Publications

    2020

  • A Practical Approach for Taking Down Avalanche Botnets Under Real-World Constraints
    Victor Le Pochat, Tim Van hamme, Sourena Maroofi, Tom Van Goethem, Davy Preuveneers, Andrzej Duda, Wouter Joosen, Maciej Korczyński
    27th Annual Network and Distributed System Security Symposium (NDSS), 2020.
    Abstract

    In 2016, law enforcement dismantled the infrastructure of the Avalanche bulletproof hosting service, the largest takedown of a cybercrime operation so far. The malware families supported by Avalanche use Domain Generation Algorithms (DGAs) to generate random domain names for controlling their botnets. The takedown proactively targets these presumably malicious domains; however, as coincidental collisions with legitimate domains are possible, investigators must first classify domains to prevent undesirable harm to website owners and botnet victims.

    The constraints of this real-world takedown (proactive decisions without access to malware activity, no bulk patterns and no active connections) mean that approaches from the state of the art cannot be applied. The problem of classifying thousands of registered DGA domain names therefore required an extensive, painstaking manual effort by law enforcement investigators. To significantly reduce this effort without compromising correctness, we develop a model that automates the classification. Through a synergetic approach, we achieve an accuracy of 97.6% with ground truth from the 2017 and 2018 Avalanche takedowns; for the 2019 takedown, this translates into a reduction of 76.9% in manual investigation effort. Furthermore, we interpret the model to provide investigators with insights into how benign and malicious domains differ in behavior, which features and data sources are most important, and how the model can be applied according to the practical requirements of a real-world takedown.

    Cite
    @inproceedings{LePochat2020avalanche,
      author = "{Le Pochat}, Victor and {Van hamme}, Tim and Maroofi, Sourena and {Van Goethem}, Tom and Preuveneers, Davy and Duda, Andrzej and Joosen, Wouter and Korczy\'{n}ski, Maciej",
      title = "A Practical Approach for Taking Down Avalanche Botnets Under Real-World Constraints",
      booktitle = {Proceedings of the 27th Annual Network and Distributed System Security Symposium},
      series = {NDSS 2020},
      year = 2020,
      doi = {10.14722/ndss.2020.24161},
    }
    2019

  • Evaluating the Long-term Effects of Parameters on the Characteristics of the Tranco Top Sites Ranking
    Victor Le Pochat, Tom Van Goethem, Wouter Joosen
    12th USENIX Workshop on Cyber Security Experimentation and Test (CSET), 2019.
    Abstract

    Although researchers often use top websites rankings for web measurements, recent studies have shown that due to the inherent properties and susceptibility to manipulation of these rankings, they potentially have a large and unknown influence on research results and conclusions. As a response, we provide Tranco, a research-oriented approach for aggregating these rankings transparently and reproducibly.

    We analyze the long-term properties of the Tranco ranking and determine whether it contains a balanced set of domains. We compute how well Tranco captures websites that are responsive, regularly visited and benign. Through one year of rankings, we also examine how the default parameters of Tranco create a stable, robust and comprehensive ranking.

    Through our evaluation, we provide an understanding of the characteristics of Tranco that are important for research and of the impact of parameters on the ranking composition. This informs researchers who want to use Tranco in a sound and reproducible manner.

    Cite
    @inproceedings{le2019evaluating,
      title={Evaluating the long-term effects of parameters on the characteristics of the Tranco top sites ranking},
      author={Le Pochat, Victor and Van Goethem, Tom and Joosen, Wouter},
      booktitle={12th {USENIX} Workshop on Cyber Security Experimentation and Test ({CSET} 19)},
      year={2019}
    }
  • Purchased Fame: Exploring the Ecosystem of Private Blog Networks
    Tom Van Goethem, Najmeh Miramirkhani, Wouter Joosen, Nick Nikiforakis
    In Proceedings of the 2019 ACM Asia Conference on Computer and Communications Security (AsiaCCS), 2019.
    Abstract

    For many, a browsing session starts by entering relevant keywords in a popular search engine. The websites that users thereafter land on are often determined by their position in the search results. Although little is known about the proprietary ranking algorithms employed by popular search engines, it is strongly suspected that the incoming links have a significant influence on the outcome. This has led to the inception of various black-hat SEO techniques that aim to deceive search engines to promote a specific website.

