Another attack on our privacy discovered

Discussion in 'privacy general' started by true north, Feb 2, 2010.

Thread Status:
Not open for further replies.
  1. true north

    true north Registered Member

    Joined:
    Dec 14, 2006
    Posts:
    159
    Hi there,

    Students at the University of Vienna discovered severe attacks on social networks and how these attacks can reveal your surf history.
    http://www.iseclab.org/papers/sonda-TR.pdf
    Please note; the server at the university is busy because of this white paper. The best time to download is after 22:00 EST.

    true north
     
  2. true north

    true north Registered Member

    Joined:
    Dec 14, 2006
    Posts:
    159
    Hi there,

    The attacks described in the before-mentioned white paper have far-reaching consequences for users of social networks like Facebook;
    quote:

    "In this paper, we introduce a novel, practical deanonymization
    attack that makes use of the group information
    in social networking sites. Using empirical, realworld
    experiments, we show that the group membership of
    a user in a social network (i.e., the groups within a social
    network in which a user is a member), may reveal enough
    information about an individual user to identify her when
    visiting web pages from third parties.
    The implications of the attack we present are manifold.
    The attack requires a low effort, and has the potential to
    affect millions of registered social networking users who
    have group memberships.
    The theoretical analysis and empirical measurements we
    present demonstrate the feasibility of the attack on the Xing,
    Facebook, and LinkedIn social networks. Furthermore, our
    investigations suggest that many more social networks that
    support group memberships can potentially be misused for
    similar attacks."

    After deanonymization of a social network user, the information gathered can be used for pitching, blackmail or fraud.

    true north
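    To make the quoted claim concrete (that a user's set of group memberships can be unique enough to identify her), here is a small added example, not from the thread or the paper, that measures the "anonymity set" of a group-membership combination on constructed sample data; user names and group ids are hypothetical.

```python
from itertools import combinations

# Constructed sample data (not from the paper): user -> ids of groups joined.
USERS = {
    "alice": {"g1", "g2", "g3"},
    "bob":   {"g1", "g2"},
    "carol": {"g1", "g3"},
    "dave":  {"g1", "g2", "g3", "g4"},
    "erin":  {"g2", "g4"},
    "frank": {"g1", "g2"},
}


def anonymity_set(observed_groups, users=USERS):
    """Return the users whose memberships include every observed group.

    An observer who learns only these memberships cannot tell these users
    apart, so a result of size 1 means the visitor is fully identified.
    """
    observed = set(observed_groups)
    return sorted(user for user, groups in users.items() if observed <= groups)


def fraction_identifiable(k, users=USERS):
    """Fraction of users for whom some combination of k of their own groups
    is unique in the network, i.e. learning k memberships is enough."""
    identified = 0
    for groups in users.values():
        if any(len(anonymity_set(combo, users)) == 1
               for combo in combinations(sorted(groups), k)):
            identified += 1
    return identified / len(users)


if __name__ == "__main__":
    print("observed g1+g4 ->", anonymity_set({"g1", "g4"}))
    for k in range(1, 4):
        print(f"{k} groups learned: {fraction_identifiable(k):.0%} identifiable")
```

    The same calculation, run against real membership counts, is how a site operator or a user can judge which group combinations are rare enough to be identifying.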
     
  3. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Very interesting paper! It's almost necessary to have some background in statistical analysis (which I do not!) to completely understand the details, but sifting through to find strings (plain English) provides enough information.

    The first thing I notice is how many conditions and "ifs" are required for a successful exploitation.

    If you are not familiar with "history stealing" or "browser sniffing" you can check those two references in the paper, or search the web, for explanations/examples.

    It's another example of a feature that can be misused, like browser plugins for Flash and PDF: When plugins are enabled, a Flash (SWF) or PDF file on a web page will load/run/open automatically. It's a user decision whether or not to keep these features enabled.

    Each browser has different methods of controlling storing/deleting of private data. In Opera 9, it's Tools|Delete Private Data:

    [Image: opera_deletedata.gif]

    It's interesting that the results of their controlled test yielded less than a 50% success rate:

    I notice more and more where people say they delete their browser cache/history after each session.

    More on the methods:

    That is one of the big conditions: the victim must be led to the attacker's page and somehow be persuaded to stay there for a while.

    For those who help people who are members of an on-line social networking group, controlling storing of private data is just one of the recommended security measures. Others include,

    • avoiding installing 3rd-party applications

    • being cautious about which groups you join, and whom you permit to join as a "friend"

    • avoiding clicking on links received from people to visit a web site or open an attachment without first verifying with the individual, using communication outside of the social networking site (one's own email, for example)

    • have anti-execution protection as part of security, to prevent unwanted malware from accidentally installing by remote code execution

    Social networking sites need not be places of disaster. They just need attention paid to security measures. Unfortunately, their popularity has grown immensely, faster than information on proper security protection has been addressed by the mainstream media. In these circumstances, privacy attacks, unfortunately, can snag unaware victims.

    ----
    rich
     
    Last edited: Feb 7, 2010