Search

Your search keyword '"Li, Wanpeng"' showing total 373 results
Start Over Author "Li, Wanpeng"
373 results on '"Li, Wanpeng"'

1. Simple But Not Secure: An Empirical Security Analysis of Two-factor Authentication Systems

Author

Wang, Zhi, Yang, Xin, Chen, Du, Gao, Han, Tian, Meiqi, Jia, Yan, and Li, Wanpeng

Subjects
Computer Science - Cryptography and Security
Abstract

To protect users from data breaches and phishing attacks, service providers typically implement two-factor authentication (2FA) to add an extra layer of security against suspicious login attempts. However, since 2FA can sometimes hinder user experience by introducing additional steps, many websites aim to reduce inconvenience by minimizing the frequency of 2FA prompts. One approach to achieve this is by storing the user's ``Remember the Device'' preference in a cookie. As a result, users are only prompted for 2FA when this cookie expires or if they log in from a new device. To understand and improve the security of 2FA systems in real-world settings, we propose SE2FA, a vulnerability evaluation framework designed to detect vulnerabilities in 2FA systems. This framework enables us to analyze the security of 407 2FA systems across popular websites from the Tranco Top 10,000 list. Our analysis and evaluation found three zero-day vulnerabilities on three service providers that could allow an attacker to access a victim's account without possessing the victim's second authentication factor, thereby bypassing 2FA protections entirely. A further investigation found that these vulnerabilities stem from design choices aimed at simplifying 2FA for users but that unintentionally reduce its security effectiveness. We have disclosed these findings to the affected websites and assisted them in mitigating the risks. Based on the insights from this research, we provide practical recommendations for countermeasures to strengthen 2FA security and address these newly identified threats.

Published
2024

2. Single-cell transcriptomic landscape deciphers olfactory neuroblastoma subtypes and intra-tumoral heterogeneity

Author

Yang, Jingyi, Song, Xiaole, Zhang, Huankang, Liu, Quan, Wei, Ruoyan, Guo, Luo, Yuan, Cuncun, Chen, Fu, Xue, Kai, Lai, Yuting, Wang, Li, Shi, Junfeng, Zhou, Chengle, Wang, Juan, Yu, Yingxuan, Mei, Qibing, Hu, Li, Wang, Huan, Zhang, Chen, Zhang, Qianqian, Li, Houyong, Gu, Ye, Zhao, Weidong, Yu, Huapeng, Wang, Jingjing, Liu, Zhuofu, Li, Han, Zheng, Shixing, Liu, Juan, Yang, Lu, Li, Wanpeng, Xu, Rui, Chen, Jiani, Zhou, Yumin, Cheng, Xiankui, Yu, Yiqun, Wang, Dehui, Sun, Xicai, and Yu, Hongmeng

Published
2024
Full Text
View/download PDF

15. Van der Waals nanomesh electronics on arbitrary surfaces

Author

Meng, You, Li, Xiaocui, Kang, Xiaolin, Li, Wanpeng, Wang, Wei, Lai, Zhengxun, Wang, Weijun, Quan, Quan, Bu, Xiuming, Yip, SenPo, Xie, Pengshan, Chen, Dong, Li, Dengji, Wang, Fei, Yeung, Chi-Fung, Lan, Changyong, Liu, Chuntai, Shen, Lifan, Lu, Yang, Chen, Furong, Wong, Chun-Yuen, and Ho, Johnny C.

Published
2023
Full Text
View/download PDF

21. Application of a new information priority accumulated grey model with time power to predict short-term wind turbine capacity

Author

Xia, Jie, Ma, Xin, Wu, Wenqing, Huang, Baolian, and Li, Wanpeng

Subjects
Statistics - Applications
Abstract

Wind energy makes a significant contribution to global power generation. Predicting wind turbine capacity is becoming increasingly crucial for cleaner production. For this purpose, a new information priority accumulated grey model with time power is proposed to predict short-term wind turbine capacity. Firstly, the computational formulas for the time response sequence and the prediction values are deduced by grey modeling technique and the definite integral trapezoidal approximation formula. Secondly, an intelligent algorithm based on particle swarm optimization is applied to determine the optimal nonlinear parameters of the novel model. Thirdly, three real numerical examples are given to examine the accuracy of the new model by comparing with six existing prediction models. Finally, based on the wind turbine capacity from 2007 to 2017, the proposed model is established to predict the total wind turbine capacity in Europe, North America, Asia, and the world. The numerical results reveal that the novel model is superior to other forecasting models. It has a great advantage for small samples with new characteristic behaviors. Besides, reasonable suggestions are put forward from the standpoint of the practitioners and governments, which has high potential to advance the sustainable improvement of clean energy production in the future.

