I'm sure many people who know me personally or follow me on Twitter will be surprise to see Gaurav Thorat saying 'Beware from Check ins'! Well, I being a newbie product of Symbiosis's Information Security MBA happened to study a subject called, 'Vulnerability Analysis and Penetration Testing'. Sounds very techie isn't it? But frankly speaking this subject needs a lot of common sense along with good technical understanding of Networks and Information Systems.
Foursquare, as many of you must be knowing is a wonderful mobile application by which you can find near by places like hotels, malls, theaters and what not. It's like where ever you go, you just take out your phone and Check in to the place. Let's say I go to Esquare Multiplex in Pune to watch movie, so the moment I go there I'll take out my mobile. Open foursquare app, it'll find my current location with the help of GPS. It'll show me the nearby places along with Esquare Multiplex, I'll just Click on Equare and it'll notify my friends on Foursquare and Twitter/Facebook (if you have allowed foursquare and twitter/facebook integration). So whats the use of it? Well personally, I use Foursquare because It tells my friends about my where about. So if anybody is around me can just drop by for a quick meetup! Secondly, many a times merchants register with Foursquare and give away some really nice offers/discounts. So you check in to merchant's shop and you get discount on your shopping. More the check ins, you unlock Foursquare badges to flaunt within the community!
So whenever I used to Check in, it used to appear like this on twitter
As part of our VAPT subject's assignment we were told to search some security assessment tools and present it infront of students. I being more interested in Social Media, wanted to present a tool which is unique that no body else can think of! And just as I expected all the students choose hardcore technical tools like snort, sniffers and network analyzer. Nobody thought that something called as 'Social Engineering' should also be considered which is comparatively less technical but if used against the targets, can cause huge loss! I find people are still very ignorant about 'Social Engineering' which exploits the weakest link in security that is Human/User behavior.
Tool which I'm going to discuss over here is one, which can help hacker/cracker to perform passive type of Social Engineering attack which often seek to acquire seed information for further active social engineering or network-based attacks.
Active Social Engineering attacks are more of Direct kind which may involve direct interaction with target to obtain security relevant information, gain access privileges, persuade someone to commit a policy violation or act as a proxy on attacker’s behalf. While Passive as described earlier is more of Indirect type of attack which involves eavesdropping, observation and subsequent analysis of the results.
Tool which may allow an hacker/cracker in Passive Social Engineering attack is called Creepy Tool which is developed in python that allows you to gather geo location related information about users from social networking platforms and image hosting services.
Details
Website : http://ilektrojohn.github.com/creepy/
Platforms : Linux, Windows
License : GPLv3
Author : Yiannis Kakavas
Contact Email : jkakavas@gmail.com
So what does application do?
If you Check in to Foursquare which redirects it to Twitter. Or if you take photos with geo tagging allowed in it, chipping in the data about where have you taken the pictures you are vulnerable for a passive Social Engineering attack with the help of Creepy tool.
Hacker/cracker all they need is your username on twitter/flickr and they can track you down. With the help of you check ins they can study the pattern/routine of your day like when do you leave from home to office, where is your home & office located. What do you generally do on weekends, which places to do you visit. Some people also supply information like what food/drink they love the most along with the Hotel's Check in. You may not realize that why would somebody need and find this information important but let me remind you this why Social Engineering attacks are more risky and cause more damage than any other hacking attack because we are tend to be ignorant about Social Engineering attacks, most of us never worry about all these simple information.
So Creepy tool can integrate all these check in/ geo tagging related information at a one place, supplied with a map, google map! So hacker/cracker might not be knowing Pune city very well but with the help of Google maps within the Creepy tool can easily supply them with necessary information for a further strong Social Engineering attack.
If you see above image is Creepy's interface. I checked one user from flickr who has uploaded photos of Military aircrafts. All I did is put his username in Creepy and you can see where did he take that photo! This is passive social engineering, which a terrorist group may use for destructive and dangerous attack. I hope you are getting the seriousness and why I said Beware from Check ins and geo tagging.
Same is the case with Check ins which appear on Twitter, with all the aggregated information about your daily/weekend check ins hacker/cracker or any person with bad intention can plant more dangerous attack on you/your organization/home.
So how will you save yourself from such type of Passive Engineering attack?
1. Be aware, keep your eyes/ears open.
2. Common Sense
3. If not required disable Geo Tagging feature while you take photos from your smartphone/camera.
4. If you care then stop posting your Check ins on Twitter, you may want to continue using Foursquare but don't integrate it with Twitter.
That's all from me, I will be waiting to hear some comments from you!
