Konstantin (Kosta) Beznosov news

SOUPS Features LERSSE Research

Fri, 16 Jul 2010 09:33:19 -0700

LERSSE graduate students presented their research at the Symposium on Usable Security Privacy and Security (SOUPS).

We had posters on OpenIDemail Enabled Browser, Expectations, Perceptions, and Misconceptions of Personal Firewalls, and Validating and Extending a Study on the Effectiveness of SSL Warnings.

At SOUPS Workshop on Usable Security Experiment Reports (USER), Andreas Sotirakopoulos discussed how study environment biases participant behaviours, Sara Motiee explained challenges in understanding users’ security-related knowledge, behaviour, and motivations, and Kirstie Hawkey presented (for Pooya Jaferian, who could not attend SOUPS) challenges in evaluating complex IT security management systems.

In SOUPS technical papers session, Sara Motiee presented her study of support (through LUA and UAC) for the principle of least privilege in Windows Vista and Windows 7.

LERSSE work on usable security at CHI ’10

Tue, 16 Feb 2010 15:07:36 -0800

Two posters about the research by my students Fahimeh Raja and Sara Motiee will be featured at CHI ’10.

Fahimeh continued her work on the usability of personal firewalls. She interviewed participants to understand participants’ knowledge, requirements, expectations, and misconceptions for personal firewalls. Details are in the preprint of the corresponding paper.

Sara conducted a user study and contextual interviews to understand the motives and challenges participants face when using different user accounts and the UAC approach. Most participants were not aware of or motivated to employ low-privileged accounts. Moreover, most did not understand or carefully consider the prompts. Details are in the preprint of the corresponding paper.

EECE 412 students star in security analysis

Fri, 8 Jan 2010 13:49:32 -0800

Several student projects teams in my undergraduate course in computer security have done anexcellent job analyzing real systems and finding vulnerabilities in them.
• Adnan Jiwani, Arash Malekzadeh, Neeraj Prashar, and Cloud Shao found that “Terra: Battle for the Outlands” is weak against online dictionary attacks, password snooping, denial of service, API hooks, and unauthorized e-mail sending. Their term project report provides details and suggests countermeasures.
• Maxime Perreault, David Rosberg, Peter Vautour, and David Wang found a glaring vulnerability in the misconfiguration of EASports.com, which would allow an attacker to gain admin access to the portal. Their term project report provides details and suggests countermeasures.
• Milad Mesbah and Nima Hosseinikhah discovered vulnerabilities that allow an adversary to do game fixing at PokerStars, online dictionary attack on passwords at and denial of service attacks on accounts of Casino-On-Net, phishing attacks on the users of Rushmore. Their term project report provides details and suggests countermeasures.
• Neil Gentleman, William Wong, Insoo Kwon, and Yan Yau (Keith) Kam discovered vulnerabilities in the UBC’s deployment of WPA-PEAP for ubcsecure WiFi network that would allow the adversary to recover user names and passwords of the network users. Their term project report provides details and suggests countermeasures.
• Frank Ip, Ken Ho, Jonathan Wong, and Jonathan Chau discovered vulnerabilities in XT3.com web site that would allow an adversary to perform cross-site scripting attacks. Their term project report provides details and suggests countermeasures.
• Jon Lee, Niel Paul, Choon-Sean (Steven) Cheong, and Dicky Bratawijaya discovered vulnerabilities in the protocol between the payment card and the reader of the UBC’s residence laundry that would allow the adversary to use the system without payment. Their term project report provides details and suggests countermeasures.

The web page of the course mini-conference contains links to the corresponding reports and video-clips summarizing the projects.

Security Research Advances in 2009

Mon, 30 Nov 2009 12:45:11 -0800

I presented a 2009 review of academic research in computer security at Vancouver International Security Conference. This presentation reviewed latest scientific conference reports on the cutting edge research in computer security. It presented and explained 2009 highlights from IEEE Symposium in Security and Privacy, ACM Conference in Computer and Communications Security (CCS), Symposium on Network and Distributed Systems Security (NDSS), and Symposium on Usable Privacy and Security (SOUPS).

Secure Web 2.0 Content Sharing Beyond Walled Gardens

Thu, 12 Nov 2009 06:48:52 -0800

My Ph.D. student San-Tsai Sun will be presenting at ACSAC an architecture, design, and implementation of a proposed system for Web 2.0 content sharing across content service providers (CSPs). With our approach, users use their existing email account to login to CSPs, and content owners use their email-based contact-lists to specify access policies. Users are assumed to be equipped only with a Web browser and CSPs do not need to change their existing access-control mechanisms. In addition, policy statements are URI-addressable, and the same access policies can be reused and enforced across CSPs.

Full text of the paper is available.
More information can be found on the project page.