Publication


Featured research published by Ildar Muslukhov.


Computer Networks | 2013

Design and analysis of a social botnet

Yazan Boshmaf; Ildar Muslukhov; Konstantin Beznosov; Matei Ripeanu

Online Social Networks (OSNs) have attracted millions of active users and have become an integral part of today's web ecosystem. Unfortunately, in the wrong hands, OSNs can be used to harvest private user data, distribute malware, control botnets, perform surveillance, spread misinformation, and even influence algorithmic trading. Usually, an adversary starts off by running an infiltration campaign using hijacked or adversary-owned OSN accounts, with an objective to connect with a large number of users in the targeted OSN. In this article, we evaluate how vulnerable OSNs are to a large-scale infiltration campaign run by socialbots: bots that control OSN accounts and mimic the actions of real users. We adopted the design of a traditional web-based botnet and built a prototype of a Socialbot Network (SbN): a group of coordinated programmable socialbots. We operated our prototype on Facebook for 8 weeks, and collected data about user behavior in response to a large-scale infiltration campaign. Our results show that (1) by exploiting known social behaviors of users, OSNs such as Facebook can be infiltrated with a success rate of up to 80%, (2) subject to user profile privacy settings, a successful infiltration can result in privacy breaches where even more private user data are exposed, (3) given the economics of today's underground markets, running a large-scale infiltration campaign might be profitable but is still not particularly attractive as a sustainable and independent business, (4) the security of socially-aware systems that use or integrate OSN platforms can be at risk, given the infiltration capability of an adversary in OSNs, and (5) defending against malicious socialbots raises a set of challenges that relate to web automation, online-offline identity binding, and usable security.


ACM Transactions on Internet Technology | 2013

Investigating Users’ Perspectives of Web Single Sign-On: Conceptual Gaps and Acceptance Model

San-Tsai Sun; Eric Pospisil; Ildar Muslukhov; Nuray Dindar; Kirstie Hawkey; Konstantin Beznosov

OpenID and OAuth are open and simple Web SSO protocols that have been adopted by major service providers, and millions of supporting Web sites. However, the average user’s perception of Web SSO is still poorly understood. Through several user studies, this work investigates users’ perceptions and concerns when using Web SSO for authentication. We found that our participants had several misconceptions and concerns that impeded their adoption. This ranged from their inadequate mental models of Web SSO, to their concerns about personal data exposure, and a reduction in perceived Web SSO value due to the employment of password management practices. Informed by our findings, we offer a Web SSO technology acceptance model, and suggest design improvements.


human factors in computing systems | 2011

OpenID-enabled browser: towards usable and secure web single sign-on

San-Tsai Sun; Eric Pospisil; Ildar Muslukhov; Nuray Dindar; Kirstie Hawkey; Konstantin Beznosov

OpenID is an open and promising Web single sign-on solution; however, the interaction flows provided by OpenID are inconsistent, counter-intuitive, and vulnerable to phishing attacks. In this work, we investigated the challenges web users face when using OpenID for authentication, and designed a phishing-resistant, privacy-preserving browser add-on to provide a consistent and intuitive single sign-on user experience for the average web users.


Pervasive and Mobile Computing | 2016

Android users in the wild: Their authentication and usage behavior

Ahmed Mahfouz; Ildar Muslukhov; Konstantin Beznosov

In this paper, we performed a longitudinal field study with 41 participants, who installed our monitoring framework on their Android smartphones and ran it for at least 20 days. We examined how unlocking mechanisms perform in the wild in terms of time it takes to authenticate and error-rate, and how the users’ choices of the unlocking mechanisms are linked to the different patterns of smartphone usage. Based on our findings, we offer insights into improving Android unlocking mechanisms and related user experience.


symposium on usable privacy and security | 2016

Advancing the Understanding of Android Unlocking and Usage.