Foursquare, as many of you must be knowing is a wonderful mobile application by which you can find near by places like hotels, malls, theaters and what not. It's like where ever you go, you just take out your phone and Check in to the place. Let's say I go to Esquare Multiplex in Pune to watch movie, so the moment I go there I'll take out my mobile. Open foursquare app, it'll find my current location with the help of GPS. It'll show me the nearby places along with Esquare Multiplex, I'll just Click on Equare and it'll notify my friends on Foursquare and Twitter/Facebook (if you have allowed foursquare and twitter/facebook integration). So whats the use of it? Well personally, I use Foursquare because It tells my friends about my where about. So if anybody is around me can just drop by for a quick meetup! Secondly, many a times merchants register with Foursquare and give away some really nice offers/discounts. So you check in to merchant's shop and you get discount on your shopping. More the check ins, you unlock Foursquare badges to flaunt within the community!
So whenever I used to Check in, it used to appear like this on twitter
As part of our VAPT subject's assignment we were told to search some security assessment tools and present it infront of students. I being more interested in Social Media, wanted to present a tool which is unique that no body else can think of! And just as I expected all the students choose hardcore technical tools like snort, sniffers and network analyzer. Nobody thought that something called as 'Social Engineering' should also be considered which is comparatively less technical but if used against the targets, can cause huge loss! I find people are still very ignorant about 'Social Engineering' which exploits the weakest link in security that is Human/User behavior.
Tool which I'm going to discuss over here is one, which can help hacker/cracker to perform passive type of Social Engineering attack which often seek to acquire seed information for further active social engineering or network-based attacks.
Active Social Engineering attacks are more of Direct kind which may involve direct interaction with target to obtain security relevant information, gain access privileges, persuade someone to commit a policy violation or act as a proxy on attacker’s behalf. While Passive as described earlier is more of Indirect type of attack which involves eavesdropping, observation and subsequent analysis of the results.
Tool which may allow an hacker/cracker in Passive Social Engineering attack is called Creepy Tool which is developed in python that allows you to gather geo location related information about users from social networking platforms and image hosting services.
Details
Website : http://ilektrojohn.github.com/creepy/
Platforms : Linux, Windows
License : GPLv3
Author : Yiannis Kakavas
Contact Email : jkakavas@gmail.com
So what does application do?
If you Check in to Foursquare which redirects it to Twitter. Or if you take photos with geo tagging allowed in it, chipping in the data about where have you taken the pictures you are vulnerable for a passive Social Engineering attack with the help of Creepy tool.
Hacker/cracker all they need is your username on twitter/flickr and they can track you down. With the help of you check ins they can study the pattern/routine of your day like when do you leave from home to office, where is your home & office located. What do you generally do on weekends, which places to do you visit. Some people also supply information like what food/drink they love the most along with the Hotel's Check in. You may not realize that why would somebody need and find this information important but let me remind you this why Social Engineering attacks are more risky and cause more damage than any other hacking attack because we are tend to be ignorant about Social Engineering attacks, most of us never worry about all these simple information.
So Creepy tool can integrate all these check in/ geo tagging related information at a one place, supplied with a map, google map! So hacker/cracker might not be knowing Pune city very well but with the help of Google maps within the Creepy tool can easily supply them with necessary information for a further strong Social Engineering attack.
If you see above image is Creepy's interface. I checked one user from flickr who has uploaded photos of Military aircrafts. All I did is put his username in Creepy and you can see where did he take that photo! This is passive social engineering, which a terrorist group may use for destructive and dangerous attack. I hope you are getting the seriousness and why I said Beware from Check ins and geo tagging.
Same is the case with Check ins which appear on Twitter, with all the aggregated information about your daily/weekend check ins hacker/cracker or any person with bad intention can plant more dangerous attack on you/your organization/home.
So how will you save yourself from such type of Passive Engineering attack?
1. Be aware, keep your eyes/ears open.
2. Common Sense
3. If not required disable Geo Tagging feature while you take photos from your smartphone/camera.
4. If you care then stop posting your Check ins on Twitter, you may want to continue using Foursquare but don't integrate it with Twitter.
That's all from me, I will be waiting to hear some comments from you!
The blog seem to be good.. But it is more of personal talk... Put the content that can be excited to read...When u r writing abt Social engineering, tell more abt it rather than being using it on personal basis..
ReplyDeleteBut still its a good one..
Agreed and very valid points. Thieves can monitor the pattern about how you travel, eat-out or being away from home. Check-in, Geo-Tagging should be limited for friends and you shouldn't accept random friend requests. Verify, Verify, Verify and then only add a friend and share your data.
ReplyDeleteGood one. Keep posting.