    Technological Impediments to B2C Electronic Commerce: An Update

    In 1999, Rose et al. identified six categories of technological impediments inhibiting the growth of electronic commerce: (1) download delays, (2) interface limitations, (3) search problems, (4) inadequate measures of Web application success, (5) security, and (6) a lack of Internet standards. This paper updates the findings of the original paper by surveying the practitioner literature for the five-year period from June 1999 to June 2004. We identify how advances in technology both partially resolve concerns with the original technological impediments and inhibit their full resolution. We find that, despite five years of technological progress, the six categories of technological impediments remain relevant. Furthermore, the maturation of e-Commerce has increased the Internet's complexity, making these impediments harder to address. Two kinds of complexity are especially relevant: evolutionary complexity and skill complexity. Evolutionary complexity refers to the need to preserve the existing Internet and resolve impediments simultaneously. Unfortunately, because the Internet consists of multiple incompatible technologies, philosophies, and attitudes, additions to the Internet infrastructure are difficult to integrate. Skill complexity refers to the skill sets necessary for managing e-Commerce change. As the Internet evolves, more skills become relevant. Unfortunately, individuals, companies and organizations are unable to master and integrate all necessary skills. As a result, new features added to the Internet do not consider all relevant factors, and are thus sub-optimal.

    Building and evaluating an inconspicuous smartphone authentication method

    Master's thesis in Computer Engineering (Engenharia Informática), presented to the Universidade de Lisboa through the Faculdade de Ciências, 2013.

    The smartphones we carry with us are ever more entwined with our private lives. These devices enable new ways of working, socialising and even entertaining ourselves. However, they have also created new risks to our privacy. A common way of mitigating these risks is to configure the device to lock after a period of inactivity. To use it again, an authentication barrier must then be passed, so that if the device falls into someone else's hands, that person cannot use it in a way that constitutes a threat. Unlocking with authentication is thus the mechanism that commonly guards the privacy of smartphone users. However, the authentication methods currently in use are mostly a legacy of desktop computers. Passwords and personal identification numbers are made less secure by the fact that people devise schemes to memorise them more easily. Moreover, entering these codes is inconvenient, especially in the mobile context, where interactions tend to be short and the need to authenticate gets in the way of other tasks. Recently, Android smartphones began offering another authentication method, which has gained a notable degree of adoption. In this method, the user's secret code is a sequence of strokes drawn over a 3 by 3 grid of dots shown on the touch screen. However, both textual/numeric codes and Android patterns are susceptible to rudimentary attacks. In both cases the input channel is touch on the screen and the output channel is visual. This allows other people to observe the entry of the key directly, or later to make out the marks left by fingers on the touch surface. 
    Moreover, these methods are not accessible to some classes of users, notably blind people. This dissertation proposes that smartphone authentication methods can be better adapted to the mobile context. In particular, the ability to interact with the device inconspicuously could give users a greater degree of control and the ability to protect themselves against observation of their secret code. To that end, an input modality that does not require the visual channel was identified: sequences of location-independent taps on the touch screen. These patterns may resemble (but are not limited to) rhythms or Morse code. The first contribution of this work is an algorithmic technique for detecting these tap sequences, or tap phrases, as authentication keys. This recogniser requires only one demonstration for set-up, which distinguishes it from other approaches that need several examples to train the algorithm. The recogniser was evaluated and shown to be accurate and computationally efficient. This contribution was complemented by the development of an Android application that demonstrates the concept. The second contribution is an exploration of the human factors involved in using tap phrases for authentication. It consists of three user studies in which the proposed authentication method is compared with the most common alternatives: the PIN and the Android pattern. The first study (N=30) compares the three methods with respect to resistance to observation and to usability, understood in a broad sense that includes user experience (UX). The results suggest that the usability of the three approaches is comparable, and that under perfect observation conditions an attacker has a high likelihood of success against all three. The second study (N=19) again compares the three methods, but this time in an inconspicuous authentication scenario. 
    Specifically, participants tried to enter the codes with the device held under a table, out of sight. In this case, tap-phrase authentication is shown to remain usable, whereas the remaining alternatives suffer a substantial drop in usability measures. This suggests that tap-phrase authentication supports inconspicuous interaction, thereby giving users a way to protect themselves against potential attackers. The third study (N=16) evaluates the usability and acceptance of the authentication method with blind users. This study also elicits the concealment strategies that tap-phrase authentication supports. The results suggest that the technique is also suitable for these users.

    As our intimate lives become more tangled with the smartphones we carry, privacy has become an increasing concern. A widely available option to mitigate security risks is to set a device so that it locks after a period of inactivity, requiring users to authenticate for subsequent use. Current methods for establishing one's identity are known to be susceptible to even rudimentary observation attacks. The mobile context in which interactions with smartphones are prone to occur further facilitates shoulder-surfing. We submit that smartphone authentication methods can be better adapted to the mobile context. Namely, the ability to interact with the device in an inconspicuous manner could offer users more control and the ability to self-protect against observation. Tapping is a communication modality between a user and a device that can be appropriated for that purpose. This work presents a technique for employing sequences of taps, or tap phrases, as authentication codes. An efficient and accurate tap phrase recognizer, that does not require training, is presented. Three user studies were conducted to compare this approach to the current leading methods. 
    Results indicate that the tapping method remains usable even under inconspicuous authentication scenarios. Furthermore, we found that it is appropriate for blind users, to whom usability barriers and security risks are of special concern.
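    The abstract describes a recogniser for tap phrases that is set up from a single demonstration rather than trained on many samples. The thesis does not publish its matching algorithm here, so the following is an added illustration (not the thesis's code) of one way such a one-shot recogniser can be built: the inter-tap gaps of the enrolled demonstration are stored as fractions of the phrase's total duration, which makes the template tempo-invariant, and a login attempt is accepted only if it has the same number of taps, a plausible overall tempo, and every normalised gap within a tolerance of the template. The tolerance values, the tempo slack and the sample timestamps are assumptions chosen for the example.

```python
from dataclasses import dataclass
from typing import List, Sequence, Tuple


@dataclass(frozen=True)
class TapPhraseTemplate:
    """Enrolled tap phrase: inter-tap gaps as fractions of the total duration."""
    intervals: Tuple[float, ...]
    duration_ms: float


def _gaps(taps_ms: Sequence[float]) -> Tuple[List[float], float]:
    """Sorted inter-tap gaps and the total span of the phrase, in ms."""
    taps = sorted(taps_ms)
    gaps = [b - a for a, b in zip(taps, taps[1:])]
    return gaps, taps[-1] - taps[0]


def enroll(taps_ms: Sequence[float]) -> TapPhraseTemplate:
    """Build a template from one demonstration (tap timestamps in ms)."""
    if len(taps_ms) < 3:
        raise ValueError("a tap phrase needs at least three taps")
    gaps, total = _gaps(taps_ms)
    if total <= 0:
        raise ValueError("taps must not all coincide")
    return TapPhraseTemplate(tuple(g / total for g in gaps), float(total))


def verify(template: TapPhraseTemplate, taps_ms: Sequence[float],
           tol: float = 0.12, tempo_slack: float = 0.5) -> bool:
    """Accept when the tap count matches, the overall tempo is within
    tempo_slack of the enrolled duration, and every normalised gap is
    within tol (a fraction of total duration) of the template."""
    if len(taps_ms) != len(template.intervals) + 1:
        return False                                  # wrong tap count: reject early
    gaps, total = _gaps(taps_ms)
    if total <= 0:
        return False
    lo = template.duration_ms * (1 - tempo_slack)
    hi = template.duration_ms * (1 + tempo_slack)
    if not lo <= total <= hi:
        return False                                  # right rhythm, implausible speed
    return all(abs(g / total - t) <= tol
               for g, t in zip(gaps, template.intervals))


if __name__ == "__main__":
    # Constructed timestamps: "short short long short" rhythm, 900 ms in total.
    template = enroll([0, 200, 400, 800, 900])
    print(verify(template, [0, 260, 520, 1040, 1170]))   # same rhythm, 30 % slower
    print(verify(template, [0, 200, 400, 600, 800]))     # even rhythm, wrong phrase
```

    The tempo check is what stops an attacker who knows only the tap count from brute-forcing with an arbitrarily fast or slow entry; in a real deployment the recogniser would additionally be paired with a retry limit, since a five-tap rhythm has a small key space.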

    Dissection of Modern Malicious Software

    The exponential growth of the number of malicious software samples, known as malware in the specialized literature, is nowadays one of the major concerns of cyber-security professionals. The objectives of the creators of this type of software are varied, and the means used to achieve them are getting increasingly sophisticated. The increase in computation and storage resources, as well as globalization, have contributed to this growth and fuelled an entire industry dedicated to developing, selling and improving systems or solutions for securing against, recovering from, mitigating and preventing malware-related incidents. The success of these systems typically depends on detailed analysis, often performed by humans, of malware samples captured in the wild. This analysis includes the search for patterns or anomalous behaviours that may be used as signatures to identify or counter these threats. This Master of Science (M.Sc.) dissertation addresses problems related to dissecting and analyzing malware. The main objectives of the underlying work were to study and understand the techniques used by this type of software nowadays, as well as the methods used by specialists in that analysis, so as to conduct a detailed investigation and produce structured documentation for at least one modern malware sample. The work was mostly focused on malware developed for the desktop Operating Systems (OSs) of the Microsoft Windows family. After a brief study of the state of the art, the dissertation presents the classifications applied to malware that can be found in the technical literature of the area, drawn up mainly by an industry community or by the vendor of a security product. The structuring of the categories is nonetheless the result of an effort to unify or complete different classifications. 
    The families of some of the most popular or most frequently detected malware samples are also presented, initially in tabular form and subsequently as a genealogical tree, with some of the variants of each previously described family. This tree provides an interesting perspective on malware and is one of the contributions of this programme. Within the description of the functionality and behaviour of malware, some advanced techniques with which modern specimens of this type of software are equipped to ease their propagation and execution while hindering their detection are then discussed in more detail. The discussion moves on to the concepts related to the detection of and defence against modern malware, along with a short introduction to the main subject of this work. The analysis and dissection of two malware samples is then the subject of the final chapters of the dissertation. A basic static analysis is performed on the malware known as Stuxnet, while the banking Trojan known as Tinba/Zusy is subjected to both basic and advanced dynamic analysis. The results of this part of the work emphasize the difficulties associated with these tasks and the sophistication and danger level of the samples under investigation.

    The exponential growth in the number of malicious software samples, known in computing jargon as malware, is currently one of the greatest concerns of cybersecurity professionals. The objectives of the creators of this type of software are varied, and the means by which they are achieved are increasingly sophisticated. The growth in computing and storage capacity, together with globalisation, has contributed to this increase and has fuelled an entire industry devoted to developing, selling and improving systems or solutions for securing against, recovering from, mitigating and preventing malware-related incidents. 
    The success of these systems normally depends on detailed analysis, often performed by humans, of malware samples captured in their operating environment. This analysis involves searching for patterns or anomalous behaviours that can serve as signatures to identify or counter these threats. This dissertation addresses the problem of analysing and dissecting malware. The underlying work aimed to study and understand the techniques used by this type of software today, as well as those used by specialists in its analysis, in order to conduct a detailed investigation and produce structured documentation on at least one modern malware sample. The work focused mainly on malware developed for the desktop operating systems of the Microsoft Windows family. After a brief survey of the state of the art, the dissertation presents the malware classifications found in the technical literature of the field, used mainly by industry, as the result of an effort to unify them. Some of the most frequently detected malware families of the present day are also presented, first in a table and then as a genealogical tree containing some of the variants of each of the previously described families. This tree offers an interesting perspective on malware and is one of the contributions of this master's programme. Still within the description of malware functionality and behaviour, some advanced techniques with which the most modern malicious programs are sometimes equipped, in order to ease their propagation and execution while hindering their detection, are set out in some detail. The description then moves on to the concepts underlying the detection of and defence against modern malware, as well as a short introduction to the main subject of this work. 
    The analysis and dissection of two modern malware samples appear in the final chapters of the dissertation. Basic static analysis is applied to the malware known as Stuxnet, while basic and advanced dynamic analysis is applied to and demonstrated on the Tinba/Zusy banking Trojan. The results of this part demonstrate the degree of sophistication and danger of these samples and the difficulties associated with these tasks.
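    The abstract mentions a basic static analysis of a Windows executable without showing what that involves. The following added example (not the dissertation's code, and run on a constructed, harmless PE32 image rather than on Stuxnet) performs the first steps an analyst takes before running anything: hashing the file, walking the PE section table with the standard library, computing per-section entropy (high values hint at packing or encryption), extracting printable strings, and flagging sections that are both writable and executable. The section flag constants are the documented IMAGE_SCN_* values; the sample image, its section names and the embedded URL are constructed for the example.

```python
import hashlib
import math
import re
import struct
from collections import Counter
from typing import Dict, List

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000
COFF_FMT = "<HHIIIHH"          # IMAGE_FILE_HEADER, 20 bytes
SECTION_FMT = "<8sIIIIIIHHI"   # IMAGE_SECTION_HEADER, 40 bytes


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; ~0 for padding, close to 8 for packed/encrypted data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def printable_strings(data: bytes, min_len: int = 6) -> List[str]:
    """ASCII runs of at least min_len characters, like the `strings` tool."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def analyse_pe(data: bytes) -> Dict:
    """Parse DOS stub -> PE signature -> COFF header -> section table."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    machine, nsections, _, _, _, opt_size, _ = struct.unpack_from(COFF_FMT, data, e_lfanew + 4)
    sec_off = e_lfanew + 4 + struct.calcsize(COFF_FMT) + opt_size
    sections = []
    for i in range(nsections):
        name, _vsize, vaddr, raw_size, raw_ptr, _, _, _, _, flags = struct.unpack_from(
            SECTION_FMT, data, sec_off + struct.calcsize(SECTION_FMT) * i)
        raw = data[raw_ptr:raw_ptr + raw_size]
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "vaddr": vaddr,
            "raw_size": raw_size,
            "entropy": round(shannon_entropy(raw), 2),
            # RWX sections are a classic self-modifying/unpacking-stub indicator
            "writable_and_executable": bool(flags & IMAGE_SCN_MEM_WRITE) and bool(flags & IMAGE_SCN_MEM_EXECUTE),
            "strings": printable_strings(raw),
        })
    return {"sha256": hashlib.sha256(data).hexdigest(), "machine": hex(machine), "sections": sections}


def build_sample_pe() -> bytes:
    """Constructed, non-functional PE32 image used only to exercise the parser."""
    opt_size = 224                                         # PE32 optional header size
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                  # e_lfanew: PE header follows the DOS header
    text = b"\x55\x8b\xec" + b"\x90" * 29                  # push ebp; mov ebp,esp; nops (32 bytes)
    rdata = b"kernel32.dll\0VirtualAlloc\0http://c2.example.invalid/gate\0".ljust(64, b"\0")
    data_off = 64 + 4 + struct.calcsize(COFF_FMT) + opt_size + 2 * struct.calcsize(SECTION_FMT)
    coff = struct.pack(COFF_FMT, 0x14C, 2, 0, 0, 0, opt_size, 0x0102)   # i386, 2 sections
    opt = struct.pack("<H", 0x10B).ljust(opt_size, b"\0")              # PE32 magic, rest zeroed
    s_text = struct.pack(SECTION_FMT, b".text", len(text), 0x1000, len(text), data_off,
                         0, 0, 0, 0, 0x60000020)                       # CODE | EXECUTE | READ
    s_rdata = struct.pack(SECTION_FMT, b".rdata", len(rdata), 0x2000, len(rdata),
                          data_off + len(text), 0, 0, 0, 0, 0xE0000040)  # deliberately RWX
    return bytes(dos) + b"PE\0\0" + coff + opt + s_text + s_rdata + text + rdata


if __name__ == "__main__":
    for section in analyse_pe(build_sample_pe())["sections"]:
        print(section)
```

    On a real sample the same walk is done with `pefile` or a disassembler, but the checks are the same: the hash goes to threat-intelligence lookups, the strings and imports give the first clues about capability (here an allocation API and a URL), and entropy and RWX flags tell the analyst whether the interesting code is visible statically at all or will only appear after unpacking, which is where the dynamic analysis described above takes over.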

    The Internet of Things Will Thrive by 2025

    This report is the latest research report in a sustained effort throughout 2014 by the Pew Research Center Internet Project to mark the 25th anniversary of the creation of the World Wide Web by Sir Tim Berners-Lee. The current report is an analysis of opinions about the likely expansion of the Internet of Things (sometimes called the Cloud of Things), a catchall phrase for the array of devices, appliances, vehicles, wearable material, and sensor-laden parts of the environment that connect to each other and feed data back and forth. It covers the more than 1,600 responses that were offered specifically to our question about where the Internet of Things would stand by the year 2025. The report is the next in a series of eight Pew Research and Elon University analyses to be issued this year in which experts share their expectations about the future of such things as privacy, cybersecurity, and net neutrality. It includes some of the best and most provocative of the predictions survey respondents made when specifically asked to share their views about the evolution of embedded and wearable computing and the Internet of Things.

    Rational Cybersecurity for Business

    Use the guidance in this comprehensive field guide to gain the support of your top executives for aligning a rational cybersecurity plan with your business. You will learn how to improve working relationships with stakeholders in complex digital businesses, IT, and development environments. You will know how to prioritize your security program, and motivate and retain your team. Misalignment between security and your business can start at the top at the C-suite or happen at the line of business, IT, development, or user level. It has a corrosive effect on any security project it touches. But it does not have to be like this. Author Dan Blum presents valuable lessons learned from interviews with over 70 security and business leaders. You will discover how to successfully solve issues related to: risk management, operational security, privacy protection, hybrid cloud management, security culture and user awareness, and communication challenges. This open access book presents six priority areas to focus on to maximize the effectiveness of your cybersecurity program: risk management, control baseline, security culture, IT rationalization, access control, and cyber-resilience. Common challenges and good practices are provided for businesses of different types and sizes. And more than 50 specific keys to alignment are included. 
    What You Will Learn
    Improve your security culture: clarify security-related roles, communicate effectively to businesspeople, and hire, motivate, or retain outstanding security staff by creating a sense of efficacy.
    Develop a consistent accountability model, information risk taxonomy, and risk management framework.
    Adopt a security and risk governance model consistent with your business structure or culture, manage policy, and optimize security budgeting within the larger business unit and CIO organization IT spend.
    Tailor a control baseline to your organization's maturity level, regulatory requirements, scale, circumstances, and critical assets.
    Help CIOs, Chief Digital Officers, and other executives to develop an IT strategy for curating cloud solutions and reducing shadow IT, building up DevSecOps and Disciplined Agile, and more.
    Balance access control and accountability approaches, leverage modern digital identity standards to improve digital relationships, and provide data governance and privacy-enhancing capabilities.
    Plan for cyber-resilience: work with the SOC, IT, business groups, and external sources to coordinate incident response and to recover from outages and come back stronger.
    Integrate your learnings from this book into a quick-hitting rational cybersecurity success plan.
    Who This Book Is For
    Chief Information Security Officers (CISOs) and other heads of security, security directors and managers, security architects and project leads, and other team members providing security leadership to your business.


    The latest Kaspersky report on spam and phishing lists Qatar as one of the top 10 countries by percentage of email phishing and targeted phishing attacks. Since the Qatari economy has grown exponentially and become increasingly global in nature, email phishing and targeted phishing attacks have the capacity to be devastating to the Qatari economy, yet no adequate measures, such as awareness training programmes, have been put in place to minimise these threats to the state of Qatar. This research therefore explores targeted attacks in specific organisations in the state of Qatar and presents a new technique to prevent them. This novel enterprise-wide email phishing detection system has been used by organisations and individuals not only in the state of Qatar but also in organisations in the UK. The detection system is based on domain names, since attackers carefully register domain names that victims trust. The results show that the detection system reduces email phishing attacks. Moreover, the research develops email phishing awareness training techniques specifically designed for the state of Qatar to complement the presented technique, in order to increase email phishing awareness, focused on targeted attacks and their content, and reduce the impact of phishing email attacks. This part of the research was carried out by developing an interactive email phishing awareness training website that has been tested by organisations in the state of Qatar. The results of this training programme show that it is effective at training users to spot email phishing and targeted attacks.
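    The abstract says only that the detection system works on domain names that attackers register to resemble ones their victims trust; the thesis's own matching rules are not given here. The following is an added example, not the thesis's system, of the kind of sender-domain check such a system performs: the sender's registrable domain is compared with an organisation's trusted domains after homoglyph normalisation (rn for m, 1 for l, 0 for o, and so on), by edit distance, and by looking for a trusted name embedded as a subdomain of an unrelated domain. The trusted-domain list, the tiny public-suffix table, the homoglyph table, the distance thresholds and the sample addresses are all constructed assumptions; a production deployment would use the full public suffix list and a richer confusables table.

```python
import re
from typing import Optional, Tuple

# Constructed list of domains the organisation treats as legitimate senders.
TRUSTED_DOMAINS = ["qnb.qa", "example-bank.com"]
# Hand-picked subset standing in for the public suffix list.
MULTI_LABEL_SUFFIXES = {"com.qa", "net.qa", "co.uk", "com.au"}
# Visually confusable sequences mapped to the character they imitate.
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]


def registrable_domain(host: str) -> str:
    """Strip subdomains: mail.qnb.qa -> qnb.qa, x.example.co.uk -> example.co.uk."""
    labels = host.lower().strip(".").split(".")
    n = 3 if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 2
    return ".".join(labels[-n:])


def normalise(domain: str) -> str:
    """Fold homoglyph tricks so exarnple-bank.com compares equal to example-bank.com."""
    d = domain.lower()
    for lookalike, canonical in HOMOGLYPHS:
        d = d.replace(lookalike, canonical)
    return d


def levenshtein(a: str, b: str) -> int:
    """Edit distance, catching one-character typosquats such as examplebank.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(address: str) -> Tuple[str, Optional[str]]:
    """Return (verdict, trusted_domain); verdict is trusted, lookalike, unknown or invalid.
    Assumes a bare address (no display name), which a mail filter would parse out first."""
    m = re.fullmatch(r"[^@\s]+@([A-Za-z0-9.-]+)", address.strip())
    if not m:
        return "invalid", None
    host = m.group(1).lower()
    reg = registrable_domain(host)
    for trusted in TRUSTED_DOMAINS:          # exact registrable-domain match wins first
        if reg == trusted:
            return "trusted", trusted
    for trusted in TRUSTED_DOMAINS:
        # trusted name used as a subdomain of an attacker-controlled domain
        if f".{trusted}." in f".{host}.":
            return "lookalike", trusted
        t_norm, r_norm = normalise(trusted), normalise(reg)
        threshold = 1 if len(t_norm) < 10 else 2   # allow slightly more slack on long names
        if levenshtein(r_norm, t_norm) <= threshold:
            return "lookalike", trusted
    return "unknown", None


if __name__ == "__main__":
    # Constructed sample senders, as they might appear in a mail gateway log.
    for addr in ["alerts@qnb.qa", "it@exarnple-bank.com",
                 "x@example-bank.com.verify-login.net", "x@gmail.com"]:
        print(addr, "->", classify_sender(addr))
```

    A "lookalike" verdict is a strong signal precisely because a legitimate sender has no reason to use a near-copy of a domain the organisation already trusts; "unknown" senders still need the content-based checks and the user awareness the abstract describes, since not every phishing domain imitates a known one.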

    "What social media ""likes"": a discourse analysis of the Google, Facebook and Twitter blogs"

    Google, Facebook and Twitter are arguably synonymous with social media (Vaidhyanathan, 2011; Yakolev, 2007; Levy, 2009). Selling the attention spans of internet users to advertisers using content almost entirely created by the labour of others makes these organizations leaders in a media environment that is beginning to redefine the relationship between consumers (or prosumers), technology, and the modern digital organization (Drache, 2008; Lessig, 2008; Rainie & Wellman, 2012; Castells, 2010; Shirky, 2010). As such, these organizations often get caught between public action and other forms of online protest, such as the Arab Spring (Castells, 2012), and their practical business need to maintain discursive control. This dissertation examines the tension between corporate control and user participation as it manifests on the official Google, Facebook and Twitter corporate blogs. The research employs critical discourse analysis (Fairclough, 1995) supported by corpus linguistics techniques (Stubbs, 1996) to analyze each entry from the official Google, Facebook and Twitter corporate blogs between 2006 and 2011. Taken together, the discourses from these three corporate blogs reveal an underlying media logic, otherwise known as social media logic (van Dijck, 2013), that drives these sites and directs the actions of the people who engage with them. Put simply, all three sites maintain an organizational discourse on their blogs that makes technological development seem both necessary and inevitable. They construct a techno-centrism which often comes at the expense of the people who both develop the technologies and use them. These discourses support the commercialization of these sites, but do not support the view that these technologies are somehow inherently democratic (Shirky, 2010). 
    Fortunately, however, the fact that the business models of social media sites depend on the free contributions of user-generated content means that, should the people who use these sites decide to fight for change with respect to these organizations, they would be uniquely positioned to do so.