Godlike Productions - Conspiracy Forum

Researchers develop proof-of-concept that exploits social networking patterns to 'deanonymize' online users

 
Monarch

User ID: 895609
United States
02/25/2010 01:46 PM
You thought you were an a/c!

[link to www.darkreading.com]


Attack Unmasks User Behind The Browser


Researchers develop proof-of-concept that exploits social networking patterns to 'deanonymize' online users

Feb 23, 2010 | 05:32 PM

By Kelly Jackson Higgins
DarkReading

A group of researchers have discovered a simple way to reveal the identity of a user based on his interactions with social networks.

The 'deanonymization' attack uses social network groups as well as some traditional browser history-stealing tactics to narrow down and find the user behind the browser. The researchers were able to deanonymize more than half of the users in their initial test using their attack method, which entailed their joining and crawling groups within social networks, such as Germany's Xing business social network and Facebook, using a fake profile. They then matched pilfered browsing histories with social-network group members to "fingerprint" and identify them.

"Without using the group info, an attack that only uses history stealing is infeasible in a real-world scenario. So, in fact, it is the combination of history-stealing and group information that is novel," says Gilbert Wondracek, a post-doctoral researcher with the International Secure Systems Lab of the Vienna University of Technology in Austria, who co-developed the proof-of-concept.

Criminals could use this for phishing and targeted attacks. The attack requires only that the victim visit a malicious Website that contains the attack code -- there's no malicious link, per se. "We could put the attack code on a Website that contains a political, dating, religious, [or other] forum. If someone posts anonymously to this Website, there is a chance that we could find out the social network profile for this person," Wondracek says. "Since social network profiles contain a wealth of info and, per definition, the friends of this person, blackmailing is also an option."

Wondracek says he and fellow researcher Thorsten Holz had wondered how the well-known history-stealing technique could be used to unmask online users via their social networking profiles. History stealing allowed them to peek at a user's URL browsing history to see if he had visited specific social network groups -- sports-related or other groups that friend or fan organizations, for instance -- that the researchers had joined.

"We can now perform an intersection and find out that there are just a few people in the whole social network that belong to exactly these ... groups. The group fingerprint is rather unique among all users," Wondracek says.

Then the attacker uses history-stealing once again to check for links that are similar to each member of the groups.

The researchers say that while their PoC was for Xing, it can work with any other social network. They crawled 7,000 public groups in Xing and found around 1.8 million users belong to at least one group. "These users are vulnerable to our attack," Holz blogged recently.

Volunteers from Xing can participate in the experiment via the researchers' demo Website here. The more regularly a Xing user participates in groups on the social network, the more likely he will be deanonymized by the PoC.

There is no fix for this attack, but workarounds include turning off browsing history or using private-browsing mode. Wondracek says the only protection social networks could provide is to change the way their Web applications use hyperlinks to move information from one point of their site to another in "keep state." Xing has implemented this as part of its response to the attack research, he says.

"I was -- and am still -- quite surprised that, a, getting the group data was so easy, and, b, almost all social networks use URLs that leak private information," Wondracek says. "The attitude behind this is pretty scary from our maybe naive point of view."

The researchers will present their paper (PDF) on their preliminary results on the attack in May at the 31st IEEE Symposium on Security & Privacy.
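The article's point that a group fingerprint is "rather unique" can be measured by a social network operator over its own public group data. The sketch below is an added example, not code from the article or from the researchers' paper: it computes each user's anonymity-set size (how many accounts belong to all of that user's groups) and the share of group users below a threshold k. User names, group names and the function names are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample data: user -> set of public groups they belong to.
MEMBERSHIPS = {
    "u1": {"chess", "sailing", "python"},
    "u2": {"chess", "sailing"},
    "u3": {"chess"},
    "u4": {"chess"},
    "u5": {"sailing", "python"},
    "u6": set(),  # no groups: outside the scope of a group fingerprint
}

def build_index(memberships):
    """Invert user->groups into group->members (what public group pages expose)."""
    index = defaultdict(set)
    for user, groups in memberships.items():
        for group in groups:
            index[group].add(user)
    return index

def candidate_set(groups, index):
    """Users who are members of every group in `groups` (the intersection step)."""
    if not groups:
        return set()
    # Start from the smallest member list so the intersection shrinks fastest.
    member_sets = sorted((index.get(g, set()) for g in groups), key=len)
    result = set(member_sets[0])
    for members in member_sets[1:]:
        result &= members
    return result

def exposure_report(memberships, k=2):
    """Return (anonymity-set size per user, users below k, share below k).

    Worst case for the user: it assumes every group they belong to is known.
    """
    index = build_index(memberships)
    sizes = {
        user: len(candidate_set(groups, index))
        for user, groups in memberships.items()
        if groups
    }
    exposed = sorted(u for u, n in sizes.items() if n < k)
    share = len(exposed) / len(sizes) if sizes else 0.0
    return sizes, exposed, share

if __name__ == "__main__":
    sizes, exposed, share = exposure_report(MEMBERSHIPS)
    print(sizes, exposed, f"{share:.0%} of group users fall below k=2")
```

A size of 1 means the group combination alone singles out one account, which is the condition the quoted researchers describe.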