31 research outputs found
How Can and Would People Protect From Online Tracking?
Online tracking is complex and users find it challenging to protect themselves from it. While the academic community has extensively studied systems and users for tracking practices, the link between the data protection regulations, websites’ practices of presenting privacy-enhancing technologies (PETs), and how users learn about PETs and practice them is not clear. This paper takes a multidimensional approach to find such a link. We conduct a study to evaluate the 100 top EU websites, where we find that information about PETs is provided far beyond the cookie notice. We also find that opting-out from privacy settings is not as easy as opting-in and becomes even more difficult (if not impossible) when the user decides to opt-out of previously accepted privacy settings. In addition, we conduct an online survey with 614 participants across three countries (UK, France, Germany) to gain a broad understanding of users’ tracking protection practices. We find that users mostly learn about PETs for tracking protection via their own research or with the help of family and friends. We find a disparity between what websites offer as tracking protection and the ways individuals report to do so. Observing such a disparity sheds light on why current policies and practices are ineffective in supporting the use of PETs by users
Texture to the Rescue : Practical Paper Fingerprinting based on Texture Patterns
In this article, we propose a novel paper fingerprinting technique based on analyzing the translucent patterns revealed when a light source shines through the paper. These patterns represent the inherent texture of paper, formed by the random interleaving of wooden particles during the manufacturing process. We show that these patterns can be easily captured by a commodity camera and condensed into a compact 2,048-bit fingerprint code. Prominent works in this area (Nature 2005, IEEE S&P 2009, CCS 2011) have all focused on fingerprinting paper based on the paper "surface." We are motivated by the observation that capturing the surface alone misses important distinctive features such as the noneven thickness, random distribution of impurities, and different materials in the paper with varying opacities. Through experiments, we demonstrate that the embedded paper texture provides a more reliable source for fingerprinting than features on the surface. Based on the collected datasets, we achieve 0% false rejection and 0% false acceptance rates. We further report that our extracted fingerprints contain 807 degrees of freedom (DoF), which is much higher than the 249 DoF with iris codes (that have the same size of 2,048 bits). The high amount of DoF for texture-based fingerprints makes our method extremely scalable for recognition among very large databases; it also allows secure usage of the extracted fingerprint in privacy-preserving authentication schemes based on error correction techniques
A Practical Deep Learning-Based Acoustic Side Channel Attack on Keyboards
With recent developments in deep learning, the ubiquity of microphones and
the rise in online services via personal devices, acoustic side channel attacks
present a greater threat to keyboards than ever. This paper presents a
practical implementation of a state-of-the-art deep learning model in order to
classify laptop keystrokes, using a smartphone integrated microphone. When
trained on keystrokes recorded by a nearby phone, the classifier achieved an
accuracy of 95%, the highest accuracy seen without the use of a language model.
When trained on keystrokes recorded using the video-conferencing software Zoom,
an accuracy of 93% was achieved, a new best for the medium. Our results prove
the practicality of these side channel attacks via off-the-shelf equipment and
algorithms. We discuss a series of mitigation methods to protect users against
these series of attacks.
Comment: This paper was already accepted in 2023 IEEE European Symposium on
Security and Privacy Workshop, SiLM'23 (EuroS&PW
On secure E-voting over blockchain
This paper discusses secure methods to conduct e-voting over a blockchain in three different settings: decentralized voting, centralized remote voting and centralized polling station voting. These settings cover almost all voting scenarios that occur in practice. A proof-of-concept implementation for decentralized voting over Ethereum’s blockchain is presented. This work demonstrates the suitable use of a blockchain not just as a public bulletin board, but more importantly, as a trustworthy computing platform that enforces the correct execution of the voting protocol in a publicly verifiable manner. We also discuss scaling up a blockchain-based voting application for national elections. We show that for national-scale elections the major verifiability problems can be addressed without having to depend on any blockchain. However, a blockchain remains a viable option to realize a public bulletin board, which has the advantage of being a “preventive” measure to stop retrospective changes on previously published records as opposed to a “detective” measure like the use of mirror websites
On Secure E-Voting over Blockchain
This article discusses secure methods to conduct e-voting over a blockchain in three different settings: decentralized voting, centralized remote voting, and centralized polling station voting. These settings cover almost all voting scenarios that occur in practice. A proof-of-concept implementation for decentralized voting over Ethereum's blockchain is presented. This work demonstrates the suitable use of a blockchain not just as a public bulletin board but, more importantly, as a trustworthy computing platform that enforces the correct execution of the voting protocol in a publicly verifiable manner. We also discuss scaling up a blockchain-based voting application for national elections. We show that for national-scale elections the major verifiability problems can be addressed without having to depend on any blockchain. However, a blockchain remains a viable option to realize a public bulletin board, which has the advantage of being a "preventive" measure to stop retrospective changes on previously published records as opposed to a "detective" measure like the use of mirror websites. CCS Concepts: • Security and privacy
In private, secure, conversational FinBots we trust
In the past decade, the financial industry has experienced a technology
revolution. While we witness a rapid introduction of conversational bots for
financial services, there is a lack of understanding of conversational user
interfaces (CUI) features in this domain. The finance industry also deals with
highly sensitive information and monetary transactions, presenting a challenge
for developers and financial providers. Through a study on how to design
text-based conversational financial interfaces with N=410 participants, we
outline user requirements of trustworthy CUI design for financial bots. We
posit that, in the context of Finance, bot privacy and security assurances
outweigh conversational capability and postulate implications of these
findings. This work acts as a resource on how to design trustworthy FinBots and
demonstrates how automated financial advisors can be transformed into trusted
everyday devices, capable of supporting users' daily financial activities.
