Elie Bursztein

Anti-Fraud and Abuse Research Lead at Google

Experiences

2014 - Present

Anti-Fraud and Abuse Research Lead

Google Inc. Mountain View, CA, USA
2013 - 2014

Senior Research Scientist

Google Inc. Mountain View, CA, USA
2012 - 2013

Research Scientist

Google Inc. Mountain View, CA, USA
2008 - 2012

Researcher

Stanford University Stanford, CA, USA
2004 - 2008

Adjunct Professor

PGSM Paris, France
2002 - 2006

CEO

Option Sarl Paris, France
2002 - 2004

Instructor

EPITA Paris, France
2000 - 2002

Advanced Tech Support

Club-Internet Paris, France

Education

2005 - 2008

Ph.D. in Computer Science, Security

Ecole Normale Supérieure Paris-Saclay Paris, France
2003 - 2004

Master in Computer Science

Université Paris Diderot Paris, France
1998 - 2004

Engineering degree in Systems, Networks and Security

EPITA Paris, France

Selected talks

2018

How to successfully harness AI to combat fraud and abuse

Elie Bursztein RSA, San Francisco, USA
2017

Hunting down Gooligan — retrospective analysis

Elie Bursztein, Oren Koriat Botconf, Montpellier, France
2017

Attacking encrypted USB keys the hard(ware) way

Jean-Michel Picod, Rémi Audebert, Elie Bursztein Black Hat USA, Las Vegas, USA
2017

Tracking desktop ransomware payments end to end

Luca Invernizzi, Kylie McRoberts, Elie Bursztein Black Hat USA, Las Vegas, USA
2017

How we created the first SHA-1 collision and what it means for hash security

Elie Bursztein Black Hat USA & Defcon 25, Las Vegas, USA
2017

Targeted Attack Against Corporate Inboxes: A Gmail Perspective

Elie Bursztein RSA, San Francisco, USA
2016

Cheating at poker - James Bond Style

Elie Bursztein, Celine Bursztein, Jean-Michel Picod Defcon 24, Las Vegas
2016

Does dropping usb drives really work?

Elie Bursztein Black Hat USA, Las Vegas, USA
2016

Lessons learned while protecting Gmail

Elie Bursztein Enigma first edition, San Francisco, USA
2014

I am a legend: hacking hearthstone with machine learning

Elie Bursztein, Celine Bursztein Defcon 22, Las Vegas
2012

Fuzzing online games

Elie Bursztein, Patrick Samy Defcon 20, Las Vegas, USA
2011

Beyond files recovery owade cloud-based forensic

Elie Bursztein, Ivan Fontarensky, Matthieu Martin, Jean-Michel Picod Black Hat USA, Las Vegas, USA
2010

Kartograph

Elie Bursztein, Jocelyn Lagarenne, Dan Boneh Defcon 18, Las Vegas, USA
2010

Bad memories

Elie Bursztein, Baptiste Gourdin, Dan Boneh Black Hat USA / Defcon 18, Las Vegas, USA
2010

Reversing dpapi and stealing windows secrets offline

Jean-Michel Picod, Elie Bursztein Black Hat DC, Washington, USA
2009

Embedded management interfaces emerging massive insecurity

Hristo Bojinov, Elie Bursztein Black Hat USA, Las Vegas, USA

Selected publications

Tracking desktop ransomware payments end to end  

Danny Yuxing Huang, Maxwell Aliapoulios, Vector Guo, Luca Invernizzi, Kylie McRoberts, Elie Bursztein, Jonathan Levin, Kirill Levchenko, Alex C. Snoeren, Damon McCoy Security and Privacy, San Francisco, USA

Three years of the Right to be Forgotten  

Theo Bertram, Elie Bursztein, Stephanie Caro, Hubert Chao, Rutledge Chin Feman, Peter Fleischer, Albin Gustafsson, Jess Hemerly, Chris Hibbert, Luca Invernizzi, Lanah Kammourieh Donnelly, Jason Ketover, Jay Laefer, Paul Nicholas, Yuan Niu, Harjinder Obhi, David Price, Andrew Strait, Kurt Thomas, Al Verney Under Submission, Feb

