Welcome to Social Zombies. Your friends want to eat your brains. Thanks for coming out. No, it's the last talk at DefCon. So we appreciate it. This movie is starring... I'm Tom Eston. Man, that freaks me out every time I see that. Yeah, I am hungry. I want brains. By day, I'm a penetration tester for a large Fortune 500 financial institution. And by night, I am a social media security researcher, co-host of the Security Justice Podcast, and a blogger. And I also am a zombie, apparently. Yeah, we have photographic proof. That really scares me, this picture. My wife loves this picture. So what you see here is truth in media news. You got zombies on TV, and they label them hackers. This is not Photoshopped. At all.

I'm Kevin Johnson. I work for InGuardians as a security consultant. I also teach the web penetration testing class for SANS, and I'm a nerd. I run more open source projects than anybody should have time for, and I don't sleep. Pretty much covers it. So real quick, I want to make sure that we are not these kind of zombies. Okay? Not zombie strippers at all. All clothes will remain on. Kevin's clothes will remain on the entire presentation. And mine too. Yes, please. Sorry. And if any of you people were at the adult night clubs in Vegas, if you saw this on stage, leave immediately, or you better be packing a shotgun. Aim for the head. That is a health violation. You are right, sir.

So, we're here to talk about social networks, and social networks are the new hotness. Let's face it. Raise your hands. How many of your parents are on Facebook? Oh, my God. How many of you are connected to your parents on Facebook? Block them immediately. Yeah, my mother came to me and was like, Tom, I got this new Facebook account. I'm like, find out where the delete button is and remove it. Don't even go there. So it just goes to show everybody is using social networks, even your parents. Scary. So Facebook, right? This is the big daddy, the big daddy of them all.
Facebook has 250 million users. That's a lot of freaking people to attack. Seriously. That is the purpose of Facebook, right? Yeah. MySpace, the cesspool of the internet, or as I like to call it, social GeoCities. Yeah. I mean, seriously, guys, it really is. 110 million users. That number is actually decreasing, believe it or not, because Facebook has just taken over. People are getting tased. They have to just go away altogether. So here it is, Twitter. Twitter is the fastest growing social network right now. It actually grew in 2008 by 752%. That's crazy. It's crazy. Just in June of 2009, 20 million visitors, and they estimate, because Twitter doesn't like to give out the numbers of accounts they have, but they're saying 50 million users. So that's still a lot of people, and that's growing every day.

So, interesting statistic here. This was a quote from a Nielsen online report, which was done in March of this year. And it says, basically, social networks and blogs are now the fourth most popular online activity, which is even ahead of personal email. So you think about that, and from an attack standpoint, you know how spam has always been the major problem, and attackers are going through email and things like that. Well, now this kind of shows the shift from email all the way to the social network attack platform, which is what we're going to talk about today.

So money, right? Social networks are all about money. We know they're all startups, right? And you really, you think about a startup, and how do they make money? Well, they make money through a couple of ways. It's basically the information that you share, right? Everything that you put up in your social network profile, whether it be Twitter, MySpace, Facebook, Hi5, whatever it be, they take that information and they use that for targeted advertising. They also use it to sell demographic info about you to third parties.
All of this is stated in their terms of service and privacy policies, which no one reads anyway, but you should. How many of you have read them? Really? How many of you read them before Facebook changed their profile about deleting the accounts? I thought so.

So, which leads us to trust, right? Social networks. It's all about trust. Trust really is everything. It's how social networks work. Without trust, there would be no social networks. Trust is important for a couple of reasons. Well, first of all, the attackers love trust relationships because they like to exploit your friends, because you trust your friends, and when you get a malicious link from your friend, you're just like, hey, it's from John. It looks kind of weird, but I trust him, so I'm going to click on it. With social networks, most people will tell you, I don't trust Facebook, I don't trust MySpace, but when you really talk to them, they take the trust from their friends and move it into that social network. When they're sitting there in front of that screen and they see that link or they see that questionnaire, top 15 questions, right? Let me know about you. They're going to answer them. They're going to click them because that trust they have in the real world carries over.

