[This article was originally published in eurekalert.org - Uploaded by AIRS Member: Jasper Solander]

Security researchers at UC San Diego and Stanford have discovered four new ways to expose Internet users' browsing histories. These techniques could be used by hackers to learn which websites users have visited as they surf the web.

The techniques fall into the category of "history sniffing" attacks, a concept dating back to the early 2000s. But the attacks demonstrated by the researchers at the 2018 USENIX Workshop on Offensive Technologies (WOOT) in Baltimore can profile or 'fingerprint' a user's online activity in a matter of seconds, and work across recent versions of major web browsers.

All of the attacks the researchers developed in their WOOT 2018 paper worked on Google Chrome. Two of the attacks also worked on a range of other browsers, from Mozilla Firefox to Microsoft Edge, as well as various security-focused research browsers. The only browser which proved immune to all of the attacks is the Tor Browser, which doesn't keep a record of browsing history in the first place.

"My hope is that the severity of some of our published attacks will push browser vendors to revisit how they handle history data, and I'm happy to see folks from Mozilla, Google, and the broader World Wide Web Consortium (W3C) community already engage in this," said Deian Stefan, an assistant professor in computer science at the Jacobs School of Engineering at UC San Diego and the paper's senior author.

"History sniffing": smelling out your trail across the web

Most Internet users are by now familiar with "phishing": cyber-criminals build fake websites which mimic, say, banks, to trick users into entering their login details. The more the phisher can learn about their potential victim, the more likely the con is to succeed. For example, a Chase customer is much more likely to be fooled when presented with a fake Chase login page than if the phisher pretends to be Bank of America.

After conducting an effective history sniffing attack, a criminal could carry out a smart phishing scheme, which automatically matches each victim to a faked page corresponding to their actual bank. The phisher preloads the attack code with their list of target banking websites, and conceals it in, for example, an ordinary-looking advertisement. When a victim navigates to a page containing the attack, the code runs through this list, testing or 'sniffing' the victim's browser for signs that it's been used to visit each target site. When one of these sites tests positive, the phisher could then redirect their victim to the corresponding faked version.

The faster the attack, the longer the list of target sites an attacker can 'sniff' in a reasonable amount of time. The fastest history sniffing attacks have reached rates of thousands of URLs tested per second, allowing attackers to quickly put together detailed profiles of web surfers' online activity. Criminals could put this sensitive data to work in a number of ways besides phishing: for example, by blackmailing users with embarrassing or compromising details of their browsing histories.

History sniffing can also be deployed by legitimate, yet unscrupulous, companies, for purposes like marketing and advertising. A 2010 study from UC San Diego documented widespread commercial abuse of previously known history sniffing attack techniques before these were subsequently fixed by browser vendors.

"You had internet marketing firms popping up, hawking pre-packaged, commercial history sniffing 'solutions', positioned as analytics tools," said Michael Smith, a computer science Ph.D. student at UC San Diego and the paper's lead author. The tools purported to offer insights into the activity of their clients' customers on competitors' websites, as well as detailed profiling information for ad targeting--but at the expense of those customers' privacy.

"Though we don't believe this is happening now, similar spying tools could be built today by abusing the flaws we discovered," said Smith.

New attacks

The attacks the researchers developed, in the form of JavaScript code, cause web browsers to behave differently based on whether a website has been visited or not. The code can observe these differences--for example, the time an operation takes to execute or the way a certain graphic element is handled--to collect the computer's browsing history. To design the attacks, researchers exploited features that allow programmers to customize the appearance of their web page--controlling fonts, colors, backgrounds, and so forth--using Cascading Style Sheets (CSS), as well as a cache meant to improve the performance of web code.

The researchers' four attacks target flaws in relatively new browser features. For example, one attack takes advantage of a feature added to Chrome in 2017, dubbed the "CSS Paint API", which lets web pages provide custom code for drawing parts of their visual appearance. Using this feature, the attack measures when Chrome re-renders a picture linked to a particular target website URL, in a way invisible to the user. When a re-render is detected, it indicates that the user has previously visited the target URL. "This attack would let an attacker check around 6,000 URLs a second and develop a profile of a user's browsing habits at an alarming rate," said Fraser Brown, a Ph.D. student at Stanford, who worked closely with Smith.

Though Google immediately patched this flaw--the most egregious of the attacks that the researchers developed--the computer scientists describe three other attacks in their WOOT 2018 paper that, put together, work not only on Chrome but also on Firefox, Edge, Internet Explorer and Brave. The Tor Browser is the only browser known to be totally immune to all the attacks, as it intentionally avoids storing any information about a user's browsing history.

As new browsers add new features, these kinds of attacks on privacy are bound to resurface.

A proposed defense

The researchers propose a bold fix to these issues: they believe browsers should set explicit boundaries controlling how users' browsing histories are used to display web pages from different sites. One major source of information leakage was the mechanism which colors links either blue or purple depending on whether the user has visited their destination pages, so that, for example, someone clicking down a Google search results page can keep their place. Under the researchers' model, clicking links on one website (e.g., Google) wouldn't affect the color of links appearing on another website (e.g., Facebook). Users could potentially grant exceptions to certain websites of their choosing. The researchers are prototyping this fix and evaluating the trade-offs of such a privacy-conscious browser.
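The partitioning model described above, sketched as an added JavaScript example (not code from the researchers or from any browser). The `VisitedStore` class, its methods and the `.example` URLs are constructed for illustration; "website" is approximated by URL origin, and an exception is assumed to let the exempted site see the global history.

```javascript
// Added illustration: a toy model of visited-link lookups, not browser code.
// VisitedStore and its methods are hypothetical names; URLs are constructed.
class VisitedStore {
  constructor({ partitioned }) {
    this.partitioned = partitioned; // false = one global history (today's behaviour)
    this.entries = new Set();       // "<scope> <url>" keys
    this.exceptions = new Set();    // origins the user has exempted (assumed semantics)
  }
  static origin(url) { return new URL(url).origin; }
  static key(scope, linkUrl) { return `${scope} ${new URL(linkUrl).href}`; }

  // The user clicks linkUrl while on fromPageUrl.
  recordClick(fromPageUrl, linkUrl) {
    this.entries.add(VisitedStore.key('*', linkUrl));
    this.entries.add(VisitedStore.key(VisitedStore.origin(fromPageUrl), linkUrl));
  }
  grantException(pageUrl) { this.exceptions.add(VisitedStore.origin(pageUrl)); }

  // Would a link to linkUrl be drawn as visited when it appears on pageUrl?
  isVisited(pageUrl, linkUrl) {
    const page = VisitedStore.origin(pageUrl);
    const useGlobal = !this.partitioned || this.exceptions.has(page);
    return this.entries.has(VisitedStore.key(useGlobal ? '*' : page, linkUrl));
  }
}

// Run the same click through both models and report what each page can observe.
function compareModels() {
  const search = 'https://search.example/results?q=bank';
  const other = 'https://social.example/feed';
  const target = 'https://bank.example/login';
  const out = {};
  for (const partitioned of [false, true]) {
    const store = new VisitedStore({ partitioned });
    store.recordClick(search, target);
    const name = partitioned ? 'partitioned' : 'global';
    out[name] = {
      sameSite: store.isVisited(search, target),
      crossSite: store.isVisited(other, target),
    };
    if (partitioned) {
      store.grantException(other);
      out[name].crossSiteAfterException = store.isVisited(other, target);
    }
  }
  return out;
}

console.log(compareModels());
```

With a global store the unrelated page sees the link as visited, which is the signal history sniffing depends on; with the partitioned store it does not, while the page where the click happened still keeps its purple link.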

Source: This article was published in techworm.net by DION DASSANAYAKE - Contributed by Member: Logan Hochstetler

GOOGLE Chrome users can now download a new update which could make surfing the web on the market-leading browser faster than ever before.

Google Chrome is undoubtedly the world’s most popular browser - and it doesn’t look like it will be giving up that crown anytime soon.

Latest figures from NetMarketShare analyzing web browser usage for the first seven months of 2018 put Google Chrome in a hugely commanding lead.

Their stats give Google Chrome a massive 62.43 percent slice of the web browser market.

Chrome’s nearest rival, Internet Explorer, languishes behind on 11.90 percent, with Firefox not far off on 10.30 percent.

Microsoft’s newer Edge browser, which is bundled in with Windows 10, has just a 4.38 percent share of the web browser market.

But despite having such a huge lead over the competition, Google isn’t resting on its laurels.

The search engine giant has just pushed out an update for Google Chrome which could make web browsing faster than ever before.

Chrome version 68 was rolled out recently and brings with it a number of improvements to the browser.

And one of the update’s most eye-catching features was revealed by a programmer working on Chrome.

The new feature, revealed by Philip Walton, is called Page Lifecycle API.

But while it doesn’t have the catchiest of names, the update could bring a big performance improvement to Chrome users.

The new feature helps with RAM usage, suspending web pages which Chrome is not using so the browser doesn’t take up memory unnecessarily.

On Twitter, the Google engineer posted: “I just published a massive article on the new Page Lifecycle API, which allows browsers to better manage resources if you have a zillion tabs open!

“It's full advice + best practices that's the result of months of research & cross-browser testing”.

In a post online, Walton added: “Modern browsers today will sometimes suspend pages or discard them entirely when system resources are constrained.

“In the future, browsers want to do this proactively, so they consume less power and memory.

“The Page Lifecycle API, shipping in Chrome 68, provides lifecycle hooks so your pages can safely handle these browser interventions without affecting the user experience.”

The catch, however, is that web developers have to enable this as well on their end for Google Chrome to help free up RAM resources.

In other Chrome news, Express.co.uk recently reported on how the browser has been given a hidden new redesign.

However, it is only available to users that navigate through some simple tricks.

Google has been busy at work on the huge new look for Chrome and now iPhone users can get their hands on an early version.

Chrome has now moved the tab button to the bottom of the screen in addition to the forward and back buttons on the iOS app.

A search feature also sits in the middle of the two for quick Google queries.

While the top of the screen stays mostly clear when browsing and is only disrupted to bring down the URL bar.

And Incognito mode is easily accessed from the top of the tab page while a large blue button exists at the bottom to open a new web page.

Apple users need to head to a special URL to access the redesign.

If you’re wondering how to access the new look Chrome on your iPhone then click here.

A new search engine has surfaced which brings a new approach to the concept of browsing. While fighting the likes of Google upfront is definitely an uphill battle, StartPage is looking to fill in a niche that currently doesn’t have any competition for the aforementioned developer. The new search engine experience focuses on searching for private images.

This opens up a lot of new possibilities but also opens the door for many concerns which need to be addressed, regarding safety. Many see this as a dangerous endeavor because it can potentially lead to ISPs being able to sell customers' sensitive information without needing to ask them. This is so because, following the concept of this new search engine, sensitive information could be available straight in its search history.

It can get complicated fast

The situation is a bit more complicated than meets the eye, as it is very hard to tell where the legal line is and whether StartPage has crossed it. Speaking of lines, this developer is operating from across the border, as it is based in the Netherlands. The US authorities obviously have no jurisdiction there, so as far as most are concerned they can’t really intervene.

This has allowed StartPage to use a proxy to secure click-throughs and to let users search without being detected. The developer also released something called Instant Answers, which can be very helpful as it is used to search for important information and assist users even further.

It’s more than meets the eye

Many are concerned about what this search engine is truly able to accomplish and what kind of security vulnerabilities it has. StartPage recognized the need to communicate with and inform the public about what its product actually does, so it released a statement.

“In addition to serving Google search results in privacy, StartPage provides a free proxy link with every search result. When users visit third-party websites through the proxy links, no one can see them or interact with their browsers — not the websites, their advertising partners, or ISP’s. This protects against spyware, viruses, and annoying targeted ads that stalk users across the Internet.”

Author : GEORGE FINLEY

Source : Windowsreport.com

Raising further questions about privacy on the internet, researchers from Princeton and Stanford universities have released a study showing that a specific person's online behavior can be identified by linking anonymous web browsing histories with social media profiles.

"We show that browsing histories can be linked to social media profiles such as Twitter, Facebook or Reddit accounts," the researchers wrote in a paper scheduled for presentation at the 2017 World Wide Web Conference in Perth, Australia, in April.

"It is already known that some companies, such as Google and Facebook, track users online and know their identities," said Arvind Narayanan, an assistant professor of computer science at Princeton and one of the authors of the research article. But those companies, which consumers choose to create accounts with, disclose their tracking. The new research shows that anyone with access to browsing histories -- a great number of companies and organizations -- can identify many users by analyzing public information from social media accounts, Narayanan said.

"Users may assume they are anonymous when they are browsing a news or a health website, but our work adds to the list of ways in which tracking companies may be able to learn their identities," said Narayanan, an affiliated faculty member at Princeton's Center for Information Technology Policy.

Narayanan noted that the Federal Communications Commission recently adopted privacy rules for internet service providers that allow them to store and use consumer information only when it is "not reasonably linkable" to individual users.

"Our results suggest that pseudonymous browsing histories fail this test," the researchers wrote.

In the article, the authors note that online advertising companies build browsing histories of users with tracking programs embedded on webpages. Some advertisers attach identities to these profiles, but most promise that the web browsing information is not linked to anyone's identity. The researchers wanted to know if it were possible to de-anonymize web browsing and identify a user even if the web browsing history did not include identities.

They decided to limit themselves to publicly available information. Social media profiles, particularly those that include links to outside webpages, offered the strongest possibility. The researchers created an algorithm to compare anonymous web browsing histories with links appearing in people's public social media accounts, called "feeds."

"Each person's browsing history is unique and contains tell-tale signs of their identity," said Sharad Goel, an assistant professor at Stanford and an author of the study.

The programs were able to find patterns among the different groups of data and use those patterns to identify users. The researchers note that the method is not perfect, and it requires a social media feed that includes a number of links to outside sites. However, they said that "given a history with 30 links originating from Twitter, we can deduce the corresponding Twitter profile more than 50 percent of the time."

The researchers had even greater success in an experiment they ran involving 374 volunteers who submitted web browsing information. The researchers were able to identify more than 70 percent of those users by comparing their web browsing data to hundreds of millions of public social media feeds. (The number of original participants in the study was higher, but some users were eliminated because of technical problems in processing their information.)

Yves-Alexandre de Montjoye, an assistant professor at Imperial College London, said the research shows how "easy it is to build a full-scale 'de-anonymizationer' that needs nothing more than what's available to anyone who knows how to code."

"All the evidence we have seen piling up over the years showing the strong limits of data anonymization, including this study, really emphasizes the need to rethink our approach to privacy and data protection in the age of big data," said de Montjoye, who was not involved in the project.

Source : sciencedaily.com

Firefox announced the launch of its Firefox Focus browser for iOS users. Firefox claims that it is a private browser designed to not leave behind traces of internet browsing on the device. Firefox Focus aims to protect online privacy by blocking web trackers and analytics, the company said.

Firefox reports that users can browse content with the knowledge that ‘browsing history, passwords, cookies’ can be deleted with a tap of the “Erase” button, which is located next to the search bar. The company claims that browsing on Firefox Focus is faster compared to other browsers thanks to default blocking of trackers and advertisements that slow down page loading times.

“For the times when you don’t want to leave a record on your phone. You may be looking for information that in certain situations is sensitive – searches for engagement rings, flights to Las Vegas or expensive cigars, for example. And sometimes you just want a super simple, super fast Web experience – no tabs, no menus, no pop-ups,” Firefox said in a blog post.

The browser is bare-bones, with a single input box for entering the URL and search functionality using Google (UK) or Yahoo (US). Firefox Focus, however, lacks features such as ‘Tabs’, ‘Menus’, and other features, reports The Guardian. There is also no option to change the default search engine from Yahoo, as of yet.

Tracking settings can be customised under ‘Settings’. The following trackers can be blocked: ‘advertisements’, ‘analytics’, ‘social’ and others.

Apple’s decision to allow developers to write Safari integrations resulted in Firefox initially launching ‘Focus by Firefox’ in December 2015 as a content blocker for Safari. The new app can still integrate with Safari for blocking tracking information, Firefox added.

Mozilla told Engadget that depending on how the iOS app is received, it’ll consider building an Android version of Firefox Focus. The app is currently available for free on Apple’s App Store.

Author:  Tech Desk

Source:  http://indianexpress.com/
