The landscape of domain name typosquatting: techniques and countermeasures

May 20, 2016 ~ Adrian Colyer ~ 7 Comments

The landscape of domain name typosquatting: techniques and countermeasures - Spaulding et al. arXiv upload 9 Mar 2016. We round up our series of posts on internet deceptions by looking at domain squatting. My "favourite" advanced technique is bitsquatting, which turns out to be a great demonstration of the inevitable failures that occur with sufficient ... Continue Reading

Understanding malvertising through ad-injecting browser extensions

May 19, 2016 ~ Adrian Colyer ~ 1 Comment

Understanding malvertising through ad-injecting browser extensions- Xing et al., WWW 2015. Be careful what browser extensions you install. Some ad networks have started to offer browser extension developers an opportunity to monetise their work, and in this study Xing et al. show that of the 292 Chrome browser extensions in their survey which inject ads, ... Continue Reading

Knowing your enemy: understanding and detecting malicious web advertising

May 18, 2016 ~ Adrian Colyer ~ 1 Comment

Knowing your enemy: understanding and detecting malicious web advertising - Li at al. CCS, 2012 ... hackers and con-artists have found web ads to be a low-cost and highly effective means to conduct malicious and fraudulent activities. In this paper, we broadly refer to such ad-related malicious activities as malvertising, which can happen to any ... Continue Reading

Sieve: Cryptographically Enforced Access Control for User Data in Untrusted Clouds

March 25, 2016 ~ Adrian Colyer ~ Leave a comment

Sieve: Cryptographically Enforced Access Control for User Data in Untrusted Clouds - Wang et al. 2016 Who owns your data? With cloud services, 'your' data is typically spread across multiple walled gardens, one per service. I'm reminded of a great line from "On the duality of resilience and privacy:" It is a truth universally acknowledged ... Continue Reading

A Taxonomy of Attacks and a Survey of Defence Mechanisms for Semantic Social Engineering Attacks

March 15, 2016 ~ Adrian Colyer ~ 1 Comment

A Taxonomy of Attacks and a Survey of Defence Mechanisms for Semantic Social Engineering Attacks - Heartfield and Loukas 2015 This paper is concerned with semantic social engineering: the manipulation of the user-computer interface to deceive a user and ultimately breach a computer system's information security. Semantic attack exploits include phishing, file masquerading (disguising file ... Continue Reading

Secrets, Lies, and Account Recovery: Lessons from the Use of Personal Knowledge Questions at Google

March 14, 2016 ~ Adrian Colyer ~ 3 Comments

Secrets, Lies, and Account Recovery: Lessons from the Use of Personal Knowledge Questions at Google - Bonneau et al. 2015 What was your mother's maiden name? What was your city of birth? What was the name of your first school? I don't know about you, but I always groan inwardly when a website asks such ... Continue Reading

Not-quite-so-broken TLS: lessons in re-engineering a security protocol specification and implementation

February 23, 2016 ~ Adrian Colyer ~ 7 Comments

Not-quite-so-broken TLS: lessons in re-engineering a security protocol specification and implementation - Kaloper-Meršinjak et al. 2015 Update: fixed broken paper link above. On the surface this is a paper about a TLS implementation, but the really interesting story to me is the attempt to 'do it right,' and the techniques and considerations involved in that ... Continue Reading

Capability Myths Demolished

February 16, 2016 ~ Adrian Colyer ~ 4 Comments

Capability Myths Demolished - Miller et. al 2003 Pretty much everyone is familiar with an ACL-based approach to security. Despite having been around for a very long time, the capabilities approach to security is less well-known. Today's paper choice provides an excellent introduction to the capabilities model and how it compares to ACLs. Along the ... Continue Reading

Prudent Engineering Practice for Cryptographic Protocols

December 4, 2015 ~ Adrian Colyer ~ 2 Comments

Prudent Engineering Practice for Cryptographic Protocols - Abadi & Needham, 1994 Prudent engineering practice for cryptographic protocols for most of us is not to design cryptographic protocols! Today's paper serves to highlight how even the experts can get it wrong, and presents 11 design principles for cryptographic protocols - some of which may be useful ... Continue Reading

Fast and Vulnerable: A Story of Telematic Failures

December 3, 2015 ~ Adrian Colyer ~ Leave a comment

Fast and Vulnerable: A Story of Telematic Failures - Foster et al. 2015 Yesterday we saw just how much damage can be done by an adversary that is able to infiltrate the CAN bus of a car. Today's paper shows that it's possible to gain access to the bus remotely... Telematic control units (TCU) are ... Continue Reading

the morning paper

a random walk through Computer Science research, by Adrian Colyer
Made delightfully fast by strattic

Security