security ty p privacy cy us user e expect ectati tion ons
play

Security ty, P Privacy cy, & & Us User E Expect ectati - PowerPoint PPT Presentation

Sep 23, 2023 •176 likes •710 views

Security ty, P Privacy cy, & & Us User E Expect ectati tion ons: Case Studies in Web Tracking and Application Permissions Franzi ziska Roesner er Assistant Professor Computer Science & Engineering University of Washington

  1. Security ty, P Privacy cy, & & Us User E Expect ectati tion ons: Case Studies in Web Tracking and Application Permissions Franzi ziska Roesner er Assistant Professor Computer Science & Engineering University of Washington

  2. Security ty, P Privacy cy, & & Us User E Expect ectati tion ons: Case Studies in Web Tracking and Application Permissions Franzi ziska Roesner er + many c collaborators! Assistant Professor Computer Science & Engineering University of Washington

  3. New t technologies b bring n new b benefits… … but but a also so new new r risk sks. s. Franziska Roesner 3 10/20/2016

  4. Impr proving ng S Secur urity & & Privacy Security and privacy challenges often arise when user expectations don’t match real system properties. Educ ducate, de design be better U UIs, increa ease e tran ansp spar arency. Build s d systems that b better match us user e expe pectatio ions. Franziska Roesner 4 10/20/2016

  5. Outlin line I. I. The W e Web eb: Third-Party Tracking II. II. Modern OSes: Permission Granting Franziska Roesner 5 10/20/2016

  6. Outlin line I. I. The W e Web eb: Third-Party Tracking II. II. Modern OSes: Permission Granting F. F. R Roesner, T. Kohno, D. Wetherall . “Detecting and Defending Against Third-Party Tracking on the Web.” In USENIX Symposium on Networked Systems Design and Implementation (NSDI) 2012. F. R F. Roesner, C. Rovillos, T. Kohno, D. Wetherall. “ShareMeNot: Balancing Privacy and Functionality of Third-Party Social Widgets.” In USENIX ;login: 2012. A. Lerner, A. Kornfeld Simpson, T. Kohno, and F. Ro Roesner. “Internet Jones and the Raiders of the Lost Trackers: An Archaeological Study of Web Tracking from 1996 to 201.” In USENIX Security Symposium 2016. Franziska Roesner 6 10/20/2016

  7. Ads Ads T Tha hat Follow Y You Advertisers (and others) track your browsing behaviors for the purposes of targeted ads, website analytics, and personalized content. I. The Web: Third-Party Web Tracking 7 10/20/2016

  8. Third rd-Party W arty Web T Trac acki king Browsing p g profi file e for u user er 1 123: cnn.com theonion.com adult-site.com political-site.com These ads allow crite teo.com to link your visits between sites, even if you never click on the ads. I. The Web: Third-Party Web Tracking 8 10/20/2016

  9. Conc ncerns A About ut Privac acy I. The Web: Third-Party Web Tracking 9 10/18/16

  10. Understan anding t the T Tracki king E Ecosystem In 2011, much discussion about tracking, but limited understanding of how it actually works. Ou Our Go Goal: systematically study web tracking ecosystem to inform policy and defenses. Challeng enges es: – No agreement on definition of tracking. – No automated way to detect trackers. (State of the art: blacklists) I. The Web: Third-Party Web Tracking 10 10/20/2016

  11. Our App ur Approac ach ANAL NALYZE ZE (1) Reverse-engineer trackers’ methods. (2) Develop tracking taxonomy. MEA EASURE (3) Build automated detection tool. (4) Measure prevalence in the wild. (5) Evaluate existing defenses. BUILD ILD (6) Develop new defenses. I. The Web: Third-Party Web Tracking 11 10/20/2016

  12. Web B Background Websites store info in cookies in the browser. – Only accessible to the site that set them. – A utomatically included with web requests. cookie: id=123 theonion.com server cookie: id=123 cookie: id=456 cnn.com server cookie: id=456 I. The Web: Third-Party Web Tracking 12 10/20/2016

  13. Ano Anonym ymous T Trac acki king Trackers included in other sites use cookies containing unique identifiers to create browsing profiles. cookie: id=789 crit iteo. o.com om use user 789 789: theonion.com, cnn.com, adult-site.com, … cookie: id=789 I. The Web: Third-Party Web Tracking 13 10/20/2016