So, let's talk about some fake profiles. So I spoke at Notacon 6 this year and we did a little game called Bot or Not. You've heard of Hot or Not, right? Well, we did Bot or Not. So here's some samples here. Obviously, this one right here, 0EPB4A, is a bot. Pretty obvious. She's a hot chick, first of all, because all bots are hot chicks. For some strange reason, I still haven't figured this out, but fake profiles, they just love to use hot chicks. We'll click them. We click them, exactly. And she wants to sell you a free laptop and she's using a strange TinyURL. People click it, trust me. Now here's Jennifer. This is a fake profile on Facebook that was created using some tools which we'll get into. Looks pretty legitimate.
She's got friends. She's actually in conversations. You couldn't really tell the difference. She's a hot chick. And a bot. And a bot. How many of you are friends with Jennifer? How many of you are friends with Rick Astley? There's no way Rick Astley could be a bot. Never. For real. Can't trust worthy. Well, he is. I created real Rick Astley because I had the plan of Rickrolling Twitter at one point. But it says he's real. He is. That is the real Rick Astley. Absolutely. This actually does not even violate Twitter's terms of service because you are allowed to create parody accounts. So the link to the website is actually Rick's real website. And I just pulled information off of his website. So if anything, he got some publicity for his upcoming events.

But what's interesting is when you start following people with Rick Astley using our bot, you get some interesting types of replies. You know, no way this is the real Rick Astley. Website is too crap to be Rick Astley. There's no way. Yeah, you get, you know, assuming this is the real Rick Astley. Claims to be the real deal. I'm getting Rickrolled. You might be. Someone said it was probably an ad for porn sites. Wouldn't that be cool? This guy here says that being followed by him and Governor Schwarzenegger on the same day is life affirming. I couldn't agree more. This is the real Rick Astley on Twitter. If so, he's going to blow up on here big time. Hey, Rickroll him. Will Rickroll you? This is the best one. I'm so excited. My 80s heartthrob just found me and is following me. Rick Astley, I followed him back. Love him bunches. We're hoping not to break her heart by having her watch the video. Yeah.

So what's the point, right? The point is that you can be anybody you want to be on a social network. There's no way to verify who you are on a social network. No authentication process.
So you go up, want to be a celebrity, want to be a movie star, whoever you want to be, just get a little creative and you can do that. And then add some bots, you know, scripts and software to that. And you have the potential for all kinds of interesting things.

Privacy concerns. You're kidding me. There's privacy concerns with social networks? I'm not concerned. I'm not either. Yeah. Who cares about that stuff, right? Anybody get those 25 random things about you on Facebook from your friends? Be honest. Why don't you tell them a little story, Kevin? Frank Dimazio and I sat down one day and we actually went through and picked 15 of the most common password reset questions that we come across, both in my work, his research, and we collected them, posted them as a note on our Facebook profiles, didn't ask people to fill it out. We just answered the questions ourselves. They just did. Yeah. Why not, right? Our information isn't private, Facebook's got it. Before we knew it, you know, hundreds of people had picked up this questionnaire themselves, copied it off of our profile or their friends' profiles, answered the questions, and then of course tagged their friends to answer the questions. Because really, if you're going to give out all your personal information, let your friend do it with you. Absolutely. Right? Now the sad part about this is, if you look at my Facebook network, there are security professionals in my Facebook network who answered the questions. There are help desk personnel, people who ask these questions every day to reset passwords. Some of them might be CISSPs. Oh no, I'll guarantee you they were CISSPs. And they answered the questions and they spread it around. It actually got to the point where Frank and I sat down one day and we're like, we're feeling guilty. It's like, do you want to notify these people? They just screwed themselves. Nah. Yeah, it's amazing.