    In this paper, we present the first extensive study on the ecosystem of a novel type of black-hat SEO, namely the trade of artificially created backlinks through private blog networks (PBNs). Our study is three-pronged: first, we perform an exploratory analysis, through which we capture intrinsic information of the ecosystem and measure the effectiveness of backlinks. Next, we develop and present an ML-driven methodology that detects PBN sites with an accuracy of 98.7% by leveraging various content-based and linking-based features intrinsic to the operation of the ecosystem. Finally, in a large-scale experiment involving more than 50,000 websites, we expose large networks of backlink operations, finding thousands of websites engaged in PBNs.

    Cite
    @inproceedings{van2019purchased,
      title={Purchased Fame: Exploring the Ecosystem of Private Blog Networks},
      author={Van Goethem, Tom and Miramirkhani, Najmeh and Joosen, Wouter and Nikiforakis, Nick},
      booktitle={Proceedings of the 2019 ACM Asia Conference on Computer and Communications Security},
      pages={366--378},
      year={2019}
    }
  • Mobile Friendly or Attacker Friendly? A Large-scale Security Evaluation of Mobile-first Websites
    Tom Van Goethem, Victor Le Pochat, Wouter Joosen
    In Proceedings of the 2019 ACM Asia Conference on Computer and Communications Security (AsiaCCS), 2019.
    Abstract

    In the last few years, traffic generated by mobile devices has surpassed desktop visits. In order to provide users with the best browsing experience, many website owners specifically tailor their site to mobile devices. While some websites make use of reactive designs, many others opt to create an entirely new “mobile-first” website, typically hosted on a subdomain of the desktop site. These mobile-first sites provide a unique viewpoint on how organizations handle security: the mobile version of a site is typically developed several years after the desktop site by the same organization. Through a large-scale security analysis on 10,222 domains with both a desktop and mobile-first version, we find several strong indicators that security is generally applied consistently across the different parts of an organization’s web estate. Overall, we find relatively few differences between the desktop and mobile versions of a website, both on the adoption and the implementation of security features, indicating that these are applied reactively rather than proactively during the design phase.

    Cite
    @inproceedings{van2019mobile,
      title={Mobile Friendly or Attacker Friendly? A Large-scale Security Evaluation of Mobile-first Websites},
      author={Van Goethem, Tom and Le Pochat, Victor and Joosen, Wouter},
      booktitle={Proceedings of the 2019 ACM Asia Conference on Computer and Communications Security},
      pages={206--213},
      year={2019}
    }
  • A Smörgåsbord of Typos: Exploring International Keyboard Layout Typosquatting
    Victor Le Pochat, Tom Van Goethem, Wouter Joosen
    4th International Workshop on Traffic Measurements for Cybersecurity (WTMC), 2019.
    Abstract

    Typosquatting is the malicious practice of registering domains that result from typos made when users try to visit popular domains. Previous works have only considered the US English keyboard layout, but of course other layouts are widely used around the world. In this paper, we uncover how typosquatters are also targeting communities that use these other layouts by examining typo domains on non-US English keyboards for 100 000 popular domains. We find that German users are the most targeted, with over 15 000 registered typo domains. Companies such as Equifax and Amazon have defensively registered such domains but are often incomplete; moreover, other major companies ignore them altogether and allow malicious actors to capitalize on their brand. Parking domains or advertising them for sale remains the most popular monetization strategy of squatters on at least 40% of registered domains, but we also see more harmful practices, such as a scam website that spoofs a local newspaper. This proves that domain squatters also consider typos on non-US English keyboards to be valuable, and that companies should be more alert in claiming these domains.

    Cite
    @inproceedings{le2019smorgaasbord,
      title={A Sm{\"o}rg{\aa}sbord of Typos: Exploring International Keyboard Layout Typosquatting},
      author={Le Pochat, Victor and Van Goethem, Tom and Joosen, Wouter},
      booktitle={2019 IEEE Security and Privacy Workshops (SPW)},
      pages={187--192},
      year={2019},
      organization={IEEE}
    }
    • Best paper award
  • Funny Accents: Exploring Genuine Interest in Internationalized Domain Names
    Victor Le Pochat, Tom Van Goethem, Wouter Joosen
    In Proceedings of the 20th Passive and Active Measurement Conference (PAM), 2019.
    Abstract

