We present Tracking Protection in the Mozilla Firefox web browser. Tracking Protection is a new privacy technology to mitigate invasive tracking of users' online activity by blocking requests to tracking domains. We evaluate our approach and demonstrate a 67.5% reduction in the number of HTTP cookies set during a crawl of the Alexa top 200 news sites. Since Firefox does not download and render content from tracking domains, Tracking Protection also enjoys performance benefits of a 44% median reduction in page load time and 39% reduction in data usage in the Alexa top 200 news sites.
In an effort to hinder attackers from compromising user accounts, Facebook launched a form of two-factor authentication called social authentication (SA), where users are required to identify photos of their friends to complete a log-in attempt. Recent research, however, demonstrated that attackers can bypass the mechanism by employing face recognition software. Here we demonstrate an alternative attack that employs image comparison techniques to identify the SA photos within an offline collection of the users' photos. In this paper, we revisit the concept of SA and design a system with a novel photo selection and transformation process, which generates challenges that are robust against these attacks. The intuition behind our photo selection is to use photos that fail software-based face recognition, while remaining recognizable to humans who are familiar with the depicted people. The photo transformation process creates challenges in the form of photo collages, where faces are transformed so as to render image matching techniques ineffective. We experimentally confirm the robustness of our approach against three template matching algorithms that solve 0.4% of the challenges, while requiring four orders of magnitude more processing effort. Furthermore, when the transformations are applied, face detection software fails to detect even a single face. Our user studies confirm that users are able to identify their friends in over 99% of the photos with faces unrecognizable by software, and can solve over 94% of the challenges with transformed photos.
ACM Conference on Computer and Communications Security (CCS); 01/2014
Password-based authentication is the dominant form of access control in web services. Unfortunately, it proves to be more and more inadequate every year. Even if users choose long and complex passwords, vulnerabilities in the way they are managed by a service may leak them to an attacker. Recent incidents in popular services such as LinkedIn and Twitter demonstrate the impact that such an event could have. The use of one-way hash functions to mitigate the problem is countered by the evolution of hardware which enables powerful password-cracking platforms. In this paper we propose SAuth, a protocol which employs authentication synergy among different services. Users wishing to access their account on service S will also have to authenticate for their account on service V, which acts as a vouching party. Both services S and V are regular sites visited by the user every day (e.g., Twitter, Facebook, Gmail). Should an attacker acquire the password for service S he will be unable to log in unless he also compromises the password for service V and possibly more vouching services. SAuth is an extension and not a replacement of existing authentication methods. It operates one layer above without ties to a specific method, thus enabling different services to employ heterogeneous systems. Finally we employ password decoys to protect users that share a password across services.
Proceedings of the 2013 ACM SIGSAC conference on Computer & communications security; 11/2013
Over the past few years, a large and ever increasing number of Web sites have incorporated one or more social login platforms and have encouraged users to log in with their Facebook, Twitter, Google, or other social networking identities. Research results suggest that more than two million Web sites have already adopted Facebook's social login platform, and the number is increasing sharply. Although one might theoretically refrain from such social login features and cross-site interactions, usage statistics show that more than 250 million people might not fully realize the privacy implications of opting-in. To make matters worse, certain Web sites do not offer even the minimum of their functionality unless users meet their demands for information and social interaction. At the same time, in a large number of cases, it is unclear why these sites require all that personal information for their purposes. In this paper, we mitigate this problem by designing and developing a framework for minimum information disclosure in social login interactions with third-party sites. Our example case is Facebook, which combines a very popular single sign-on platform with information-rich social networking profiles. Whenever users want to browse to a Web site that requires authentication or social interaction using a Facebook identity, our system employs, by default, a Facebook session that reveals the minimum amount of information necessary. Users have the option to explicitly elevate that Facebook session in a manner that reveals more or all of the information tied to their social identity. This enables users to disclose the minimum possible amount of personal information during their browsing experience on third-party Web sites.
International Journal of Information Security 10/2012; 11(5). DOI:10.1007/s10207-012-0173-6 · 0.94 Impact Factor
Proceedings of the 21st USENIX conference on Security symposium; 08/2012
As the Internet has entered everyday life and become tightly bound to telephony, both in the form of Voice over IP technology as well as Internet-enabled cellular devices, several attacks have emerged that target both landline and mobile devices. We present a variation of an existing attack that exploits smartphone devices to launch a DoS attack against a telephone device by issuing a large number of missed calls. In that light, we conduct an excessive study of Phone CAPTCHA usage for preventing attacks that render telephone devices unusable, and provide information on the design and implementation of our system that protects landline devices. Subsequently, we propose the integration of Phone CAPTCHAs in smartphone software as a countermeasure against a series of attacks that target such devices. We also present various enhancements to strengthen CAPTCHAs against automated attacks. Finally, we conduct a user study to measure the applicability of our enhanced Phone CAPTCHAs.