So corporate espionage, right?
Because there's so much information out there on social networks, but companies are using social networks now. They're using Facebook, they're using Twitter, they're using all kinds of things. LinkedIn, they're putting everything up there. This is a goldmine of information for an attacker or for the competition or anybody that wants to do some harm to a company. If you're doing a pen test and you're not looking at social network sites, fail. Absolutely. You know, we regularly start a pen test with recon, right? Let's look around, see what information is leaking. Leaking. LinkedIn leaking. Exactly. Leaked in. It should be what it's called. Yeah, that's great. That's good. Here's some screenshots of Bank of America on LinkedIn. I'm just picking on the biggest bank. But these guys, I mean, you can find everything just by going to the page on LinkedIn. Current employees, former employees, their titles. I mean, there's some systems engineers in there, architects, security people. It's all in there and these people are ripe for targeting. But Tom, it says right there, don't apply if you're not a current or former employee. Yeah, yeah, yeah. I can't do that. I could get my account banned and, you know, what would happen then? Yeah. I'd have to create another account. Because the two people running that group know all what, 87 bajillion people? Yeah, there's 9,000 people in that group. Exactly. Yeah.

So what about default privacy settings? There's got to be some kind of security or privacy settings in these social networks, right? Well, there are in some. I mean, and they purposely bury them for various reasons. Like I said, going back to the fact that they want you to share as much information as possible. But Facebook is interesting. They actually have the best controls of any social network, believe it or not. But do you know where they are? Do your friends and family, do you, or they even care? Honestly.
So what I did was I created a Facebook privacy and security guide late last year. And it just basically goes through what's the baseline for privacy settings in Facebook. And then you can change that based on your risk level and things like that. So we're probably going to be releasing a video pretty soon that's going to show a walk-through, very similar to this guide that you can download from a site I'll be talking about later.

Security concerns. No security concerns either with social networks. That's crazy. Guess what, guys? Social networks are the number one target right now for malware. Absolutely, hands down. That's where everybody, all the attackers are going because that's where the people are going. Spam, everything from, we've seen our web vulnerabilities, typical web vulnerabilities, cross-site scripting, CSRF, everything else. It's all out there. Interestingly enough, with disinformation, especially on Twitter, a recent example here at DEF CON yesterday, talking about the virus on the DEF CON CD. Somebody had tweeted that and said this is confirmed. There is a virus on the CD, on Twitter, and everybody's retweeting this and a lot of people were believing that. And then there was a statement from Jeff Moss that said there is no virus. Disinformation, and it spreads viral on Twitter. It's funny, though, how the "confirmed not there" doesn't spread as quickly. Right. Yeah. Yeah, exactly.

So some recent examples here with Twitter. There was the "Don't Click" clickjacking attempt. You may remember that with the hidden iframe under the "Don't Click" button. You may have clicked on it. You may have clicked on it. You know, fairly harmless, but really just shows you how a worm can spread throughout Twitter. The other one is the StalkDaily and/or Mikeyy cross-site scripting, where there was no input validation in the location field on your profile.
So if you had clicked on that link, it would add some nice JavaScript into your location profile and then it would tweet on your behalf to go to StalkDaily. And so with your friends, all you had to do is look at somebody's profile. That's it.

Here's my favorite one. Koobface. So Koobface is an interesting one. I like to call this like recycled exploits. Koobface originally started on MySpace, then it moved to Facebook, and now we're seeing it on Twitter. It's going across different social networks, which is really interesting. It exploits trust, because when your friends click on the link, which looks like it's coming from one of your friends: there's a funny video posted about you. So haha, I'm going to go see this video of me, and it asks you to install a codec, which we know the codec is not really a codec. It's bad. I still can't get over that. It's 2009. People still install codecs, because people still do install codecs. The internet told me to. Yes. Yes. And so this is very effective. So when they install the codec, it takes over your computer and then it starts logging into your social network sites and then starts sending out these links to all your friends and the cycle continues.

So social network bots. So there's lots of ways that you can deliver malware and other kinds of things through social networks with bots. So we've got Twitter bots, right? We have not-a-bot, which is a bot that I created, which just basically goes around every hour and gives you complete nothing, just totally useful information or useless, depending how you look at it. I follow it. Of course. Of course. He brightens your day. Let's put it that way. It does. It does. There's other bots that have some actual purpose, like forecast. You send your zip code and you get the weather back. Hey, cool. That's kind of neat. I'm sure nobody uses it, but apparently 5,000 people are following it. Look out the window. Yeah. But there's lots of different automated tools, right?
We've got automated tools, like GUI-based tools. There's one called Webdom. There's another one here that's just some custom script stuff, UBOT. These are all really crappy Windows applications that somebody made in a .NET framework. They crash all the time, but you know what? They're point and click and they're really easy to use to send out mass friend requests, send out messages, CAPTCHA bypass. It's all out there. So if you don't want to download the free stuff, there's pay services too. So for $19.95, you can go to addnewfriends.com and get whatever you want, send anything you want to your friends. There's lots of stuff out there and there's a lot of money to be made by making bots and bot services.

