Improv Workshop


To celebrate the end of the academic quarter, Security and Privacy Lab members participated in an improvisation team building workshop facilitated by an instructor from Unexpected Productions. Not only is improv funny and fun, it also provides surprisingly relevant lessons for research and collaboration — such as the “Yes, and…” mindset for brainstorming.

Google Advanced Protection Program

Congratulations to Security Lab alum Alexei Czeskis and the team he led at Google for launching Google’s Advanced Protection Program! According to the website, “the Advanced Protection Program safeguards the personal Google Accounts of anyone at risk of targeted attacks – like journalists, activists, business leaders, and political campaign teams.” Thanks to Alexei and his team for helping keep Google’s users safe. Consider signing up to better protect your own Google account!

Security Lab at the Allen School’s Industry Affiliates Research Day

The Security and Privacy Lab hosted two sessions of research talks at the Allen School’s Industry Affiliates Research Day today. Presentations included:

  • Kiron Lebeck on “Securing Augmented Reality Output”
  • Peter Ney on “Computer Security, Privacy, and DNA Sequencing. Compromising Computers with Synthetic DNA, Privacy Leaks, and More”
  • Camille Cobb on “Privacy in Online Dating”
  • Eric Zeng on “End User Security & Privacy Concerns with Smart Homes”
  • Ivan Evtimov on “Robust Physical-World Attacks on Deep Learning Models”
  • Lucy Simko on “Recognizing and Imitating Programmer Style”
  • Alex Takakuwa on “Moving to New Devices in the FIDO Ecosystem”
  • Peter Ney on “SeaGlass: Enabling City-Wide IMSI-Catcher Detection”

Thanks to all the speakers for the great talks and to all the attendees for joining us!

Rewriting History: Manipulating the Archived Web from the Present

Web archives such as the Internet Archive’s Wayback Machine are used for a variety of important uses today, including citations and evidence in journalism, scientific articles, and legal proceedings. In a new paper, Security Lab PhD alumna Ada Lerner (now an assistant professor at Wellesley College) and Lab co-directors Yoshi Kohno, and Franzi Roesner show how a malicious actor might be able to manipulate what users see when they view archived pages. The image on the right shows a proof-of-concept example in which a 2011 snapshot of a website has been temporarily modified to show 2017 content.

For more details about how these attacks work and how to defend against them, see the Rewriting History project website or read the full conference paper. Dr. Lerner will be presenting this work this week at the ACM Conference on Computer and Communications Security (CCS) 2017.

We disclosed our results to the Wayback Machine before publication, and we are extremely grateful to Mark Graham and his team at the Internet Archive for their prompt and thoughtful responses in taking action to mitigate these attacks! They have already implemented Content-Security Policy headers, which instruct client browsers not to load content from outside the Archive, blocking many vulnerabilities to one of our attacks. Additionally, they launched a new feature, described in this blog post, which shows users of the Archive the relationship of the timestamps of subresources to the snapshot currently being viewed. This information can help expert users better interpret archival snapshots and catch “anachronistic” requests which may result in benign or malicious modifications to the view of a page.

With this paper, we are also releasing Tracking Excavator, a tool for measuring web tracking in the Archive. Tracking Excavator is described in more detail in our paper from USENIX Security 2016.

Kimberly Ruth Awarded WRF Fellowship

Congratulations to Kimberly Ruth on receiving a Washington Research Foundation Fellowship! These fellowships “recognize and support undergraduates who achieve a high level of accomplishment in research, particularly in areas relevant to the development of new technologies.” Since her freshman year, Kimberly has been an undergraduate researcher in the UW CSE Security and Privacy Lab, co-advised by Professors Tadayoshi Kohno and Franziska Roesner. Her current research focus is on the security and privacy implications of emerging augmented reality (AR) technologies. Read the full award citation here — congratulations Kimberly!

Security Lab researchers uncover how online advertising can be used to track individuals

(Cross-posted from Allen School News.)

Map of tracked individual's morning commute route

This map, representing an individual’s morning commute, shows the locations where the research team was able to track the person’s movements through location-based ads.

Online ads may not only be trying to sell you something; they may be selling you out. That’s according to a team of researchers in the Allen School’s Security and Privacy Research Lab, who recently discovered how easy it is for someone with less than honorable intentions to turn online ads into a surveillance tool. They found that, for as little as $1,000, a person or organization could conceivably purchase ads that will enable them to track someone’s location and app use via their mobile phone — gaining access to potentially sensitive personal information about that individual’s dating preferences, health, religious and political affiliation, and more. The team hopes that by sharing its findings publicly, it will raise awareness among online advertisers, mobile service providers, and customers about a potential new cybersecurity threat.

