Elie Bursztein

Elie Bursztein

Elie Bursztein
Born France
Residence US
Citizenship French
Nationality French
Fields Computer Security
Institutions Google
Stanford University
Alma mater École Normale Supérieure de Cachan, 2008
EPITA, 2004
Doctoral advisor Jean Goubault-Larrecq
Known for CAPTCHA security
Applied cryptography
Anti-Fraud and Abuse
Game security
Web security

Elie Bursztein leads the anti-abuse research team at Google.[r 1] He is best known for his research on anti-fraud and abuse,[r 2] his novel attacks against web service and video games and his work on applied cryptography.[p 1][p 2] Prior to Google Bursztein was a post-doctoral fellow in computer science at Stanford University where he focused on CAPTCHAs security[p 3][p 4] and usability.[p 5][p 6]

Education

Elie Bursztein obtained his computer engineering degree from EPITA [r 3] in 2004, his master's degree in computer science from Paris 7/ ENS, in 2004 (under the supervision of Patrick Cousot) and his PhD in computer science from École Normale Supérieure de Cachan in 2008 (under the supervision of Jean Goubault-Larrecq). His PhD thesis tilted "Anticipation games. Théorie des jeux appliqués à la sécurité réseau" (Anticipation game. Game theory applied to network security) showed how to combine model-checking, temporal logic and game theory to find the optimal responses to network attacks. At Stanford University, he was a post-doctoral fellow with the Stanford Security Laboratory, a unit of the computer science department that focuses on network and computer security.

Research

Anti-Fraud and Abuse

In 2014 Bursztein published the first study on Account manual hijackers.[p 7][r 2] With Kurt Thomas et al. he published how Google attempt to reduce phone verified account fraud.[p 8] In 2015 with Kurt Thomas et al. he received the S&P best practical award for his study of malicious ads injectors.[p 9][r 4] With Joseph Bonneau et al. he got the WWW'15 best student paper award[r 5] for publishing the first practical study on secret questions security and usability using Google data.[p 10][r 6]

Applied Cryptography

In 2009 Bursztein presented the first complete analysis of the Microsoft DPAPI (Data Protection Application Programming Interface) with Jean Michel Picod.[p 2] In 2011 with J. Lagarenne, M. Hamburg and D. Boneh he used private set intersection protocols to defend against game map hacking.[p 1] In 2014 with Adam Langley he made Chrome on mobile ~3x time faster by implementing a new TLS cipher suite that uses the algorithms ChaCha20 and Poly1305.[r 7]

CAPTCHA

Bursztein's research on CAPTCHAs aims to make the puzzles easier for humans to solve and harder for computers to crack. His main contributions are an easier captcha for Human used by Recaptcha[p 5] and a generic algorithm to break text based captcha.[p 3]

In 2009, Bursztein showed with Steven Bethard that eBay audio captchas were broken.[p 11] In 2010, he studied with S. Bethard, C. Fabry, D. Jurafsky and J. C. Mitchell how humans perform on real world CAPTCHAS by running a large scale study.[p 6] In 2011, he demonstrated with R. Beauxis, H. Paskov, D. Perito, C. Fabry and J. Mitchell that non-continuous audio CAPTCHA were ineffective.[p 4] Bursztein was part of a team of Stanford researchers that broke NuCaptcha's security, despite the company's claims of being the "next generation" of video-based CAPTCHA security. He told CNET News in 2012 that "we are able to break NuCaptcha's video scheme with over 90 percent success."[r 8]

Game security

In 2010 at Defcon he showed how to build a generic map hack software.[p 12] In 2012 at Defcon he demonstrated how to fuzz online games including diablo 3 and league of legend.[r 9] In 2014 at Defcon he showed how to use machine learning to predict what the opponent will play for the card based game Hearthstone.[p 13] At Blizzard request the tool was never made public.[r 10]

Web security

Some of his notable achievements in web and mobile security include:

Awards

Notable awards:

