
Social Zombies Gone Wild: Totally Exposed and Uncensored



Social networks have jumped onto the geolocation bandwagon with location-based tweets, status updates, check-ins, mayorships, and more. This doesn't take into account EXIF, QR codes, and advancements in HTML 5 geo implementations, which are being built into these location-based services. This is often implemented and enabled without the user even knowing it. In fact, geolocation is one of the hottest technologies being used in everything from web browsers to mobile devices. As social networks throw our location coordinates around like candy, it's only natural that bad things will happen and abuse will become more popular. This presentation will cover how social networks and other websites are currently using location-based services, what they plan on doing with it, and a discussion of the current privacy and security issues. We will also discuss the latest geolocation hacking techniques and will release custom code that can abuse all of the features being discussed.

Tom Eston is a Senior Security Consultant for SecureState. Tom focuses his research on the security of social media. Tom is also the founder of and co-host of the Security Justice and Social Media Security podcasts. Kevin Johnson is a security researcher with Secure Ideas. He has many years of experience performing security services for Fortune 100 companies, and leads a large number of open source security projects including BASE and SamuraiWTF. Kevin is also an instructor for SANS.

Presented at Notacon 8 in Cleveland Ohio.

Published in: Technology

Social Zombies Gone Wild: Totally Exposed and Uncensored

  1. GONE
  2. • Senior Security Consultant, SecureState
     • Founder of
     • Facebook Privacy & Security Guide
     • Blogger
     • Co-host of Security Justice, Social Media Security Podcasts
  3. • Security Consultant, Secure Ideas
     • Author Sec542 from SANS
     • Instructor of the SamuraiWTF class
     • SANS Internet Storm Center Handler
     • Project lead for:
       – SamuraiWTF
       – Yokoso!
       – Laudanum
       – WeaponizedFlash
  4. • Location Based Services are exactly that
     • Services that provide your location to others
       – Be they friends or companies that want to know
     • These services can be built into our devices and software or programs we sign up for
       – Can tell where we are or where we aren't
  5. Chart:
  6. The market for location-based services on mobile phones will be worth about $3 billion in 2013… - Frost and Sullivan (Market Research Firm)
  7. • The original way of performing geo-location checks
     • Determined through ISP lookups and whois records
     • Prone to misleading results
       – Due to ISP location being reported
     • Popular with Banners/Adult Advertising
  8. • Researchers have found new ways to get closer results via IP address
     • Typical results used to get you within 200 kilometers (time based)
     • Now within a few hundred meters!
     • Creates new ways for advertisers and the government to track you :-)
     • Using proxies seems to help… but who controls these?
  9. • GPS in the mobile device was revolutionary
       – Users have embraced it
     • We have our phone with us everywhere
     • Ability to use web based tech with the mobile GPS has changed the way we use phones!
       – Mash-ups for the win!
  10. • GPS
      • WiFi
      • Bluetooth
      • RFID
      • 3G/EDGE, CDMA, GSM
      • We pack our phones with the latest wireless tech…
  11. • IP address
      • RFID
      • WiFi and Bluetooth MAC addresses
      • GSM/CDMA cell IDs
      • Manual user input
  12. • Service Examples:
        – Google Location Services
          • Cell Tower
          • Wifi based
        – Skyhook/Loki
          • Wifi based
  13. • Many new providers of Geolocation data
      • Skyhook
      • SimpleGeo (working on Geofences)
  14. • Yes, it's scary and has been around for a few years
      • Your phone determines if you are in a location or not
      • iOS4 already supports background geo
      • SimpleGeo can do this in 6 lines of code
      • 30 lines to support background geo tracking on iOS4
  15. "So you basically just say, 'Track User' and we handle that in our API along with record history. I can then come back and say, 'Show me the last 10 places the user was'," Stump continues... Creepy? Sort of. Powerful and easy? Yes. - TechCrunch interview with SimpleGeo co-founder Joe Stump
  16. • Firefox (3.5 uses Google)
      • Opera (nightly build uses Skyhook)
      • Safari (uses Skyhook in iPhone/iPad)
      • Chrome (uses Google)
      • Internet Explorer 9 (HTML5-based)
  17. Geolocation is not standardized… yet.
      • Follow the Geolocation developer mailing list, it's fun!
  18. • How will developers use this?
      • W3C Geolocation API
      • Code is easy to manipulate for evil things
  19. • Now available in Safari, Opera and Chrome
      • The Evercookie (Samy Kamkar)
      • Store and track your locations as well
  20. FourSquare/Gowalla
      • These games are supposed to be fun, right?
  21. • Opt in by default
      • Built into the API
      • Forgotten by many users…
  22. • We <3 Google
      • Tracks your location history
      • How many use the same password for all sites?
  23. • 600 Million Users all sharing locations…
      • Kevin loves this
  24. • Barcode Hero? Yeah, seriously…
  25. QR Codes
  26. Rebecca Rolled?
  27. • Geolocation DoS
      • Randomly generate SSIDs
      • Fake SSID flood
      • Hardware jamming
  28. • 2008 Research by Students from ETH Zurich
      • AP Impersonation
      • WLAN Jamming
      • SkyHook DoS
  29. • [Disclaimer] These are illegal!
      • Easy to buy overseas
  30. • http://
      • Geolocation stalking tool!
      • Works on Windows and Linux
  31. • Sniff and Spoof (Man-in-the-Middle Attacks)
      • Or… just use FireSheep and hijack the account for location data
      • Fun at conferences and hotels ;-)
  32. • Proxies
      • Tor (still slow)
      • Moxie Marlinspike's GoogleSharing creates interesting possibilities
  33. • Blackberry
      • iPhone
      • Android
  34. • Fake Location App (iPhone/Android)
      • Geolocater Firefox Plugin
      • Manually manipulate Firefox, use
  35. • FourSquare gaming the system
      • Lots of scripts, programs to do this… even a Metasploit module! (thanks to CG)
  36. • Pulls location information without the user knowing
      • Hooked through Skyhook
      • Developer gets your location
      • Great for stalking app users…
  37. • Plug-ins for BeEF to retrieve HTML5 Geolocation
        – Designed for PHP version of BeEF
      • Allows the attacker to track the victims
      • Scope testing for pen-testers
  38. • Enhances upon the BeEF framework
        – Part of the HTML5 plug-ins
      • Determines if the payload is supported
      • Retrieves the location for the controller
  39. • Geolocation can be problematic
        – Current browsers respond erratically
      • Often just the first time it's called
        – Support is getting better every day
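Slide 18 names the W3C Geolocation API and slide 39 warns that browsers respond to it erratically, sometimes never calling back at all. The following JavaScript is an added example written for this page; it is not code from the talk, from BeEF or from any browser vendor. It wraps `getCurrentPosition` defensively: feature detection, the spec's `timeout`/`maximumAge`/`enableHighAccuracy` options, the `PositionError` code mapping, and a guard timer of our own for the no-callback case. The provider object is passed in (in a page it would be `navigator.geolocation`); `makeFakeProvider`, the `onResult` shape and the sample Cleveland coordinates are constructed for the example so it can run outside a browser.

```javascript
// Added example, not code from the talk or from BeEF: a defensive wrapper
// around the W3C Geolocation API (navigator.geolocation.getCurrentPosition).
// The provider is passed in so the same logic runs outside a browser; in a
// page you would call requestPosition(navigator.geolocation, ...).

// Error codes defined by the W3C Geolocation API's PositionError interface.
const GEO_ERROR_NAMES = { 1: "permission_denied", 2: "position_unavailable", 3: "timeout" };

function requestPosition(geo, onResult, opts) {
  opts = opts || {};
  const timeoutMs = typeof opts.timeoutMs === "number" ? opts.timeoutMs : 10000;
  const maximumAgeMs = typeof opts.maximumAgeMs === "number" ? opts.maximumAgeMs : 60000;

  // Feature detection: browsers without the API (see slide 16) expose no such object.
  if (!geo || typeof geo.getCurrentPosition !== "function") {
    onResult({ ok: false, reason: "unsupported" });
    return;
  }

  let settled = false;
  let guard = null;
  function settle(result) {
    if (settled) return;        // deliver exactly one result, whichever arrives first
    settled = true;
    clearTimeout(guard);
    onResult(result);
  }

  // Slide 39's caveat: some browsers never invoke either callback, so keep a guard
  // timer of our own in addition to the API's own `timeout` option.
  guard = setTimeout(function () { settle({ ok: false, reason: "no_callback" }); }, timeoutMs + 500);

  geo.getCurrentPosition(
    function (pos) {
      settle({
        ok: true,
        lat: pos.coords.latitude,
        lon: pos.coords.longitude,
        accuracyM: pos.coords.accuracy,   // radius in metres; says how much to trust the fix
        at: pos.timestamp,
      });
    },
    function (err) {
      settle({ ok: false, reason: GEO_ERROR_NAMES[err.code] || "unknown", detail: err.message });
    },
    // Options from the W3C spec: a coarse fix avoids firing up GPS where it is not needed,
    // maximumAge accepts a cached fix, timeout is the API's own deadline.
    { enableHighAccuracy: false, timeout: timeoutMs, maximumAge: maximumAgeMs }
  );
}

// Constructed stand-in providers so the wrapper can be exercised outside a browser.
// The coordinates are a made-up sample (roughly downtown Cleveland, the talk's venue).
function makeFakeProvider(behaviour) {
  return {
    getCurrentPosition: function (success, error) {
      if (behaviour === "success") {
        success({ coords: { latitude: 41.4993, longitude: -81.6944, accuracy: 65 }, timestamp: 1303000000000 });
      } else if (behaviour === "denied") {
        error({ code: 1, message: "User denied Geolocation" });
      }
      // "silent": never calls back, mimicking the erratic behaviour from slide 39
    },
  };
}

// Stand-alone demonstration of the three behaviours.
["success", "denied", "silent"].forEach(function (b) {
  requestPosition(makeFakeProvider(b), function (r) { console.log(b, JSON.stringify(r)); }, { timeoutMs: 100 });
});
```

The point of the guard timer is that a page which waits on the API's callback alone can hang its location logic forever in the browsers slide 39 describes; with the guard, the application always gets one answer and can fall back (for example to manual input, slide 11) instead of stalling.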
  40. Ruby BeEF
      • Geolocation plug-in is part of the Ruby version of BeEF
      • Supports most browsers
        – IE is still problematic
        – Kevin and Frank are working on an update
      • Displays coordinates in the results
  41. • Inadvertent Location Sharing
        – Many mobile apps enable this by default!
      • Cyberstalking
      • Physical Security
  42. • You automatically allow your location to be shared with applications you use!
      • Apple's 159+ page Terms of Service state… "By using any location-based services on your iPhone, you agree and consent to Apple's and its partners' and licensees' transmission, collection, maintenance, processing, and use of your location data to provide such products and services."
  43. • What does your phone or browser leave behind?
      • Can you be tracked?
      • How many of us sell our phones on eBay/Craigslist?
  44. • Anonymize your location
      • Allow access to delete/remove location data
      • Ability to turn off location based services
      • What are the W3C devs doing?
  45. - Image from
  46. • Getting more popular for promotions/prizes (Starbucks)
      • How do you verify check-in?
      • Lots of *fun* ways to abuse the system
      • Two-factor geo check-ins?
  47. • Ensure full disclosure of how you use location based data
      • Implement PETs
      • Demand more/get involved with W3C
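Slide 44 asks for anonymised locations and slide 47 for privacy-enhancing technologies (PETs). As an added example written for this page, not code from the talk, here is the simplest such transform in JavaScript: coarsen a fix to a fixed coordinate grid before it leaves the device, and compute how large that grid cell is so the precision/privacy trade-off is stated rather than assumed. The metres-per-degree constant, the `toShareable` output shape and the two sample Cleveland fixes are constructed for the example.

```javascript
// Added example, not code from the talk: a privacy-enhancing transform that reduces a
// location to a fixed grid before it is shared, plus a calculation of how large that
// grid cell is so the trade-off is explicit.

// Metres per degree of latitude, approximate (constructed constant for this example).
const METERS_PER_DEGREE_LAT = 111320;

// Round both coordinates to `decimals` places: 0 is roughly a 100 km cell, 2 roughly 1 km, 4 roughly 10 m.
function coarsenPosition(lat, lon, decimals) {
  if (!Number.isFinite(lat) || !Number.isFinite(lon)) throw new TypeError("lat/lon must be finite numbers");
  if (!Number.isInteger(decimals) || decimals < 0 || decimals > 6) throw new RangeError("decimals must be 0..6");
  if (lat < -90 || lat > 90 || lon < -180 || lon > 180) throw new RangeError("coordinates out of range");
  const f = Math.pow(10, decimals);
  return { lat: Math.round(lat * f) / f, lon: Math.round(lon * f) / f, decimals: decimals };
}

// Approximate size in metres of one grid cell at the given latitude
// (east-west extent shrinks toward the poles by cos(latitude)).
function gridCellSizeMeters(decimals, lat) {
  const degreesPerCell = Math.pow(10, -decimals);
  const northSouth = METERS_PER_DEGREE_LAT * degreesPerCell;
  const eastWest = northSouth * Math.cos(lat * Math.PI / 180);
  return { northSouth: northSouth, eastWest: eastWest };
}

// What actually leaves the device: coarse coordinates only. The accuracy radius and the
// timestamp of the raw fix are dropped, since both refine what the coarse cell hides.
function toShareable(rawFix, decimals) {
  const c = coarsenPosition(rawFix.lat, rawFix.lon, decimals);
  return { lat: c.lat, lon: c.lon, precisionDecimals: decimals };
}

// Caveat: coarsening hides the exact address but not a routine. Two readings from the
// same spot land in the same cell, so a history of shared cells still reveals patterns
// (the location-history concern from slide 22 does not go away).
function sameCell(a, b, decimals) {
  const ca = coarsenPosition(a.lat, a.lon, decimals);
  const cb = coarsenPosition(b.lat, b.lon, decimals);
  return ca.lat === cb.lat && ca.lon === cb.lon;
}

// Constructed sample: two fixes a couple of blocks apart, roughly downtown Cleveland.
const SAMPLE_FIX_A = { lat: 41.4993, lon: -81.6944, accuracyM: 65, at: 1303000000000 };
const SAMPLE_FIX_B = { lat: 41.4981, lon: -81.6930, accuracyM: 40, at: 1303003600000 };

[0, 2, 4].forEach(function (d) {
  const cell = gridCellSizeMeters(d, SAMPLE_FIX_A.lat);
  console.log(
    d + " decimals:", JSON.stringify(toShareable(SAMPLE_FIX_A, d)),
    "cell ~" + Math.round(cell.northSouth) + " m N-S x " + Math.round(cell.eastWest) + " m E-W,",
    "same cell as B:", sameCell(SAMPLE_FIX_A, SAMPLE_FIX_B, d)
  );
});
```

Choosing `decimals` is the whole policy decision: two decimals is enough for a city-level check-in or weather lookup, and at that setting the two sample fixes are indistinguishable, while four decimals still pins a user to a single building. Dropping the accuracy radius matters too, because a 10 m accuracy value on a 1 km cell tells the recipient the device had a GPS fix even if the coordinates do not.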
  48. • To share or not to share?
      • Share with only a select group? Example: create a list in Facebook, share only with them
      • Think before sharing your location
      • Read the TOS, privacy policy of apps and services
  49. • Kevin will be submitting BeEF patches
      • Follow us: @agent0x0 @secureideas
      • Friend Kevin on Facebook. Really.
  50. GONE