Vaagn Toukharian, Qualys: Social Untrust

CONFidence 2015: Social Untrust - Vaagn Tukharian


Vaagn Toukharian, Qualys

Social Untrust

info

@tukharian

WAS developer at Qualys

leader of OWASP Armenia

Information = money

not about social engineering

it’s about social trust and its monetization

Exceptions?

• ePride

• eEducation

• eFitness

new formula: trust=money

CIA

is this enough?

Confidentiality

Integrity

Availability

On Trust

“It takes 20 years to build a reputation and five minutes to ruin it” Warren Buffett

On Social Networks

PAAS (Pride As A Service)

Strava – community of show-off athletes

• KOM (king of mountain)

• ride/run data analysis

• regular social stuff

Going to the Top

My Strava

Strava Privacy

Screenshot of what a great feature the privacy setting is

Detectable

Our “tool”

• just compress the time without jumps

• HR data stays the same

• spoof the date/time

• resampled data borrowed from other athletes is accepted by the system as a unique entry

Just Compress the Time

Reaction

Solution

• current

  • closure of APIs

  • stricter internal fraud-detection algorithm

  • user reporting

• future?

  • signed GPS logs

  • correlation (physiology based)

GPS Trouble

Uber

• convenient / just one click to get a ride

• cheaper than a regular cab

• good for riders too

• in SF or NYC a driver can get up to 90K a month

• drivers feel safer since all the riders are “traceable”

Uber Hacks

• regular things, like lying, hedging vs Lyft

• creating new accounts with new phone numbers to get referrals (repeat)

• new scams:

  • rider canceling the current ride?

  • rider requesting stops that could not be proven to be initiated by the rider

Uber (un)trust

Uber (local office) will adjust/judge disputes based on the GPS log

Gympact

ePride + real_money

• get paid to visit the gym regularly

• get penalized for every missed workout

• one could make a little money (~$25) per week

• or lose up to $50 per missed workout

• Gympact trusts GPS for correctness

Trust GPS

Uber, Strava and Gympact, besides everything else they trust, also trust GPS

• could be spoofed

• could be just unreliable

• military GPS uses auth

Hacking GPS

• jamming

• spoofing

• spoofing on the device with fake GPS location app

Stealing Boats and Stuff

Fixes

• crypto

• auth

• correlation with other sensors

• polarization

• angle of arrival

• time consistency
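The Strava "Solution" slide lists a stricter fraud-detection algorithm and physiology-based correlation, and the "Fixes" slide lists time consistency and correlation with other sensors; as an added example (not the speaker's or any service's code), this Python sketch runs those checks over a constructed ride track: sample spacing against the device's native rate, segment speed, heart rate against pace, and a time-independent geometry fingerprint that makes a re-timed or resampled copy of another athlete's upload collide with the original. The 1 Hz device rate, every threshold and the sample tracks are assumptions made up for the example.

```python
import hashlib
from math import asin, cos, radians, sin, sqrt
# Thresholds are constructed assumptions for this example, not any real service's values.
NATIVE_INTERVAL_S = 1.0      # sampling period of the recording device (assumed 1 Hz)
MAX_SPEED_MPS = 20.0         # ~72 km/h sustained on a ride is not credible
HARD_EFFORT_MPS = 9.0        # ~32 km/h average pace should come with an elevated heart rate
MIN_HR_AT_HARD_EFFORT = 130  # bpm

def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two points given in degrees."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371000.0 * asin(sqrt(h))

def check_activity(track):
    """track: list of (t_seconds, lat, lon, hr). Returns sorted finding labels ([] = plausible)."""
    findings, speeds = set(), []
    for (t0, la0, lo0, _), (t1, la1, lo1, _) in zip(track, track[1:]):
        dt = t1 - t0
        if dt <= 0:
            findings.add("non-monotonic-time")       # timestamps edited out of order
            continue
        if dt < 0.9 * NATIVE_INTERVAL_S:
            findings.add("compressed-timestamps")    # samples closer than the device can record
        speeds.append(haversine_m(la0, lo0, la1, lo1) / dt)
    if speeds:
        if max(speeds) > MAX_SPEED_MPS:
            findings.add("implausible-speed")
        mean_speed = sum(speeds) / len(speeds)
        mean_hr = sum(hr for _, _, _, hr in track) / len(track)
        if mean_speed > HARD_EFFORT_MPS and mean_hr < MIN_HR_AT_HARD_EFFORT:
            findings.add("effort-hr-mismatch")       # pace and physiology do not agree
    return sorted(findings)

def geometry_fingerprint(track):
    """Hash of the ordered ~100 m cells the path visits, ignoring time, HR and sampling rate."""
    cells = []
    for _, lat, lon, _ in track:
        cell = f"{lat:.3f},{lon:.3f}"
        if not cells or cells[-1] != cell:
            cells.append(cell)
    return hashlib.sha256(";".join(cells).encode()).hexdigest()

# Constructed sample data: a 60 s ride east along latitude 49.0 at ~7.3 m/s with a relaxed HR.
GENUINE = [(float(i), 49.0, 8.0 + i * 1e-4, 112) for i in range(60)]
# The "just compress the time" trick: same positions and HR, every timestamp divided by three.
COMPRESSED = [(t / 3, lat, lon, hr) for t, lat, lon, hr in GENUINE]
# Another athlete's ride borrowed, resampled to every second point, given fresh timestamps and HR.
RESAMPLED = [(float(i), lat, lon, 140) for i, (_, lat, lon, _) in enumerate(GENUINE[::2])]
```

The compressed copy trips all three plausibility checks while keeping the same fingerprint as the genuine ride, and the resampled copy passes the plausibility checks but still collides on the fingerprint, which is the signal a duplicate-upload check would key on.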

MOOC Trouble

• plagiarism

• cheating on tests

Fixing MOOC

• verified certificates

• webcam / human supervision

• keystroke analysis

• peer review

• hybrid courses

• charging money

• anti-plagiarism tools

Misc

• crypto currencies

• phishing

• SSL

• self driving cars ?

Summary

• trust no one ?

• more control ?

• make cheating technically more challenging

• change business model

• suggestions?

thanks

In a context of OWASP Top10

A2-Broken Authentication and Session Management

A3-Cross-Site Scripting (XSS)

A6-Sensitive Data Exposure

A8-Cross-Site Request Forgery (CSRF)

A10-Unvalidated Redirects and Forwards