    International Domain Names (IDNs) were introduced to support non-ASCII characters in domain names. In this paper, we explore IDNs that hold genuine interest, i.e. that owners of brands with diacritical marks may want to register and use. We generate 15 276 candidate IDNs from the page titles of popular domains, and see that 43% are readily available for registration, allowing for spoofing or phishing attacks. Meanwhile, 9% are not allowed by the respective registry to be registered, preventing brand owners from owning the IDN. Based on WHOIS records, DNS records and a web crawl, we estimate that at least 50% of the 3 189 registered IDNs have the same owner as the original domain, but that 35% are owned by a different entity, mainly domain squatters; malicious activity was not observed. Finally, we see that application behavior toward these IDNs remains inconsistent, hindering user experience and therefore widespread uptake of IDNs, and even uncover a phishing vulnerability in iOS Mail.

    Cite
    @inproceedings{LePochat2019funnyaccents,
      author = "{Le Pochat}, Victor and {Van Goethem}, Tom and Joosen, Wouter",
      title = "Funny Accents: Exploring Genuine Interest in Internationalized Domain Names",
      booktitle = {Proceedings of the 20th Passive and Active Measurement Conference},
      series = {PAM 2019},
      year = 2019,
    }
  • Tranco: A Research-Oriented Top Sites Ranking Hardened Against Manipulation
    Victor Le Pochat, Tom Van Goethem, Samaneh Tajalizadehkhoob, Maciej Korczyński, Wouter Joosen
    In Proceedings of the 26th Network and Distributed System Security Symposium (NDSS), 2019.
    Abstract

    In order to evaluate the prevalence of security and privacy practices on a representative sample of the Web, researchers rely on website popularity rankings such as the Alexa list. While the validity and representativeness of these rankings are rarely questioned, our findings show the contrary: we show for four main rankings how their inherent properties (similarity, stability, representativeness, responsiveness and benignness) affect their composition and therefore potentially skew the conclusions made in studies. Moreover, we find that it is trivial for an adversary to manipulate the composition of these lists. We are the first to empirically validate that the ranks of domains in each of the lists are easily altered, in the case of Alexa through as little as a single HTTP request. This allows adversaries to manipulate rankings on a large scale and insert malicious domains into whitelists or bend the outcome of research studies to their will. To overcome the limitations of such rankings, we propose improvements to reduce the fluctuations in list composition and guarantee better defenses against manipulation. To allow the research community to work with reliable and reproducible rankings, we provide Tranco, an improved ranking that we offer through an online service available at https://tranco-list.eu.

    Cite
    @inproceedings{LePochat2019tranco,
      author = "{Le Pochat}, Victor and {Van Goethem}, Tom and Tajalizadehkhoob, Samaneh and Korczy\'{n}ski, Maciej and Joosen, Wouter",
      title = "Tranco: A Research-Oriented Top Sites Ranking Hardened Against Manipulation",
      booktitle = {Proceedings of the 26th Annual Network and Distributed System Security Symposium},
      series = {NDSS 2019},
      year = 2019,
      doi = {10.14722/ndss.2019.23386},
    }
    2018

  • Idea: Visual Analytics for Web Security
    Victor Le Pochat, Tom Van Goethem, Wouter Joosen
    International Symposium on Engineering Secure Software and Systems, 2018.
    Abstract

    The growing impact of issues in web security has led researchers to conduct large-scale measurements aimed at analyzing and understanding web-related ecosystems. Comprehensive solutions for data collection on a large set of websites have been developed, but analysis practices remain ad hoc, requiring additional efforts and slowing down investigations. A promising approach to data analysis is visual analytics, where interactive visualizations are used to speed up data exploration. However, this approach has not yet been applied to web security, and creating such a solution requires addressing domain-specific challenges. In this paper, we show how visual analytics can help in analyzing the data from web security studies. We present a case study of leveraging an interactive visualization tool to replicate a security study, and evaluate a prototype tool implementing visual analytics techniques designed for web security. We conclude that such a tool would provide a solution that allows researchers to more effectively study web security issues.

