Search Results

1 - 8 of 8 items :

  • IT-Security and Cryptology x
Clear All
A Glance through the VPN Looking Glass: IPv6 Leakage and DNS Hijacking in Commercial VPN clients

Abstract

Commercial Virtual Private Network (VPN) services have become a popular and convenient technology for users seeking privacy and anonymity. They have been applied to a wide range of use cases, with commercial providers often making bold claims regarding their ability to fulfil each of these needs, e.g., censorship circumvention, anonymity and protection from monitoring and tracking. However, as of yet, the claims made by these providers have not received a sufficiently detailed scrutiny. This paper thus investigates the claims of privacy and anonymity in commercial VPN services. We analyse 14 of the most popular ones, inspecting their internals and their infrastructures. Despite being a known issue, our experimental study reveals that the majority of VPN services suffer from IPv6 traffic leakage. The work is extended by developing more sophisticated DNS hijacking attacks that allow all traffic to be transparently captured.We conclude discussing a range of best practices and countermeasures that can address these vulnerabilities

Open access
Beeswax: a platform for private web apps

Abstract

Even if a web-based messaging service offered confidential channels, how would users know whether their keys, or indeed even their plaintext, was not being exfiltrated? What if a variety of applications offered confidentiality? How would a user gain trust in all of them?

In this paper we argue that a platform for private web applications is the only practical way for users to gain assurance about the confidentiality claims of a large number of full-featured web-services.We introduce Beeswax, a client-side platform that allows confidential data to be exchanged between users at the behest of an application, through a narrow set of APIs. Beeswax installs in a modern browser to deliver a complete practical solution, from key distribution to isolation of private data from the applications, thereby making an analysis of application code unnecessary. This focuses scrutiny and trust on the platform itself, rather than on all the applications using it.

Open access
Location Privacy for Rank-based Geo-Query Systems

Abstract

The mobile eco-system is driven by an increasing number of location-aware applications. Consequently, a number of location privacy models have been proposed to prevent the unwanted inference of sensitive information from location traces. A primary focus in these models is to ensure that a privacy mechanism can indeed retrieve results that are geographically the closest. However, geo-query results are, in most cases, ranked using a combination of distance and importance data, thereby producing a result landscape that is periodically flat and not always dictated by distance. A privacy model that does not exploit this structure of geo-query results may enforce weaker levels of location privacy. Towards this end, we explore a formal location privacy principle designed to capture arbitrary similarity between locations, be it distance, or the number of objects common in their result sets. We propose a composite privacy mechanism that performs probabilistic cloaking and exponentially weighted sampling to provide coarse grain location hiding within a tunable area, and finer privacy guarantees under the principle inside this area. We present extensive empirical evidence to supplement claims on the effectiveness of the approach, along with comparative results to assert the stronger privacy guarantees.

Open access
Recursive Trees for Practical ORAM

Abstract

We present a new, general data structure that reduces the communication cost of recent tree-based ORAMs. Contrary to ORAM trees with constant height and path lengths, our new construction r-ORAM allows for trees with varying shorter path length. Accessing an element in the ORAM tree results in different communication costs depending on the location of the element. The main idea behind r-ORAM is a recursive ORAM tree structure, where nodes in the tree are roots of other trees. While this approach results in a worst-case access cost (tree height) at most as any recent tree-based ORAM, we show that the average cost saving is around 35% for recent binary tree ORAMs. Besides reducing communication cost, r-ORAM also reduces storage overhead on the server by 4% to 20% depending on the ORAM’s client memory type. To prove r-ORAM’s soundness, we conduct a detailed overflow analysis. r-ORAM’s recursive approach is general in that it can be applied to all recent tree ORAMs, both constant and poly-log client memory ORAMs. Finally, we implement and benchmark r-ORAM in a practical setting to back up our theoretical claims.

Open access
Social Engineering Attacks on Government Opponents: Target Perspectives

. Cox, “A Hacker Claims to Have Leaked 40GB of Docs on Government Spy Tool FinFisher,” Aug. 2014. [Online]. Available: http://motherboard.vice.com/read/a-hacker-claims-to-have-leaked-40gb-of-docs-on-government-spy-tool-finfisher [8] A. Greenberg, “Hacking Team Breach Shows a Global Spying Firm Run Amok,” Jul. 2015. [Online]. Available: https://www.wired.com/2015/07/hacking-team-breach-shows-global-spying-firm-run-amok/ [9] FinFisher, “Remote Monitoring & Infection Solutions: FinFly ISP,” Spy Files, 2011, accessed: 30-August-2016. [Online]. Available

Open access
Analyzing Remote Server Locations for Personal Data Transfers in Mobile Apps

, and William Snavely. Making DidFail Succeed: Enhancing the CERT Static Taint Analyzer for Android App Sets. 2015. [10] Mary Carolan. Data protection commissioner to investigate max schrems claims. http://www.irishtimes.com/news/crime-and-law/courts/high-court/data-protectioncommissioner-to-investigate-max-schrems-claims-1.2398728, 2015. [11] F. Di Cerbo, D. F. Some, L. Gomez, and S. Trabelsi. Ppl v2.0: Uniform data access and usage control on cloud and mobile. In TEchnical and LEgal aspects of data pRivacy and SEcurity, 2015 IEEE

Open access
Access Denied! Contrasting Data Access in the United States and Ireland

]. [54] Microsoft. Your privacy and Microsoft personalized ads. http://choice.microsoft.com/en-US [Accessed: 15- Jul-2015]. [55] P. Newenham. Facebook responds to Belgian tracking claims, 2015. http://www.irishtimes.com/business/technology/facebook-responds-to-belgian-tracking-claims-1.2219799 [Accessed: 20- Jul- 2015]. [56] L. Newman. Here’s how Facebook chooses which ads to show you, 2014. http://www.slate.com/blogs/future_tense/2014/08/14/facebook_s_why_am_i_seeing_this_shows_what_the_company_knows_about_you.html [Accessed: 10- Jun

Open access
Towards a Model on the Factors Influencing Social App Users’ Valuation of Interdependent Privacy

. Conjoint analysis in consumer research: Issues and outlook. Journal of Consumer Research, 5(2):103-123, 1978. [43] P. Green and V. Srinivasan. Conjoint analysis in marketing: New developments with implications for research and practice. The Journal of Marketing, 54(4):3-19, 1990. [44] K. Greene. Google faces new privacy class claims over email scanning. http://www.law360.com/articles/699961, 2015. Accessed: 2015-09-11. [45] J. Grossklags and A. Acquisti. When 25 cents is too much: An experiment on willingness-to-sell and

Open access