Privacy in Public, and Security without Barriers · PDF fileQueries. GINGERs-iPhone.local: ......
91
Privacy in Public, and Security without Barriers Prasant Mohapatra University of California, Davis
Transcript of Privacy in Public, and Security without Barriers · PDF fileQueries. GINGERs-iPhone.local: ......
Privacy in Public, and Security without Barriers
Prasant MohapatraUniversity of California, Davis
Privacy in Public• Privacy: Identity and all related information• Public: Physical space and cyber space• Privacy in public space, privacy in social networks,
privacy in cyberspace – sounds like an oxymoron!• Consequence: Identity theft, surveillance, information
overload, targeted advertisements• Although highly desirable to have privacy in public, the
first step should be the awareness and quantification of privacy leak
• Privacy in public: Can we maintain some level of privacy while in public?
2
Security without Barriers• Although desirable, security impacts performance and
usage convenience• Imposes several barriers – quality of experience,
performance, utility• Exploiting the performance barriers as signatures for
facilitating security - forensics• Simplifying authentication while maintaining robustness• Hard to enforce security without barriers – can we
minimize or obfuscate those?
3
Organization
• Privacy in Publico Privacy leakageo Privacy Preserving Tracking
• Security without Barrierso Secret Message Sharing in Social Networkso Live Video Forensicso Sensor Assisted Authentication
• Concluding Remarks
4
Characterizing Privacy Leakage
Motivation:
o What is leaked in public?o Quantifying privacy leakageo Enhance user awareness of privacy protectiono Improve website/app privacy designo Improve network protocol design
5
Privacy leakage sources
• Client devices• Website-browsing content• Profiled ads from third party advertiser• A combination of these sources reveals a
significant amount of private information
6
Our Methodology• Look at DNS packets, Probe Request Frames from user
deviceso For user name information o Location informationo Other information
• Concatenating the “host”, “directory” and “filename” in the HTTP header fields.o For website urlso For website contento For ad content
• Count the pieces of privacy information (privacy units) leaked in different privacy categories
7
Privacy Leak from User Device• Device nickname
o Many users set device nicknames as their own names o Example: device nick name in a Multicast DNS packet
Domain Name System (query)Flags: 0x0000 (Standard query)QueriesGINGERs-iPhone.local: type ANY, class IN, "QU"
• Broadcasting SSID listo SSID list reveals the user’s previous accessed networkso Example: SSID in a Probe Request Frame
IEEE 802.11 wireless LAN management frameTag: SSID parameter set: UC Davis
8
Privacy Leak from Web Accesses• Privacy info source
o URL linko Content in the website
• Possible inferenceo Home countryo Hobbyo Locationo Interest merchandizeo Age rangeo Gendero Other
9
An example:
GET/plugins/activity.php?site=www.cnn.com&action&width=210&height=190&header=false&colorscheme=light&linktarget=_blank&border_color=white&font&recommendations=true HTTP/1.1\r\nReferer: http://www.cnn.com/\r\nAccept-Language: en-US\r\nUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; GTB7.3; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; AskTbORJ/5.14.1.20007; MALC)\r\nHost: www.facebook.com\r\n
HTT
P re
ques
t
10
Leaked Information
• The content:
o Ballot Measure Race - 2012 Election Center - Elections & Politics from
o people recommended this.
o Maryland, Maine, Washington approve same-sex marriage; 2 states legalize pot
o 2,770 people recommended this.
o Jay-Z: '99 problems but Mitt ain't one' - CNN.com Videoo 1,717 people recommended this.
• This website content infers user’s location and political interest.
