Skip navigation

Category Archives: WEIS 2011

WEIS 2011 :: Session 2 :: Identity :: Negative Information Looms Longer Than Positive Information

Laura Brandimarte
Alessandro Acquisti
Joachin Vosgerau

Twitter transcript

#weis2011 How does information related to past events and retrieved today get discounted? Why does neg valence receive more weight?

#weis2011 how do we improve trustworthyness?

#weis2011 "designers of modern tech do not understand human fallibility and design systems w/o taking them into account" < true #weis2011 the reason why bad sticks better than good is that they way it gets discounted may be different. #weis2011 experiments were survey based & randomized. all were students < not sure that's random enough or broad enough selection #weis2011 (me) I hope they make the slides avail. ton of good info I just can't capture (and I don't have an e-copy) #weis2011 "good" information only matters if it's _recent_. "bad" information is not discounted at all. it "sticks" < huge e-implications

WEIS 2011 :: Session 2 :: Identity :: Economic Tussles in Federated Identity Management

Susan Landau
Tyler Moore

Presentation [PDF]

Tyler presented really well and it’s a great data set and problem to investigate. He & Susan shed a ton of light on an area most folks never think about. Well done.

Twitter transcript

#weis2011 this looks to be a "must read" resource for anyone embarking on a federated identity management (FIM) system.

#weis2011 Tussle #1: Who gets to collect transactional data? FIMs generate a TON of data. Diff FIMs benefit svc prvdrs, others id prvdrs

#weis2011 Facebook is a HUGE FIM, both id provider & service provider < and u thought it was just for congresscritters to show private parts #weis2011 FIM platforms that share social graph data attract more service providers < so much for privacy #weis2011 Tussle #2: who sets rules for authentication in FIMs? Time to market is primary concern. Users want "easy" < security loses #weis2011 Tussle #3: What happens when things go wrong? svc unavail == no login; unauth users can be incorrectly authenticated; lots of finger pointing

WEIS 2011 :: Session 2 :: Identity :: Social Networks, Personalized Advertising & Privacy Controls

Catherine Tucker

Presentation [PDF]

Catherine’s talk was really good. She handled questions well and is a very dynamic speaker. I’m looking forward to the paper.

Twitter transcript

#weis2011 Premise of the study was to see what impact privacy controls enablement/usage have on advertising. It's an empirical study #data!

#weis2011 click through rates DOUBLED for personalized ads after the fb privacy controls policy change

#weis2011 it's been a "slightly augment the slides with humor" for the remaining slides. Good data. View the slides & paper (when avail)

WEIS 2011 :: Session 2 :: Identity :: The Inconvenient Truth About Web Certificates

Nevena Vratonjic
Julien Freudiger
Vincent Bindschaedler
Jeane-Pierre Hubaux

Presentation [PDF]

Twitter transcript

#weis2011 Overview of basic ssl/tls/https concepts. Asking: how prevalent is https, what are problems with https?

#weis2011 Out of their large sample, only 1/3 (34.7%) have support for https, login is worse! only 22.6% < #data!

#weis2011 (me) just like Microsoft for patches/vulns, everyone uses Bank of America for https & identity examples. #sigh

#weis2011 More Certificates 101, but a good venn diagram explaining what authentication success looks like w/%ages. rly good visualization.

#weis2011 domain mismatch accounts for over 80% of certificate authentication failures. why? improper reuse. it has a simple solution (SNI)

#weis2011 the team did a very thorough analysis that puts data behind what most folks have probably assumed. #dataisspiffy

#weis2011 We've created a real mess for users with certs. EV certs help, but are expensive and not pervasive (***6%***!)

