
    A privacy and security analysis of realistic personal data leakages through fingerprinting and inadequate policies

    No full text
    In this thesis, we evaluate and analyze the cybersecurity and privacy impact of personal information leakages in practice. Here, we study two types of countermeasures that have historically been deployed to protect against privacy or security abuses, more specifically, network traffic encryption and international privacy regulations. First, we extensively discuss webpage fingerprinting in the domain of network traffic analysis and present novel attacks that are capable of predicting webpage visits as MitM from large social media platforms. At the same time, we solve many of the practical implications such as the need for large network traffic datasets and the ability to fingerprint webpages which are inherently dynamic by nature. Moreover, we demonstrate that fingerprinting methods of prior academic work are unrealistic to conduct in real life, especially due to the base-rate fallacy and the wide variety of network clients that induce different behaviour in network traffic. Therefore, we devise a novel network processing technique which significantly improves upon prior methods with accuracy increases up to 50% in realistic use cases. To finalize, we suggest several countermeasures against these fingerprinting attacks and experimentally evaluate the viability to implement these defenses in practice. In addition to webpage fingerprinting, we also discuss several methods applied by the industry to fingerprint domain names of websites in the context of zero-rating. Here, we demonstrate that recent encryption protocols such as DoH and ECHO do not sufficiently protect the end-user against leakages by proposing a chain of attack techniques that are able to substantially reduce the effectiveness of these protocols. The second and last part of this thesis analyzes the implementation of privacy policies and how personal information leakages can occur in this context by abusing Art. 15 'Right of Access' of the GDPR. In our ethically set up analysis we demonstrate that by using specially crafted social engineering attacks, we are able to request highly sensitive personal data from external individuals. We carefully pick 55 organizations from the Alexa top websites and observe that 27% of the tested organizations are vulnerable to our attack. These organizations conduct business in diverse areas such as the financial, transport and entertainment industry. To solve these high-impact issues, we propose various technical suggestions for organizations to improve their security policies and for consumers to avoid using organizations that have no strict or secure policy in place. Finally, we examine whether the vulnerable organizations have ameliorated their policies after a period of 2 years by conducting an improved variant of our attack. In this study, we discover that more than half of the organizations have not (yet) implemented the necessary changes to prevent our attack and avoid leaking personal data. In addition, we learn that 27% of the organizations have worsened their policies over time instead of improving them. To better understand the reasoning behind choosing specific secure (or insecure) privacy policies, we have conducted interview sessions with DPOs and also compared the different methods to abuse the 'Right of Access' from prior work. Based on our overall findings from our experiments and interviews, we discover that many of the insecure practices are a direct result of common technical security misconceptions such as, for instance, digital signatures and the inner workings of two-factor authentication.

    Knocking on IPs: Identifying HTTPS Websites for Zero-Rated Traffic

    No full text
    Zero-rating is a technique where internet service providers (ISPs) allow consumers to utilize a specific website without charging their internet data plan. Implementing zero-rating requires an accurate website identification method that is also efficient and reliable to be applied on live network traffic. In this paper, we examine existing website identification methods with the objective of applying zero-rating. Furthermore, we demonstrate the ineffectiveness of these methods against modern encryption protocols such as Encrypted SNI and DNS over HTTPS and therefore show that ISPs are not able to maintain the current zero-rating approaches in the forthcoming future. To address this concern, we present “Open-Knock,” a novel approach that is capable of accurately identifying a zero-rated website, thwarts free-riding attacks, and is sustainable on the increasingly encrypted web. In addition, our approach does not require plaintext protocols or preprocessed fingerprints upfront. Finally, our experimental analysis unveils that we are able to convert each IP address to the correct domain name for each website in the Tranco top 6000 websites list with an accuracy of 50.5% and therefore outperform the current state-of-the-art approaches. This research was funded in part by Bijzonder Onderzoeksfonds (BOF) of Hasselt University. Finally, the authors thank Balazs Nemeth and Pieter Robyns for sharing their indepth knowledg

    Realistically Fingerprinting Social Media Webpages in HTTPS Traffic

    No full text
    In webpage fingerprinting (WPF), an adversary attempts to identify webpages in encrypted network traffic. Identifying social media webpages however is a challenging task, due to the similarity and dynamic nature of such pages. Existing webpage fingerprinting attacks often have unrealistic assumptions regarding the capability of government agencies or knowledge of the criminal’s environment, which renders these attacks ineffective when applied to social media platforms. In this paper, we unravel the current concerns in state of the art WPF attacks in a social network context for forensic analysis. To resolve the issues presented, we propose an enhanced version of the WPF attack ‘IUPTIS’ and introduce an intelligent observer that significantly improves upon previous works. Furthermore, our improvements are compared to related WPF attacks by conducting extensive experiments on two social platforms: Twitter and Instagram. Our examination shows that the improved IUPTIS attack defeats previous works in terms of realistic obstacles such as HTTP/2, caching and performance costs, thus making it feasible to identify social media webpages with minimal resources. Thank you to Robin Marx for his extensive knowledge of the HTTP/2 protocol. As well as Pieter Robyns for his valuable deep learning experience, Balazs Nemeth and Tom Haber for their insightful feedback. This research was funded in part by the Bijzonder Onderzoeksfonds (BOF) of Hasselt Universit

