Arnauld Mascret (Security Researcher, Sogeti / ESEC)
PRESENTATION TITLE: Whistling Over the Wire
PRESENTATION ABSTRACT:
Two years ago, we showed how to use social web sites to identify a target in a company using LinkedIn, then learn about his computer and compromise it using a malicious application on Facebook (HITB Dubai 2010).
Since then, we chose to take a closer look at Twitter. Its purpose is to allow quick and easy publication of small content to a large number of people that you don’t necessarily know. By design, Twitter doesn’t raise the same privacy issues as other platforms, but even if the amount of available information may seem smaller or not as well defined as on other social platforms, there is still a lot to learn about a target, like his contacts, his sources of information and sometimes the application or OS used. We will present a new method to gather this data and analyse it.
During our work on Twitter, we also took a closer look at URL shortening services. Using redirection to access a website gives a lot of possibilities to the owner of the redirection service. We know these services are used a lot in phishing campaigns, but we ran experiments to understand if they could also be used for a targeted attack. We will present our results and how URL shortening services may be used by an attacker to consolidate data previously gathered or even to finalize an attack.
ABOUT ARNAULD MASCRET
Arnauld Mascret has been a security researcher at Sogeti/ESEC since 2009. He has been working on information gathering from open sources, and more specifically via social media.