29 research outputs found

    An Accessible Web CAPTCHA Design for Visually Impaired Users

    In the realm of computing, CAPTCHAs are used to determine if a user engaging with a system is a person or a bot. The most common CAPTCHAs are visual in nature, requiring users to recognize images comprising distorted characters or objects. For people with visual impairments, audio CAPTCHAs are accessible alternatives to standard visual CAPTCHAs. Users are required to enter or say the words in an audio clip when using audio CAPTCHAs. However, this approach is time-consuming and vulnerable to machine learning algorithms, since automated speech recognition (ASR) systems could eventually understand the content of audio with the improvement of the technique. While adding background noise may deceive ASR systems temporarily, it may cause people to have difficulties deciphering the information, thus reducing usability. To address this, we designed a more secure and accessible web CAPTCHA based on the capabilities of people with visual impairments, obviating the need for sight via the use of audio and movement, while also using object detection techniques to enhance the accessibility of the CAPTCHA.

    Toward Robust Video Event Detection and Retrieval Under Adversarial Constraints

    The continuous stream of videos that are uploaded and shared on the Internet has been leveraged by computer vision researchers for a myriad of detection and retrieval tasks, including gesture detection, copy detection, face authentication, etc. However, the existing state-of-the-art event detection and retrieval techniques fail to deal with several real-world challenges (e.g., low resolution, low brightness and noise) under adversary constraints. This dissertation focuses on these challenges in realistic scenarios and demonstrates practical methods to address the problem of robustness and efficiency within video event detection and retrieval systems in five application settings (namely, CAPTCHA decoding, face liveness detection, reconstructing typed input on mobile devices, video confirmation attack, and content-based copy detection). Specifically, for CAPTCHA decoding, I propose an automated approach which can decode moving-image object recognition (MIOR) CAPTCHAs faster than humans. I showed that not only are there inherent weaknesses in current MIOR CAPTCHA designs, but that several obvious countermeasures (e.g., extending the length of the codeword) are not viable. More importantly, my work highlights the fact that the choice of underlying hard problem selected by the designers of a leading commercial solution falls into a solvable subclass of computer vision problems. For face liveness detection, I introduce a novel approach to bypass modern face authentication systems. More specifically, by leveraging a handful of pictures of the target user taken from social media, I show how to create realistic, textured, 3D facial models that undermine the security of widely used face authentication solutions. 
My framework makes use of virtual reality (VR) systems, incorporating along the way the ability to perform animations (e.g., raising an eyebrow or smiling) of the facial model, in order to trick liveness detectors into believing that the 3D model is a real human face. I demonstrate that such VR-based spoofing attacks constitute a fundamentally new class of attacks that point to serious weaknesses in camera-based authentication systems. For reconstructing typed input on mobile devices, I proposed a method that successfully transcribes the text typed on a keyboard by exploiting video of the user typing, even from significant distances and from repeated reflections. This feat allows us to reconstruct typed input from the image of a mobile phone’s screen on a user’s eyeball as reflected through a nearby mirror, extending the privacy threat to include situations where the adversary is located around a corner from the user. To assess the viability of a video confirmation attack, I explored a technique that exploits the emanations of changes in light to reveal the programs being watched. I leverage the key insight that the observable emanations of a display (e.g., a TV or monitor) during presentation of the viewing content induce a distinctive flicker pattern that can be exploited by an adversary. My proposed approach works successfully in a number of practical scenarios, including (but not limited to) observations of light effusions through the windows, on the back wall, or off the victim’s face. My empirical results show that I can successfully confirm hypotheses while capturing short recordings (typically less than 4 minutes long) of the changes in brightness from the victim’s display from a distance of 70 meters. Lastly, for content-based copy detection, I take advantage of a new temporal feature to index a reference library in a manner that is robust to the popular spatial and temporal transformations in pirated videos. 
My technique narrows the detection gap in the important area of temporal transformations applied by would-be pirates. My large-scale evaluation on real-world data shows that I can successfully detect infringing content from movies and sports clips with 90.0% precision at a 71.1% recall rate, and can achieve that accuracy at an average time expense of merely 5.3 seconds, outperforming the state of the art by an order of magnitude. Doctor of Philosoph

    The role of effort in security and privacy behaviours online

    As more and more aspects of users’ lives go online, they can interact with each other, access services and purchase goods with unprecedented convenience and speed. However, this also means that users’ devices and data become more vulnerable to attacks. As security is often added to tools and services as an after-thought, it tends to be poorly integrated into the processes and part of the effort of securing is often offloaded onto the user. Users are goal-driven and they go online to get things done; protecting their security and privacy might therefore not be a priority. The six studies described in this dissertation examine the role of effort in users’ security and privacy behaviours online. First, two security studies use authentication diaries to examine the user effort required for authentication to organisational and online banking systems respectively. Second, two further studies are laboratory evaluations of proposed mechanisms for authentication and verification. Third, two privacy studies examine the role of effort in users’ information disclosure in webforms and evaluate a possible solution that could help users manage how much they disclose. All studies illustrate the different coping strategies users develop to manage their effort. They show that demanding too much effort can affect productivity, cause frustration and undermine the security these mechanisms were meant to offer. The work stresses the importance of conducting methodologically robust user evaluations of both proposed and deployed mechanisms in order to improve user satisfaction and their security and privacy.

