Samy Kamkar
This article contains content that is written like an advertisement. (May 2023) |
Samy Kamkar | |
---|---|
Website | samy |
Samy Kamkar (born December 10, 1985)
Work
Samy worm
In 2005, Kamkar released
In 2006, Kamkar was raided by the United States Secret Service and Electronic Crimes Task Force, expanded from the Patriot Act, for releasing the worm.[5] After being presented with a plea bargain for no prison time, but paying a fine of US$20,000, serving three years of probation, working 720 hours of community service, Kamkar pled guilty to a felony charge of computer hacking in Los Angeles Superior Court.[13] Also per the aforementioned agreement, Kamkar was allowed to keep a single computer that was not connected to a network, but explicitly prohibited from any internet access during his sentence.[14] Since 2008, Kamkar has been doing independent computer security and privacy research and consulting.[15]
Notable works
In 2008, after Kamkar's restriction from computers was lifted, he demonstrated weaknesses in
In 2010, Kamkar traveled to more than a dozen countries speaking about his mobile security research and weaknesses he discovered from his cryptanalysis of the PHP programming language, including speaking at some of the largest annual hacker conventions in the world such as DEF CON, Black Hat Briefings and ToorCon.[20][21][22]
In late 2010, Kamkar traveled to Bratislava to attend Faraday Hack Day to help expose political and corporate corruption within Slovakia's government.[23][failed verification]
In early 2011, Kamkar joined the Board of Directors of
In addition to releasing the Evercookie as free and open source software, and exposing the surreptitious collection of data by Apple, Google and Microsoft,[27] in 2011, Kamkar also exposed KISSmetrics, an online advertising network, and Hulu as recreating tracking cookies after consumers deleted them by storing the unique tracking identifiers in Flash cookies and HTML5 Local Storage, which were not automatically deleted when consumers cleared their browser cookies.[28][29] Several companies identified as performing cookie respawning were subsequently sued by class-action lawyers. In January 2013, KISSmetrics settled its cookie respawning related lawsuit for $500,000.[30]
Flaw in PHP
In early 2010, Kamkar discovered a major flaw in all versions of the PHP programming language, specifically in the pseudorandom number generator, which allowed an attacker to hijack the session ID of a user and take over their session.[31] Kamkar released a patch[32] and once fixed, released exploit code demonstrating the attack which was possible on major banks, social networks, and forums.[33][34][35]
Evercookie
In 2010, Kamkar released
Mobile research
In 2011, Kamkar discovered the iPhone, Android and Windows Phone mobile devices were continuously sending GPS coordinates, correlated to Wi-Fi MAC addresses, back to Apple, Google and Microsoft respectively, and released his research through several front page The Wall Street Journal articles.[27][38][39] The iPhone would continue to send location data "even when the location services were turned off".[38] The Windows Phone would also continue to send location data "even when the user has not given the app permission to do so". He discovered that some of this data was exposed by Google and he released Androidmap, a tool exposing Google's database of Wi-Fi MAC addresses correlated to the physical coordinates populated by Android phones.[40]
Parrot AR Drone research
In 2013, Kamkar created
Automotive security research
On July 30, 2015, Kamkar introduced OwnStar - a small electronic device that could be concealed on or near a General Motors vehicle to interpose itself between the vehicle's OnStar link and the driver's OnStar RemoteLink app. In this classic man-in-the-middle attack, Kamkar, or any unauthorized user, could substitute his OnStar commands to locate, unlock, or start the vehicle. By August 11, General Motors had released upgrades to the OnStar server software and RemoteLink app to block such attacks.[44]
In 2015, it was reported that Kamkar had built an inexpensive electronic device about the size of a wallet that could be concealed on or near a locked vehicle to capture a single
Magnetic stripe and credit card emulation device
On November 24, 2015, Samy Kamkar released MagSpoof;[47] a portable device that can spoof/emulate any magnetic stripe or credit card "wirelessly", even on standard magstripe readers by generating a strong electromagnetic field that emulates a traditional magnetic stripe card.
In his own words, MagSpoof can be used as a traditional credit card and simply store all of your credit cards (and with modification, can technically disable chip requirements) in various form factors, or can be used for security research in any area that would traditionally require a magstripe, such as readers for credit cards, drivers licenses, hotel room keys, automated parking lot tickets, etc.
Internet traffic hijacking
On November 16, 2016, Samy Kamkar released PoisonTap;[48] a USB Ethernet emulator that can be used to hijack all Internet traffic on a target machine, even if the computer was password protected and locked.
A backdoored device can be remotely forced to make a request with its user's cookies on HTTP (unsecured) websites that have no security flags, meaning that the attacker can remotely impersonate a local user.
