SlideShare a Scribd company logo

Luiz eduardo. introduction to mobile snitch

Yury Chemerkin
Yury Chemerkin
Technology
1 of 43
Download to read offline
Mobile Snitch CONFidence 2012 Pre Luiz Eduar le(at)trus
genda Intro Motivations Current “issue” Profiling Mitigation Tips Future 2
whois Luiz Eduardo Head of SpiderLabs LAC Knows a thing or two about WiFi Conference organizer (YSTS & SilverBullet) Amateur photographer le/at/ trustwave /dot/ com @effffn 3
whois Rodrigo Montoro curity Researcher at Trustwave/Spiderlabs •  Intrusion Detection System Rules •  New ways to detect malicious activities •  Patent Pending Author for methodology to discover malicious digital files eaker •  Toorcon, SecTor, .FISL, Conisli, CNASI , OWASP Appsec Brazil, H2HC (São Paulo and México) under Malwares-BR Group / Webcast Localthreats under and Coordinator ort Brazilian Community •  Snort Rules Library for Brazilian Malwares 4
ustwave SpiderLabs ® wave SpiderLabs uses real-world and innovative security research to improve wave products, and provides unmatched expertise and intelligence to customers. REATS PROTECTI al-World Custome covered Product Response and Investigation (R&I) Analysis and Testing (A&T) Research and Development (R&D) earned Partner 5
oals of this Talk nformation about the data your mobile devices broadcast Possible implications of that Raise awareness of public in general in regards to mobile privacy 6
otivations revious WiFi Research ons of travel lient-side / targeted attacks and Malware rending ery initial thoughts of this talk presented at ayThreat 2011 very very initial WiFi-based devices location at oorCon Seattle 2008) 7
sclaimer 8
efinitive Goal Ability to fingerprint a PERSON based on the information given by heir mobile device(s) Passive information gathering of •  Automatic “LAN/Internal” protocols •  Non-encrypted traffic analysis (security flaws / features / non- confidential info) 9
urrent “issue” Massive adoption of mobile devices Usability vs. Security •  Networking Protocols •  Broadcast / Multicast (and basic WiFi operation) •  And… 10
YOD 11
YO(B)D i Security as we know it •  protect the infrastructure •  protect the user, once it’s in the protected network the newER buzzword: BYOD Security , doesn’t solve the privacy issue 12
ivacy Matters? 13
can haz ZeroConfig Used by most mobile devices Discovery, Announcement & Integration with (mostly) home devic •  Multimedia products •  IP Cameras •  Printers Yet, always on and automatic ro configuration networking allows devices such as mputers and printers to connect to a network automatical hout zeroconf, a network administrator must set up services…” 14
eroConfig Protocols mDNS UPnP SSDP (Simple Service Discovery Protocol) SLP (Service Location Protocol) 15
PV6) k of Monitoring Protection Knowledge Etc… 16
DNS is evil then? 17
o, how does it work? ata Acquisition (Passive) ilters Profile Creation ompare with Existing Info •  Domain Request Info •  First Search –  Internet Search •  IP / Geolocation –  Applications (Netbios / Services) •  Locations (collection) hird Party •  Contacts •  Arp Poisoning •  Company info •  Extra pcaps •  Personal Network •  Info correlation •  Softwares •  Additional Internet Search •  etc 18
ata Acquisition (mdns - multicast 19
dns query 20
dns “passive port scan” 21
ata Acquisition (Netbios - Broadcast) 22
etbios query 23
ey Information 24
mdns we trust … cure $ perl snitch.pl rodrigo-montoro-ipad-iphone.pcap ### Mobile Snitch ##### ### Analyzing File: rodrigo-montoro-ipad-iphone.pcap ### Tool by @effffn and @spookerlabs et Number: 596 Address: 5c:59:48:45:db:fb e Info: Rodrigo-Montoro.local,Rodrigo-Montoro.local 25
rst Search e Info: Rodrigo-Montoro.local,Rodrigo-Montoro.local ating to Google (or any other search tool) go Montoro inurl:facebook.com go Montoro inurl:linkedin.com go Montoro inurl:twitter.com e images go+Montoro ro Rodrigo ro y other Google search for that matter. 26
27
ut …. 28
odrigo is not that famous (yet)… 29
o we could use third-party info ARP Spoofing New pcaps n depth request analysis •  http objects rebuild (oh yeah) •  Plain-text request •  Who wants a cookie ? •  Usernames (we don’t want passwords .. At least, not now ) •  GeoIP / Domains •  SSIDs databases •  Image EXIF info 30
p Spoofing Difficult level: -10 # arpspoof –i eth0 192.168.0.1 * Don’t forget to enable ip_forwa 31
ew pcaps Cloudshark Pcapr Sniffing random locations Create an online repository ? 32
tp objects rebuilt - the secrets uthToken":"name:hpVy","distance": irstName":”Rodrigo","formattedName":”Rodrigo ntoro","headline":”Nerds at iderlabs","id":”1337","lastName":”Montoro","picture":htt media.linkedin.com/mpr/mpr/shrink_80_80/p/ 00/13/ al.jpg,"hasPicture":true,"twitter":”spookerlabs"} 33
r-Agents (-e http.user_agent http.request.method == GET) a/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.11 (KHTML, like Gecko) Chrome/17.0.963.83 Saf 1 a/5.0 (Macintosh; U; Intel Mac OS X 10_6_7; en-us) AppleWebKit/533.21.1 (KHTML, like Gecko) Vers Safari/533.21.1 ivial/5.810 a/5.0 (iPad; CPU OS 5_0_1 like Mac OS X) AppleWebKit/534.46 (KHTML, like Gecko) Mobile/9A405 rForBlackBerry/2.1.0.28 (BlackBerry; U; BlackBerry 9300; es) Version/5.0.0.846 a/5.0 (Linux; U; Android 2.1-update1; es-ar; U20a Build/2.1.1.A.0.6) AppleWebKit/530.17 (KHTML, li ) Version/4.0 Mobile Safari/530.17 [FBAN/FB4A;FBAV/1.8.4;FBDM/ ity=0.75,width=320,height=240};FBLC/es_AR;FB_FW/1;FBCR/CLARO;FBPN/com.facebook.katana;FB FBSV/2.1-update1;] 34
e are the good guys … /var/log/snort/alert | grep "[**" | sort | uniq -c | sort -nr [**] [1:100000236:2] GPL CHAT Jabber/Google Talk Incoming Message [**] [**] [1:100000233:2] GPL CHAT Jabber/Google Talk Outgoing Message [**] [**] [1:2010785:4] ET CHAT Facebook Chat (buddy list) [**] [**] [1:2100538:17] GPL NETBIOS SMB IPC$ unicode share access [**] [**] [1:2014473:2] ET INFO JAVA - Java Archive Download By Vulnerable Client [**] [**] [1:2012648:3] ET POLICY Dropbox Client Broadcasting [**] [**] [1:2011582:19] ET POLICY Vulnerable Java Version 1.6.x Detected [**] [**] [1:2006380:12] ET POLICY Outgoing Basic Auth Base64 HTTP Password detected unencrypted [**] [1:2002878:6] ET POLICY iTunes User Agent [**] [**] [1:100000230:2] GPL CHAT MISC Jabber/Google Talk Outgoing Traffic [**] 35
erson “MACnification” Mac Address sername ictures acebook inkedin witter ocations ompany oftwares xtras nfected ? 36
ext time we meet… 37
Mitigation” Tips Name the device: Never use your name / last name in your device Careful where you use your mobile Turn off WiFi (BlueTooth and etc) when not using it Bonus!) Consider removing some SSID entries from your device… but why? 38
onus! : Bring Your Own Probe Request Bluetooth 39
sconnected Devices & SSIDs Company People SSN #s Hotel School Event Airport Lounges … and Free Public WiFi 40
areful with the New Features t might affect (event more) your privacy…. 41
uture … Website for profile feed collaboration? •  Macprofiling.com •  Whoisthismac.com •  Followthemac.com •  ISawYouSomehereAlready.com Social Engineer •  SET (Social Engineer Toolkit) integration •  Maltego Others 42
dditional Resources wnload the Global Security Report: http://www.trustwave.com/GS d our Blog: http://blog.spiderlabs.com ow us on Twitter: @SpiderLabs / @efffffn / @spookerlabs 43

