An Introduction to Pinworm: Man in the Middle for your Metadata

Presented at DEF CON 24 (2016), Aug. 7, 2016, 2 p.m. (60 minutes).

What is the root cause of memory and network traffic bloat? Our current research using tools we previously released Badger at Black Hat in 2014 and the Kobra released at BsidesLV 2015 shows a 40 percent increase in outside unique IP traffic destinations and a 400 percent increase in data transmitted towards these destinations. But through the course of the research we found currently used IRP monitoring tools were lacking to help produce enough information to forensically investigate the exfiltration of user metadata. Pinworm is a sniffer that shows all created IRPs created in the kernel in I/O devices. The IRPs are correlated with the processes that created them and the called driver stack. With network traffic data we are off to the races. Using pinworm which we released this week, we will show forensic case studies from cradle to grave of what happens when you do things online in social media sites.

Like all of our previously released tools, Pinworm is a framework including server side code you can use to collect and display user metadata inline in browser frames. Does this metadata collection happen in the browser, in userland, or in the kernel? Come to our talk and find out. We will demonstrate the collection of user metadata and collecting this information in a live browser session. Then we will show you how to intercept your personal data before it leaves your computer keeping your privacy, well, private. BYOTFH (Bring your own tin foil hat).


Presenters:

Links:

Similar Presentations: