Online Privacy, the next Battleground
Dominic White, SensePost
1
About Me
•  Dominic White
–  Security guy talking about privacy
–  Work:
•  Consulting @ SensePost
•  http://www.sensepost...
3
Agenda
•  What’s Changed
•  Defining Privacy & Private Data
•  Collecting Online Private Information
•  Online Privacy A...
What’s changed?
•  Initial reactions were based on new technology to
record and disseminate information
•  Later reactions...
Reactions to New Technology
“[Recent inventions] have invaded the sacred
precincts of private and domestic life; and
numer...
Total Information Awareness
Post 9/11 project to:
“[Create] enormous computer databases to
gather and store the personal
i...
Your Typical Day
Plan Day
Check Mail
Plan Route
Doctor’s Appointment
Write Report
Phone a Friend
Visit Friends
Watch TV
Go...
Follow the Money
The primary business model of today’s most successful
corporation is the monetisation of the mass collect...
Private Info Monetised
•  Acxiom – 750 billion pieces of information or 1 500 facts
on ½ billion people
–  Correlate ‘cons...
10
Agenda
•  What’s Changed
•  Defining Privacy & Private Data
•  Collecting Online Private Information
•  Online Privacy ...
What is Privacy
•  Privacy is misunderstood, undefined, arbitrary and
disregarded
•  Many people don’t care about online p...
Privacy in Philosophy
•  No single answer
•  One century of philosophy and law summarized as:
1.  Privacy as Control over ...
Private Data Defined
•  Isn’t Privacy just Security applied to a data subset?
The “C” in CIA?
•  Keeping something private...
Aggregation, Correlation & Meta-Data
Online Privacy Leaks
White’s Taxonomy of Online Privacy Invasion
14
Application Data
...
Taxonomy | Web Request
•  A single web request, e.g. an image on a website
•  One webpage is made of multiple requests
•  ...
Taxonomy | Cross Site Tracking
•  Using cookies to track across computers and affiliated
sites
•  Cookie is stored on your...
Advertisers Allowing Opt-Out
•  Acerno
•  Adtech
•  Advertising.com
•  AOL
•  Akamai
•  AlmondNet
•  Atlas
•  Microsoft
• ...
Taxonomy | Rich Browser Environments
•  Rich Web 2.0 Technologies
–  JavaScript / AJAX
–  Flash / Silverlight
•  What they...
CSS History Hack
available at http://singe.za.net/privacy/privacy.html
modified from http://ha.ckers.org/weird/CSS-history...
Taxonomy | Application Data
•  Rich information inputs
•  Structured & unstructured data (previously only structured)
–  S...
Application Data Example
21
•  Search logs
•  Far less information rich than e-mail
•  Or are they …
•  “Anonymised” searc...
Taxonomy | Aggregation, Correlation
& Meta -Data
•  Combining the previous levels
•  Meta - Data – Include interactions wi...
23
Agenda
•  What’s Changed
•  Defining Privacy & Private Data
•  Collecting Online Private Information
•  Online Privacy ...
Correlation Demo
•  Demo - How much information do you really leak publicly
–  Name and Surname
•  Known aliases
–  Contac...
Meta Data Demo
•  Data you may not be aware of leaking
•  Complex insights into relationships available
•  Social network ...
26
Agenda
•  What’s Changed
•  Defining Privacy & Private Data
•  Collecting Online Private Information
•  Online Privacy ...
Threat Information
•  Information leads to more information
–  Don’t view info in isolation
•  Simple leaks become fixatio...
Defences
•  Connection
–  MAC rotation
–  Secured Medium
–  Egress Firewall Filtering
•  Network
–  VPN: Prevents local
di...
QUESTIONS?
Thanks to Paterva, Chris Sumner & Moxie Marlinspike
31
Presentation by Dominic White at ISSA in 2010.

This presentation is about online privacy.
The presentation begins with a look at what privacy is. Where online privacy leaks occur and the implications of the leaks are discussed. The presentation ends with a brief discussion on how you can protect your online privacy.

Published in: Technology

  1. Online Privacy, the next Battleground
     Dominic White, SensePost
  2. About Me
     •  Dominic White
        –  Security guy talking about privacy
        –  Work:
           •  Consulting @ SensePost
           •  http://www.sensepost.com/blog/
        –  Academic
           •  MSc Computer Security
        –  Personal
           •  http://singe.za.net/
           •  @singe
  3. Agenda
     •  What’s Changed
     •  Defining Privacy & Private Data
     •  Collecting Online Private Information
     •  Online Privacy Attacks
     •  Defences
  4. What’s changed?
     •  Initial reactions were based on new technology to record and disseminate information
     •  Later reactions driven by active recording from governments and companies
     •  Today, many lives are no longer just recorded online, but lived online
  5. Reactions to New Technology
     “[Recent inventions] have invaded the sacred precincts of private and domestic life; and numerous mechanical devices threaten to make good the prediction that ‘what is whispered in the closet shall be proclaimed from the house-tops.’”
     Warren and Brandeis, “The Right to Privacy”, 1890
  6. Total Information Awareness
     Post 9/11 project to:
     “[Create] enormous computer databases to gather and store the personal information of everyone in the United States, including personal e-mails, social network analysis, credit card records, phone calls, medical records, and numerous other sources, without any requirement for a search warrant. Additionally, the program included funding for biometric surveillance technologies that could identify and track individuals using surveillance cameras, and other methods.”
     Source: https://secure.wikimedia.org/wikipedia/en/wiki/Information_Awareness_Office
  7. Your Typical Day
     •  Plan Day: Google Calendar
     •  Check Mail: Gmail
     •  Plan Route: Google Maps
     •  Doctor’s Appointment: Google Health
     •  Write Report: Google Docs
     •  Phone a Friend: Google Voice
     •  Visit Friends: Google Latitude
     •  Watch TV: YouTube
  8. Follow the Money
     The primary business model of today’s most successful corporation is the monetisation of the mass collection, correlation & analysis of individual private data
  9. Private Info Monetised
     •  Acxiom – 750 billion pieces of information or 1 500 facts on ½ billion people
        –  Correlate ‘consumer’ info from signups, surveys, magazine subscriptions
        –  $1.38 billion turnover for 2008 FY
     •  Colligent – Actionable consumer research derived from social networks
     •  Rapleaf – 450 million social network profiles
        –  Submit request and aggregated social network profiles returned within a day
     •  Phorm
        –  uses "behavioural keywords" - keywords derived from a combination of search terms, URLs and even contextual page analysis, over time - to find the right users.
  10. Agenda
     •  What’s Changed
     •  Defining Privacy & Private Data
     •  Collecting Online Private Information
     •  Online Privacy Attacks
     •  Defences
  11. What is Privacy
     •  Privacy is misunderstood, undefined, arbitrary and disregarded
     •  Many people don’t care about online privacy, the few who do are accused of extremism
     •  Poor understanding of actual threats
     •  What do you think privacy is?
        –  Secrecy, Concealment, Seclusion, Solitude, Confidentiality, Anonymity
        –  Prejudicial Information
        –  Personally Identifiable Information (PII)
        –  Whatever you want
     •  Intuitionist approaches abound
  12. Privacy in Philosophy
     •  No single answer
     •  One century of philosophy and law summarized as:
        1.  Privacy as Control over Information
        2.  Privacy as Human Dignity
        3.  Privacy as Intimacy
        4.  Privacy as Social Relationships
        5.  Privacy as Restricted Access
        6.  Privacy as Plurality
  13. Private Data Defined
     •  Isn’t Privacy just Security applied to a data subset? The “C” in CIA?
     •  Keeping something private is not keeping something secret
     •  Implies access control & authorised use
     •  Example:
        –  Credit card number used to pay for Pizza
           •  Access control: employee at Pizzeria
           •  Authorised use: pay for my order
        –  Privacy Violation
           •  Employee shares number with fraudster
           •  Company sells purchase detail to third party
           •  Additional facts deduced through data mining
  14. Online Privacy Leaks: White’s Taxonomy of Online Privacy Invasion
     [Diagram. Layers as labelled: Aggregation, Correlation & Meta-Data; Application Data; Rich Browser Environments; Cross Site Tracking; Web Request. Axis labels: Application Stack, Danger.]
  15. Taxonomy | Web Request
     •  A single web request, e.g. an image on a website
     •  One webpage is made of multiple requests
     •  What they can find out
        –  Location (Latitude, Longitude, City, Country)
        –  Language
        –  Operating System & Browser used
        –  What site you came from
        –  Internet Service Provider
        –  Have you been here before?
  16. Taxonomy | Cross Site Tracking
     •  Using cookies to track across computers and affiliated sites
     •  Cookie is stored on your computer and sent with every request
     •  Cookies usually associated with logon details
     •  What they can find out
        –  Who you are
        –  What sites you visit (affiliates)
        –  Behavioral profiles
  17. Advertisers Allowing Opt-Out
     •  Acerno •  Adtech •  Advertising.com •  AOL •  Akamai •  AlmondNet •  Atlas •  Microsoft •  Audience Science •  Blue Kai •  Bluestreak
     •  Next Action •  NexTag •  Media 6 Degrees •  Media Math •  MindSet Media •  Nielsen Online •  Omniture •  OpenX •  PrecisionClick •  Safecount •  Question Market •  Smart Adserver
     •  BrightRoll •  BTBuckets •  Collective Media •  Cossette •  Eyeblaster •  Exelator •  Fox Audience Network •  Google •  Doubleclick •  interCLICK •  Lotame
     •  Tacoda Audience Networks •  Traffic Marketplace •  Tribal Fusion •  Exponential •  Turn •  Undertone Networks •  Zedo •  ValueClick •  Mediaplex •  [x+1]
     Source: www.dubfire.net/opt-out/
  18. Taxonomy | Rich Browser Environments
     •  Rich Web 2.0 Technologies
        –  JavaScript / AJAX
        –  Flash / Silverlight
     •  What they can find out
        –  Browser history
        –  Clipboard data
        –  Key presses
        –  Visual stimulus
        –  Browser plug-ins
        –  Desktop display preferences
  19. CSS History Hack
     •  available at http://singe.za.net/privacy/privacy.html
     •  modified from http://ha.ckers.org/weird/CSS-history.cgi
     •  stolen from http://blackdragon.jungsonnstudios.com/
  20. Taxonomy | Application Data
     •  Rich information inputs
     •  Structured & unstructured data (previously only structured)
        –  Search requests
        –  E-mails
        –  Calendar items
        –  Instant Message Communications
     •  What they can find out
        –  Who you are
        –  Who your friends are
        –  What you’re doing on Sunday
        –  Your interests
  21. Application Data Example
     •  Search logs
     •  Far less information rich than e-mail
     •  Or are they …
     •  “Anonymised” search logs released by AOL
     •  AOL User 4417749
     •  Thelma Arnold
     •  Lilburn, Georgia
  22. Taxonomy | Aggregation, Correlation & Meta-Data
     •  Combining the previous levels
     •  Meta-Data – Include interactions with applications
     •  Aggregation – combining the information from various sources
     •  Correlation – normalising entities across sources
     •  Provides information you may not be aware of
        –  e.g. Advertising profile
     •  What they can find out
        –  Social networks
        –  Behavioural profiles
        –  Psychological profiles
        –  Deep databases
  23. Agenda
     •  What’s Changed
     •  Defining Privacy & Private Data
     •  Collecting Online Private Information
     •  Online Privacy Attacks
     •  Defences
  24. Correlation Demo
     •  Demo - How much information do you really leak publicly
        –  Name and Surname
           •  Known aliases
        –  Contacts
           •  Email addresses
           •  Physical location / street address
           •  Phone numbers
              –  Physical / Mobile
        –  IM/Skype details
        –  Associations and memberships (social networks + real life)
        –  Education
        –  Employment history
        –  Profiles of
           •  Family
           •  Friends
  25. Meta Data Demo
     •  Data you may not be aware of leaking
     •  Complex insights into relationships available
     •  Social network example
        –  Twitter
        –  Facebook
  26. Agenda
     •  What’s Changed
     •  Defining Privacy & Private Data
     •  Collecting Online Private Information
     •  Online Privacy Attacks
     •  Defences
  27. Threat Information
     •  Information leads to more information
        –  Don’t view info in isolation
     •  Simple leaks become fixation points for correlation
        –  Just mentioning a child’s name…
     •  Combining information leads to new, possibly undisclosed information
     •  You leak more than you know
     •  Don’t trust people based on their knowledge of you
     •  View your disclosures as a whole (think correlation points)
     •  Err on the side of caution, you can’t undo a leak
  28. Defences
     •  Connection
        –  MAC rotation
        –  Secured Medium
        –  Egress Firewall Filtering
     •  Network
        –  VPN: Prevents local disclosure, Easy to spot
        –  Covert Channels: DNS, ICMP, Steganography
        –  Proxies
        –  TOR
     •  Web Browser
        –  SRWare
        –  NoScript
        –  CookieButton
     •  Applications
        –  Don’t use if possible
        –  Don’t Identify
        –  Limit your disclosure
        –  Limit public disclosure
        –  Ensure authoritative source
     •  Correlation/Aggregation
        –  Temporary Information (e.g. Mailinator)
        –  False Information (e.g. FaceCloak)
        –  Split Across Providers
        –  Isolate cross-web invaders
     •  Plan for privacy breach!
        –  Request removal, offload risk, change details, muddy waters
  29. QUESTIONS?
     Thanks to Paterva, Chris Sumner & Moxie Marlinspike
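
Added example, not part of the original presentation: slides 15 and 16 note that a page is made of many requests and that a cookie is sent with every request, which is what lets one third party link visits to unrelated sites. The sketch below audits a request log for hosts that receive the same cookie from several sites, as a first step towards the "Isolate cross-web invaders" defence; all hosts, cookie values and function names are constructed for illustration.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample log: (request URL, Referer header, Cookie header) as a
# browser would send them. Every host and cookie value here is invented.
REQUESTS = [
    ("https://news.example/index.html", "", "session=a1"),
    ("https://ads.tracker.example/pixel.gif", "https://news.example/index.html", "uid=777"),
    ("https://cdn.static.example/site.css", "https://news.example/index.html", ""),
    ("https://shop.example/cart", "", "session=b2"),
    ("https://ads.tracker.example/pixel.gif", "https://shop.example/cart", "uid=777"),
    ("https://cdn.static.example/lib.js", "https://shop.example/cart", ""),
    ("https://forum.example/thread/9", "", ""),
    ("https://ads.tracker.example/pixel.gif", "https://forum.example/thread/9", "uid=777"),
    ("https://widgets.example/like.js", "https://forum.example/thread/9", "wid=42"),
]

def host(url):
    """Lower-cased hostname of a URL, or '' when there is none."""
    return (urlsplit(url).hostname or "").lower()

def parse_cookies(header):
    """Split a Cookie request header into a set of (name, value) pairs."""
    pairs = (p.strip().split("=", 1) for p in header.split(";") if "=" in p)
    return {(k.strip(), v.strip()) for k, v in pairs}

def find_cross_site_trackers(requests, min_sites=2):
    """Map third-party host -> {cookie: sites} for cookies replayed from >= min_sites sites."""
    seen = defaultdict(lambda: defaultdict(set))
    for url, referer, cookie_header in requests:
        target, origin = host(url), host(referer)
        # Simplification: hosts are compared exactly, so a site's own
        # subdomains count as third parties (no public-suffix list is used).
        if not origin or target == origin:
            continue
        for cookie in parse_cookies(cookie_header):
            seen[target][cookie].add(origin)
    report = {}
    for target, cookies in seen.items():
        hits = {f"{k}={v}": sorted(sites)
                for (k, v), sites in cookies.items() if len(sites) >= min_sites}
        if hits:
            report[target] = hits
    return report

if __name__ == "__main__":
    print(find_cross_site_trackers(REQUESTS))
```

Hosts that appear in the report are candidates for cookie blocking or for a separate browser profile; cookie-less third parties such as the sample CDN are not reported.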
