Wednesday, April 22, 2009
Twitter responds...with exceedingly helpful precanned hints on how to find your best friends...
Their response was:
------------------------------------------------------------------------
## In replies all text above this line is added to the ticket ##
Ticket #204174: Found about 1200 names and ...
Hi,
Thanks for your email. You can search for people on Twitter by keyword, user name, location and more. Information about searching for people is here:
http://help.twitter.com/forums/10711/entries/14022
We're currently experiencing a couple of issues with finding people; if you can't find yourself in search, make sure you've posted updates (so we can index you and your updates.) Profiles that haven't posted updates aren't indexed in search.
Profiles added in the last 8 weeks aren't being indexed by search. We're tracking this problem here:
http://help.twitter.com/forums/31935/entries/29912
Support requests reporting this issue are being closed, as we're aware of and working on the problem. Please check the thread above for updates.
When you're using 'Find People' to look for folks by name or user name, you can only perform 50 searches per hour before you're limited; this is for abuse control and spam prevention. If you hit a search limit using Find People, try checking out Twitter Search's advanced search:
http://search.twitter.com/advanced
If you're not listed in search and your profile is public, we may be investigating your account for a violation listed here:
http://help.twitter.com/forums/26257/entries/18311
If you're sure that doesn't pertain to you and you still can't find yourself or your friends, add your comments here:
http://help.twitter.com/forums/31935/entries/29912
Thanks!
Twitter Support
This email is a service from Twitter Support
------------------------------------------------------------------------
Remember folks, this email is a Service, not a Privilege.
-km
Twitter posts 1200+ accounts with names and phone numbers without their owners' knowledge... gotta be a fan of that!

Twitter posts 1200+ accounts with names and phone numbers without their owners' knowledge... (or Twitter's, quite possibly)
Today (4/11) I was looking up new people to follow on Twitter for fun. I did a search for "303". I looked through most of the list and started seeing some Twitter accounts that all had things in common: CO_(number). That looked curious, so I started clicking on them. Each of them had only a couple of followers and each of them was only following a couple of people. In nearly each case, they were all the same people that they were following and being followed by.
I poked around on the following accounts. One of them was CO_HQ. CO_HQ was following 292 accounts. All of them said the same thing – a name and a phone number. I mentioned it to Ryan, Chris, and PJ about how weird it looked and that I was going to start chasing more of it down.
Ryan has a throwaway phone with an anonymous number, so he dialed one of the numbers just to see what it was. A woman on the other side answered and he asked if it was her correct name and her phone number. She said yes. He asked her if she had ever been on Twitter before. She said no.
Next bit of fun: We started to record another podcast (Exotic Liability Podcast #4) and dialed another number live on the podcast. This woman also had no idea about her name being publicized, as well as her phone number, and we had to explain to her what Twitter was.
I did some more poking around, found another main Twitter account named dc_ev, and found over 1100 accounts that were similar to these two. Some of them were even unlocked, meaning you could just add them to your followers without asking their permission, and just start Tweeting away at them. They were for the following states: MO, VA, CO, NH, WI, and ME among the ones that I saw. I didn't look through all the 1100+ following on the dc_ev account.
I wrote Twitter and explained what I found. We tweeted other friends of ours (thank you Chris Gates) who started looking up the numbers and seeing if there were some connections on Maltego. We both found a political clue on someone’s account about standing in lines at voting polls.
What Chris Gates found gave us some more speculation that they were Republican names and phone numbers. We are speculating that they are grassroots supporters. Either way, it’s a complete violation of their rights on Twitter since they seem to have no knowledge of their accounts and phone numbers. Chris did some more research and said that someone’s account did not protect their updates which gave us the polling clues.
I am anxious to see what Twitter does in response to this…
(note: 4/22/09 …this will be continued soon…trying to gain more information since Twitter has not written me back and I wanted to get this out…pictures coming soon, too.)
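As an added example (not code from the post, from Twitter, or from anyone involved), here is the kind of check a platform trust-and-safety team could run over public profile data to flag the pattern described above: a hub account whose follow list is made of templated usernames, each with a tiny reciprocal follow list and a bio that is nothing but a name and a phone number. The profile records, names and numbers are constructed, and the CO_(number) username template is assumed from the post.

```python
import re

# Constructed sample profiles (not real data), modelled on the pattern described above:
# a hub account, numbered accounts whose whole bio is a name plus a phone number, and
# tiny, mostly reciprocal follow lists. "denver_dev" is an unrelated control account.
PROFILES = [
    {"user": "CO_HQ", "bio": "State HQ",
     "following": ["CO_101", "CO_102", "CO_103"], "followers": ["CO_101", "CO_102", "CO_103"]},
    {"user": "CO_101", "bio": "Jane Example 303-555-0101",
     "following": ["CO_HQ"], "followers": ["CO_HQ", "CO_102"]},
    {"user": "CO_102", "bio": "John Example (303) 555-0102",
     "following": ["CO_HQ", "CO_101"], "followers": ["CO_HQ"]},
    {"user": "CO_103", "bio": "Pat Example 303.555.0103",
     "following": ["CO_HQ"], "followers": ["CO_HQ"]},
    {"user": "denver_dev", "bio": "Rails dev in the 303",
     "following": ["CO_HQ", "bob"], "followers": ["alice"]},
]

PHONE_RE = re.compile(r"\(?\b\d{3}\)?[-.\s]?\d{3}[-.\s]?\d{4}\b")
TEMPLATE_RE = re.compile(r"^[A-Z]{2}_(\d+|HQ)$")  # assumed naming template, e.g. CO_101

def is_pii_only_bio(bio):
    """True when the bio is essentially a personal name plus a phone number and nothing else."""
    if not PHONE_RE.search(bio):
        return False
    leftover_words = re.findall(r"[A-Za-z]+", PHONE_RE.sub("", bio))
    return 1 <= len(leftover_words) <= 4

def find_pii_clusters(profiles, min_size=3):
    """Map each hub account to the templated accounts it follows that follow it back,
    have tiny follow lists, and expose a name and phone number as their whole bio."""
    by_user = {p["user"]: p for p in profiles}
    clusters = {}
    for hub in profiles:
        members = []
        for name in hub["following"]:
            member = by_user.get(name)
            if member is None or not TEMPLATE_RE.match(name):
                continue
            reciprocal = hub["user"] in member["following"]
            tiny = len(member["following"]) + len(member["followers"]) <= 10
            if reciprocal and tiny and is_pii_only_bio(member["bio"]):
                members.append(name)
        if len(members) >= min_size:
            clusters[hub["user"]] = sorted(members)
    return clusters

if __name__ == "__main__":
    for hub, members in find_pii_clusters(PROFILES).items():
        print(f"{hub}: {len(members)} templated accounts exposing name+phone: {members}")
```

On the sample data only CO_HQ is reported; denver_dev follows the hub but is neither templated nor exposing a phone number, so it is not flagged.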
Monday, April 6, 2009
Why NOT to pick padlocks on a Flight
enjoy
Current mood: cynical. Category: Life

Wow... Where to start.. Great!! Now the whole plane starts freaking out. People are clamoring about guns, knives, bombs, and the best..... how I am some sort of terrorist. Yep, ME... working all my life to secure this country and the businesses within it.... A TERRORIST! The next was my favorite.

Attendant (to the other attendant as well as the pilot, but loud enough for the first 10 rows to hear): I think he may be some sort of terrorist. He says he works for the government, but I just don't know. I don't believe him.

Fantastic. I am going out of my way to go to Pittsburgh to see my girlfriend and attend her Grandfather's 80th birthday, meeting the ENTIRE family and ALL of her old friends from growing up there. I thought that was stressful.. HAHA.. Now I have to worry about the passengers, crew, and whatever is waiting back at the gate. Maybe I will be meeting Grandpa from a pretty urn or a conference call from the hospital. Finally the pilot chimes in.

Pilot: One of our attendants has identified a major security risk on the flight and we will be going back to the O'Hare gate to further investigate.

Whew.... At least we aren't gonna fly around so one of these 9/11-scared maniac sheep of American society, back in the bowels of the plane, can try and be a hero and toss me out. I may have a shot at living through the ignorance of this stress-addled icon of customer service flight attendant. We arrive at the gate... flashing lights all over... and I stand up to get my cell phone. Fortunately I know a lot of government and TSA contacts that I have done work for. I spam every person I know that can vouch for who I am and what I can do. I am met mid-ascent to the overhead baggage by our first hero in the back.

Hero: SIT DOWN!!!!

Me: (obviously this guy is gonna save this freshly docked plane from the bad terrorist before the cops do... his one big shot at TV glory, oh man... what now?) Hey man, I am just getting my phone... there is a huge misunderstanding... It's all ok.

Hero: SIT THE F*%& DOWN BEFORE I COME UP THERE AND MAKE YOU SIT (**cheered on by a few other passengers chorusing in**)

I sit down and disengage.. right as the plane stops and attaches to the catwalk. As soon as the door of the jet flings open, the crew quickly scoots outside. No announcement to the passengers... nothing... Gotta love that?!? I would have been terrified if I was in the back of that flight. They are off the plane for almost 20 min when an agent from TSA sticks his badge-laden hat through the door. I nod and walk out. I am met by Chicago Police officials, the TSA Chief, a TSA Lieutenant, and the Captain/Co-Captain of the flight. The first thing I am met with is the Captain of the flight with his hand extended. Naturally I bounce out of the plane and say "Hey guys, what's up?" I was as American as baseball and apple pie. I walk up to the captain and shake his hand.

Captain: "Mr. Nickerson.... We are REALLY sorry about this mess. Our flight attendant did not know that you are allowed to have these and she really handled the situation inappropriately! We are so sorry!"

Me: "Right on... I understand, but that was really crazy. I tried to give them to her and explain, but she wouldn't stop yelling at me."

Chicago Police: "We are sorry Chris.... We understand that these are tools of your trade and appreciate what you guys do. This is not something we have ever run into before here."

TSA: "We apologize for the situation; did you bring those through our checkpoints?"

Me: "NO, but I have many times. Every time I fly I hand them to TSA before screening my bags. This way they can approve and check them out."

TSA: "Oh, well you shouldn't have those but we..."

Chicago Police: "Give Him Back his TOOLS!!"

As they snatch it from his hands and toss it at me I tell the clan thanks... etc... and start making my way back on the jet. The captain calls out.

Captain: "So.. I have to ask... how long would it take to get through the lock on that door?"

Me: "What???? Um...." *Blown away by the question, I walk on the plane... look at the lock and come back* "Prolly 30+ min if ever... it's a Medeco... those kick ass."

Captain: "Great, I never knew.." *as he puts a hand on my back like I was his frat buddy and marches up the catwalk with me*

He proceeds to make an announcement to the passengers about how I was a security professional and WAS supposed to have what I did and that they were totally safe and not to worry.

Beware.... Please....
Wednesday, March 11, 2009
SE Webcast
This was a really fun webcast I had the pleasure of doing with Mike Murray and Don from EH.NET. I am pumped about working on the SE Masterclass with Mike. He is a huge resource in the SE community and we are setting the bar impossibly high for this class.
The info:
In this 1-hour webcast, you'll be taken on a whirlwind adventure back to the days of the first charlatan, forward to the dawn of the Internet and smack dab into the present where these two topics are merging to form the most effective attacks to date.
Topics include:
- Brief history
- How do I utilize recon data in a SE attack
- Highly effective client-side attacks combining SE with exploit frameworks like Core IMPACT & Metasploit
- Business value in adding SE to your pen testing efforts
- How to learn what they know
It has become imperative to assemble a world-class team of experts to train professionals on the technologies and methods of the most dangerous and costly attackers, social engineers. ChicagoCon has responded with the first ever offering of the Social Engineering Master Class, developed and taught by Mike and Chris from May 4 - 8, 2009. For more information, please visit www.chicagocon.com/2009s/semasterclass.html.
If you are looking for a class to show you a new way to ask for a password or silly parlor tricks to mess with someone's head, then this course is not for you! If, however, you desire to uncover advanced level material of both a technical and psychological manner, and learn the repeatable methods to gather intelligence, execute attacks, manipulate situations, and formally track a company's susceptibility to social engineering... and be able to mess with someone's head, then there simply is no other course like this in the world.
Two additional announcements:
- After the live event, come right back to this thread to talk to Chris and Mike.
- A coupon code for a huge discount to the Social Engineering Master Class at ChicagoCon 2009s will be shown during the webcast. Don't miss it!!
HERE IT IS!
http://www.ethicalhacker.net/content/view/242/2/
If you want to ask questions or make comments about the class, we have opened up a thread on EH net to keep the interaction going.
http://www.ethicalhacker.net/component/option,com_smf/Itemid,54/topic,3616.0/
Monday, March 9, 2009
Webcast: Modern Social Engineering - A Vital Component of Pen Testing
I thought I would post this one a bit off to let you know about a webcast I am hosting on Social Engineering.
Info below. PS!! The REAL reason to go: there is a $1000 coupon to our SE Master Class during ChicagoCON!
The world of Information Security is changing. Budgets are tighter, attacks are more sophisticated, and the corporate network is no longer the low hanging fruit. That leaves web-enabled applications as the vector-du-jour, but that well is quickly drying up for organized crime as well. As they creep up the OSI Model looking for easier ways to steal your corporate assets, they are quickly making their way up the stack to the unspoken 8th layer, the end user. So what is the next step in the never-ending escalation of this cyber war?
To find out, we must do as Sun Tzu taught. "Think like our enemy!" That is, after all, the primary tenet of penetration testing AKA ethical hacking, isn't it? After years of hardening physical systems, networks, OSs, and applications, we have now come full circle to a new dawn of attack. People are now the target of the advanced hacker, and the cross-hairs are focused squarely on their foreheads... literally. It is only a matter of time before corporations feel the pain of wetware hacking requiring a new approach to testing and defense.
Join world-renowned social engineers, Chris Nickerson of TruTV's Tiger Team and noted expert and international speaker, Mike Murray, as they prepare you for the future of pen testing. This webcast on Tuesday March 10, 2009 at 11:00 CST is your primer to the world of "Modern Social Engineering."
Register:
https://www2.gotomeeting.com/register/627910728
Monday, February 23, 2009
What's to come?!
GENERAL TOPICS
Social Engineering
- What the hell is going on this year? There are attacks getting posted every day and no one cares? No news? No action? *I plan on taking on this issue and talking about the modern spin doctors of security and the ways to start firing up community and business alike to stop the bleeding sieve.
- Security Testing/Services companies. Are there any good shops out there? How can you tell, what questions to ask of them, and what is the difference between security value and slick marketing? I'm gonna rant for a while here because this one drives me crazy.
- PAPER TIGERS and the fall of consulting. I want to explore the new era of security engineers. I think that the testing/services shops are just as much to blame OR EVEN MORE to blame than the companies getting hacked. Come on, let's hire a $50/hr fighter who's never been in the ring to train us for our Pay-Per-View Main Event.
- Training Security engineers. Too much tech and not enough business makes Mr. Engineer a worthless commodity.
- How to spend your security dollar and get free testing towards your compliance initiatives. This will detail the use of techniques to review the business objectives, long/short term security strategy, and the pertinent risk to how they interact. There is a way to spend FAR less and gain exponential protection. * I'll do this one sooner than later, as everyone is sweating the budget crunch.
- Where to get started. How to drink the ocean of security and protection strategies one sip at a time. This will come from the perspective of the many engagements we have done as VIRTUAL CSOs for large and small organizations. The meat of this will be how to stay calm under fire and create a reasonable goal-oriented security program founded on ROI, not just fear. ** after all.. I don't see a lot of people scared right now after 2 major processors got hit?!?
Random others:
- The modern Social engineer and the talents needed to ACTUALLY provide value. This will go over the skills needed in the SE space to truly provide value from a service provider perspective. How to integrate into testing methodologies and find results that clients can take action on.
- THE METHOD: SE in 5 distinct phases (Intelligence Collection, Vulnerability Analysis, Planning, Exploitation, and Digging for the gold). If I hear one more person rant to me about how SE is not repeatable and it is a service that lies only on the skill of the engineer I am going to lose it. SE is a method. It has distinct steps: Intel, Vulns, exploits and *shells*. I will start to outline what those are and how to make it something that can be Tracked and trended EVERY time.
- Information gathering. The most important skill. If you didn't get in... it's probably because of poor Intel work. Let's take another look at how and what we need to collect in Intel and Recon.
- Exploitation tech: the real technology in SE. This one will probably be a few posts.
- Client side attacking in SE projects and how/why you MUST be doing it
- Phishing in Pen-tests and how/why you MUST be doing it.
- Revisiting google for SE. Tips and tricks on getting the information you need in a Red Team/SE event are very different than the gdork that you are used to.
- War stories: entertaining tales from the front line of Red Team/SE and other Risk assessments.
- The security sales game.
- Behind the scenes. The really fun stuff that happened during Tiger Team ( not safe for TV)
- and more..
I hope to provide an outlet to vent research, sleepless nights, 10 hour introspective flights, experiences, and what I have learned about security thus far. I also make this disclaimer... I'm not an expert... I just play one on TV =o)
On we go.