Leaderboard

Popular Content

Showing content with the highest reputation on 07/30/12 in all areas

  1. Reconnaissance with Images

     Gathering data on a target is extremely important if we plan to execute an attack in a more efficient manner. A typical attack scenario starts with a long reconnaissance process. In this case “reconnaissance” refers to the gathering of information in any and all possible manners regarding a particular object of interest. We can gather information from websites online, dumpster-diving offline, and also through the classic act of social engineering.

     Online information gathering emerged after millions of people all over the world started participating in social networking sites like Orkut, Facebook, Twitter etc. People started to maintain a virtual image of themselves, which may, or may not, be similar to their real-world image.

     In this article, we shall see the social implications of these dual personas and how they can lead to the exploitation of vanity. We shall also look into how someone’s life can be affected and the risks of geo-localization. This article also features various tools used to perform reconnaissance with the images.

     Social networks like Twitter, Facebook etc. are exploiting human vanity. The Y2K syndrome highlighted global fears that there might be something out in the virtual universe that would take control of our lives—something like the implantation of GPS chips in our skin, for example. Well, it’s not “something” that takes control of our lives, instead we ourselves blithely send out various pieces of personal information in an attempt to project ourselves as something special within the virtual universe.

     A Classic Example of Information Leakage Through Social Networking Sites

     In the above image, we can glean a lot of indirect information regarding the whereabouts of the person. Mr. XYZ was at “Annamalai International Hotel” in a place called “Pondicherry” eight hours ago, and he is using a Windows phone! It’s well known that the interface shown in the above image is from Facebook.

     Possible Attack Scenario:

     It’s a reasonably valid assumption that this person uses his mobile device to check email, and to access other online accounts. Suppose I am his friend on the social networking site. Through a socially engineered attack, I can gather information regarding his habits and other personal updates by monitoring the feeds on the site. In addition, because his email ID is listed in his profile, I can probably send him a crafted mail that can gain me backdoor access to his phone through the available exploits. Or I can potentially steal his credentials; the possibilities depend on my creativity. The scenario above provides just one example where an image can speak for the individual.

     EXIF Data and Images:

     Smartphones and digital cameras (including scanners) use a standard format for images and recorded sounds. This standard is called exchangeable image file format. This information may include details about the camera model, shutter speed, focal length, etc. Most importantly, it contains GPS information about where the image was taken. By default almost all smartphones have GPS data activated. The camera setup asks the user to set it during the pre-initial setup. People tend not to remember to wipe off the GPS location data for every photo they shoot. Thus, GPS information is embedded in almost all images taken.

     Social and Security Issues

     When a member of the press releases an interview with a hacker (or another wanted criminal) and offers a promise of anonymity during the telecast, that offer is not always valid. Any image that is uploaded from the interview might help an investigation by allowing examiners to track the GPS location where the image was taken. An untrained member of the press staff who publishes the image on the net might not be aware of the fact that he should have stripped off the EXIF data that’s hidden in the image.

     With this background, let’s see various online and offline tools to extract metadata from an image:

     Jeffrey’s Exif viewer

     Type of tool: Online
     URL: Jeffrey's Exif viewer

     [Image: Input options to the tool]

     [Image: Basic Information provided by the viewer]

     This is a very basic EXIF data viewer. It shows the specifications of an image with respect to the camera. The information gained from this tool tells us the date and time when the image was taken. It also tells us which camera has been used for the image. This information is vital if we are going to find a lost camera belonging to a particular person. If we have a database of EXIF data from public images on the internet, a lost camera can be found by comparing the EXIF data of the owner’s image and the stolen image.

     EXIFDATA.COM

     Type of tool: Online
     URL: EXIF Data Viewer

     [Image: Input interface of this tool]

     [Image: Metadata shown]

     This tool offers a lot of details and can be considered advanced. It reveals every tiny bit of metadata found embedded in the images, as you can see from the above example—that image was taken from an Apple iPhone 4. Such easily available information will definitely make any attack very efficient.

     In the image below we see the geo-localization of information. As mentioned before, the default settings of smartphones keep the GPS settings switched ON. As a result, when an image is taken, its geo-local information (like longitude, latitude, and height above the sea level) gets embedded in the image. This comes in very handy when trying to pinpoint the exact location of a criminal who might be absconding from the law.

     [Image: GPS Position Exactly Displayed]

     Opanda IExif Tool

     Type of tool: Freeware
     Download URL: Exif viewer : Opanda IExif - Professional EXIF / GPS / IPTC Viewer & Editor in Windows, IE & Firefox

     [Image: Summary of Metadata on Opanda]

     Opanda is a very advanced tool. It allows for the categorization of various kinds of metadata that can be found in an image. It categorizes data into GPS and IPTC sections.
     The summary includes all the details, and this tool is very organized compared to all other tools. It also delivers optimum performance with respect to various images. One added advantage of this tool is that it also allows us to edit EXIF data within the image. This is very helpful when we would want to strip off the metadata. We can either change and mask our information, or delete the information altogether.

     Windows Image Property Viewer

     Tool type: general, built-in operating system feature

     The above figure shows how to strip off general metadata

     This method for viewing metadata is designed for a layman who isn’t very adept at using advanced tools and technology. These interfaces also don’t strip off a huge amount of metadata information like Opanda. Thus, this is one of the least used methods when it comes to stripping or viewing EXIF data.

     Writing a Custom PHP Script:

     The following image shows a script in PHP which will capture the EXIF data from an image. It returns the time and date when the image was taken, the GPS coordinates of the location where the image was taken, and also tries to read from the headers of the image.