    Cite
    @inproceedings{le2018idea,
      title={Idea: Visual Analytics for Web Security},
      author={Le Pochat, Victor and Van Goethem, Tom and Joosen, Wouter},
      booktitle={International Symposium on Engineering Secure Software and Systems},
      pages={124--132},
      year={2018},
      organization={Springer}
    }
  • Poster: Towards Visual Analytics for Web Security Data
    Victor Le Pochat, Tom Van Goethem, Wouter Joosen
    Passive and Active Measurement (PAM), 2018.
    Cite
    @inproceedings{lepochat2018towards,
      title={Towards Visual Analytics for Web Security Data},
      author={Le Pochat, Victor and Van Goethem, Tom and Joosen, Wouter},
      booktitle={International Conference on Passive and Active Network Measurement},
      year={2018}
    }
  • Automated Feature Extraction for Website Fingerprinting through Deep Learning
    Vera Rimmer, Davy Preuveneers, Marc Juarez, Tom Van Goethem, Wouter Joosen
    In Proceedings of the 25th Network and Distributed System Security Symposium (NDSS), 2018.
    Abstract

    Several studies have shown that the network traffic that is generated by a visit to a website over Tor reveals information specific to the website through the timing and sizes of network packets. By capturing traffic traces between users and their Tor entry guard, a network eavesdropper can leverage this meta-data to reveal which website Tor users are visiting. The success of such attacks heavily depends on the particular set of traffic features that are used to construct the fingerprint. Typically, these features are manually engineered and, as such, any change introduced to the Tor network can render these carefully constructed features ineffective. In this paper, we show that an adversary can automate the feature engineering process, and thus automatically deanonymize Tor traffic by applying our novel method based on deep learning. We collect a dataset comprised of more than three million network traces, which is the largest dataset of web traffic ever used for website fingerprinting, and find that the performance achieved by our deep learning approaches is comparable to known methods which include various research efforts spanning over multiple years. The obtained success rate exceeds 96% for a closed world of 100 websites and 94% for our biggest closed world of 900 classes. In our open world evaluation, the most performant deep learning model is 2% more accurate than the state-of-the-art attack. Furthermore, we show that the implicit features automatically learned by our approach are far more resilient to dynamic changes of web content over time. We conclude that the ability to automatically construct the most relevant traffic features and perform accurate traffic recognition makes our deep learning based approach an efficient, flexible and robust technique for website fingerprinting.

    Cite
    @inproceedings{rimmer2018automated,
      title={Automated Website Fingerprinting through Deep Learning},
      author={Rimmer, Vera and Preuveneers, Davy and Juarez, Marc and Van Goethem, Tom and Joosen, Wouter},
      booktitle={Network \& Distributed System Security Symposium (NDSS)},
      year={2018}
    }
    2017

  • Herding Vulnerable Cats: a Statistical Approach to Disentangle Joint Responsibility for Web Security in Shared Hosting
    Samaneh Tajalizadehkhoob, Tom Van Goethem, Maciej Korczyński, Arman Noroozian, Rainer Böhme, Tyler Moore, Wouter Joosen, Michel van Eeten
    In Proceedings of the 24th ACM SIGSAC Conference on Computer and Communications Security (CCS), 2017.
    Abstract

    Hosting providers play a key role in fighting web compromise, but their ability to prevent abuse is constrained by the security practices of their own customers. Shared hosting offers a unique perspective since customers operate under restricted privileges and providers retain more control over configurations. We present the first empirical analysis of the distribution of web security features and software patching practices in shared hosting providers, the influence of providers on these security practices, and their impact on web compromise rates. We construct provider-level features on the global market for shared hosting – containing 1,259 providers – by gathering indicators from 442,684 domains. Exploratory factor analysis of 15 indicators identifies four main latent factors that capture security efforts: content security, webmaster security, web infrastructure security and web application security. We confirm, via a fixed-effect regression model, that providers exert significant influence over the latter two factors, which are both related to the software stack in their hosting environment. Finally, by means of GLM regression analysis of these factors on phishing and malware abuse, we show that the four security and software patching factors explain between 10% and 19% of the variance in abuse at providers, after controlling for size. For web-application security for instance, we found that when a provider moves from the bottom 10% to the best-performing 10%, it would experience 4 times fewer phishing incidents. We show that providers have influence over patch levels, even higher in the stack where CMSes can run as client-side software, and that this influence is tied to a substantial reduction in abuse levels.

