Jason Polakis and Sotiris Ioannidis, FORTH-ICS, Greece; Marco Lancini, Federico Maggi, and Stefano Zanero, Politecnico di Milano, Italia; Georgios Kontaxis and Angelos D. Keromytis, Columbia University, USA

Outline
Introduction
How Social Authentication Works
Advantages and Shortcomings
Attack Surface Estimation
Breaking Social Authentication
Face Recognition as a Service
Experimental Evaluation
Remediation and Limitations
Conclusions

Introduction
Facebook reports over 900 million active users as of March. In 2011, Facebook released a two-factor authentication mechanism referred to as Social Authentication (SA).

How Social Authentication Works
Friend list: a user must have at least 50 friends.
Tagged photos: the user's friends must be tagged in an adequate number of photos.
Face: SA tests must be solvable by humans within the 5 minute (circa) time window enforced by Facebook.
Triggering: the user logs in from a different geographical location, or uses a new device for the first time to access his account.

Advantages and Shortcomings
Advantages: Facebook's SA is less cumbersome than other second factors, especially because users have grown accustomed to tagging friends in photos.
Shortcomings: The number of friends can influence the applicability and the usability of SA. Friends may have been erroneously tagged, for fun or as part of a contest that required them to do so. Users can bypass the SA test by providing their date of birth.

Attack Surface Estimation
Threat model: the attacker has already compromised the user's credentials; Facebook designed SA as a protection mechanism against strangers.
We provide an empirical calculation of the probability of each phase of the attack succeeding:
P(F) = 47% of the users have their friend list public.
P(P) = 71% of them (236,752) exposed at least one public photo album.
P(B) ≃ 70%: the attacker can try to befriend the friends of his victim to gain access to their private photos, with roughly this chance of success.

Attack Surface Estimation (Cont.)

Breaking Social Authentication
Step 1: Crawling the friend list (Python's urllib HTTP library and regular expressions; MongoDB database with the GridFS filesystem for storage)
Step 2: Issuing friend requests
Step 3: Photo collection and modeling (photo collection; face extraction and tag matching with the OpenCV toolkit; facial modeling with the sklearn library)
Step 4: Name lookup

Breaking Social Authentication

Face Recognition as a Service
Face.com was recently acquired by Facebook. The service exposes an API through which developers can supply a set of photos to use as training data and then query the service with a new, unknown photo for the recognition of known individuals.
faces.detect – identify any existing faces in a photo
tags.save – label the good photos with the respective UIDs of their owners
faces.train – train the recognizer on the labeled faces
faces.recognize – recognize known individuals in a new photo

Experimental Evaluation Overall Dataset

Experimental Evaluation (Cont.)
Breaking SA: Determined Attacker – the number of pages solved correctly out of 7.

Experimental Evaluation (Cont.)
Breaking SA: Determined Attacker – the CPU time required to solve the full test.

Breaking SA: Casual Attacker
Implementation: 11 dummy accounts play the role of victims. Selenium logs these accounts in in an automated fashion. Tor is used to take advantage of the geographic dispersion of its exit nodes. face.com is used to solve the SA tests.
Results: 22% (28/127) of tests solved 5-7 of the 7 test pages. 56% (71/127) of tests solved 3-4 of the 7 test pages. 44 seconds per test on average.

Breaking SA: Casual Attacker (Cont.)
In about 25% of the photos, face.com was unable to detect a human face. In 50% of the photos, face.com was able to detect a human face but marked it as unrecognizable. In the last 25% of the photos, a face was detected but did not match any of the faces in our training set.

Ethical Considerations
We never took advantage of accepted friend requests to collect photos or other private information otherwise unavailable; we solely collected public photos.

Compromise Prevention
Users can add certain devices to a list of recognized, trusted devices. A user who fails to complete an SA challenge is redirected, upon the next successful login, to an alert page that reports the attempted login.

Slowing Down the Attacker
CAPTCHAs may create a technical obstacle to automated attacks, but they should not be considered a definitive countermeasure. The presence of suggested names in SA tests is the major disadvantage of the current implementation, as it greatly limits the search space for adversaries.
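To make the search-space point concrete, here is an added example (not code from the paper or the slides) that models an attacker's chance of passing an SA test as a function of how many candidate names each page offers. The 42% recognition rate and the 7 pages come from the slides; the 6 suggested names per page, the 5-of-7 passing threshold and the 130-friend list are assumptions chosen for illustration.

```python
from math import comb


def page_success_probability(recognized_fraction, candidates_per_page):
    """Probability of answering one SA page correctly.

    A face the attacker's model already recognizes is answered outright;
    any other face is guessed uniformly among the candidate names offered.
    """
    if not 0.0 <= recognized_fraction <= 1.0:
        raise ValueError("recognized_fraction must be in [0, 1]")
    if candidates_per_page < 1:
        raise ValueError("need at least one candidate name per page")
    return recognized_fraction + (1.0 - recognized_fraction) / candidates_per_page


def pass_probability(p_page, pages=7, required=5):
    """Probability of at least `required` correct answers over `pages`
    independent pages (binomial tail). The 5-of-7 threshold is an assumption."""
    if not 0 <= required <= pages:
        raise ValueError("required must be between 0 and pages")
    return sum(
        comb(pages, i) * p_page**i * (1.0 - p_page) ** (pages - i)
        for i in range(required, pages + 1)
    )


def compare_search_spaces(recognized_fraction=0.42, suggested=6,
                          friend_list=130, pages=7, required=5):
    """Pass probability with a handful of suggested names per page versus a
    free-text answer that must be picked from the whole friend list.

    42% recognized faces is the figure from the slides; 6 suggestions and a
    130-friend list are illustrative assumptions, not Facebook's parameters.
    """
    with_suggestions = pass_probability(
        page_success_probability(recognized_fraction, suggested), pages, required)
    full_friend_list = pass_probability(
        page_success_probability(recognized_fraction, friend_list), pages, required)
    return with_suggestions, full_friend_list


if __name__ == "__main__":
    s, f = compare_search_spaces()
    print(f"pass probability with 6 suggested names per page: {s:.3f}")
    print(f"pass probability with free-text answers over 130 friends: {f:.3f}")
```

With the same 42% face-recognition coverage, shrinking the per-page candidate set from the full friend list to six names roughly doubles the modelled pass probability, which is why removing the suggestions is a cheap mitigation.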

Conclusions
On average, we could obtain 42% of the data used to generate the second factor, thus gaining the ability to identify randomly selected photos of the victim's friends. Given that information, we managed to solve 22% of the real Facebook SA tests presented to us during our experiments, and gained a significant advantage in an additional 56% of the tests, with answers for more than half of the pages of each test.