Enhancing security and privacy in online social networks
Sonia Jahid


Social networks have traditionally had some strange ways of dealing with security and privacy, and bring new challenges. How do we handle it if you leave a comment on a private photo and that later becomes public? Right now many networks would make the comment public, but does that make sense?

Sonia Jahid notes that one of the oddities of the social network is that traditionally we don't go through a 3rd party to talk to our friends, and some of the challenges towards a private and secure social network stem from that change. She proposes looking at a more decentralized model, but this forces us to make new decisions and answer new questions. For example, where is data going to be stored? (will I keep it myself? what if I'm offline?) What does access control mean for social networks? How do those models change if the network is decentralized? How can one efficiently provide something like a news feed for a distributed network?

I think one of the key insights of this talk is that while these questions may not seem that urgent for a facebook status update (what if you don't care about those?), many of these questions come up in other applications. For example, medical record sharing can be likened to a social network, where patients, doctors, hospitals, specialists, etc. all want to share some data while keeping other data private. And bringing the problem into the healthcare space brings other challenges: what if we need a "in case of emergency break glass" policy where if the patient is hospitalized while traveling, her medical data can still be accessed by the hospital that admits her. What if the patient wishes to see an audit listing everyone who has accessed her data? (How can we make that possible while keeping that information private from other folk?)

There's clearly some really interesting problems in this space!

Securing Online Reputation Systems
Yuhong Liu



Trust exists between people who know each other, but what if we want to trust people we may not know? This is the goal of reputation systems, but these ratings can be easily manipulated. Yuhong Liu points out a movie rating that was exceptionally high while the movie was during its promotional period, but fell rapidly once it had been out a while. Her research includes detecting such ratings manipulation.

For a single attacker, common strategies include increasing the cost of obtaining single userids, investigating statistically aberrant ratings, or giving users trust values, but all of these can be worked around, so Yuhong Liu's research includes a defense where she builds a statistical model based on the idea that items have intrinsic quality which is unlikely to change rapidly. She found that colluding users often share statistical patterns, making it possible to detect them.

One of the interesting things about this talk was a question from the audience about the complexity of this model: Because the first pass of the model uses a threshold to determine areas of interest in the ratings, we can avoid doing larger checks constantly and can focus only on regions of interest, making this much more feasible as far as run time goes. Handy!

On Detecting Deception
Sadia Afroz



Deception: adversarial behaviour that disrupts regular behaviour of a system

Sadia Afroz's work involves detecting deception three areas:
1. in writing where an author pretends to be another author.
2. websites pretending to be other webites (phishing)
3. blog comments (are the legit or are they spam?)

All of these are interesting cases, but I was most fascinated by the fact that her algorithm was fairly good at detecting short-term detection (e.g. a single article aping someone else's style) but had more difficulty detecting long-term deception like in the case of Amina/Thomas MacMaster. (This might be interesting to badgerbag?) Are long-term personas actually a different type of "deception" ?

---

All in all, lots of food for thought in this session. I've also uploaded my raw notes to the GHC12 wiki in case anyone wants a bit more detail than in this blog post.

Note: If you're one of the speakers and feel I accidentally mis-represented your talk or want me to remove a photo of you for any reason, please contact me at terri(a)zone12.com and I'd be happy to get things fixed for you!

I was at Security BSides Ottawa last weekend. I don't have much time to blog about it right now because I'm writing a paper, but here's what Pete Hillier and Dan Menard had to say about the individual talks.

As an academic, I find un-conference events a little strange. Normally, when I go out to a conference, I can expect every single talk to be about a brand new research idea, or some twist on an old one. There's a lot to be said for hearing existing ideas phrased well or talks showing off existing technologies, but it always takes me a while to move from one mindset to another. It's also lovely to hear people who are largely there because they like speaking and are willing to put work into their presentation skills. Definitely some quality talks to be had. And one that I didn't like (sorry, but mathematical formal methods for security are one of those things that always sounds great on paper but has been a great disappointment to me in practice), but I almost feel like it'd be disappointing if I agreed with everything!

I wish that some of these talks could be brought to even more general venues. Many were fun, but very much preaching to the choir. I'll bet the Star Trek talk, for example, could be rejigged nicely to take it in to a high school or undergraduate CS event. If anyone from BSides would be interested in doing talks at Carleton, you might want to talk to our undergraduate society or others at the school.

The other strange thing for me comes in meeting people who are working in industry, something I get to do surprisingly (embarrassingly) rarely as an academic. I learned some useful things from my lunch partners about the state of security in the trenches, especially how Ottawa as a government town has a particularly interesting landscape. And of course, Ron's now inspired me to go take a look at nmap scripts, which sound like exactly the sort of hacky security fun I needed: the type that comes in small debuggable chunks I can use as a diversion from research when I need a break but don't want to leave the security headspace.

So yeah, great people, interesting talks, and overall I felt it worthwhile despite the lack of research-level novelty that I take for granted in my usual conferences. Looking forwards to next time!

What would you want to learn in a short course on web security? What do you wish other people knew about web security?

I'm preparing curricula for a day and a half of training, and I'd love some suggestions and advice on what to cover.

Bank being sued for teaching customers bad security habits

Really short version: Turns out, it's a terrible idea to teach your customers bad habits.

Longer verison: And by bad habits, we mean the digital equivalent of saying, "of course our agents hang out in dark alleys. You should totally go there and give your wallet to strangers if they ask."

Every time Facebook makes a major change, you can hear outrage spread across the globe. Polls spring up with "Do you hate the new Facebook?" and yes is always in the lead. Your friends whine about it incessantly in their status messages. Petitions start asking Facebook to change things back.

It's easy to dismiss the fuss as a bunch of people who need to learn to move on. But it turns out, people are not wrong to hate every change in Facebook. They just might not be right for the reasons that they think.

As a web security researcher, I spend a lot of time thinking about what makes sites more secure, or more insecure. Every major change is likely to introduce new bugs, even as it may fix others. And the way the security model of the web works, any "minor" bug might result in major damage to you, as an individual. People store their whole lives on Facebook, and that means that a minor bug might let anyone in on their own, private stuff.

So every time the interface changes, you should probably be afraid that Facebook may be accidentally or intentionally allowing the entire world access to your stuff.

Does that mean "I hate the new Facebook!" is the new "GIRLS ONLY, NO BROTHERS ALLOWED!!!!" taped to the door? As in, you're worried Dad will leave the door open after vacuuming and you'll find your brother has played with your toys? Uncool, but really, no one who's over the age of 14 will care?

Turns out the security reality says the stakes are a lot higher. Many people keep a lot of private stuff in Facebook. It's more like Facebook said they were coming in to paint your apartment walls, but they rearranged all the furniture too and you have this feeling that they left the door unlocked and thus let strangers traipse through your apartment, maybe installing a wiretap and stealing your panties while they're there. Facebook makes a lousy landlord. Or at least a creepy one.

I don't know how to end this post. As long as Facebook is your landlord, you're subject to their whims, and you might as well get used to it. But if changes in Facebook leave you feeling maybe a little violated, that's probably exactly how you should feel.