#weis2011 economics don't back good cert issuance practices; 0 liability on issuers; too many subcontractors; we trained users to click "OK"

#weis2011 great slide on CA success rates (hint: godaddy is #1) #sadtrombone

#weis2011 sample: 1 million web sites; less than 6% do SSL/TLS right. cheap certs == cheap "security"; policies need to change incentives

#weis2011 URL for the data is in the last slide. first question is challenging the approach for the analysis and went on for a while

WEIS 2011 :: Session 1 :: Attacks :: The Underground Economy of Fake Antivirus Software

Brett Stone-Gross
Ryan Abman
Richard A. Kemmerer
Christopher Kruegel
Douglas G Steigerwald

Presentation [PDF]

Twitter transcript

#weis2011 presenting analysis of *actual* data from 21 servers from 3 multi-million $ fake a/v ops!!! < #spiffy #weis2011 showing example of fake a/v exploit that was embedded in HTML. good walkthrough. useful slides for an orgs tech ed/brown bag sessn #weis2011 good/succinct survey of techniques blackhat seo, annoying popups, preying on user naivete. #weis2011 great graphic on the flow of the money trail in fake a/v. Brett & his colleagues paid attention to detail. #weis2011 talking about affiliate programs (think amazon associates but for bad guys) & webmoney (evil bitcoins). #weis2011 189K sales; $11mil in 3mos!! 8.4m installs. conversion rate 2.4% (wow). if it had not been stopped, fy net $ wld be 45mil! #weis2011 comparing campaigns & operations. the choice in malicious hosting provider is key. downtime reduces profits. #timeforMalCloud? #weis2011 fake a/v providers actually give refunds to help avoid bank fraud detection. Refund rates between 3-9%. #weis2011 now showing their economic statistical models (and plugging real data into them) and the back-end infrastructure that runs the biz #weis2011 (me) the bad guys have better metrics, better partnerships & rely on naivete of users. the good guys don't share anything w/anyone #weis2011 the threshold for payment processors to terminate a bad account is when bad transactions (chargbacks) hit 10%. virt no incentive

WEIS 2011 :: Session 1 :: Attacks :: Sex, Lies & Cyber-crime Survey

Presentation [PDF]

WEIS 2011 :: Session 1 :: Attacks :: Where Do All The Attacks Go?

Dinei Florncio
Cormac Herley

Presentation [PDF]

Twitter transcript

#weis2011 New threat model (that may scale). Rather than use individual users & attackers, use population of users, pop of attackers

#weis2011 assumption/proposition: attacker attacks when Expected{gain} > Expected{loss}

#weis2011 (me) more good math on the slides. using the populations, they made a probability model to predict detection/succumb/gain & cost

#weis2011 model has a core of "sum of efforts defense" (vs weakest link)

#weis2011 attacks are proven unprofitable if prob of success is too low or gain is too low < this may seem obv. but it's an intersting model #weis2011 (me) really good examples of practical example of model efficacy. mimics/validates 2011 DBIR results (does not mention DBIR) #weis2011 working though another example of using "dog's name" as password. (me) this could be a *rly* handy tool for threat modeling #weis2011 Security does not mean avoiding harm, and avoiding harm is less expensive than being secure. #weis2011 "Thinking like an attacker" does not end when an attack is found. Ask how you can use what you found to your advantage.

WEIS 2011 :: Session 1 :: Attacks :: The Impact of Immediate Disclosure on Attack Diffusion & Volume

Sam Ransbotham
Sabayasachi Mitra

Presentation [PDF]

Twitter transcript

#weis2011 Does immediate disclosure of vulns affect exploitation attempts? Looking at impact on risk/diffusion/volume

#weis2011 speaker is presenting standard attack process & security processes timelines (slides will be in the blog post)

#weis2011 the fundamental question is when from the vulnerability discovery to patch development is disclosure appropriate

#weis2011 immediate disclosure places a significant amount of pressure on defenders while aiding attackers < yep. #weis2011 penalty for MSSP, IDS/IDP/malware vendors for not doing nigh daily "software updates" is huge. a very high pressure industry. #weis2011 IDS systems produce tons of records which needs to be analyzed and understood. results may or may not be actionable. #weis2011 *Tons* of neat data on analysis of NVD data. Very data rich slides (some of them). Lots of math. #good #stuff #weis2011 immediate disclosure has significant increase in acceleration of exploit devel only slight increase in penetration #weis2011 the window may open faster, but defenders are reacting really quickly. this has effect of causing attackers to stop attacks sooner #weis2011 vendors patch vulnerabilities that have been immediately disclosed faster than "traditional" ones. #weiss answer to a q: "the data does not support immediate disclosure for all vulns. no way to extrapolate that information"