By Eric Beach & Adam Marcus, * last updated October 29, 2009
[Jump right to the table]
A coalition of "privacy advocates" have called for legislation that would drastically curtail the collection of data for use in delivering personalized (or "behavioral") advertising. Yet for all the attention this issue has received, such "tracking" of users for advertising purposes is perhaps the least important of the many online threats to privacy: Little real harm has been shown to result from such data use, while it can actually benefit users by dramatically increasing advertising revenue for the sites preferred by users, allowing them to offer more and better "free" content and services. We discuss herein twenty other online threats to online security and privacy (and three relevant offline threats). We will review methods to deal with these threats in future "Privacy Solutions Series."
Focusing the conversation about online privacy exclusively on behavioral advertising is much like trying to deal with the general problem of drug abuse by clamping down on legal, prescription drugs with stricter regulations. Most drug abusers buy their drugs on the black market, not from pharmacies. Similarly, most online security and privacy threats are from "hackers," not public corporations subject to public scrutiny and enforcement of unfair and deceptive trade practice laws by the FTC and state governments. Pharmacies, drug companies, online publishers and online advertisers can be forced to comply with stricter laws, but stricter laws mean little for the rogue actors who lurk in the shadows of America's cities and in the dark corners of the Internet. By definition, criminals break laws; worse, they ignore them. The better approach to the problem of drug abuse is to educate and empower abusers to defeat the enemy: their own addiction. Similarly, the better approach to concerns about online security and privacy is to educate and empower users to defeat those who would prey on their ignorance.
Although this piece focuses on online cyber-security threats, offline threats can be just as dangerous. As the saying goes, a chain is only as strong as its weakest link. You can follow all the rules for using the Internet safely and still fall victim to identity theft if your laptop is stolen, for example.
Government Mandates - A variety of legislative/regulatory proposals for copyright, child privacy, indecency, and defamation would require websites and/or ISPs to filter content, gather identification information about their users, or to log their users' activities. Information required by the government for one purpose could very easily be used by the government for other purposes.
Pretexting - Someone lies about their identity, credentials, or purpose to gain unauthorized access to your information or services-e.g. calling an ISP or phone company, claiming to be you, but insisting they've just "lost" your password. Most companies require some other piece of information (e.g. a "secret question") before giving out or resetting a user's password, but that other information can often be obtained by "pretexting" the user, too (e.g. calling the user and claiming that you're doing a survey, that they've won a prize, or that you're calling from their ISP or phone company), phishing, packet sniffing, or some other means. More information: 1, 2, 3
Physical Access - If someone has physical access to your computer or external drives, they can easily gain direct access to the information on them-unless your drives are encrypted. As Adam Thierer has cataloged in his Lost Laptops Series, there have been many high profile stories (for example) of laptops being stolen, memory-sticks being lost, and thrown-away computers revealing embarrassing files. Users also compromise their security when they leave computers unattended while logged in and not locked with a password.
Each threat listed in the table below is further described and accompanied by links containing a number of author-reviewed sources for additional information.
The security and privacy threats listed in this paper each come from one of three "threat vectors":
- Websites: These threats are implemented (or not implemented, in the case of encryption) by websites.
- Intermediaries: Because these threats involve intercepting communications between users and websites, they are the least likely to be noticed by users, but also some of the most dangerous in that they can be successful even against savvy users using reputable websites. The intermediary could be your employer or ISP, someone who has used WEP/WPA cracking to gain access to your wireless network, a colleague on the same office network, or a law enforcement agency with a digital wiretap on your broadband connection. The Hollywood story of a hacker "tapping" a wire somewhere to gain access isn't even necessary: With wireless networks so common, physical access generally isn't necessary and being physically near the wireless access point will suffice.
- Users: No technology can protect against threats that involve either tricking users to install software, reveal information, or depend on users having easy-to-guess or crack passwords.
The goals of the perpetrators of these online threats may vary, with one goal but a step towards another. The list below is in order of severity.
- Packet Sniffing: Data travels over the Internet in packets. These packets are not encrypted by default, so anyone with access to the packets can read them. (Encryption is the scrambling of content to protect against unauthorized viewing). Packet inspection often goes hand-in-hand with filtering. More information: 1, 2, 3, 4, 5, 6, 7, 8
- "Shallow packet inspection" involves only examining the metadata for each packet (i.e., the header), which specifies only the IP address and port of the originating and destination computers for the packet.
