Deanonymizing You: I know who you are after 1 click online or a mobile call

If you like your privacy when you are using your cellphone or surfing cyberspace, then you might find it disturbing how easily you can be personally identified while doing either. Here’s a look at two different deanonymizing processes by which your privacy can be obliterated.

Location-based services sometimes offer to protect user privacy and anonymize or obfuscate personally identifiable information (PII) in the location data. There has been research in the past showing ways to defeat the anonymization, but new research showed “these methods can be effectively defeated: a set of location traces can be deanonymized given an easily obtained social network graph.”

This week at the Association for Computing Machinery’s Computer and Communications Security (ACM CCS) conference in Raleigh, NC, researchers Mudhakar Srivatsa and Mike Hicks are to present “Deanonymizing mobility traces: using social networks as a side-channel” [PDF]. It’s interesting how the mobility traces were matched to a contact graph and then social networks were exploited to find friendships via Facebook data and business relationships via LinkedIn.

Matching a user’s mobility trace to their identity “can provide information about habits, interests and activities—or anomalies to them—which in turn may be exploited for illicit gain via theft, blackmail, or even physical violence,” stated the research. It’s worth a read to see how the researchers used Wi-Fi hotspots on a university campus, captured chats via instant messengers, as well as Bluetooth connectivity to show inter-user correlations. In these social network side channel attacks, they were able to strip out privacy and deanonymize users via their mobility traces with an accuracy of 80%. And this flyer claimed that the “proposed algorithms to quantify information released in location traces, using social networks as a side-channel, are within 90% of the optimal.”

The research paper authors concluded [PDF]:

This paper studied the use of interuser correlation models to address this problem. In particular, we exploited structural similarities between two sources of inter-user correlations (the contact graph and the social network) and developed techniques to leverage such structural similarities to deduce mapping between nodes in the contact graph with that in the social network, thereby de-anonymizing the contact graph (and thus the underlying mobility trace). We validated our hypothesis using three real world datasets and showed that the proposed approach achieves over 80% accuracy, while incurring no more than a few minutes of computational cost in de-anonymizing these mobility traces.

Then Jeremiah Grossman, founder of WhiteHat Security, has a different deanonymizing approach in his “I Know . . .” series. He builds on what he has previously demonstrated about attack techniques and how a user may do nothing more than visit the “wrong” site for that website to “learn what websites you’ve visited, how they can steal a browser’s auto-complete data, what sites you are logged in to, surreptitiously activate a computer’s video camera and microphone, list out what Firefox Add-Ons are installed, what you’ve previously watched on YouTube, who is listed in your Gmail contact list, etc.”

If you think you are relatively anonymous, then you’ll be disappointed. Grossman warned that unless a user takes “very particular precautions,” then nearly every website can quickly glean your personal information, such as “I Know:  …A LOT About Your Web Browser and Computer,  …The Country, Town, and City You Are Connecting From (IP Geolocation),  …What Websites You Are Logged-In To (Login-Detection via CSRF),   … I Know Your Name, and Probably a Whole Lot More (Deanonymization via Likejacking, Followjacking, etc.) ,  … Who You Work For,  … Your [Corporate] Email Address, and more….”

Grossman’s entire I Know series is excellent, but in keeping with deanonymization via social networks, let’s hone in on “I know your name, and probably a whole lot more.” Clickjacking techniques involve an invisible object that chases your mouse around the page, waiting for you to click on something, anything, while you are there. Clickjacking can be used by hackers to covertly turn on your computer’s camera and microphone, but many people are unaware of that as was highlighted in the study that found 1 in 2 Americans are ‘clueless’ about webcam hacking.  

Since we’ve also previously looked at cookiejacking, let’s hone in specifically on Followjacking via Twitter and Likejacking via Facebook. You should read Grossman’s article, but here’s his shorter explanation and demonstration in a video.

Of the clickjacking, Grossman wrote:

By now it should be clear that this style of attack can be extended to LinkedIn, Google+, and other online services providing similar functionality. That list is quite long.

I would like to reiterate a key lesson and highlight a new one.

• If a browser is logged-in to a social network or similar identity storage website, as many are persistently, a single-mouse click is all it takes for any website to reveal a visitor’s real name and other personal information.
• If the browser happens to have the popular Tor proxy installed, it does not provide any protection against deanonymization via Likejacking and Followjacking.

Can we actually call this clickjacking –> deanonymization issue a “vulnerability?” If so, who is responsible for dealing with it? The browser vendors? The logged-in visitor? The social networking website(s)? The Web standards bodies?

All of deanonymization examplifies where your identity can be revealed via alleged anonymized location data from a mobile device, or via one click and a website can find out pretty much everything about you, actually create more questions than answers. Both are disturbing from a privacy/security perspective.

Like this? Here’s more posts:

• Time to disable Java AGAIN: 1 billion at risk from newest critical Java bug
• Feds Warn of Zombie Apocalypse! Buy emergency kit, but you might be a terrorist if…
• Senate report: Fusion centers don’t find terrorists, filled with ‘crap’ that violates privacy
• Smartphone snoop: Even when phone sleeps, digital assistant always eavesdrops
• Facebook Want Button: Collecting massive amounts of data about you has never been easier
• Busted! Forensic expert who recovered lurid SMS warns: Phone texts don’t die, they hide
• Microsoft: Companies should pay Uncle Sam $10k per H-1B Visa to hire skilled foreigners
• Lock picking hotel rooms like James Bond
• Flame’s vicious sibling miniFlame malware, a cyber-espionage ‘surgical attack tool’
• Surveillance State: From Inside Secret FBI Terrorist Screening Room to TrapWire Training
• Social media surveillance helps the government read your mind

Follow me on Twitter @PrivacyFanatic