Could Googling Take Down A President, a Prime Minister, or an Average Citizen? Greg Conti | United States Military Academy | gregory-conti@usma.edu The views expressed in this presentation are those of the author and do not reflect the official policy or position of the United States Military Academy, the Department of the Army, the Department of Defense or the U.S. Government. http://www.whitehouse.gov/omb/budget/fy2005/images/justice-7.jpg Who is familiar with the AOL dataset disclosure? Who has seen the data? The AOL Dataset Debacle SIGIR – IR List (August 2006) Subject: research.aol.com AOL is embarking on a new direction for its business making its content and products freely available to all consumers. To support those goals, AOL is also embracing the vision of an open research community. To get started, we invite you to visit us at http://research.aol.com, where you will find: • 20,000 hand labeled, classified queries • 3.5 million web question/answer queries (who, what, where, when, etc.) • Query streams for 500,000 users over 3 months (20 million queries) • 2 million queries against US Government domains Also, please feel free to provide feedback on the site, datasets you'd like to see in the future, and any other comments about our vision. The AOL Dataset Debacle SIGIR – IR List (August 2006) Subject: research.aol.com AOL is embarking on a new direction for its business making its content and products freely available to all consumers. To support those goals, AOL is also embracing the vision of an open research community. To get started, we invite you to visit us at http://research.aol.com, where you will find: • 20,000 hand labeled, classified queries • 3.5 million web question/answer queries (who, what, where, when, etc.) • Query streams for 500,000 users over 3 months (20 million queries) • 2 million queries against US Government domains Also, please feel free to provide feedback on the site, datasets you'd like to see in the future, and any other comments about our vision. AOL Stalker AOL Psycho AOL Demo • User #10291 • User #2708 Knowledge of the AOL Dataspill Question no vaguely somewhat very Are you familiar with the AOL data disclosure of August 2006? 84% 7% 7% 2% Knowledge of the AOL Dataspill Question no vaguely somewhat very Are you familiar with the AOL data disclosure of August 2006? 84% 7% 7% 2% Outline • Information Disclosure – Computing Platform – Network Eavesdropping – Destination Websites / ISPs • Vectors • Cross-site Tracking – Advertising and Embedded Content • Where we are and where we are going Definitions googling: The full spectrum of free online tools and services (such as search, mapping, email, Web-based word processing and calendaring etc.) web-based information disclosure: the information we disclose as we surf the web “Free” web tools and services aren’t free, we pay for them with micropayments of personal information. “Never talk when you can nod, and never nod when you can wink, and never write an e-mail because it's death. You're giving prosecutors all the evidence we need.” - Eliot Spitzer Two Years before his resignation Eliot Spitzer Former-Governor of New York http://abcnews.go.com/Blotter/story?id=4424507&page=1 Maf54 (7:43:27 PM): well dont ruin my mental picture Xxxxxxxxx (7:43:32 PM): oh lol...sorry Maf54 (7:43:54 PM): nice Maf54 (7:43:54 PM): youll be way hot then Xxxxxxxxx (7:44:01 PM): haha...hopefully http://abcnews.go.com/WNT/BrianRoss/Story?id=2509586&page=2 Mark Foley Former-US Congressman Can anyone help me please! This stalking thing is not funny at all. When I type my name in keyword it gives a list of places that show where I have been on aol on the net. This is nobodys business. I have not done anything wrong at all and I have contacted aol about this matter and they keep saying they will do something about it but never do. -Debbie How do I get stuff removed from aol stalker? Can anyone tell me? Aol won't respond even though they claim willingness to remove data when requested. Someone, anyone, please help! -Sally http://blogs.ittoolbox.com/security/investigator/archives/aol-stalker-website-unleashed-11133 In the news… • Administration Demands Search Data; Google Says No; AOL, MSN & Yahoo Said Yes – http://blog.searchenginewatch.com/blog/060119-060352 • Hit Pause On The Evil Button: Google Assists In Arrest Of Indian Man – http://www.washingtonpost.com/wp-dyn/content/article/2008/05/18/AR2008051800657.html • Moroccan Man Jailed For Fake Facebook Profile – http://www.techcrunch.com/2008/02/07/moroccan-man-jailed-for-fake-facebook-profile/ • Group: Yahoo Assisted China With Torture – http://origin.foxnews.com/wires/2007Apr19/0,4670,YahooChina,00.html • Google ordered to give YouTube user data to Viacom – http://afp.google.com/article/ALeqM5hty1hXgakr7zoviTVNKalsStgSOw Data Collection 3000 Number of Times Data is Collected on Each Visitor in a Month (Average) Yahoo MySpace AOL Google Facebook Microsoft Ebay Amazon http://www.nytimes.com/2008/03/10/technology/10privacy.html?pagewanted=1&_r=1&hp / Comscore Unique Visitors 180 Millions Unique Visitors per Month Yahoo MySpace AOL Google Facebook Microsoft Ebay Amazon http://www.nytimes.com/2008/03/10/technology/10privacy.html?pagewanted=1&_r=1&hp & Comscore source: http://www.internetworldstats.com/stats.htm Global Computing Statistics • World Population • Cell Phones • Personal Computers • MP3 Players • Digital Cameras • Webcams • PDAs • DVRs • Servers ~6.6 Billion ~3.3 Billion ~1.2 Billion ~220 Million ~120 Million ~100 Million ~85 Million ~44 Million ~27 Million Kevin Kelly, “The Planetary Computer.” Wired, 16.07, July 2008, pp52-55 Data Retention/Anonymization • • • • Ask Google Microsoft Yahoo “hours” 18 months 18 months 13 months • • • • Other logs… Other companies… The cookie fallacy. ISPs? http://www.webmonkey.com/blog/Yahoo_Trumps_Google_With_New_Data_Retention_Policy http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9027924&source=rss_news50 Ebay Ebay Amazon Amazon Profiling “Career Watcher” “Active Gamer” • Google hackers • Security researchers • Political activists • Company XXX employee • Corporate leaders • Law enforcement officer • Government official Tacoda, The Home of Behavioral Targeting, http://www.tacoda.com/ Information Leakage and Spurious Emanations on a Network Online Company Information Leakage and Spurious Emanations on a Network Online Company Information Leakage and Spurious Emanations on a Network Online Company Information Leakage and Spurious Emanations on a Network Online Company Information Leakage and Spurious Emanations on a Network Online Company Information Leakage and Spurious Emanations on a Network Online Company ISPs vs. Large Online Companies Online Company • Sees global traffic from many customers – domain specific • Advertising and embedded content brings in additional information • Limited knowledge of user identity • Extensive datamining ISP • Sees all traffic from its set of customers – except encrypted traffic – traffic analysis • Limited to no visibility on non-customers • Knows identity and location of accounts • Ability to manipulate network flows – DNS – blocking P2P ISPs vs. Large Online Companies Online Company • Sees global traffic from many customers – domain specific • Advertising and embedded content brings in additional information • Limited knowledge of user identity • Extensive datamining ISP • Sees all traffic from its set of customers – except encrypted traffic – traffic analysis • Limited to no visibility on non-customers • Knows identity and location of accounts • Ability to manipulate network flows – DNS – blocking P2P ISPs vs. Large Online Companies Online Company • Sees global traffic from many customers – domain specific • Advertising and embedded content brings in additional information • Limited knowledge of user identity • Extensive datamining ISP • Sees all traffic from its set of customers – except encrypted traffic – traffic analysis • Limited to no visibility on non-customers • Knows identity and location of accounts • Ability to manipulate network flows – DNS – blocking P2P DNS Based Vulnerabilities • Rogers ISP http://lauren.vortex.com/rogers-google.jpg Myriad Disclosure Vectors • Search • Communications – Email / IM / SMS… • Advertising Networks / Purchasing • Other Web 2.0 innovations – Web office suites – Mashups – Location based services – Social networking • Cloud computing The Many Flavors of Search (Simply Google) Map Quest Mapping sites reveal locations of interest, allowing diverse groups of users to be linked. Everyscape http://www.everyscape.com/sanfrancisco-ca.us.aspx Linked In Social networking sites know your contacts and your contacts’ contacts. Old friends will find you and let the site know of the relationship. Craig’s List Craig’s List You Send It rot 13 Even the most innocent appearing services