Show Me Your Cookie And I Will Tell You Who You Are

With the success of Web applications, most of our data is now stored on various third-party servers where they are processed to deliver personalized services. Naturally we must be authenticated to access this personal information, but the use of personalized services only restricted by identification could indirectly and silently leak sensitive data. We analyzed Google Web Search access mechanisms and found that the current policy applied to session cookies could be used to retrieve users' personal data. We describe an attack scheme leveraging the search personalization (based on the same SID cookie) to retrieve a part of the victim's click history and even some of her contacts. We implemented a proof of concept of this attack on Firefox and Chrome Web browsers and conducted an experiment with ten volunteers. Thanks to this prototype we were able to recover up to 80% of the user's search click history

ASMA: towards adaptive secured multipath in MANETs

As they are used to create open communities, Mobile Ad hoc NETworks (MANETs) are not favourable environments to establish trust, which is necessary to provide security. Multipath routing mechanisms within infrastructureless networks environment seems appropriate and useful to enhance security protection. In fact, the level of trust can be increased so as many of potential security attacks are detected, revealed and stopped. Nevertheless an excessive control overhead is always generated. In this paper, we propose a global framework that integrates a set of concepts and mechanisms aiming at enhancing security in highly dynamic decentralized ad hoc networks. Our solution focuses on authentication, routing securing, trust management with reliable estimation of trust. A large panoply of attacks are prevented using our various mechanisms.8th IFIP/IEEE International conference on Mobile and Wireless CommunicationRed de Universidades con Carreras en Informática (RedUNCI

A Critical Look at Decentralized Personal Data Architectures

While the Internet was conceived as a decentralized network, the most widely used web applications today tend toward centralization. Control increasingly rests with centralized service providers who, as a consequence, have also amassed unprecedented amounts of data about the behaviors and personalities of individuals. Developers, regulators, and consumer advocates have looked to alternative decentralized architectures as the natural response to threats posed by these centralized services. The result has been a great variety of solutions that include personal data stores (PDS), infomediaries, Vendor Relationship Management (VRM) systems, and federated and distributed social networks. And yet, for all these efforts, decentralized personal data architectures have seen little adoption. This position paper attempts to account for these failures, challenging the accepted wisdom in the web community on the feasibility and desirability of these approaches. We start with a historical discussion of the development of various categories of decentralized personal data architectures. Then we survey the main ideas to illustrate the common themes among these efforts. We tease apart the design characteristics of these systems from the social values that they (are intended to) promote. We use this understanding to point out numerous drawbacks of the decentralization paradigm, some inherent and others incidental. We end with recommendations for designers of these systems for working towards goals that are achievable, but perhaps more limited in scope and ambition

ASMA: towards adaptive secured multipath in MANETs

As they are used to create open communities, Mobile Ad hoc NETworks (MANETs) are not favourable environments to establish trust, which is necessary to provide security. Multipath routing mechanisms within infrastructureless networks environment seems appropriate and useful to enhance security protection. In fact, the level of trust can be increased so as many of potential security attacks are detected, revealed and stopped. Nevertheless an excessive control overhead is always generated. In this paper, we propose a global framework that integrates a set of concepts and mechanisms aiming at enhancing security in highly dynamic decentralized ad hoc networks. Our solution focuses on authentication, routing securing, trust management with reliable estimation of trust. A large panoply of attacks are prevented using our various mechanisms.8th IFIP/IEEE International conference on Mobile and Wireless CommunicationRed de Universidades con Carreras en Informática (RedUNCI

No need to ask the Android: Bluetooth-Low-Energy scanning without the location permission

International audienceBluetooth-Low-Energy (BLE) scanning can be misused by applications to determine a device location. In order to prevent unconsented location tracking by applications, Android conditions the use of some BLE functions to the prior obtention of the location permission and the activation of the location setting. In this paper, we detail a vulnerability that allows applications to perform BLE scans without the location permission. We present another flaw allowing to bypass the active location requirement. Together those flaws allow an application to fully circumvent the location restrictions applying to BLE scanning. The presented vulnerability affects devices running Android 6 up to 11 and could be misused by application developers to track the location of users. This vulnerability has been disclosed to Google and assigned the CVE-2021-0328