Recommended

Stealth Mango and the Prevalence of Mobile Surveillanceware
Stealth Mango and the Prevalence of Mobile SurveillancewareStealth Mango and the Prevalence of Mobile Surveillanceware
Stealth Mango and the Prevalence of Mobile Surveillanceware
Priyanka Aash
 
Pwning Iot via Hardware Attacks - Chase Schultz - IoT Village - Defcon 23
Pwning Iot via Hardware Attacks - Chase Schultz - IoT Village - Defcon 23Pwning Iot via Hardware Attacks - Chase Schultz - IoT Village - Defcon 23
Pwning Iot via Hardware Attacks - Chase Schultz - IoT Village - Defcon 23
Chase Schultz
 
Anti-Forensic Rootkits
Anti-Forensic RootkitsAnti-Forensic Rootkits
Anti-Forensic Rootkits
amiable_indian
 
OSINT Black Magic: Listen who whispers your name in the dark!!!
OSINT Black Magic: Listen who whispers your name in the dark!!!OSINT Black Magic: Listen who whispers your name in the dark!!!
OSINT Black Magic: Listen who whispers your name in the dark!!!
Nutan Kumar Panda
 
Wikileaks: secure dropbox or leaking dropbox?
Wikileaks: secure dropbox or leaking dropbox?Wikileaks: secure dropbox or leaking dropbox?
Wikileaks: secure dropbox or leaking dropbox?
hackdemocracy
 
Anti forensics-techniques-for-browsing-artifacts
Anti forensics-techniques-for-browsing-artifactsAnti forensics-techniques-for-browsing-artifacts
Anti forensics-techniques-for-browsing-artifacts
gaurang17
 
LASCON 2015
LASCON 2015LASCON 2015
LASCON 2015
Clare Nelson, CISSP, CIPP-E
 
OWASP AppSec USA 2015, San Francisco
OWASP AppSec USA 2015, San FranciscoOWASP AppSec USA 2015, San Francisco
OWASP AppSec USA 2015, San Francisco
Clare Nelson, CISSP, CIPP-E
 

Recommended

Stealth Mango and the Prevalence of Mobile Surveillanceware
Stealth Mango and the Prevalence of Mobile SurveillancewareStealth Mango and the Prevalence of Mobile Surveillanceware
Stealth Mango and the Prevalence of Mobile Surveillanceware
Priyanka Aash
 
