Social Zombies Gone Wild: Totally Exposed and Uncensored

  • 10,421 views
Uploaded on

Social networks have jumped onto the geolocation bandwagon with location-based tweets, status updates, check-ins, mayorships, and more. This doesn’t take into account EXIF, QR codes, and advancements …

Social networks have jumped onto the geolocation bandwagon with location-based tweets, status updates, check-ins, mayorships, and more. This doesn’t take into account EXIF, QR codes, and advancements in HTML 5 geo implementations, which are being built into these location-based services. This is often implemented and enabled without the user even knowing it. In fact, geolocation is one of the hottest technologies being used in everything from web browsers to mobile devices. As social networks throw our location coordinates around like candy, its only natural that bad things will happen and abuse will become more popular. This presentation will cover how social networks and other websites are currently using location-based services, what they plan on doing with it, and a discussion on the current privacy and security issues. We will also discuss the latest geolocation hacking techniques and will release custom code that can abuse all of the features being discussed.

Tom Eston is a Senior Security Consultant for SecureState. Tom focuses his research on the security of social media. Tom is also the founder of SocialMediaSecurity.com and co-host of the Security Justice and Social Media Security podcasts. Kevin Johnson is a security researcher with Secure Ideas. He has many years of experience performing security services for Fortune 100 companies, and leads a large number of open source security projects including BASE and SamuraiWTF. Kevin is also an instructor for SANS.

Presented at Notacon 8 in Cleveland Ohio.

More in: Technology
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Be the first to comment
No Downloads