Data Breaches, Phishing, or Malware? Understanding the Risks of Stolen Credentials  

Kurt Thomas, Frank Li, Ali Zand, Jacob Barrett, Juri Ranieri, Luca Invernizzi, Yarik Markov, Oxana Comanescu, Vijay Eranti, Angelika Moscicki, Daniel Margolis, Vern Paxson, Elie Bursztein Computer and Communications Security, Dallas, USA

The first collision for full SHA-1  

Marc Stevens, Elie Bursztein, Pierre Karpman, Ange Albertini, Yarik Markov Crypto, Santa Barbara, USA

Understanding the Mirai Botnet  

Manos Antonakakis, Tim April, Michael Bailey, Matt Bernhard, Elie Bursztein, Jaime Cochran, Zakir Durumeric, J. Alex Halderman, Luca Invernizzi, Michalis Kallitsis, Deepak Kumar, Chaz Lever, Zane Ma, Joshua Mason, Damian Menscher, Chad Seaman, Nick Sullivan, Kurt Thomas, Yi Zhou Usenix Security, Vancouver, Canada

Pinning Down Abuse on Google Maps  

Danny Y. Huang, Doug Grundman, Kurt Thomas, Abhishek Kumar, Elie Bursztein, Kirill Levchenko, Alex C. Snoeren World Wide Web, Perth, Australia

The Security Impact of HTTPS Interception  

Zakir Durumeric, Zane Ma, Drew Springall, Richard Barnes, Nick Sullivan, Elie Bursztein, Michael Bailey, J Alex Halderman, Vern Paxson Network and Distributed Systems Symposium, San Diego, USA

Investigating commercial pay-per-install and the distribution of unwanted software  

Kurt Thomas, Juan A. Elices Crespo, Ryan Rasti, Jean-Michel Picod, Cait Phillips, Marc-Andre Decoste, Chris Sharp, Fabio Tirelo, Ali Tofigh, Marc-Antoine Courteau, Lucas Ballard, Robert Shield, Nav Jagpal, Moheeb Abu Rajab, Panayiotis Mavrommatis, Niels Provos, Elie Bursztein, Damon McCoy Usenix Security, Austin, USA

Cloak of visibility: detecting when machines browse a different web  

Luca Invernizzi, Kurt Thomas, Alexandros Kapravelos, Oxana Comanescu, Jean-Michel Picod, Elie Bursztein Security and Privacy, San Jose

Remedying web hijacking notification effectiveness and webmaster comprehension  

Frank Li, Grant Ho, Eric Kuan, Yuan Niu, Lucas Ballard, Kurt Thomas, Elie Bursztein, Vern Paxson World Wide Web, Montreal, Canada

Users really do plug in usb drives they find  

Matthew Tischer, Zakir Durumeric, Sam Foster, Sunny Duan, Alec Mori, Elie Bursztein, Michael Bailey Security and Privacy, San Jose, USA

Neither snow nor rain nor mitm . . . an empirical analysis of email delivery security  

Zakir Durumeric, David Adrian, Ariana Mirian, James Kasten, Elie Bursztein, Nicolas Lidzborski, Kurt Thomas, Vijay Eranti, Michael Bailey, J. Alex Halderman IMC, Tokyo

Secrets, lies, and account recovery: lessons from the use of personal knowledge questions at google  

Joseph Bonneau, Elie Bursztein, Ilan Caron, Rob Jackson, Mike Williamson 22nd international conference on World Wide Web, Florence, Italy

Ad injection at scale: assessing deceptive advertisement modifications  

Kurt Thomas, Elie Bursztein, Chris Grier, Grant Ho, Nav Jagpal, Alexandros Kapravelos, Damon McCoy, Antonio Nappa, Vern Paxson, Paul Pearce, Niels Provos, Moheeb Abu Rajab Security and Privacy, Oakland

