End-user Security Research Articles

End User Security using Smart Devices with Ability to Access IoT services

This paper explores the security issues of smart devices in IoT environments and proposes solutions to enhance end-user protection. A qualitative approach, including a comprehensive literature review, was used to identify key security issues and best practices. Key vulnerabilities in IoT device security include insecure communication channels, weak authentication mechanisms, outdated firmware and software, and a lack of standardized security protocols. Current security practices among end-users show limited awareness and inconsistent implementation. Recommendations include adopting universal security standards, enhancing user education through regular programs, promoting advanced security tools like multi-factor authentication, and simplifying device management with user-friendly interfaces. This paper offers a comprehensive analysis of IoT security issues and practical recommendations to create a safer IoT ecosystem, ensuring technological advancements do not compromise user security.

Survey of techniques to detect common weaknesses in program binaries

Software vulnerabilities resulting from coding weaknesses and poor development practices are common. Attackers can exploit these vulnerabilities and impact the security and privacy of end-users. Most end-user software is distributed as program binaries. Therefore, to increase trust in third-party software, researchers have built techniques and tools to detect and resolve different classes of coding weaknesses in binary software. Our work is motivated by the need to survey the state-of-the-art and understand the capabilities and challenges faced by binary-level techniques that were built to detect the most important coding weaknesses in software binaries. Therefore, in this paper, we first show the most critical coding weaknesses for compiled programming languages. We then survey, explore, and compare the static techniques that were developed to detect each such coding weakness in software binaries. Our other goal in this work is to discover and report the state of published open-source implementations of static binary-level security techniques. For the open-source frameworks that work as documented, we independently evaluate their effectiveness in detecting code vulnerabilities on a suite of program binaries. To our knowledge, this is the first work that surveys and independently evaluates the performance of state-of-the-art binary-level techniques to detect weaknesses in binary software.

MFEMDroid: A Novel Malware Detection Framework Using Combined Multitype Features and Ensemble Modeling

The continuous malicious attacks on Internet of Things devices pose a potential threat to the economic and private information security of end-users, especially on the dominant Android devices. Combining static analysis methods with deep Learning is a promising approach to defend against that. This kind of method has two limitations: the first is that the current single-permission mechanism is not insufficient to regulate interapplication resource acquisition; another problem is that current work on feature learning is dedicated to modifying a single network structure, which may result in a suboptimal solution. In this study, to solve the abovementioned problems, we propose a novel malware detection framework MFEMDroid, which combines multitype features analysis and ensemble modeling. The Provider feature, facilitating information requests between applications (apps) and serving as an indispensable data storage method, plays a vital role in characterizing app behavior. Hence, we extract permissions and Provider features to comprehensively characterize app behavior and probe potentially dangerous combinations between or within these features. To address oversparse datasets and reduce feature learning overhead, we employ an auto-encoder for feature dimensionality reduction. Furthermore, we design an ensemble network based on SENet, ResNet, and the evolutionary convolutional neural network Squeeze Excitation Residual Network (SEResNet) to explore the hidden associations between different types of features from multiple perspectives. We performed extensive experiments to evaluate its method performance on real-world samples. The evaluation results demonstrate that the proposed framework can detect malware with an accuracy of 95.38%, which is much better than state-of-the-art solutions. These promising experimental results show that MFEMDroid is an effective approach to detect Android malware.

Multiauthority Ciphertext Policy-Attribute-Based Encryption (MA-CP-ABE) with Revocation and Computation Outsourcing for Resource-Constraint Devices

Fog computing accredits by utilizing the network edge while still rendering the possibility to interact with the cloud. Nevertheless, the features of fog computing are encountering several security challenges. The security of end users and/or fog servers brings a significant dilemma in implementing fog computing. The computational power of the resources constrains Internet of Things (IoT) devices in the fog-computing environment. Therefore, an attacker can easily attack. The traditional methods like attribute-based encryption (ABE) techniques are inappropriate for resource-constraint devices with protracted computing and limited computational capabilities. In this regard, we investigate a multiauthority ciphertext policy-attribute-based encryption (MA-CP-ABE) method that enables multiauthority attribute revocation and computation outsourcing. Moreover, the encryption and decryption processes of resource-constraint IoT devices are outsourced to the fog nodes. In this way, it also reduces the computational burden of the resource-constraint IoT devices. Hence, we propose MA-CP-ABE for encryption and decryption, attribute revocation and outsourcing by reducing the computational burden and securing the system. We compare the computational offloading approach with the existing techniques to prove that the proposed approach outperforms the existing approaches. The proposed method reduces the operation time for the encryption and decryption process. We outsource cryptography operations to the fog node, reducing the end user’s computational cost. Eventually, simulated outcomes are used to assess the algorithm’s computational cost.