Pwning Iot via Hardware Attacks - Chase Schultz - IoT Village - Defcon 23
Pwning Iot via Hardware Attacks - Chase Schultz - IoT Village - Defcon 23Pwning Iot via Hardware Attacks - Chase Schultz - IoT Village - Defcon 23
Pwning Iot via Hardware Attacks - Chase Schultz - IoT Village - Defcon 23
Chase Schultz
 
Anti-Forensic Rootkits
Anti-Forensic RootkitsAnti-Forensic Rootkits
Anti-Forensic Rootkits
amiable_indian
 
OSINT Black Magic: Listen who whispers your name in the dark!!!
OSINT Black Magic: Listen who whispers your name in the dark!!!OSINT Black Magic: Listen who whispers your name in the dark!!!
OSINT Black Magic: Listen who whispers your name in the dark!!!
Nutan Kumar Panda
 
Wikileaks: secure dropbox or leaking dropbox?
Wikileaks: secure dropbox or leaking dropbox?Wikileaks: secure dropbox or leaking dropbox?
Wikileaks: secure dropbox or leaking dropbox?
hackdemocracy
 
Anti forensics-techniques-for-browsing-artifacts
Anti forensics-techniques-for-browsing-artifactsAnti forensics-techniques-for-browsing-artifacts
Anti forensics-techniques-for-browsing-artifacts
gaurang17
 
LASCON 2015
LASCON 2015LASCON 2015
LASCON 2015
Clare Nelson, CISSP, CIPP-E
 
OWASP AppSec USA 2015, San Francisco
OWASP AppSec USA 2015, San FranciscoOWASP AppSec USA 2015, San Francisco
OWASP AppSec USA 2015, San Francisco
Clare Nelson, CISSP, CIPP-E
 
Everything you need to know about choosing the right running shoes
Everything you need to know about choosing the right running shoesEverything you need to know about choosing the right running shoes
Everything you need to know about choosing the right running shoes
Stylight
 
Integrating Digital and Mail for Results
Integrating Digital and Mail for ResultsIntegrating Digital and Mail for Results
Integrating Digital and Mail for Results
vobenfoxboronet
 
Karya ilmiah adon
Karya ilmiah adonKarya ilmiah adon
Karya ilmiah adon
Rahmat Poliyoto
 
Msft oracle brief
Msft oracle briefMsft oracle brief
Msft oracle brief
Yury Chemerkin
 
Ijmer 46044245
Ijmer 46044245Ijmer 46044245
Ijmer 46044245
IJMER
 
Vibration control of newly designed Tool and Tool-Holder for internal treadi...
Vibration control of newly designed Tool and Tool-Holder for internal treadi...Vibration control of newly designed Tool and Tool-Holder for internal treadi...
Vibration control of newly designed Tool and Tool-Holder for internal treadi...
IJMER
 
Ijmer 46046266
Ijmer 46046266Ijmer 46046266
Ijmer 46046266
IJMER
 
Suitability of Composite Material for Flywheel Analysis
Suitability of Composite Material for Flywheel Analysis Suitability of Composite Material for Flywheel Analysis
Suitability of Composite Material for Flywheel Analysis
IJMER
 
Touring the Dark Side of Internet: A Journey through IOT, TOR & Docker
Touring the Dark Side of Internet: A Journey through IOT, TOR & DockerTouring the Dark Side of Internet: A Journey through IOT, TOR & Docker
Touring the Dark Side of Internet: A Journey through IOT, TOR & Docker
Abhinav Biswas
 
IoT security is a nightmare. But what is the real risk?
IoT security is a nightmare. But what is the real risk?IoT security is a nightmare. But what is the real risk?
IoT security is a nightmare. But what is the real risk?
Zoltan Balazs
 
Hacktivity 2016: The real risks of the IoT security-nightmare: Hacking IP cam...
Hacktivity 2016: The real risks of the IoT security-nightmare: Hacking IP cam...Hacktivity 2016: The real risks of the IoT security-nightmare: Hacking IP cam...
Hacktivity 2016: The real risks of the IoT security-nightmare: Hacking IP cam...
Zoltan Balazs
 
Exfiltrating Data through IoT
Exfiltrating Data through IoTExfiltrating Data through IoT
Exfiltrating Data through IoT
Priyanka Aash
 
technical-information-gathering-slides.pdf
technical-information-gathering-slides.pdftechnical-information-gathering-slides.pdf
technical-information-gathering-slides.pdf
MarceloCunha571649
 
Privacy and security in IoT
Privacy and security in IoTPrivacy and security in IoT
Privacy and security in IoT
Vasco Veloso
 
IoT security zigbee -- Null Meet bangalore
IoT security zigbee -- Null Meet bangaloreIoT security zigbee -- Null Meet bangalore
IoT security zigbee -- Null Meet bangalore
veerababu penugonda(Mr-IoT)
 
DEF CON 27 - D4KRM4TTER MIKE SPICER - I know what you did last summer
DEF CON 27 - D4KRM4TTER MIKE SPICER - I know what you did last summerDEF CON 27 - D4KRM4TTER MIKE SPICER - I know what you did last summer
DEF CON 27 - D4KRM4TTER MIKE SPICER - I know what you did last summer
Felipe Prado
 
