A privacy and security analysis of realistic personal data leakages through fingerprinting and inadequate policies

Abstract

In this thesis, we evaluate and analyze the cybersecurity and privacy impact of personal information leakages in practice. Here, we study two types of countermeasures that have historically been deployed to protect against privacy or security abuses, more specifically, network traffic encryption and international privacy regulations. First, we extensively discuss webpage fingerprinting in the domain of network traffic analysis and present novel attacks that are capable of predicting webpage visits as MitM from large social media platforms. At the same time, we solve many of the practical implications such as the need for large network traffic datasets and the ability to fingerprint webpages which are inherently dynamic by nature. Moreover, we demonstrate that fingerprinting methods of prior academic work are unrealistic to conduct in real-life, especially due to the base-rate fallacy and the wide variety of network clients that induce different behaviour in network traffic. Therefore, we devise a novel network processing technique which significantly improves upon prior methods with accuracy increases up to 50% in realistic use cases. To finalize, we suggest several countermeasures against these fingerprinting attacks and experimentally evaluate the viability to implement these defenses in practice. In addition to webpage fingerprinting, we also discuss several methods applied by the industry to fingerprint domain names of websites in the context of zero-rating. Here, we demonstrate that recent encryption protocols such as DoH and ECHO do not sufficiently protect the end-user against leakages by proposing a chain of attack techniques that are able to substantially reduce the effectiveness of these protocols.

The second and last part of this thesis analyzes the implementation of privacy policies and how personal information leakages can occur in this context by abusing Art. 15 `Right of Access' of the GDPR. In our ethically set up analysis we demonstrate that by using specially crafted social engineering attacks, we are able to request highly sensitive personal data from external individuals. We carefully pick 55 organizations from the Alexa top websites and observe that 27% of the tested organizations are vulnerable to our attack. These organizations conduct business in diverse areas such as the financial, transport and entertainment industry. To solve these high-impact issues, we propose various technical suggestions for organizations to improve their security policies and for consumers to avoid using organizations that have no strict or secure policy in place. Finally, we examine whether the vulnerable organizations have ameliorated their policies after a period of 2 years by conducting an improved variant of our attack. In this study, we discover that more than half of the organizations have not (yet) implemented the necessary changes to prevent our attack and avoid leaking personal data. In addition, we learn that 27% of the organizations have worsened their policies over time instead of improving them. To better understand the reasoning behind choosing specific secure (or insecure) privacy policies, we have conducted interview sessions with DPO and also compared the different methods to abuse the `Right of Access' from prior work. Based on our overall findings from our experiments and interviews, we discover that many of the insecure practices are a direct result of common technical security misconceptions such as for instance, digital signatures and the inner-workings of two-factor authentication.