Oct 21 2013

Facebook Data Mining Tool Uncovers Your Life

You know you shouldn’t post potentially damaging data on Facebook, but more often that not, your friends don’t think twice about it, and this can impact you even more than you think. At the Hack In The Box conference in Kuala Lumpur, security consultants Keith Lee and Jonathan Werrett from SpiderLabs revealed how a simple tool can enable anyone to find a comprehensive amount of data on any user.

Facebook Data Mining
Keith Lee and Jonathan Werrett during their presentation

To get the information, they created the aptly named FBStalker. This tool reverse-engineers the Facebook Graph and can find information on almost anyone. You don’t have to be a friend with someone on the network – the only thing that FBStalker needs to work is for parts of your posts to be marked as public. The tool will find things based on photos you’ve been tagged in, the comments you’ve put on other people’s posts, the things that you like, etc.

If you are tagged in a photo, we can assume you know the people you’re in the photo with. If you comment on a post, FBStalker knows there’s an association. Most people have an open friends list and this gives the tool a variety of people to target for more information. By looking at their posts and your interactions with them, it’s possible to understand how some of those people are important in your life.

Even though many users don’t use the Check-In function, it’s still possible to determine their favorite places to hang-out based on the tagged photos and posts from their friends. Just imagine the level of detail you can achieve and how that can help you if you want to mount a targeted social engineering attack against the user.

The first thing that came to mind when I learned about this tool was to ask if it’s a violation of Facebook’s terms of service. Werrett was expecting the question, he says with a smile: “The tool is basically automating what the user can do in the browser. We’re not using any APIs or unofficial ways of interacting with the interface. We’re using Graph Search to build-up this profile.”

FBStalker goes also a step further and provides private information about the targeted user that might not be obvious to others. It allows you to analyze the time when the person is online and, with time you are able to guess their sleep patterns and active hours.

This type of tool works well if you haven’t locked down your profile, but it can still work even if you have, provided that your friends haven’t locked down their profiles. You know the old saying – the chain is only as strong as its weakest link. With Facebook’s recent announcement that they are removing a privacy feature and that every user is going to be discoverable by name, things are getting increasingly harder to hide.

Even if your account is locked down, you can’t mark your profile picture as private. Once you change it and people like the picture, the attacker can start building a view of your friends list.

What can you do to protect yourself? The authors have a few suggestions: turn off location tracking and tighten your Facebook privacy settings. However, with the social networking giant increasingly removing privacy options, you may have trouble staying hidden.

Oct 01 2013

New Touch ID Hack Allows to Unlock iPhone by Multiple FingerPrints

iPhone 5S Touch ID HackThe Iranian group defeated the very basic phenomenon of an iPhone Fingerprinting scanner, which allows them to unlock an iPhone device with multiple Fingerprints.

Apple‘s iPhone 5s, was launched just available in stores two weeks before with a new feature of biometrics-based security system called “Touch ID”, that involves analyzing a user’s fingerprint and using that to unlock the phone.

Apple launched the technology that it promises will better protect devices from criminals and snoopers seeking access. With this you can purchase things from the iTunes App Store. Basically, you can now use it in place of your password.

“Fingerprint is one of the best passcodes in the world. It’s always with you, and no two are exactly alike,” according to the Apple’s website.

Last week Germany Hackers showed that how they were able to deceive Apple’s latest security feature into believing they’re someone they’re not, using a well-honed technique for creating a latex copy of someone’s fingerprint.

Another interesting fact is that, Touch ID is not only designed to scan the fingerprints of your fingers, it works with various human body parts and appendages which are also not fingers.

In a video demonstration, the Group set up a mixed Fingerprint scan of 5-6 people for an iPhone 5S handset (as shown in the video), which allowed all of them to unlock the locked device with their individual fingerprint.

According to Apple, the chance that Touch ID will misread a finger is 1 in 50,000 , this is because Touch ID is not designed to capture the fingerprint in strict mode. It scans the fingerprint on a very high-resolution (2400 dpi), to get and match the partial parts of an impression for faster unlocking.

If the iPhone is not able to scan the thumb impression in the strict mode to be unique, there is a possibility that out of 1000 thumb impressions iPhone’s Touch ID system can count 2-3 impressions as of the same person.