Conference: Defcon 31
Authors: Cooper Quintin, Senior Staff Technologist, EFF

For the last 6 years my colleagues and I have been tracking the activities of the cyber-mercenaries we call Dark Caracal. In this time we have observed them make a number of hilarious mistakes which have allowed us to gain crucial insights into their activities and victims. In this talk we will discuss the story of Dark Caracal, the mistakes they have made, and how they have managed to remain effective despite quite possibly being the dumbest APT to ever exist.

Conference: Black Hat Asia 2023
Authors: Karel Dhondt, Victor Le Pochat

Fitness tracking social networks such as Strava allow users to record sports activities and share them publicly. Sharing encourages peer interaction but also constitutes a risk, because an activity's start or finish may inadvertently reveal privacy-sensitive locations such as a home or workplace. To mitigate this risk, networks introduced endpoint privacy zones (EPZs), which hide track portions around protected locations. We show that EPZ implementations of major services remain vulnerable to inference attacks that significantly reduce the effective anonymity provided by the EPZ, and even reveal the protected location. Our attack leverages distance information leaked in activity metadata, street grid data, and the locations of the entry points into the EPZ. This yields a constrained search space where we use regression analysis to predict protected locations. Our evaluation of 1.4 million Strava activities shows that our attack discovers the protected location for up to 85% of EPZs. Larger EPZs reduce the performance of our attack, while geographically dispersed activities in sparser street grids yield better performance. We propose six countermeasures that, however, come with a usability trade-off, and responsibly disclosed our findings and countermeasures to the major networks.

Authors: Nick Nikiforakis

tldr - powered by Generative AI

Browser extensions can be fingerprinted and tracked through web accessible resources and visible side effects.
  • Browser extensions can be easily fingerprinted through static extraction or behavioral fingerprinting.
  • Developers can stop static extraction by referencing images and CSS from websites or CDNs.
  • Behavioral fingerprinting is more difficult to get rid of because it requires extra UI buttons and ad blockers.
  • The middle way combines the best of both worlds by using CSS-based extension fingerprinting.
  • Web accessible resources can be used to unmask browser extensions.
  • Visible side effects of extensions can be used to fingerprint and track them.
  • A system can automatically compare a page with and without an extension to detect changes that could be used to fingerprint.