Re: [perpass] A reminder, the Network is the Enemy...

Bjoern Hoehrmann <derhoermi@gmx.net> Thu, 21 November 2013 04:00 UTC

Return-Path: <derhoermi@gmx.net>
X-Original-To: perpass@ietfa.amsl.com
Delivered-To: perpass@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3B6AC1AE09B for <perpass@ietfa.amsl.com>; Wed, 20 Nov 2013 20:00:40 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.425
X-Spam-Level:
X-Spam-Status: No, score=-2.425 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RP_MATCHES_RCVD=-0.525, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7SV49DL8UxZ6 for <perpass@ietfa.amsl.com>; Wed, 20 Nov 2013 20:00:38 -0800 (PST)
Received: from mout.gmx.net (mout.gmx.net [212.227.17.20]) by ietfa.amsl.com (Postfix) with ESMTP id B6D931ADBCC for <perpass@ietf.org>; Wed, 20 Nov 2013 20:00:37 -0800 (PST)
Received: from netb.Speedport_W_700V ([91.35.13.37]) by mail.gmx.com (mrgmx102) with ESMTPA (Nemesis) id 0MHrk1-1Vfm0C3q5V-003f0U for <perpass@ietf.org>; Thu, 21 Nov 2013 05:00:26 +0100
From: Bjoern Hoehrmann <derhoermi@gmx.net>
To: Ted Lemon <mellon@fugue.com>
Date: Thu, 21 Nov 2013 05:00:12 +0100
Message-ID: <92lq89dapmn0u21t519plhamifqcdjfv80@hive.bjoern.hoehrmann.de>
References: <9B79CCC3-853E-42F4-8390-ED0EE019C275@icsi.berkeley.edu> <B4A3135B-1391-4794-BE23-D823962C294C@fugue.com> <dbeq89lhsqj0krnes41rnrodc6sjmcecr8@hive.bjoern.hoehrmann.de> <55D41CD1-7D56-4DF5-98A5-8EFFBF86C42A@fugue.com>
In-Reply-To: <55D41CD1-7D56-4DF5-98A5-8EFFBF86C42A@fugue.com>
X-Mailer: Forte Agent 3.3/32.846
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 8bit
X-Provags-ID: V03:K0:ydozInnOj3d0E1Gs38Cjeox2pzCGoq3hrlhVBI9fg/NILZ68luS +s3SkJW/ifqvSlT4l7jkpwsyjAT1kUHqqbGxngDePPXK7KLa9mvnHNqmwtHmett8gpk/ShQ Q2TMN4ZEqTh6i6ZJtiMQeIE5K9/P/EvrZ1CESqoO8m0YhXTWrADycwPXloGvB5wAU1xW5/X A5Nb4G9V0wNa6CJGfJ+BA==
Cc: perpass <perpass@ietf.org>, Nicholas Weaver <nweaver@icsi.berkeley.edu>
Subject: Re: [perpass] A reminder, the Network is the Enemy...
X-BeenThere: perpass@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "The perpass list is for IETF discussion of pervasive monitoring. " <perpass.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/perpass>, <mailto:perpass-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/perpass/>
List-Post: <mailto:perpass@ietf.org>
List-Help: <mailto:perpass-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/perpass>, <mailto:perpass-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 21 Nov 2013 04:00:40 -0000

* Ted Lemon wrote:
>On Nov 20, 2013, at 5:43 PM, Bjoern Hoehrmann <derhoermi@gmx.net> wrote:
>> Online advertisers are happy to help you identify your targets and put
>> code on their computers, <http://en.wikipedia.org/wiki/Malvertising>.
>
>Malvertising is a scattershot approach, not a targeted approach.   If
>you have access to a lot of demographic data, you may with some
>difficulty be able to target an attack to an individual, but scraping
>the HTTP at the server is a _lot_ easier.   Making that impossible
>increases the cost of this type of attack significantly.

Modern ads are complex computer programs running on your computer with
access to information the ad network associates with "you", information
associated with the page the ad is on, and the ability to probe your
computer for more information. Instead of scanning through the network
traffic the attacker would use these data sources to identify you and
attack once identified.

Silly example: let's say the ad can know which page it is loaded on and
it can persist information that is available when the ad is loaded from
the page by the user again. Now that page is https://example.com/~user
and the ad is shown to all who visit that page. After some time the ad
knows (perhaps through a synchronising server) which user has visited
that page most frequently and can infer that's the actual user "user".

If an attacker wanted to target someone attending the most recent IETF
meeting they might start with booking ads for "People who normally
reside in X but are on visit in Vancouver" during the first week of
November 2013. Someone with an interest in internationalisation, Uni-
code and all that stuff? Probe the system for unusual fonts.
-- 
Björn Höhrmann · mailto:bjoern@hoehrmann.de · http://bjoern.hoehrmann.de
Am Badedeich 7 · Telefon: +49(0)160/4415681 · http://www.bjoernsworld.de
25899 Dagebüll · PGP Pub. KeyID: 0xA4357E78 · http://www.websitedev.de/