The orthodox paradigm in defending against automated social-engineering attacks in large-scale, socio-technical systems is reactive and victim-agnostic. Defenses generally focus on identifying the attacks or the attackers (e.g., phishing emails, socialbot inﬁltrations, malware offered for download), but do not consider the victims of these attacks in their design.
To improve the status quo, we propose in our upcoming NSPW’16 paper to identify, even if imperfectly, the vulnerable user population; the users that are likely to fall victim to such attacks. Once identiﬁed, information about the vulnerable population can be used in two ways. First, the vulnerable population can be inﬂuenced by the defender through several means including: education, specialized user experience, extra protection layers and watchdogs. In the same vein, this information be used to ﬁne-tune and reprioritize defense mechanisms to offer differentiated protection, possibly at the cost of additional friction generated by the defense mechanism. Secondly, information about the vulnerable population can be used to identify an attack, or compromised users, based on differences between the general and the vulnerable population. This position paper considers the implications of the proposed paradigm on existing defenses in three areas, phishing of user credentials, malware distribution and socialbot inﬁltration, and discusses how using knowledge of the vulnerable population can enable more robust defenses.
With almost two billion smartphone users in the world, it is clear that smartphones have become an important part of our daily life. Vast storage space allows users to keep large amounts of sensitive data, e.g., SMS messages and photos, on their devices. Unfortunately, smartphones are easy to get lost or stolen. This puts all sensitive data stored on the device at risk of disclosure. To mitigate this risk, all modern mobile platforms encrypt data with a data encryption key (DEK) and protect this DEK with a key encryption key (KEK), which is never stored on the device. However, all modern systems derive KEK from weak user authentication secrets, such as 4-digits PINs. In addition, more than 20% of smartphone users disable screen locks, because they find available authentication methods, such as Draw-A-Secret or PIN, unusable. All this makes current approaches to protect the confidentiality of data-at-rest ineffective.
Our recent work, entitled “Decoupling data-at-rest encryption and smartphone locking with wearable devices,” addresses this problem. We propose to use wearable devices for encryption key management. In particular, we designed, implemented, and evaluated Sidekick – a system that uses a wearable device to store KEKs. This system effectively mitigates brute-force attacks on KEK by substantially increasing the KEK’s search space. The proposed system is also practical: First, KEK retrieval operation takes two seconds at most, which is less than what it takes users to authenticate with two most common authenticating methods in Android OS (PIN and Draw-a-Secret). Thus, one can completely hide the added latency if KEK is fetched in parallel with smartphone unlocking process. Second, the wearable device we used can run for at least a year on a single coin-cell battery, with a session key being renewed at least twice a day.
I will be serving on the Program Committee for the 15th ACM Workshop on Privacy in the Electronic Society (WPES 2016), held in conjunction with the ACM CCS 2016 conference.
The workshop seeks submissions from academia and industry presenting novel research on all theoretical and practical aspects of electronic privacy, as well as experimental studies of fielded systems. We encourage submissions from other communities such as law and business that present these communities’ perspectives on technological issues. Checkout the full Call for Papers here.
Paper submission deadline: July 27, 2016 @11:59 PM American Samoa time.