
Could Googling Take Down A President, a Prime Minister, or an Average Citizen? Greg Conti | United States Military Academy |

Presentation transcript:

1 Could Googling Take Down A President, a Prime Minister, or an Average Citizen? Greg Conti | United States Military Academy |

2 The views expressed in this presentation are those of the author and do not reflect the official policy or position of the United States Military Academy, the Department of the Army, the Department of Defense or the U.S. Government.

3 Who is familiar with the AOL dataset disclosure?

4 Who has seen the data?

5 The AOL Dataset Debacle
SIGIR – IR List (August 2006)
Subject: research.aol.com
AOL is embarking on a new direction for its business making its content and products freely available to all consumers. To support those goals, AOL is also embracing the vision of an open research community. To get started, we invite you to visit us at where you will find:
– 20,000 hand labeled, classified queries
– 3.5 million web question/answer queries (who, what, where, when, etc.)
– Query streams for 500,000 users over 3 months (20 million queries)
– 2 million queries against US Government domains
Also, please feel free to provide feedback on the site, datasets you'd like to see in the future, and any other comments about our vision.

6 The AOL Dataset Debacle (same slide as 5, annotated with two site names: AOL Psycho, AOL Stalker)

7 AOL Demo User #10291 User #2708

8 Knowledge of the AOL Dataspill
Question: Are you familiar with the AOL data disclosure of August 2006?
  no 84% / vaguely 7% / somewhat (value missing) / very 2%


10 Outline
Information Disclosure
  – Computing Platform
  – Network Eavesdropping
  – Destination Websites / ISPs
Vectors
Cross-site Tracking
  – Advertising and Embedded Content
Where we are and where we are going

11 Definitions
googling: the full spectrum of free online tools and services (such as search, mapping, e-mail, Web-based word processing and calendaring, etc.)
web-based information disclosure: the information we disclose as we surf the web

12 “Free” web tools and services aren’t free, we pay for them with micropayments of personal information.

13 “Never talk when you can nod, and never nod when you can wink, and never write an e-mail because it's death. You're giving prosecutors all the evidence we need.” – Eliot Spitzer, two years before his resignation
Eliot Spitzer, former Governor of New York

14 Maf54 (7:43:27 PM): well dont ruin my mental picture
Xxxxxxxxx (7:43:32 PM): oh lol...sorry
Maf54 (7:43:54 PM): nice
Maf54 (7:43:54 PM): youll be way hot then
Xxxxxxxxx (7:44:01 PM): haha...hopefully
Mark Foley, former US Congressman

15 “Can anyone help me please! This stalking thing is not funny at all. When I type my name in keyword it gives a list of places that show where I have been on aol on the net. This is nobody's business. I have not done anything wrong at all and I have contacted aol about this matter and they keep saying they will do something about it but never do.” – Debbie
“How do I get stuff removed from aol stalker? Can anyone tell me? Aol won't respond even though they claim willingness to remove data when requested. Someone, anyone, please help!” – Sally

16 In the news…
– Administration Demands Search Data; Google Says No; AOL, MSN & Yahoo Said Yes (http://blog.searchenginewatch.com/blog/)
– Hit Pause On The Evil Button: Google Assists In Arrest Of Indian Man (http://www.washingtonpost.com/wp-dyn/content/article/2008/05/18/AR html)
– Moroccan Man Jailed For Fake Facebook Profile (http://www.techcrunch.com/2008/02/07/moroccan-man-jailed-for-fake-facebook-profile/)
– Group: Yahoo Assisted China With Torture (http://origin.foxnews.com/wires/2007Apr19/0,4670,YahooChina,00.html)
– Google ordered to give YouTube user data to Viacom (http://afp.google.com/article/ALeqM5hty1hXgakr7zoviTVNKalsStgSOw)

17 Data Collection (bar chart, Comscore data): Number of Times Data is Collected on Each Visitor in a Month (Average), for Yahoo, MySpace, AOL, Google, Facebook, Microsoft, Ebay, Amazon; axis runs to 3000

18 Unique Visitors (bar chart, Comscore data): Unique Visitors per Month, in millions, for Yahoo, MySpace, AOL, Google, Facebook, Microsoft, Ebay, Amazon; axis runs to 180 million


20 Global Computing Statistics
World Population ~6.6 Billion
Cell Phones ~3.3 Billion
Personal Computers ~1.2 Billion
MP3 Players ~220 Million
Digital Cameras ~120 Million
Webcams ~100 Million
PDAs ~85 Million
DVRs ~44 Million
Servers ~27 Million
Source: Kevin Kelly, “The Planetary Computer.” Wired 16.07, July 2008, pp. 52-55

21 Data Retention/Anonymization
Ask: “hours”
Google: 18 months
Microsoft: 18 months
Yahoo: 13 months
Other logs… Other companies… The cookie fallacy. ISPs?
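The retention figures above and the AOL release on slides 5–7 raise the same question: what does a search company actually keep, and in what form? The AOL data replaced each account with a fixed numeric ID, which kept every query a user made over three months linked together. The following Python is an added example (not code from the talk or from any of the companies named) that pseudonymizes a constructed query log two ways, with one keyed hash per account for the whole log and with a fresh random key per calendar month that can be destroyed afterwards, then measures how many queries remain linkable to a single pseudonym and applies a retention cutoff. The account names, queries and the key handling are all constructed for the example.

```python
"""Search-log pseudonymization for retention: persistent vs rotating IDs.

Added example, not from the talk. A persistent per-account ID (the AOL
design) keeps every query linkable; a per-window key that is destroyed
when the window closes caps the linkable run at one window.
"""
import hashlib
import hmac
import secrets
from collections import Counter
from datetime import datetime, timedelta

# Constructed log records: (account, ISO-8601 timestamp, query). No real users.
RAW_LOG = [
    ("user_a", "2006-03-01T09:12:00", "weather new york"),
    ("user_a", "2006-03-03T18:40:00", "lawnmower repair"),
    ("user_a", "2006-04-11T21:05:00", "used car dealers"),
    ("user_a", "2006-05-20T07:30:00", "pizza delivery"),
    ("user_b", "2006-03-02T10:00:00", "python tutorial"),
    ("user_b", "2006-04-15T11:30:00", "hiking trails"),
    ("user_b", "2006-05-22T23:59:00", "concert tickets"),
    ("user_c", "2006-05-01T12:00:00", "bread recipe"),
]


class KeyRing:
    """One random key per window. Destroying a window's key makes its
    pseudonyms impossible to recompute, which is what prevents linking
    that window's queries to any later window."""

    def __init__(self):
        self._keys = {}

    def key_for(self, window):
        if window not in self._keys:
            self._keys[window] = secrets.token_bytes(32)
        return self._keys[window]

    def destroy(self, window):
        self._keys.pop(window, None)

    def windows(self):
        return sorted(self._keys)


def pseudonym(key, account):
    """Keyed hash of the account; an unkeyed hash could be reversed by dictionary."""
    return hmac.new(key, account.encode(), hashlib.sha256).hexdigest()[:16]


def pseudonymize(log, ring, rotate_monthly):
    """Return (pseudonym, timestamp, query) records. rotate_monthly=False uses
    a single key for the whole log, i.e. the persistent-ID design."""
    out = []
    for account, ts, query in log:
        window = ts[:7] if rotate_monthly else "all"  # "YYYY-MM" or one shared window
        out.append((pseudonym(ring.key_for(window), account), ts, query))
    return out


def max_linkable(records):
    """Largest number of queries tied to one pseudonym: the linkage a leak exposes."""
    return max(Counter(p for p, _, _ in records).values())


def expire(records, now_iso, retain_days):
    """Apply a retention period: drop records older than now - retain_days."""
    cutoff = datetime.fromisoformat(now_iso) - timedelta(days=retain_days)
    return [r for r in records if datetime.fromisoformat(r[1]) >= cutoff]


if __name__ == "__main__":
    persistent = pseudonymize(RAW_LOG, KeyRing(), rotate_monthly=False)
    ring = KeyRing()
    rotated = pseudonymize(RAW_LOG, ring, rotate_monthly=True)
    print("max queries linkable to one ID, persistent ID:", max_linkable(persistent))
    print("max queries linkable to one ID, monthly rotation:", max_linkable(rotated))
    ring.destroy("2006-03")  # March key gone: March pseudonyms can never be recomputed
    print("remaining key windows:", ring.windows())
    print("records kept under 30-day retention at 2006-06-01:",
          len(expire(persistent, "2006-06-01T00:00:00", 30)))
```

With the constructed log, the persistent design leaves four of user_a's queries linkable, while monthly rotation caps the run at two (user_a's two March queries) and, once the March key is destroyed, nothing ties those to April or May. Rotation only helps if the retention period on the raw, un-pseudonymized input is shorter than the window; the "18 months" and "13 months" figures on the slide describe that raw retention.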

22 Data Retention Perceptions
Question (never / sometimes / frequently / always):
  Search engines retain the keywords I search on. 1% / 12% / 42% / 45%
  Search engine companies retain the links I click on from their search results page(s). 1% / 20% / 38% / 40%


24 Impact of Data Retention Duration on Search Habits
Question: If you knew for a fact that the topics you search for using a search engine were saved forever, would it change your search habits?
  no change 29% / minimal change 40% / somewhat of a change 26% / significant change 6%


26 Ebay


28 Amazon


30 Profiling
“Career Watcher”, “Active Gamer” (Tacoda, The Home of Behavioral Targeting)
Google hackers, Security researchers, Political activists, Company XXX employee, Corporate leaders, Law enforcement officer, Government official


42 Information Leakage and Spurious Emanations on a Network (diagram slide; labelled node: Online Company)


48 ISPs vs. Large Online Companies
Online Company
– Sees global traffic from many customers (domain specific)
– Advertising and embedded content brings in additional information
– Limited knowledge of user identity
– Extensive datamining
ISP
– Sees all traffic from its set of customers (except encrypted traffic, though traffic analysis still applies)
– Limited to no visibility on non-customers
– Knows identity and location of accounts
– Ability to manipulate network flows (DNS, blocking P2P)


51 DNS Based Vulnerabilities

52 Rogers ISP

53 Myriad Disclosure Vectors
Search
Communications – e-mail / IM / SMS…
Advertising Networks / Purchasing
Other Web 2.0 innovations
– Web office suites
– Mashups
– Location based services
– Social networking
Cloud computing

54 The Many Flavors of Search (Simply Google)

55 Any e-mail that touches any of these servers should be considered compromised.

56 Map Quest Mapping sites reveal locations of interest, allowing diverse groups of users to be linked.

57 Everyscape

58 Linked In Social networking sites know your contacts and your contacts’ contacts. Old friends will find you and let the site know of the relationship.

59 Craig’s List


61 You Send It

62 rot13 – Even the most innocent-appearing services should be considered as collecting your data.

63 If the content is on the web, it is fair game.

64 Motivation
Cost benefit analysis
– users
– webmasters
– bloggers
Short-term gain vs. long-term risks
Boils down to trust and awareness

65 Cross-site Tracking
Referer values
Click-through tracking
Cookies
Information sharing agreements
Advertising networks
Web bugs
Third-party content and services
– Videos
– Affiliate networks
– Analytics services

66 Embedded Advertising Amazon MP3 Clips Widget

67 Ebay pulling ads from a Yahoo server

68 A Visit to MSNBC


70 A Visit to MSNBC (continued): third-party hosts contacted
a365.ms.akamai.net
a509.cd.akamai.net
ad.3ad.doubleclick.net
amch.questionmarket.com
c.live.com.nsatc.net
c.msn.com.nsatc.net
rad.msn.com.nsatc.net
context3.kanoodle.com
global.msads.net.c.footprint.net
hm.sc.msn.com.c.footprint.net
msnbcom.112.2o7.net
prpx.service.mirror-image.net
wrpx.service.mirror-image.net
switch.atdmt.com
view.atdmt.com
www-google-analytics.l.google.com
16 third-party sites, 10 separate companies
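Slide 65 lists the mechanisms (Referer values, cookies, web bugs, third-party content) and slide 70 shows the result for one page load: sixteen hosts belonging to ten companies. The Python below is an added example, not code from the talk, that does the self-monitoring the deck later asks for: it reads a log of the requests a browser made while loading one first-party page, collapses hosts to registrable domains, and reports which third parties received the first-party URL in the Referer header (with or without its query string, where search terms would travel) and which were sent a cookie. The third-party host names are the ones on slide 70; the first-party host, the paths, the Referer and Cookie values and the log format itself are constructed for the example, as is the short public-suffix table.

```python
"""Third-party contact and Referer-leakage report for one page load.

Added example (not from the talk). Groups the hosts contacted during a
page load by registrable domain and flags what each third party learned.
"""
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed request log: "METHOD URL" then tab-separated "Header: value" fields.
CONSTRUCTED_LOG = """\
GET http://www.news-site.example/politics?q=search+terms
GET http://a365.ms.akamai.net/img/logo.gif\tReferer: http://www.news-site.example/politics?q=search+terms
GET http://a509.cd.akamai.net/css/site.css\tReferer: http://www.news-site.example/politics?q=search+terms
GET http://ad.3ad.doubleclick.net/adj/slot1\tReferer: http://www.news-site.example/politics?q=search+terms\tCookie: id=abc123
GET http://amch.questionmarket.com/survey.js\tReferer: http://www.news-site.example/politics?q=search+terms
GET http://c.live.com.nsatc.net/c.gif\tReferer: http://www.news-site.example/politics?q=search+terms
GET http://c.msn.com.nsatc.net/c.gif\tCookie: MUID=xyz
GET http://rad.msn.com.nsatc.net/ad\tReferer: http://www.news-site.example/politics?q=search+terms\tCookie: MUID=xyz
GET http://context3.kanoodle.com/ad.cgi\tReferer: http://www.news-site.example/politics
GET http://global.msads.net.c.footprint.net/banner.jpg
GET http://hm.sc.msn.com.c.footprint.net/pixel.gif
GET http://msnbcom.112.2o7.net/b/ss\tReferer: http://www.news-site.example/politics?q=search+terms\tCookie: s_vi=v1
GET http://prpx.service.mirror-image.net/clip1.flv
GET http://wrpx.service.mirror-image.net/clip2.flv
GET http://switch.atdmt.com/action/home\tReferer: http://www.news-site.example/politics?q=search+terms\tCookie: AA002=1
GET http://view.atdmt.com/view/banner\tCookie: AA002=1
GET http://www-google-analytics.l.google.com/__utm.gif\tReferer: http://www.news-site.example/politics?q=search+terms
"""

# Two-label public suffixes; a real tool would consult the Public Suffix List (assumption).
TWO_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}


def registrable_domain(host):
    """Collapse a host to its registrable domain, e.g. a365.ms.akamai.net -> akamai.net."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def parse_request_log(text):
    """Parse the constructed log format into dicts with host, referer and cookie flag."""
    requests = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split("\t")
        method, url = fields[0].split(" ", 1)
        req = {"method": method, "url": url, "host": urlsplit(url).hostname,
               "referer": None, "cookie": False}
        for field in fields[1:]:
            name, _, value = field.partition(": ")
            if name.lower() == "referer":
                req["referer"] = value
            elif name.lower() == "cookie":
                req["cookie"] = bool(value)
        requests.append(req)
    return requests


def third_party_report(requests, first_party_host):
    """Summarize which third parties were contacted and what each one received."""
    first_party = registrable_domain(first_party_host)
    hosts_by_domain = defaultdict(set)  # registrable domain -> hosts contacted
    referer_leaks = set()               # third parties that received the first-party URL
    query_leaks = set()                 # ... including its query string (e.g. search terms)
    cookie_domains = set()              # third parties the browser sent a cookie to
    for req in requests:
        domain = registrable_domain(req["host"])
        if domain == first_party:
            continue
        hosts_by_domain[domain].add(req["host"])
        if req["cookie"]:
            cookie_domains.add(domain)
        if req["referer"]:
            ref = urlsplit(req["referer"])
            if ref.hostname and registrable_domain(ref.hostname) == first_party:
                referer_leaks.add(domain)
                if ref.query:
                    query_leaks.add(domain)
    return {
        "third_party_hosts": sorted(h for hs in hosts_by_domain.values() for h in hs),
        "third_party_domains": sorted(hosts_by_domain),
        "referer_leaks": sorted(referer_leaks),
        "query_leaks": sorted(query_leaks),
        "cookie_domains": sorted(cookie_domains),
    }


if __name__ == "__main__":
    report = third_party_report(parse_request_log(CONSTRUCTED_LOG), "www.news-site.example")
    print(f"{len(report['third_party_hosts'])} third-party hosts, "
          f"{len(report['third_party_domains'])} separate domains")
    for key in ("referer_leaks", "query_leaks", "cookie_domains"):
        print(f"{key}: {', '.join(report[key])}")
```

On the constructed log the report reproduces the slide's count (16 hosts, 10 domains) and adds what a host list alone cannot show: which of those companies saw the page URL with its query string, and which already hold a cookie for the browser and can therefore join this visit to visits elsewhere. Grouping by registrable domain is what turns "16 sites" into "10 companies"; the short suffix table is enough for the sample but not for real traffic.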

71 Privacy Policies the LCD

72 Is there a browser plug-in that easily shows third-party contact?

73 Anonymous Web Surfing
Question (strongly disagree / disagree / agree / strongly agree):
  I believe my use of a web search engine is anonymous. 19% / 59% / 20% / 2%
  I know how to surf anonymously. 28% / 57% / 13% / 2%


76 Countermeasures
Patching Users
– Raised Awareness
– Know What You are Disclosing
– Usable Security
– ...
Technical Countermeasures
– Cookie Managers
– Content Filtering
– Self-monitoring
– Search Term Chaffing
– Encryption
– Anonymizing Proxies
– Tor
– NAT Firewalls
– ...
Policy Countermeasures
– Petition Law and Policy Makers
– Support EFF and other Privacy Organizations
– ...

77 TrackMeNot and Beyond… /08/trackmenot_1.html

78 Progress
– Attempts at increasing user awareness
– Data leak prevention
– Search query anonymization
– Malware warnings

79 User Awareness


82 Challenges
– Electronic discovery
– Phoning home
– Dependency
– New products and services
– Corporate consolidation and death
– Web 2.0 / Interaction tracking
– Trend away from desktop
– Multiple privacy policies

83 Threat Spectrum (Likely → Less Likely)
Data Spills
Government collaboration
User profiling
Targeted advertising
Third-party sharing
User fingerprinting
Cross-site tracking
Redirect to malicious sites
Search result ranking manipulation
DNS Redirection
Service eliminated
ISP manipulation

84 Threat Spectrum (build): Digital Assassination is added between Cross-site tracking and Redirect to malicious sites.
85–87 Threat Spectrum (builds): the same list, with Digital Assassination and Redirect to malicious sites moved to the end.

88 Digital Assassination Your diary and your electronic life is in someone else’s hands.

89 Acknowledgements: Kulsoom Abdullah, Sergey Bratus, Defcon, Georgia Tech, HOPE, Interz0ne, New Security Paradigms Workshop, Anna Shubina, Ed Sobiesk, StankDawg, Symposium on Usable Privacy and Security

90 More Information...
– E. Sobiesk and G. Conti; "The Cost of Free Web Tools;" IEEE Security and Privacy, May/June
– K. Abdullah, G. Conti and E. Sobiesk; "Self-monitoring of Web-based Information Disclosure;" Workshop on Privacy in the Electronic Society; October
– G. Conti and E. Sobiesk; "An Honest Man Has Nothing to Fear: User Perceptions on Web-based Information Disclosure;" Symposium on Usable Privacy and Security (SOUPS); July
– G. Conti; "Googling Considered Harmful;" New Security Paradigms Workshop; October
– G. Conti; Googling Security. Addison-Wesley. ~October 2008

91 DAVIX (Jan Monsch and Raffy Marty) – DAVIX Workshop, DEFCON Breakout Room, Sunday 2PM–4PM

92 “Free” web tools and services aren’t free, we pay for them with micropayments of personal information… But we also pay for them by tolerating evil interfaces. Survey

93 Could Googling Take Down A President, a Prime Minister, or an Average Citizen? Greg Conti | United States Military Academy |

94 Backup Slides

95 Linking Users, Groups, and Organizations

