Binary Intelligence

...thoughts and news on digital forensics, pentesting, electronic investigations, and the computer underground.

3/27/2009
Posted by Matt C

Researchers can ID anonymous Twitterers

Web sites that strip personally identifiable information about their users and then share that data may be compromising their users' privacy, according to researchers at the University of Texas at Austin.

They took a close look at the way anonymous data can be analyzed and have come to some troubling conclusions. In a paper set to be delivered at an upcoming security conference, they showed how they were able to map out the connections on public social networks such as Twitter and Flickr. They were then able to identify people who were on both networks by looking at the many connections surrounding their network of friends. The technique isn't 100 percent effective, but it may make some users uncomfortable about whether they should allow their data to be shared in an anonymous format.

Web site operators often share data about users with partners and advertisers after stripping it of any personally identifiable information such as names, addresses or birth dates. Arvind Narayanan and fellow researcher Vitaly Shmatikov found that by analyzing these "anonymized" data sets, they could identify Flickr users who were also on Twitter about two-thirds of the time, depending on how much information they have to work with.

From NetworkWorld.com.

3/19/2009
Posted by Jim

No More Free Bugs

CanSecWest is currently going on, and I am not there. No complaints however, as I am finishing up a week long training class in X-Ways Forensics. (Verdict: top notch. Check out the program.)

Catching up on the news tonight, I found these quotes from an interview with Charlie Miller (winner of the PWN to OWN contest against OS X) very interesting:

Did you consider reporting the vulnerability to Apple?

I never give up free bugs. I have a new campaign. It’s called NO MORE FREE BUGS. Vulnerabilities have a market value so it makes no sense to work hard to find a bug, write an exploit and then give it away. Apple pays people to do the same job so we know there’s value to this work. No more free bugs.

I have heard this rumbled about for a while. There is no disputing that there is a market for bugs, and it is sort of refreshing to hear someone be upfront about their reasons for finding bugs. A lot of people like to pretend that this work is done for "the good of the community". Really, there are a few reasons white hats find the bugs: a) To keep private to add value to their pentests, b) to release to the public to show off their skillz and c) to sell.

I don't see any shame in that. Why should companies like Apple, MS, etc. expect customers to do their work for them? What is the value?

You talked earlier about the value of vulnerabilities. Was it a surprise that he (Nils) basically gave up three “high-value” bugs for $5,000 each?

It’s clear he’s incredibly talented. I was shocked when I saw someone sign up to go after IE 8. You can get paid a lot more than $5,000 for one of those bugs. I’ve talked to a lot of smart, knowledgeable people and no one knows exactly how he did it. He could easily get $50,000 for that vulnerability. I’d say $50,000 is a low-end price point.

For the amount of time he spent to do what he did on IE and Firefox, he could have found and exploited five or 10 Safari bugs. With the way they’re paying $5,000 for every verifiable bug, he could have spent that same time and resources and make $25,000 or $30,000 easily just by going after Safari on Mac.

The other thing that jumped out at me was some of the comments about targeting Macs.

Why Safari? Why didn’t you go after IE or Safari?

It’s really simple. Safari on the Mac is easier to exploit. The things that Windows do to make it harder (for an exploit to work), Macs don’t do. Hacking into Macs is so much easier. You don’t have to jump through hoops and deal with all the anti-exploit mitigations you’d find in Windows.

Take that quote, combine it with some recent commentary about the number of security professionals using Macs, and with meterpreter now being ported to the Mac (complete with the ability to take pics with the built-in iSight cameras), and times might get interesting. Going back to my above statement about one of the main reasons for tracking down bugs being to show off your skillz, it makes one wonder how many infosec people one could bag at a con...

3/19/2009
Posted by Matt C

When Forensics Bites Back

This story is kind of funny, but kind of sad.

MARCH 18--Meet Michelle Owen. Concerned that an ex-boyfriend had used her laptop to search for child pornography, the Indiana woman asked police to search the computer for illegal images, but had her plan backfire when cops discovered two videos of her engaged in illicit acts with a dog. Owen, 24, was charged last week with two felony bestiality counts in connection with the video files, which a detective found in the laptop's "recycle bin." At the time Owen asked cops to search the computer, she was locked up in the Johnson County Jail on a public intoxication charge (which violated the terms of her release in a prior drunk driving case). According to a police affidavit, a copy of which you'll find here, a cop told Owen that he had found videos of her on the laptop and asked if she "knew what those files might be." Owen, pictured in the below mug shot, replied, "The one with the dog." Cops believe that the dog in question, Toby, is a beagle. After asking if she was "going to be charged with this," Owen said that the videos "were just something she did when she was drunk and barely remembers it," adding that she tried to "delete them the next day when she was sober."
From TheSmokingGun.com

"We've found a way to identify documents even when there was nothing additional printed on them," said Alex Halderman, now an assistant professor at the University of Michigan, who was part of the Princeton team. "This is like an invisible serial number printed on every piece of paper ever made."

Two blank pieces of paper may look identical, but if you hold them to a light, you can see that in fact they're unique mashups of fibers. The researchers said that they can measure this unique texture using a standard 1,200 dpi scanner and some custom software they've written.

By turning the page by 90 degrees and scanning it again and again, the researchers can pluck out subtle distinctions in the paper's texture and create a unique digital map of its surface. "You scan it four times and then the software is able -- from these four scans -- to figure out what the surface texture of the document looks like," said William Clarkson, a Princeton graduate student. "Then it can extract essentially a fingerprint of the document."

From ComputerWorld.com

3/10/2009
Posted by Jim

iPhone Applications and Content

Saw this article today that had me shaking my head. Turns out Apple rejected an update to a Twitter app due to the fact that a curse word shows up on the trend list.


So, let's get this straight. Apple will approve applications where teens share indecent pictures with each other (Twinkle) and apps that are full of nothing other than pornography (Zintin), but they won't approve an app that shows a "naughty" word?

Good job Apple!

3/05/2009
Posted by Jim

PS3 Forensics

There was recently a discussion about forensics on the PS3 game system on the HTCIA mailing list. I had put together a posting for the list regarding the encrypted drives on the PS3 that I thought I would share here as well. Despite these advancements in extracting decrypted data off of the system, the best way to do a forensics exam of the PS3 is still to create an image, then start the PS3 back up and take photos of the data you can access through the PS3 interface. It's not sexy, but it gets the job done as well as possible right now.

Within the PS3 hacking community, the last couple of weeks there has been a bit of a tiff. One group is claiming to have found a way of decrypting the PS3 HD, while another is saying it is just a lie. Well, a tutorial recently came out with a walkthrough on how to "decrypt" the data. You can read it at http://streetskaterfu.blogspot.com/2009/03/hdd-decryption-tutorial.html.

I have not attempted this myself as of yet (as my PlayStation is currently in to Sony for repairs), but will try to get a chance to do so soon. To summarize the process, all that is being done is this: first you make an image of the PS3 HD. Afterward, place the HD back into the PS3, and copy a large file off of removable media onto the PS3 hard drive through the PS3 interface. Then remove the PS3 HD, and take another image. At that point, you take a diff of the two images, and you will see which data has changed between the images. This is now your known data, your scratch file.

You can then take some unknown encrypted data, and overwrite the scratch file with it. You then write the image to the PS3 HD, and place it back into the PS3. Then, through the PS3 interface you can access your "scratch file", and copy it off to removable media for examination. The contents of the scratch file will have changed to be a decrypted version of the data which was pasted into the scratch file previously. This process could then be repeated for the entire span of unknown data on the PS3 HD, giving you a decrypted version of all the data.

Again, I have not been able to verify this at all, but it does sound logical depending on how the internal structure of the PS3 filesystem is maintained. It will be about a week or more before my PS3 is going to be back, and then I will be leaving town for a couple of weeks, so I have no idea when I will get a chance to work with this. If anyone else verifies this before I have a chance, I would be very interested in hearing back from you.
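The image-diff step of the procedure above (locating where the copied file landed by comparing the before and after images) is the part an examiner can script. The following is an added example, not code from the post or the linked tutorial: a sector-level diff that reports contiguous changed ranges, run against two small constructed in-memory images rather than real PS3 dumps.

```python
"""Sector-level diff of two disk images to locate the changed region.

Added example for the PS3 post above. The "before" and "after" images are
constructed in memory for the demo (constructed sample data), so this runs
offline; point changed_ranges() at two real image files read as bytes to use it.
"""
import random

SECTOR = 512  # compare at sector granularity, as an imager would


def changed_ranges(before: bytes, after: bytes, sector: int = SECTOR):
    """Return (start, end) byte offsets, end exclusive, for every run of
    consecutive sectors that differ between the two images."""
    if len(before) != len(after):
        raise ValueError("images differ in size; both must be full images of the same drive")
    ranges = []
    run_start = None
    for off in range(0, len(before), sector):
        same = before[off:off + sector] == after[off:off + sector]
        if not same and run_start is None:
            run_start = off            # a new run of changed sectors begins
        elif same and run_start is not None:
            ranges.append((run_start, off))
            run_start = None
    if run_start is not None:          # run extends to the end of the image
        ranges.append((run_start, len(before)))
    return ranges


def largest_range(ranges):
    """The copied file is the biggest run of change; smaller runs are the
    filesystem metadata the console touched while writing it."""
    return max(ranges, key=lambda r: r[1] - r[0]) if ranges else None


def build_demo_images(seed: int = 7):
    """Constructed sample data: a 64 KiB 'before' image of random bytes, and an
    'after' image where a 16 KiB file landed at sector 40 and one metadata
    sector changed at sector 2."""
    rnd = random.Random(seed)
    before = bytes(rnd.getrandbits(8) for _ in range(64 * 1024))
    after = bytearray(before)
    after[2 * SECTOR:3 * SECTOR] = bytes(rnd.getrandbits(8) for _ in range(SECTOR))
    after[40 * SECTOR:72 * SECTOR] = bytes(rnd.getrandbits(8) for _ in range(32 * SECTOR))
    return before, bytes(after)


if __name__ == "__main__":
    b, a = build_demo_images()
    diff = changed_ranges(b, a)
    for s, e in diff:
        print(f"changed: sectors {s // SECTOR}-{e // SECTOR - 1} ({e - s} bytes)")
    print("scratch file candidate (byte range):", largest_range(diff))
```

On real images the same two calls give the byte range of the scratch file, which is the region the rest of the tutorial's procedure works with; everything outside the largest run is worth noting as metadata the console rewrote.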

3/03/2009
Posted by Jim

Maltego

Just wanted to bring up an impressive experience I had today with a vendor.


I have been using Maltego since about this summer, after running into Chris Gates when Matt and I were speaking at ToorCon. Chris highly recommended the product, so I checked it out and bought a copy after I was back from San Diego.

I have been using the product for a while, and have been happy with it. It does its job well. Not much to say about it that has not been said before.

Today however, I received a call to ask me how happy I have been with the product. (Frankly, at first I worried that a customer database was leaked and this was a phishing scam.) I was asked questions such as how often I use the product, what I like, what I don't like, what I wish it did, etc. Overall, I was pretty impressed that a vendor was soliciting this sort of input. Really, for as much as this product costs, this level of customer service is unheard of. I look at the money we have spent on AccessData products, on EnCase, on Core Impact, etc, and I never got a call like this before.

Then to top it off, less than an hour after I got off the phone I received an e-mail from Roelof from Paterva. While on the call, I had expressed some interest in a feature within the product, and Roelof was contacting me to let me know how to accomplish my wish list within the current feature set.

This level of quick follow-up on solicited input was amazing. I wish all my vendors treated me this well.

Well done Paterva.

For anyone interested in trying out Maltego, it is included in the BackTrack 4 beta.
