Let’s Encrypt: an automated certificate authority to encrypt the entire web

Let's encrypt: an automated certificate authority to encrypt the entire web, Aas et al., CCS'19 This paper tells the story of Let's Encrypt, from it's early beginnings in 2012/13 all the way to becoming the world's largest HTTPS Certificate Authority (CA) today - accounting for more currently valid certificates than all other browser-trusted CAs combined. … Continue reading Let’s Encrypt: an automated certificate authority to encrypt the entire web

Watching you watch: the tracking system of over-the-top TV streaming devices

Watching you watch: the tracking ecosystem of over-the-top TV streaming devices, Moghaddam et al., CCS'19 The results from this paper are all too predictable: channels on Over-The-Top (OTT) streaming devices are insecure and riddled with privacy leaks. The authors quantify the scale of the problem, and note that users have even less viable defence mechanisms … Continue reading Watching you watch: the tracking system of over-the-top TV streaming devices

“I was told to buy a software or lose my computer: I ignored it.” A study of ransomware

"I was told to buy a software or lose my computer. I ignored it": a study of ransomware Simoiu et al., SOUPS 2019 This is a very easy to digest paper shedding light on the prevalence of ransomware and the characteristics of those most likely to be vulnerable to it. The data comes from a … Continue reading “I was told to buy a software or lose my computer: I ignored it.” A study of ransomware

Invisible mask: practical attacks on face recognition with infrared

Invisible mask: practical attacks on face recognition with infrared Zhou et al., arXiv’18 You might have seen selected write-ups from The Morning Paper appearing in ACM Queue. The editorial board there are also kind enough to send me paper recommendations when they come across something that sparks their interest. So this week things are going … Continue reading Invisible mask: practical attacks on face recognition with infrared

Detecting and characterizing lateral phishing at scale

Detecting and characterizing lateral phishing at scale Ho et al., USENIX Security Symposium 2019 This is an investigation into the phenomenon of lateral phishing attacks. A lateral phishing attack is one where a compromised account within an organisation is used to send out further phishing emails (typically to other employees within the same organisation). So … Continue reading Detecting and characterizing lateral phishing at scale

In-toto: providing farm-to-table guarantees for bits and bytes

in-toto: providing farm-to-table guarantees for bits and bytes Torres-Arias et al., USENIX Security Symposium 2019 Small world with high risks did a great job of highlighting the absurd risks we’re currently carrying in many software supply chains. There are glimmers of hope though. This paper describes in-toto, and end-to-end system for ensuring the integrity of … Continue reading In-toto: providing farm-to-table guarantees for bits and bytes

Small world with high risks: a study of security threats in the npm ecosystem

Small world with high risks: a study of security threats in the npm ecosystem Zimmermann et al., USENIX Security Symposium 2019 This is a fascinating study of the npm ecosystem, looking at the graph of maintainers and packages and its evolution over time. It’s packed with some great data, and also helps us quantify something … Continue reading Small world with high risks: a study of security threats in the npm ecosystem