"We explore how to manage a portfolio of passwords. We review why mandating exclusively strong passwords with no re-use gives users an impossible task as portfolio size grows. We find that
approaches justified by loss-minimization alone, and those that ignore important attack vectors (e.g., vectors exploiting re-use), are amenable to analysis but unrealistic. In contrast, we propose, model
and analyze portfolio management under a realistic attack suite, with an objective function costing both loss and user effort. Our findings directly challenge accepted wisdom and conventional advice. We
find, for example, that a portfolio strategy ruling out weak passwords or password re-use is sub-optimal. We give an optimal solution for how to group accounts for re-use, and model-based principles for
"We conduct a security analysis of five popular web-based password managers. Unlike ‘local’ password managers, web-based password managers run in the browser. We identify four key security
concerns for web-based password managers and, for each, identify representative vulnerabilities through our case studies. Our attacks are severe: in four out of the five password managers we studied, an
attacker can learn a user’s credentials for arbitrary websites. We find vulnerabilities in diverse features like one-time passwords, bookmarklets, and shared passwords. The root-causes of the
vulnerabilities are also diverse: ranging from logic and authorization mistakes to misunderstandings about the web security model, in addition to the typical vulnerabilities like CSRF and XSS. Our study
suggests that it remains a challenge for password managers to be secure. To guide future development of password managers, we provide guidance for password managers. Given the diversity of
vulnerabilities we identified, we advocate a defense-in-depth approach to ensure security of password managers."
"The FTC has brought enforcement actions addressing a wide range of privacy issues, including spam, social networking, behavioral advertising, pretexting, spyware, peer-to-peer file sharing,
and mobile. These matters include over 130 spam and spyware cases and more than 40 general privacy lawsuits."
"A cyberespionage campaign against a range of targets, mainly in the energy sector, gave attackers the ability to mount sabotage operations against their victims. The attackers, known to Symantec as Dragonfly, managed to compromise a number of strategically important organizations for spying purposes and, if they had used the sabotage capabilities open to them, could have caused damage or disruption to the energy supply in the affected countries. The Dragonfly group, which is also known by other vendors as Energetic Bear, are a capable group who are evolving over time and targeting primarily the energy sector and related industries. They have been in operation since at least 2011 but may have been active even longer than that. Dragonfly initially targeted defense and aviation companies in the US and Canada before shifting its focus to US and European energy firms in early 2013. More recent targets have included companies related to industrial control systems."
"The 2014 EMC Privacy Index surveyed 15,000 people in 15 countries to produce a ranking of nations based on consumer perceptions and attitudes about data privacy, and their willingness to trade privacy for greater convenience and benefits online."
"[…] smartphones are actually spy phones. But they don’t need to be. If we had enough open wireless networks available, we could change that. Startup companies—and open source projects—could
make devices that used the open networks without reporting your location and communications to phone companies. Devices that skip smoothly from one open wireless network to another don’t provide the kind
of granular information about your intimate activities that the current single-carrier systems do. We have two choices: let mobile privacy stay dead forever, or build an alternative open wireless
"We have built PlayDrone, a system that uses various hacking techniques to circumvent Google security to successfully crawl Google Play. […] We further show that […] Android applications
contain thousands of leaked secret authentication keys which can be used by malicious users to gain unauthorized access to server resources through Amazon Web Services and compromise user accounts on
Facebook. We worked with service providers, including Amazon, Facebook, and Google, to identify and notify customers at risk, and make the Google Play store a safer place."
"We examine the cost for an attacker to pay users to execute arbitrary code—potentially malware. We asked users at home to download and run an executable we wrote without being told what it
did and without any way of knowing it was harmless. Each week, we increased the payment amount. Our goal was to examine whether users would ignore common security advice — not to run untrusted executables
— if there was a direct incentive, and how much this incentive would need to be."
"We sought to re-examine the conclusions of the classic paper Why Johnny Can’t Encrypt, which portrayed a usability crisis in security software by documenting the inability of average users to
correctly send secure email through Pretty Good Privacy (PGP). While the paper’s authors primarily focused on user-interface concerns, we turned our attention to the terminology underlying the protocol.