- Deep Packet Inspection (DPI) involves examining the contents of these packets (i.e., the contents of the web page), often for the purpose of filtering content.
- Filtering: The attempt by an intermediary to block certain content, websites, and/or applications. The criteria for filtering can be one or more of the following:
- Access: Third parties may gain access to your online accounts without your permission. For example, one cross-site scripting (XSS) attack was used--unbeknownst to users--to automatically flag certain works on Amazon.com as inappropriate, causing those works to disappear from search results on Amazon. Such attacks are dangerous because users may not realize their security has been compromised, but the danger is somewhat mitigated by the fact that data stored on their own computers is not at risk, only their online identity and information.
- Executing Code on A User's PC: By far the most dangerous category of threats: Because most computer operating systems allow users full access to the entire computer by default, once a user has been tricked into running a malicious application, the application has full run of the user's computer. For example, Botnets have even been designed to scan infected computers for financial records and send them to the botnet's controller.
Botnets - Catch-all term for programs ("bots") unknowingly installed on potentially thousands of users' computers. The bots are then remotely controlled as a group (hence "net"). Botnets are most often used to send spam, perform distributed denial of service (DDoS) attacks, and send login IDs and financial information from infected computers back to the bot controller. More information: 1, 2, 3, 4, 5, 6.
Content-Control Software - Commonly known as "filtering software," this software usually runs on a user's computer and restricts the materials to which some users of the computer have access through keyword filtering, IP blocking, etc. Such software is often used by schools, libraries, and parents to block access to pornographic content. Businesses may also use such software to block access to non-work-related websites. Content-control software doesn't always have to be installed on the user's computer; sometimes it is installed at a corporation's Internet gateway. Common content control software includes Net Nanny, Covenant Eyes, Hedgebuilders, K9 Web Protection, CyberSitter, ContentProtect, Naomi Internet Filter, Scieno Sitter, Sentry Parental Controls, Untangle, Websense, WinGate, and X3Watch. More information: 1, 2.
Cookie Stealing - When a computer situated between the user and the server that provides the desired web page "sniffs" (i.e., intercepts and reads) the packets containing the HTTP headers sent by the user. Since those HTTP headers include any cookies associated with the website, the intermediary can learn the cookie values and subsequently connect to the same website using the original user's authorized cookie values, thereby impersonating the user. For example:
- User A logs into Facebook using HTTPS and is given an authorization cookie with a unique and un-guessable cookie ID;
- User A is redirected to a non-HTTPS Facebook page and in this process, User A's packets are sniffed (User A's unique and un-guessable cookie ID is recorded by User B);
- User B makes an HTTP request to Facebook using User A's captured un-guessable cookie ID;
- Facebook's server, seeing User A's un-guessable cookie ID, grants User B access to User A's account.
The availability of programs such as CookieMonster makes this kind of attack incredibly fast and easy. More information.
Cross-Site Request Forgery (XSRF) - When malicious code embedded in a web page is executed by a user's web browser, causing it to send a HTTP request using the user's credentials unbeknownst to the user. Because the functionality of the malicious code is so limited (it can only send HTTP requests), this threat is not classified as executing code on a user's PC. For example:
- A hacker visits a website that (a) lacks adequate security settings and (b) allows HTML-enabled user comments, e.g. a user forum website and posts a comment containing hidden malicious code;
- An innocent users signs into his web-based email account. His browser now contains a cookie with an un-guessable ID that authorizes access to his webmail account.
- The innocent user then visits the hacked website and views a page containing the hacker's posted comment.
- In the normal course of attempting to load the page, the innocent user's web browser automatically executes the malicious code. The code instructs the web browser to send an email through the user's webmail provider. Since the browser already contains a cookie with the user's authorization, the user is not prompted for their username or password and the email is sent automatically.
More information: 1, 2, 3, 4, 5, 6.
Cross-Site Scripting (XSS) - One of the most common security vulnerabilities on the Internet. Similar to a Cross-Site Request Forgery (XSRF), but:
- Cross-site request forgery exploits the trust that websites have for web browsers and cross-site scripting exploits the trust that users have for familiar websites.