Smart Bombs: Mobile Vulnerability and Exploitation
Smart Bombs: Mobile Vulnerability and ExploitationSmart Bombs: Mobile Vulnerability and Exploitation
Smart Bombs: Mobile Vulnerability and Exploitation
SecureState
 
The evolving threat in the face of increased connectivity
The evolving threat in the face of increased connectivityThe evolving threat in the face of increased connectivity
The evolving threat in the face of increased connectivity
APNIC
 
IOT Exploitation
IOT Exploitation IOT Exploitation
IOT Exploitation
Cysinfo Cyber Security Community
 
IoTNEXT 2016 - SafeNation Track
IoTNEXT 2016 - SafeNation TrackIoTNEXT 2016 - SafeNation Track
IoTNEXT 2016 - SafeNation Track
Priyanka Aash
 
Big Data Approaches to Cloud Security
Big Data Approaches to Cloud SecurityBig Data Approaches to Cloud Security
Big Data Approaches to Cloud Security
Paul Morse
 
IPv6 Security Talk mit Joe Klein
IPv6 Security Talk mit Joe KleinIPv6 Security Talk mit Joe Klein
IPv6 Security Talk mit Joe Klein
Digicomp Academy AG
 

More Related Content

Viewers also liked

Ijmer 46044245
Ijmer 46044245Ijmer 46044245
Ijmer 46044245
IJMER
 
Ijmer 46046266
Ijmer 46046266Ijmer 46046266
Ijmer 46046266
IJMER
 

Viewers also liked (8)

Everything you need to know about choosing the right running shoes
Everything you need to know about choosing the right running shoesEverything you need to know about choosing the right running shoes
Everything you need to know about choosing the right running shoes
 
Integrating Digital and Mail for Results
Integrating Digital and Mail for ResultsIntegrating Digital and Mail for Results
Integrating Digital and Mail for Results
 
Karya ilmiah adon
Karya ilmiah adonKarya ilmiah adon
Karya ilmiah adon
 
Msft oracle brief
Msft oracle briefMsft oracle brief
Msft oracle brief
 
Ijmer 46044245
Ijmer 46044245Ijmer 46044245
Ijmer 46044245
 
Vibration control of newly designed Tool and Tool-Holder for internal treadi...
Vibration control of newly designed Tool and Tool-Holder for internal treadi...Vibration control of newly designed Tool and Tool-Holder for internal treadi...
Vibration control of newly designed Tool and Tool-Holder for internal treadi...
 
Ijmer 46046266
Ijmer 46046266Ijmer 46046266
Ijmer 46046266
 
Suitability of Composite Material for Flywheel Analysis
Suitability of Composite Material for Flywheel Analysis Suitability of Composite Material for Flywheel Analysis
Suitability of Composite Material for Flywheel Analysis
 

Similar to Luiz eduardo. introduction to mobile snitch

Touring the Dark Side of Internet: A Journey through IOT, TOR & Docker
Touring the Dark Side of Internet: A Journey through IOT, TOR & DockerTouring the Dark Side of Internet: A Journey through IOT, TOR & Docker
Touring the Dark Side of Internet: A Journey through IOT, TOR & Docker
Abhinav Biswas
 
Hacktivity 2016: The real risks of the IoT security-nightmare: Hacking IP cam...
Hacktivity 2016: The real risks of the IoT security-nightmare: Hacking IP cam...Hacktivity 2016: The real risks of the IoT security-nightmare: Hacking IP cam...
Hacktivity 2016: The real risks of the IoT security-nightmare: Hacking IP cam...
Zoltan Balazs
 
IoT Software Testing Challenges: The IoT World Is Really Different
IoT Software Testing Challenges: The IoT World Is Really DifferentIoT Software Testing Challenges: The IoT World Is Really Different
IoT Software Testing Challenges: The IoT World Is Really Different
TechWell
 
Intelligent Embedded Systems (Robotics)
Intelligent Embedded Systems (Robotics)Intelligent Embedded Systems (Robotics)
Intelligent Embedded Systems (Robotics)
Adeyemi Fowe
 
Yi-Lang Tsai - Cyber Security, Threat Hunting and Defence Challenge in Taiwan...
Yi-Lang Tsai - Cyber Security, Threat Hunting and Defence Challenge in Taiwan...Yi-Lang Tsai - Cyber Security, Threat Hunting and Defence Challenge in Taiwan...
Yi-Lang Tsai - Cyber Security, Threat Hunting and Defence Challenge in Taiwan...
REVULN
 

Similar to Luiz eduardo. introduction to mobile snitch (20)

Touring the Dark Side of Internet: A Journey through IOT, TOR & Docker
Touring the Dark Side of Internet: A Journey through IOT, TOR & DockerTouring the Dark Side of Internet: A Journey through IOT, TOR & Docker
Touring the Dark Side of Internet: A Journey through IOT, TOR & Docker
 
IoT security is a nightmare. But what is the real risk?
IoT security is a nightmare. But what is the real risk?IoT security is a nightmare. But what is the real risk?
IoT security is a nightmare. But what is the real risk?
 
Hacktivity 2016: The real risks of the IoT security-nightmare: Hacking IP cam...
Hacktivity 2016: The real risks of the IoT security-nightmare: Hacking IP cam...Hacktivity 2016: The real risks of the IoT security-nightmare: Hacking IP cam...
Hacktivity 2016: The real risks of the IoT security-nightmare: Hacking IP cam...
 
