8/17/2019 DarkReading.pdf
Tech Center: Advanced Threats
'Cree.py' Social Engineering Tool Pinpoints A Person's Physical Location
Free tool automates process of pulling geolocation, other information on 'targets'
Mar 29, 2011 | 07:42 PM
By Kelly Jackson Higgins
Darkreading
A savvy and determined social engineer can gather and manually correlate
the geolocation tags of his or her target's social network or other online
posts. But a new, free tool automates that process of creeping around
and finding the physical location of a targeted person. "Cree.py" makes it
easier for social engineers to track the physical whereabouts of their
targets -- it grabs geolocations from Twitter and Foursquare, as well as
Twitpic, Flickr, and others.
Yiannis Kakavas, an independent researcher at the Royal Institute of
Technology in Stockholm, Sweden, says he built the tool -- currently in
beta -- to raise awareness of how easy it is for the physical location you
share online to be abused. "By making the process of retrieving and
analyzing all the shared location-specific information that users share easy
and automated, I hoped to make clear how easy it is for someone to stalk
you, rob you, find out where you've been, and why," Kakavas says. "The
second goal was to create a tool to add in one's social engineering
toolbox that would facilitate information gathering for geolocation
information."
The privacy and security risk with all of the geolocation tagging in today's
social networking applications has been disconcerting to security experts
and privacy advocates. Users today can include their physical locations
when they tweet, post pictures from Flickr, or check in on Foursquare.
Kakavas says the information Cree.py gathers can be used for
reconnaissance on a target, such as where he lives, when he's at home,
or when he's traveling and to where. "It can also be used to create
behavioral models of the target regarding the places he/she frequents --
coffee shops, gym, favorite restaurants, etc. -- [and] traveling patterns,
among others. These behavioral patterns can be very useful in social
engineering when it comes to pretexting. It can be used to create trust
relationships with the target based on supposedly common interests or
experiences," he says.
From there, an attacker can take it to another level, impersonating the
target, for example, to social-engineer another user into handing over a
password or other sensitive information, he says.
"Cree.py is just that -- CREEPY, but what a great tool to gather
information and building profiles on targets," blogged the social
engineering professionals at social-engineer.org, which provided screen
shots of how it works. "It also should be a very rude awakening to how
much information we release."
It works like this for Twitter: The social engineer feeds Cree.py the
target's Twitter handle, for example, and it takes it from there, pulling
together geolocation information and links to photos on img.ly, yfrog,
twitpic, analyzing the photos' metadata for GPS information. "It presents
all the retrieved information in an easy-to-view manner [with] locations in
an embedded map, which you can also export for further analysis,"
Kakavas says. It also links to Foursquare check-ins to get geolocation
information.
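The photo-metadata exposure described above can be checked from the poster's side before an image is uploaded. The following is an added example, not code from the article or from Cree.py: a standard-library Python check that reports whether a JPEG's Exif block carries a GPS pointer and removes Exif segments. The function names and the sample bytes are constructed for illustration.

```python
import struct

EXIF_HDR = b"Exif\x00\x00"
GPS_IFD_TAG = 0x8825  # IFD0 entry that points at the GPS sub-directory

def segments(jpeg):
    """Yield (is_exif, start, end) for each header segment before image data."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG")
    pos = 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF:
        marker = jpeg[pos + 1]
        if marker == 0xDA:  # start of scan: compressed image data follows
            return
        (length,) = struct.unpack(">H", jpeg[pos + 2:pos + 4])
        if length < 2 or pos + 2 + length > len(jpeg):
            raise ValueError("truncated segment")
        is_exif = marker == 0xE1 and jpeg[pos + 4:pos + 10] == EXIF_HDR
        yield is_exif, pos, pos + 2 + length
        pos += 2 + length

def has_gps_exif(jpeg):
    """True if any Exif segment's IFD0 contains the GPS pointer tag."""
    for is_exif, start, end in segments(jpeg):
        tiff = jpeg[start + 10:end]  # TIFF block after marker, length, "Exif\0\0"
        if not is_exif or tiff[:2] not in (b"II", b"MM"):
            continue
        bo = "<" if tiff[:2] == b"II" else ">"  # byte order of the TIFF block
        try:
            (ifd0,) = struct.unpack(bo + "I", tiff[4:8])
            (count,) = struct.unpack(bo + "H", tiff[ifd0:ifd0 + 2])
        except struct.error:  # truncated header or IFD
            continue
        for i in range(ifd0 + 2, ifd0 + 2 + 12 * count, 12):
            if tiff[i:i + 2] == struct.pack(bo + "H", GPS_IFD_TAG):
                return True
    return False

def strip_exif(jpeg):
    """Return the JPEG with every Exif APP1 segment removed."""
    segs = list(segments(jpeg))
    last = segs[-1][2] if segs else 2
    kept = [jpeg[s:e] for is_exif, s, e in segs if not is_exif]
    return jpeg[:2] + b"".join(kept) + jpeg[last:]

# Constructed sample (not a real photo): one Exif segment with a GPS pointer.
_TIFF = (b"II*\x00" + struct.pack("<IH", 8, 1)
         + struct.pack("<HHII", GPS_IFD_TAG, 4, 1, 26) + bytes(4))
SAMPLE = (b"\xff\xd8\xff\xe1" + struct.pack(">H", len(EXIF_HDR + _TIFF) + 2)
          + EXIF_HDR + _TIFF + b"\xff\xda\x00\x02\x00\xff\xd9")
```

Stripping the whole Exif segment also removes non-location fields such as camera model and timestamps, which is usually the desired result for images posted publicly.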
It can take anywhere from two to 15 minutes for Cree.py to determine the
target's physical location, and much of that is the recon part. "It depends
on the number of the user's tweets and how many of them actually contain
some geolocation information," he says. "The most time-consuming
process is actually the retrieval of the user's tweets, photos from image
hosting services, and not the analysis for geolocation information."
Cree.py can be downloaded from the Cree.py website.
py' Social Engineering Tool Pinpoints A Person's Physical Location ... http://www.darkreading.com/advanced-threats/167901091/securi
5/2/2011