[Colloq] Personal Data In a Box / Smartphone Vulnerabilities (Hamed Haddadi/Alastair Beresford)

Dave Choffnes choffnes at ccs.neu.edu
Fri Nov 13 15:35:39 EST 2015


I'm pleased to announce that we'll have two fantastic privacy and security
researchers coming next Wednesday (11/18). They will be speaking
(sequentially) in 366 WVH from 1:30-3pm, and there are still slots
available for 1-on-1 meetings. Please attend the talks and sign up for
slots if you are interested!

Dave

********
Talk 1 (meeting slots available here:
https://wiki.ccs.neu.edu/display/VISCHED/Hamed+Haddadi)
********
Hamed Haddadi (QMUL)
Title: Personal Data, Thinking Inside the Box

Abstract:
We are in a ‘personal data gold rush’ driven by advertising being the
primary revenue source for most online companies. These companies
accumulate extensive personal data about individuals with minimal concern
for us, the subjects of this process. There is a critical need to provide
technologies that enable alternative practices, so that individuals can
participate in the collection, management and consumption of their personal
data. However, personal data from individuals, and their (IoT) devices can
be useful for a number of purposes such as personalised services or health
monitoring. In this talk I discuss the Databox, a personal networked device
(and associated services) that collates and mediates access to personal
data, allowing us to recover control of our online lives. We hope the
Databox is a first step to re-balancing power between us, the data
subjects, and the corporations that collect and use our data.


Bio:
Hamed is the Lecturer in Digital Media at EECS School in Queen Mary
University of London and a Research Scientist at Qatar Computing Research
Institute. He is interested in Networked Systems & Social Computing. He
enjoys designing and building systems that enable better use of our digital
footprint, while respecting users' privacy. He is also broadly interested
in sensing applications and Human-Data Interaction. He is currently serving
as the Information Services Director for the ACM SIGCOMM Executive
Committee.

He studied for BEng/MSc/PhD at University College London and the University
of Cambridge. He was a postdoctoral researcher at Max Planck Institute for
Software Systems in Germany, and a postdoctoral research fellow at
Department of Pharmacology, University of Cambridge and The Royal
Veterinary College, University of London. He has spent time working and
collaborating with Intel Research, Microsoft Research, AT&T Research,
Telefonica, and Sony Europe. When not in the office, he prefers to be on a
ski slope or in a kayak.

http://www.eecs.qmul.ac.uk/~hamed/

********
Talk 2 (meeting slots available here:
https://wiki.ccs.neu.edu/display/VISCHED/Alastair+Beresford+%28Cambridge%29%2C+November+18th
********
Alastair Beresford (Cambridge)
Title: Smartphone vulnerabilities

Abstract: Smartphones today support a large number of applications
written by a diverse collection of third-party developers. How secure
are the applications and the platforms that support them? What kinds of
vulnerabilities exist, and how many phones are vulnerable today? To
begin to answer this question, we examine data from the Device Analyzer
project, a measurement platform which has collected information from
over 23,000 Android phones around the world over the last four years. We
find that, on average, 87% of devices were exposed to known
privilege-escalation attacks which allow a malicious app to gain root on
the device. We also quantify the risk of an alternative attack vector:
the JavaScript-to-Java interface vulnerability. This vulnerability
allows untrusted JavaScript running in a WebView to break out of the
JavaScript sandbox, allowing remote code execution on Android phones.
While this vulnerability was first reported in December 2012, we predict
that the fix will not be deployed to 95% of devices until January 2018,
over 5 years after the release of the fix. The talk finishes with some
thoughts on why the security of smartphones is better than the above
data might naively suggest, together with some approaches on how we
might improve platform security further in the future.


More information about the Colloq mailing list