Exfiltrating Data through IoT
Exfiltrating Data through IoTExfiltrating Data through IoT
Exfiltrating Data through IoT
 
technical-information-gathering-slides.pdf
technical-information-gathering-slides.pdftechnical-information-gathering-slides.pdf
technical-information-gathering-slides.pdf
 
Privacy and security in IoT
Privacy and security in IoTPrivacy and security in IoT
Privacy and security in IoT
 
IoT security zigbee -- Null Meet bangalore
IoT security zigbee -- Null Meet bangaloreIoT security zigbee -- Null Meet bangalore
IoT security zigbee -- Null Meet bangalore
 
DEF CON 27 - D4KRM4TTER MIKE SPICER - I know what you did last summer
DEF CON 27 - D4KRM4TTER MIKE SPICER - I know what you did last summerDEF CON 27 - D4KRM4TTER MIKE SPICER - I know what you did last summer
DEF CON 27 - D4KRM4TTER MIKE SPICER - I know what you did last summer
 
Smart Bombs: Mobile Vulnerability and Exploitation
Smart Bombs: Mobile Vulnerability and ExploitationSmart Bombs: Mobile Vulnerability and Exploitation
Smart Bombs: Mobile Vulnerability and Exploitation
 
The evolving threat in the face of increased connectivity
The evolving threat in the face of increased connectivityThe evolving threat in the face of increased connectivity
The evolving threat in the face of increased connectivity
 
IOT Exploitation
IOT Exploitation IOT Exploitation
IOT Exploitation
 
IoTNEXT 2016 - SafeNation Track
IoTNEXT 2016 - SafeNation TrackIoTNEXT 2016 - SafeNation Track
IoTNEXT 2016 - SafeNation Track
 
Big Data Approaches to Cloud Security
Big Data Approaches to Cloud SecurityBig Data Approaches to Cloud Security
Big Data Approaches to Cloud Security
 
IPv6 Security Talk mit Joe Klein
IPv6 Security Talk mit Joe KleinIPv6 Security Talk mit Joe Klein
IPv6 Security Talk mit Joe Klein
 
OSINT tools for security auditing [FOSDEM edition]
OSINT tools for security auditing [FOSDEM edition] OSINT tools for security auditing [FOSDEM edition]
OSINT tools for security auditing [FOSDEM edition]
 
IoT Software Testing Challenges: The IoT World Is Really Different
IoT Software Testing Challenges: The IoT World Is Really DifferentIoT Software Testing Challenges: The IoT World Is Really Different
IoT Software Testing Challenges: The IoT World Is Really Different
 
Android Hacking
Android HackingAndroid Hacking
Android Hacking
 
Getting Started with Splunk Enterprise
Getting Started with Splunk EnterpriseGetting Started with Splunk Enterprise
Getting Started with Splunk Enterprise
 
Intelligent Embedded Systems (Robotics)
Intelligent Embedded Systems (Robotics)Intelligent Embedded Systems (Robotics)
Intelligent Embedded Systems (Robotics)
 
Yi-Lang Tsai - Cyber Security, Threat Hunting and Defence Challenge in Taiwan...
Yi-Lang Tsai - Cyber Security, Threat Hunting and Defence Challenge in Taiwan...Yi-Lang Tsai - Cyber Security, Threat Hunting and Defence Challenge in Taiwan...
Yi-Lang Tsai - Cyber Security, Threat Hunting and Defence Challenge in Taiwan...
 

More from Yury Chemerkin

Security Vulnerability Notice SE-2012-01-PUBLIC [Security vulnerabilities in ...
Security Vulnerability Notice SE-2012-01-PUBLIC [Security vulnerabilities in ...Security Vulnerability Notice SE-2012-01-PUBLIC [Security vulnerabilities in ...
Security Vulnerability Notice SE-2012-01-PUBLIC [Security vulnerabilities in ...
Yury Chemerkin
 
Red october. detailed malware description
Red october. detailed malware descriptionRed october. detailed malware description
Red october. detailed malware description
Yury Chemerkin
 
Comment crew indicators of compromise
Comment crew indicators of compromiseComment crew indicators of compromise
Comment crew indicators of compromise
Yury Chemerkin
 
Appendix g iocs readme
Appendix g iocs readmeAppendix g iocs readme
Appendix g iocs readme
Yury Chemerkin
 
Appendix f (digital) ssl certificates
Appendix f (digital) ssl certificatesAppendix f (digital) ssl certificates
Appendix f (digital) ssl certificates
Yury Chemerkin
 
Appendix e (digital) md5s
Appendix e (digital) md5sAppendix e (digital) md5s
Appendix e (digital) md5s
Yury Chemerkin
 
Appendix d (digital) fqd ns
Appendix d (digital) fqd nsAppendix d (digital) fqd ns
Appendix d (digital) fqd ns
Yury Chemerkin
 
6071f3f4 40e6-4c7b-8868-3b0b21a9f601
6071f3f4 40e6-4c7b-8868-3b0b21a9f6016071f3f4 40e6-4c7b-8868-3b0b21a9f601
6071f3f4 40e6-4c7b-8868-3b0b21a9f601
Yury Chemerkin
 
Zane lackey. security at scale. web application security in a continuous depl...
Zane lackey. security at scale. web application security in a continuous depl...Zane lackey. security at scale. web application security in a continuous depl...
Zane lackey. security at scale. web application security in a continuous depl...
Yury Chemerkin
 
