running away from security

Running Away from Security

MICAH HOFFMAN

Web App Vulnerabilities and OSINT Collide

© 2015 MICAH HOFFMAN - RUNNING AWAY FROM SECURITY - @WEBBREACHER - WEBBREACHER.COM

Who am I?

◦NoVA Hacker

◦PwnWiki.io Curator

◦Recon-ng module Writer

◦SANS Instructor (SEC542)

◦Hiker / Backpacker Novahackers.com


Disclaimer

These are my thoughts and research and are not those of

my employer(s).


An Experiment

What

informationare you

uncomfortablesharingwith the

entire world?


If anyone in the world knew…


o Your name, home address and phone

o Your place of work, address and phone

o Had pictures of your kids, pets and family

o Had pics/vids inside & outside your home

o Sexual preferences and fetishes

Our Data on the Internet

◦Whose job is it to keep online data safe?

◦How does our “private” data get disclosed?


Selling Our Data


Stealing Our Data


Stealing Our [cheating] Data


Leaking Our Data


An example of data leakage


It all started with some exercise


http://www.strava.com/activities/123456789

The Issue is in the Numbers

Activities◦ http://www.strava.com/activities/100000◦ http://www.strava.com/activities/100001



Athletes◦ http://www.strava.com/athletes/123456

◦ http://www.strava.com/athletes/123457


Look at the page source


Responsible disclosure attempt


Strava Response


Strava’s Privacy Setting


Google Already Has the Data!


But how could I get the data?


Created dictionary of 800,000 activities


What could someone do with it?

1. Find patterns in behavior◦ Same walks/rides◦ Commuting to/from work

2. Find the real person behind the account/activities

3. Odd things in the data


OSINT in a Nutshell


o OSINT = Open Source INTelligence

o Public Information on the Internet◦ About a company◦ About a person◦ About anything really

o Search. Gather. Analyze.

What to do with OSINT?

o Identity theft

o Personal harm, theft, kidnapping

o Social engineering

o Extortion, Espionage

o Dating


Question 1REPEATED ACTIVITIES BY A SINGLE USER AND EVENTS SUCH AS “COMMUTE”?


Yes. Yes we can.


Question 2FIND THE ACTUAL USER MOVING FROM CYBER TO PHYSICAL WORLDS?


Hello “Dan S.”


Head to Google Maps


Public Data Dimes Out Dan


Now to the Whitepages


Dan’s Home Sweet Home


What about other fitness sites?


Let’s meet Janna on fitbit


Question 2bHOW MUCH INFO CAN WE GET ABOUT SOMEONE?


Giving it awayDeath by 1,000 cuts


“Over-Sharers”

Images: http://i4.mirror.co.uk/incoming/article5769373.ece/ALTERNATES/s615/PAY-Seagull.jpghttp://images58.fotki.com/v286/photos/9/127099/8281743/airplane20in20birds-vi.gifhttp://images.elephantjournal.com/wp-content/uploads/2013/10/tmi.jpg

Need to belong/be social


This is Trisha on fitbit


Trisha


Trisha Trisha Trisha


Trisha Recap


Her name, home address and phone

Her place of work, address and phone

Her likes and dislikes

Her daily thoughts and concerns

Pictures of her kids, pets and family

Pics/vids inside & outside her home

Beyond “Googling it”


Putting it all together: MindMap


RECON-NG


o Open Source, http://recon-ng.com

o Python framework

o Recon tool to gather data on the Internet:o Host names

o User (names, emails, credentials)

o Location-based data (Tweets, Instagrams)

Recon-ng: Profiler Module


o Search 190 sites per username x 3 names = 30secs

Question 3ODD THINGS IN THE STRAVA DATA


These apps aren’t just for fitness!


What are these “patrols”?


Nature Preserve Patrol


Soft Drink Anyone?


The unexplainable


What about you?


What is your OSINT profile?


Does the Internet need your…


o Name, home address and phone

o Place of work, address and phone

o Daily thoughts, worries and concerns

o Pictures of your kids, pets and family

o Pics/vids inside & outside your home

What can you do?


1. Limit what you and your family members post on the Internet

2. Enable and monitor privacy settings

3. Understand the risks and be weary

4. Make it harder for us◦ Use different usernames/avatars for

different classes of sites

◦ Limit geotracking yourself

Protect yourself.

Twitter: @WebBreacher

http://webbreacher.com

◦ http://recon-ng.com (Recon-ng)◦ http://xmind.net (MindMap)


http://recon-ng.com/

http://xmind.net/