Knowing your enemy: understanding and detecting malicious web advertising - Li et al. CCS, 2012 ... hackers and con-artists have found web ads to be a low-cost and highly effective means to conduct malicious and fraudulent activities. In this paper, we broadly refer to such ad-related malicious activities as malvertising, which can happen to any …
Tag: Security
Papers relating to security, encryption, attacks and defenses.
Diplomat: Using Delegations to Protect Community Repositories
Diplomat: Using Delegations to Protect Community Repositories - Kuppusamy et al. 2016 Community repositories, such as Docker Hub, Python Package Index (PyPI), RubyGems, and SourceForge provide an easy way for a developer to disseminate software... [they] are immensely popular and collectively serve more than a billion packages per year. Unfortunately, the popularity of these repositories …
Sieve: Cryptographically Enforced Access Control for User Data in Untrusted Clouds
Sieve: Cryptographically Enforced Access Control for User Data in Untrusted Clouds - Wang et al. 2016 Who owns your data? With cloud services, 'your' data is typically spread across multiple walled gardens, one per service. I'm reminded of a great line from "On the duality of resilience and privacy:" It is a truth universally acknowledged …
A Taxonomy of Attacks and a Survey of Defence Mechanisms for Semantic Social Engineering Attacks
A Taxonomy of Attacks and a Survey of Defence Mechanisms for Semantic Social Engineering Attacks - Heartfield and Loukas 2015 This paper is concerned with semantic social engineering: the manipulation of the user-computer interface to deceive a user and ultimately breach a computer system's information security. Semantic attack exploits include phishing, file masquerading (disguising file …
Secrets, Lies, and Account Recovery: Lessons from the Use of Personal Knowledge Questions at Google
Secrets, Lies, and Account Recovery: Lessons from the Use of Personal Knowledge Questions at Google - Bonneau et al. 2015 What was your mother's maiden name? What was your city of birth? What was the name of your first school? I don't know about you, but I always groan inwardly when a website asks such …
Not-quite-so-broken TLS: lessons in re-engineering a security protocol specification and implementation
Not-quite-so-broken TLS: lessons in re-engineering a security protocol specification and implementation - Kaloper-Meršinjak et al. 2015 Update: fixed broken paper link above. On the surface this is a paper about a TLS implementation, but the really interesting story to me is the attempt to 'do it right,' and the techniques and considerations involved in that …
Capability Myths Demolished
Capability Myths Demolished - Miller et al. 2003 Pretty much everyone is familiar with an ACL-based approach to security. Despite having been around for a very long time, the capabilities approach to security is less well-known. Today's paper choice provides an excellent introduction to the capabilities model and how it compares to ACLs. Along the …
Prudent Engineering Practice for Cryptographic Protocols
Prudent Engineering Practice for Cryptographic Protocols - Abadi & Needham, 1994 Prudent engineering practice for cryptographic protocols for most of us is not to design cryptographic protocols! Today's paper serves to highlight how even the experts can get it wrong, and presents 11 design principles for cryptographic protocols - some of which may be useful …
Fast and Vulnerable: A Story of Telematic Failures
Fast and Vulnerable: A Story of Telematic Failures - Foster et al. 2015 Yesterday we saw just how much damage can be done by an adversary that is able to infiltrate the CAN bus of a car. Today's paper shows that it's possible to gain access to the bus remotely... Telematic control units (TCU) are …
Experimental Security Analysis of a Modern Automobile
Experimental Security Analysis of a Modern Automobile - Foster et al. 2010 Today's paper gives us a frightening insight into the (lack of) security of the distributed computing systems controlling modern cars. The results described were obtained from testing a 2009 model year car. Surely today's cars are better than this? In the UK, …