In this thesis, we detected and measured web tracking technologies. First, we proposed a fine-grained behavioral classification of tracking based on the analysis of invisible pixels. We further audited the legal compliance of websites within the EU Data Protection legal framework by assessing their compliance with the General Data Protection Regulation (GDPR) and the ePrivacy Directive. We demonstrated that popular methods to detect tracking, based on EasyList&EasyPrivacy and on Disconnect lists, respectively miss 25.22% and 30.34% of the trackers that we detect. As a follow-up of this first work, we made a qualitative study and reported on the analysis of 176 websites of medical doctors and hospitals. We found that 76% of these websites fail to comply with the GDPR requirements on a valid explicit consent. Second, we studied the combination of both stateful and stateless web tracking techniques. To the best of our knowledge, our study is the first to detect and measure cookie respawning via browser and machine fingerprint. We found out that this technique can be used to track users across websites even when third-party cookies are deprecated. Finally, we investigate the legal compliance of purposes for 20,218 third-party cookies. We found that purposes declared in cookie policies do not comply with the purpose specification principle in 95% of cases in our automated audit. Furthermore, we analyzed the authentication practices implemented in third-party tracking services to exercise the access right.

Adversaries are often able to penetrate networks and compromise systems by exploiting vulnerabilities in people and systems. The key to the success of these attacks is information that adversaries collect throughout the phases of the cyber kill chain. We summarize and analyze the methods, tactics, and tools that adversaries use to conduct reconnaissance activities throughout the attack process. First, we discuss what types of information adversaries seek, and how and when they can obtain this information. Then, we provide a taxonomy and detailed overview of adversarial reconnaissance techniques. The taxonomy introduces a categorization of reconnaissance techniques based on the source as third-party, human-, and system-based information gathering.