Items from Security and Privacy track
Number of items: 6.
and Strufe, Thorsten
and Balzarotti, Davide
and Kirda, Engin All Your Contacts Are Belong to Us: Automated Identity Theft Attacks on Social Networks.
Social networking sites have been increasingly gaining popularity. Well-known sites such as Facebook have been reporting growth rates as high as 3% per week . Many social networking sites have millions of registered users who use these sites to share photographs, contact long-lost friends, establish new business contacts and to keep in touch. In this paper, we investigate how easy it would be for a potential attacker to launch automated crawling and identity theft attacks against a number of popular social networking sites in order to gain access to a large volume of personal user information. The ﬁrst attack we present is the automated identity theft of existing user proﬁles and sending of friend requests to the contacts of the cloned victim. The hope, from the attacker’s point of view, is that the contacted users simply trust and accept the friend request. By establishing a friendship relationship with the contacts of a victim, the attacker is able to access the sensitive personal information provided by them. In the second, more advanced attack we present, we show that it is effective and feasible to launch an automated, cross-site proﬁle cloning attack. In this attack, we are able to automatically create a forged proﬁle in a network where the victim is not registered yet and contact the victim’s friends who are registered on both networks. Our experimental results with real users show that the automated attacks we present are effective and feasible in practice.
Squicciarini, Anna C.
and Shehab, Mohamed
and Paci, Federica Collective Privacy Management in Social Networks.
Social Networking is one of the major technological phe- nomena of the Web 2.0, with hundreds of millions of people participating. Social networks enable a form of self expres- sion for users, and help them to socialize and share content with other users. In spite of the fact that content sharing represents one of the prominent features of existing Social Network sites, Social Networks yet do not support any mech- anism for collaborative management of privacy settings for shared content. In this paper, we model the problem of collaborative enforcement of privacy policies on shared data by using game theory. In particular, we propose a solu- tion that offers automated ways to share images based on an extended notion of content ownership. Building upon the Clarke-Tax mechanism, we describe a simple mechanism that promotes truthfulness, and that rewards users who pro- mote co-ownership. We integrate our design with inference techniques that free the users from the burden of manually selecting privacy preferences for each picture. To the best of our knowledge this is the first time such a protection mechanism for Social Networking has been pro- posed. In the paper, we also show a proof-of-concept appli- cation, which we implemented in the context of Facebook, one of today’s most popular social networks. We show that supporting these type of solutions is not also feasible, but can be implemented through a minimal increase in overhead to end-users.
and Hong, Jason I. A Hybrid Phish Detection Approach by Identity Discovery and Keywords Retrieval.
Phishing is a signiﬁcant security threat to the Internet, which causes tremendous economic loss every year. In this paper, we proposed a novel hybrid phish detection method based on information extraction (IE) and information retrieval (IR) techniques. The identity-based component of our method detects phishing webpages by directly discovering the inconsistency between their identity and the identity they are imitating. The keywords-retrieval component utilizes IR algorithms exploiting the power of search engines to identify phish. Our method requires no training data, no prior knowledge of phishing signatures and speciﬁc implementations, and thus is able to adapt quickly to constantly appearing new phishing patterns. Comprehensive experiments over a diverse spectrum of data sources with 11449 pages show that both components have a low false positive rate and the stacked approach achieves a true positive rate of 90.06% with a false positive rate of 1.95%.
and Wills, Craig Privacy Diffusion on the Web: A Longitudinal Perspective.
For the last few years we have studied the diffusion of private information about users as they visit various Web sites triggering data gathering aggregation by third parties. This paper reports on our longitudinal study consisting of multiple snapshots of our examination of such diffusion over four years. We examine the various technical ways by which third-party aggregators acquire data and the depth of userrelated information acquired. We study techniques for protecting against this privacy diffusion as well as limitations of such techniques. We introduce the concept of secondary privacy damage. Our results show increasing aggregation of user-related data by a steadily decreasing number of entities. A handful of companies are able to track users’ movement across almost all of the popular Web sites. Virtually all the protection techniques have signiﬁcant limitations highlighting the seriousness of the problem and the need for alternate solutions.
and Getoor, Lise To Join or Not to Join: The Illusion of Privacy in Social Networks with Mixed Public and Private User Profiles.
In order to address privacy concerns, many social media websites allow users to hide their personal proﬁles from the public. In this work, we show how an adversary can exploit an online social network with a mixture of public and private user proﬁles to predict the private attributes of users. We map this problem to a relational classiﬁcation problem and we propose practical models that use friendship and group membership information (which is often not hidden) to infer sensitive attributes. The key novel idea is that in addition to friendship links, groups can be carriers of signiﬁcant information. We show that on several well-known social media sites, we can easily and accurately recover the information of private-proﬁle users. To the best of our knowledge, this is the ﬁrst work that uses link-based and group-based classiﬁcation to study privacy implications in social networks with mixed public and private user proﬁles.
and Krishnamurthi, Shriram
and Jim, Trevor Using Static Analysis for Ajax Intrusion Detection.
About this site
This website has been set up for WWW2009 by Christopher Gutteridge of the University of Southampton, using our EPrints software.
Add your Slides, Posters, Supporting data, whatnots...
If you are presenting a paper or poster and have slides or supporting material you would like to have permentently made public at this website, please email
firstname.lastname@example.org - Include the file(s), a note to say if they are presentations, supporting material or whatnot, and the URL of the paper/poster from this site. eg. http://www2009.eprints.org/128/
It's impractical to add all the workshops at WWW2009 by hand, but if you can provide me with the metadata in a machine readable way, I'll have a go at importing it. If you are good at slinging XML, my ideal import format is visible at http://www2009.eprints.org/import_example.xml
We (Southampton EPrints Project) intend to preserve the files and HTML pages of this site for many years, however we will turn it into flat files for long term preservation. This means that at some point in the months after the conference the search, metadata-export, JSON interface, OAI etc. will be disabled as we "fossilize" the site. Please plan accordingly. Feel free to ask nicely for us to keep the dynamic site online longer if there's a rally good (or cool) use for it...
- WWW2009 EPrints supports OAI 2.0 with a base URL of http://www2009.eprints.org/cgi/oai2
- The JSON URL is http://www2009.eprints.org/cgi/json?callback=function&eprintid=number
To prevent google killing the server by hammering these tools, the /cgi/ URL's are denied to robots.txt - ask Chris if you want an exception made.
Feel free to contact me (Christopher Gutteridge) with any other queries or suggestions. ...Or if you do something cool with the data which we should link to!
These are not directly related to the EPrints set up, but may be of use to delegates.
- Social tool links
- I've put links in the page header to the WWW2009 stuff on flickr, facebook and to a page which will let you watch the #www2009 tag on Twitter. Not really the right place, but not yet made it onto the main conference homepage. Send me any suggestions for new links.