Handcrafted fraud and extortion: manual account hijacking in the wild  

Elie Bursztein, Borbala Benko, Daniel Margolis, Tadek Pietraszek, Andy Archer, Allan Aquino, Andreas Pitsillidis, Stefan Savage Internet Measurement Conference, Vancouver, Canada

Dialing back abuse on phone verified accounts  

Kurt Thomas, Dmytro Latskiv, Elie Bursztein, Tadek Pietraszek, Chris Grier, Damon McCoy Conference on Computer and Communications Security, Scottsdale, USA

Cloak and swagger: understanding data sensitivity through the lens of user anonymity  

Sai Teja Peddinti, Aleksandra Korolova, Elie Bursztein, Geetanjali Sampemane Security And Privacy, San Jose

Online microsurveys for user experience research  

Victoria Schwanda Sosik, Elie Bursztein, Sunny Consolvo, David Huffaker, Gueorgi Kossinets, Kerwell Liao, Paul McDonald, Aaron Sedley Human Factors in Computing Systems, Vancouver

Easy does it: more usable captchas  

Elie Bursztein, Angelika Moscicki, Celine Fabry, Steven Bethard, John C. Mitchell, Dan Jurafsky Conference on Human Factors in Computing Systems, Toronto, Canada

Sessionjuggler secure web login from an untrusted terminal using session hijacking  

Elie Bursztein, Chinmay Soman, Dan Boneh, John C. Mitchell World Wide Web, Lyon, France

Text-based captcha strengths and weaknesses  

Elie Bursztein, Matthieu Martin, John C. Mitchell Computer and Communications Security, Chicago, USA

Towards secure embedded web interfaces  

Baptiste Gourdin, Chinmay Soman, Hristo Bojinov, Elie Bursztein Usenix Security, San Francisco, USA

The failure of noise-based non-continuous audio captchas  

Elie Bursztein, Romain Bauxis, Hristo Paskov, Daniele Perito, Celine Fabry, John C. Mitchell Security and Privacy, Oakland, USA

Openconflict preventing real time map hacks in online games  

Elie Bursztein, Jocelyn Lagarenne, Mike Hamburg, Dan Boneh Security and Privacy, Oakland, USA

An analysis of private browsing modes in modern browsers  

Gaurav Aggarwal, Elie Bursztein, Collin Jackson, Dan Boneh Usenix Security, Washington, USA

State of the art automated black-box web application vulnerability testing  

Jason Bau, Elie Bursztein, Divij Gupta, John C. Mitchell Security and Privacy, Oakland, USA

How good are humans at solving captchas a large scale evaluation  

Elie Bursztein, Steven Bethard, Celine Fabry, Dan Jurafsky, John C. Mitchell Security and Privacy, Oakland, USA

Xcs cross channel scripting and its impact on web applications  

Hristo Bojinov, Elie Bursztein, Dan Boneh Computer and Communications Security, Chicago, USA

Selected press articles

Apr 2018

AI can help cybersecurity - if it can fight through the hype

How to successfully harness AI to combat fraud and abuse Wired
Feb 2018

People Have Asked Google to Remove 2.4 Million Links About Them. Here's What They Want to Forget

Three years of the Right to be Forgotten Fortune
Feb 2018

Droit à l’oubli : en presque quatre ans, Google a reçu plus de 650 000 demandes

Three years of the Right to be Forgotten Le Monde
Feb 2018

Recht auf Vergessenwerden: Google erhielt bislang 2,4 Millionen URL-Löschanfragen

Three years of the Right to be Forgotten Heise Online
Feb 2018

Google has received 2.4 million URL removal requests under EU 'right to be forgotten' laws

Three years of the Right to be Forgotten The Verge
Nov 2017

Google investigators find hackers swipe nearly 250,000 passwords a week

Data Breaches, Phishing, or Malware? Understanding the Risks of Stolen Credentials Mashable
Nov 2017

Google says hackers steal almost 250,000 web logins each week

Data Breaches, Phishing, or Malware? Understanding the Risks of Stolen Credentials CNN
Jul 2017

