Observa(on & Empirical Research. Advanced Persistent Threats & Social Engineering. Observa(on of complex systems

Size: px

Start display at page:

Download "Observa(on & Empirical Research. Advanced Persistent Threats & Social Engineering. Observa(on of complex systems"

Doreen Greene
8 years ago
Views:

1 17/03/15 Advanced Persistent Threats & Social Engineering SBA Research & Vienna University of Technology Edgar R. Weippl Observa(on & Empirical Research Observa(on of complex systems 1

2 Impact Real- World Problems NYT, By David E. Sanger and Nicole Perlroth February 14,

3 17/03/15 Empirical Research Dropbox Mar(n Mulazzani, Sebas(an SchriDwieser, Manuel Leithner, Markus Huber, and Edgar R. Weippl. Dark clouds on the horizon: Using cloud storage as adack vector and online slack space. USENIX Security, 8/2011. WhatsApp Sebas(an SchriDwieser, Peter Fruehwirt, Peter Kieseberg, Manuel Leithner, Mar(n Mulazzani, Markus Huber, and Edgar R. Weippl. Guess who is texfng you? evalua(ng the security of smartphone messaging applica(ons. In Network and Distributed System Security Symposium (NDSS 2012), Feb Amazon Amir Herzberg and Haya Shulman and Johanna Ullrich and Edgar R. Weippl, Cloudoscopy: Services Discovery and Topology Mapping, in Proceedings of the ACM Cloud Compu(ng Security Workshop (CCSW) at ACM CCS 2013, Facebook Markus Huber, Sebas(an SchriDwieser, Mar(n Mulazzani, and Edgar Weippl. Appinspect: Large- scale evaluafon of social networking apps. In ACM Conference on Online Social Networks (COSN), Tor Philipp Winter and Richard Koewer and Mar(n Mulazzani and Markus Huber and Sebas(an SchriDwieser and Stefan Lindskog and Edgar R. Weippl, Spoiled Onions: Exposing Malicious Tor Exit Relays, in Proceedings of the 14th Privacy Enhancing Technologies Symposium, 2014 GSM Adrian Dabrowski, Nicola Pianta, Thomas Klepp, Mar(n Mulazzani, and Edgar R. Weippl, IMSI- Catch Me If You Can: IMSI- Catcher- Catchers in Proceedings of ACSAC, 2014 Apple TwiDer ipdad iphone Mac Cool handle Digital Na(ves Google To buy stuﬀ Amazon 1: Backup unknown 4: forgot PW? Support asks for: 2: Google 6: Add new CC: 9: Post nonsense to TwiDer Billing address 3: Backup: m n@me.com , CC (fake) Billing address Last 4 digits of CC 8: Devices iphone ipad Mac 5: Whois: Address 7: forgot PW? You need: , CC info Billing address Last 4 digits of other CCs are visible Slide by Christian Platzer, ISecLab, Vienna University of Technology 3

4 AppInspect: Large- scale Evalua(on of Social Networking Apps Social networks act as proxies between user and third- party providers Personal informa(on is transferred to providers App providers themselves rely on third- parfes (analy(cs, adver(sing products) Custom hosfng infrastructures Approval of apps with authenfcafon dialog System Architecture for Data Collec(on 4

5 Enumera(on Exhaus(ve search in June 2012 with character trigrams 434,687 unique applica(ons in two weeks Main obstacle: Facebook account rate limits Most Popular Apps 10,624 most popular app, 94.07% of samples cumula(ve applica(on usage Language: English (64.72%), 69 different languages 5

6 Permissions per Provider 4,747 applica(ons belonged to 1,646 dis(nct providers 60.24% of all providers requested personal address Suspicious Apps 40 providers requested more than 10 permissions 139 web tracking / adver(sing providers used Manually verified requested permissions vs. app func(onality Legi(mate uses da(ng and job hun(ng applica(ons XBOX applica(on (not available anymore) Malprac(ces Horoscopo Diario, 2.5 million monthly users Would only require birthdate, 25 different permissions Wisdom of the Buddha etc. 6

7 Informa(on Leaks 315 apps directly transferred sensi(ve informa(on (via HTTP parameter) Informa(on Leaks 51 applica(ons leaked unique user iden(fiers (HTTP Referrer) 14 out of these 51 applica(ons also leaked API authoriza(on tokens 7

