Presentation is loading. Please wait.

Presentation is loading. Please wait.

Network Security, CS6262 Richard G. Personal Information Masquerading, Profiling, Snooping.

Published byHomer Glenn Modified over 8 years ago

Similar presentations

Presentation on theme: "Network Security, CS6262 Richard G. Personal Information Masquerading, Profiling, Snooping."— Presentation transcript:

1 Network Security, CS6262 Richard Bailey—richard@magichappyplace.com G. Stepanov—gstepanov@gatech.edu Personal Information Masquerading, Profiling, Snooping

2 Agenda 1. Motivation & Goals 2. What we accomplished 3. How we did it & How to fix it 4. Future Work 5. Q & A

3 First, a survey Do you use: Amazon.com Gmail Facebook Instant Messaging services Is it okay if any of these are compromised? Do you think about exposure of your personal information to anybody that cares to look?

4 Our Goals… 1. Determine exposure of personal information when using common web sites 2. Construct visualization of exposed data 3. Compromise these sites allowing us to take unauthorized actions as another person 4. Automate this entire process (time permitting)

5 Goal #1, #2 (Assess & Visualize) Clearly everything transmitted via HTTP instead of HTTPS is exposed

6 Goal #3 (Attack) Dealing with “secure” commercial websites Attack vector is the cookies used to identify your session SSL: GET /loginPage.php SSL: 200 OK SSL: POST /loginPage.php SSL: 200 OK, here are some cookies HTTP: GET /privateInfo.php, here are my cookies Evil blackhat nose sniffs your session!

7 Goal 4 (Automate) Facebook Spider Gets Friends Employment history Misc. personal info.pcap scrapers Amazon browsing history GMail URLs (beginning of automation) Cookies for masquerade attack Firefox plugin to load cookies from scrapers

8 How to fix this Use SSL all the time (GMail) Establish session key during authentication. Keep this secure by not transmitting it in clear text. Use this to encrypt your data on the client side. Sign your requests with a hash involving the requesting IP (or the secure session key and a timestamp)

9 Future Work Complete the automation process Implement proof of concept that does fully secure communication from the client

10 Summary / Q&A Wireless is convenient but should not be trusted We step into sessions allowing us to steal information about people Attacking the session allows us to go beyond just using sniffed data Each website leaks a little information that can be collected into a profile of the user

Download ppt "Network Security, CS6262 Richard G. Personal Information Masquerading, Profiling, Snooping."

Similar presentations

Cross-Site Scripting Issues and Defenses Ed Skoudis Predictive Systems © 2002, Predictive Systems.

Cross-Site Scripting Issues and Defenses Ed Skoudis Predictive Systems © 2002, Predictive Systems.
Kerberos 1 Public domain image of Heracles and Cerberus. From an Attic bilingual amphora, 530–520 BC. From Italy (?).

Kerberos 1 Public domain image of Heracles and Cerberus. From an Attic bilingual amphora, 530–520 BC. From Italy (?).
Chapter 17: WEB COMPONENTS

Chapter 17: WEB COMPONENTS
Cryptography Chapter 7 Part 4 Pages 833 to 874. PKI Public Key Infrastructure Framework for Public Key Cryptography and for Secret key exchange.

Cryptography Chapter 7 Part 4 Pages 833 to 874. PKI Public Key Infrastructure Framework for Public Key Cryptography and for Secret key exchange.
By: Hassan Waqar.  A PROTOCOL for securely transmitting data via the internet.  NETWORK LAYER application.  Developed by NETSCAPE.

By: Hassan Waqar.  A PROTOCOL for securely transmitting data via the internet.  NETWORK LAYER application.  Developed by NETSCAPE.
CHAPTER 8: SECURITY IN COMPUTER NETWORKS Encryption Encryption Authentication Authentication E-Mail Security E-Mail Security Secure Sockets Layer Secure.

CHAPTER 8: SECURITY IN COMPUTER NETWORKS Encryption Encryption Authentication Authentication Security Security Secure Sockets Layer Secure.
More on SSL/TLS. Internet security: TLS TLS is one of the more prominent internet security protocols. TLS is one of the more prominent internet security.

More on SSL/TLS. Internet security: TLS TLS is one of the more prominent internet security protocols. TLS is one of the more prominent internet security.
1 Supplement III: Security Controls What security services should network systems provide? Confidentiality Access Control Integrity Non-repudiation Authentication.

1 Supplement III: Security Controls What security services should network systems provide? Confidentiality Access Control Integrity Non-repudiation Authentication.
Http Web Authentication Web authentication is used to verify a users identity before allowing access to certain web pages On web browsers you get a login.

Http Web Authentication Web authentication is used to verify a users identity before allowing access to certain web pages On web browsers you get a login.
Online Security Tuesday April 8, 2003 Maxence Crossley.

Online Security Tuesday April 8, 2003 Maxence Crossley.
Cryptography: Keeping Your Information Safe. Information Assurance/Information Systems –What do we do? Keep information Safe Keep computers Safe –What.

Cryptography: Keeping Your Information Safe. Information Assurance/Information Systems –What do we do? Keep information Safe Keep computers Safe –What.
CMSC 414 Computer and Network Security Lecture 18 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 18 Jonathan Katz.
Chapter Extension 23 SSL/TLS and //https © 2008 Pearson Prentice Hall, Experiencing MIS, David Kroenke.

Chapter Extension 23 SSL/TLS and //https © 2008 Pearson Prentice Hall, Experiencing MIS, David Kroenke.
CMSC 414 Computer and Network Security Lecture 17 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 17 Jonathan Katz.
SSL By: Anthony Harris & Adam Shkoler. What is SSL? SSL stands for Secure Sockets Layer SSL is a cryptographic protocol which provides secure communications.

SSL By: Anthony Harris & Adam Shkoler. What is SSL? SSL stands for Secure Sockets Layer SSL is a cryptographic protocol which provides secure communications.
Web services security I

Web services security I
Web Services Testing David Ward. Something To Consider Eight to Eighty Information and Communications Systems Department (ICS) Over 5 years.

Web Services Testing David Ward. Something To Consider Eight to Eighty Information and Communications Systems Department (ICS) Over 5 years.
 A cookie is a piece of text that a Web server can store on a user's hard disk.  Cookie data is simply name-value pairs stored on your hard disk by.

 A cookie is a piece of text that a Web server can store on a user's hard disk.  Cookie data is simply name-value pairs stored on your hard disk by.
Smart Card Single Sign On with Access Gateway Enterprise Edition

Smart Card Single Sign On with Access Gateway Enterprise Edition
FORESEC Academy FORESEC Academy Security Essentials (II)

FORESEC Academy FORESEC Academy Security Essentials (II)

Similar presentations

Ads by Google