
    Educational and Laboratory System for Studying Man-in-the-Middle Attacks and Ways to Protect against Them

    For the Master's program "Business Continuity and Information Security Maintenance" in specialty 10.04.01 "Information Security", a software shell for an educational laboratory complex (ELC) for studying "man-in-the-middle" network attacks has been developed at NRNU MEPhI. The ELC models four basic attacks of this type: UDP hijacking, session hijacking, TCP hijacking and the bucket-brigade attack. The paper presents two ELC applications: the instructor's application and the student's application. To assess students' knowledge after the laboratory work, a "Testing" module for progress assessment has been created, containing questions that are answered using the ELC software shell. Methodical instructions for performing the laboratory work have been written. Within the "Protected Information Systems" discipline of the Information Security of Banking Systems Department of NRNU MEPhI, which implements the above-mentioned Master's program, the developed ELC has been successfully trialled. In conclusion, ways to further improve the ELC are suggested.

    An Owner-managed Indirect-Permission Social Authentication Method for Private Key Recovery

    In this paper, we propose a highly secure and reliable owner-self-managed private key recovery method. In recent years, the Public Key Authentication (PKA) method has been identified as the most feasible online security solution. However, losing the private key also means risking the loss of ownership of the assets associated with it. For key protection, the commonly adopted something-you-x solutions require a new secret to protect the target secret and fall into a circular protection problem, since the new secret must be protected too. To resolve this circular protection problem and provide a truly secure and reliable solution, we propose separating permission to use the private key from possession of it. We then create secret shares of the permission using the public keys of selected trustees, while the owner keeps the permission-encrypted private key. By applying the social authentication method, the owner can then easily retrieve the permission and recover the private key. Our analysis shows that our proposed indirect-permission method is six orders of magnitude more secure and reliable tha
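The permission/possession split described in the abstract above, as an added stand-alone example (not the paper's own code or parameters). It assumes a random 256-bit "permission" value that is split among trustees with Shamir's (t, n) threshold scheme over a prime field, and an owner-held private key that is encrypted under that permission. Two simplifications are assumptions of this example only: the cipher is an HMAC-SHA256 keystream standing in for a real AEAD cipher, and the per-trustee public-key wrapping of each share is left out, so shares are handed to trustees as-is.

```python
"""Toy owner-managed private-key recovery via a secret-shared permission.

Added example (standard library only).  Assumed, not from the paper:
  - the permission is a random 256-bit field element,
  - it is split with Shamir's (t, n) scheme over GF(PRIME),
  - the private key is XOR-encrypted with an HMAC-SHA256 keystream,
  - trustee public-key wrapping of shares is omitted.
"""
import hashlib
import hmac
import secrets

# 256-bit prime field for Shamir sharing (secp256k1 field prime; any large prime works).
PRIME = 2**256 - 2**32 - 977


def new_permission() -> bytes:
    """Random permission value guaranteed to be a valid field element."""
    return secrets.randbelow(PRIME).to_bytes(32, "big")


def _eval_poly(coeffs, x: int) -> int:
    """Horner evaluation of the sharing polynomial at x over GF(PRIME)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def split_permission(permission: bytes, threshold: int, n_trustees: int):
    """Return n (x, y) shares of the permission; any `threshold` of them recover it."""
    secret = int.from_bytes(permission, "big")
    if not (secret < PRIME and 1 <= threshold <= n_trustees):
        raise ValueError("bad permission or threshold")
    # Constant term is the secret; higher coefficients are random.
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n_trustees + 1)]


def recover_permission(shares) -> bytes:
    """Lagrange interpolation at x = 0 over GF(PRIME).

    With fewer than `threshold` shares this still returns a value, but it is
    unrelated to the secret: that is the failure mode a trustee quorum prevents.
    """
    secret = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        secret = (secret + yi * num * pow(den, -1, PRIME)) % PRIME
    return secret.to_bytes(32, "big")


def _keystream(permission: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode (stand-in for a real AEAD cipher)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(permission, counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt_private_key(permission: bytes, private_key: bytes) -> bytes:
    """The owner keeps only this blob: possession without permission is useless."""
    ks = _keystream(permission, len(private_key))
    return bytes(a ^ b for a, b in zip(private_key, ks))


def decrypt_private_key(permission: bytes, blob: bytes) -> bytes:
    # XOR keystream is symmetric.
    return encrypt_private_key(permission, blob)


def recover_private_key(blob: bytes, shares) -> bytes:
    """Social recovery: collect a quorum of trustee shares, rebuild the permission, decrypt."""
    return decrypt_private_key(recover_permission(shares), blob)


if __name__ == "__main__":
    perm = new_permission()
    priv = b"-----BEGIN PRIVATE KEY-----demo-----END PRIVATE KEY-----"  # constructed sample
    shares = split_permission(perm, threshold=3, n_trustees=5)
    blob = encrypt_private_key(perm, priv)
    del perm  # the owner forgets the permission; only the blob and trustees remain
    print(recover_private_key(blob, [shares[0], shares[2], shares[4]]) == priv)   # True
    print(recover_private_key(blob, shares[:2]) == priv)                          # False
```

Any three of the five trustees suffice, in any order; two are not enough, and the blob on its own reveals nothing about the key. Replacing the keystream with an authenticated cipher and encrypting each share to its trustee's public key is what a deployable version would add.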

    Systems and models for secure fallback authentication

    Fallback authentication (FA) techniques such as security questions, email resets, and SMS resets have significant security flaws that easily undermine the primary method of authentication. Security questions have been shown to be often guessable. Email resets assume a secure channel of communication and pose the threat of the avalanche effect, where one compromised email account can compromise a series of other accounts. SMS resets also assume a secure channel of communication and are vulnerable to attacks on telecommunications protocols. Additionally, all of these FA techniques are vulnerable to the known adversary: any individual with elevated knowledge of a potential victim, or elevated access to a potential victim's devices, who uses these privileges with malicious intent, undermining the most commonly used FA techniques. An authentication system is only as strong as its weakest link, and in many cases this is the FA technique used. As a result, we explore one new and one altered FA system: GeoPassHints, a geographic authentication system paired with a secret note, and GeoSQ, an autobiographical authentication scheme that relies on location data to generate questions. We also propose three models to quantify the known adversary in order to establish an improved measurement tool for security research. We test GeoSQ and GeoPassHints for usability, security, and deployability through a user study with paired participants (n=34). We also evaluate the models for the purpose of measuring vulnerabilities to the known adversary by correlating the scores obtained in each model with the successful guesses that our participant pairs made.

    Usable Security Heuristics for Instant Messaging Application Development

    As instant messaging (IM) applications have become more popular, the privacy and security concerns associated with their usage have become ever more relevant. As with many software programs, IM applications have a history of security vulnerabilities. Although IM application usage is increasing globally, it has been found that no generally recognised standards currently exist to aid IM application developers in making the security features they implement usable. The problem is further exacerbated as research suggests that typical users have neither the requisite understanding of the available IM security features, nor the capacity to make full use of those protection features. The primary objective of this study is to create a set of usable security heuristics to help developers of instant messaging applications consider the usability of the security features implemented in these applications. This primary objective is further divided into several secondary objectives, which collectively aim to address the stated problem. The secondary objectives are to determine IM security risks and their implications for users; to identify and investigate existing security and usability heuristics, guidelines, standards and best practices for mobile application development; to map the identified security and usability heuristics, guidelines, standards and best practices to IM applications; and to develop a prototype to demonstrate the applicability of the proposed usable security heuristics to a typical IM application. First, a comprehensive literature study is used to determine and understand the information security threats relevant to IM applications, how IM applications operate, the security features implemented by IM applications and the potential impact the relevant information security threats could have on IM application users. 
Thereafter, a further literature review and content analysis are used to identify and investigate existing heuristics, guidelines, standards, and best practices for mobile application development. The findings from the content analysis, in combination with the previously identified threats to IM applications, are then mapped to IM applications, and a preliminary set of usable security heuristics for IM application development is established. This preliminary set undergoes multiple iterations of refinement to establish the proposed set of usable security heuristics for IM application development. Furthermore, an expert review is conducted to validate the proposed set of usable security heuristics from the perspectives of security, usability, and mobile application development. The expert review was also used to determine the efficacy, utility, and quality of the proposed usable security heuristics. To further validate the proposed heuristics, a proof-of-concept prototype is used, in addition to the expert review, to demonstrate the applicability of the proposed set of usable security heuristics to a typical IM application. Such a set of usable security heuristics would be useful for IM application developers and would result in the improved implementation of usable security, leading to an improvement in the security of IM applications. The proposed set of usable security heuristics therefore adds a further contribution to this research area, providing a solid foundation for future research. Thesis (MA) -- Faculty of Engineering, the Built Environment, and Technology, 202