BATTLE AGAINST PHISHING

Phishing is a model problem for illustrating usability concerns of privacy and security because both system designers and attackers battle using user interfaces to guide (or misguide) users. There are two novel interaction techniques to prevent spoofing. First, our browser extension provides a trusted window in the browser dedicated to username and password entry. We use a photographic image to create a trusted path between the user and this window to prevent spoofing of the window and of the text entry fields. Second, our scheme allows the remote server to generate a unique abstract image for each user and each transaction. This imag e creates a "skin" that automatica lly customizes the browser window or the user interface elements in the content of a remote web page. Our extension allows the users browser to independently compute the image that it expects to receive from the server. To authenticate cont ent from the se rver, the user can visually verify that the images match. We contrast our work with existing anti - phishing proposals. In contrast to other proposals, our scheme places a very low burden on the user in terms of effort, memory and time. To authenticate himse lf the user has to recognize only one image and remember one low entropy password, no matter how many servers he wishes to interact with. To authenticate content from an authenticated server, the us er only needs to perform one visual matching operation to compare two images. Furthermore, it places a high burden of effort on an attacker to spoof customized security indicators

Assessment and hardening of IOT development boards

© IFIP International Federation for Information Processing 2019. Internet of Things (IoT) products became recently an essential part of any home in conjunction with the great advancements in internet speeds and services. The invention of IoT based devices became an easy task that could be performed through the widely available IoT development boards. Raspberry Pi is considered one of the advanced development boards that have high hardware capabilities with a reasonable price. Unfortunately, the security aspect of such products is overlooked by the developers, revealing a huge amount of threats that result in invading the privacy and the security of the users. In this research, we directed our study to SSH due to its extensive adoption by the developers. It was found that due to the nature of the Raspberry Pi and development boards, the Raspberry Pi generates predictable and weak keys which make it easy to be utilized by MiTM attack. In this paper, Man in The Middle (MiTM) attack was conducted to examine the security of different variations provided by the SSH service, and various hardening approaches were proposed to resolve the issue of SSH weak implementation and weak keys

Users\u27 Perspectives and Attitudes Towards Web Application Security

The Internet has become an integral part of the society in many parts of the world. However, as the Internet becoming more important and useful, the problems with Web security have also increased. More people today have experienced Web security threats such as viruses, spyware, keyloggers, and phishing; and a not insignificant number have encountered financial fraud because of the online activities they conducted. This research investigated the security concerns and level of awareness of users in regards to the use of web applications, by identifying users\u27 concerns of web applications, examining the relationship of users\u27 technical knowledge and users\u27 attitudes, as well as investigating the types of web applications that dictate users\u27 concerns towards security. The findings from a survey of 124 respondents within this research indicated that nearly all respondents, across genders and education levels had high levels of awareness of Internet security issues. This research found that the length of users\u27 involvement in actively using the Internet drives their level of understanding of Internet security. In terms of the way the users conducted online activities, this research found that younger respondents were less fearful than older respondents. Based on the findings of this research, it is hoped that users\u27 education regarding web application security can be more effectively developed in this increasingly web-centric society

Implementation of Captcha as Graphical Passwords For Multi Security

To validate human users, passwords play a vital role in computer security. Graphical passwords offer more security than text-based passwords, this is due to the reason that the user replies on graphical passwords. Normal users choose regular or unforgettable passwords which can be easy to guess and are prone to Artificial Intelligence problems. Many harder to guess passwords involve more mathematical or computational complications. To counter these hard AI problems a new Captcha technology known as, Captcha as Graphical Password (CaRP), from a novel family of graphical password systems has been developed. CaRP is both a Captcha and graphical password scheme in one. CaRP mainly helps in hard AI problems and security issues like online guess attacks, relay attacks, and shoulder-surfing attacks if combined with dual view technologies. Pass-points, a new methodology from CaRP, addresses the image hotspot problem in graphical password systems which lead to weak passwords. CaRP also implements a combination of images or colors with text which generates session passwords, that helps in authentication because with session passwords every time a new password is generated and is used only once. To counter shoulder surfing, CaRP provides cheap security and usability and thus improves online security. CaRP is not a panacea; however, it gives protection and usability to some online applications for improving online security