Social networking is one of the most popular Internet activities, with millions of users from around the world. The time spent on sites like Facebook or LinkedIn is constantly increasing at an impressive rate. At the same time, users populate their online profile with a plethora of information that aims at providing a complete and accurate representation of themselves. Attackers may duplicate a user's online presence in the same or across different social networks and, therefore, fool other users into forming trusting social relations with the fake profile. By abusing that implicit trust transferred from the concept of relations in the physical world, they can launch phishing attacks, harvest sensitive user information, or cause unfavorable repercussions to the legitimate profile's owner. In this paper we propose a methodology for detecting social network profile cloning. We present the architectural design and implementation details of a prototype system that can be employed by users to investigate whether they have fallen victim to such an attack. Our experimental results from the use of this prototype system prove its efficiency and also demonstrate its simplicity in terms of deployment by everyday users. Finally, we present the findings from a short study in terms of profile information exposed by social network users.
Pervasive Computing and Communications Workshops (PERCOM Workshops), 2011 IEEE International Conference on; 04/2011
A number of security-related research topics are based on the monitoring of dark IP address space. Unfortunately there is a large administrative overhead associated with the dynamic assignment of a specific subnet for monitoring purposes, such as the deployment of a honeypot farm or a distributed intrusion detection system. In this paper, we propose a system that enables the dynamic allocation of an unadvertised IP address subnet for use by a monitoring sensor. The system dynamically selects network subnets that have been allocated to the organization but are not being advertised, advertises them, and subsequently forwards all received traffic destined to the selected subnet to a monitoring sensor.
Short URLs have become ubiquitous. Especially popular within social networking services, short URLs have seen a significant increase in their usage over the past years, mostly due to Twitter's restriction of message length to 140 characters. In this paper, we provide a first characterization on the usage of short URLs. Specifically, our goal is to examine the content short URLs point to, how they are published, their popularity and activity over time, as well as their potential impact on the performance of the web. Our study is based on traces of short URLs as seen from two different perspectives: i) collected through a large-scale crawl of URL shortening services, and ii) collected by crawling Twitter messages. The former provides a general characterization on the usage of short URLs, while the latter provides a more focused view on how certain communities use shortening services. Our analysis highlights that domain and website popularity, as seen from short URLs, significantly differs from the distributions provided by well publicised services such as Alexa. The set of most popular websites pointed to by short URLs appears stable over time, despite the fact that short URLs have a limited high popularity lifetime. Surprisingly, short URLs are not ephemeral, as a significant fraction, roughly 50%, appears active for more than three months. Overall, our study emphasizes the fact that short URLs reflect an "alternative" web and, hence, provide an additional view on web usage and content consumption complementing traditional measurement sources. Furthermore, our study reveals the need for alternative shortening architectures that will eliminate the non-negligible performance penalty imposed by today's shortening services.
Proceedings of the 20th International Conference on World Wide Web, WWW 2011, Hyderabad, India, March 28 - April 1, 2011; 03/2011
Over the past few months we are seeing a large and ever increasing number of Web sites encouraging users to log in with their Facebook, Twitter, or Gmail identity, or personalize their browsing experience through a set of plug-ins that interact with the users' social profile. Research results suggest that more than two million Web sites have already adopted Facebook's social plug-ins, and the number is increasing sharply. Although one might theoretically refrain from such single sign-on platforms and cross-site interactions, usage statistics show that more than 250 million people might not fully realize the privacy implications of opting-in. To make matters worse, certain Web sites do not offer even the minimum of their functionality unless the users meet their demands for information and social interaction. At the same time, in a large number of cases, it is unclear why these sites require all that personal information for their purposes. In this paper we mitigate this problem by designing and developing a framework for minimum information disclosure across third-party sites with single sign-on interactions. Our example case is Facebook, which combines a very popular single sign-on platform with information-rich social networking profiles. When a user wants to browse a Web site that requires authentication or social interaction with his Facebook identity, our system employs, by default, a Facebook session that reveals the minimum amount of information necessary. The user has the option to explicitly elevate that Facebook session in a manner that reveals more or all of the information tied to his social identity. This enables users to disclose the minimum possible amount of personal information during their browsing experience on third-party Web sites.
