Information Security and Privacy Final

Individual Rights GDPR (art. 15-23)

- access by the data subject
- rectification
- to be forgotten
- restriction of processing
- notification if data is being rectified or erased
- data portability
- to object
- the right to not be subject to profiling
- restrictions: state law can restrict articles 12 - 22

Browser Sandboxing

A sandbox is a tightly controlled environment where programs can be run. Sandboxes restrict what a piece of code can do, giving it just as many permissions as it needs without adding additional permissions that could be abused. Your web browser essentially runs web pages you visit in a sandbox. They're restricted to running in your browser and accessing a limited set of resources — they can't view your webcam without permission or read your computer's local files.

The session ID must be renewed after...

Any privilege level change

Laws for special audiences

Children: COPPA. Californians: CalOPPA. You need to have a privacy policy if you collect certain types of data. If you don't restrict your audience, then you need to adhere to the strictest privacy policy.

Your application sets a cookie with Secure attribute. What does this mean?

Client will send the cookie only over an HTTPS connection

CSRF

Cross-site Request Forgery exploits the fact that you are logged into a website. If I carefully craft a URL that sends me a certain amount of money, and you click on it, then it'll be sent. That is dependent on the session cookie that is put on your computer once you authenticate.

Browser fingerprinting

Even if someone doesn't use cookies, you can get a fingerprint of the browser. When you connect to a server, it sees what kind of browser you are using and the size of your display (what kind of website they should serve you depends on what computer you have). The server can distinguish different users based on this information. When a site you visit uses browser fingerprinting, it can learn enough information about your browser to uniquely distinguish you from all the other visitors to that site. By using browser fingerprinting to piece together information about your browser and your actions online, trackers can covertly identify users over time, track them across websites, and build an advertising profile of them.

FTC

Federal Trade Commission: prevents coercive monopoly. Fortunately everything in the US starts from the Fourth Amendment. Third-party doctrine. Location tracking. You don't have any 4th Amendment right with Google, in principle. Often companies serve for the government. If you put info out can't

Laws for special domains

Health: HIPAA. Finance: GLBA. Required to send you a form notice about what they do with your data.

cookie syncing

A more intricate technique, related to browsers on different computers. The website and the third party have different cookies. On your computer they have separate storage spaces and cannot interact. The website, in the response that is sent back to the browser, includes the first-party cookie; then the first-party cookie goes to the third-party server, and the two can sync cookies. They cannot directly access the location on the computer but can communicate through this form of requests.

Opting out from ads

Mostly by cookies: an opt-out cookie means you won't get ads based on your behavior.

Your web page includes advertising JavaScript from a third-party service. Is it safe to assume that problems like XSS, caused by this third-party JavaScript, are not technically possible on your web page?

No. The client will execute the JavaScript it is told to receive within the requested page and there is no technical proof that the JavaScript is not malicious. Naturally it is not feasible to check the JavaScript before every request a client makes (the JavaScript that is served to the client).

Placing user submitted data into a typical HTML document is always safe (XSS-wise) if you escape HTML specific characters: <, >, &, ', " from the user input? I.e. you use the htmlspecialchars() function in PHP (with ENT_QUOTES).

No, context-specific escaping is needed. Escaping HTML specific characters is suitable if the input is used in an HTML body, e.g. <p>data</p>, but other contexts like HTML attributes and JavaScript have different escaping needs.

All SQL queries can be made safe using prepared statements?

No, dynamically created specifiers like "LIMIT ?" etc. need separate validation. For example, with PostgreSQL, it is possible to break the query if the bound parameter for LIMIT is not an integer.

You are running Apache + PHP server. PHP runs as an Apache module: AddHandler php5-script .php You allow users to upload avatar images (in PNG format). Avatar filename is allowed to contain characters: "a-z0-9.-". Is it safe to assume you are secure against PHP code execution launched via uploaded files?

No, further configuration is needed on the server-side. With the specified setting Apache will execute files like foo.php.png as PHP. The file can even be a valid PNG image; it is enough that it contains PHP code somewhere inside.

Cross-device tracking

One simple way: if you always see a phone and a computer under the same IP address (which is not public or a school), it is probably the same person. If you see the same website being accessed, even better. Or the same time of websites.

Canvas Fingerprinting

Painting a picture in your browser: because of differences between computers, this will look a little different on different computers. Read the picture and distinguish different users.

HTTP cookies

Prevalent tracking of users on the WWW. The user accesses a website; the server serves that website; the server also connects to a third-party server, then information is returned from there and is embedded in your website. That happens many times and the different websites that are loaded are shown. There can be many problems with that, e.g. cross-site request forgery.

Ad blocking

Prevent the redirect: when you access the website and you get back that you also have to visit this ad website, the ad blocker says don't do it. This adds efficiency to your browser because you don't have so many redirects. If this redirect goes through, the ad blocker reads the size of the banner and uses other heuristics to hide the ad even if it is served.

Fourth Amendment

Right to be free from unreasonable searches and seizures. A warrant should be issued upon probable cause, describing the specific place to be searched.

man-in-the-middle attack

SSL hijacking: a hacker placing himself between a client and a server to intercept communications between them. He can pretend to each of these that he is the other. Having a certificate can prevent this: the browser will warn you but won't prevent you.

1. Your computer connects to the HTTP (insecure) site.
2. The HTTP server redirects you to the HTTPS (secure) version of the same site.
3. Your computer connects to the HTTPS site.
4. The HTTPS server provides a certificate, providing positive identification of the site.
5. The connection is completed.

Steps 2 and 3 are compromised. The attacker's computer serves as a bridge between your computer and the secure server, intercepting any information that's passed between the two.

Applicability of the GDPR

Territorial scope: normally applicable to residents in the European Union, but if the services or goods are offered from other parts of the world to residents of the European Union, it can also apply.

Application Layer

The seventh layer of the OSI model. Application layer protocols enable software programs to negotiate formatting, procedural, security, synchronization, and other requirements with the network.

Ad auctions

There is space on the website and it will be auctioned off to the second highest bidder. Second highest: gives the space to the second highest bidder. Works when there are two people bidding. Generalized second price auction: gets into problems of game theory, more complicated. Websites use this.

Chapter 2 of GDPR (specifically 5-9)

This chapter outlines the rules for processing and protecting personal data: processing personal data; lawfulness of processing; conditions of consent; conditions applicable to a child's consent; processing special categories of personal data.

Tracking in the app ecosystem

Two ways to do it: software development kits are included in apps and they, for instance, receive advertising identifiers; if you're an app developer you can use AdMob, for example. The ads that you see inside an app, the little banners, are web views; these are little browsers that adhere to the same principles as a real browser, so you can place a cookie there.

Your web server supports secure (HTTPS) connections. By design, which of the following is the best way to make sure a client will not accidentally request a page over non-secure HTTP connection?

Use HTTP Strict-Transport-Security. Redirects and even completely closing the non-secure port will not help when the client makes an initial (non-secure) HTTP request. If Strict-Transport-Security is in "effect", no non-secure HTTP requests will be made by the client (the browser automatically translates requests for port 80 to port 443, before the request hits the wire).

Targeting ads and Online Behavioral Advertising (OBA)

Use the data that you give them. Try to learn something new about the data, about you, from the data that you gave. If you apply machine learning techniques, maybe if you see that a person is buying certain things at a store, this person is actually pregnant.

Input validation should be based on....

Whitelisting. By whitelisting, you can create a validation routine that only accepts expected data. With blacklisting, you must be able to catch all the possible unexpected data, which is error-prone and probably not feasible.

Which of the following is used to prevent Clickjacking?

X-Frame-Options HTTP Header

You use a 104-bit, cryptographically strong, random number (hexadecimal encoded, for example) as your password on a web site which stores passwords as plain MD5 hashes: md5(password). Is it safe to assume your password will be safe if the user database leaks?

Yes. Having such a big random number, it is not feasible to attack using brute-force (no matter if the hash is not stretched). Also, the broken collision resistance of MD5 has no impact on password hashing.

You concatenate and hash two inputs, input1 and input2, with SHA-256 algorithm. Is it possible that the order of the inputs fed to the SHA-256 function may have a direct effect regarding security of the hashing? sha256(input1 . input2) vs. sha256(input2 . input1)

Yes. The SHA-256 hash algorithm has the so-called length-extension property. For example, if SHA-256 is (mis)used as a MAC by concatenating a secret key and the data to be authenticated, the order of those two matters. For more information, see rdist.root.org. Also, if the first input is not fixed-length, lack of separation between the two inputs becomes an issue.

Your application performs logging queries after certain events. Timestamp, IP address, POST payload and a type of action will be saved to a MySQL database. Is it possible for an adversary to bypass this logging query by sending specifically crafted POST payload?

Yes, further validation is needed on the input data. The "catch" in this question is the MySQL max_allowed_packet setting. Trying to transfer data bigger than the setting allows will error out (note the data will not get truncated; instead, the connection is closed).

Your application communicates with a third-party JSON API over the Internet. The API is accessed using an HTTPS connection, which is based on a self-signed certificate. Is the communication between your application and the API secure?

Yes, if the third-party certificate can be securely imported into your application. Third-party certificates can be used to protect the communication, but the "who you are communicating with" is only possible with a trusted certificate.

The FTC's "Common Law of Privacy"

You can learn so much about someone's life from location; falls under the 4th Amendment.

Offline and IoT tracking

You can use beacons, Bluetooth devices that transmit signals to whatever device is listening. If there's an app on your phone from a particular service, then they can correlate these beacons to an app on your phone. Ex: this person is standing next to a salad bar, so serve them an ad based on that.