  14. Our T ur Trac acki king Taxonomy [NSDI ’12] In the wild, tracking is much more complicated. (1) Trackers don’t just use cookies. – Flash cookies, HTML5 LocalStorage, etc. (2) Trackers exhibit different behaviors. – Within-site vs. cross-site. – Anonymous vs. non-anonymous. – Specific behavior types: analyt an lytics, van anill illa, f forced ed, refer erred ed, p personal. I. The Web: Third-Party Web Tracking 14 10/20/2016

  15. Other er T Tracker ers? “Personal” Trackers I. The Web: Third-Party Web Tracking 15 10/20/2016

  16. Personal al T Trac acki king cookie: id=franzi.roesner cookie: id=franzi.roesner facebook ook.com om user er franzi zi.roesn esner er: theonion.com, cnn.com, adult-site.com, … cookie: id=franzi.roesner • Tracking is not anonymous (linked to accounts). • Users directly visit tracker’s site  evades some defenses. I. The Web: Third-Party Web Tracking 16 10/20/2016

  17. Measur urement S Study udy Ques estions: ns: – How prevalent is tracking (of different types)? – How much of a user’s browsing history is captured? – How effective are defenses? Appr Approach: Build tool to automatically crawl web, detect and categorize trackers based on our taxonomy. TrackingObserver: tracking d g det etec ecti tion p platform http:/ ://tracking ngobserver.cs.washing ngton. n.edu du I. The Web: Third-Party Web Tracking 17 10/20/2016

  18. How pr preval alent i is tracki king? (2011) 11) 524 unique trackers on Alexa top 500 websites (homepages + 4 links) 457 domains (91%) embed at least one tracker. (97% of those include at least one cross-site tracker.) 50% of domains embed between 4 and 5 trackers. One domain includes 43 trackers. I. The Web: Third-Party Web Tracking 18 10/18/16

  19. How pr preval alent i is tracki king? (2011) 11) 524 unique trackers on Alexa top 500 websites (homepages + 4 links) 457 domains (91%) embed at least one tracker. Trac acking i is increasi asing! (97% of those include at least one cross-site tracker.) Unique trackers on the top 500 50% of domains embed websites (homepages only): between 4 and 5 trackers. 2011: 383 2013: 409 One domain 2015: 512 includes 43 trackers. I. The Web: Third-Party Web Tracking 19 10/18/16

  20. [USENIX Security ’16] How has has thi his c chan hanged o over t time? The web has existed for a while now… • What about tracking before 2011? (our first study) - What about tracking before 2009? (first academic study) - Solution: time travel! I. The Web: Third-Party Web Tracking 20 10/18/16

  21. Th The e Wayb ybac ack Machi hine ne t to the Rescue ue Time travel for web tracking (lots of challenges!) http://trackingexcavator.cs.washington.edu I. The Web: Third-Party Web Tracking 21 10/18/16

  22. 1996 1996-2016: M More & & More T Tracking More trackers of more types I. The Web: Third-Party Web Tracking 22 10/18/16

  23. 1996 1996-2016: M More & & More T Tracking More trackers of more types, more per site I. The Web: Third-Party Web Tracking 23 10/18/16

  24. 1996 1996-2016: M More & & More T Tracking More trackers of more types, more per site, more coverage I. The Web: Third-Party Web Tracking 24 10/18/16

  25. Who ho/w /what ar are t the he top t p trac ackers? (201 011) I. The Web: Third-Party Web Tracking 25 10/20/2016

  26. Who ho/w /what ar are t the he top t p trac ackers? (201 011) Defenses for personal trackers (red bars) were inadequate. I. The Web: Third-Party Web Tracking 26 10/20/2016

  27. Defen ense: e: ShareM eMeN eNot Prior defenses for personal trackers: ineffective or completely removed social media buttons. Ou Our d defense se: ShareMeNot (for Chrome/Firefox) protects against - tracking without compromising button functionality. Blocks requests to load buttons, replaces with local - versions. On click, shares to social media as expected. Techniques adopted by Ghostery and the EFF. - http://sharemenot.cs.washington.edu I. The Web: Third-Party Web Tracking 27 10/20/2016

