Securing fog computing with a decentralised user authentication approach based on blockchain

The use of low-cost sensors in IoT over high-cost devices has been considered less expensive. However, these low-cost sensors have their own limitations such as the accuracy, quality, and reliability of the data collected. Fog computing offers solutions to those limitations; nevertheless, owning to its intrinsic distributed architecture, it faces challenges in the form of security of fog devices, secure authentication and privacy. Blockchain technology has been utilised to offer solutions for the authentication and security challenges in fog systems. This paper proposes an authentication system that utilises the characteristics and advantages of blockchain and smart contracts to authenticate users securely. The implemented system uses the email address, username, Ethereum address, password and data from a biometric reader to register and authenticate users. Experiments showed that the proposed method is secure and achieved performance improvement when compared to existing methods. The comparison of results with state-of-the-art showed that the proposed authentication system consumed up to 30% fewer resources in transaction and execution cost; however, there was an increase of up to 30% in miner fees

Software security requirements management as an emerging cloud computing service

© 2016 Elsevier Ltd. All rights reserved.Emerging cloud applications are growing rapidly and the need for identifying and managing service requirements is also highly important and critical at present. Software Engineering and Information Systems has established techniques, methods and technology over two decades to help achieve cloud service requirements, design, development, and testing. However, due to the lack of understanding of software security vulnerabilities that should have been identified and managed during the requirements engineering phase, we have not been so successful in applying software engineering, information management, and requirements management principles that have been established for the past at least 25 years, when developing secure software systems. Therefore, software security cannot just be added after a system has been built and delivered to customers as seen in today's software applications. This paper provides concise methods, techniques, and best practice requirements engineering and management as an emerging cloud service (SSREMaaES) and also provides guidelines on software security as a service. This paper also discusses an Integrated-Secure SDLC model (IS-SDLC), which will benefit practitioners, researchers, learners, and educators. This paper illustrates our approach for a large cloud system Amazon EC2 service

Sustainable Development Report: Blockchain, the Web3 & the SDGs

This is an output paper of the applied research that was conducted between July 2018 - October 2019 funded by the Austrian Development Agency (ADA) and conducted by the Research Institute for Cryptoeconomics at the Vienna University of Economics and Business and RCE Vienna (Regional Centre of Expertise on Education for Sustainable Development).Series: Working Paper Series / Institute for Cryptoeconomics / Interdisciplinary Researc

Reconciliation of anti-money laundering instruments and European data protection requirements in permissionless blockchain spaces

Artykuł ten zmierza do pogodzenia wymagań unijnego rozporządzenia o ochronie danych osobowych (RODO) i instrumentów przeciwdziałania praniu brudnych pieniędzy i finansowania terroryzmu (AML/CFT) wykorzystywanych w dostępnych publicznie ekosystemach permissionless bazujących na technologi rozproszonych rejestrów (DLT). Dotychczasowe analizy skupiają się zazwyczaj jedynie na jednej z tych regulacji. Natomiast poddanie analizie ich wzajemnych oddziaływań ujawnia brak ich koherencji w sieciach permissionless DLT. RODO zmusza członków społeczności blockchain do wykorzystywania technologii anonimizujących dane albo przynajmniej zapewniających silną pseudonimizację, aby zapewnić zgodność przetwarzania danych z wymogami RODO. Jednocześnie instrumenty globalnej polityki AML/CFT, które są obecnie implementowane w wielu państwach stosowanie do wymogów ustanawianych przez Financial Action Task Force (FATF), przeciwdziałają wykorzystywaniu technologii anonimizacyjnych wbudowanych w protokoły sieci blockchain. Rozwiązania proponowane w tym artykule mają na celu spowodowanie kształtowania sieci blockchain w taki sposób, aby jednocześnie zabezpieczały one dane osobowe użytkowników zgodnie z wysokimi wymogami RODO, jednocześnie adresując ryzyka AML/CFT kreowane przez transakcje w takiej anonimowej lub silnie pseudonimowej przestrzeni. Poszukiwanie nowych instrumentów polityki państw jest konieczne aby zapewnić że państwa nie będą zwalczać rozwoju wszystkich anonimowych sieci blockchian, gdyż jest to konieczne do zapewnienia ich zdolność do realizacji wysokich wymogów RODO w zakresie ochrony danych przetwarzanych na blockchain. Ten artykuł wskazuje narzędzia AML/CFT, które mogą być pomocne do tworzenia blockchainów wspierających prywatność przy jednoczesnym zapewnieniu wykonalności tych narzędzi AML/CFT. Pierwszym z tych narzędzi jest wyjątkowy dostęp państwa do danych transakcyjnych zapisanych na zasadniczo nie-trantsparentnym rejestrze, chronionych technologiami anonimizacyjnymi. Takie narzędzie powinno być jedynie opcjonalne dla danej sieci (finansowej platformy), jak długo inne narzędzia AML/CFT są wykonalne i są zapewniane przez sieć. Jeżeli żadne takie narzędzie nie jest dostępne, a dana sieć nie zapewni wyjątkowego dostępu państwu (państwom), wówczas regulacje powinny pozwalać danemu państwu na zwalczanie danej sieci (platformy finansowej) jako całości. Efektywne narzędzia w tym zakresie powinny obejmować uderzenie przez państwo (państwa) w wartość natywnej kryptowaluty, a nie ściganie indywidualnych jej użytkowników. Takie narzędzia mogą obejmować atak (cyberatak) państwa lub państw który podważy zaufanie użytkowników do danej sieci.This article is an attempt to reconcile the requirements of the EU General Data Protection Regulation (GDPR) and anti-money laundering and combat terrorist financing (AML/CFT) instruments used in permissionless ecosystems based on distributed ledger technology (DLT). Usually, analysis is focused only on one of these regulations. Covering by this research the interplay between both regulations reveals their incoherencies in relation to permissionless DLT. The GDPR requirements force permissionless blockchain communities to use anonymization or, at the very least, strong pseudonymization technologies to ensure compliance of data processing with the GDPR. At the same time, instruments of global AML/CFT policy that are presently being implemented in many countries following the recommendations of the Financial Action Task Force, counteract the anonymity-enhanced technologies built into blockchain protocols. Solutions suggested in this article aim to induce the shaping of permissionless DLT-based networks in ways that at the same time would secure the protection of personal data according to the GDPR rules, while also addressing the money laundering and terrorist financing risks created by transactions in anonymous blockchain spaces or those with strong pseudonyms. Searching for new policy instruments is necessary to ensure that governments do not combat the development of all privacy-blockchains so as to enable a high level of privacy protection and GDPR-compliant data processing. This article indicates two AML/CFT tools which may be helpful for shaping privacy-blockchains that can enable the feasibility of such tools. The first tool is exceptional government access to transactional data written on non-transparent ledgers, obfuscated by advanced anonymization cryptography. The tool should be optional for networks as long as another effective AML/CFT measures are accessible for the intermediaries or for the government in relation to a given network. If these other measures are not available and the network does not grant exceptional access, the regulations should allow governments to combat the development of those networks. Effective tools in that scope should target the value of privacy-cryptocurrency, not its users. Such tools could include, as a tool of last resort, state attacks which would undermine the trust of the community in a specific network