Windows 8. important considerations for computer forensics and electronic dis...
Windows 8. important considerations for computer forensics and electronic dis...Windows 8. important considerations for computer forensics and electronic dis...
Windows 8. important considerations for computer forensics and electronic dis...
Yury Chemerkin
 
The stuxnet computer worm. harbinger of an emerging warfare capability
The stuxnet computer worm. harbinger of an emerging warfare capabilityThe stuxnet computer worm. harbinger of an emerging warfare capability
The stuxnet computer worm. harbinger of an emerging warfare capability
Yury Chemerkin
 
Stuxnet. analysis, myths, realities
Stuxnet. analysis, myths, realitiesStuxnet. analysis, myths, realities
Stuxnet. analysis, myths, realities
Yury Chemerkin
 
Stuxnet redux. malware attribution & lessons learned
Stuxnet redux. malware attribution & lessons learnedStuxnet redux. malware attribution & lessons learned
Stuxnet redux. malware attribution & lessons learned
Yury Chemerkin
 
Sophos ransom ware fake antivirus
Sophos ransom ware fake antivirusSophos ransom ware fake antivirus
Sophos ransom ware fake antivirus
Yury Chemerkin
 
Six months later – a report card on google’s demotion of pirate sites
Six months later – a report card on google’s demotion of pirate sitesSix months later – a report card on google’s demotion of pirate sites
Six months later – a report card on google’s demotion of pirate sites
Yury Chemerkin
 
Security in the cloud planning guide
Security in the cloud planning guideSecurity in the cloud planning guide
Security in the cloud planning guide
Yury Chemerkin
 
Security configuration recommendations for apple i os 5 devices
Security configuration recommendations for apple i os 5 devicesSecurity configuration recommendations for apple i os 5 devices
Security configuration recommendations for apple i os 5 devices
Yury Chemerkin
 
Render man. hacker + airplanes = no good can come of this
Render man. hacker + airplanes = no good can come of thisRender man. hacker + airplanes = no good can come of this
Render man. hacker + airplanes = no good can come of this
Yury Chemerkin
 
Mario heiderich. got your nose! how to steal your precious data without using...
Mario heiderich. got your nose! how to steal your precious data without using...Mario heiderich. got your nose! how to steal your precious data without using...
Mario heiderich. got your nose! how to steal your precious data without using...
Yury Chemerkin
 

More from Yury Chemerkin (20)

Security Vulnerability Notice SE-2012-01-PUBLIC [Security vulnerabilities in ...
Security Vulnerability Notice SE-2012-01-PUBLIC [Security vulnerabilities in ...Security Vulnerability Notice SE-2012-01-PUBLIC [Security vulnerabilities in ...
Security Vulnerability Notice SE-2012-01-PUBLIC [Security vulnerabilities in ...
 
Red october. detailed malware description
Red october. detailed malware descriptionRed october. detailed malware description
Red october. detailed malware description
 
Comment crew indicators of compromise
Comment crew indicators of compromiseComment crew indicators of compromise
Comment crew indicators of compromise
 
Appendix g iocs readme
Appendix g iocs readmeAppendix g iocs readme
Appendix g iocs readme
 
Appendix f (digital) ssl certificates
Appendix f (digital) ssl certificatesAppendix f (digital) ssl certificates
Appendix f (digital) ssl certificates
 
Appendix e (digital) md5s
Appendix e (digital) md5sAppendix e (digital) md5s
Appendix e (digital) md5s
 
Appendix d (digital) fqd ns
Appendix d (digital) fqd nsAppendix d (digital) fqd ns
Appendix d (digital) fqd ns
 
6071f3f4 40e6-4c7b-8868-3b0b21a9f601
6071f3f4 40e6-4c7b-8868-3b0b21a9f6016071f3f4 40e6-4c7b-8868-3b0b21a9f601
6071f3f4 40e6-4c7b-8868-3b0b21a9f601
 
Jp3 13
Jp3 13Jp3 13
Jp3 13
 
Zane lackey. security at scale. web application security in a continuous depl...
Zane lackey. security at scale. web application security in a continuous depl...Zane lackey. security at scale. web application security in a continuous depl...
Zane lackey. security at scale. web application security in a continuous depl...
 
Windows 8. important considerations for computer forensics and electronic dis...
Windows 8. important considerations for computer forensics and electronic dis...Windows 8. important considerations for computer forensics and electronic dis...
Windows 8. important considerations for computer forensics and electronic dis...
 
The stuxnet computer worm. harbinger of an emerging warfare capability
The stuxnet computer worm. harbinger of an emerging warfare capabilityThe stuxnet computer worm. harbinger of an emerging warfare capability
The stuxnet computer worm. harbinger of an emerging warfare capability
 
Stuxnet. analysis, myths, realities
Stuxnet. analysis, myths, realitiesStuxnet. analysis, myths, realities
Stuxnet. analysis, myths, realities
 
Stuxnet redux. malware attribution & lessons learned
Stuxnet redux. malware attribution & lessons learnedStuxnet redux. malware attribution & lessons learned
Stuxnet redux. malware attribution & lessons learned
 
Sophos ransom ware fake antivirus
Sophos ransom ware fake antivirusSophos ransom ware fake antivirus
Sophos ransom ware fake antivirus
 
