• Publications
  • Influence
Understanding the Mirai Botnet
TLDR
It is argued that Mirai may represent a sea change in the evolutionary development of botnets--the simplicity through which devices were infected and its precipitous growth, and that novice malicious techniques can compromise enough low-end devices to threaten even some of the best-defended targets.
Text-based CAPTCHA strengths and weaknesses
TLDR
It is found that 13 current visual CAPTCHAs based on distorted characters that are augmented with anti-segmentation techniques from popular web sites are vulnerable to automated attacks.
State of the Art: Automated Black-Box Web Application Vulnerability Testing
TLDR
The results show the promise and effectiveness of automated tools, as a group, and also some limitations, and in particular, "stored" forms of Cross Site Scripting and SQL Injection vulnerabilities are not currently found by many tools.
How Good Are Humans at Solving CAPTCHAs? A Large Scale Evaluation
TLDR
Evidence from a week’s worth of eBay captchas suggests that the solving accuracies found in the study are close to real-world values, and that improving audioCaptchas should become a priority, as nearly 1% of all captchAs are delivered as audio rather than images.
An Analysis of Private Browsing Modes in Modern Browsers
TLDR
This work proposes and experiments with a workable policy that lets users safely run extensions in private browsing mode and surveys its implementation in different browsers to suggest that private browsing is used differently from how it is marketed.
The End is Nigh: Generic Solving of Text-based CAPTCHAs
TLDR
The effectiveness and universality of the results suggests that combining segmentation and recognition is the next evolution of catpcha solving, and that it supersedes the sequential approach used in earlier works.
Neither Snow Nor Rain Nor MITM...: An Empirical Analysis of Email Delivery Security
TLDR
This work presents the first report on global adoption rates of SMTP security extensions, including: STARTTLS, SPF, DKIM, and DMARC, and presents evidence of such attacks in the wild, highlighting seven countries where more than 20% of inbound Gmail messages arrive in cleartext due to network attackers.
Busting frame busting a study of clickjacking vulnerabilities on popular sites
TLDR
This work studies frame busting practices for the Alexa Top-500 sites and shows that all can be circumvented in one way or another.
Kamouflage: Loss-Resistant Password Management
TLDR
Kamouflage is implemented as a replacement for the built-in Firefox password manager, and performance measurements and the results from experiments with large real-world password sets are provided to evaluate the feasibility and effectiveness of the approach.
Secrets, Lies, and Account Recovery: Lessons from the Use of Personal Knowledge Questions at Google
TLDR
It appears next to impossible to find secret questions that are both secure and memorable according to question strength and memorability, and it is shown that secret answers have surprisingly poor memorability.
...
1
2
3
4
5
...