11
Privacy leak from Profiled Advertising
o Most of the ads pushed to the user are based on profiling from third party advertisers
o Possible inferences of ads:o Interest in merchandizeo Hobbyo Age rangeo Gendero Locationo other
12
An example:
GET /pagead/ads?client=ca-pub-7712942546971716&output=html&h=200&slotname=1003552717&w=200&flash=11.1.111&url=h ttp%3A%2F%2Fwww.uzivoradio.com%2Fs-beograd.html&dt=1336765628611&shv=r20120502&js v=r20110914&saldr=1&prev_slotnames=0178323763&correlator=1336765558769&frm=20&adk =174632003&ga_vid=1235498640.1336765628&ga_sid=1336765628&ga_hid=1546525153&ga_fc =0&u_tz=-240&u_his=4&u_java=0&u_h=1347&u_w=1004&u_ah=1347&u_aw=1004&u_cd=32&u_npl ug=1&u_nmime=2&dff=sans-serif&dfs=16&adx=0&ady=286&biw=1004&bih=1347&oid=3&ref=http%3A%2F%2Fwww.uzivoradio.com%2Findex.php%3Fstrana%3Dprivacy&fu=0&ifi=2&dtd=M&xpc =bvF8Tksvg2&p=http%3A//www.uzivoradio.com HTTP/1.1 Host: googleads.g.doubleclick.net Accept-Encoding: gzip Referer
HTT
P re
ques
t
13
Privacy LeakContent:
Hr Service Custom Solution/Free Consultations Experienced Consultants-Call Today.www.InfinitiHR.comBelmont TV - Since 1943 3D, LED, LCD, & Plasma TV Sale. Free Delivery & Setup. 3 Locations.www.BelmontTV.com
Loc: Olney, MARYLAND
Loc: ARLINGTON,VIRGINIA
LAUREL, MARYLAND
WHEATON, MARYLAND
ADAD
14
Evaluation
• Real data from 40 airports in multiple countries
• We evaluate the privacy leakage of travelers by pieces of information (privacy unit) concerning their identity, location, social relationship, financial condition and other personal information
15
Results: Privacy Leakage• Photo: website (facebook)• Hobby: website• Name: device name, social website (facebook,
amazon, etc), other website content, apps• Home country: email, website• Shopping interest: website• Location: website content, facebook, ads, apps• Gender: facebook• Travel itinerary: website
16
Websites Accessed in Different Datasets
17
Leaked Information
18
Leaked Information in Different Datasets (1)
19
Leaked Information in Different Datasets (2)
20
Third Party Ads in Different Datasets
21
Privacy Leakage Inferences• Privacy leakages are high in public Wi-Fi
hotspots• Sensitive information is exposed from user
devices, website browsing, profiled ads in DNS, HTTP and other network protocols
• We characterize the leakage of travelers privacy based on real world airport datasets
• Our work triggers the alarm to safeguard the privacy leakages in public area
22
Organization
• Privacy in Publico Privacy leakageo Privacy Preserving Tracking
• Security without Barrierso Secret Message Sharing in Social Networkso Live Video Forensicso Sensor Assisted Authentication
• Concluding Remarks
23
ALPS: Privacy-Preserving Location Tracking
Continuous Location-based Services
• Periodically and automatically records user’s whereabouts: Location trace
• With more coherent spatio-temporal data: o Better analyze user behavioro Better predict user requirement
• Applicationso Macro-scale: traffic monitoring,
urban planningo Micro-scale: trajectory sharing,
digital personal trainer
Top-right: Nike+; Button-right: Google Latitude
25
Greater Risk to User Privacy
26
Location Privacy Preservation Mechanisms (LPPM)
• Aim at protecting location privacyo Location is treated and protected independently
• Degrade the quality of location sampleso Accuracy: perturbation, dummy locationso Precision: spatial cloaking, temporal obfuscation
27
Trace Privacy Preservation Challenges
• Challenge from correlation in location trace
• Challenge from the advancing capability of adversary
• Challenge from diverse privacy preferences of user
28
Correlation in Location Trace• Location samples are correlated Spatially as
well as Temporally• Correlation can be exploited to partially remove
privacy protection• Example: spatial cloaking
29
Adversary with Contextual Information
• Correlation in trace is determined and can be inferred from contexto Geographic context: road network, dead zoneo Mobility context: speed limit, mode of transport
• Map matching techniques
30
Privacy Diversity: Personalized Privacy
• Different parts of a trace may possess very diverse privacy and QoS requirements
• LPPM should not only capture this personalized preference, but also protect it.
