Wednesday, May 31
“Tales of Fails: Broken Promises of Privacy” Claudio Soriente
While encryption is considered the silver bullet against security threats by many, in this talk we show several application domains where state-of-the-art encryption fails to protect user privacy.
First, we look at Internet browsing. Tracking users within and across websites is the basis for profiling their interests, demographic types, and other information that can be monetized through targeted advertising and big data analytics. The advent of HTTPS was supposed to make profiling harder for anyone beyond the communicating end-points. We examine to what extent this is true. We first show that by knowing the domain that a user visits, either through the Server Name Indication of the TLS protocol or through DNS, an eavesdropper can already derive basic profiling information, especially for domains whose content is homogeneous. For domains carrying a variety of categories that depend on the particular page that a user visits, such as news portals and e-commerce sites, the basic profiling technique fails. Still, accurate profiling remains possible through traffic fingerprinting that uses network traffic signatures to infer the exact page that a user is browsing, even under HTTPS.
We also show that session layer encryption fails to protect user privacy in the context of mobile applications. We show that by monitoring the traffic generated by a mobile device and using off-the-shelf machine learning, an eavesdropper can infer which apps are installed on the device. We also show that for specific apps and actions, an adversary can infer which action the user is carrying out (e.g., posting on Facebook).
Later we focus on cloud storage systems. Most existing cloud storage providers rely on data deduplication in order to significantly save storage costs. While the literature has thoroughly analyzed client-side information leakage associated with the use of data deduplication techniques in the cloud, no previous work has analyzed the information leakage associated with metadata available to a curious cloud provider. We address this problem and analyze information leakage associated with data deduplication on a curious storage server. We show that even if the data is encrypted using a key not known by the storage server, the latter can still acquire considerable information about the stored files and even determine which files are stored. We validate our results both analytically and experimentally using a number of real storage datasets.
Claudio Soriente has been a researcher at Telefónica Research and Development (Barcelona, Spain) since October 2015. Previously, he was with the Institute of Information Security at the Swiss Federal Institute of Technology (ETH) Zürich and a Juan de la Cierva fellow at the Universidad Politécnica de Madrid. He received a Ph.D. in Networked Systems from the University of California at Irvine (advisor Prof. Gene Tsudik). During his Ph.D. studies he had the opportunity to work with great people at IBM Zurich Research Laboratory, at INRIA Rhône-Alpes and at the UNESCO Chair in Data Privacy.
Thursday, June 1
“Data Security and Privacy in the Cloud” Pierangela Samarati
The “cloud” has become a successful paradigm for conveniently storing, accessing, processing, and sharing information. With its significant benefits of scalability and elasticity, the cloud paradigm has appealed to companies and users, which are more and more resorting to the multitude of available cloud providers for storing and processing data. Unfortunately, such convenience comes at the price of loss of control over these data by their owner and of consequent new security threats that can limit the potential widespread adoption and acceptance of the cloud computing paradigm.
In this tutorial, I will discuss security and privacy issues arising in the cloud scenario, addressing problems related to guaranteeing confidentiality and integrity of data stored or processed by external providers.
Pierangela Samarati is a Professor at the Department of Computer Science of the Università degli Studi di Milano, Italy. Her main research interests are access control policies, models and systems, data security and privacy, information system security, and information protection in general.
She is the project coordinator of the ESCUDO-CLOUD project, funded by the EC H2020 programme, and she has participated in several projects involving different aspects of information protection.
On these topics she has published more than 250 peer-reviewed articles in international journals, conference proceedings, and book chapters. She has been a Computer Scientist in the Computer Science Laboratory at SRI, CA (USA). She has been a visiting researcher at the Computer Science Department of Stanford University, CA (USA), and at the Center for Secure Information Systems of George Mason University, VA (USA). She is the chair of the IEEE Systems Council Technical Committee on Security and Privacy in Complex Information Systems (TCSPCIS), of the ERCIM Security and Trust Management Working Group (STM), and of the Steering Committees of the European Symposium On Research In Computer Security (ESORICS) and of the ACM Workshop on Privacy in the Electronic Society (WPES). She is a member of several steering committees.
She is an ACM Distinguished Scientist (named 2009) and an IEEE Fellow (named 2012).
She has received the IEEE Computer Society Technical Achievement Award (2016).
She has been awarded the IFIP TC11 Kristian Beckman Award (2008) and the IFIP WG 11.3 Outstanding Research Contributions Award (2012). She has served as General Chair, Program Chair, and program committee member of several international conferences and workshops.
Friday, June 2
“Cryptocurrency and Blockchain Technology: Challenges and Opportunities” William Knottenbelt
The meteoric rise of blockchain-enabled cryptocurrencies, and Bitcoin in particular, has received global attention, not least from governments, entrepreneurs and researchers. Cryptocurrencies provide an attractive alternative to traditional fiat currencies via a distributed, trustless and self-governing framework which not only enables low-friction financial transactions around the globe but also preserves the freedom and privacy of spending inherent in cash transactions. This talk will cover some of the challenges and opportunities posed by this emerging technology and will outline ongoing directions of research in the Imperial College Centre for Cryptocurrency Research and Engineering.