Playing with Mastodon for fun and profit
Dr. Alfonso Muñoz - @mindcrypt
Miguel Hernández - @MiguelHzBz
Dr. Alfonso Muñoz
Senior Cybersecurity Expert & Research Lead
alfonso@criptored.com - Twitter: @mindcrypt
https://es.linkedin.com/in/alfonso-muñoz-phd-1984141b
http://alfonsocv.com
Whoami
PhD in Telecommunications (UPM) & Postdoc (UC3M)
Books (3), scientific and technical articles (60+), speaker (60+), security tools, awards…
Companies: UPM, UC3M, Telefónica, IOActive, BBVA-i4s…
Professional certifications: CEH, CHFI, CISA, CES, OSCP, CCSK
Some conferences: STIC CCN-CERT, DeepSec, HackInTheBox, Virus Bulletin, RootedCon, 8.8, No cON Name, GSICKMinds, Cybercamp, Secadmin, JNIC, Ciberseg…
Co-editor @criptored (Red Temática de Criptografía y Seguridad de la Información), 16+ years running
Background: Researcher (academia) | Industry | Underground
Lecturer (Master's in Security): UEM, UNIR, UC3M, UPM, UJAEN …
Technical profile: Defensive/offensive security (pentesting), information protection (cryptography/steganography, secure communications) and Data Science (machine learning and NLP)
Miguel Hernández Boza
Security Researcher
miguelhernandez2907@gmail.com - Twitter: @miguelhzbz
https://www.linkedin.com/in/miguel-hern%C3%A1ndez-boza-8967bb86
Telecommunications Engineer from the University of Zaragoza (UNIZAR) and Master's in Cybersecurity from Universidad Carlos III de Madrid (UC3M).
Information security analyst. Fan of CTFs, programming and AI.
He has spent the last years of his professional career at Spanish multinationals such as Telefónica and BBVA (i4s), researching and developing new procedures for fraud detection, threat intelligence and defensive security.
He currently works in the banking sector applying Natural Language Processing, Deep Learning and graph database technologies. He has received several awards for his work in these disciplines: runner-up and finalist in the III / IV ISACA Young Professionals Contest, winner of the Sinfonier Contest 2015 (Telefónica), and publication in SIC magazine.
Conferences: RootedCon, Mariapitadefcon, JNIC, Secrypt...
Whoami
Def: Social media is the collective of online communications channels dedicated to community-based input, interaction, content-sharing and collaboration.
CENSORSHIP
● Iran
● Libya
● China
● Tunisia
● Turkey
● Turkmenistan
● United Arab Emirates
● Pakistan
● Malaysia
● Syria
● Uzbekistan
● Bangladesh
● Vietnam
Social Network “and/or” Business?
http://www.elconfidencial.com/tecnologia/2016-11-02/facebook-data-valuation-tool-ingresos-publicidad_1282290/
Why?
Joshua: A strange game. The only winning move is not to play.
https://www.osi.es/es/guia-de-privacidad-y-seguridad-en-internet
Agenda
• Definition: Microblogging social network
• Mastodon network
• Conclusions & Countermeasures
• Mastodon instances (Public & Private)
• Toots (Feed Local vs Feed Federated) & API
• Security Issues
• Spy network (users, toots, text-mining, relations & following “friends”)
• Massive user creation (transversal user – N Instances) & Impersonation
• Massive phishing & covert channels
• Massive User creation (in each instance) – SPAM/DoS
Microblogging
● Less time spent developing content
● Less time spent consuming individual pieces of content
● The opportunity for more frequent posts
● An easier way to share urgent or time-sensitive information
Mastodon is a free, open-source social network server. A decentralized solution to commercial
platforms, it avoids the risks of a single company monopolizing your communication. Anyone
can run Mastodon and participate in the social network seamlessly.
Created by Eugen Rochko in 2016
https://www.genbeta.com/a-fondo/como-mastodon-el-ultimo-clon-de-twitter-ha-triunfado-en-japon-gracias-al-lolicon
https://github.com/tootsuite/mastodon
Features
• Fully interoperable with GNU social and any
OStatus platform
• Real-time timeline updates
• Media attachments like images and WebM
• OAuth2 and a straightforward REST API
• Background processing for long-running tasks
• Deployable via Docker
Activity Streams is an open format specification for activity stream protocols. Implementors of the Activity Streams draft include →
WebFinger is a protocol specified by the Internet
Engineering Task Force IETF that allows for discovery
of information about people and things identified by a
URI.
WebSub (formerly PubSubHubbub) is an open
protocol for distributed publish/subscribe
communication on the Internet.
Salmon protocol aims to define a standard protocol for comments
and annotations to swim upstream to original update sources -- and
spawn more commentary in a virtuous cycle. It's open,
decentralized, abuse resistant, and user centric.
Technologies
https://instances.social/list/advanced#lang=&allowed=&prohibited=&users=
1. Mastodon Instances
Instances https://dashboards.mnm.social/dashboard/db/network-drilldown
https://github.com/tootsuite/documentation/blob/master/Running-Mastodon/Docker-Guide.md
Administration panel
Public instances 1425
https://joinmastodon.org/#getting-started
https://instances.social/list
Censorship instances
“Private” Instances > 1200
Source: Viatcheslav Zhilin
2. Toots
Inside instance
https://github.com/tootsuite/documentation/blob/master/Using-the-API/API.md
Security Issues
1. Spy network: Crawling Users…
Security issues:
- You can list all users and followers/following
- Predictable URL (bruteforce Sequential ID)
- “Infinite” queries…
Limitation: 1 user/request
E.g. mastodon.social (80K users):
80,000 requests → 1 per second
80,000/3600 → 22 h (with a single client)
1. Spy network: Crawling Toots…
Security issues:
- You can request toots from the “beginning”…
- Predictable URL (bruteforce Sequential ID)
- “Infinite” queries…
Limitation: max 40 toots/request
E.g. mastodon.social (80K users):
14,355,810 toots (day 2/08)
358,896 requests → 1 per second
358,896/3600 → 100 h
…
10 clients in parallel → 10 h
(10 h to pull the whole instance's activity)
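As an added example (not code from the talk), the enumeration pattern the two crawling slides describe, seen from the instance operator's side: a detector that flags clients walking sequential account or status IDs in constructed nginx-style access logs, plus the crawl-time arithmetic the slides use (80K users at one request per second, 14.3M toots at 40 per request). The log format, the IP addresses and the thresholds are assumptions for the example.

```python
"""Detect sequential-ID enumeration against a Mastodon-style REST API.

The access-log sample below is constructed for this example (not real
traffic); IPs, IDs and timestamps are made up.
"""
import math
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Optional, Tuple

SAMPLE_LOG = """\
203.0.113.7 - - [02/Aug/2017:10:00:00 +0000] "GET /api/v1/accounts/1001 HTTP/1.1" 200 512
203.0.113.7 - - [02/Aug/2017:10:00:01 +0000] "GET /api/v1/accounts/1002 HTTP/1.1" 200 498
203.0.113.7 - - [02/Aug/2017:10:00:02 +0000] "GET /api/v1/accounts/1003 HTTP/1.1" 404 71
203.0.113.7 - - [02/Aug/2017:10:00:03 +0000] "GET /api/v1/accounts/1004 HTTP/1.1" 200 530
203.0.113.7 - - [02/Aug/2017:10:00:04 +0000] "GET /api/v1/accounts/1005 HTTP/1.1" 200 505
203.0.113.7 - - [02/Aug/2017:10:00:05 +0000] "GET /api/v1/accounts/1006 HTTP/1.1" 200 511
203.0.113.7 - - [02/Aug/2017:10:00:06 +0000] "GET /api/v1/accounts/1007 HTTP/1.1" 200 499
203.0.113.7 - - [02/Aug/2017:10:00:07 +0000] "GET /api/v1/accounts/1008 HTTP/1.1" 200 520
198.51.100.5 - - [02/Aug/2017:10:00:01 +0000] "GET /api/v1/timelines/home HTTP/1.1" 200 9120
198.51.100.5 - - [02/Aug/2017:10:00:09 +0000] "GET /api/v1/accounts/42 HTTP/1.1" 200 515
198.51.100.5 - - [02/Aug/2017:10:00:31 +0000] "GET /api/v1/statuses/77120 HTTP/1.1" 200 1450
198.51.100.5 - - [02/Aug/2017:10:01:02 +0000] "GET /api/v1/accounts/1999 HTTP/1.1" 200 508
"""

# nginx/Apache combined-log prefix: client, identity, user, [timestamp], "request", status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# Endpoints addressed by a sequential integer ID (accounts and statuses/toots).
ID_PATH_RE = re.compile(r"^/api/v1/(accounts|statuses)/(\d+)$")


def parse_line(line: str) -> Optional[Tuple[str, datetime, str, int]]:
    """Return (ip, timestamp, resource, id) for an ID-addressed API hit, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    p = ID_PATH_RE.match(m.group("path"))
    if not p:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, p.group(1), int(p.group(2))


def detect_enumeration(lines, min_requests=5, min_sequential_fraction=0.8, max_step=3):
    """Flag clients whose ID-addressed requests to one resource walk the ID space.

    A step counts as sequential when the next requested ID is 1..max_step above
    the previous one; the small tolerance absorbs deleted or suspended IDs that
    a crawler skips over (the 404 in the sample).
    """
    hits: Dict[Tuple[str, str], List[Tuple[datetime, int]]] = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            ip, ts, resource, obj_id = parsed
            hits[(ip, resource)].append((ts, obj_id))

    findings = []
    for (ip, resource), events in hits.items():
        if len(events) < min_requests:
            continue
        events.sort()  # chronological order
        ids = [obj_id for _, obj_id in events]
        seq_steps = sum(1 for a, b in zip(ids, ids[1:]) if 1 <= b - a <= max_step)
        fraction = seq_steps / (len(ids) - 1)
        if fraction < min_sequential_fraction:
            continue
        span = (events[-1][0] - events[0][0]).total_seconds()
        findings.append({
            "ip": ip,
            "resource": resource,
            "requests": len(ids),
            "sequential_fraction": round(fraction, 2),
            "rate_per_sec": round(len(ids) / span, 2) if span > 0 else float("inf"),
            "id_range": (ids[0], ids[-1]),
        })
    return findings


def estimate_crawl_hours(total_items, items_per_request, requests_per_sec=1.0, clients=1):
    """Hours needed to walk `total_items` objects at the given per-client request rate."""
    requests = math.ceil(total_items / items_per_request)
    return requests / (requests_per_sec * clients) / 3600


if __name__ == "__main__":
    for finding in detect_enumeration(SAMPLE_LOG.splitlines()):
        print(finding)
    print(round(estimate_crawl_hours(80_000, 1), 1), "h to list 80K users with one client")
    print(round(estimate_crawl_hours(14_355_810, 40, clients=10), 1), "h for all toots, 10 clients")
```

The same per-client counters feed the API restriction the conclusions slide asks for: once a client trips the sequential-fraction threshold, throttle or challenge it rather than serving the next ID.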
1. Spy network: Text mining…
Keywords: "nazi", "hitler", "whitepower", "hacker"
Instances: 2 (mastodon.social, cybre.space)
Users under suspicion: 282,093
Users detected: 1,891
Analysed Toots: 967,820
Toots with keywords: 3,417
1. Spy network: Studying relations
Translation:
This site is for Chinese users only.
Do not discuss violations of Chinese law in Hong Kong on this node.
Do not discuss politics, pornography, violence, terrorism, ethnic hatred or other matters covered by the laws that restrict freedom of expression.
No advertising or spam on this node.
1. Spy network: Following “new friends”
Anything wrong?
1. Spy network: Following “new friends”
2. Creation user (Transversal user)
2. Creation user (Transversal user)
STEP 1
authenticity_token authenticity_token+FORM
STEP 2
https://mastodon.social/auth
POST /auth HTTP/1.1
Host: mastodon.social
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 324
Referer: https://mastodon.social/auth
Connection: keep-alive
Upgrade-Insecure-Requests: 1
utf8=%E2%9C%93&authenticity_token=c7FPNGz1h68xFRQBQ9c0rqlixJbCijqt2mpmzUwdRpqK5yBSq23Rd6OK43
ssDM81gTXGkrTwOYVXFeIOGgHhag%3D%3D&user%5Baccount_attributes%5D%5Busername%5D=mindcrypt1
981&user%5Bemail%5D=alfonso.munoz%40pepito.com&user%5Bpassword%5D=pepino&user%5Bpassword_conf
irmation%5D=pepino&button=: undefined
2. Creation user (Transversal user)
STEP 3
STEP 4
STEP 5
1. GET HTTP/S
2. TAKE ACCESS_TOKEN
3. SEND ACCESS_TOKEN + FORM
4. RECEIVE CONFIRM EMAIL
5. SEND GET TO THE URL INSIDE MAIL
2. Creation user: Summary
2. Creation user (Transversal User)
* Only 1 email account -> 700 accounts ☺
3. Impersonation
4. Mass phishing
Instance A
Instance B
Instance C
URL phishing
Crawling browser ☺
Sending 1 single message per instance -> 4781 requests
5. Covert channels in Mastodon
- Toots: 500 characters → linguistic/textual steganography
- Images, audio and video: The default limit is 8 megabytes.
- Multiple instances & thousands of users: Matrix Embedding, Distribution, …
- MLS (Multi-Level Steganography)…
- Typical tools: http://www.jjtc.com/Steganography/tools.html
- Example: Stegodolphy ☺
5. Covert channel in Mastodon… so funny
5. Covert channel in Mastodon
Easy covert channel for RootedValencia ☺
Dolphin alphabet: e, E
Toot (max): 500 characters
Hidden capacity:
VR(2,500) = 2^500 → log2(2^500) = 500 bits per toot
Examples:
Custom alphabet (64 chars: 6 bits/char) → 1 toot carries 83 chars (URL, GPS coords, C&C, IPs, telephone number, short message, password…)
6. Creating multi-users per instance - DoS/SPAM
1. GENERATE NEW EMAIL ACCOUNT
2. GET HTTP
3. TAKE ACCESS_TOKEN
4. SEND ACCESS_TOKEN + FORM WITH THIS NEW EMAIL
5. RECEIVE CONFIRM EMAIL
6. SEND GET TO THE URL INSIDE MAIL
* Mastodon doesn’t support removing accounts ☺
6. Demo: Mastodon DoS
7. Countermeasures & Conclusions
- We love mastodon ☺
- Security techniques are needed to protect the infrastructure and prevent abuse through automation (API restrictions / CAPTCHA).
- The future is non-commercial social media.
- Security is also a problem with open-source alternatives,
not only with big companies.
- “OSINT friends”.
Rooted2020 todo a-siem_-_marta_lopez
Rooted2020 todo a-siem_-_marta_lopezRooted2020 todo a-siem_-_marta_lopez
Rooted2020 todo a-siem_-_marta_lopez
 
Rooted2020 roapt evil-mass_storage_-_tu-ya_aqui_-_david_reguera_-_abel_valero
Rooted2020 roapt evil-mass_storage_-_tu-ya_aqui_-_david_reguera_-_abel_valeroRooted2020 roapt evil-mass_storage_-_tu-ya_aqui_-_david_reguera_-_abel_valero
Rooted2020 roapt evil-mass_storage_-_tu-ya_aqui_-_david_reguera_-_abel_valero
 
Rooted2020 live coding--_jesus_jara
Rooted2020 live coding--_jesus_jaraRooted2020 live coding--_jesus_jara
Rooted2020 live coding--_jesus_jara
 
Rooted2020 legalidad de-la_prueba_tecnologica_indiciaria_cuando_tu_papi_es_un...
Rooted2020 legalidad de-la_prueba_tecnologica_indiciaria_cuando_tu_papi_es_un...Rooted2020 legalidad de-la_prueba_tecnologica_indiciaria_cuando_tu_papi_es_un...
Rooted2020 legalidad de-la_prueba_tecnologica_indiciaria_cuando_tu_papi_es_un...
 
Rooted2020 hackeando el-mundo_exterior_a_traves_de_bluetooth_low-energy_ble_-...
Rooted2020 hackeando el-mundo_exterior_a_traves_de_bluetooth_low-energy_ble_-...Rooted2020 hackeando el-mundo_exterior_a_traves_de_bluetooth_low-energy_ble_-...
Rooted2020 hackeando el-mundo_exterior_a_traves_de_bluetooth_low-energy_ble_-...
 
Rooted2020 evading deep-learning_malware_detectors_-_javier_yuste
Rooted2020 evading deep-learning_malware_detectors_-_javier_yusteRooted2020 evading deep-learning_malware_detectors_-_javier_yuste
Rooted2020 evading deep-learning_malware_detectors_-_javier_yuste
 
Rooted2020 encontrando 0days-en_2020_-_antonio_morales
Rooted2020 encontrando 0days-en_2020_-_antonio_moralesRooted2020 encontrando 0days-en_2020_-_antonio_morales
Rooted2020 encontrando 0days-en_2020_-_antonio_morales
 

Recently uploaded

Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoffsammart93
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Neo4j
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsJoaquim Jorge
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUK Journal
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
HTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesHTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesBoston Institute of Analytics
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobeapidays
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Enterprise Knowledge
 
Tech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdfTech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdfhans926745
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?Antenna Manufacturer Coco
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAndrey Devyatkin
 

Recently uploaded (20)

Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
HTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesHTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation Strategies
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
Tech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdfTech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdf
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 

Alfonso Muñoz y Miguel Hernandez - Playing with mastodon for fun and profit [rootedvlc4]

  • 1. Playing with Mastodon for fun and profit Dr. Alfonso Muñoz - @mindcrypt Miguel Hernández - @MiguelHzBz
  • 3. Whoami: Dr. Alfonso Muñoz, Senior Cybersecurity Expert & Research Lead. alfonso@criptored.com - Twitter: @mindcrypt. https://es.linkedin.com/in/alfonso-muñoz-phd-1984141b http://alfonsocv.com PhD in Telecommunications (UPM) & Postdoc (UC3M). Books (3), scientific and technical articles (+60), speaker (+60), security tools, awards… Companies: UPM, UC3M, Telefónica, IOActive, BBVA-i4s… Professional certifications: CEH, CHFI, CISA, CES, OSCP, CCSK. Some conferences: STIC CCN-CERT, DeepSec, HackInTheBox, Virus Bulletin, RootedCon, 8.8, No cON Name, GSICKMinds, Cybercamp, Secadmin, JNIC, Ciberseg… Co-editor @criptored (Red Temática de Criptografía y Seguridad de la Información), running for more than 16 years. Background: researcher (academia) | industry | underground. Lecturer (master's programmes in security): UEM, UNIR, UC3M, UPM, UJAEN… Technical profile: defensive/offensive security (pentesting), information protection (cryptography/steganography, secure communications) and data science (machine learning and NLP).
  • 4. Whoami: Miguel Hernández Boza, Security Researcher. miguelhernandez2907@gmail.com - Twitter: @miguelhzbz. https://www.linkedin.com/in/miguel-hern%C3%A1ndez-boza-8967bb86 Telecommunications engineer from the University of Zaragoza (UNIZAR) and Master's in Cybersecurity from Universidad Carlos III de Madrid (UC3M). IT security analyst. Fan of CTFs, programming and AI. He has spent the last years of his professional career at Spanish multinationals such as Telefónica and BBVA (i4s), researching and developing new procedures for fraud detection, threat intelligence and defensive security. He currently works in the banking sector applying Natural Language Processing, Deep Learning and graph databases. His work in these fields has received several awards: runner-up and finalist in the III / IV ISACA Young Professionals Contest, winner of the Sinfonier Contest 2015 (Telefónica) and a publication in SIC magazine. Conferences: RootedCon, Mariapitadefcon, JNIC, Secrypt...
  • 5. Def: Social media is the collective of online communications channels dedicated to community-based input, interaction, content-sharing and collaboration.
  • 6. CENSORSHIP ● Iran ● Libya ● China ● Tunisia ● Turkey ● Turkmenistan ● United Arab Emirates ● Pakistan ● Malaysia ● Syria ● Uzbekistan ● Bangladesh ● Vietnam
  • 8. Social Network “and/or” Business? http://www.elconfidencial.com/tecnologia/2016-11-02/facebook-data-valuation-tool-ingresos-publicidad_1282290/
  • 9. Why? Joshua: A strange game. The only winning move is not to play. https://www.osi.es/es/guia-de-privacidad-y-seguridad-en-internet
  • 10. Agenda • Definition: Microblogging social network • Mastodon network • Conclusions & Countermeasures • Mastodon instances (Public & Private) • Toots (Feed Local vs Feed Federated) & API • Security Issues • Spy network (users, toots, text-mining, relations & following “friends”) • Massive user creation (transversal user – N Instances) & Impersonation • Massive phishing & covert channels • Massive User creation (in each instance) – SPAM/DoS
  • 11. Microblogging ● Less time spent developing content ● Less time spent consuming individual pieces of content ● The opportunity for more frequent posts ● An easier way to share urgent or time-sensitive information
  • 12. Mastodon is a free, open-source social network server. A decentralized solution to commercial platforms, it avoids the risks of a single company monopolizing your communication. Anyone can run Mastodon and participate in the social network seamlessly. Created by Eugen Rochko in 2016
  • 14. https://github.com/tootsuite/mastodon Features • Fully interoperable with GNU social and any OStatus platform • Real-time timeline updates • Media attachments like images and WebM • OAuth2 and a straightforward REST API • Background processing for long-running tasks • Deployable via Docker. Technologies: Activity Streams is an open format specification for activity stream protocols. Implementors of the Activity Streams draft include → WebFinger is a protocol specified by the Internet Engineering Task Force (IETF) that allows for discovery of information about people and things identified by a URI. WebSub (formerly PubSubHubbub) is an open protocol for distributed publish/subscribe communication on the Internet. The Salmon protocol aims to define a standard protocol for comments and annotations to swim upstream to original update sources -- and spawn more commentary in a virtuous cycle. It's open, decentralized, abuse resistant, and user centric.
  • 34. 1. Spy network: Crawling users… Security issues: - You can list all users and followers/following - Predictable URL (brute-force of sequential IDs) - “Infinite” queries… Limitation: 1 user/request. E.g. mastodon.social (80K users): 80,000 requests at 1 request/s → 80,000/3600 ≈ 22 h (with a single client)
  • 35. 1. Spy network: Crawling toots… Security issues: - You can request toots from the “beginning”… - Predictable URL (brute-force of sequential IDs) - “Infinite” queries… Limitation: max 40 toots/request. E.g. mastodon.social (80K users): 14,355,810 toots (as of 2/08) → 358,896 requests at 1 request/s → 358,896/3600 ≈ 100 h … with 10 clients in parallel ≈ 10 h (10 h to collect the whole instance's activity)
  • 37. 1. Spy network: Text mining… Keywords: "nazi", "hitler", "whitepower", "hacker". Instances: 2 (mastodon.social, cybre.space). Users under suspicion: 282,093. Users detected: 1,891. Analysed toots: 967,820. Toots with keywords: 3,417
  • 38. 1. Spy network: Studying relations. Translation (of the instance rules shown): This site is only for Chinese users to join. Do not discuss violations of Chinese law in Hong Kong on this node. Do not discuss politics, pornography, violence, terrorism, ethnic hatred or other matters covered by laws that restrict free speech. No advertising or spam on this node.
  • 39. 1. Spy network: Following “new friends” Anything wrong?
  • 40. 1. Spy network: Following “new friends”
  • 41. 2. User creation (transversal user)
  • 42. 2. User creation (transversal user). STEP 1: obtain the authenticity_token. STEP 2: submit authenticity_token + FORM to https://mastodon.social/auth
    POST /auth HTTP/1.1
    Host: mastodon.social
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
    Accept-Encoding: gzip, deflate, br
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 324
    Referer: https://mastodon.social/auth
    Connection: keep-alive
    Upgrade-Insecure-Requests: 1

    utf8=%E2%9C%93&authenticity_token=c7FPNGz1h68xFRQBQ9c0rqlixJbCijqt2mpmzUwdRpqK5yBSq23Rd6OK43ssDM81gTXGkrTwOYVXFeIOGgHhag%3D%3D&user%5Baccount_attributes%5D%5Busername%5D=mindcrypt1981&user%5Bemail%5D=alfonso.munoz%40pepito.com&user%5Bpassword%5D=pepino&user%5Bpassword_confirmation%5D=pepino&button=
  • 43. 2. User creation (transversal user): STEP 3, STEP 4, STEP 5
  • 44. 2. User creation: Summary. 1. GET HTTP/S 2. TAKE ACCESS_TOKEN 3. SEND ACCESS_TOKEN + FORM 4. RECEIVE CONFIRM EMAIL 5. SEND GET TO THE URL INSIDE MAIL (diagram: GET (1&2) → access_token, POST (3), email (4), GET (5))
  • 45. 2. Creation user (Transversal User) * Only 1 email account -> 700 accounts ☺
  • 50. 4. Mass phishing: Instance A, Instance B, Instance C (diagram: phishing URL, crawling browser ☺). Sending 1 single message per instance -> 4781 requests
  • 51. 5. Covert channels in Mastodon - Toots: 500 characters → linguistic/textual steganography - Images, audio and video: the default limit is 8 megabytes. - Multiple instances & thousands of users: matrix embedding, distribution, … - MLS (Multi-Level Steganography)… - Typical tools: http://www.jjtc.com/Steganography/tools.html - Example: Stegodolphy ☺
  • 52. 5. Covert channel in Mastodon… so funny ELECE Beb
  • 53. 5. Covert channel in Mastodon. Easy covert channel for RootedValencia ☺ Dolphin alphabet: e, E. Toot (max): 500 characters. Hidden capacity: VR(2,500) = 2^500 → log2(2^500) = 500 bits per toot. Examples: custom alphabet (64 chars: 6 bits/char) → 1 toot ≈ 83 chars (URL, GPS coords, C&C, IPs, telephone number, short message, password…)
  • 54. 6. Creating multiple users per instance - DoS/SPAM. STEP 0 / 1. GENERATE NEW EMAIL ACCOUNT 2. GET HTTP 3. TAKE ACCESS_TOKEN 4. SEND ACCESS_TOKEN + FORM WITH THIS NEW EMAIL 5. RECEIVE CONFIRM EMAIL 6. SEND GET TO THE URL INSIDE MAIL * Mastodon doesn’t support removing accounts ☺
  • 56. 7. Countermeasures & Conclusions - We love mastodon ☺ - Security techniques are needed to protect the infrastructure and avoid the abuse of automatization (API restriction / Captcha). - The future is non-commercial social media. - Security is also a problem with open-source alternatives, not only with big companies. - “OSINT friends”.
  • 57. Playing with Mastodon for fun and profit Dr. Alfonso Muñoz - @mindcrypt Miguel Hernández - @MiguelHzBz
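Slides 34 and 35 estimate how long an unthrottled client needs to enumerate an instance through predictable sequential IDs. The following is an added example, not code from the talk: it reproduces that crawl arithmetic and then shows the instance-side check an operator would run over the access log, flagging clients that walk account IDs in order. The log format is a constructed, simplified one (client IP, method, path); the `/api/v1/accounts/:id` path is Mastodon's real account endpoint, and the thresholds are assumptions.

```python
import math
import re
from collections import defaultdict

# --- Crawl-cost estimate using the figures from the slides ------------------
def crawl_hours(items, items_per_request, requests_per_second=1.0, clients=1):
    """Hours needed to enumerate `items` objects at the given throughput.
    80K users at 1 user/request and 1 req/s -> ~22 h; 14,355,810 toots at
    40 toots/request -> 358,896 requests -> ~100 h, or ~10 h with 10 clients."""
    requests = math.ceil(items / items_per_request)
    return requests / requests_per_second / 3600 / clients

# --- Sequential-ID enumeration detector over access-log lines ---------------
# Constructed sample log (not real mastodon.social traffic), simplified to
# "client_ip method path" per line. Assumption: this is the format you feed in.
SAMPLE_LOG = """\
203.0.113.5 GET /api/v1/accounts/1001
203.0.113.5 GET /api/v1/accounts/1002
203.0.113.5 GET /api/v1/accounts/1003
203.0.113.5 GET /api/v1/accounts/1004
203.0.113.5 GET /api/v1/accounts/1005
203.0.113.5 GET /api/v1/accounts/1006
198.51.100.7 GET /api/v1/accounts/42
198.51.100.7 GET /api/v1/timelines/home
198.51.100.7 GET /api/v1/accounts/9001
"""

ID_PATH = re.compile(r"^/api/v1/accounts/(\d+)$")

def sequential_id_clients(log_text, min_run=5):
    """Return {client_ip: longest run of consecutive account IDs} for every
    client whose longest run reaches `min_run`. A long strictly consecutive
    run is the signature of walking predictable sequential identifiers;
    ordinary clients look up scattered IDs."""
    ids_by_client = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue                      # skip malformed lines
        ip, _method, path = parts
        m = ID_PATH.match(path)
        if m:
            ids_by_client[ip].append(int(m.group(1)))
    flagged = {}
    for ip, ids in ids_by_client.items():
        longest = run = 1
        for prev, cur in zip(ids, ids[1:]):
            run = run + 1 if cur == prev + 1 else 1
            longest = max(longest, run)
        if longest >= min_run:
            flagged[ip] = longest
    return flagged

if __name__ == "__main__":
    print(f"users: {crawl_hours(80_000, 1):.1f} h, toots: "
          f"{crawl_hours(14_355_810, 40):.1f} h, "
          f"10 clients: {crawl_hours(14_355_810, 40, clients=10):.1f} h")
    print(sequential_id_clients(SAMPLE_LOG))
```

The detector only needs the path and the client address, so it works just as well on reverse-proxy logs as on Rails logs; pair it with the per-client API rate limits the conclusions slide asks for, since a run of five consecutive IDs is cheap to spot but an attacker who randomises order is only caught by volume.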
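Slide 50 describes one phishing link delivered once per instance from many accounts. From an instance operator's side the tell is the fan-out: the same URL appearing from several distinct accounts within minutes on the local or federated timeline. This added example (not part of the talk) implements that check over a constructed set of toots; the account@instance naming, the `.example` domains and the window and threshold values are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

URL_RE = re.compile(r"https?://[^\s<>\"']+")

def parse_ts(s):
    """Mastodon serialises created_at as ISO-8601 UTC, e.g. 2017-09-15T10:00:00Z."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

# Constructed sample toots (no real fediverse data). Four throwaway accounts on
# four instances push one link within minutes; two real users share a blog post.
SAMPLE_TOOTS = [
    {"account": "alice@instance-a.example", "created_at": "2017-09-15T10:00:00Z",
     "content": "new blog post https://blog.example/post/1"},
    {"account": "bot1@instance-a.example", "created_at": "2017-09-15T10:01:00Z",
     "content": "verify your account now http://totally-legit.example/login"},
    {"account": "bot2@instance-b.example", "created_at": "2017-09-15T10:02:00Z",
     "content": "security notice: http://totally-legit.example/login"},
    {"account": "bot3@instance-c.example", "created_at": "2017-09-15T10:03:00Z",
     "content": "http://totally-legit.example/login please confirm"},
    {"account": "bot4@instance-d.example", "created_at": "2017-09-15T10:04:00Z",
     "content": "action required http://totally-legit.example/login"},
    {"account": "bob@instance-b.example", "created_at": "2017-09-15T11:30:00Z",
     "content": "nice read: https://blog.example/post/1"},
]

def shared_url_fanout(toots, window_minutes=10, min_accounts=3):
    """Return {url: n} for every URL that `n >= min_accounts` distinct accounts
    posted inside some `window_minutes` window. Legitimate sharing of one link
    is spread over hours and days; a mass campaign lands in minutes."""
    window = timedelta(minutes=window_minutes)
    posts = defaultdict(list)                      # url -> [(timestamp, account)]
    for t in toots:
        ts = parse_ts(t["created_at"])
        for url in set(URL_RE.findall(t["content"])):
            posts[url].append((ts, t["account"]))
    flagged = {}
    for url, events in posts.items():
        events.sort()
        best = 0
        for i, (start, _) in enumerate(events):   # slide the window over sorted posts
            accounts = {acct for ts, acct in events[i:] if ts - start <= window}
            best = max(best, len(accounts))
        if best >= min_accounts:
            flagged[url] = best
    return flagged

if __name__ == "__main__":
    print(shared_url_fanout(SAMPLE_TOOTS))
```

The grouping key is the full URL; in production you would also normalise tracking parameters and resolve shorteners, otherwise one campaign with per-account links looks like many unrelated posts.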
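Slide 53 computes the capacity of a two-symbol ("dolphin alphabet" e/E) carrier: 500 characters give log2(2^500) = 500 bits, i.e. about 83 characters of a 64-symbol payload alphabet. This added example, not from the talk, carries that calculation through for an arbitrary carrier and payload alphabet and adds the moderation-side heuristic that such a carrier leaves behind: a long toot written with only one or two distinct letters. The sample toots and the thresholds are constructed assumptions.

```python
import math
from collections import Counter

TOOT_MAX_CHARS = 500  # Mastodon's default toot length, as on the slide

def hidden_capacity_bits(alphabet_size, length=TOOT_MAX_CHARS):
    """Bits a carrier of `length` symbols drawn from `alphabet_size` symbols can
    hold: log2(alphabet_size ** length) = length * log2(alphabet_size).
    Dolphin alphabet {e, E} over 500 characters -> 500 bits."""
    return length * math.log2(alphabet_size)

def payload_chars_per_toot(bits_per_char, length=TOOT_MAX_CHARS, carrier_alphabet=2):
    """Characters of a custom payload alphabet that fit in one toot:
    500 bits / 6 bits per char (64-symbol alphabet) -> 83."""
    return int(hidden_capacity_bits(carrier_alphabet, length) // bits_per_char)

def alphabet_profile(text):
    """(letters, distinct letters, Shannon entropy in bits per letter) of `text`,
    counting only alphabetic characters so emoji and punctuation don't mask it."""
    letters = [c for c in text if c.isalpha()]
    if not letters:
        return 0, 0, 0.0
    n = len(letters)
    counts = Counter(letters)
    entropy = -sum(k / n * math.log2(k / n) for k in counts.values())
    return n, len(counts), entropy

def suspicious_carrier_indices(toots, min_letters=30, max_distinct=2):
    """Indices of toots long enough to carry a payload yet written with at most
    `max_distinct` distinct letters (assumption: a tiny-alphabet carrier)."""
    hits = []
    for i, text in enumerate(toots):
        n, distinct, _entropy = alphabet_profile(text)
        if n >= min_letters and distinct <= max_distinct:
            hits.append(i)
    return hits

# Constructed sample toots: a normal post, a 2-symbol carrier string, a short post.
SAMPLE_TOOTS = [
    "Hello from mastodon, looking at the federated timeline today",
    "eEeeEEeEeeEEEeeEeEeeEeEEeeEeeEEEeeeEeEEeE",
    "ok!!",
]

if __name__ == "__main__":
    print(hidden_capacity_bits(2), "bits per toot")
    print(payload_chars_per_toot(6), "payload chars per toot")
    print(suspicious_carrier_indices(SAMPLE_TOOTS))
```

The heuristic is deliberately narrow: it catches the textbook two-symbol carrier and nothing else. Linguistic steganography that hides bits in word choice keeps a normal alphabet and entropy, which is exactly why the slide lists it first; for that class only behavioural signals (posting cadence, account age, who reads the toots) help.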
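Slides 41 to 45 and 54 show that the registration flow can be driven without human interaction, one mailbox serving hundreds of accounts across instances or a fresh mailbox per account on one instance, and the conclusions slide names API restriction and a captcha as the fix. This added example (not code from the talk or from the Mastodon project) shows the cheapest server-side complement: a sliding-window limit on signups per client address plus mailbox normalisation, so that plus-tag and dot aliases of one address do not count as new users. The sample signup stream, the limits and the list of dot-insensitive providers are assumptions.

```python
from collections import defaultdict, deque

# Providers that ignore dots in the local part (assumption: extend per deployment).
DOT_INSENSITIVE_DOMAINS = {"gmail.com", "googlemail.com"}

def normalize_email(addr):
    """Map aliases of one mailbox to a canonical key: lower-case, drop the
    '+tag' sub-address, and drop dots for providers that ignore them."""
    local, _, domain = addr.strip().lower().rpartition("@")
    local = local.split("+", 1)[0]
    if domain in DOT_INSENSITIVE_DOMAINS:
        local = local.replace(".", "")
    return f"{local}@{domain}"

class SignupGuard:
    """Sliding-window signup limiter: at most `max_per_ip` accepted signups per
    client address per `window_seconds`, and one account per mailbox."""

    def __init__(self, max_per_ip=3, window_seconds=3600):
        self.max_per_ip = max_per_ip
        self.window = window_seconds
        self.by_ip = defaultdict(deque)   # ip -> timestamps of accepted signups
        self.mailboxes = set()            # canonical emails already registered

    def check(self, ip, email, now):
        """Return (allowed, reason) and record the signup when allowed."""
        q = self.by_ip[ip]
        while q and now - q[0] > self.window:   # expire old entries
            q.popleft()
        mailbox = normalize_email(email)
        if mailbox in self.mailboxes:
            return False, "mailbox-reuse"
        if len(q) >= self.max_per_ip:
            return False, "ip-rate"
        q.append(now)
        self.mailboxes.add(mailbox)
        return True, "ok"

# Constructed signup stream: (seconds since start, client ip, email address).
SAMPLE_SIGNUPS = [
    (0,    "203.0.113.5",  "alice@example.com"),
    (10,   "203.0.113.5",  "Alice+second@example.com"),  # same mailbox, plus-tag
    (20,   "203.0.113.5",  "bob@example.com"),
    (30,   "203.0.113.5",  "carol@example.com"),
    (40,   "203.0.113.5",  "dave@example.com"),          # 4th from one IP in an hour
    (50,   "198.51.100.7", "dave@example.com"),
    (3700, "203.0.113.5",  "erin@example.com"),          # window has expired
]

def run_sample(signups=SAMPLE_SIGNUPS):
    """Decision reason for each signup in order."""
    guard = SignupGuard()
    return [guard.check(ip, email, t)[1] for t, ip, email in signups]

if __name__ == "__main__":
    for (t, ip, email), reason in zip(SAMPLE_SIGNUPS, run_sample()):
        print(f"{t:5d}s {ip:14s} {email:28s} -> {reason}")
```

A per-IP window is trivially bypassed with many source addresses, which is why it sits behind the captcha and not instead of it; its job is to make the thousands-of-requests numbers on the slides cost proportionally more infrastructure.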