1,009 research outputs found

    An eye for deception: A case study in utilizing the human-as-a-security-sensor paradigm to detect zero-day semantic social engineering attacks

    In a number of information security scenarios, human beings can be better than technical security measures at detecting threats. This is particularly the case when a threat is based on deception of the user rather than exploitation of a specific technical flaw, as is the case of spear-phishing, application spoofing, multimedia masquerading and other semantic social engineering attacks. Here, we put the concept of the human-as-a-security-sensor to the test with a first case study on a small number of participants subjected to different attacks in a controlled laboratory environment and provided with a mechanism to report these attacks if they spot them. A key challenge is to estimate the reliability of each report, which we address with a machine learning approach. For comparison, we evaluate the ability of known technical security countermeasures in detecting the same threats. This initial proof of concept study shows that the concept is viable

    A taxonomy of attacks and a survey of defence mechanisms for semantic social engineering attacks

    Social engineering is used as an umbrella term for a broad spectrum of computer exploitations that employ a variety of attack vectors and strategies to psychologically manipulate a user. Semantic attacks are the specific type of social engineering attacks that bypass technical defences by actively manipulating object characteristics, such as platform or system applications, to deceive rather than directly attack the user. Commonly observed examples include obfuscated URLs, phishing emails, drive-by downloads, spoofed websites and scareware, to name a few. This paper presents a taxonomy of semantic attacks, as well as a survey of applicable defences. By contrasting the threat landscape and the associated mitigation techniques in a single comparative matrix, we identify the areas where further research can be particularly beneficial

    PENINGKATAN KEAMANAN DATA END-TO-END SMART DOOR MENGGUNAKAN ADVANCED ENCRYPTION STANDARD

    Smart Home is an implementation of Internet of Things technology in the form of smart homes that can carry out management, monitoring, and even reporting. In addition, smart homes can be equipped with security equipment such as a Smart Door that can open or lock the door automatically when it recognizes the homeowner's face. However, the current Smart Door model has a weakness: the data stored on the server and the device are not secured end-to-end. The homeowners' image data on the device is not encrypted with a specific algorithm, nor is its authenticity validated. Thus, outside parties can use this high-risk problem to enter the house unnoticed, disguising themselves as the homeowner by entering false data on the device. Based on this problem, this study aims to increase the model's end-to-end data security by implementing the Advanced Encryption Standard algorithm. In addition, to raise the security level, Truncated Decimal-converted SHA-1 checksum validation is added to prevent modification of each image's data. In the model comparison experiment, device resource needs increased by 0.81% in process time, 18% in CPU usage, 5.3% in data usage, and 5.04% in memory use for the entire process. But the increase in performance needs is not comparable to the security features presented by the Advanced Encryption Standard algorithm in securing data and servers. With this security improvement, the data security of homeowners against outside parties is expected to improve

    An Agent Based Intrusion Detection Model for Mobile Ad Hoc Networks


    Security and privacy problems in voice assistant applications: A survey

    Voice assistant applications have become omniscient nowadays. Two models that provide the two most important functions for real-life applications (i.e., Google Home, Amazon Alexa, Siri, etc.) are Automatic Speech Recognition (ASR) models and Speaker Identification (SI) models. According to recent studies, security and privacy threats have also emerged with the rapid development of the Internet of Things (IoT). The security issues researched include attack techniques toward machine learning models and other hardware components widely used in voice assistant applications. The privacy issues include technical-wise information stealing and policy-wise privacy breaches. The voice assistant application takes a steadily growing market share every year, but their privacy and security issues never stopped causing huge economic losses and endangering users' personal sensitive information. Thus, it is important to have a comprehensive survey to outline the categorization of the current research regarding the security and privacy problems of voice assistant applications. This paper concludes and assesses five kinds of security attacks and three types of privacy threats in the papers published in the top-tier conferences of cyber security and voice domain

    A survey on security analysis of Amazon echo devices

    Since its launch in 2014, Amazon Echo family of devices has seen a considerable increase in adaptation in consumer homes and offices. With a market worth millions of dollars, Echo is used for diverse tasks such as accessing online information, making phone calls, purchasing items, and controlling the smart home. Echo offers user-friendly voice interaction to automate everyday tasks making it a massive success. Though many people view Amazon Echo as a helpful assistant at home or office, few know its underlying security and privacy implications. In this paper, we present the findings of our research on Amazon Echo’s security and privacy concerns. The findings are divided into different categories by vulnerability or attacks. The proposed mitigation(s) to the vulnerabilities are also presented in the paper. We conclude that though numerous privacy concerns and security vulnerabilities associated with the device are mitigated, many vulnerabilities still need to be addressed

    Detecting semantic social engineering attacks with the weakest link: Implementation and empirical evaluation of a human-as-a-security-sensor framework

    The notion that the human user is the weakest link in information security has been strongly, and, we argue, rightly contested in recent years. Here, we take a step further showing that the human user can in fact be the strongest link for detecting attacks that involve deception, such as application masquerading, spearphishing, WiFi evil twin and other types of semantic social engineering. Towards this direction, we have developed a human-as-a-security-sensor framework and a practical implementation in the form of Cogni-Sense, a Microsoft Windows prototype application, designed to allow and encourage users to actively detect and report semantic social engineering attacks against them. Experimental evaluation with 26 users of different profiles running Cogni-Sense on their personal computers for a period of 45 days has shown that human sensors can consistently outperform technical security systems. Making use of a machine learning based approach, we also show that the reliability of each report, and consequently the performance of each human sensor, can be predicted in a meaningful and practical manner. In an organisation that employs a human-as-a-security-sensor implementation, such as Cogni-Sense, an attack is considered to have been detected if at least one user has reported it. In our evaluation, a small organisation consisting only of the 26 participants of the experiment would have exhibited a missed detection rate below 10%, down from 81% if only technical security systems had been used. The results strongly point towards the need to actively involve the user not only in prevention through cyber hygiene and user-centric security design, but also in active cyber threat detection and reporting