About

My name is Nick Nikiforakis and I am an Assistant Professor in the Department of Computer Science at Stony Brook University.

While I am interested in all sorts of practical, hands-on security, the research I have mainly been involved in over the last few years concerns the analysis of large online ecosystems from a security and privacy perspective. In past work, with the help of great colleagues, I have analyzed file-hosting services, referrer-anonymizing services, remote JavaScript inclusions, online fingerprinting companies, airline pricing, cybersquatting, security seals, and web-hosting companies. I have also proposed countermeasures for known and less-known attacks, such as session hijacking, SSL stripping, weak cross-origin Flash policies, and tabnabbing.

Until recently, I was a postdoctoral researcher at KU Leuven in Belgium. I finished my PhD in August 2013 under the supervision of Prof. Wouter Joosen and Prof. Frank Piessens. The title of my dissertation is Towards a Secure Web: Critical Vulnerabilities and Client-Side Countermeasures.

Publications

2015

  1. Parking Sensors: Analyzing and Detecting Parked Domains,
     Thomas Vissers, Wouter Joosen, Nick Nikiforakis
     to appear in the 22nd Network and Distributed System Security Symposium (NDSS 2015)

  2. Seven Months' Worth of Mistakes: A Longitudinal Study of Typosquatting Abuse,
     Pieter Agten, Wouter Joosen, Frank Piessens, Nick Nikiforakis
     to appear in the 22nd Network and Distributed System Security Symposium (NDSS 2015)

2014

  3. Soundsquatting: Uncovering the use of homophones in domain squatting,
     Nick Nikiforakis, Marco Balduzzi, Lieven Desmet, Frank Piessens, Wouter Joosen
     in Proceedings of the 17th Information Security Conference (ISC 2014), Hong Kong
     (Best Paper Award)

  4. Clubbing Seals: Exploring the Ecosystem of Third-party Security Seals,
     Tom Van Goethem, Frank Piessens, Wouter Joosen, Nick Nikiforakis
     in Proceedings of the 21st ACM Conference on Computer and Communications Security (CCS 2014), Scottsdale, Arizona, USA

  5. Security Analysis of the Chinese Web: How well is it protected?
     Ping Chen, Nick Nikiforakis, Lieven Desmet, Christophe Huygens
     in the Workshop on Cyber Security Analytics and Automation (SafeConfig 2014), Scottsdale, Arizona, USA

  6. Crying Wolf? On the Price Discrimination of Online Airline Tickets,
     Thomas Vissers, Nick Nikiforakis, Nataliia Bielova, Wouter Joosen
     in the 7th Workshop on Hot Topics in Privacy Enhancing Technologies (HotPETs 2014), Amsterdam, Netherlands

  7. Large-scale Security Analysis of the Web: Challenges and Findings,
     Tom Van Goethem, Ping Chen, Nick Nikiforakis, Lieven Desmet, Wouter Joosen
     in Proceedings of the 7th International Conference on Trust & Trustworthy Computing (TRUST 2014), Heraklion, Crete, Greece

  8. Monkey-in-the-browser: Malware and vulnerabilities in augmented browsing script markets,
     Steven Van Acker, Nick Nikiforakis, Lieven Desmet, Frank Piessens, Wouter Joosen
     in Proceedings of the 9th ACM Symposium on Information, Computer and Communications Security (ASIACCS 2014), Kyoto, Japan

  9. Stranger Danger: Exploring the Ecosystem of Ad-based URL Shortening Services,
     Nick Nikiforakis, Federico Maggi, Gianluca Stringhini, M Zubair Rafique, Wouter Joosen, Christopher Kruegel, Frank Piessens, Giovanni Vigna, Stefano Zanero
     in Proceedings of the 23rd International World Wide Web Conference (WWW 2014), Seoul, Korea

2013

  10. A Dangerous Mix: Large-scale analysis of mixed-content websites,
      Ping Chen, Nick Nikiforakis, Lieven Desmet, Christophe Huygens
      in Proceedings of the 16th Information Security Conference (ISC 2013), Dallas, Texas, USA

  11. FPDetective: Dusting the web for fingerprinters,
      Güneş Acar, Marc Juárez Miró, Nick Nikiforakis, Claudia Diaz, Seda Gürses, Frank Piessens, Bart Preneel
      in Proceedings of the 20th ACM Conference on Computer and Communications Security (CCS 2013), Berlin, Germany

  12. HeapSentry: Kernel-assisted Protection against Heap Overflows,
      Nick Nikiforakis, Frank Piessens, Wouter Joosen
      in Proceedings of the 10th Conference on Detection of Intrusions and Malware & Vulnerability Assessment (DIMVA 2013), Berlin, Germany

