Presentation is loading. Please wait.

Presentation is loading. Please wait.

Can Ferris Bueller Still Have His Day Off

Published byAri Gunardi Modified over 6 years ago

Similar presentations

Presentation on theme: "Can Ferris Bueller Still Have His Day Off"— Presentation transcript:

1 Can Ferris Bueller Still Have His Day Off
Can Ferris Bueller Still Have His Day Off? Protecting Privacy in the Wireless Era Benn Greenstein Ramakrishna Gummadi Jeffrey Pang Mike Y. Chen Tadayoshi Kohno Srinivasan Seshan David Wetherall Presented by: Ryan Genato

2 Overview Background The Paper Other Methods Bibliography Introduction
Scenarios Challenges Conclusions Other Methods Bibliography

3 Firstly, an introduction…
Ferris Bueller’s Day Off 1986 Matthew Broderick, Alan Ruck, Mia Sara, Charlie Sheen Ferris Bueller fakes being sick in order to have a day on the town. Evading his school Dean and family, he is able to live the day students dream of, and doing so very smoothly.

4 Introduction There is a heightened level of wireless connectivity
Wireless networks are vulnerable to eavesdropping Eavesdropping can infringe on location privacy So the paper looks at the issue of location privacy on wireless connectivity, with the question if Ferris can repeat his antics with today’s modern technology. This question, to my dismay, doesn’t really get revisited and is more of a humorous comparison than a driving force to the paper. But we’ll revisit the question in my presentation. For now, the paper looks at the prevalence of wireless networks in today’s society. These networks are more vulnerable to eavesdropping than wired networks, as data is transmitted through the air and merely being in range of the signal is enough to intercept this information.

5 Scenarios Provider cross-referencing corporate info with public network info (that they serve) Leveraging persistent addressing (MAC) Monitoring an individual’s network access Leveraging probe request frames (SSID) Extrapolating provider network statistics Leveraging packet sequence numbers So the authors illustrate three scenarios wherein wireless information can reveal identifiable information. The authors make sure to discern between a provider and an individual, as both parties may be at risk in their given scenarios. The first involves the provider using information from their corporate network, on which an employee is logged, and cross-referencing it with their database of users from their publicly-served wireless network. Consider this company to be someone like Verizon, Charter, etc. The company can then determine, by matching MAC addresses on each database, if a person from their corporate database is actively using their public wireless. Which can mean, that person has called out sick but is, in reality, out and about. Second, an individual or provider can monitor the SSID names broadcasted by a user, a functionality enabled by default in Windows XP, to determine the user’s identity, or find out the user’s wireless connection history. The list of SSIDs can be used to probabilistically determine the user; as the authors found over 28% of users had a unique SSID they were broadcasting, making the potential for identifying the user pretty good. Conversely the list of SSIDs can reveal what other networks the user has connected to in the past, which allows for some creepy research, such as comparing the SSID names to a database and getting a list of the locations/spots that these wireless networks originate from. Effectively an attacker could find out what coffee shop a user frequents, their workplace, and even their home address. More on this later, but after doing some research it’s interesting to note that Windows Vista and Windows 7 allow you to specify whether a wireless network is broadcast or non-broadcast. So a client will only send probe requests to non-broadcast wireless networks. Third, two providers that are operating on shared resources, such as AT&T and Verizon, can monitor these shared resources in order to estimate the network activity of the other provider. Since each packet includes a packet sequence number, recording a few of these over a set period of time and multiplying it out can give a good estimate of how many packets are sent out in a week, month, etc.

6 Challenges Balancing the need for names to address devices with keeping them from being identifiable by name Discover and use resources without revealing the action or past history Designing protocols to avoid leaking identifying information through physical characteristics of transmissions, control information, etc. So the scenarios provided by the authors bring up some legitimate issues. What can be done to help? One area involves the use of naming systems to address devices. The fact that these names are typically unique (think MAC address) allows for these names to be used as identifiers. Use of a pseudonym or a rotating MAC address helps, but the authors claim that this would still leave the possibility open for users to be matched by other factors, such as IP address. They consider encryption but concede that this would add in computational overhead or require an overhaul of existing network protocols. Another area, covered in the second scenario, is that of being able to use resources without revealing the action of doing so, or any past history of the action. The authors suggest the use of an anonymous messaging scheme where all the actions (such as discovery, authentication, and service binding) are encrypted. This would make it difficult to uncover an access point but again introduces overhead. The extent of their challenge analysis really boils down to the need to design protocols to avoid leaking any information that can be used to identify a user. Easier said than done. Encryption again is the go-to solution, but the authors admit that the flexibility of wireless protocols makes it easy to identify any extraordinary behavior, and would require a large portion of the packets, including the control parameters of the connection to be encrypted. So after looking at these challenges the authors do not come up with an effective solution. Not to their discredit – this is a difficult problem.