Information Security, 14th International Conference, ISC 2011, Xi'an, China, October 26-29, 2011. Proceedings; 01/2011
In this paper we propose the use of URLs as a covert channel to relay information between two or more parties. We render our technique practical, in terms of bandwidth, by employing URL-shortening services to form URL chains of hidden information. We discuss the security aspects of this technique and present proof-of-concept implementation details along with measurements that prove the feasibility of our approach.
Computer Network Defense (EC2ND), 2011 Seventh European Conference on; 01/2011
Adobe Flash and Microsoft Silverlight are two widely adopted platforms for providing Rich Internet Applications (RIA) over the World Wide Web. The need for RIAs to retrieve content hosted on different domains, in order to enrich user experience, led to the use of cross-domain policies by content providers. Cross-domain policies define the list of RIA hosting domains that are allowed to retrieve content from the content provider's domain. Misinterpretation or misconfigurations of the policies may give the opportunity to malicious RIAs to access and handle users' private data. In this paper we present an extensive study on the deployment and security issues of cross-domain policies in the web. Through the examination of a large set of popular and diverse (both geographically and content-wise) websites, we reveal that about 50% (more than 6.500 websites) of the websites that have adopted such policies are vulnerable to attacks. Furthermore, we find such policies in more than 50% of the top 500 websites, examined both globally and per-country. Additionally, we examine local sets of e-shopping websites and find that up to 83% implement weak policies. Interestingly, we observe that the less popular a website is, the higher the probability that it will have a weak policy. Compared to previous studies there is an obvious increasing trend in the adoption of RIA but, at the same time, a decreasing trend regarding secure implementations. Through a proof-of-concept attack implementation and a number of real-world examples, we highlight the security impacts of these policy misconfigurations.
Malicious activities, such as running botnets, phishing sites or keyloggers, require an underlying infrastructure for carrying out vital operations like hosting coordination mechanisms or storing stolen information. In the past, attackers have used their own resources or compromised machines. In this paper, we discuss the emerging practice of attackers outsourcing their malicious infrastructure to the Cloud. We present our findings from the study of the first major keylogger that has employed Pastebin for storing stolen information. Furthermore, we outline the traits and features of Cloud services in facilitating malicious activities. Finally, we discuss how the nature of the Cloud may shape future security monitoring and enhance defenses against such practices.
Monitoring large chunks of unused IP address space yields interesting observations and useful results. However, the volume and diversity of the collected data makes the extraction of information a challenging task. Additionally, the maintenance of the monitoring infrastructure is another demanding and time-consuming effort. To overcome these problems, we present several visualization techniques that enable users to observe what happens in their unused address space over arbitrary time periods and provide the necessary tools for administrators to monitor their infrastructure. Our approach, which is based on open-source standard technologies, transforms the raw information at the network level and provides a customized and Web-accessible view. In this paper, we present the design, implementation and early experiences of the visualization techniques and tools deployed for the NoAH project, a large-scale honeypot-based infrastructure. Additionally, we provide a traffic analysis of data collected over a six month period of our infrastructure's operation. During the data collection period, we observed that the number of attackers continually increased as did the volume of traffic they generated. Furthermore, interesting patterns for specific types of traffic have been identified, such as the diurnal cycle of the traffic targeting TCP port 445 (Windows Directory Services), the port that receives the largest volume of attack traffic.
Computer Network Defense (EC2ND), 2010 European Conference on; 11/2010
Social networking is one of the most popular Internet activities with millions of members from around the world. However, users are unaware of the privacy risks involved. Even if they protect their private information, their name is enough to be used for malicious purposes. In this paper we demonstrate and evaluate how names extracted from social networks can be used to harvest email addresses as a first step for personalized phishing campaigns. Our blind harvesting technique uses names collected from the Facebook and Twitter networks as query terms for the Google search engine, and was able to harvest almost 9 million unique email addresses. We compare our technique with other harvesting methodologies, such as crawling the World Wide Web and dictionary attacks, and show that our approach is more scalable and efficient than the other techniques. We also present three targeted harvesting techniques that aim to collect email addresses coupled with personal information for the creation of personalized phishing emails. By using information available in Twitter to narrow down the search space and by utilizing the Facebook email search functionality, we are able to successfully map 43.4% of the user profiles to their actual email address. Furthermore, we harvest profiles from Google Buzz, 40% of whom provide a direct mapping to valid Gmail addresses.
Proceedings of the 2010 ACM Workshop on Privacy in the Electronic Society, WPES 2010, Chicago, Illinois, USA, October 4, 2010; 09/2010