Diese Präsentation wurde erfolgreich gemeldet.
Wir verwenden Ihre LinkedIn Profilangaben und Informationen zu Ihren Aktivitäten, um Anzeigen zu personalisieren und Ihnen relevantere Inhalte anzuzeigen. Sie können Ihre Anzeigeneinstellungen jederzeit ändern.

De-anonymizing Members of French Political Forums - Passwords13

Hash cracking meets politics.

The current political climate in France is very tense, as resentment for President Hollande is growing. The Internet provides a platform for dissenters to express their criticisms of the government; however, because France does not guarantee the freedom of speech as the United States does, many people are losing their jobs, facing intimidation by political opponents, and are even being arrested and prosecuted for the comments they make on political forums. It is for these reasons that most users on these forums strive for anonimity, out of fear for the real-world consequences. However, by exploiting a weakness in the way avatars are presented on these forums, the identities of these dissenters may be learned quite easily.

  • Loggen Sie sich ein, um Kommentare anzuzeigen.

  • Gehören Sie zu den Ersten, denen das gefällt!

De-anonymizing Members of French Political Forums - Passwords13

  1. 1. De-anonymizing Users of French Political Forums Dominique Bongard CEO and janitor, 0xcite LLC, Switzerland dominique.bongard@0xcite.ch | @reversity | www.0xcite.ch
  2. 2. What is Gravatar and how does it work Privacy attacks on Gravatar A practical example with political forums
  3. 3. A little something about me Part 0
  4. 4. §  French speaking Swiss citizen §  Reverse Engineer §  Specialized in embedded devices security
  5. 5. What is Gravatar and how does it work Part 1
  6. 6. §  Service which allows members of forums and blogs to automatically have the same profile picture on all participating sites §  Uses the MD5 hash of a person‘s email address as identifier §  Gravatar is owned by Automattic §  It is used by several major sites
  7. 7. §  Used for users who haven‘t registered an avatar §  Site administrators can also set a custom image §  MD5 hashes are also displayed for users who didn‘t register with Gravatar!
  8. 8. Privacy attacks on Gravatar Part 2
  9. 9. matt.mullenweg@automattic.com 58f266c26cd28643c9f3ae42c858dfe5! mullenweg@automattic.com 9a68676b220b1357308951c3ce0b3911! matt@automattic.com c0ccdd53794779bcc07fcae7b79c4d80!
  10. 10. §  Use a password cracking software like Hashcat §  In 2008 Abell of developer.it recovered 10% of the email addresses of 80’000 stackoverflow.com users1 §  The attack was played down with the following arguments §  Spam is not the main issue, privacy protection is 1 http://www.developer.it/post/gravatars-why-publishing-your-email-s-hash-is-not-a-good-idea
  11. 11. 1 http://www.developer.it/post/gravatars-why-publishing-your-email-s-hash-is-not-a-good-idea "MD5 is plenty good for obfuscating the email address of users across the wire. if you're thinking of rainbow tables, those are all geared at passwords (which are generally shorter, and less globally different from one another) and not email addresses, furthermore they are geared at generating anything that matches the hash, NOT the original data being hashed. If you are thinking about being able to reproduce a collision, you still don't necessarily get the actual email address being hashed from the data generated to create the collision. In either case the work required to both construct and operate such a monstrocity would be prohibitively costly. If we left your password laying around in the open as a plain md5 hash someone might be able to find some data (not necessarily your password) which they could use to log in as you... Leaving your email address out as an md5 hash, however, is not going to cause a violent upsurge in the number of fake rolex watch emails that you get. Lets face it there are far more lucrative, easier, ways of getting email address. I hope this helps ease your mind."
  12. 12. §  Yes emails are longer than passwords but: §  Email addresses are highly predictable §  GPU password crackers can try billions MD5 per second
  13. 13. A practical example with political forums Part 3
  14. 14. The current political context in France
  15. 15. §  Presided by François Hollande since 2012 §  Left wing social democrat (Parti Socialiste) §  Lowest satisfaction rate for a French President
  16. 16. §  Same sex marriage
  17. 17. §  Surrogacy laws (GPA) §  Assisted Reproductive Technology laws (PMA) §  Voting rights for immigrants
  18. 18. §  One radical left wing activist was killed during a fist fight1
  19. 19. §  Ordinary people and journalists often get sued for §  You may lose your job for displaying you opinions §  It can also get you harrased or physically attacked
  20. 20. §  Eric Zemmour is a right wing polemist §  He said this in the context of racial profiling by police §  He was sentenced to pay 2000 Euros for provoking racial hatred
  21. 21. De-anonymisation of French political forums’ members
  22. 22. §  Members of such forums mostly use pseudonyms §  They have a high expectation of privacy §  Some savy posters register with disposable addresses
  23. 23. §  The identity of many users can easily be discovered §  The authorities can obtain the user‘s identity with a court order to the email provider §  A political adversary can spearfish the users
  24. 24. Practical example of de-anonymisation
  25. 25. §  The main French political forum uses Gravatar §  The identity of its administator is suspected but not proved
  26. 26. §  A custom crawler was written to acquire MD5 hashes §  A beta version of Hashcat was used to crack the hashes §  45% of the email addresses were recovered
  27. 27. §  Mask up to 9 characters for the left side §  Various left side dictionaries §  Right side dictionaries of popular email domains §  A few other rules
  28. 28. gmail.com live.fr aol.com yahoo.fr gmx.fr yahoo.com hotmail.com ymail.com hotmail.fr outlook.com laposte.net bluewin.ch msn.com voila.fr
  29. 29. aliceadsl.fr cegetel.net club-internet.fr infonie.fr libertysurf.fr neuf.fr noos.fr numericable.fr orange.fr sfr.fr laposte.net wanadoo.fr
  30. 30. get2mail.fr mailinator.com yopmail.fr yopmail.com ymail.com *
  31. 31. 0 50 100 150 200 250 300
  32. 32. Addresses containing username: 13% Addresses containing numbers: 34% Addresses ending in numbers: 32% Addresses containing punctuation: 13% Addresses containing a dot: 8% Addresses containing an underscore: 3% Addresses containing a dash: 1.7% Addresses with punctuation and numbers: 4%
  33. 33. §  ....