IFIP International Information Security Conference

SEC 2015: ICT Systems Security and Privacy Protection pp 126-141 | Cite as

A Survey of Alerting Websites: Risks and Solutions

Conference paper
Part of the IFIP Advances in Information and Communication Technology book series (IFIPAICT, volume 455)

Abstract

In the recent years an incredible amount of data has been leaked from major websites such as Adobe, Snapchat and LinkedIn. There are hundreds of millions of usernames, email addresses, passwords, telephone numbers and credit card details in the wild. The aftermath of these breaches is the rise of alerting websites such as http://haveibeenpwned.com, which let users verify if their accounts have been compromised. Unfortunately, these seemingly innocuous websites can be easily turned into phishing tools. In this work, we provide a comprehensive study of the most popular ones. Our study exposes the associated privacy risks and evaluates existing solutions towards designing privacy-friendly alerting websites. In particular, we study three solutions: private set intersection, private set intersection cardinality and private information retrieval adapted to membership testing. Finally, we investigate the practicality of these solutions with respect to real world database leakages.

Keywords

Data leakages Phishing Private set intersection Private information retrieval Bloom filter 

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

References

  1. 1.
    Bloom, B.H.: Space/time trade-offs in hash coding with allowable errors. Communications of the ACM 13, July 1970Google Scholar
  2. 2.
    Bongard, D.: De-anonymizing users of french political forums. In: Passwords 2013 (2013)Google Scholar
  3. 3.
    Cachin, C., Micali, S., Stadler, M.A.: Computationally private information retrieval with polylogarithmic communication. In: Stern, J. (ed.) EUROCRYPT 1999. LNCS, vol. 1592, pp. 402–414. Springer, Heidelberg (1999) CrossRefGoogle Scholar
  4. 4.
    Chang, Y.-C.: Single database private information retrieval with logarithmic communication. In: Wang, H., Pieprzyk, J., Varadharajan, V. (eds.) ACISP 2004. LNCS, vol. 3108, pp. 50–61. Springer, Heidelberg (2004) CrossRefGoogle Scholar
  5. 5.
    Chor, B., Gilboa, N., Naor, M.: Private information retrieval by keywords (1998)Google Scholar
  6. 6.
    Chor, B., Goldreich, O., Kushilevitz, E., Sudan, M.: Private information retrieval. In: Annual Symposium on Foundations of Computer Science, FOCS 1995 (1995)Google Scholar
  7. 7.
    Das, A., Bonneau, J., Caesar, M., Borisov, N., Wang, X.: The tangled web of password reuse. In: Network and Distributed System Security Symposium, NDSS 2014 (2014)Google Scholar
  8. 8.
    de Carné de Carnavalet, X., Mannan, M.: From very weak to very strong: analyzing password-strength meters. In: Network and Distributed System Security Symposium, NDSS 2014 (2014)Google Scholar
  9. 9.
    De Cristofaro, E., Gasti, P., Tsudik, G.: Fast and private computation of cardinality of set intersection and union. In: Pieprzyk, J., Sadeghi, A.-R., Manulis, M. (eds.) CANS 2012. LNCS, vol. 7712, pp. 218–231. Springer, Heidelberg (2012) CrossRefGoogle Scholar
  10. 10.
    De Cristofaro, E., Tsudik, G.: Practical private set intersection protocols with linear complexity. In: Proceedings of the 14th International Conference on Financial Cryptography and Data Security (2010)Google Scholar
  11. 11.
    De Cristofaro, E., Tsudik, G.: Experimenting with fast private set intersection. In: Katzenbeisser, S., Weippl, E., Camp, L.J., Volkamer, M., Reiter, M., Zhang, X. (eds.) Trust 2012. LNCS, vol. 7344, pp. 55–73. Springer, Heidelberg (2012) CrossRefGoogle Scholar
  12. 12.