7 Conclusions “This paper argues that wireless networks pose new threats to privacy” Prior efforts to anonymize communication still leak explicit identifiable information The paper concludes with a few remarks, which I find quite obvious. The paper argues that wireless networks pose new threats to privacy. This is a no brainer. Admittedly the authors do a good job in concretely illustrating both situations and specific protocol items that could cause these threats to privacy to exist. And that is what they had set out to do. But I am interested in finding solutions. As I mentioned earlier they never really get back to their tagline question, until the very last line in the paper. So Ferris really can’t have his day off? Let’s talk about this.

8 Other Methods Foursquare, Facebook Seekdroid, Lookout, Find My iPhone
Google Maps, WiGLE, Skyhook In addition to the scenarios outlined by the authors there are other ways to locate a person. And assuming the person does not work at a company that serves public Internet, two of the three scenarios are already ruled out. So let’s consider some other methods of spoiling Ferris’ day: Foursquare and Facebook. The obvious choices. Users post updates to these websites from their computers and mobile phones, and using the magic of GPS can add in their location. Great if you want to earn street-cred as mayor of your local hotspot, but bad if you’re trying to conceal where you are. As they say, the user is the weakest link in security. Let’s go deeper and consider mobile devices, which are becoming ubiquitous with the population. Applications such as Seekdroid and Lookout for Android, and Find My iPhone for iOS are designed to tap into a phone’s GPS and information when it is lost or stolen. Great if these aforementioned situations happen to you, but bad if an attacker gains access to your credentials. Suddenly an attacker can use the technologies that are supposed to keep you secure against you. Back in 2010 there was a large amount of controversy that erupted regarding Google Maps. Essentially while their cars were roaming, taking pictures for Street View, they were also keeping tabs on the open wireless networks in the area, mapping them to their GPS coordinates. We’re talking MAC addresses being linked to latitude/longitude positions. What’s worse, they were also recording the MAC addresses of any connected devices to these networks. Google has since claimed that they will no longer being recording this information via Maps cars, but merely by the users using their Android devices. Ha. An API exploit was found that could query Google Maps with a MAC address and return the GPS information Mas has on record. WiGLE and Skyhook are two other services that aim at doing the same thing. So if you were able to find out what wireless network a user was connected to, if it has a unique enough name you can look it up on one of these databases and find out a pretty accurate guess at where it’s coming from. Fun stuff.

9 Conclusions Wireless location privacy issues will only continue to grow as an issue as wireless connectivity increases Security is limited by our standards and protocols, but also by human vulnerability So in conclusion, wireless location privacy issues are bad. And they will only increase in severity and public awareness as time goes by. The security responses are limited by the protocols in place, but also victim to the human element. My advise? If you’re going to take the day off, use your cell phone’s data network and tether your laptop to it. If you’re using your cell phone as a wireless hotspot, pick a common name like “linksys” or “netgear”. It’s not as easy to sniff cellular networks, but while you’re using them do not be dumb and check-in to Foursquare. Also if a company was really inclined, they could check a public profile that is updated automatically, such as your Battlefield 3 Battlelog to find that you’re not in bed, sick, you’re home gaming.

10 Bibliography "Wireless LAN Service Overview." TechNet. N.p., n.d. Web. 12 Mar McCullagh, Declan. "Removing your Wi-Fi network from Google's map." CNET. N.p., 14 Nov Web. 12 Mar Riley, Steve. "Myth vs. reality: Wireless SSIDs." TechNet Blogs. N.p., 16 Oct Web. 12 Mar

Download ppt "Can Ferris Bueller Still Have His Day Off"

Similar presentations

Securing A Wireless Home Network. Wireless Facts Range about 50 - 200 feet from access point Security anyone can eavesdrop on an unsecured wireless network.

Securing A Wireless Home Network. Wireless Facts Range about feet from access point Security anyone can eavesdrop on an unsecured wireless network.
 IPv6 Has built in security via IPsec (Internet Protocol Security). ◦ IPsec Operates at OSI layer 3 or internet layer of the Internet Protocol Suite.