  28. Sum ummar ary: W Web T b Tracking Pre-2011: Limited understanding of web tracking. Our work: – Comprehensive tracking taxonomy. – Measurements and archeological study from 1996-2016. – Example results: >500 unique trackers, some able to capture up to 66% of a user’s browsing history. – New defense for “personal trackers” like Facebook, Google, Twitter: built into ShareMeNot, adopted by Ghostery + EFF. I. The Web: Third-Party Web Tracking 28 10/20/2016

  29. Outlin line I. I. The W e Web eb: Third-Party Tracking II. II. Moderns OSes: Permission Granting F. F. R Roesner, T. Kohno, A. Moshchuk, B. Parno, H. J. Wang, C. Cowan. “User-Driven Access Control: Rethinking Permission Granting in Modern Operating Systems.” In IEEE Symposium on Security & Privacy 2012 (Best Practical Paper Award). F. F. R Roesner, J. Fogarty, T. Kohno. “User Interface Toolkit Mechanisms for Securing Interface Elements.” In ACM Symposium on User Interface Software and Technology (UIST) 2012. F. F. R Roesner, T. Kohno. “Securing Embedded User Interfaces: Android and Beyond.” In USENIX Security 2013. T. Ringer, D. Grossman, F. R Roes esner ner. “AUDACIOUS: User-Driven Access Control with Unmodified Operating Systems.” In ACM Conference on Computer and Communications Security (CCS) 2016. Franziska Roesner 29 10/20/2016

  30. Smartp artphone ( (In)S )Securi rity ty Users accidentally install malicious applications. II. Modern OSes: Permission Granting 30 10/20/2016

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

The Phenomenology of User Privacy and Security Decision-Making: Practice What You Preach Thomas

The Phenomenology of User Privacy and Security Decision-Making: Practice What You Preach Thomas

The Phenomenology of User Privacy and Security Decision-Making: Practice What You Preach Thomas Reynolds University at Albany a Lightning Talk Symposium On Usable Privacy & Security Carnegie Mellon University, July 2011 Usable

371 views • 5 slides
Innovation Inaction or In Action? The Role of User Experience in the Security and Privacy Design

Innovation Inaction or In Action? The Role of User Experience in the Security and Privacy Design

Department of Computer Science, University of Oxford Innovation Inaction or In Action? The Role of User Experience in the Security and Privacy Design of Smart Home Cameras George Chalhoub, Ivan Flechais, Norbert Nthala, Ruba Abu-Salma Sixteenth

1.1k views • 12 slides
Applications using Erlang Web 2.0 Security & Privacy (W2SP) 2010 May 20, Berkeley,

Applications using Erlang Web 2.0 Security & Privacy (W2SP) 2010 May 20, Berkeley,

Enforcing User Privacy in Web Applications using Erlang Web 2.0 Security & Privacy (W2SP) 2010 May 20, Berkeley, California, USA Ioannis Papagiannis , Matteo Department of Computing Migliavacca, Peter Pietzuch Imperial College London

627 views • 30 slides
CS573 Data Privacy and Security Data Privacy and Security in Healthcare Data Privacy and Security

CS573 Data Privacy and Security Data Privacy and Security in Healthcare Data Privacy and Security

CS573 Data Privacy and Security Data Privacy and Security in Healthcare Data Privacy and Security in Healthcare Li Xiong Healthcare security and privacy HIPAA overview Research survey on information security and privacy in healthcare

1.05k views • 57 slides
Security and Privacy 12A. Operating Systems Security Operating Systems Principles 12B.

Security and Privacy 12A. Operating Systems Security Operating Systems Principles 12B.

5/18/2016 Security and Privacy 12A. Operating Systems Security Operating Systems Principles 12B. Authentication 12C. Authorization Security and Privacy 12D. Trust 12E. At-Rest Encryption Mark Kampe (markk@cs.ucla.edu) Security and Privacy

116 views • 8 slides
SECURITY, ADVERSARIAL SECURITY, ADVERSARIAL LEARNING, AND PRIVACY LEARNING, AND PRIVACY

SECURITY, ADVERSARIAL SECURITY, ADVERSARIAL LEARNING, AND PRIVACY LEARNING, AND PRIVACY

SECURITY, ADVERSARIAL SECURITY, ADVERSARIAL LEARNING, AND PRIVACY LEARNING, AND PRIVACY Christian Kaestner with slides from Eunsuk Kang Required reading: Hulten, Geoff. "Building Intelligent Systems: A Guide to Machine Learning

