Twitter is more than just a social networking tool for people to tweet about their private life... publicly. At Rapid7, we've had plenty of success getting interesting security information just by monitoring Twitter, and sometimes the stuff we see is actually way better than other resources we use. If you're obsessed with 0days like me, or just the latest information in general, then here are some really good examples why Twitter is a fantastic tool for security enthusiasts:
CVE-2011-0611 was a Adobe Flash vulnerability first discovered by @yuange1975. A few weeks after this tweet, people began to pick up targeted attacks originated in Asia, and no patch was available at the time. In case you're wondering how this tweet is related to CVE-2011-0611, it's because CALL [0x11111110 0x08] is where the software crash lands when inspected in a debugger.
CVE-2012-1182 was a Samba exploit leaked on pastebin as a working proof-of-concept in Python. Later, @bl4sty claimed credit for the original code on Twitter... makes you wonder how the exploit was leaked in the first place? Although a patch was already available before the leak, this was still the highlight of the day, because how often do you see a working Samba exploit in public?
CVE-2012-4681 was a Java 0day found in the wild specifically against version 1.7 (or JRE7). Accuvant researcher (also our ex-Metasploit lead exploit developer) Joshua Drake (@jduck1337) ported the exploit to a working proof-of-concept, and then it became available in Metasploit in a couple of hours. Due to the media pressure, Oracle was forced to release an out-of-band patch in a few days... which is a rare thing, because users most likely would have waited months to receive this update.
CVE-2012-4969 was a Microsoft Internet Explorer 0day. Less than a month after the Oracle Java 0day drama (CVE-2012-4681), another 0day was spotted by Eric Romang exploiting IE. Thanks to Eric Romang and @binjo, this too, was quickly ported to Metasploit with additional improvements and more target coverage. A "fix-it" was released by Microsoft in 2 days, and then soon after, an official out-of-band update was available in 4 days.So really, what's the trick to picking up critical information like that quickly? Simple -- search for the right keywords, follow the right people.
Save these search results!
- 0day / 0-day: Believe it or not, we really pick up vulnerabilities exploited in the wild just by staring at this search. Sometimes I find this more effective than searching C0000005 on Google (which is the exception code for access violation, often meaning a possibly exploitable crash... and people post about their crashes all the time in order to get help).
- #Metasploit / Metasploit: Any Metasploit-related information (announcements, updates, tricks, technical information, etc) can be picked up this way on Twitter.
- proof of concept / exploit / vulnerability: Similar to the 0day / 0-day keywords, except these ones also tend to pick up more unrelated tweets.
- When there's a new CVE that receives lots of public attention, you should setup a search for it, too.
If you like vulnerability research and/or exploit development, then you should follow these people:
- Rapid7: @rapid7, @hdmoore, @metasploit, @chris_kirsch, @botherder, @_sinn3r, @_juan_vazquez_, @todb, @egyp7, @TheLightCosine, @HeadlessZeke, @stdlib, @BrandonPrry, @ThreatAgent
- Other security researchers that will blow your mind: @ExodusIntel, @aaronportnoy, @WTFuzz, @daveaitel, @net__ninja, @nicowaisman, @sagar38, @MarkWuergler, @WanderingGlitch, @cBekrar, @_eosyop_, @TaPiOn, @sbekrar, @jgrusko, @_frego_, @n_joly, @jduck1337, @eromang, @binjo, @armitagehacker, @mubix, @carnal0wnage, @corelanc0d3r, @jcran, @bannedit0, @BenHayak, @ChrisJohnRiley, @scriptjunkie1, @exploitdb, @packet_storm, @XploitSweatshop, @mikko, @SCADAhacker, @zashraf1337, @xanda, @0xcharlie, @ochsff, @Agarri_FR, @rattle1337, @Ivanlef0u, @mdowd, @Dinosn, @mihi42, @aszy, @EdiStrosar, @hustlelabs, @r3dy__, @kernelpool, @j00ru, @i0n1c, @s7ephen, @nudehaberdasher, @attackresearch, @alexsotirov, @dguido, @taviso, @fjserna, etc.
Soc Monkey: Your all-in-one source for security trends on Twitter
Soc Monkey is an iPhone application created by Rapid7. It uses a smarter algorithm to automatically collect the latest security news on Twitter, and then all that goes to your phone. This is perfect for those who just don't have the time to manually monitoring what goes on on Twitter. Soc Monkey is available on your iPhone's "App Store". Or, you can see it from here.
