Being Social Grand ABC Session Chair: Jaeyeon Jung, Microsoft Research Privacy-Preserving Social Plugins Georgios Kontaxis, Michalis Polychronakis, and Angelos D. Keromytis, Columbia University; Evangelos P. Markatos, FORTH-ICS The widespread adoption of social plugins, such as Facebook’s Like and Google’s +1 buttons, has raised concerns about their implications to user privacy, as they enable social networking services to track a growing part of their members’ browsing activity. Existing mitigations in the form of browser extensions can prevent social plugins from tracking user visits, but inevitably disable any kind of content personalization, ruining the user experience. In this paper we propose a novel design for privacy-preserving social plugins that decouples the retrieval of user-specific content from the loading of a social plugin. In contrast to existing solutions, this design preserves the functionality of existing social plugins by delivering the same personalized content, while it protects user privacy by avoiding the transmission of user-identifying information at load time. We have implemented our design in SafeButton, an add-on for Firefox that fully supports seven out of the nine social plugins currently provided by Facebook, including the Like button, and partially due to API restrictions the other two. As privacy-preserving social plugins maintain the functionality of existing social plugins, we envisage that they could be adopted by social networking services themselves for the benefit of their members. To that end, we also present a pure JavaScript design that can be offered transparently as a service without the need to install any browser add-ons. Available Media Social Networking with Frientegrity: Privacy and Integrity with an Untrusted Provider Ariel J. Feldman, Aaron Blankstein, Michael J. Freedman, and Edward W. Felten, Princeton University

Awarded Best Student Paper! Today’s social networking services require users to trust the service provider with the confidentiality and integrity of their data. But with their history of data leaks and privacy controversies, these services are not always deserving of this trust. Indeed, a malicious provider could not only violate users’ privacy, it could equivocate and show different users divergent views of the system’s state. Such misbehavior can lead to numerous harms including surreptitious censorship. In light of these threats, this paper presents Frientegrity, a framework for social networking applications that can be realized with an untrusted service provider. In Frientegrity, a provider observes only encrypted data and cannot deviate from correct execution without being detected. Prior secure social networking systems have either been decentralized, sacrificing the availability and convenience of a centralized provider, or have focused almost entirely on users’ privacy while ignoring the threat of equivocation. On the other hand, existing systems that are robust to equivocation do not scale to the needs social networking applications in which users may have hundreds of friends, and in which users are mainly interested the latest updates, not in the thousands that may have come before. To address these challenges, we present a novel method for detecting provider equivocation in which clients collaborate to verify correctness. In addition, we introduce an access control mechanism that offers efficient revocation and scales logarithmically with the number of friends. We present a prototype implementation demonstrating that Frientegrity provides latency and throughput that meet the needs of a realistic workload. Available Media Efficient and Scalable Socware Detection in Online Social Networks Md Sazzadur Rahman, Ting-Kai Huang, Harsha V. Madhyastha, and Michalis Faloutsos, University of California, Riverside Online social networks (OSNs) have become the new vector for cybercrime, and hackers are finding new ways to propagate spam and malware on these platforms, which we refer to as socware. As we show here, socware cannot be identified with existing security mechanisms (e.g., URL blacklists), because it exploits different weaknesses and often has different intentions. In this paper, we present MyPageKeeper, a Facebook application that we have developed to protect Facebook users from socware. Here, we present results from the perspective of over 12K users who have installed MyPageKeeper and their roughly 2.4 million friends. Our work makes three main contributions. First, to enable protection of users at scale, we design an efficient socware detection method which takes advantage of the social context of posts. We find that our classifier is both accurate (97% of posts flagged by it are indeed socware and it incorrectly flags only 0.005% of benign posts) and efficient (it requires 46 ms on average to classify a post). Second, we show that socware significantly differs from traditional email spam or web-based malware. For example, website blacklists identify only 3% of the posts flagged by MyPageKeeper, while 26% of flagged posts point to malicious apps and pages hosted on Facebook (which no current antivirus or blacklist is designed to detect). Third, we quantify the prevalence of socware by analyzing roughly 40 million posts over four months; 49% of our users were exposed to at least one socware post in this period. Finally, we identify a new type of parasitic behavior, which we refer to as “Like-as-a-Service”, whose goal is to artificially boost the number of “Likes” of a Facebook page. Available Media

Invited Talk Grand DEFGH Securing Early Software Development Speaker: Riley Eller (Caezar), Security Strategist for Leviathan Security Group In this talk, I will present a trusted advisor business model for smaller security firms, especially those with a handful of extremely strong contributors plus a larger staff. The model is novel and has been successfully adapted for a series of Seattle-area start-up firms plus one international hospitality brand. Benefits to the client firm, investors, and customers include improvements to product reliability, public relations, and frequency of emergency funding appeals. Benefits to the consultants are equally attractive: stable revenue, low-volume-high-skill work, high-volume-low-skill work, and a teachable system for converting technical expertise into recurring sales. By formalizing what is already often true, the trusted security advisor becomes a specific and profitable job description. I present the idea, the pitch, and then a fast-forward client onboarding process to help the audience seed their own inventive methods for selling security services to software developers. In this talk, I will present a trusted advisor business model for smaller security firms, especially those with a handful of extremely strong contributors plus a larger staff. The model is novel and has been successfully adapted for a series of Seattle-area start-up firms plus one international hospitality brand. Benefits to the client firm, investors, and customers include improvements to product reliability, public relations, and frequency of emergency funding appeals. Benefits to the consultants are equally attractive: stable revenue, low-volume-high-skill work, high-volume-low-skill work, and a teachable system for converting technical expertise into recurring sales. By formalizing what is already often true, the trusted security advisor becomes a specific and profitable job description. I present the idea, the pitch, and then a fast-forward client onboarding process to help the audience seed their own inventive methods for selling security services to software developers. Mr. Eller’s passion for computing began with early home machines and exploded in the vibrant bulletin board (BBS) days of the late 1980s. He grew up in the emerging network security community, learning from hackers across the globe. As an adult, he became a software engineer working on systems software, wireless routing protocols, graphics subsystems, small business management, criminal justice, cryptography, and compression. Through the DEFCON and BlackHat conference series, and his 16 annual Challenge parties, Caezar met and collaborated with some of the best minds of the last decade. His contributions to security include the first printable-character exploit encoding, the first public discussion of remedies for distributed denial of service, the (patented) first general-purpose fuzzer, a method for trust in decentralized networks (now mirrored by DNSSEC), plus several wireless networking inventions. Today, Riley is the Security Strategist for Leviathan Security Group, where he coaches start-up firms through maturing their secure software development lifecycle. As a trusted advisor to these small firms, Mr. Eller also helps to liaise with investors and major account clients. Available Media