HandWiki. Elie Bursztein. Encyclopedia. Available online: https://encyclopedia.pub/entry/30349 (accessed on 09 August 2024).
Elie Bursztein

Elie Bursztein (born 1 June 1980) leads the anti-abuse research team at Google.[r 1] He is best known for his research on anti-fraud and anti-abuse,[r 2] his novel attacks against web services and video games, and his work on applied cryptography.[p 1][p 2] Prior to Google, Bursztein was a post-doctoral fellow in computer science at Stanford University, where he focused on CAPTCHA security[p 3][p 4] and usability.[p 5][p 6]

1. Education

Elie Bursztein obtained his computer engineering degree from EPITA[1] in 2004, his master's degree in computer science from Paris 7 / ENS in 2004 (under the supervision of Patrick Cousot) and his PhD in computer science from École Normale Supérieure de Cachan in 2008 (under the supervision of Jean Goubault-Larrecq). His PhD thesis, titled "Anticipation games. Théorie des jeux appliqués à la sécurité réseau" (Anticipation games: game theory applied to network security), showed how to combine model checking, temporal logic and game theory to find optimal responses to network attacks. At Stanford University he was a post-doctoral fellow with the Stanford Security Laboratory, a unit of the computer science department that focuses on network and computer security.

2. Research

2.1. Anti-Fraud and Abuse

In 2014 Bursztein published the first study of manual account hijacking.[2][3] With Kurt Thomas et al. he described how Google attempts to reduce phone-verified account fraud.[4] In 2015, again with Kurt Thomas et al., he received the IEEE S&P Distinguished Practical Paper award for a study of malicious ad injectors.[5][6] With Joseph Bonneau et al. he received the WWW'15 best student paper award[7] for the first large-scale study of the security and usability of secret questions, based on Google data.[8][9]

2.2. Applied Cryptography

In 2010 Bursztein and Jean-Michel Picod presented at Black Hat the first complete analysis of the Microsoft DPAPI (Data Protection Application Programming Interface), showing how DPAPI-protected Windows secrets can be recovered offline.[10] In 2011, with J. Lagarenne, M. Hamburg and D. Boneh, he used private set intersection protocols to defend against map hacks in real-time online games.[11] In 2014, with Adam Langley, he made TLS in Chrome for Android roughly three times faster by implementing a new cipher suite based on the ChaCha20 stream cipher and the Poly1305 authenticator.[12]
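The map-hack defence mentioned above is easiest to see on a toy exchange. The block below is an added example, not code from the OpenConflict paper or from Bursztein: it runs the classic Diffie-Hellman-style private set intersection between two simulated players, where one side's set is the map cells it can currently see and the other side's set is its unit positions, so the first player learns only the enemy units inside its field of view and nothing about the rest. The group (the multiplicative group modulo 2^127 - 1), the SHA-256 hash-to-group mapping, the "row,col" cell encoding and all function names are assumptions made for this illustration; the page does not say which PSI construction OpenConflict itself uses.

```python
import hashlib
import secrets
from typing import Iterable, List, Set

# Toy group for the illustration: the multiplicative group modulo the Mersenne
# prime 2^127 - 1. Assumption for this example only; it is not a prime-order
# group, and a real deployment would use a prime-order elliptic-curve group.
P = (1 << 127) - 1


def hash_to_group(element: str) -> int:
    """Map a map cell such as "3,4" to a non-zero element of Z_P^* via SHA-256."""
    digest = hashlib.sha256(element.encode("utf-8")).digest()
    return int.from_bytes(digest, "big") % (P - 1) + 1  # in [1, P-1]


def new_secret() -> int:
    """Fresh per-player blinding exponent in [2, P-2]."""
    return secrets.randbelow(P - 3) + 2


def blind(elements: Iterable[str], secret: int) -> List[int]:
    """First blinding: H(x)^secret mod P for each element of a player's set."""
    return [pow(hash_to_group(x), secret, P) for x in elements]


def reblind(values: Iterable[int], secret: int) -> List[int]:
    """Second blinding of values that the other player already blinded."""
    return [pow(v, secret, P) for v in values]


def psi_visible_units(view: List[str], enemy_positions: List[str]) -> Set[str]:
    """
    Run the DH-style PSI between player A (holding its visible cells `view`)
    and player B (holding `enemy_positions`). Returns the cells of `view` that
    contain an enemy unit; B's units outside A's view are never revealed to A.
    Honest-but-curious model: each side is trusted to submit its real set.
    """
    a, b = new_secret(), new_secret()

    # Round 1, A -> B: A's visible cells, blinded with a.
    msg_a_to_b = blind(view, a)

    # Round 2, B -> A: A's values re-blinded with b (same order, so A can map
    # them back to cells) plus B's own positions blinded with b, shuffled so
    # their order leaks nothing about B's unit list.
    double_blinded_view = reblind(msg_a_to_b, b)
    blinded_positions = blind(enemy_positions, b)
    secrets.SystemRandom().shuffle(blinded_positions)

    # A finishes: H(y)^(b*a) equals H(x)^(a*b) exactly when x == y.
    double_blinded_positions = set(reblind(blinded_positions, a))
    return {
        cell
        for cell, value in zip(view, double_blinded_view)
        if value in double_blinded_positions
    }


if __name__ == "__main__":
    # Constructed sample data: a 4-cell field of view and three enemy units.
    visible = ["3,4", "3,5", "4,4", "4,5"]
    enemies = ["4,5", "9,9", "3,4"]
    print(sorted(psi_visible_units(visible, enemies)))  # ['3,4', '4,5']
```

The protocol works because the two exponentiations commute, (H(x)^a)^b = (H(x)^b)^a mod P, so both players can compare doubly blinded values without either seeing the other's raw set. The toy trusts each side to submit its genuine view and unit positions; a production design also has to enforce that, and should use a prime-order group rather than Z_P^* to avoid small-subgroup leakage.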

2.3. CAPTCHA

Bursztein's research on CAPTCHAs aims to make the puzzles easier for humans to solve and harder for computers to crack. His main contributions are a more usable CAPTCHA design adopted by reCAPTCHA[13] and a generic algorithm for solving text-based CAPTCHAs.[14]

In 2009, Bursztein and Steven Bethard showed that eBay's audio CAPTCHAs could be broken, solving 75% of them with their Decaptcha tool.[15] In 2010, with S. Bethard, C. Fabry, D. Jurafsky and J. C. Mitchell, he ran a large-scale study of how well humans perform on real-world CAPTCHAs.[16] In 2011, with R. Beauxis, H. Paskov, D. Perito, C. Fabry and J. Mitchell, he demonstrated that noise-based non-continuous audio CAPTCHAs were ineffective.[17] Bursztein was part of a team of Stanford researchers that broke NuCaptcha's security, despite the company's claim to be the "next generation" of video-based CAPTCHA. He told CNET News in 2012 that "we are able to break NuCaptcha's video scheme with over 90 percent success."[18]

2.4. Game Security

In 2010 at Defcon he showed how to build a generic map-hack tool, Kartograph.[19] In 2012 at Defcon he demonstrated how to fuzz online games, including Diablo 3 and League of Legends.[20] In 2014 at Defcon he showed how to use machine learning to predict which cards an opponent will play in the card game Hearthstone.[21] At Blizzard's request the tool was never made public.[22]

2.5. Web Security

Some of his notable achievements in web and mobile security include:

  • 2013: Reported a bug that prompted Apple to fix a security flaw in its App Store, which relied on unencrypted connections and could have let attackers steal passwords.[23]
  • 2011: Released a tool that let the public query Microsoft's Wi-Fi location database for the locations of wireless devices.[24] The disclosure prompted the company to add privacy protections a few days later.[25]
  • 2011: Created OWADE (Offline Windows Analysis and Data Extraction), a forensics tool that decrypts data on a Windows PC's hard drive offline.[26]
  • 2010: Demonstrated an HTTPS caching attack against Internet Explorer 8 and Firefox 3.6.[27] The technique was ranked fourth in the top ten web hacking techniques of 2010.
  • 2010: Analyzed browsers' private browsing modes with Gaurav Aggarwal, Collin Jackson and Dan Boneh.[28][29]
  • 2010: Invented the tapjacking attack with Gustav Rydstedt, Baptiste Gourdin and Dan Boneh; it exploits weaknesses of mobile phone browsers to make clickjacking more effective.[30]
  • 2010: Studied clickjacking defenses with Gustav Rydstedt, Dan Boneh and Collin Jackson.[31][32]
  • 2009: Invented cross-channel scripting (XCS) attacks with Hristo Bojinov and Dan Boneh.[33][34]
  • 2009: Discovered more than 40 vulnerabilities in embedded web interfaces with Hristo Bojinov, Eric Lovelett and Dan Boneh.

3. Awards

Notable awards:

  • 2015: WWW best student paper award[7] for the paper Secrets, lies, and account recovery: Lessons from the use of personal knowledge questions at Google.[8]
  • 2015: S&P Distinguished Practical Paper award[35] for the paper Ad Injection at Scale: Assessing Deceptive Advertisement Modifications.[5]
  • 2011: S&P best student paper award[36] for the paper OpenConflict: Preventing Real Time Map Hacks in Online Games.[11]
  • 2010: 4th of the top ten web hacking techniques[37] for his HTTPS caching attack technique.[27]
  • 2008: WISTP best paper award for the paper Probabilistic Protocol Identification for Hard to Classify Protocol.[38]

4. Research Publications

  1. E. Bursztein; M. Hamburg; J. Lagarenne; D. Boneh (2011). "OpenConflict: Preventing Real Time Map Hacks in Online Games". IEEE. https://www.elie.net/publication/openconflict-preventing-real-time-map-hacks-in-online-games.
  2. J. M. Picod; E. Bursztein (2010). "Reversing DPAPI and Stealing Windows Secrets Offline". Blackhat. https://www.elie.net/publication/reversing-dpapi-and-stealing-windows-secrets-offline.
  3. E. Bursztein; J. Aigrain; A. Mosciki; J. C. Mitchell (2014). "The end is nigh: generic solving of text-based CAPTCHAs". Usenix. https://www.elie.net/publication/the-end-is-nigh-generic-solving-of-text-based-captchas.
  4. E. Bursztein; R. Beauxis; H. Paskov; D. Perito; C. Fabry; J. C. Mitchell (2011). "The failure of noise-based non-continuous audio captchas". IEEE. pp. 19–31. doi:10.1109/SP.2011.14. https://www.elie.net/publication/the-failure-of-noise-based-non-continuous-audio-captchas.
  5. E. Bursztein; A. Moscicki; C. Fabry; S. Bethard; J. C. Mitchell; D. Jurafsky (2014). "Easy does it: More usable captchas". ACM. pp. 2637–2646. doi:10.1145/2556288.2557322. https://www.elie.net/publication/easy-does-it-more-usable-captchas.
  6. E. Bursztein; S. Bethard; C. Fabry; D. Jurafsky; J. C. Mitchell (2010). "How Good are Humans at Solving CAPTCHAs? A Large Scale Evaluation". IEEE. pp. 399–413. doi:10.1109/SP.2010.31. https://www.elie.net/publication/how-good-are-humans-at-solving-captchas-a-large-scale-evaluation.
  7. E. Bursztein; B. Benko; D. Margolis; T. Pietraszek; A. Archer; A. Aquino; A. Pitsillidis; S. Savage (2014). "Handcrafted Fraud and Extortion: Manual Account Hijacking in the Wild". ACM. pp. 347–358. doi:10.1145/2663716.2663749. https://www.elie.net/publication/handcrafted-fraud-and-extortion-manual-account-hijacking-in-the-wild.
  8. K. Thomas; D. Iatskiv; E. Bursztein; T. Pietraszek; C. Grier; D. McCoy (2014). "Dialing Back Abuse on Phone Verified Accounts". ACM. pp. 465–476. doi:10.1145/2660267.2660321. https://www.elie.net/publication/dialing-back-abuse-on-phone-verified-accounts.
  9. K. Thomas; E. Bursztein; C. Grier; G. Ho; N. Jagpal; A. Kapravelos; D. McCoy; A. Nappa et al. (2015). "Ad injection at scale: Assessing deceptive advertisement modifications". IEEE. https://www.elie.net/publication/ad-injection-at-scale-assessing-deceptive-advertisement-modifications.
  10. J. Bonneau; E. Bursztein; I. Caron; R. Jackson; M. Williamson (2015). "Secrets, lies, and account recovery: Lessons from the use of personal knowledge questions at Google". World Wide Web. https://www.elie.net/publication/secrets-lies-and-account-recovery-lessons-from-the-use-of-personal-knowledge-questions-at-google.
  11. E. Bursztein; S. Bethard (2009). "Decaptcha: Breaking 75% of eBay Audio CAPTCHAs". Usenix. https://www.elie.net/publication/decaptcha-breaking-75-percents-of-ebay-audio-captchas.
  12. E. Bursztein; J. Lagarenne (2010). "Kartograph". Defcon. https://www.elie.net/publication/kartograph.
  13. E. Bursztein; C. Bursztein (2014). "I am a legend: Hacking Hearthstone with machine learning". Defcon. https://www.elie.net/publication/i-am-a-legend.
  14. E. Bursztein; B. Gourdin; D. Boneh (2009). "Bad memories". Blackhat. https://www.elie.net/publication/bad-memories.
  15. G. Aggarwal; E. Bursztein; C. Jackson; D. Boneh (2010). "An Analysis of Private Browsing Modes in Modern Browsers". Usenix. https://www.elie.net/publication/an-analysis-of-private-browsing-modes-in-modern-browsers.
  16. G. Rydstedt; E. Bursztein; D. Boneh; C. Jackson (2010). "Busting Frame Busting: a Study of Clickjacking Vulnerabilities on Popular sites". IEEE. https://www.elie.net/publication/busting-frame-busting-a-study-of-clickjacking-vulnerabilities-on-popular-sites.
  17. H. Bojinov; E. Bursztein; D. Boneh (2009). "XCS: cross channel scripting and its impact on web applications". ACM. pp. 420–431. https://www.elie.net/publication/xcs-cross-channel-scripting-and-its-impact-on-web-applications.
  18. E. Bursztein (2008). "Probabilistic Protocol Identification for Hard to Classify Protocol". Springer. pp. 49–63. doi:10.1007/978-3-540-79966-5_4. https://www.elie.net/publication/probabilistic-protocol-identification-for-hard-to-classify-protocol.

References

  1. "Elie Burszstein, anti-Fraud and Abuse Research Lead @ Google". https://www.crunchbase.com/person/elie-bursztein#/entity. 
  2. E. Bursztein; B. Benko; D. Margolis; T. Pietraszek; A. Archer; A. Aquino; A. Pitsillidis; S. Savage (2014). "Handcrafted Fraud and Extortion: Manual Account Hijacking in the Wild". ACM. pp. 347–358. doi:10.1145/2663716.2663749. https://www.elie.net/publication/handcrafted-fraud-and-extortion-manual-account-hijacking-in-the-wild. 
  3. Andrea Peterson. "Inside the world of professional e-mail account hijackers". Washington Post. https://www.washingtonpost.com/blogs/the-switch/wp/2014/11/06/inside-the-world-of-professional-e-mail-account-hijackers/. 
  4. K. Thomas; D. Iatskiv; E. Bursztein; T. Pietraszek; C. Grier; D. McCoy (2014). "Dialing Back Abuse on Phone Verified Accounts". ACM. pp. 465–476. doi:10.1145/2660267.2660321. https://www.elie.net/publication/dialing-back-abuse-on-phone-verified-accounts. 
  5. K. Thomas; E. Bursztein; C. Grier; G. Ho; N. Jagpal; A. Kapravelos; D. McCoy; A. Nappa et al. (2015). "Ad injection at scale: Assessing deceptive advertisement modifications". IEEE. https://www.elie.net/publication/ad-injection-at-scale-assessing-deceptive-advertisement-modifications. 
  6. Russell Brandom. "Google survey finds more than five million users infected with adware". The Verge. https://www.theverge.com/2015/5/6/8557843/google-adware-survey-ad-injectors-security-malware. 
  7. "WWW – World Wide Web conference 2015 award list". WWW. http://www.www2015.it/award-papers/. 
  8. J Bonneau; E Bursztein; I Caron; R Jackson; M Williamson (2015). "Secrets, lies, and account recovery: Lessons from the use of personal knowledge questions at Google". World Wide Web. https://www.elie.net/publication/secrets-lies-and-account-recovery-lessons-from-the-use-of-personal-knowledge-questions-at-google. 
  9. Victor Luckerson. "Stop Using This Painfully Obvious Answer For Your Security Questions". Time. http://time.com/3892793/security-questions-answer/. 
  10. J. M. Picod; E. Bursztein (2010). "Reversing DPAPI and Stealing Windows Secrets Offline". Blackhat. https://www.elie.net/publication/reversing-dpapi-and-stealing-windows-secrets-offline. 
  11. E. Bursztein; M. Hamburg; J. Lagarenne; D. Boneh (2011). "OpenConflict: Preventing Real Time Map Hacks in Online Games". IEEE. https://www.elie.net/publication/openconflict-preventing-real-time-map-hacks-in-online-games. 
  12. Stephen Shankland. "New algorithms speed secure communications for Chrome on Android". Cnet. http://www.cnet.com/news/new-algorithms-speed-secure-communications-for-chrome-on-android/. 
  13. E. Bursztein; A. Moscicki; C. Fabry; S. Bethard; J. C. Mitchell; D. Jurafsky (2014). "Easy does it: More usable captchas". ACM. pp. 2637–2646. doi:10.1145/2556288.2557322. https://www.elie.net/publication/easy-does-it-more-usable-captchas. 
  14. E. Bursztein; J. Aigrain; A. Mosciki; J. C. Mitchell (2014). "The end is nigh: generic solving of text-based CAPTCHAs". Usenix. https://www.elie.net/publication/the-end-is-nigh-generic-solving-of-text-based-captchas. 
  15. E. Bursztein; S. Bethard (2009). "Decaptcha: Breaking 75% of eBay Audio CAPTCHAs". Usenix. https://www.elie.net/publication/decaptcha-breaking-75-percents-of-ebay-audio-captchas. 
  16. E. Bursztein; S. Bethard; C. Fabry; D. Jurafsky; J. C. Mitchell (2010). "How Good are Humans at Solving CAPTCHAs? A Large Scale Evaluation". IEEE. pp. 399–413. doi:10.1109/SP.2010.31. https://www.elie.net/publication/how-good-are-humans-at-solving-captchas-a-large-scale-evaluation. 
  17. E. Bursztein; R. Beauxis; H.Paskov; D. Perito; C. Fabry; J. C. Mitchell (2011). "The failure of noise-based non-continuous audio captchas". IEEE. pp. 19–31. doi:10.1109/SP.2011.14. https://www.elie.net/publication/the-failure-of-noise-based-non-continuous-audio-captchas. 
  18. McCullagh, Declan (12 February 2012). "Stanford University researchers break NuCaptcha video security". CNET. http://news.cnet.com/8301-31921_3-57376332-281/stanford-university-researchers-break-nucaptcha-video-security/. 
  19. E. Bursztein; J. Lagarenne (2010). "Kartograph". Defcon. https://www.elie.net/publication/kartograph. 
  20. "Defcon 20 Hacking Conference". Defcon. https://www.defcon.org/html/defcon-20/dc-20-speakers.html. 
  21. E. Bursztein; C. Bursztein (2014). "I am a legend: Hacking Hearthstone with machine learning". Defcon. https://www.elie.net/publication/i-am-a-legend.
  22. "I am a legend: Hacking Hearthstone with machine learning Defcon talk wrap-up". Elie Bursztein. https://www.elie.net/blog/hearthstone/i-am-a-legend-hacking-hearthstone-with-machine-learning-defcon-talk-wrap-up. 
  23. Honorof, Marshall (11 March 2013). "Apple Fixes App Store Security Risk". NBC News. http://www.nbcnews.com/id/51136852/ns/technology_and_science-tech_and_gadgets/t/apple-fixes-app-store-security-risk/. 
  24. McCullagh, Declan (29 July 2011). "Stanford researcher exposes Microsoft's Wi-Fi database". CNET. http://news.cnet.com/8301-31921_3-20085575-281/stanford-researcher-exposes-microsofts-wi-fi-database/. 
  25. McCullagh, Declan (1 August 2011). "Microsoft curbs Wi-Fi location database". CNET. http://news.cnet.com/8301-31921_3-20086489-281/microsoft-curbs-wi-fi-location-database/. 
  26. "Offline Windows Analysis and Data Extraction (OWADE) – Forensics tool to expose all your online activity". http://thehackernews.com/2011/09/offline-windows-analysis-and-data.html.
  27. E. Bursztein; B. Gourdin; D. Boneh (2009). "Bad memories". Blackhat. https://www.elie.net/publication/bad-memories. 
  28. G. Aggarwal; E. Bursztein; C. Jackson; D. Boneh (2010). "An Analysis of Private Browsing Modes in Modern Browsers". Usenix. https://www.elie.net/publication/an-analysis-of-private-browsing-modes-in-modern-browsers.
  29. Ward, Mark (6 August 2010). "Private browsing modes leak data". BBC News (London). https://www.bbc.co.uk/news/technology-10891355. 
  30. Lemos, Robert (11 August 2010). "Mobile Flaw Could Cloak Clicks". Technology Review (Boston). http://www.technologyreview.com/communications/26057/. 
  31. G. Rydstedt; E. Bursztein; D. Boneh; C. Jackson (2010). "Busting Frame Busting: a Study of Clickjacking Vulnerabilities on Popular sites". IEEE. https://www.elie.net/publication/busting-frame-busting-a-study-of-clickjacking-vulnerabilities-on-popular-sites. 
  32. "Twitter Security Contributors List". http://apiwiki.twitter.com/w/page/22554667/Security-Contributors. 
  33. H. Bojinov; E. Bursztein; D. Boneh (2009). "XCS: cross channel scripting and its impact on web applications". ACM. pp. 420–431. https://www.elie.net/publication/xcs-cross-channel-scripting-and-its-impact-on-web-applications. 
  34. "XCS attacks at BlackHat09". https://www.blackhat.com/html/bh-usa-09/bh-usa-09-speakers.html#Bojinov. 
  35. "S&P – Security And Privacy Symposium 2015 award list". IEEE. http://www.ieee-security.org/TC/SP2015/awards.html. 
  36. "S&P – Security And Privacy Symposium 2011 award list". IEEE. http://www.ieee-security.org/TC/SP2011/awards.html. 
  37. Grossman, Jeremiah. "Top Ten Web Hacking Techniques of 2010 (Official)". http://jeremiahgrossman.blogspot.com/2011/01/top-ten-web-hacking-techniques-of-2010.html. 
  38. E. Bursztein (2008). "Probabilistic Protocol Identification for Hard to Classify Protocol". Springer. pp. 49–63. doi:10.1007/978-3-540-79966-5_4. https://www.elie.net/publication/probabilistic-protocol-identification-for-hard-to-classify-protocol. 