Autoantibodies against type I IFNs in patients with life-threatening COVID-19

Interindividual clinical variability in the course of severe acute respiratory syndrome coronavirus 2 (SARS-CoV-2) infection is vast. We report that at least 101 of 987 patients with life-threatening coronavirus disease 2019 (COVID-19) pneumonia had neutralizing immunoglobulin G (IgG) autoantibodies (auto-Abs) against interferon-w (IFN-w) (13 patients), against the 13 types of IFN-a (36), or against both (52) at the onset of critical disease; a few also had auto-Abs against the other three type I IFNs. The auto-Abs neutralize the ability of the corresponding type I IFNs to block SARS-CoV-2 infection in vitro. These auto-Abs were not found in 663 individuals with asymptomatic or mild SARS-CoV-2 infection and were present in only 4 of 1227 healthy individuals. Patients with auto-Abs were aged 25 to 87 years and 95 of the 101 were men. A B cell autoimmune phenocopy of inborn errors of type I IFN immunity accounts for life-threatening COVID-19 pneumonia in at least 2.6% of women and 12.5% of men

Analysis of Google Logs Retention Policies

Abstract. To preserve search log data utility, Google groups search queries in log bundles by deleting the last octet of logged IP address. Because these bundles still contain identifying information, part of these search logs can be de-anonymized [27]. Without an external audit of these search logs, it is currently impossible to evaluate their robustness against de-anonymizing attacks. In this paper, we leverage log retention policy ambiguities to show that quasi-identifiers could be stored in sanitized search query logs and could help to de-anonymize user searches. This paper refers to Google Search and Google Suggest log retention policies and shows that even with the highest degree of anonymization that Google offers, one could separate user queries with a high granularity. Because Google Suggest is queried every time a user types a character in the Google Chrome navigation box, the privacy of Chrome users could be compromised with respect to their browsing histories. Such ambiguities within log retention policies are critical and should be addressed, as anonymized logs could be shared with third parties without prior user consent.

Secured reactive routing in ad hoc networks

Dans les réseaux mobiles ad hoc ou MANET (pour Mobile Ad hoc NETwork), le routage et l acheminement des paquets sont effectués par les nœuds mobiles. Par conséquent, ces réseaux ne reposent sur aucune infrastructure et peuvent être déployés de façon autonome et spontanée. Un réseau MANET peut être le résultat d un déploiement isolé, par exemple pour établir des communications dans une zone couverte par aucun autre type de réseaux, ou peut être l extension d un réseau existant. Cette seconde catégorie de réseaux, appelée réseaux hybrides, permet à un opérateur d étendre son réseau sans nécessairement déployer de nouveaux équipements et par conséquent à moindre coût. Des standards tels que IEEE 802.11 (Wi-Fi) et IEEE 802.15 (Bluetooth) supportent des configurations de réseaux en mode ad hoc. De plus les organismes de standardisation travaillent activement à de nouvelles spécifications pour les réseaux hybrides. On peut notamment citer IEEE 802.11, IEEE 802.16 et IEEE 802.20. Cet effort de standardisation est dû aux applications prometteuses des réseaux ad hoc. En effet, les réseaux ad hoc possèdent des propriétés innovantes pour le déploiement de nouvelles applications qui pourront être développées et hébergées par les utilisateurs. Un opérateur pourra par ailleurs proposer de nouveaux services tels que le partage de fichier en mode nomade, la surveillance du voisinage, les jeux en réseau local, la diffusion de programmes locaux et personnalisés ou encore proposer un outil de sauvegarde distribuée. Néanmoins, toutes ces applications requièrent la coopération de l ensemble des utilisateurs du réseau.Ad hoc networking is a new wireless communication paradigm where routing and forwarding functions are assured by nodes so that such networks do not rely on infrastructure and can be deployed spontaneously. Ad hoc networks can be either deployed in a stand-alone fashion or attached to a network infrastructure to form hybrid mesh networks. Instances of the former category are Mobile Ad hoc NETworks (MANETs) which are spontaneous and infrastructureless emerging networks supporting a new class of mobile applications. However, most of ad hoc networks innovative and promising characteristics raise new challenging issues which are critical regarding security risks. In this thesis, our concern is to design a global security architecture aiming at securing the main network operations that may exist in both pure ad hoc or hybrid WLAN mesh networks. Our main contributions concern of the Adaptive Secured Multipath for Ad hoc networks (ASMA) architecture, the Multipath Trust based Routing Protocol (MTRP) and the On-demand Multipath CERTification (OMCERT) protocol. ASMA supports many functionalities including multipath routing, trust management, key/certificate exchange and application adaptation. We propose a global architecture for both pure and hybrid ad hoc networks. From the analysis of strengths and weaknesses of secured routing protocols, we designed a new robust routing structure called Secured Multipath Graph (SMG). SMG structure is extracted from the mesh ad hoc network for each communication to be established between a source and a destination. Especially, SMG is a robust structure based on node-disjoint path routing scheme and dynamic trust management that can be adapted.PARIS-Télécom ParisTech (751132302) / SudocSudocFranceF