    Dong, C., Chen, L., Wen, Z.: When private set intersection meets big data: an efficient and scalable protocol. In: ACM Conference on Computer and Communications Security (2013)Google Scholar
  13. 13.
    Freedman, M.J., Nissim, K., Pinkas, B.: Efficient private matching and set intersection. In: Cachin, C., Camenisch, J.L. (eds.) EUROCRYPT 2004. LNCS, vol. 3027, pp. 1–19. Springer, Heidelberg (2004) CrossRefGoogle Scholar
  14. 14.
    Gentry, C., Ramzan, Z.: Single-database private information retrieval with constant communication rate. In: Caires, L., Italiano, G.F., Monteiro, L., Palamidessi, C., Yung, M. (eds.) ICALP 2005. LNCS, vol. 3580, pp. 803–815. Springer, Heidelberg (2005) CrossRefGoogle Scholar
  15. 15.
    Goldberg, I.: Improving the robustness of private information retrieval. In: IEEE Symposium on Security and Privacy, 2007. S&P 2007 (2007)Google Scholar
  16. 16.
    Hohenberger, S., Weis, S.A.: Honest-verifier private disjointness testing without random oracles. In: Danezis, G., Golle, P. (eds.) PET 2006. LNCS, vol. 4258, pp. 277–294. Springer, Heidelberg (2006) CrossRefGoogle Scholar
  17. 17.
    Huang, Y., Evans, D., Katz, J.: Private set intersection: are garbled circuits better than custom protocols? In: NDSS (2012)Google Scholar
  18. 18.
    Juels, A., Rivest, R.L.: Honeywords: making password-cracking detectable. In: ACM SIGSAC Conference on Computer and Communications Security, CCS 201313 (2013)Google Scholar
  19. 19.
    Kissner, L., Song, D.: Privacy-preserving set operations. In: Shoup, V. (ed.) CRYPTO 2005. LNCS, vol. 3621, pp. 241–257. Springer, Heidelberg (2005) CrossRefGoogle Scholar
  20. 20.
    Kontaxis, G., Athanasopoulos, E., Portokalidis, G., Keromytis, A.D.: SAuth: protecting user accounts from password database leaks. In: ACM SIGSAC Conference on Computer and Communications Security, CCS 2013 (2013)Google Scholar
  21. 21.
    Kushilevitz, E., Ostrovsky, R.: Replication is not needed: single database, computationally-private information retrieval. In: Proceedings of the 38th Annual Symposium on Foundations of Computer Science (1997)Google Scholar
  22. 22.
    Lipmaa, H.: An oblivious transfer protocol with log-squared communication. In: Zhou, J., López, J., Deng, R.H., Bao, F. (eds.) ISC 2005. LNCS, vol. 3650, pp. 314–328. Springer, Heidelberg (2005) CrossRefGoogle Scholar
  23. 23.
    Melchor, C.A., Gaborit, P.: A fast private information retrieval protocol. In: IEEE International Symposium on Information Theory, 2008. ISIT 2008 (2008)Google Scholar
  24. 24.
    Mitzenmacher, M.: Compressed bloom filters. In: ACM Symposium on Principles of Distributed Computing - PODC 2001 (2001)Google Scholar
  25. 25.
    Narayanan, A., Shmatikov, V.: Fast dictionary attacks on passwords using time-space tradeoff. In: ACM Conference on Computer and Communications Security, CCS 2005 (2005)Google Scholar
  26. 26.
    Olumofin, F., Goldberg, I.: Revisiting the computational practicality of private information retrieval. In: Danezis, G. (ed.) FC 2011. LNCS, vol. 7035, pp. 158–172. Springer, Heidelberg (2012) CrossRefGoogle Scholar
  27. 27.
    Parno, B., McCune, J.M., Wendlandt, D., Andersen, D.G., Perrig, A.: CLAMP: Practical prevention of large-scale data leaks. In: IEEE Symposium on Security and Privacy - S&P 2009 (2009)Google Scholar
  28. 28.
    Sion, R., Carbunar, B.: On the Practicality of Private Information Retrieval. In: NDSS (2007)Google Scholar
  29. 29.
    Vaidya, J., Clifton, C.: Secure set intersection cardinality with application to association rule mining. J. Comput. Secur. 13(4), 593–622 (2005)Google Scholar

Copyright information

© IFIP International Federation for Information Processing 2015

Authors and Affiliations

  1. 1.INRIAGrenobleFrance

Personalised recommendations