Forget Malicious Links and Fear the QR Code Presented by Steve Werby at ConSec 2012
Transcript of Forget Malicious Links and Fear the QR Code Presented by Steve Werby at ConSec 2012
Steve Werby (@stevewerby) ConSec 2012: Forget Malicious Links and Fear the QR Code
Forget Malicious Links and Fear the QR Code
http://bit.ly/consec2012
Steve Werby, Security Researcher and Consultant, ConSec 2012
The rules
- Have a question? Ask away!
- Have a comment? Share!
- I will ask you some questions too.
- I will give away Attrition shirts to a subset of those who participate.
Disclaimer
The opinions shared represent my views, the views of my clients, the views of my past employers, and most importantly, the views of my future employers.
Disclaimer
Ahoy, matey! Th' opinions shared represent me views.
Who am I?
- ISACA Certified Information Security Manager (CISM), 2010 (not quite)
- (ISC)2 Certified Information Systems Security Professional (CISSP), 2010
- GIAC Security Leadership Certification (GSLC), 2008
- GIAC Certified Forensics Analyst (GCFA), 2007
- GIAC Web Application Security Certificate (GWAS), 2007
- GIAC Security Essentials Certification (GSEC), 2007
- GIAC Certified Incident Handler (GCIH), 2006
- MBA, Virginia Commonwealth University
- BS, Industrial and Systems Engineering, Virginia Tech
Agenda
1. Overview of QR codes
2. Planning the research study
3. Deploying the research study
4. Analysis of the results
5. Education campaign
6. Recommendations to reduce risk
7. Q&A
Takeaways
1. QR codes pose risk similar to shortened URLs
2. Not all QR code readers created equal
3. People easily socially engineered
4. Resource for educating users
Overview: Shortened URL risk
- No visual cue what the destination web page is
- May point to a malicious web page
- May point to a legitimate web page, with an intermediary malicious web page

bit.ly/a301xD => ?
Overview: QR codes
1. 2-d barcode
2. Varies by:
   1. Mode
   2. Version
   3. Level of error correction
Overview: Target actions
1. URL
2. Text
3. Calendar entry
4. SMS
5. Email
6. vCard
7. Phone call
Overview: Threat
1. Deliver [malicious|undesired] payload
   1. Exploit app vulnerability
   2. Exploit OS vulnerability
2. Funnel to [malicious|undesired] destination
   1. Phishing page
   2. Premium SMS
3. MiTM
   1. Clickjacking, framesniffing, etc.
   2. CSRF, XSS
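The target actions and the threat list above are what a reader has to decide about the moment it decodes a payload. The following is an added example, not code from the talk or from any of the readers it surveyed: a Python triage function that maps a decoded QR payload to its action type and flags the properties the talk warns about (a shortened URL with no visible destination, an SMS or call that can cost money, a URL with a raw IP host or embedded userinfo). The shortener list, the 5-6 digit short-code heuristic and the payload prefix conventions are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# Hostnames of popular URL shorteners. Illustrative list (assumption), not
# from the talk; extend it for your own environment.
SHORTENER_HOSTS = {"bit.ly", "j.mp", "t.co", "goo.gl", "tinyurl.com", "ow.ly", "is.gd"}


def classify_payload(payload):
    """Map a decoded QR payload to the action a reader would take.
    Prefixes follow the common reader conventions (SMSTO:, MATMSG:, BEGIN:VCARD, ...)."""
    head = payload.strip().upper()
    if head.startswith("BEGIN:VCARD"):
        return "vcard"
    if head.startswith(("BEGIN:VCALENDAR", "BEGIN:VEVENT")):
        return "calendar"
    if head.startswith(("SMSTO:", "SMS:")):
        return "sms"
    if head.startswith("TEL:"):
        return "phone"
    if head.startswith(("MAILTO:", "MATMSG:")):
        return "email"
    if head.startswith(("HTTP://", "HTTPS://")):
        return "url"
    return "text"


def _url_flags(url):
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    flags = []
    if host in SHORTENER_HOSTS:
        flags.append("shortened-url")        # destination not visible to the user
    if parts.username is not None:
        flags.append("userinfo-in-url")      # http://bank.example@evil.example/ trick
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
        flags.append("raw-ip-host")
    if parts.scheme.lower() == "http":
        flags.append("cleartext-http")
    return flags


def _sms_flags(payload):
    # SMSTO:<number>:<body>   (body is optional)
    fields = payload.strip().split(":", 2)
    number = fields[1] if len(fields) > 1 else ""
    flags = ["may-cost-money"]
    # Heuristic (assumption): 5-6 digit numbers are short codes, the usual
    # vehicle for premium-rate SMS subscriptions.
    if re.fullmatch(r"\d{5,6}", number):
        flags.append("short-code")
    return flags


def assess_payload(payload):
    """Return the action type, risk flags and whether a reader should ask first."""
    kind = classify_payload(payload)
    if kind == "url":
        flags = _url_flags(payload.strip())
    elif kind == "sms":
        flags = _sms_flags(payload)
    elif kind == "phone":
        flags = ["may-cost-money"]            # premium-rate numbers
    elif kind in ("email", "vcard", "calendar"):
        flags = ["writes-to-device"]          # drafts mail, adds a contact or event
    else:
        flags = []                            # plain text is only displayed
    # Lowest-risk default: prompt whenever anything is flagged.
    verdict = "ask" if flags else "open"
    return {"kind": kind, "flags": flags, "verdict": verdict}


if __name__ == "__main__":
    for sample in ("http://bit.ly/a301xD", "SMSTO:12345:JOIN", "https://example.com/menu"):
        print(sample, "->", assess_payload(sample))
```

A reader that always asks is still the safest setting; the verdict here only shows where an automatic action is clearly a bad idea. Note that a clean-looking HTTPS URL can still be a phishing page, which is why the education campaign below matters as much as the tooling.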
Overview: Examples
Planning: Goals
- Evaluate QR code readers’ controls and default behavior
- Assess user vulnerability to attacks
- Educate users
Planning
- Mediums
- What to measure
- Granularity
Planning: Mediums
- Electronic: web, email, Facebook
- 1:1 print: mailers, newspaper inserts, flyers
- 1:n print
Planning: Campaigns
Classes, by how the QR code is placed: Original, Added, Overlaid
Classes, by what is printed with it: No written URL, Written shortened URL, Written real URL
Planning: Granularity
Granular by:
- Campaign
- Campaign variants
- Physical location by GPS coordinates
- Target action performed
- Education
Planning: What to measure
- Count people scanning QR code
- Count people who perform target action: by choice, automatically
- Effectiveness of campaign types
- Effectiveness of context
Planning: Flow
- qrcoderisk.com
- spoofed
- spoofed => qrcoderisk.com
- innocuous
- innocuous => qrcoderisk.com
- Shortened URL => qrcoderisk.com
- Shortened URL => qrcoderisk.com => real
- Shortened URL => innocuous => real
- Shortened URL => spoofed => real
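The shortened-URL risk from the overview and the multi-hop flows planned here (Shortened URL => innocuous => real, Shortened URL => spoofed => real) are only visible to someone who follows the chain one hop at a time. As an added example, not code from the talk or from qrcoderisk.com, here is a Python expander that does exactly that: it records every hop and warns on host changes, HTTPS downgrades and loops. The route table is constructed for the example and stands in for live servers; `http_fetch` performs real HEAD requests and needs network access.

```python
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlsplit


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Make urllib report a 3xx instead of silently following it."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def http_fetch(url, timeout=10):
    """One HEAD request; returns (status, Location header or None). Needs network."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(urllib.request.Request(url, method="HEAD"), timeout=timeout) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:      # 3xx surfaces here because of _NoRedirect
        return err.code, err.headers.get("Location")


REDIRECT_CODES = {301, 302, 303, 307, 308}


def expand_chain(url, fetch=http_fetch, max_hops=10):
    """Follow redirects hop by hop. Returns ([(url, status), ...], [warnings])."""
    chain, warnings, seen = [], [], set()
    current = url
    while True:
        if current in seen:
            warnings.append("redirect loop")
            break
        if len(chain) >= max_hops:
            warnings.append("too many hops")
            break
        seen.add(current)
        status, location = fetch(current)
        chain.append((current, status))
        if status not in REDIRECT_CODES or not location:
            break
        nxt = urljoin(current, location)            # Location may be relative
        cur_parts, nxt_parts = urlsplit(current), urlsplit(nxt)
        if nxt_parts.hostname != cur_parts.hostname:
            warnings.append(f"host change: {cur_parts.hostname} -> {nxt_parts.hostname}")
        if cur_parts.scheme == "https" and nxt_parts.scheme == "http":
            warnings.append(f"https downgrade at {nxt}")
        current = nxt
    return chain, warnings


# Constructed route table (assumption) standing in for live servers: a bitly
# link, an "innocuous" intermediary that issues a relative redirect, then the
# real page. Mirrors the "Shortened URL => innocuous => real" flow.
SAMPLE_ROUTES = {
    "http://bit.ly/qrcode001": (301, "http://innocuous.example/"),
    "http://innocuous.example/": (302, "/promo"),
    "http://innocuous.example/promo": (302, "https://real.example/offer"),
    "https://real.example/offer": (200, None),
}

if __name__ == "__main__":
    chain, warnings = expand_chain("http://bit.ly/qrcode001", fetch=lambda u: SAMPLE_ROUTES[u])
    for hop, status in chain:
        print(status, hop)
    print(warnings)
```

Two practical caveats: some shorteners and intermediaries answer HEAD differently from GET, so a GET with a small read limit is sometimes the more faithful probe, and a page that redirects with JavaScript or a meta refresh will not show up in this chain at all.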
Planning: Attributes to capture
Campaigns:
- Campaign ID
- Campaign variant ID
- Campaign description
- Flow type (direct, shortened URL)
- URL display type (none, shortened URL, real)
Planning: Attributes to capture
Deployments:
- QR code ID
- Campaign variant ID
- Physical location
- GPS coordinates
- Number deployed
- Type (original, added, overlaid)
- Date deployed
- Picture
Planning: Attributes to capture
Tracked:
- Visit ID
- QR code ID
- Campaign variant ID
- IP address (stripped/purged after 72 hours)
- User agent
- Date/time
Planning: Attributes to capture
Surveyed:
- Visit ID
- QR code reader
- Knowledge of QR code risk
- Data backed up
- QR code reader behavior
Planning: Hosts and services
Hosts:
- qrcoderisk.com
- the<word>portal.com
- qrcode<obfuscated>.com (innocuous)
- bit.ly/qrcodeNNN
Services:
- Amazon EC2 (LAMP platform)
- bitly
- QRStuff QR Code Generator
- GPS Status (Android app)
- Several Android QR code readers
Deploying: Setup
- Generate shortened URLs using bitly
- Create unique QR codes pointing to unique URLs
- Print documents and stickers
Deploying: Locations
- Easy to access
- High foot traffic
- Low security
- Unlikely to be removed quickly
Deploying: Campaigns
- Original: Suspicious, Plausible
- Added / overlaid: Anything went
Deploying: Locations
- Stores (grocery, department, etc.)
- Schools
- Events (sporting, conferences)
- Vehicles (authorized!)
Analysis: Capturing
- bitly tracking (when used)
- Apache access.log
- MySQL DB populated from access.log, user actions, user input

66.87.xxx.yyy - - [14/Sep/2012:12:33:52 +0000] "GET /nnn HTTP/1.1" 200 558 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 5_1_1 like Mac OS X) AppleWebKit/534.46 (KHTML, like Gecko) Version/5.1 Mobile/9B206 Safari/7534.48.3"
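The access.log line above is the raw record the study turned into "Tracked" rows (visit ID, QR code ID, IP address stripped after 72 hours, user agent, date/time). The following added example, not the study's own code, parses that Apache combined format, loads successful scans into an in-memory SQLite table standing in for the MySQL DB, and applies the 72-hour IP purge. The two extra log lines, the `/<id>` path convention for QR code URLs and the table schema are constructed assumptions.

```python
import re
import sqlite3
from datetime import datetime, timedelta, timezone

# Constructed sample log (assumption): the line from the slide plus two more in
# the same Apache combined format. IPs and QR code IDs are placeholders.
SAMPLE_LOG = """\
66.87.xxx.yyy - - [14/Sep/2012:12:33:52 +0000] "GET /nnn HTTP/1.1" 200 558 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 5_1_1 like Mac OS X) AppleWebKit/534.46 (KHTML, like Gecko) Version/5.1 Mobile/9B206 Safari/7534.48.3"
198.51.100.7 - - [14/Sep/2012:13:02:10 +0000] "GET /042?v=2 HTTP/1.1" 200 558 "-" "Mozilla/5.0 (Linux; U; Android 4.0.4; en-us; SCH-I535 Build/IMM76D) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30"
203.0.113.9 - - [14/Sep/2012:13:05:41 +0000] "GET /favicon.ico HTTP/1.1" 404 209 "-" "curl/7.26.0"
"""

# Apache "combined" LogFormat: %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# Assumption: QR code URLs are /<id>; anything with a dot (favicon.ico) is not a scan.
QR_PATH_RE = re.compile(r"^/(?P<id>\w+)(?:\?.*)?$")


def platform_from_ua(ua):
    """Rough OS classification from the User-Agent; the reader app itself is surveyed, not inferred."""
    m = re.search(r"iPhone OS (\d+(?:_\d+)*)", ua)
    if m:
        return "iOS " + m.group(1).replace("_", ".")
    m = re.search(r"Android (\d+(?:\.\d+)*)", ua)
    if m:
        return "Android " + m.group(1)
    return "other"


def parse_access_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    qr = QR_PATH_RE.match(rec["path"])
    rec["qr_code_id"] = qr.group("id") if qr else None
    rec["platform"] = platform_from_ua(rec["ua"])
    return rec


def load_visits(log_text):
    """Build an in-memory 'tracked' table (stand-in for the MySQL DB) from successful scans."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE tracked (visit_id INTEGER PRIMARY KEY, qr_code_id TEXT, "
        "ip TEXT, user_agent TEXT, platform TEXT, ts TEXT)"
    )
    for line in log_text.splitlines():
        rec = parse_access_line(line)
        if rec and rec["status"] == 200 and rec["qr_code_id"]:
            # Store UTC ISO-8601 so that string comparison orders timestamps correctly.
            ts = rec["ts"].astimezone(timezone.utc).isoformat()
            db.execute(
                "INSERT INTO tracked (qr_code_id, ip, user_agent, platform, ts) VALUES (?, ?, ?, ?, ?)",
                (rec["qr_code_id"], rec["ip"], rec["ua"], rec["platform"], ts),
            )
    db.commit()
    return db


def purge_ips(db, now=None, retention=timedelta(hours=72)):
    """Null out the IP on rows older than the retention window; returns rows changed."""
    now = (now or datetime.now(timezone.utc)).astimezone(timezone.utc)
    cutoff = (now - retention).isoformat()
    cur = db.execute("UPDATE tracked SET ip = NULL WHERE ip IS NOT NULL AND ts < ?", (cutoff,))
    db.commit()
    return cur.rowcount


def demo(now=datetime(2012, 9, 17, 13, 0, tzinfo=timezone.utc)):
    """Load the sample, purge as of `now`, return (rows purged, remaining rows)."""
    db = load_visits(SAMPLE_LOG)
    purged = purge_ips(db, now)
    rows = db.execute("SELECT qr_code_id, ip, platform FROM tracked ORDER BY visit_id").fetchall()
    return purged, rows


if __name__ == "__main__":
    print(demo())
```

Running the purge on a schedule (cron or a DB event) rather than at analysis time is what makes the "stripped after 72 hours" promise hold even when nobody is looking at the data.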
Analysis (preliminary): Campaigns
Ranking:
1. Free iPad (20)
2. Work at home (17)
3. Scan me for recipes (13)
4. Catchall of Added (11)
5. Mystery shopper (9)
6. Scan this I dare you (8)
7. Catchall of Overlaid (7)
8. Don’t scan me (6)
9. Only a QR code (5)
10. Scan me (4)
Analysis: Tools for Android

Tool                           Expand Shortened URL   Warn if Malicious   Default Post-Scan Actions   Edit Post-Scan Actions   Save Scanned QR Codes
QR Droid                       No                     No                  Ask                         By Type                  Yes
Microsoft Tag                  No                     No                  Open                        No                       Yes
Quick Barcode Scanner          No                     No                  Open                        No                       No
Scanlife Barcode & QR Reader   No                     No                  Open                        Yes, Global              Yes
QuickMark Barcode Scanner      No                     No                  Ask                         No                       Yes
Education campaign: Components
- Risks that QR codes can pose
- What to look for
- Tool features
- Tool recommendations
Education campaign: Measurement
- Knowledge of the risk
- QR reader used
- What gained: new knowledge, intent to change behavior
Reducing risk: Publishers
- Describe in detail what the QR code does
- Do not use shortened URLs for QR codes
Reducing risk: App developers
- Give user control over QR code actions
- Set default settings to lowest risk
Reducing risk: Users
- Be cautious
- Use QR code readers with adequate controls and enable them
Reducing risk: Infosec practitioners
- Make constituents aware of risk
- Deploy/configure/recommend adequate tools
Takeaways
1. QR codes pose risk similar to shortened URLs
2. Not all QR code readers created equal
3. People easily socially engineered
4. Resource for educating users
Thanks
- @itandmore for helping come up with the research idea
- @tbwerby for assisting with copywriting, graphics, and deployment
- Volunteers for deployment assistance
- wtfqrcodes.com for many of the interesting QR code examples
- ConSec for selecting my presentation
Next steps
- Continue research (volunteers?)
- Implement qrcoderisk.com as an ongoing security awareness site (possibly)
Q&A
Ask now, or track me down later:
- <EMAIL ADDRESS STRIPPED>
- @stevewerby
- DerbyCon
- SecTor
- Hack3rcon