Tracking personal data

Tracking of personal data on the Web

Navigating the Web gets easier by the day as corporate monitoring of our emails and browsing habits fine-tunes the algorithms that serve us personalized ads and recommendations. But convenience comes at a cost. In the wrong hands, our personal information can be used against us, to discriminate on housing and health insurance, and overcharge on goods and services, among other risks.

“The Web is like the Wild West,” says Roxana Geambasu, a computer scientist at Columbia Engineering and the Data Science Institute. “There’s no oversight of how our data are being collected, exchanged and used.”

Hidden Malware

Scientists stop and search malware hidden in shortened URLs on Twitter

Cyber-criminals are taking advantage of real-world events with high volumes of traffic on Twitter in order to post links to websites which contain malware.

To combat the threat, computer scientists have created an intelligent system to identify malicious links disguised in shortened URLs on Twitter. They will test the system in the European Football Championships next summer. The research is co-funded by the Engineering and Physical Sciences Research Council (EPSRC) and the Economic and Social Research Council (ESRC).

Think twice about Android root

In recent years the practice of Android rooting, that is, the process of allowing an Android phone or tablet to bypass restrictions set by carriers, operating systems or hardware manufacturers, has become increasingly popular.

Many rooting methods essentially operate by launching an exploit (or malicious code) against a vulnerability in the Android system. Because Android systems are so diverse and fragmented, and because they have a notoriously long update cycle (typically due to the hold time at mobile carriers), the window of vulnerability is typically very large.

Researchers find vulnerabilities in use of certificates for Web security

Consumers use the Internet for banking, emailing, shopping and much more nowadays. With so much personal and private information being transmitted over the Web, Internet users must be able to rely on and trust the sites they are accessing. For security purposes, websites use certificates to establish encrypted communications. When a site becomes compromised, its certificate should be revoked.

A new study offers the first end-to-end evaluation of the Web’s certificate revocation ecosystem, which includes website administrators that obtain and revoke certificates, certificate authorities that publish a list of revoked certificates, and browsers that check the revocation list to authenticate a website.

Cyberattacks studied through the lens of EEG and eye tracking

University of Alabama at Birmingham researchers have conducted a study that provides new insights on users’ susceptibility to, and capability to detect, cyber-criminal attacks such as malware and phishing attacks.

The study analyzed users’ brain activity and eye gaze movements as they were subjected to these attacks. This new research was presented at the 2015 ACM Conference on Computer and Communications Security last week in Denver.

This study from researchers within the UAB College of Arts and Sciences Department of Computer and Information Sciences and Center for Information Assurance and Joint Forensics Research was based on the knowledge that detecting malware and phishing attacks are user-centered functions, but little is understood about the user behavior underlying these tasks.

There is some prior knowledge on this topic regarding users’ performance in these security tasks, but UAB’s research took the work to the next level by studying users in a near-reality setting and evaluating more than one neurophysiological measure during a single study.

Researchers took a three-dimensional approach to this study, looking at users’ task performance, at how they process the tasks of detecting cyberattacks in terms of neural activity, which was captured using electroencephalogram (EEG) cognitive metrics, and at eye gaze patterns, which were captured using an eye-tracker.

The evaluation process tested users on phishing attacks, which use malicious email to collect personal and financial information, as well as Web-based malware attacks, which deploy software to infect computers with viruses while users browse the Web.

“By looking at these three measures together, we were able to show that users do not spend enough time analyzing key phishing indicators, and often fail at detecting phishing attacks even when they are mentally engaged in the task and subconsciously processing real sites differently from fake sites,” said Nitesh Saxena, Ph.D., the director of the Security and Privacy In Emerging computing and networking Systems (SPIES) lab and associate professor of computer and information sciences at UAB. “Under malware attacks, we found the opposite to be true. Users were found to be frequently reading, possibly comprehending and eventually heeding the message embedded in the malware warning (such as the one provided by common browsers).”

“Overall, the way users respond to and process malware warnings is good news,” said UAB graduate student Ajaya Neupane, co-author of the article with Saxena. “The gaze patterns show that users are reading the warnings, the neural activity shows that users are undergoing high workload and are highly engaged when warnings were displayed, and the task accuracy shows that users heed warnings a large majority of the time.”

Also, for phishing attacks, a direct correlation was found between the users’ attention control, which is considered a personality trait, measured via a paper-and-pencil test, and how accurate they were at detection.

“We believe that means the users’ susceptibility to phishing attacks is a function of their personality traits,” Saxena said. “The more attentive they are by nature, the more likely they are to detect the phishing attacks.”

These results give researchers the foundation upon which to begin designing mechanisms that will use real-time neural and eye-gaze features that can automatically infer a user’s alertness state, and determine whether or not the user’s response should be relied upon. Most interestingly, the insight that users’ brains can subconsciously detect phishing attacks, even though users themselves may fail at detecting them, can be used to build future automated phishing detection mechanisms based on neural activity.

“We can begin thinking about developing ways to automatically detect whether users are attentive or inattentive, and whether they subconsciously detected a phishing attack,” Neupane said. “Our research suggests that combining neural and ocular features might provide a robust detection system, which would result in higher user security measures.”

This study was conducted in collaboration with researchers from Syracuse University.

Story Source:

The above post is reprinted from materials provided by University of Alabama at Birmingham. The original item was written by Katherine Shonesy.