We developed a new set of metaphors with the goal of representing cryptographic actions (sign, encrypt, etc.) rather than primitives (public and private keys). Our objects were chosen such that their
real-world analogs would correctly represent the security properties of PGP. Since these metaphors now corresponded to physical actions, we also introduced new forms of documentation that explored
narrative techniques for explaining secure email to non-technical users. In quiz-based testing, we found that, while our new metaphors did not dramatically outperform traditional PGP, we were able to
convey equivalent levels of understanding with far shorter documentation. Subsequent lab testing confirmed that metaphors with physical analogs and the accompanying briefer instructions greatly eased the
process of using secure email. Our results indicate that crafting new metaphors to facilitate these alternative forms of documentation is a fruitful avenue for explaining otherwise challenging security
concepts to nontechnical users."
"EMV, also known as ‘Chip and PIN’, is the leading system for card payments worldwide. […] We have discovered two serious problems: a widespread implementation flaw and a deeper, more
difficult to fix flaw with the EMV protocol itself."
"After studying other e-voting systems around the world, the team was particularly alarmed by the Estonian I-voting system. It has serious design weaknesses that are exacerbated by weak
operational management. It has been built on assumptions which are outdated and do not reflect the contemporary reality of state-level attacks and sophisticated cybercrime. These problems stem from
fundamental architectural problems that cannot be resolved with quick fixes or interim steps. While we believe e-government has many promising uses, the Estonian I-voting system carries grave risks —
elections could be stolen, disrupted, or cast into disrepute. In light of these problems, our urgent recommendation is that to maintain the integrity of the Estonian electoral process, use of the Estonian
I-voting system should be immediately discontinued."
"This report describes eight frequently-arising computer security issues in an online environment that relate to data protection, together with a summary of good practice for how to guard
against each issue. In many ICO data breach cases, the measures which could have prevented the breach or reduced the level of harm to individuals would have been simple to implement."
"Snapchat, the developer of a popular mobile messaging app, has agreed to settle Federal Trade Commission charges that it deceived consumers with promises about the disappearing nature of
messages sent through the service. The FTC case also alleged that the company deceived consumers over the amount of personal data it collected and the security measures taken to protect that data from
misuse and unauthorized disclosure. In fact, the case alleges, Snapchat’s failure to secure its Find Friends feature resulted in a security breach that enabled attackers to compile a database of 4.6
million Snapchat usernames and phone numbers."
"The SSL man-in-the-middle attack uses forged SSL certificates to intercept encrypted connections between clients and servers. However, due to a lack of reliable indicators, it is still
unclear how commonly these attacks occur in the wild. In this work, we have designed and implemented a method to detect the occurrence of SSL man-in-the-middle attack on a top global website, Facebook.
Over 3 million real-world SSL connections to this website were analyzed. Our results indicate that 0.2% of the SSL connections analyzed were tampered with forged SSL certificates, most of them related to
antivirus software and corporate-scale content filters. We have also identified some SSL connections intercepted by malware. Limitations of the method and possible defenses to such attacks are also
"Foremost among the tactics many attackers are using is ‘deceptive downloads.’ In more than 95% of the 110 countries/regions we studied, deceptive downloads were a top threat. Cybercriminals
are secretly bundling malicious items with legitimate content such as software, games or music. Taking advantage of people’s desire to get a good deal, cybercriminals are bundling malware with free
programs and free software packages that can be downloaded online. For example, a typical scenario is someone who has a file they downloaded from a website that they can’t open because they don’t appear
to have the right software installed to open it. As a result, they search online and come across a free software download that might help them open the file. The free download also comes with other
add-ons. In addition to what the person thought they were getting, the download also installs malware. The malware may be installed immediately or at a later date as it assesses the victim’s computer’s
profile. It could be months or even years before the victim notices the infection, as often these malicious items operate behind the scenes with the only visible effect being slower performance on the
system that was infected."