- Cross-site request forgeries usually involve a user's web browser performing some action without the user's knowledge, while cross-site scripting attacks usually involve tricking the user into using a phishing website by changing links that appear on a legitimate website. For example:
- A hacker visits a website that (a) lacks adequate security settings and (b) allows HTML-enabled user comments, e.g. a user forum website and posts a comment containing hidden malicious code;
- An innocent user visits the hacked website and views a page containing the hacker's posted comment.
- The malicious code modifies the web page on the fly, replacing the URL for a valid shopping link with the URL of a phishing site.
- The user clicks on that link and is redirected to the phishing site. The user doesn't realize anything is amiss and provides their name, address, and credit card number as part of the ordering process. That information is then used to make unauthorized credit card purchases and/or steal the person's identity.
More information: 1, 2, 3, 4, 5.
DNS Tampering - When you load a website such as http://www.pff.org, your computer must first determine the numeric IP address (18.104.22.168) associated with the specified domain name (www.pff.org). This task is accomplished by querying a domain name system (DNS) server, which acts like a phonebook for the Internet. DNS tampering involves causing a DNS server to refuse to resolve a domain or improperly resolve a domain. Such tampering is generally the result of government mandates. An analogy to DNS tampering is either removing a controversial person's phone number from the phone book or simply changing the phone number to so that people end up calling someone else. More information: 1, 2, 3.
DOM Storage - DOM storage is a new standard meant to be a successor to HTML cookies. It is supported by Internet Explorer 8, Firefox since version 2, Safari, and Chrome. But since clearing the DOM storage is a separate procedure from clearing cookies, users who want to block all cookie-like functionality may not realize that they must both configure their web browsers to reject cookies and also configure it to not use DOM storage. See also Cookies, Local Shared Objects (LSOs, AKA Flash Cookies). More information: 1, 2, 3.
Drive-by Downloads - On the most basic level, a drive-by download occurs when a user unknowingly downloads and installs some software, e.g., visiting a website that secretly installs a malicious Java plug-in or ActiveX control. People can be directed to these websites by spam email, search engine results, or website comment spam. Drive-by downloads are almost always intended to compromise the user's privacy or security. Common examples of drive-by downloads include viruses and spyware. More information: 1, 2, 3, 4.
Encryption, Not Using - Unless encrypted, data transmitted over the Internet can be easily read by intermediaries who sit between the user and the website. Consequently, a user who transmits sensitive data to a website that does not use encryption risks having that data stolen. While many websites now use encryption to protect users' username and password at login, many sites don't use encryption for subsequent communications. More information: 1, 2, 3, 4.
End-to-End Timing Attack - An extremely sophisticated and advanced monitoring technique that can be used to learn what website someone is accessing even when they're trying to hide their actions by using a proxy. It involves simultaneously watching (1) the traffic exiting the user's computer and (2) the traffic either (a) exiting an encrypted proxy server or (b) accessing a restricted website in order to ascertain that the traffic is related and that the user is accessing a restricted or questionable website. For example:
- A dissident located in China wants to access a website that is located within China but is not accessible from within China. In other words, China blocked the website in question to users within China while allowing users outside China to access the website.
- The dissident uses an encrypted HTTP tunnel to connect to an ISP within the United States.
- The dissident accesses the blocked website in China through the ISP within the United States.
Because the traffic appears to be originating from the ISP in the United States instead of China, the dissident can access the content on the banned website. But the Chinese government could use an end-to-end timing attack to connect the dots and detect that, at roughly the same time the dissident inside China made a request to the IP associated with the ISP in the United States, the IP associated with the ISP inside the United States made a request to the restricted website inside China. Users can make their actions less susceptible to an end-to-end timing attack by increasing the number of intermediary nodes between themselves and the website(s) they access. More information: 1, 2.
IP Blocking - Network operators can view the header information in the IP packets travelling across their network and selectively discard any packets with a specified origin or destination address. For example, the Chinese government could block attempts by Chinese users to connect to a website associated with the "free Tibet" movement. See also Port Blocking. More information: 1, 2, 3, 4.
Local Shared Objects (LSOs, AKA Flash cookies) - LSOs are cookie-like files used by the Adobe Flash Player. Many privacy experts worry about LSOs because they operate outside the cookie policies implemented in most web browsers. Users who want to block all cookie-like functionality may not realize that they must both configure their web browsers to reject cookies and also configure Adobe Flash to reject LSOs. See also Cookies, DOM Storage. More information: 1, 2, 3.
