Facebook Survey
by Alex on Dec.08, 2009, under Education, Facebook, Web App Sec
Facebook Application Security For the User:
A Brief Introduction
Alex Fernandez-Gatti
Eastern Michigan University
College of Technology
Information Assurance Department
Ypsilanti, Mich
Disclaimer:
This document is intended to be a brief introduction to Facebook application security as it relates to user data and the confidentiality of said data. It does not cover all aspects of Facebook security, or Facebook applications. Please do not take it as such.
This document has been written as part of a research study for Eastern Michigan University. All content is the property of the author of the study, who must be contacted prior to use in other media.
Author Information:
Alex Fernandez-Gatti
(248)232-3377
afernan4@emich.edu
Facebook has become the unequivocal dominating container of information volunteered by users of its service like you and me. Status updates, e-mail addresses, phone numbers, birthdays, pets' names, siblings, favorite colors, interests, and significant others are broadcast on one's personal space, which is maintained by the individual it references. We shout this information to the world and never stop to think about what we are telling people about ourselves. Whether it is our friends, an advertiser, an insurance agency, or a potential employer, this information is available to the public if one does not take the proper precautions to protect it. A majority of us have heard this speech before and have taken the proper precautions of locking down certain albums from Mom and Dad, blocking our ex-boyfriends and ex-girlfriends, and sharing only what we think isn't personally damaging in the here and now. But there's something more that most of us haven't taken a look at before, and that's what the applications we use can do with our information.
In August of 2009 the ACLU (American Civil Liberties Union) created a Facebook quiz application that asked users a series of questions regarding their knowledge of privacy as it relates to Facebook applications; over 8,000 participants volunteered to take it. Contained within the quiz were various bits of information that were pulled from the user's account whether they were marked as private or not. The methodology for doing this is quite simple, and the developer of the application simply stores the data for use in whatever way they desire. A developer may want to store this information to get a picture of what his audience is so he can charge a higher price to advertisers for the space, or advertisers may collect this data and use it to advertise other products. There is unlimited potential for the gathered information to be used in ways that were originally unintended. The consequence of this information leak is that control over the information is lost.
The results of this research helped fuel a program within Facebook to change the default privacy settings and allow users to control their information more effectively. As it stands, though, if the user is using any application built on the Facebook application platform that does any data collection, the user is not able to totally opt out of sharing information through the Facebook Platform. The only method to totally opt out is to remove all applications from one's profile and then complete the opt-out process. While not perfect, this is a vast improvement from where it was.
Facebook hosts a plethora of information on each of its users, all of it volunteered. Facebook does not, however, ask users to revisit their privacy settings on a consistent basis. And while it is not uncommon knowledge that the default privacy settings are not very private, a good exercise for any Facebook user would be to verify that their account has the level of privacy they desire.
Privacy Settings Location:
1. When logged into your Facebook account, hover your mouse over the word “settings” at the top of the page.
2. Select the word “Privacy”
3. Click on the fourth selection “Applications”
4. Select the “settings” tab above the text displayed on your screen.
5. Verify that the privacy options are as you would like them.
Click here for the 2 question Survey! Please take this, it’s only 2 questions and will help me graduate! Your support is greatly appreciated!
Woot!
by Alex on Nov.15, 2009, under Education, Security
It’s official! I’m teaching NITA 379 – Ethical hacking at Eastern Michigan University in the winter semester of 2010!

Masters Degree?
by Alex on Aug.27, 2009, under Education
A few days ago I was given an offer to get my master's degree for free, essentially, if I teach a few classes while I'm doing it. The pay would not be good by any stretch of the imagination so I would most certainly have to get a good job to go along with this, which is not a big deal at all. With the contacts I have I'm sure I could get something that will make me happy and financially stable while I do the master's program. Both teaching and getting a master's degree are pretty attractive to me at this point in my life, but I would be sacrificing some very good job opportunities that could lead to a few great careers so I'm stuck and having trouble figuring out what the hell I'm going to do…
Masters of Science in Information Assurance @EMU Pros:
1. A master's degree of any form is a damn good thing on a resume in a time where BS's and BA's are becoming commonplace.
2. To get the master's degree I wouldn't have to take all that many more classes, maybe a year and a half at most.
3. I will have the support of an educational facility to continue my research.
4. I am already familiar with the faculty members and have an easier time getting things done than if I were to go to another university like Indiana U or Purdue.
5. EMU’s IA program has a lot of very useful and nice connections that are very interesting.
6. I have helped build EMU’s IA program, influenced it, watched it evolve, and grow from a tiny 40 student program to over 200 students now. Currently I’m helping to design and build the new lab, and frankly I want to see my baby grow. It would be very intrinsically rewarding to see new students come in, teach them, watch how they utilize the lab, and see the creativity flow.
7. I already know that I will be a lifelong student; this new development seems to be a chance to both get paid and further my education to a higher-level degree at the same time, while doing something that I love.
Masters of Science in Information Assurance @EMU Cons:
1. Finances may be rough; teachers do not make much, and while I know I can find a good job, master's work is pretty intense.
2. Opportunity knocks once; if I pass up a kick-ass job today, will I have that same opportunity after the master's program?
3. Will the state of cyber security be the same in the future, or is Obama's cyber security initiative a bunch of PR bullshit?
The pros are pretty powerful, but I have to admit that in this economy passing up a kick-ass job scares the bejezzus out of me. I've been told that it will work out, and yes, I feel that is true; I just wonder how it will work out.
I’d appreciate any comments from anyone on this.
AT&T Exposes the neck
by Alex on Jul.27, 2009, under Security, Web App Sec
Recently I posted about a malformed URL penetration attempt on my web server. It didn't work because I had taken steps to prevent attacks like that, such as setting proper permissions on my directories and files, and not using very silly programming practices. However, it seems that AT&T, the creators of System V Unix from Bell Labs, dropped the ball on this little corner of security.
One of their PHP scripts used the QUERY_STRING attribute and was able to do some very fun things through some very bad programming. It was able to call any file on the server simply by entering its path on the box. Since the paths for most things are commonly known, files like /etc/passwd, which contains the user names and (on systems without shadow passwords) weakly hashed passwords, were very vulnerable to access from outside, non-authorized users. All one would have to do once they got this file was run John the Ripper against it and start logging into research.att.com systems. Hell, the attacker could have access to the employees' personal data through access.att.com, and remotely log in through the VPN and gain a lot more access than users outside of the network have.
AT&T Research is the new Bell Labs, as Bell Labs was sold off a few years ago to Alcatel Research and is now known as Alcatel-Lucent Bell Labs. AT&T Research is primarily responsible for research and development of network and system related products to be delivered to market. Recently they've put out things like the 4G multilevel network protocols and design, and Adaptive Defense technology.
The exploit is simple. Once a vulnerable page has been found, such as:
http://www.research.att.com/areas/visualization/papers_videos/subpage.php?page=
All the attacker would have to do is enter the path for the target file, and the file would display in clear text in the browser.
Example:
http://www.research.att.com/areas/visualization/papers_videos/subpage.php?page=../../../../etc/passwd
AT&T's response to this vulnerability was to simply pull the page down, or at least make it inaccessible to outside users. I'm sure that's not the only page that had this ability, though; if a coder was able to make that big a mistake in one place, the coder probably copied and pasted the code to other parts of the site as well.
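To make the fix concrete, here is an added example (mine, not AT&T's code and not the PHP from the affected page) written in Python rather than PHP: a resolver that repeats the flawed "trust the page= value as a path" pattern, beside a hardened one that maps the parameter through an allowlist and, as defence in depth, checks the resolved real path stays inside the pages directory. The pages/ directory, the allowlist names and the temporary files are all constructed for the example.

```python
"""Added example, not AT&T's code: a Python stand-in for the flawed
'?page=' resolver described above, beside a hardened version.

Assumptions (constructed for this example): pages live under a directory
'pages/' and the only legitimate values of ?page= are in ALLOWED_PAGES.
Nothing here touches a real server.
"""
import os
import tempfile

ALLOWED_PAGES = {"index", "papers", "videos"}  # constructed allowlist


def vulnerable_resolve(pages_dir, page):
    """The flawed pattern: the query-string value is trusted and joined
    straight onto a filesystem path.  '../../../../etc/passwd' walks out
    of pages_dir, and an absolute value discards pages_dir entirely
    (os.path.join drops everything before an absolute component).
    Shown only to contrast with safe_resolve()."""
    return os.path.join(pages_dir, page)


def safe_resolve(pages_dir, page):
    """Hardened version with two independent controls:
    1. an allowlist: the parameter selects a known page name and never
       names a file;
    2. defence in depth: the chosen name is resolved with realpath and
       must still lie inside pages_dir, which catches symlink tricks or
       a future mistake in the allowlist."""
    if page not in ALLOWED_PAGES:
        raise ValueError("unknown page: %r" % page)
    base = os.path.realpath(pages_dir)
    target = os.path.realpath(os.path.join(base, page + ".html"))
    if os.path.commonpath([base, target]) != base:
        raise ValueError("resolved path escapes the pages directory")
    return target


def escapes(pages_dir, path):
    """True if 'path' normalises to somewhere outside pages_dir."""
    base = os.path.realpath(pages_dir)
    return os.path.commonpath([base, os.path.realpath(path)]) != base


def demo():
    """Builds a constructed pages/ directory in a temp dir and returns
    (vulnerable_resolver_escaped, safe_resolver_rejected)."""
    root = tempfile.mkdtemp()
    pages = os.path.join(root, "pages")
    os.mkdir(pages)
    with open(os.path.join(pages, "index.html"), "w") as fh:
        fh.write("<p>constructed page</p>")
    traversal = "../../../../etc/passwd"  # the payload shape from the post
    vuln_escaped = escapes(pages, vulnerable_resolve(pages, traversal))
    try:
        safe_resolve(pages, traversal)
        safe_rejected = False
    except ValueError:
        safe_rejected = True
    return vuln_escaped, safe_rejected


if __name__ == "__main__":
    print(demo())
```

The allowlist is the real control; the realpath check costs one extra line and means a later edit that widens the allowlist by mistake still cannot serve anything outside pages/. The same two checks translate directly into PHP with in_array() and realpath().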
Attribution: Shane Forsythe on the Web Security Mailing list added the reddit link to the mailing list. Reddit is the first place I know of the vulnerability being divulged.
http://www.reddit.com/r/programming/comments/94z5w/att_exposes_etcpasswd_bad_php/
Amateur Hour
by Alex on Jul.19, 2009, under Security, Web App Sec
It seems that someone has tried to gain access to my website by using URL injection, which was amateur at best. The IP address routes to a block owned by a school district in Colorado, leased from Comcast Business. The local time for that area when the attempt was made was 3:36pm. Considering the lack of delay between requests, it also shows that a tool was used to attempt to gain access.
An image of the log file:
http://chaulis.com/images/penattempt.jpg
Nmap output of the IP:
Not shown: 919 filtered ports, 66 closed ports
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
53/tcp open domain
80/tcp open http
88/tcp open kerberos-sec
106/tcp open pop3pw
311/tcp open asip-webadmin
389/tcp open ldap
625/tcp open apple-xsrvr-admin
749/tcp open kerberos-adm
1723/tcp open pptp
3283/tcp open unknown
3306/tcp open mysql
3659/tcp open unknown
5900/tcp open vnc
No OS matches for host
The IP address hosts a website for the school district, though. So either it's some script kiddie in high school trying to deface my site, or it's a server so insecure that it's being used as a proxy. He didn't even look for subdomains on the site, and just went after the Horde mailbox, which doesn't exist, and the WordPress crap. Sucks to be him!
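The tell-tale signs in this post, a burst of requests with no delay between them and every one of them aimed at software the site does not run, are easy to pull out of an access log automatically. The following is an added example of mine, not code from the original post, and goes slightly beyond it by also tagging requests that carry a directory-traversal shape. The log lines are constructed for the example in Apache combined format with documentation-range IP addresses, not the real log shown in the image above.

```python
"""Added example, not from the original post: a small detector for the
behaviour described above, a burst of requests from one address probing
paths the site does not serve.  The log lines are constructed for this
example (Apache combined format, documentation-range IPs), not the real
log from the post."""
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import unquote

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample: six misses from one address inside three seconds,
# then an ordinary visitor.
SAMPLE_LOG = """\
198.51.100.7 - - [19/Jul/2009:15:36:01 -0600] "GET /horde/login.php HTTP/1.1" 404 512 "-" "Mozilla/4.0"
198.51.100.7 - - [19/Jul/2009:15:36:01 -0600] "GET /wp-login.php HTTP/1.1" 404 512 "-" "Mozilla/4.0"
198.51.100.7 - - [19/Jul/2009:15:36:02 -0600] "GET /wp-admin/ HTTP/1.1" 404 512 "-" "Mozilla/4.0"
198.51.100.7 - - [19/Jul/2009:15:36:02 -0600] "GET /index.php?page=..%2F..%2Fetc%2Fpasswd HTTP/1.1" 404 512 "-" "Mozilla/4.0"
198.51.100.7 - - [19/Jul/2009:15:36:03 -0600] "GET /xmlrpc.php HTTP/1.1" 404 512 "-" "Mozilla/4.0"
198.51.100.7 - - [19/Jul/2009:15:36:03 -0600] "GET /wp-content/ HTTP/1.1" 404 512 "-" "Mozilla/4.0"
203.0.113.9 - - [19/Jul/2009:15:40:10 -0600] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""


def parse(log_text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield {"ip": m["ip"], "ts": datetime.strptime(m["ts"], TS_FMT),
                   "path": m["path"], "status": int(m["status"])}


def looks_like_traversal(path):
    """Catches '../' in raw or percent-encoded form."""
    decoded = unquote(unquote(path))  # decode twice to cover double-encoding
    return "../" in decoded or "..\\" in decoded


def find_scanners(log_text, window_seconds=10, min_misses=5):
    """Flag an address whose 404s within any window_seconds span reach
    min_misses.  Returns one finding per flagged address."""
    by_ip = defaultdict(list)
    for rec in parse(log_text):
        if rec["status"] == 404:
            by_ip[rec["ip"]].append(rec)
    findings = []
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        best, best_span = 0, (0, 0)
        start = 0
        for end in range(len(recs)):  # sliding window over sorted times
            while (recs[end]["ts"] - recs[start]["ts"]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 > best:
                best, best_span = end - start + 1, (start, end)
        if best >= min_misses:
            paths = sorted({r["path"] for r in recs[best_span[0]:best_span[1] + 1]})
            findings.append({"ip": ip, "misses": best, "paths": paths,
                             "traversal": any(looks_like_traversal(p) for p in paths)})
    return findings


if __name__ == "__main__":
    for finding in find_scanners(SAMPLE_LOG):
        print(finding)
```

Keying on 404s rather than on a fixed list of "bad" paths keeps the rule useful when the scanner's wordlist changes; the window and threshold are the knobs to tune against your own traffic so that a visitor with a stale bookmark is not flagged.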
Security Fail
by Alex on Mar.20, 2009, under Open Source Intelligence, Security
I did a little bit of Google hacking last night just to hone my skills with search-term ninjutsu. There are a lot of very wonderful programs out there that will do this for you (Maltego, Goolag Scanner, etc.) and give you results that you wouldn't normally find by just doing a normal search. And while I have a particular love for Maltego and how easy it makes it to link a name with an e-mail address and find all sorts of interesting things out about a person or organization, there's definitely a special magic to Google hacking that satisfies the soul.
So there I was, minding my own business, performing recon on a friend's site, when lo and behold, jackpot: "ADMIN CONTROL PANEL | OLD". I click it, and it's dead. I could have sworn that I would have had something with that result. But wait! Google, in its superior wisdom, caches the internets. Located in this cache was exactly what I should not have been able to find: user names, passwords, e-mail addresses, dates that the accounts were created, all sorts of very fun and interesting things. Sure, the data was old, but it gave me a starting point to explore further. I had an idea of the user name assignment policy and the password policy. As an attacker, this gives me a vital starting point. Of course, being a white-hat, security-job-seeking student, I stopped there and notified the admin.
What if I hadn't? I don't need to run nmap yet, as the search results also included a very nice file which let me know exactly what was running, the current patch level (at the time of the caching) and if any ports were re-mapped. So let's just say the site is running a version of SQL that has some interesting injection features available to it. I've already seen the listing of user names and passwords, I have an idea of what data is kept in the database, and I know how it's formatted. Let's see if I can get the site to tell me what's currently in the database at this moment. Or, let's see if I can telnet in with one of the already discovered user names and passwords. Or, let's see how much fun it is to embed JavaScript that makes any user's browser report back to me what their Gmail password is if they are logged in.
I spoke with the admin of the site I tested. He was pretty amazed to find that he was broadcasting such information. We discussed an incident that occurred a few weeks ago, and here's what his response to the attack was:
“I’ve done a lot of ip blocking by country though. both attacks from jack and wherever were from 125. (gualamaula) I just blocked the whole country. 125.0.0.0 and haven’t had an issue since”
Well sir, if you are an actual target for these individuals then be ready for another attack. A proxy can easily get around that. Security isn't just putting up a firewall, installing a virus scanner, and turning off telnet. A steel door on a white picket fence doesn't do anything other than make the attacker step over the fence. So how does one protect oneself in this world of "evil hackers" and thieves? Simple: absolute protection from all threats is as easy as never leaving your room and having no connections to the outside world. Just please shower when you decide to be realistic and join the rest of us.
There is no one method. Attackers will always be thinking of new ways to get around the system, and defenders will always be finding new ways to prevent them from doing so. A good security professional keeps up to date on what's going on. Other than that, follow best practices, listen to PaulDotCom Security Weekly, and keep your head down.