What about botnets, right? This is the real cool stuff. So what about Facebook apps as bots? There was a researcher that created something called Facebot, which was a proof of concept distributed denial of service Facebook app, so that if people installed this app, they would basically have a website targeted within the code, and at the same time, coordinated with whoever was controlling the app, it would do a basic distributed denial of service to a website. Pretty scary, especially if you had, you know, five million people install it. The other one, which I guess is actually kind of funny, in the news there was a developer who wrote a Facebook app and it basically DDoS'd himself. Yeah, yeah, because he wrote crappy code, which is another part of the problem, which Kevin will probably talk about, you know, these guys don't know what they're doing when they're writing Facebook apps. Well, the biggest part of the problem there is one, we can go without saying that most people who call themselves developers should be punched. Right? Security through pain. Yeah, hello. Yes, sometimes. I didn't say I was a good developer though.
So, but even when you've got developers who know what they're doing and know how to architect code securely, have you looked at the API documentation from Facebook and MySpace? As I've said many times before, I think the people who wrote it are on crack. It gives horrible examples. Most of the stuff it talks about either doesn't work or is insecure. They update the Facebook API faster than they update the documentation, and there's 87 billion tutorials floating on the Internet that are better written but more incorrect. And so these people who are trying to develop the websites and trying the web applications to embed within Facebook or MySpace, they've started out at a disadvantage. We might as well just have them shut their eyes, bang on the keyboard, and then publish it to a web server.

So, in terms of botnets, right, what if you had a bot that looked for commands on legitimate Twitter accounts and then takes action on a victim PC based on the command. So, you're looking for a way to deliver malware or malicious payloads onto victims' PCs. Kind of like IRC command and control, but let's do it over a social network, right? Nobody would want to do that. And no one would want to do that, right, because everyone's using social networks. So, at Notacon, I released Robin Wood's (DigiNinja) work on Twitter. He created a bot called Twitterbot. And what Twitterbot does is, the control piece is basically a bot that runs in Ruby on the victim machine and it looks for commands. So, in this example here, it's looking for commands from a Twitter account, and then the control portion will actually send a command to it. So, you can see here it's doing a simple ping. The bot sees the ping and then runs the ping on the machine. Pretty cool, right? Well, we're going to introduce KreiosC2, which is the new version of Robin Wood's fantastic code. So, KreiosC2 is just like I explained, but this new version provides encrypted commands and checksums, which it didn't do before.
So, now when things are posted to Twitter from the bot, it's encrypted. And it looks just like kind of harmless gobbledygook, which is decrypted by the victim machine and run.

