GDPArrrrr: Using Privacy Laws to Steal Identities

Video: https://www.youtube.com/watch?v=kule5syZ8Ug (Duration: 21:57)

James Pavur | DPhil Student, Oxford University
Location: Islander EI
Date: Thursday, August 8 | 9:00am-9:25am
Format: 25-Minute Briefings
Tracks: Policy, Human Factors

On May 25, 2018 the European Union's General Data Protection Regulation (GDPR) came into effect, bringing with it the most expansive governmental effort to regulate data security and privacy to date. Among the GDPR's many provisions is the "Right of Access," which states that individuals have the right to access their personal data. This provision can be easily abused by social engineers to steal sensitive information that does not belong to them.

My research centers on a practical case study wherein I attempted to steal as much information as possible about my fiancée (with her consent) using GDPR Subject Access Requests. In a survey of more than 150 companies, I demonstrate that organizations willingly provide highly sensitive information in response to GDPR right of access requests with little or no verification of the individual making the request. This ranges from typical sensitive identity data like addresses and credit card information to esoteric data such as a history of train journeys or a list of domains owned. While far too often no proof of identity is required at all, even in the best cases the GDPR permits someone capable of stealing or forging a driving license nearly complete access to your digital life. Moreover, the highly standardized nature of GDPR requests makes it possible to automate this process at immense scale and provides one of the most reliable general phishing attack typologies to date.

This is a solvable problem, and one which could have been addressed in the initial GDPR if regulatory legislation were subjected to security assessments like those used for modern software. The presentation suggests possible remediations and offers a cautionary tale for future policymakers designing GDPR-inspired privacy legislation. It also suggests short-term ways in which individuals and businesses can protect themselves against these attacks.

Black Hat USA 2019 hacking conference