Research on how the the ecosystem of commercial pay-per-install (PPI) is structured and the role it plays in the proliferation of unwanted software
This blog post shows how to create a reliable and realistic-looking malicious USB key that can be used in a drop attack.
Here are the 5 ways I bulletproof my credit cards against identity theft, and you can use them yourself very easily. As a bonus, at the end of the post I have added an experimental step to defend against the recent chip downgrading attack.
Every year, close to 600,000 sites are hacked. Given the scale of the problem, notifying users to prevent harm and webmasters so they can clean up their sites is critical to combat hacking. This post looks at the effectiveness of the current warning strategies used by Google and their long-term impact.
This paper study how effective the Google's notifications sent to webmasters of hacked web sites are based of over 760000 hacking incidents from July 2014 and June 2015.
As an experiment we dropped nearly 300 USB sticks on the UIUC campus to assess if USB drop attacks work and see if concerns about USB security were justified. We found out that at least 48% of the drive were plugged. This blog post summarizes how we ran the study, highlights the key findings, looks at what motivates people to plug in USB sticks, and discusses possible mitigations to improve USB security.
In this research paper we investigate if people do plug random USB drives and found out that 45-98% do. We analyze the factors that affect opening rate and people motivation for plug-in in their computers those insecure drives.
This post provides an in-depth analysis of the lessons we learned while protecting Gmail users and their inboxes. We felt it was about time to share the key lessons we learned the hard way while protecting Gmail for over a decade, so everyone involved in building an online product can benefit from them. To that effect, with the help of various Gmail safety leaders and long-time engineers, I distilled these lessons into a 25-minute talk for Enigma called “Lessons learned while protecting Gmail”. While such a short talk is great at providing an overview, it forces you to leave out details that provide deeper insights. This blog is, therefore, meant to fill this gap by sharing a more complete explanation for the lessons that need one and it complements my talk on the subject.
Big data weaponization and malware-based espionage are usually associated with governments; however, they don’t own a monopoly on such activities. Also, online poker uses big data to profile user behavior. Players search for fish (bad players) and they use malware to spy on and rip off infected players at the (online) poker table. This blog post is a brief tour of some of the darkest aspects of online poker.
This post summarizes which equipement the FBI use to seize the content of servers and laptops despite many of them use full disk encryption and which defenses exist.
This post looks at how an attacker can intercept and read emails sent from one email provider to another by performing a DNS MX record hijacking attack. While our research on the state of email delivery security indicates that this attack is less pervasive than the TLS downgrade attack discussed in a previous post, it is equally effective at defeating email in-transit encryption. This post explains how this attack works, how it can be mitigated and to what extent it also affects the security of a website.
Follow these ten easy steps to improve your online security and privacy quickly.
Over the last two years, the number of encrypted emails received by Gmail has almost doubled, as I reported earlier on the Google security blog. This very encouraging trend is sadly accompanied with an increase of SMTP TLS downgrade attacks, which prevent encryption of emails in transit as discussed in our research paper on the state of email transport security. This blog post explains how such an attack is performed and why there is no simple “patch” for it.
Multi-year study that measure how email security has evolved from 2013 to 2015. Highlight progress made on deployment of email security technologies and uncover attacks against SMTP happening in the wild.
Research about the security and memorability of secret questions based of their deployment at Google. This paper won best student paper award at WWW'15.
19.5% of HTTPS-enabled sites in Alexa's Top 1 Million trigger or will soon trigger a Chrome security warning because they are using the now deprecated SHA-1 signature algorithm to sign their HTTPS certificate. Soon those sites will be flagged by all major browsers as insecure.
This is the story of how — and why — Google switched to numeric captchas. Captchas are these wiggly words used as a puzzle to tell humans apart from computers. Over the last few years, based on my work that began at Stanford, I’ve been working on designing a more user-friendly captcha for Google that […]