A Brave New World

  • Published on

  • View

  • Download

Embed Size (px)


Presentation by Dominic White at the ITweb security summit 2010. This presentation is about online privacy. The presentation begins with a discussion on behavioral tracking, Ways to prevent tracking such as DNT, TPL,googleSharing and opt out are discussed. The presentation ends with a series of disclussions on evercookie and nevercookie.


<ul><li>1.A Brave New WorldThe Politics &amp; Technology of Online Privacy</li></ul> <p>2. /whois singe Argumentative Catholic Hacker Geek Consultant @ SensePost Involved with ZaCon Love Building Security, breaking it still fun TinFoil is in this Winter Blog at http://singe.za.net/ Tweet as @singe 3. A Brave New World Source: acceleratingfuture.com 4. Agenda Behavioural Tracking Primer Politics vs Tech NAI Opt-Out Do Not Track Tracking Prevention Lists GoogleSharing Next Level EverCookie Mobile Protections 5. Behavioural Tracking Analyse user interactions to build a profile Third parties do this across multiple sites $21.7 billion industry in US $42.5 in 2015(BAI/Kelsey U.S. Local Media Annual Forecast) Behavioural only 7% of this by 2014 Popularised by Google, usurped by Facebook The business model for online monetisationPicture Source: foture.net 6. Problems People arrested Data driven inferences could be wrong Overcriminalisation Profiles sold to third-parties Employee abuse Companies hacked 7. You have little to no control over this If you dont care, will you forever?Does nobody have the right to care?What about your kids? Activists? 8. Politics &amp; Tech 9. Opt Out Advertisers realised they needed to dosomething to appease the growing noise Network Advertising Initiatives Opt-Out Sets an Out-Out cookie for eachparticipating third party You still send data to the third party, just withone less unique identifier 10. Opt-Out Problems Requires third-party cookies to be enabled Only covers participating NAI members Only un-sets one cookies (others remain) The cookie still exists, some still with an UID Only prevents targeting ads, data still stored Only deals with todays problem We only have the people we dont trustspromise 11. Do Not Track Consumer, not advertiser driven (Stanford IETF draft) Allows you to make a general statement to everyone Sends a DNT=1 HTTP header, or sets DNT DOM flag Requires receiving server to comply A technical signal, not a technical protection Backed by legislation Currently only implemented by Associated PressAnalytics Firefox 4, Internet Explorer 9 &amp; Safari (no Chrome) 12. Legislation DNT submitted to FTC[Industry efforts to address privacy through self-regulation] have been too slow, and up to now havefailed to provide adequate and meaningfulprotection. SB 761 California Do Not Track proposal atAppropriations Committee Do Not Track Act of 2011 introduced on Mon 13. Response The trackers got mad: California Senate Bill 761 would create anunnecessary, unenforceable and unconstitutionalregulatory burden on Internet commerce. It would stop Californias information economy in itstracks The measure would negatively affect consumers whohave come to expect rich content and free servicesthrough the Internet, and would make them morevulnerable to security threats. Google, Facebook, Yahoo, TimeWarner,MPAA, NAI &amp; many others 14. Do Not Track ProblemsProblems: Requires cooperation from trackers Not as verifiable as they claim e.g. AP News Limited granularity DOM implementation could be hackedBenefits: Law is a big, if slow, stick Expresses preference to all Works with other techniques 15. Tracking Protection Lists Microsoft driven (W3C draft) Technically a DNT implementation Extension of AdBlock Plus approach Detailed list of domains, URLs &amp; paths Provides blocking &amp; allow statements Prevents blocked content fromloading Multiple providers of lists EasyList, PrivacyChoice, Abine, TRUSTe 16. TPL Pros/ConsProblems: Blacklist, enumerating badness Only blocks third-parties Enumerating Badness Needs legislationBenefits GranularNo Idea Very Bad Transparent/Verifiable Not a signal, an enforcement Blocks active content, prevents further leaks 17. GoogleSharing Built by the very smart MoxieMarlinspike Active Subversion &amp; Unblockable Pools identities, lets you use arandom one Proxies requests, over SSL No need to trust the proxy Tools provided to run your own This can be extended 18. Active Subversion Why must we accommodate trackers? Take back ourprivacy by force if we must Muddies trackers data sets One user is many users Looks like a NAT Unblockable, undistinguishable Increases cost of tracking Keeps you safe Network location is kept secret No trackinghttp://1984.za.net/ 19. Next Level 20. Beyond Cookies Cookies are only one way to track Flash Local Storage Objects have been usedfor years, but thats not all Samy Kamkar came up with 13 methods intotal Also, a way to use one method to restore theothersThe Evercookie 21. Evercookie Normal Cookies HTML5 Session Storage Flash LSO HTML5 Local Storage Silverlight Isolated HTML5 Global StorageStorage HTML5 Database WebHistory Storage Etags Internet Explorer WebCache userData window.name cache Force cached PNG http://samy.pl/evercookie/ 22. NeverCookie 23. NeverCookie Deletes normal/HTML5/Flash/Silverlightcookies Can prevent setting of future Flash &amp;Silverlight objects Sets a binary Adobe Preferences Object Touches a disabled.dat Silverlight file GUI written by Willem @ SensePost OSX &amp; Safari only currently, plan to extend 24. NeverCookie 25. Mobile EverCookie On Apple iOS, each application is in a sandbox Every app allowing surfing is vulnerable tothe evercookie There could be hundreds of evercookies! Built-in settings only clear some ofMobileSafaris cache 26. ResetSafari Jailbreak SBSettings application by Sea Comet Based on my code release Deletes all Cookies as NeverCookie but for all apps Nevercookie for Mobilehttp://modmyi.com/cydia/package.php?id=32881 27. Proxy.Pac GoogleSharing if (shExpMatch(host,"*google.*")) {return proxy_GoogleSharing; } Ad &amp; Tracking Block (simple) if ( shExpMatch(host,"*googlesyndication.*)|| shExpMatch(host,"*googleadservices.*")|| shExpMatch(host,"*google-analytics.*)|| shExpMatch(url,"*facebook.com/plugins/like.php*)){return proxy_BlackHole; } 28. Blackhole Problem Blackholes are handled differently WebKit fails to DIRECT Need a blackhole proxy server Implemented a simple Twisted HTTP serverthan responds with HTTP 200 OK toeverything Thanks Gert @ SensePost 29. Available Athttp://1984.za.net/proxy.php ?proxy= - sets default proxy&amp;port= - sets default proxy port&amp;socks makes it a SOCKS proxyDont trust us 30. Enabling on iPhone Wifi network .pac can be configured normally 3G doesnt allow proxy settings via Interface /Library/Preferences/SystemConfiguration/preferences.plistHTTPEnable0HTTPProxyType2HTTPSEnable0ProxyAutoConfigEnable1ProxyAutoConfigURLStringhttp://1984.za.net/proxy.php 31. Summary &amp; Conclusion Behavioural Tracking is big business We need control of our data Opt-out is highly politicised, in-flux &amp; requireslegistlation Subversion should be built in the mean-time Watch out for whats coming next (or now) These tools are easy to build, get started 32. Thank YouQuestions?sensepost.com/blogdominic@sensepost.com </p>