Published
2019
Full Text
View/download PDF

22. Beyond Cookie Monster Amnesia: Real World Persistent Online Tracking

Author

Al-Fannah, Nasser Mohammed, Li, Wanpeng, and Mitchell, Chris J

Subjects
Computer Science - Cryptography and Security
Abstract

Browser fingerprinting is a relatively new method of uniquely identifying browsers that can be used to track web users. In some ways it is more privacy-threatening than tracking via cookies, as users have no direct control over it. A number of authors have considered the wide variety of techniques that can be used to fingerprint browsers; however, relatively little information is available on how widespread browser fingerprinting is, and what information is collected to create these fingerprints in the real world. To help address this gap, we crawled the 10,000 most popular websites; this gave insights into the number of websites that are using the technique, which websites are collecting fingerprinting information, and exactly what information is being retrieved. We found that approximately 69\% of websites are, potentially, involved in first-party or third-party browser fingerprinting. We further found that third-party browser fingerprinting, which is potentially more privacy-damaging, appears to be predominant in practice. We also describe \textit{FingerprintAlert}, a freely available browser extension we developed that detects and, optionally, blocks fingerprinting attempts by visited websites.

Published
2019
Full Text
View/download PDF

24. OAuthGuard: Protecting User Security and Privacy with OAuth 2.0 and OpenID Connect

Author

Li, Wanpeng, Mitchell, Chris J, and Chen, Thomas

Subjects
Computer Science - Cryptography and Security
Abstract

Millions of users routinely use Google to log in to websites supporting OAuth 2.0 or OpenID Connect; the security of OAuth 2.0 and OpenID Connect is therefore of critical importance. As revealed in previous studies, in practice RPs often implement OAuth 2.0 incorrectly, and so many real-world OAuth 2.0 and OpenID Connect systems are vulnerable to attack. However, users of such flawed systems are typically unaware of these issues, and so are at risk of attacks which could result in unauthorised access to the victim user's account at an RP. In order to address this threat, we have developed OAuthGuard, an OAuth 2.0 and OpenID Connect vulnerability scanner and protector, that works with RPs using Google OAuth 2.0 and OpenID Connect services. It protects user security and privacy even when RPs do not implement OAuth 2.0 or OpenID Connect correctly. We used OAuthGuard to survey the 1000 top-ranked websites supporting Google sign-in for the possible presence of five OAuth 2.0 or OpenID Connect security and privacy vulnerabilities, of which one has not previously been described in the literature. Of the 137 sites in our study that employ Google Sign-in, 69 were found to suffer from at least one serious vulnerability. OAuthGuard was able to protect user security and privacy for 56 of these 69 RPs, and for the other 13 was able to warn users that they were using an insecure implementation., Comment: 20 pages, 6 figures. arXiv admin note: substantial text overlap with arXiv:1801.07983

Published
2019

28. Establishment of Endoscopic Surgical Innovative System of Recurrent Nasopharyngeal Carcinoma

Author

ZHANG Huankang, DU Kun, LIU Quan, XUE Kai, GU Ye, ZHAO Weidong, LI Wanpeng, SONG Xiaole, ZHAO Keqing, LI Han, HU Li, LIU Qiang, YU Huapeng, GU Yurong, SUN Xicai, and YU Hongmeng

Subjects
recurrent nasopharyngeal carcinoma, endoscopic surgery, internal carotid artery, temporalis muscle flap, skull base repair, Neoplasms. Tumors. Oncology. Including cancer and carcinogens, RC254-282
Abstract

Nasopharyngeal carcinoma (NPC) is a common malignant tumor in China. Radiotherapy is the first-line treatment. After appropriate radiotherapy, about 5%-15% patients experience recurrence. In view of the poor efficacy and high incidence of severe late toxicities associated with re-irradiation, salvage surgery by the transnasal endoscopic approach is recommended for recurrent NPC (rNPC). Compared with re-irradiation, endoscopic surgery can better prolong survival, improve the quality of life, and reduce complications and medical expenses of patients with rNPC. However, the complexity of the nasopharyngeal skull base enhances the difficulty and risk of surgery. Expanding the boundary of surgical resection remains a clinical challenge for otolaryngologists. In this regard, to help more advanced patients with rNPC, the surgical innovative system of NPC needs to be established by multi-disciplinary cooperation, involving skull base anatomy-based investigation, appropriate administration of the internal carotid artery (ICA), repair of skull base defect, and establishment of various types of endoscopic endonasal nasopharyngectomy.

