6,522 research outputs found

    Coin.AI: A Proof-of-Useful-Work Scheme for Blockchain-based Distributed Deep Learning

    One decade ago, Bitcoin was introduced, becoming the first cryptocurrency and establishing the concept of "blockchain" as a distributed ledger. As of today, there are many different implementations of cryptocurrencies working over a blockchain, with different approaches and philosophies. However, many of them share one common feature: they require proof-of-work to support the generation of blocks (mining) and, eventually, the generation of money. This proof-of-work scheme often consists in the resolution of a cryptography problem, most commonly breaking a hash value, which can only be achieved through brute-force. The main drawback of proof-of-work is that it requires ridiculously large amounts of energy which do not have any useful outcome beyond supporting the currency. In this paper, we present a theoretical proposal that introduces a proof-of-useful-work scheme to support a cryptocurrency running over a blockchain, which we named Coin.AI. In this system, the mining scheme requires training deep learning models, and a block is only mined when the performance of such model exceeds a threshold. The distributed system allows for nodes to verify the models delivered by miners in an easy way (certainly much more efficiently than the mining process itself), determining when a block is to be generated. Additionally, this paper presents a proof-of-storage scheme for rewarding users that provide storage for the deep learning models, as well as a theoretical dissertation on how the mechanics of the system could be articulated with the ultimate goal of democratizing access to artificial intelligence. Comment: 17 pages, 5 figures

    Novel Attacks and Defenses in the Userland of Android

    In the last decade, mobile devices have spread rapidly, becoming more and more part of our everyday lives; this is due to their feature-richness, mobility, and affordable price. At the time of writing, Android is the leader of the market among operating systems, with a share of 76% and two and a half billion active Android devices around the world. Given that such small devices contain a massive amount of our private and sensitive information, the economic interests in the mobile ecosystem skyrocketed. For this reason, not only have legitimate apps running on mobile environments increased dramatically, but malicious apps have also been on a steady rise. On the one hand, developers of mobile operating systems learned from security mistakes of the past, and they made significant strides in blocking those threats right from the start. On the other hand, these high-security levels did not deter attackers. In this thesis, I present my research contribution about the most meaningful attack and defense scenarios in the userland of the modern Android operating system. I have emphasized "userland" because attack and defense solutions presented in this thesis are executing in the userspace of the operating system, due to the fact that Android is slightly different from traditional operating systems. After the necessary technical background, I show my solution, RmPerm, in order to enable Android users to better protect their privacy by selectively removing permissions from any app on any Android version. This operation does not require any modification to the underlying operating system because we repack the original application. Then, again using repackaging, I have developed Obfuscapk; it is a black-box obfuscation tool that can work with every Android app and offers a free solution with advanced state-of-the-art obfuscation techniques -- especially the ones used by malware authors.
Subsequently, I present a machine learning-based technique that focuses on the identification of malware in resource-constrained devices such as Android smartphones. This technique has a very low resource footprint and does not rely on resources outside the protected device. Afterward, I show how it is possible to mount a phishing attack -- the historically preferred attack vector -- by exploiting two recent Android features, initially introduced in the name of convenience. Although a technical solution to this problem certainly exists, it is not solvable by a single entity, and there is the need for a push from the entire community. But sometimes, even though there exists a solution to a well-known vulnerability, developers do not take proper precautions. In the end, I discuss the Frame Confusion vulnerability; it is often present in hybrid apps, and it was discovered some years ago, but I show how it is still widespread. I proposed a methodology, implemented in the FCDroid tool, for systematically detecting the Frame Confusion vulnerability in hybrid Android apps. The results of an extensive analysis carried out through FCDroid on a set of the most downloaded apps from the Google Play Store prove that 6.63% (i.e., 1637/24675) of hybrid apps are potentially vulnerable to Frame Confusion. The impact of such results on the Android users' community is estimated at 250.000.000 installations of vulnerable apps.

    Breaking Into the Vault: Privacy, Security and Forensic Analysis of Android Vault Applications

    In this work we share the first account for the forensic analysis, security and privacy of Android vault applications. Vaults are designed to be privacy enhancing as they allow users to hide personal data but may also be misused to hide incriminating files. Our work has already helped law enforcement in the state of Connecticut to reconstruct 66 incriminating images and 18 videos in a single criminal case. We present case studies and results from analyzing 18 Android vault applications (accounting for nearly 220 million downloads from the Google Play store) by reverse engineering them and examining the forensic artifacts they produce. Our results showed that 12/18 obfuscated their code and 5/18 applications used native libraries hindering the reverse engineering process of these applications. However, we still recovered data from the applications without root access to the Android device as we were able to ascertain hidden data on the device without rooting for 10/18 of the applications. 6/18 of the vault applications were found to not encrypt photos they stored, and 8/18 were found to not encrypt videos. 7/18 of the applications were found to store passwords in cleartext. We were able to also implement a swap attack on 5/18 applications where we achieved unauthorized access to the data by swapping the files that contained the password with a self-created one. In some cases, our findings illustrate unfavorable security implementations of privacy enhancing applications, but also showcase practical mechanisms for investigators to gain access to data of evidentiary value. In essence, we broke into the vaults.

    Development and Implementation of an E-Commerce Database Application to Support St. Paul A.M.E. Church

    This project proposal is an endeavor to implement modern technology into long-standing processes at St. Paul African Methodist Episcopal (A.M.E.) Church. The modern technology is e-Commerce. The long-standing process is the method of paying tithes in a collection plate and ordering books, tapes, etc. through a designated individual or committee. The goal of this project is to research realistic solutions and develop a practical plan to implement the project. Throughout this process, special care is taken to select resources that are moderately priced and straightforward to implement; this is to increase the probability of a successful implementation.

    Enabling modular design of an application-level auto-scaling and orchestration framework using TOSCA-based application description templates

    This paper presents a novel approach to writing TOSCA templates for application reusability and portability in a modular auto-scaling and orchestration framework (MiCADO). The approach defines cloud resources as well as application containers in a flexible and generic way, and allows for those definitions to be extended with specific properties related to a desired container orchestrator chosen at deployment time. The approach is demonstrated in a proof-of-concept where only a minor change was required to a previously used application template in order to achieve the successful deployment and lifecycle management of the popular web authoring tool WordPress on a new realization of the MiCADO framework featuring a different container orchestrator.

    An Analysis of Modern Password Manager Security and Usage on Desktop and Mobile Devices

    Security experts recommend password managers to help users generate, store, and enter strong, unique passwords. Prior research confirms that managers do help users move towards these objectives, but it also identified usability and security issues that had the potential to leak user data or prevent users from making full use of their manager. In this dissertation, I set out to measure to what extent modern managers have addressed these security issues on both desktop and mobile environments. Additionally, I have interviewed individuals to understand their password management behavior. I begin my analysis by conducting the first security evaluation of the full password manager lifecycle (generation, storage, and autofill) on desktop devices, including the creation and analysis of a corpus of 147 million generated passwords. My results show that a small percentage of generated passwords are weak against both online and offline attacks, and that attacks against autofill mechanisms are still possible in modern managers. Next, I present a comparative analysis of autofill frameworks on iOS and Android. I find that these frameworks fail to properly verify webpage security and identify a new class of phishing attacks enabled by incorrect handling of autofill within WebView controls hosted in apps. Finally, I interview users of third-party password managers to understand both how and why they use their managers as they do. I find evidence that many users leverage multiple password managers to address issues with existing managers, as well as provide explanations for why password reuse continues even in the presence of a password manager. Based on these results, I conclude with recommendations addressing the attacks and usability issues identified in this work.

    The Cord Weekly (February 28, 1996)