Comment: Proceedings of the CHI 2021 Workshop on Let's Talk About CUIs:
Putting Conversational User Interface Design into Practice, May 8, 2021 in
Yokohama, Japa
End-to-End Verifiable E-Voting Trial for Polling Station Voting
On 2 May 2019, during the UK local elections, an e-voting trial was conducted in Gateshead, using a touch-screen end-to-end verifiable e-voting system. This was the first trial of verifiable e-voting for polling station voting in the UK, and it presented a case study to envisage the future of e-voting
New advances in tamper evident technologies
PhD Thesis
Tampering is a thousands-years-old problem. Ancient Mesopotamian civilizations
developed mechanisms to detect tampering of their purchase
receipts on clay tablets. Today, the advances in the technology have
equipped adversaries with more modern techniques to perform attacks
on physical items (such as banknotes and passports), as well as cyber
products (software and webpages). Consequently, tampering detection
mechanisms need to be developed as new attacks emerge in both physical
and cyber domains. In this dissertation, we divide our research into two
parts, concerning tampering in physical and in cyber domains respectively.
In each part, we propose a new method for tampering detection.
In the first part, we propose a novel paper fingerprinting technique based
on analysing the translucent patterns revealed when a light source shines
through the paper. These patterns represent the inherent texture of paper,
formed by the random interleaving of wooden particles during the
manufacturing process. We show these patterns can be easily captured
by a commodity camera and condensed into a compact 2048-bit fingerprint
code. Prominent works in this area (Nature 2005, IEEE S&P 2009,
CCS 2011) have all focused on fingerprinting paper based on the paper
"surface". We are motivated by the observation that capturing the surface
alone misses important distinctive features such as the non-even thickness,
the random distribution of impurities, and different materials in the paper
with varying opacities. Through experiments, we demonstrate that the
embedded paper texture provides a more reliable source for fingerprinting
than features on the surface. Based on the collected datasets, we achieve
0% false rejection and 0% false acceptance rates. We further report that
our extracted fingerprints contain 807 degrees-of-freedom (DoF), which
is much higher than the 249 DoF with iris codes (that have the same
size of 2048 bits). The high amount of DoF for texture-based fingerprints
makes our method extremely scalable for recognition among very
large databases; it also allows secure usage of the extracted fingerprint
in privacy-preserving authentication schemes based on error correction
techniques.
In the second part, we address an important real-world problem: how
to ensure the integrity of delivering web content in the presence of
man-in-the-browser (MITB) attacks by malicious web extensions? Browser
extensions have powerful privileges to manipulate a user's view of a web
page by modifying the underlying Document Object Model (DOM). To
demonstrate the threat, we implement two attacks on real-world online
banking websites (HSBC and Barclays) and show how a malicious extension
can covertly compromise the user's bank accounts. To address this
problem, we propose a cryptographic protocol called DOMtegrity to ensure
the end-to-end integrity of a web page's DOM from delivering at a
server to the final display in a client's browser. The novelty of our solution
lies in exploiting subtle differences between browser extensions and
in-line JavaScript code in terms of their rights to access WebSocket channels,
as well as leveraging the latest Web Crypto API support added in
modern browsers. We show how DOMtegrity prevents the earlier attacks
and a whole range of man-in-the-browser attacks that involve maliciously
changing the DOM structure of a web page. We conduct experiments
on more than 14,000 real-world extensions to evaluate the effectiveness of
DOMtegrity and its compatibility with existing extensions. To the best
of our knowledge, DOMtegrity is the first solution that effectively protects
the integrity of DOM against malicious extensions without needing
to modify the existing browser architecture or requiring extra hardware
What Is This Sensor and Does This App Need Access to It?
Mobile sensors have already proven to be helpful in different aspects of people’s everyday lives such as fitness, gaming, navigation, etc. However, illegitimate access to these sensors results in a malicious program running with an exploit path. While the users are benefiting from richer and more personalized apps, the growing number of sensors introduces new security and privacy risks to end users and makes the task of sensor management more complex. In this paper, first, we discuss the issues around the security and privacy of mobile sensors. We investigate the available sensors on mainstream mobile devices and study the permission policies that Android, iOS and mobile web browsers offer for them. Second, we reflect the results of two workshops that we organized on mobile sensor security. In these workshops, the participants were introduced to mobile sensors by working with sensor-enabled apps. We evaluated the risk levels perceived by the participants for these sensors after they understood the functionalities of these sensors. The results showed that knowing sensors by working with sensor-enabled apps would not immediately improve the users’ security inference of the actual risks of these sensors. However, other factors such as the prior general knowledge about these sensors and their risks had a strong impact on the users’ perception. We also taught the participants about the ways that they could audit their apps and their permissions. Our findings showed that when mobile users were provided with reasonable choices and intuitive teaching, they could easily self-direct themselves to improve their security and privacy. Finally, we provide recommendations for educators, app developers, and mobile users to contribute toward awareness and education on this topic