#Cybersecuregov
From Zero to 60: Advancing the Cybersecurity Workforce
The Next APT: Advanced, Persistent Tracking
Jarad Kopf and G. S. McNamara
Introduction
» Persistent tracking mechanisms are very prevalent and growing
» Tech conglomerates such as Google have flirted with this type of new technology
» Not limited to cookies anymore, these tracking mechanisms come in many forms
Why should you care?
» Privacy concerns
» These technologies are extremely accurate
» Perhaps violating your organization’s policy
Evercookies
» Goal: identify a unique client even after standard cookies have been removed
» Storage mechanisms include: Flash Cookies, Silverlight Isolated Storage, HTTP ETags*, many more
Evercookie FAQs
» Do evercookies work cross-browser?
» Does the browser or server have to install anything?
Evercookie Repopulation
Image: https://securehomes.esat.kuleuven.be/~gacar/persistent/the_web_never_forgets.pdf
ETag Overview
» One storage mechanism of Evercookies
» ETag (Entity Tag) is part of the HTTP protocol
• provides for web cache validation
» Can be used as an opaque identifier assigned by a web server to a specific version of a resource found at a URL
ETag Mechanism
Image: https://lucb1e.com/randomprojects/cookielesscookies/
HSTS Overview
» HSTS: web security policy mechanism to protect HTTPS websites from downgrade attacks
» Allows web servers to declare that web browsers should only interact using secure connections
» Your browser can remember this – this is set when the server sends back an HTTP header with a parameter field named Strict-Transport-Security
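The header and the browser-side memory this slide describes, as an added example that is not part of the original deck: a parser for the Strict-Transport-Security value following RFC 6797 (max-age is required, directive names are case-insensitive and may not repeat, unknown directives are ignored; `preload` is a browser-vendor extension rather than an RFC directive) and a simulated per-host store with the includeSubDomains and expiry handling a browser applies. `parse_hsts`, `HstsStore` and the hostnames in the demo are assumptions of this example, not names from the talk.

```python
import time

# Constructed example (not the presenters' code): RFC 6797 header parsing and
# the per-host HSTS memory a browser keeps. Names are assumptions.

def parse_hsts(header_value):
    """Parse a Strict-Transport-Security value into a policy dict.

    Returns None for a malformed header: max-age missing or non-numeric, or any
    directive repeated (RFC 6797 forbids duplicates). Unknown directives are ignored.
    """
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    seen = set()
    for raw in header_value.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()          # directive names are case-insensitive
        value = value.strip().strip('"')     # max-age value may be a quoted-string
        if name in seen:
            return None
        seen.add(name)
        if name == "max-age":
            if not value.isdigit():
                return None
            policy["max_age"] = int(value)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":              # browser-vendor extension, not in RFC 6797
            policy["preload"] = True
    if policy["max_age"] is None:
        return None                          # max-age is the one REQUIRED directive
    return policy


class HstsStore:
    """The browser-side memory the slide mentions: host -> expiry and subdomain flag.

    `now` is injectable so expiry can be exercised without sleeping.
    """

    def __init__(self, now=time.time):
        self.entries = {}
        self.now = now

    def observe(self, host, header_value):
        """Apply an STS header received on an error-free HTTPS response.
        Returns True when the header was valid and the store was updated."""
        policy = parse_hsts(header_value)
        if policy is None:
            return False
        if policy["max_age"] == 0:
            self.entries.pop(host, None)     # max-age=0 tells the UA to forget the host
            return True
        self.entries[host] = {
            "expires": self.now() + policy["max_age"],
            "include_subdomains": policy["include_subdomains"],
        }
        return True

    def must_use_https(self, host):
        """True if host, or a superdomain whose policy carries includeSubDomains,
        is a known HSTS host with an unexpired policy."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            entry = self.entries.get(candidate)
            if entry is None:
                continue
            if entry["expires"] <= self.now():
                del self.entries[candidate]  # expired policy: forget it
                continue
            if i == 0 or entry["include_subdomains"]:
                return True
        return False


if __name__ == "__main__":
    store = HstsStore()
    # example.com is a reserved documentation name; the header is constructed.
    store.observe("example.com", "max-age=31536000; includeSubDomains")
    print("www.example.com ->", store.must_use_https("www.example.com"))  # True
    print("example.org     ->", store.must_use_https("example.org"))      # False
```

The store records one remembered fact per host, which is exactly the state the following slide's tracking concern refers to; the parser's strictness (reject duplicates, require max-age) is what keeps a site's own policy from being silently ignored by a browser.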
Abusing HSTS
» HSTS potential for tracking is specified in RFC 6797
» No known cases in the wild yet
Images taken from: https://nakedsecurity.sophos.com/2015/02/02/anatomy-of-a-browser-dilemma-how-hsts-supercookies-make-you-choose-between-privacy-or-security/
Fingerprinting (Type 1 of 2): Device
Fingerprinting (Type 2 of 2): Canvas
Let’s tell a story…
(If I were evil)
A world full of corporate assets
We might even allow BYOD
We’ve hardened our network
And we trust our ISP
But what about the phones?
The carrier wouldn’t meddle with our data
“Verizon’s ‘Perma-Cookie’ Is a Privacy-Killing Machine”
http://www.wired.com/2014/10/verizons-perma-cookie/
The data gathered would never then be sold
“Relevant Mobile Advertising Program”
http://www.verizonwireless.com/support/relevant-mobile-ad/
Selling location data is inconceivable
“Carriers Sell Users’ Tracking Data in $5.5 Billion Market”
http://www.bloomberg.com/news/articles/2013-06-06/carriers-sell-users-tracking-data-in-5-5-billion-market
Location lacks impact
“ISIS Fighter Accidentally Geotagged Tweets And Revealed His Not-So Secret Location”
http://www.mtv.com/news/2038989/isis-twitter-geotagging-fail/
If only used for ads, is this OK?
Ads are safe
“Malware in ads turn computers into zombies”
http://www.usatoday.com/story/tech/2015/01/20/malvertising/21889547/
Well, if you stick to legitimate sites
“Malvertising hits The New York Times”
http://www.dailyfinance.com/2009/09/14/malvertising-hits-the-new-york-times/
This ‘malvertising’ economy won’t catch on
“Malvertising Abuses Real-Time Bidding on Ad Networks”
https://threatpost.com/ad-networks-ripe-for-abuse-via-malvertising/111840
It’s probably just run by kids
“APTs Target Victims with Precision, Ephemeral Malvertising”
https://threatpost.com/apts-target-victims-with-precision-ephemeral-malvertising/108906
Besides, cyber-physical isn’t real
“'Operation DeathClick' targets defense contractors”
http://archive.federaltimes.com/article/20141017/IT/310170016/-Operation-DeathClick-targets-defense-contractors
Malware doesn’t even work on phones
“Ads 'biggest mobile malware risk'”
http://www.bbc.com/news/technology-26447423
It only works on “real” computers
“Now e-cigarettes can give you malware”
http://www.theguardian.com/technology/2014/nov/21/e-cigarettes-malware-computers
The future isn’t mobility anyway
“BYOD: Many Call It Bring Your Own Malware (BYOM)”
http://blogs.cisco.com/security/byod-many-call-it-bring-your-own-malware-byom
And the small details don’t matter
“Two US power plants infected with malware spread via USB drive”
http://arstechnica.com/security/2013/01/two-us-power-plants-infected-with-malware-spread-via-usb-drive/
Next-Gen Tracking is a blind spot.
This was just one idea
Policy Scandals
EU Cookie Law
» Into effect May 2012
» EU requires prior informed consent for storage of or access to information stored on a user’s machine
• Many exemptions
» Tools like Google Analytics fall under jurisdiction
So what now?
» Talk to legal about policy updates
» Talk to IT about control
“The greatest victory is that which requires no battle.”
― Sun Tzu, The Art of War
Jarad Kopf, M.S., CISSP
Jarad.Kopf@gmail.com
G. S. McNamara, M.S.
Main@GSMcNamara.com

(ISC)2 CyberSecureGov 2015 - The Next APT: Advanced, Persistent Tracking


Editor's Notes

  1. [Slide to show during first 3 minute segment] Who we are…
  2. - Many different types of alternate persistent tracking mechanisms are being developed and utilized in the wild.
     - Lots of companies and websites have been utilizing and developing these types of persistent tracking methods: Google, AT&T, Verizon (more on that later).
     - Significant privacy concern for all individuals; in the European Union, legislation was enacted (the EU Cookie Law).
     - Not all cookies are the same. Persistent cookies stay in one of your browser's subfolders until you delete them manually or until your browser deletes them based on the duration period contained within the persistent cookie's file. These persistent cookies are relatively new, and as you’ll see, are of great importance/concern for privacy advocates as well as all individuals.
  3. - Background: half of all the cookies written onto users' browsers are first-party cookies, half are third-party cookies.
     - Online tracking leads to direct ad placement and ultimately profit for corporations.
     - These tracking mechanisms are not only hard to detect, but are also difficult for the average user to control and block or remove.
     Why is any of this important?
     - PRIVACY CONCERNS
     - Minimal false positives: 99.1% positive identification (https://panopticlick.eff.org/browser-uniqueness.pdf)
     - Violating your organization’s policy? Many organizational policies have elements regarding privacy. Though not all will touch (or rule) on tracking mechanisms, it is prudent to ensure you are in compliance with all policies.
     [Should be at 8 minute mark now]
  4. Web tracking techniques fall into two broad categories: active and passive techniques.
     - The Evercookie goal is to identify a client even after they've removed standard cookies.
     - It actively "resists" deletion by copying itself in different forms on the user's machine and resurrecting itself if it notices that some of the copies are missing or expired.
     - Many different storage mechanisms.
  5. Does this work cross-browser? Does the client have to install anything? Does the server have to install anything? Is evercookie open source? Note: this is important because it mentions HTML5 options, upcoming technology that will be embraced with enthusiasm worldwide! How to Detect Identifier Strings
  6. - Evercookie is designed to make persistent data extremely persistent. How does this happen if the user deletes their cookies? With all the methods available, it only takes one of the values kept in storage to remain for most, if not all, of them to be reset again.
     - Diagram example.
     - There are numerous popular sites that use evercookies: aol.com, many popular TV streaming sites, as well as gambling-themed sites.
  7. - ETags are one of the storage mechanisms that evercookies utilize to store persistent data.
     - ETag, or entity tag, is part of the HTTP protocol.
     - An ETag is an opaque identifier assigned by a web server to a specific version of a resource found at a URL.
  8. - The server sends an ETag HTTP header with the response, containing an arbitrary string (which is normally a checksum of the resource). Compliant browsers (IE5.5+, Safari, Chrome, Opera, Firefox, etc.) send the If-None-Match HTTP header with subsequent requests, containing the same string the ETag header contained.
     - What if the server uses the ETag/If-None-Match headers as session IDs, for example? We could then implement some ‘session’ store keyed by this ID and use it for tracking.
     - ETags can be used to track people: the browser sends back to the server the information it previously received (the ETag), which is almost exactly the way cookies work.
  9. - HSTS is a web security policy mechanism which is necessary to protect secure HTTPS websites against downgrade attacks.
     - It allows web servers to declare that web browsers (or other complying user agents) should only interact with them using secure HTTPS connections.
     - If you visit a site that has HSTS enabled, your web browser will remember this flag and ensure the connection is secure any time you visit the website in the future.
  10. - HSTS can be abused to keep track of you when you visit a website, even though it keeps your communication with that site more secure.
      - HSTS is an IETF standards track protocol, and in fact a description of HSTS for tracking even made it into RFC 6797, which describes the standard.
      - (Use diagram example.) The automatic redirecting that HSTS uses protects your access to the site from being intercepted, but could also be abused by a malicious site to store a unique number (identifier) to track your web browser. Which is more important: security, or privacy?
      [should be at 18 to 21 minute mark now]
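As an added example (not from the presentation), a small Python heuristic a site owner or proxy operator could run over their own response logs to spot a resource whose ETag behaves like a per-client identifier rather than a cache validator; the log records and function names are constructed for this illustration.

```python
"""Flag URLs whose ETag looks like a per-client identifier (added example).

A genuine ETag is a property of the resource, so every client fetching the
same version receives the same value. An ETag used for tracking is the
opposite: each client gets its own value and keeps seeing it on revisits.
The records are constructed (client, url, etag) triples; names are our own.
"""
from collections import defaultdict

# Constructed sample log: /pixel.gif hands out a different ETag to every
# client and repeats it on revisit; /logo.png serves one checksum to all.
SAMPLE_LOG = [
    ("10.0.0.1", "/pixel.gif", "a1f3"),
    ("10.0.0.2", "/pixel.gif", "77c9"),
    ("10.0.0.3", "/pixel.gif", "0be2"),
    ("10.0.0.1", "/pixel.gif", "a1f3"),  # revisit: same client, same value
    ("10.0.0.1", "/logo.png", "5d41"),
    ("10.0.0.2", "/logo.png", "5d41"),
    ("10.0.0.3", "/logo.png", "5d41"),
]


def suspicious_etag_urls(records, min_clients=3):
    """Return URLs that meet all three tracking signals.

    (a) at least min_clients distinct clients fetched the URL,
    (b) every client only ever saw a single ETag for it (stable identifier),
    (c) no two clients ever received the same ETag (unique per client).
    """
    per_url = defaultdict(lambda: defaultdict(set))  # url -> client -> {etags}
    for client, url, etag in records:
        per_url[url][client].add(etag)

    flagged = []
    for url, clients in per_url.items():
        if len(clients) < min_clients:
            continue  # too few observations to judge
        if any(len(tags) != 1 for tags in clients.values()):
            continue  # value changed for some client: behaves like a validator
        values = [next(iter(tags)) for tags in clients.values()]
        if len(set(values)) == len(values):
            flagged.append(url)
    return sorted(flagged)


if __name__ == "__main__":
    print(suspicious_etag_urls(SAMPLE_LOG))  # ['/pixel.gif']
```

Personalised resources legitimately vary per user, so treat a hit as a lead to inspect the endpoint, not as proof of tracking.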
  11. Thank you, Jarad, for presenting those 3 technical tracking examples. Now, if you’ll hold with us, I will present 3 more, talk about the impact on government and policy, and begin the discussion on how we can be proactive.... --- EFF (the Electronic Frontier Foundation, a nonprofit organization for civil liberties in the digital world) is running an experiment to find out what fingerprints your browser leaves behind on the web. Their system, Panopticlick, will anonymously log the configuration and version information from your operating system, your browser, and your plug-ins, and compare it to their database of many other Internet users' configurations. Then, it will give you a uniqueness score — letting you see how easily identifiable you might be as you surf the web. “Panopticlick creates its fingerprint from just eight pieces of information that are freely shared by web browsers, such as your timezone, screen resolution, plugins, and fonts. According to Sophos Security, the research shows that in general browser fingerprints are probably unique enough to be used to 'regenerate' deleted cookies (as Jarad showed) or even to replace tracking cookies entirely.” So I went to Panopticlick myself. On a work computer... which should be pretty generic! And I got “Your browser fingerprint appears to be unique among the 5,191,485 tested so far.” As far as the browser goes, I believe I only have one customization so far. So device fingerprinting is a snapshot of what your device IS.
  12. “...the previous was complex, but don’t worry, it only gets worse…” At a high level: canvas fingerprinting is where a site gets your web browser to draw a hidden image. But think about this… I ask each of you to draw for me a cat, or to write MY name. Each will be a bit unique. This is the same principle, because the composition of your computer’s hardware and software can create a unique style of drawing an image, or rendering characters in a font. Canvas fingerprinting is about what your device DOES, not what it IS. And as an advertiser all I need to do is create a database of these compositions to remember you, because I’m always going to ask you to draw for me the same picture. The only time this might change is if your hardware or software changes. This may not sound unique enough to be a concern, so let’s examine the possible future of this tech with a thought experiment... let’s look at just part of the feature set in forensic handwriting recognition. This is the human equivalent of canvas fingerprinting. The following quote is from the FBI: Handwriting features that examiners evaluate include the size and slope of the writing, pen pressure, pen lifts, the spacing between words and letters, the position of the writing on the baseline, height relationships, beginning and ending strokes, and line quality. A writer’s identity cannot be established through a single individual feature in the writing. Rather, identity is established through a combination of the significant features between the writings, with no significant differences. Now you may be thinking ‘why would an advertiser even bother?’ ‘This seems like a pain?’ Well, to realize the increasing adoption of all these tracking mechanisms let’s think about mobile. Cookies are not always supported on mobile, but mobile is the future and advertisers are concerned.
      Here is a quote from VentureBeat: “Instead of cookies, marketers track you on mobile by creating a personal identifier, or PI, to try to correlate browsing patterns. Canvas fingerprints are one such PI — and while they can’t be tied directly to an individual’s personal identity, they do provide marketers with data they can correlate.”
  13. Location and tracking information change the game. Imagine you could target devices known to be near your adversary’s organization. The following thought experiment will show that something seemingly benign, a simple step in the evolution of business, can be exploited. We’ll see how a business practice of Verizon and others might lead to a highly targeted attack on your organization...
  14. Let’s say you are responsible for the security of all assets.
  15. You might even go so far as to allow personal devices in the workplace.
  16. You’ve covered all traditional attack scenarios.
  17. And as far as wireless providers go, they are out of sight, out of mind.
  18. Did we forget something?
  19. Are you OK with just this one use, just this time?
  20. A mentor of mine says that “Success is lost in the details.”
  21. ... Today’s battles about targeting and tracking online revolve around cookies, which were created in 1994 (specifically, next month they will be old enough to drink). By being hyper-focused on cookies alone we’ve become biased to think that they are the only way to track online. This is no longer true.
  22. ... New technology comes with a cost and not everyone involved has the same goal. This scenario tied together some of my observations from industry: from marketing data reselling > Multi-Data-Point Identity Confidence > malicious ads > industry and company targeting > malware propagation across devices. It poked fun at Verizon for a practice AT&T dropped last year after realizing it might have been too powerful. It just takes a little bit of a malicious mindset to ride on the back of some of these trends. [should be at anywhere from 28 to 34 min mark now]
  23. Finally, let’s tie all this to government with a real world example. Let’s talk about the current state of policy. The vendor here in this heated Twitter exchange has gotten lots of bad press for a past shady practice, and they’re sore about it. They are the ones that got the White House featured in a negative article by the digital watchdog group the EFF. The vendor, AddThis, is a widely used social bookmarking service that can be integrated into a website with the use of a web widget. They were integrated into WhiteHouse.gov. I didn’t see them last I checked. Without alerting customers, AddThis decided to use its existing customer base’s websites as a massive R&D project. All of them. The government. The commercial. And the dirty. They just went ahead and deployed canvas fingerprinting technology through these installed plugins on the websites, to see how it would work out. We can say all WhiteHouse.gov visitors became beta testers or early adopters, and they could have been recognized across the entire AddThis portfolio as they browsed different sites. Where is the conflict? The main distinction is that the canvas fingerprint can’t be blocked by cookie management techniques, or erased with your other cookies. This is inconsistent with the White House’s promise that “Visitors can control aspects of website measurement and customization technologies used on WhiteHouse.gov.” From my own reading, let’s go over to the State Department for a second… regarding State.gov’s privacy policy, I don’t think it will stand the test of time: the only section that addresses the topic of tracking is specific to cookies. The White House case potentially sets a precedent for identical accusations against other sites with dated privacy policies.
      --- source: https://www.addthis.com/blog/2014/07/23/the-facts-about-our-use-of-a-canvas-element-in-our-recent-rd-test/#.VTccepTF9jc
      --- source: https://www.eff.org/deeplinks/2014/07/white-house-website-includes-unique-non-cookie-tracker-despite-privacy-policy
      --- source: https://twitter.com/addthis/status/520670446715301888
  24. Let’s go abroad for a second to see what is happening elsewhere. The EU Cookie Law went into effect in May 2012. While this may seem to save us, it’s limited again to COOKIES! The ePrivacy directive, more specifically Article 5(3), requires prior informed consent for storage of or access to information stored on a user's terminal equipment. However, there are exemptions: user-input cookies, authentication cookies, user-centric security cookies, multimedia content player cookies, load-balancing cookies, user-interface customisation cookies, and third-party social plug-in content-sharing cookies. Google Analytics is covered by the requirements of the EU Cookie Law. This means website owners must seek consent for the use of GA.
  25. The problem is here today. So as a jumpstart we propose a few initial thoughts on both technical and non-technical ways to start mitigating the effects of these persistent tracking mechanisms. As a system owner, there are non-technical ways to remediate. It is prudent for users and organizations to review and update their privacy policy. For example, State.gov’s says: “If you do not wish to have session or persistent cookies stored on your machine, you can turn cookies off in your browser.” But we can’t just turn off the new technologies anymore, as some are intrinsic. On the technical side, we advocate source code review and version locking. This perhaps may have helped the White House avoid being criticized for including a next-generation tracking technology on its website. The incident may have even occurred without their knowledge. The tracking code could have been embedded in remotely-hosted code under vendor control, and included into the site. This is the extra code used to supply social media sharing buttons. Specifically, this case may have been mitigated by a White House developer copying down the vendor’s client-side JavaScript code, reviewing it for these tracking technologies, and then, once vetted, locking in the version and self-hosting the code on White House servers to keep it under their control. [should be at 35 to 41 min mark now]
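The review-and-lock procedure above, as an added Python illustration that is our own and not White House, AddThis or any vendor's code: it flags the browser APIs that the canvas fingerprinting described earlier and evercookie-style storage depend on, then records a SHA-256 pin so the self-hosted copy can be checked against the reviewed version; the vendor snippet, API list and function names are constructed for this example.

```python
"""Review a vendor's client-side script and lock its version (added example).

Our own illustration of the remediation above, not White House or AddThis
code: (1) flag browser APIs that canvas fingerprinting and evercookie-style
storage rely on, so the reviewer knows where to look; (2) record a SHA-256
pin of the vetted file so a build check fails if the self-hosted copy drifts.
"""
import hashlib
import hmac
import re

# APIs worth a reviewer's attention. Heuristic only: a hit means "inspect
# this", not "this is tracking"; charts and games legitimately use canvas.
INDICATORS = {
    "canvas": {"toDataURL": r"\.toDataURL\s*\(",
               "getImageData": r"\.getImageData\s*\(",
               "measureText": r"\.measureText\s*\("},
    "storage": {"localStorage": r"\blocalStorage\b",
                "indexedDB": r"\bindexedDB\b",
                "openDatabase": r"\bopenDatabase\s*\("},
}

# Constructed vendor snippet: draws hidden text, serialises the pixels, stores it.
VENDOR_SNIPPET = """
var c = document.createElement('canvas'); var ctx = c.getContext('2d');
ctx.textBaseline = 'top'; ctx.font = "14px 'Arial'"; ctx.fillText('hello', 2, 2);
var fp = c.toDataURL();
localStorage.setItem('uid', fp);
"""


def find_tracking_indicators(js_source):
    """Map each category to the sorted suspicious APIs found in the script."""
    hits = {}
    for category, apis in INDICATORS.items():
        found = sorted(n for n, pat in apis.items() if re.search(pat, js_source))
        if found:
            hits[category] = found
    return hits


def pin_digest(js_source):
    """SHA-256 of the exact text reviewed; keep it beside the self-hosted copy."""
    return hashlib.sha256(js_source.encode("utf-8")).hexdigest()


def verify_pin(js_source, expected_digest):
    """True only while the file matches the reviewed version (constant-time)."""
    return hmac.compare_digest(pin_digest(js_source), expected_digest)
```

Run `find_tracking_indicators` on the vendor file before vetting and `verify_pin` in the deploy step; a failed pin means the script changed since review and must be re-read before it goes live.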
  26. “Now we’ll take questions”