Could Googling Take Down A President,
a Prime Minister, or an Average Citizen?
Greg Conti | United States Military Academy | gregory-conti@usma.edu
The views expressed in this presentation are those of the author and do not reflect the official policy or position of the United States Military Academy, the Department of the Army, the Department of Defense or the U.S. Government.
Who is familiar with the AOL dataset disclosure?
Who has seen the data?
The AOL Dataset Debacle
SIGIR – IR List (August 2006)
Subject: research.aol.com
AOL is embarking on a new direction for its business making its content and products freely available to all consumers. To support those goals, AOL is also embracing the vision of an open research community. To get started, we invite you to visit us at http://research.aol.com, where you will find:
• 20,000 hand labeled, classified queries
• 3.5 million web question/answer queries (who, what, where, when, etc.)
• Query streams for 500,000 users over 3 months (20 million queries)
• 2 million queries against US Government domains
Also, please feel free to provide feedback on the site, datasets you'd like to see in the future, and any other comments about our vision.
AOL Stalker
AOL Psycho
AOL Demo
• User #10291
• User #2708
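What made the release a "dataspill" rather than a research dataset is visible in the file layout itself: every row carried a persistent AnonID, so anyone could regroup three months of queries into one person's history. The example below is added here and is not AOL's or the author's code. It uses the tab-separated column layout of the released file (AnonID, Query, QueryTime, ItemRank, ClickURL) with constructed users and queries, rebuilds a per-user history, runs a deliberately crude pass for queries that narrow a pseudonym down to a person (ZIP codes, locality queries, name-shaped queries), and shows one mitigation, a keyed per-day pseudonym, that limits how far the linkage reaches. The heuristics and the mitigation are illustrations chosen for this example, not a standard.

```python
import hashlib
import hmac
import re
from collections import defaultdict

# Constructed sample in the column layout of the released AOL file.
# The AnonIDs, queries, timestamps and URLs are made up for this example.
SAMPLE_LOG = """\
AnonID\tQuery\tQueryTime\tItemRank\tClickURL
3100421\thow to fix a leaking faucet\t2006-03-01 10:02:11\t\t
3100421\tdentists in springfield\t2006-03-02 19:11:05\t1\thttp://dentist.example
3100421\tjane q sample\t2006-03-04 08:41:40\t\t
3100421\tweather 00000\t2006-04-15 22:17:09\t\t
7720901\tbest pizza near 00000\t2006-03-01 12:00:00\t2\thttp://pizza.example
7720901\tcheap flights\t2006-05-20 09:30:00\t\t
"""


def parse_log(text):
    """Parse the tab-separated release format into a list of row dicts."""
    lines = text.splitlines()
    header = lines[0].split("\t")
    return [dict(zip(header, line.split("\t"))) for line in lines[1:]]


def profile_by_id(rows):
    """Group queries by AnonID. With a persistent pseudonym this single
    group-by turns a 'de-identified' file into per-person search histories."""
    profiles = defaultdict(list)
    for row in rows:
        profiles[row["AnonID"]].append(row["Query"])
    return dict(profiles)


# Crude illustrative heuristics (assumption: a real review uses far richer
# rules): five-digit ZIP codes, 'in/near <place>' locality queries and
# name-shaped 'first m last' queries are the kind of content that ties a
# pseudonym to a person.
ZIP_RE = re.compile(r"\b\d{5}\b")
LOCALITY_RE = re.compile(r"\b(in|near)\s+\w+", re.I)
NAME_RE = re.compile(r"^[a-z]+ [a-z]\.? [a-z]+$", re.I)


def identifying_queries(queries):
    """Return the queries in a history that match the heuristics above."""
    return [q for q in queries
            if ZIP_RE.search(q) or LOCALITY_RE.search(q) or NAME_RE.match(q)]


def rotating_pseudonym(anon_id, query_time, key):
    """Keyed pseudonym that changes every day: HMAC(key, user|day).
    Rows from the same user on the same day still join (session analysis
    keeps working); rows from different days do not, so a months-long
    history cannot be rebuilt without the key. Added illustration of one
    mitigation, not what AOL did."""
    day = query_time[:10]                      # 'YYYY-MM-DD' prefix
    msg = f"{anon_id}|{day}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:16]


def pseudonymize(rows, key):
    """Replace AnonID in every row with the rotating pseudonym."""
    out = []
    for row in rows:
        new_row = dict(row)
        new_row["AnonID"] = rotating_pseudonym(row["AnonID"], row["QueryTime"], key)
        out.append(new_row)
    return out


if __name__ == "__main__":
    rows = parse_log(SAMPLE_LOG)
    for anon_id, history in profile_by_id(rows).items():
        print(anon_id, len(history), "queries; identifying:",
              identifying_queries(history))
    rotated = profile_by_id(pseudonymize(rows, b"secret-log-key"))
    print(len(rotated), "pseudonyms after per-day rotation")
```

Note what rotation does not fix: the identifying queries are still in the file, and a single day's rows can still be read together. Rotation bounds the linkage window; only removing or generalizing the query text addresses the content itself.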
Knowledge of the AOL Dataspill
Question: Are you familiar with the AOL data disclosure of August 2006?
  no        84%
  vaguely    7%
  somewhat   7%
  very       2%
Outline
• Information Disclosure
– Computing Platform
– Network Eavesdropping
– Destination Websites / ISPs
• Vectors
• Cross-site Tracking
– Advertising and Embedded Content
• Where we are and where we are
going
Definitions
googling: The full spectrum of free online tools and services (such as search, mapping, email, Web-based word processing and calendaring etc.)
web-based information disclosure: the information we disclose as we surf the web
“Free” web tools and services aren’t free, we pay for them with micropayments of personal information.
“Never talk when you can nod, and never nod when you can wink, and never write an e-mail because it's death. You're giving prosecutors all the evidence we need.”
- Eliot Spitzer, two years before his resignation
Eliot Spitzer
Former Governor of New York
http://abcnews.go.com/Blotter/story?id=4424507&page=1
Maf54 (7:43:27 PM): well dont ruin my mental picture
Xxxxxxxxx (7:43:32 PM): oh lol...sorry
Maf54 (7:43:54 PM): nice
Maf54 (7:43:54 PM): youll be way hot then
Xxxxxxxxx (7:44:01 PM): haha...hopefully
http://abcnews.go.com/WNT/BrianRoss/Story?id=2509586&page=2
Mark Foley
Former US Congressman
Can anyone help me please! This stalking thing is not funny at all. When I type my name in keyword it gives a list of places that show where I have been on aol on the net. This is nobody's business. I have not done anything wrong at all and I have contacted aol about this matter and they keep saying they will do something about it but never do.
-Debbie

How do I get stuff removed from aol stalker? Can anyone tell me? Aol won't respond even though they claim willingness to remove data when requested. Someone, anyone, please help!
-Sally
http://blogs.ittoolbox.com/security/investigator/archives/aol-stalker-website-unleashed-11133
In the news…
• Administration Demands Search Data; Google Says No; AOL, MSN & Yahoo Said Yes – http://blog.searchenginewatch.com/blog/060119-060352
• Hit Pause On The Evil Button: Google Assists In Arrest Of Indian Man – http://www.washingtonpost.com/wp-dyn/content/article/2008/05/18/AR2008051800657.html
• Moroccan Man Jailed For Fake Facebook Profile – http://www.techcrunch.com/2008/02/07/moroccan-man-jailed-for-fake-facebook-profile/
• Group: Yahoo Assisted China With Torture – http://origin.foxnews.com/wires/2007Apr19/0,4670,YahooChina,00.html
• Google ordered to give YouTube user data to Viacom – http://afp.google.com/article/ALeqM5hty1hXgakr7zoviTVNKalsStgSOw
Data Collection
[Chart: average number of times data is collected on each visitor per month, by company (Yahoo, MySpace, AOL, Google, Facebook, Microsoft, Ebay, Amazon); vertical axis runs to 3,000]
Source: http://www.nytimes.com/2008/03/10/technology/10privacy.html?pagewanted=1&_r=1&hp / comScore
Unique Visitors
[Chart: unique visitors per month, in millions, for the same companies; vertical axis runs to 180]
Source: http://www.nytimes.com/2008/03/10/technology/10privacy.html?pagewanted=1&_r=1&hp / comScore
Source: http://www.internetworldstats.com/stats.htm
Global Computing Statistics
• World Population      ~6.6 Billion
• Cell Phones           ~3.3 Billion
• Personal Computers    ~1.2 Billion
• MP3 Players           ~220 Million
• Digital Cameras       ~120 Million
• Webcams               ~100 Million
• PDAs                  ~85 Million
• DVRs                  ~44 Million
• Servers               ~27 Million
Kevin Kelly, “The Planetary Computer.” Wired, 16.07, July 2008, pp52-55
Data Retention/Anonymization
• Ask         “hours”
• Google      18 months
• Microsoft   18 months
• Yahoo       13 months
• Other logs…
• Other companies…
• The cookie fallacy.
• ISPs?
http://www.webmonkey.com/blog/Yahoo_Trumps_Google_With_New_Data_Retention_Policy
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9027924&source=rss_news50
Ebay
Amazon
Profiling
“Career Watcher”
“Active Gamer”
• Google hackers
• Security researchers
• Political activists
• Company XXX employee
• Corporate leaders
• Law enforcement officer
• Government official
Tacoda, The Home of Behavioral Targeting, http://www.tacoda.com/
Information Leakage and Spurious Emanations on a Network
[Diagram; label: Online Company]
ISPs vs. Large Online Companies
Online Company
• Sees global traffic from many customers
  – domain specific
• Advertising and embedded content brings in additional information
• Limited knowledge of user identity
• Extensive datamining
ISP
• Sees all traffic from its set of customers
  – except encrypted traffic
  – traffic analysis
• Limited to no visibility on non-customers
• Knows identity and location of accounts
• Ability to manipulate network flows
  – DNS
  – blocking P2P
DNS Based Vulnerabilities
• Rogers ISP
http://lauren.vortex.com/rogers-google.jpg
Myriad Disclosure Vectors
• Search
• Communications
– Email / IM / SMS…
• Advertising Networks / Purchasing
• Other Web 2.0 innovations
– Web office suites
– Mashups
– Location based services
– Social networking
• Cloud computing
The Many Flavors of Search (Simply Google)
Map Quest: Mapping sites reveal locations of interest, allowing diverse groups of users to be linked.
Everyscape: http://www.everyscape.com/sanfrancisco-ca.us.aspx
Linked In: Social networking sites know your contacts and your contacts’ contacts. Old friends will find you and let the site know of the relationship.
Craig’s List
You Send It
rot 13: Even the most innocent-appearing services should be considered as collecting your data.
If the content is on the web, it is fair game.
Cross-site Tracking
• Referer values
• Click-through tracking
• Cookies
• Information sharing agreements
• Advertising networks
• Web bugs
• Third-party content and services
  – Videos
  – Affiliate networks
  – Analytics services
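The first two mechanisms in that list, the Referer header and a cookie scoped to the ad network's own domain, are enough on their own to stitch visits to unrelated sites into one profile. The simulation below is an added example, not code from the talk or from any ad network: a toy tracker host (ads.example, a constructed name) is embedded on two constructed publisher sites, and a minimal browser model makes the three embedded requests. Switching off third-party cookies or the Referer shows which half of the profile each countermeasure removes.

```python
import secrets
from urllib.parse import urlsplit

TRACKER_HOST = "ads.example"   # hypothetical third-party ad network host


def parse_cookies(header):
    """Parse a Cookie request header ('a=1; b=2') into a dict."""
    jar = {}
    for part in (header or "").split(";"):
        if "=" in part:
            name, value = part.strip().split("=", 1)
            jar[name] = value
    return jar


class AdNetwork:
    """Toy ad server. Every publisher page embeds one of its images, so each
    page view sends it a request carrying the page URL (Referer) and its own
    cookie (uid). Those two headers are all it needs to link browsing across
    sites that never share data with each other."""

    def __init__(self):
        self.profiles = {}          # uid cookie -> list of (site, path) seen

    def serve_ad(self, referer, cookie_header):
        uid = parse_cookies(cookie_header).get("uid")
        set_cookie = None
        if uid is None:             # first contact: mint an identifier
            uid = secrets.token_hex(8)
            set_cookie = f"uid={uid}; Domain={TRACKER_HOST}; Path=/"
        if referer:
            parts = urlsplit(referer)
            seen = (parts.hostname, parts.path)
        else:
            seen = (None, None)     # Referer suppressed: cookie still links the visits
        self.profiles.setdefault(uid, []).append(seen)
        return set_cookie


class Browser:
    """Minimal client: a cookie jar keyed by host, optional Referer, optional
    blocking of third-party cookies."""

    def __init__(self, send_referer=True, third_party_cookies=True):
        self.jar = {}
        self.send_referer = send_referer
        self.third_party_cookies = third_party_cookies

    def visit(self, page_url, network):
        # Loading the page triggers the embedded ad request to the tracker.
        referer = page_url if self.send_referer else None
        cookie_header = self.jar.get(TRACKER_HOST, "") if self.third_party_cookies else ""
        set_cookie = network.serve_ad(referer, cookie_header)
        if set_cookie and self.third_party_cookies:
            self.jar[TRACKER_HOST] = set_cookie.split(";")[0]   # keep 'uid=...'


def simulate(send_referer=True, third_party_cookies=True):
    """One user reads three pages on two unrelated publishers (constructed
    URLs); returns the tracker's resulting profiles."""
    network = AdNetwork()
    browser = Browser(send_referer, third_party_cookies)
    for url in ("http://news.example/politics/story-1",
                "http://health.example/conditions/insomnia",
                "http://news.example/sports/scores"):
        browser.visit(url, network)
    return network.profiles


if __name__ == "__main__":
    for label, kwargs in (("default", {}),
                          ("no third-party cookies", {"third_party_cookies": False}),
                          ("no Referer", {"send_referer": False})):
        print(label, simulate(**kwargs))
```

With the defaults the tracker ends up with one profile listing both publishers and the exact pages read. Blocking third-party cookies leaves three single-visit profiles it cannot join (absent fingerprinting, which is listed later in the threat spectrum); suppressing the Referer keeps the visits joined but strips what was read. The same headers are what an analytics service or a web bug receives, so the model covers those items of the list as well.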
Embedded Advertising
Amazon MP3 Clips Widget
Ebay pulling ads from a Yahoo server
A Visit to MSNBC
[Visualization of the hosts contacted during one visit to http://www.msnbc.msn.com/; address axis labelled 0.0.0.0 to 255.255.255.255]
• a365.ms.akamai.net
• a509.cd.akamai.net
• ad.3ad.doubleclick.net
• amch.questionmarket.com
• c.live.com.nsatc.net
• c.msn.com.nsatc.net
• rad.msn.com.nsatc.net
• context3.kanoodle.com
• global.msads.net.c.footprint.net
• hm.sc.msn.com.c.footprint.net
• msnbcom.112.2o7.net
• prpx.service.mirror-image.net
• wrpx.service.mirror-image.net
• switch.atdmt.com
• view.atdmt.com
• www-google-analytics.l.google.com
• 16 third-party sites
• 10 separate companies
http://www.msnbc.msn.com/
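The counts on that slide can be reproduced from the host list alone, which is what a practitioner does today with a HAR export or the browser's network panel. The script below is an added example, not the talk's tooling: it takes the 16 hostnames above, reduces each to its registrable domain (public suffix plus one label) using a deliberately tiny stand-in for the Public Suffix List, separates third-party hosts from the page's own domain, and counts the distinct third parties. The suffix set is an assumption made for this example; real tooling should use the full list.

```python
from collections import Counter

# The 16 hosts contacted during one load of http://www.msnbc.msn.com/, as
# listed on the slide; the first-party page host is www.msnbc.msn.com.
MSNBC_CONTACTS = [
    "a365.ms.akamai.net", "a509.cd.akamai.net", "ad.3ad.doubleclick.net",
    "amch.questionmarket.com", "c.live.com.nsatc.net", "c.msn.com.nsatc.net",
    "rad.msn.com.nsatc.net", "context3.kanoodle.com",
    "global.msads.net.c.footprint.net", "hm.sc.msn.com.c.footprint.net",
    "msnbcom.112.2o7.net", "prpx.service.mirror-image.net",
    "wrpx.service.mirror-image.net", "switch.atdmt.com", "view.atdmt.com",
    "www-google-analytics.l.google.com",
]

# Stand-in for the Public Suffix List (assumption: only these suffixes).
# Directly under a public suffix each label is registered by a separate
# party, so 'registrable domain' is the cheapest proxy for who runs a host.
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk"}


def registrable_domain(host):
    """Return public suffix plus one label, trying the longest suffix first
    so that 'x.co.uk' yields 'x.co.uk' rather than 'co.uk'."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(1, len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:])
    return host


def third_party_report(page_host, contacts):
    """Split hosts contacted during a page load into first and third party
    relative to the page's own registrable domain, and count the distinct
    third-party domains. `contacts` is the host list a HAR export or the
    browser's network panel gives you."""
    site = registrable_domain(page_host)
    third = [h for h in contacts if registrable_domain(h) != site]
    return {
        "site": site,
        "third_party_hosts": third,
        "organizations": Counter(registrable_domain(h) for h in third),
    }


if __name__ == "__main__":
    report = third_party_report("www.msnbc.msn.com", MSNBC_CONTACTS)
    print(f"{len(report['third_party_hosts'])} third-party hosts, "
          f"{len(report['organizations'])} registrable domains:")
    for domain, n in report["organizations"].most_common():
        print(f"  {domain:<20} {n}")
```

For the slide's list this gives 16 third-party hosts under 10 registrable domains, matching the slide. Two caveats when reading such a report: a registrable domain is not a company (several of the names here are content delivery networks that may be serving the publisher's own files, and nsatc.net is carrying msn.com and live.com content), so the list says who can see the request, not who is building a profile; and a first-party-looking CNAME can resolve to a third party's address, which only the resolved address, not the hostname, reveals.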
Privacy Policies: the LCD
Is there a browser plug-in that easily shows third-party contact?
TrackMeNot and Beyond…
• http://mrl.nyu.edu/~dhowe/trackmenot/
• http://mrl.nyu.edu/~dhowe/words.html
• http://www.schneier.com/blog/archives/2006/08/trackmenot_1.html
Progress
• Attempts at increasing user
awareness
• Data leak prevention
• Search query anonymization
• Malware warnings
User Awareness
http://www.google.com/privacy_ads.html
Challenges
• Electronic discovery
• Phoning home
• Dependency
• New products and services
• Corporate consolidation and death
• Web 2.0 / Interaction tracking
• Trend away from desktop
• Multiple privacy policies
Threat Spectrum
[Figure: threats arranged along an axis from Likely to Less Likely: ISP manipulation, Service eliminated, Cross-site tracking, DNS redirection, User profiling, Third-party sharing, Government collaboration, Targeted advertising, Search result ranking manipulation, Digital assassination, User fingerprinting, Redirect to malicious sites, Data spills]
Acknowledgements
3efd09cddc148ee790d17e35ae323852, Kulsoom Abdullah, Sergey Bratus, Defcon, Georgia Tech, HOPE, Interz0ne, New Security Paradigms Workshop, Anna Shubina, Ed Sobiesk, StankDawg, Symposium on Usable Privacy and Security
More Information...
• E. Sobiesk and G. Conti; "The Cost of Free Web Tools;" IEEE Security and Privacy, May/June 2007.
• K. Abdullah, G. Conti and E. Sobiesk; "Self-monitoring of Web-based Information Disclosure;" Workshop on Privacy in the Electronic Society; October 2007.
• G. Conti and E. Sobiesk; "An Honest Man Has Nothing to Fear: User Perceptions on Web-based Information Disclosure;" Symposium on Usable Privacy and Security (SOUPS); July 2007.
• G. Conti; "Googling Considered Harmful;" New Security Paradigms Workshop; October 2006.
• G. Conti; Googling Security. Addison-Wesley. ~October 2008
DAVIX
(Jan Monsch and Raffy Marty)
DAVIX Workshop
DEFCON Breakout Room
Sunday 2PM-4PM
http://www.secviz.org/node/89
“Free” web tools and services aren’t free, we pay for them with micropayments of personal information…
But we also pay for them by tolerating evil interfaces.
Survey
Backup Slides
Linking Users, Groups, and
Organizations