should be considered as collecting your data If the content on the web it is fair game. Cross-site Tracking • • • • • • • Referer values Click-through tracking Cookies Information sharing agreements Advertising networks Web bugs Third-party content and services – Videos – Affiliate networks – Analytics services Embedded Advertising Amazon MP3 Clips Widget Ebay pulling ads from a Yahoo server A Visit to MSNBC 255.255.255.255 0.0.0.0 A Visit to MSNBC 255.255.255.255 0.0.0.0 • • • • • • • • • • • • • • • • a365.ms.akamai.net a509.cd.akamai.net ad.3ad.doubleclick.net amch.questionmarket.com c.live.com.nsatc.net c.msn.com.nsatc.net rad.msn.com.nsatc.net context3.kanoodle.com global.msads.net.c.footprint.net hm.sc.msn.com.c.footprint.net msnbcom.112.2o7.net prpx.service.mirror-image.net wrpx.service.mirror-image.net switch.atdmt.com view.atdmt.com www-google-analytics.l.google.com • 16 third-party sites • 10 separate companies http://www.msnbc.msn.com/ Privacy Policies the LCD Is there a browser plug-in that easily shows third-party contact? TrackMeNot and Beyond… • http://mrl.nyu.edu/~dhowe/trackmenot/ • http://mrl.nyu.edu/~dhowe/words.html • http://www.schneier.com/blog/archives/2 006/08/trackmenot_1.html Progress • Attempts at increasing user awareness • Data leak prevention • Search query anonymization • Malware warnings User Awareness http://www.google.com/privacy_ads.html Challenges • Electronic discovery • Phoning home • Dependency • New products and services • Corporate consolidation and death • Web 2.0 / Interaction tracking • Trend away from desktop • Multiple privacy policies Threat Spectrum ISP manipulation Service eliminated Cross-site tracking DNS Redirection User profiling Third-party sharing Government Targeted advertising collaboration Likely Search result ranking manipulation User fingerprinting Data Spills Redirect to malicious sites Less Likely Threat Spectrum ISP manipulation Service eliminated Cross-site tracking DNS Redirection User profiling Third-party sharing Government Targeted advertising collaboration Likely Search result ranking manipulation Digital Assassination User Redirect to fingerprinting malicious sites Data Spills Less Likely Threat Spectrum ISP manipulation Service eliminated Cross-site tracking DNS Redirection User profiling Third-party sharing Government Targeted advertising collaboration Likely Search result ranking Digital manipulation Assassination User Redirect to fingerprinting malicious sites Data Spills Less Likely Threat Spectrum ISP manipulation Service eliminated Cross-site tracking DNS Redirection User profiling Third-party sharing Government Targeted advertising collaboration Likely Search result ranking Digital manipulation Assassination User Redirect to fingerprinting malicious sites Data Spills Less Likely Threat Spectrum ISP manipulation Service eliminated Cross-site tracking DNS Redirection User profiling Third-party sharing Government Targeted advertising collaboration Likely Search result ranking Digital manipulation Assassination User Redirect to fingerprinting malicious sites Data Spills Less Likely Acknowledgements 3efd09cddc148ee790d17e35ae 323852, Kulsoom Abdullah, Sergey Bratus, Defcon, Georgia Tech, HOPE, Interz0ne, New Security Paradigms Workshop, Anna Shubina, Ed Sobiesk, StankDawg, Symposium on Usable Privacy and Security More Information... • E. Sobiesk and G. Conti; "The Cost of Free Web Tools;" IEEE Security and Privacy, May/June 2007. • K. Abdullah, G. Conti and E. Sobiesk; "Self-monitoring of Web-based Information Disclosure;" Workshop on Privacy in the Electronic Society; October 2007. • G. Conti and E. Sobiesk; "An Honest Man Has Nothing to Fear: User Perceptions on Web-based Information Disclosure;" Symposium on Usable Privacy and Security (SOUPS); July 2007. • G. Conti; "Googling Considered Harmful;" New Security Paradigms Workshop; October 2006. • G. Conti; Googling Security. Addison-Wesley. ~October 2008 DAVIX (Jan Monsch and Raffy Marty) DAVIX Workshop DEFCON Breakout Room Sunday 2PM-4PM http://www.secviz.org/node/89 “Free” web tools and services aren’t free, we pay for them with micropayments of personal information… But we also pay for them by tolerating evil interfaces. Survey Could Googling Take Down A President, a Prime Minister, or an Average Citizen? Greg Conti | United States Military Academy | gregory-conti@usma.edu Backup Slides Linking Users, Groups, and Organizations