So, let's do a demo. So, in the demo, what we're going to show you is, it comes up. On the left, you have the Twitterbot code that's running looking for commands. So, this is like the victim PC that it's installed on. Looking for commands. So, on the attacker, I'm going to send a language change command. So, basically, it's sending English commands like the original Twitterbot did, and now what it's doing is it's going to change that to the encrypted command. So, here is the evil bot. This is the bot that I've configured to look for commands. It's changing the language. In a second here, you will see it's changed the language on the victim PC. There it is. So, you can see it has changed it to encrypted. So, now it's going to look for encrypted commands from that other bot. Now, of course, our attacker is using the fine BackTrack 4 distribution. So, he's getting ready because he wants to connect to that victim PC through Netcat. So, we are going to send a command. We're going to send a Netcat listener command on that victim PC so we can get a remote backdoor into it. The command is run. You can see it's sending the message. The message is encrypted, and it says execute command sent. And there you have it. The process of the command decrypts the message, checks the checksum, makes sure it's the right one from the bot, and then executes the command. Go back to the Twitter page so you can see what the command looks like encrypted. Well, the bot continues to look for more commands. Refresh the page. And there it is. That's what it looks like on Twitter. And then as the attacker, I'm going to connect to Netcat. And I am now agent 0x0. Cool. Remote backdoor through a social network. Pretty cool. So, now are you ready for the zombie attack? Yeah.
So, what we're going to start talking about is, up till now, the previous section was KreiosC2, we're talking about the normal bots that people are used to, the things we've been talking about for years. Bots, new and cool, newness. Hotness. Hotness, yeah. No, hotness is Facebook. It's all hotness. Yeah. Now we're going to start talking about browser-based bots, which is a place I love to play. Because our browsers, they hate us. You're kidding. No. Somebody needs to tell Germany that IE is a hacker tool. It would work. So is knowing it's gotus, by the way. But, browsers are getting more feature-rich. We're demanding our browsers to do more. We're no longer happy with the gray background, the black text, and the blue links. I'm old. We have to add Flash, Silverlight, Java. Every new feature. Heck, Chrome is talking about, and already doing it, supporting Python as a client-side scripting language. Lots of crack being smoked there. Nothing can go wrong there. Yeah.

So with these features and the complexity, let's forget about the typical exploits that people can patch for. Let's forget about the one-offs and the buffer overflows and all the other ways we've typically attacked websites. Let's start using the features our users will not turn off, or can't, to abuse them. And we're going to take those features and start beating the users about the head. We'll talk about zombies, browser zombies. They're typically bots, but we had to come up with a new name for it, so we did. Zombies are cool. Yeah, zombies are cooler than bots. Bots don't eat brains. No. It uses JavaScript, and the JavaScript gets shoved down into the browser, starts running, executing, and it hooks that browser. Basically, the JavaScript reports back to a controller, which we're going to show you in a second. And when that controller sends commands, the JavaScript is going to interpret it and run it. And so we have control. We can tell that browser to go check out other websites.
We can find out what pages people have visited, all kinds of coolness. Now, we talk about JavaScript, but most of the technologies we're using can do it. You can hook a browser with Flash. You can hook a browser with a Java applet. This all is available to us. Now, I don't know about you, but I'm lazy. And the frameworks to do this have already been built. We've got things like BeEF. Thank you, Wade. BeEF is awesome. Everybody needs to buy Wade a beer. Or several. Or several. Yes. BeEF and BrowserRider, these are frameworks that have a controller, and they have all of the JavaScript and other logic built in, pre-built, ready to go, so that when you hook that browser with the hook provided by that framework, you have the ability to then send the commands down. Issue the options you want it to do. Tell it, hey, go check out this website. Let's have all of the browsers we have control of go visit Amazon to buy Kindles. Sorry. Right? So you've got the browsers.

But the browser-based zombies, how are we going to hook them? Well, let's use our social networks because they give us the functionality to embed third-party applications. We might as well just call them evil. They're evil. They are. These soc nets give us the ability. Now, we have multiple options here, right? When we write these third-party applications, we can deliver them via an iframe that's injected. Now, that's simple, but not so cool. Let's actually use the APIs to push the JavaScript down. You know, when Facebook first released its API, they didn't allow JavaScript, and we applauded them. Well, we did, right? We were a little disappointed. And developers complained, and other people said, no, no, no, we need that functionality. We need to be able to push it. So the APIs now support JavaScript. They now support Ajax calls, because nothing could ever go wrong with allowing Ajax calls within the scope of your application.
Oh, by the way, those are Ajax calls that some other third-party developer, possibly an idiot, wrote. So why do we need this? Why in the world would you allow this? If you developed your own social network site, why would you allow the developers who you have no control over, you haven't even verified, just somebody who knows how to fill out a form, why would you let them do that? Oh, yeah, Mafia Wars. That's it, folks, right there, Mafia Wars. That's the entire purpose. And how many people here play? Two people? It has to be more than two people. You're all lying. Yeah.

