0x0e.org | pentesting perspective

braindump on pentesting, QA, metasploit, constant learning

Archive for the ‘web2.0’ Category

Framing via Facebook ==> FaceFraming?

with 3 comments

So, i was posting on the wall of a friend in facebook today, alluding to how we should steal my car back from the fascist towing company who took it. I realize it’s probably a bad idea to even hint at this, but what the hell. I can account for my time, and i truly have no intentions of stealing it.

Regardless, it occurred to me that it’s getting easier & easier to damage a reputation online, or to frame someone for a crime they didn’t do.

Imagine if i wanted someone knocked off. If i wanted to create a convincing argument for another person, i could simply log into the framed person’s account, and post a menacing statement like: “I hate everybody today. I think i’m gonna snap soon. @#$# _______” Cheesy? Sure. But convincing enough for a jury? We will see.  It’s now a matter of a public record (how much so depends on your privacy concerns / settings), and can be used against you.

I think we’re going to see a lot more of this type of evidence in the future. Here are a couple examples of it being used in court (drunk driving cases):

Advertisements

Written by jcran

September 30, 2008 at 3:02 AM

Posted in attack, web2.0

Tagged with , , ,

Google Calendar Search for Fun & Profit

with 2 comments

In the same vein as the earlier post on searching for vulnerabilities with Google Code Search, I realized tonight that you can search for private calendars on Google Calendar Search by simply typing ‘private’ in the search box. You’ll be surprised by how many results you get (960 at time of writing).

With such nuggets as:

What

Presentation in Bern [work]

When

Mon Sep 1 12pm – Mon Sep 1 4pm
20080901T120000/20080901T160000

Where

Created By

Michel

It’s certainly not a great deal of work to trace other public details, and find out exactly who this might be.  Interestingly, he’s also praying at 1AM today, and rowing at 2PM. He looks to be a bit worried about his skills.

This post ties closely to an observation made by stan over at n0where.org. What if a bank were able to access your calendar while you were planning to make a week-long trip to vegas? Do you think they’d still be eager to give you that home-loan? Food for thought, no?

UPDATE 09/02/08:
Google: John Gomez! Are you really sure you want to share this with the world?
John Gomez: *clicks yes*
Google: Are you sure??
John Gomez: just do it, it’s handy!
Google: Okay, but don’t say I didn–
John Gomez: DO IT!
Google: fine. idiot.
[Except this doesn’t happen, and people have NO IDEA they’re sharing this info most likely]

Delta Air Lines #616, 01:15 PM PDT

WhenFri, Sep 26, 4:15pm – 10:01pm
WhereSFO – JFK (map)
Description Record Locator: MXNYGI Flight: Delta Air Lines #616 Confirmation: CYT0L0 Departure Location: San Francisco International Airport (SFO) Departure Time: Friday, September 26 at 01:15 PM PDT Departure Terminal: 1 Arrival Location: John F. Kennedy International Airport (JFK) Arrival Time: Friday, September 26 at 10:01 PM EDT Arrival Terminal: 3
UPDATE (09/02/08) (2):
Looks like our boy John is in good company at least… 680 results for the term ‘Record Locator.’ Ouch.
So how do you take advantage of this?
– Impersonate them
– Break into their house / steal their car while they’re away
– Frame them for a crime happening in their vicinity
– Call the airport, impersonate an authority (you’ve got all the details, right?.. right.)

Out of curiosity, is anyone doing a taxonomy of real-world attacks? The final attack listed above is analogous to a DOS attack, but these are all straight-forward. I’d love to see a taxonomy of possible ways to exploit a piece of information (vulnerability).

Written by jcran

September 2, 2008 at 4:24 AM