122,662 research outputs found
Actor-network procedures: Modeling multi-factor authentication, device pairing, social interactions
As computation spreads from computers to networks of computers, and migrates
into cyberspace, it ceases to be globally programmable, but it remains
programmable indirectly: network computations cannot be controlled, but they
can be steered by local constraints on network nodes. The tasks of
"programming" global behaviors through local constraints belong to the area of
security. The "program particles" that assure that a system of local
interactions leads towards some desired global goals are called security
protocols. As computation spreads beyond cyberspace, into physical and social
spaces, new security tasks and problems arise. As networks are extended by
physical sensors and controllers, including the humans, and interlaced with
social networks, the engineering concepts and techniques of computer security
blend with the social processes of security. These new connectors for
computational and social software require a new "discipline of programming" of
global behaviors through local constraints. Since the new discipline seems to
be emerging from a combination of established models of security protocols with
older methods of procedural programming, we use the name procedures for these
new connectors, that generalize protocols. In the present paper we propose
actor-networks as a formal model of computation in heterogenous networks of
computers, humans and their devices; and we introduce Procedure Derivation
Logic (PDL) as a framework for reasoning about security in actor-networks. On
the way, we survey the guiding ideas of Protocol Derivation Logic (also PDL)
that evolved through our work in security in last 10 years. Both formalisms are
geared towards graphic reasoning and tool support. We illustrate their workings
by analysing a popular form of two-factor authentication, and a multi-channel
device pairing procedure, devised for this occasion.Comment: 32 pages, 12 figures, 3 tables; journal submission; extended
references, added discussio
Factors Influencing People’s Intention to Adopt E-Banking: An Empirical Study of Consumers in Shandong Province, China
E-Banking is growing at an unprecedented rate and has become a truly worldwide phenomenon, offering convenience, flexibility and interactivity for those that can, and know how to access it. This is clearly evidence in China. However, despite such growth and popularity, some users still have reservations about using Information and communication technology (ICT) in their daily banking activities, perhaps due to deep routed cultural factors that cause consumers to question the efficacy of such changes. Through the application of a technology acceptance framework, and empirical evidence from 52 E-Banking user questionnaires and four key market segment interviews, the research explores the factors that influence consumers’ intention to adopt E-Banking in Shandong Province of China. The findings highlight that perceived usefulness and perceived credibility are significant factors which have a positive influence on consumers’ intention to utilise E-Banking, while perceived ease of use and perceived cost are less significant. Unpacking the reasons for resistance to the use of E-Banking highlighted that “difficult to operate”, “unnecessary to use it” and “worry about the security” are key drivers and therefore challenges for the service providers. Based on the results, recommendations are drawn for banks, involving focusing on the significant factors, avoiding weaknesses and optimising strengths of E-Banking and ultimately developing more accurate market positioning strategies to align and manage consumer expectations and maximise potential acceptance
“This is the way ‘I’ create my passwords ...":does the endowment effect deter people from changing the way they create their passwords?
The endowment effect is the term used to describe a phenomenon that manifests as a reluctance to relinquish owned artifacts, even when a viable or better substitute is offered. It has been confirmed by multiple studies when it comes to ownership of physical artifacts. If computer users also "own", and are attached to, their personal security routines, such feelings could conceivably activate the same endowment effect. This would, in turn, lead to their over-estimating the \value" of their existing routines, in terms of the protection they afford, and the risks they mitigate. They might well, as a consequence, not countenance any efforts to persuade them to adopt a more secure routine, because their comparison of pre-existing and proposed new routine is skewed by the activation of the endowment effect.In this paper, we report on an investigation into the possibility that the endowment effect activates when people adopt personal password creation routines. We did indeed find evidence that the endowment effect is likely to be triggered in this context. This constitutes one explanation for the failure of many security awareness drives to improve password strength. We conclude by suggesting directions for future research to confirm our findings, and to investigate the activation of the effect for other security routines
POWER-SUPPLaY: Leaking Data from Air-Gapped Systems by Turning the Power-Supplies Into Speakers
It is known that attackers can exfiltrate data from air-gapped computers
through their speakers via sonic and ultrasonic waves. To eliminate the threat
of such acoustic covert channels in sensitive systems, audio hardware can be
disabled and the use of loudspeakers can be strictly forbidden. Such audio-less
systems are considered to be \textit{audio-gapped}, and hence immune to
acoustic covert channels.
In this paper, we introduce a technique that enable attackers leak data
acoustically from air-gapped and audio-gapped systems. Our developed malware
can exploit the computer power supply unit (PSU) to play sounds and use it as
an out-of-band, secondary speaker with limited capabilities. The malicious code
manipulates the internal \textit{switching frequency} of the power supply and
hence controls the sound waveforms generated from its capacitors and
transformers. Our technique enables producing audio tones in a frequency band
of 0-24khz and playing audio streams (e.g., WAV) from a computer power supply
without the need for audio hardware or speakers. Binary data (files,
keylogging, encryption keys, etc.) can be modulated over the acoustic signals
and sent to a nearby receiver (e.g., smartphone). We show that our technique
works with various types of systems: PC workstations and servers, as well as
embedded systems and IoT devices that have no audio hardware at all. We provide
technical background and discuss implementation details such as signal
generation and data modulation. We show that the POWER-SUPPLaY code can operate
from an ordinary user-mode process and doesn't need any hardware access or
special privileges. Our evaluation shows that using POWER-SUPPLaY, sensitive
data can be exfiltrated from air-gapped and audio-gapped systems from a
distance of five meters away at a maximal bit rates of 50 bit/sec
- …