Published
2022
Full Text
View/download PDF

30. Mitigating CSRF attacks on OAuth 2.0 and OpenID Connect

Author

Li, Wanpeng, Mitchell, Chris J, and Chen, Thomas

Subjects
Computer Science - Cryptography and Security
Abstract

Many millions of users routinely use their Google, Facebook and Microsoft accounts to log in to websites supporting OAuth 2.0 and/or OpenID Connect-based single sign on. The security of OAuth 2.0 and OpenID Connect is therefore of critical importance, and it has been widely examined both in theory and in practice. Unfortunately, as these studies have shown, real-world implementations of both schemes are often vulnerable to attack, and in particular to cross-site request forgery (CSRF) attacks. In this paper we propose a new technique which can be used to mitigate CSRF attacks against both OAuth 2.0 and OpenID Connect., Comment: 18 pages, 3 figures

Published
2018

33. Not All Browsers Are Created Equal: Comparing Web Browser Fingerprintability

Author

Al-Fannah, Nasser Mohammed and Li, Wanpeng

Subjects
Computer Science - Cryptography and Security
Abstract

Browsers and their users can be tracked even in the absence of a persistent IP address or cookie. Unique and hence identifying pieces of information, making up what is known as a fingerprint, can be collected from browsers by a visited website, e.g. using JavaScript. However, browsers vary in precisely what information they make available, and hence their fingerprintability may also vary. In this paper, we report on the results of experiments examining the fingerprintable attributes made available by a range of modern browsers. We tested the most widely used browsers for both desktop and mobile platforms. The results reveal significant differences between browsers in terms of their fingerprinting potential, meaning that the choice of browser has significant privacy implications.

Published
2017

37. Improving the security of real world identity management systems

Author

Li, Wanpeng

Subjects
005.8, identity management, OAuth 2.0, OpenID Connect, Authentication, Identity Management Systems, Authorization
Abstract

Although identity management systems (notably OAuth 2.0 and OpenID Connect) have been widely adopted by a range of Relying Parties and Identity Providers, it is not yet clear whether practical implementations of these systems are actually secure. In this thesis we investigate this question. In doing so we describe two large-scale empirical studies of the security of real-world identity management systems; the purposes of these studies include identifying areas for improvement in the design and implementation of the systems, as well as addressing issues acting as barriers to adoption. As part of the underlying goal of improving operational security, a new scheme is also proposed to enhance user security for OpenID Connect. In the first of the two studies we examined 60 Relying Parties (RPs) and ten Identity Providers (IdPs) supporting OAuth 2.0 based identity management services in China. In the second study we considered 103 RPs supporting OpenID Connect-based identity management using Google as the IdP. In both cases we recorded and carefully analysed the browser-relayed messages sent between the RP and IdP, identifying a number of major security vulnerabilities, some with very serious potential consequences for end user security. We further designed and implemented proof-of-concept attacks to demonstrate the seriousness of the vulnerabilities we identified. We also reported the vulnerabilities to the most seriously affected parties, helped them to fix the problem, as well as providing detailed recommendations for both IdPs and RPs, designed to reduce the risk of such vulnerabilities occurring in the future. To improve user security when using OpenID Connect, a novel client-based scheme is proposed, designed to mitigate phishing attacks and to provide a consistent user interface. A prototype of the scheme is described, which allows for greater user control during the authentication process.

Published
2017

42. Analysing the Security of Google's implementation of OpenID Connect

Author

Li, Wanpeng and Mitchell, Chris J

Subjects
Computer Science - Cryptography and Security
Abstract

Many millions of users routinely use their Google accounts to log in to relying party (RP) websites supporting the Google OpenID Connect service. OpenID Connect, a newly standardised single-sign-on protocol, builds an identity layer on top of the OAuth 2.0 protocol, which has itself been widely adopted to support identity management services. It adds identity management functionality to the OAuth 2.0 system and allows an RP to obtain assurances regarding the authenticity of an end user. A number of authors have analysed the security of the OAuth 2.0 protocol, but whether OpenID Connect is secure in practice remains an open question. We report on a large-scale practical study of Google's implementation of OpenID Connect, involving forensic examination of 103 RP websites which support its use for sign-in. Our study reveals serious vulnerabilities of a number of types, all of which allow an attacker to log in to an RP website as a victim user. Further examination suggests that these vulnerabilities are caused by a combination of Google's design of its OpenID Connect service and RP developers making design decisions which sacrifice security for simplicity of implementation. We also give practical recommendations for both RPs and OPs to help improve the security of real world OpenID Connect systems.

Published
2015

Catalog

Books, media, physical & digital resources
See catalog results