Bridging The Security Gap
Last week I attended the Hack In The Box Security Conference 2014 in Kuala Lumpur. Besides the fact that the conference ran smoothly, there was one talk that caught my eye. Paul S. Ziegler, founder of Reflare, gave a presentation about “Image Hoster Diving”.
What was interesting about his presentation was his statement about the fact that we, as security specialists, have managed to get a little security awareness in most people.
Most security awareness programs warn employees to be careful when disposing of information. So in most cases the traditional “dumpster diving” will not turn up potentially dangerous information (like passwords, credit card information etc.). The thing is that even if most companies have managed to suppress some specific behavior, it’s impossible to change human nature. Humans are terrible at gauging risk and love convenience.
Paul illustrated this by comparing it to speeding. It’s not uncommon for humans to speed by 10-20 km/h. This is really dangerous in case something happens, but the chance that an accident happens is really small. Because the chance is small, humans tend to neglect the risk they are taking.
How does this relate to old-school dumpster diving? The human mind thinks of a low chance as: “it’s not going to happen”. And this is partially true: if I throw my username and password in the trash, the chance that somebody finds my specific username/password combination is very low. In a dumpster, however, any username and password combination would do. Paul illustrates this in the following way: “We’re not looking for a needle in a haystack. We’re examining a haystack that someone mixed with a dump truck full of needles.”
Well, apparently humans also like to throw interesting information on the internet while neglecting the associated risks. That place on the internet is the so-called image hoster. Apparently humans still dump their passwords and sensitive information on the internet by sharing this information in images. The image hosters give a false sense of security: they generate a hard-to-remember URL. For humans NOT in security this seems relatively safe. However, the URLs are generated from a mix of 6 letters and/or digits, which makes it relatively easy to find and download random images.
In this case Paul managed to download a total of 600,000 images. Using OCR (tesseract) he was able to identify and retrieve interesting texts from the images. Using this technique he found username and password combinations, credit card information, PayPal accounts, subscriptions to all kinds of services, software keys and registrations and, to top it off, even passports.
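The same OCR-plus-pattern idea can be turned around by a defender: run it over images before they leave the organisation (a pre-upload hook, a mail gateway, a screenshot folder) and flag the ones that carry credential-like text. The following is an added example written for this post, not Paul's tool and not code from the talk. It assumes the `pytesseract` and `Pillow` packages as an optional wrapper around the tesseract OCR engine mentioned above; the text classification itself runs without them on constructed sample text embedded below. It also includes a small helper for the point about 6-character URLs: the number of bits of "secrecy" such an identifier provides, which is why a hard-to-remember URL is not a substitute for access control.

```python
"""Flag images (or already extracted text) that contain credential-like content.

Added example for the "image hoster diving" write-up. The OCR step is optional and
assumes pytesseract + Pillow (an assumption, not something the post states).
"""
import math
import re

try:
    import pytesseract          # assumed optional dependency wrapping the tesseract CLI
    from PIL import Image
except ImportError:             # classification still works on plain text without OCR
    pytesseract = None
    Image = None

# Rough patterns for the kinds of text the talk found in hosted images.
PATTERNS = {
    "username": re.compile(r"\b(?:user(?:name)?|login)\s*[:=]\s*\S+", re.I),
    "password": re.compile(r"\b(?:password|passwd|pwd|pass)\s*[:=]\s*\S+", re.I),
    "credit_card": re.compile(r"\b\d(?:[ -]?\d){12,18}\b"),
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "software_key": re.compile(r"\b(?:[A-Z0-9]{5}-){4}[A-Z0-9]{5}\b"),
}


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to drop random digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify_text(text: str) -> dict:
    """Return {category: [matches]} for every sensitive-looking fragment in text."""
    findings = {}
    for name, pattern in PATTERNS.items():
        hits = [m.group(0) for m in pattern.finditer(text)]
        if name == "credit_card":
            hits = [h for h in hits if luhn_ok(re.sub(r"\D", "", h))]
        if hits:
            findings[name] = hits
    return findings


def scan_image(path: str) -> dict:
    """OCR an image file with tesseract and classify the extracted text."""
    if pytesseract is None:
        raise RuntimeError("pytesseract/Pillow not installed; pass text to classify_text")
    text = pytesseract.image_to_string(Image.open(path))
    return classify_text(text)


def identifier_bits(length: int, alphabet_size: int) -> float:
    """Bits of entropy in a random identifier, e.g. a 6-character image URL slug."""
    return length * math.log2(alphabet_size)


# Constructed sample: what OCR might return for a photographed sticky note.
SAMPLE_TEXT = """\
Reminder for the new intern
login: jdoe
password: Summer2014!
corporate card 4111 1111 1111 1111 exp 09/16
"""

if __name__ == "__main__":
    for category, hits in classify_text(SAMPLE_TEXT).items():
        print(f"{category}: {hits}")
    print(f"6 chars, letters+digits: {identifier_bits(6, 62):.1f} bits")
```

The classifier is deliberately coarse: it is meant to raise a flag for a human to look at, so a few false positives on phone numbers or serials are acceptable, while the Luhn check keeps the card-number category from firing on every long digit string. For comparison, the 6-character slug comes out at roughly 36 bits, far short of the 128-bit random tokens one would expect from a link that is supposed to act as a secret.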
Crazy isn’t it?