Stanford Security Lunch
Winter 2023

Get announcements:

January 11, 2023 Ethical hacking (and phishing) of connected households

Speaker:  Fredrik Heiding

Abstract:  Connected devices have become an integral part of modern homes, and modern household devices, such as vacuum cleaners and refrigerators, are often connected to networks. This connectivity introduces an entry point for cyber attackers; unfortunately, many IoT devices commonly found in households are vulnerable to attacks. This presentation will disclose a vulnerability assessment of 22 devices from five categories related to connected homes: smart door locks, smart cameras, smart cars/garages, smart appliances, and miscellaneous smart home devices. In total, 17 vulnerabilities were discovered and published as new CVEs. Some CVEs received critical severity rankings from the National Vulnerability Database (NVD), reaching 9.8/10. The devices are already being sold and used worldwide, and the discovered vulnerabilities could lead to severe consequences for residents, such as an attacker gaining physical access to the house. In addition to the published CVEs, 52 weaknesses were discovered that might be published as new CVEs later. The tests are conducted using a vulnerability assessment methodology specifically created for IoT, consisting of four key elements: attack surface decomposition, compilation of top 100 weaknesses, lightweight risk scoring, and step-by-step penetration testing guidelines. Lastly, social engineering is discussed, where the GPT language models are used to facilitate efficient large-scale phishing attacks using automated creation of phishing kits and emails.

January 18, 2023 Social Lunch

Speaker:  None


January 25, 2023 Aardvark: An Asynchronous Authenticated Dictionary with Applications to Account-based Cryptocurrencies

Speaker:  Derek Ting-Haye Leung

Abstract:  We design Aardvark, a novel authenticated dictionary with short proofs of correctness for lookups and modifications. Our design reduces storage requirements for transaction validation in cryptocurrencies by outsourcing data from validators to untrusted servers, which supply proofs of correctness of this data as needed. In this setting, short proofs are particularly important because proofs are distributed to many validators, and the transmission of long proofs can easily dominate costs. A proof for a piece of data in an authenticated dictionary may change whenever any (even unrelated) data changes. This presents a problem for concurrent issuance of cryptocurrency transactions, as proofs become stale. To solve this problem, Aardvark employs a versioning mechanism to safely accept stale proofs for a limited time. On a dictionary with 100 million keys, operation proof sizes are about 1KB in a Merkle Tree versus 100–200B in Aardvark. Our evaluation shows that a 32-core validator processes 1492–2941 operations per second, saving about 800× in storage costs relative to maintaining the entire state.

February 01, 2023 Social Lunch

Speaker:  None


February 08, 2023 Post-Digital Safety in Digitally-Mediated Offline Interactions

Speaker:  Veronica Rivera

Abstract:  The boundaries between online and offline life are often blurred as more technologies enable the digital mediation of offline interactions (DMOIs). The definition of safety has taken a paradigm shift beyond traditional technological security thinking; some researchers urge us to focus on post-digital safety, or people’s safety holistically, rather than strictly online threats. To answer these calls, we apply a mixed-methods approach to better understand the core harms that manifest in DMOIs, the protective safety behaviors people employ to mitigate these harms, and the prevalence of harms and behaviors. We begin by systematizing existing work that focuses on post-digital harms and protective behaviors. We supplement this work by investigating the prevalence of these behaviors among two exemplar populations who engage in DMOIs: gig workers and online daters. Drawing on these we build a taxonomy and threat model for DMOIs that provide a shared language to describe the threats, behaviors, and actors involved. Further, we provide directions for researchers to reimagine defensive tools to support safety in DMOIs and offer guidance for future post-digital safety research and design.

February 15, 2023 Lessons learned from years of hacking banks

Speaker:  Thai Duong

Abstract:  In this talk, we share our experiences and lessons learned from hacking computer systems to steal money and data from banks in developing countries. Over the past few years, we have simulated targeted attacks on the largest banks in South East Asia, with their consent. For each bank, it took us an average of 5 days to infiltrate their computer network and a few more weeks to get the money out. We have never failed to steal money. We could even steal money automatically from millions of accounts. When working with leaders and engineers at these banks, we found that they care a great deal about security, and spend a lot of time, effort, money on it, even sacrifice product usability and employee productivity for the sake of safety. Then why are their systems and products so fragile? This talk is an attempt to review what they did wrong and the lessons that we have learned that hopefully are useful to all who want to build secure software systems.