1.95k views • 113 slides
Tuenti: Our Privacy and Security Strategy Mara de Sousa-Valadas User Support Manager @Tuenti

Tuenti: Our Privacy and Security Strategy Mara de Sousa-Valadas User Support Manager @Tuenti

European Conference on Cyberbullying Tuenti: Our Privacy and Security Strategy Mara de Sousa-Valadas User Support Manager @Tuenti Contents 1. Tuenti, facts & figures 2. Tuenti: reporting tools and actions 3. Self-regulatory initiatives

318 views • 18 slides
S & P SECURITY & PRIVACY GROUP Security and Privacy for Payment Channel Networks

S & P SECURITY & PRIVACY GROUP Security and Privacy for Payment Channel Networks

FAKULTT FR !NFORMATIK Faculty of Informatics S & P SECURITY & PRIVACY GROUP Security and Privacy for Payment Channel Networks Pedro Moreno-Sanchez Blockchain Summer School BDLT19 Vienna, Sep 2nd 2019 Blockchain Research

1.41k views • 73 slides
Privacy as a Service Raymond Cheng Build practical cloud services that protect user privacy from

Privacy as a Service Raymond Cheng Build practical cloud services that protect user privacy from

Privacy as a Service Raymond Cheng Build practical cloud services that protect user privacy from powerful threats 2 3 Powerful Threats to User Privacy Organized Crime Nation-State Actors 4 Powerful Threats to User Privacy Gather

1.56k views • 104 slides
CIS700: Security and Privacy of Machine Learning Prof. Ferdinando Fioretto ffiorett@syr.edu

CIS700: Security and Privacy of Machine Learning Prof. Ferdinando Fioretto ffiorett@syr.edu

CIS700: Security and Privacy of Machine Learning Prof. Ferdinando Fioretto ffiorett@syr.edu Tell us your: Name (how you like to be called) Position (MS / PhD) and year Research Interests What do you expect from this

563 views • 34 slides
Be,er Privacy and Security via Secure Computa9on Jonathan Katz Security/privacy would be much

Be,er Privacy and Security via Secure Computa9on Jonathan Katz Security/privacy would be much

Be,er Privacy and Security via Secure Computa9on Jonathan Katz Security/privacy would be much easier if there were someone we could all TRUST with our data Be8er data mining -- using MORE data, while respec@ng users PRIVACY

888 views • 35 slides
Web Privacy Professor Adam Bates Fall 2018 Security & Privacy Research at Illinois (SPRAI)

Web Privacy Professor Adam Bates Fall 2018 Security & Privacy Research at Illinois (SPRAI)

CS 563 - Advanced Computer Security: Web Privacy Professor Adam Bates Fall 2018 Security & Privacy Research at Illinois (SPRAI) Administrative Learning Objectives : Consider the difference between security and privacy Discuss work

814 views • 43 slides
Privacy & Security Matters: Privacy & Security Matters: Protecting Personal Data

Privacy & Security Matters: Privacy & Security Matters: Protecting Personal Data

Privacy & Security Matters: Privacy & Security Matters: Protecting Personal Data Protecting Personal Data Privacy & Security Project HIPAA: What it is Health Insurance Portability and Accountability Act of 1996 Also known as

445 views • 26 slides
Healthcare privacy and security Li Xiong CS573 Data Privacy and Security Patients Are Concerned

Healthcare privacy and security Li Xiong CS573 Data Privacy and Security Patients Are Concerned

Healthcare privacy and security Li Xiong CS573 Data Privacy and Security Patients Are Concerned Did you know... 77 percent of all Americans feel their personal health information privacy is very important, and 84 percent said they

769 views • 50 slides
Guarding user Privacy with Federated Learning and Differential Privacy Brendan McMahan

Guarding user Privacy with Federated Learning and Differential Privacy Brendan McMahan

Guarding user Privacy with Federated Learning and Differential Privacy Brendan McMahan mcmahan@google.com DIMACS/Northeast Big Data Hub Workshop on Overcoming Barriers to Data Sharing including Privacy and Fairness 2017.10.24 Our Goal Imbue