Six months later – a report card on google’s demotion of pirate sites
Six months later – a report card on google’s demotion of pirate sitesSix months later – a report card on google’s demotion of pirate sites
Six months later – a report card on google’s demotion of pirate sites
 
Security in the cloud planning guide
Security in the cloud planning guideSecurity in the cloud planning guide
Security in the cloud planning guide
 
Security configuration recommendations for apple i os 5 devices
Security configuration recommendations for apple i os 5 devicesSecurity configuration recommendations for apple i os 5 devices
Security configuration recommendations for apple i os 5 devices
 
Render man. hacker + airplanes = no good can come of this
Render man. hacker + airplanes = no good can come of thisRender man. hacker + airplanes = no good can come of this
Render man. hacker + airplanes = no good can come of this
 
Mario heiderich. got your nose! how to steal your precious data without using...
Mario heiderich. got your nose! how to steal your precious data without using...Mario heiderich. got your nose! how to steal your precious data without using...
Mario heiderich. got your nose! how to steal your precious data without using...
 

Recently uploaded

TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
panagenda
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Safe Software
 

Recently uploaded (20)

AI+A11Y 11MAY2024 HYDERBAD GAAD 2024 - HelloA11Y (11 May 2024)
AI+A11Y 11MAY2024 HYDERBAD GAAD 2024 - HelloA11Y (11 May 2024)AI+A11Y 11MAY2024 HYDERBAD GAAD 2024 - HelloA11Y (11 May 2024)
AI+A11Y 11MAY2024 HYDERBAD GAAD 2024 - HelloA11Y (11 May 2024)
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challenges
 
Introduction to use of FHIR Documents in ABDM
Introduction to use of FHIR Documents in ABDMIntroduction to use of FHIR Documents in ABDM
Introduction to use of FHIR Documents in ABDM
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot ModelMcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
 
Six Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal OntologySix Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal Ontology
 
JohnPollard-hybrid-app-RailsConf2024.pptx
JohnPollard-hybrid-app-RailsConf2024.pptxJohnPollard-hybrid-app-RailsConf2024.pptx
JohnPollard-hybrid-app-RailsConf2024.pptx
 
WSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering DevelopersWSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering Developers
 
Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 

Luiz eduardo. introduction to mobile snitch

  • 1. Mobile Snitch CONFidence 2012 Pre Luiz Eduar le(at)trus
  • 2. genda Intro Motivations Current “issue” Profiling Mitigation Tips Future 2
  • 3. whois Luiz Eduardo Head of SpiderLabs LAC Knows a thing or two about WiFi Conference organizer (YSTS & SilverBullet) Amateur photographer le/at/ trustwave /dot/ com @effffn 3
  • 4. whois Rodrigo Montoro curity Researcher at Trustwave/Spiderlabs •  Intrusion Detection System Rules •  New ways to detect malicious activities •  Patent Pending Author for methodology to discover malicious digital files eaker •  Toorcon, SecTor, .FISL, Conisli, CNASI , OWASP Appsec Brazil, H2HC (São Paulo and México) under Malwares-BR Group / Webcast Localthreats under and Coordinator ort Brazilian Community •  Snort Rules Library for Brazilian Malwares 4
  • 5. ustwave SpiderLabs ® wave SpiderLabs uses real-world and innovative security research to improve wave products, and provides unmatched expertise and intelligence to customers. REATS PROTECTI al-World Custome covered Product Response and Investigation (R&I) Analysis and Testing (A&T) Research and Development (R&D) earned Partner 5
  • 6. oals of this Talk nformation about the data your mobile devices broadcast Possible implications of that Raise awareness of public in general in regards to mobile privacy 6
  • 7. otivations revious WiFi Research ons of travel lient-side / targeted attacks and Malware rending ery initial thoughts of this talk presented at ayThreat 2011 very very initial WiFi-based devices location at oorCon Seattle 2008) 7
  • 9. efinitive Goal Ability to fingerprint a PERSON based on the information given by heir mobile device(s) Passive information gathering of •  Automatic “LAN/Internal” protocols •  Non-encrypted traffic analysis (security flaws / features / non- confidential info) 9
  • 10. urrent “issue” Massive adoption of mobile devices Usability vs. Security •  Networking Protocols •  Broadcast / Multicast (and basic WiFi operation) •  And… 10
  • 11. YOD 11
  • 12. YO(B)D i Security as we know it •  protect the infrastructure •  protect the user, once it’s in the protected network the newER buzzword: BYOD Security , doesn’t solve the privacy issue 12
  • 14. can haz ZeroConfig Used by most mobile devices Discovery, Announcement & Integration with (mostly) home devic •  Multimedia products •  IP Cameras •  Printers Yet, always on and automatic ro configuration networking allows devices such as mputers and printers to connect to a network automatical hout zeroconf, a network administrator must set up services…” 14
  • 15. eroConfig Protocols mDNS UPnP SSDP (Simple Service Discovery Protocol) SLP (Service Location Protocol) 15
  • 17. DNS is evil then? 17
  • 18. o, how does it work? ata Acquisition (Passive) ilters Profile Creation ompare with Existing Info •  Domain Request Info •  First Search –  Internet Search •  IP / Geolocation –  Applications (Netbios / Services) •  Locations (collection) hird Party •  Contacts •  Arp Poisoning •  Company info •  Extra pcaps •  Personal Network •  Info correlation •  Softwares •  Additional Internet Search •  etc 18
  • 19. ata Acquisition (mdns - multicast 19
  • 20. dns query 20
  • 21. dns “passive port scan” 21
  • 22. ata Acquisition (Netbios - Broadcast) 22
  • 25. mdns we trust … cure $ perl snitch.pl rodrigo-montoro-ipad-iphone.pcap ### Mobile Snitch ##### ### Analyzing File: rodrigo-montoro-ipad-iphone.pcap ### Tool by @effffn and @spookerlabs et Number: 596 Address: 5c:59:48:45:db:fb e Info: Rodrigo-Montoro.local,Rodrigo-Montoro.local 25
  • 26. rst Search e Info: Rodrigo-Montoro.local,Rodrigo-Montoro.local ating to Google (or any other search tool) go Montoro inurl:facebook.com go Montoro inurl:linkedin.com go Montoro inurl:twitter.com e images go+Montoro ro Rodrigo ro y other Google search for that matter. 26
  • 27. 27
  • 28. ut …. 28
  • 29. odrigo is not that famous (yet)… 29
  • 30. o we could use third-party info ARP Spoofing New pcaps n depth request analysis •  http objects rebuild (oh yeah) •  Plain-text request •  Who wants a cookie ? •  Usernames (we don’t want passwords .. At least, not now ) •  GeoIP / Domains •  SSIDs databases •  Image EXIF info 30
  • 31. p Spoofing Difficult level: -10 # arpspoof –i eth0 192.168.0.1 * Don’t forget to enable ip_forwa 31
  • 32. ew pcaps Cloudshark Pcapr Sniffing random locations Create an online repository ? 32
  • 33. tp objects rebuilt - the secrets uthToken":"name:hpVy","distance": irstName":”Rodrigo","formattedName":”Rodrigo ntoro","headline":”Nerds at iderlabs","id":”1337","lastName":”Montoro","picture":htt media.linkedin.com/mpr/mpr/shrink_80_80/p/ 00/13/ al.jpg,"hasPicture":true,"twitter":”spookerlabs"} 33
  • 34. r-Agents (-e http.user_agent http.request.method == GET) a/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.11 (KHTML, like Gecko) Chrome/17.0.963.83 Saf 1 a/5.0 (Macintosh; U; Intel Mac OS X 10_6_7; en-us) AppleWebKit/533.21.1 (KHTML, like Gecko) Vers Safari/533.21.1 ivial/5.810 a/5.0 (iPad; CPU OS 5_0_1 like Mac OS X) AppleWebKit/534.46 (KHTML, like Gecko) Mobile/9A405 rForBlackBerry/2.1.0.28 (BlackBerry; U; BlackBerry 9300; es) Version/5.0.0.846 a/5.0 (Linux; U; Android 2.1-update1; es-ar; U20a Build/2.1.1.A.0.6) AppleWebKit/530.17 (KHTML, li ) Version/4.0 Mobile Safari/530.17 [FBAN/FB4A;FBAV/1.8.4;FBDM/ ity=0.75,width=320,height=240};FBLC/es_AR;FB_FW/1;FBCR/CLARO;FBPN/com.facebook.katana;FB FBSV/2.1-update1;] 34
  • 35. e are the good guys … /var/log/snort/alert | grep "[**" | sort | uniq -c | sort -nr [**] [1:100000236:2] GPL CHAT Jabber/Google Talk Incoming Message [**] [**] [1:100000233:2] GPL CHAT Jabber/Google Talk Outgoing Message [**] [**] [1:2010785:4] ET CHAT Facebook Chat (buddy list) [**] [**] [1:2100538:17] GPL NETBIOS SMB IPC$ unicode share access [**] [**] [1:2014473:2] ET INFO JAVA - Java Archive Download By Vulnerable Client [**] [**] [1:2012648:3] ET POLICY Dropbox Client Broadcasting [**] [**] [1:2011582:19] ET POLICY Vulnerable Java Version 1.6.x Detected [**] [**] [1:2006380:12] ET POLICY Outgoing Basic Auth Base64 HTTP Password detected unencrypted [**] [1:2002878:6] ET POLICY iTunes User Agent [**] [**] [1:100000230:2] GPL CHAT MISC Jabber/Google Talk Outgoing Traffic [**] 35
  • 36. erson “MACnification” Mac Address sername ictures acebook inkedin witter ocations ompany oftwares xtras nfected ? 36
  • 37. ext time we meet… 37
  • 38. Mitigation” Tips Name the device: Never use your name / last name in your device Careful where you use your mobile Turn off WiFi (BlueTooth and etc) when not using it Bonus!) Consider removing some SSID entries from your device… but why? 38
  • 39. onus! : Bring Your Own Probe Request Bluetooth 39
  • 40. sconnected Devices & SSIDs Company People SSN #s Hotel School Event Airport Lounges … and Free Public WiFi 40
  • 41. areful with the New Features t might affect (event more) your privacy…. 41
  • 42. uture … Website for profile feed collaboration? •  Macprofiling.com •  Whoisthismac.com •  Followthemac.com •  ISawYouSomehereAlready.com Social Engineer •  SET (Social Engineer Toolkit) integration •  Maltego Others 42
  • 43. dditional Resources wnload the Global Security Report: http://www.trustwave.com/GS d our Blog: http://blog.spiderlabs.com ow us on Twitter: @SpiderLabs / @efffffn / @spookerlabs 43