Phishing (AKA Email Spoofing) - In the broadest sense, phishing involves attempting to deceive a user in order to gain access to their data or services. The most common example involves sending an official-looking email to a user with a link to a website designed to gather the user's personal data and/or username and password. Phishing emails often contain "spoofed" headers so it appears they are from a legitimate email address. For example, a spoofed email that appeared to be from email@example.com could inform the user that there is a problem with their account and ask them to log in to resolve the issue at a link included in the email. But instead of linking to the actual bank website, the link would be to a copy-cat website that looks identical to the bank's actual website. If the user falls for the ruse and logs in, the hacker can then use the user's account information to log into the bank's actual website and transfer funds to their own bank account. More information:
1, 2, 3, 4, 5, 6, 7, 8, 9.
Port Blocking - Computers can, of course, can handle large numbers of tasks simultaneously. So that Internet-connected computers can have multiple simultaneous connections to other Internet computers, the basic Internet protocol requires specifying not only the destination computer's IP address, but a port number as well. Think of IP addresses as street addresses for buildings and port numbers as apartment numbers. Most Internet applications use standard port numbers, which means specific applications (e.g. email, BitTorrent) can be blocked by just blocking all communications using those port numbers. This sort of blocking can be done by an employer, an ISP, or a national government (in conjunction with ISPs and/or at the points where those ISPs connect to the rest of the Internet). See also: IP Blocking.
RST Injection - When a packet of data is sent from a user to a server, an intermediary can inject TCP reset packets (RST Injection) into the stream in order to reset the connection, thereby cancelling the user's request. For example, when a Chinese citizen requests a website that contains keywords such as "democracy in China," the government intermediary can abort the request by sending forged RST packets to both the user and web server. More information: 1, 2.
Stateful Traffic Analysis - Online security, like many other types of security, is a cat-and-mouse game. When users learned they could circumvent blocking based on packet sniffing by using a secure SSH tunnel, some network administrators started blocking the standard SSH ports. Users then learned to circumvent blocking of the standard SSH ports by using HTTP tunneling. As administrators started blocking the IP addresses of popular proxies, users began using software like Tor, which uses a large and dynamic networks of proxies. The response to this latest circumvention technique is stateful traffic analysis, which stores a stream of packets in order to make decisions based upon each user's activity in the aggregate. For example, a single request to an out-of-country web server does not suggest the user is attempting to circumvent filtering. But if a user is only communicating with out-of-country web servers and the packets don't contain any recognizable words, the ISP can be reasonably certain that the user is using HTTP tunneling to evade filtering and that alone may raise suspicion. More information.
Weak Passwords & Secret Questions - When a user sets a weak (i.e. easy to guess) password for an important account or uses the same password for numerous accounts, it increases the likelihood that the user's accounts can be easily compromised. Secret questions are additional questions companies use to verify the identity of people if they forget their password (e.g. mother's maiden name, pet's name, social security number). Hackers can often obtain this information through pretexting or other means. To be safe, users should treat secret questions the same as passwords: Use a different answer for every website or service. More information: 1, 2, 3, 4, 5, 6, 7, 8.
WEP & WPA Cracking - Wired Equivalent Privacy (WEP) and Wi-Fi Protected Access (WPA) are the two most common algorithms used to secure Wi-Fi connections. In 2001, computer security experts exposed major flaws in WEP's design that eventually led to the introduction of WPA. Despite the widespread availability of free software (1, 2) that can crack WEP within minutes and an abundance of tutorials about how to do so (1, 2, 3, 4), WEP is still in common use. WPA, which was introduced to fix security problems in WEP, contains its own security problems (1, 2, 3). More information: 1, 2, 3, 4.
* Eric Beach was a 2009 PFF Summer Fellow and is currently an MBA student at Cornell University. Adam Marcus is a Research Fellow and Senior Technologist at PFF.
. Metadata is summary information about a message ("data about data"). With regards to packets on the Internet, for example, the body of an email is the content, while the timestamp and routing information associated with the email is metadata. On the Internet, metadata is generally "machine-readable," meaning that it can be understood by computers because it is organized in some standard form. This is how the Internet is able to support so many different applications, because the means for sending and receiving packets is standardized and works regardless of the content of the packets.