Workshop Program

Vulnerability risk assessment is a crucial process in security management, and the CVSS score is the standard-de-facto risk metric for software vulnerabilities. In this manuscript I show that current risk assessment methodologies do not fit real "in the wild" attack data. I also present my three-steps plan to identify an Internet-scale risk assessment methodology that accounts for attacker economics and opportunities. Eventually, I want to provide answers like the following: "If we deploy this security measure, the fraction of our users affected by this type of cyber attacks will be less than X%".

Malware code has forensic value, as evident from recent studies drawing relationships between creators of Duqu and Stuxnet through similarity of their code. We present FuncTracker, a system developed on top of Palantir, to discover, visualize, and explore relationships between malware code, with the intent of drawing connections over very large corpi of malware – millions of binaries consisting of terabytes of data. To address such scale we forego the classic data-mining methods requiring pairwise comparison of feature vectors, and instead represent a malware as a set of hashes over carefully selected features. To ensure that a hash match implies a strong match we represent individual functions using hashes of semantic features, in lieu of syntact features commonly used in the literature. A graph representing a collection of malware is formed by function hashes representing nodes, making it possible to explore the collection using classic graph operations supported by Palantir. By annotating the nodes with additional information, such as the location and time where the malware was discovered, one can use the relationship within malware to make connections between otherwise unrelated clues.

Botnets continue to pose a significant threat to Internet security, and their detection remains a focus of academic and industry research. Some of the most successful botnet measurement and remediation efforts rely heavily on sinkholing the botnet's command and control (C&C) domains. Essentially, sinkholing consists of re-writing the DNS resource records of C&C domains to point to one or more sinkhole IP addresses, thus directing victim C&C communications to the sinkhole operator (e.g., law enforcement).

Sinkholes are typically managed in collaboration with domain registrars and/or registries, and the owner of the network range where the botnet C&C is sinkholed. Registrars often play a critical role in remediating abusive domains (e.g., by invoking rapid take-down terms commonly found in domain registration contracts, such as the "Uniform Rapid Suspension System"). Collaboration with the sinkhole network range owners is needed to endure the possible IP reputation damage to their IP space, since sinkholes may appear as real C&Cs to others.

While some sinkhole IPs are publicly known or can be easily discovered (see Section 2.1), most are jealously kept as trade secrets by their operators, to protect proprietary black lists of remediated domains. Therefore, third-party researchers are often unable to distinguish between malicious C&C sites and remediated domains pointed to sinkholes.

In some cases, this stove-piping of sinkhole information can cause "friendly fire", whereby security operators or law enforcement may take down an already sinkholed C&C. This results in disrupting remediation effort, and may in some cases bring more harm to the botnet victims (whose infected clients may turn to secondary or backup C&C domains not being remediated). It is therefore useful to build technologies capable of identifying whether or not a C&C domain and/or IP are part of a sinkholing effort.

One significant trend in online user authentication is using Web Single Sign-On (SSO) systems. Especially, open Web SSO standards such as OpenID and OAuth are rapidly gaining adoption on the Web, and they enable over one billion user accounts. However, the large-scale threat from phishing attacks to real-world Web SSO systems has been significantly underestimated and insufficiently analyzed. In this paper, we (1) pinpoint what are really unique in Web SSO phishing, (2) provide one example to illustrate how the identity providers (IdPs) of Web SSO systems can be spoofed with ease and precision, (3) present a preliminary user study to demonstrate the high effectiveness (20 out of 28, or 71% of participants became "victims") of Web SSO phishing attacks, and (4) call for a collective effort to effectively defend against the insidiousWeb SSO phishing attacks.

WebView is a technique to mingle web and native applications for mobile devices. The fact that its main incentive requires making data stored on, as well as the functionality of mobile devices, directly accessible to active web content, is not without consequences to security.

In this paper, we present a threat scenario that targets WebView apps and show its practical applicability in a case study of selected apps. We further show results of our examination of over 287,000 apps in regard to WebView-related vulnerabilities.