Design and analysis of a social botnet Boshmaf, Yazan; Muslukhov, Ildar; Beznosov, Konstantin ...
Computer networks,
02/2013, Letnik:
57, Številka:
2
Journal Article
Recenzirano
Odprti dostop
Online Social Networks (OSNs) have attracted millions of active users and have become an integral part of today’s web ecosystem. Unfortunately, in the wrong hands, OSNs can be used to harvest private ...user data, distribute malware, control botnets, perform surveillance, spread misinformation, and even influence algorithmic trading. Usually, an adversary starts off by running an infiltration campaign using hijacked or adversary-owned OSN accounts, with an objective to connect with a large number of users in the targeted OSN. In this article, we evaluate how vulnerable OSNs are to a large-scale infiltration campaign run by socialbots: bots that control OSN accounts and mimic the actions of real users. We adopted the design of a traditional web-based botnet and built a prototype of a Socialbot Network (SbN): a group of coordinated programmable socialbots. We operated our prototype on Facebook for 8weeks, and collected data about user behavior in response to a large-scale infiltration campaign. Our results show that (1) by exploiting known social behaviors of users, OSNs such as Facebook can be infiltrated with a success rate of up to 80%, (2) subject to user profile privacy settings, a successful infiltration can result in privacy breaches where even more private user data are exposed, (3) given the economics of today’s underground markets, running a large-scale infiltration campaign might be profitable but is still not particularly attractive as a sustainable and independent business, (4) the security of socially-aware systems that use or integrate OSN platforms can be at risk, given the infiltration capability of an adversary in OSNs, and (5) defending against malicious socialbots raises a set of challenges that relate to web automation, online-offline identity binding, and usable security.
In this paper, we performed a longitudinal field study with 41 participants, who installed our monitoring framework on their Android smartphones and ran it for at least 20 days. We examined how ...unlocking mechanisms perform in the wild in terms of time it takes to authenticate and error-rate, and how the users’ choices of the unlocking mechanisms are linked to the different patterns of smartphone usage. Based on our findings, we offer insights into improving Android unlocking mechanisms and related user experience.
Smartphones store sensitive and confidential data, e.g., business related documents or emails. If a smartphone is stolen, such data are at risk of disclosure. To mitigate this risk, modern ...smartphones allow users to enable data encryption, which uses a locking password to protect the data encryption key. Unfortunately, users either do not lock their devices at all, due to usability issues, or use weak and easy to guess 4-digit PINs. This makes the current approach of protecting confidential data-at-rest ineffective against password guessing attackers. To address this problem we design, implement and evaluate the Sidekick system — a system that uses a wearable device to decouple data encryption and smartphone locking. Evaluation of the Sidekick system revealed that the proposal can run on an 8-bit System-on-Chip, uses only 4 Kb/20 Kb of RAM/ROM, allows data encryption key fetching in less than two seconds, while lasting for more than a year on a single coin-cell battery.
The socialbot network Boshmaf, Yazan; Muslukhov, Ildar; Beznosov, Konstantin ...
Proceedings of the 27th Annual Computer Security Applications Conference,
12/2011
Conference Proceeding
Online Social Networks (OSNs) have become an integral part of today's Web. Politicians, celebrities, revolutionists, and others use OSNs as a podium to deliver their message to millions of active web ...users. Unfortunately, in the wrong hands, OSNs can be used to run astroturf campaigns to spread misinformation and propaganda. Such campaigns usually start off by infiltrating a targeted OSN on a large scale. In this paper, we evaluate how vulnerable OSNs are to a large-scale infiltration by socialbots: computer programs that control OSN accounts and mimic real users. We adopt a traditional web-based botnet design and built a Socialbot Network (SbN): a group of adaptive socialbots that are orchestrated in a command-and-control fashion. We operated such an SbN on Facebook---a 750 million user OSN---for about 8 weeks. We collected data related to users' behavior in response to a large-scale infiltration where socialbots were used to connect to a large number of Facebook users. Our results show that (1) OSNs, such as Facebook, can be infiltrated with a success rate of up to 80%, (2) depending on users' privacy settings, a successful infiltration can result in privacy breaches where even more users' data are exposed when compared to a purely public access, and (3) in practice, OSN security defenses, such as the Facebook Immune System, are not effective enough in detecting or stopping a large-scale infiltration as it occurs.
