Social Zombies: Rise of the Mobile Dead

Just when you thought “bath salts” were turning innocent humans into flesh-eating Zombies in Florida, mobile devices have begun taking over the world like an infectious Zombie virus outbreak. Tablets and mobile phones are used by everyone today and are more powerful than ever before. The technology implemented in these devices is truly bleeding edge. From new wireless technology like NFC (Near Field Communication) to social networks being integrated directly into mobile operating systems, the times are rapidly changing. These advancements also introduce privacy and physical security concerns not seen before. In addition, new technology brings new responsibilities and challenges for security professionals and consumers alike, especially in a world of BYOD.

In this presentation Tom Eston and Kevin Johnson explore and exploit the new technology being implemented by these mobile platforms. Tom and Kevin have discovered interesting security and privacy issues with Android Jelly Bean, Apple iOS 6, OS X Mountain Lion, NFC and many popular mobile applications. New tools and exploits will be discussed that can be used by penetration testers to exploit these new technologies. Tom and Kevin will also discuss strategies to combat the ensuing mobile device onslaught into the enterprise. This information alone will help you to survive the “Rise of the Mobile Dead”.

Published in: Technology
Transcript of "Social Zombies: Rise of the Mobile Dead"

  1. SOCIAL ZOMBIES
  3. • Profiling & Penetration Team Manager, SecureState
     • Social Media Security Podcast Co-Host
     • SANS Mentor
     • OWASP Mobile Threat Model Project Lead
     • Survivor of the Zombie Apocalypse
  4. • Senior Consultant, Secure Ideas
     • SANS Instructor and Author – SEC542/642/571
     • Open-Source Bigot
     • Ninja
  6. • 5-9 PM TODAY!
     • $10-$15
     • All proceeds benefit Hackers for Charity
  8. Thanks to Robin Wood (@digininja)!
  9. LOLZ! THANKS! $$$
  10. • Your friends are still bots
      • Ed Skoudis will STILL not accept my friend request... why??
      • Malware is delivered via social networks
      • Your private data is harvested more than ever
      • Zuckerberg is now a billionaire
      • Your mom is still on Facebook
      • MySpace still sucks…
        – Except in some comments lately?!?!
  11. • Charlie Miller and Moxie Marlinspike BOTH work at Twitter now!
      “I’m not clicking on any tweets from these guys…”
  12. • Rapid adoption of mobile applications and platforms
        – We use mobile devices for everything
      • Advancements in mobile technology
      • Mobile application developers lack awareness
        – It’s 2008 all over again!
        – Or 1999?
  15. • Let’s hope not
      • But… do we still care?
  16. • We love mobile devices!
        – They provide us with data
        – They give us new attack vectors
      • We discuss new ways to leverage mobile devices, applications and new technology for pentesting
  17. • Face Unlock
      • Google Now
        – “Cards” that are modified based on what you do
  18. “It’s like having unprotected sex with another device!”
  19. • Near Field Communication
      • Two-way short range communication
      • Designed for ease of use
      • “Tap” your device with another device to transfer data
      • More research recently released
        – Charlie Miller (Black Hat 2012)
  20. • Using NFC to launch BeEF hook
      • Great for physical and/or social engineering attacks
  21. • Google wants NFC to be open and have little authorization
      “When an Android-powered device discovers an NFC tag, the desired behavior is to have the most appropriate activity handle the intent without asking the user what application to use.”
      http://developer.android.com/guide/topics/connectivity/nfc/nfc.html
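Slide 21 quotes the Android guidance that a discovered tag is dispatched to the best-matching activity without asking the user. The defensive consequence is that an app registering for NDEF URIs has to validate the tag payload itself before acting on it. The following is an added example (not code from the talk, from Google, or from the BeEF project): it parses a raw NDEF message, decodes the NFC Forum URI record prefix table (only codes 0x00–0x06 are included here), and only marks a URI as safe to auto-handle when it is https to a host on a constructed allowlist. `ALLOWED_HOSTS`, `build_uri_tag` and the sample tag bytes are assumptions for this example.

```python
"""Parse an NDEF message and decide whether its URI record may be auto-handled.
Added example: the NDEF framing and the URI prefix codes follow the NFC Forum
record format; the allowlist policy and sample bytes are constructed here."""
import struct
from urllib.parse import urlsplit

# Subset of the NDEF URI record prefix table (payload byte 0). Higher codes
# exist (ftp, sftp, file, urn, ...) and are deliberately omitted.
URI_PREFIXES = {
    0x00: "", 0x01: "http://www.", 0x02: "https://www.", 0x03: "http://",
    0x04: "https://", 0x05: "tel:", 0x06: "mailto:",
}
TNF_WELL_KNOWN = 0x01
ALLOWED_HOSTS = {"example.com"}   # constructed allowlist for this example


def parse_ndef(data: bytes) -> list:
    """Return [(tnf, type_bytes, payload)] from a raw NDEF message."""
    records, i = [], 0
    while i < len(data):
        hdr = data[i]
        if hdr & 0x20:                      # CF: chunked records not handled here
            raise ValueError("chunked NDEF records unsupported")
        tnf = hdr & 0x07
        type_len = data[i + 1]
        if hdr & 0x10:                      # SR: one-byte payload length
            payload_len = data[i + 2]
            i += 3
        else:                               # four-byte big-endian payload length
            payload_len = struct.unpack(">I", data[i + 2:i + 6])[0]
            i += 6
        id_len = 0
        if hdr & 0x08:                      # IL: record ID length present
            id_len = data[i]
            i += 1
        rtype = data[i:i + type_len]
        i += type_len + id_len              # skip the record ID, if any
        payload = data[i:i + payload_len]
        i += payload_len
        if len(payload) != payload_len:
            raise ValueError("truncated NDEF record")
        records.append((tnf, rtype, payload))
        if hdr & 0x40:                      # ME: last record of the message
            break
    return records


def decode_uri(record) -> str:
    """Expand a well-known 'U' record into a full URI string."""
    tnf, rtype, payload = record
    if tnf != TNF_WELL_KNOWN or rtype != b"U" or not payload:
        raise ValueError("not a URI record")
    prefix = URI_PREFIXES.get(payload[0])
    if prefix is None:
        raise ValueError("unknown URI prefix code 0x%02x" % payload[0])
    return prefix + payload[1:].decode("utf-8")


def dispatch_decision(data: bytes) -> dict:
    """'auto' only for https URIs to an allowed host; everything else needs
    an explicit user confirmation instead of silent dispatch."""
    uri = decode_uri(parse_ndef(data)[0])
    parts = urlsplit(uri)
    if parts.scheme == "https" and parts.hostname in ALLOWED_HOSTS:
        return {"uri": uri, "action": "auto"}
    return {"uri": uri, "action": "confirm"}


def build_uri_tag(code: int, rest: str) -> bytes:
    """Constructed single-record message: MB|ME|SR, TNF=1, type 'U'."""
    payload = bytes([code]) + rest.encode()
    return bytes([0xD1, 0x01, len(payload)]) + b"U" + payload


if __name__ == "__main__":
    for tag in (build_uri_tag(0x04, "example.com/promo"),
                build_uri_tag(0x01, "example.com/promo"),
                build_uri_tag(0x05, "+15551234567")):
        print(dispatch_decision(tag))
```

The decision function deliberately treats `http://www.` and `tel:` URIs as requiring confirmation even when the host matches, since a tag can be rewritten or swapped by anyone with physical access to it.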
  22. • Now with NFC! Imagine all the FUN!
      Image: Mashable http://mashable.com/2012/09/27/moo-nfc-business-cards/
  23. • iOS keeps adding integrations
        – Cause it wants to just be friends!
      • Facebook now integrated into the OS
        – Twitter since iOS 5
      • Provides simple access to share
        – Providing more chance for problems
  24. • Centralized integration point
        – Designed to provide access!
      • Tickets, coupons, geofencing and your data
      • Two methods to use
        – Apps now contact you based on your location
        – You can access application data
  25. • OS X is becoming iOS ;)
        – Or so it seems
      • 10.8.2 adds integration with FB and Twitter
      • Partially on by default
        – Share via
      • Accounts add it to Contacts and the others
  26. • OAuth tokens stored in PLIST file (Apple iOS)
      • Simply copy the PLIST file to another device, you’re logged in as them!
      • We are finding OAuth tokens in lots of PLIST files… Dropbox and apps that use Dropbox like password managers…
      • Found in LinkedIn (fixed), Facebook (fixed) and others
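Slide 26 describes OAuth tokens sitting in an app's property list, where anyone who can copy the file gets the session. A practical check during an app assessment is to parse the plists an app writes and flag credential-like entries so they can be moved to the Keychain. The following is an added example and not the speakers' tooling: it walks a plist with the standard library `plistlib`, flags keys whose name suggests a credential and string values long enough and random-looking enough to be a token. The sample plist, the key-name pattern and the entropy thresholds are constructed assumptions for this example.

```python
"""Audit a plist for stored credentials. Added example; the sample data and
the thresholds below are constructed, not taken from any real app."""
import math
import plistlib
import re

SECRET_KEY_RE = re.compile(r"(token|secret|passw|oauth|credential|api[_-]?key)", re.I)
MIN_LEN, MIN_ENTROPY = 20, 3.5   # a random token is long and has high entropy


def shannon_entropy(s: str) -> float:
    """Bits per character of the string's empirical character distribution."""
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def find_secrets(obj, path="") -> list:
    """Recursively walk a parsed plist; return (path, reason) findings."""
    findings = []
    if isinstance(obj, dict):
        for key, value in obj.items():
            sub = f"{path}/{key}" if path else key
            if isinstance(value, str) and SECRET_KEY_RE.search(key):
                findings.append((sub, "credential-like key name"))
            findings.extend(find_secrets(value, sub))
    elif isinstance(obj, list):
        for n, value in enumerate(obj):
            findings.extend(find_secrets(value, f"{path}[{n}]"))
    elif isinstance(obj, str):
        if len(obj) >= MIN_LEN and shannon_entropy(obj) >= MIN_ENTROPY:
            findings.append((path, "high-entropy string value"))
    return findings


def audit_plist(data: bytes) -> list:
    """Parse plist bytes (XML or binary) and return unique findings in order."""
    seen, out = set(), []
    for finding in find_secrets(plistlib.loads(data)):
        if finding not in seen:
            seen.add(finding)
            out.append(finding)
    return out


# Constructed sample resembling a social app's preferences file.
SAMPLE_PLIST = plistlib.dumps({
    "username": "alice",
    "ui": {"theme": "dark", "font_size": 14},
    "oauth_token": "0123456789abcdefghijklmnopqrstuv",          # 32 distinct chars
    "oauth_token_secret": "zyxwvutsrqponmlkjihgfedcba987654",   # 32 distinct chars
    "recent_searches": ["zombies", "bath salts"],
})

if __name__ == "__main__":
    for path, reason in audit_plist(SAMPLE_PLIST):
        print(f"{path}: {reason}")
```

The two signals are independent on purpose: a token stored under an innocuous key is still caught by the entropy check, and a short or structured credential under a key like `password` is still caught by the name check.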
  27. • CNN Mobile App (iOS) – Disqus Comment System API Key Vulnerability
      • Potentially allows you to delete, update and modify user comments
      • Passed in the GET request
  28. • Facebook, Twitter and LinkedIn have grown exponentially
      • 900 Million!
      • Privacy issues have increased as well
      Image: Ben Foster http://www.benphoster.com/facebook-user-growth-chart-2004-2010/
  29. Image: TechCrunch http://techcrunch.com/2012/08/25/5-design-tricks-facebook-uses-to-affect-your-privacy-decisions/
  33. • UDID = Unique Device Identifier
      • Privacy concern since this uniquely identifies your mobile device
      • Research has shown that it can be used to correlate the person using the device!
  34. • Anonymous said it’s from the FBI, FBI denies
      • Really from a third-party company…
  35. • Many apps are still using UDID… (for example)
        – Draw Something
        – Words with Friends
        – Redbox
        – United Airlines
        – Pinterest
        – Flipboard
        – Calculator (really?)
      • Some of these apps use UDID with third-party services like flurry.com!
  37. • Sometimes the server response tells you interesting details
      • What if you wanted to post comments on a news site anonymously?
      • Sure you can see the user id but…
  38. • Disqus comment system leaks emails…
  39. • …and IP addresses
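Slide 27 describes an API key travelling in a GET request, and slides 37–39 describe comment-system responses that carry commenters' email and IP addresses. Both are the kind of thing a reviewer wants flagged automatically when going through captured app traffic. The following is an added example (not the speakers' tool and not real Disqus traffic): it checks a request line for credential-like query parameter names and walks a JSON response body for values that are email addresses or IP addresses, reporting the JSON path of each. The sample request, response, field names and parameter pattern are constructed assumptions.

```python
"""Flag secrets in query strings and PII in JSON responses. Added example;
the sample exchange below is constructed, not captured from any real app."""
import ipaddress
import json
import re
from urllib.parse import parse_qsl, urlsplit

SECRET_PARAM_RE = re.compile(r"(api[_-]?key|^key$|token|secret|passw)", re.I)
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def secrets_in_request_line(request_line: str) -> list:
    """'GET /path?x=1 HTTP/1.1' -> names of query params that look like secrets."""
    _method, target, _version = request_line.split(" ", 2)
    query = urlsplit(target).query
    return [name for name, _ in parse_qsl(query, keep_blank_values=True)
            if SECRET_PARAM_RE.search(name)]


def _looks_like_ip(value: str) -> bool:
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def pii_in_json(obj, path="") -> list:
    """Recursively return (json_path, kind) for string values that are
    email addresses or IP addresses."""
    out = []
    if isinstance(obj, dict):
        for key, value in obj.items():
            out.extend(pii_in_json(value, f"{path}.{key}" if path else key))
    elif isinstance(obj, list):
        for n, value in enumerate(obj):
            out.extend(pii_in_json(value, f"{path}[{n}]"))
    elif isinstance(obj, str):
        if EMAIL_RE.match(obj):
            out.append((path, "email"))
        elif _looks_like_ip(obj):
            out.append((path, "ip_address"))
    return out


def audit_exchange(request_line: str, response_body: str) -> dict:
    """Combine both checks for one request/response pair."""
    return {
        "secrets_in_query": secrets_in_request_line(request_line),
        "pii_in_response": pii_in_json(json.loads(response_body)),
    }


# Constructed sample exchange (placeholder key, TEST-NET address, example.org).
SAMPLE_REQUEST = "GET /api/comments?thread=123&api_key=EXAMPLEKEY0000 HTTP/1.1"
SAMPLE_RESPONSE = json.dumps({
    "comments": [
        {"id": 1,
         "author": {"name": "anon", "email": "anon@example.org"},
         "ip_address": "203.0.113.7",
         "message": "first"},
    ],
})

if __name__ == "__main__":
    print(json.dumps(audit_exchange(SAMPLE_REQUEST, SAMPLE_RESPONSE), indent=2))
```

Reporting the JSON path rather than the value keeps the finding useful (it names the field the API should stop returning) without copying the leaked PII into the assessment notes.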
  41. • Bottom line
        – Painful to read, no idea what is captured, I just want to play Angry Birds…
  42. • Hardcoded “production” user name and password used for data access
  43. • More apps are doing this
      • “See if your friends are using this app”
      • Apple iOS apps can access contact data without permission (fixed in iOS 6)
      • Install prompt on Android
      • Developers can notify you on their own…
  44. • Takes your:
        – Address book
        – LinkedIn contacts
        – Facebook friends list
        – Who you follow on Twitter
        – Gmail address book
        – FourSquare locations
        – And more…
      Image: Brewster.com
  45. • First “Trojan” for Apple iOS?
      • It was a spammy app that sent your contact list to a third-party server
      • Your friends get SMS spammed from the server
      • App removed from the App Store and Google Play
      Image: Kaspersky Labs
  46. • Easier than ever to view where someone has been
      • Pulls location data from photos, status updates and more…
  47. “…you can now much more easily access photos you and others took months or even years ago.”
      – Kevin Systrom, co-founder and CEO of Instagram
      Image: Mashable
  48. • “Facedeals”
      • Camera matches your photo to photos on Facebook to give you deals
  50. • Not much has changed over the years
      • Technology has advanced, privacy has not
        – It’s only going to get worse!
        – What about privacy policies?
      • You’re responsible for your data and the services you use!
      • Don’t complain if you click Kevin’s links…
  51. You thought duck face was bad. This is called “bagel face” and it’s a popular saline injection in Japan. Awesome. You’ve been warned.