31
Objective• Can we design a LPPM that can:
oResist correlation exploiting attack from contextual-aware adversaries
o Support personalized privacyo Take a mobile-centric and distributed
approachoMinimize the energy and communication
overhead
32
Location-based Service Model
GPS
Cellular Mobile User
LBS Provider
Wi-Fi Positioning Eavesdropper
Adversary
LPPM
33
Adversary Model• Goals
o To reconstruct actual trace from obfuscated traceo To extract user’s personalized privacy preference
• Knowledgeo Localization technologies available o Obfuscation algorithmo Mobility patterno Geographic/topology information
• Map-matching attack
34
Our solution: Adaptive Context-aware Perturbation Framework
Localization Technologies
GPS WPS CID ...
Synthesizer
Perturbed Trace
Separation Tier
Choice
Loca
tion
Sam
ple
Conformation Tier
Reconstructor
NR Adversary DL Adversary
HMMAdversary
Evaluator
Distortion Metric
Reconstructed Trace
Actual Trace
Feedback
LBS UpdateTimer
Distortion Score
...
Privacy Profile
35
Two-Tier Perturbation• Separation Tier:
o Inject noise by choosing from various localization means
o Proportional parameter: A probabilistic control knob for adjusting privacy level
• Conformation Tier: o Reintroduce artificial correlation to perturbed trace
according to context constraints
36
Online Evaluation and Feedback• Modular adversary emulator
o Nearest-Road (NR) Adversaryo Distance-Limit (DL) Adversaryo Hidden-Markov-Model (HMM) Adversary
• Resulted distortion score from emulated reconstruction: o Reflects user’s privacy level at the presence of
adversaryo Provides feed back to setting appreciate proportional
parameter
37
Experiment• Implement the scheme on Android platform with three
available localization technologies• Three map-matching adversary emulator for
reconstructor module• Collect real-life driving traces from two places• Distortion-based metric
38
Performance against Reconstruction
39
Performance in Personalized Privacy
Davis Trace Mountain View Trace
40
Visual Comparison
41
Summarizing Privacy Preserving Tracking
• Protecting privacy of location trace poses several new challengeso Contextual-aware map matching adversary exploiting correlation
in traceo User requirement about personalized privacy for trace
• We propose and design a scheme that meets these challengeso Neutralize the advance capability of map-matching adversaryo Achieve trade-off between privacy and QoS that satisfies
personal privacy requirement
42
Organization
• Privacy in Publico Privacy leakageo Privacy Preserving Tracking
• Security without Barrierso Secret Message Sharing in Social Networkso Live Video Forensicso Sensor Assisted Authentication
• Concluding Remarks
43
Background and Motivation Photo-sharing on online social networks (OSNs) has exploded. Steganography can be used to hide secret messages in images
uploaded – but not easy! Chipping away at censorship firewalls
Photo sharing sites often process uploaded images (e.g., resizing) Official specifications not available Interfere with the use of steganography
Need to exchange secret keys to encrypt hidden messages Steganography does not offer perfect secrecy The availability of out-of-band channel may be difficult
44
Goal and Contributions
How can we provide an effective covert channel using images uploaded on online photo sharing sites ? With the goal of answering this question, we make
the following contributions: Understand how hidden data in images is affected due
to processing on online sites Propose a new simple way of embedding information in
