Just a quick reminder that the HTCIA – DC Chapter infosec meetup event is tomorrow. For more information about the HTCIA – DC Chapter, see its description in our Infosec Meetups section. View our Calendar for a list of similar infosec events in and around the NoVA area. See our original post for more information about this meetup.

###

Keep the local security community going strong by becoming a subscriber of our site. You can also spread the word about NovaInfosecPortal
 by passing this post along to a friend.

Focusing on the growing trend of criminal activity via social networking sites, synthetic worlds, and ARGs, the “Synthetic Worlds” meetup will be hosted by the IRS Criminal Investigation Electronic Crimes Technology & Support Center and will feature Jason A. Thomas of West Virginia University as the speaker.  

To learn more about this meetup, continue reading below.

• Who: Jason A. Thomas of West Virginia University
• What: “Synthetic Worlds – 2nd Life Live Demo”
  • According to the HTCIA – DC Chapter website, “[t]his presentation aims to expose the criminal use and danger of a variety of Internet technologies, including Second Life, ARGs, MySpace, Facebook, and others. Through specific case studies, attendees will gain an awareness of the types of threats these technologies pose. Moreover, attendees will learn ways to combat and mitigate the risks associated with new technologies.”
• When: 03-19, 10:00 AM EST
• Where: IRS Criminal Investigation (6359 Walker Lane, Alexandria, VA 22310; Electronic Crimes Technology & Support Center, Suite 240)

For more information on the HTCIA – DC Chapter infosec meetup event, description in our NoVA Meetups section. View our Calendar for a complete list of infosec events in and around the NoVA area. Here is a link to the HTCIA – DC Chapter page with more information about this meetup.

###

Was this post helpful? If so, consider passing it along to a friend or becoming a subscriber of our site. Or, you can always do both—we won’t complain.

Creative title aside however, the ISSA – DC Chapter meetup tomorrow promises to deliver some practical information about browser patches and why they sometimes fail to keep us protected. Whether we’re comfortable admitting it or not, there is an underlying assumption—from the general public and security professionals alike—that having a fully patched browser keeps the bad guys at bay. As the ISSA site says, “[g]one are the days when installing the latest security patches and avoiding questionable web sites meant a safe web browsing experience.” 

Presentor Michael Sutton of Zscaler Labs will talk about a variety of recent attacks that succeeded against fully patched browsers. He will also discuss what can be expected from attackers and how companies, professionals, and the public should be protecting themselves against such attacks in the future.

Get more information about the meetup below.

• Who: Michael Sutton of Zscaler Labs 
• What: Your Browser Wears No Clothes: Why Fully Patched Browsers Remain Vulnerable
  o The presentation will discuss how modern attacks are using social networking sites and other commonplace sites with intended browser functionality to develop highly damaging attacks.
• When: 02-17, 6:30 – 8:00 PM EST
• Where: Radio Free Asia (2025 M Street NW; Washington, DC 20036; in the first floor conference room)

For more information on the ISSA – DC Chapter, see its description in our NoVA Meetups section. View our Calendar for a complete list of infosec events in and around the NoVA area. Here is a link to the page with information on this meetup.

###

Was this post helpful? If so, consider passing it along to a friend or becoming a subscriber of our site. Or, you can always do both—we won’t complain.

Hamiel and Moyer also cleverly integrated Social Networking into their talk by requesting that the audience tweet them questions instead of asking questions outloud. Not only did this keep the presentation running more smoothly, it also increased audience participation. While the talk is now over, you can still follow Hamiel and Moyer on their Twitter pages:  @nathanhamiel and @shawnmoyer.

While “Fail 2.0: Further Musings on Attacking Social Networks” was a standalone talk, it was actually based on a talk that Hamiel and Moyer had done at DefCom and BlackHat last year, entitled “Satan is on my friends list: Attacking Social Networks.” You can now download the slides from that talk at HexSec.com.

The nice thing about the “Fail 2.0” talk is that Hamiel and Moyer didn’t just focus on the technical side of Social Networks, but also talked about the goal of Social Networks, which is to:

• Have users create the content
• Get as many people in one place as possible
• Retrieve demographic information on a large scale

Mind you, I’m paraphrasing, but those are some of the major goals behind Social Networks. Unfortunately (or fortunately, depending on who you talk to), all of these things and more make Social Networks an attacker’s dream. There are multiple flaws in Social Networks that can easily be exploited, meaning that pwnage for the user and the Social Network is pretty much imminent if users don’t know what they’re doing. (As Hamiel and Moyer pointed out, most users don’t know about the danger of flashy shiny things on their Social Networking pages). 

The major way that users of Social Networks get taken advantage of? Apps and external content. Hamiel and Moyer even went so far as to name their 6th slide “Offsite Content = Fuxor.” If a clever take on profane language doesn’t relay the seriousness of offsite content, I don’t know what will.

But why is offsite content so bad? Because it can be a clever disguise for malicious intent. Whether embedded in images, links, or what appear to be “external” websites, attackers can embed all sorts of assaults that can cause anything from identity theft (i.e. taking over someone’s Social Networking account and using it to for devious means) to taking control over a user’s router.

While apps work the same way, they are especially dangerous because they can start out being non-malicious, but later become malicious if the attacker chooses. Worse still? You don’t even have to be the one who installed the app; even viewing the app on someone else’s page gives the attacker an opportunity to attack you via the information they’ve collected through your web browser.

All in all, Hamiel and Moyer’s talk was not only entertaining and informational, but timely. Social Networks show no sign of slowing down, which means that the potential attacks on users will only grow as time goes on. You can view the full “Fail 2.0” slides at HexSec.com.

Did you attend this talk? If so, I’m curious to hear what you thought about it. 

###

Was this post helpful? If so, consider passing it along to a friend or becoming a subscriber of our site. Or, you can always do both—we won’t complain.

You may want to pass these nice little guides around to any family and friends so they can tighten down their profiles as well. Also for anyone out there that uses these services more than I do, what do you think of these guidelines? Will they severely limit their usability?