DC-Area Anonymity, Privacy, and Security Seminar

Summer 2017 Seminar
Friday, June 9th, 2017
1:00 p.m. - 4:30 p.m.

Location: Information Technology and Engineering building (ITE), Room 456
University of Maryland Baltimore County
Hosts: Adam Aviv and Ravi Kuber

1:00 p.m. - 1:25 p.m.
Speaker: Paul Syverson (U.S. Naval Research Laboratory)
Title: Onions in the Crosshairs: when The Man really is out to get you
Abstract: We introduce and investigate targeting adversaries who selectively attack users of Tor or other secure-communication networks. We argue that attacks by such adversaries are more realistic and more significant threats to those most relying on Tor's protection than are attacks in prior analyses of Tor security. Previous research and Tor design decisions have focused on protecting against adversaries who are equally interested in any user of the network. Our adversaries selectively target users — e.g., those who visit a particular website or chat on a particular private channel — and essentially disregard Tor users other than these. We investigate two example cases where particular users might be targeted: a cabal conducting meetings on a private IRC channel; and users visiting a particular .onion website. In general for our adversaries, compromise is much faster and provides more feedback and possibilities for adaptation than do attacks examined in prior work. We describe adversaries both attempting to learn the size of a cabal meeting online (or of a set of sufficiently active visitors to a targeted site) and attempting to identify guards of each targeted user. We compare the threat of targeting adversaries versus previously considered adversaries, and we briefly sketch possible countermeasures for resisting targeting adversaries.

1:25 p.m. - 1:50 p.m.
Speaker: Ian Miers (Johns Hopkins University)
Title: 0-RTT Forward Secure Encryption
Abstract: Forward security ensures that stolen keys cannot be used to decrypt past messages. Typically this can only be achieved via interactive key exchange protocols. In this talk I will detail a new approach for forward secrecy, complete with software implementations, that requires neither interaction between the sender and receiver nor tightly synchronized clocks. This can be used in asynchronous messaging protocols and for TLS 0-RTT handshakes.

1:50 p.m. - 2:20 p.m.
Coffee Break

2:20 p.m. - 2:45 p.m.
Speaker: Daniel Votipka (University of Maryland, College Park)
Title: A Comparison of Hacker and Software Tester Communities
Abstract: Finding security vulnerabilities in software is a critical task for any organization, which still requires human effort, even though automation has made significant strides in recent years. The task of vulnerability discovery typically falls on traditional software testers within an organization and/or white-hat hackers, either through bug bounty programs or contracting. This talk explores the experiences, skills, processes, motivations, and mental models of these two communities. We describe our interview study which focuses on how these groups find bugs, how they have developed the necessary skills, and the challenges they face and give some preliminary findings.

2:45 p.m. - 3:10 p.m.
Speaker: Adam J. Aviv (United States Naval Academy)
Title: Baseline Measurements of Shoulder Surfing Attacks on Smartphone Unlock Authentication
Abstract: Shoulder surfing, or observation attacks, are when an attacker observes the authentication procedure with the intent of recreating (or learning) the authentication information, which could be, for example, a PIN, unlock Pattern, or text-based password. There has been significant work done in designing authentication systems to prevent such attacks, but there has been little work in understanding how vulnerable the current authentication systems are to shoulder surfing, essentially providing a baseline for improvement to compare other systems against. In this talk, I'll present the results of a study to understand what the baseline shoulder surfing threats are to smartphone based unlock authentication systems, such as 4- and 6-digit PINS, 4- and 6-length Android unlock patterns with visible lines, and similar patterns entered without visible lines. Using a methodology where survey participants act as attackers, viewing controlled videos of authentication under different settings, that there are significant differences between authentication methods, but that 6-digit PINS, in aggregate, provide a surprisingly robust defense to casual observation attacks even after multiple views by the attacker, while pattern based techniques, even without visible lines, are wholly vulnerable with non-visible lines being less so than visible lines even after the attacker has a single view.

3:10 p.m. - 3:40 p.m.
Coffee Break

3:40 p.m. - 4:05 p.m.
Speaker: Kristopher Micinski (University of Maryland, College Park)
Title: User Interactions and Permission Use on Android
Abstract: Android and other mobile operating systems ask users for authorization before allowing apps to access sensitive resources such as contacts and location. We hypothesize that such authorization systems could be improved by becoming more integrated with the app's user interface. In this paper, we conduct two studies to test our hypothesis. First, we use AppTracer, a dynamic analysis tool we developed, to measure to what extent user interactions and sensitive resource use are related in existing apps. Second, we conduct an online survey to examine how different interactions with the UI affect users' expectations about whether an app accesses sensitive resources. Our results suggest that user interactions such as button clicks can be interpreted as authorization, reducing the need for separate requests; but that accesses not directly tied to user interactions should be separately authorized, possibly when apps are first launched.

4:05 p.m. - 4:30 p.m.
Speaker: Flynn Wolf (University of Maryland, Baltimore County)
Title: An Exploratory Qualitative Study of Security-Conscious Users of Mobile Authentication
Abstract: A study has been undertaken to better understand the mental models and practices of security conscious users from academia, industry, and government, from an explorative qualitative approach, noting that mobile authentication studies have largely overlooked the mindset of users who have considered their behavior in terms of detailed knowledge of risk. A set of preliminary findings are presented, alongside implications for development of security methods derived from these views.

Directions: The seminar will be held in room 456 of the Information Technology and Engineering building (ITE 456, UMBC, 1000 Hilltop Circle, Baltimore MD 21250). On the campus map, the ITE building is in grid square G4.

By Car: Attendees should park in the metered visitor spaces. The nearest lots with such spaces are Lot 9 and the Administration Drive Garage (top floor). See the parking map to locate these and other parking options. Visitor parking is $2.00 per hour and payable by MasterCard, Visa or exact currency, no change provided. More information about parking is available from UMBC Parking Services.

By Public Transit: See the UMBC Visitors Guide for public-transit options. Nearby train stations include Halethorpe Rail Station, about 2 miles from the ITE building and serviced by a MARC train, St. Denis Station (3 miles, MARC), and BWI Rail Station (7 miles, MARC and Amtrak). The 77 public bus is a good option for getting to campus. It goes from close to Halethorpe Station to UMBC. A taxi or ride-share is another good option to get to UMBC from the train station. The taxi can stop close to the ITE building at the intersection between Hilltop Circle and UMBC Boulevard.