An other attack on our privacy discovered

Hi there,

Students at the University of Viennna discovered severe attacks on social networks and how these attacks can reveal your surf history.
http://www.iseclab.org/papers/sonda-TR.pdf
Please note; the server at the university is busy because of this white paper. The best time to download is after 22:00 EST.

true north

 

Hi there,

The described attacks in the before mentioned white paper has far reaching consequences for social network users like facebook;
quote:

"In this paper, we introduce a novel, practical deanonymization
attack that makes use of the group information
in social networking sites. Using empirical, realworld
experiments, we show that the group membership of
a user in a social network (i.e., the groups within a social
network in which a user is a member), may reveal enough
information about an individual user to identify her when
visiting web pages from third parties.
The implications of the attack we present are manifold.
The attack requires a low effort, and has the potential to
affect millions of registered social networking users who
have group memberships.
The theoretical analysis and empirical measurements we
present demonstrate the feasibility of the attack on the Xing,
Facebook, and LinkedIn social networks. Furthermore, our
investigations suggest that many more social networks that
support group memberships can potentially be misused for
similar attacks."

After deanomyzation of a social network user the information gathered can be used to pitching, blackmail or fraud.

true north

 

Very interesting paper! It's almost necessary to have some background in statistical analysis (which I do not!) to completely understand the details, but sifting through to find strings (plain English) provides enough information.

The first thing I notice is how many conditions and "ifs" are required for a successful exploitation.

If you are not familiar with "history stealing" or "browser sniffing" you can check those two references in the paper, or search the web, for explanations/examples.

It's another example of a feature that can be misused, like browser plugins for Flash and PDF: When plugins are enabled, a Flash (SWF) or PDF file on a web page will load/run/open automatically. It's a user decision whether or not to keep these features enabled.

Each browser has different methods of controlling storing/deleting of private data. In Opera 9, it's Tools|Delete Private Data:

​

It's interesting, that the results of their controlled test yielded less than a 50% success rate:

I notice more and more where people say they delete their browser cache/history after each session.

More on the methods:

That is one of the big conditions: the victim must be led to the attacker's page and somehow be persuaded to stay there for a while.

For those who help people who are members of an on-line social networking group, controlling storing of private data is just one of the recommended security measures. Others include,

• avoiding installing 3rd-party applications
  
  
• being cautious about which groups you join, and whom you permit to join as a "friend"
  
  
• avoid clicking on links received from people to visit a web site or open an attachment without first verifying from the individual, using communication outside of the social networking site, (one's own email, for example)
  
  
• have anti-execution protection as part of security, to prevent unwanted malware from accidentally installing by remote code execution

Social networking sites need not be places of disaster. They just need attention paid to security measures. Unfortunately, their popularity as grown immensely, faster than information on proper security protection has been addressed by the mainstream media. In these circumstances, privacy attacks, unfortunately, can snag unaware victims.

----
rich