
    Backtrack in the Outback - A Preliminary Report on Cyber Security Evaluation of Organisations in Western Australia

    The authors were involved in extensive vulnerability assessment and penetration testing of over 15 large organisations across various industry sectors in the Perth CBD. The actual live testing involved a team of five people for approximately a four-week period and was black-box testing. The scanning consisted of running network and web vulnerability tools and, in a few cases, exploiting vulnerabilities to establish the validity of the tools. The tools were run in aggressive mode with no attempt made to deceive or avoid detection by IDS/IPS or firewalls. The aim of the testing was to determine firstly whether these organisations were able to detect such hostile scanning, and secondly to gauge their response. This paper does not extensively analyse the resultant empirical data from the tests; this will be the subject of several other papers. Of the 15 agencies investigated, only two were able to detect the activity, and only one of these escalated this to authorities. Many had intrusion detection or prevention systems, but these did not appear to detect the scanning which was conducted. Others did not have any form of detection, only logging without active monitoring, and some had no persistent logging of anything. Of those who did detect, the lack of a formal incident response and escalation plan hampered their ability to respond and escalate appropriately. Many of these organisations had recently, or very recently, undergone penetration testing by external audit or IT companies, and yet there were still numerous vulnerabilities, or their systems did not detect the scan. The conclusion is that organisations need to be very specific about what their needs are when engaging external agents to conduct network security testing, as current penetration testing is giving them a false sense of security.

    Investigating the Security and Accessibility of Voyage Data Recorder Data using a USB attack

    Voyage Data Recorders (VDRs) or 'black boxes' for ships hold critical navigational and sensor data that can be used as evidence in an investigation. These systems have proven extremely useful in determining the cause of several previous shipping accidents. Considering the importance of the VDR and the increasing number of cyber-attacks in the maritime sector, the likelihood of it being attacked is high. This paper examines the security and accessibility of VDR data through a malicious USB device. A USB device is used after a series of tests, detailed in this paper, found it to be a viable way to compromise a VDR system. Intensive penetration testing was performed on a VDR, and this paper presents the four key highlights from the authors' tests. The results show that real-world VDR data might not be secure from an insider threat with little to no cyber knowledge, and future VDRs may open that up to more outsider attackers. For a device like a VDR, where confidentiality, integrity and availability of data are critical, a cyber-attack could therefore lead to serious repercussions.
    cyber-SHIP (Research England)

    MAGNETO: Fingerprinting USB Flash Drives via Unintentional Magnetic Emissions

    Universal Serial Bus (USB) flash drives are nowadays one of the most convenient and widespread means to transfer files, especially when no Internet connection is available. However, USB flash drives are also one of the most common attack vectors used to gain unauthorized access to host devices. For instance, it is possible to replace a USB drive so that, when the USB key is connected, it installs password-stealing tools, rootkit software, and other disruptive malware. In such a way, an attacker can steal sensitive information via the USB-connected devices, as well as inject any kind of malicious software into the host. To thwart the above-cited rising threats, we propose MAGNETO, an efficient, non-interactive, and privacy-preserving framework to verify the authenticity of a USB flash drive, rooted in the analysis of its unintentional magnetic emissions. We show that the magnetic emissions radiated during boot operations on a specific host are unique for each device, and sufficient to uniquely fingerprint both the brand and the model of the USB flash drive, or the specific USB device, depending on the equipment used. Our investigation on 59 different USB flash drives---belonging to 17 brands, including the top brands purchased on Amazon in mid-2019---reveals a minimum classification accuracy of 98.2% in the identification of both brand and model, accompanied by a negligible time and computational overhead. MAGNETO can also identify the specific USB flash drive, with a minimum classification accuracy of 91.2%. Overall, MAGNETO proves that unintentional magnetic emissions can be considered as a viable and reliable means to fingerprint read-only USB flash drives. Finally, future research directions in this domain are also discussed.
    Comment: Accepted for publication in ACM Transactions on Embedded Computing Systems (TECS) in September 202

    DRONE DELIVERY OF CBNRECy – DEW WEAPONS: Emerging Threats of Mini-Weapons of Mass Destruction and Disruption (WMDD)

    Drone Delivery of CBNRECy – DEW Weapons: Emerging Threats of Mini-Weapons of Mass Destruction and Disruption (WMDD) is our sixth textbook in a series covering the world of UASs and UUVs. Our textbook takes on a whole new purview for UAS / CUAS / UUV (drones): how they can be used to deploy Weapons of Mass Destruction and Deception against CBRNE and civilian targets of opportunity. We are concerned with the future use of these inexpensive devices and their availability to maleficent actors. Our work suggests that UASs in air and underwater UUVs will be the future of military and civilian terrorist operations. UAS / UUVs can deliver a huge punch for a low investment and minimize human casualties.

    Learning from "shadow security": understanding non-compliant behaviours to improve information security management

    This thesis examines employee interaction with information security in large organisations. It starts by revisiting past research in user-centred security and security management, identifying three research questions that examine (1) employee understanding of the need for security, (2) the challenges security introduces to their work, together with their responses to those challenges, and (3) how to use the emerging knowledge to improve existing organisational security implementations. Preliminary examination of an available interview data set led to the emergence of three additional research questions, aiming to identify (4) employee actions after bypassing organisational security policy, (5) their response to perceived lack of security support from the organisation, and (6) the impact of trust relationships in the organisation on their security behaviours. The research questions were investigated in two case studies inside two large organisations. Different data collection (200 interviews and 2129 surveys) and analysis techniques (thematic analysis and grounded theory) were combined to improve outcome validity and allow for generalisability of the findings. The primary contribution of this thesis is the identification of a new paradigm for understanding employee responses to high-friction security, the shadow security: employees adapt existing mechanisms or processes, or deploy other self-devised solutions, when they consider the productivity impact of centrally-procured security as unacceptable.
An additional contribution is the identification of two trust relationships in organisational environments that influence employee security behaviours: organisation–employee trust (willingness of the organisation to remain exposed to the actions of its employees, expecting them to behave securely), and inter-employee trust (willingness of employees to act in a way that renders themselves or the organisation vulnerable to the actions of another member of the organisation). The above contributions led to the creation of a structured process to better align security with organisational productive activity, together with a set of relevant metrics to assess the effectiveness of attempted improvements. The thesis concludes by presenting a case study attempting to apply the above process in an organisation, also presenting the emerging lessons for both academia and industry.

    A Novel User Oriented Network Forensic Analysis Tool

    In the event of a cybercrime, it is necessary to examine the suspect's digital device(s) in a forensic fashion so that the culprit can be presented in court along with the extracted evidence. But factors such as the existence and availability of anti-forensic tools/techniques and the increasing replacement of hard disk drives with solid state disks have the ability to eradicate critical evidence and/or ruin its integrity. Therefore, having an alternative source of evidence with a lesser chance of being tampered with can be beneficial for the investigation. The organisational network traffic can fit into this role as it is an independent source of evidence and will contain a copy of all online user activities. Limitations of prevailing network traffic analysis techniques – packet based and flow based – are reflected as certain challenges in the investigation. The enormous volume and increasingly encrypted nature of traffic, the dynamic nature of IP addresses of users' devices, and the difficulty in extracting meaningful information from raw traffic are among those challenges. Furthermore, current network forensic tools, unlike the sophisticated computer forensic tools, are limited in their capability to exhibit functionalities such as collaborative working, visualisation, reporting and extracting meaningful user-level information. These factors increase the complexity of the analysis, and the time and effort required from the investigator. The research goal was set to design a system that can assist in the investigation by minimising the effects of the aforementioned challenges, thereby reducing the cognitive load on the investigator, which, the researcher thinks, can take the investigator one step closer to the culprit. The novelty of this system comes from a newly proposed interaction-based analysis approach, which will extract online user activities from raw network metadata.
Practicality of the novel interaction-based approach was tested by designing an experimental methodology, which involved an initial phase of the researcher looking to identify unique signatures for activities performed on popular Internet applications (BBC, Dropbox, Facebook, Hotmail, Google Docs, Google Search, Skype, Twitter, Wikipedia, and YouTube) from the researcher's own network metadata. With signatures obtained, the project moved towards the second phase of the experiment, in which a much larger dataset (network traffic collected from 27 users for over 2 months) was analysed. Results showed that it is possible to extract unique signatures of online user activities from raw network metadata. However, due to the complexities of the applications, signatures were not found for some activities. The interaction-based approach was able to reduce the data volume by eliminating the noise (machine-to-machine communication packets) and to find a way around the encryption issue by using only the network metadata. A set of system requirements was generated, based on which a web-based, client-server architecture for the proposed system (i.e. the User-Oriented Network Forensic Analysis Tool) was designed. The system functions in a case management premise while minimising the challenges that were identified earlier. The system architecture led to the development of a functional prototype. An evaluation of the system by academic experts from the field acted as a feedback mechanism. While the evaluators were satisfied with the system's capability to assist in the investigation and meet the requirements, drawbacks such as inability to analyse real-time traffic and meeting the HCI standards were pointed out. The future work of the project will involve automated signature extraction, real-time processing and facilitation of integrated visualisation.
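The abstract above describes matching activity "signatures" against network metadata after discarding machine-to-machine noise, but does not show what such matching looks like. The following is an added illustration, not code from the thesis or its prototype: it represents a signature as an ordered sequence of flow constraints (destination, port, byte-count ranges) that must occur for one client within a time window, and matches it against flow records. The service names, byte ranges, noise lists and flow records are all constructed placeholders, not measurements from the paper.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    """One flow record (metadata only, no payload). All values below are constructed."""
    ts: float        # start time in seconds
    src: str         # client address (mapping it to a user via DHCP/auth logs is a separate step)
    dst: str         # server name, assumed already recovered from DNS metadata
    port: int
    out_bytes: int   # client -> server
    in_bytes: int    # server -> client


@dataclass(frozen=True)
class Step:
    """One constraint in a signature: a flow to dst:port with byte counts in the given ranges."""
    dst: str
    port: int
    out_range: Tuple[int, int]
    in_range: Tuple[int, int]

    def accepts(self, f: Flow) -> bool:
        return (f.dst == self.dst and f.port == self.port
                and self.out_range[0] <= f.out_bytes <= self.out_range[1]
                and self.in_range[0] <= f.in_bytes <= self.in_range[1])


# Hypothetical signatures: (time window in seconds, ordered steps). Not derived from real traffic.
SIGNATURES: Dict[str, Tuple[float, List[Step]]] = {
    "webmail login": (30.0, [
        Step("login.mail.example", 443, (1_000, 5_000), (5_000, 20_000)),   # fetch login page
        Step("login.mail.example", 443, (300, 1_000), (500, 3_000)),        # post credentials
        Step("mail.example", 443, (300, 3_000), (10_000, 200_000)),         # load inbox
    ]),
    "cloud upload": (60.0, [
        Step("storage.example", 443, (1_000_000, 10**12), (0, 50_000)),     # bulk upload
        Step("storage.example", 443, (100, 5_000), (100, 10_000)),          # metadata acknowledgement
    ]),
}

# Machine-to-machine traffic treated as noise (assumed lists for this example).
NOISE_PORTS = {123, 5353, 137, 138}
NOISE_HOSTS = {"telemetry.vendor.example", "updates.os.example"}

# Constructed sample flows for two clients.
SAMPLE_FLOWS = [
    Flow(100.0, "10.0.0.5", "time.example.net", 123, 76, 76),
    Flow(101.0, "10.0.0.5", "login.mail.example", 443, 1_800, 9_000),
    Flow(102.5, "10.0.0.5", "login.mail.example", 443, 650, 1_200),
    Flow(103.0, "10.0.0.5", "mail.example", 443, 900, 45_000),
    Flow(110.0, "10.0.0.5", "storage.example", 443, 5_200_000, 3_000),
    Flow(111.0, "10.0.0.5", "storage.example", 443, 700, 2_500),
    Flow(200.0, "10.0.0.9", "telemetry.vendor.example", 443, 4_000, 300),
    Flow(205.0, "10.0.0.9", "storage.example", 443, 400, 800),
]


def is_noise(f: Flow) -> bool:
    return f.port in NOISE_PORTS or f.dst in NOISE_HOSTS


def denoise(flows: List[Flow]) -> List[Flow]:
    """Drop machine-to-machine flows so only user-driven interactions remain."""
    return [f for f in flows if not is_noise(f)]


def _match_at(flows: List[Flow], i: int, steps: List[Step], window: float) -> Optional[int]:
    """Match steps as an ordered subsequence starting at flows[i]; return index of the last matched flow."""
    if not steps[0].accepts(flows[i]):
        return None
    t0, last = flows[i].ts, i
    for step in steps[1:]:
        j = last + 1
        while j < len(flows) and flows[j].ts - t0 <= window and not step.accepts(flows[j]):
            j += 1
        if j >= len(flows) or flows[j].ts - t0 > window:
            return None
        last = j
    return last


def extract_activities(flows: List[Flow]) -> List[Tuple[float, str, str]]:
    """Return (start time, client, activity name) for every signature found, per client."""
    by_src: Dict[str, List[Flow]] = {}
    for f in sorted(denoise(flows), key=lambda x: x.ts):
        by_src.setdefault(f.src, []).append(f)
    found = []
    for src, fl in by_src.items():
        i = 0
        while i < len(fl):
            hit = None
            for name, (window, steps) in SIGNATURES.items():
                last = _match_at(fl, i, steps, window)
                if last is not None:
                    hit, i = (fl[i].ts, src, name), last + 1   # consume matched flows
                    break
            if hit is None:
                i += 1
            else:
                found.append(hit)
    return sorted(found)


if __name__ == "__main__":
    for ts, src, name in extract_activities(SAMPLE_FLOWS):
        print(f"{ts:8.1f}  {src:10}  {name}")
```

The matcher only ever reads destination, port and byte counts, which is why TLS encryption of the payload does not affect it; the flip side, also noted in the abstract, is that activities whose flows do not differ in these dimensions cannot be given a signature at all, so the second client's single small flow to storage.example is left unlabelled rather than guessed.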

    An investigation into a digital forensic model to distinguish between "insider" and "outsider"

    Attackers target IT systems using computers and networks to facilitate their crimes and hide their identities, creating new challenges for corporate security investigations. There are two main types of attacker: insiders and outsiders. Insiders are trusted users who have gained authorised access to an organisation's IT resources in order to execute their job responsibilities. However, they deliberately abuse their authorised (i.e. insider) access in order to contravene an organisation's policies or to commit computer crimes. Outsiders gain insider access to an organisation's IT objects through their ability to bypass security mechanisms without prior knowledge of the insider's job responsibilities, an advanced method of attacking an organisation's resources in such a way as to prevent the abnormal behaviour typical of an outsider attack from being detected, and to hide the attacker's identity. For a number of reasons, corporate security investigators face a major challenge in distinguishing between the two types of attack. Not only is there no definitive model of digital analysis for making such a distinction, but there has to date been no intensive research into methods of doing so. Identification of these differences is attempted by flawed investigative approaches to three aspects: the location from which an attack is launched, attack from within the organisation's area of control, and authorised access. The results of such unsound investigations could render organisations subject to legal action and negative publicity. To address the issue of the distinction between insider and outsider attacks, this research improves upon the first academic forensic analysis model, Digital Forensic Research Workshop (DFRWS) [63].
The outcome of this improvement is the creation of a Digital Analysis Model for Distinction between Insider and Outsider Attacks (DAMDIOA), a model that results in an improvement in the analysis investigation process, as well as the decision process. This improvement is effected by two types of proposed decision: fixed and tailored. The first is based on a predetermined logical condition, the second on the proportion of suspicious activity. The advantage of the latter is that an organisation can adjust its threshold of tolerance for such activity based on its level of concern for the type of attack involved. This research supports the possibility of distinguishing between insider and outsider attacks by running a network simulation which carried out a number of email attack experiments to test DAMDIOA. It found that, when DAMDIOA used predetermined decisions based on legitimate activities, it was able to differentiate the type of attack in seven of the eight experiments conducted. It was the tailored decisions with threshold levels Th=0.2 and 0.3 that conferred the ability to make such distinctions. When the researcher compared legitimate activities, including users' job responsibilities, with the current methods of distinguishing between insider and outsider attacks, the criterion of authorised access failed three times to make that distinction. This method of distinction is useless when there is a blank or shared password. He also discovered that both the location from which an attack was launched and attacks from areas within an organisation's control failed five times to differentiate between such attacks. There are no substantive differences between these methods. The single instance in which the proposed method failed to make these distinctions was because the number of legitimate activities equalled the number of suspicious ones.
DAMDIOA has been used by two organisations for dealing with the misuse of their computers, in both cases located in open areas and weakly protected by easily guessed passwords. IT policy was breached and two accounts were moved from the restricted to the unlimited Internet policy group. This model was able to identify the insiders concerned by reviewing recorded activities and linking them with the insiders' job responsibilities. This model also highlights users' job responsibilities as a valuable source of forensic evidence that may be used to distinguish between insider and outsider attacks. DAMDIOA may help corporate security investigators identify suspects accurately and avoid incurring financial loss for their organisations. This research also recommends many improvements to the process by which user activities are collected before the attack takes place, thereby enabling distinctions to be better drawn. It also proposes the creation of a physical and logical log management system, a centralised database for all employee activities that will reduce organisations' financial expenditures. Suggestions are also proposed for future research to classify legitimate and suspicious activities, evaluate them, identify the important ones and standardise the process of identifying and collecting users' job responsibilities. This work will remove some of the limitations of the proposed model.
Saudi Arabian Government
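The two abstracts above describe DAMDIOA's fixed and tailored decisions in words only: activities recorded for an account are split into those consistent with the user's job responsibilities and those that are not, and the split drives an insider/outsider call, with the tailored variant governed by a threshold Th and a tie between the two counts leaving the question open. The following is an added worked example, not the thesis's model or its tooling. The log format, the job-responsibility sets, the activity names and the exact reading of Th (suspicious share at or below Th means insider, at or above 1-Th means outsider, anything between is undetermined) are assumptions made here for illustration.

```python
import re
from typing import Dict, List, NamedTuple, Set


class Activity(NamedTuple):
    ts: str
    user: str
    action: str


# Hypothetical job responsibilities per account: the "legitimate activities" the model compares against.
JOB_RESPONSIBILITIES: Dict[str, Set[str]] = {
    "alice": {"read_payroll", "export_payroll_report", "send_internal_mail"},
    "bob":   {"deploy_build", "read_source", "send_internal_mail"},
    "carol": {"review_tickets", "close_tickets"},
}

# Constructed activity log (not real data): one "user=... action=..." record per line.
SAMPLE_LOG = """\
2024-03-01T09:02:11 user=alice action=read_payroll
2024-03-01T09:05:40 user=alice action=export_payroll_report
2024-03-01T09:07:02 user=alice action=send_internal_mail
2024-03-01T09:20:13 user=alice action=read_payroll
2024-03-01T23:41:55 user=alice action=create_admin_account
2024-03-01T02:10:09 user=bob action=read_source
2024-03-01T02:11:30 user=bob action=scan_network
2024-03-01T02:12:44 user=bob action=dump_credentials
2024-03-01T02:15:01 user=bob action=read_payroll
2024-03-01T02:16:20 user=bob action=change_internet_policy_group
2024-03-01T02:17:05 user=bob action=change_internet_policy_group
2024-03-01T10:00:00 user=carol action=review_tickets
2024-03-01T10:05:00 user=carol action=close_tickets
2024-03-01T10:06:00 user=carol action=scan_network
2024-03-01T10:07:00 user=carol action=dump_credentials
"""

LINE_RE = re.compile(r"^(\S+) user=(\S+) action=(\S+)$")


def parse_log(text: str) -> List[Activity]:
    """Parse the assumed log format; lines that do not match are skipped."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            out.append(Activity(*m.groups()))
    return out


def count_activities(acts: List[Activity],
                     responsibilities: Dict[str, Set[str]]) -> Dict[str, Dict[str, int]]:
    """Per account, count activities that fall inside vs outside its job responsibilities."""
    counts: Dict[str, Dict[str, int]] = {}
    for a in acts:
        c = counts.setdefault(a.user, {"legit": 0, "suspicious": 0})
        if a.action in responsibilities.get(a.user, set()):
            c["legit"] += 1
        else:
            c["suspicious"] += 1
    return counts


def fixed_decision(legit: int, suspicious: int) -> str:
    """Fixed decision: a predetermined logical condition on the two counts (assumed form)."""
    if legit > suspicious:
        return "insider"
    if suspicious > legit:
        return "outsider"
    return "undetermined"   # the tie case the abstract reports as the one failure


def tailored_decision(legit: int, suspicious: int, th: float) -> str:
    """Tailored decision: compare the suspicious share against an organisation-chosen Th (assumed form)."""
    total = legit + suspicious
    if total == 0:
        return "undetermined"
    share = suspicious / total
    if share <= th:
        return "insider"
    if share >= 1.0 - th:
        return "outsider"
    return "undetermined"


def assess(log_text: str, responsibilities: Dict[str, Set[str]], th: float = 0.2) -> Dict[str, dict]:
    """Run both decisions over every account seen in the log."""
    result = {}
    for user, c in count_activities(parse_log(log_text), responsibilities).items():
        result[user] = {
            **c,
            "fixed": fixed_decision(c["legit"], c["suspicious"]),
            "tailored": tailored_decision(c["legit"], c["suspicious"], th),
        }
    return result


if __name__ == "__main__":
    for user, r in assess(SAMPLE_LOG, JOB_RESPONSIBILITIES, th=0.2).items():
        print(f"{user:6} legit={r['legit']} suspicious={r['suspicious']} "
              f"fixed={r['fixed']} tailored={r['tailored']}")
```

Note that the classification says nothing about how the account was reached: bob's session is called "outsider" purely because its activities do not fit bob's role, which is the point the abstract makes about authorised-access and network-location criteria collapsing once a password is blank, shared or guessed. Carol's balanced session shows the tie limitation; a practitioner would treat "undetermined" as a prompt to gather more evidence, not as a verdict.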

    Space Systems: Emerging Technologies and Operations

    SPACE SYSTEMS: EMERGING TECHNOLOGIES AND OPERATIONS is our seventh textbook in a series covering the world of UASs / CUAS / UUVs. Other textbooks in our series are Drone Delivery of CBNRECy – DEW Weapons: Emerging Threats of Mini-Weapons of Mass Destruction and Disruption (WMDD); Disruptive Technologies with Applications in Airline, Marine, Defense Industries; Unmanned Vehicle Systems & Operations on Air, Sea, Land; Counter Unmanned Aircraft Systems Technologies and Operations; Unmanned Aircraft Systems in the Cyber Domain: Protecting USA's Advanced Air Assets, 2nd edition; and Unmanned Aircraft Systems (UAS) in the Cyber Domain: Protecting USA's Advanced Air Assets, 1st edition. Our previous six titles have received considerable global recognition in the field. (Nichols & Carter, 2022) (Nichols et al., 2021) (Nichols R. K. et al., 2020) (Nichols R. et al., 2020) (Nichols R. et al., 2019) (Nichols R. K., 2018) Our seventh title takes on a new purview of Space. Let's think of Space as divided into four regions. These are Planets, solar systems, the great dark void (which fall into the purview of astronomers and astrophysics), and the Dreamer Region. The earth, from a measurement standpoint, is the baseline of Space. It is the purview of geographers, engineers, scientists, politicians, and romantics. Flying high above the earth are Satellites. Military and commercial organizations govern their purview. The lowest altitude at which air resistance is low enough to permit a single complete, unpowered orbit is approximately 80 miles (125 km) above the earth's surface. Normal Low Earth Orbit (LEO) satellite launches range between 99 miles (160 km) and 155 miles (250 km). Satellites in higher orbits experience less drag and can remain in Space longer in service. Geosynchronous orbit is around 22,000 miles (35,000 km). However, orbits can be even higher.
UASs (Drones) have a maximum altitude of about 33,000 ft (10 km) because rotating rotors become physically limiting. (Nichols R. et al., 2019) Recreational drones fly at or below 400 ft in controlled airspace (Class B, C, D, E) and are permitted with prior authorization by using LAANC or DroneZone. Recreational drones are permitted to fly at or below 400 ft in Class G (uncontrolled) airspace. (FAA, 2022) However, between 400 ft and 33,000 ft is the purview of DREAMERS. In the DREAMERS region, Space has its most interesting technological emergence. We see emerging technologies and operations that may have profound effects on humanity. This is the mission our book addresses. We look at the Dreamer Region from three perspectives: 1) a Military view where intelligence, jamming, spoofing, advanced materials, and hypersonics are in play; 2) the Operational Dreamer Region, which includes Space-based platform vulnerabilities, trash, disaster recovery management, A.I., manufacturing, and extended reality; and 3) the Humanitarian Use of Space technologies, which includes precision agriculture, wildlife tracking, fire risk zone identification, and improving the global food supply and cattle management. Here's our book's breakdown: SECTION 1: C4ISR and Emerging Space Technologies. C4ISR stands for Command, Control, Communications, Computers, Intelligence, Surveillance, and Reconnaissance. Four chapters address the military: Current State of Space Operations; Satellite Killers and Hypersonic Drones; Space Electronic Warfare, Jamming, Spoofing, and ECD; and the challenges of Manufacturing in Space.
SECTION 2: Space Challenges and Operations covers in five chapters a wide purview of challenges that result from operations in Space, such as Exploration of Key Infrastructure Vulnerabilities from Space-Based Platforms; Trash Collection and Tracking in Space; Leveraging Space for Disaster Risk Reduction and Management; Bio-threats to Agriculture and Solutions From Space; and rounding out the lineup is a chapter on Modelling, Simulation, and Extended Reality. SECTION 3: Humanitarian Use of Space Technologies is our DREAMERS section. It introduces effective use of Drones and Precision Agriculture; and Civilian Use of Space for Environmental, Wildlife Tracking, and Fire Risk Zone Identification. SECTION 3 is our Hope for Humanity and Positive Global Change. Just think if the technologies we discuss, when put into responsible hands, could increase food production by 1-2%. How many more millions of families could have food on their tables? State-of-the-art research by a team of fifteen SMEs is incorporated into our book. We trust you will enjoy reading it as much as we have in its writing. There is hope for the future.