55 research outputs found

    CAPTCHaStar! A novel CAPTCHA based on interactive shape discovery

    Over the last years, most websites on which users can register (e.g., email providers and social networks) adopted CAPTCHAs (Completely Automated Public Turing test to tell Computers and Humans Apart) as a countermeasure against automated attacks. The battle of wits between designers and attackers of CAPTCHAs led to current ones being annoying and hard to solve for users, while still being vulnerable to automated attacks. In this paper, we propose CAPTCHaStar, a new image-based CAPTCHA that relies on user interaction. This novel CAPTCHA leverages the innate human ability to recognize shapes in a confused environment. We assess the effectiveness of our proposal for the two key aspects for CAPTCHAs, i.e., usability, and resiliency to automated attacks. In particular, we evaluated the usability, carrying out a thorough user study, and we tested the resiliency of our proposal against several types of automated attacks: traditional ones; designed ad-hoc for our proposal; and based on machine learning. Compared to the state of the art, our proposal is more user friendly (e.g., only some 35% of the users prefer current solutions, such as text-based CAPTCHAs) and more resilient to automated attacks. Comment: 15 page

    The role of effort in security and privacy behaviours online

    As more and more aspects of users’ lives go online, they can interact with each other, access services and purchase goods with unprecedented convenience and speed. However, this also means that users’ devices and data become more vulnerable to attacks. As security is often added to tools and services as an afterthought, it tends to be poorly integrated into the processes, and part of the effort of securing is often offloaded onto the user. Users are goal-driven and they go online to get things done; protecting their security and privacy might therefore not be a priority. The six studies described in this dissertation examine the role of effort in users’ security and privacy behaviours online. First, two security studies use authentication diaries to examine the user effort required for authentication to organisational and online banking systems respectively. Second, two further studies are laboratory evaluations of proposed mechanisms for authentication and verification. Third, two privacy studies examine the role of effort in users’ information disclosure in webforms and evaluate a possible solution that could help users manage how much they disclose. All studies illustrate the different coping strategies users develop to manage their effort. They show that demanding too much effort can affect productivity, cause frustration and undermine the security these mechanisms were meant to offer. The work stresses the importance of conducting methodologically robust user evaluations of both proposed and deployed mechanisms in order to improve user satisfaction and their security and privacy.

    Plugging in trust and privacy: three systems to improve widely used ecosystems

    The era of touch-enabled mobile devices has fundamentally changed our communication habits. Their high usability and unlimited data plans provide the means to communicate any place, any time and lead people to publish more and more (sensitive) information. Moreover, the success of mobile devices also led to the introduction of new functionality that crucially relies on sensitive data (e.g., location-based services). With today’s mobile devices, the Internet has become the prime source for information (e.g., news) and people need to rely on the correctness of information provided on the Internet. However, most of the involved systems are neither prepared to provide robust privacy guarantees for the users, nor do they provide users with the means to verify and trust in delivered content. This dissertation introduces three novel trust and privacy mechanisms that overcome the current situation by improving widely used ecosystems. With WebTrust we introduce a robust authenticity and integrity framework that provides users with the means to verify both the correctness and authorship of data transmitted via HTTP. X-pire! and X-pire 2.0 offer a digital expiration date for images in social networks to enforce post-publication privacy. AppGuard enables the enforcement of fine-grained privacy policies on third-party applications in Android to protect the users’ privacy.
    Today's touchscreen mobile devices have fundamentally changed our communication habits. Their intuitive usability, paired with unlimited Internet access, lets us communicate at any time and in any place, and leads to more and more (confidential) information being published. Furthermore, the success of mobile devices has contributed to the introduction of new services that build on confidential data (e.g., location-dependent services). With current mobile devices, the Internet has also become the most important source of information (e.g., for news), and users have to rely on the correctness of the data obtained from it. However, the systems involved offer neither robust privacy guarantees nor the possibility of verifying the correctness of the data obtained. This dissertation introduces three new mechanisms for trust and privacy that improve the current situation in widely used systems. WebTrust, a robust authenticity and integrity system, enables users to verify both the correctness and the authorship of data transmitted over HTTP. X-pire! and X-pire 2.0 provide a digital expiration date for images in social networks, so that data remains protected against third-party access even after publication. AppGuard enables the enforcement of fine-grained privacy policies for third-party applications on Android in order to ensure adequate protection of user data.

