17/03/15

Advanced Persistent Threats & Social Engineering
SBA Research & Vienna University of Technology
Edgar R. Weippl

Observation & Empirical Research
Observation of complex systems

Impact: Real-World Problems
NYT, by David E. Sanger and Nicole Perlroth, February 14, 2015
Empirical Research

Dropbox: Martin Mulazzani, Sebastian Schrittwieser, Manuel Leithner, Markus Huber, and Edgar R. Weippl. Dark clouds on the horizon: Using cloud storage as attack vector and online slack space. USENIX Security, 8/2011.
WhatsApp: Sebastian Schrittwieser, Peter Fruehwirt, Peter Kieseberg, Manuel Leithner, Martin Mulazzani, Markus Huber, and Edgar R. Weippl. Guess who is texting you? Evaluating the security of smartphone messaging applications. In Network and Distributed System Security Symposium (NDSS 2012), Feb 2012.
Amazon: Amir Herzberg, Haya Shulman, Johanna Ullrich, and Edgar R. Weippl. Cloudoscopy: Services Discovery and Topology Mapping. In Proceedings of the ACM Cloud Computing Security Workshop (CCSW) at ACM CCS 2013, 2013.
Facebook: Markus Huber, Sebastian Schrittwieser, Martin Mulazzani, and Edgar Weippl. AppInspect: Large-scale evaluation of social networking apps. In ACM Conference on Online Social Networks (COSN), 2013.
Tor: Philipp Winter, Richard Koewer, Martin Mulazzani, Markus Huber, Sebastian Schrittwieser, Stefan Lindskog, and Edgar R. Weippl. Spoiled Onions: Exposing Malicious Tor Exit Relays. In Proceedings of the 14th Privacy Enhancing Technologies Symposium, 2014.
GSM: Adrian Dabrowski, Nicola Pianta, Thomas Klepp, Martin Mulazzani, and Edgar R. Weippl. IMSI-Catch Me If You Can: IMSI-Catcher-Catchers. In Proceedings of ACSAC, 2014.

[Diagram (slide by Christian Platzer, ISecLab, Vienna University of Technology): account-takeover chain across Apple, Google, Amazon and Twitter. Labels: email; iPad, iPhone, Mac; "cool handle"; "digital natives"; "to buy stuff". Steps: 1: backup email unknown; 2: Google m..n@gmail.com; 3: backup: m n@me.com; 4: forgot PW? support asks for email, CC (fake), billing address, last 4 digits of CC; 5: Whois: address; 6: add new CC; 7: forgot PW? you need email, CC info, billing address; last 4 digits of other CCs are visible; 8: devices: iPhone, iPad, Mac; 9: post nonsense to Twitter.]
AppInspect: Large-scale Evaluation of Social Networking Apps
- Social networks act as proxies between users and third-party providers
- Personal information is transferred to providers
- App providers themselves rely on third parties (analytics, advertising products)
- Custom hosting infrastructures
- Approval of apps with authentication dialog
System Architecture for Data Collection

Enumeration
- Exhaustive search in June 2012 with character trigrams
- 434,687 unique applications in two weeks
- Main obstacle: Facebook account rate limits
Most Popular Apps
- 10,624 most popular apps: 94.07% of the sampled cumulative application usage
- Language: English (64.72%), 69 different languages

Permissions per Provider
- 4,747 applications belonged to 1,646 distinct providers
- 60.24% of all providers requested the personal email address
Suspicious Apps
- 40 providers requested more than 10 permissions
- 139 web tracking / advertising providers used
- Manually verified requested permissions vs. app functionality
Legitimate uses
- Dating and job hunting applications
- XBOX application (not available anymore)
Malpractices
- Horoscopo Diario, 2.5 million monthly users: would only require the birthdate, requests 25 different permissions
- Wisdom of the Buddha etc.

Information Leaks
- 315 apps directly transferred sensitive information (via HTTP parameter)
- 51 applications leaked unique user identifiers (HTTP Referrer)
- 14 out of these 51 applications also leaked API authorization tokens
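The two leak channels on this slide (identifiers placed in a request parameter, and identifiers carried along in the Referer header of a request to a third party) can be audited mechanically from an app's outbound traffic. The following Python is an added example written for this page, not code from the AppInspect project: it parses the query string of each request URL and of its Referer, flags parameters whose names carry user identifiers or API tokens, and counts only requests that leave the app's own hosts. The parameter-name list, the first-party host set and the sample requests are all constructed assumptions.

```python
from urllib.parse import urlsplit, parse_qsl

# Parameter names taken to carry user identifiers or API credentials (assumed list)
SENSITIVE_PARAMS = {"uid", "user_id", "fb_uid", "email",
                    "access_token", "oauth_token", "signed_request"}
TOKEN_PARAMS = {"access_token", "oauth_token", "signed_request"}

# Hosts that belong to the app itself (assumed); traffic to them is not a third-party leak
FIRST_PARTY = {"app.example.test"}

# Constructed sample of an app's outbound requests, as a proxy or HAR export would show them
SAMPLE_REQUESTS = [
    # user id sent to an ad network inside the request URL (parameter leak)
    {"url": "https://ads.example-tracker.test/imp?site=42&uid=100012345"},
    # tracking pixel fetched from a canvas page whose URL carries id and token (Referer leak)
    {"url": "https://pixel.example-analytics.test/p.gif?v=1",
     "referer": "https://app.example.test/canvas?fb_uid=100012345&access_token=CONSTRUCTED_TOKEN"},
    # same values sent to the app's own backend: first party, not counted
    {"url": "https://app.example.test/api?uid=100012345&access_token=CONSTRUCTED_TOKEN"},
    # harmless static asset
    {"url": "https://cdn.example-static.test/lib.js?v=3"},
]


def extract_leaks(requests, first_party_hosts):
    """One finding per sensitive parameter that reaches a third-party host,
    whether it sits in the request URL ("parameter") or in the Referer ("referer")."""
    findings = []
    for req in requests:
        dest = urlsplit(req["url"]).hostname
        if dest in first_party_hosts:
            continue
        for channel, url in (("parameter", req["url"]), ("referer", req.get("referer", ""))):
            if not url:
                continue
            for name, _value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
                if name.lower() in SENSITIVE_PARAMS:
                    findings.append({"host": dest, "channel": channel, "param": name.lower()})
    return findings


def summarize(findings):
    """Number of distinct third-party hosts per channel, plus the hosts that received a token."""
    by_channel = {}
    token_hosts = set()
    for f in findings:
        by_channel.setdefault(f["channel"], set()).add(f["host"])
        if f["param"] in TOKEN_PARAMS:
            token_hosts.add(f["host"])
    return {ch: len(hosts) for ch, hosts in by_channel.items()}, token_hosts


if __name__ == "__main__":
    found = extract_leaks(SAMPLE_REQUESTS, FIRST_PARTY)
    for f in found:
        print(f"{f['channel']:9} {f['param']:13} -> {f['host']}")
    print(summarize(found))
```

The Referer check is the one that catches the second slide bullet: the app never sends the token to the analytics host on purpose, the browser does so on its behalf because the token is part of the page URL. Keeping identifiers out of page URLs (POST bodies, fragments, or server-side session state instead) closes both channels at once.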
Facebook Summary
- Reported our findings to Facebook in November 2012
- Facebook responded within one week
- Skype meetings with Facebook
- Facebook acknowledged the problems and contacted developers
- Fixed in May 2013
Security and privacy implications
- Since January 2010 unproxied access to the email address
- 60% of application developers request the email address
- Social phishing, context-aware spam
- Users trackable with real name
Hosting
- Number of hosts possibly vulnerable
- FTP/SSH brute force
- Amazon EC2 community images

Data Deduplication
At the server
- Same file only stored once
- Saves storage space at the server
At the client
- Calculate hash or other digest
- Reduces communication

Hash manipulation
Stolen Host ID
Attacks
- Direct up-/download
- Uploading without linking
- Simple HTTPS request: https://dl-clientxx.dropbox.com/store
[Diagram: attacker's PC and victim using Dropbox. 1. Steal hashes; 2. Send hashes to attacker; 3. Link hashes with fake client; 4. Download all files of the victim.]
Solutions / Aftermath
- Dropbox fixed the flaws
- Host ID is now encrypted
- No more client-side deduplication
- Proof of ownership
- Take-down notice
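The deduplication slide explains why client-side dedup saves bandwidth, and this slide shows its consequence: when the digest alone is accepted as the upload, the digest becomes a capability to read the file. The "proof of ownership" item under Solutions is the fix, and the following Python, an added example written for this page and not Dropbox's code, contrasts the two behaviours on a toy server. The weak link_by_hash path links a stored blob to any account that knows its digest; the hardened path hands out a fresh nonce and links only if the client returns an HMAC computed over the actual file bytes. The full-file HMAC is a simplification chosen for this example (deployed schemes typically prove knowledge of sampled blocks instead); the file content and account names are constructed.

```python
import hashlib
import hmac
import secrets


class DedupServer:
    """Toy content-addressed store: blobs are kept once, accounts hold links to them."""

    def __init__(self):
        self.blobs = {}     # digest -> file bytes
        self.accounts = {}  # account -> set of digests the account may download
        self.pending = {}   # (account, digest) -> outstanding challenge nonce

    def upload(self, account, data):
        digest = hashlib.sha256(data).hexdigest()
        self.blobs[digest] = data  # stored once regardless of how many accounts link it
        self.accounts.setdefault(account, set()).add(digest)
        return digest

    def link_by_hash(self, account, digest):
        """Weak scheme: knowing the digest is enough to have the blob linked."""
        if digest not in self.blobs:
            return False
        self.accounts.setdefault(account, set()).add(digest)
        return True

    def challenge(self, account, digest):
        """Hardened scheme, step 1: issue a fresh nonce for this (account, digest)."""
        if digest not in self.blobs:
            return None  # unknown content, the client has to upload it
        nonce = secrets.token_bytes(16)
        self.pending[(account, digest)] = nonce
        return nonce

    def link_with_proof(self, account, digest, proof):
        """Hardened scheme, step 2: link only if the proof was computed over the real bytes.
        The nonce is single-use, so a captured proof cannot be replayed."""
        nonce = self.pending.pop((account, digest), None)
        if nonce is None:
            return False
        expected = hmac.new(nonce, self.blobs[digest], hashlib.sha256).digest()
        if not hmac.compare_digest(expected, proof):
            return False
        self.accounts.setdefault(account, set()).add(digest)
        return True

    def download(self, account, digest):
        if digest in self.accounts.get(account, set()):
            return self.blobs[digest]
        return None


def client_proof(nonce, data):
    """What an honest client computes: HMAC keyed by the server nonce over the whole file."""
    return hmac.new(nonce, data, hashlib.sha256).digest()


def demo():
    # Constructed sample: the victim's file, and a second party who learned only its digest
    victim_file = b"quarterly numbers: constructed sample content"

    weak = DedupServer()
    digest = weak.upload("victim", victim_file)
    weak_linked = weak.link_by_hash("other", digest)
    weak_read = weak.download("other", digest) == victim_file

    hard = DedupServer()
    digest = hard.upload("victim", victim_file)
    nonce = hard.challenge("other", digest)
    # Without the bytes the best the digest-holder can do is hash what it has: the digest itself
    wrong_proof = client_proof(nonce, digest.encode())
    hard_digest_only = hard.link_with_proof("other", digest, wrong_proof)
    # A genuine second owner of the same file still benefits from cross-account dedup
    nonce = hard.challenge("colleague", digest)
    hard_owner = hard.link_with_proof("colleague", digest, client_proof(nonce, victim_file))

    return {
        "weak_linked_with_digest_only": weak_linked,
        "weak_read_with_digest_only": weak_read,
        "hardened_linked_with_digest_only": hard_digest_only,
        "hardened_linked_by_real_owner": hard_owner,
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The bandwidth saving survives: a client that really holds the file answers the challenge with a short HMAC instead of re-uploading, while a party that only holds the digest has nothing to compute the HMAC over. The one-shot nonce in link_with_proof is what stops a recorded proof from being reused against a later challenge.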
Authentication
Apps evaluated: Viber, WhatsApp, fring, GupShup, hike, KakaoTalk, Line, ChatOn, textPlus and WeChat
Man-in-the-Middle

WhatsApp in 2012
forfone (iPhone + Android)

Spoofing
forfone
WowTalk

XMS, JaxtrSMS (Android, iPhone)
Legitimate registering vs. spoofing
Enumeration Attack

Enumeration Attack
Status Messages

Results 2012
Re-Evaluation 2014
Upcoming Conferences
- SACMAT 2015: http://www.sacmat.org/2015/index.php
- ARES 2015: http://www.ares-conference.eu/conf/
- ESORICS 2015: http://esorics2015.sba-research.org/
- ACM CCS 2016

Past Conferences 2014
- GI Sicherheit 2014: http://sicherheit2014.sba-research.org/
- DB Sec 2014: http://dbsec2014.sba-research.org/
- IFIP WG 11.9 International Conference on Digital Forensics

Contact: eweippl@sba-research.org, Edgar.Weippl@tuwien.ac.at