What a great week for Black Hat 2013, Security BSides Las Vegas and DEFCON 21 in Las Vegas!
At Black Hat, there were multiple interesting presentations – including the BREACH attack, which can reveal a 32-bit CSRF token in 30 seconds by sniffing HTTPS traffic; how Jeff Forristal discovered the Android master keys; and how MACTANS installs malware on iPhones connected to a malicious charger. All of these stories taught us that the Web is seriously broken, while the mobile platforms are bumping along a country road full of deep holes.
It sounds very depressing. But, in fact, the reason thousands of security professionals and hackers get together during this week every year is to talk about these problems so that we can make progress. No pain, no gain.
Barracuda Labs also proudly presented our talk and tools during the fabulous hack show last week. Our talk, “Abusing Web APIs Through Scripted Android Applications”, and our tool “SocialKlepto”, a social engineering tool for conducting company espionage on LinkedIn, both attracted a full house of attendees and won rounds of applause.
Details about the talk and tool have been fully presented in our research reports, but we will provide a brief teaser here for the show.
Picture of Daniel Peck’s Talk on Abusing Web APIs
The briefing talk “Abusing Web APIs Through Scripted Android Applications” focused on hacking several Android applications to obtain access that most Web APIs do not provide. Many mobile application providers apply weaker security requirements to their apps than to their websites, so attackers can gain additional capabilities against those APIs via modified Android applications. The talk concluded with several case studies of popular apps, demonstrating private key retrieval, arbitrary unlimited account creation on a social network, and locating and using custom cryptographic routines without needing to understand their implementation. Additional details on the talk can be found at http://www.blackhat.com/us-13/briefings.html#Peck, and the associated tool is released on GitHub.
During the Arsenal Turbo talk, we introduced the SocialKlepto tool. This tool allows users to create customized LinkedIn profiles, connect to employees at a targeted company, monitor their daily activities on LinkedIn, and finally aggregate this information to identify potential qualified sales leads. Not only can SocialKlepto be used as a social engineering tool, it can also use the information shared on LinkedIn to conduct severe company espionage in stealth mode. Why does such a tool work? The main reason is that many LinkedIn users are quick to accept connections and share their activities (using the default settings). For example, sales representatives in any company connect very openly and frequently share likes and updates in order to attract a broader audience and potential new customers. After penetrating this layer of connections, you can easily connect to other senior-level profiles in the same company, because you now have shared connections: these sales people. The SocialKlepto tool will be released later – more on this soon.
Picture of SocialKlepto Tool: Creating Customized LinkedIn Profile
Changing your privacy settings and cautiously accepting new invitations will stop such attacks on LinkedIn. However, changing your privacy settings on LinkedIn requires several clicks across several settings tabs, which is not an easy task. We are proudly introducing the “Barracuda Profile Protector for LinkedIn” Chrome Extension, which can protect LinkedIn users with a single click. You can install this Chrome extension here: https://chrome.google.com/webstore/detail/ndbgecgajaalmppafcopncbpblkgikif. Please give us your feedback if you like it or run into issues.
Screenshot of Chrome Extension: “Barracuda Profile Protector for LinkedIn”
Again, last week was fantastic for the security community as a whole.