The Data Distribution Service (DDS) Protocol is Critical: Let's Use it Securely!
Authors:
Ta-Lun Yen, Federico Maggi, Erik Boasson
@Unpublished{ yen_ddsbheu_talk_2021,
abstract = {We discovered and disclosed vulnerabilities in most of the
OMG Data Distribution Service (DDS) implementations. DDS
enables crucial technologies like autonomous driving,
healthcare machinery, military tactical systems, or missile
launch stations. Notably, DDS is used by NASA at the KSC,
by SIEMENS for smart grid applications, by Volkswagen and
Bosch for autonomous valet parking systems, by NAV CANADA
for ATC, and by the Robot Operating System 2 (ROS2) to
control industrial and consumer robots.
Designed around industrial-level requirements, DDS sits
deep in the control network, allowing an arbitrary number
of endpoints like sensors or actuators to communicate
transparently, with an abstract API based on familiar data
type specifications (e.g., C structs) and simple function
calls, regardless of the complexity of the data.
We approached DDS from the bottom up, and we will show you
how we wrote a Scapy layer to guide you through the packet
structure. Although network fuzzing wasn't directly
effective, it greatly helped us to master the tiny details
of DDS. This led us to find an amplification vulnerability
in the standard, which allows an attacker to redirect traffic to flood
an arbitrary host. DDS configuration is highly dependent on
XML, JSON, YAML, or similar formats, which make them
another attack vector. By writing a Radamsa-based file
fuzzer we found a parsing vulnerability in RTI DDS
Connector, so an attacker can use a malicious configuration
file to gain initial access. We then focus on fuzzing the
message interpretation routines in all implementations.
Using concrete examples, we explain how to pick good fuzz
targets and prepare them for popular frameworks like
OSS-Fuzz and UnicornAFL.
We take you from knowing nothing about DDS to efficiently
researching new vulnerabilities, which we encourage other
researchers, DDS users and implementors to do. We report on
our interactions with some of the DDS implementors, which
we believe is the first concrete step towards securing this
critical protocol in the long run. We release fuzzing
harnesses and a Scapy layer to decode the DDS RTPS layer.},
author = {Yen, Ta-Lun and Maggi, Federico and Boasson, Erik},
date = {2021-11-08},
eventtitle = {Black Hat Briefings Europe},
file = {files/talks/yen_ddsbheu_talk_2021.pdf},
howpublished = {Peer-reviewed Talk},
location = {London, UK},
shorttitle = {DDSBHEU},
title = {The Data Distribution Service (DDS) Protocol is Critical:
Let's Use it Securely!},
url = {https://www.blackhat.com/eu-21/briefings/schedule/index.html#the-data-distribution-service-dds-protocol-is-critical-lets-use-it-securely-24934}
}
Small Wonder: Uncovering Planned Obsolescence Practices in Robotics and What This Means for Cybersecurity
Authors:
Víctor Mayoral-Vilches, Federico Maggi
@Unpublished{ mayoral-vilches_smallwonderbhus_talk_2021,
abstract = {Security in robotics is nothing really new if one
considers modern OT and IT approaches, and most security
practices translate directly to robots. However, there's
almost no security culture amongst robot makers.
Building a robot requires careful selection of components
that interact across networks while meeting timing
deadlines. It isn't uncommon for robot components to be
compromised or fail over time, leading to complete system
malfunction. Given the high prices of these machines
(we focus on robots in the 25K-70K USD range), it's only
reasonable to consider the need for securing and repairing
robots.
We introduce and promote systematic "robot teardown" as an
approach to repair robots by understanding their internals
(still obscure). Needless to say, robot teardown is an
essential practice in robot security. We show several
"tricks from the trade" and the legal implications learned
by porting reverse-engineering practices into the
less-explored field of robotics. We explain how we a)
discovered more than 90 security vulnerabilities in robots
from Teradyne (MiR and UR) over a period of two years
(never discussed publicly before), b) gained repairing
capabilities on these robots, c) show evidence of planned
obsolescence by comparing two sequentially released robot
controllers, and d) demonstrate how robot hacking leads us
to repurpose an older controller (previous version) from
Universal Robots with their newer robots (arms) maintaining
full capabilities and demonstrating that there's no need to
re-spend thousands of dollars again.
Similar to Ford in the 1920s with cars, most robot
manufacturers nowadays employ planned obsolescence
practices and organize dealers and system integrators into
"private networks", providing repair parts only to
"certified" companies to make repairs more difficult and
evade competition. We wrap up by advocating for a "Right to
Repair" in robotics to reduce robot e-waste and promote
systematic teardowns for the benefit of security
research.},
author = {Mayoral-Vilches, Víctor and Maggi, Federico},
date = {2021-07-31},
eventtitle = {Black Hat Briefings USA},
file = {files/talks/mayoral-vilches_smallwonderbhus_talk_2021.pdf},
howpublished = {Peer-reviewed Talk},
location = {Las Vegas, US},
shorttitle = {SmallWonderBHUS},
title = {Small Wonder: Uncovering Planned Obsolescence Practices in
Robotics and What This Means for Cybersecurity},
url = {https://www.blackhat.com/us-20/briefings/schedule/index.html#otrazor-static-code-analysis-for-vulnerability-discovery-in-industrial-automation-scripts-19523}
}
Hidden Attack Surfaces of Modern Industrial Automation Systems
Authors:
Federico Maggi
@Unpublished{ maggi_smscs3sthlm_talk_2020,
abstract = {Last year we performed a security analysis on a testbed
smart manufacturing system using a variety of
"unconventional" attack vectors. Striving to think very
much outside the box, we wanted to understand which
overlooked conditions and attacker capabilities make
certain attacks possible, and their consequences.
Through concrete PoCs, we'll describe what unconventional
attack vectors and very creative attackers can achieve, as
well as how they can be stopped by current security
solutions.
We'll first show how a remote attacker can indirectly
compromise an engineering workstation to backdoor the
automation logic of an industrial robot. Then, we'll reveal
how the attack has been carried out via a malicious
software extension that targets the simulation and offline
programming (OLP) platform. The attendees will learn that
such malicious extensions have full capabilities on the
target system, but we'll explain what they are and how they
can be stopped.
Our second entry point is an industry-grade embedded
device. These devices, often dubbed "IIoT devices", offer
great programming flexibility—compared to, say, PLCs—at
the price of more responsibility for the programmers. The
proliferation of customizable IIoT devices along with the
many 3rd-party development libraries are the perfect target
for software supply-chain attacks. We'll show how we
trojanized a simple temperature-measurement library to
implement an ARP-based DoS attack, along with inaccurate
temperature data-points, which can cause cascade effects
down the data-processing pipeline. We'll argue that
detecting violations in the software supply-chain is hard
in large, distributed enterprises, but their effects can be
mitigated with proper network partitioning.
The last step of our security analysis focused on lateral
movements to complex, programmable machines such as
industrial robots. We observe that, movement-instructions
aside, industrial robot programming languages have
statements, loops, conditions, network sockets, serial
communication, etc. With access to low-level system
resources like files, network, memory, and peripherals,
task programs are a powerful, overlooked payload. Not only
do we show that task programs are susceptible to
input-validation vulnerabilities, we also show that they're
rich enough to implement malware-like functionalities,
given that the runtime environment provides no resource
isolation. As a result, task programs have unmediated
access to the entire system.
We'll share cases of vulnerable and malicious task
programs, and how to discover such patterns, including some
vulnerabilities we found in real-world code.
We conclude by discussing the remediation steps that can be
adopted by developers and vendors to mitigate our findings
in the medium and long term.},
author = {Maggi, Federico},
date = {2020-10-21},
eventtitle = {CS3STHLM},
file = {files/talks/maggi_smscs3sthlm_talk_2020.pdf},
howpublished = {Peer-reviewed Talk},
location = {Stockholm, Sweden},
shorttitle = {SMSCS3STHLM},
title = {Hidden Attack Surfaces of Modern Industrial Automation
Systems},
url = {https://cs3sthlm.se/agenda/}
}
Guarding the Factory Floor: Catching Insecure Industrial Robot Programs
Authors:
Federico Maggi, Marcello Pogliani, Davide Quarta, Stefano Zanero, Marco Balduzzi
@Unpublished{ maggi_otrazorhitcon_talk_2020,
abstract = {What if a perfectly patched industrial manufacturing
machine can still harbor vulnerabilities where no one
is looking? What if the powerful programming languages used
to program these machines can go beyond simple movement
instructions, and actually allow threat actors to hide
malware into the logic?
Industrial robot OEMs provide proprietary, legacy
programming languages to automate these complex machines.
Mostly offering movement primitives, these programming
languages also give access to low-level system resources
like files, network sockets, and some even allow memory and
program-pointer access. While useful, these features may lead to
insecure programming patterns such as input-validation
vulnerabilities. Also, they’re powerful enough to allow
the implementation of advanced malware functionalities,
with an underlying runtime environment that provides no
resource isolation.
After going through the technical features of the languages
by eight leading OEMs, we'll share cases of vulnerable and
malicious usage. We'll then present a static code analyzer
that we created and patented, to scan robotic programs and
discover unsafe code patterns. Our evaluation on 100
automation task program files shows that insecure patterns
are indeed found in real-world code, and that static source
code analysis is an effective defense tool in the short
term.},
author = {Maggi, Federico and Pogliani, Marcello and Quarta, Davide
and Zanero, Stefano and Balduzzi, Marco},
date = {2020-09-12},
eventtitle = {HITCON},
file = {files/talks/maggi_otrazorhitcon_talk_2020.pdf},
howpublished = {Peer-reviewed Talk},
location = {Taiwan},
shorttitle = {OTRazorHITCON},
title = {Guarding the Factory Floor: Catching Insecure Industrial
Robot Programs},
url = {https://hitcon.org/2020/agenda/93ba0758-bd84-43ae-9da0-b389fde2803b/}
}
OTRazor: Static Code Analysis for Vulnerability Discovery in Industrial Automation Scripts
Authors:
Federico Maggi, Marcello Pogliani, Davide Quarta, Stefano Zanero, Marco Balduzzi
@Unpublished{ maggi_otrazorbhus_talk_2020,
abstract = {In this talk, we delve into industrial robot programming,
focusing on the security issues arising from the design and
implementation choices of these platforms.
Industrial robot manufacturers provide proprietary,
domain-specific programming languages to operate these
complex machines. Mostly focused on movement instructions,
such programming languages also provide access to low-level
system resources like files and network access, and some
even allow dynamic code loading. While useful, these
features can lead to unsafe programming patterns such as
input-validation vulnerabilities or malware-like
functionalities, especially if the underlying environment
provides no resource isolation like those found in modern
operating systems.
After describing the technical features of the languages by
eight leading manufacturers, we'll share several cases of
vulnerable and malicious usage. We'll then present a static
code analyzer that we created and patented, to scan robotic
programs and discover unsafe code patterns. Our evaluation
on 50 automation programs shows that unsafe patterns are
indeed found in real-world code, and that static source
code analysis is an effective defense tool in the short
term.
We conclude by discussing the remediation steps that can be
adopted by developers and vendors to mitigate such issues
in the medium and long term.},
author = {Maggi, Federico and Pogliani, Marcello and Quarta, Davide
and Zanero, Stefano and Balduzzi, Marco},
date = {2020-08-05},
eventtitle = {Black Hat Briefings USA},
file = {files/talks/maggi_otrazorbhus_talk_2020.pdf},
howpublished = {Peer-reviewed Talk},
location = {Las Vegas, US},
shorttitle = {OTRazorBHUS},
title = {OTRazor: Static Code Analysis for Vulnerability Discovery
in Industrial Automation Scripts},
url = {https://www.blackhat.com/us-20/briefings/schedule/index.html#otrazor-static-code-analysis-for-vulnerability-discovery-in-industrial-automation-scripts-19523}
}
Hey Operator, Where’s Your Crane? Attacking Industrial Remote Controllers
Authors:
Marco Balduzzi, Federico Maggi
@Unpublished{ balduzzi_industrialradioshitb_talk_2019,
abstract = {Radio-frequency (RF) remote controllers are widely used in
multiple industrial applications like manufacturing,
construction and transportation. Cranes, drillers and
diggers, among others, are commonly equipped with RF
controllers, which have become the weakest link in
safety-critical IIoT applications.
Our security assessment revealed a lack of important
security features at different levels, with vendors using
obscure proprietary protocols instead of standards. As a
consequence, this technology appeared to be vulnerable to
attacks like replay, command injection, e-stop abuse,
malicious repairing and reprogramming. Together with ZDI,
we ran a 6-month responsible disclosure process and
then released 10 security advisories.
In this presentation, we share the findings of our research
and make use of demos to discuss the problems in detail. We
conclude providing recommendations for all parties involved
in the life-cycle of these devices, from vendors to users
and system integrators.},
author = {Balduzzi, Marco and Maggi, Federico},
date = {2019-05-10},
eventtitle = {Hack In The Box Amsterdam},
file = {files/talks/balduzzi_industrialradioshitb_talk_2019.pdf},
howpublished = {Peer-reviewed Talk},
location = {Amsterdam, The Netherlands},
shorttitle = {IndustrialRadiosHITB},
title = {Hey Operator, Where’s Your Crane? Attacking Industrial
Remote Controllers},
url = {https://conference.hitb.org/hitbsecconf2019ams/sessions/hey-operator-wheres-your-crane-attacking-industrial-remote-controllers/}
}
RFQuack: The RF-Analysis Tool That Quacks
Authors:
Federico Maggi
@Unpublished{ maggi_rfquack_talk_2019,
abstract = {RFQuack is the versatile RF-analysis tool that quacks!
It's a library firmware that allows you to sniff,
manipulate, and transmit data over the air. And if you're
not happy with the default firmware functionalities, we made
it easy to extend. Consider it as the hardware-modular and
developer-friendly version of the great YardStick One,
which is based on the CC1111 radio chip. Differently from
that and other RF dongles, RFQuack is designed to be
agnostic with respect to the radio chip. So if you want to
use, say, the RF69, you can do it. If you need to use the
CC110L or CC1120, you can do it. Similarly to RFCat,
RFQuack has a console-based, Python-scriptable client that
allows you to set parameters, receive, transmit, and so
on.},
author = {Maggi, Federico},
date = {2019-05-09},
eventtitle = {HITB Amsterdam},
file = {files/talks/maggi_rfquack_talk_2019.pdf},
howpublished = {Peer-reviewed Demo},
location = {Amsterdam, The Netherlands},
shorttitle = {RFQuack},
title = {RFQuack: The RF-Analysis Tool That Quacks},
url = {https://github.com/trendmicro/RFQuack}
}
Machine-to-Machine Protocol Security: The Case of MQTT and CoAP
Authors:
Federico Maggi
@Unpublished{ maggi_m2mhmi_talk_2019,
abstract = {MQTT and CoAP provide data connectivity for practically
any kind of "machines". This talk will cover the results of
our security analysis of MQTT and CoAP, which uncovered
issues in the design specifications, vulnerable product
implementations, and hundreds of thousands of unsecured,
open-to-the-world deployments. Despite the fixes in the
design specifications, it is hard for developers to keep up
with a changing standard when a technology becomes
pervasive. Also, the market of this technology is very wide
because the barrier to entry is fairly low. This led to a
multitude of fragmented implementations. Our findings have
been acknowledged by the vendors, by the MQTT Technical
Committee, which released a note to help identify the
risks, and received the attention of several other
organizations. Using MQTT and CoAP as a case study, we will
provide recommendations at various levels, in the hope of
seeing a significant reduction in the number of insecure
deployments in the future.},
author = {Maggi, Federico},
date = {2019-04-04},
eventtitle = {Hannover Messe},
file = {files/talks/maggi_m2mhmi_talk_2019.pdf},
howpublished = {Selected Talk},
location = {Hannover, Germany},
shorttitle = {M2MHMI},
title = {Machine-to-Machine Protocol Security: The Case of MQTT and
CoAP},
url = {https://www.hannovermesse.de/event/machine-to-machine-protocol-security-the-case-of-mqtt-and-coap/VOR/90582}
}
When Machines Can't Talk: Security and Privacy Issues of Machine-to-Machine Data Protocols
Authors:
Federico Maggi, Davide Quarta
@Unpublished{ maggi_mqttbheu_talk_2018,
abstract = {Two popular machine-to-machine (M2M) protocols—MQTT &
CoAP—are slowly forming the backbone of many IoT
infrastructures, including critical industry environments.
They are used to provide data connectivity for practically
any kind of "machines". We found out that these protocols
are affected by security and privacy issues that impact
several market verticals, applications, products, and
brands.
This talk provides a security analysis of MQTT & CoAP at
the design, implementation, and deployment level. We found
issues in the design specifications, vulnerable product
implementations, and hundreds of thousands of unsecured,
open-to-the-world deployments. These issues show the risk
that endpoints could be open to denial-of-service attacks
and, in some cases, full control by an adversary. Despite
the fixes in the design specifications, it is hard for
developers to keep up with a changing standard when a
technology becomes pervasive. Also, the market of this
technology is very wide because the barrier to entry is
fairly low. This led to a multitude of fragmented
implementations.
We analyzed the source code of the most common MQTT
implementations, and discovered common flaws—mostly
originating from misinterpretation of the standard. In
particular, we found issues in how multibyte strings, UTF-8
characters, and regular-expressions are parsed. Combined
with standard features that force servers to retain
messages and clients to request acknowledgement of the
delivery of every message, such bugs can lead to persistent
denial of service. Our findings have been acknowledged by
the MQTT Technical Committee, which released a note to help
identify the risks.
Alongside this, we've analyzed hundreds of millions of MQTT &
CoAP messages obtained from hundreds of thousands of servers.
Despite previous efforts that tried to raise awareness, we
still found exposed data related to various industry
sectors and sensitive information, including credentials
and network infrastructure details. Moreover, we found out
that MQTT is being used beyond messaging, to transport
binary data, most likely for OTA update purposes, which
certainly raises a red flag.
Using MQTT & CoAP as a concrete example of modern M2M
technology, we will provide recommendations at various
levels (standardization bodies, vendors, developers, and
users) in the hope of seeing a significant reduction in the
number of insecure deployments in the future, and a more
responsible position by standardization bodies.},
author = {Maggi, Federico and Quarta, Davide},
date = {2018-12-06},
eventtitle = {Black Hat Briefings Europe},
file = {files/talks/maggi_mqttbheu_talk_2018.pdf},
howpublished = {Peer-reviewed Talk},
location = {London, UK},
shorttitle = {MQTTBHEU},
title = {When Machines Can't Talk: Security and Privacy Issues of
Machine-to-Machine Data Protocols},
url = {https://www.blackhat.com/eu-18/briefings/schedule/#when-machines-cant-talk-security-and-privacy-issues-of-machine-to-machine-data-protocols-12722}
}
Using Machine-Learning to Investigate Web Campaigns at Large
Authors:
Federico Maggi
@Unpublished{ maggi_webdefacementhitb_talk_2018,
abstract = {Web defacement is the practice of altering a website after
its compromise. The altered pages, called defaced pages,
can negatively affect the reputation and business of the
victim. While investigating several campaigns, we observed
that the artifacts left by these attackers allow an expert
analyst to investigate their modus operandi and social
structure, and expand from single attacks to a group of
related incidents. However, manually performing such
analysis on millions of events is tedious, and poses
scalability challenges.
From these observations, we conceived an automated system
that efficiently builds intelligence information out of raw
events. Our approach streamlines the analysts' job by
automatically recognizing web campaigns, and assigning
meaningful textual labels to them. Applied to a
comprehensive dataset of 13 million incidents, our approach
allowed us to conduct what we believe to be the first
large-scale investigation of this form. In addition, our
approach is meant to be adopted operationally by analysts
to identify live campaigns in the real world.
We analyze the social structure of modern web attackers,
which includes lone individuals as well as actors that
cooperate in teams. We look into their motivations, and we
draw a parallel between the timeline of world-shaping
events and web campaigns, which represent the evolution of
the interests and orientation of modern attackers.},
author = {Maggi, Federico},
date = {2018-11-28},
eventtitle = {Hack In The Box Dubai},
file = {files/talks/maggi_webdefacementhitb_talk_2018.pdf},
howpublished = {Peer-reviewed Talk},
location = {Dubai, United Arab Emirates},
shorttitle = {WebDefacementHITB},
title = {Using Machine-Learning to Investigate Web Campaigns at
Large},
url = {https://conference.hitb.org/hitbsecconf2018dxb/sessions/using-machine-learning-to-investigate-web-campaigns-at-large/}
}
Safety Risks and Threats in Industrial Automation Systems: The Case of Industrial Radio Remote Controllers
Authors:
Federico Maggi
@Unpublished{ maggi_ir_talk_2018,
author = {Maggi, Federico},
date = {2018-11-16},
eventtitle = {Trend Micro Direction},
file = {files/talks/maggi_ir_talk_2018.pdf},
howpublished = {Talk},
location = {Tokyo, JP},
shorttitle = {IR},
title = {Safety Risks and Threats in Industrial Automation Systems:
The Case of Industrial Radio Remote Controllers},
url = {https://direction.trendmicro.com/sess/}
}
The impact of legacy machines on future manufacturing cybersecurity
Authors:
Federico Maggi
@Unpublished{ maggi_iiothmi_talk_2018,
abstract = {Despite the focus on future-generation equipment, legacy
industrial machines will continue to exist. In terms of
cybersecurity risks, what happens when these machines must
be connected? We've answered this question by taking a
close look at a previous-generation industrial robot, one
of the most widespread industrial machines, used in practically
every sector, including manufacturing. Besides the
software vulnerabilities that we have found, which we
consider "natural" in embedded software, we focused on the
root cause of these vulnerabilities and we will discuss our
thoughts and practical recommendations with the audience.
We will provide a demo of what happens when an attacker
compromises an industrial robot, explaining how a software
flaw can go all the way down to affecting the quality of
the manufactured goods. Beyond robots, the entire factory
features more and more embedded systems, which are a
critical entry point for an external attacker, and thus
need to be properly secured.},
author = {Maggi, Federico},
date = {2018-04-09},
eventtitle = {Hannover Messe},
file = {files/talks/maggi_iiothmi_talk_2018.pdf},
howpublished = {Selected Talk},
location = {Hannover, Germany},
shorttitle = {IIoTHMI},
title = {The impact of legacy machines on future manufacturing
cybersecurity},
url = {http://www.hannovermesse.de/event/the-impact-of-legacy-machines-on-future-manufacturing-cybersecurity/VOR/83621}
}
ShieldFS: The Last Word in Ransomware-resilient File Systems
Authors:
Andrea Continella, Alessandro Guagnelli, Giovanni Zingaro, Giulio De Pasquale, Alessandro Barenghi, Stefano Zanero, Federico Maggi
@Unpublished{ continella_shieldfsbhus_talk_2017,
abstract = {Preventive and reactive security measures can only
partially mitigate the damage caused by modern ransomware
attacks. The remarkable amount of illicit profit and the
cybercriminals' increasing interest in ransomware schemes
demonstrate that current defense solutions are failing, and
a large number of users are actually paying the ransoms. In
fact, pure-detection approaches (e.g., based on analysis
sandboxes or pipelines) are not sufficient, because, when
luck allows a sample to be isolated and analyzed, it is
already too late for several users! Moreover, modern
ransomware implements several techniques to prevent
detection by common AV. Similarly, for performance reasons,
backups leave a small-but-important window of recent files
unprotected.
We believe that a forward-looking solution is to equip
modern operating systems with generic, practical
self-healing capabilities against this serious threat.
In this talk, we will present ShieldFS, a drop-in driver
that makes the Windows native filesystem immune to
ransomware attacks, even when detection fails. ShieldFS
dynamically toggles a protection layer that acts as a
copy-on-write mechanism whenever its detection component
reveals suspicious activity. For this, ShieldFS monitors
the filesystem's internals to update a set of adaptive
models that profile the system activity over time. This
detection is based on a study of the filesystem activity of
over 2,245 applications, and takes into account the entropy
of write operations, frequency of read, write, and
folder-listing operations, fraction of files renamed, and
the file-type usage statistics. Additionally, ShieldFS
monitors the memory pages of each "potentially malicious"
process, searching for traces of the typical block cipher
key schedules.
We will show how ShieldFS can shadow the write operations.
Whenever one or more processes violate our detection
component, their operations are deemed malicious and the
side effects on the filesystem are transparently rolled
back.
Last, we will demo how effective ShieldFS is against
samples from state of the art ransomware families, showing
that it is able to detect the malicious activity at runtime
and transparently recover all the original files.},
author = {Continella, Andrea and Guagnelli, Alessandro and Zingaro,
Giovanni and De Pasquale, Giulio and Barenghi, Alessandro
and Zanero, Stefano and Maggi, Federico},
date = {2017-07-27},
eventtitle = {Black Hat Briefings USA},
file = {files/talks/continella_shieldfsbhus_talk_2017.pdf},
howpublished = {Peer-reviewed Talk},
location = {Las Vegas, US},
shorttitle = {ShieldFSBHUS},
title = {ShieldFS: The Last Word in Ransomware-resilient File
Systems},
url = {https://www.blackhat.com/us-17/briefings.html#shieldfs-the-last-word-in-ransomware-resilient-file-systems}
}
DefPloreX: A Machine Learning Toolkit for Large-scale e-Crime Forensics
Authors:
Marco Balduzzi, Federico Maggi, Vincenzo Ciancaglini, Ryan Flores, Lion Gu
@Unpublished{ balduzzi_defplorexbhus_talk_2017,
abstract = {The security industry as a whole---including operation
centers, providers and telcos---loves collecting data.
Researchers are no different! A common feeling is
that the more data someone collects, the more
self-confident he becomes about, say, a threat or another
phenomenon. However, large volumes of data imply more
processing resources needed, especially in extracting
meaningful and useful information if the data is highly
unstructured. As a result, manual data analysis is often
the only choice, with security professionals like
pen-testers, reversers and analysts processing data through
tedious repetitive operations.
Given this situation, and our research lab suffering from
similar problems, we have spent the first half of 2017
implementing a flexible toolkit based on open-source
libraries for efficiently analyzing millions of deface
pages and web incidents. Our tool, DefPloreX, uses a
combination of machine-learning and visualization
techniques to practically turn original unstructured data
into meaningful high-level descriptions. Real-time
information on incidents, breaches, attacks and
vulnerabilities, for example, are efficiently processed and
condensed into objects that are easily browsable -- making
them suitable for efficient large-scale eCrime forensics
and investigations.
DefPloreX ingests plain CSV inputs about web incidents to
analyze, explores their resources with headless browsers,
extracts features from deface pages, and uploads the
resulting data to an Elastic index. Distributed headless
browsers are coordinated via Celery. Using Python Pandas,
NumPy and PyTables, DefPloreX provides offline "views" of
the data, allowing easy pivoting and exploration. Our
toolkit automatically groups similar deface pages in
clusters and organizes web incidents in campaigns.
Requiring only one pass, clustering is intrinsically
parallel and not memory bound. DefPloreX offers text- and
web-based UIs, which can be queried using a simple language
for investigations and forensics.},
author = {Balduzzi, Marco and Maggi, Federico and Ciancaglini,
Vincenzo and Flores, Ryan and Gu, Lion},
date = {2017-07-27},
eventtitle = {Black Hat Arsenal USA},
file = {files/talks/balduzzi_defplorexbhus_talk_2017.pdf},
howpublished = {Peer-reviewed Demo},
location = {Las Vegas, US},
shorttitle = {DefPloreXBHUS},
title = {DefPloreX: A Machine Learning Toolkit for Large-scale
e-Crime Forensics},
url = {https://www.blackhat.com/us-17/arsenal.html#defplorex-a-machine-learning-toolkit-for-large-scale-ecrime-forensics}
}
Breaking the Laws of Robotics: Attacking Industrial Robots
Authors:
Davide Quarta, Marcello Pogliani, Mario Polino, Federico Maggi, Stefano Zanero
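@Unpublished{quarta_robosecbhus_talk_2017,
  author       = {Quarta, Davide and Pogliani, Marcello and Polino, Mario
                  and Maggi, Federico and Zanero, Stefano},
  title        = {Breaking the Laws of Robotics: Attacking Industrial
                  Robots},
  shorttitle   = {RoboSecBHUS},
  date         = {2017-07-27},
  eventtitle   = {Black Hat Briefings USA},
  location     = {Las Vegas, US},
  howpublished = {Peer-reviewed Talk},
  file         = {files/talks/quarta_robosecbhus_talk_2017.pdf},
  url          = {https://www.blackhat.com/us-17/briefings.html#breaking-the-laws-of-robotics-attacking-industrial-robots},
  abstract     = {Industrial robots are complex cyber-physical systems used
                  for manufacturing, and a critical component of any modern
                  factory. These robots aren't just electromechanical devices
                  but include complex embedded controllers, which are often
                  interconnected with other computers in the factory network,
                  safety systems, and to the Internet for remote monitoring
                  and maintenance. In this scenario, industrial routers also
                  play a key role, because they directly expose the robot's
                  controller. Therefore, the impact of a single, simple
                  vulnerability can grant attackers an easy entry point.
                  Industrial robots must follow three fundamental laws:
                  accurately ``read'' from the physical world through sensors
                  and ``write'' (i.e. perform actions) through actuators,
                  refuse to execute self-damaging control logic, and most
                  importantly, echoing Asimov, never harm humans. By
                  combining a set of vulnerabilities we discovered on a real
                  robot, we will demonstrate how remote attackers are able to
                  violate such fundamental laws up to the point where they
                  can alter the manufactured product, physically damage the
                  robot, steal industry secrets, or injure humans.
                  We will cover in-depth technical aspects (e.g., reverse
                  engineering and vulnerability details, and attack PoCs),
                  alongside a broader discussion on the security posture of
                  industrial routers and robots: Why these devices are
                  attractive for attackers? What could they achieve? Are they
                  hard to compromise? How can their security be improved?},
}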
Talking Behind Your Back: Attacks and Countermeasures of Ultrasonic Cross-Device Tracking
Authors:
Vasilios Mavroudis, Shuang Hao, Yanick Fratantonio, Federico Maggi, Giovanni Vigna, Christopher Kruegel
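@Unpublished{mavroudis_silverdogbh_talk_2016,
  author       = {Mavroudis, Vasilios and Hao, Shuang and Fratantonio,
                  Yanick and Maggi, Federico and Vigna, Giovanni and Kruegel,
                  Christopher},
  title        = {Talking Behind Your Back: Attacks and Countermeasures of
                  Ultrasonic Cross-Device Tracking},
  shorttitle   = {SilverDogBH},
  date         = {2016-11-03},
  eventtitle   = {Black Hat Briefings Europe},
  location     = {London, UK},
  howpublished = {Peer-reviewed Talk},
  file         = {files/talks/mavroudis_silverdogbh_talk_2016.pdf},
  url          = {https://blackhat.com/eu-16/briefings/schedule/#talking-behind-your-back-attacks-and-countermeasures-of-ultrasonic-cross-device-tracking-4864},
  abstract     = {Cross-device tracking (XDT) technologies are currently the
                  ``Holy Grail'' for marketers because they allow to track
                  the user's visited content across different devices to then
                  push relevant, more targeted content. For example, if a
                  user clicks on a particular advertisement while browsing
                  the web at home, the advertisers are very interested in
                  collecting this information to display, later on, related
                  advertisements on other devices belonging to the same user
                  (e.g., phone, tablet).
                  Currently, the most recent innovation in this area is
                  ultrasonic cross-device tracking (uXDT), which is the use
                  of the ultrasonic spectrum as a communication channel to
                  ``pair'' devices for the aforementioned tracking purposes.
                  Technically, this pairing happens through a receiver
                  application installed on the phone or tablet. The business
                  model is that users will receive rewards or useful services
                  for keeping those apps active, pretty much like it happens
                  for proximity-marketing apps (e.g., Shopkick), where users
                  receive deals for walk-ins recorded by their
                  indoor-localizing apps.
                  This talk will describe and demonstrate the practical
                  security and privacy risks that arise with the adoption of
                  uXDT-enabled systems. The uXDT technology has caught the
                  attention of major companies (e.g., IDG Ventures, Google,
                  Nestle, Dominos), many of which either invested in uXDT
                  providers (e.g., SilverPush, Signal360, Audible Magic), or
                  approached such companies as clients. Unfortunately,
                  unbeknownst to the users, we found that numerous mobile
                  applications, some with millions of downloads, include uXDT
                  advertising frameworks that actively listen for
                  ultrasounds, with no opt-out option for the users! Security
                  experts and the authorities (e.g., the Federal Trade
                  Commission) have promptly raised concerns about uXDT, but
                  until now no comprehensive security analysis of the
                  technology has been released.
                  In this talk, we will explore the uXDT ecosystem, dig into
                  the inner workings of popular uXDT frameworks, and perform
                  an in-depth technical analysis of the underlying
                  technology, exposing both implementation \& design
                  vulnerabilities, and critical security \& privacy
                  shortcomings that we discovered. In the offensive part of
                  our talk, we will demonstrate (through practical demo
                  sessions) how an attacker can exploit uXDT frameworks to
                  reveal the true IP addresses of users who browse the
                  Internet through anonymity networks (e.g., VPNs or Tor).
                  Moreover, we will describe how an attacker can tamper with
                  the ``pairing'' process or affect the results of the
                  advertising/bidding algorithms. For example, an attacker
                  equipped with a simple beacon-emitting device (e.g., a
                  smartphone) can walk into a Starbucks at peak hour and
                  launch a profile-corruption attack against all customers
                  currently taking advantage of uXDT-enabled apps.
                  In the defensive part of our talk, we will introduce three
                  countermeasures that we designed, implemented, and will
                  publicly release. These include (1) a mobile application
                  that detects ultrasound beacons ``in the air'' with the goal
                  of raising awareness, (2) a browser extension that acts as
                  a personal firewall by selectively filtering ultrasonic
                  beacons, and (3) a brand-new OS permission control in
                  Android that allows applications to declaratively ask
                  access to the ultrasound spectrum. We will go into the
                  technical details and provide remediation advice useful
                  both for the users and developers.},
}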
Pocket-sized Badness: Why Ransomware Comes as a Plot Twist in the Cat-Mouse Game
Authors:
Federico Maggi, Stefano Zanero
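@Unpublished{maggi_greateatlonbheu_talk_2016,
  author       = {Maggi, Federico and Zanero, Stefano},
  title        = {Pocket-sized Badness: Why Ransomware Comes as a Plot Twist
                  in the Cat-Mouse Game},
  shorttitle   = {GreatEatlonBHEU},
  date         = {2016-11-03},
  eventtitle   = {Black Hat Briefings Europe},
  location     = {London, UK},
  howpublished = {Peer-reviewed Talk},
  file         = {files/talks/maggi_greateatlonbheu_talk_2016.pdf},
  url          = {https://www.blackhat.com/eu-16/briefings.html},
  abstract     = {While we have grown accustomed to stealthy malware,
                  specifically written to gain and maintain control of the
                  victim machines to abuse their resources, ransomware really
                  comes as a ``plot twist''! After 10+ years of stealthy
                  malware, spread mainly for building botnets and steal
                  information, for the second time we're witnessing a growth
                  of disruptive malware, and an interest for direct and fast
                  profit. Ransomware is a particularly striking example of
                  disruptive malware, both on mobile and desktop targets:
                  While traditional mass malware must fly under the radar to
                  fulfill its goals, a ransomware attack that remains
                  unaccountable has failed miserably. It must show up to
                  inform and frighten the victim! As a result, the human
                  psychological response to the attack plays a significant
                  role in the success of ransomware schemes. And, given the
                  remarkable revenue, the scheme seems to be working fairly
                  well.
                  This talk will describe the technical impact of disruptive
                  malware and its game-changing approach, which made us (at
                  least) rethink our incident-response plans. We will focus
                  on mobile ransomware as a representative, extreme case
                  study. Albeit not very studied, we are currently tracking
                  10 distinct families, and collected tens of thousands of
                  distinct samples in three months. In this talk, we will go
                  through the most notorious families such as Koler, SLocker,
                  Svpeng (and mention the other notable ones), overviewing
                  their social-engineering tricks and how they are
                  technically implemented. This will include, for instance,
                  how an app can effectively lock a device to forcefully
                  display the typical threatening message that informs the
                  victim of what just happened, or how crypto and file-system
                  APIs are (ab)used to surreptitiously encrypt the valuable
                  data.
                  After having overviewed these aspects, we will describe how
                  they can be effectively detected with specific static
                  features. We will present a lightweight Smali emulator to
                  track the instruction sequences that implement
                  device-locking mechanisms. To detect malicious encryption
                  attempts, we will present a static, dataflow-based
                  program-analysis technique and tool that track file-system
                  operations (e.g., file listing, file reading) to determine
                  if they are ``connected'' to encryption flows. Since the most
                  recent families have started to abuse the
                  device-administration API (e.g., to lock the device),
                  obfuscated method names and reflection to hinder automatic
                  static analysis, we will show a couple of counter-tricks.
                  Last, we will show how the threatening messages can be
                  recognized from normal text using a language-analysis
                  technique, which classifies text based on the appearance of
                  key terms frequently found in ransomware samples but not in
                  benign sources. Since static program-analysis approaches
                  like ours can be time and resource consuming, we describe a
                  fast triaging pre-filtering technique to quickly discard
                  strikingly benign applications. This filter is generic and
                  ransomware-agnostic. Thus, in principle, it could be
                  applied to any app-vetting pipeline.
                  With this talk we will release the source code of a
                  prototype that implements (part of) the described
                  techniques, and a dataset comprising tens of thousands of
                  ransomware applications targeting the Android platform,
                  each labeled with the set of features that characterize
                  their statically-extracted behavior.},
}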
Fast and Transparent Online Banking Fraud Detection and Investigation
Authors:
Federico Maggi
Hek.si
@Unpublished{maggi_banksealer_talk_2016,
  author       = {Maggi, Federico},
  title        = {Fast and Transparent Online Banking Fraud Detection and Investigation},
  shorttitle   = {BankSealer},
  date         = {2016-04-15},
  eventtitle   = {Hek.si},
  location     = {Ljubljana, Slovenia},
  howpublished = {Invited Talk},
  file         = {files/talks/maggi_banksealer_talk_2016.pdf},
}
Malware on Mobile: The What, The Why, and The How
Authors:
Federico Maggi, Yanick Fratantonio
Science and Engineering Council of Santa Barbara
@Unpublished{maggi_mobilemalware_talk_2015,
  author       = {Maggi, Federico and Fratantonio, Yanick},
  title        = {Malware on Mobile: The What, The Why, and The How},
  shorttitle   = {MobileMalware},
  date         = {2015-11-11},
  eventtitle   = {Science and Engineering Council of Santa Barbara},
  location     = {Santa Barbara, CA},
  howpublished = {Invited Talk},
  file         = {files/talks/maggi_mobilemalware_talk_2015.pdf},
}
A walk through the construction of the first mobile malware tracker
Authors:
Federico Maggi
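@Unpublished{maggi_droydseuss_talk_2015,
  author       = {Maggi, Federico},
  title        = {A Walk Through the Construction of the First Mobile
                  Malware Tracker},
  shorttitle   = {DroydSeuss},
  date         = {2015-09-11},
  eventtitle   = {Android Security Symposium},
  location     = {Vienna, Austria},
  howpublished = {Invited Talk},
  file         = {files/talks/maggi_droydseuss_talk_2015.pdf},
  url          = {https://usmile.at/symposium/program},
}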
Mobile Ransomware
Authors:
Federico Maggi
@Unpublished{maggi_mobileransomware_talk_2015,
  author       = {Maggi, Federico},
  title        = {Mobile Ransomware},
  shorttitle   = {MobileRansomware},
  date         = {2015-06-03},
  eventtitle   = {6th National Conference on Cyber Warfare},
  location     = {Milano, Italy},
  howpublished = {Invited Talk},
  file         = {files/talks/maggi_mobileransomware_talk_2015.pdf},
  url          = {http://www.infowar.it/},
}
From Cybercrime to Threat Analysis
Authors:
Federico Maggi
@Unpublished{maggi_cybercrimethreatanalysis_talk_2015,
  author       = {Maggi, Federico},
  title        = {From Cybercrime to Threat Analysis},
  shorttitle   = {CybercrimeThreatAnalysis},
  date         = {2015-04-20},
  location     = {Università degli Studi di Trento},
  howpublished = {Invited Talk},
  file         = {files/talks/maggi_cybercrimethreatanalysis_talk_2015.pdf},
}
From Cybercrime to Threat Analysis
Authors:
Federico Maggi
@Unpublished{maggi_threatanalysis_talk_2015,
  author       = {Maggi, Federico},
  title        = {From Cybercrime to Threat Analysis},
  shorttitle   = {ThreatAnalysis},
  date         = {2015-03-18},
  eventtitle   = {Catedra Europa},
  howpublished = {Invited Talk},
  file         = {files/talks/maggi_threatanalysis_talk_2015.pdf},
  url          = {http://www.uninorte.edu.co/web/catedra-europa},
}
Current and Future Cybercrime Tactics
Authors:
Federico Maggi
@Unpublished{maggi_cybercrime_talk_2014,
  author       = {Maggi, Federico},
  title        = {Current and Future Cybercrime Tactics},
  shorttitle   = {Cybercrime},
  date         = {2014-10-13},
  eventtitle   = {5th National Conference on Cyber Warfare},
  location     = {Milano, Italy},
  howpublished = {Invited Talk},
  file         = {files/talks/maggi_cybercrime_talk_2014.pdf},
  url          = {http://www.infowar.it/past/2014_october/index.php},
}
Come to the Dark Side: We have Apps!
Authors:
Federico Maggi
@Unpublished{maggi_andradar_talk_2014,
  author       = {Maggi, Federico},
  title        = {Come to the Dark Side: We have Apps!},
  shorttitle   = {AndRadar},
  date         = {2014-10-11},
  eventtitle   = {HackInBo},
  location     = {Bologna, Italy},
  howpublished = {Invited Talk},
  file         = {files/talks/maggi_andradar_talk_2014.pdf},
  url          = {http://www.hackinbo.it/},
}
Static Analysis of Android Applications
Authors:
Federico Maggi
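@Unpublished{maggi_androidre_talk_2014,
  author       = {Maggi, Federico},
  title        = {Static Analysis of {Android} Applications},
  shorttitle   = {AndroidRe},
  date         = {2014-09-25},
  eventtitle   = {2nd SysSec Summer Institution},
  location     = {Amsterdam, The Netherlands},
  howpublished = {Invited Lecture},
  file         = {files/talks/maggi_androidre_talk_2014.pdf},
  url          = {http://www.syssec-project.eu/events/summer-school-2014/program/},
}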
Virtualization
Authors:
Federico Maggi
@Unpublished{maggi_virtualization_talk_2014,
  author       = {Maggi, Federico},
  title        = {Virtualization},
  shorttitle   = {Virtualization},
  date         = {2014-07-27},
  eventtitle   = {5th Int. Summer Institution on Information Security and Protection},
  location     = {Verona, Italy},
  howpublished = {Invited Lecture},
  file         = {files/talks/maggi_virtualization_talk_2014.pdf},
  url          = {http://issisp2014.di.univr.it/},
}
Tracking and Characterizing Botnets Using Automatically Generated Domains
Authors:
Federico Maggi
Honeynet Workshop
@Unpublished{maggi_phoenixhoneynet_talk_2014,
  author       = {Maggi, Federico},
  title        = {Tracking and Characterizing Botnets Using Automatically
                  Generated Domains},
  shorttitle   = {PhoenixHoneynet},
  date         = {2014-05-14},
  eventtitle   = {Honeynet Workshop},
  location     = {Warsaw, Poland},
  howpublished = {Invited Talk},
  file         = {files/talks/maggi_phoenixhoneynet_talk_2014.pdf},
  abstract     = {Modern botnets rely on domain-generation algorithms (DGAs)
                  to build resilient command-and-control infrastructures.
                  Recent works focus on recognizing automatically generated
                  domains (AGDs) from DNS traffic, which potentially allows
                  to identify previously unknown AGDs to hinder or disrupt
                  botnets' communication capabilities. The state-of-the-art
                  approaches require to deploy low-level DNS sensors to
                  access data whose collection poses practical and privacy
                  issues, making their adoption problematic. We propose a
                  mechanism that overcomes the above limitations by analyzing
                  DNS traffic data through a combination of linguistic and
                  IP-based features of suspicious domains. In this way, we
                  are able to identify AGD names, characterize their DGAs and
                  isolate logical groups of domains that represent the
                  respective botnets. Moreover, our system enriches these
                  groups with new, previously unknown AGD names, and produce
                  novel knowledge about the evolving behavior of each tracked
                  botnet. We used our system in real-world settings, to help
                  researchers that requested intelligence on suspicious
                  domains and were able to label them as belonging to the
                  correct botnet automatically. Additionally, we ran an
                  evaluation on 1,153,516 domains, including AGDs from both
                  modern (e.g., Bamital) and traditional (e.g., Conficker,
                  Torpig) botnets. Our approach correctly isolated families
                  of AGDs that belonged to distinct DGAs, and set
                  automatically generated from non-automatically generated
                  domains apart in 94.8 percent of the cases.},
}
Phoenix & Cerberus: Botnet Tracking via Precise DGA Characterization
Authors:
Federico Maggi
Google Tech Talk
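@Unpublished{maggi_phoenixgoogle_talk_2014,
  author       = {Maggi, Federico},
  title        = {{Phoenix} \& {Cerberus}: Botnet Tracking via Precise {DGA}
                  Characterization},
  shorttitle   = {PhoenixGoogle},
  date         = {2014-05},
  eventtitle   = {Google Tech Talk},
  location     = {Google, Mountain View, CA, USA},
  howpublished = {Invited Talk},
  file         = {files/talks/maggi_phoenixgoogle_talk_2014.pdf},
}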
Malicious Android Apps: Overview, Status and Dilemmas
Authors:
Federico Maggi
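@Unpublished{maggi_androidmalware_talk_2014,
  author       = {Maggi, Federico},
  title        = {Malicious {Android} Apps: Overview, Status and Dilemmas},
  shorttitle   = {AndroidMalware},
  date         = {2014-01-03},
  location     = {Qualcomm, San Diego, USA},
  howpublished = {Invited Talk},
  file         = {files/talks/maggi_androidmalware_talk_2014.pdf},
  url          = {http://s.maggi.cc/android-malware-2013},
}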
Modern Botnets and the Rise of Automatically Generated Domains
Authors:
Federico Maggi
InfoSek
@Unpublished{maggi_phoenixinfosek_talk_2013,
  author       = {Maggi, Federico},
  title        = {Modern Botnets and the Rise of Automatically Generated Domains},
  shorttitle   = {PhoenixInfosek},
  date         = {2013-11-20},
  eventtitle   = {InfoSek},
  location     = {Nova Gorica, Slovenia},
  howpublished = {Invited Talk},
  file         = {files/talks/maggi_phoenixinfosek_talk_2013.pdf},
}
AndroTotal: A Scalable Framework for Android Antivirus Testing
Authors:
Federico Maggi
InfoSek
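@Unpublished{maggi_andrototalinfosek_talk_2013,
  author       = {Maggi, Federico},
  title        = {{AndroTotal}: A Scalable Framework for {Android} Antivirus
                  Testing},
  shorttitle   = {AndroTotalInfosek},
  date         = {2013-11-20},
  eventtitle   = {InfoSek},
  location     = {Nova Gorica, Slovenia},
  howpublished = {Invited Talk},
  file         = {files/talks/maggi_andrototalinfosek_talk_2013.pdf},
}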
AndroTotal: A Scalable Framework for Android Antimalware Testing
Authors:
Federico Maggi
Secure
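@Unpublished{maggi_andrototalsecure_talk_2013,
  author       = {Maggi, Federico},
  title        = {{AndroTotal}: A Scalable Framework for {Android} Antimalware
                  Testing},
  shorttitle   = {AndroTotalSecure},
  date         = {2013-10-09},
  eventtitle   = {Secure},
  location     = {Warsaw, Poland},
  howpublished = {Invited Talk},
  file         = {files/talks/maggi_andrototalsecure_talk_2013.pdf},
  abstract     = {Although there are controversial opinions regarding how
                  large the mobile malware phenomenon is in terms of absolute
                  numbers, hype aside, the amount of new Android malware
                  variants is increasing. This trend is mainly due to the
                  fact that, as it happened with traditional malware, the
                  authors are striving to repackage, obfuscate, or otherwise
                  transform the executable code of their malicious apps in
                  order to evade mobile security apps. There are about 85 of
                  these apps only on the official marketplace. However, it is
                  not clear how effective they are. Indeed, the sandboxing
                  mechanism of Android does not allow (security) apps to
                  audit other apps. We present AndroTotal, a publicly
                  available tool, malware repository and research framework
                  that aims at mitigating the above challenges, and allow
                  researchers to automatically scan Android apps against an
                  arbitrary set of malware detectors. We implemented
                  AndroTotal and released it to the research community in
                  April 2013. So far, we collected 18,758 distinct submitted
                  samples and received the attention of several research
                  groups (1,000 distinct accounts), who integrated their
                  malware-analysis services with ours.},
}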
AndroTotal: A Scalable Framework for Android Antimalware Testing
Authors:
Federico Maggi
MIT CSAIL-POLIMI Workshop
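@Unpublished{maggi_andrototalmit_talk_2013,
  author       = {Maggi, Federico},
  title        = {{AndroTotal}: A Scalable Framework for {Android} Antimalware
                  Testing},
  shorttitle   = {AndroTotalMIT},
  date         = {2013-05},
  eventtitle   = {MIT CSAIL-POLIMI Workshop},
  location     = {MIT, Boston, Massachusetts, USA},
  howpublished = {Invited Talk},
  file         = {files/talks/maggi_andrototalmit_talk_2013.pdf},
  abstract     = {Although there are controversial opinions regarding how
                  large the mobile malware phenomenon is in terms of absolute
                  numbers, hype aside, the amount of new Android malware
                  variants is increasing. This trend is mainly due to the
                  fact that, as it happened with traditional malware, the
                  authors are striving to repackage, obfuscate, or otherwise
                  transform the executable code of their malicious apps in
                  order to evade mobile security apps. There are about 85 of
                  these apps only on the official marketplace. However, it is
                  not clear how effective they are. Indeed, the sandboxing
                  mechanism of Android does not allow (security) apps to
                  audit other apps. We present AndroTotal, a publicly
                  available tool, malware repository and research framework
                  that aims at mitigating the above challenges, and allow
                  researchers to automatically scan Android apps against an
                  arbitrary set of malware detectors. We implemented
                  AndroTotal and released it to the research community in
                  April 2013. So far, we collected 18,758 distinct submitted
                  samples and received the attention of several research
                  groups (1,000 distinct accounts), who integrated their
                  malware-analysis services with ours.},
}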
Our Face are Belong to us: Breaking Facebook's Social Authentication
Authors:
Federico Maggi
Hek.si
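@Unpublished{maggi_soauth_talk_2013,
  author       = {Maggi, Federico},
  title        = {Our Face are Belong to us: Breaking {Facebook}'s Social
                  Authentication},
  shorttitle   = {SoAuth},
  date         = {2013-04},
  eventtitle   = {Hek.si},
  location     = {Ljubljana, Slovenia},
  howpublished = {Invited Talk},
  file         = {files/talks/maggi_soauth_talk_2013.pdf},
  abstract     = {Two-factor authentication is widely used by high-value
                  services to prevent adversaries from compromising accounts
                  using stolen credentials. Facebook has recently released a
                  two-factor authentication mechanism, referred to as Social
                  Authentication, which requires users to identify some of
                  their friends in randomly selected photos. A recent study
                  has provided a formal analysis of social authentication
                  weaknesses against attackers inside the victim's social
                  circles. In this paper, we extend the threat model and
                  study the attack surface of social authentication in
                  practice, and show how any attacker can obtain the
                  information needed to solve the challenges presented by
                  Facebook. We implement a proof-of-concept system that
                  utilizes widely available face recognition software and
                  cloud services, and evaluate it using real public data
                  collected from Facebook. Under the assumptions of
                  Facebook's threat model, our results show that an attacker
                  can obtain access to (sensitive) information for at least
                  42\% of a user's friends that Facebook uses to generate
                  social authentication challenges. By relying solely on
                  publicly accessible information, a casual attacker can
                  solve 22\% of the social authentication tests in an
                  automated fashion, and gain a significant advantage for an
                  additional 56\% of the tests, as opposed to just guessing.
                  Additionally, we simulate the scenario of a determined
                  attacker placing himself inside the victim's social circle
                  by employing dummy accounts. In this case, the accuracy of
                  our attack greatly increases and reaches 100\% when 120
                  faces per friend are accessible by the attacker, even
                  though it is very accurate with as little as 10 faces.},
}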
The Long Story of Short URLs
Authors:
Federico Maggi
ISG Research Seminars
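@Unpublished{maggi_longshore_talk_2012,
  author       = {Maggi, Federico},
  title        = {The Long Story of Short {URLs}},
  shorttitle   = {LongShore},
  date         = {2012-05-01},
  eventtitle   = {ISG Research Seminars},
  location     = {Royal Holloway University of London},
  howpublished = {Invited Talk},
  file         = {files/talks/maggi_longshore_talk_2012.pdf},
  abstract     = {I gave a talk based on these slides for the first time at
                  Royal Holloway University of London, in April 2012. This
                  talk discusses the results of a research that we have
                  conducted about the impact on users of short URLs. I
                  describe a system that we designed, implemented, and
                  deployed that observes and collects the short URLs that
                  more than 7,000 real web users have encountered while
                  browsing the Web between March 2010 and April 2011 (and
                  counting). On this dataset, which comprises 16,075,693
                  distinct short URLs, we first precisely characterized the
                  usage habits observed during our collection process, and
                  the content typically referred by short URLs: Users exhibit
                  different usage habits depending on the type of content
                  they are using short URLs for. We then analyzed the abuse
                  of short URLs to hide the true URL of malicious pages: This
                  practice is not widespread, although we noticed that the
                  miscreants tend to post the same malicious short URL on
                  multiple pages. Finally, we analyzed the countermeasures of
                  shortening services against abuses of short URLs, and found
                  that they are trivially bypassed by shortening a benign URL
                  that turns malicious only a few moments after submitting it
                  to the shortening service.},
}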
iSnoop: How to Steal Secrets From Touchscreen Devices
Authors:
Federico Maggi, Alberto Volpatto, Stefano Zanero
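@Unpublished{maggi_isnoop_talk_2011,
  author       = {Maggi, Federico and Volpatto, Alberto and Zanero,
                  Stefano},
  title        = {{iSnoop}: How to Steal Secrets From Touchscreen Devices},
  shorttitle   = {iSnoop},
  date         = {2011-12},
  eventtitle   = {Black Hat Briefings Abu Dhabi},
  location     = {Abu Dhabi},
  howpublished = {Peer-reviewed Talk},
  file         = {files/talks/maggi_isnoop_talk_2011.pdf},
  url          = {https://www.blackhat.com/html/bh-ad-11/bh-ad-11-archives.html},
  abstract     = {Spying on a person is an easy and effective method to
                  obtain sensitive information, even when the victim is well
                  protected against common digital attacks. Modern mobile
                  devices allow people to perform some information sensitive
                  actions in unsafe places, where anyone could easily observe
                  the victim while typing. What if your mobile phone has a
                  cool touchscreen interface that gives you graphical
                  feedback as you type (iPhone, Android, BlackBerry Torch)?
                  Does it make shoulder surfing easier or, worse,
                  automatable?
                  We believe so, and to demonstrate it, we developed a
                  practical shoulder surfing attack that automatically
                  reconstructs the sequence of keystrokes by aiming a camera
                  at the target touchscreen while the victim is typing. Our
                  attack exploits feedback such as magnified keys, often
                  appearing in predictable positions. This feedback mechanism
                  has been adopted by the top three touchscreen vendors
                  (Apple iOS, Google Android, RIM BlackBerry); in newer
                  versions of these mobile OSs, the user has no way to disable
                  it. To demonstrate the effectiveness of our approach, we
                  implemented it against the iPhone (the most popular one),
                  but it can be easily adapted to similar devices with minor
                  modifications.
                  Our attack takes into account that, in real-world
                  scenarios, both the victim's device and attacker's spying
                  camera are not standing in fixed positions. To compensate
                  their movements and misalignments, our system detects and
                  rectifies the target screen before identifying keystrokes.
                  By doing that, we are able to automatically recognize up to
                  97.07\% of the keystrokes, with as low as 1.15\% errors and
                  an average processing speed that makes it a fast and
                  quasi-real-time alternative to shoulder surfing.},
}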
Detecting Anomalous Behaviors in Computer Infrastructures
Authors:
Federico Maggi
@Unpublished{maggi_phdthesisfbk_talk_2010,
  author       = {Maggi, Federico},
  title        = {Detecting Anomalous Behaviors in Computer Infrastructures},
  shorttitle   = {PhDThesisFBK},
  date         = {2010-02-25},
  location     = {Fondazione Bruno Kessler, Trento},
  howpublished = {Invited Talk},
  file         = {files/talks/maggi_phdthesisfbk_talk_2010.pdf},
}
Just-in-Time Training of Anomaly Detectors
Authors:
Federico Maggi
Computer Systems Seminar
@Unpublished{maggi_justintime_talk_2010,
  author       = {Maggi, Federico},
  title        = {Just-in-Time Training of Anomaly Detectors},
  shorttitle   = {JustInTime},
  date         = {2010-01-21},
  eventtitle   = {Computer Systems Seminar},
  location     = {Vrije Universiteit, Amsterdam},
  howpublished = {Invited Talk},
  file         = {files/talks/maggi_justintime_talk_2010.pdf},
}