Ransomware 'here to stay', warns Google study

Tracking desktop ransomware payments end to end BBC
Jul 2017

Google ransomware tracking finds vicious infection cycle

Tracking desktop ransomware payments end to end USA Today
Jul 2017

Google Warns Ransomware Boom Scored Crooks $2 Million A Month

Tracking desktop ransomware payments end to end Forbes
Feb 2017

Google Team Cracks Longtime Pillar of Internet Security

The first collision for full SHA-1 WSJ
Feb 2017

Google breaks SHA-1 web crypto for good

The first collision for full SHA-1 ZDNet
Feb 2017

Google Just 'Shattered' An Old Crypto Algorithm -- Here's Why That's Big For Web Security

The first collision for full SHA-1 Forbes
Feb 2017

Google just cracked one of the building blocks of web encryption

The first collision for full SHA-1 The Verge
Oct 2016

The mobile phone that lets you cheat at ANY card game: Handset has secret sensors to read cards

Cheating at poker - James Bond Style Daily Mail
Aug 2016

The state of cyber security: we're all screwed

Users really do plug in usb drives they find The Guardian
Nov 2015

Gmail to warn when messages take unencrypted routes

Neither snow nor rain nor mitm . . . an empirical analysis of email delivery security Daily Mail
May 2015

Your Password Security Questions Are Terrible, And They’re Not Fooling Anyone

Secrets, lies, and account recovery: lessons from the use of personal knowledge questions at google Huffington Post
May 2015

Google Study Shows Security Questions Aren’t All That Secure

Secrets, lies, and account recovery: lessons from the use of personal knowledge questions at google TechCrunch
May 2015

Google Reveals the Problem With Password Security Questions

Secrets, lies, and account recovery: lessons from the use of personal knowledge questions at google ABC News
May 2015

Stop Using This Painfully Obvious Answer For Your Security Questions

Secrets, lies, and account recovery: lessons from the use of personal knowledge questions at google Time
May 2015

Those secret security answers may not be so secure

Secrets, lies, and account recovery: lessons from the use of personal knowledge questions at google CBS News
May 2015

Busted! Google Names Key Culprits In Scammy Ad Software

Ad injection at scale: assessing deceptive advertisement modifications Forbes
May 2015

One in 20 web users infected with ad injection software

Ad injection at scale: assessing deceptive advertisement modifications The Guardian
May 2015

Ad Injection: Yet Another Challenge for Online Advertising

Ad injection at scale: assessing deceptive advertisement modifications The Wall Street Journal
Nov 2014

Gone in 180 Seconds: Hackers Quickly Raid E-Mails in Search of 'Wire Transfer' and Sex Photos

Handcrafted fraud and extortion: manual account hijacking in the wild Bloomberg
Nov 2014

This is how your Gmail account got hacked

Handcrafted fraud and extortion: manual account hijacking in the wild CNN
Nov 2014

Google Study Finds Email Scams Are More Effective Than You’d Expect

Handcrafted fraud and extortion: manual account hijacking in the wild Huffington Post
Nov 2014

Hijackers get up close and personal with hacked accounts

Handcrafted fraud and extortion: manual account hijacking in the wild USA Today
Nov 2014

Inside the world of professional e-mail account hijackers

Handcrafted fraud and extortion: manual account hijacking in the wild The Washington Post
Feb 2012

Stanford researchers crack video CAPTCHA

How we broke the nucaptcha video scheme and what we propose to fix it The Verge
Feb 2012

Stanford University researchers break NuCaptcha video security

How we broke the nucaptcha video scheme and what we propose to fix it CNET
Nov 2011

Stanford Software Cracks Most Captchas

Text-based captcha strengths and weaknesses NBC News
Oct 2011

Captcha security not much of a gotcha

Text-based captcha strengths and weaknesses CBS News
Sep 2011

Forensic Tool Unlocks Online History

Beyond files recovery owade cloud-based forensic WSJ
Sep 2011

New forensics tool can expose encrypted online activity

Beyond files recovery owade cloud-based forensic CBS News