A Survey and Analysis of TLS Interception Mechanisms and Motivations: Exploring how end-to-end TLS is made “end-to-me” for web traffic

TLS is an end-to-end protocol designed to provide confidentiality and integrity guarantees that improve end-user security and privacy. While TLS helps defend against pervasive surveillance of intercepted unencrypted traffic, it also hinders several common beneficial operations typically performed by middleboxes on the network traffic. Consequently, various methods have been proposed that “bypass” the confidentiality goals of TLS by playing with keys and certificates essentially in a man-in-the-middle solution, as well as new proposals that extend the protocol to accommodate third parties, delegation schemes to trusted middleboxes, and fine-grained control and verification mechanisms. We first review the use cases expecting plain HTTP traffic and discuss the extent to which TLS hinders these operations. We retain 19 scenarios where access to unencrypted traffic is still relevant and evaluate the incentives of the stakeholders involved. Second, we survey 30 schemes by which TLS no longer delivers end-to-end security and by which the notion of an “end” changes, including caching middleboxes such as Content Delivery Networks. Finally, we compare each scheme based on deployability and security characteristics and evaluate their compatibility with the stakeholders’ incentives. Our analysis leads to a number of key findings, observations, and research questions that we believe will be of interest to practitioners, policy makers, and researchers.

Maintaining a Secure Foundation of Cybersecurity Awareness while Reducing eWaste and Carbon Output through Ethical User Actions and Sustainable Green Computing

To better understand how we can help reduce the climate crisis, this research examined user computing activities in detail to analyze and identify eWaste actions causing unknown catastrophic climate degradation. Countless individuals are oblivious to the damage and devastation being caused to the climate by even a single user. As the world becomes more technologically based than ever before, the global impact on the planet has never been greater. This study examines in great detail end-users’ normal computer usage to identify where, how, and why they are generating excess eWaste. We argue that the resultant data collected will provide support for our theory, positing that increasing consumer awareness of better computational practices can lead to positive actions to reduce eWaste. This research study utilized a multiple case study approach to achieve our stated research objectives; recognizing computer actions identified as most detrimental to the climate by level of eWaste (CO2e output) and introducing alternative user actions that are ethical, green, and produce less eWaste. In addition to helping reduce the overall user-level carbon footprint and eWaste output, the sustainability of these alternative user actions can be maintained with zero reduction in privacy or security for end users. Results from this study contribute to the extant body of literature across multiple disciplines, including privacy, green computing, information system science and technology, cybersecurity, and sustainable computing.

Pareto-optimal Defenses for the Web Infrastructure: Theory and Practice

The integrity of the content a user is exposed to when browsing the web relies on a plethora of non-web technologies and an infrastructure of interdependent hosts, communication technologies, and trust relations. Incidents like the Chinese Great Cannon or the MyEtherWallet attack make it painfully clear: the security of end users hinges on the security of the surrounding infrastructure: routing, DNS, content delivery, and the PKI. There are many competing, but isolated proposals to increase security, from the network up to the application layer. So far, researchers have focused on analyzing attacks and defenses on specific layers. We still lack an evaluation of how, given the status quo of the web, these proposals can be combined, how effective they are, and at what cost the increase of security comes. In this work, we propose a graph-based analysis based on Stackelberg planning that considers a rich attacker model and a multitude of proposals from IPsec to DNSSEC and SRI. Our threat model considers the security of billions of users against attackers ranging from small hacker groups to nation-state actors. Analyzing the infrastructure of the Top 5k Alexa domains, we discover that the security mechanisms currently deployed are ineffective and that some infrastructure providers have a comparable threat potential to nations. We find a considerable increase of security (up to 13% protected web visits) is possible at a relatively modest cost, due to the effectiveness of mitigations at the application and transport layer, which dominate expensive infrastructure enhancements such as DNSSEC and IPsec.

