Social Zombies Gone Wild: Totally Exposed and Uncensored

•  Senior Security Consultant, SecureState •  Founder of SocialMediaSecurity.com •  Facebook Privacy & Security Guide •  Blogger •  Co-host of Security Justice, Social Media Security Podcasts

•  Security Consultant, Secure Ideas •  Author Sec542 from SANS •  Instructor of the SamuraiWTF class •  SANS Internet Storm Center Handler •  Project lead for: –  SamuraiWTF –  Yokoso! –  Laudanum –  WeaponizedFlash

•  Location Based Services are exactly that •  Services that provide your location to others –  Be them friends or companies that want to know •  These services can be built into our devices and software or programs we sign up for –  Can tell where we are or where we aren’t

Chart: Gigaom.com

The market for location-basedservices on mobile phones willbe worth about $3 billion in 2013… -Frost and Sullivan (Market Research Firm)

•  The original way of performing geo-location checks •  Determined through ISP lookups and whois records •  Prone to misleading results –  Due to ISP location being reported •  Popular with Banners/Adult Advertising

•  Researchers have found new ways to get closer results via IP address •  Typical results used to get you within 200 kilometers (>me based) •  Now within a few hundred meters! •  Creates new ways for adver>sers and the government to track you J •  Using proxy’s seem to help…but who controls these?

•  GPS in the mobile device was revolutionary –  Users have embraced it •  We have our phone with us everywhere •  Ability to use web based tech with the mobile GPS has changed the way we use phones! –  Mash-ups for the win!

•  GPS •  WiFi •  Bluetooth •  RFID •  3G/EDGE, CDMA, GSM •  We pack our phones with latest wireless tech…

•  IP address •  RFID •  WiFi and Bluetooth MAC addresses •  GSM/CDMA cell IDs •  Manual user input

•  Service Examples: –  Google Location Services •  Cell Tower •  Wiﬁ based –  Skyhook/Loki •  Wiﬁ based

•  Many new providers of Geolocation data •  Skyhook •  SimpleGeo (working on Geofences)

•  Yes, its scary and has been around for a few years •  Your phone determines if you are in a location or not •  iOS4 already supports background geo •  SimpleGeo can do this in 6 lines of code •  30 lines to support background geo tracking on iOS4

“So you basically just say, Track User and we handlethat in our API along with record history. I can then come back and say, Show me the last 10places the user was , Stump continues... Creepy? Sort of. Powerful and easy? Yes. - TechCrunch Interview w/SocialGeo co-founder Joe Stump

•  Firefox (> 3.5 uses Google) •  Opera (nightly build uses Skyhook) •  Safari (uses Skyhook in iPhone/iPad) •  Chrome (uses Google) •  Internet Explorer 9 (HTML5-based)

Geolocation is not standardized…yet. •  Follow the Geolocation developer mailing list...it s fun! – http://www.w3.org/2008/geolocation/

•  How will developers use this? •  W3C Geolocation API •  Code is easy to manipulate for evil things

•  Now available in Safari, Opera and Chrome •  The Evercookie (Samy Kamkar) •  Store and track your locations as well

FourSquare/Gowalla •  These games are supposed to be fun, right?

•  Opt in by default •  Built into the API •  Forgotten by many users…

•  We <3 Google •  Tracks your location history •  How many use the same password for all sites?

•  600 Million Users all sharing locations… •  Kevin loves this

•  Barcode Hero? Yeah seriously…

QR Codes

Rebecca Rolled?

•  Geolocation DoS •  Randomly generate SSIDs •  Fake SSID ﬂood •  Hardware jamming

•  2008 Research by Students from ETH Zurich •  AP Impersonation •  WLAN Jamming •  SkyHook DoS

•  [Disclaimer] These are illegal! •  Easy to buy overseas

•  hIp://ilektrojohn.github.com/creepy/ •  Geolocation stalking tool! •  Works on Windows and Linux

•  Sniff and Spoof (Man-in-the-Middle Attacks) •  Or…just use FireSheep and hijack the account for location data •  Fun at conferences and hotels ;-)

•  Proxies •  Tor (still slow) •  Moxie Marlinspike s GoogleSharing creates interesting possibilities

•  Blackberry •  iPhone •  Android

•  Fake Location App (iPhone/Android) •  Geolocater Firefox Plugin •  Manually manipulate Firefox, use touch.facebook.com

•  FourSquare gaming the system •  Lots of scripts, programs to do this…even a Metasploit module! (thanks to CG)

•  Pulls location information without the user knowing •  Hooked through Skyhook •  Developer gets your location •  Great for stalking app users…

•  Plug-ins for BeEF to retrieve HTML5 Geolocation –  Designed for PHP version of BeEF •  Allows the attacker to track the victims •  Scope testing for pen-testers

•  Enhances upon the BeEF framework –  Part of the HTML5 plug-ins •  Determines if the payload is supported •  Retrieves the location for the controller

•  Geolocation can be problematic –  Current browsers respond erratically •  Often just the ﬁrst time its called –  Support is getting better everyday

Ruby BeEF•  Geoloca>on plug in is part of the Ruby version of BeEF •  Supports most browsers –  IE is s>ll problema>c –  Kevin and Frank are working on an update •  Displays coordinates in the results

•  Inadvertent Location Sharing –  Many mobile apps enable this by default! •  Cyberstalking •  Physical Security

•  You automatically allow your location shared with applications you use! •  Apple s 159+ page Terms of Service state… By using any loca-on-‐based services on your iPhone, you agree and consent to Apple s and its partners and licensees transmission, collec-on, maintenance, processing, and use of your loca-on data to provide such products and services.

•  What does your phone or browser leave behind? •  Can you be tracked? •  How many of us sell our phones on eBay/ Craigslist?

•  Anonymize your location •  Allow access to delete/remove location data •  Ability to turn off location based services •  What are the W3C devs doing?

- Image from Broadstuff.com

•  Getting more popular for promotions/ prizes (Starbucks) •  How do you verify check-in? •  Lot s of *fun* ways to abuse the system •  Two-factor geo check-in s?

•  Ensure full disclosure of how you use location based data •  Implement PETs •  Demand more/get involved with W3C

•  To share or not to share? •  Share with only a select group? Example: create a list in Facebook, share only with them •  Think before sharing your location •  Read the TOS, privacy policy of apps and services

•  SocialMediaSecurity.com •  Kevin will be submitting BeEF patches •  Follow us: @agent0x0 @secureideas •  Friend Kevin on Facebook. Really.

http://socialmediasecurity.com	7763
http://feeds2.feedburner.com	132
http://feeds.feedburner.com	44
http://translate.googleusercontent.com	28
http://socialmediasecurity.spylogic.net	3
http://static.slidesharecdn.com	2
http://webcache.googleusercontent.com	1
http://socialmediasecurity.com.	1
http://www.google.com	1
http://feedback	1
http://dustpan.intranet	1
http://74.6.238.254	1
https://portal.eccouncil.org	1

Social Zombies Gone Wild: Totally Exposed and Uncensored

by Tom Eston on Apr 18, 2011

Accessibility

Categories

Upload Details

Usage Rights

13 Embeds 7,979

Statistics

Social Zombies Gone Wild: Totally Exposed and Uncensored Presentation Transcript