So let me show you what you are unknowingly disclosing to the world...

personal information is the key to exploiting blind trust

your information disclosures weaken the security of the organizations that you are associated with

What do your network probes say about you?

Or where you've been?

IT MEANS YOU CAN BE TRACKED!

(This is true especially when the network names are unique)

Your wireless device stores the network name (SSID) of access points you have connected to in the past and is ALWAYS trying to reconnect (conveniently) for you automatically.

So what does this mean?

And interestingly enough:

it also means that personality traits & characteristics can potentially be identified

  • attwifi
  • hhonors
  • gogoinflight
  • cafe on 8th
  • OperaHouseLobby
  • IBM-Corp
  • IBM-Conference
  • Chuck-E-Cheese

00:A6:B5:C4:B3:8F

  • linksys
  • dlink
  • HPSETUP
  • Allie's Macbook
  • Steven's Macbook
  • Hooters
  • FugSportsBarAndGrill
  • Buffalo Wild Wings
  • attwifi
  • tmobile
  • Hey apt317 - Shut your dog up!

00:11:22:33:44:55
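The probe lists above are exactly what the SSID element of a probe request carries. The following is an added example (not code from the talk or from Immunity's STALKER/SILICA tools) that parses 802.11 probe request frames and, per client MAC, separates generic hotspot names from the unique ones that make a device trackable; `COMMON_SSIDS` and the frames are constructed sample data so you can audit what your own devices broadcast.

```python
# Added example: parse probe requests and flag identifying SSIDs per client MAC.
# COMMON_SSIDS is a constructed, illustrative allowlist of generic hotspot names.
COMMON_SSIDS = {"attwifi", "linksys", "dlink", "hpsetup", "tmobile", "xfinitywifi"}

def build_probe_request(src_mac: str, ssid: str) -> bytes:
    """Build a minimal probe request (constructed test input, not a real capture)."""
    frame_control = b"\x40\x00"            # type 0 (management), subtype 4 (probe request)
    duration = b"\x00\x00"
    broadcast = b"\xff" * 6                 # DA and BSSID are broadcast in a probe request
    sa = bytes.fromhex(src_mac.replace(":", ""))
    seq_ctrl = b"\x00\x00"
    ssid_bytes = ssid.encode("utf-8")
    ssid_ie = bytes([0, len(ssid_bytes)]) + ssid_bytes      # element ID 0 = SSID
    rates_ie = bytes([1, 4, 0x82, 0x84, 0x8B, 0x96])        # element ID 1 = supported rates
    return frame_control + duration + broadcast + sa + broadcast + seq_ctrl + ssid_ie + rates_ie

def parse_probe_request(frame: bytes):
    """Return (source MAC, SSID) for a probe request, or None for any other frame."""
    if len(frame) < 24:
        return None
    fc0 = frame[0]
    if (fc0 & 0x0C) != 0 or (fc0 >> 4) != 4:   # not a management frame of subtype probe request
        return None
    sa = ":".join(f"{b:02x}" for b in frame[10:16])
    offset = 24                                 # tagged parameters start after the MAC header
    ssid = ""
    while offset + 2 <= len(frame):
        tag, length = frame[offset], frame[offset + 1]
        body = frame[offset + 2: offset + 2 + length]
        if tag == 0:                            # SSID element; empty body = wildcard probe
            ssid = body.decode("utf-8", errors="replace")
            break
        offset += 2 + length
    return sa, ssid

def audit_probes(frames):
    """Group probed SSIDs by client MAC and list the ones unique enough to identify the owner."""
    report = {}
    for frame in frames:
        parsed = parse_probe_request(frame)
        if parsed is None or parsed[1] == "":   # skip non-probes and wildcard probes
            continue
        mac, ssid = parsed
        entry = report.setdefault(mac, {"ssids": [], "identifying": []})
        if ssid not in entry["ssids"]:
            entry["ssids"].append(ssid)
            if ssid.lower() not in COMMON_SSIDS:
                entry["identifying"].append(ssid)
    return report
```

Any SSID that lands in `identifying` is one worth removing from the device's saved-network list, which is the only way to stop it being probed for.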

Low Severity leads to High Severity

Convenience Is An Attack Vector

In the battle between convenience and security, CONVENIENCE IS WINNING

But nobody seems to care ... unless it's their own personal information that's being disclosed.

Analysis of Information Disclosures

Confessions of Your Stalker

Confessions of Your Identity Thief

802.11 Ways to Annoy You

Alternate Presentation Titles

MARK WUERGLER

@MarkWuergler

Security Researcher / Penetration Tester / SILICA Developer

for Immunity Inc.

RECAP:

ARP DISCLOSED

[girlfriend's house]

ARP DISCLOSED

[your house]

YOU ARE DISCLOSING WHERE YOU HAVE BEEN

ARP DISCLOSED

[starbucks]

What do we know about you so far?

01) MAC Address

02) What you connect to

03) Current GPS location

04) Preferred Network Names / Locations

05) Data

Time It Takes To Access Your Plaintext Data

by the way,

48.861962, 2.288728

Your photo's metadata can also disclose GPS data.

You tell us what networks you have privileged access to

(since you can't hide a data frame)

The MAC address of the wireless access point also offers us a point in space that can be plotted on a map for geographical tracking.

So what else can we get?

06) Name

07) Address

08) Age

09) Passwords

10) Phone Number

11) Family

12) Friends

13) Pizza Preference

14) Browsing Habits

15) Emails

16) Text Messages

17) ...

18) ...

Attack Scenario: Find the corporate wireless device that is also ARPing for the local Starbucks. It's an attacker's path of least resistance to gain unauthorized access to company resources.

Now that we have access to plaintext data

we can start looking for more personal information disclosures ...

STALKER was the result of a research project to determine if I could shape identities and personalities of those in control of data transmitting devices. Everything that is "interesting" is stored in a database.

PCAP -> PEOPLE = PEOPLECAP!

Do you know what you are leaking?

Things to Consider

Sites often use SSL to protect password transmission but don't protect the authenticated session or the data that is in it.

XSRF tokens DON'T WORK if everyone gets to peek at them ...

If data is not encrypted it's vulnerable to man-within-range-of-you attacks (with wireless you don't have to be in the middle of anything ;)

Sites that disclose personal data are interesting but sites that offer an API to your personal data are even more interesting.

- and your passwords, chats, sms messages, downloaded files, etc, etc, etc ...
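The "SSL for the login, plaintext for the session" pattern above is easy to check from the server side. Below is an added example (not from the talk) that audits a login response's headers for the two things that leave a session exposed within radio range: a session cookie without the Secure/HttpOnly flags, and no HSTS so the browser will keep following plain-http links. The two response header lists are constructed samples, not captures from any real site.

```python
# Added example: audit a login response for an exposed authenticated session.
from http.cookies import SimpleCookie

def audit_session_headers(headers):
    """headers: list of (name, value) pairs from an HTTPS login response. Returns findings."""
    findings = []
    names = {name.lower() for name, _ in headers}
    if "strict-transport-security" not in names:
        findings.append("no HSTS: the browser will still follow plain-http links to this host")
    for name, value in headers:
        if name.lower() != "set-cookie":
            continue
        jar = SimpleCookie()
        jar.load(value)
        for cookie_name, morsel in jar.items():
            if not morsel["secure"]:      # flag absent: cookie is sent on plaintext requests too
                findings.append(f"cookie {cookie_name} lacks Secure: it rides along on every plaintext request")
            if not morsel["httponly"]:    # flag absent: injected script can read the cookie
                findings.append(f"cookie {cookie_name} lacks HttpOnly: readable by injected script")
    return findings

# Constructed sample responses (not captured from any real site).
WEAK_LOGIN_RESPONSE = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "session=abc123; Path=/"),
]
HARDENED_LOGIN_RESPONSE = [
    ("Content-Type", "text/html"),
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("Set-Cookie", "session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"),
]

if __name__ == "__main__":
    for label, response in (("weak", WEAK_LOGIN_RESPONSE), ("hardened", HARDENED_LOGIN_RESPONSE)):
        print(label, audit_session_headers(response) or ["no findings"])
```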

AGGRESSIVE ENUMERATION

OF PERSONAL DATA

FORCED BROWSING

Using content injection to manipulate the content rendered in a target's browser for the purpose of exploitation, personal data enumeration or forced marketing.

FORCED MARKETING

Using forced browsing to generate like's, +1's, votes, clicks as well as to inject custom web content and ads into an active web session.

Forcing you to disclose your personal information

DEMO

FORCED BROWSING

Using content injection to control the browser

1. A wireless client makes a request to an unencrypted website.

2. An attacker sees the client's request and generates a modified response.

2a. The modified response will make everything appear normal to the client, but includes hidden code to initiate the forced browsing.

3. The attacker sends the forged response to the client before the real response arrives.

4. The client computer sees cnn.com as expected, but executes the attacker's hidden code and is secretly directed to information-disclosing websites.

DEMO

CONTENT INJECTION

Form injection to retrieve stored passwords

1. Client either visits a website or is forced to visit a website whose password is stored by the browser.

2. An attacker injects a form to mimic what is auto-populated by the browser.

3. The code is executed, and sends the browser-populated data to the attacker.

Convenience is an attack vector

Ever use these?

Little by Little:

building a profile against you one site at a time.

What can I find out about you when all you are doing is listening to Pandora?

DEMO

CONTENT INJECTION

Turning a trusted Facebook application into a trojan

1. An attacker forces a logged-in user to browse to a Facebook application's permission dialog (non-SSL)

2. The attacker collects XSRF tokens from the permission dialog's HTML

3. The attacker generates a POST request with all possible application permissions and forces the (re-)installation of the application by simulating the "Allow" click.

By escalating permissions and grabbing your access key:

THE ATTACKER HAS FULL, ANYTIME ACCESS TO ALL

YOUR FACEBOOK DATA INCLUDING YOUR:

INBOX, CHATS, EMAIL, PHONE, ADDRESS, FAMILY, FRIENDS, STATUSES, PHOTOS, WALL POSTS, LOCATIONS, RELATIONSHIPS, EMPLOYMENT DATA, & EVERYTHING ELSE FACEBOOK HAS TO OFFER.

THE ATTACKER CAN EVEN SEND YOU SMS MESSAGES OR POST TO YOUR WALL AS YOU.

BEFORE the attack there were only a few default permissions set for this trusted app.

AFTER the attack, all of the available permissions are set.

LIVE DEMO

CONTENT INJECTION

Install a Facebook trojan/backdoor

Fermat's Last Theorem

Using data or access we have in order to get the data or access we want.

Scenario: Your gmail account is over SSL but your backup email that you have registered (for password recovery) is under our control.

[it's in the clear so it's under everyone's control, really].

Some sites forget that 3rd party sites that they interact with are a part of the security model. You're only as strong as your weakest link, etc.

Answers to popular security questions ...

Pet's name?

Mother's maiden name?

Favorite book/movie?

Birthday?

Birthplace?

Teacher's name?

Phone numbers?

Childhood friend?

Hero/role model?

What is this thing - this thing here - what is it?!

Answers to these questions are all over the websites you visit, especially social networking sites.

Even though the email and phone number are obfuscated we have enough information (in STALKER) to piece together which email account the recovery process will use.


Conclusion #1

1) your information disclosures weaken the security of the organizations that you are associated with

TODO:

2)
