“I’m unique, just like you: Human side-channels and their implications for security and privacy”

Presented at 44CON 2019, Sept. 12, 2019, 3:30 p.m. (59 minutes)

Almost everything about us – our handwriting, DNA, faces, voices, fingerprints, even our eyes – can be used to distinguish us from the seven billion other people on the planet. These physical identifiers can allow law enforcement to trace back real-world crimes to offenders, and enable biometric authentication mechanisms. However, such identifiers are often irrelevant when it comes to attempting to track or disrupt threat actors. In this talk, I will discuss, explore, and explain identifiers which are unintentional, non-physical, and generated as a result of human behaviours and activities, but which can still be used to uniquely identify and/or track individual users in the digital realm. I call these identifiers “human side-channels”, and will explore how they work; how they can be used for both attack and defence; and how they can be countered. I’ll examine three human side-channels in particular: forensic linguistics; behavioural signatures; and cultural references. I will start by exploring the theories underpinning these side-channels, which are rooted in personality psychology and the concepts of consistency and distinctiveness as a result of our unique experiences, training, and feedback. I’ll then explore how they work; walk through case studies and examples/demos of using them practically in security contexts; and discuss how they could be practically applied to investigate and track threat actors, in situations ranging from hostile social media profiles to post-compromise exfiltration and privilege escalation. I’ll also examine the privacy implications of each technique, and how such characteristics – which are much harder to recognise, obfuscate, or spoof – could be used to erode privacy. I’ll go into detail regarding possible countermeasures to disguise your own human side-channels, and I’ll wrap up by outlining some ideas for future research in these areas.

Presenters:

• Matt Wixey - PWC
  Matt is the Research Lead for the PwC Cyber Security practice in the UK, and is a PhD candidate at University College London. Prior to joining PwC, Matt led a technical R&D team for a law enforcement agency in the UK. His research interests include antivirus and sandboxing technologies, unconventional attack vectors, side-channels, and radio security.

Links:

• https://44con2019.sched.com/event/Tdfj/matt-wixey-im-unique-just-like-you-human-side-channels-and-their-implications-for-security-and-privacy
• https://infocon.org/cons/44CON/44CON 2019/Human Side-Channels And Their Implications For Security And Privacy - Matt Wixey.mp4
• https://infocon.org/cons/44CON/44CON 2019/Human Side-Channels And Their Implications For Security And Privacy - Matt Wixey.eng.srt (subtitles)

Similar Presentations:

• VB2015 / Stego-malware in Google Play. Findings and limitations
• Black Hat USA 2019 / I'm Unique, Just Like You: Human Side-Channels and Their Implications for Security and Privacy
• DEF CON 26 (2018) / Betrayed by the keyboard: How what you type can give you away