AI-big data analytics for building automation and management systems: a survey, actual challenges and future perspectives

In theory, building automation and management systems (BAMSs) can provide all the components and functionalities required for analyzing and operating buildings. However, in reality, these systems can only ensure the control of heating ventilation and air conditioning system systems. Therefore, many other tasks are left to the operator, e.g. evaluating buildings’ performance, detecting abnormal energy consumption, identifying the changes needed to improve efficiency, ensuring the security and privacy of end-users, etc. To that end, there has been a movement for developing artificial intelligence (AI) big data analytic tools as they offer various new and tailor-made solutions that are incredibly appropriate for practical buildings’ management. Typically, they can help the operator in (i) analyzing the tons of connected equipment data; and; (ii) making intelligent, efficient, and on-time decisions to improve the buildings’ performance. This paper presents a comprehensive systematic survey on using AI-big data analytics in BAMSs. It covers various AI-based tasks, e.g. load forecasting, water management, indoor environmental quality monitoring, occupancy detection, etc. The first part of this paper adopts a well-designed taxonomy to overview existing frameworks. A comprehensive review is conducted about different aspects, including the learning process, building environment, computing platforms, and application scenario. Moving on, a critical discussion is performed to identify current challenges. The second part aims at providing the reader with insights into the real-world application of AI-big data analytics. Thus, three case studies that demonstrate the use of AI-big data analytics in BAMSs are presented, focusing on energy anomaly detection in residential and office buildings and energy and performance optimization in sports facilities. Lastly, future directions and valuable recommendations are identified to improve the performance and reliability of BAMSs in intelligent buildings.

Effects of Personal Factors and Organizational Reinforcing Tools in Decreasing Employee Engagement in Unhygienic Cyber Practices

Employee engagement in unhygienic cyber practices (UCP) is a concern for organizations across the world. The purpose of this paper is to explore the effects of personal and environmental factors in decreasing workers’ engagement in UCP in a developing country: A personal-environment-behavior model was adapted for the study. Data was collected from working MBA students in Ethiopia. The key results show that the personal factor of self-regulation related to acceptable cyber practices decreases workers’ engagement in UCP, while self-efficacy did not. The environmental factor of computer monitoring (CM) decrease workers’ engagement in UCP, while the availability of security education and training awareness (SETA) programs did not. Both CM and SETA have positive effects in improving self-efficacy. Only SETA programs positively impact self-regulation. This study adds to the understanding of end-user security behavior by focusing on UCP with insights from a developing country.

GNSS spoofing detection technology based on Doppler frequency shift difference correlation

Global navigation satellite system (GNSS) spoofing interference poses a great threat to the security of end users. Based on the same propagation path characteristics of the spoofing signals transmitted by a single antenna spoofing device, this paper proposes a method against single antenna spoofing jamming utilizing the Fréchet distance of Doppler frequency difference. When the receiver moves, the Doppler data in a window are fitted via the leastsquares method, and the Fréchet distance between the two satellite signals is calculated to obtain the similarity evaluation value between them. The detection of spoofing signal is carried out based on the evaluation value. We use real data to verify the detection performance of the method, and the experimental results show that the method can effectively distinguish the spoofing signal from the authentic signal. In addition, the method has low computational complexity and requires less additional information, which makes it possible to apply it in the anti-spoofing module of a GNSS receiver.

THE EFFECTS OF PERSUASIVE TECHNOLOGY FOR INFLUENCING END-USERS’ INFORMATION SECURITY AWARENESS

In today’s digital world, information assets have grown in importance, demanding measures to ensure their protection. Ubiquitously, end-users are having trouble ensuring the security of their personal information. The human factor is a major source of vulnerability in the field of information security. Traditional techniques that can be used to influence information security awareness (ISA) remain prohibitively expensive, time-consuming, and repetitive. In light of these challenges, this study proposes persuasive technology to influence end-users security awareness and behaviour intention. Based on our research, persuasive technology is effective in changing end-users attitudes and behaviours. In this context, this study assesses the effectiveness of persuasive technology use for influencing end-users’ ISA. In addition, this research establishes an integrated model for improving end-users’ ISA by incorporating relevant literature and multiple empirically verified theories, including Fogg Behaviour Model (FBM), Protection Motivation Theory (PMT), Theory of Planned Behaviour (TPB), and Technology Acceptance Model (TAM). The integrated model has been proposed based on the main categories of FBM (motivation, ability, and trigger) to identify the effects of key factors in the persuasive technology context for influencing end-user ISA and behaviour intention. The prototype was developed by implementing the persuasive factors of the proposed model to measure the effectiveness of persuasive technology. Quantitative data from an experiment were gathered from 100 participants to validate the proposed research model using the paired sample T-test and partial least squares (PLS) to assess security awareness in the context of persuasive technology. The research findings show that using persuasive technology has a positive influence on ISA. The results also indicate the research model significantly predicts the key factors affecting security awareness and behaviour intention with respect to persuasive technology. Thus, this study suggests a model for the creation and development of a proactive and customised security awareness system. Therefore, persuasive technology, in general, has a positive effect on users’ security awareness and the intention of security behaviour

