Abstract
We investigate the degree to which a privacy preserving technology (PPT) can protect an organization against a variety of attacks aimed at undermining its privacy. We studied a PPT at a United States based organization and executed multiple attacks associated with network monitoring, phishing, and online social networks (OSNs). To begin, we received written authorization to conduct this study from the General Counsel of the case study organization and completed a formal application with the George Mason University Human Subject Review Board. Next, we surveyed 160 of the PPT users to establish their background and security knowledge regarding privacy and anonymization on the Internet. We deployed a network monitoring solution to record the websites visited and the actions performed by the users while on the PPT. The point of the phishing attack was to determine what additional information the users were willing to give up; 92 of the 160 participants (58 percent) fell victim to our phishing campaign. The last attack phase shows the extent to which information made freely available on an online social network can undermine the anonymization offered by the PPT: we were able to determine the Facebook profiles of 34 of the 160 participants (21 percent). Upon completion of the attacks, we compiled the information and presented it to the users as security awareness training.
© 2012 Springer-Verlag Berlin Heidelberg
Cite this paper
Clark, J.W. (2012). Everything But the Kitchen Sink: Determining the Effect of Multiple Attacks on Privacy Preserving Technology Users. In: Jøsang, A., Carlsson, B. (eds) Secure IT Systems. NordSec 2012. Lecture Notes in Computer Science, vol 7617. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-34210-3_14
DOI: https://doi.org/10.1007/978-3-642-34210-3_14
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-34209-7
Online ISBN: 978-3-642-34210-3