     Conclusion

     In this article we have reviewed the hidden information that pictures can reveal to a forensic expert. Undoubtedly, hidden metadata provides the truth in the age-old quote: “A picture is worth a thousand words.” I have tried my best to show you both faces of the coin, i.e. the advantages to both reading the metadata and also to stripping off the metadata. As many people spend time projecting a new virtual image onto the public Internet, they are unaware of just how much information they are unintentionally revealing about themselves. A stalker can find all this information and can still trouble you and invade your privacy. Thus any uploading interface should be embedded with scripts to strip the image being uploaded of metadata so that the user’s privacy is not compromised.
     With these words, I advise all readers to keep a close watch on the amount of information you reveal online.

     Source
    1 point
  2. Venue: Rio Hotel and Casino

     We reached Rio Hotel at around 8 am. We thought we did good on time until a nice gentleman came to us and said “It’s a 3 hour long line guys!”. We however got through the line in about 90 minutes, thanks to the nice staff at Defcon. Once you get through the registration process, you are offered a Defcon badge which is your entry pass to Defcon and a booklet that informs you about the whole Defcon schedule.

     Intro to Digital Forensics: Tools and Tactics

     This talk by Ripshy and Jacob was mainly directed at people who wanted to get started with Infosec. Before the talk, the authors quickly distributed some Backtrack Live CDs to the public. The talk started with an introduction to the Backtrack distro, telling about the little things like the user/pass for logging in to BT and getting started with network services in BT. The author then mentioned the top 5 tools used in Infosec which included Nmap, TCPDump, netcat, Ntop and Metasploit. The author then explained all the 5 top Infosec tools and their basic usage, by giving examples with screenshots, commands etc.

     Cerebral Source Code

     This was one of the best talks I have ever been to at Defcon. This talk by Siviak was mainly focussed on Social Engineering. The speaker starts by explaining how simple things like being nice to people can help you get the information you want. The speaker then tells that things like good books and courses for Social Engineering don’t exist. To be good at Social engineering, you have to go out and live the experience, and take a chance whenever possible. The key thing is to motivate people to give you the thing that you want. There is no such thing as an effective Social Engineering technique, it changes by time and even by weather.

     One of the funny incidents happened when someone from the audience asked “What is an effective technique to get traffic on your site by Social Networking?” and the speaker replied “PORN.”

     One of the good questions asked was “What is a good Social Engineering technique to gain access to a security facility via Social Engineering?”. The speaker Siviak replied by telling that we should always look like we know what we are doing, and that we are supposed to be in the place where we are. If some security guy fires a tough question at you, fire them back! They don’t know how to react to such a situation. Don’t give their brains time to catch up. Humans are like computers, the more information you give them, the more they will be able to figure things out. We must change things quickly so their brains don’t catch up with what’s going on.

     If you want to perform Social engineering on a specific subject (person) and you don’t know what he/she has under her desk, how many kids he/she has etc, you are not trying hard enough. These things will help you build a common thread which could help you in obtaining more information from the subject.

     The talk ended with a last question when someone asked “Do we need to learn psychology in order to perform Social Engineering?” and the speaker replied “No”. Overall the talk was very informative and the speaker was very funny so he kept the audience in a very good mood throughout.

     DEF CON 101

     This panel was taken by Pyro, Roamer, Lockheed, Alxrogan, Lost and FLipper who are responsible for organizing many of the events and maintaining the network at Defcon. The talk was mainly focussed on how you could maximize your Defcon experience. The main point told by the organizers was “You get as much out of Defcon as you put into it.” They talk about how we should just not attend Defcon talks, but meet and socialize with people.
     We could just go up to some people, buy them a beer and you never know, that guy might just turn into your best friend. The Defcon organizers tell about how they are looking forward to this weekend for the whole year, and all they want from us is just to listen to the Goons if they have some problem with you. Lockheed then comes up and talks about some of the challenges they face while setting up the Defcon network. The authors then tell us about the Defcon nightlife, some of the events that will be happening in the night, and ask us to attend these events too. The authors conclude by telling us that we should be careful while talking to the media and should ask for the power to edit the article because you never know what they might publish.

     Screw the Planet, Hack the Job!

     This talk by Roamer, Lockheed, Alxrogan who are part of the Defcon staff tells us how utilizing Defcon can help you find your dream job. One of the best parts of this talk was when someone asked “I know there are potential employers/employees at Defcon. Do you plan to have something like a job fair at Defcon?” and one of the speakers replied “I know what you are talking about, we have people who want to hire at Defcon. But the moment we cross that line and it turns into a job fair, we have lost our credibility.”

     HF Skiddies SUCK, don’t be one. Learn some basic Python.

     The speaker King TunA starts by speaking about some of the basic advantages of using Python by giving demos via videos (which weren’t possible to see as long as you are very close to the screen but are online on YouTube). The speaker explains how things which can take 200-300 lines of code in other languages could be done in Python in far fewer lines. Finally, the author ends the talk by giving a demo of an HTTP scraper.

     Here’s a quick video of this year’s Defcon badge.

     Well there is more to Defcon than just the talks. It’s also about the Defcon nightlife, meetups etc.
     There was this very good event called “the Summit” being held which was a fundraiser for the EFF. I went to the hackfest meetup in Flamingo though.

     Well that’s it for Defcon day 1. I will be writing about Defcon day 2 and day 3 also. Please let me know if there is something specific about Defcon that you want me to write about. I leave you now with some pictures from the event.

     Original Article
    1 point