Off-Path TCP Exploits of the Mixed IPID Assignment
In this paper, we uncover a new off-path TCP hijacking attack that can be
used to terminate victim TCP connections or inject forged data into victim TCP
connections by manipulating the new mixed IPID assignment method, which is
widely used in Linux kernel version 4.18 and beyond to help defend against TCP
hijacking attacks. The attack has three steps. First, an off-path attacker can
downgrade the IPID assignment for TCP packets from the more secure
per-socket-based policy to the less secure hash-based policy, building a shared
IPID counter that forms a side channel on the victim. Second, the attacker
detects the presence of TCP connections by observing the shared IPID counter on
the victim. Third, the attacker infers the sequence number and the
acknowledgment number of the detected connection by observing the side channel
of the shared IPID counter. Consequently, the attacker can completely hijack
the connection, i.e., resetting the connection or poisoning the data stream.
We evaluate the impacts of this off-path TCP attack in the real world. Our
case studies of SSH DoS, manipulating web traffic, and poisoning BGP routing
tables show its threat on a wide range of applications. Our experimental
results show that our off-path TCP attack can be constructed within 215 seconds
and the success rate is over 88%. Finally, we analyze the root cause of the
exploit and develop a new IPID assignment method to defeat this attack. We
prototype our defense in Linux 4.18 and confirm its effectiveness through extensive evaluation over real applications on the Internet.
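A toy model of the side channel that the three steps above rely on, added here as an illustration; it is not the paper's code and does not reproduce the paper's measurement procedure. It assumes a victim whose handling of spoofed SYN and RST segments follows RFC 5961 (a challenge ACK for any SYN on an established connection and for an in-window RST, a silent drop for an out-of-window RST), a 2048-entry hash-based counter table keyed by a secret the attacker cannot read, an attacker who already knows the connection's four-tuple and the victim's receive window size, and no competing traffic on the shared counter. The downgrade of step 1 is reduced to a flag, and the addresses (192.0.2.10, 10.x.y.1), the sequence number and the secret are constructed for the example.

```python
"""Toy model of the IPID side channel behind the off-path attack above.  Constructed for
this page, not the paper's code; downgrade mechanism, rate limits and noise are left out."""
import hashlib

NBUCKETS = 2048     # assumed size of the victim's shared hash-based counter table
SEQ_MOD = 1 << 32


def seq_in_window(seq, rcv_nxt, rcv_wnd):
    return (seq - rcv_nxt) % SEQ_MOD < rcv_wnd   # seq in [rcv_nxt, rcv_nxt + rcv_wnd) mod 2^32


class Victim:
    def __init__(self, client, rcv_nxt, rcv_wnd, secret=b"boot-time secret"):
        self.client, self.rcv_nxt, self.rcv_wnd = client, rcv_nxt, rcv_wnd
        self.secret = secret              # keys the bucket hash; the attacker never learns it
        self.policy = "per-socket"        # TCP IPID policy before the downgrade
        self.hash_ctr = [0] * NBUCKETS    # counters shared under the hash-based policy
        self.sock_ctr = {}                # one private counter per peer under per-socket
        self.reset = False

    def bucket(self, dst):
        h = hashlib.sha256(self.secret + dst.encode()).digest()
        return int.from_bytes(h[:4], "big") % NBUCKETS

    def send(self, dst):
        """Assign and return the IPID of one packet to dst (a probe reply is one such packet)."""
        if self.policy == "per-socket":
            ipid = self.sock_ctr.get(dst, 0)
            self.sock_ctr[dst] = ipid + 1
        else:
            b = self.bucket(dst)
            ipid, self.hash_ctr[b] = self.hash_ctr[b], self.hash_ctr[b] + 1
        return ipid & 0xFFFF

    def downgrade(self):                  # step 1, abstracted to a flag
        self.policy = "hash"

    def spoofed_syn(self, src):
        # RFC 5961 4.2: a SYN on an established connection draws a challenge ACK
        # whatever its sequence number; it goes to the spoofed src, not the attacker.
        if src == self.client and not self.reset:
            self.send(src)

    def spoofed_rst(self, src, seq):
        # RFC 5961 3.2: out-of-window RST is dropped, seq == RCV.NXT resets the
        # connection, any other in-window seq draws a challenge ACK.
        if src != self.client or self.reset or not seq_in_window(seq, self.rcv_nxt, self.rcv_wnd):
            return
        if seq == self.rcv_nxt:
            self.reset = True
        else:
            self.send(src)


def gap(victim, addr, spoof):
    """Off-path oracle: IPID distance between two probe replies bracketing `spoof`; 1 if it
    was dropped, 2 if it made the victim send one packet from the same shared counter."""
    before = victim.send(addr)
    spoof()
    return (victim.send(addr) - before) & 0xFFFF


def detect_connection(victim, client, candidates):
    """Step 2: find a probe address colliding with the client's counter (a hit also confirms the connection)."""
    for addr in candidates:
        if gap(victim, addr, lambda: victim.spoofed_syn(client)) == 2:
            return addr
    return None


def infer_rcv_nxt(victim, addr, client, wnd):
    """Step 3, assuming the window size wnd is known.  Exactly one point of a
    wnd-spaced scan lands in the window (it is RCV.NXT itself, resetting the
    connection, only if RCV.NXT is a multiple of wnd); the bisection then climbs
    to the window's upper edge, so none of its probes can hit RCV.NXT."""
    def in_window(seq):
        return gap(victim, addr, lambda: victim.spoofed_rst(client, seq % SEQ_MOD)) == 2
    hit = next(s for s in range(0, SEQ_MOD, wnd) if in_window(s))
    lo, hi = hit, hit + wnd                # lo in-window, hi just past the window
    while hi - lo > 1:
        mid = (lo + hi) // 2
        lo, hi = (mid, hi) if in_window(mid) else (lo, mid)
    return (lo + 1 - wnd) % SEQ_MOD        # lo is the last in-window number


def run_attack(victim, client, wnd):
    """Whole chain: detection fails under per-socket IPIDs, works after the downgrade;
    the inferred RCV.NXT then carries the RST that ends the connection."""
    pool = [f"10.{a}.{b}.1" for a in range(256) for b in range(256)]   # constructed
    before = detect_connection(victim, client, pool[:256])
    victim.downgrade()
    addr = detect_connection(victim, client, pool)
    if addr is None:
        return None
    rcv_nxt = infer_rcv_nxt(victim, addr, client, wnd)
    victim.spoofed_rst(client, rcv_nxt)
    return {"before_downgrade": before, "addr": addr, "rcv_nxt": rcv_nxt, "reset": victim.reset}
```

Calling `run_attack(Victim("192.0.2.10", 0x0A0B0C0D, 65536), "192.0.2.10", 65536)` shows the point of step 1: under the per-socket policy every probe gap is 1, because the challenge ACK to the client draws its IPID from the client socket's own counter, so `detect_connection` returns None; after the downgrade the gap becomes 2 whenever the spoofed segment made the victim transmit on the colliding counter, and that single bit is the oracle both the address search and the sequence-number bisection are built on.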
Measuring Decentralization of Chinese Censorship in Three Industry Segments
What is forbidden to talk about using Chinese apps? Companies operating in China face a complex array of regulations and are liable for content voiced using their platforms. Previous work studying Chinese censorship uses (1) sample testing or (2) measures content deletion; however, these techniques produce an incomplete picture biased toward (1) the tested samples or (2) whichever topics were trending.
In this dissertation, I use reverse engineering to study the code that applications use to determine whether to censor content. In doing so, I can provide a more complete and unbiased view of Chinese Internet censorship. I reverse engineer applications across three Chinese industry segments: instant messaging, live streaming, and gaming. Together these reveal over 100,000 unique blacklisted keywords from blacklists spanning hundreds of different companies.
A common assumption in Chinese censorship research is that observed censorship is the result of a monolithic motive. In this dissertation, using the more complete and unbiased view that reverse engineering provides, I test three hypotheses: (1) there is little overlap between the keyword lists used by different companies, (2) there is no China-wide list of banned words or topics largely determining what Chinese companies censor, and (3) province-wide lists of banned words or topics do not largely determine what companies censor. These hypotheses suggest that it is largely Chinese companies that are burdened with choosing what topics to censor.
(Can't) Picture This 2: How WeChat Implements Realtime Censorship of Sensitive Images in User Chats
In this work, we study how Tencent implements image filtering on WeChat. We found that Tencent implements realtime, automatic censorship of chat images on WeChat based on what text is in an image and based on an image's visual similarity to those on a blacklist. Tencent facilitates this realtime filtering by maintaining a hash index of MD5 hashes of sensitive image files.
This project was supported by Open Society Foundations. We would like to thank an anonymous researcher for assistance in translating and categorizing the images featured in this report. We would also like to thank Ron Deibert for advising this work, Simon Humbert for technical assistance, as well as Masashi Crete-Nishihata, Miles Kenyon, and Adam Senft for helpful suggestions and peer review.
Privacy and Security Concerns in QQ Browser
This report describes privacy and security issues with the Windows and Android versions of QQ Browser. Our research shows that both versions of the application transmit personally identifiable data without encryption or with easily decrypted encryption, and do not adequately protect the software update process.
The authors would like to thank Sarah McKune and Masashi Crete-Nishihata for assistance and peer review on this report. Jeffrey Knockel's research for this project was supported by the Open Technology Fund's Information Control Fellowship Program and Adam Senft's by the John D. and Catherine T. MacArthur Foundation (Ronald J. Deibert, Principal Investigator).
Every step you fake: a comparative analysis of fitness tracker privacy and security
Introduction
Canadians, and many people around the world, are increasingly purchasing and using electronic devices meant to capture and record a person's relative level of fitness.
Unlike past fitness devices, such as pedometers, electronic fitness trackers are designed to display aggregate fitness information automatically on mobile devices and, frequently, on websites developed and controlled by the company that makes the given device. This automatic collection and dissemination of fitness data began with simply monitoring the steps a person had taken in a day.
Contemporary consumer fitness wearables collect a broad range of data. The number of floors (altitude changes) a person climbs in a day, the duration and depth of sleep, and heart rate activity are all captured by best-of-class consumer-level fitness trackers. All of this data is of interest to the wearers of the devices, to companies interested in mining and selling collected fitness data, to insurance companies, to authorities and courts of law, and even potentially to criminals motivated to steal or access data retained by fitness companies.
This report explores what information is collected by the companies which develop and sell some of the most popular wearables in North America. Moreover, it explores whether there are differences between the information that is collected by the devices and what companies say they collect, and what they subsequently provide to consumers when compelled to disclose all the personal information that companies hold about residents of Canada.
In short, the project asks:
Were data which are technically collected noted in companies' privacy policies and terms of service and, if so, what protections or assurances do individuals have concerning the privacy or security of that data?
What of that data is classified by the company as "personal" data, which is tested by issuing legally compelling requests for the company to disclose all the personal data held on a requesting individual?
Does the information received by the individual match what a company asserts is "personally identifiable information" in their terms of service or privacy policies?
A Tough Nut to Crack: A Further Look at Privacy and Security Issues in UC Browser
In this report we analyze Windows and Android versions of the web browser UC Browser, and find they transmitted personally identifiable information with easily decryptable encryption and were vulnerable to arbitrary code execution during software updates.
Thanks to Andrew Hilts, Sarah McKune, Jason Ng and Masashi Crete-Nishihata for assistance with this report. Jeffrey Knockel's research for this project was supported by the Open Technology Fund's Information Control Fellowship Program and Adam Senft's by the John D. and Catherine T. MacArthur Foundation (Ronald J. Deibert, Principal Investigator). This material is based upon work supported by the U.S. National Science Foundation under Grant Nos. #1314297, #1420716, #1518523, and #1518878.
Key findings of the Baidu Browser report
This report describes privacy and security issues with Baidu Browser, a web browser for the Windows and Android platforms. Our research shows that the application transmits personal user data to Baidu servers without encryption and with easily decryptable encryption, and is vulnerable to arbitrary code execution during software updates via man-in-the-middle attacks. Much of the data leakage is the result of a shared Baidu software development kit, which affects hundreds of additional applications.
The Citizen Lab would like to thank Seth Hardy from Lookout for assistance with this report. Jeffrey Knockel's research for this project was supported by the Open Technology Fund's Information Control Fellowship Program. Sarah McKune's research was supported by a grant from the Open Society Foundations (Ronald J. Deibert, Principal Investigator), and Adam Senft's by the John D. and Catherine T. MacArthur Foundation (Ronald J. Deibert, Principal Investigator).