Well, ShmooCon started almost a week ago and it's about time to post something. First and foremost, all of the talks were outstanding and I'll probably wind up talking about most of them but I wanted to start with one that stuck out - URL Enlargement: Is it for You? by Daniel Crowley.
We all have seen URL shorteners. Many Twitter clients utilize them automatically. If you haven't seem one, check out www.tinyrul.com. Basically, you put a URL of any length in and you get a shortened version back out. For example, if I enter http://nwnsecurity.blogspot.com, I get back http://tinyurl.com/4v9e7w7. Now that's a savings of only 5 characters. That's not much but could help when using something like Twitter. If you are talking about longer URLs, the savings can be significant.
OK, that's convenient but what does that have to do with information security? Here's where the fun part begins. Check out this link - http://tinyurl.com/4g8gfpk No, really! I promise there's no malware there. In fact, it won't actually point to a web page. Just check out the URL that it resolves to. If you don't want to actually click on the like, check out http://www.longurlplease.com/ or http://www.longurl.org/.
OK, so we've established that URL shortening can be used to circumvent DLP systems. What else can it do? Well, a while back Billy Hoffman (a.k.a. Acidus) created a tool called TinyDisk. It is basically a file system that utilizes TinyURL (or other shortener) for storage. Now you can upload large data files to a stealth file system. That's cool. Unfortunately, I did some quick checking and couldn't find TinyDisk available for download. I'm sure it's out there but I couldn't find it with the 2 minutes of checking I did.
We've established that URL shortening can be used to establish covert channels but there are some other uses that I found to be particularly interesting.
When performing social engineering, will a user click on a link to http://www.somethingevil.com. Probably. But let's assume that the user is paying attention. They might think twice about clicking on somethingevil but what about clicking on http://tinyurl.com/o5h7wv. Now that's a completely different story. URL shorteners can be used to hide the javascript tags in a cross-site scripting attack or other URL parameters that might give away what you are really trying to do.
Also, when a user clicks on a shortened URL, their browser actually connects to the URL shortening service server and that server refers them to the final destination. If you are doing penetration testing and want to track who clicked on what, you can send different people URLs to the same site that were shortened by different URL shorteners. That way, tracking the referred will allow you to identify who clicked what.
One last point. What would happen if you encoded malware in base-64 and shortened that via a URL shortener? Hmmmmm.
Thanks Daniel for an excellent talk. Now off to the URL shortening.
Thursday, February 3, 2011
Subscribe to:
Posts (Atom)
Posts