8 Facebook Summary Reported our findings to Facebook in November 2012 Facebook responded within one week Skype mee(ngs with Facebook Facebook acknowledged problems and contacted developers Fixed in May 2013 Security and privacy implica(ons Since January 2010 unproxied access to address 60% of applica(on developers request address Social phishing, context- aware spam Users trackable with real name Hos(ng Number of hosts possible vulnerable FTP/SSH bruteforce Amazon EC2 community images Data Deduplica(on At the server Same file only stored once Save storage space at server At the client Calculate hash or other digest Reduce communica(on 8

9 Hash manipulafon Stolen Host ID ADacks Direct Up- /Download Uploading without linking Simple HTTPS request hdps://dl- clientxx.dropbox.com/ store 1. Steal hashes 4. Download all files of the victim 3. Link hashes with fake client 2. Send hashes to Attacker Attackers PC Victim using Dropbox Solu(ons Anermath Dropbox fixed the flaws Host ID is now encrypted No more client- side deduplica(on Proof of ownership Take down no(ce 9

10 Authen(ca(on Viber, WhatsApp, fring, GupShup, hike, KakaoTalk, Line, ChatOn, textplus and WeChat Man- in- the- Middle 10

11 WhatsApp in 2012 Forfone (Iphone + Android) 11

12 Spoofing Forfone WowTalk 12

13 XMS, JaxtrSMS (Android,!Iphone) LegiFmate Registering Spoofing Enumera(on ADack 13

14 Enumera(on ADack Status Messages 14

15 Results 2012 Re- Evalua(on

16 17/03/15 Empirical Research Dropbox Mar(n Mulazzani, Sebas(an SchriDwieser, Manuel Leithner, Markus Huber, and Edgar R. Weippl. Dark clouds on the horizon: Using cloud storage as adack vector and online slack space. USENIX Security, 8/2011. WhatsApp Sebas(an SchriDwieser, Peter Fruehwirt, Peter Kieseberg, Manuel Leithner, Mar(n Mulazzani, Markus Huber, and Edgar R. Weippl. Guess who is texfng you? evalua(ng the security of smartphone messaging applica(ons. In Network and Distributed System Security Symposium (NDSS 2012), Feb Markus Huber, Sebas(an SchriDwieser, Mar(n Mulazzani, and Edgar Weippl. Appinspect: Large- scale evaluafon of social networking apps. In ACM Conference on Online Social Networks (COSN), Tor Philipp Winter and Richard Koewer and Mar(n Mulazzani and Markus Huber and Sebas(an SchriDwieser and Stefan Lindskog and Edgar R. Weippl, Spoiled Onions: Exposing Malicious Tor Exit Relays, in Proceedings of the 14th Privacy Enhancing Technologies Symposium, 2014 Facebook Amazon Amir Herzberg and Haya Shulman and Johanna Ullrich and Edgar R. Weippl, Cloudoscopy: Services Discovery and Topology Mapping, in Proceedings of the ACM Cloud Compu(ng Security Workshop (CCSW) at ACM CCS 2013, GSM Adrian Dabrowski, Nicola Pianta, Thomas Klepp, Mar(n Mulazzani, and Edgar R. Weippl, IMSI- Catch Me If You Can: IMSI- Catcher- Catchers in Proceedings of ACSAC, 2014 Upcoming Conferences Sacmat 2015 hdp:// ARES 2015 hdp:// conference.eu/conf/ Esorics 2015 hdp://esorics2015.sba- research.org/ ACM CCS

17 17/03/15 Past Conferences 2014 GI Sicherheit 2014 hdp://sicherheit2014.sba- research.org/ DB Sec 2014 hdp://dbsec2014.sba- research.org/ IFIP WG 11.9 Interna(onal Conference on Digital Forensics research.org research.org 17

EHR: System Architecture and Systems Security An Analysis of Interdependencies. SBA Research & Vienna University of Technology Edgar R.

EHR: System Architecture and Systems Security An Analysis of Interdependencies SBA Research & Vienna University of Technology Edgar R. Weippl Typical Security Errors in Large-Scale Systems SBA Research