So we're going to show you hooking the browser right now with a tool that we're going to discuss in a second. But Social Butterfly. So what you've got here is the BrowserRider management interface, the console that the attacker is given. Off to the left is a list, blank currently, of zombies that you have hooked. And off to the other side are all of the options, the features, the plugins, the payloads. So you've got your payloads with all your exploits. Hey, let's run this JavaScript. Let's cause this pop-up. Let's steal this cookie. And then down below it, you have your payloads, which are similar to plugins, but they change when the attack launches, that you can say, hey, only do this if the referer is, and fill in the blank. So if you only want to grab people coming in from Facebook, or you only want to grab people coming in from MySpace. So you've got this. If we can click. At this point we're going to open up a new tab. We're now the victim. And we're browsing to a really cool application. Zombie Smiles. Don't add anything called Zombie Smiles. No, please do. Well, yeah, okay. And so you get a smile. And we even warn you, right? Denise's mood today? Evil. It's bad. You never want to click on something when they already told you they're evil. In this page is an API call which pushes down and allows an iframe to be pushed to the browser, which loads the BrowserRider hook.
At this point you may not know it, but we already have control of the browser. We come back over and you'll notice we've got a zombie. And look at the inordinate, huge amount of detail that Facebook passes up through the referer tag. All about that person. We're not even getting into the API calls. We could have done it at this point. It's all in that white box up there that you see. Yeah. The mouse-over. It's hard to read right now, but all information about who the person is, what they're doing, what their active session is, all information that we can then use against you. And at this point we go look at the zombie. We see information about it. And then we have all of these plugins we can now launch against that one person in this dropdown. You know, execute JavaScript, cause this pop-up, tell them to go to this website, whatever. Pwned. Yeah, definitely.

But let's go to something else, which I think is even more important. You know, it's kind of cool to hook browsers, right? I've got control of your browser and have you go surf to websites and do whatever I want. But I don't know about you, but in my opinion, information is king. As a penetration tester, the more information I have about your company, the more information I have about you, the better it is that I can attack you. We do it constantly. We go out to social network sites. We get full information about people who say they work there, and then use that to reset their password by answering their secret questions. Or we do social engineering attacks. And we take complete control of these networks. But the problem we run into is that's all client-side. We're limited to what we can see and what we can crawl and what we can parse from that side. So let's move into server-side information collection, right? Oh, I've got the control in my hand. So this information can give us access, right? And social networks, as we've already talked about and you already know, are littered with this information.
And I will tell you that as somebody who has manually parsed through thousands of MySpace pages... Because you wanted to? No. If I see another middle-class emo kid complaining about his parents not buying him a Porsche, they're all over the place. So why don't we connect it together, right? How? Third-party apps. It's a theme there, right? Any time somebody comes to you and says, hey, let's add third-party app capability to our website. Throat punch them. Several times. Yeah, the first time doesn't work. Do it again. Third-party apps have access to everything. All of your information. You get that little invite, right? You got a pillow thrown at you. Do you want to throw it back? No. I'm 36. I haven't thrown a pillow in years. Okay, not true. Liar. Once the user says yes, and how many users do you know won't say yes? They always say yes. Yes is, it's so nice. You got to be friendly. That's what my parents taught me. Of course. Right. Once that user says yes, you have access to it. Not their information. You have access to their information. You have access to portions of their friends' information. Even better. Oh, yeah. Let's start building maps of who's related to who and who knows each other and who works at the same company. Right? And we have all this information coming in. Not only that, but in certain social networks, we also have the ability to ask the user, hey, do you mind giving us, I don't know, extended permissions? So for example, we can send you an email because you want an email from my app, right? So we can use that, right? Because as penetration testers, we try to follow the terms of service, which by the way, so far in our reading and our lawyers' readings, we're following the ToS. And so like all the data we collect, we're not storing anything that's marked un-storable. Right? The terms of service says we can only store this information for 24 hours. Okay, I'll only store it for 24 hours.
But I can ask the user if I can refresh it infinitely, which means that I don't have to wait for them to come back to my app. I can refresh it, again, not violating the terms of service. Or I have Chris add my app. He gives me all of his information. He doesn't know it. And then I get Chris to convince one of his friends to add my app. Well, when she adds my app, I send an email back to Chris saying, hey, Brenna just added this application. Why don't you come back and see what she did? They come back, I get their information again. All through a third-party application. These APIs win for us. Every time. I've told people a long time: when a penetration tester tells you they love something, get it off your network. Quickly. I love SharePoint. SharePoint for the win.

