CryptoLock (and Drop It): Stopping Ransomware Attacks on User Data
TLDR
CryptoDrop, an early-warning detection system that alerts a user during suspicious file activity, is presented; it significantly mitigates the amount of victim data loss and can be parameterized for rapid detection with low false positives.
Mo(bile) Money, Mo(bile) Problems
TLDR
Pervasive vulnerabilities spanning botched certification validation, do-it-yourself cryptography, and other forms of information leakage that allow an attacker to impersonate legitimate users, modify transactions, and steal financial records are uncovered.
Mo(bile) Money, Mo(bile) Problems: Analysis of Branchless Banking Applications in the Developing World
TLDR
This paper performs the first in-depth measurement analysis of branchless banking applications and uncovers pervasive and systemic vulnerabilities spanning botched certification validation, do-it-yourself cryptography, and myriad other forms of information leakage that allow an attacker to impersonate legitimate users, modify transactions in flight, and steal financial records.
*droid: Assessment and Evaluation of Android Application Analysis Tools
TLDR
The first systematization of Android security research that analyzes applications is performed, characterizing the work published in more than 17 top venues since 2010 and finding not only that significant work remains to be done in terms of research coverage but also that the tools suffer from significant issues.
Sending Out an SMS: Characterizing the Security of the SMS Ecosystem with Public Gateways
TLDR
From this data, a range of services sending extremely sensitive plaintext data and implementing low entropy solutions for one-use codes are identified, and insights into the prevalence of SMS spam and behaviors indicating that public gateways are primarily used for evading account creation policies that require verified phone numbers are offered.
Making USB Great Again with USBFILTER
TLDR
The proposed USBFILTER system provides a level of granularity and extensibility that reduces the uncertainty of USB connectivity and ensures unauthorized devices are unable to communicate with the host.
SoK: "Plug & Pray" Today – Understanding USB Insecurity in Versions 1 Through C
TLDR
This work surveys and categorizes USB attacks and defenses, unifying observations from both peer-reviewed research and industry, develops the first formal verification of the recently released USB Type-C Authentication specification, and uncovers fundamental flaws in the specification's design.
Fear the Reaper: Characterization and Fast Detection of Card Skimmers
TLDR
The Skim Reaper is developed, a detector which takes advantage of the physical properties and constraints necessary for many skimmers to steal card data and provides the first robust and portable mechanism for detecting card skimmers.
OnionDNS: A seizure-resistant top-level Domain
TLDR
This work creates OnionDNS, an anonymous top-level domain (TLD) and resolution service for the Internet, and demonstrates that the delisting of domains from DNS can be mitigated in an efficient and secure manner.
Kiss from a Rogue: Evaluating Detectability of Pay-at-the-Pump Card Skimmers
TLDR
Common gas pump security indicators are shown to be not only ineffective at empowering consumers to detect tampering, but possibly a source of a false sense of security; stronger, reliable, inexpensive measures must be developed to protect consumers and merchants from fraud.