Web 2.0世代的資安議題 (Security Issues in the Web 2.0 Era)
Speaker notes:
  • The conversation map is a representation of social services and conversation.
  • Especially when almost as many people are on social networks as are using e-mail. Can we play then in those spaces? NEXT
  • Manual check: a sample of 1000, accuracy 74% (738); most errors were also nicknames. 78% × 74% = 58% (over half); 72% × 74% = 53% (over half); 30% × 74% = 22% (one fifth).

1. 陳昇瑋, Institute of Information Science, Academia Sinica. Security Issues in the Web 2.0 Era
2. What is Web 2.0? (Andy Budd) “Putting the We in Web”; “… the Living Web” -- Newsweek, 4/3/2006
3. Global Traffic Ranking
4. Web 2.0 Growth
5. Web 2.0: Definition. Web 2.0 is the network as platform, spanning all connected devices; Web 2.0 applications are those that make the most of the intrinsic advantages of that platform: delivering software as a continually-updated service that gets better the more people use it, consuming and remixing data from multiple sources, including individual users, while providing their own data and services in a form that allows remixing by others, creating network effects through an "architecture of participation," and going beyond the page metaphor of Web 1.0 to deliver rich user experiences. (Figure courtesy of Irwin King)
6. Web 2.0: Interpretations (Figure courtesy of Irwin King)
8. The Conversation Prism (www.briansolis.com)
9. Social Network Services (SNS)
  • A replication in electronic form of human relationships and trust connections
    • Posting personal profiles and user-created content
    • Socially-focused interactions
      • recommendations
      • discussion
      • blogging
      • organization of offline events
    • Defining social relationships
10. E-mail users: 543 million; social networking users (“social spaces”): 484 million (comScore Inc., August 2007; WSJ, 10/18/07)
12. Facebook
  • Over 175 million profiles
  • Increased by 270% in one year (ending in June 2007)
  • A valuation for Facebook translates to US$286 per user profile in 2007
  • The average user has 120 friends on the site
  • More than 3 billion minutes (around 5,800 years) are spent on Facebook each day
13. One Facebook Profile (out of 175 million)
14. MySpace
  • Founded in August 2003
  • Acquired by Fox Interactive Media in October 2005 (at a price of US$35 per profile)
  • 225 million profiles as of March 2008
  • The most visited site in the US (> 114 million visitors) in June 2007
  • On average, 300,000 new people sign up on MySpace every day
15. Let’s Look … MySpace http://www.myspace.com/
16. Everything has its pros and cons. The top 10 social networking sites increased their audience from 46.8 million in 2005 to 68.8 million in April 2006, reaching 45% of active Web users.
17. Threats Arising from SNS Development
  • Security and privacy were not the first concern in SNS development.
18. Time to move the sentry post to Web 2.0!
19. Potential Threats
  • Nothing is ever deleted from the Internet
  • Information leakage from contact descriptions
  • Face recognition
  • Location tracking
  • Image tagging and metadata
  • Spamming
  • Spear phishing
  • SNS aggregators
  • XSS, viruses, and worms
  • Information leakage due to network infiltration
  • Reputation slander through identity theft
  • Cyberstalking
20. “There is so much more personal information online.”
21. 1. Nothing is Ever Deleted from the Internet
22. Yahoo Site History 1996
23. Yahoo Site History 2000
24. Yahoo Site History 2005
25. Yahoo Site History 2009
26. Internet Data Is Never Deleted
  • Users reveal sensitive information (e.g. dates, political views) in profiles
  • Data can be downloaded and stored over time by third parties
    • Web page sampling techniques
    • Low cost of storage
  • Examples
    • Miss New Jersey was threatened with images taken from her profile
    • Two British tennis stars were suspended for revelations made on SNS
27. An Online Quiz (for fun)
28. Blackmail claim stirs fears over Facebook
29. LTA suspends top junior players
30. Did users ask the website to delete data they no longer wanted to be public? Outcome of the request to delete data:
31. 2. Information Leakage on SNS
32. Pseudonym != Anonymity (descriptions of one user written by friends; account ids masked)
  • axxxxx1 可愛的 * 嘉嘉 *
  • axxx7 ??? 俐嘉 ,,( 要記得我悠 !! 壹樣斗 * 我會記得你 ?
  • axxxx0 哩尬
  • axxxx5 俐嘉 --
  • axxx4 【 愛 ‧哩軋 】我們有許多小秘密
  • axx6 同學 俐嘉
  • axxx2 哩嘎 ~ 瘋 ... 但是有氣質
  • axxxxxx3 利嘉 (2)
  • axxxxxx1 俐嘉
  • bxxxxx1 哩 軋
  • bxxxxx4 俐嘉 * 活潑可愛的小女孩
  • cxxxxx1 很有活力也很可愛的學妹 _ 俐嘉
  • dxxxxxx0 哩嘎
  • gxxx3 哩尬 ( 和窩起阿達 )
  • qxxxxxx8 哩嘎
  • rxxxxxx6 力嘎 ( 郭郭的七辣 )
  • sxxxxy 俐 嘉
  • sxxxxxxxxxx6 嘉嘉 ?
  • wxxxxxxx8 *“ 劉俐嘉
  • yxxxxxxx6 小孩 〝 俐嘉 〞
  • yxxxxxxx6 俐嘉
  • zxxxx6 ▽-> 俐 嘉 。 ? 〞
  • zxxxxx7 ◆╭☆ ﹋ 俐嘉 ﹋☆╮◇
33. Involuntary Name Disclosure
  • The user did not publish their real name
  • Yet it can be inferred from friends’ descriptions
  • The user’s privacy cannot be protected
  Is the real name 劉德榮?
34. Case Study: Wretch (無名小站)
  • The largest user base among domestic (Taiwan) sites (over 3.9 million users)
    • All users participate anonymously
  • Collected 766,972 (20%) users
  • Users frequently describe their friends by real name
  • Analysis steps
    • Analyze candidate strings that recur across different descriptions
    • Match against the university entrance examination list
    • Match against a common-word list
  “Involuntary Information Leakage in Social Network Services,” Ieng-Fat Lam, Kuan-Ta Chen, and Ling-Jyh Chen, Proceedings of IWSEC 2008. http://mmnet.iis.sinica.edu.tw/publication_detail.html?key=lam08_wretch
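The three analysis steps above, turned into a self-audit that a profile owner can run over the descriptions friends wrote about them (in the spirit of the wretchinfo service on the next slides). This is an added example, not the paper's code or the service itself; the descriptions are constructed from the "Pseudonym != Anonymity" slide, and COMMON_WORDS and KNOWN_NAMES are small stand-ins for the common-word list and the entrance examination name list.

```python
import re
from collections import Counter

# Constructed sample: what friends wrote about one pseudonymous user (ids masked).
SAMPLE_DESCRIPTIONS = {
    "axxxxx1": "可愛的*嘉嘉*",
    "axxxx5": "俐嘉--",
    "axx6": "同學 俐嘉",
    "bxxxxx4": "俐嘉*活潑可愛的小女孩",
    "cxxxxx1": "很有活力也很可愛的學妹_俐嘉",
    "sxxxxxxxxxx6": "嘉嘉?",
    "wxxxxxxx8": "劉俐嘉",
    "yxxxxxxx6": "小孩〝俐嘉〞",
}

# Assumed stop-list standing in for the paper's "common word list" (step 3).
COMMON_WORDS = {"可愛", "愛的", "可愛的", "同學", "學妹", "小孩",
                "活潑", "活力", "女孩", "小女孩"}

# Assumed stand-in for the university entrance examination name list (step 2).
KNOWN_NAMES = {"劉俐嘉", "陳小明"}

CJK_RUN = re.compile(r"[\u4e00-\u9fff]+")


def candidate_strings(text, min_len=2, max_len=3):
    """All CJK substrings of length min_len..max_len found in one description."""
    cands = set()
    for run in CJK_RUN.findall(text):
        for n in range(min_len, max_len + 1):
            for i in range(len(run) - n + 1):
                cands.add(run[i:i + n])
    return cands


def leaked_name_candidates(descriptions, common_words=COMMON_WORDS, min_support=2):
    """Step 1: count in how many *distinct* descriptions each candidate recurs,
    drop common words, and rank by support (then by length)."""
    support = Counter()
    for text in descriptions.values():
        for cand in candidate_strings(text):   # a set, so one count per description
            support[cand] += 1
    ranked = [(s, c) for s, c in support.items()
              if c >= min_support and s not in common_words]
    ranked.sort(key=lambda sc: (-sc[1], -len(sc[0]), sc[0]))
    return ranked


def leak_report(descriptions, names=KNOWN_NAMES):
    """Summarise what a stranger could infer: the best candidate, how many friends
    repeat it, and whether it completes to a full name that appears verbatim."""
    ranked = leaked_name_candidates(descriptions)
    top = ranked[0][0] if ranked else None
    full = [n for n in names
            if top and top in n and any(n in t for t in descriptions.values())]
    return {"top_candidate": top,
            "support": ranked[0][1] if ranked else 0,
            "full_name_matches": full,
            "candidates": ranked[:5]}


if __name__ == "__main__":
    print(leak_report(SAMPLE_DESCRIPTIONS))
```

A real deployment would replace the two stand-in lists with the full word and name lists the paper used; the ranking logic is unchanged.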
35. Users who address friends by their real names are highly correlated with being addressed by their real names by friends. Relationship between the name leakage ratio and gender (upper figure) and user age (lower figure).
    Name type                     Proportion inferred
    Nickname                      60%
    Full name                     30%
    Given name (without surname)  72%
    Full name or given name       78%
36. Leakage of Age and Education Records
  • Involuntary disclosure of school attended and age
    • The user did not publish their school or age
    • Yet their education and age group can be inferred through friend relationships
  • Inferring a user’s school and age
    • Find users who have already disclosed them
    • Infer their friends directly from relationship keywords (direct inference)
    • Infer the friends of already-inferred users (indirect inference)
37. School inference results (upper figure) and average inference range (number of edges); age inference results (upper figure) and average inference range (number of edges)
38. Sensitive Information Leakage
  • Real name
  • Education history
  • Career history
  • Mobile phone #
  • Real-life relationships
    • date, spouse
    • relatives
    • boss, staff
39. Wretch Intelligence Analysis Agency (無名小站情報分析事務所) http://mmnet.iis.sinica.edu.tw/proj/wretchinfo/
40. Analysis results (example 1)
41. Analysis results (example 2)
42. Questionnaire results (1)
43. Questionnaire results (2)
44. Follow-up after using the service (1): change in the degree of name leakage; whether any name leakage remained
45. Follow-up after using the service (2): relationship between the degree of name leakage and user reaction
46. Follow-up after using the service (3): relationship between the degree of name leakage and user attitude
47. Wretch Tag Art (無名小站.文字繪) http://mmnet.iis.sinica.edu.tw/proj/tagart/
48. Wretch Tag Art (無名小站.文字繪)
49. Tags users dislike (two-, three- and four-character tags, as collected)
  • 公關 , 哈哈 , 跟好 , 天空 , 羽豬 , 偉宏 , 科科 , 哭哭 , 還有 , 一個 , 不過 , 媺棻 , 討厭 , 朋友 , 數學 , 憲緯 , 但老 , 老媽 , 人很 , 會讓 , 又說 , 師大 , 國小 , 最愛 , 最有 , 小芝 , 芝君 , 表姐 , 世傑 , 轉到 , 士傑 , 睡覺 , 台客 , 鴿子 , 學生 , 王子 , 身邊 , 一直 , 寵物 , 世界 , 北安 , 老公 , 君仁 , 毛毛 , 勁舞 , 道恆 , 舞步 , 阿海 , 烏龜 , 咖美 , 小米 , 龔柏 , 麻齊 , 佩瑜 , 罐子 , 爺爺 , 趙哥 , 小董 , 阿囧 , 東華 , 其實 , 薛球 , 阿嫂 , 姐姐 , 范鑫 , 盈靜 , 胖丁 , 彥浦 , 表姐 , 表姊 , 叔叔 , 白熊 , 雨涵 , 曉初 , 竹北 , 小雯 , 學姊 , 雯歆 , 兩老 , 妹子 , 口丁 , 雄中 , 男友 , 珮君 , 嘉蓉 , 洗澡 , 堯安 , 哈囉 , 抱歉 , 阿毛 , 媽媽 , 北安 , 市立 , 下棋 , 吟芝 , 白目 , 柏宏 , 低能 , 如珍 , 學姐 , 匯捷 , 名字 , 資通 , 實踐 , 縣立 , 仁愛 , 燕文 , 杏如 , 海灘 , 陽光 , 娃娃 , 立航 , 阿呈 , 陰暗 , 角落 , 大爺 , 亦方 , 沛嫻 , 不多 , 眼中 , ㄎㄎ , 聽說 , 中文 , 雅芳 , 氣直 , 嬸嬸 , 眉毛 , 妤雯 , 瑞鋒 , 瑞峰 , 國小 , 考試 , 好友 , 欣蓉 , 討厭 , 佳宜 , 才不 , 想交 , 雅亭 , 國防 , 軍警 , 立寰 , 皇冕 , 黑道 , 合嘴 , 管家 , 晚娘 , 嬌嗔 , 年級 , 慈敏 , 阿敏 , 小敏 , 洪小 , 明道 , 小摟 , 蘭妙 , 慶伶 , 畇伶 , 昀伶 , 想妳 , 孤單 , 水睞 , 四妹 , 撿角 , 測幹 , 凱凱 , 矮子 , 釣魚 , 阿綱 , 殭屍 , 好人 , 胖哥 , 謝肥 , 芳芳 , 種豬 , 經商 , 想改 , 小祺 , 警察 , 大學 , 高中 , 豬頭 , 什麼
  • 三是井 , 卻無法 , 平凡人 , 看不懂 , 黃媺棻 , 級媺棻 , 級米香 , 好人卡 , 彰憲偉 , 倒著唸 , 章憲偉 , 倒著念 , 國立高 , 都不理 , 說自己 , 加拿大 , 台北縣 , 勁舞團 , 出家人 , 一歲卻 , 吳木木 , 黃里歐 , 施佩君 , 高雄縣 , 陳漢典 , 哈哈哈 , 政治人 , 周百合 , 說賤人 , 外國團 , 哈哈哈 , 試試看 , 林紅君 , 小護士 , 蘭司心 , 愛自拍 , 鬼畜嘉 , 陳珮君 , 王冠腸 , 白蟾蜍 , 堯安姊 , 搖滾樂 , 據說還 , 吳秉寰 , 陳如珍 , 如珍啦 , 對不起 , 屏東縣 , 小麥肌 , 小海豹 , 沛沛嫻 , 或許連 , 個怎樣 , 說不清 , 能告訴 , 周百合 , 好人卡 , 上學除 , 從民生 , 挖哈哈 , 賴怡安 , 林世傑 , 你好棒 , 阿切切 , 被狗幹 , 沒路用 , 褚又豪 , 我愛你 , 謝謝你 , 個怪人 , 第二枚 , 陳立寰 , 池塘裡 , 小敏兒 , 洪小囉 , 洪小敏 , 洪小摟 , 蟹肉棒 , 小小白 , 陳蘭妙
  • 一事無成 , 無名小站 , 逛街購物 , 不用咪聽 , 身邊一直 , 下棋彈琴 , 黃金獵犬 , 縣立文德 , 市立大直 , 市立北安 , 國立鳳新 , 正緩緩為 , 妳在哪裡 , 正在就學 , 我哈哈哈 , 運動釣魚 , 蝦米咚咚 , 好人一個 , 你是好人 , 國立台灣 , 浪費時間 , 國防大學 , 葛神靈鬼 , 市立大直 , 下棋彈琴 , 戴阿格那 , 小粉公主 , 縣立仁愛 , 被人保護 , 當瘦子但 , 縣立板橋
  Categories: 1. names, 2. relationships, 3. rude nicknames, 4. identity, 5. education and career history
50. Visual Shopping on Like.com
51. Content-based Image Retrieval (CBIR) (figure: a taxonomy tree of reptile families and species, e.g. Iguania, Chelonia, Alligatoridae, Crocodylidae, used as example image categories)
52. 3. Face Recognition
  • Facebook hosts in excess of 30 billion user photos
    • growing at a rate of > 14 million every day
53. Face Recognition
  • A data source for identifying profiles across services using face recognition algorithms
    • Correlate profiles on other services given a profile
    • Identify profiles on various services given a photo
  • Think of online dating services
    • Match.com
    • 奇摩交友
    • …
54. 4. Location Identification
  • Feature matching on location-specific features: road signs, a painting in a room, the arrangement of furniture
  • Allows linking a user to location data
    • stalking
    • unwanted marketing
    • blackmail
55. A Parrot As The Feature
56. 5. Image Tagging and Metadata
  • Users can tag images with a person’s real name, SNS profile, or e-mail address
  • Users’ privacy may be under great threat from image tags posted by others
  (Example tags in the figure: 流川楓, 櫻木花道, 三井)
57. Image Tagging and Metadata
  • EXIF data embedded in photos
    • The serial number of the camera can be traced to a warranty registration card
    • The “Harry Potter and the Deathly Hallows” event
58. 6. Spamming
  • SNS are starting to replace e-mail
  • Through friend invitations and comment posting
    • Software like FriendBot can automate friend invitations and comment posting (based on demographic criteria)
    • SNS accounts can easily be applied for and thrown away
  • Through user profiles
    • Stealing members’ passwords to promote advertisements on their profiles
59. State-of-the-art Solution
  • CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart)
60. Text-based CAPTCHA
61. Image-based CAPTCHA: What are these pictures of?
62. Image-based CAPTCHA: The images need to be randomly distorted
63. The ESP Game http://www.espgame.org/ (figure: Player 1 and Player 2 guess labels for the same image, e.g. CAR, BOY, KID, HAT; “Success! You agree on CAR”)
64. © 2004 Carnegie Mellon University, all rights reserved. Patent Pending.
65. Sample labels: beach, chairs, sea, people, man, woman, plant, ocean, talking, water, porch
66. 15 million labels with 75,000 players. The ESP Game is fun: there are many people who play over 20 hours a week.
67. Search results of CAR
68. Search results of DOG
69. Search results of 小甜甜布蘭妮
70. Search results of GOOGLE
71. Having Fun = Work
72. Idea of Human Computation: take advantage of people’s desire to be entertained, and perform useful tasks as a side effect
73. Human Computation as an OCR System
74. 7. Phishing and Social Phishing
  • More than 66,000 phishing cases were reported to or detected by the Anti-Phishing Working Group (APWG) in September 2007
  • Up to 95% of phishing targets were related to financial services and Internet retailers
  • In 2007 (a survey by Gartner, Inc.)
    • More than $3.2 billion was lost due to phishing in the US
    • 3.6 million adults lost money in phishing attacks
    • Much more than the 2.3 million who did so the year before
75. Phishing Statistics
  • 43% of adults have received a phishing contact.
  • 5% of those adults gave out their personal information.
76. Phishing Attacks
77. Phishing through E-mails
78. Official vs Phishing Pages: http://www.ebay.com.fake.cc/ vs http://www.ebay.com/
79. Spear Phishing
  • Spear phishing: targeted phishing attacks
  • An experiment by Indiana University showed that spear phishing attacks can achieve a hit rate of 72%, compared with 15% for the control group
  • Context-aware attacks
    • Knowing your personal information
    • Knowing the information of your friends
    • Impersonating your friends
  • SNS profiles may be used for phishing attacks
    • The JS/Quickspace worm
    • Posting comments as your friends
    • Particularly effective due to the extra trust from the circle of friends
80. Anti-Phishing Techniques
  • Blacklist / whitelist
  • Logo recognition
  • Content-based recognition
  • Page image similarity
  • Password hashing
  • Mutual authentication (e.g., personal visual cues)
  • Site seals
81. Our Layout-based Detection Method
  • Capture the screen of the phishing page
82. Block Analysis
83. Layout Analysis
84. Match example
  • eBay original page (left) and a phishing page (right)
85. Performance Evaluation
  • Collected data
    • 312 original web page screens
    • 1,531 phishing page screens, targeting
      • Bank of America (46)
      • Charter One Money Manager GPS (102)
      • eBay (654)
      • Marshall and Ilsley Bank (138)
      • PayPal (591)
  • We use a Naïve Bayesian classifier to perform supervised classification
86. Example: Correct Classification
87. Example: Correct Classification
88. Example: Correct Classification
89. Example: Correct Classification
90. Example: Incorrect Classification
91. Example: Incorrect Classification
92. Example: Incorrect Classification
93. Example: Incorrect Classification
94. Our Local-Feature-based Detection Method
  • Step 1: Visual assessment with local content descriptors
    • Context Contrast Histogram (CCH)
      • invariant to scale, rotation, etc.
      • even more efficient than SIFT, the best-known descriptor, renowned for its excellent performance
  • Step 2: Page scoring & classification
    • Scoring criteria
      • correct matching rate
      • ratio of matched area
    • Naïve Bayesian classification
95. Phishing Page Matching (Classification)
96. Performance Evaluation
  • Superior to the EMD (Earth Mover’s Distance) scheme (IEEE TDSC, 2006)
97. Phishgig: 1. Installed in Firefox 3.0.1; 2. Live status; 3. Protected pages management. http://mmnet.iis.sinica.edu.tw/proj/phishgig/
98. Phishgig in Action: 1. Legitimate eBay login page; 2. Fake eBay login page
99. 8. SNS Aggregators
  • Integrating data from various SNS into a single web application, e.g., Snag, ProfileLinker
  • Protecting several SNS profiles with a single username/password authentication
  • An estimate shows at least 15% overlap between two of the major social networking sites
100. 9. XSS, Viruses, and Worms
  • The SAMY virus, which infected MySpace profiles, spread to over one million users within just 20 hours
  • One of the fastest-spreading viruses
  • Forced MySpace to shut down its site
101. 10. Information Leakage due to Network Infiltration
  • Currently anyone with a usable e-mail address can join any geographical network on Facebook
  • An experiment on Facebook
    • A user sent invitations to 250,000 users across the US
    • 75,000 users (30%) accepted the invitations (and revealed their profile information to a random stranger)
102. Information Leakage due to Network Infiltration
  • Another experiment
    • Antivirus company Sophos created a profile page for “Freddi Staur” (an anagram of “ID Fraudster”)
    • A green plastic frog with minimal personal information in the profile
    • 200 friend requests were sent; 87 of the 200 responded
    • 72% of respondents revealed their e-mail addresses; 84% revealed their birth date
103. 11. Reputation Slander through Identity Theft
  • Fake profiles may be created in the name of well-known persons or dead celebrities
    • E.g., Galileo has a profile on MySpace and 3,000 friends
  • Fake profiles may be used for malicious purposes, e.g., defamation
    • The target of the attack cannot access the profile
  • Most SNS perform only weak authentication of registrants
    • But how?
104. 12. Cyberstalking
  • Around 20% of users on Facebook disclosed their full address and at least two classes they are attending
  • 78% provided instant messaging accounts suitable for tracking their online status
  • Mobile SNS, e.g., Twitter, emphasize location data
105. Micro-blogging
106. Twitter is HOT!
107. Twitter Vision 3D
108. Twitter Map
109. Having seen so many security problems, what can we do?
111. Efforts to Cope with Threats (1)
  • Restrict spidering and bulk downloads
    • But how?
  • Require the consent of the data subject for tagging
  • Provide more privacy control over search results
112. Privacy Control Settings of Facebook
113. However, …
  • Profile searchability
    • We measured the percentage of users that changed the default search setting away from being searchable by everyone on Facebook to only being searchable by CMU users
    • 1.2% of users (18 female, 45 male) made use of this privacy setting
  • Profile visibility
    • We evaluated the number of CMU users that changed profile visibility by restricting access from unconnected users
    • Only 3 profiles (0.06%) in total fall into this category
114. Efforts to Cope with Threats (2)
  • Image anonymization techniques, e.g., face de-identification.
  K-Same: thwarts face recognition while many facial details remain.
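The slide names K-Same without showing the procedure, so here is an added illustration of the k-Same-Pixel idea (not the authors' code or the original k-Same implementation) on constructed toy "faces" of four gray-level pixels: every output face is the pixel-wise average of at least k originals, so a nearest-neighbour recogniser can identify a de-identified face no better than 1/k.

```python
# Constructed toy "faces": each is a tuple of 4 gray-level pixels. Real faces have
# thousands of pixels, but the k-Same-Pixel procedure is the same.
FACES = [
    (10, 10, 10, 10), (12, 10, 11, 9),     # two similar faces
    (50, 50, 50, 50), (48, 52, 50, 51),    # two more
    (90, 90, 90, 90), (88, 92, 89, 91),    # and two more
]


def distance(a, b):
    """Euclidean distance in pixel space (the 'recogniser' metric)."""
    return sum((x - y) ** 2 for x, y in zip(a, b)) ** 0.5


def average(faces):
    """Pixel-wise mean of a group of faces."""
    return tuple(sum(col) / len(faces) for col in zip(*faces))


def k_same_pixel(faces, k):
    """k-Same-Pixel: repeatedly take the first remaining face, gather its k-1 nearest
    remaining faces, and replace the whole group with their average. When fewer than
    2k faces remain, the last group absorbs them all, so every output is the average
    of at least k originals (the k-anonymity guarantee)."""
    remaining = list(range(len(faces)))
    out = [None] * len(faces)
    while remaining:
        seed = remaining[0]
        if len(remaining) < 2 * k:
            group = list(remaining)
        else:
            nearest = sorted(remaining[1:], key=lambda j: distance(faces[j], faces[seed]))
            group = [seed] + nearest[:k - 1]
        avg = average([faces[j] for j in group])
        for j in group:
            out[j] = avg
            remaining.remove(j)
    return out


def group_sizes(deidentified):
    """How many originals map to each de-identified face (all must be >= k)."""
    sizes = {}
    for face in deidentified:
        sizes[face] = sizes.get(face, 0) + 1
    return sizes


def recognition_rate(originals, deidentified):
    """Fraction of de-identified faces a nearest-neighbour recogniser links back to
    the correct original; ties resolve to the lowest index, as min() does."""
    hits = 0
    for i, probe in enumerate(deidentified):
        nearest = min(range(len(originals)), key=lambda j: distance(probe, originals[j]))
        hits += nearest == i
    return hits / len(originals)


if __name__ == "__main__":
    anon = k_same_pixel(FACES, k=2)
    print(group_sizes(anon), recognition_rate(FACES, anon))
```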
115. Efforts to Cope with Threats (3)
  • Reputation management
    • Rating an account or an object (e.g., a comment)
    • Reporting inappropriate behavior or content
  • Collective decision, not by the experts
  • Collusion: a secret agreement between two or more parties for a fraudulent, illegal, or deceitful purpose
    • Unfairly low ratings – bad-mouthing
    • Unfairly high ratings – ballot stuffing
116. Rating Score Aggregation
  • A reviewer is considered trustworthy if his/her earlier reviews are more consistent with public opinion.
    i   T(i)  Rating
    1   1.0   3
    2   0.4   5
    3   0.3   3
    4   0.9   4
    5   0.6   1
    6   0.1   5
    7   0.3   2
    8   0.1   5
  TVBS outputs 3!! The counting method outputs 5!!
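An added worked version of the table above (not the authors' TVBS code): the plain counting method against a trust-weighted vote, using the slide's eight reviewers and trust scores. The slide gives only inputs and outputs, so the weighting rule and the consistency-based trust update are assumptions that reproduce its numbers.

```python
from collections import defaultdict

# From the slide's table: (reviewer i, trust score T(i), rating given).
REVIEWS = [
    (1, 1.0, 3), (2, 0.4, 5), (3, 0.3, 3), (4, 0.9, 4),
    (5, 0.6, 1), (6, 0.1, 5), (7, 0.3, 2), (8, 0.1, 5),
]


def counting_method(reviews):
    """Plain majority: the rating given by most reviewers, whoever they are.
    Three low-trust reviewers (i = 2, 6, 8) are enough to push the result to 5."""
    votes = defaultdict(int)
    for _, _, rating in reviews:
        votes[rating] += 1
    return max(sorted(votes), key=lambda r: votes[r])   # ties -> lowest rating


def trust_weighted(reviews):
    """Assumed reading of TVBS: each reviewer's vote weighs T(i); the rating with
    the largest trusted weight wins. Weights: 3 -> 1.3, 4 -> 0.9, 5 -> 0.6 ..."""
    weight = defaultdict(float)
    for _, trust, rating in reviews:
        weight[rating] += trust
    return max(sorted(weight), key=lambda r: weight[r])


def trust_weighted_mean(reviews):
    """Alternative aggregation: trust-weighted average rating, rounded to the scale."""
    num = sum(t * r for _, t, r in reviews)
    den = sum(t for _, t, _ in reviews)
    return round(num / den)


def consistency_trust(history, scale=5):
    """Assumed trust model for T(i): mean agreement between a reviewer's earlier
    ratings and the consensus of the same items, agreement = 1 - |r - c|/(scale - 1).
    history is a list of (rating_given, consensus_rating) pairs."""
    if not history:
        return 0.5          # unknown reviewer: neutral trust (assumption)
    return sum(1 - abs(r - c) / (scale - 1) for r, c in history) / len(history)


if __name__ == "__main__":
    print("counting:", counting_method(REVIEWS))        # 5
    print("trust-weighted:", trust_weighted(REVIEWS))   # 3
```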
117. Collusion-Resistant Impeachment System
  • Letting users report and appeal against inappropriate behavior
    • Social network systems (無名小站, Facebook, 奇摩交友, …)
    • Online games (reporting cheating or the use of cheat programs)
  • Bad-mouthing problem
    • Some voters with a secret agreement vote against victims for a fraudulent, illegal, or deceitful purpose
  • Our goal
    • Detecting misbehaving users despite collusion
118. Our Proposed Algorithm
  • Step 1: Find voting communities
    • Newman’s community structure analysis algorithm
    • break into highly-connected subcomponents
  • Step 2: Identify bad users based on votes between voting communities
    • Cluster users according to two features:
      • Votee’s outside edges: misbehaving users tend to be voted against by different communities.
      • Voter’s outside edges: voters who vote against misbehaving users tend to vote against misbehaving users in different communities
    • Select the cluster with the most outside edges as the misbehaving user group
  (Figure legend: outside edge, inside edge)
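Step 2 of the algorithm above as an added example (not the authors' implementation): the two "outside edge" features computed from a constructed vote graph, followed by a small 2-means split that picks the cluster with the most outside edges. The community labels are given as input here, standing in for Step 1 (Newman's algorithm), which is not reimplemented.

```python
from collections import defaultdict

# Constructed sample. Communities A, B, C would come from Step 1 (assumed here).
COMMUNITY = {
    "a1": "A", "a2": "A", "a3": "A", "a4": "A", "v": "A",
    "b1": "B", "b2": "B", "b3": "B", "b4": "B", "m2": "B",
    "c1": "C", "c2": "C", "m": "C",
}
# Directed impeachment votes (voter -> votee), constructed:
VOTES = [
    ("a1", "v"), ("a2", "v"), ("a3", "v"),               # colluders bad-mouth v from inside A
    ("a1", "m"), ("b1", "m"), ("b2", "m"), ("c1", "m"),  # m is reported by A, B and C
    ("a4", "m2"), ("c2", "m2"), ("b4", "m2"),            # m2 is reported by A, C and B
]


def outside_communities(votes, community):
    """For each votee and each voter, the set of *other* communities at the far end
    of their votes. An edge that stays inside one community is an inside edge."""
    votee_out, voter_out = defaultdict(set), defaultdict(set)
    for voter, votee in votes:
        cv, ce = community[voter], community[votee]
        if cv != ce:
            votee_out[votee].add(cv)
            voter_out[voter].add(ce)
    return votee_out, voter_out


def votee_features(votes, community):
    """Per votee: (number of outside communities voting against it,
    mean number of outside communities its voters vote into)."""
    votee_out, voter_out = outside_communities(votes, community)
    voters_of = defaultdict(list)
    for voter, votee in votes:
        voters_of[votee].append(voter)
    feats = {}
    for votee, voters in voters_of.items():
        f1 = len(votee_out[votee])
        f2 = sum(len(voter_out[v]) for v in voters) / len(voters)
        feats[votee] = (f1, f2)
    return feats


def two_means(points, rounds=20):
    """Tiny deterministic 2-means over feature tuples, seeded at the min and max of
    the first feature. Returns {name: cluster index}."""
    names = list(points)
    c0 = points[min(names, key=lambda n: points[n][0])]
    c1 = points[max(names, key=lambda n: points[n][0])]
    assign = {}
    for _ in range(rounds):
        for n in names:
            d0 = sum((p - q) ** 2 for p, q in zip(points[n], c0))
            d1 = sum((p - q) ** 2 for p, q in zip(points[n], c1))
            assign[n] = 0 if d0 <= d1 else 1
        groups = [[points[n] for n in names if assign[n] == k] for k in (0, 1)]
        if not groups[0] or not groups[1]:
            break
        new = [tuple(sum(col) / len(g) for col in zip(*g)) for g in groups]
        if new == [c0, c1]:
            break
        c0, c1 = new
    return assign


def misbehaved_users(votes, community):
    """Cluster votees on the two features and flag the cluster with more outside edges.
    The colluders' victim v is only voted from inside its own community, so it lands
    in the low-outside-edge cluster and is not flagged."""
    feats = votee_features(votes, community)
    assign = two_means(feats)

    def mean_outside(k):
        members = [feats[n][0] for n in feats if assign[n] == k]
        return sum(members) / len(members) if members else -1.0

    bad = max((0, 1), key=mean_outside)
    return {n for n in feats if assign[n] == bad}


if __name__ == "__main__":
    print(votee_features(VOTES, COMMUNITY))
    print("flagged:", misbehaved_users(VOTES, COMMUNITY))
```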
119. Performance Evaluation
120. Efforts to Cope with Threats (4)
  • Biometric signatures for combating identity theft
    • fingerprint
    • voice
    • keystroke
    • mouse movement dynamics
121. TAKE HOME MESSAGES
  • Rule 1: If you think your mom would be offended, then don't post it.
  • Rule 2: Consider the “7 Ps” (Parents, Police, Predators, Professors, Prospective Employers, Peers and Pals) before posting your own information on the Internet.
  • Rule 3: Ask your pals to follow the rules.
122. Conclusion
  • Online social networks are a new online ecosystem that cannot be ignored, and they also bring many security risks and privacy concerns.
  • Besides relying on users’ “self-awareness”, proper mechanisms are needed to prevent problems before they happen.
  • For academic researchers: new research topics; for social system designers: take privacy issues into account in the system design.
  • Question: what else can we do?
123. Thank you! 陳昇瑋, Institute of Information Science, Academia Sinica http://www.iis.sinica.edu.tw/~swc
124. Questions