956 views • 70 slides
User privacy Vicen c Torra February, 2018 SAIL + PICS, School of Informatics, University of

User privacy Vicen c Torra February, 2018 SAIL + PICS, School of Informatics, University of

User privacy Vicen c Torra February, 2018 SAIL + PICS, School of Informatics, University of Sk ovde, Sweden Outline Outline 1. User privacy 1 / 25 Outline User privacy 2 / 25 DP > Dimensions Outline Data Privacy Classification

836 views • 37 slides
Melting Pot of Origins: Compromising the Intermediary Web Services that Rehost Websites Takuya

Melting Pot of Origins: Compromising the Intermediary Web Services that Rehost Websites Takuya

Melting Pot of Origins: Compromising the Intermediary Web Services that Rehost Websites Takuya Watanabe, Eitaro Shioji, Mitsuaki Akiyama, Tatsuya Mori NTT Secure Platform Laboratories, Waseda University, NICT, RIKEN API NDSS Symposium 24 th

768 views • 46 slides
COOKIES Ho w ca n ap ps maintai n use r stat e ? Cookie s ! small bits of data downloaded to your

COOKIES Ho w ca n ap ps maintai n use r stat e ? Cookie s ! small bits of data downloaded to your

CS 498RK SPRING 2020 COOKIES Ho w ca n ap ps maintai n use r stat e ? Cookie s ! small bits of data downloaded to your computer so that a site can remember you and what you did on subsequent visits Bro w se r Serve r first request

340 views • 23 slides
Deemon: Detecting CSRF with Dynamic Analysis and Property Graphs G. Pellegrino , M. Johns, S.

Deemon: Detecting CSRF with Dynamic Analysis and Property Graphs G. Pellegrino , M. Johns, S.

Deemon: Detecting CSRF with Dynamic Analysis and Property Graphs G. Pellegrino , M. Johns, S. Koch, M. Backes, C. Rossow gpellegrino@cispa.saarland ACM CCS 2017 Nov 2 nd , Dallas, USA U WONT BELIEVE WHAT DIS CAT IS DOIN !!!1! <img

980 views • 16 slides
Cookies and Sessions Thierry Security assumptions You have absolutely no control on the client

Cookies and Sessions Thierry Security assumptions You have absolutely no control on the client

Cookies and Sessions Thierry Security assumptions You have absolutely no control on the client Client Side Server Side Web Server Database Web Browser Cookies The big picture key/value pairs data Client Side Server Side HTTP request

783 views • 13 slides
How online tracking works Lorrie Faith Cranor Chief Technologist US Federal Trade

How online tracking works Lorrie Faith Cranor Chief Technologist US Federal Trade

The Future of Advertising & Privacy How online tracking works Lorrie Faith Cranor Chief Technologist US Federal Trade Commission 1 Agenda Types of ads Web tracking with cookies Web tracking beyond cookies Tracking

1.43k views • 118 slides
CS/COE 1520 pitt.edu/~ach54/cs1520 Server-side scripting with Flask Flask A micro web

CS/COE 1520 pitt.edu/~ach54/cs1520 Server-side scripting with Flask Flask A micro web

CS/COE 1520 pitt.edu/~ach54/cs1520 Server-side scripting with Flask Flask A micro web framework written in Python First release was in 2010 Current version (1.1.1) was released in July 2019 Currently powers LinkedIn and

278 views • 8 slides
User Authentication in Perl 1. Using .htaccess Check out:

User Authentication in Perl 1. Using .htaccess Check out:

User Authentication in Perl 1. Using .htaccess Check out: http://www.wpi.edu/Academics/CCC/Help/Unix/Webdev/htaccess.html The above site is pretty self-explanatory. The main steps if you want to allow two users with username/password as

284 views • 3 slides
The 9 Lives of Bleichenbacher's CAT: New Cache ATtacks on TLS Implementations Eyal Ronen , Robert

The 9 Lives of Bleichenbacher's CAT: New Cache ATtacks on TLS Implementations Eyal Ronen , Robert

The 9 Lives of Bleichenbacher's CAT: New Cache ATtacks on TLS Implementations Eyal Ronen , Robert Gillham, Daniel Genkin, Adi Shamir, David Wong and Yuval Yarom Transport Layer Security (TLS) The most widely used cryptographic protocol

1.36k views • 120 slides

More recommend