Social Zombies: Rise of the Mobile Dead


Published on

Just when you thought “bath salts” were turning innocent humans into flesh eating Zombies in Florida…mobile devices have begun taken over the world like an infectious Zombie virus outbreak. Tablets and mobile phones are being used by everyone today and are more powerful than ever before. The technology implemented in these devices is truly bleeding edge. From new wireless technology like NFC (Near Field Communication) to social networks being integrated directly into mobile operating systems, the times are rapidly changing. These new technology advancements also introduce new privacy and physical security concerns not seen before as well. In addition, with new technology come new responsibilities and challenges for security professionals and consumers alike especially in a world of BYOD.

In this presentation Tom Eston and Kevin Johnson explore and exploit the new technology being implemented by these mobile platforms. Tom and Kevin have discovered interesting security and privacy issues with Android Jelly Bean, Apple iOS 6, OS X Mountain Lion, NFC and many popular mobile applications. New tools and exploits will be discussed that can be used by penetration testers to exploit these new technologies. Tom and Kevin will also discuss strategies to combat the ensuing mobile device onslaught into the enterprise. This information alone will help you to survive the “Rise of the Mobile Dead”.

Published in: Technology
1 Comment
  • Be the first to like this

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

Social Zombies: Rise of the Mobile Dead

  2. 2. ...
  3. 3. • Profiling & Penetration Team Manager, SecureState• Social Media Security Podcast Co-Host• SANS Mentor• OWASP Mobile Threat Model Project Lead• Survivor of the Zombie Apocalypse
  4. 4. • Senior Consultant, Secure Ideas• SANS Instructor and Author – SEC542/642/571• Open-Source Bigot• Ninja
  5. 5. ...
  6. 6. • 5-9 PM TODAY!• $10-$15• All proceeds benefit Hackers for Charity
  7. 7.
  8. 8. Thanks to Robin Wood (@digininja)!
  9. 9. LOLZ!THANKS! $$$
  10. 10. • Your friends are still bots• Ed Skoudis will STILL not accept my friend request..why??• Malware is delivered via social networks• Your private data is harvested more then ever• Zuckerburg is a now a billionaire• Your mom is still on Facebook• MySpace still sucks… – Except in some comments lately?!?!
  11. 11. • Charlie Miller and Moxie Marlinspike BOTH work at Twitter now! “I’m not clicking on any tweets from these guys…”
  12. 12. • Rapid adoption of mobile applications and platforms – We use mobile devices for everything• Advancements in mobile technology• Mobile application developers lack awareness – It’s 2008 all over again! – Or 1999?
  13. 13. ,
  14. 14. :
  15. 15. • Let’s hope not• But…do we still care?
  16. 16. …• We love mobile devices! – They provide us with data – They give us new attack vectors• We discuss new ways to leverage mobile devices, applications and new technology for pentesting
  17. 17. • Face Unlock• Google Now – “Cards” that are modified based on what you do
  18. 18. “It’s like having unprotected sex with another device!”
  19. 19. • Near Field Communication• Two-way short range communication• Designed for ease of use• “tap” your device with another device to transfer data• More research recently released – Charlie Miller (Black Hat 2012)
  20. 20. • Using NFC to launch BeEF hook• Great for physical and/or social engineering attacks
  21. 21. • Google wants NFC to be open and have little authorization “When an Android-powered device discovers an NFC tag, the desired behavior is to have the most appropriate activity handle the intent without asking the user what application to use.”
  22. 22. • Now with NFC! Imagine all the FUN! Image: Mashable
  23. 23. • iOS keeps adding integrations – Cause it wants to just be friends!• Facebook now integrated into the OS – Twitter since iOS 5• Provides simple access to share – Providing more chance for problems
  24. 24. • Centralized integration point – Designed to provide access!• Tickets, coupons, geofencing and your data• Two methods to use – Apps now contact you based on your location – You can access application data
  25. 25. • OSX is becoming iOS ;) – Or so it seems• 10.8.2 adds integration with FB and Twitter• Partially on by default – Share via• Accounts add it to Contacts and the others
  26. 26. • OAuth Tokens Stored in PLIST file (Apple iOS)• Simply copy the PLIST file to another device, you’re logged in as them!• We are finding OAuth tokens in lots of PLIST files…Dropbox and apps that use Dropbox like password managers…• Found in LinkedIn (Fixed), Facebook (Fixed) and others
  27. 27. • CNN Mobile App (iOS) – Disqus Comment System API Key Vulnerability• Potentially allows you to delete, update and modify user comments• Passed in the GET request
  28. 28. • Facebook, Twitter and LinkedIn have grown exponentially• 900 Million!• Privacy issues have increased as well Image: Ben Foster
  29. 29. :Image: TechCrunch
  30. 30. Image: TechCrunch
  31. 31. Image: TechCrunch
  32. 32. Image: TechCrunch
  33. 33. • UDID = Unique Device Identifier• Privacy concern since this uniquely identifies your mobile device• Research has shown that it can be used to correlate the person using the device!
  34. 34. • Anonymous said it’s from the FBI, FBI denies• Really from a third-party company…
  35. 35. • Many apps are still using UDID…(for example) – Draw Something – Words with Friends – Redbox – United Airlines – Pinterest – Flipboard – Calculator (really?)• Some of these apps use UDID with third-party services like!
  36. 36. .
  37. 37. • Sometimes the server response tells you interesting details• What if you wanted to post comments on a news site anonymously?• Sure you can see the user id but…
  38. 38. • Disqus comment system leaks emails…
  39. 39. • …and IP Addresses
  40. 40. !
  41. 41. • Bottom Line – Painful to read, no idea what is captured, I just want to play Angry Birds…
  42. 42. • Hardcoded “production” user name and password used for data access
  43. 43. • More apps are doing this• “See if your friends are using this app”• Apple iOS apps can access contact data without permission (fixed in iOS 6)• Install prompt on Android• Developers can notify you on their own…
  44. 44. • Takes your: – Address book – LinkedIn contacts – Facebook Friends List – Who you follow on Twitter – Gmail address book – FourSquare Locations – And more… Image:
  45. 45. • First “Trojan” for Apple iOS?• It was a spammy app that sent your contact list to a third-party server• Your friends get SMS spammed from the server• App removed from the App Store and Google Play Image: Kaspersky Labs
  46. 46. • Easier then ever to view where someone has been• Pulls location data from photos, status updates and more…
  47. 47. “…you can now much more easily access photos you and others took months or even years ago.” – Kevin Systrom, co- founder and CEO of InstagramImage: Mashable
  48. 48. • “Facedeals”• Camera matches your photo to photos on Facebook to give you deals
  49. 49. :
  50. 50. • Not much has changed over the years• Technology has advanced, privacy has not – Its only going to get worse! – What about privacy policies?• You’re responsible for your data and the services you use!• Don’t complain if you click Kevin’s links…
  51. 51. You thought duck face was bad. This is called“bagel face” and it’s a popular saline injectionin Japan. Awesome. You’ve been warned.