    A Survey of Social Network Forensics

    Social networks in any form, specifically online social networks (OSNs), are becoming a part of our everyday life in this new millennium, especially with the advanced and simple communication technologies available through easily accessible devices such as smartphones and tablets. The data generated through the use of these technologies need to be analyzed for forensic purposes when criminal and terrorist activities are involved. In order to deal with the forensic implications of social networks, current research on both digital forensics and social networks needs to be incorporated and understood. This will help digital forensics investigators to predict, detect and even prevent criminal activities in different forms. It will also help researchers to develop new models and techniques in the future. This paper provides a literature review of social network forensics methods, models, and techniques in order to provide an overview to researchers for their future work as well as to law enforcement investigators for their investigations when crimes are committed in cyberspace. It also provides awareness and defense methods for OSN users in order to protect them against social attacks.

    Improving Security and Privacy on the Web Through Browser Fingerprinting

    I have been an associate professor in computer science at the University of Lille and a member of the Spirals project-team in the CRIStAL laboratory since September 2014. I obtained my PhD in Software Engineering in Grenoble in 2013, focusing on building robust self-adaptive component-based systems, and I completed a postdoctoral stay in the Inria DiverSE project-team, in Rennes, in the area of component-based software engineering. Since 2014, my research has mostly focused on (i) multi-cloud computing and (ii) security and privacy on the web. I have successfully co-advised two doctorates, Gustavo Sousa (defended July 2018) and Antoine Vastel (defended November 2019), and currently advise 3 students. I have decided to write my Habilitation pour Diriger des Recherches (HDR) in the area of privacy and security because this will be my main line of research activities for the near future. More specifically, I present the results of the research that my students, colleagues, collaborators, and I have done in the area of browser fingerprinting. Browser fingerprinting is the process of identifying devices by accessing a collection of relatively stable attributes through Web browsers. We call the generated identifiers browser fingerprints. Fingerprints are stateless identifiers and no information is stored on the client’s device. In the first half of this manuscript, we identify and study three properties of browser fingerprinting that make it both a risk to privacy, but also of use for security. The first property, uniqueness, is the power to uniquely identify a device. We performed a large scale study on fingerprint uniqueness and, although not a perfect identifier, we show its statistical qualities allow uniquely identifying a high percentage of both desktops and mobile devices [Laperdrix 2016]. The second property, linkability, is the capacity to re-identify, or link, fingerprints over time. This is arguably the main risk to privacy and enables fingerprint tracking. 
We show, through two algorithms, that some devices are highly trackable, while other devices’ fingerprints are too similar to be tracked over time [Vastel 2018b]. The third and final property is consistency, which refers to the capacity to verify the attributes in a fingerprint. Through redundancies, correlations or dependencies, many attributes are verifiable, making them more difficult to spoof convincingly. We show that most countermeasures to browser fingerprinting are identifiable through such inconsistencies [Vastel 2018a], a useful property for security applications. In the second half of this manuscript, we look at the same properties from a different angle. We create a solution that breaks fingerprint linkability by randomly generating usable browsing platforms that are unique and consistent [Laperdrix 2015]. We also propose an automated testing framework to provide feedback to the developers of browsers and browser extensions to assist them in reducing the uniqueness of their products [Vastel 2018c]. Finally, we look at how fingerprint consistency is exploited in-the-wild to protect websites against automated Web crawlers. We show that fingerprinting is effective and fast to block crawlers, but lacks resiliency when facing a determined adversary [Vastel 2020]. Beyond the results I report in this manuscript, I draw perspectives for exploring browser fingerprinting for multi-factor authentication, with a planned large-scale deployment in the following months. I also believe there is potential in automated testing to improve privacy. And of course, we know that fingerprint tracking does not happen in a bubble, it is complementary to other techniques. 
I am therefore exploring other tracking techniques, such as our preliminary results around IP addresses [Mishra 2020] and caches [Mishra 2021], using ad blockers against their users, and a few other ideas to improve privacy and security on the Web. Browser fingerprinting is a mechanism that makes it possible to identify web browsers through their unique characteristics and configurations. We identified three properties of browser fingerprints that pose a risk to privacy but that make security uses possible. These properties are uniqueness, which makes it possible to distinguish one browser from others; fingerprint linkability, which makes it possible to track a device over time; and consistency, which makes it possible to verify a fingerprint and makes countermeasures difficult. In the first half of this manuscript, we explore the statistical qualities of browser fingerprints, as well as the possibility and effectiveness of tracking them over time, and we conclude on the imperfect but nonetheless useful statistical properties of this indicator. We also show that the countermeasures meant to protect against fingerprinting are flawed and sometimes even counterproductive. In the second part of this manuscript, we look at defenses against and uses of browser fingerprints. We propose a tool to break fingerprint linkability without introducing inconsistencies, thereby limiting tracking. We also proposed an automated testing framework to reduce the identifiability of browsers and their extensions. 
Finally, we studied how fingerprint consistency analysis is used on the Web to block bots, and we conclude that this technique is fast but still lacks resilience, and that its effectiveness against determined attackers deserves to be improved. Beyond the results presented in this manuscript, I also present perspectives for research in this particularly dynamic field, notably the use of browser fingerprints for multi-factor authentication and the use of automated testing to improve users’ privacy. Our preliminary results on the use of IP addresses for tracking, browser caches, and ad blockers also deserve further study in order to continue strengthening privacy and security on the Web.

    The People Inside

    Our collection begins with an example of computer vision that cuts through time and bureaucratic opacity to help us meet real people from the past. Buried in thousands of files in the National Archives of Australia is evidence of the exclusionary “White Australia” policies of the nineteenth and twentieth centuries, which were intended to limit and discourage immigration by non-Europeans. Tim Sherratt and Kate Bagnall decided to see what would happen if they used a form of face-detection software made ubiquitous by modern surveillance systems and applied it to a security system of a century ago. What we get is a new way to see the government documents, not as a source of statistics but, Sherratt and Bagnall argue, as powerful evidence of the people affected by racism.