One bad apple can spoil your IPv6 privacy

IPv6 is being more and more adopted, in part to facilitate the millions of smart devices that have already been installed at home. Unfortunately, we find that the privacy of a substantial fraction of end-users is still at risk, despite the efforts by ISPs and electronic vendors to improve end-user security, e.g., by adopting prefix rotation and IPv6 privacy extensions. By analyzing passive data from a large ISP, we find that around 19% of end-users' privacy can be at risk. When we investigate the root causes, we notice that a single device at home that encodes its MAC address into the IPv6 address can be utilized as a tracking identifier for the entire end-user prefix---even if other devices use IPv6 privacy extensions. Our results show that IoT devices contribute the most to this privacy leakage and, to a lesser extent, personal computers and mobile devices. To our surprise, some of the most popular IoT manufacturers have not yet adopted privacy extensions that could otherwise mitigate this privacy risk. Finally, we show that third-party providers, e.g., hypergiants, can track up to 17% of subscriber lines in our study.

IoT security certifications: Challenges and potential approaches

The Internet of Things (IoT) has changed how we interact with the world around us. Many devices are moving from offline to online mode, connecting between them and the Internet, offering more functionality to users. Despite the increase in the quality of life for users provided by IoT devices, it is also necessary to establish trust in the privacy and security of end-users. With this level of connectivity, the amount of data exchanged between devices also increases, inducing malicious activities. One of the main problems is the lack of regulation in the IoT industry, especially between different manufacturers. There are no formal security rules, and manufacturers may not choose to install security mechanisms. Therefore, it is necessary to promote the adoption of security measures. One way to do this is by using IoT devices and systems certification. In recent years, IoT certifications have emerged. Meanwhile, the European Union has passed the Cyber Security Act to unify and regulate security certifications in member states. Our work collects the requirements that different IoT environments and application scenarios impose on certifications and discusses the current certifications’ status according to those requirements. In addition, we also explored how EU measures apply to IoT and, where applicable, how certifications implement them, highlighting future research challenges.

Realizing a Downstream-Access Network Using Continuous-Variable Quantum Key Distribution

Quantum key distribution (QKD), which enables the secure distribution of symmetric keys between two legitimate parties, is highly useful in future network security. An access network that connects multiple end users with one network backbone can be combined with QKD to build security for end users in a scalable and cost-effective way. In this paper, we show that a downstream-access network can be implemented using continuous-variable (CV) QKD. The security analysis is conducted independently with other network nodes, which greatly relax the trustfulness requirement on the network nodes. The security is then obtained against other network parties even when the quantum signals are broadcast throughout the network. The passive beam splitter is sufficient to deterministically distribute the quantum signals, and standard CV QKD systems can be directly fitted in the downstream-access network, which makes it more applicable for practical implementations. Numerous simulation results are provided to demonstrate the performance of the CV QKD downstream-access network, where up to 64 end users are shown to be feasible to access the network. We provide the security-analysis framework for realizing CV QKD in the downstream-access network, which will boost the diversity for constructing practical CV QKD networks.

A revocable and outsourced multi-authority attribute-based encryption scheme in fog computing

Fog computing is a revolutionary technology for the next generation to bridge the gap between cloud data centers and end-users. Fog computing is not a counterfeit for cloud computing but a persuasive counterpart. It also accredits by utilizing the network edge while still rendering the possibility to interact with the cloud. Nevertheless, the features of fog computing are encountering several security challenges. The security of end-users and/or fog servers brings a significant dilemma in implementing fog computing. Moreover, in conventional cloud computing, the attribute-based encryption (ABE) technology is not appropriate for end-users due to restricted computing resources, i.e., limited resources, high end-to-end delay, and transmission capability. Hence, the revocation and outsourcing mechanisms become inappropriate between end-users and cloud servers. In this regard, this paper recommends a multi-authority attribute-based encryption (MA-ABE) technique to support revocation and outsource the attributes to fog computation. We present an attribute revocation scheme based on cipher-text attribute-based encryption by introducing the attribute group keys. In this process, the secret keys are dynamically altered and realized the requirement of immediate attribute revocations. Hence, we provide the complete encryption and decryption process for end-users and fog servers based on multi-authority, attribute revocation, and outsourcing computation, while most of the existing scheme lack to incorporate all these parameters. Our scheme also outsources the complicated encryption and decryption tasks to the fog server that significantly improves the overall computation efficiency compared to the state-of-the-art work.

