Advanced Persistent Threats & Social Engineering, SECRYPT


Upload: hoangkhanh

Post on 24-Jul-2018


Page 1 (24/08/14)

Advanced Persistent Threats & Social Engineering

Edgar Weippl, SBA Research

Digital Natives

(Diagram of a typical user's linked accounts: a cool handle on Twitter; an iPad, iPhone and Mac tied to an Apple account; email at Google; Amazon to buy stuff. The numbered arrows show how the accounts chain together.)

1: Backup email unknown
2: Google [email protected]
3: Backup: m…[email protected]
4: Forgot PW? Support asks for: billing address, last 4 digits of CC
5: Whois: address, billing address
6: Add new CC: email, CC (fake), billing address
7: Forgot PW? You need: email, CC info, billing address (last 4 digits of other CCs are visible), last 4 digits of CC
8: Devices: iPhone, iPad, Mac
9: Post nonsense to Twitter

Slide by Christian Platzer, ISecLab, Vienna University of Technology

Knowledge Worker

• “It demands that we impose the responsibility for their productivity on the individual knowledge workers themselves. Knowledge workers have to manage themselves. They have to have autonomy.
• Continuous innovation has to be part of the work, the task and the responsibility of knowledge workers.
• Knowledge worker productivity requires that the knowledge worker is both seen and treated as an 'asset' rather than a 'cost'. It requires that knowledge workers want to work for the organization in preference to all other opportunities.”

Source: http://www.knowledgeworkerperformance.com/Peter-Drucker-Knowledge-Worker-Productivity.aspx

Privacy & Social Engineering

• Anatomy of an attack. http://blogs.rsa.com/anatomy-of-an-attack/
• Google hack attack was ultra sophisticated, new details show. http://www.wired.com/threatlevel/2010/01/operation-aurora/
• Microsoft hacked: Joins Apple, Facebook, Twitter. InformationWeek. http://www.informationweek.com/security/attacks/microsoft-hacked-joins-apple-facebook-tw/240149323
• N. Perlroth. Chinese hackers infiltrate New York Times computers. The New York Times, Jan. 2013.

Page 2

Empirical Research

• Dropbox: Martin Mulazzani, Sebastian Schrittwieser, Manuel Leithner, Markus Huber, and Edgar R. Weippl. Dark clouds on the horizon: Using cloud storage as attack vector and online slack space. USENIX Security, 8/2011.
• WhatsApp: Sebastian Schrittwieser, Peter Fruehwirt, Peter Kieseberg, Manuel Leithner, Martin Mulazzani, Markus Huber, and Edgar R. Weippl. Guess who is texting you? Evaluating the security of smartphone messaging applications. In Network and Distributed System Security Symposium (NDSS 2012), 2/2012.
• Facebook: Markus Huber, Sebastian Schrittwieser, Martin Mulazzani, and Edgar Weippl. AppInspect: Large-scale evaluation of social networking apps. In ACM Conference on Online Social Networks (COSN 2013), 2013.
• Amazon: Amir Herzberg, Haya Shulman, Johanna Ullrich, and Edgar R. Weippl. Cloudoscopy: Services Discovery and Topology Mapping. In Proceedings of the ACM Cloud Computing Security Workshop (CCSW) at ACM CCS 2013, 2013.

Outline

Information Gathering
Elicitation & Pretexting
APT

AppInspect: Large-scale Evaluation of Social Networking Apps

• Social networks act as proxies between user and third-party providers
• Personal information is transferred to providers
• App providers themselves rely on third parties (analytics, advertising products)
• Custom hosting infrastructures
• Approval of apps with authentication dialog

System Architecture for Data Collection

Page 3

System Architecture for Data Collection

Enumeration

• Exhaustive search in June 2012 with character trigrams
• 434,687 unique applications in two weeks
• Main obstacle: Facebook account rate limits

Most Popular Apps

• 10,624 most popular apps, 94.07% of samples' cumulative application usage
• Language: English (64.72%), 69 different languages

Permissions per Provider

• 4,747 applications belonged to 1,646 distinct providers
• 60.24% of all providers requested personal email address

Page 4

Suspicious Apps

• 40 providers requested more than 10 permissions
• 139 web tracking / advertising providers used
• Manually verified requested permissions vs. app functionality
• Legitimate uses
  – dating and job hunting applications
  – XBOX application (not available anymore)
• Malpractices
  – Horoscopo Diario, 2.5 million monthly users: would only require the birthdate, yet requests 25 different permissions
  – Wisdom of the Buddha etc.

Vulnerability

• 55% Apache httpd, nginx (15.63%), Microsoft IIS (9.4%)
• 2 hosts: source code disclosure vulnerability (CVE-2010-2263)
• 8 hosts: ProFTPD buffer overflow (CVE-2006-5815, CVE-2010-4221)
• Host with 1.2 million monthly users and sensitive information

Web Bugs

Information Leaks

• 315 apps directly transferred sensitive information (via HTTP parameter)

Page 5

Information Leaks

• 51 applications leaked unique user identifiers (HTTP Referrer)
• 14 out of these 51 applications also leaked API authorization tokens
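The Referer leak on these slides is easy to miss in a code review because the app never sends the token itself; the browser attaches the full canvas URL, query string included, to every request for a third-party tracking pixel or ad. As an added example (not code from the slides or from the AppInspect project), a small detector that replays constructed proxy log lines and flags third-party requests whose Referer carries a user identifier or API token; the log format, host names and parameter names (access_token, user_id, signed_request, fb_sig_user) are assumptions made for illustration.

```python
"""Flag user identifiers / API tokens leaking to third parties via HTTP Referer.

Constructed example. Each log line has the shape
    <method> <requested-url> referer=<referer-url>
as a proxy in front of a social-network app page might record it.
"""
from urllib.parse import urlparse, parse_qs

# Query parameters that identify a user or grant API access (assumed names).
SENSITIVE_PARAMS = {"access_token", "user_id", "signed_request", "fb_sig_user"}

# Constructed sample log: an app hosted on app.example.net that embeds a
# tracking pixel and an ad slot; the canvas URL carries the user id and token.
SAMPLE_LOG = """\
GET https://app.example.net/canvas/?user_id=100004 referer=https://apps.facebook.com/someapp/
GET https://tracker.example.org/pixel.gif referer=https://app.example.net/canvas/?user_id=100004&access_token=AAAB.TOKEN
GET https://app.example.net/static/app.js referer=https://app.example.net/canvas/?user_id=100004
GET https://ads.example.com/show?slot=1 referer=https://app.example.net/canvas/?user_id=100004
"""


def parse_line(line):
    """Split one log line into (method, requested URL, Referer URL)."""
    method, url, rest = line.split(" ", 2)
    return method, url, rest[len("referer="):]


def find_referer_leaks(log_text, first_party_host):
    """Return (destination host, sorted leaked parameter names) for every
    request to a host other than first_party_host whose Referer query string
    contains a sensitive parameter. Same-origin requests are ignored because
    the Referer never leaves the app's own server there."""
    leaks = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _, url, referer = parse_line(line)
        dest = urlparse(url).hostname
        if dest == first_party_host:
            continue
        in_referer = set(parse_qs(urlparse(referer).query))
        leaked = sorted(in_referer & SENSITIVE_PARAMS)
        if leaked:
            leaks.append((dest, leaked))
    return leaks


if __name__ == "__main__":
    for host, params in find_referer_leaks(SAMPLE_LOG, "app.example.net"):
        print(f"leak to {host}: {', '.join(params)}")
```

The fix on the app side is to keep identifiers and tokens out of the URL (POST body or server-side session instead) and to send a Referrer-Policy header such as no-referrer or strict-origin-when-cross-origin so embedded third-party resources never see the query string.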

Facebook Summary

• Reported our findings to Facebook in November 2012
  – Facebook responded within one week
  – Skype meetings with Facebook
  – Facebook acknowledged problems and contacted developers
  – Fixed in May 2013
• Security and privacy implications
  – Since January 2010 unproxied access to email address
  – 60% of application developers request email address
  – Social phishing, context-aware spam
  – Users trackable with real name
• Hosting
  – Number of hosts possibly vulnerable
  – FTP/SSH bruteforce
  – Amazon EC2 community images

Man-in-the-Middle

Authentication

Viber, WhatsApp, fring, GupShup, hike, KakaoTalk, Line, ChatOn, textPlus and WeChat

Page 6

In Reality

Even Worse

Code = "Hi!"

WowTalk

Page 7

Forfone

Spoofing Forfone

XMS, JaxtrSMS

Legitimate Re-Registering

Spoofing

Status Messages

Page 8

Enumeration Attack

Enumeration Attack: Results 2012

Page 9

Re-Evaluation 2014

eweippl@sba-research.org
