• Save
Samy Kamkar - Geolocation via XXXSS (2010, cutted part of it)
Upcoming SlideShare
Loading in...5
×
 

Samy Kamkar - Geolocation via XXXSS (2010, cutted part of it)

on

  • 29,206 views

 

Statistics

Views

Total Views
29,206
Views on SlideShare
28,932
Embed Views
274

Actions

Likes
2
Downloads
0
Comments
0

4 Embeds 274

http://www.diit.cz 261
http://diit.cz 10
https://twitter.com 2
http://m.diit.cz 1

Accessibility

Categories

Upload Details

Uploaded via as Microsoft PowerPoint

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Processing…
Post Comment
Edit your comment
  • AMERICA, evercookie, why haven’t you done anything new
  • Probation Honorable people, Probation which was like AOL IRL
  • They know everything. Seriously.
  • How accurate is this?
  • Jack bauer-level triangulation
  • Well, zuckerberg said it best. Privacy is dead
  • Well, zuckerberg said it best. Privacy is dead
  • And that concludes

Samy Kamkar - Geolocation via XXXSS (2010, cutted part of it) Samy Kamkar - Geolocation via XXXSS (2010, cutted part of it) Presentation Transcript

  • Who is samy?
    • "Narcissistic Vulnerability Pimp"
    • (aka Security Researcher for fun)
    • Creator of The MySpace Worm
    • Author of Evercookies
    • Co-Founder of Fonality, IP PBX company
    • Lady Gaga aficionado
  • Cyber Warrior
    • Raided
    • Computer use lost (Hackers-style)
    • 700 hours of community service
    • Restitution
    • Probation
  • Geolocation via XXXSS
  • Geolocation via XXXSS
    • Anna visits malicious site
    • XXXSS scans her local network for the type of router she uses
  • Geolocation via XXXSS
    • Anna visits malicious site
    • XXXSS scans her local network for the type of router she uses
    • If necessary, log in with default credentials!
  •  
  • Geolocation via XXXSS
    • Anna visits malicious site
    • XXXSS scans for router type
    • Logs in with default credentials (if necessary)
    • XSS router to load remote malicious JS
  • Geolocation via XXXSS
    • Remote JS uses AJAX to acquire MAC
  • Why MAC Address?
    • Just Bing it!
    • Type www.bing.com in your URL bar
    • Type in “ Google ” in the search box
    • Hit enter!
  • Why MAC Address?
  • Geolocation via XXXSS
    • Upon MAC acquisition, ask the Google
    • See FF source for Location Services
  • Geolocation via XXXSS latitude: 36.0920029 longitude: -123.3461946
  • Geolocation via XXXSS
  • Geolocation via XXXSS
  • NAT Pinning: prevention
    • Strict firewall – don’t allow unknown outbound connections
    • Client side – run up to date browser
    • Client side – use NoScript if using Firefox
    • Client side – run local firewall or tool like LittleSnitch to know if an application is accessing unknown ports
    PRIVACY IS DEAD
  • Fin phpwn: samy.pl/phpwn NAT Pinning: samy.pl/natpin Geolocation via XSS: samy.pl/mapxss Samy Kamkar www.samy.pl [email_address] twitter.com/SamyKamkar * No IRC channels were trolled in the making of this presentation.