If you like your privacy when you are using your cellphone or surfing cyberspace, then you might find it disturbing how easily you can be personally identified while doing either. Researchers exploited anonymized location mobility traces and social networks to deanonymize users. Here’s a look at two different deanonymizing processes by which your privacy can be obliterated.

Location-based services sometimes offer to protect user privacy and anonymize or obfuscate personally identifiable information (PII) in the location data. There has been research in the past showing ways to defeat the anonymization, but new research showed “these methods can be effectively defeated: a set of location traces can be deanonymized given an easily obtained social network graph.”

This week at the Association for Computing Machinery’s Computer and Communications Security (ACM CCS) conference in Raleigh, NC, researchers Mudhakar Srivatsa and Mike Hicks are to present “Deanonymizing mobility traces: using social networks as a side-channel” [PDF]. It’s interesting how the mobility traces were matched to a contact graph and then social networks were exploited to find friendships via Facebook data and business relationships via LinkedIn.

Matching a user’s mobility trace to their identity “can provide information about habits, interests and activities—or anomalies to them—which in turn may be exploited for illicit gain via theft, blackmail, or even physical violence,” stated the research. It’s worth a read to see how the researchers used Wi-Fi hotspots on a university campus, captured chats via instant messengers, as well as Bluetooth connectivity to show inter-user correlations.
In these social network side channel attacks, they were able to strip out privacy and deanonymize users via their mobility traces with an accuracy of 80%. And this flyer claimed that the “proposed algorithms to quantify information released in location traces, using social networks as a side-channel, are within 90% of the optimal.” The research paper authors concluded [PDF]:

“This paper studied the use of interuser correlation models to address this problem. In particular, we exploited structural similarities between two sources of inter-user correlations (the contact graph and the social network) and developed techniques to leverage such structural similarities to deduce mapping between nodes in the contact graph with that in the social network, thereby de-anonymizing the contact graph (and thus the underlying mobility trace). We validated our hypothesis using three real world datasets and showed that the proposed approach achieves over 80% accuracy, while incurring no more than a few minutes of computational cost in de-anonymizing these mobility traces.”

Then Jeremiah Grossman, founder of WhiteHat Security, has a different deanonymizing approach in his “I Know . . .” series. He builds on what he has previously demonstrated about attack techniques and how a user may do nothing more than visit the “wrong” site for that website to “learn what websites you’ve visited, how they can steal a browser’s auto-complete data, what sites you are logged in to, surreptitiously activate a computer’s video camera and microphone, list out what Firefox Add-Ons are installed, what you’ve previously watched on YouTube, who is listed in your Gmail contact list, etc.” If you think you are relatively anonymous, then you’ll be disappointed.
Grossman warned that unless a user takes “very particular precautions,” then nearly every website can quickly glean your personal information, such as “I Know: …A LOT About Your Web Browser and Computer, …The Country, Town, and City You Are Connecting From (IP Geolocation), …What Websites You Are Logged-In To (Login-Detection via CSRF), …I Know Your Name, and Probably a Whole Lot More (Deanonymization via Likejacking, Followjacking, etc.), …Who You Work For, …Your [Corporate] Email Address, and more….”

Grossman’s entire I Know series is excellent, but in keeping with deanonymization via social networks, let’s home in on “I know your name, and probably a whole lot more.” Clickjacking techniques involve an invisible object that chases your mouse around the page, waiting for you to click on something, anything, while you are there. Clickjacking can be used by hackers to covertly turn on your computer’s camera and microphone, but many people are unaware of that, as was highlighted in the study that found 1 in 2 Americans are ‘clueless’ about webcam hacking. Since we’ve also previously looked at cookiejacking, let’s home in specifically on Followjacking via Twitter and Likejacking via Facebook. You should read Grossman’s article, but here’s his shorter explanation and demonstration in a video.

Of the clickjacking, Grossman wrote:

“By now it should be clear that this style of attack can be extended to LinkedIn, Google+, and other online services providing similar functionality. That list is quite long.

“I would like to reiterate a key lesson and highlight a new one.

“If a browser is logged-in to a social network or similar identity storage website, as many are persistently, a single-mouse click is all it takes for any website to reveal a visitor’s real name and other personal information.

“If the browser happens to have the popular Tor proxy installed, it does not provide any protection against deanonymization via Likejacking and Followjacking.

“Can we actually call this clickjacking –> deanonymization issue a “vulnerability?” If so, who is responsible for dealing with it? The browser vendors? The logged-in visitor? The social networking website(s)? The Web standards bodies?”

These deanonymization examples, in which your identity can be revealed via allegedly anonymized location data from a mobile device, or in which one click lets a website find out pretty much everything about you, actually create more questions than answers. Both are disturbing from a privacy/security perspective.
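
To make the first of the two processes concrete, the added example below (not code from the paper or from the original article) shows why swapping names for pseudonyms does not anonymize a contact graph: it computes a label-independent structural signature for every node and reports which pseudonyms line up with exactly one named node in a social graph. The graphs, the names and the use of Weisfeiler-Lehman refinement are assumptions chosen for illustration, and the two graphs are assumed to match exactly in structure.

```python
import hashlib
from collections import Counter

# Constructed sample data: a public social graph with real names...
SOCIAL = {
    "alice": {"bob", "carol", "dave"},
    "bob": {"alice", "carol"},
    "carol": {"alice", "bob"},
    "dave": {"alice", "erin"},
    "erin": {"dave"},
}
# ...and a "pseudonymized" contact graph of the same people (names replaced by ids).
CONTACT = {
    "u3": {"u1", "u4", "u5"},
    "u1": {"u3", "u4"},
    "u4": {"u3", "u1"},
    "u5": {"u3", "u2"},
    "u2": {"u5"},
}

def signatures(graph, rounds=3):
    """Weisfeiler-Lehman refinement: a signature built only from structure, not labels."""
    sig = {n: str(len(nbrs)) for n, nbrs in graph.items()}  # round 0: node degree
    for _ in range(rounds):
        # Each round folds the sorted signatures of a node's neighbours into its own.
        sig = {n: hashlib.sha256(
                   (sig[n] + "|" + ",".join(sorted(sig[m] for m in nbrs))).encode()
               ).hexdigest()[:16]
               for n, nbrs in graph.items()}
    return sig

def reidentifiable(contact, social, rounds=3):
    """Map each pseudonym to a name when its signature is unique in both graphs."""
    c_sig, s_sig = signatures(contact, rounds), signatures(social, rounds)
    c_count, s_count = Counter(c_sig.values()), Counter(s_sig.values())
    unique_names = {s: name for name, s in s_sig.items() if s_count[s] == 1}
    return {p: unique_names[s] for p, s in c_sig.items()
            if c_count[s] == 1 and s in unique_names}

def exposure(contact, social):
    """Fraction of pseudonyms that structure alone ties to a single identity."""
    return len(reidentifiable(contact, social)) / len(contact)

if __name__ == "__main__":
    print(reidentifiable(CONTACT, SOCIAL))  # u1 and u4 (bob/carol) stay ambiguous
    print(exposure(CONTACT, SOCIAL))
```

Only nodes in structurally interchangeable positions (bob and carol here) stay ambiguous, so anyone preparing such a dataset for release can treat the exposure fraction as a measure of how little the pseudonyms protect.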