A generic framework for process execution and secure multi-party transaction authorization

Process execution engines are not only an integral part of workflow and business process management systems but are increasingly used to build process-driven applications. In other words, they are potentially used in all kinds of software across all application domains. However, contemporary process engines and workflow systems are unsuitable for use in such diverse application scenarios for several reasons. The main shortcomings can be observed in the areas of interoperability, versatility, and programmability. Therefore, this thesis makes a step away from domain specific, monolithic workflow engines towards generic and versatile process runtime frameworks, which enable integration of process technology into all kinds of software. To achieve this, the idea and corresponding architecture of a generic and embeddable process virtual machine (ePVM), which supports defining process flows along the theoretical foundation of communicating extended finite state machines, are presented. The architecture focuses on the core process functionality such as control flow and state management, monitoring, persistence, and communication, while using JavaScript as a process definition language. This approach leads to a very generic yet easily programmable process framework. A fully functional prototype implementation of the proposed framework is provided along with multiple example applications. Despite the fact that business processes are increasingly automated and controlled by information systems, humans are still involved, directly or indirectly, in many of them. Thus, for process flows involving sensitive transactions, a highly secure authorization scheme supporting asynchronous multi-party transaction authorization must be available within process management systems. Therefore, along with the ePVM framework, this thesis presents a novel approach for secure remote multi-party transaction authentication - the zone trusted information channel (ZTIC). The ZTIC approach uniquely combines multiple desirable properties such as the highest level of security, ease-of-use, mobility, remote administration, and smooth integration with existing infrastructures into one device and method. Extensively evaluating both, the ePVM framework and the ZTIC, this thesis shows that ePVM in combination with the ZTIC approach represents a unique and very powerful framework for building workflow systems and process-driven applications including support for secure multi-party transaction authorization

Malware-Resistant Protocols for Real-World Systems

Cryptographic protocols are widely used to protect real-world systems from attacks. Paying for goods in a shop, withdrawing money or browsing the Web; all these activities are backed by cryptographic protocols. However, in recent years a potent threat became apparent. Malware is increasingly used in attacks to bypass existing security mechanisms. Many cryptographic protocols that are used in real-world systems today have been found to be susceptible to malware attacks. One reason for this is that most of these protocols were designed with respect to the Dolev-Yao attack model that assumes an attacker to control the network between computer systems but not the systems themselves. Furthermore, most real-world protocols do not provide a formal proof of security and thus lack a precise definition of the security goals the designers tried to achieve. This work tackles the design of cryptographic protocols that are resilient to malware attacks, applicable to real-world systems, and provably secure. In this regard, we investigate three real-world use cases: electronic payment, web authentication, and data aggregation. We analyze the security of existing protocols and confirm results from prior work that most protocols are not resilient to malware. Furthermore, we provide guidelines for the design of malware-resistant protocols and propose such protocols. In addition, we formalize security notions for malware-resistance and use a formal proof of security to verify the security guarantees of our protocols. In this work we show that designing malware-resistant protocols for real-world systems is possible. We present a new security notion for electronic payment and web authentication, called one-out-of-two security, that does not require a single device to be trusted and ensures that a protocol stays secure as long as one of two devices is not compromised. Furthermore, we propose L-Pay, a cryptographic protocol for paying at the point of sale (POS) or withdrawing money at an automated teller machine (ATM) satisfying one-out-of-two security, FIDO2 With Two Displays (FIDO2D) a cryptographic protocol to secure transactions in the Web with one-out-of-two security and Secure Aggregation Grouped by Multiple Attributes (SAGMA), a cryptographic protocol for secure data aggregation in encrypted databases. In this work, we take important steps towards the use of malware-resistant protocols in real-world systems. Our guidelines and protocols can serve as templates to design new cryptographic protocols and improve security in further use cases