UCSB CS 290 - Host-based Security

This preview shows page 1-2-3-25-26-27-28-50-51-52 out of 52 pages.


CS 290 Host-based Security and Malware
Christopher Kruegel
[email protected]

Social Networks
• Social networks
  – massive growth and rise in popularity
  – people provide significant amount of private/sensitive information
  – security and privacy threats not well understood
  – often, protection offered by social network providers lacking

Social Network Security Issues
• Data privacy
  – blackmail
  – identity theft
  – personalized spear-phishing
  – targeted advertisement
• New venue to reach large number of potential victims
  – spam
  – malware / worms
  – links that point to sites with browser exploits (drive-by downloads)

Social Network Security Issues
• Rogue applications
  – developed and under control of third parties
  – access to profile information and those of friends
• Support for regular crime
  – absence notes for burglary opportunities
  – monitor victim’s spending habits
• Crawlers
  – obtain large amount of data against will of social networks

Data Privacy
• Wealth of sensitive and private information
  – not everything on Facebook is cool
  – so, how do social networks protect this data
• Wait! You need to be my friend to see my data.
• True, but …
  – open profiles
  – fake profiles
  – profile cloning
  – link addicts

Fake Profile (Ranum Experiment)
Source: Shawn Moyer and Nathan Hamiel (BlackHat Talk)

Profile Cloning
[figures not preserved]

De-Anonymization of Third-Party Web Site Visitors

Attack Scenario
Learn identity of users that visit your web site
  – Profile: John Smith, member of a few groups
  – Offline preparation
  – “Interesting … John Smith is visiting our site”

Offline Preparation
Learn group memberships of all social network users
  – find all groups in social network
  – determine members of each group
• Find groups
  – public group directories (Facebook)
  – predictable group identifiers (LinkedIn)
• Determine what users are members in a specific group
  – examine public group pages (Facebook)
  – join private group pages (more difficult)
  – examine user profiles (in LinkedIn, via public membership directory)

Finding Groups
[figure not preserved]

Finding Membership Information
[figure not preserved]

Finding Membership Information
• Is it feasible?
  – we used 80legs service to crawl 3M LinkedIn group IDs for $7.49
  – randomly crawled 3M user profiles for $6.57
  – apologies for wasting your resources
  – fully enumerated group memberships for Xing (8M users)

Online JavaScript Attack
• We now have group membership information, but … who cares?
In the online part of the attack
  1. We leverage browser history stealing and predictable URLs to determine the groups that visitor is member of
  2. We combine this information with the group membership information to determine the identity of the visitor

Online Attack
• How does browser history stealing work?
  – well-known browser “problem” (typically considered harmless)
  – put a (hidden) link on a page and check its color (using CSS magic)
  – when link has been visited (i.e., it is in the browser history), then the color is different
  – serves as an oracle for presence / absence of specific URLs
  – note that you cannot simply read out entire history of the browser
  – our JavaScript sent to victim performs history stealing, that is, it checks for certain URLs

Online Attack
• Which URLs are checked?
  – those that indicate that a visitor is member of a group
  – this only works when such URLs exist and are predictable
  – fortunately (for the attacker), this is the case for most SNs

Candidate Sets
• In the best of all cases
  1. attacker obtains group memberships from history stealing
  2. intersects the known members in all these groups
  3. only one profile remains, and the person is de-anonymized
• But wait …
  – group memberships are not always unique, are they?
  – what happens when history stealing attack misses groups?

Candidate Sets
• Candidate sets
  – all users in intersection (or union) of identified groups
  – additional refinement step
• Refinement step
  – check for URLs that indicate individual users
  – dynamically generate this list from candidate set, and launch history stealing attack
  – of course, we could have checked for these links right away, unfortunately, there are way too many (in the millions)
  – thus, not feasible in practice – takes too long

Candidate Set Sizes
• Xing
  – 4.4 million membership relations, 1.8 million unique users in groups
  – 6,277 groups before the entire set of users is covered
  – 42.06% of users have a unique group fingerprint
  – for 90% of all users, the candidate set is < 2,912 users
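
Added example (not from the lecture): a Python sketch of the candidate-set arithmetic from the "Candidate Sets" and "Candidate Set Sizes" slides, which a site operator could run over its own membership table to measure how identifying group memberships are. The group names, user names and the `MEMBERS` table are constructed for illustration.

```python
from collections import Counter, defaultdict

# Constructed toy membership table (group -> members); not data from the lecture.
MEMBERS = {
    "g_security": {"alice", "bob", "carol", "frank"},
    "g_sailing":  {"alice", "dave"},
    "g_alumni":   {"alice", "bob", "dave", "erin", "frank"},
    "g_chess":    {"carol", "erin"},
}

def fingerprints(members):
    """Invert group -> users into user -> frozenset of groups (the group fingerprint)."""
    fp = defaultdict(set)
    for group, users in members.items():
        for user in users:
            fp[user].add(group)
    return {user: frozenset(groups) for user, groups in fp.items()}

def unique_fingerprint_fraction(members):
    """Fraction of users whose exact set of groups is shared with nobody else."""
    fp = fingerprints(members)
    counts = Counter(fp.values())
    return sum(1 for f in fp.values() if counts[f] == 1) / len(fp)

def candidate_set(observed, members, mode="intersection"):
    """Users consistent with a set of observed groups.

    intersection: users who are in every observed group.
    union: users who are in at least one observed group.
    """
    sets = [members[g] for g in observed if g in members]
    if not sets:
        return set()
    if mode == "intersection":
        return set.intersection(*sets)
    return set.union(*sets)

def candidate_sizes(members):
    """Per user: size of the intersection of all groups that user belongs to."""
    fp = fingerprints(members)
    return {u: len(candidate_set(groups, members)) for u, groups in fp.items()}

if __name__ == "__main__":
    print(f"unique fingerprints: {unique_fingerprint_fraction(MEMBERS):.2%}")
    for user, size in sorted(candidate_sizes(MEMBERS).items()):
        print(f"{user}: candidate set of {size}")
```

In the toy data, dave has a unique fingerprint yet a candidate set of two, because alice belongs to a superset of his groups; fingerprint uniqueness and intersection size are separate measures.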