Lina Qiu; Ildar Muslukhov; Konstantin Beznosov

1. PROBLEM MOTIVATION

Given the fact that personal mobile devices provide access to and/or store a great deal of personal and sensitive data, including passwords, contacts, files, emails, etc., it is not surprising that unauthorized access to the device is one of the highest security risks for smartphone users. To protect such data and services from unauthorized access, some smartphone users lock their phones using PIN, password, biometrics and DAP (“draw a pattern”). Yet, others don’t, risking the data and online services accessible through their devices, mainly because of the inconvenience of unlocking, lack of motivation and awareness. One way to improve user behaviour is to offer them more usable unlocking mechanisms, without sacrificing the security. It remains an open problem, however, how to optimize both security and usability for smartphone unlocking mechanisms. Thus, it is important for researchers to understand the interplay between security and usability of unlocking mechanisms in situ. To this end, we are preparing a longitudinal field study, in the course of which our monitoring app installed on the participants’ Android smartphones will collect detailed relevant data.


computer and communications security | 2018

Source Attribution of Cryptographic API Misuse in Android Applications

Ildar Muslukhov; Yazan Boshmaf; Konstantin Beznosov

Recent research suggests that 88% of Android applications that use Java cryptographic APIs make at least one mistake, which results in an insecure implementation. It is unclear, however, if these mistakes originate from code written by application or third-party library developers. Understanding the responsible party for a misuse case is important for vulnerability disclosure. In this paper, we bridge this knowledge gap and introduce source attribution to the analysis of cryptographic API misuse. We developed BinSight, a static program analyzer that supports source attribution, and we analyzed 132K Android applications collected in years 2012, 2015, and 2016. Our results suggest that third-party libraries are the main source of cryptographic API misuse. In particular, 90% of the violating applications, which contain at least one call-site to Java cryptographic API, originate from libraries. When compared to 2012, we found the use of ECB mode for symmetric ciphers has significantly decreased in 2016, for both application and third-party library code. Unlike application code, however, third-party libraries have significantly increased their reliance on static encryption keys for symmetric ciphers and static IVs for CBC mode ciphers. Finally, we found that the insecure RC4 and DES ciphers were the second and the third most used ciphers in 2016.


human factors in computing systems | 2014

Workshop on inconspicuous interaction

Diogo Marques; Luís Carriço; Tiago João Vieira Guerreiro; Alexander De Luca; Pattie Maes; Ildar Muslukhov; Ian Oakley; Emanuel von Zezschwitz

Growing usage of interactive systems in the public space has highlighted the prevalence of conflicts between desired functionality and maintenance of privacy/social comfort. This has inspired researchers and practitioners, in communities concerned with usable security, wearable and mobile interfaces, natural user interfaces, accessibility and social interaction, to employ inconspicuous interaction styles. This workshop will bring these communities together to produce forward-looking insights that can shape the way users interact with tomorrow's computers, in interactive systems that account for the social nomadic contexts where they are bound to be used.


annual computer security applications conference | 2011

The socialbot network: when bots socialize for fame and money

Yazan Boshmaf; Ildar Muslukhov; Konstantin Beznosov; Matei Ripeanu


human factors in computing systems | 2013

Does my password go up to eleven?: the impact of password meters on password selection

Serge Egelman; Andreas Sotirakopoulos; Ildar Muslukhov; Konstantin Beznosov; Cormac Herley


symposium on usable privacy and security | 2011

What makes users refuse web single sign-on?: an empirical investigation of OpenID

San-Tsai Sun; Eric Pospisil; Ildar Muslukhov; Nuray Dindar; Kirstie Hawkey; Konstantin Beznosov

Collaboration

Top Co-Authors

Konstantin Beznosov (University of British Columbia)

Yazan Boshmaf (University of British Columbia)

San-Tsai Sun (University of British Columbia)

Eric Pospisil (University of British Columbia)

Nuray Dindar (University of British Columbia)

Andreas Sotirakopoulos (University of British Columbia)

Matei Ripeanu (University of British Columbia)