-
DEIMinari: Effect of technical background on ADT acceptability
From 30 April to 30 May 2025
Laboratory 231
Title: Effect of technical background on ADT acceptability
Speaker: Nathan Schiele
Institution: Leiden University
Organizing professor: Rolando Trujillo
Time: 11:00
Abstract:
Attack-defense trees (ADTs) are a powerful tool for visualizing and assessing cybersecurity threats, widely endorsed for security analysis. Previous research suggested that ADTs and similar models are more suitable for experts with a deep technical (computer science) background. We conducted an empirical investigation with 102 participants, both highly technical and those with limited computer science experience, to determine how background knowledge impacts ADT acceptability. We found that participants with minimal technical expertise found ADTs intuitive and effective, showing that these visual models can be used by a wide range of stakeholders.
-
DEIMinari: The File That Contained the Keys Has Been Removed: An Empirical Analysis of Secret Leaks in Cloud Buckets and Responsible Disclosure Outcomes
Laboratory 231
Title: The File That Contained the Keys Has Been Removed: An Empirical Analysis of Secret Leaks in Cloud Buckets and Responsible Disclosure Outcomes
Speaker: Olga Gadyatskaya
Institution: Leiden University
Organizing professor: Rolando Trujillo
Time: 11:00
Abstract:
With the growing reliance on cloud services for storage and deployment, securing cloud environments has become critically important. Cloud storage solutions like AWS S3, Google Cloud Storage, and Azure Blob Storage are widely used to store vast amounts of data, including sensitive configuration files used in software development. These files often contain secrets such as API keys and credentials. Misconfigured cloud buckets can inadvertently expose these secrets, leading to unauthorized access to services and security breaches.
In our recent study, we explored the issue of secret leaks in files exposed through misconfigured cloud storage. Our analysis covered a variety of file formats frequently used in development and focused on different secrets that have diverse types of impact as well as the possibility for a non-intrusive validation. By systematically scanning a large collection of publicly accessible cloud buckets, we identified 215 instances where sensitive credentials were exposed. These secrets provide unauthorized access to services like databases, cloud infrastructure, and third-party APIs, posing significant security risks.
Upon discovering these leaks, we responsibly reported them to the respective organizations and cloud service providers and measured the outcomes of the disclosure process. In my talk, I will also discuss our responsible disclosure efforts executed in partnership with CSIRT.global. Our responsible disclosure led to the remediation of 95 issues. Twenty organizations directly communicated their actions back to us, promptly addressing the issues, while the remaining fixes were implemented without direct feedback to the disclosers. Our analysis shows that many organizations are also not implementing the remediation procedures correctly (e.g., they revoke public access to the bucket, but do not revoke the leaked token).
Our study, which will appear at IEEE Security & Privacy Symposium 2025, highlights the global prevalence of secret leaks in cloud storage and emphasizes the varied responses from organizations in mitigating these critical security risks.