Exposing the Lack of Privacy in File Hosting Services
Cited by 2 (1 self)
File hosting services (FHSs) are used daily by thousands of people as a way of storing and sharing files. These services normally rely on a security-through-obscurity approach to enforce access control: For each uploaded file, the user is given a secret URI that she can share with other users of her choice. In this paper, we present a study of 100 file hosting services and we show that a significant percentage of them generate secret URIs in a predictable fashion, allowing attackers to enumerate their services and access their file list. Our experiments demonstrate how an attacker can access hundreds of thousands of files in a short period of time, and how this poses a very big risk for the privacy of FHS users. Using a novel approach, we also demonstrate that attackers are aware of these vulnerabilities and are already exploiting them to get access to other users’ files. Finally, we present SecureFS, a client-side protection mechanism which can protect a user’s files when uploaded to insecure FHSs, even if the files end up in the possession of attackers.
Reverse Social Engineering Attacks in Online Social Networks
Cited by 1 (0 self)
Social networks are some of the largest and fastest growing online services today. Facebook, for example, has been ranked as the second most visited site on the Internet, and has been reporting growth rates as high as 3% per week. One of the key features of social networks is the support they provide for finding new friends. For example, social network sites may try to automatically identify which users know each other in order to propose friendship recommendations. Clearly, most social network sites are critical with respect to users’ security and privacy due to the large amount of information available on them, as well as their very large user base. Previous research has shown that users of online social networks tend to exhibit a higher degree of trust in friend requests and messages sent by other users. Even though the problem of unsolicited messages in social networks (i.e., spam) has already been studied in detail, to date, reverse social engineering attacks in social networks have not received any attention. In a reverse social engineering attack, the attacker does not initiate contact with the victim. Rather, the victim is tricked into contacting the attacker herself. As a result, a high degree of trust is established between the victim and the attacker as the victim is the entity that established the relationship. In this paper, we present the first user study on reverse social engineering attacks in social networks. That is, we discuss and show how attackers, in practice, can abuse some of the friend-finding features that online social networks provide with the aim of launching reverse social engineering attacks. Our results demonstrate that reverse social engineering attacks are feasible and effective in practice.
A vulnerability evaluation framework for online social network profiles: axioms and propositions
Online social network (OSN) usage has led to personal details being presented on online profiles readily. This can cause profile owners to be vulnerable to social engineering attacks. Our approach to quantifying vulnerability consists of a model with three components: individual, relative and absolute vulnerabilities. The individual vulnerability is calculated by allocating weights to profile attribute values disclosed which may contribute towards the personal vulnerability of the profile owner. The relative vulnerability is the collective vulnerability of the profiles’ friends. The absolute vulnerability is the overall vulnerability for the profile which considers the individual and relative vulnerabilities. This paper extends research done on axioms based on the vulnerability model, by stating propositions to explore the effects of different operators on the profiles’ relative and absolute vulnerabilities. The case studies show that our approach offers a formal background for estimating how attributes and operator changes influence the individual, relative and absolute vulnerability of OSN profiles.
Secretary Office of Educational Technology, 2012
"... the U.S. Department of Education is intended or should be inferred. ..."