    Cite
    @inproceedings{tajalizadehkhoob2017herding,
      title={Herding Vulnerable Cats: a Statistical Approach to Disentangle Joint Responsibility for Web Security in Shared Hosting},
      author={Tajalizadehkhoob, Samaneh and Van Goethem, Tom and Korczy{\'n}ski, Maciej and Noroozian, Arman and B{\"o}hme, Rainer and Moore, Tyler and Joosen, Wouter and van Eeten, Michel},
      booktitle={Proceedings of the 24th ACM SIGSAC Conference on Computer and Communications Security},
      year={2017},
      organization={ACM}
    }
  • The Wolf of Name Street: Hijacking Domains through their Nameservers
    Thomas Vissers, Timothy Barron, Tom Van Goethem, Wouter Joosen, Nick Nikiforakis
    In Proceedings of the 24th ACM SIGSAC Conference on Computer and Communications Security (CCS), 2017.
    Abstract

    The functionality and security of all domain names are contingent upon their nameservers. When these nameservers, or requests to them, are compromised, all domains that rely on them are affected. In this paper, we study the exploitation of configuration issues (typosquatting and outdated WHOIS records) and hardware errors (bitsquatting) to seize control over nameservers’ requests to hijack domains. We perform a large-scale analysis of 10,000 popular nameserver domains, in which we map out existing abuse and vulnerable entities. We confirm the capabilities of these attacks through real-world measurements. Overall, we find that over 12,000 domains are susceptible to near-immediate compromise, while 52.8M domains are being targeted by nameserver bitsquatters that respond with rogue IP addresses. Additionally, we determine that 1.28M domains are at risk of a denial-of-service attack by relying on an outdated nameserver.

    Cite
    @inproceedings{vissers2017thewolf,
      title={The Wolf of Name Street: Hijacking Domains through their Nameservers},
      author={Vissers, Thomas and Barron, Timothy and Van Goethem, Tom and Joosen, Wouter and Nikiforakis, Nick},
      booktitle={Proceedings of the 24th ACM SIGSAC Conference on Computer and Communications Security},
      year={2017},
      organization={ACM}
    }
  • One Side-Channel to Bring Them All and in the Darkness Bind Them: Associating Isolated Browsing Sessions
    Tom Van Goethem, Wouter Joosen
    11th USENIX Workshop on Offensive Technologies (WOOT), 2017.
    Abstract

    Online tracking and fingerprinting is becoming increasingly more prevalent and pervasive. The privacy threats associated with these practices have given rise to a wide variety of privacy-enhancing solutions. However, as these solutions retroactively apply patches to existing browsers in an attempt to thwart potential attacks, it is of key importance that the complete threat surface is known such that all risks can be considered. In this paper we evaluate the browser’s threat surface with regard to fingerprinting and tracking in the context of isolated browsing sessions, i.e. regular versus incognito sessions or sessions across different browsers. We uncover and evaluate three types of side-channels, and show how an adversary can exploit these to track users across sessions and even reveal the IP address of Tor users when they use a concurrent browsing session.

    Cite
    @inproceedings{van2017one,
      title={One Side-Channel to Bring Them All and in the Darkness Bind Them: Associating Isolated Browsing Sessions},
      author={Van Goethem, Tom and Joosen, Wouter},
      booktitle={WOOT},
      year={2017}
    }
    2016

  • Request and Conquer: Exposing Cross-Origin Resource Size
    Tom Van Goethem, Mathy Vanhoef, Frank Piessens, Wouter Joosen
    25th USENIX Security Symposium (USENIX Security), 2016.
    Abstract

    Numerous initiatives are encouraging website owners to enable and enforce TLS encryption for the communication between the server and their users. Although this encryption, when configured properly, completely prevents adversaries from disclosing the content of the traffic, certain features are not concealed, most notably the size of messages. As modern-day web applications tend to provide users with a view that is tailored to the information they entrust these web services with, it is clear that knowing the size of specific resources, an adversary can easily uncover personal and sensitive information.

    In this paper, we explore various techniques that can be employed to reveal the size of resources. As a result of this in-depth analysis, we discover several design flaws in the storage mechanisms of browsers, which allows an adversary to expose the exact size of any resource in mere seconds. Furthermore, we report on a novel size-exposing technique against Wi-Fi networks. We evaluate the severity of our attacks, and show their worrying consequences in multiple real-world attack scenarios. Furthermore, we propose an improved design for browser storage, and explore other viable solutions that can thwart size-exposing attacks.

