Data Exfiltration by Hotjar Revisited

Session replay scripts allow website owners to record the interaction of each web site visitor and aggregate the interaction to reveal the interests and problems of the visitors. However, previous research identified such techniques as privacy intrusive. This position paper updates the information on data collection by Hotjar. It revisits the previous findings to detect and describe the changes. The default policy to gather inputs changed; the recording script gathers only information from explicitly allowed input elements. Nevertheless, Hotjar does record content reflecting users' behaviour outside input HTML elements. Even though we propose changes that would prevent the leakage of the reflected content, we argue that such changes will most likely not appear in practice. The paper discusses improvements in handling TLS. Not only do web page operators interact with Hotjar through encrypted connections, but Hotjar scripts do not work on sites not protected by TLS. Hotjar respects the Do Not Track signal; however, users need to connect to Hotjar even in the presence of the Do Not Track setting. Worse, malicious web operators can trick Hotjar into recording sessions of users with the active Do Not Track setting. Finally, we propose and motivate the extension of GDPR Art. 25 obligations to processors.Comment: WEBIST, 19th International Conference on Web Information Systems and Technologies, https://www.insticc.org/node/technicalprogram/WEBIST/202

FormLock for JavaScript Restrictor

Tato práce se zaměřuje na problematiku ochrany osobních údajů při vyplňování formulářů na internetu. V této práci je analyzováno řešení ve formě webového rozšíření Formlock, které upozorňuje uživatele na potenciálně nebezpečné formuláře a snaží se jej chránit před únikem těchto dat třetím stranám. Rozšíření Formlock je analyzováno a na základě získaných poznatků je navržena jak integrace do rozšíření Javascript Restrictor, tak vylepšení současných opatření. Nově implementovaná opatření jsou otestována a jsou vyhodnoceny možnosti k jejich budoucímu rozšíření.This thesis focuses on protecting personally identifiable information (PII) during filling and submitting of web forms. Formlock, a prototype trying to resolve the PII leakage caused by forms by warning the user about the potentially malicious web forms and giving them an option to try and prevent the leak, is tested and then it's defensive capabilities are improved and integrated into Javascript Restrictor. Lastly, the new and integrated measures are tested and their possible future improvements are evaluated.

Environmental Disasters Data Management Workshop Report

The Environmental Disasters Data Management (EDDM) project seeks to foster communication between collectors, managers, and users of data within the scientific research community, industry, NGOs, and government agencies, with a goal to identify and establish best practices for orderly collection, storage, and retrieval. The Coastal Response Research Center (CRRC) is assisting NOAA’s Office of Response and Restoration (ORR) with this effort. The objectives of the EDDM project are to: Engage the community of data users, data managers, and data collectors to foster a culture of applying consistent terms and concepts, data flow, and quality assurance and control; Provide oversight in the establishment and integration of foundational, baseline data collected prior to an environmental event, based on user requirements; Provide best‐practice guidance for data and metadata management; Suggest infrastructure design elements to facilitate quick and efficient search, discovery, and retrieval of data; Define the characteristics of a “gold standard” data management plan for appropriate data sampling, formatting, reliability, and retrievability; and Deliver workshop conclusions to end users in order to promote the use of the protocols, practices, or recommendations identified by participants

Online Privacy in Mobile and Web Platforms: Risk Quantification and Obfuscation Techniques

The wide-spread use of the web and mobile platforms and their high engagement in human lives pose serious threats to the privacy and confidentiality of users. It has been demonstrated in a number of research works that devices, such as desktops, mobile, and web browsers contain subtle information and measurable variation, which allow them to be fingerprinted. Moreover, behavioural tracking is another form of privacy threat that is induced by the collection and monitoring of users gestures such as touch, motion, GPS, search queries, writing pattern, and more. The success of these methods is a clear indication that obfuscation techniques to protect the privacy of individuals, in reality, are not successful if the collected data contains potentially unique combinations of attributes relating to specific individuals. With this in view, this thesis focuses on understanding the privacy risks across the web and mobile platforms by identifying and quantifying the privacy leakages and then designing privacy preserving frameworks against identified threats. We first investigate the potential of using touch-based gestures to track mobile device users. For this purpose, we propose and develop an analytical framework that quantifies the amount of information carried by the user touch gestures. We then quantify users privacy risk in the web data using probabilistic method that incorporates all key privacy aspects, which are uniqueness, uniformity, and linkability of the web data. We also perform a large-scale study of dependency chains in the web and find that a large proportion of websites under-study load resources from suspicious third-parties that are known to mishandle user data and risk privacy leaks. The second half of the thesis addresses the abovementioned identified privacy risks by designing and developing privacy preserving frameworks for the web and mobile platforms. We propose an on-device privacy preserving framework that minimizes privacy leakages by bringing down the risk of trackability and distinguishability of mobile users while preserving the functionality of the existing apps/services. We finally propose a privacy-aware obfuscation framework for the web data having high predicted risk. Using differentially-private noise addition, our proposed framework is resilient against adversary who has knowledge about the obfuscation mechanism, HMM probabilities and the training dataset

