How the way you type can shatter anonymity—even on Tor

Security researchers have refined a long-theoretical profiling technique into a highly practical attack that poses a threat to Tor users and anyone else who wants to shield their identity online.
The technique collects user keystrokes as an individual enters usernames, passwords, and other data into a website. After a training session that typically takes less than 10 minutes, the website—or any other site connected to the website—can then determine with a high degree of certainty when the same individual is conducting subsequent online sessions. The profiling works by measuring the minute differences in the way each person presses keys on computer keyboards. Since the pauses between keystrokes and the precise length of time each key is pressed are unique for each person, the profiles act as a sort of digital fingerprint that can betray its owner's identity.
The prospect of widely available databases that identify users based on subtle differences in their typing was unsettling enough to researchers Per Thorsheim and Paul Moore that they have created a Chrome browser plugin that's designed to blunt the threat. The plugin caches the input keystrokes and after a brief delay relays them to the website at a pseudo-random rate. Thorsheim, a security expert who organizes the annual PasswordsCon conference, and Moore, an information security consultant at UK-based Urity Group, conceived the plugin after thinking through all the ways the typing profiles could be used to compromise online anonymity.
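An added example (not code from the article, the researchers, or their Chrome plugin) of the two timing features described above, dwell time and flight time, and of why buffering keystrokes and relaying them on a pseudo-random schedule removes the signal. The sample timings, the 10 ms match threshold, and the delay ranges are constructed assumptions.

```javascript
// Constructed sample data: [key, keydown ms, keyup ms] for the same word.
const enrolled = [["p",0,95],["a",140,228],["s",310,402],["s",455,541],["w",650,760]];
const later    = [["p",0,99],["a",146,230],["s",318,405],["s",460,549],["w",662,768]];
const other    = [["p",0,60],["a",260,325],["s",500,555],["s",640,700],["w",980,1050]];

// Dwell = time a key is held; flight = pause between releasing one key
// and pressing the next. Together they form the typing profile.
function features(events) {
  const dwell = events.map(([, down, up]) => up - down);
  const flight = events.slice(1).map(([, down], i) => down - events[i][2]);
  return dwell.concat(flight);
}

// Mean absolute difference (ms) between two profiles of equal length.
function distance(a, b) {
  return a.reduce((sum, v, i) => sum + Math.abs(v - b[i]), 0) / a.length;
}

// Assumed threshold: profiles closer than 10 ms on average count as a match.
const sameTypist = (a, b) => distance(features(a), features(b)) < 10;

// Small seeded PRNG (mulberry32) so the demo is reproducible. An actual
// tool should draw its delays from crypto.getRandomValues instead.
function prng(seed) {
  return () => {
    seed = (seed + 0x6D2B79F5) | 0;
    let t = Math.imul(seed ^ (seed >>> 15), 1 | seed);
    t = (t + Math.imul(t ^ (t >>> 7), 61 | t)) ^ t;
    return ((t ^ (t >>> 14)) >>> 0) / 4294967296;
  };
}

// Mitigation sketch: discard the observed timing and replay the buffered
// keys with dwell and gap values drawn only from the random source.
function relay(events, rand, start = 500) {
  let t = start;
  return events.map(([key]) => {
    const down = t + 30 + Math.floor(rand() * 120);
    const up = down + 40 + Math.floor(rand() * 100);
    t = up;
    return [key, down, up];
  });
}

console.log(sameTypist(enrolled, later), sameTypist(enrolled, other));
console.log(features(relay(enrolled, prng(7))), features(relay(other, prng(7))));
```

After the relay step the timing seen by the site depends only on the random source, so two different typists produce the same feature vector for the same random stream.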

Profiling Tor users

"The risk may seem small when you consider one single website collecting this type of information," Runa Sandvik, an independent security researcher and former Tor developer, told Ars. "The real concern with behavioral profiling is when it is being done by multiple big websites owned by the same company or organization. The risk to anonymity and privacy is that you can profile me and log what I am doing on one page and then compare that to the profile you have built on another page. Suddenly, the IP address I am using to connect to these two sites matters much less."
Sandvik said she visited this profiling demo site using a fully updated Tor browser, and the site was able to construct a profile of her unique typing habits. That means Tor-anonymized websites—either because their operators are malicious or are cooperating with law enforcement agencies—can use similar profiling scripts that track people across both public and darkweb destinations. While the Tor browser limits the amount of JavaScript that sites can run, it allowed all the code needed to make the demo profiling app work during Sandvik's experiment. Had JavaScript been disabled altogether, the profiling would have been blocked. So while blocking JavaScript is useful, that approach might not make a difference against a profiling app that found a means other than JavaScript to measure typing characteristics.
The gathering of unique keystroke characteristics is an example of what's known as behavioral biometrics, or the measurement of something a person does, such as speaking, walking, or typing. So far, Thorsheim and Moore say, several banking websites appear to be using keystroke profiling to perform an additional layer of authentication on site users. In theory, such an approach could allow the sites to detect account hijackings, even when the attacker enters the correct username and password. Given the potential benefit of behavioral biometrics, the Chrome plugin can whitelist specific websites that are using it for good. (Moore has more about the extension here.)
To be fair, behavioral biometrics is by no means a new field of study. As evidenced by this Slashdot thread from 2007, people have long recognized the potential of using it to identify people behind a keyboard. There's also a huge library of research papers showing how to profile and de-anonymize browsers connecting over Tor. Still, if banks and other sites can use the technique to create reliable and accurate profiles of customers, it stands to reason that governments around the world can and do profile people of interest.
"As soon as somebody manages to build a biometric profile of your keystrokes at a network/website where you are otherwise completely anonymous, that same profile can be used to identify you at other sites you're using, where identifiable information is available about you," Thorsheim wrote in a blog post published Tuesday. "Your favorite government agency—pick your country—could set up spoofed and fake pages on the darkweb as well as in the real world, in order to identify people across them. For oppressive regimes, this is most certainly of high interest."

arstechnica.com
Listing image by Adikos.
