Stanford Security Lunch
Spring 2019

Get announcements: Mail Ical

April 03, 2019 Preventing Account Hijacking

Speaker:  Kurt Thomas

Abstract:  A recent survey from PEW found that—more than hate and harassment and more than misinformation—people are most concerned with the threat of identity theft and stolen data. This talk will provide a deep dive into the current landscape of account hijacking threats such as password washing, phishing, malware, and targeted operations and how best to protect users from each attack. We’ll show how underground markets provide a unique vantage point to measure the reach of attackers and their techniques. From these insights, we show why password-only authentication is obsolete, and how we’ve adopted a risk-aware, defense-in-depth approach to help keep users safe.

April 10, 2019 Private Communication without Synchronization

Speaker:  Saba Eskandarian

Abstract:  Rendezvous is a communication system that cryptographically protects metadata. Unlike all existing systems for metadata-hiding communication, Rendezvous does not require users to communicate in synchronous messaging rounds: Rendezvous provides meaningful metadata-hiding guarantees even if different users interact with the system at different rates. A Rendezvous deployment consists of a three-server cluster, and the system protects user privacy even if an active attacker controls one of the servers and any number of users. Every pair of Rendezvous users shares a secret virtual address that points to a unique mailbox stored at the servers. By cryptographically protecting accesses to virtual addresses, the honest servers prevent malicious servers and users from learning which mailbox has been updated when. By applying new cryptographic tools for detecting disruption attacks by malicious clients, Rendezvous reduces the bandwidth cost per message from O(√N) to O(logN) bits in an N-user deployment, which yields 4× and 8× overall performance improvements on the server and client sides, respectively, and reduces communication costs by one or more orders magnitude. Finally, we discuss how Rendezvous might apply in practice to protect communication between journalists and sources. This is joint work with Henry Corrigan-Gibbs, Matei Zharia, and Dan Boneh.

April 17, 2019 Measuring Abuse at Scale

Speaker:  David Freeman

Abstract:  The most difficult part of fighting abuse on a large consumer platform is not figuring out how to detect and block the bad guys — it's figuring out whether they're there in the first place. What's the “background level” of spam and fake accounts? How can we figure out what our detection systems are missing? Any metric that tries to answer these questions must have a number of properties: * It must be directionally correct — properly reflecting both new attacks and new interventions. * It must be actionable — able to be sliced up to surface specific examples. * It must avoid feedback loops — measure independently of what we've already found. * It must be robust to adversarial manipulation — decreases indicate a true drop in activity rather than adversaries avoiding the metric. * It must be scalable — able to adapt to new problems. In this talk I will present several approaches that Facebook's integrity teams have used to measure and prioritize their problems. I will discuss pros and cons of using user reports, human labeling, and automated labeling, and offer scenarios in which each of these should and shouldn't be used. Armed with these tools, you can go back to your product and find out exactly how much abuse it's attracting...the results could change your life!

April 24, 2019 TBA

May 01, 2019 TBA

Speaker:  Serge Egelman

May 08, 2019 TBA

May 15, 2019 TBA

Speaker:  Saba Eskandarian

May 22, 2019 TBA

Speaker:  Florian Tramer

May 29, 2019 TBA

Speaker:  Aloni Cohen

June 05, 2019 TBA