    Cite
    @incollection{van2016request,
      title={Request and Conquer: Exposing Cross-Origin Resource Size},
      author={Van Goethem, Tom and Vanhoef, Mathy and Piessens, Frank and Joosen, Wouter},
      booktitle={Proceedings of the 25th USENIX Security Symposium},
      year={2016}
    }
  • HEIST: HTTP Encrypted Information can be Stolen through TCP-windows
    Tom Van Goethem, Mathy Vanhoef
    Black Hat USA, 2016.
    Abstract

    Over the last few years, a worrying number of attacks against SSL/TLS and other secure channels have been discovered. Fortunately, at least from a defender's perspective, these attacks require an adversary capable of observing or manipulating network traffic. This prevented a wide and easy exploitation of these vulnerabilities. In contrast, we introduce HEIST, a set of techniques that allows us to carry out attacks against SSL/TLS purely in the browser. More generally, and surprisingly, with HEIST it becomes possible to exploit certain flaws in network protocols without having to sniff actual traffic.

    HEIST abuses weaknesses and subtleties in the browser, and the underlying HTTP, SSL/TLS, and TCP layers. In particular, we discover a side-channel attack that leaks the exact size of any cross-origin response. This side-channel abuses the way responses are sent at the TCP level. Combined with the fact that SSL/TLS lacks length-hiding capabilities, HEIST can directly infer the length of the plaintext message. Concretely, this means that compression-based attacks such as CRIME and BREACH can now be performed purely in the browser, by any malicious website or script, without requiring a man-in-the-middle position. Moreover, we also show that our length-exposing attacks can be used to obtain sensitive information from unwitting victims by abusing services on popular websites.

    Finally, we explore the reach and feasibility of exploiting HEIST. We show that attacks can be performed on virtually every web service, even when HTTP/2 is used. In fact, HTTP/2 allows for more damaging attack techniques, further increasing the impact of HEIST. In short, HEIST is a set of novel attack techniques that brings network-level attacks to the browser, posing an imminent threat to our online security and privacy.

    Cite
    @inproceedings{vanhoef2016heist,
      title={HEIST: HTTP Encrypted Information can be Stolen through TCP-windows},
      author={Vanhoef, Mathy and Van Goethem, Tom},
      booktitle={Black Hat US Briefings, Las Vegas, USA},
      year={2016}
    }
  • Accelerometer-based Device Fingerprinting for Multi-factor Mobile Authentication
    Tom Van Goethem, Wout Scheepers, Davy Preuveneers, Wouter Joosen
    Engineering Secure Software and Systems (ESSoS), 2016.
    Abstract

    Due to the numerous data breaches, often resulting in the disclosure of a substantial amount of user passwords, the classic authentication scheme where just a password is required to log in has become inadequate. As a result, many popular web services now employ risk-based authentication systems where various bits of information are requested in order to determine the authenticity of the authentication request. In this risk assessment process, values consisting of geo-location, IP address and browser-fingerprint information are typically used to detect anomalies in comparison with the user’s regular behavior.

    In this paper, we focus on risk-based authentication mechanisms in the setting of mobile devices, which are known to fall short of providing reliable device-related information that can be used in the risk analysis process. More specifically, we present a web-based and low-effort system that leverages accelerometer data generated by a mobile device for the purpose of device re-identification. Furthermore, we evaluate the performance of these techniques and assess the viability of embedding such a system as part of existing risk-based authentication processes.

    Cite
    @incollection{van2016accelerometer,
      title={Accelerometer-Based Device Fingerprinting for Multi-factor Mobile Authentication},
      author={Van Goethem, Tom and Scheepers, Wout and Preuveneers, Davy and Joosen, Wouter},
      booktitle={Engineering Secure Software and Systems},
      pages={106--121},
      year={2016},
      publisher={Springer}
    }
  • It's Free for a Reason: Exploring the Ecosystem of Free Live Streaming Services
    Zubair Rafique, Tom Van Goethem, Wouter Joosen, Christophe Huygens, Nick Nikiforakis
    In Proceedings of the 23rd Network and Distributed System Security Symposium (NDSS), 2016.
    Abstract

    Recent years have seen extensive growth of services enabling free broadcasts of live streams on the Web. Free live streaming (FLIS) services attract millions of viewers and make heavy use of deceptive advertisements. Despite the immense popularity of these services, little is known about the parties that facilitate it and maintain webpages to index links for free viewership.

