If your bot friends are nicer and more interesting …

The most recent article (by Eagle Gamma) appeared in Infoworld in early April. Unlike earlier coverage, it discusses more recent work (Design and Analysis of a Social Botnet), in which an economic analysis of Social Botnet feasability and challenges for throttling them is discussed. I loved a comment left by one of the readers: “If your bot friends are nicer and more interesting than those so-called friends you found in high school, well ….”

The Impact of Password Meters on Password Selection

Password meters tell users whether their passwords are “weak” or “strong.” In this paper, we report on a laboratory experiment to examine whether these meters influenced users’ password selections when they were forced to change their real passwords, and when they were not told that their passwords were the subject of a study. We observed that the presence of meters yielded significantly stronger passwords. We then performed a followup field experiment to test a different scenario: creating a password for an unimportant account. In this scenario, we found that the meters made no observable difference: participants simply reused weak passwords that they used to protect similar low-risk accounts. We conclude that meters result in stronger passwords when users are forced to change existing passwords on “important” accounts and that individual meter design decisions likely have a marginal impact.

More details are in the paper, which will be presented at CHI ’13 held April 27-May 3.

Teaching Security and Privacy in Online Social Networks

This term, I’m teaching a graduate seminar-based course on security and privacy in online social networks.


Students in the course are reading, presenting, critiquing, and discussing most significant and most recent papers from top venues on the subject.


They also do a project related to security and write a term paper based on it. More information about can be found at the course web site.

Presentations of Term Projects in the Security Course

In my undergraduate course on security, we are holding a mini-conferenceon December 4, where each team of 3-4 students will present their term project. Project topics are diverse and practical. The mini-conference is open to public. See its schedule for location information and presentation times. The projects will be evaluated by the representatives of the high-tech industry.

Speculative authorization and its sibling ideas

Performance overhead due to the authorization delays can be reduced if the access control decisions are pre-computed beforehand and placed into the cache of the policy enforcement point (PEP). LERSSE alumni Pranab Kini has explored the design space for speculative authorizations. A journal version of his thesis has been recently published IEEE Transactions on Parallel and Distributed Systems.

This was instantiation of the third idea, which I have originally described in an NSPW paper on Flooding and Recycling Authorizations. The other two ideas were on Secondary and Approximate Authorization Model (for SAAM for Bell-LaPadula and SAAM for RBAC) and the use of publish-subscribe technologies for delivering both authorization requests and decisions.

Independent Panel on Internet Voting in British Columbia

I’ve been invited to serve on the independent panel on Internet voting appointed by Elections B.C.. Other members of the panel are Keith Archer (chair), Chief electoral officer; Lee-Ann Crane, chief administrative officer for the East Kootenay Regional District; Valerie King, professor in the department of computer science at the University of Victoria; and George Morfitt, former auditor general of B.C.

The Devil is in (Implementation) Details

It’s hard to get a security protocol right. It seems even harder to get its implementations right, even more so when millions use it on daily basis. LERSSE’s Sun-Tsai will present at ACM CCSthis October several critical vulnerabilities he has uncovered in implementation of OAuth 2.0, used by Facebook, Microsoft, Google, and many other identity providers and relying parties. These vulnerabilities allow an attacker to gain unauthorized access to the victim user’s profile and social graph, and impersonate the victim on the RP website. Closer examination reveals that these vulnerabilities are caused by a set of design decisions that trade security for implementation simplicity. To improve the security of OAuth 2.0 SSO systems in real-world settings, we suggest simple and practical improvements to the design and implementation of IdPs and RPs that can be adopted gradually by individual sites.

See the paper for details.

Systematically breaking and fixing OpenID security

Do you use OpenID? I bet you do, even if you don’t know this. OpenID 2.0 is a user-centric Web single sign-on protocol with over one billion OpenID-enabled user accounts, and tens of thousands of supporting websites. Well, the security of this protocol is clearly critical! Yet, its security analysis has only been done so far  in a partial and ad-hoc manner. LERSSE Ph.D. candidate San-Tsai Sun performed a systematic analysis of the protocol using both formal model checking and an empirical evaluation of 132 popular websites that support OpenID.Our formal analysis revealed that the protocol does not guarantee the authenticity and integrity of the authentication request, and it lacks contextual bindings among the protocol messages and the browser. The results of our empirical evaluation suggest that many OpenID-enabled websites are vulnerable to a series of cross-site request forgery attacks (CSRF) that either allow an attacker to stealthily force a victim user to sign into the OpenID supporting website and launch subsequent CSRF attacks (81%), or force a victim to sign in as the attacker in order to spoof the victim’s personal information (77%). With additional capabilities (e.g., controlling a wireless access point), the adversary can impersonate the victim on 80% of the evaluated websites, and manipulate the victim’s profile attributes by forging the extension parameters on 45% of those sites. Based on the insights from this analysis, we propose and evaluate a simple and scalable mitigation technique for OpenID-enabled websites, and an alternative man-in-the-middle defense mechanism for deployments of OpenID without SSL.

Read more in the paper.