Compass Security AG, Werkstrasse 20, Postfach 2038, CH-8645 Jona
Tel +41 55 214 41 60, Fax +41 55 214 41 [email protected], www.csnc.ch
Walter Sprenger
Compass Security AG
Identifying Users with Browser Fingerprinting
© Compass Security AG Seite ‹#›www.csnc.ch
AGENDA
Browser Fingerprinting
Identifying Users
Live Demo
Browser GeoLocation
Live Demo
Browser Fingerprinting
EFF - Panopticlick
Panopticlick from the Electronic Frontier Foundation
- Showed that the fingerprint of a browser is unique for the large majority of browsers tested
- Cookies are not used for the fingerprint
- Test your browser: panopticlick.eff.org
Browser Fingerprint
More than 40 usable parameters
Categories
- HTTP request headers
- JavaScript
- Java applet
- Flash
- HTML5 features
Parameters with the most entropy
- User-Agent string
- Font list
- Installed plugins
Diagram: the parameters Par1, Par2 … ParX are concatenated and hashed (Calc-Hash); the resulting hash value is the fingerprint.
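How do you decide which parameters are worth hashing? Panopticlick ranks them by the identifying information they carry. The following is an added example written for this page (not code from the slides or from Panopticlick); it measures, over a constructed sample population, the Shannon entropy of each parameter, the surprisal of one concrete value, and the entropy of the combined fingerprint. Lists are sorted before comparison so that a different enumeration order does not count as a different value.

```javascript
// Added example: how many bits of identifying information each fingerprint
// parameter contributes. The population below is constructed, not real data.

// Constructed sample population: one record per observed browser.
const population = [
  { ua: "Mozilla/5.0 (Windows NT 6.1) Firefox/3.6", fonts: ["Arial", "Verdana", "Wingdings"], plugins: ["Flash", "Java"],        tz: -60 },
  { ua: "Mozilla/5.0 (Windows NT 6.1) Firefox/3.6", fonts: ["Arial", "Verdana"],              plugins: ["Flash"],                tz: -60 },
  { ua: "Mozilla/5.0 (Macintosh) Safari/533",       fonts: ["Helvetica", "Monaco"],           plugins: ["Flash", "QuickTime"],   tz: -60 },
  { ua: "Mozilla/5.0 (X11; Linux) Firefox/3.6",     fonts: ["DejaVu Sans"],                   plugins: [],                       tz: -60 },
  { ua: "Mozilla/5.0 (Windows NT 6.1) Firefox/3.6", fonts: ["Wingdings", "Arial", "Verdana"], plugins: ["Java", "Flash"],        tz: -60 },
  { ua: "Mozilla/5.0 (Windows NT 5.1) MSIE 8.0",    fonts: ["Arial", "Times New Roman"],      plugins: ["Flash", "Silverlight"], tz: 300 },
  { ua: "Mozilla/5.0 (Windows NT 6.1) Firefox/3.6", fonts: ["Arial", "Verdana"],              plugins: ["Flash"],                tz: 300 },
  { ua: "Mozilla/5.0 (Macintosh) Safari/533",       fonts: ["Helvetica", "Monaco"],           plugins: ["Flash", "QuickTime"],   tz: -60 },
];

// Canonical string for one parameter value. Lists are sorted so that the
// same font set enumerated in a different order is still the same value.
function canonical(value) {
  if (Array.isArray(value)) return value.slice().sort().join(",");
  return String(value);
}

// Shannon entropy in bits of one parameter over the population:
// H = -sum p(v) * log2 p(v). A value shared by everyone contributes 0 bits.
function entropyBits(records, param) {
  const counts = new Map();
  for (const r of records) {
    const v = canonical(r[param]);
    counts.set(v, (counts.get(v) || 0) + 1);
  }
  let h = 0;
  for (const c of counts.values()) {
    const p = c / records.length;
    h -= p * Math.log2(p);
  }
  return h;
}

// Surprisal of one concrete value, -log2 p(v): the rarer the value, the more
// it narrows down who you are. A never-seen value is maximally surprising.
function surprisalBits(records, param, value) {
  const target = canonical(value);
  const n = records.filter((r) => canonical(r[param]) === target).length;
  if (n === 0) return Infinity;
  return -Math.log2(n / records.length);
}

// Key of the combined fingerprint: all selected parameters in a fixed order.
function combinedKey(record, params) {
  return params.map((p) => p + "=" + canonical(record[p])).join("|");
}

// Entropy of the combined fingerprint, i.e. of the concatenated parameters.
// It cannot exceed log2(records.length), so real measurements need large samples.
function fingerprintEntropyBits(records, params) {
  const keyed = records.map((r) => ({ key: combinedKey(r, params) }));
  return entropyBits(keyed, "key");
}

// Rank parameters by the entropy each contributes on its own.
function rankParameters(records, params) {
  return params
    .map((p) => ({ param: p, bits: entropyBits(records, p) }))
    .sort((a, b) => b.bits - a.bits);
}
```

With this population the font list and the plugin list are the most identifying single parameters and the time zone the least, and adding the time zone to the combined fingerprint still raises its entropy, because it separates two records that agree on everything else.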
Identify Users
An Internet user
- enters a password 8 times a day
- has 25 web accounts
- remembers 6.5 different passwords
- uses one password for about 3.9 web sites
Reference: "A Large-Scale Study of Web Password Habits", Dinei Florêncio, Cormac Herley, WWW '07
Interesting sites
- Large user bases
- User is author or can create apps
- Security is not the site's main goal
⇒ Ideal: social networking sites
Proof-of-Concept Fingerprintr
Fingerprintr
- Create fingerprint
- Compare fingerprints
- Configure the parameters used for the fingerprint
- Store data in a database
Facebook app
- Create fingerprint
Facebook App Fingerprintr
Diagram: the Facebook app and the admin interface (direct access) both feed into Fingerprintr.
Live Demo: Identifying Users with Browser Fingerprinting
Screenshots: Fingerprintr
Why use Browser Fingerprinting?
Why should you want to identify users by their browser fingerprint?
Fraud Detection
Fraud detection
- Create browser profiles of users
- Verify the profile when ordering or transferring money
- Detect session hijacking attacks
In case of differing fingerprints
- Re-authenticate the user
- Enforce another identifying parameter
  - Security question
  - SMS token
  - Mail link
Session Tracking
User friendly
- Replace cookie functionality (if cookies are not allowed or are deleted)
- Track a user across multiple sessions
- Persistent identification ("Remember me" functionality)
Marketing / statistics
- Record and analyse user behaviour
- Improve the data quality of address databases
Investigations
Identify the name of
- Stalkers
- Anonymous webmail senders
- Malicious bloggers
- Hackers
- Resolve an IP address to a user name without a court order
Pitfalls with Browser Fingerprinting
Problems with browser fingerprints
- The fingerprint changes with browser modifications
  - Browser/plugin update
  - New plugins
  - New fonts
  - New applications on the system
- The more parameters are used for the fingerprint…
  - the better the uniqueness among many browsers
  - the lower the chance of recognising the same browser again (a change in any single parameter changes the hash)
- Cross-domain
  - Websites must include JavaScript (like Google Analytics)
  - Browser parameters sometimes differ between sites/servers (e.g. the order of the font list)
Evercookie
Reference: http://samy.pl/evercookie/
Storage used by Evercookie
Storage locations of Evercookie
- Standard HTTP cookies
- Local Shared Objects (Flash cookies)
- Silverlight Isolated Storage
- Cookies stored in the RGB values of auto-generated, force-cached PNGs, read back out through the HTML5 Canvas tag
- Cookies stored in the web history
- Cookies stored in HTTP ETags
- Cookies stored in the web cache
- window.name caching
- Internet Explorer userData storage
- HTML5 Session Storage
- HTML5 Local Storage
- HTML5 Global Storage
- HTML5 Database Storage via SQLite
Evercookie Framework
Framework features/advantages
- Works cross-browser
- Reads all storage locations
- Recovers deleted cookies
Proof of concept
- http://samy.pl/evercookie/
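What "recovers deleted cookies" means mechanically is shown by the following added example, written for this page and not taken from samy.pl's evercookie: the same identifier is written to several of the storage locations listed on the previous slide, and on every visit all locations are read, the value that most of them agree on wins, and the locations that lost it are re-seeded. The storage key name, the four browser stores chosen, and the in-memory stand-ins used to run the logic outside a browser are assumptions of this example.

```javascript
// Added example (not samy.pl's evercookie): the respawn logic behind Evercookie,
// reduced to four of its storage locations. Each store is an adapter with
// get()/set(v)/clear(); the identifier survives as long as any one store does.

// Adapters for real browser stores (used only when run inside a page).
// The key name is ours, not Evercookie's.
function browserStores() {
  const KEY = "evercookie_uid";
  return [
    { name: "cookie",
      get: () => { const m = document.cookie.match(new RegExp("(?:^|; )" + KEY + "=([^;]*)")); return m ? m[1] : null; },
      set: (v) => { document.cookie = KEY + "=" + v + "; path=/; max-age=315360000"; },
      clear: () => { document.cookie = KEY + "=; path=/; max-age=0"; } },
    { name: "localStorage",
      get: () => localStorage.getItem(KEY),
      set: (v) => localStorage.setItem(KEY, v),
      clear: () => localStorage.removeItem(KEY) },
    { name: "sessionStorage",
      get: () => sessionStorage.getItem(KEY),
      set: (v) => sessionStorage.setItem(KEY, v),
      clear: () => sessionStorage.removeItem(KEY) },
    { name: "window.name",
      get: () => (window.name.indexOf(KEY + ":") === 0 ? window.name.slice(KEY.length + 1) : null),
      set: (v) => { window.name = KEY + ":" + v; },
      clear: () => { window.name = ""; } },
  ];
}

// In-memory stand-ins with the same interface, so the respawn logic can be
// exercised outside a browser (constructed for this example).
function memoryStores(names) {
  return names.map((name) => {
    let value = null;
    return { name, get: () => value, set: (v) => { value = v; }, clear: () => { value = null; } };
  });
}

// Read one store, treating a blocked or absent store as empty.
function safeGet(store) {
  try { return store.get() || null; } catch (e) { return null; }
}

class Evercookie {
  constructor(stores) { this.stores = stores; }

  // Write the identifier into every store that accepts it.
  set(id) {
    for (const s of this.stores) { try { s.set(id); } catch (e) { /* store unavailable */ } }
    return id;
  }

  // Read every store. The value seen most often wins, so a single tampered
  // store cannot swap the id; stores that lost it are re-seeded (the "respawn").
  get() {
    const votes = new Map();
    for (const s of this.stores) {
      const v = safeGet(s);
      if (v !== null) votes.set(v, (votes.get(v) || 0) + 1);
    }
    if (votes.size === 0) return null;
    const id = [...votes.entries()].sort((a, b) => b[1] - a[1])[0][0];
    for (const s of this.stores) {
      if (safeGet(s) !== id) { try { s.set(id); } catch (e) { /* store unavailable */ } }
    }
    return id;
  }

  // Names of the stores currently holding an identifier.
  holders() { return this.stores.filter((s) => safeGet(s) !== null).map((s) => s.name); }
}

// Return the recovered identifier, or mint and spread a new one if none survived.
function getOrCreate(ec, newId) {
  return ec.get() || ec.set(newId());
}

// Browser usage: getOrCreate(new Evercookie(browserStores()), () => crypto.randomUUID())
```

The defensive consequence follows directly from get(): deleting cookies alone achieves nothing, because the next page load reads the id from localStorage or window.name and writes the cookie back. All locations have to be wiped in the same clean-up, and server-assisted stores such as ETags or cached PNGs survive anything short of emptying the cache.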
Live Demo: Evercookie
Browser GeoLocation
Locate Mobile Phones and Laptops?
Locating mobile phones has been possible for a long time.
(GPS, Cell-ID, HLR lookups, silent SMS, iPhone tracking, etc.)
But did you know that your laptop can be located as well?
Live Demo: GeoLocation
Sample of GeoLocation
maps.google.com
Disable GeoLocation
Internet Explorer 9 options (Internet Options, Privacy tab, Location section)
Firefox about:config (set geo.enabled to false)
JavaScript Code Snippet
GeoLocation JavaScript
var mylat; var mylong;
// geolocation supported?
if (navigator.geolocation) {
  // get coordinates (asynchronous: the browser asks the user for permission first)
  navigator.geolocation.getCurrentPosition(
    function (position) {            // success callback
      mylat = position.coords.latitude;
      mylong = position.coords.longitude;
    },
    function (error) {               // error callback: permission denied, position unavailable, timeout
      console.log("geolocation error: " + error.message);
    }
  );
}
Browser Localization explained
How does browser localisation work?
- JavaScript in the HTML page requests coordinates
- The browser binary retrieves the list of access points (MAC, SSID, signal strength) from the wireless network card
- The list of access points is sent to the geolocation service provider
- The geolocation service provider returns latitude/longitude, postal address and accuracy information
GeoLocation service providers
- Skyhook Wireless
- Apple
- Navizon
- Xtify
Browser Localization explained
POST https://www.google.com/loc/json
{"version":"1.1.0","request_address":true,
 "access_token":"2:2wKdveEadfvychcI:-dadsf7uYNAnQLZO",
 "wifi_towers":[
  {"mac_address":"00-11-22-33-44-55","ssid":"WLANDefault","signal_strength":-55},
  {"mac_address":"aa-bb-cc-dd-ee-ff","ssid":"OpenRG","signal_strength":-84}]}
Browser Localization explained
JSON Response
{"location":
{"latitude":47.2353182,
"longitude":9.1869627,
"address":{
"country":"Switzerland",
"country_code":"CH",
"region":"St Gall",
"county":"Toggenburg",
"city":"Nesslau-Krummenau",
"street":"Ämelsbergstrasse",
"street_number":"1658",
"postal_code":"9652"},
"accuracy":33.0}}
Update WiFi/Coord Databases
Updating the geolocation database
- StreetView cars
- Navigation providers (TomTom, Navigon, etc.)
- Contracts with third parties (taxis, buses, garbage collection)
- Every user of location services helps to update the database
  - iPhone with GPS/WLAN/Cell-ID information
  - Browser with geolocation services
- For example
  - 4 WiFi MAC addresses are submitted by a client
  - 3 are known in the geolocation database
  - The new MAC address is inserted into the database accordingly
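The provider side of the exchange described on the last three slides, as an added example written for this page (it is not the code of Google, Skyhook or any other provider, whose positioning algorithms are not public): the client's scan is packed into the request shape shown above, the MAC addresses that are already in the database are looked up, the client's position is estimated as the signal-strength-weighted centroid of those known access points, and the MAC address that was not known is inserted at that estimate, which is the "4 submitted, 3 known, 1 inserted" case. The database contents, the scan, the dBm-to-linear weighting and the rule of requiring at least two known neighbours before learning a new address are all assumptions of this example.

```javascript
// Added example (no provider's real code): WiFi positioning by weighted
// centroid, plus learning new access points from client submissions.
// Database, scan and weighting are constructed/assumed for illustration.

// Constructed database: MAC address -> last estimated position of the access point.
const apDatabase = new Map([
  ["00-11-22-33-44-55", { latitude: 47.2350, longitude: 9.1860 }],
  ["aa-bb-cc-dd-ee-ff", { latitude: 47.2356, longitude: 9.1870 }],
  ["66-77-88-99-aa-bb", { latitude: 47.2353, longitude: 9.1880 }],
]);

// Pack a wireless scan into the request body shape shown on the slides above.
function buildRequest(scan, accessToken) {
  return {
    version: "1.1.0",
    request_address: true,
    access_token: accessToken,
    wifi_towers: scan.map((ap) => ({
      mac_address: ap.mac.toLowerCase(),      // normalise so lookups are case-insensitive
      ssid: ap.ssid,
      signal_strength: ap.rssi,               // dBm, e.g. -55
    })),
  };
}

// dBm -> linear power, so an access point heard 10 dB louder gets 10x the weight.
function weightFromRssi(rssi) {
  return Math.pow(10, rssi / 10);
}

// Estimate the client's position as the weighted centroid of the access points
// that are in the database; report which submitted MACs were unknown.
function locate(request, db) {
  let wsum = 0, lat = 0, lon = 0;
  const unknown = [];
  for (const ap of request.wifi_towers) {
    const pos = db.get(ap.mac_address);
    if (!pos) { unknown.push(ap.mac_address); continue; }
    const w = weightFromRssi(ap.signal_strength);
    wsum += w;
    lat += w * pos.latitude;
    lon += w * pos.longitude;
  }
  if (wsum === 0) return null;               // nothing known: cannot locate this client
  return {
    latitude: lat / wsum,
    longitude: lon / wsum,
    known: request.wifi_towers.length - unknown.length,
    unknown,
  };
}

// Learn from the submission: insert unknown MACs at the estimated position,
// but only when enough known neighbours make that estimate trustworthy.
function updateDatabase(request, db, minKnown = 2) {
  const fix = locate(request, db);
  if (!fix || fix.known < minKnown) return { fix, inserted: [] };
  for (const mac of fix.unknown) {
    db.set(mac, { latitude: fix.latitude, longitude: fix.longitude });
  }
  return { fix, inserted: fix.unknown };
}
```

This is also why a laptop that has never used a location service can still be located: it only needs to see access points that other people's devices have already reported, and every one of its own submissions quietly teaches the provider about any access point it sees that nobody had reported before.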
Usage of GeoLocation Services
What could this be used for?
Locate users
- An application that collects the MAC addresses of nearby WiFi access points and sends this information to whoever is doing the surveillance
- A weakness in the browser that allows access to the Geolocation API without prompting the user
Find criminals
- Find the location of criminals without a court order
- Location information is much more accurate than IP-to-location lookups
Live Demo: GeoLocation Trojan
Voting!
Discussion
Questions?
Contact
Compass Security Network Computing
Werkstrasse 20
Postfach 2038
CH - 8645 Jona
[email protected] | www.csnc.ch | +41 55 214 41 60
Secure File Exchange: www.csnc.ch/filebox
PGP-Fingerprint:
References
Identifying users
- http://panopticlick.eff.org/
- http://samy.pl/evercookie/
GeoLocation
- http://code.google.com/intl/de-CH/apis/gears/api_geolocation.html
- http://www.mozilla.com/de/firefox/geolocation/
- http://diveintohtml5.org/geolocation.html