The Android Platform Security Model

Android is the most widely deployed end-user focused operating system. With its growing set of use cases encompassing communication, navigation, media consumption, entertainment, finance, health, and access to sensors, actuators, cameras, or microphones, its underlying security model needs to address a host of practical threats in a wide variety of scenarios while being useful to non-security experts. The model needs to strike a difficult balance between security, privacy, and usability for end users, assurances for app developers, and system performance under tight hardware constraints. While many of the underlying design principles have implicitly informed the overall system architecture, access control mechanisms, and mitigation techniques, the Android security model has previously not been formally published. This article aims to both document the abstract model and discuss its implications. Based on a definition of the threat model and Android ecosystem context in which it operates, we analyze how the different security measures in past and current Android implementations work together to mitigate these threats. There are some special cases in applying the security model, and we discuss such deliberate deviations from the abstract model.

The Rise of Android Banking Trojans

As soon as banks began developing mobile applications to enable users to perform financial activities online, cybercriminals started formulating ways to penetrate this new channel and perform illicit transactions. For criminals, it is easier to exploit the scarce end-user security awareness and attack individual clients' devices rather than directly target the portals of banks.

The Impact of Information Technology on Information System Effectiveness in Jordanian Telecommunication Companies

This study aimed to test the impact of information technology on Information systems effectiveness in Jordanian Telecom Companies. The study adopted a five-dimensional scale to measure information technology (people, hardware, software, databases, and networks), while the information systems' effectiveness was measured through four dimensions: end-user satisfaction, system usage, system security and suitability of the system for management levels. To achieve study aims, a descriptive-analytical method was used. The study was conducted on a sample of (152) managers working in these companies. This study found that there is a high-level average for information technology dimensions and Information Systems effectiveness dimensions. Also, the results showed a significant impact of information technology dimensions (people, software, databases, and networks) except hardware on effectiveness information systems. It was also evident that there a significant impact of information technology on Information systems effectiveness dimensions (end-user satisfaction, system usage, system security and suitability of the system for management levels).

Lightweight Selective Encryption for Social Data Protection Based on EBCOT Coding

Online social media today has a large number of users and has become a huge platform to collect and share the social data generated by the end users. In addition, based on the development of social applications, the social sensing system has been greatly developed to generate, transmit, and store, which is helping the prosperous of the social computing systems. However, the violation of the security of end users’ social data stored and shared through the social computing system becomes a serious and urgent issue. The data protection on social media platforms is very different compared with the scenario of the traditional encryption algorithms, and most of the existing schemes are not suitable for data protection in the current social sensing and data-sharing system. In this article, we present a novel design based on the agnostic selective encryption concept to efficiently protect the social data based on the embedded block coding with optimized truncation system. By selectively encrypting only a small portion of the bitstreams in the middle layer of this coding system, a high level of protection and efficiency can both be achieved. We also experiment with our method on four common social data formats, and the security analysis tests are performed to verify the high protection level of our method.

Online social network security awareness: mass interpersonal persuasion using a Facebook app

Purpose Online social network (OSN) users have a high propensity to malware threats due to the trust and persuasive factors that underpin OSN models. The escalation of social engineering malware encourages a growing demand for end-user security awareness measures. The purpose of this paper is to take the theoretical cybersecurity awareness model TTAT-MIP and test its feasibility via a Facebook app, namely social network criminal (SNC). Design/methodology/approach The research employs a mixed-methods approach to evaluate the SNC app. A system usability scale measures the usability of SNC. Paired samples t-tests were administered to 40 participants to measure security awareness – before and after the intervention. Finally, 20 semi-structured interviews were deployed to obtain qualitative data about the usefulness of the App itself. Findings Results validate the effectiveness of OSN apps utilising a TTAT-MIP model – specifically the mass interpersonal persuasion (MIP) attributes. Using TTAT-MIP as a guidance, practitioners can develop security awareness systems that better leverage the intra-relationship model of OSNs. Research limitations/implications The primary limitation of this study is the experimental settings. Although the results testing the TTAT-MIP Facebook app are promising, these were set under experimental conditions. Practical implications SNC enable persuasive security behaviour amongst employees and avoid potential malware threats. SNC support consistent security awareness practices by the regular identification of new threats which may inspire the creation of new security awareness videos. Social implications The structure of OSNs is making it easier for malicious users to carry out their activities without the possibility of detection. By building a security awareness programme using the TTAT-MIP model, organisations can proactively manage security awareness. Originality/value Many security systems are cumbersome, inconsistent and non-specific. The outcome of this research provides organisations and security practitioners with a framework for designing and developing proactive and tailored security awareness systems.