  13. Bitsquatting: Exploiting bit-flips for fun, or profit?,
      Nick Nikiforakis, Steven Van Acker, Wannes Meert, Lieven Desmet, Frank Piessens, Wouter Joosen
      in Proceedings of the 22nd International World Wide Web Conference (WWW 2013), Rio de Janeiro, Brazil

  14. Cookieless Monster: Exploring the Ecosystem of Web-based Device Fingerprinting,
      Nick Nikiforakis, Alexandros Kapravelos, Wouter Joosen, Christopher Kruegel, Frank Piessens, Giovanni Vigna
      in Proceedings of the 34th IEEE Symposium on Security and Privacy (IEEE S&P 2013), San Francisco, CA, USA

  15. TabShots: Client-side detection of tabnabbing attacks,
      Philippe De Ryck, Nick Nikiforakis, Lieven Desmet, Wouter Joosen
      in Proceedings of the 8th ACM Symposium on Information, Computer and Communications Security (ASIACCS 2013), Hangzhou, China

2012

  16. You Are What You Include: Large-scale Evaluation of Remote JavaScript Inclusions,
      Nick Nikiforakis, Luca Invernizzi, Alexandros Kapravelos, Steven Van Acker, Wouter Joosen, Christopher Kruegel, Frank Piessens and Giovanni Vigna
      in Proceedings of the 19th ACM Conference on Computer and Communications Security (CCS 2012), Raleigh, NC, USA

  17. FlowFox: a Web Browser with Flexible and Precise Information Flow Control,
      Willem De Groef, Dominique Devriese, Nick Nikiforakis, and Frank Piessens
      in Proceedings of the 19th ACM Conference on Computer and Communications Security (CCS 2012), Raleigh, NC, USA

  18. There is Safety in Numbers: Preventing Control-Flow Hijacking by Duplication,
      Job Noorman, Nick Nikiforakis, and Frank Piessens
      in Proceedings of the 17th Nordic Conference on Secure IT Systems (NordSec 2012), Karlskrona, Sweden

  19. DEMACRO: Defense against Malicious Cross-domain Requests,
      Sebastian Lekies, Nick Nikiforakis, Walter Tighzert, Frank Piessens and Martin Johns
      in Proceedings of the 15th International Symposium on Research In Attacks, Intrusions and Defenses (RAID 2012), Amsterdam, The Netherlands

  20. Serene: Self-Reliant Client-Side Protection against Session Fixation,
      Philippe De Ryck, Nick Nikiforakis, Lieven Desmet, Frank Piessens and Wouter Joosen
      in Proceedings of the 7th International Federated Conference on Distributed Computing Techniques (DAIS 2012), Stockholm, Sweden

  21. Exploring the Ecosystem of Referrer-Anonymizing Services,
      Nick Nikiforakis, Steven Van Acker, Frank Piessens and Wouter Joosen
      in Proceedings of the 12th Privacy Enhancing Technology Symposium (PETS 2012), Vigo, Spain

  22. Recent Developments in Low-Level Software Security,
      Pieter Agten, Nick Nikiforakis, Raoul Strackx, Willem De Groef and Frank Piessens
      in Proceedings of the 6th Workshop in Information Security Theory and Practice (WISTP 2012), London, UK

  23. FlashOver: Automated Discovery of Cross-site Scripting Vulnerabilities in Rich Internet Applications,
      Steven Van Acker, Nick Nikiforakis, Lieven Desmet, Wouter Joosen and Frank Piessens
      in Proceedings of the 7th ACM Symposium on Information, Computer and Communications Security (ASIACCS 2012), Seoul, South Korea

  24. HyperForce: Hypervisor-enForced Execution of Security-Critical Code,
      Francesco Gadaleta, Nick Nikiforakis, Jan Tobias Muhlberg and Wouter Joosen
      in Proceedings of the 27th IFIP International Information Security and Privacy Conference (IFIP SEC 2012), Heraklion, Crete, Greece

2011

  25. RIPE: Runtime Intrusion Prevention Evaluator,
      John Wilander, Nick Nikiforakis, Yves Younan, Mariam Kamkar and Wouter Joosen
      in Proceedings of the 27th Annual Computer Security Applications Conference (ACSAC 2011), Orlando, US [source]

  26. Hello rootKitty: A lightweight invariance-enforcing framework,
      Francesco Gadaleta, Nick Nikiforakis, Yves Younan and Wouter Joosen
      in Proceedings of the 14th Information Security Conference (ISC 2011), Xi'an, China [Video Demo]

