
SoS Newsletter- Advanced Book Block

Phishing (ACM)
(2014 Year in Review)

This set of bibliographical references is about phishing. All works cited here were published by ACM and posted in its digital library during 2014.

Teh-Chung Chen, Torin Stepan, Scott Dick, James Miller; An Anti-Phishing System Employing Diffused Information; ACM Transactions on Information and System Security (TISSEC) Volume 16 Issue 4, April 2014, Article No. 16. Doi: 10.1145/2584680 The phishing scam and its variants are estimated to cost victims billions of dollars per year. Researchers have responded with a number of anti-phishing systems, based either on blacklists or on heuristics. The former cannot cope with the churn of phishing sites, while the latter usually employ decision rules that are not congruent to human perception. We propose a novel heuristic anti-phishing system that explicitly employs gestalt and decision theory concepts to model perceptual similarity. Our system is evaluated on three corpora contrasting legitimate Web sites with real-world phishing scams. The proposed system’s performance was equal or superior to current best-of-breed systems. We further analyze current anti-phishing warnings from the perspective of warning theory, and propose a new warning design employing our Gestalt approach.
Keywords: Phishing, compression-based learning (ID#: 15-4479)
URL: http://doi.acm.org/10.1145/2584680

Rucha Tembe, Olga Zielinska, Yuqi Liu, Kyung Wha Hong, Emerson Murphy-Hill, Chris Mayhorn, Xi Ge; Phishing in International Waters: Exploring Cross-National Differences In Phishing Conceptualizations Between Chinese, Indian And American Samples; HotSoS '14 Proceedings of the 2014 Symposium and Bootcamp on the Science of Security, April 2014, Article No. 8. Doi: 10.1145/2600176.2600178 One hundred sixty-four participants from the United States, India and China completed a survey designed to assess past phishing experiences and whether they engaged in certain online safety practices (e.g., reading a privacy policy). The study investigated participants' reported agreement regarding the characteristics of phishing attacks, types of media where phishing occurs and the consequences of phishing. A multivariate analysis of covariance indicated that there were significant differences in agreement regarding phishing characteristics, phishing consequences and types of media where phishing occurs for these three nationalities. Chronological age and education did not influence the agreement ratings; therefore, the samples were demographically equivalent with regards to these variables. A logistic regression analysis was conducted to analyze the categorical variables and nationality data. Results based on self-report data indicated that (1) Indians were more likely to be phished than Americans, (2) Americans took protective actions more frequently than Indians by destroying old documents, and (3) Americans were more likely to notice the "padlock" security icon than either Indian or Chinese respondents. The potential implications of these results are discussed in terms of designing culturally sensitive anti-phishing solutions.
Keywords: China, India, cultural differences, nationality, online privacy, phishing, susceptibility (ID#: 15-4480)
URL: http://doi.acm.org/10.1145/2600176.2600178

Bastian Braun, Martin Johns, Johannes Koestler, Joachim Posegga; PhishSafe: Leveraging Modern Javascript API's For Transparent and Robust Protection; CODASPY '14 Proceedings of the 4th ACM Conference on Data And Application Security And Privacy, March 2014, Pages 61-72. Doi: 10.1145/2557547.2557553 The term "phishing" describes a class of social engineering attacks on authentication systems that aim to steal the victim's authentication credential, e.g., the username and password. The severity of phishing has been recognized since the mid-1990s, and a considerable amount of attention has been devoted to the topic. However, currently deployed or proposed countermeasures are either incomplete, cumbersome for the user, or incompatible with standard browser technology. In this paper, we show how modern JavaScript APIs can be utilized to build PhishSafe, a robust authentication scheme that is immune against phishing attacks, easily deployable using the current browser generation, and requires little change in the end-user's interaction with the application. We evaluate the implementation and find that it is applicable to web applications with low effort and causes no tangible overhead.
Keywords: phishing, protection, web security (ID#: 15-4481)
URL: http://doi.acm.org/10.1145/2557547.2557553

Elie Bursztein, Borbala Benko, Daniel Margolis, Tadek Pietraszek, Andy Archer, Allan Aquino, Andreas Pitsillidis, Stefan Savage; Handcrafted Fraud and Extortion: Manual Account Hijacking in the Wild; IMC '14 Proceedings of the 2014 Conference on Internet Measurement Conference, November 2014, Pages 347-358. Doi: 10.1145/2663716.2663749 Online accounts are inherently valuable resources---both for the data they contain and the reputation they accrue over time. Unsurprisingly, this value drives criminals to steal, or hijack, such accounts. In this paper we focus on manual account hijacking---account hijacking performed manually by humans instead of botnets. We describe the details of the hijacking workflow: the attack vectors, the exploitation phase, and post-hijacking remediation. Finally we share, as a large online company, which defense strategies we found effective to curb manual hijacking.
Keywords: google, hijacking, phishing (ID#: 15-4482)
URL: http://doi.acm.org/10.1145/2663716.2663749

Adrian Dabrowski, Katharina Krombholz, Johanna Ullrich, Edgar R. Weippl; QR Inception: Barcode-in-Barcode Attacks; SPSM '14 Proceedings of the 4th ACM Workshop on Security and Privacy in Smartphones & Mobile Devices, November 2014, Pages 3-10. Doi: 10.1145/2666620.2666624 2D barcodes offer many benefits compared to 1D barcodes, such as high information density and robustness. Before their introduction to the mobile phone ecosystem, they have been widely used in specific applications, such as logistics or ticketing. However, there are multiple competing standards with different benefits and drawbacks. Therefore, reader applications as well as dedicated devices have to support multiple standards. In this paper, we present novel attacks based on deliberately caused ambiguities when specially crafted barcodes conform to multiple standards. Implementation details decide which standard the decoder locks on. This way, two users scanning the same barcode with different phones or apps will receive different content. This potentially opens the way for multiple problems related to security. We describe how embedding one barcode symbology into another can be used to perform phishing attacks as well as targeted exploits. In addition, we evaluate the extent to which popular 2D barcode reader applications on smartphones are susceptible to these barcode-in-barcode attacks. We furthermore discuss mitigation techniques against this type of attack.
Keywords: barcode, packet-in-packet, protocol decoding ambiguity, qr, security, steganography (ID#: 15-4483)
URL: http://doi.acm.org/10.1145/2666620.2666624

Adwait Nadkarni, Vasant Tendulkar, William Enck; NativeWrap: Ad Hoc Smartphone Application Creation for End Users; WiSec '14 Proceedings of the 2014 ACM Conference On Security And Privacy In Wireless & Mobile Networks, July 2014, Pages 13-24. Doi: 10.1145/2627393.2627412 Smartphones have become a primary form of computing. As a result, nearly every consumer, company, and organization provides an "app" for the popular smartphone platforms. Many of these apps are little more than a WebView widget that renders downloaded HTML and JavaScript content. In this paper, we argue that separating Web applications into separate OS principals has valuable security and privacy advantages. However, in the current smartphone application ecosystem, many such apps are fraught with privacy concerns. To this end, we propose NativeWrap as an alternative model for security and privacy conscious consumers to access Web content. NativeWrap "wraps" the domain for a given URL into a native platform app, applying best practices for security configuration. We describe the design of a prototype of NativeWrap for the Android platform and test compatibility on the top 250 Alexa Websites. By using NativeWrap, third-party developers are removed from platform code, and users are placed in control of privacy-sensitive operations.
Keywords: mobile applications, smartphone security, web browsers (ID#: 15-4484)
URL: http://doi.acm.org/10.1145/2627393.2627412

Ping Chen, Nick Nikiforakis, Lieven Desmet, Christophe Huygens; Security Analysis of the Chinese Web: How Well Is It Protected?; SafeConfig '14 Proceedings of the 2014 Workshop on Cyber Security Analytics, Intelligence and Automation, November 2014, Pages 3-9. Doi: 10.1145/2665936.2665938 As the web rapidly expands and gets integrated into the daily lives of more and more people, so does the number of cyber attacks against it. To defend against attackers, website operators can utilize a wide range of defense mechanisms, both at the server-side, as well as the client-side of their web applications. From a security-metrics standpoint, the presence or absence of these mechanisms can be used as a security indicator of any given website. In this paper, through a large-scale analysis of the 10,000 most popular Chinese websites, we analyze the security of the Chinese web by investigating the usage of client-side security policies, and evaluating the discovered HTTPS implementations. We show that, when compared to popular websites of the rest of the world, a significant fraction of Chinese websites lag behind on the adoption of good security practices. Among other findings, we report on the fact that 6% of websites inadvertently leak private user information, such as Chinese identity numbers, by placing spreadsheet files with sensitive content in directories indexed by search engines.
Keywords: chinese websites, security metrics, security policies, web security (ID#: 15-4485)
URL: http://doi.acm.org/10.1145/2665936.2665938

Sauvik Das, Adam D.I. Kramer, Laura A. Dabbish, Jason I. Hong; Increasing Security Sensitivity With Social Proof: A Large-Scale Experimental Confirmation; CCS '14 Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security, November 2014, Pages 739-749. Doi: 10.1145/2660267.2660271 One of the largest outstanding problems in computer security is the need for higher awareness and use of available security tools. One promising but largely unexplored approach is to use social proof: by showing people that their friends use security features, they may be more inclined to explore those features, too. To explore the efficacy of this approach, we showed 50,000 people who use Facebook one of 8 security announcements: 7 variations of social proof and 1 non-social control, to increase the exploration and adoption of three security features: Login Notifications, Login Approvals, and Trusted Contacts. Our results indicated that simply showing people the number of their friends that used security features was most effective, and drove 37% more viewers to explore the promoted security features compared to the non-social announcement (thus, raising awareness). In turn, as social announcements drove more people to explore security features, more people who saw social announcements adopted those features, too. However, among those who explored the promoted features, there was no difference in the adoption rate of those who viewed a social versus a non-social announcement. In a follow-up survey, we confirmed that the social announcements raised viewers' awareness of available security features.
Keywords: facebook, persuasion, security, security feature adoption, social cybersecurity, social influence (ID#: 15-4486)
URL: http://doi.acm.org/10.1145/2660267.2660271

Ting-Fang Yen, Victor Heorhiadi, Alina Oprea, Michael K. Reiter, Ari Juels; An Epidemiological Study of Malware Encounters in a Large Enterprise; CCS '14 Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security, November 2014, Pages 1117-1130. Doi: 10.1145/2660267.2660330 We present an epidemiological study of malware encounters in a large, multi-national enterprise. Our data sets allow us to observe or infer not only malware presence on enterprise computers, but also malware entry points, network locations of the computers (i.e., inside the enterprise network or outside) when the malware was encountered, and for some web-based malware encounters, web activities that gave rise to them. By coupling this data with demographic information for each host's primary user, such as his or her job title and level in the management hierarchy, we are able to paint a reasonably comprehensive picture of malware encounters for this enterprise. We use this analysis to build a logistic regression model for inferring the risk of hosts encountering malware; those ranked highly by our model have a >3x higher rate of encountering malware than the base rate. We also discuss where our study confirms or refutes other studies and guidance that our results suggest.
Keywords: enterprise security, logistic regression, malware encounters, measurement (ID#: 15-4487)
URL: http://doi.acm.org/10.1145/2660267.2660330

Gianluca Stringhini, Oliver Hohlfeld, Christopher Kruegel, Giovanni Vigna; The Harvester, The Botmaster, And The Spammer: On The Relations Between The Different Actors In The Spam Landscape; ASIA CCS '14 Proceedings of the 9th ACM Symposium On Information, Computer And Communications Security, June 2014, Pages 353-364. Doi: 10.1145/2590296.2590302 A spammer needs three elements to run a spam operation: a list of victim email addresses, content to be sent, and a botnet to send it. Each of these three elements is critical for the success of the spam operation: a good email list should be composed of valid email addresses, good email content should be both convincing to the reader and evade anti-spam filters, and a good botnet should efficiently send spam. Given how critical these three elements are, figures specialized in one of these elements have emerged in the spam ecosystem. Email harvesters crawl the web and compile email lists, botmasters infect victim computers and maintain efficient botnets for spam dissemination, and spammers rent botnets and buy email lists to run spam campaigns. Previous research suggested that email harvesters and botmasters sell their services to spammers in a prosperous underground economy. No rigorous research has been performed, however, on understanding the relations between these three actors. This paper aims to shed some light on the relations between harvesters, botmasters, and spammers. By disseminating email addresses on the Internet, fingerprinting the botnets that contact these addresses, and looking at the content of these emails, we can infer the relations between the actors involved in the spam ecosystem. Our observations can be used by researchers to develop more effective anti-spam systems.
Keywords: botnets, cybercrime, spam, underground economy (ID#: 15-4488)
URL: http://doi.acm.org/10.1145/2590296.2590302

Andreas Mayer, Marcus Niemietz, Vladislav Mladenov, Jörg Schwenk; Guardians of the Clouds: When Identity Providers Fail; CCSW '14 Proceedings of the 6th edition of the ACM Workshop on Cloud Computing Security, November 2014, Pages 105-116. Doi: 10.1145/2664168.2664171 Many cloud-based services offer interfaces to Single Sign-On (SSO) systems. This helps companies and Internet users to keep control over their data: By using an Identity Provider (IdP), they are able to enforce various access control strategies (e.g., RBAC) on data processed in the cloud. On the other hand, IdPs provide a valuable single point of attack: If the IdP can be compromised, all cloud services are affected, including well-protected applications such as Google Apps and Salesforce. This increases the impact of the attack by several orders of magnitude. In this paper, we analyze the security of six real-world SAML-based IdPs (OneLogin, Okta, WSO2 Stratos, Cloudseal, SSOCircle, and Bitium) which are used to protect cloud services. We present a novel attack technique (ACS Spoofing), which allows the adversary to successfully impersonate the victim in four of these SSO systems. To complete our survey on IdP security, we additionally evaluated the security of these six IdPs against well-known web attacks, and we were successful against four of them. In summary, we were able to break all six SSO systems. We present an online penetration test tool, ACSScanner, which is able to detect ACS Spoofing vulnerabilities on arbitrary IdPs. Additionally, we discuss several countermeasures for each attack type, ranging from simple whitelisting to the signing of authentication requests, and from anti-CSRF tokens and HTTP-Only cookies to cookie-TLS-bindings. We have implemented a combination of two advanced countermeasures.
Keywords: holder-of-key, identity theft, saml, sso, web security (ID#: 15-4489)
URL: http://doi.acm.org/10.1145/2664168.2664171

Matthew F. Der, Lawrence K. Saul, Stefan Savage, Geoffrey M. Voelker; Knock It Off: Profiling The Online Storefronts Of Counterfeit Merchandise; KDD '14 Proceedings of the 20th ACM SIGKDD International Conference On Knowledge Discovery And Data Mining, April 2014, Pages 1759-1768. Doi: 10.1145/2623330.2623354 We describe an automated system for the large-scale monitoring of Web sites that serve as online storefronts for spam-advertised goods. Our system is developed from an extensive crawl of black-market Web sites that deal in illegal pharmaceuticals, replica luxury goods, and counterfeit software. The operational goal of the system is to identify the affiliate programs of online merchants behind these Web sites; the system itself is part of a larger effort to improve the tracking and targeting of these affiliate programs. There are two main challenges in this domain. The first is that appearances can be deceiving: Web pages that render very differently are often linked to the same affiliate program of merchants. The second is the difficulty of acquiring training data: the manual labeling of Web pages, though necessary to some degree, is a laborious and time-consuming process. Our approach in this paper is to extract features that reveal when Web pages linked to the same affiliate program share a similar underlying structure. Using these features, which are mined from a small initial seed of labeled data, we are able to profile the Web sites of forty-four distinct affiliate programs that account, collectively, for hundreds of millions of dollars in illicit e-commerce. Our work also highlights several broad challenges that arise in the large-scale, empirical study of malicious activity on the Web.
Keywords: email spam, web page classification (ID#: 15-4490)
URL: http://doi.acm.org/10.1145/2623330.2623354

Warren He, Devdatta Akhawe, Sumeet Jain, Elaine Shi, Dawn Song; ShadowCrypt: Encrypted Web Applications for Everyone; CCS '14 Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security, November 2014, Pages 1028-1039. Doi: 10.1145/2660267.2660326 A number of recent research and industry proposals discussed using encrypted data in web applications. We first present a systematization of the design space of web applications and highlight the advantages and limitations of current proposals. Next, we present ShadowCrypt, a previously unexplored design point that enables encrypted input/output without trusting any part of the web applications. ShadowCrypt allows users to transparently switch to encrypted input/output for text-based web applications. ShadowCrypt runs as a browser extension, replacing input elements in a page with secure, isolated shadow inputs and encrypted text with secure, isolated cleartext. ShadowCrypt's key innovation is the use of Shadow DOM, an upcoming primitive that allows low-overhead isolation of DOM trees. Evaluation results indicate that ShadowCrypt has low overhead and is of practical use today. Finally, based on our experience with ShadowCrypt, we present a study of 17 popular web applications, across different domains, and the functionality impact and security advantages of encrypting the data they handle.
Keywords: privacy, shadow dom, web security (ID#: 15-4491)
URL: http://doi.acm.org/10.1145/2660267.2660326

Mohit Sethi, Elena Oat, Mario Di Francesco, Tuomas Aura; Secure Bootstrapping Of Cloud-Managed Ubiquitous Displays; UbiComp '14 Proceedings of the 2014 ACM International Joint Conference on Pervasive and Ubiquitous Computing, September 2014, Pages 739-750. Doi: 10.1145/2632048.2632049 Eventually, all printed signs and bulletins will be replaced by electronic displays, which are wirelessly connected to the Internet and cloud-based services. Deploying such ubiquitous displays can be cumbersome since they need to be correctly configured and authorized to access both the Internet and the necessary services, despite the fact that they have minimal input capabilities and may be in inaccessible locations. Our goal is to enable easy and secure configuration of ubiquitous displays such as digital signage and advertisements, which are managed by cloud services and show HTML5 content. In our solution, the display shows a QR code which, when scanned by the user with a camera phone, allows automatic configuration of the wireless network along with the content to be shown. This is accomplished by a long-term trust relation configured between the cloud service and the wireless access network. We build on existing technologies and standard protocols, including RADIUS and EAP, without requiring new software to be installed on the phone or changes to the network infrastructure.
Keywords: EAP, QR code, WiFi, access-point, bootstrapping, cloud, configuration, digital signage, displays, security, smart phone (ID#: 15-4492)
URL: http://doi.acm.org/10.1145/2632048.2632049

Ting-Kai Huang, Bruno Ribeiro, Harsha V. Madhyastha, Michalis Faloutsos; The Socio-Monetary Incentives Of Online Social Network Malware Campaigns; COSN '14 Proceedings of the Second ACM Conference On Online Social Networks, October 2014, Pages 259-270. Doi: 10.1145/2660460.2660478 Online social networks (OSNs) offer a rich medium of malware propagation. Unlike other forms of malware, OSN malware campaigns direct users to malicious websites that hijack their accounts, posting malicious messages on their behalf with the intent of luring their friends to the malicious website, thus triggering word-of-mouth infections that cascade through the network compromising thousands of accounts. But how are OSN users lured to click on the malicious links? In this work, we monitor 3.5 million Facebook accounts and explore the role of pure monetary, social, and combined socio-monetary psychological incentives in OSN malware campaigns. Among other findings we see that the majority of the malware campaigns rely on pure social incentives. However, we also observe that malware campaigns using socio-monetary incentives infect more accounts and last longer than campaigns with pure monetary or social incentives. The latter suggests the efficiency of an epidemic tactic surprisingly similar to the mechanism used by biological pathogens to cope with diverse gene pools.
Keywords: labor markets, monetary incentives, osn malware, social incentives (ID#: 15-4493)
URL: http://doi.acm.org/10.1145/2660460.2660478

Tiffany Hyun-Jin Kim, H. Colleen Stuart, Hsu-Chun Hsiao, Yue-Hsun Lin, Leon Zhang, Laura Dabbish, Sara Kiesler; YourPassword: Applying Feedback Loops To Improve Security Behavior Of Managing Multiple Passwords; ASIA CCS '14 Proceedings of the 9th ACM Symposium On Information, Computer And Communications Security, June 2014, Pages 513-518. Doi: 10.1145/2590296.2590345 Various mechanisms exist to secure users' passwords, yet users continue to struggle with the complexity of multiple password management. We explore the effectiveness of a feedback loop to improve users' password management. We introduce YourPassword, a web-based application that uses feedback to inform users about the security of their password behavior. YourPassword has two main components: a password behavior checker that converts password strengths into numerical scores and a dashboard interface that visualizes users' overall password behavior and provides visual feedback in real time. YourPassword not only provides a total score on all passwords, but also visualizes when passwords are too similar to each other. To test the efficacy of YourPassword, we conducted a between-subjects experiment and think-aloud test with 48 participants. Participants either had access to YourPassword, an existing commercial password checker, or no password tool (control condition). YourPassword helped participants improve their password behavior as compared with the commercial tool or no tool.
Keywords: authentication, feedback loops, password management (ID#: 15-4494)
URL: http://doi.acm.org/10.1145/2590296.2590345

Sruti Bhagavatula, Christopher Dunn, Chris Kanich, Minaxi Gupta, Brian Ziebart; Leveraging Machine Learning to Improve Unwanted Resource Filtering; AISec '14 Proceedings of the 2014 Workshop on Artificial Intelligence and Security Workshop, November 2014, Pages 95-102. Doi: 10.1145/2666652.2666662 Advertisements simultaneously provide both economic support for most free web content and one of the largest annoyances to end users. Furthermore, the modern advertisement ecosystem is rife with tracking methods which violate user privacy. A natural reaction is for users to install ad blockers which prevent advertisers from tracking users or displaying ads. Traditional ad blocking software relies upon hand-crafted filter expressions to generate large, unwieldy regular expressions matched against resources being included within web pages. This process requires a large amount of human overhead and is susceptible to inferior filter generation. We propose an alternate approach which leverages machine learning to bootstrap a superior classifier for ad blocking with less human intervention. We show that our classifier can simultaneously maintain an accuracy similar to the hand-crafted filters while also blocking new ads which would otherwise necessitate further human intervention in the form of additional handmade filter rules.
Keywords: machine learning, web privacy, web security (ID#: 15-4495)
URL: http://doi.acm.org/10.1145/2666652.2666662

Abdullah Almaatouq, Ahmad Alabdulkareem, Mariam Nouh, Erez Shmueli, Mansour Alsaleh, Vivek K. Singh, Abdulrahman Alarifi, Anas Alfaris, Alex (Sandy) Pentland; Twitter: Who Gets Caught? Observed Trends in Social Micro-Blogging Spam; WebSci '14 Proceedings of the 2014 ACM Conference On Web Science, June 2014, Pages 33-41. Doi: 10.1145/2615569.2615688 Spam in Online Social Networks (OSNs) is a systemic problem that imposes a threat to these services in terms of undermining their value to advertisers and potential investors, as well as negatively affecting users' engagement. In this work, we present a unique analysis of spam accounts in OSNs viewed through the lens of their behavioral characteristics (i.e., profile properties and social interactions). Our analysis includes over 100 million tweets collected over the course of one month, generated by approximately 30 million distinct user accounts, of which over 7% are suspended or removed due to abusive behaviors and other violations. We show that there exist two behaviorally distinct categories of Twitter spammers and that they employ different spamming strategies. The users in these two categories demonstrate different individual properties as well as social interaction patterns. As the Twitter spammers continuously keep creating newer accounts upon being caught, a behavioral understanding of their spamming behavior will be vital in the design of future social media defense mechanisms.
Keywords: account abuse, microblogging, online social networks, spam (ID#: 15-4496)
URL: http://doi.acm.org/10.1145/2615569.2615688

Ben Stock, Martin Johns; Protecting Users Against XSS-Based Password Manager Abuse; ASIA CCS '14 Proceedings of the 9th ACM Symposium On Information, Computer And Communications Security, June 2014, Pages 183-194. Doi: 10.1145/2590296.2590336 To ease the burden of repeated password authentication on multiple sites, modern Web browsers provide password managers, which offer to automatically complete password fields on Web pages, after the password has been stored once. Unfortunately, these managers operate by simply inserting the clear-text password into the document's DOM, where it is accessible by JavaScript. Thus, a successful Cross-site Scripting attack can be leveraged by the attacker to read and leak password data which has been provided by the password manager. In this paper, we assess this potential threat through a thorough survey of the current password manager generation and observable characteristics of password fields in popular Web sites. Furthermore, we propose an alternative password manager design, which robustly prevents the identified attacks, while maintaining compatibility with the established functionality of the existing approaches.
Keywords: XSS, countermeasure, cross-site scripting, password managers, passwords, web security (ID#: 15-4497)
URL: http://doi.acm.org/10.1145/2590296.2590336

Marian Harbach, Markus Hettig, Susanne Weber, Matthew Smith; Using Personal Examples To Improve Risk Communication For Security & Privacy Decisions; CHI '14 Proceedings of the SIGCHI Conference on Human Factors in Computing Systems, April 2014, Pages 2647-2656. Doi: 10.1145/2556288.2556978 IT security systems often attempt to support users in taking a decision by communicating associated risks. However, a lack of efficacy as well as problems with habituation in such systems are well known issues. In this paper, we propose to leverage the rich set of personal data available on smartphones to communicate risks using personalized examples. Examples of private information that may be at risk can draw the users' attention to relevant information for a decision and also improve their response. We present two experiments that validate this approach in the context of Android app permissions. Private information that becomes accessible given certain permissions is displayed when a user wants to install an app, demonstrating the consequences this installation might have. We find that participants made more privacy-conscious choices when deciding which apps to install. Additionally, our results show that our approach causes a negative affect in participants, which makes them pay more attention.
Keywords: android, consequences, examples, permissions, personalization, privacy, risks, usable security (ID#: 15-4498)
URL: http://doi.acm.org/10.1145/2556288.2556978

Michael Maass, William L. Scherlis, Jonathan Aldrich; In-Nimbo Sandboxing; HotSoS '14 Proceedings of the 2014 Symposium and Bootcamp on the Science of Security, April 2014, Article No. 1.  Doi: 10.1145/2600176.2600177  Sandboxes impose a security policy, isolating applications and their components from the rest of a system. While many sandboxing techniques exist, state of the art sandboxes generally perform their functions within the system that is being defended. As a result, when the sandbox fails or is bypassed, the security of the surrounding system can no longer be assured. We experiment with the idea of in-nimbo sandboxing, encapsulating untrusted computations away from the system we are trying to protect. The idea is to delegate computations that may be vulnerable or malicious to virtual machine instances in a cloud computing environment.  This may not reduce the possibility of an in-situ sandbox compromise, but it could significantly reduce the consequences should that possibility be realized. To achieve this advantage, there are additional requirements, including: (1) A regulated channel between the local and cloud environments that supports interaction with the encapsulated application, (2) Performance design that acceptably minimizes latencies in excess of the in-situ baseline.  To test the feasibility of the idea, we built an in-nimbo sandbox for Adobe Reader, an application that historically has been subject to significant attacks. We undertook a prototype deployment with PDF users in a large aerospace firm. In addition to thwarting several examples of existing PDF-based malware, we found that the added increment of latency, perhaps surprisingly, does not overly impair the user experience with respect to performance or usability.
Keywords: (not provided) (ID#: 15-4499)
URL: http://doi.acm.org/10.1145/2600176.2600177

 

Julian Horsch, Konstantin Böttinger, Michael Weiß, Sascha Wessel, Frederic Stumpf; TrustID: Trustworthy Identities For Untrusted Mobile Devices; CODASPY '14 Proceedings of the 4th ACM Conference On Data And Application Security And Privacy; March 2014, Pages 281-288. Doi: 10.1145/2557547.2557593 Identity theft has deep impacts in today's mobile ubiquitous environments. At the same time, digital identities are usually still protected by simple passwords or other insufficient security mechanisms. In this paper, we present the TrustID architecture and protocols to improve this situation. Our architecture utilizes a Secure Element (SE) to store multiple context-specific identities securely in a mobile device, e.g., a smartphone. We introduce protocols for securely deriving identities from a strong root identity into the SE inside the smartphone as well as for using the newly derived IDs. Neither protocol requires a trustworthy smartphone operating system or a Trusted Execution Environment. In order to achieve this, our concept includes a secure combined PIN entry mechanism for user authentication, which prevents attacks even on a malicious device. To show the feasibility of our approach, we implemented a prototype running on a Samsung Galaxy SIII smartphone utilizing a microSD card SE. The German identity card nPA is used as root identity to derive context-specific identities.
Keywords: android, combined pin entry, identity derivation, identity provider, mobile security, npa, secure element, smartphone (ID#: 15-4500)
URL: http://doi.acm.org/10.1145/2557547.2557593

 

Jelena Isacenkova, Davide Balzarotti; Shades of Gray: A Closer Look at Emails in the Gray Area; ASIA CCS '14 Proceedings of the 9th ACM Symposium on Information, Computer and Communications Security, June 2014, Pages 377-388. Doi: 10.1145/2590296.2590344 Every day, millions of users spend a considerable amount of time browsing through the messages in their spam folders. With newsletters and automated notifications responsible for 42% of the messages in users' inboxes, inevitably some important emails get misclassified as spam. Unfortunately, users are often unable to take security-related decisions, and tools provide no assistance to easily distinguish harmless commercial messages from the ones that are most certainly malevolent. Most of the previous studies focused on the detection of spam. Instead, in this paper we look into the often overlooked area of gray emails, i.e., those messages that cannot be clearly categorized one way or the other by automated spam filters. In particular, we analyze real-world emails by grouping them into clusters of bulk email campaigns. Our approach is able to automatically classify and reduce by half the gray emails area with only 0.2% false positives. Moreover, we identify a number of campaign features that can be used to predict the campaign category and we discuss their effectiveness and their limitations. Our experiments show that a large fraction of emails in the gray area are composed of legitimate bulk emails: newsletters, notifications, and marketing offers. The latter appears to be a large e-marketing business industry that has grown into a complex infrastructure for sending legitimate bulk emails. To the best of our knowledge, this is the first real-world empirical study of such emails.
Keywords: email campaigns, newsletters, spam (ID#: 15-4501)
URL: http://doi.acm.org/10.1145/2590296.2590344

 

Eva Zangerle, Günther Specht; "Sorry, I Was Hacked": A Classification of Compromised Twitter Accounts; SAC '14 Proceedings of the 29th Annual ACM Symposium on Applied Computing, March 2014, Pages 587-593. Doi: 10.1145/2554850.2554894 Online social networks like Facebook or Twitter have become powerful information diffusion platforms as they have attracted hundreds of millions of users. The possibility of reaching millions of users within these networks not only attracted standard users, but also cyber-criminals who abuse the networks by spreading spam. This is accomplished either by creating fake accounts, bots or cyborgs, or by hacking and compromising accounts. Compromised accounts are subsequently used to spread spam in the name of their legitimate owner. This work sets out to investigate how Twitter users react to having their account hacked and how they deal with compromised accounts. We crawled a data set of tweets in which users state that their account was hacked and subsequently performed a supervised classification of these tweets based on the reaction and behavior of the respective user. We find that 27.30% of the analyzed Twitter users change to a new account once their account has been hacked. 50.91% of all users either state that they were hacked or apologize for any unsolicited tweets or direct messages.
Keywords: abuse, account compromising, machine learning, microblogging, social media, spam, twitter (ID#: 15-4502)
URL: http://doi.acm.org/10.1145/2554850.2554894

 

Ala' Eshmawi, Suku Nair; Semi-Synthetic Data for Enhanced SMS Spam Detection: [Using Synthetic Minority Oversampling TEchnique SMOTE];  MEDES '14 Proceedings of the 6th International Conference on Management of Emergent Digital EcoSystems, September 2014, Pages 206-212. Doi: 10.1145/2668260.2668307 In this paper, we study the effect of using Synthetic Minority Oversampling TEchnique on the detection of SMS spam. The study shows an improved spam detection performance of the classifiers trained on semi-synthetic datasets compared to the performance of the same classifiers trained on the original dataset.
Keywords: Classification, SMS Spam, Synthetic Minority Oversampling Technique (ID#: 15-4503)
URL: http://doi.acm.org/10.1145/2668260.2668307
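The oversampling technique named in the Eshmawi and Nair entry above, shown as an added worked example that is not the authors' code: a from-scratch SMOTE (Chawla et al., 2002) that balances a small, constructed SMS dataset in which spam is the minority class. The five-column feature layout and the ham/spam vectors are assumptions made for this illustration; the paper's own features and corpus are not reproduced here. The point a practitioner should take away is that SMOTE does not duplicate minority rows: each synthetic row lies on the segment between a real minority row and one of its k nearest minority neighbours, so a constant minority feature (here the URL flag) stays constant and no synthetic value leaves the minority class's observed range.

```python
"""Minimal SMOTE on constructed SMS feature vectors.

Added illustration for the SMS spam / SMOTE entry above; not the paper's code.
Feature layout and all vectors are constructed for this example.
"""
import math
import random
from typing import Dict, List, Sequence, Tuple

Vector = List[float]

# Constructed feature vectors (assumption: the authors' features are unknown):
#   [message length, digit count, contains URL (0/1), uppercase word count, currency symbol count]
HAM: List[Vector] = [
    [34, 0, 0, 0, 0], [52, 2, 0, 1, 0], [18, 0, 0, 0, 0], [77, 0, 0, 0, 0],
    [41, 1, 0, 0, 0], [63, 0, 0, 1, 0], [29, 0, 0, 0, 0], [88, 3, 0, 0, 0],
    [45, 0, 0, 0, 0], [57, 0, 0, 2, 0], [22, 0, 0, 0, 0], [70, 1, 0, 0, 0],
]
SPAM: List[Vector] = [  # the minority class: 3 rows against 12 ham rows
    [140, 11, 1, 4, 1], [120, 8, 1, 3, 1], [155, 14, 1, 6, 2],
]


def euclidean(a: Sequence[float], b: Sequence[float]) -> float:
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def k_nearest(idx: int, points: Sequence[Vector], k: int) -> List[int]:
    """Indices of the k points closest to points[idx], excluding idx itself."""
    others = [(euclidean(points[idx], p), j) for j, p in enumerate(points) if j != idx]
    others.sort()
    return [j for _, j in others[:k]]


def smote(minority: Sequence[Vector], n_per_sample: int, k: int,
          rng: random.Random) -> List[Vector]:
    """Generate n_per_sample synthetic rows per minority row.

    Each synthetic row is x + gap * (nn - x) for a random neighbour nn of x
    and gap drawn uniformly from [0, 1), i.e. a point on the segment x -> nn.
    """
    if len(minority) < 2:
        raise ValueError("SMOTE needs at least two minority rows to interpolate between")
    k = min(k, len(minority) - 1)  # cannot ask for more neighbours than exist
    synthetic: List[Vector] = []
    for i, x in enumerate(minority):
        neighbours = k_nearest(i, minority, k)
        for _ in range(n_per_sample):
            nn = minority[rng.choice(neighbours)]
            gap = rng.random()
            synthetic.append([xi + gap * (ni - xi) for xi, ni in zip(x, nn)])
    return synthetic


def balance_with_smote(X: Sequence[Vector], y: Sequence[int], minority_label: int,
                       k: int = 5, seed: int = 0) -> Tuple[List[Vector], List[int]]:
    """Return (X, y) extended with just enough synthetic minority rows to equalise the classes."""
    rng = random.Random(seed)
    minority = [x for x, lab in zip(X, y) if lab == minority_label]
    deficit = (len(X) - len(minority)) - len(minority)
    if deficit <= 0:
        return list(X), list(y)
    n_per_sample = math.ceil(deficit / len(minority))
    synth = smote(minority, n_per_sample, k, rng)[:deficit]  # trim to an exact balance
    return list(X) + synth, list(y) + [minority_label] * len(synth)


def class_counts(y: Sequence[int]) -> Dict[int, int]:
    return {lab: list(y).count(lab) for lab in sorted(set(y))}


if __name__ == "__main__":
    X = HAM + SPAM
    y = [0] * len(HAM) + [1] * len(SPAM)
    print("before:", class_counts(y))
    X_bal, y_bal = balance_with_smote(X, y, minority_label=1)
    print("after: ", class_counts(y_bal))
    for row in X_bal[len(X):]:
        print("synthetic spam:", [round(v, 1) for v in row])
```

The deficit here is 9 rows, so three synthetic rows are generated per real spam row and the result is 12 ham against 12 spam. With real data, the usual caveat applies: oversample only the training split, never the evaluation split, or the synthetic rows will inflate the measured detection rate.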


Note:

Articles listed on these pages have been found on publicly available internet pages and are cited with links to those pages. Some of the information included herein has been reprinted with permission from the authors or data repositories. Direct any requests via Email to news@scienceofsecurity.net for removal of the links or modifications to specific citations. Please include the ID# of the specific citation in your correspondence.