I know what you did last summer: New persistent tracking mechanisms - - PowerPoint PPT Presentation

SLIDE 1

I know what you did last summer: New persistent tracking mechanisms in the wild

Stefano Belloro & Dr Alexios Mylonas

SLIDE 2

$whoami

Currently:

– Lecturer, Cyber Security @BU

Previously:

– PhD in Cyber Security & BSc @AUEB
– MSc Information Security @RHUL
– Security Consultant

SLIDE 3

$id belloro

Currently:

– Software Engineering Manager @BBC

Previously:

– M.Sc. in software engineering and Internet architecture

SLIDE 4
  • The world wide web (www) has changed our lives
  • We spend more than 34h per week accessing online content

Web

SLIDE 5
  • Mobile devices are the primary means used to access the web

Web

SLIDE 6

Web Threats?

Threats

  • Malware
  • Phishing
  • Malvertising
  • Watering hole attacks
  • Profiling/tracking
  • Browser exploitation kits

SLIDE 7

Protection from web threats?

Can (mobile|desktop) browsers protect us from web threats?

SLIDE 8

Protection from web threats?

Control Availability

  • Popular controls absent from mobile browsers (September 2013)
  • Multiple usability issues in the GUI

Blacklists

  • Blacklist unavailable on mobile browsers or ineffective (July 2014)
  • Blacklist ineffective (December 2016 & June 2018)

Private browsing

  • Artefacts can be recovered after a private session (April 2016)

Tracking

  • November 2017 & May 2018
  • New tracking vectors

SLIDE 12

Tracking

  • Web tracking is not new

– Madrigal. I'm Being Followed: How Google—and 104 Other Companies—Are Tracking Me on the Web, link

  • Today?
SLIDE 13

Tracking

SLIDE 14

Tracking

  • Client-side tracking is not new

– Madrigal. I'm Being Followed: How Google—and 104 Other Companies—Are Tracking Me on the Web, link

  • Different tracking vectors

– Cookies, Flash cookies, Silverlight, …
– HTML 5.0 storage

SLIDE 15

HTML 5.0 client-side technologies

  • Focus

– Web Storage, Web SQL Database, Indexed Database API

  • Have not received the same level of attention

– Infrequent use or no use as tracking vector
– Should be treated as cookies

SLIDE 16

Used for tracking?

  1. How frequently are they used?
  2. How often are they used for tracking?
SLIDE 17

Methodology

  • HTTP Archive
  • Tracking blacklists
  • Google BigQuery
  • Static analysis

SLIDE 18

Methodology: Architecture

SLIDE 19

Frequency of use

APIs often found as 3rd party subresource (N=460K)

SLIDE 20

Tracking?

Tracking is their main use case

SLIDE 21

Pervasiveness?

High percentage of websites containing at least one tracking subresource (N=460K)
SLIDE 22

Browser Protection

  • Can I erase them like cookies?

– Tested all popular desktop and mobile browsers
– Windows, Mac OS
– Android, iOS, Windows Phone

SLIDE 23

Methodology

https://github.com/stefano-belloro/storage-watcher

SLIDE 24

Clearing browsing data might not be enough

  1. Data from these APIs might not be removed
  2. An extra step in the GUI is required

SLIDE 25

SLIDE 26

Private session might not be enough

  1. Data persists after closing private mode or guest mode
  2. Data from a private session leaked to the normal session
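As an added example (not code from the talk or from the storage-watcher repository), a small Web Storage snapshot-and-diff helper that checks the two failure modes above: entries that survive "clear browsing data", and entries that show up in the normal session after a private one. The Storage interface methods used (`length`, `key`, `getItem`) are the standard ones; the in-memory store, the `demoIncompleteClear` scenario and its sample keys are constructed for this example.

```javascript
// Snapshot a Web Storage area (localStorage or sessionStorage, or anything
// exposing the Storage interface: length, key(i), getItem(k)).
function snapshotStorage(storage) {
  const snap = {};
  for (let i = 0; i < storage.length; i++) {
    const k = storage.key(i);
    snap[k] = storage.getItem(k);
  }
  return snap;
}

// Diff two snapshots taken around a user action ("clear browsing data",
// closing a private/guest session). Keys still present afterwards are the
// persistent entries the action failed to remove; keys that appear only
// afterwards are entries that leaked in from another session.
function diffStorage(before, after) {
  const has = (obj, k) => Object.prototype.hasOwnProperty.call(obj, k);
  const survived = Object.keys(before).filter((k) => has(after, k));
  const removed = Object.keys(before).filter((k) => !has(after, k));
  const added = Object.keys(after).filter((k) => !has(before, k));
  return { survived, removed, added };
}

// Minimal in-memory Storage stand-in so the helpers run outside a browser
// (constructed for this example). In a real page pass window.localStorage.
function makeMemoryStorage(init = {}) {
  const data = new Map(Object.entries(init));
  return {
    get length() { return data.size; },
    key(i) {
      const keys = Array.from(data.keys());
      return i < keys.length ? keys[i] : null;
    },
    getItem(k) { return data.has(k) ? data.get(k) : null; },
    setItem(k, v) { data.set(k, String(v)); },
    removeItem(k) { data.delete(k); },
    clear() { data.clear(); },
  };
}

// Constructed scenario: a "clear browsing data" that removed one entry but
// left a site-set identifier behind, the situation the talk reports.
function demoIncompleteClear() {
  const store = makeMemoryStorage({ uid: 'abc123', prefs: 'dark' });
  const before = snapshotStorage(store);
  store.removeItem('prefs'); // simulate an incomplete clear
  return diffStorage(before, snapshotStorage(store));
}
```

In a browser, take `snapshotStorage(window.localStorage)` before and after the GUI action and feed both to `diffStorage`; a non-empty `survived` list is the persistence problem, a non-empty `added` list after a private session is the leak.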

SLIDE 27

SLIDE 28

Submitted bugs…

  • Most of the bugs that we found have been patched

– Users might not update their OS or app

  • Newer versions of the browser introduce other bugs

– Noticed this in our experiments
– Bugs appear and disappear in newer versions!

SLIDE 29

Demo

Android 8

  • Firefox 63.0.2
  • Opera 48.2
SLIDE 30

More info

Belloro, S., & Mylonas, A. (2018). I know what you did last summer: New persistent tracking mechanisms in the wild. IEEE Access, 6, 52779-52792. Link (open access)

SLIDE 31

Questions

Now! Later:

  • Alexios Mylonas, amylonas@bournemouth.ac.uk, alexios.mylonas@gmail.com
  • Stefano Belloro, stefano.belloro@gmail.com