The Vulnerability of Snapchat

The year 2011 marked the creation of the popular smartphone application Snapchat. The app allows users to send and receive photographs and videos to and from other users. Once a picture or video on the app has been opened, it expires after a designated amount of time from both the recipient's phone and the Snapchat server itself; a picture can be set to last from one to ten seconds, and a video expires after it is played. The app also contains a chat feature; chats from user to user disappear over time, usually after the app is closed and reopened. If users want to reopen one of the pictures or videos they receive, they have the option of replaying it within a few seconds of opening it for the first time. This can only be done once every twenty-four hours. The app sends about 700 million photos and videos a day, with over half of its users being between the ages of thirteen and seventeen.

In 2012, apps began to appear on smartphone marketplaces under various names such as SnapSave and Snap Spy. These apps not only offered a user with a Snapchat account the ability to save the photos and videos they received on Snapchat, but also allowed them to do so without alerting the sender. Photos or videos saved through this method could then be stored and distributed by the recipient for whatever purposes they desired.

In October of 2014, an event brought this problem to light in the form of the release of a huge collection of Snapchat data that had been stored on a third-party app's website. This mass leak of data from Snapchat was dubbed the Snappening (a conjunction of the words Snapchat and Happening). An exploit in the website, known as SnapSaved, led to a data breach that resulted in the release of around 12.7 gigabytes of data, roughly translating to around 88,521 images and 9,173 videos. While it is unknown what percentage of this data contained pornographic or suggestive material, the sheer amount of data released is overwhelming.

Alarming rumors soon spread on 4Chan that databases were under construction to link the information to individuals. Security experts proved these rumors false, finding it close to impossible to link the files to specific Snapchat usernames, with the exception of 320 usernames for which files had been saved in an alternative naming format.

Snapchat would later comment on the leak by blaming third-party apps that bypassed Snapchat's security features:

“We can confirm that Snapchat’s servers were never breached and were not the source of these leaks. Snapchatters were victimized by their use of third-party apps to send and receive Snaps, a practice that we expressly prohibit in our Terms of Use precisely because they compromise our users’ security. We vigilantly monitor the App Store and Google Play for illegal third-party apps and have succeeded in getting many of these removed.”

Owners of the third-party app SnapSaved disputed that it was the source of the leak. In a post on its Facebook account, the company announced that only 500 MB of information had been stolen from its servers. Regardless of how much information was gathered and from where, the fact that many users of Snapchat are underage qualifies some of the contents of the leak as child pornography. This led to Reddit banning many of the discussion boards that featured the file containing images from the Snappening.

Threat Analysis: Operation KKK

Accusations of group membership can be damaging, even if they are untrue. The above video is from a group claiming the mantle of the hacktivist group Anonymous. In it, they announce their intent to release, on November 5, the names and addresses of reported members of the Ku Klux Klan (KKK), which they say they seized from web servers and Twitter accounts belonging to the KKK.

“You are legally free to live and be any which way you choose to live and be. Keep in mind, it is not illegal nor oppressive to hurt your feelings. With that said – We are stripping you of your anonymity. Again. This is our protected speech.” (Emphasis added)

This is not the first time a group claiming to be Anonymous has targeted the KKK. Previously, a group hijacked the KKK’s Twitter account and released personal information of a leading member of the KKK. This time, in a press release dubbing the release Operation KKK, the group cites the KKK’s threats to use lethal force during the Ferguson protests in 2014 as its motivation behind the data release.

In a twist of the story, there has been an early release on Pastebin (which we will not link to) that purportedly names mayors, members of Congress and police officers. However, the accuracy of this and other similar lists has been called into question. These lists have included information such as phone numbers, email addresses and spousal information of the alleged KKK members.

Among the expected denials by various politicians is that of Knoxville Mayor Madeline Rogero. In a Facebook response, she explained that her inclusion in the list does not make any sense. She is a part of an interracial family, has launched initiatives to reduce racial violence and has pushed for LGBT (Lesbian Gay Bisexual Transsexual) rights.

In fact, the Anonymous group behind Operation KKK has denied that the current list on Pastebin came from it.


Regardless of its authenticity, the publication of this information is problematic. As demonstrated by the recent takeover of CIA Director John Brennan’s Verizon and email accounts, a tiny amount of information made public, such as a phone number, can lead to severe consequences for the individual. Likewise, accused membership in a white supremacist group creates a situation where it becomes probable that the information will be used for no good.

Con-Artistry 2.0: Social Engineering CIA Director John Brennan

WIRED recently posted an interview with a “hacker” representing a group who broke into the AOL account of CIA Director John Brennan. Upon examination of his method, we assert that this hacker was in fact a social engineer.

As we have discussed before, social engineering is essentially con-artistry with information technology. It involves obtaining and then violating trust to achieve a specific goal. In this case, the goal was to obtain access to Director Brennan’s account.

Here is how the hacker claims to have done it:

[Chart: BrennanSEChart]

The group behind the account breach began posting screenshots of the documents they obtained to Twitter. One of those documents appears to be the director’s SF-86 application, which is used for background checks. These applications ask for a great deal of personal information, including information on friends and family. They also include:

  • criminal history
  • psychological records
  • past drug use
  • interactions with foreign nationals

If true, this account hijacking could lead to serious repercussions for the director, his job, and his friends and family. The cyclical process of social engineering could lead to more breaches, the theft of his identity and the leaking of sensitive government documents.