    This paper presents a comprehensive analysis of the FLIS ecosystem by mapping all parties involved in the anonymous broadcast of live streams, discovering their modus operandi, and quantifying the consequences for common Internet users who utilize these services. We develop an infrastructure that enables us to perform more than 850,000 visits by identifying 5,685 free live streaming domains, and analyze more than 1 Terabyte of traffic to map the parties that constitute the FLIS ecosystem. On the one hand, our analysis reveals that users of FLIS websites are generally exposed to deceptive advertisements, malware, malicious browser extensions, and fraudulent scams. On the other hand, we find that FLIS parties are often reported for copyright violations and host their infrastructure predominantly in Europe and Belize. At the same time, we encounter substandard advertisement set-ups by the FLIS parties, along with potential trademark infringements through the abuse of domain names and logos of popular TV channels.

    Given the magnitude of the discovered abuse, we engineer features that characterize FLIS pages and build a classifier to identify FLIS pages with high accuracy and low false positives, in an effort to help human analysts identify malicious services and, whenever appropriate, initiate content-takedown requests.

    Cite
    @inproceedings{rafique2016s,
      title={It's Free for a Reason: Exploring the Ecosystem of Free Live Streaming Services},
      author={Rafique, M Zubair and Van Goethem, Tom and Joosen, Wouter and Huygens, Christophe and Nikiforakis, Nick},
      booktitle={Proceedings of the 23rd Network and Distributed System Security Symposium (NDSS 2016)},
      pages={1--15},
      year={2016},
      organization={Internet Society}
    }
    2015

  • The Clock is Still Ticking: Timing Attacks in the Modern Web
    Tom Van Goethem, Wouter Joosen, Nick Nikiforakis
    In Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security (CCS), 2015.
    Abstract

    Web-based timing attacks have been known for over a decade, and it has been shown that, under optimal network conditions, an adversary can use such an attack to obtain information on the state of a user in a cross-origin website. In recent years, desktop computers have given way to laptops and mobile devices, which are mostly connected over a wireless or mobile network. These connections often do not meet the optimal conditions that are required to reliably perform cross-site timing attacks.

    In this paper, we show that modern browsers expose new side-channels that can be used to acquire accurate timing measurements, regardless of network conditions. Using several real-world examples, we introduce four novel web-based timing attacks against modern browsers and describe how an attacker can use them to obtain personal information based on a user’s state on a cross-origin website. We evaluate our proposed attacks and demonstrate that they significantly outperform current attacks in terms of speed, reliability, and accuracy. Furthermore, we show that the nature of our attacks renders traditional defenses, i.e., those based on randomly delaying responses, moot and discuss possible server-side defense mechanisms.

    Cite
    @inproceedings{van2015clock,
      title={The Clock is Still Ticking: Timing Attacks in the Modern Web},
      author={Van Goethem, Tom and Joosen, Wouter and Nikiforakis, Nick},
      booktitle={Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security},
      pages={1382--1393},
      year={2015},
      organization={ACM}
    }
  • Maneuvering Around Clouds: Bypassing Cloud-based Security Providers
    Thomas Vissers, Tom Van Goethem, Wouter Joosen, Nick Nikiforakis
    In Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security (CCS), 2015.
    Abstract

    The increase of Distributed Denial-of-Service (DDoS) attacks in volume, frequency, and complexity, combined with the constant required alertness for mitigating web application threats, has caused many website owners to turn to Cloud-based Security Providers (CBSPs) to protect their infrastructure. These solutions typically involve the rerouting of traffic from the original website through the CBSP’s network, where malicious traffic can be detected and absorbed before it ever reaches the servers of the protected website. The most popular Cloud-based Security Providers do not require the purchase of dedicated traffic-rerouting hardware, but rely solely on changing the DNS settings of a domain name to reroute a website’s traffic through their security infrastructure. Consequently, this rerouting mechanism can be completely circumvented by directly attacking the website’s hosting IP address. Therefore, it is crucial for the security and availability of these websites that their real IP address remains hidden from potential attackers.

