Everything but the kitchen sink: determining the effect of multiple attacks on privacy preserving technology users

  • Authors: Jason W. Clark
  • Affiliations: George Mason University, Fairfax, VA
  • Venue: NordSec'12 Proceedings of the 17th Nordic conference on Secure IT Systems
  • Year: 2012

Abstract

We investigate the degree to which privacy preserving technologies (PPT) are able to protect an organization against a variety of attacks aimed at undermining their privacy. We studied a PPT at a United States-based organization and executed multiple attacks associated with network monitoring, phishing, and online social networks (OSNs). To begin, we received written authorization to conduct this study from the General Counsel of the case study organization and completed a formal application with the George Mason University Human Subject Review Board. Next, we surveyed 160 of the PPT users to get an idea of their background and security knowledge when it comes to privacy and anonymization on the Internet. We incorporated a network monitoring solution to monitor the websites and the actions performed by the users while on the PPT. The point of the phishing attack was to determine what additional information the users were willing to give up. We found that 92 of the 160 (58 percent) participants fell victim to our phishing campaign. The last attack phase shows the extent to which information made freely available on an online social network can negatively impact the anonymization offered by the PPT. We were able to determine the (Facebook) profiles of 34 of the 160 participants (21 percent). Upon completion of the attacks, we compiled the information and presented it to the users as security awareness training.