SPRITZ Group (Security and Privacy Research Group)---Team Members

Workshop on PC and mobile security protection and updates

The SPRITZ Security and Privacy Research Group at the University of Padua, in collaboration with Clusit (The Italian Association for Computer Security) organizes the "2014 SPRITZ Workshop on PC and mobile security protection and updates". This event is organized within the framework of the European Cyber Security Month (ECSM).

Date: October 8th, 2014

Schedule: From 9 to 12 am

Address: University of Padua, Department of Mathematics, Via Trieste, 63 - Padua, Italy

Room: Meeting room at 7th floor of Torre Archimede

Youtube playlist: link


Speakers

  • Matteo Brunati

    IT Security Freelancer

    Talk title: [Mobile] Computer Forensics - What is CSI like in the real world?

    Abstract: What is Computer Forensics and how may we use it to study and help solve frauds or crimes? We will go through the basics of this multidisciplinary discipline, focusing on its principles and how they can be applied to acquire and analyze evidence on mobile and handset devices.

  • Sebastiano Gottardo

    University of Padua, IT

    Talk title: MITHYS: Mind The Hand You Shake - Protecting Mobile Devices from SSL Usage Vulnerabilities

    Abstract: Recent studies have shown that a significant number of mobile applications, often handling sensitive data such as bank accounts and login credentials, suffer from SSL vulnerabilities. Most of the time, these vulnerabilities are due to improper use of the SSL protocol (in particular, in its handshake phase), resulting in applications exposed to man-in-the-middle attacks. In this talk, we present MITHYS, a system able to: (i) detect applications vulnerable to man-in-the-middle attacks, and (ii) protect them against these attacks. We demonstrate the feasibility of our proposal by means of a prototype implementation in Android, named MITHYSApp. A thorough set of experiments assesses the validity of our solution in detecting and protecting mobile applications from man-in-the-middle attacks, without introducing significant overheads. Finally, MITHYSApp does not require any special permissions nor OS modifications, as it operates at the application level. These features make MITHYSApp immediately deployable on a large user base.
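    As an added illustration of the handshake misuse the abstract refers to (example code, not code from the talk or from MITHYS): an Android/Java client that installs an all-trusting `X509TrustManager` and a permissive `HostnameVerifier`, beside the hardened setup that keeps the platform trust store, plus a hypothetical `acceptsAnyChain` smoke check. The check assumes that the platform's default trust manager rejects an empty certificate chain with an exception, which the JDK and Android implementations do.

```java
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

public class SslHandshakeMisuse {

    // The misuse pattern: a TrustManager whose checks never throw, so any
    // certificate presented by an interposed party passes the handshake.
    static final class TrustEverything implements X509TrustManager {
        public void checkClientTrusted(X509Certificate[] chain, String authType) { }
        public void checkServerTrusted(X509Certificate[] chain, String authType) { }
        public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
    }

    // Vulnerable configuration: trust-everything manager plus a hostname
    // verifier that accepts any name, typically added to silence a cert error.
    static SSLContext insecureContext() throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { new TrustEverything() }, null);
        HostnameVerifier anyHost = (hostname, session) -> true;
        HttpsURLConnection.setDefaultHostnameVerifier(anyHost);
        return ctx;
    }

    // Hardened configuration: chain validation against the platform trust
    // store; hostname verification is left at its default (strict) setting.
    static SSLContext secureContext() throws Exception {
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);   // null = the platform's default trust store
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    // Heuristic smoke check (an assumption of this example, not a MITHYS
    // technique): a real trust manager rejects an empty chain with an
    // exception, whereas a trust-everything one returns silently.
    static boolean acceptsAnyChain(X509TrustManager tm) {
        try {
            tm.checkServerTrusted(new X509Certificate[0], "RSA");
            return true;   // no exception: the manager validates nothing
        } catch (Exception e) {
            return false;  // chain was actually inspected
        }
    }
}
```

    Passing `new TrustEverything()` to `acceptsAnyChain` yields true, while the `X509TrustManager` obtained from the default `TrustManagerFactory` yields false.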

  • Riccardo Spolaor

    University of Padua, IT

    Talk title: Can't you hear me knocking: Identification of user actions on Android apps via traffic analysis

    Abstract: While smartphone usage becomes more and more pervasive, people also start asking to which extent such devices can be maliciously exploited as "tracking devices". The concern is not only related to an adversary taking physical or remote control of the device (e.g., via a malicious app), but also to what a passive adversary (without the above capabilities) can observe from the device's communications. Work in this latter direction aimed, for example, at inferring the apps a user has installed on his device, or identifying the presence of a specific user within a network. In this talk, we move a step forward: we investigate to which extent it is feasible to identify the specific actions that a user is performing on his mobile device, by simply eavesdropping on the device's network traffic. In particular, we aim at identifying actions like browsing someone's profile on a social network, posting a message on a friend's wall, or sending an email. We design a system that achieves this goal starting from (encrypted) IP packets: it works through identification of network flows and application of machine learning techniques. We did a complete implementation of this system and ran a thorough set of experiments, which shows that it can achieve accuracy and precision higher than 95% for most of the considered actions.

  • Matteo Brunati

    IT Security Freelancer

    Talk title: Let's talk about MitMo - Today malware attacks through mobile devices

    Abstract: Malicious software has been around since the dawn of the Internet, and it has evolved through the decades as more and different devices have been used to access online data. We will go through an overview of one specific family of this malicious software, the Online Banking Malware, trying to understand its attack vectors and how these vectors are exploited to control people or steal information from them. In particular, we will dig into some recent versions of this malware, which not only attack personal computers, but also personal mobile devices such as smartphones, opening the business for new attack types such as the Man-in-the-Mobile (MitMo).