Navigating the Phishing Landscape: A Novel Stage Model Unveiling the Journey of Individuals Exposed to Phishing Attempts

The focus of this master thesis is to understand the process and stages individuals go through when exposed to a phishing attack. To achieve this objective, we will closely examine the responses of individuals throughout the phishing process and establish connections between their cognitive processes and actions, drawing upon relevant literature. By integrating these insights, we will construct a holistic phishing stage model. Consequently, our research question, "How can we identify and understand the stages involved in the phishing process?" will guide our investigation. For this thesis, we conducted a qualitative study where we interviewed nine individuals from seven different IT consultant firms in Norway. We utilized the theoretical framework to create a holistic phishing stage model. The findings lead to the creation of a phishing stage model consisting of a pre-stage and three main stages with constituent activities that explain the flow from stage to stage. The findings reveal that individuals rely on technical solutions in more ways than we initially thought. Warnings in the delivery stage of emails affects the potential victim in the later stages, especially when they explore the content of a phishing message. Ignoring phishing attempts were found to be prevalent in the younger interview candidates. Interestingly those who reported phishing attempts were found to do so in two different ways, either officially or unofficially. The unofficial reporting consisted of altering coworkers through word of mouth or other communication channels. In contrast, official reporting was the way intended by company policies. This study offers a valuable model that effectively explains the stages individuals go through during the phishing process. This research enhances our understanding of said phenomenon by shedding light on phishing attacks from the victim’s standpoint. The insight gained from this thesis advances our understanding and offers valuable guidance for developing preventive measures, educational initiatives, training programs, and robust cybersecurity strategies. Furthermore, the model presented in this study serves as a valuable tool for identifying focal points in training efforts, thus enabling organizations to address vulnerabilities and effectively enhance their defenses against phishing attacks

DecodingTrust: A Comprehensive Assessment of Trustworthiness in GPT Models

Generative Pre-trained Transformer (GPT) models have exhibited exciting progress in capabilities, capturing the interest of practitioners and the public alike. Yet, while the literature on the trustworthiness of GPT models remains limited, practitioners have proposed employing capable GPT models for sensitive applications to healthcare and finance - where mistakes can be costly. To this end, this work proposes a comprehensive trustworthiness evaluation for large language models with a focus on GPT-4 and GPT-3.5, considering diverse perspectives - including toxicity, stereotype bias, adversarial robustness, out-of-distribution robustness, robustness on adversarial demonstrations, privacy, machine ethics, and fairness. Based on our evaluations, we discover previously unpublished vulnerabilities to trustworthiness threats. For instance, we find that GPT models can be easily misled to generate toxic and biased outputs and leak private information in both training data and conversation history. We also find that although GPT-4 is usually more trustworthy than GPT-3.5 on standard benchmarks, GPT-4 is more vulnerable given jailbreaking system or user prompts, potentially due to the reason that GPT-4 follows the (misleading) instructions more precisely. Our work illustrates a comprehensive trustworthiness evaluation of GPT models and sheds light on the trustworthiness gaps. Our benchmark is publicly available at https://decodingtrust.github.io/

Navigating the Phishing Landscape: A Novel Stage Model Unveiling the Journey of Individuals Exposed to Phishing Attempts

The focus of this master thesis is to understand the process and stages individuals go through when exposed to a phishing attack. To achieve this objective, we will closely examine the responses of individuals throughout the phishing process and establish connections between their cognitive processes and actions, drawing upon relevant literature. By integrating these insights, we will construct a holistic phishing stage model. Consequently, our research question, "How can we identify and understand the stages involved in the phishing process?" will guide our investigation. For this thesis, we conducted a qualitative study where we interviewed nine individuals from seven different IT consultant firms in Norway. We utilized the theoretical framework to create a holistic phishing stage model. The findings lead to the creation of a phishing stage model consisting of a pre-stage and three main stages with constituent activities that explain the flow from stage to stage. The findings reveal that individuals rely on technical solutions in more ways than we initially thought. Warnings in the delivery stage of emails affects the potential victim in the later stages, especially when they explore the content of a phishing message. Ignoring phishing attempts were found to be prevalent in the younger interview candidates. Interestingly those who reported phishing attempts were found to do so in two different ways, either officially or unofficially. The unofficial reporting consisted of altering coworkers through word of mouth or other communication channels. In contrast, official reporting was the way intended by company policies. This study offers a valuable model that effectively explains the stages individuals go through during the phishing process. This research enhances our understanding of said phenomenon by shedding light on phishing attacks from the victim’s standpoint. The insight gained from this thesis advances our understanding and offers valuable guidance for developing preventive measures, educational initiatives, training programs, and robust cybersecurity strategies. Furthermore, the model presented in this study serves as a valuable tool for identifying focal points in training efforts, thus enabling organizations to address vulnerabilities and effectively enhance their defenses against phishing attacks