    Personal Information Leakage by Abusing the GDPR 'Right of Access'

    No full text
    The General Data Protection Regulation (GDPR) “Right of Access” grants (European) natural persons the right to request and access all their personal data that is being processed by a given organization. Verifying the identity of the requester is an important aspect of this process, since it is essential to prevent data leaks to unauthorized third parties (e.g. criminals). In this paper, we evaluate the verification process as implemented by 55 organizations from the domains of finances, entertainment, retail and others. To this end, we attempt to impersonate targeted individuals who have their data processed by these organizations, using only forged or publicly available information extracted from social media and alike. We show that policies and practices regarding the handling of GDPR data requests vary significantly between organizations and can often be manipulated using social engineering techniques. For 15 out of the 55 organizations, we were successfully able to impersonate a subject and obtained full access to their personal data. The leaked personal data contained a wide variety of sensitive information, including financial transactions, website visits and physical location history. Finally, we also suggest a number of practical policy improvements that can be implemented by organizations in order to minimize the risk of personal information leakage to unauthorized third parties. This research was funded in part by the Bijzonder Onderzoeksfonds (BOF) of Hasselt University and by a Ph.D. Grant of the Research Foundation Flanders (FWO), grant number 1S14916N. Finally, we thank the reviewers and shepherd for their in-depth feedback.

    Revisiting Identification Issues in GDPR ‘Right Of Access’ Policies: A Technical and Longitudinal Analysis

    No full text
    Several data protection regulations permit individuals to request all personal information that an organization holds about them by utilizing Subject Access Requests (SARs). Prior work has observed the identification process of such requests, demonstrating weak policies that are vulnerable to potential data breaches. In this paper, we analyze and compare prior work in terms of methodologies, requested identification credentials and threat models in the context of privacy and cybersecurity. Furthermore, we have devised a longitudinal study in which we examine the impact of responsible disclosures by re-evaluating the SAR authentication processes of 40 organizations after they had two years to improve their policies. Here, we demonstrate that 53% of the previously vulnerable organizations have not corrected their policy and an additional 27% of previously non-vulnerable organizations have potentially weakened their policies instead of improving them, thus leaking sensitive personal information to potential adversaries. To better understand state-of-the-art SAR policies, we interviewed several Data Protection Officers and explored the reasoning behind their processes from a viewpoint in the industry and gained insights about potential criminal abuse of weak SAR policies. Finally, we propose several technical modifications to SAR policies that reduce privacy and security risks of data controllers.

    IUPTIS: Fingerprinting Profile Webpages in a Dynamic and Practical DPI Context

    No full text
    In this paper, we propose an extended overview of a novel webpage fingerprinting technique ‘IUPTIS’ that allows an adversary to identify webpage profiles in an encrypted HTTPS traffic trace. Our approach works by identifying sequences of image resources, uniquely attributed to each webpage. Assumptions of previous state-of-the-art methods are reduced by developing an approach that does not depend on the browser utilized. Additionally, it outperforms previous methods by allowing webpages to be dynamic in content and permitting a limited number of browser and CDN-cached resources. These easy-to-use properties make it viable to apply our method in DPI frameworks where performance is crucial. With practical experiments on social media platforms such as Pinterest and DeviantArt, we show that IUPTIS is an accurate and robust technique to fingerprint profile webpages in a realistic scenario. To conclude, we propose several defenses that are able to mitigate IUPTIS in privacy-enhanced tools such as Tor

    Going Beyond Counting First Authors in Author Co-citation Analysis

    Full text link
    The present study examines one of the fundamental aspects of author co-citation analysis (ACA) - the way co-citation counts are defined. Co-citation counting provides the data on which all subsequent statistical analyses and mappings are based, and we compare ACA results based on two different types of co-citation counting - the traditional type that only counts the first one among a cited work's authors on the one hand and a non-traditional type that takes into account the first 5 authors of a cited work on the other hand. Results indicate that the picture produced through this non-traditional author co-citation counting contains more coherent author groups and is therefore considerably clearer. However, this picture represents fewer specialties in the research field being studied than that produced through the traditional first-author co-citation counting when the same number of top-ranked authors is selected and analyzed. Reasons for these effects are discussed