NYU Center for Cybersecurity tackles creepware, Tor, Facebook, and more at notable symposium

Each year since 1980, the Institute of Electrical and Electronics Engineers (IEEE) has held its annual Symposium on Security and Privacy, and the event is now widely acknowledged as a premier forum for researchers and practitioners in the field. Although the 2020 edition took place virtually, it lived up to its reputation for presenting cutting-edge research on topics that affect anyone who has ever logged onto a website or browsed the internet.

Among the presenters were those from NYU Tandon and the NYU Center for Cybersecurity (CCS), an interdisciplinary research institute dedicated to training cybersecurity professionals and shaping the public discourse and policy, legal, and technological landscape on issues of cybersecurity and online privacy.

Editing Wikipedia anonymously

User-generated content sites such as Wikipedia routinely block contributions from users of privacy-enhancing proxies like Tor because of the perception that proxies are a source of vandalism, spam, and abuse. That ignores the fact that most individuals using proxies — from journalists seeking to protect their sources to citizens living in countries where internet access is excessively restricted — are upstanding people and there are few compelling reasons to ban them from making what could be valuable contributions to crowdsourced sites.

NYU Tandon Associate Professor of Computer Science and Engineering Rachel Greenstadt and Tandon doctoral student Chau Tran, along with colleagues from the University of Washington and Drexel, authored “Are Anonymity-Seekers Just Like Everybody Else? An Analysis of Contributions to Wikipedia from Tor,” which was presented during the symposium. In the paper, they describe examining more than 11,000 edits made by Tor users able to bypass Wikipedia’s Tor ban between 2007 and 2018. They found that those users, on average, contributed higher-quality changes to articles than IP editors (who are non-logged-in users identified by their IP addresses).  

The scourge of creepware

Technology increasingly facilitates interpersonal attacks such as stalking, abuse, and other forms of harassment. (The domestic-violence charity Refuge reports that the vast majority of the cases it sees involve technology-based abuse of some kind.) Abusers often use mobile devices to deploy “creepware” — software that allows them to track or spy on others. It’s hard to detect those apps, however, because many have misleadingly innocuous names such as “Family Locator for Android.”

Associate Professor of Computer Science and Engineering Damon McCoy, along with colleagues from Cornell Tech and the NortonLifeLock Research Group, presented “The Many Kinds of Creepware Used for Interpersonal Attacks.” In it, they describe their development of a new algorithm, CreepRank, that uses the principle of guilt by association to help surface previously unknown examples of creepware, which they then characterize through a combination of quantitative and qualitative methods. They discovered apps used for harassment, impersonation, fraud, information theft, concealment, and even apps that purport to defend victims against such threats, and as a result of their work, the Google Play Store has already removed hundreds of apps for policy violations.

More transparent ads

McCoy, along with doctoral student Laura Edelson and Tobias Lauinger, also presented “A Security Analysis of the Facebook Ad Library,” in which they explain that actors engaged in election disinformation are using online advertising platforms to spread political messages, and in response to this threat, online advertising networks have started making political advertising on their platforms more transparent in order to enable third parties to detect malicious advertisers.

The authors devised a set of methodologies and performed a security analysis of Facebook’s U.S. Ad Library, which is their political advertising transparency product. They found that there were several weaknesses that enable a malicious advertiser to avoid accurate disclosure of their political ads and propose a clustering-based method to detect advertisers engaged in undeclared coordinated activity.  The method identified 16 clusters of likely inauthentic communities that spent more than $4 million on political advertising, supporting the idea that transparency can be a promising tool for combating disinformation.

Hidden backdoors

Along with researchers from Ohio State University and Germany’s  CISPA Helmholtz Center for Information Security, Assistant Professor of Computer Science and Engineering Brendan Dolan-Gavitt presented “Automatic Uncovering of Hidden Behaviors from Input Validation in Mobile Apps,” in which they explain that while mobile apps  available through markets such as the Google Play Store or the Apple App Store have rich and useful functionality that is publicly exposed to end-users, they also contain hidden behaviors that are not disclosed, such as backdoors and blacklists

In the paper, they showed that the input validation behavior — the way the mobile apps process and respond to data entered by users — can serve as a powerful tool for uncovering such hidden functionality, and they developed a tool, INPUTSCOPE, that automatically detects both the execution context of user input validation and also the content involved in the validation, to automatically expose the secrets of interest.

How Secure is Dragonfly Handshake?

NYU Center for Cyber Security member Mathy Vanhoef, a post-doctoral researcher at NYU Abu Dhabi delivered a presentation, "Dragonblood: Analyzing the Dragonfly Handshake of WPA3 and EAP-pwd" with Eyal Ronen of Tel Aviv University. Modern Wi-Fi networks use the old WPA2 protocol to protect transmitted data. The Wi-Fi Alliance recently announced the new and more secure WPA3 protocol which uses the Dragonfly handshake, which is meant to render the password of a network nearly impossible to crack. The researchers found, however, that even with the new protocol, an attacker within range of a victim can still recover the password. If the victim uses no extra protection such as HTTPS, this allows an attacker to steal sensitive information such as passwords and emails.