photos to preserve the integrity of secret messages Propose an in-band approach for bootstrapping secret
conversations using uploaded images
45
Feasibility of secret embedding in OSNs
In-depth measurement study of photos uploaded on popular sharing sites Google+, Facebook,Twitter, and Flickr Upload and then download of images, examine if the
message is preserved Steganography tools GhostHost
Embedding after the JPEG End-of-Image marker
StegHide Embedding done at the least significant bit (LSB) of pixel values
Outguess & F5 Embedding at LSBs of DCT coefficients JPEG images are represented with a set of coefficients after Discrete Cosine
Transform (DCT)
YASS Embedding at DCT coefficients but in conjunction with error correcting codes 46
Evaluation of steganography tools onphoto sharing sites
Google+: the most generous and accommodates all the steganography tools. Twitter: the next best;
Facebook and Flickr: the least compatible with steganography YASS: image and redundancy dependent
Tool Facebook Twitter Flickr Google+GhostHost X X X √
StegHide X √ X √
OutGuess X √ X √
F5 X √ X √
YASS √* √ √* √
X = Failure; √ = Success; √* = Conditional Success
47
Impact of processing on hidden messages
Google+ Image integrity is preserved Image size limit for no resizing: 2048 pixels by 2048 pixels
Twitter Metadata fields are cleaned up
Comment field, End-of-image marker
Image size limit: 1024 pixels by 768 pixels Facebook & Flickr Metadata removed Changes in pixel values Changes in DCT coefficients
48
Changes in pixel values and DCT coefficients
Distribution of the differences in the pixel values in two colordimensions between original images and after they are uploaded on Facebook
Variations in DCT coefficients with Facebook and Flickr 49
Surviving Facebook and Flickr
Common embedding approach Embedding in the LSBs of DCT coefficients or pixel values Subject to processing changes Error correction code (ECC) overhead is high Reduce secret capacity
Question: Are there locations within an image that remain relatively unaffected? Maximum change in the pixel values is about 30 Maximum change in the DCT coefficients is 1 Embedding at higher significant bits of a DCT coefficient?
50
Embedding in the second least significantbit (2-LSB) in the DCT coefficients
We modify the open source stego tool F5 F5 embeds the secret message bits in the LSBs of non-zero
DCT coefficients. We embed in the second LSB (2-LSB) of these coefficients
Image capacity In typical images (length and width of 1000 pixels):10,000
non-zero coefficients Using 10% of the capacity can hide 125 byte secret
Visual comparison of original image (left), stego-ed with LSB (middle) and with 2-LSB (right) (10% image capacity used).
51
Enabling Private Communication
Threat model Censor can inspect all publicly available content on the OSN,
and can access privately shared content Censor does not manipulate uploaded content Censor has unlimited access to any steganalysis tool OSN users are who they claim to be
Covert channel to circumvent the censor Use cryptography in conjunction with our proposed 2-
LSB steganographic scheme
52
In-band key exchange with images A user embeds her public key in her profile photo using
steganography Scenario: A and B are friends in Facebook, B wishes to initiate
the secret communication Bootstrapping steps (three-way handshaking): B fetches A’s profile photo and extracts A’s public key KA
pu
B encrypts a request with KApu and embeds in an uploaded
image A decrypts the request signal from B’s image with his private
key KApr and knows B’s intention to communicate
A then obtains B’s public key KBpu from B’s profile.
