Hello, I am Marco Lancini

Information Security Engineer


I’m an M.Sc. graduate in Engineering of Computing Systems, now working as a Security Consultant at MWR Infosecurity.

I currently hold the OSCP and CREST CRT certifications. I am a contributor to the OWASP Project, and have also both published and presented at several security conferences, including ACSAC, CCS, DeepSEC, BSides, and NATO’s CyCon.

Certifications

  • OSCP
  • CREST CRT

Personal Info

  • Name: Marco Lancini
  • Location: England, UK
  • e-mail: info (àŧ) marcolancini.it

Publications

Conference Papers

  • Faces in the Distorting Mirror: Revisiting Photo-based Social Authentication
    November 2014   -   PDF | BibTeX | ACM

    Conference: Proceedings of the 21st ACM Conference on Computer and Communications Security (CCS '14), Scottsdale, AZ. (acceptance: 19.4%)
    Authors: Iasonas Polakis, Panagiotis Ilia, Federico Maggi, Marco Lancini, Georgios Kontaxis, Stefano Zanero, Sotiris Ioannidis, Angelos D. Keromytis

  • Social Authentication: Vulnerabilities, Mitigations, and Redesign
    November 2014   -   PDF | BibTeX

    Conference: Proceedings of the DeepSec Conferences - Magdeburger Journal zur Sicherheitsforschung, Vienna, Austria.
    Authors: Marco Lancini

  • All Your Face Are Belong to Us: Breaking Facebook’s Social Authentication
    December 2012   -   PDF | BibTeX | ACM

    Conference: Proceedings of the 28th Annual Computer Security Applications Conference (ACSAC), Orlando, FL. (acceptance: 19%)
    Authors: Iasonas Polakis, Marco Lancini, Georgios Kontaxis, Federico Maggi, Sotiris Ioannidis, Angelos D. Keromytis and Stefano Zanero
    Subsequent Talks: Hek.SI 2013 (Ljubljana, Slovenia), HackCon 2013 (Oslo, Norway). Also covered by ComputerWorld

Talks

  • Enhancing Mobile Malware: an Android RAT Case Study
    November 2014   -   slides

    Conference: BSides Vienna, Vienna, Austria.

  • Social Authentication: Vulnerabilities, Mitigations, and Redesign
    November 2014   -   slides | video

    Conference: DEEPSEC, Vienna, Austria.

  • Social Authentication: Vulnerabilities, Mitigations, and Redesign (short version)
    June 2014   -   slides | video

    Conference: International Conference on Cyber Conflict (CyCon), by NATO CCDCOE (Cooperative Cyber Defence Centre of Excellence), Tallinn, Estonia.
    Session: Student Paper Session with Best Student Thesis Award

Projects

Side Projects

  • 500 Lines or Less
    ongoing   -   Official Page

  • IEEE Technical Reviewer
    ongoing

    Technical Reviewer in the peer review process of some IEEE journals (e.g., "Transactions on Emerging Topics in Computing (TETCSI)").

  • AndroRAT++
    September - November 2013   -   BSides Talk

    AndroRAT++ is a proof-of-concept mobile malware, embedded in a legitimate application, that enhances the features of a well-known RAT application (AndroRAT). The RAT, once installed, allows the attacker to control the phone remotely, obtaining access to certain sensitive information and using the device for malicious purposes. The attacker can also attempt to escalate his privileges in order to gain complete access to the device's resources. An exploit kit has been embedded in the source code of AndroRAT++: the attacker can then silently obtain root privileges and, therefore, complete access to the device.

  • OWASP Top 10 2013
    June - December 2013   -   OWASP Top 10 Official Page

    As my first contribution to the OWASP Project, I was assigned to the team responsible for the Italian translation of the Top 10 2013.

  • Social Authentication: Vulnerabilities, Mitigations, and Redesign [MSc Thesis]
    August 2011 - April 2013   -   Full Thesis | Slides

    We pointed out the security weaknesses of using Social Authentication (SA) as part of a two-factor authentication scheme, focusing on Facebook's deployment. We designed an automated attack able to break SA, to demonstrate the feasibility of carrying out large-scale attacks against social authentication with minimal effort on the part of an attacker. We then revisited the SA concept and proposed reSA, a two-factor authentication scheme that can be easily solved by humans but is robust against face-recognition software.

    Awards
    1. NATO CCDCOE Best Student Thesis Award, as the best thesis published on cyber defence topics. Awarded during the International Conference on Cyber Conflict (CyCon 2014), Tallinn.
    2. 'Innovation in Information Security' Thesis Award (Premio Tesi Clusit: 'Innovare la sicurezza delle informazioni'), as the 2nd best thesis published in Italy in 2013. Awarded during the Security Summit 2014, Milan.
    Papers
    1. All Your Face Are Belong to Us: Breaking Facebook's Social Authentication
    2. Faces in the Distorting Mirror: Revisiting Photo-based Social Authentication


Contact

© 2016 Marco Lancini