Bo0oM - Deanonymization and total espionage (ZeroNights, 2014)

This talk is dedicated to de-anonymizing active Internet users. We will give a hands-on demonstration of various Internet resources tracking and/or storing user data, and explain how this data can be used to find out the identity on the other side of the screen for your own (either good or evil) purposes.

Published in: Technology

  1. Deanonymization and total espionage Dmitry «Bo0oM» Boomov
  2. Tits and kittens. Hopefully, now you like my report.
  3. Deanonymization Passive Active
  4. Password retrieval
  5. Password retrieval
  6. Getting information from email
  7. Getting information from email
  8. Getting information from email
  9. Getting information from phone. Viber
  10. Getting information from phone. Whatsapp
  11. Getting information from phone. Banks
  12. Getting information from phone. Banks
  13. Getting information from phone
  14. Getting information from phone http://numbuster.com/
  15. Find friends
  16. ← Anonist
  17. Apps https://developers.facebook.com/
  18. Apps https://vk.com/editapp?act=create
  19. Apps Demo: bo0om.ru/zn2014/vk/1/
  20. Online users https://letters.yandex.ru/promo
  21. Clickjacking
  22. Clickjacking Demo: bo0om.ru/zn2014/vk/2/
  23. Clickjacking Demo: bo0om.ru/zn2014/vk/3/
  24. CSRF + XSS + BUGS = PROFIT
  25. Click, click…
  26. Click, click… <a href='tel://1234567890'>Click me</a>
  27. Callback
  28. Callback Thx @black2fan ;)
  29. Social detector Demo: bo0om.ru/zn2014/sd/
  30. Date of birth
  31. Nicknames
  32. Nicknames
  33. Friends and relatives
  34. Friends and relatives
  35. Friends and relatives
  36. Tinfoleak http://vicenteaguileradiaz.com/tools/
  37. Exif
  38. Analytics
  39. Analytics
  40. Banners
  41. Social buttons
  42. BIG DATA http://bo0om.ru/zn2014/wtf/
  43. GEO https://maps.google.com/locationhistory/
  44. Cookie Matching. Specifically, when creating a new cookie, it uses the following storage mechanisms when available:
      - Standard HTTP Cookies
      - Local Shared Objects (Flash Cookies)
      - Silverlight Isolated Storage
      - Storing cookies in RGB values of auto-generated, force-cached PNGs using HTML5 Canvas tag to read pixels (cookies) back out
      - Storing cookies in Web History
      - Storing cookies in HTTP ETags
      - Storing cookies in Web cache
      - window.name caching
      - Internet Explorer userData storage
      - HTML5 Session Storage
      - HTML5 Local Storage
      - HTML5 Global Storage
      - HTML5 Database Storage via SQLite
      - HTML5 IndexedDB
      - Java JNLP PersistenceService
      - Java CVE-2013-0422 exploit (applet sandbox escaping)

      http://samy.pl/evercookie/
  45. Js: on flash: on Js: on flash: on Js: on flash: on Js: on flash: on Js: on flash: on Js: on flash: on Js: off flash: off
  46. Providers http://imarker.ru/
  47. Evil
  48. Twi: @i_bo0om
