
...someone like identity that was created millions like her guests were many asked about the small business security world. They're the curtains of business and the cryptocurrency space. Is a consultant, Palio police department, is an adviser to paddle space, a local maker space. Thank you.

Alright, so yeah, my talk is on user security and you were responsible for what's being co-sponsored some Union first. First, whom, like I said, my name is Kurt Durbin. I'm a security researcher. I am a founder of Apollo 18, which is a cryptocurrency mining operation based in Altoona, and I've also devised the catalyst phase, which is a makerspace, an incubator base about town. So I wanted to come under this presentation, it's 17 preaching powder which you own it, the kind of making the discussion kind of see, because I think this is going to be a conversation that we're going to have in the very near future. So how many you space with a lot as like the evil corporation and everything, but Facebook is interchangeable with Twitter, Slack, Discord, iMessage, Android Messages, any kind of communication.

So I wanted haven't going to feel from you guys: do you feel that Facebook bears any responsibility over the data the biggest plane to its users? Yes? No? Why? Because some heavy responsibility. Do you say yes? Yeah, I think is the. So Zuckerberg said, and it's his quote: "It's clear now that we did not do it not prevent acute abuse, because it's great news for interference and data. Christ, it was a huge mistake. It was my mistake." Jackdaws even. Twitter also said that it was a huge fan of the companies of Twitter have sent a bar fight the Mosin for urban on the victims of abuse. So if this social media precedent, setting precedents of assuming responsibility for the content, content that they're opposed. Personally, I am, I feel that users are responsible for the security, but I'm curious to know where your word if you feel that Facebook bears that murder. What line is that? Tone, where's that line? Tom, on Facebook, America, like if I post something that you could be upset or you get hacked because of it, is Facebook liable for efficient? If I press efficient link targeting, us be reliable? That's a, cuz they separate us. They did send the president that they accepted responsibility, right? Exactly. OCS something like the, absolutely. I think, I think they should have responsibility, is they have the technology analyst to the people, the vampire, the proposal, ooh, the grades, right? They're gonna control the conversation with initiative based on. Yes, that's it.

I'm gonna talk about two different exploits, features, bugs that were found in this piece, but specifically if you guys remember, in 2010, in 2010 there was a Facebook chat implemented in Oscars, so you can go email username and Facebook, all they have 70 with an email to the usually messenger, unless it never really took off. In 2012 I found that if you have a, you keep primary email they use the log into the account, you could send messages as them to England. So a spoof female from a, from an attacker, and I didn't see any BC, they whatever was spooked email came through, it said how does that, you had this small. My summation, look here, it says, said problem, you know, I doesn't, you know. So as a user, you know, the Facebook's responsible and what we learn, they wear them, but the email was sent from there was a spooky using on the search engine.

So fast-forward a few years, everything started to grab URL reviews and put them into your communications. So whenever you post a URL at all these, Messenger, Twitter, Facebook, they go out to the website, have a preview of it, and then post them onto, into your feed. Even more recently, iMessage does, and Android Messages, and just about any way you communicate does URL news now. So figure, what if we spin up a web server that would display one thing to Facebook but display something other to your target? So these are, this is Facebook Messages, Twitter and Facebook message. I personally, it was definitely trustworthy calm, and pretty view that came out was Disney, and put wooden click Disney, it would actually take you to Kennywood website. Thomas goes, yeah, yeah, the musical arts, but if you give you certainty sure that donation, you start to see where this to go really wrong. What if I put something up apple.com and Apple phishing page, and Facebook displays a lot mom's preview whenever clearly in there, not, you got your ID information? That was a huge target repair drug theft.

So there was aid, I was going to attend, or they kind of walk through the script I have. Our gated and weaponize this, so you can just go in, edit a config file, put in what you are not one of the user to seen visit, I give us out, and he grabs the ass right now, get up, go to the grounds of HTML and then injects what those uses for the paper, gonna text the JavaScript for the room. So what it does is, the, at the time there was a lord, are going to take them, we were trying to research if we attract people to the darknet and ever the FBI was trying to interested it. So the paper that were built into now grab a fingerprint based on resolution. So if you want to get help, gonna get up / LOL all my p /a k, that is the code for this specific attack. Like I said, you can run generate websites and check your Caitlyn is too big, no, and target your user base, and that's it.

So is there any questions about the site, the papal is to keep anything you've got? Browser click Next when teaching freeware indeed. Awesome, all sorts of pre-built affording the popular mining in the browser really had kind of a browser-based attack of being injected into this. It can be used for mitigation or uses it. So a bit about how smooth that happen, I mean mitigation really has to be being, being cops of what's going on. So definitely trustworthy Commission and display for Disney, you know, one of the common attack types that I've seen is they buy these domains that might be trustworthy long, and then they add a Thomas something means before it, so you'll see account stock Disney guy who created for eating dog chocolate II, don't know, so it kind of gets lost them all. So it really goes back to that, to watch that you're clicking. Tom's line clicks and Athens move agree. What's neat there is it not so much the previous, if you can see up in the quarter one actually, it's definitely do this. But yeah, I think for mitigation it's kind of being that board out social awareness, because I think the state of security still, remember here gave Kennedy said he doesn't mind, okay, it's all next, wouldn't even trust. And so that's really awareness, education with that.

So one, how was that working into, how do you want them fixing? So how does it working? All basically, so the script has a list of user agents which you can add to it. Whenever you post early Tuesday Facebook, they have a user agent that goes up, I think it's actually called Facebook agent or something, that it goes out to who got the preview, and whatever the script sees that, it gives up the Disney stream or the what fate. So your things stored, it gives me dark, so there's one without HTML and then blackness is, you know. So yes, it would grow, it goes out, displays Disney movies whenever you go to get your appreciations different than Facebook block, so they're not, they're gonna see the infected page. How I'm gonna fix it? I think there's different way, I mean they do all this crazy stuff in their codes to subvert, look at walkers, they can use more than one user agent, that's at the simplest. This, yeah, making them those common region there is why you have to burn. I, I'm not sure why to have to grant all my, you know, but maybe there's a reason internally, Watts, they'll say it's trustworthy, I come on, your display is being was there that what its density. Do they have any tools they're looking to, you know? I don't know. Yeah, well this would put on them, they're like it's up to the user to protect themselves, but then when they went from Congress they're like, no, it's our turn there, so it's kind of like, which one is it? I think what there's a high profile issue, it's going to this conversation to report in a bigger and bigger scope. As hard as machine learning, I don't know, because what if it's a disappearing people, you, nobody grabs that in, so it's kind of tough to discern what would. Yeah, do you think it's creeping agency? Oh wait, it's asking for credit card info, this might be a little iffy, great, and reverses or Kennywood's. I know it's real quick, there was a top turret down the necklac. So is there any other questions or any other discussion on user responsibility? And so, you know, there's a lot
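The simplest fix the speaker mentions for the user-agent-based preview cloaking is for the platform to fetch a link with more than one user agent and compare the results. The following is an added example, not code from the talk or from any platform: a preview fetcher that requests the same URL as a preview bot and again as an ordinary browser, then flags mismatches. The user-agent strings and the in-memory origins are constructed placeholders so it runs offline.

```python
"""Detect user-agent cloaking on a link-preview fetch (added example)."""
import hashlib
import re
from typing import Callable, Dict

# Constructed sample origins. CLOAKED_ORIGIN mimics the behaviour described
# in the talk: the response is keyed on whether the requester looks like a
# preview bot. HONEST_ORIGIN serves the same page to everyone.
CLOAKED_ORIGIN: Dict[str, str] = {
    "bot": "<html><head><title>Disney</title></head>"
           "<body><a href='https://example.invalid/disney'>Disney</a></body></html>",
    "browser": "<html><head><title>Sign in</title></head>"
               "<body><form action='https://example.invalid/login'>"
               "<input name='password'></form></body></html>",
}
HONEST_ORIGIN: Dict[str, str] = {
    k: "<html><head><title>Same page</title></head><body>Hi</body></html>"
    for k in ("bot", "browser")
}

# Assumed user-agent strings (placeholders, not any real crawler's signature).
PREVIEW_BOT_UA = "ExamplePreviewBot/1.0"
BROWSER_UA = "Mozilla/5.0 (generic browser)"

def make_fetcher(origin: Dict[str, str]) -> Callable[[str, str], str]:
    """Return fetch(url, user_agent) backed by a constructed in-memory origin."""
    def fetch(url: str, user_agent: str) -> str:
        return origin["bot" if "Bot" in user_agent else "browser"]
    return fetch

def _fingerprint(html: str) -> dict:
    """Reduce a page to the features a preview check should compare."""
    title = re.search(r"<title>(.*?)</title>", html, re.I | re.S)
    return {
        "title": title.group(1).strip() if title else "",
        "has_password_field": bool(
            re.search(r"(type|name)=['\"]?password", html, re.I)),
        "digest": hashlib.sha256(html.encode()).hexdigest(),
    }

def preview_is_consistent(url: str, fetch: Callable[[str, str], str]) -> dict:
    """Fetch as bot and as browser; report which features differ."""
    as_bot = _fingerprint(fetch(url, PREVIEW_BOT_UA))
    as_user = _fingerprint(fetch(url, BROWSER_UA))
    mismatches = [k for k in ("title", "has_password_field", "digest")
                  if as_bot[k] != as_user[k]]
    return {"consistent": not mismatches, "mismatches": mismatches,
            "browser_view_has_password_field": as_user["has_password_field"]}
```

A platform would plug a real HTTP client into `fetch` and refuse or label the preview when `consistent` is false; the password-field flag is the cheapest signal that the browser view is a credential form the bot never saw.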