Views

Total Views
10,421
On Slideshare
0
From Embeds
0
Number of Embeds
3

Actions

Shares
Downloads
55
Comments
0
Likes
4

Embeds 0

No embeds

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
    No notes for slide

Transcript

  • 1. GONE
  • 2. •  Senior Security Consultant, SecureState •  Founder of SocialMediaSecurity.com •  Facebook Privacy & Security Guide •  Blogger •  Co-host of Security Justice, Social Media Security Podcasts
  • 3. •  Security Consultant, Secure Ideas •  Author Sec542 from SANS •  Instructor of the SamuraiWTF class •  SANS Internet Storm Center Handler •  Project lead for: –  SamuraiWTF –  Yokoso! –  Laudanum –  WeaponizedFlash
  • 4. •  Location Based Services are exactly that •  Services that provide your location to others –  Be them friends or companies that want to know •  These services can be built into our devices and software or programs we sign up for –  Can tell where we are or where we aren’t
  • 5. Chart: Gigaom.com
  • 6. The market for location-basedservices on mobile phones willbe worth about $3 billion in 2013… -Frost and Sullivan (Market Research Firm)
  • 7. •  The original way of performing geo-location checks •  Determined through ISP lookups and whois records •  Prone to misleading results –  Due to ISP location being reported •  Popular with Banners/Adult Advertising
  • 8. •  Researchers  have  found  new  ways  to  get   closer  results  via  IP  address  •  Typical  results  used  to  get  you  within  200   kilometers  (>me  based)  •  Now  within  a  few  hundred  meters!  •  Creates  new  ways  for  adver>sers  and  the   government  to  track  you  J  •  Using  proxy’s  seem  to  help…but  who  controls   these?  
  • 9. •  GPS in the mobile device was  revolutionary –  Users have embraced it •  We have our phone with us everywhere •  Ability to use web based tech with the mobile GPS has changed the way we use phones! –  Mash-ups for the win!
  • 10. •  GPS •  WiFi •  Bluetooth •  RFID •  3G/EDGE, CDMA, GSM •  We pack our phones with latest wireless tech…
  • 11. •  IP address •  RFID •  WiFi and Bluetooth MAC addresses •  GSM/CDMA cell IDs •  Manual user input
  • 12. •  Service Examples: –  Google Location Services •  Cell Tower •  Wifi based –  Skyhook/Loki •  Wifi based
  • 13. •  Many new providers of Geolocation data •  Skyhook •  SimpleGeo (working on Geofences)
  • 14. •  Yes, its scary and has been around for a few years •  Your phone determines if you are in a location or not •  iOS4 already supports background geo •  SimpleGeo can do this in 6 lines of code •  30 lines to support background geo tracking on iOS4
  • 15. “So you basically just say, Track User and we handlethat in our API along with record history.  I can then come back and say, Show me the last 10places the user was , Stump continues...  Creepy? Sort of. Powerful and easy? Yes.  - TechCrunch Interview w/SocialGeo co-founder Joe Stump
  • 16. •  Firefox (> 3.5 uses Google) •  Opera (nightly build uses Skyhook) •  Safari (uses Skyhook in iPhone/iPad) •  Chrome (uses Google) •  Internet Explorer 9  (HTML5-based)
  • 17. Geolocation is not standardized…yet. •  Follow the Geolocation developer mailing list...it s fun! – http://www.w3.org/2008/geolocation/
  • 18. •  How will developers use this? •  W3C Geolocation API •  Code is easy to manipulate for evil things
  • 19. •  Now available in Safari, Opera and Chrome •  The Evercookie (Samy Kamkar) •  Store and track your locations as well
  • 20. FourSquare/Gowalla •  These games are supposed to be fun, right?
  • 21. •  Opt in by default •  Built into the API •  Forgotten by many users…
  • 22. •  We <3 Google •  Tracks your location history •  How many use the same password for all sites?
  • 23. •  600 Million Users all sharing locations… •  Kevin loves this
  • 24. •  Barcode Hero?  Yeah seriously…
  • 25. QR Codes
  • 26. Rebecca  Rolled?  
  • 27. •  Geolocation DoS •  Randomly generate SSIDs •  Fake SSID flood •  Hardware jamming
  • 28. •  2008 Research by Students from ETH Zurich •  AP Impersonation •  WLAN Jamming •  SkyHook DoS
  • 29. •  [Disclaimer] These are illegal! •  Easy to buy overseas
  • 30. •  hIp://ilektrojohn.github.com/creepy/  •  Geolocation stalking tool! •  Works on Windows and Linux
  • 31. •  Sniff and Spoof (Man-in-the-Middle Attacks) •  Or…just use FireSheep and hijack the account for location data •  Fun at conferences and hotels ;-)
  • 32. •  Proxies •  Tor (still slow) •  Moxie Marlinspike s GoogleSharing creates interesting possibilities
  • 33. •  Blackberry •  iPhone •  Android
  • 34. •  Fake Location App (iPhone/Android) •  Geolocater Firefox Plugin •  Manually manipulate Firefox, use touch.facebook.com
  • 35. •  FourSquare gaming the system •  Lots of scripts, programs to do this…even a Metasploit module! (thanks to CG)
  • 36. •  Pulls location information without the user knowing •  Hooked through Skyhook •  Developer gets your location •  Great for stalking app users…
  • 37. •  Plug-ins for BeEF to retrieve HTML5 Geolocation –  Designed for PHP version of BeEF •  Allows the attacker to track the victims •  Scope testing for pen-testers
  • 38. •  Enhances upon the BeEF framework –  Part of the HTML5 plug-ins •  Determines if the payload is supported •  Retrieves the location for the controller
  • 39. •  Geolocation can be problematic –  Current browsers respond erratically •  Often just the first time its called –  Support is getting better everyday
  • 40. Ruby BeEF•  Geoloca>on  plug  in  is  part  of  the  Ruby   version  of  BeEF  •  Supports  most  browsers   –  IE  is  s>ll  problema>c   –  Kevin  and  Frank  are  working  on  an  update  •  Displays  coordinates  in  the  results  
  • 41. •  Inadvertent Location Sharing –  Many mobile apps enable this by default! •  Cyberstalking •  Physical Security
  • 42. •  You automatically allow your location shared with applications you use! •  Apple s 159+ page Terms of Service state…  By  using  any  loca-on-­‐based  services  on  your   iPhone,  you  agree  and  consent  to  Apple s  and  its   partners  and  licensees  transmission,  collec-on,   maintenance,  processing,  and  use  of  your  loca-on   data  to  provide  such  products  and  services.  
  • 43. •  What does your phone or browser leave behind? •  Can you be tracked? •  How many of us sell our phones on eBay/ Craigslist?
  • 44. •  Anonymize your location •  Allow access to delete/remove location data •  Ability to turn off location based services •  What are the W3C devs doing?
  • 45. - Image from Broadstuff.com
  • 46. •  Getting more popular for promotions/ prizes (Starbucks) •  How do you verify check-in? •  Lot s of *fun* ways to abuse the system •  Two-factor geo check-in s?
  • 47. •  Ensure full disclosure of how you use location based data •  Implement PETs •  Demand more/get involved with W3C
  • 48. •  To share or not to share? •  Share with only a select group? Example: create a list in Facebook, share only with them •  Think before sharing your location •  Read the TOS, privacy policy of apps and services
  • 49. •  SocialMediaSecurity.com •  Kevin will be submitting BeEF patches •  Follow us: @agent0x0 @secureideas •  Friend Kevin on Facebook. Really.
  • 50. GONE