    Energy Efficiency in Public Buildings through Context-Aware Social Computing

    The challenge of promoting behavioral changes in users that leads to energy savings in public buildings has become a complex task requiring the involvement of multiple technologies. Wireless sensor networks have a great potential for the development of tools, such as serious games, that encourage acquiring good energy and healthy habits among users in the workplace. This paper presents the development of a serious game using CAFCLA, a framework that allows for integrating multiple technologies, which provide both context-awareness and social computing. Game development has shown that the data provided by sensor networks encourage users to reduce energy consumption in their workplace and that social interactions and competitiveness allow for accelerating the achievement of good results and behavioral changes that favor energy savings. European Commission (EC). Funding H2020/MSCARISE. Project Code: 64179

    Biometric Systems Interaction Assessment: The State of the Art

    The design and implementation of effective and efficient biometric systems presents a series of challenges to information technology (IT) designers to ensure robust performance. One of the most important factors across biometric systems, aside from algorithmic matching ability, is the human interaction influence on performance. Changes in biometric system paradigms have motivated further testing methods, especially within mobile environments, where the interaction with the device has fewer environmental constraints, which may severely affect system performance. Testing methods involve the need for reflecting on the influence of user-system interaction on the overall system performance in order to provide information for design and testing. This paper reflects on the state of the art of biometric systems interaction assessment, leading to a comprehensive document of the relevant research and standards in this area. Furthermore, the current challenges are discussed and thus we provide a roadmap for the future of biometrics systems interaction research.

    Portal de gestão do utilizador da Ulisboa (User management portal of ULisboa)

    Master's thesis, Informatics Engineering (Information Systems), Universidade de Lisboa, Faculdade de Ciências, 2017. The concept of identity at ULisboa (Universidade de Lisboa) follows the approach typical of IdM (Identity Management) systems, in which every individual (student, former student, teaching staff, non-teaching staff or other) is unique, and their information and record are managed as such, by means of profiling (an entity may belong to one or several profiles, the profile being the concept that distinguishes the type of access to a given system). The management of each individual's identity information originates in the processes of the Academic area, for students, and of Human Resources, for staff. For each individual there are systems, procedures, rules and specific information that determine the state of their identity and profile. The objective of this thesis was to develop a system called Portal do Utilizador (PU), which will give users easy, direct, web-based access to matters concerning their identity. This document describes the development process of the PU, which I implemented at the Informatics Department of the Central Services of the Universidade de Lisboa. The PU will be available in all ULisboa schools, for students, former students, teaching staff and non-teaching staff, and aims to centralise the various functions relating to identity creation and management at ULisboa, in direct integration with the ULisboa IdM. These functions include: creation and activation of ULisboa user accounts, creation of temporary users, editing of the user profile (changing the access password and external e-mail address, among others), account activation for access to Google and Office 365 services (for users belonging to a school that does not use the single ULisboa account as its institutional account), and access to personal data and history. The development of the PU was based on functional and technical requirements set out by the ULisboa Central Services, grounded in the responses to a user questionnaire, and relies on web application engineering technologies such as RichFaces, JSF, Java EE, Hibernate, JBoss, jQuery and Bootstrap.
    The concept of identity in ULisboa (University of Lisbon) follows a standard Identity Management (IdM) based approach. Hence, each user is unique, both at a functional level, in the processes that manage the information and their dependencies, and at a technological level, in the infrastructure that stores and manages that information. The Identity Management of each user has different sources: the student profile's origin is Academic System Management based, the employee profile is HR System based. Each individual profile is composed of several specifications – based on rules, procedures and systems – that establish the user’s identity status and profile. These two areas have systems, procedures, rules and specific managed information that result in a user identity and a profile. There is also a set of processes and systems outside the management core that depend on that information to grant access privileges and verify rules. Each ULisboa Organic Unit manages its information in a different way, with specific rules and procedures. The objective of this thesis is to develop a system called 'Portal do Utilizador' and deploy it on the Central Services of ULisboa, making it available to every Organic Unit, (ex-)student and employee. The “Portal do Utilizador” was built respecting some functional and technical requirements set by ULisboa’s Central Services. Portal do Utilizador will be responsible for managing ULisboa accounts with direct integration with the ULisboa IdM.