    In this paper, we discuss existing, as well as novel “origin-exposing” attack vectors which attackers can leverage to discover the IP address of the server where a website protected by a CBSP is hosted. To assess the impact of the discussed origin-exposing vectors on the security of CBSP-protected websites, we consolidate all vectors into Cloudpiercer, an automated origin-exposing tool, which we then use to conduct the first large-scale analysis of the effectiveness of the origin-exposing vectors. Our results show that the problem is severe: 71.5% of the 17,877 CBSP-protected websites that we tested expose their real IP address through at least one of the evaluated vectors. The results of our study categorically demonstrate that a comprehensive adoption of CBSPs is harder than just changing DNS records. Our findings can steer CBSPs and site administrators towards effective countermeasures, such as proactively scanning for origin exposure and using appropriate network configurations that can greatly reduce the threat.

    Cite
    @inproceedings{vissers2015maneuvering,
      title={Maneuvering Around Clouds: Bypassing Cloud-based Security Providers},
      author={Vissers, Thomas and Van Goethem, Tom and Joosen, Wouter and Nikiforakis, Nick},
      booktitle={Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security},
      pages={1530--1541},
      year={2015},
      organization={ACM}
    }
    2014

  • Clubbing Seals: Exploring the Ecosystem of Third-party Security Seals
    Tom Van Goethem, Frank Piessens, Wouter Joosen, Nick Nikiforakis
    In Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security (CCS), 2014.
    Abstract

    In the current web of distrust, malware, and server compromises, convincing an online consumer that a website is secure can make the difference between a visitor and a buyer. Third-party security seals position themselves as a solution to this problem, where a trusted external company vouches for the security of a website, and communicates it to visitors through a security seal which the certified website can embed in its pages.

    In this paper, we explore the ecosystem of third-party security seals focusing on their security claims, in an attempt to quantify the difference between the advertised guarantees of security seals, and reality. Through a series of automated and manual experiments, we discover a real lack of thoroughness from the side of the seal providers, which results in obviously insecure websites being certified as secure. Next to the incomplete protection, we demonstrate how malware can trivially evade detection by seal providers and detail a series of attacks that are actually facilitated by seal providers. Among other things, we show how seals can give more credence to phishing attacks, and how the current architecture of third-party security seals can be used as a completely passive vulnerability oracle, allowing attackers to focus their energy on websites with known vulnerabilities.

    Cite
    @inproceedings{van2014clubbing,
      title={Clubbing Seals: Exploring the Ecosystem of Third-party Security Seals},
      author={Van Goethem, Tom and Piessens, Frank and Joosen, Wouter and Nikiforakis, Nick},
      booktitle={Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security},
      pages={918--929},
      year={2014},
      organization={ACM}
    }
  • Large-scale Security Analysis of the Web: Challenges and Findings
    Tom Van Goethem, Ping Chen, Nick Nikiforakis, Lieven Desmet, Wouter Joosen
    In Proceedings of the 7th International Conference on Trust & Trustworthy Computing (TRUST), 2014.
    Abstract

    As the web expands in size and adoption, so does the interest of attackers who seek to exploit web applications and exfiltrate user data. While there is a steady stream of news regarding major breaches and millions of user credentials compromised, it is logical to assume that, over time, the applications of the bigger players of the web are becoming more secure. However, as these applications become resistant to most prevalent attacks, adversaries may be tempted to move to easier, unprotected targets which still hold sensitive user data.

    In this paper, we report on the state of security for more than 22,000 websites that originate in 28 EU countries. We first explore the adoption of countermeasures that can be used to defend against common attacks and serve as indicators of “security consciousness”. Moreover, we search for the presence of common vulnerabilities and weaknesses and, together with the adoption of defense mechanisms, use our findings to estimate the overall security of these websites. Among other results, we show how a website’s popularity relates to the adoption of security defenses and we report on the discovery of three, previously unreported, attack variations that attackers could have used to attack millions of users.

    Cite
    @inproceedings{van2014large,
      title={Large-scale Security Analysis of the Web: Challenges and Findings},
      author={Van Goethem, Tom and Chen, Ping and Nikiforakis, Nick and Desmet, Lieven and Joosen, Wouter},
      booktitle={Proceedings of the 7th International Conference on Trust \& Trustworthy Computing (TRUST 2014)},
      year={2014}
    }

Presentations

Program committee memberships

  • Workshop on Traffic Measurements for Cybersecurity (WTMC) - 2018, 2019, 2020
  • Workshop on Attackers and Cyber-Crime Operations (WACCO) - 2019, 2020
  • Security and Trust Management (STM) - 2019