WOOT & IEEE S&P: Jordy Gennissen

A while back, I had the pleasure of joining IEEE Security & Privacy (S&P / Oakland) and the Workshop On Offensive Technologies (WOOT) on behalf of Royal Holloway.

In part, this was to present my latest research project at WOOT: an online puzzle game whose player solutions take work off exploit writers and aid vulnerability severity analysis.


At S&P, Royal Holloway presented several more projects.

Guido from the S3Lab presented his work on the formal analysis of web payment APIs. Through their analysis, they found two vulnerabilities that could be leveraged by online vendors to overcharge the customer, e.g. by forcing the customer to pay the required amount with multiple payment methods. The vulnerabilities have been acknowledged and patched, making the world a safer place.

We also had a great (online) presentation from Lenka on the security properties of Telegram. They studied the non-conventional symmetric cryptography Telegram uses under normal usage, exploited its flaws, proposed a fix, and proved the effectiveness of that fix. If you're still unsure whether to read their paper: they received the best paper award!


S&P is a well-known venue that presents good research, but WOOT is not as well known. To give some idea of the atmosphere, I consider it a smaller, more academically focused version of Black Hat: the focus is on practical and clever attacks. At WOOT, the novelty is often in the ingenuity and creativity of the solution, paired with a large amount of work. To illustrate, I'll quickly discuss one presentation from this year called "Interactive History Sniffing with Dynamically-Generated QR Codes and CSS Difference Blending".

In HTML/CSS, we can set the colour of links. More interestingly, we can change the text colour based on whether the person visiting the website has already been to the link's URL. This has been used in a CAPTCHA: 'visited' links are given the same colour as the background, rendering them invisible. With about 10 characters inside the CAPTCHA, each containing one unique link, the CAPTCHA response tells us exactly which links the victim has previously visited.


The paper they presented this year took this idea to the next level. Instead of creating a CAPTCHA, they created a QR code with potentially hundreds of links. Through a clever XOR operation built from relative CSS colourisation (the difference blending of the title), the authors managed to create a correct QR code, error-correcting code included, no matter which links you have and haven't visited. When the code is scanned, the attacker knows exactly which links you visited before (and which computer and smartphone belong to the same user). Although conceptually rather simple, it is very creative and the amount of effort is huge. Truthfully, it inspired me to return to WOOT and enjoy everyone's wit.


Last but not least, I haven't yet discussed my own research project. I could explain for hours (as I certainly have to some people), but the basic concept is solving the heap layout manipulation problem (a necessary step in writing heap exploits). We do so by presenting a visual, interactive online puzzle game called Hack the Heap. You can play the game at https://hacktheheap.io/, where you can find the paper and additional information too. Happy puzzling!