This threat stems from how the existing online advertising ecosystem enables ad purchasers to precisely target consumers based on their geographic location, interests, and browsing history for marketing purposes. The problem, as researchers explained in a UW News release, is that the same infrastructure can be exploited by people and organizations other than advertisers to precisely target individuals in ways that could compromise their privacy and security. According to former Allen School Ph.D. student Paul Vines, lead author on the project, it would be easy for anyone from a foreign agent to a jealous spouse to sign up with an online advertising service and track another individual.

“If you want to make the point that advertising networks should be more concerned with privacy, the boogeyman you usually pull out is that big corporations know so much about you. But people don’t really care about that,” Vines explained in a Wired article about the project. “[T]he potential person using this information isn’t some large corporation motivated by profits and constrained by potential lawsuits. It can be a person with relatively small amounts of money and very different motives.”

As the team discovered, online advertising can deliver fairly detailed information about a person’s behavior. For example, the researchers were able to determine an individual user’s location within a distance of 8 meters based on where their ads were being served. By establishing a grid of hyperlocal ads, the team was able to discern an individual’s daily routine based on where ads were served to the user’s device at various points along the way.

The team refers to this method of information gathering as ADINT, or “advertising intelligence,” reminiscent of well-known intelligence collection tactics such as SIGINT (signals intelligence) and HUMINT (human intelligence). To test the capabilities of ADINT, Vines and his coauthors — Allen School professors Franziska Roesner and Tadayoshi Kohno — purchased a series of ads through a demand-side provider, or DSP, which is an entity that facilitates the purchase and delivery of targeted advertising. They set up their ads to target a mix of 10 actual users and 10 facsimile users with the help of each device’s unique mobile advertising identifier (MAID), which functions as a sort of “whole device” tracking cookie. The team then repurposed the tools designed to deliver relevant ads for commercial purposes to instead collect information on each user’s whereabouts and behavior.

Tadayoshi Kohno, Franziska Roesner, Paul Vines

The ADINT research team, from left: Tadayoshi Kohno, Franziska Roesner, and Paul Vines Dennis Wise/University of Washington

Movement was not the only thing they could track; it turns out that ad purchasers have the ability to learn a lot about a person by viewing what apps they use, including popular dating and fitness-tracking apps. The team’s experiments also revealed that the individual being tracked does not need to actually click on an ad in order for ADINT to work, because purchasers can see where the ad is being served regardless of whether the target interacts with it.

“To be very honest, I was shocked at how effective this was,” said Kohno, who co-directs the Allen School’s Security and Privacy Research Lab with Roesner. “There’s a fundamental tension that as advertisers become more capable of targeting and tracking people to deliver better ads, there’s also the opportunity for adversaries to begin exploiting that additional precision.”

The team surmises that ADINT attacks could be driven by a variety of motives, from criminal intent, to political ideology, to financial profit. According to Roesner, the ease with which the team was able to deploy targeted ads against individuals calls for heightened awareness and vigilance — not just within the computer security community, but on the part of the policy and regulatory communities, as well.

“We are sharing our discoveries so that advertising networks can try to detect and mitigate these types of attacks,” she explained, “and so that there can be a broad public discussion about how we as a society might try to prevent them.”

The team will present its findings at the Association for Computing Machinery’s Workshop on Privacy in the Electronic Society taking place in Dallas, Texas later this month.

To learn more about ADINT, visit the project website here. Read the UW News release here and the Wired feature here, and check out additional coverage by The Verge, Mashable, and Mic.

Franziska Roesner honored with Emerging Leader Award from UT Austin

(Cross-posted from Allen School News.)

Franziska Roesner holding her Emerging Leader AwardAllen School professor and Ph.D. alumna Franziska Roesner, co-director of the Privacy and Security Research Lab, received the 2017 Emerging Leader Award from the College of Natural Sciences at The University of Texas at Austin. Roesner, who earned her bachelor’s degree in 2008 from UT Austin before her arrival at the Allen School as a graduate student, was inducted into the college’s Hall of Honor at a ceremony last night.

Calling Roesner a “formidable force and leader in the world of computer security and privacy,” the college cited her work to identify the privacy risks to children of internet-connected toys, evaluate and address journalists’ security needs, and safeguard the privacy of web users as evidence of her growing leadership in the field. It also highlighted Roesner’s growing reputation as a leading voice on privacy and security related to emerging technologies such as augmented reality and the Internet of Things.

The Emerging Leader Award was created to recognize graduates of the college “who, in deed or action, reflect and recognize the importance of his or her education at The University.” Nominees are evaluated based on their contributions to their profession, recognition by their peers, and demonstrated ability, integrity, and stature. The winners are individuals in whom the faculty, staff, students, and fellow alumni will “take pride in and be inspired by their recognition.”

We certainly are inspired by the many contributions she has made to the field of computer science and to the Allen School community — and as our friends in Austin note, “Roesner has only just begun to make her mark.” This is turning into a banner year for Roesner, who previously earned a TR35 Award and a NSF CAREER Award.

Read the full citation here.

Congratulations, Franzi!

1 2 3 4 20