When I first saw this fly by on Twitter (ironic) I thought it was Rsnake joking around. I followed his comment about it over to Vantage Credit Union’s web site and saw that sure enough, their customers can do limited banking via Twitter. Before I go further, let me state this openly. I like and use Twitter quite a bit. The ability to find people with similar interests and hear about events on the fly is awesome. All that said, here’s some of my thoughts.
I took a look through the documentation on how to use their service. Customers can perform simple functions such as view their balances, deposits, withdrawals, holds, and cleared checks. They can also transfer money between accounts inside of VCU. Nothing particularly earth shattering about this. The commands are pretty basic and easy (at least to me) to remember. To pull the last 5 deposits customers send a direct message to the credit union using the following command.
d myvcu #l5d <last digit of their account number>
The credit union’s twitter account receives the message, then sends back the results.
Ok, that’s kinda neat and the actions available in the first release aren’t too worrisome. But I’m still concerned about the whole idea of this. If I’m a customer of VCU (I’m not), do I want Twitter to be the middle man for access to my account? The whole security model hangs on the idea that direct messages are completely secure and only visible to the two parties taking part in the exchange. While I suspect Twitter has gone to some lengths to protect these messages, do we think that they designed its security with banking in mind? I doubt it ever entered their mind. Keep in mind that all of this is being done without encryption too.
However, for the sake of argument, let’s say that direct messages never become exposed due to a vulnerability. Do people only use Twitter with their browser directly on Twitter’s website? Not by a long shot. I personally use two other applications to keep tabs on my feeds. These apps also have their own issues. I don’t know of any Twitter apps that do this, but I have heard of some apps sending data back to the developers. They also are subject to vulnerabilities. So even if Twitter itself is perfectly safe (it’s not), the clients through which we use it aren’t.
And last, the whole notion just strikes me as asking for trouble. VCU plans on offering functionality via Facebook and text messaging as well. They have in essence decided to teach their users to trust third parties with access to their bank accounts. These aren’t third parties that we know either. I don’t know the people who are, will or used to work at Twitter. VCU is training their customers that it’s ok to put access to their financials in the hands of others. This is a bad idea and one that may come back to bite folks who believe that Twitter has their back because otherwise their bank would have never offered it.
Today we had a really bad thing happen, but it ended up not mattering at all. One of my clients was busy doing some work and accidentally deleted a directory with about 1 GB of data in it. I got a very worried email from them asking if it could be restored. Fortunately, we had recently implemented a new backup system and it was running very well. I logged into the system, found the needed directory in the last backup to Mozy and kicked off the restore. 40 minutes later, they were back to using the files that had gone MIA.
Why did this not matter? Because we had good backups in place. The system syncs nightly to Mozy’s storage systems and I get daily updates on how things went. When I got the email telling me about the issue I knew right away where the data would be and how to get it back. No running around for tapes. No hoping that last job had actually worked.
In the past, backups could cost quite a bit. Tape drives, backup software and tapes don’t come cheap when you are a small or medium sized business (SMB). You could easily drop $5,000 or more on a single tape drive, some software and enough tapes to keep it going for a while. Then you have to switch tapes daily and all that other fun stuff. As a result a lot of SMBs don’t have the backups they need and we all need them. Accidents happen.
The good news is that backups don’t have to cost you a ton of capital. How much did this wonderful peace of mind cost my client? For this server, the grand total is less than $10 per month. How long did it take to setup? About 15 minutes. How long and expensive could it have been if the data was completely gone?
The last week was really busy while I prepared to do my presentation at the Utah Open Source Conference. While I was engaged in this process I got a message from Larry Pesce of the Pauldotcom Podcast. He had some updates to Reconnoiter and wanted to shoot them over to me. He said that he would be doing a tech segment on harvesting usernames via social media and was going to use the script as part of it. I thought that was quite cool and figured that it would be one of the tools he mentioned. I checked the show notes after the recording and found that the entire segment was built around Reconnoiter!
One of the things that I really liked about the podcast was that the guys spent some time on how it could be better. The requests I heard were the following:
Configure the format the usernames are generated in. Perhaps you already know the format a client uses and just want a dictionary in that format. Why generate a bunch of usernames that you already know are bad?
Add some kind of GUI or website. Good point. Particularly for the Yahoo version of the script. That API key is insanely long to put in as a command line argument.
Instead of spewing to STDOUT, save it to a file. Larry has already provided the code for this and implemented it into both scripts.
I’ve been kicking around a couple other ideas, but will need to get some time to implement them. I’ve also got another script in mind that may or may not help deduce what the user name format for a company might be. Depends on how the target has their email server configured. No hacking, just taking note of what the email server tells me.
You can check out the episode at pauldotcom.com. Thanks guys!
On Friday October 9th at 12:00 PM I will be speaking at the Utah Open Source Conference on how to put together a kit of security tools using open source software. I discuss a fictional company that we work at and some of the things that we can put in place to help secure the environment and handle some of the requests that get thrown our way. The slides can be downloaded here. I hope to have video of the presentation up later.
Here are the apps I cover and where you can go to get more information on them. I’ve also got some community resources to go check out.
Earlier this month I decided to take the scripts for username generation and roll them into an open source project. There were a couple of reasons for doing so. First, I needed source control hosting and SourceForge provides that for free as long as you release the project to the public. Second, I want to expand the scope of it to go beyond what I’ve done so far. It’s great that people have found these scripts useful, but it’s hardly rocket science. This should give me some more room to explore and share with others.
If you would like to check out the project, you can search for “Reconnoiter” on sourceforge.net or you can just follow this link:
One last note. There are some changes in the 0.2 release of Reconnoiter that may be useful. I found a nasty bug in the Yahoo script that needed to be fixed badly. That’s been done and committed to the release. Last, I made the output a lot more useful. There was no filtering at all for results that included HTML code in them. This caused some obviously bad usernames. Unless you logged in as “<b>jwood</b>” often. To help with that I’ve added some filtering which should improve the quality of the results. Enjoy!
Last month I sent the Utah Open Source Conference a proposal for a presentation on “Building an Open Source Security Tool Set“. Presentations are voted on by the registered attendees and the other folks who have submitted a presentation. When I was making my votes, I saw that there were a lot of great abstracts. In fact, there were a lot of abstracts period. Because of this, I really didn’t expect to get selected. Turns out I was wrong!
I received word on September 3rd that my presentation was accepted and that I will be speaking at the Utah Open Source Conference. The current time scheduled is on October 9th at 12:00 PM. Here is my description of the proposal.
If you want to build out a kit of commercial security tools, bring a big bank account to pay for it. Not only that, you’ll find that there are still gaps in your setup that need to be filled. What do you do if you have a finite budget (who doesn’t?) or have no budget? Does testing your security require a fat wallet? Fortunately, no.
In this presentation I’ll go over a number of open source security tools, what they do and where you can get them. Individual tools will be discussed as well as Live CDs which have a collection of the tools all together.
I’m very excited to have been selected to give this presentation. It should be a lot of fun and I hope it will be useful to those in attendance. I’m trying to have some goodies for the attendees, but I’m not sure how many I’ll need. We will see.
You can register for the conference using the UTOS 2009 banner on the right or you can use the link below. Hope to see you there!
I’ve written a couple of posts about a script I wrote to generate usernames. Since then I’ve written another script that uses Yahoo’s XML API and both of them have been included in SamuraiWTF. It’s been pretty cool to see people try out something that I wrote and find it useful to them. The scripts are still pretty rough and need some work.
I’d like to make the Yahoo script less ugly to use. Putting a huge API key in as a command argument strikes me as kinda lame. The results from it are very consistent though. So I actually prefer using it to the google version of the script. You can download the Yahoo script here: usernameGenYahoo.txt The Google script is here: usernameGen-v2.1.1.txt
Please let me know if you find any bugs with them, want additional functionality or if you just found them useful.
Mike Patterson on the Pauldotcom mailing list commented that he thought usernameGen.py could use handling for middle names. The template that he suggested was of first initial, middle initial and last name. I think he’s right. Originally I had the script avoid middle names or initials, but I went back and added the format Mike requested.
I wanted to do some testing on access controls to a SQL server recently, but I needed a decent password list and username list. Password lists are fairly straightforward to find and I used an excellent how-to from the Pauldotcom Podcast to create my password list. Next I needed a list of usernames. To be effective, it would be better to have a list targeted to the environment I was working in. I wanted to do this with fairly public information so that no one could accuse me of using insider knowledge. So I decided to see what LinkedIn had.
Now LinkedIn generally lets people decide how much information they want displayed to people they don’t know. If you aren’t connected to them, all you may see is their description if you find them by company. No names. In my case, I’m connected with a lot of people, so this pollutes the process. So, I logged out of LinkedIn to see how an outsider might do this.
For this scenario, I’m an attacker who wants to find out about Company XYZ. I’m not employed by them, but they have something I want. I’m not connected to anyone on LinkedIn at the target. In fact, I may not even have a LinkedIn account. How do I get this information? Kevin Johnson at InGuardians has already done some awesome work on how people are willing to accept invitations on social networking sites from almost anyone. But let’s say that I don’t want to get connected to my target. Who would have this information?
Google of course! Everyone wants Google to be able to find things on their website. Linkedin is no different. So I do a query on the company name like this “site:linkedin.com Company XYZ”. Sure enough, I get pages of people who work at or did work at Company XYZ. With a bit of Python scripting I download the results, mix the names into common username variations and I have my username list.
Here’s the script I hacked up to make this work. usernameGen.txt PDP at gnucitizen.org wrote the original script. I just polished up the regular expression and pointed the starting URL to Google’s mobile search to simplify the HTML. Then I added the username generation. Was a fun little puzzle for the evening.
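Below is an added example of the name-to-username step, written for this post and not the author’s usernameGen.py or the Reconnoiter code. It assumes you already have a list of search result titles (the sample titles here are constructed, not real people or real search output), strips the HTML tags a search engine wraps around hits (the “<b>jwood</b>” problem mentioned in the 0.2 release), handles the first initial + middle initial + last name format, and takes a template list so you can generate only the format you already know a client uses. The `{f}`/`{fi}`/`{mi}`/`{l}`/`{li}` placeholder scheme is my own invention for the example.

```python
"""Added example: build a targeted username list from harvested names.

Not the original usernameGen.py. Input is a list of search-result
titles; output is a de-duplicated list of username candidates.
"""
import html
import re
import sys

# Constructed sample of result titles, the kind of thing a
# "site:linkedin.com Company XYZ" query returns. Not real people.
SAMPLE_TITLES = [
    "John W. Smith - Security Engineer at Company XYZ | LinkedIn",
    "Jane Doe | LinkedIn",
    "<b>Robert</b> <b>O'Neil</b> - Company XYZ - LinkedIn",
    "Maria de la Cruz-Lopez - Accountant at Company XYZ | LinkedIn",
    "Company XYZ | LinkedIn",  # the company page itself, not a person
]

# Placeholders (my own scheme): f=first, l=last, m=middle,
# fi/mi/li = first/middle/last initial. Trim this list to one entry
# once you know the target's real convention.
DEFAULT_TEMPLATES = (
    "{f}{l}", "{f}.{l}", "{f}_{l}", "{fi}{l}", "{fi}.{l}",
    "{f}{li}", "{l}{fi}", "{l}.{f}", "{fi}{mi}{l}",
)

TAG_RE = re.compile(r"<[^>]+>")
NON_ALNUM_RE = re.compile(r"[^a-z0-9]")


def clean_title(title):
    """Drop HTML tags/entities the search engine adds around hits."""
    text = html.unescape(TAG_RE.sub("", title))
    return re.sub(r"\s+", " ", text).strip()


def extract_name(title, company):
    """Return (first, middle, last) from a result title, or None.

    The person's name is the text before the first ' - ' or ' | '.
    Titles that are just the company name are skipped.
    """
    name = clean_title(title).split(" | ")[0].split(" - ")[0].strip()
    if not name or name.lower() == company.lower():
        return None
    parts = [p.strip(".,") for p in name.split()]
    parts = [p for p in parts if p]
    if len(parts) < 2:
        return None
    return parts[0], " ".join(parts[1:-1]), parts[-1]


def _norm(s):
    """Lowercase and strip apostrophes, hyphens, accents' punctuation."""
    return NON_ALNUM_RE.sub("", s.lower())


def usernames_for(name, templates=DEFAULT_TEMPLATES):
    """Expand one (first, middle, last) tuple into username candidates."""
    first, middle, last = name
    f, m, l = _norm(first), _norm(middle), _norm(last)
    if not f or not l:
        return []
    fields = {"f": f, "l": l, "m": m, "fi": f[0], "li": l[0], "mi": m[:1]}
    out = []
    for t in templates:
        # Middle-name formats only make sense when we actually have one.
        if ("{mi}" in t or "{m}" in t) and not m:
            continue
        out.append(t.format(**fields))
    return out


def build_wordlist(titles, company, templates=DEFAULT_TEMPLATES):
    """Parse every title, generate candidates, and de-duplicate in order."""
    names = (extract_name(t, company) for t in titles)
    seen = []
    for n in names:
        if n is None:
            continue
        for u in usernames_for(n, templates):
            if u not in seen:
                seen.append(u)
    return seen


if __name__ == "__main__":
    # Usage: python usergen_example.py [output_file] [template ...]
    out_path = sys.argv[1] if len(sys.argv) > 1 else None
    templates = tuple(sys.argv[2:]) or DEFAULT_TEMPLATES
    words = build_wordlist(SAMPLE_TITLES, "Company XYZ", templates)
    dest = open(out_path, "w") if out_path else sys.stdout
    dest.write("\n".join(words) + "\n")
    if out_path:
        dest.close()
```

Running it with only `"{fi}{l}"` as the template gives a four-entry list (`jsmith`, `jdoe`, `roneil`, `mcruzlopez`) instead of the full cross product, which is the “I already know the format” case from the podcast feedback.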
There have been a few vulnerabilities lately with Adobe Acrobat Reader handling malicious JavaScript badly, and this post is to show how to disable JavaScript in Acrobat Reader. While disabling an entire piece of functionality seems a bit like overkill, there are a couple of reasons that you may want to do this.
Adobe was kind of slow patching the issue. The issue was reported on 4/28/09 and a patch was released on 5/13/09. During this time, there were reports of active exploitation being done via this issue.
I don’t know of many PDF files that I’ve seen which use javascript, so even having this functionality seems a bit odd to me.
If Adobe isn’t particularly fast at patching and there’s really no reason to actually have the technology available, why run it? So here is a quick video which shows how to disable JavaScript.