Running Away from Security
MICAH HOFFMAN
Web App Vulnerabilities and OSINT Collide
© 2015 MICAH HOFFMAN - RUNNING AWAY FROM SECURITY - @WEBBREACHER - WEBBREACHER.COM
Who am I?
◦NoVA Hacker (Novahackers.com)
◦PwnWiki.io Curator
◦Recon-ng module Writer
◦SANS Instructor (SEC542)
◦Hiker / Backpacker
Disclaimer
These are my thoughts and research and are not those of
my employer(s).
An Experiment
What information are you uncomfortable sharing with the entire world?
If anyone in the world knew…
o Your name, home address and phone
o Your place of work, address and phone
o Had pictures of your kids, pets and family
o Had pics/vids inside & outside your home
o Sexual preferences and fetishes
Our Data on the Internet
◦Whose job is it to keep online data safe?
◦How does our “private” data get disclosed?
Stealing Our Data
Stealing Our [cheating] Data
An example of data leakage
It all started with some exercise
http://www.strava.com/activities/123456789
The Issue is in the Numbers
Activities
◦ http://www.strava.com/activities/100000
◦ http://www.strava.com/activities/100001
The Issue is in the Numbers
Athletes
◦ http://www.strava.com/athletes/123456
◦ http://www.strava.com/athletes/123457
Look at the page source
Responsible disclosure attempt
Strava’s Privacy Setting
Google Already Has the Data!
But how could I get the data?
Created dictionary of 800,000 activities
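The slides from "The Issue is in the Numbers" through the 800,000-activity dictionary describe one weakness: activity and athlete pages are addressed by consecutive integers, so anyone who has seen two live ids can build the full list of URLs between them. The example below is added here and is not code from the talk or from Strava. It shows the enumeration on the attacker side and, on the defender side, the check that actually closes the hole: a per-object authorization decision based on the record's owner and visibility, not on how guessable the id is. The in-memory ACTIVITIES store, its owner/visibility fields, the FOLLOWERS table and both view functions are assumptions made for illustration.

```python
"""Sequential ids, enumeration, and per-object authorization.

Added example, not code from the talk and not Strava's code. The in-memory
ACTIVITIES store, the owner/visibility fields, FOLLOWERS and the two view
functions are assumptions made for illustration; only the id pattern
(consecutive integers in /activities/<n>) comes from the slides.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Activity:
    owner: int        # athlete id (assumed field)
    visibility: str   # "public", "followers" or "private" (assumed values)
    title: str


# Constructed sample store keyed by consecutive activity ids.
ACTIVITIES = {
    100000: Activity(123456, "public", "Morning ride"),
    100001: Activity(123456, "private", "Commute"),
    100002: Activity(123457, "followers", "Trail run"),
}
# athlete id -> set of athlete ids allowed to see that athlete's "followers" activities
FOLLOWERS = {123457: {123456}}


def enumerate_ids(first_seen, last_seen):
    """The attacker side. Two live ids bound every id issued between them,
    so the candidate list is just a range: this is how a dictionary of
    hundreds of thousands of activity URLs costs nothing to build."""
    return [f"http://www.strava.com/activities/{i}"
            for i in range(first_seen, last_seen + 1)]


def insecure_view(activity_id, requester):
    """Vulnerable pattern: a well-formed id is treated as proof of access."""
    return ACTIVITIES.get(activity_id)


def secure_view(activity_id, requester):
    """Object-level authorization: decide on the record's owner and
    visibility, never on whether the id was hard to guess. Denied and
    missing both return None so a scan cannot tell them apart."""
    act = ACTIVITIES.get(activity_id)
    if act is None:
        return None
    if act.visibility == "public" or act.owner == requester:
        return act
    if act.visibility == "followers" and requester in FOLLOWERS.get(act.owner, ()):
        return act
    return None


def scan(view, requester, lo, hi):
    """What an id scan from lo to hi yields for `requester` (None = anonymous)."""
    found = {}
    for i in range(lo, hi + 1):
        act = view(i, requester)
        if act is not None:
            found[i] = act.title
    return found


def expected_guesses(id_bits, live_objects):
    """Expected random guesses to hit any live object when ids are drawn
    uniformly from id_bits bits. Unguessable ids raise the attacker's cost
    but are not a substitute for the authorization check above."""
    return 2 ** id_bits / live_objects


if __name__ == "__main__":
    print(enumerate_ids(100000, 100002))
    print("anonymous, insecure:", scan(insecure_view, None, 100000, 100002))
    print("anonymous, secure:  ", scan(secure_view, None, 100000, 100002))
    print("as 123456, secure:  ", scan(secure_view, 123456, 100000, 100002))
    print("guesses against 800,000 live 128-bit ids:", expected_guesses(128, 800_000))
```

The point of `secure_view` is that the same scan an anonymous visitor runs now returns only public records, and a logged-in user sees exactly what the privacy setting permits; switching to random ids (`expected_guesses`) only makes the scan expensive, it does not decide who may see what.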
What could someone do with it?
1. Find patterns in behavior
◦ Same walks/rides
◦ Commuting to/from work
2. Find the real person behind the account/activities
3. Odd things in the data
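Item 1 above, and Question 1 later in the talk (repeated activities by a single user and "commute" events), is a clustering problem once the activity data is in hand. The following is an added example, not code from the talk: it snaps start and end coordinates to a coarse grid, counts how often one athlete starts from the same cell, and reads weekday-morning rides from one cell to another as a commute, which is how a home and a workplace fall out of the data. SAMPLE is constructed data in an assumed record layout (athlete id, activity name, local start time, start and end coordinates); the grid size and the 05:00-10:00 weekday commute window are assumptions.

```python
"""Finding repeated starts and commutes in a set of activities.

Added example, not code from the talk. SAMPLE is constructed data in an
assumed record layout (athlete id, name, local start time, start and end
coordinates); the grid size and the "weekday, 05:00-10:00" commute window
are assumptions.
"""
from collections import Counter
from datetime import datetime

SAMPLE = [
    # constructed: three weekday-morning rides from the same doorstep to the same office
    {"athlete": 123456, "name": "Commute", "start": "2015-03-02T07:42:00",
     "start_ll": (38.8812, -77.3044), "end_ll": (38.8977, -77.0361)},
    {"athlete": 123456, "name": "Morning Ride", "start": "2015-03-03T07:38:00",
     "start_ll": (38.8814, -77.3041), "end_ll": (38.8976, -77.0363)},
    {"athlete": 123456, "name": "Commute", "start": "2015-03-04T07:51:00",
     "start_ll": (38.8809, -77.3043), "end_ll": (38.8979, -77.0358)},
    # constructed: a weekend loop from a trailhead, and a different athlete
    {"athlete": 123456, "name": "Saturday loop", "start": "2015-03-07T09:05:00",
     "start_ll": (38.9412, -77.4130), "end_ll": (38.9415, -77.4128)},
    {"athlete": 123457, "name": "Trail run", "start": "2015-03-03T18:20:00",
     "start_ll": (38.9021, -77.2504), "end_ll": (38.9021, -77.2504)},
]


def cell(latlon, places=3):
    """Snap a coordinate to a grid; 3 decimal places is roughly 100 m, enough
    to absorb GPS jitter while keeping one house apart from the next block."""
    return (round(latlon[0], places), round(latlon[1], places))


def repeated_starts(activities, min_count=3):
    """(athlete, start cell) pairs seen at least min_count times: the 'same
    walks/rides' pattern. The most repeated start for a person is usually home."""
    counts = Counter((a["athlete"], cell(a["start_ll"])) for a in activities)
    return {k: n for k, n in counts.items() if n >= min_count}


def infer_anchors(activities, athlete):
    """Weekday-morning activities (assumed 05:00-10:00 local) that start in
    one cell and end in another read as a commute: most frequent start =
    home, most frequent end = work. Activity names are ignored on purpose;
    'Morning Ride' and 'Commute' above are the same trip."""
    homes, works = Counter(), Counter()
    for a in activities:
        if a["athlete"] != athlete:
            continue
        t = datetime.fromisoformat(a["start"])
        if t.weekday() < 5 and 5 <= t.hour < 10:
            s, e = cell(a["start_ll"]), cell(a["end_ll"])
            if s != e:
                homes[s] += 1
                works[e] += 1
    return {"home": homes.most_common(1)[0][0] if homes else None,
            "work": works.most_common(1)[0][0] if works else None}


if __name__ == "__main__":
    print(repeated_starts(SAMPLE))
    print(infer_anchors(SAMPLE, 123456))
```

The grid snap is what makes this work against real data: no two GPS fixes from the same doorstep are identical, but they land in the same 100 m cell, and three such cells in a week are enough to separate a home from a one-off trailhead.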
OSINT in a Nutshell
o OSINT = Open Source INTelligence
o Public Information on the Internet
◦ About a company
◦ About a person
◦ About anything really
o Search. Gather. Analyze.
What to do with OSINT?
o Identity theft
o Personal harm, theft, kidnapping
o Social engineering
o Extortion, Espionage
o Dating
Question 1: Repeated activities by a single user and events such as "commute"?
Question 2: Find the actual user, moving from cyber to physical worlds?
Head to Google Maps
Public Data Dimes Out Dan
Now to the Whitepages
Dan’s Home Sweet Home
What about other fitness sites?
Let’s meet Janna on fitbit
Question 2b: How much info can we get about someone?
Giving it away: Death by 1,000 cuts
“Over-Sharers”
Images:
http://i4.mirror.co.uk/incoming/article5769373.ece/ALTERNATES/s615/PAY-Seagull.jpg
http://images58.fotki.com/v286/photos/9/127099/8281743/airplane20in20birds-vi.gif
http://images.elephantjournal.com/wp-content/uploads/2013/10/tmi.jpg
Need to belong/be social
This is Trisha on fitbit
Trisha Trisha Trisha
Trisha Recap
Her name, home address and phone
Her place of work, address and phone
Her likes and dislikes
Her daily thoughts and concerns
Pictures of her kids, pets and family
Pics/vids inside & outside her home
Beyond “Googling it”
Putting it all together: MindMap
RECON-NG
o Open Source, http://recon-ng.com
o Python framework
o Recon tool to gather data on the Internet:
o Host names
o User (names, emails, credentials)
o Location-based data (Tweets, Instagrams)
Recon-ng: Profiler Module
o Search 190 sites per username × 3 names = 30 secs
Question 3: Odd things in the Strava data
These apps aren’t just for fitness!
What are these “patrols”?
Nature Preserve Patrol
Soft Drink Anyone?
The unexplainable
What is your OSINT profile?
Does the Internet need your…
o Name, home address and phone
o Place of work, address and phone
o Daily thoughts, worries and concerns
o Pictures of your kids, pets and family
o Pics/vids inside & outside your home
What can you do?
1. Limit what you and your family members post on the Internet
2. Enable and monitor privacy settings
3. Understand the risks and be wary
4. Make it harder for us
◦ Use different usernames/avatars for different classes of sites
◦ Limit geotracking yourself
Protect yourself.
Twitter: @WebBreacher
http://webbreacher.com
◦ http://recon-ng.com (Recon-ng)
◦ http://xmind.net (MindMap)