Exfiltration of information in a known social network and the possible real threat.
Starting from a publicly known error that a social network handling 6,000 posts per second has not acknowledged as one, we identify the threat by analyzing the anatomy of the code that injects the information to be exfiltrated into the metadata. The exploitation of this error is demonstrated by solving a CTF challenge that also combines other concealment methods and calls to second objects.
We will propose an easy and possible solution to the problem.
Finally, we raise awareness of the real threat that information exfiltration on such important social networks can represent, and of how easily code that can be misused spreads, e.g. communication between organized criminal networks, distribution of malware, etc.
Source and write-up of the CTF challenge: https://github.com/hackers4f/hackers4fun-writeups/tree/master/challenges/Stego/Reto_H4F_17_L0aD1ng_2019
2. >_3xF1ltR4t3 Y0uR fR1k1 m3t3d4t4
Disclaimer / Legal Notice and Disclaimer of Liability
>_1. The aim of this talk is to improve security on the Internet.
>_2. The knowledge we will try to pass on to you is intended for ethical practice; if you use it for practices that are inappropriate or not in line with the law, that is solely your responsibility.
>_3. We accept no responsibility for any misuse of the tools and skills we show.
#SecurityWeek #HoneyCON19
3. >_3xf1ltr4t3 y0ur fr1k1 M3taD4t4
~# whoami
>_1Ꮩ4η Ꮢ @1r0Dm48O
>_Member of @HoneySec
>_Co-founder of @H4ck3rs4FunCTF
>_Cyber-volunteer (Cibercooperante) at @Incibe …
~#cat mission
Exfiltration of information in a known social network and the possible real threat…
#SecurityWeek #HoneyCON19 Track #OSINT
4. >_3xf1ltr4t3 y0ur fr1k1 M3taD4t4
>_500 million posts per day (6,000 per second on average)
>_139 million active users (approximately 42%)
>_80% of users on mobile devices
…
~# find hidding_a_payload
Track #OSINT
>_ https://business.twitter.com
>_ https://s22.q4cdn.com/826641620/files/doc_financials/2019/q3/Q3-2019-Earnings-Press-Release.pdf
>_ https://www.oberlo.com/blog/twitter-statistics#1_Number_of_Twitter_Users
>_ https://info.mention.com/hubfs/Twitter%20Engagement%20Report%202018%20%7C%20Mention.pdf
>_ https://www.omnicoreagency.com/twitter-statistics/
5. >_3xf1ltr4t3 y0ur fr1k1 M3taD4t4
~# cat index
>_ Prior work (Background)
>_ It's Not a Bug, It's a Feature. (Trite—or Just Right)
>_ Timeline of the #NotaBug (Recon)
>_ Code of XxXxX.py
>_ Demo (Exploitation)
>_ Easy and possible detection? (Nope)
>_ Conclusions (Done)
#SecurityWeek #HoneyCON19 Track #OSINT
6. >_3xf1ltr4t3 y0ur fr1k1 M3taD4t4
~# cat background
Track #OSINT
>_201304_An Error-Resistant Steganography Algorithm For Communicating Secretly On Facebook (Security PM Fb Owen Campbell-Moore / @owencm)
https://github.com/owencm/secretbook/blob/master/secretbook-research-thesis.pdf
>_2013_Unicode Text Steganography Encoders/Decoders - IronGeeks (Sec. Analyst IU Adrian Crenshaw)
https://www.irongeek.com/i.php?page=security/unicode-steganography-homoglyph-encoder
>_201401_Unistego/python text steganography library (Senior OPS Man. Oracle Ivan Zderadicka)
https://github.com/izderadicka/unistego
>_201404_Steg Of The Dump (Web Dev Front-end Director at @springload Matthew Holloway)
https://github.com/holloway/steg-of-the-dump
>_201609_Hiding a payload in PNG files with Python (CTO Adgorithmics / @briandeheus)
https://gist.github.com/briandeheus/9df32136c756227df4bfbff580a1aadd
>_201805_Keeping your account secure (CTO Tw Parag Agrawal / @paraga)
https://blog.twitter.com/official/en_us/topics/company/2018/keeping-your-account-secure.html
7. >_3xf1ltr4t3 y0ur fr1k1 M3taD4t4
~# echo "notabug" > itsafeature
#SecurityWeek #HoneyCON19 Track #OSINT
>_ https://es.wikipedia.org/wiki/Jargon_File#De_1990_en_adelante
>_ https://web.archive.org/web/20160304190001/http://barrapunto.com/articles/11/08/13/1147243.shtml
>_ http://jargon-file.org/archive/
>_ https://web.archive.org/web/20110723230646/http://www.cosman246.com/jargon.html#feature
>_ https://web.archive.org/web/20130827121341/http://cosman246.com/jargon.html
>_ https://parceladigital.com/2018/06/01/jargon-file-la-jerga-hacker/
>_ https://juanjeojeda.com/not-bug/
>_ http://blogitecno.blogspot.com/2009/10/renfe-cercanias-mejora-tecnologica-o.html
>_A «bug» or fault in an application is reported > the programmer replies that it is not an error (#notabug) but something done ad hoc (itsafeature?)
>_1975_Jargon File, a dictionary of hacker slang started in 1975 (Raphael Finkel US – “the file” or “jargon-1”), evolves into The New Hacker's Dictionary
>_1947_Errors or malfunctions in computer equipment and programs > “bug” > «First actual case of bug being found» (1947 - Mark II)
>_1896_Thomas Edison used «bug» to indicate any fault or problem in the connections or operation of electrical devices
>_BUGS_Originally used to refer to noise on telephone lines («bugs in a telephone cable»)
10. >_3xf1ltr4t3 y0ur fr1k1 M3taD4t4
~#cat inject.py
#SecurityWeek #HoneyCON19 Track #OSINT
>_ #!/usr/bin/python3
>_ Parsing .jpg and .zip files
>_ Valid for multiple formats
>_ Inserts the data into the ICC profile, split into 64 KB fragments
>_ The *.jpg is also a *.zip file
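One way to screen uploaded images for the pattern this slide describes (archive data carried in the ICC profile segments of a JPEG), as an added example that is not from the talk or from inject.py. It walks the JPEG header segments, reassembles the APP2 `ICC_PROFILE` chunks and flags ZIP signatures, a missing `acsp` header signature or an oversized profile; the function names, the 1 MiB threshold and the sample bytes are assumptions constructed for illustration.

```python
import struct
ICC_TAG = b"ICC_PROFILE\x00"
ZIP_SIGNATURES = (b"PK\x03\x04", b"PK\x05\x06")  # local file header, end of central directory

def icc_chunks(jpeg: bytes) -> list:
    """Return the ICC payloads carried in APP2 segments, in file order."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI marker)")
    chunks, pos = [], 2
    while pos + 4 <= len(jpeg):
        if jpeg[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = jpeg[pos + 1]
        if marker == 0xFF:                 # fill byte in front of a marker
            pos += 1
            continue
        if marker in (0xDA, 0xD9):         # start of scan / end of image: headers are over
            break
        (length,) = struct.unpack(">H", jpeg[pos + 2:pos + 4])  # counts its own 2 bytes
        if length < 2 or pos + 2 + length > len(jpeg):
            raise ValueError(f"bad segment length at offset {pos}")
        body = jpeg[pos + 4:pos + 2 + length]
        if marker == 0xE2 and body.startswith(ICC_TAG):
            chunks.append(body[len(ICC_TAG) + 2:])  # skip chunk index and chunk count
        pos += 2 + length
    return chunks

def inspect_jpeg(jpeg: bytes, max_icc_bytes: int = 1 << 20) -> list:
    """Return findings as strings; an empty list means nothing suspicious was seen."""
    profile, findings = b"".join(icc_chunks(jpeg)), []
    if len(profile) > max_icc_bytes:       # threshold is an assumption, tune per platform
        findings.append("oversized ICC profile")
    if profile and profile[36:40] != b"acsp":  # signature every ICC profile header carries
        findings.append("ICC header signature missing")
    findings += [f"ZIP signature {s!r} in ICC data" for s in ZIP_SIGNATURES if s in profile]
    return findings

def _segment(marker: int, body: bytes) -> bytes:
    return bytes([0xFF, marker]) + struct.pack(">H", len(body) + 2) + body

# Constructed samples (not real images): header segments only, then EOI.
_ICC_HEADER = bytes(36) + b"acsp" + bytes(88)                      # 128-byte header stub
_FAKE_ZIP = b"PK\x03\x04" + bytes(26) + b"PK\x05\x06" + bytes(18)  # signatures plus padding
CLEAN = b"\xff\xd8" + _segment(0xE2, ICC_TAG + b"\x01\x01" + _ICC_HEADER) + b"\xff\xd9"
SUSPECT = (b"\xff\xd8" + _segment(0xE2, ICC_TAG + b"\x01\x02" + _ICC_HEADER)
           + _segment(0xE2, ICC_TAG + b"\x02\x02" + _FAKE_ZIP) + b"\xff\xd9")

if __name__ == "__main__":
    for name, sample in (("clean", CLEAN), ("suspect", SUSPECT)):
        print(name, inspect_jpeg(sample))
```

A platform that strips or re-encodes the ICC profile on upload removes the carrier altogether; this check is for pipelines that must preserve colour profiles.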
13. >_3xf1ltr4t3 y0ur fr1k1 M3taD4t4
~#./get_in_short
#SecurityWeek #HoneyCON19 Track #OSINT
>_ Artifacts that have not been detected still persist on Tw
>_ Possible malware distribution
>_ Communications between individuals and organized groups
>_ Volatility of communications
>_ Ease of dissemination
>_ Possibility that it works on other social networks
14. >_3xf1ltr4t3 y0ur fr1k1 M3taD4t4
~#cat 0tH3r_R3f3R3nC35
#SecurityWeek #HoneyCON19 Track #OSINT
>_Someone Embedded Shakespeare’s Entire Collection in a JPEG on Twitter
https://techweez.com/2018/10/31/complete-works-shakespeare-twitter-jpeg/
>_This Tiny Picture on Twitter Contains the Complete Works of Shakespeare
https://www.vice.com/en_us/article/bj4wxm/tiny-picture-twitter-complete-works-of-shakespeare-steganography
>_Someone just tweeted the entire works of Shakespeare with one tweet
https://www.techspot.com/news/77209-someone-tweeted-entire-works-shakespeare-one-tweet.html
>_You can unzip this tiny image on Twitter to reveal the complete works of Shakespeare
https://www.theverge.com/2018/11/1/18051514/twitter-image-steganography-shakespeare-unzip-me
>_JPEG image of Shakespeare which is also a zip file containing his complete works
https://news.ycombinator.com/item?id=18342042
>_Tiny Twitter thumbnail tweaked to transport different file types
https://www.theregister.co.uk/2018/10/31/twitter_thumbnail_code/
>_This man used Steganography to compress Entire Work of Shakespeare into a Tiny Picture and tweeted it out
https://innov8tiv.com/this-man-used-steganography-to-compress-entire-work-of-shakespeare-into-a-tiny-picture-and-tweeted-it-out/
>_Whole Shakespeare collection hidden inside a single tweet
https://www.zmescience.com/science/whole-shakespeare-collection-hidden-inside-a-single-tweet/
>_How to fit all of Shakespeare in one tweet (and why not to do it!)
https://nakedsecurity.sophos.com/2018/11/12/how-to-fit-all-of-shakespeare-in-one-tweet-and-why-not-to-do-it/
>_To be or not to be 280 characters: All of Shakespeare’s works in a single tweet
https://www.digitaltrends.com/cool-tech/complete-works-shakespeare-twitter-message/
15. >_3xf1ltr4t3 y0ur fr1k1 M3taD4t4
Thanks!
You can find me at @1r0Dm48O && @H4ck3rs4FunCTF
👍
Track #OSINT