Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

A Brave New World

4,655 views

Published on

Presentation by Dominic White at the ITweb security summit 2010.

This presentation is about online privacy. The presentation begins with a discussion on behavioral tracking, Ways to prevent tracking such as DNT, TPL,googleSharing and opt out are discussed. The presentation ends with a series of disclussions on evercookie and nevercookie.

Published in: Technology
  • Be the first to comment

  • Be the first to like this

A Brave New World

  1. 1. A Brave New WorldThe Politics & Technology of Online Privacy
  2. 2. /whois singe• Argumentative Catholic Hacker Geek• Consultant @ SensePost• Involved with ZaCon• Love Building Security, breaking it still fun• TinFoil is in this Winter• Blog at http://singe.za.net/• Tweet as @singe
  3. 3. A Brave New World Source: acceleratingfuture.com
  4. 4. Agenda• Behavioural Tracking Primer• Politics vs Tech – NAI Opt-Out – Do Not Track – Tracking Prevention Lists – GoogleSharing• Next Level – EverCookie – Mobile Protections
  5. 5. Behavioural Tracking• Analyse user interactions to build a profile• Third parties do this across multiple sites• $21.7 billion industry in US  $42.5 in 2015 (BAI/Kelsey U.S. Local Media Annual Forecast) – Behavioural only 7% of this by 2014• Popularised by Google, usurped by Facebook• The business model for online monetisation Picture Source: foture.net
  6. 6. Problems• People arrested• Data driven inferences could be wrong• Overcriminalisation• Profiles sold to third-parties• Employee abuse• Companies hacked
  7. 7. You have little to no control over this If you don’t care, will you forever?Does nobody have the right to care? What about your kids? Activists?
  8. 8. Politics & Tech
  9. 9. Opt Out• Advertisers realised they needed to do something to appease the growing noise• Network Advertising Initiative’s Opt-Out• Sets an “Out-Out” cookie for each participating third party• You still send data to the third party, just with one less unique identifier
  10. 10. Opt-Out Problems• Requires third-party cookies to be enabled• Only covers participating NAI members• Only un-sets one cookies (others remain)• The cookie still exists, some still with an UID• Only prevents targeting ads, data still stored• Only deals with todays problem• We only have the people we don’t trust’s promise
  11. 11. Do Not Track• Consumer, not advertiser driven (Stanford IETF draft)• Allows you to make a general statement to everyone• Sends a DNT=1 HTTP header, or sets DNT DOM flag• Requires receiving server to comply• A technical signal, not a technical protection• Backed by legislation• Currently only implemented by Associated Press Analytics• Firefox 4, Internet Explorer 9 & Safari (no Chrome)
  12. 12. Legislation• DNT submitted to FTC [Industry efforts to address privacy through self- regulation] “have been too slow, and up to now have failed to provide adequate and meaningful protection.”• SB 761 California “Do Not Track” proposal at Appropriations Committee• Do Not Track Act of 2011 introduced on Mon
  13. 13. Response• The trackers got mad: – “California Senate Bill 761 would create an unnecessary, unenforceable and unconstitutional regulatory burden on Internet commerce.” – “It would stop California’s information economy in its tracks” – “The measure would negatively affect consumers who have come to expect rich content and free services through the Internet, and would make them more vulnerable to security threats.”• Google, Facebook, Yahoo, TimeWarner, MPAA, NAI & many others
  14. 14. Do Not Track ProblemsProblems:• Requires cooperation from trackers• Not as verifiable as they claim e.g. AP News• Limited granularity• DOM implementation could be hackedBenefits:• Law is a big, if slow, stick• Expresses preference to all• Works with other techniques