We remind readers to follow security best practices, such as not using personal email accounts to handle work-related information.

Threat Analysis: Third Party Apps


Bypassing security in computers can be as easy as tricking someone into downloading something that they should not. This is especially true of third-party apps.

Third party applications are programs written to work within an operating system but were not created by the makers of the operating system. In short, they were not created by one of the big three: Microsoft, Apple, or Linux.

These applications can be standalone, like the YouTube app, or they can be plugins that add functionality to another program, such as AdBlock for the Chrome web browser. This means that the majority of programs, including most anti-virus programs, firewalls and multimedia programs, are third party.

Theoretically speaking, using third party applications can lessen the number and extent of potential vulnerabilities in a system when used to isolate certain functions, such as email, from other applications in the system. The problem is that many third party apps do not isolate themselves. Instead, many want access to other parts of the system.

Many applications are transparent and innocuous in their requests for access, like a photo-alteration program wanting access to your camera and photos. These requests are necessary for the program to work. Other applications are not. One example is ransomware, a malicious program that gains administrative access to the system to “lock” your keyboard or computer and prevent you from accessing your data until you pay a ransom.

One such ransomware is an app called Porn Droid. Porn Droid masquerades as an app for viewing adult videos. The underlying malicious code is known as a LockerPin Trojan, which activates the device's administrator privileges in a hidden underlying window. The malicious code uses this access to take a picture of the user, lock the system and display a message directing the user to send money in the form of Bitcoin to the maker.

Similar applications can be found in application download centers such as the Google Play store, which does not investigate all apps that it makes available for download. Even companies that have strict guidelines on what can enter the marketplace on their devices are susceptible. This has been demonstrated by the release of malware on the Chinese iOS store.

What we learn from these examples is that users must be wary of what they download onto their devices. Every application has the potential to harm the system onto which it was downloaded. Good questions to ask before and after downloading an application include:

  • Do I really need this app?
  • Are there any negative stories about this app online?
  • Does this app really need these system privileges to properly run?

Trolling for the Terrorists: The Many Faces of Joshua Goldberg

In mid-September, a man who went under the Twitter handle “Australi Witness” was charged with illegally distributing information relating to the creation of explosives in a plot to bomb a 9/11 memorial ceremony in Kansas City, Missouri, in violation of Title 18, United States Code, Section 842(p). This arrest was the result of a joint FBI investigation with the Australian Federal Police.

However, all is not what it seems. Australi Witness was an atypical Australian jihadist. In fact, Australi Witness turned out to be neither Australian nor a jihadist. He was instead 20-year-old Joshua Goldberg, a U.S. citizen from Florida. Goldberg was an Internet troll who delighted in creating controversy and upsetting his fellow Internet users.


Law Enforcement and Social Engineering


It is not just the criminals and terrorists who use social media to perform social engineering. Law enforcement agencies have been known to use social media for investigative purposes as well, with varying results.

Private investigators use social engineering techniques to trick people into giving up personal and financial information all of the time. In fact, Kevin Mitnick, the infamous social engineer, worked as a private investigator for several years. It appears as though the police and federal authorities are beginning to adopt these practices as well.

Social media is already a well-established tool of Real-Time Crime Centers for police departments in places such as New York, Houston and Cincinnati. However, there is a difference between passively analyzing social media data to detect crimes and actively using it to investigate. One of those active means involves creating fake social media accounts and using them to gain and exploit the trust of the “bad guys.”

The U.S. Federal Bureau of Investigation has used Facebook to go undercover with false online profiles to communicate with suspects. They have also gathered private information such as the identity of a target’s friends or relatives, postings, photographs and videos through these means.

These methods have not always been viewed as proper by the courts. The U.S. Drug Enforcement Agency was recently sued in civil court by a woman whose likeness in the form of pictures was used in an undercover sting. They ended up settling for 134,000 USD.

This trend appears to indicate that investigative techniques using social media will only grow in the future. Whether or not those techniques will involve social engineering remains unanswered.

Social Engineering for the Terrorists: The Death of Junaid Hussain

On August 28th, 2015, an ISIS hacker named Junaid Hussain was killed in an air strike. While the death of a member of an extremist movement falls outside our usual topics of discussion, it is his job description that is of particular interest here.

Hussain’s job primarily involved online recruitment and propaganda. During his tenure, he is alleged to have been a part of the team responsible for the posting of personal information and financial details of United States military personnel online for others to exploit.

Hussain’s method included aggregating openly available information from the Internet. He then used this information to further ISIS goals, such as breaking into social media accounts, including US Central Command’s Twitter and YouTube accounts, to send pro-ISIS messages. In effect, Hussain was a social engineer.

Hussain had a history of using social engineering skills before he joined ISIS. He pleaded guilty in 2012 to publishing former British Prime Minister Tony Blair’s address book. He accomplished this by gaining access to the email account of one of Blair’s staff. In other words, he found a weak point in their human security and exploited it to further a goal.

This example points to the dual nature of the social engineer. These skills could have proved invaluable in protecting critical information. Instead they were used to perpetuate jihadi goals. This decision ultimately cost Hussain his life.