OpenID and OAuth are open and simple Web SSO protocols that have been adopted by major service providers, and millions of supporting Web sites. However, the average user’s perception of Web SSO is ...still poorly understood. Through several user studies, this work investigates users’ perceptions and concerns when using Web SSO for authentication. We found that our participants had several misconceptions and concerns that impeded their adoption. This ranged from their inadequate mental models of Web SSO, to their concerns about personal data exposure, and a reduction in perceived Web SSO value due to the employment of password management practices. Informed by our findings, we offer a Web SSO technology acceptance model, and suggest design improvements.
Does my password go up to eleven? Egelman, Serge; Sotirakopoulos, Andreas; Muslukhov, Ildar ...
Proceedings of the SIGCHI Conference on Human Factors in Computing Systems,
04/2013
Conference Proceeding
Password meters tell users whether their passwords are "weak" or "strong." We performed a laboratory experiment to examine whether these meters influenced users' password selections when they were ...forced to change their real passwords, and when they were not told that their passwords were the subject of a study. We observed that the presence of meters yielded significantly stronger passwords. We performed a followup field experiment to test a different scenario: creating a password for an unimportant account. In this scenario, we found that the meters made no observable difference: participants simply reused weak passwords that they used to protect similar low-risk accounts. We conclude that meters result in stronger passwords when users are forced to change existing passwords on "important" accounts and that individual meter design decisions likely have a marginal impact.
OpenID and OAuth are open and simple Web SSO protocols that have been adopted by major service providers, and millions of supporting Web sites. However, the average useras perception of Web SSO is ...still poorly understood. Through several user studies, this work investigates usersa perceptions and concerns when using Web SSO for authentication. We found that our participants had several misconceptions and concerns that impeded their adoption. This ranged from their inadequate mental models of Web SSO, to their concerns about personal data exposure, and a reduction in perceived Web SSO value due to the employment of password management practices. Informed by our findings, we offer a Web SSO technology acceptance model, and suggest design improvements.
Recent research suggests that 88% of Android applications that use Java cryptographic APIs make at least one mistake, which results in an insecure implementation. It is unclear, however, if these ...mistakes originate from code written by application or third-party library developers. Understanding the responsible party for a misuse case is important for vulnerability disclosure. In this paper, we bridge this knowledge gap and introduce source attribution to the analysis of cryptographic API misuse. We developed BinSight, a static program analyzer that supports source attribution, and we analyzed 132K Android applications collected in years 2012, 2015, and 2016. Our results suggest that third-party libraries are the main source of cryptographic API misuse. In particular, 90% of the violating applications, which contain at least one call-site to Java cryptographic API, originate from libraries. When compared to 2012, we found the use of ECB mode for symmetric ciphers has significantly decreased in 2016, for both application and third-party library code. Unlike application code, however, third-party libraries have significantly increased their reliance on static encryption keys for symmetric ciphers and static IVs for CBC mode ciphers. Finally, we found that the insecure RC4 and DES ciphers were the second and the third most used ciphers in 2016.
While previous work on smartphone (un)locking has revealed real world usage patterns, several aspects still need to be explored. In this paper, we fill one of these knowledge gaps: the interplay ...between age and smartphone authentication behavior. To do this, we performed a two-month long field study (N = 134). Our results indicate that there are indeed significant differences across age. For instance, younger participants were more likely to use biometric unlocking mechanisms and older participants relied more on auto locks.
PDF