Research publications

  1. 1 2 3 E. Bursztein; M. Hamburg; J. Lagarenne; D. Boneh (2011). "OpenConflict: Preventing Real Time Map Hacks in Online Games". S&P'11 - Symposium on Security and Privacy. IEEE.
  2. 1 2 J. M. Picod; E. Bursztein (2010). "Reversing DPAPI and Stealing Windows Secrets Offline". Blackhat DC 2010. Blackhat.
  3. 1 2 E. Bursztein; J. Aigrain; A. Mosciki; J. C. Mitchell (2014). "The end is nigh: generic solving of text-based CAPTCHAs". WoOT'14 - Workshop On Offensive Technology. Usenix.
  4. 1 2 E. Bursztein, R. Beauxis, H.Paskov, D. Perito, C. Fabry, J. C. Mitchell (2011). https://www.elie.net/publication/the-failure-of-noise-based-non-continuous-audio-captchas |url= missing title (help). S&P'11 - Symposium on Security and Privacy. IEEE. pp. 19–31. doi:10.1109/SP.2011.14.
  5. 1 2 E. Bursztein; A. Moscicki; C. Fabry; S. Bethard; J. C. Mitchell; D. Jurafsky (2014). "Easy does it: More usable captchas". CHI'14 - SIGCHI Conference on Human Factors in Computing Systems. ACM. pp. 2637–2646. doi:10.1145/2556288.2557322.
  6. 1 2 E. Bursztein; S. Bethard; C. Fabry; D. Jurafsky; J. C. Mitchell (2010). "How Good are Humans at Solving CAPTCHAs? A Large Scale Evaluation". Symposium on Security and Privacy (S&P), 2010. IEEE. pp. 399–413. doi:10.1109/SP.2010.31.
  7. E. Bursztein; B. Benko; D. Margolis; T. Pietraszek; A. Archer; A. Aquino; A. Pitsillidis; S. Savage (2014). "Handcrafted Fraud and Extortion: Manual Account Hijacking in the Wild". IMC '14 - Conference on Internet Measurement Conference. ACM. pp. 347–358. doi:10.1145/2663716.2663749.
  8. K. Thomas, D. Iatskiv, E. Bursztein, T, Pietraszek, C. Grier, D. McCoy (2014). "Dialing Back Abuse on Phone Verified Accounts". CCS '14 - SIGSAC Conference on Computer and Communications Security. ACM. pp. 465–476. doi:10.1145/2660267.2660321.
  9. 1 2 K. Thomas; E. Bursztein; C. Grier; G. Ho; N. Jagpal; A. Kapravelos; D. McCoy; A. Nappa; V. Paxson; P. Pearce; N. Provos; M. A. Rajab (2015). "Ad injection at scale: Assessing deceptive advertisement modifications". S&P'15 - Symposium on Security and Privacy. IEEE.
  10. 1 2 J Bonneau; E Bursztein; I Caron; R Jackson; M Williamson (2015). "Secrets, lies, and account recovery: Lessons from the use of personal knowledge questions at Google". WWW'15 - International Conference on World Wide Web. World Wide Web.
  11. E. Bursztein; S. Bethard (2009). "Decaptcha: Breaking 75% of eBay Audio CAPTCHAs". WoOT'09 - USENIX Workshop on Offensive Technologies. Usenix.
  12. E. Bursztein; J. Lagarenne (2010). "Kartograph". Defcon 18. Defcon.
  13. E. Bursztein; C. Bursztein (2014). "Kartograph". Defcon 23. Defcon.
  14. 1 2 E. Bursztein; B. Gourdin; D. Boneh (2009). "Bad memories". Blackhat USA 2010. Blackhat.
  15. G. Aggarwal; E. Bursztein E.; C. Jackson; D. Boneh (2010). "An Analysis of Private Browsing Modes in Modern Browsers". 19th Usenix Security Symposium. Usenix.
  16. G. Rydstedt; E. Bursztein; D. Boneh; C. Jackson (2010). "Busting Frame Busting: a Study of Clickjacking Vulnerabilities on Popular sites". 3rd Web 2.0 Security and Privacy workshop. IEEE.
  17. H. Bojinov; E. Bursztein; D. Boneh (2009). "XCS: cross channel scripting and its impact on web applications". CCS'09 - SIGSAC conference on Computer and communications security. ACM. pp. 420–431.
  18. E. Bursztein (2008). "Probabilistic Protocol Identification for Hard to Classify Protocol". Information Security Theory and Practices. Smart Devices, Convergence and Next Generation Networks. Springer. pp. 49–63. doi:10.1007/978-3-540-79966-5_4.

Other references

  1. "Elie Bursztein's Google Research page". Research at Google. Google. Retrieved 15 June 2015.
  2. 1 2 Andrea Peterson. "Inside the world of professional e-mail account hijackers". Washington Post. Retrieved 15 June 2015.
  3. "Elie Burszstein, anti-Fraud and Abuse Research Lead @ Google".
  4. Russell Brandom. "Google survey finds more than five million users infected with adware". The Verge. Retrieved 15 June 2015.
  5. 1 2 "WWW - World Wide Web conference 2015 award list". WWW. Retrieved 15 June 2015.
  6. Victor Luckerson. "Stop Using This Painfully Obvious Answer For Your Security Questions". Time. Retrieved 15 June 2015.
  7. Stephen Shankland. "New algorithms speed secure communications for Chrome on Android". Cnet. Retrieved 15 June 2015.
  8. McCullagh, Declan (12 February 2012). "Stanford University researchers break NuCaptcha video security". CNET.
  9. "Defcon 20 Hacking Conference". Defcon.
  10. "I am a legend: Hacking Hearthstone with machine learning Defcon talk wrap-up". Elie Bursztein. Retrieved 15 June 2015.
  11. Honorof, Marshall (11 March 2013). "Apple Fixes App Store Security Risk". NBC News.
  12. McCullagh, Declan (29 July 2011). "Stanford researcher exposes Microsoft's Wi-Fi database". CNET.
  13. McCullagh, Declan (1 August 2011). "Microsoft curbs Wi-Fi location database". CNET.
  14. "Offline Windows Analysis and Data Extraction (OWADE) - Forensics too to expose all your online activity".
  15. Ward, Mark (6 August 2010). "Private browsing modes leak data". BBC News. London.
  16. Lemos, Robert (11 August 2010). "Mobile Flaw Could Cloak Clicks". Technology Review. Boston.
  17. "Twitter Security Contributors List".
  18. "XCS attacks at BlackHat09".
  19. "S&P - Security And Privacy Symposium 2015 award list". IEEE. Retrieved 15 June 2015.
  20. "S&P - Security And Privacy Symposium 2011 award list". IEEE. Retrieved 15 June 2015.
  21. Grossman, Jeremiah. "Top Ten Web Hacking Techniques of 2010 (Official)".

External links

This article is issued from Wikipedia - version of the 10/3/2016. The text is available under the Creative Commons Attribution/Share Alike but additional terms may apply for the media files.