This post summarizes how prevalent encrypted web traffic interception is and how it negatively affects online security according to a study we published at NDSS 2017.
This post discusses practical attacks against poker cheating devices, designed to detect and jam these devices.
This talk showcases how attacks against corporate inboxes differ from the attacks we observe against personal inboxes, from a Gmail perspective.
Research on how the ecosystem of commercial pay-per-install (PPI) is structured and the role it plays in the proliferation of unwanted software.
This blog post shows how to create a reliable and realistic-looking malicious USB key that can be used in a drop attack.
Here are the 5 ways I bulletproof my credit cards against identity theft, and you can use them yourself very easily. As a bonus, at the end of the post I have added an experimental step to defend against the recent chip downgrading attack.
Every year, close to 600,000 sites are hacked. Given the scale of the problem, notifying users to prevent harm and webmasters so they can clean up their sites is critical to combat hacking. This post looks at the effectiveness of the current warning strategies used by Google and their long-term impact.
This paper studies how effective Google's notifications to webmasters of hacked websites are, based on over 760,000 hacking incidents between July 2014 and June 2015.
As an experiment we dropped nearly 300 USB sticks on the UIUC campus to assess whether USB drop attacks work and to see if concerns about USB security were justified. We found that at least 48% of the drives were plugged in. This blog post summarizes how we ran the study, highlights the key findings, looks at what motivates people to plug in USB sticks, and discusses possible mitigations to improve USB security.
In this research paper we investigate whether people plug in random USB drives and find that 45-98% do. We analyze the factors that affect the opening rate and people's motivations for plugging these insecure drives into their computers.
This post provides an in-depth analysis of the lessons we learned while protecting Gmail users and their inboxes. We felt it was about time to share the key lessons we learned the hard way while protecting Gmail for over a decade, so everyone involved in building an online product can benefit from them. To that effect, with the help of various Gmail safety leaders and long-time engineers, I distilled these lessons into a 25-minute talk for Enigma called “Lessons learned while protecting Gmail”. While such a short talk is great at providing an overview, it forces you to leave out details that provide deeper insights. This blog is, therefore, meant to fill this gap by sharing a more complete explanation for the lessons that need one and it complements my talk on the subject.
Big data weaponization and malware-based espionage are usually associated with governments; however, they don't have a monopoly on such activities. Online poker also uses big data to profile user behavior. Players search for fish (bad players), and they use malware to spy on and rip off infected players at the (online) poker table. This blog post is a brief tour of some of the darkest aspects of online poker.
This post summarizes which equipment the FBI uses to seize the contents of servers and laptops, even though many of them use full disk encryption, and which defenses exist.
This post looks at how an attacker can intercept and read emails sent from one email provider to another by performing a DNS MX record hijacking attack. While our research on the state of email delivery security indicates that this attack is less pervasive than the TLS downgrade attack discussed in a previous post, it is equally effective at defeating email in-transit encryption. This post explains how this attack works, how it can be mitigated and to what extent it also affects the security of a website.