Sustainable Development Report: Blockchain, the Web3 & the SDGs

This is an output paper of the applied research that was conducted between July 2018 - October 2019 funded by the Austrian Development Agency (ADA) and conducted by the Research Institute for Cryptoeconomics at the Vienna University of Economics and Business and RCE Vienna (Regional Centre of Expertise on Education for Sustainable Development).Series: Working Paper Series / Institute for Cryptoeconomics / Interdisciplinary Researc

GUIDE FOR THE COLLECTION OF INSTRUSION DATA FOR MALWARE ANALYSIS AND DETECTION IN THE BUILD AND DEPLOYMENT PHASE

During the COVID-19 pandemic, when most businesses were not equipped for remote work and cloud computing, we saw a significant surge in ransomware attacks. This study aims to utilize machine learning and artificial intelligence to prevent known and unknown malware threats from being exploited by threat actors when developers build and deploy applications to the cloud. This study demonstrated an experimental quantitative research design using Aqua. The experiment\u27s sample is a Docker image. Aqua checked the Docker image for malware, sensitive data, Critical/High vulnerabilities, misconfiguration, and OSS license. The data collection approach is experimental. Our analysis of the experiment demonstrated how unapproved images were prevented from running anywhere in our environment based on known vulnerabilities, embedded secrets, OSS licensing, dynamic threat analysis, and secure image configuration. In addition to the experiment, the forensic data collected in the build and deployment phase are exploitable vulnerability, Critical/High Vulnerability Score, Misconfiguration, Sensitive Data, and Root User (Super User). Since Aqua generates a detailed audit record for every event during risk assessment and runtime, we viewed two events on the Audit page for our experiment. One of the events caused an alert due to two failed controls (Vulnerability Score, Super User), and the other was a successful event meaning that the image is secure to deploy in the production environment. The primary finding for our study is the forensic data associated with the two events on the Audit page in Aqua. In addition, Aqua validated our security controls and runtime policies based on the forensic data with both events on the Audit page. Finally, the study’s conclusions will mitigate the likelihood that organizations will fall victim to ransomware by mitigating and preventing the total damage caused by a malware attack

A Trust-by-Design Framework for the Internet of Things

The Internet of Things (IoT) is an environment where interconnected entities can interact and can be identifiable, usable, and controllable via the Internet. However, in order to interact among them, such IoT entities must trust each other. Trust is difficult to define because it concerns different aspects and is strongly dependent on the context. For this reason, a holistic approach allowing developers to consider and implement trust in the IoT is highly desirable. Nevertheless, trust is usually considered among different IoT entities only when they have to interact among them. In fact, without considering it during the whole System Developmente Life Cycle (SDLC) there is the possibility that security issues will be raised. In fact, without a clear conception of the possible threats during the development of the IoT entity, the lack of planning can be insufficient in order to protect the IoT entity. For this reason, we believe that it is fundamental to consider trust during the whole SDLC in order to carefully plan how an IoT entity will perform trust decisions and interact with the other IoT entities. To fulfill this goal, in this thesis work, we propose a trust-by-design framework for the IoT that is composed of a K-Model and several transversal activities. On the one hand, the K-Model covers the SDLC from the need phase to the utilization phase. On the other hand, the transversal activities will be implemented differently depending on the phases. A fundamental aspect that we implement in this framework is the relationship that trust has with other related domains such as security and privacy. Thus we will also consider such domains and their characteristics in order to develop a trusted IoT entity

Blockchain-Based Digitalization of Logistics Processes—Innovation, Applications, Best Practices

Blockchain technology is becoming one of the most powerful future technologies in supporting logistics processes and applications. It has the potential to destroy and reorganize traditional logistics structures. Both researchers and practitioners all over the world continuously report on novel blockchain-based projects, possibilities, and innovative solutions with better logistic service levels and lower costs. The idea of this Special Issue is to provide an overview of the status quo in research and possibilities to effectively implement blockchain-based solutions in business practice. This Special Issue reprint contained well-prepared research reports regarding recent advances in blockchain technology around logistics processes to provide insights into realized maturity