Nikolaos Tsalis

Security Busters

URL blacklists are used by the majority of modern web browsers as a means to protect users from rogue web sites, i.e. those serving malware and/or hosting phishing scams. There is a plethora of URL blacklists/reputation services, out of which Googles Safe Browsing and Microsofts SmartScreen stand out as the two most commonly used ones. Frequently, such lists are the only safeguard web browsers implement against such threats. In this paper, we examine the level of protection that is offered by popular web browsers on iOS, Android and desktop (Windows) platforms, against a large set of phishing and malicious URL. The results reveal that most browsers - especially those for mobile devices - offer limited protection against such threats. As a result, we propose and evaluate a countermeasure, which can be used to significantly improve the level of protection offered to the users, regardless of the web browser or platform they are using.

Mobile devices: A phisher's paradise

Mobile devices - especially smartphones - have gained widespread adoption in recent years, due to the plethora of features they offer. The use of such devices for web browsing and accessing email services is also getting continuously more popular. The same holds true with other more sensitive online activities, such as online shopping, contactless payments, and web banking. However, the security mechanisms that are available on smartphones and protect their users from threats on the web are not yet mature, as well as their effectiveness is still questionable. As a result, smartphone users face increased risks when performing sensitive online activities with their devices, compared to desktop/laptop users. In this paper, we present an evaluation of the phishing protection mechanisms that are available with the popular web browsers of Android and iOS. Then, we compare the protection they offer against their desktop counterparts, revealing and analyzing the significant gap between the two.

In Cloud We Trust: Risk-Assessment-as-a-Service

Cloud computing is an emerging paradigm that allows adoption of on-demand services in a cost-effective way. Migrating services to the Cloud also means been exposed to new threats and vulnerabilities, thus, resulting in a modified assessment of risk. Assessing risk in the Cloud remains an open research issue, as it requires a given level of trust of the Cloud service provider for providing assessment data and implementing controls. This paper surveys existing knowledge, regarding risk assessment for the Cloud, and highlights the requirements for the design of a cloud-targeted method that is offered as a service, which is also in compliance with the specific characteristics of the Cloud.

Evaluating the Manageability of Web Browsers Controls

The proliferation of smartphones has introduced new challenges in web browsing security. These devices often have limited resources and small size, which may limit the security ‘arsenal’ of their user. This, however, does not seem to deter smartphone users from accessing the Web via their devices. On the same time, the popularity of browser-based exploits among attackers is also on the rise, especially in the form of Blackhole exploit kit, i.e. frameworks that attack browsers using 0-day exploits (e.g., in Java, Flash). In this context, the paper contributes by comparing the availability and manageability of security controls that are offered by popular smartphone and desktop browsers. It also provides insights about their preconfigured protection against web threats.

Return on Security Investment for Cloud Platforms

Cloud migration is a complex decision because of the multiple parameters that contribute for or against it (e.g. available budget, costs, performance, etc.). One of these parameters is information security and the investment required in order to ensure it. A potential client needs to evaluate various deployment options and Cloud Service Providers (CSP). This paper proposes a set of metrics focused on the assessment of security controls of a cloud deployment, in terms of cost and mitigation. Such an approach can support the client to decide whether she selects to deploy part of her services, data or infrastructure to a CSP, or not.

Browser Blacklists: The Utopia of Phishing Protection

Mobile devices - especially smartphones - have gained widespread adoption in recent years, due to the plethora of features they offer. The use of such devices for web browsing, accessing email services and social networking is also getting continuously more popular. The same holds true for other more sensitive online activities, such as online shopping, contactless payments, and web banking. However, the security mechanisms available on smartphones are not yet mature, while their effectiveness is still questionable. As a result, smartphone users face increased risks when performing sensitive online activities with their devices, compared to desktop/laptop users. In this paper, we present an evaluation of the phishing protection mechanisms that are available with the popular web browsers of the Android and iOS platform. Following, we compare the protection they offer against their desktop counterparts, revealing and analyzing the significant gap between the two. Finally, we provide a comparison between the Safe Browsing API implementation in Google Chrome and the Safe Browsing Lookup API, revealing significant inconsistencies between the two mechanisms.

An Intensive Analysis of Security and Privacy Browser Add-Ons

Browsers enable the user to surf over the Internet and access web sites that may include social media, email service, etc. However, such an activity incorporates various web threats (e.g. tracking, malicious content, etc.) that may imperil the user’s data and any sensitive information involved. Therefore, web browsers offer pre-installed security controls to protect users from these threats. Third-party browser software (i.e. add-ons) is also available that enhances these pre-installed security controls, or substitutes them. In this paper, we examine the available security controls that exist in modern browsers to reveal any gaps in the offered security protection. We also study the available security and privacy add-ons and observe whether the above mentioned gaps (i.e. when a security control is unavailable) are covered or need to be revisited.