Hello, I am Marco Lancini
Information Security Engineer
I’m an M.Sc. graduate in Engineering of Computing Systems, now working as a Security Consultant at MWR InfoSecurity.
I currently hold the OSCP and CREST CRT certifications. I am a contributor to the OWASP Project, and have both published and presented at several security conferences, including ACSAC, CCS, DeepSec, BSides, and NATO’s CyCon.
e-mail: info (àŧ) marcolancini.it
Faces in the Distorting Mirror: Revisiting Photo-based Social Authentication. November 2014 - PDF | BibTeX | ACM
Conference: Proceedings of the 21st ACM Conference on Computer and Communications Security (CCS '14), Scottsdale, AZ. (acceptance: 19.4%)
Authors: Iasonas Polakis, Panagiotis Ilia, Federico Maggi, Marco Lancini, Georgios Kontaxis, Stefano Zanero, Sotiris Ioannidis, Angelos D. Keromytis
Social Authentication: Vulnerabilities, Mitigations, and Redesign. November 2014 - PDF | BibTeX
Conference: Proceedings of the DeepSec Conferences - Magdeburger Journal zur Sicherheitsforschung, Vienna, Austria.
Authors: Marco Lancini
All Your Face Are Belong to Us: Breaking Facebook’s Social Authentication. December 2012 - PDF | BibTeX | ACM
Conference: Proceedings of the 28th Annual Computer Security Applications Conference (ACSAC), Orlando, FL. (acceptance: 19%)
Authors: Iasonas Polakis, Marco Lancini, Georgios Kontaxis, Federico Maggi, Sotiris Ioannidis, Angelos D. Keromytis and Stefano Zanero
Subsequent Talks: Hek.SI 2013 (Ljubljana, Slovenia), HackCon 2013 (Oslo, Norway). Also covered by ComputerWorld.
Enhancing Mobile Malware: an Android RAT Case Study. November 2014 - slides
Conference: BSides Vienna, Vienna, Austria.
Social Authentication: Vulnerabilities, Mitigations, and Redesign. November 2014 - slides | video
Conference: DeepSec, Vienna, Austria.
Social Authentication: Vulnerabilities, Mitigations, and Redesign (short version). June 2014 - slides | video
Conference: International Conference on Cyber Conflict (CyCon), organised by the NATO CCDCOE (Cooperative Cyber Defence Centre of Excellence), Tallinn, Estonia.
Session: Student Paper Session with Best Student Thesis Award
500 Lines or Less. Ongoing - Official Page
IEEE Technical Reviewer. Ongoing
Technical Reviewer in the peer review process of some IEEE journals (e.g., "Transactions on Emerging Topics in Computing (TETCSI)").
AndroRAT++. September - November 2013 - BSides Talk
AndroRAT++ is a proof-of-concept mobile malware, embedded in a legitimate application, that enhances the features of a well-known RAT application (AndroRAT). The RAT, once installed, allows the attacker to control the phone remotely, obtaining access to certain sensitive information and using the device for malicious purposes. The attacker can also attempt to escalate his privileges in order to gain complete access to the device's resources. An exploit kit has been embedded in the source code of AndroRAT++: the attacker can then silently obtain root privileges and, therefore, complete access to the device.
OWASP Top 10 2013. June - December 2013 - OWASP Top 10 Official Page
As my first contribution to the OWASP Project, I was assigned to the team responsible for the Italian translation of the Top 10 2013.
Social Authentication: Vulnerabilities, Mitigations, and Redesign [MSc Thesis]. August 2011 - April 2013 - Full Thesis | Slides
We pointed out the security weaknesses of using Social Authentication (SA) as part of a two-factor authentication scheme, focusing on Facebook's deployment. We designed an automated attack able to break SA, to demonstrate the feasibility of carrying out large-scale attacks against social authentication with minimal effort on the part of an attacker. We then revisited the SA concept and proposed reSA, a two-factor authentication scheme that can be easily solved by humans but is robust against face-recognition software.
Awards:
- NATO CCDCOE Best Student Thesis Award, as the best thesis published on cyber defence topics. Awarded during the International Conference on Cyber Conflict (CyCon 2014), Tallinn.
- 'Innovation in Information Security' Thesis Award (Premio Tesi Clusit: 'Innovare la sicurezza delle informazioni'), as the 2nd best thesis published in Italy in 2013. Awarded during the Security Summit 2014, Milan.
Related publications:
- All Your Face Are Belong to Us: Breaking Facebook's Social Authentication
- Faces in the Distorting Mirror: Revisiting Photo-based Social Authentication