On May 2, 2022, a suspected North Korean spy recruited a 38-year-old South Korean crypto exchange executive and a 29-year-old military officer to use PoisonTap in order to hack into the Korean Joint Command and Control System (KJCCS).[49]
References
- ^ "Twitter / samykamkar". Twitter.
- Fusion (TV channel). September 28, 2015. Retrieved 2015-09-28.
- ^ "Open Source - Fonality". Intel.
- ^ a b Jeremiah Grossman (April 2006). "Cross-Side Scripting Worms and Viruses: The Impending Thread and the Best Defense" (PDF). Whitehat Security. Archived from the original (PDF) on 2011-01-04.
- ^ a b "[Owasp-losangeles] OWASP LA". Retrieved 25 December 2015.
- ^ a b Goodin, Dan (2013-12-08). "Flying hacker contraption hunts other drones, turns them into zombies". Ars Technica.
- ^ a b "'Tor Stinks' presentation". The Guardian.
- ^ a b "New Web Code Draws Concern Over Privacy Risks". The New York Times. October 10, 2010. Retrieved 2011-05-19.
- ^ "Google and Apple on Capitol Hill for high-tech privacy hearing". CNN.
- Betanews. October 13, 2005.
- ^ "MySpace Worm Explanation". Archived from the original on 24 September 2015. Retrieved 25 December 2015.
- ^ "Cross-Site Scripting Worm Floods MySpace". Slashdot. 14 October 2005.
- ^ "MySpace speaks about Samy Kamkar's sentencing". TechSpot. Retrieved 2017-07-15.
- ^ "Greatest Moments In Hacking History: Samy Kamkar Takes Down Myspace". Vice-videos. Retrieved 2017-07-15.
- ^ "Background Data". The Wall Street Journal. April 22, 2011.
- ^ "chap.py".
- ^ "RFIDiot Documentation".
- ^ "SpiderLabs - Getting in with the Proxmark3".
- ^ "Proxmark3 Code".
- ^ "Samy Kamkar Talks". Retrieved 2013-04-28.
- ^ "DEF CON 18 Speakers". Archived from the original on 2010-10-20. Retrieved 2013-04-28.
- ^ "Black Hat USA 2010 Speakers". Retrieved 2013-04-28.
- ^ "Faraday Hack Day". Retrieved 2013-04-28.
- ^ "Brave New Software".
- ^ "Brave New Software". Archived from the original on 2013-10-31. Retrieved 2013-10-30.
- ^ "Lantern".
- ^ a b "Apple, Google Collect User Data". The Wall Street Journal. April 22, 2011. Retrieved 2011-05-19.
- ^ "Respawn Redux by Ashkan Soltani". 11 August 2011.
- ^ "Samy Kamkar KISSmetrics Research" (PDF).
- ^ Davis, Wendy (2013-01-23). "KISSmetrics Finalizes Supercookies Settlement". MediaPost New. Retrieved 2013-01-18.
- ^ "PHP blunders with random numbers".
- ^ "PHP 5.3.2 Release Announcement".
- ^ Baldoni, Roberto; Chockler, Gregory (2012). Collaborative Financial Infrastructure Protection.
- ^ "Attack on PHP sessions and random numbers".
- ^ "Advisory: Weak RNG in PHP session ID generation leads to session hijacking".
- ^ "'Evercookie' is one cookie you don't want to bite". MSNBC. September 22, 2010. Archived from the original on September 24, 2010. Retrieved 2011-05-19.
- ^ "Q&A: Evercookie Creator Samy Kamkar". 31 August 2022.
- ^ a b "Jobs Tries to Calm iPhone Imbroglio". The Wall Street Journal. April 28, 2011. Retrieved 2011-05-19.
- CNET Networks. September 2, 2011. Retrieved 2011-05-19.
- Huffington Post. April 25, 2011. Retrieved 2011-05-19.
- ^ a b "Samy Kamkar - SkyJack".
- ^ "SkyJack source code". GitHub. 2013-12-08. Retrieved 2013-12-08.
- ^ Strange, Adario. "Amazon Unveils Flying Delivery Drones on '60 Minutes'". Mashable. Retrieved 2013-12-01.
- Autonet. Retrieved 2015-08-11.
- Tech Insider. Retrieved 2015-08-11.
- ^ Kamkar, Samy (2015-08-07). "Drive It Like You Hacked It: New Attacks and Tools to Wirelessly Steal Cars". DEF CON 23. Retrieved 2015-08-11.
- ^ "samyk/magspoof". GitHub. Retrieved 25 December 2015.
- ^ "samyk/poisontap". GitHub. Retrieved 16 November 2016.
- ^ "Two South Koreans arrested for helping Pyongyang steal 'military secrets' | NK News". www.nknews.org. Archived from the original on 3 May 2022. Retrieved 15 May 2022.