 IPv6 Has built in security via IPsec (Internet Protocol Security). ◦ IPsec Operates at OSI layer 3 or internet layer of the Internet Protocol Suite.
“All your layer are belong to us” Rogue 802.11 APs, DHCP/DNS Servers, and Fake Service Traps.

“All your layer are belong to us” Rogue APs, DHCP/DNS Servers, and Fake Service Traps.
1 MD5 Cracking One way hash. Used in online passwords and file verification.

1 MD5 Cracking One way hash. Used in online passwords and file verification.
How secure are 802.11b Wireless Networks? By Ilian Emmons University of San Diego.

How secure are b Wireless Networks? By Ilian Emmons University of San Diego.
Wi-Fi Security January 21, 2008 by Larry Finger. Wi-Fi Security Most laptops now come with built-in wireless capability, which can be very handy; however,

Wi-Fi Security January 21, 2008 by Larry Finger. Wi-Fi Security Most laptops now come with built-in wireless capability, which can be very handy; however,
Simple ways to secure Wireless Computers Jay Ferron, ADMT, CISM, CISSP, MCSE, MCSBA, MCT, NSA-IAM, TCI.

Simple ways to secure Wireless Computers Jay Ferron, ADMT, CISM, CISSP, MCSE, MCSBA, MCT, NSA-IAM, TCI.
Lecture 2 Page 1 CS 236, Spring 2008 Security Principles and Policies CS 236 On-Line MS Program Networks and Systems Security Peter Reiher Spring, 2008.

Lecture 2 Page 1 CS 236, Spring 2008 Security Principles and Policies CS 236 On-Line MS Program Networks and Systems Security Peter Reiher Spring, 2008.
1 Tryst: Making Local Service Discovery Confidential Jeffrey Pang Ben Greenstein Srinivasan Seshan David Wetherall.

1 Tryst: Making Local Service Discovery Confidential Jeffrey Pang Ben Greenstein Srinivasan Seshan David Wetherall.
Link Setup Time (ms) Details : How do sender and receiver synchronize i ? Discovery/binding messages: infrequent and narrow interface  short term linkability.

Link Setup Time (ms) Details : How do sender and receiver synchronize i ? Discovery/binding messages: infrequent and narrow interface  short term linkability.
802.11 User Fingerprinting Jeff Pang, Ben Greenstein, Ramki Gummadi, Srini Seshan, and David Wetherall Most slides borrowed from Ben.

User Fingerprinting Jeff Pang, Ben Greenstein, Ramki Gummadi, Srini Seshan, and David Wetherall Most slides borrowed from Ben.
Wireless Security Focus on Encryption Steps to secure a Wi-Fi Network.

Wireless Security Focus on Encryption Steps to secure a Wi-Fi Network.
Introduction to InfoSec – Recitation 10 Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (itamargi at post.tau.ac.il)

Introduction to InfoSec – Recitation 10 Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (itamargi at post.tau.ac.il)
Wireless Networking 102.

Wireless Networking 102.
Security and Risk Management. Who Am I Matthew Strahan from Content Security Principal Security Consultant I look young, but I’ve been doing this for.

Security and Risk Management. Who Am I Matthew Strahan from Content Security Principal Security Consultant I look young, but I’ve been doing this for.
Introduction Our Topic: Mobile Security Why is mobile security important?

Introduction Our Topic: Mobile Security Why is mobile security important?
CHC DI Group. What We Will Cover Securing your devices and computers. Passwords. Emails. Safe browsing for shopping and online banks. Social media.

CHC DI Group. What We Will Cover Securing your devices and computers. Passwords. s. Safe browsing for shopping and online banks. Social media.
MOBILE DEVICE SECURITY. WHAT IS MOBILE DEVICE SECURITY? Mobile Devices  Smartphones  Laptops  Tablets  USB Memory  Portable Media Player  Handheld.

MOBILE DEVICE SECURITY. WHAT IS MOBILE DEVICE SECURITY? Mobile Devices  Smartphones  Laptops  Tablets  USB Memory  Portable Media Player  Handheld.
Wireless Network Security Dr. John P. Abraham Professor UTPA.

Wireless Network Security Dr. John P. Abraham Professor UTPA.
Lesson 20-Wireless Security. Overview Introduction to wireless networks. Understanding current wireless technology. Understanding wireless security issues.

Lesson 20-Wireless Security. Overview Introduction to wireless networks. Understanding current wireless technology. Understanding wireless security issues.

Similar presentations

Ads by Google