  15. 15. Tracking Protection Lists• Microsoft driven (W3C draft)• Technically a DNT implementation• Extension of AdBlock Plus approach• Detailed list of domains, URLs & paths• Provides blocking & allow statements• Prevents blocked content from loading• Multiple providers of lists – EasyList, PrivacyChoice, Abine, TRUSTe
  16. 16. TPL Pros/ConsProblems:• Blacklist, enumerating badness• Only blocks third-parties Enumerating Badness• Needs legislationBenefits• Granular No Idea Very Bad• Transparent/Verifiable• Not a signal, an enforcement• Blocks active content, prevents further leaks
  17. 17. GoogleSharing• Built by the very smart Moxie Marlinspike• Active Subversion & Unblockable• Pools identities, lets you use a random one• Proxies requests, over SSL• No need to trust the proxy• Tools provided to run your own• This can be extended
  18. 18. Active Subversion• Why must we accommodate trackers? Take back our privacy by force if we must• Muddies trackers data sets – One user is many users – Looks like a NAT – Unblockable, undistinguishable• Increases cost of tracking• Keeps you safe – Network location is kept secret – No trackinghttp://1984.za.net/
  19. 19. Next Level
  20. 20. Beyond Cookies• Cookies are only one way to track• Flash Local Storage Objects have been used for years, but that’s not all• Samy Kamkar came up with 13 methods in total• Also, a way to use one method to restore the others The Evercookie
  21. 21. Evercookie• Normal Cookies • HTML5 Session Storage• Flash LSO • HTML5 Local Storage• Silverlight Isolated • HTML5 Global Storage Storage • HTML5 Database• WebHistory Storage• Etags • Internet Explorer• WebCache userData• window.name cache • Force cached PNG http://samy.pl/evercookie/
  22. 22. NeverCookie
  23. 23. NeverCookie• Deletes normal/HTML5/Flash/Silverlight “cookies”• Can prevent setting of future Flash & Silverlight objects – Sets a binary Adobe Preferences Object – Touches a disabled.dat Silverlight file• GUI written by Willem @ SensePost• OSX & Safari only currently, plan to extend
  24. 24. NeverCookie
  25. 25. Mobile EverCookie• On Apple iOS, each application is in a sandbox• Every app allowing “surfing” is vulnerable to the evercookie• There could be hundreds of evercookies!• Built-in settings only clear some of MobileSafari’s cache
  26. 26. ResetSafari• Jailbreak SBSettings application by Sea Comet• Based on my code release• Deletes all Cookies as NeverCookie but for all apps• Nevercookie for Mobilehttp://modmyi.com/cydia/package.php?id=32881
  27. 27. Proxy.Pac• GoogleSharing if (shExpMatch(host,"*google.*")) { return proxy_GoogleSharing; }• Ad & Tracking Block (simple) if ( shExpMatch(host,"*googlesyndication.*”)|| shExpMatch(host,"*googleadservices.*")|| shExpMatch(host,"*google-analytics.*”)|| shExpMatch(url,"*facebook.com/plugins/like.php*”)){ return proxy_BlackHole; }
  28. 28. Blackhole Problem• Blackholes are handled differently• WebKit fails to DIRECT• Need a blackhole proxy server• Implemented a simple Twisted HTTP server than responds with HTTP 200 OK to everything• Thanks Gert @ SensePost
  29. 29. Available At http://1984.za.net/proxy.php ?proxy=<> - sets default proxy&port=<> - sets default proxy port&socks – makes it a SOCKS proxy Don’t trust us
  30. 30. Enabling on iPhone• Wifi network .pac can be configured normally• 3G doesn’t allow proxy settings via Interface• /Library/Preferences/SystemConfiguration/prefer ences.plist <dict> <key>HTTPEnable</key> <integer>0</integer> <key>HTTPProxyType</key> <integer>2</integer> <key>HTTPSEnable</key> <integer>0</integer> <key>ProxyAutoConfigEnable</key> <integer>1</integer> <key>ProxyAutoConfigURLString</key> <string>http://1984.za.net/proxy.php</string> </dict>
  31. 31. Summary & Conclusion• Behavioural Tracking is big business• We need control of our data• Opt-out is highly politicised, in-flux & requires legistlation• Subversion should be built in the mean-time• Watch out for what’s coming next (or now)• These tools are easy to build, get started
  32. 32. Thank You Questions?sensepost.com/blogdominic@sensepost.com

×