A sends an acknowledgement (ack) signal and a symmetric key KS to B; the content is encrypted with KB
pu
B sends another ack encrypted with KS
After the bootstrapping, all the secret messages exchanged between A and B is encrypted using KS 53
Organization
• Privacy in Publico Privacy leakageo Privacy Preserving Tracking
• Security without Barrierso Secret Message Sharing in Social Networkso Live Video Forensicso Sensor Assisted Authentication
• Concluding Remarks
54
Background• Video forensics
o Source identificationo Forgery detectiono Hidden information detection
• Source identificationo Video used as evidence in a court of lawo Track down piracy crimeso Regulate individual video sources
55
Existing Work & Motivation• Existing method
o Watermarko Defective pixelso Sensor pattern noise
• Wireless cameras become very popularo Easy to deploy, especially for large buildings, big
companies, non-professional userso Security camera, surveillance camera
Performance degrades greatly for wireless videos
56
Extract Sensor Pattern Noise
• What is sensor pattern noiseo Non-uniformity of each pixel’s sensitivity to lighto Signature of camera sensor
• Extraction stepso Extract all the noise from a frame
• Assume a frame is a mixture of a locally stationary i.i.d. signal with zero mean and a stationary white Gaussian noise
• Wiener filter o Averaging
57
Extract Sensor Pattern Noise
Add the noises from many frames together:
58
The Problem• Blurring and blocking
• Why blocking affects traditional technique?o No details in blocks, weaken the averaging resulto Introducing “grid artifacts”
59
Blocking Detection• Existing blocking detection method
o Based on boundary detection and Fourier transformo Time consuming
• Our methodo Step 1: wavelet transform (already done in noise extraction)o Step 2: add results row by row (or column by column)
60
Improved Pattern Noise Extraction
• Exclude the blocking areas• Add up clean frames and clean areas of
blocking frames to calculate sensor pattern noise
• Compare the pattern noise of a video (Nv) with the pattern noise of a camera (Nc)
( )( )( , ) v cv cv c
v cv c
corr − −=
− −
N N N NN NN N N N
61
Wireless Camera Spoofing Attack
• An attacker compromises a legitimate wireless video camera, and sends fake video to the sink using the victim’s identity
• Expedite our methodo Parallelization
• Wavelet transform, local average estimation, etc.o Selective frame processing
• Give priority in extracting pattern noise from I-frames. o Combination of wireless fingerprints
• Packet loss ratio, jitter, average signal strength, signal strength variance, and ratio of blocking frames
62
Experiment Settings• Device
o 7 wireless cameras• 4 × Linksys WVC80N• 1 × Dlink 942L• 1 × Axis M1011w• 1 × Lenovo X301 laptop webcam
o Cisco WRT160N v2 wireless router
• MPEG 4 and 802.11n
63
Performance of Block Detection
corr of Sensor Pattern Noise
Source Identification Accuracy
Summarizing this part …• We developed a fast yet reliable video
blocking detection method• We developed a source identification
method which works well for wirelessly streamed videos
• We largely improved the source identification speedo Fast enough for wireless camera spoofing attack detection
67
Organization
• Privacy in Publico Privacy leakageo Privacy Preserving Tracking
• Security without Barrierso Secret Message Sharing in Social Networkso Live Video Forensicso Sensor Assisted Authentication
• Concluding Remarks
68
Authentication in Smartphones• Authentication in smartphones
o device unlocko app logino forum/website login
• Authentication typeso Credential-based (User name / password)
• What the user knows• Identity theft• Memory burden
69
Biometric Authentication Voice
• Inconvenient, vulnerable• Requires speaking, Background noise
Fingerprint• Convenient, vulnerable• Expensive hardware required• Limited market
Face (and Iris)• Convenient, vulnerable• Inexpensive – Use mobile camera
Compelling. Let’s explore further
70
Facial Authentication• Face verification / face identification • Face recognition accuracy has been largely
improvedo Accuracy is very close to 100% o Even used for commercial payment systems
• Most smartphones have front-facing cameras; usually higher than 1M pixelso Convenient for face capturingo Quality is good enough for face recognition
71
Facial Recognition• Initially designed to “recognize” not
“authorize” • Surveillance cameras vs. Mobile Device
cameras• Facial biometric software on mobile device
cameras can be spoofed
Type Method
2D photo attack Pictures of a picture, social engineering
2D video attack Video playback, Spoof “Blink” detection
Virtual CameraSoftware
-Advanced Editing Capabilities-Playback can spoof webcam
What if obstacles are removed?