  27. Abusing Locality in Shared Web Hosting,
      Nick Nikiforakis, Wouter Joosen and Martin Johns
      in Proceedings of the 4th European Workshop on System Security (EuroSec 2011), Salzburg, Austria

  28. Exposing the Lack of Privacy in File Hosting Services,
      Nick Nikiforakis, Marco Balduzzi, Steven Van Acker, Wouter Joosen and Davide Balzarotti
      in Proceedings of the 4th USENIX Workshop on Large-scale Exploits and Emergent Threats (LEET 2011), Boston, US

  29. SessionShield: Lightweight Protection against Session Hijacking,
      Nick Nikiforakis, Wannes Meert, Yves Younan, Martin Johns and Wouter Joosen
      in Proceedings of the 3rd International Symposium on Engineering Secure Software and Systems (ESSoS 2011), Madrid, Spain

2010 and earlier

  30. ValueGuard: Protection of native applications against data-only buffer overflows,
      Steven Van Acker, Nick Nikiforakis, Pieter Philippaerts, Yves Younan and Frank Piessens
      in Proceedings of the Sixth International Conference on Information Systems Security (ICISS 2010), Gujarat, India

  31. HProxy: Client-side detection of SSL stripping attacks,
      Nick Nikiforakis, Yves Younan and Wouter Joosen
      in Proceedings of the 7th International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment (DIMVA 2010), Bonn, Germany

  32. Monitoring three National Research Networks for Eight Weeks: Observations and Implications,
      Demetris Antoniades, Michalis Polychronakis, Nick Nikiforakis, Evangelos P. Markatos, Yiannis Mitsos
      in the 6th IEEE Workshop on End-to-End Monitoring Techniques and Services (E2EMon), April 2008, Salvador, Bahia, Brazil

  33. When Appmon met Stager,
      Nikos Nikiforakis, Demetres Antoniades, Evangelos P. Markatos, Sotiris Ioannidis, Arne Olesbo
      in the 6th IEEE Workshop on End-to-End Monitoring Techniques and Services (E2EMon), April 2008, Salvador, Bahia, Brazil

  34. Alice, what did you do last time? Fighting Phishing Using Past Activity Tests,
      Nikos Nikiforakis, Andreas Makridakis, Elias Athanasopoulos, and Evangelos P. Markatos
      in Proceedings of the 3rd European Conference on Computer Network Defense (EC2ND), October 2007, Heraklion, Greece


Talks

  • Microsoft Research Talks 2013 - Everything you always wanted to know about web-based device fingerprinting (but were afraid to ask) (Video)
  • OWASP BeNeLux 2013 - Everything you always wanted to know about web-based device fingerprinting (but were afraid to ask)
  • OWASP AppSec Research 2013 - Web Fingerprinting: How, Who, Why?
  • SysSec Workshop 2013 - Cookieless Monster: Exploring the Ecosystem of Web-based Device Fingerprinting, Invited talk
  • Web Application Security Seminar, Dagstuhl 2012 - You are what you include: Large-scale analysis of remote JavaScript inclusions
  • BruCON 2011 - Abusing locality in Shared Web Hosting
  • OWASP Netherlands Chapter meeting July 2011 - Abusing locality in Shared Web Hosting (slides)
  • OWASP BeNeLux 2010 - On the Privacy of File Sharing Services, Invited talk
  • CONFidence 201002 - Breaking Web Applications in Shared Hosting environments (slides)
  • AthCon 2010 - Alice Shares, Eve Reads: Enumerating File Hosting Services (slides)
  • OWASP AppSecDev Research 2010 - On the privacy of file sharing services

Professional Activities

Program Committee chair:

Program Committee member:

  • USENIX Security Symposium: 2015
  • Conference on Detection of Intrusions and Malware & Vulnerability Assessment (DIMVA): 2015
  • International World Wide Web Conference (WWW): 2015
  • International Symposium on Engineering Secure Software and Systems (ESSoS): 2015
  • European Workshop on System Security (EuroSec): 2012, 2013, 2014, 2015
  • IEEE International Conference on Embedded and Ubiquitous Computing (EUC): 2014
  • IFIP Conference on Communications and Multimedia Security (CMS): 2012, 2013
  • International Conference on Emerging Ubiquitous Systems and Pervasive Networks (EUSPN): 2013
  • IEEE Workshop on Network Measurements (IEEE WNM): 2013
  • OWASP AppSec Europe 2013 - Research Track (AppSec EU): 2013

Contact

Email

nick[at]cs.stonybrook.edu

Address

Nick Nikiforakis
Computer Science Department
Stony Brook University
Stony Brook, NY 11794-4400
USA