Dox Yourself Samuel Greenfeld BSides Orlando March 12, 2016


Page 1: Dox Yourself BSides Orlando

Dox Yourself
Samuel Greenfeld

BSides Orlando, March 12, 2016

Page 2: Dox Yourself BSides Orlando

Disclaimer
• This presentation uses personal examples
• Some fields are blacked out for pictures/video recording
• I know you can find the information
• I have no doubt you can make my life or others miserable
• Please Don’t

Page 3: Dox Yourself BSides Orlando

Introduction

Page 4: Dox Yourself BSides Orlando
Page 5: Dox Yourself BSides Orlando
Page 6: Dox Yourself BSides Orlando
Page 7: Dox Yourself BSides Orlando

SSNs historically predictable
• Prior to June 25, 2011, SSNs issued in a predictable sequence
• First three digits = state/territory of issuance (+ a few special things)
  • After 1973 also based on ZIP code within a state
• Middle numbers = issued in a known sequence
  • Depending on the year even/odds were used, jumps around a bit
  • “High Group” lists issued by the SSA tell you the highest middle group expected to be issued in any given month for every possible first-three-digit combination
• Last digit set = issued sequentially within the first two
• The IRS required SSNs for dependents in 1987

Page 8: Dox Yourself BSides Orlando

Florida Driver’s License
• LLLL-FNI-YY-DMB-N
• LLLL: Based on Last Name
• FNI: Based on First Name, Middle Initial
• YY: Year of Birth
• DMB: Based on Day/Month of Birth & Gender
• N: Sequence number in case of collisions

Page 9: Dox Yourself BSides Orlando

Surprised?

Page 10: Dox Yourself BSides Orlando

Security Professionals
• We love to talk about the latest data breach/security technique/etc.
• But we often forget to consider what was “normal” or “best practices” in the past.

Page 11: Dox Yourself BSides Orlando
Page 12: Dox Yourself BSides Orlando

Birthday pondering
• Government records
  • Birth Certificates
  • Driver’s License
  • Voter Registration
• Commercial records
  • Websites
  • Third party surveys/forms/rebates
  • Data aggregators
• Social Media Profiles/Posts

Page 13: Dox Yourself BSides Orlando
Page 14: Dox Yourself BSides Orlando

Voter Information as a Public Record

Page 15: Dox Yourself BSides Orlando
Page 16: Dox Yourself BSides Orlando
Page 17: Dox Yourself BSides Orlando
Page 18: Dox Yourself BSides Orlando

What’s the Problem?
• Companies want to know who they are dealing with
  • Authentication/Authorization (strict check)
  • Advertising (loose might be acceptable)
• Users want to use services/purchase items easily

Page 19: Dox Yourself BSides Orlando

What’s the Real Problem?
• Big Data is the new “in” thing
• Many firms want to gather as much data as legally possible
• Want to make using their systems as “sticky”/easy as possible
• But when everyone has lots of data
  • How do you identify someone when everyone else has much of the same information?
  • How do you differentiate your service?
• All of the old information is not going away!
• Lots of data already compromised

Page 20: Dox Yourself BSides Orlando

What’s the Real Problem? (2)
• Anyone & Everyone wants to know what you are doing
  • Stores
  • Data aggregation firms
  • Nation states
  • Your Internet Provider
• Many want to know what your LinkedIn, Facebook, etc. accounts contain, who you know, etc.

Page 21: Dox Yourself BSides Orlando
Page 22: Dox Yourself BSides Orlando

The Beginning is still here

Page 23: Dox Yourself BSides Orlando
Page 24: Dox Yourself BSides Orlando
Page 25: Dox Yourself BSides Orlando
Page 26: Dox Yourself BSides Orlando

If you get arrested…

Page 27: Dox Yourself BSides Orlando

Authentication

Page 28: Dox Yourself BSides Orlando

Historical
• Password
• Security questions
• Security pictures

Page 29: Dox Yourself BSides Orlando

Current Trend: Give Us More Info

Page 30: Dox Yourself BSides Orlando

Current Trend: Give Us More Info (2)

Page 31: Dox Yourself BSides Orlando

Two-factor Everywhere
• Too many Two Factors!
• Phone Calls/SMS Text Messages
• OATH

Page 32: Dox Yourself BSides Orlando

Custom Two-Factor Authenticators

Page 33: Dox Yourself BSides Orlando

Many firms want your phone number

Page 34: Dox Yourself BSides Orlando

Many firms want your phone number (2)

Page 35: Dox Yourself BSides Orlando

Many firms want your phone number (3)

Page 36: Dox Yourself BSides Orlando

(Aside) Not just phone numbers

Page 37: Dox Yourself BSides Orlando

Where have we seen this before?

Page 38: Dox Yourself BSides Orlando

We train people for this

Page 39: Dox Yourself BSides Orlando

But evil is not always obvious

Page 40: Dox Yourself BSides Orlando

Fallbacks to historical approaches still exist
• What happens when the user doesn’t have their second factor?
  • Back to security questions again in many cases
• Be sure to email the user or mail them a postcard/letter when an override is used
  • If email was part of the process, find another way to contact the user which does not require something used as part of the override
  • If a user changes email addresses, be sure to send one final vague message to the previous address warning them of it.
• When designing any authentication system, be sure to determine what is considered an acceptable level of risk

Page 41: Dox Yourself BSides Orlando

Analytics

Page 42: Dox Yourself BSides Orlando

Coffee Makers

Page 43: Dox Yourself BSides Orlando

Coffee Makers (2)

Page 44: Dox Yourself BSides Orlando

Analytics
• Discovery and communication of meaningful patterns in data.
  • Site information/performance
  • User information/demographics
• Can be used both for secondary identification as well as advertising
• In either case you are generally not told about it

Page 45: Dox Yourself BSides Orlando

Supercookies
• Method of storing information in a web browser using redundant methods that are hard to delete
• Example proof of concept: Evercookie
  • http://samy.pl/evercookie/
• Uses
  • HTTP Cookies
  • Adobe Flash Local Shared Objects
  • Web history (where you’ve been)
  • Web cache (storing files)
  • Etags (has a cached file been modified)
  • HTML 5 Storage (5 types of it)
  • And much more

Page 46: Dox Yourself BSides Orlando

Browser Fingerprinting
• Attempt to detect the same user without storing anything in their web browser
• Uses things like
  • Browser type/version
  • Configured language(s)
  • Installed plugins/versions
  • Time Zone
  • Screen Size/Color Depth
  • Fonts on computer
• Often can get a unique match, or at least prove a browser is 1:1,000+
• https://panopticlick.eff.org/
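Added example (not from the talk or from Panopticlick): Python that hashes the attributes listed above into a fingerprint and then measures, over a constructed six-browser population, how many browsers share each fingerprint and how many bits of identifying information that corresponds to. Comparing the time-zone-only view with the full-attribute view shows why a handful of individually bland attributes combine into a near-unique identifier.

```python
import hashlib
import math
from collections import Counter

# The attributes the slide lists; a site can read all of them without storing anything.
FIELDS = ("user_agent", "languages", "plugins", "timezone", "screen", "fonts")


def fingerprint(attrs: dict, fields=FIELDS) -> str:
    """Hash the chosen attributes in a fixed order; same attributes -> same fingerprint."""
    canonical = "\x1f".join(f"{k}={attrs.get(k, '')}" for k in fields)
    return hashlib.sha256(canonical.encode()).hexdigest()[:16]


def anonymity_sets(population, fields=FIELDS) -> Counter:
    """How many browsers in `population` share each fingerprint."""
    return Counter(fingerprint(b, fields) for b in population)


def surprisal_bits(fp: str, sets: Counter, population_size: int) -> float:
    """Panopticlick-style 'bits of identifying information': -log2(P(fingerprint))."""
    return -math.log2(sets[fp] / population_size)


# Constructed sample population (not real telemetry). The first two are a managed
# corporate image, so they are identical; the third is that image plus one extra font.
CORP = dict(user_agent="Chrome/48 Windows", languages="en-US", plugins="Flash 20",
            timezone="America/New_York", screen="1920x1080x24",
            fonts="Arial;Calibri;Segoe UI")
SAMPLE = [
    CORP,
    dict(CORP),
    dict(CORP, fonts=CORP["fonts"] + ";Wingdings"),
    dict(user_agent="Safari/9 Mac", languages="en-US", plugins="",
         timezone="America/New_York", screen="2560x1600x24", fonts="Helvetica;Menlo"),
    dict(user_agent="Firefox/44 Linux", languages="en-US;de", plugins="",
         timezone="Europe/Berlin", screen="1366x768x24", fonts="DejaVu Sans"),
    dict(user_agent="Chrome/48 Android", languages="en-US", plugins="",
         timezone="America/New_York", screen="360x640x24", fonts=""),
]


def report(population, fields=FIELDS):
    """For each browser: (anonymity-set size, identifying bits) under the chosen fields."""
    sets = anonymity_sets(population, fields)
    n = len(population)
    return [(sets[fingerprint(b, fields)],
             round(surprisal_bits(fingerprint(b, fields), sets, n), 3)) for b in population]


if __name__ == "__main__":
    print("time zone only:", report(SAMPLE, ("timezone",)))
    print("all attributes:", report(SAMPLE))
```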

Page 47: Dox Yourself BSides Orlando
Page 48: Dox Yourself BSides Orlando

Cell phone supercookie

Page 49: Dox Yourself BSides Orlando
Page 50: Dox Yourself BSides Orlando
Page 51: Dox Yourself BSides Orlando
Page 52: Dox Yourself BSides Orlando
Page 53: Dox Yourself BSides Orlando
Page 54: Dox Yourself BSides Orlando
Page 55: Dox Yourself BSides Orlando

Which rules apply?

(Paragraph removed in 12 January 2016 update)

Page 56: Dox Yourself BSides Orlando

Everyone wants to have their cake & eat it too
• Consumers want to have accurate predictions. But they do not want everyone to know everything about them.
• Businesses want to be able to beat their competitors by figuring out the “secret sauce” necessary to gain an advantage. But they don’t want other businesses to know how, or to scare potential customers by telling them how they’re doing it.
• Governments want to be able to monitor things per their local laws, but not have communications they are responsible to protect broken.

Page 57: Dox Yourself BSides Orlando

We need to hunt down the truth

Page 58: Dox Yourself BSides Orlando

If you are a user
• Realize how much information about you is public
• Your daily purchases, interactions, etc. reveal more than you realize
  • https://history.google.com/history/ is a good place to start
• If you or someone else puts something on the Internet, it may never go away
• Consider using ad/site tracker blocking software if concerned, but realize that these can occasionally break websites

Page 59: Dox Yourself BSides Orlando

If you are looking to “dox” someone
• Consider if you *really* want to do it
  • You will affect their feelings, even if you told them in advance
  • There may be legal implications
• Search the Internet with what you know and go from there
• Realize that some sources are completely incorrect, while some are scarily close to accurate
• Don’t publish information online unless absolutely necessary
  • Outing the wrong person has occurred before!

Page 60: Dox Yourself BSides Orlando

If you are trying to authenticate users
• There is a careful balance between making your service easy to use and making it secure
• Realize that many identifiers are public information, or can be derived from such
• Follow the required regulations/laws for your industry/location(s)
• Don’t try to special case things based on known local flaws
• Two factor authentication is now probably the norm

Page 61: Dox Yourself BSides Orlando

If you are into advertising/analytics
• Respect your users
• Don’t tie site functionality into metric/analytic systems in fragile ways
• Don’t overload your site with trackers
  • Use tools to measure their impact on performance
  • Try home/mobile Internet connections far away from your datacenter – not just the office
• If you collect it, someone else can steal it
  • It’s not if you are compromised, but when you will be

Page 62: Dox Yourself BSides Orlando

Questions

[email protected]
http://www.slideshare.net/samuelgreenfeld