An Interest In:
Web News this Week
- March 30, 2024
- March 29, 2024
- March 28, 2024
- March 27, 2024
- March 26, 2024
- March 25, 2024
- March 24, 2024
Some of Our Sources
- Slashdot
- Technology Review
- Team Treehouse
- Six Revisions
- Abduzeedo
- Creative Curio
- My Ink Blog
- Line 25
- Specky Boy
- Dev To
Help Webnuz
Referal links:
August 10, 2019 12:03 am
Original Link: http://rss.slashdot.org/~r/Slashdot/slashdot/~3/l6vW1edSAdo/researchers-show-how-europes-data-protection-laws-can-dox-people
Researchers Show How Europe's Data Protection Laws Can Dox People
An anonymous reader quotes a report from Motherboard: Europe's controversial privacy law, the General Data Protection Regulator -- better known as GDPR -- has been hailed by some as a solution to tech companies' pervasive data collection and tracking. What maybe no one saw coming is that GDPR can become another tool in the arsenal of enterprising and malicious social engineers, hackers, and people who want to dox and harass others. That's what Ph.D student and cybersecurity researcher James Pavur discovered when he and his fiance -- and co-author on their paper -- Casey Knerr made an unusual wager about using GDPR's right of access requests -- a mechanism that allows Europeans to ask any company about what data they have on themselves -- with the goal of extracting sensitive information. Along with his fiance Knerr, who also works in the infosec industry -- and with her full consent -- Pavur devised a clever, yet very simple experiment. He started with just Knerr's full name, a couple of email addresses, phone numbers, and any other low-hanging fruit that he could find online. In other words, "the weakest possible form of attack," as he put it in his paper. Then, he sent requests to 75 companies, and then to another 75 using the new data -- such as home addresses -- he found through the first wave of requests using an email address designed to look like that of Knerr. Thanks to these requests, Pavur was able to get his fiance's Social Security Number, date of birth, mother's maiden name, passwords, previous home addresses, travel and hotel logs, high school grades, partial credit card numbers, and whether she had ever been a user of online dating services. "Pavur and Knerr said 25 percent of companies never responded. Two thirds of companies, including online data services, responded with enough information to reveal that Pavur's fiance had an account with them. Of those who responded, 25 percent provided sensitive data without properly verifying the identity of the sender. Another 15 percent requested data that could have easily been forged, while 40 percent requested identifying information that would've been relatively hard to fake, according to the study.Read more of this story at Slashdot.
Original Link: http://rss.slashdot.org/~r/Slashdot/slashdot/~3/l6vW1edSAdo/researchers-show-how-europes-data-protection-laws-can-dox-people
Share this article:
Tweet
View Full Article
Slashdot
Slashdot was originally created in September of 1997 by Rob "CmdrTaco" Malda. Today it is owned by Geeknet, Inc..More About this Source Visit Slashdot