72
Current Status• Android: face unlock alternative since 4.0
o But not many users are using it
• App and website logino User name / password dominates other methods
• Why facial authentication is not widely used in smartphones?o Privacy concernso Security issues
• 2D media attacks• Virtual camera attacks
o usability
73
2D Media Attack• Photo attack (print attack)
o Use user’s photo to cheat the authentication system
• Video attacko Starting from Android 4.1, eye-blink is requiredo use video to compromise the system
74
2D Media Attack (cont.)• 3D facial recognition can defend against this
attacko 3D template matchingo e.g. Toshiba Face Recognition Utility
• Difficult to use • Turning heads towards different directions -> user’s burden
o A trial takes more than 20 seconds -> much longer than entering password
o Even a genuine user may need multiple trials to pass
75
Virtual Camera Attack• Virtual camera software
o Add dynamic effects to webcams, make the video look more beautiful and live chat more interesting
o Now become very powerful: stream a pre-recorded video, make OS believe it is captured by a physical cam in real time
o Most of them are for desktop/tablet, but easy to migrate to smartphones
• Use virtual camera software to hack the facial authentication system
76
Our Method• Achieve high security and usability simultaneously
o Safe for 2D media attackso Safe for virtual camera attackso Much faster than 3D face authentication method (speed is comparable
to credential-based method):~2 sec
• How?o Only need to move the phone in front of face for a short distanceo Utilizing motion sensors in smartphoneso No need to move head and sync with directions
donemovehold 77
Counter 2D Media Attack• Idea
o Nose orientation changes when moving phone horizontally if a real 3D face
78
Nose Angle Detection• Detect nose outline
o Video frame preprocessingo Nose detection (can employ existing method)o Nose outline fitting
• Compare nose outline from two sideso Motion sensors: judge the relative position between face and
smartphone, picking correct frame intelligentlyo Light sensor: auto boost screen brightness if dark, to enhance
luminance (improve nose outline detection) 79
Counter Virtual Camera Attack
• Idea !o If real-time video captured by physical cam, small shakes in
video should be consistent with smartphone’s motion sensor readings
o Pre-recorded videos can be detectedo Assume motion sensor readings are not compromised
80
Motion Vector Correlation• Small motions extracted from the video
• Compare with small shakes extracted from motion sensors
81
Evaluations• Samsung Galaxy Nexus with 1.3M pixel front-facing
camera• Android 4.2.2• Video is 480*720@24fps, chopped to 480*640• Use Haar Cascades in OpenCV to detect face and
nose• Face recognition algorithms are orthogonal to our
method, but for completeness, we do include a PCA (principal component analysis) based facial identification module (also implemented using OpenCV)
82
Accuracy of 2D Media Attack Detection
• 9 volunteers, 180 genuine trials• Take 2 photos and 1 video for each: 180 photo
attacks and 90 video attacks
Accuracy using different edge detectors. Choose prewitt hereinafter
Accuracy under different settings
83
Accuracy of 2D Media Attack Detection (cont.)
Accuracy compared with other state-of-art approaches Accuracy under different illuminance
84
Accuracy of Virtual Camera Attack Detection
Gap between genuine trials and attacks (y axis is correlation between small motions extracted from video and motion sensor readings)
Accuracy of virtual camera attack detection
85
Authentication Time
86
Advantages• Dynamic-to-Static credential matching
o Cannot be intercepted, generated or reverse engineeredo Defends against sending OTP to same device o Defends against device cloning
• Ubiquitous o Any mobile device with a camerao Authenticate to Desktop and Mobile
• Simple (as a selfie)o no additional keystrokes
• Quicko Authenticate within 2 seconds
Device Algorithm
Face
Accelerometer
Video
87
Use Cases• Network and/or App Authentication
o BYOD - Corporations, Healthcare, Utilities, MNOs
• Device Access o Controlled/Issued devices – Government
• Financial Institutionso “High-risk” transactions, dual approval
88
Desktop Access to Enterprise
1
2
34
1. End User enters credentials, What You Know (or just enters Username…i.e. dummy terminal)2. SMS/Push Notification is sent to mobile confirming What You Have and maybe Where You Are3. In response, End User take picture proving Who You Are
a. Picture is confirmed on 4Auth server4. Successful Authentication
4Auth3a
89
For more information …
• Privacy in Publico Privacy leakage (INFOCOM 2013)o Privacy Preserving Tracking (SECON 2013)
• Security without Barrierso Secret Message Sharing in Social Networks (CNS 2014)o Live Video Forensics (INFOCOM 2014)o Sensor Assisted Authentication (MOBISYS 2014)
• Concluding Remarks
90
Thank you!
91
