Researchers Devise Hopeful Defense Against Credential Spear Phishing Attacks
September 5, 2017 | Kevin Touwnsend, Security Week

"Ultimately," conclude the researchers, "our detector's ability to identify both known and novel attacks, and the low volume and burden of alerts it imposes, suggests that our approach provides a practical path towards detecting credential spearphishing attacks."

The app for the drug store allows you to get coupons as well as refill your prescription and find nearby pharmacies. The store-locator feature contains the privacy flaw, which has resulted in the app sending out GPS coordinates to outside entities, said Serge Egelman, director of security and privacy research at the International Computer Science Institute. ICSI is affiliated with the University of California at Berkeley.

A group of researchers recently identified a real-time way to detect credential spearphishing attacks in enterprise settings. The discovery net the researchers $100,000 last week from Facebook, which awards money as part of its annual Internet Defense Prize partnership with USENIX Association.

Berkeley boffins build better spear-phishing black-box bruiser
August 18, 2017 | Thomas Claburn, The Register

In a paper presented at Usenix 2017, titled "Detecting Credential Spearphishing in Enterprise Settings," Grant Ho, Mobin Javed, Vern Paxson, and David Wagner from UC Berkeley, and Aashish Sharma of The Lawrence Berkeley National Laboratory (LBNL), describe a system that utilizes network traffic logs in conjunction with machine learning to provide real-time alerts when employees click on suspect URLs embedded in emails.

"It isn't DNS that is key for sites like StormFront or the Daily Stormer; it’s the CDN infrastructure and [denial of service] protection that keeps these sites alive," Nicholas Weaver, a computer researcher based at the International Computer Science Institute, told Ars. "CloudFlare is the key infrastructure that supports these sites."

Damon McCoy, an NYU Tandon assistant professor of computer science and engineering and one of the paper's co-authors, explained that combining these techniques to identify sex ads by both author and Bitcoin owner represents a considerable advancement in assisting law enforcement and nonprofit organizations. "There are hundreds of thousands of these ads placed every year, and any technique that can surface commonalities between ads and potentially shed light on the owners is a big boost for those working to curb exploitation," he said.

The best mobile VPNs can ensure your privacy anywhere
August 14, 2017 | Steven J. Vaughan Nichols, ZDNet

In particular, CSIRO researchers found you can't trust "free" VPN services. Narseo Vallina-Rodriguez, a researcher at the International Computer Science Institute, told Wired, "The economics didn't make much sense, because when you start looking at these applications, most of them are free, but maintaining online infrastructure is actually very expensive."

"More than 50 percent of Google Play apps targeted at children under 13—we examined more than 5,000 of the most popular (many of which have been downloaded millions of times)—appear to be failing to protect data. In fact, the apps we examined appear to regularly send potentially sensitive information—including device serial numbers, which are often paired with location data, email addresses, and other personally identifiable information—to third-party advertisers"

Prior to taking in VC funding, the San Francisco-based company has been supported by an SBIR grant, while the Bro project was initially funded by the National Science Foundation at the International Computer Science Institute.

In Depth: The dangers of buying drugs on the dark web
July 12, 2017 | Julia Holden, EU-OCS

Speaking with WIRED in January last year, Berkeley computer science researcher Nick Weaver, who has studied dark web marketplaces, said hidden site admins have learned that if they develop a trustworthy reputation, it will only be a matter of time before they are targeted by police.