Both MySpace and Facebook provide a server-side API. Now, we want to be very clear here, right? We've already talked about the Twitter API. But that's a client API. So far, Twitter has resisted all siren calls of adding server-side apps. Thank you, Twitter. God help us if they do. Oh, yeah. Yeah, yet, right? Yeah. These APIs provide us this access that we want. Not only do they provide us the access, but the application that we write runs on an attacker-controlled server. Nothing wrong with that, right? Which means that our application can actually be the back-end for both MySpace and Facebook. Which means we're able to collect data from both. And there is the potential. No potential there, actually. It's actually working. To kind of cross that privacy line. We see MySpace. We see Facebook, your information in both. And we can tie them together, right? And we're allowed to connect these different users based on their friends, based on the groups they're in, based on the favorites. I'm a fan of sleeping in, whatever. Those damn quizzes. I know those damn quizzes. Stop the quizzes, Facebook. Just stop it. How well do you know? So let's go and actually get a piece of software.
We've written an app called Social Butterfly. I'd like to apologize now. I'm not allowed to release the code. But if I can write it, anybody can write it, right? I'm the lowest bar at developer skill. So Social Butterfly is a third-party app. It runs on an attacker-controlled server. Read mine, right? And it collects this data and just puts itself out there as different applications. Zombie Smiles being the one we've talked about today. Which, by the way, has been turned off by me. It's out there somewhere. Now, this collects all that data we've been talking about. It's what fronts, well, backends for all the social networks that apply it. Now, the one that we've not yet been able to get to, which is nice, LinkedIn. Because LinkedIn verifies the developers of their third-party apps and actually vets them. They're the only ones that do that, by the way. They're the only one I know about. Facebook, $300 to give you a nice little seal, kind of like the hacker-safe. Yeah, on your app. But, you know, they don't check the code. And even if they did, they checked the code when they verified it, but the code runs on my server. Yep, I can modify that whenever I want. Anytime. There is a fine line that you're running at this point between violating the ToS and not violating the ToS. My recommendation, don't violate the ToS. Right. Social Butterfly, it simply runs in the back. But is all hope lost? Yes. I think it is. Okay, we're done. There's been a zombie invasion and we're all going to die. Board up the windows. You run the windows? So how do we prevent this, right? Well, the first thing is user education, right? I mean, this is the hardest part. I mean, everything starts with the user and is the basis for most of these problems that we're seeing. Users aren't going to listen to us, but we have to try. We have to do something. We have to educate them, teach them through videos, through guides, websites, just talking to them. We've got to do something.
And also, like Kevin mentioned, these opt-in developer models. Yeah, have the social networks verify the code. Have them actually verify that the developer is doing the right thing. Have them fix their documentation. Hate to say it, but do something a little more like LinkedIn, which is a start. Yeah. It's not perfect, but it's a start. And also controlling API usage, spam throttling, better account verification. I mean, the list could go on. This is just a sample, but these are some things that the social networks themselves could do. Remove the support for JavaScript in third-party apps. Yeah, not alone. So, more information. KreiosC2 can be downloaded right now from DigiNinja.org. Fantastic website. Robin Wood is a fantastic developer and has all kinds of great tools. So, I highly, highly recommend you check that out. He's also the creator of Jasager, which runs on the Fon wireless router. So, if you're into wireless stuff, check that out as well. I mentioned a website earlier that I launched a couple days ago. It's called socialmediasecurity.com. And what this is, is a central source for news, vulnerabilities, exploits, all kinds of stuff with social media. Not just Twitter, Facebook, all kinds of other social media sites. There's also links to the guidebook that I talked about, the Facebook Privacy Security Guide. There's videos, presentations, documents, all kinds of stuff. So, if you want to get involved, just send me an email through the website and we'd love to have your help. Yes, we do. So, I think we're taking questions in 105. 105. Thanks for coming, guys.
