9 research outputs found

    I Know Where You are and What You are Sharing: Exploiting P2P Communications to Invade Users' Privacy

    In this paper, we show how to exploit real-time communication applications to determine the IP address of a targeted user. We focus our study on Skype, although other real-time communication applications may have similar privacy issues. We first design a scheme that calls an identified targeted user inconspicuously to find his IP address, which can be done even if he is behind a NAT. By calling the user periodically, we can then observe the mobility of the user. We show how to scale the scheme to observe the mobility patterns of tens of thousands of users. We also consider the linkability threat, in which the identified user is linked to his Internet usage. We illustrate this threat by combining Skype and BitTorrent to show that it is possible to determine the file-sharing usage of identified users. We devise a scheme based on the identification field of the IP datagrams to verify with high accuracy whether the identified user is participating in specific torrents. We conclude that any Internet user can leverage Skype, and potentially other real-time communication systems, to observe the mobility and file-sharing usage of tens of millions of identified users.
    Comment: This is the authors' version of the ACM/USENIX Internet Measurement Conference (IMC) 2011 paper.
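    The abstract describes an IP ID based check without spelling it out. The following is an added example, not code from the paper, showing the idea a practitioner would implement: if a host stamps every outgoing datagram from one global 16-bit Identification counter, then probe replies obtained by calling the target over Skype and packets observed from a suspected BitTorrent peer, merged by capture time, must read as one counter advancing in small steps; packets from a different machine behind the same NAT break that pattern. The global-counter behaviour is an assumption that held for common stacks of the period; stacks that randomize the field or keep per-destination counters defeat the check. The sample captures and the `max_step` threshold are constructed for the example.

```python
"""Added example, not code from the paper: testing whether two packet
streams come from the same host by interleaving their IP ID values.

Assumption (labelled): the target's IP stack fills the 16-bit Identification
field of every outgoing datagram from one global counter that advances by one
per packet. Stacks that randomize the field, zero it, or keep per-destination
counters do not satisfy this, and the check is meaningless against them.
"""
from typing import Iterable, List, Tuple

IPID_MOD = 1 << 16                # the Identification field is 16 bits wide
Packet = Tuple[float, int]        # (capture time in seconds, IP ID)


def ipid_step(prev: int, cur: int) -> int:
    """Forward distance from prev to cur on the 16-bit IP ID ring (wrap-safe)."""
    return (cur - prev) % IPID_MOD


def same_counter(stream_a: Iterable[Packet], stream_b: Iterable[Packet],
                 max_step: int = 200) -> bool:
    """True if the two streams, merged by time, read like one incrementing counter.

    max_step bounds how many datagrams the host may have sent to anyone else
    between two packets we observed; raise it for a busy host, lower it for a
    quiet one. A step of 0 (two distinct packets, same ID) is rejected too,
    since a real counter never stands still between packets.
    """
    merged: List[Packet] = sorted(list(stream_a) + list(stream_b))
    if len(merged) < 2:
        return False
    for (_, prev_id), (_, cur_id) in zip(merged, merged[1:]):
        step = ipid_step(prev_id, cur_id)
        if step == 0 or step > max_step:
            return False
    return True


# Constructed sample captures (not measurements from the paper).
# Skype probe replies from the identified user, one per second.
SKYPE_PROBE: List[Packet] = [(0.0, 40000), (1.0, 40007), (2.0, 40015), (3.0, 40022)]
# BitTorrent packets from the peer under test, captured between the probes.
BT_PEER_SAME_HOST: List[Packet] = [(0.5, 40003), (1.5, 40011), (2.5, 40018)]
# Same timing, but another machine (e.g. a second host behind the same NAT).
BT_PEER_OTHER_HOST: List[Packet] = [(0.5, 12345), (1.5, 12390), (2.5, 12440)]
# The counter wrapping past 65535 while we watch.
SKYPE_PROBE_WRAP: List[Packet] = [(0.0, 65530), (1.0, 65535)]
BT_PEER_WRAP: List[Packet] = [(2.0, 2), (3.0, 9)]


def verdicts() -> dict:
    """Run the check over the constructed captures."""
    return {
        "same_host": same_counter(SKYPE_PROBE, BT_PEER_SAME_HOST),
        "other_host": same_counter(SKYPE_PROBE, BT_PEER_OTHER_HOST),
        "wraparound": same_counter(SKYPE_PROBE_WRAP, BT_PEER_WRAP),
    }


if __name__ == "__main__":
    for name, hit in verdicts().items():
        print(f"{name:>10}: {'same host' if hit else 'not the same host'}")
```

    In practice the probe and the BitTorrent packets arrive interleaved over a longer window, and a single oversized step (a burst of traffic to a third party) should lower a confidence score rather than reject outright; the boolean above is the minimal form of the test.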

    Defending Against Spear Phishing: Motivating Users Through Fear Appeal Manipulations

    Phishing is a pervasive form of online fraud that causes billions in losses annually. Spear phishing is a highly targeted and successful type of phishing that uses socially engineered emails to defraud most of its recipients. Unfortunately, anti-phishing training campaigns struggle to fight this threat effectively, partly because users see security as a secondary priority and partly because users are rarely motivated to undergo lengthy training. An effective training approach thus needs to be non-disruptive and brief enough to avoid being onerous, and yet needs to inspire dramatic behavioral change. This is a tremendous, unsolved challenge that we believe can be solved through a novel application of theory: using fear appeals and protection-motivation theory (PMT), we outline how brief training can educate users and evoke protection motivation. We further invoke construal-level theory (CLT) to explain how fear appeals can stimulate threat perceptions more quickly and more powerfully. This research-in-progress study further proposes a field experiment to verify the effectiveness of our proposed training approach in an ecologically valid environment. Overall, we (1) improve training based on PMT and CLT, (2) expand PMT for guiding fear appeal design, and (3) demonstrate a full application of CLT.

    Assessing Generational Differences in Susceptibility to Social Engineering Attacks. A Comparison Between Millennial and Baby Boomer Generations

    In the age of the digital society, social engineering attacks are very successful and, unfortunately, users still cannot protect themselves against these threats. Social engineering is a very complex problem, which makes it difficult to differentiate among vulnerable users. These attacks do not target only young users or employees; they select victims en masse, regardless of age. Due to the rapid growth of technology and its misuse, everyone is affected by these attacks and everyone is vulnerable to them (Purkait, 2012; Aggarwal et al., 2012). Users are considered the "weakest link" of security (Mohebzada et al., 2012; Mitnick and Simon, 2011), and as such protecting confidential information should be the ultimate goal of all people. However, despite the fact that a number of different strategies exist to educate or train end users to avoid these attacks, phishing still succeeds (Dhamija et al., 2006). This is mainly because existing security awareness trainings, theoretical courses and frameworks are expected to be equally effective for all users regardless of their age, although experience has shown that this is not true (Alseadoon, 2014). For these security trainings to be effective, it is essential that they are composed on the basis of the social engineering weaknesses attributed to different generations. Identifying the unique characteristics (demographic and personality) of generations that determine their vulnerability is what this work aims to do; frameworks crafted from that information, addressing these weaknesses, would then be useful and worth implementing. Taking into consideration the complexity of this problem, this study suggests a need to research it from a broader perspective, adding the "generation" element to the study focus in order to find out whether there is indeed any difference in susceptibility among generational cohorts. To do so, this research adapts both qualitative and quantitative methods. Data collected on users' performance in a phishing assessment are analyzed and a psychological interpretation of the results is provided.
The first research question asks what factors determine end users' vulnerability to social engineering. Results from the quantitative data (statistical analysis) show that generation is an important element in differentiating potential victims of social engineering, whereas computer self-efficacy and educational level do not play any noteworthy role in predicting end users' likelihood of falling for these threats. Consistent with the above and with previous studies, gender also shows no power in predicting susceptibility (Parsons et al., 2013). The second research question seeks to explain what makes generations differ in susceptibility; this study's findings propose that Generation Y personality traits such as conscientiousness, extraversion and agreeableness are key influencers of its observed vulnerability. Finally, along with establishing foundations for future research on generational susceptibility to social engineering, this thesis employs these findings in proposing a framework aimed at lessening millennials' likelihood of social engineering victimization. The originality of this study lies in its overall approach: starting with an exhaustive literature review to identify the factors affecting generations' susceptibility, then statistically measuring their vulnerability, and finishing with a solution proposal crafted to suit the observed generational security weaknesses.

    Assessment of Web-based Information Security Awareness Courses

    Information security awareness web-based courses are commonly recommended in cyber security strategies to help build a security culture capable of addressing information system breaches caused by user mistakes, where negligence or ignorance of policies may endanger information system assets. A research gap exists on the impact of information security awareness web-based courses: they are failing to change to a significant degree the behavior of participants with regard to compliance and diligence, which translates into continuing vulnerabilities. The aim of this work is to contribute a theoretical and empirical analysis of the potential strengths and weaknesses of information security awareness web-based courses, together with two practical tools readily applicable by designers and reviewers of web-based or mediatized courses on information security awareness and education. The research design seeks to answer two research questions. The first concerns the formulation of a minimum set of criteria that could be applied to information security awareness web-based courses to support their real impact on employees' diligence and compliance; it results in eleven criteria for course assessment and a checklist. The second concerns a controlled experiment exploring the actual impact of an existing course on diligence and compliance, using phishing emails as educational tools, which reaffirms the theoretical assumptions arrived at earlier.
The development of minimum criteria and their systematic implementation pursue behavioral change, emphasize the importance of disciplinary integration in cyber security research, and advocate the development of a solid security culture of diligence and compliance capable of supporting the protection of organizations from information system threats. The results gathered in this study suggest that achieving positive results in the information security tests that follow security awareness courses does not necessarily imply that diligence or compliance with information security policies is affected. These preliminary findings accumulate evidence on the importance of implementing the recommendations formulated in this work.

    Usando o twitter para detecção de usuários vulneráveis a phishing

    Undergraduate final project (Trabalho de Conclusão de Curso), Universidade de Brasília, Instituto de Ciências Exatas, Departamento de Ciência da Computação, 2018. This work reports the development of a mathematical-computational model for detecting Twitter accounts whose users may be vulnerable to phishing attacks. Through descriptive, exploratory and quantitative research based on a series of experiments, it verifies the existence of correlations between attributes of Twitter accounts, among them the authority of an account as computed structurally on a graph, and the vulnerability of their users to a phishing attack. Four incremental versions of a data-collection experiment were run, involving simulated phishing attacks directed at approximately 1287 Twitter accounts over 38 days. The results were analysed through logistic regression. The analysis confirms that it is possible to profile victims based on account attributes, making attacks with better precision than random choice possible, and moreover that it is possible to build and run a tool that performs automated social engineering attacks on Twitter.

    Examining the interplay between universal behavioural tendencies, online social networks and social capital

    Interaction with others is fundamental to well-being, as it serves to fulfil our basic needs. Thus humans have various behavioural tendencies, patterns of behaviour that serve as strategies to fulfil these needs. Given the increasingly crucial role of online social networks on our communication and interaction, it is important to study these factors in the online context. In this thesis we explore how universal behavioural tendencies, i.e. behavioural tendencies that have been observed across cultures, affect our online interaction and how these in turn affect social capital. Focusing on disclosure behaviour and social network structure as proxies for online interaction behaviour, this work consists of three main components developed over four studies. Firstly, we attempt to understand how the tendency to reciprocate affects individuals’ willingness to disclose information about themselves. Secondly, we study the interplay between individuals’ disclosure patterns and their positions in the network. Finally, we study how individuals, along with their differences in universal behavioural tendencies, accrue social capital from the structure of their immediate networks. Key findings include: (1) People tend to reciprocate the disclosure of personal information, both when the initial disclosure is directed towards them, and also when it is broadcast and directed to nobody in particular, (2) The centrality of individuals in a social network is related to how much information they disclose, and how much others disclose to them, and (3) Online social network structure is related to social capital, and network structure and empathy play an interconnected role in the creation of social capital. 
The empirical findings, discussions and methodologies presented in this work will be useful for HCI and social science researchers studying the fundamental aspects of humans' use of social technologies.

    A model for cultivating resistance to social engineering attacks

    The human being is commonly considered the weakest link in information security. As information is one of the most critical assets in an organization today, it is essential that the human element is considered when information security countermeasures are deployed; however, it is often neglected in this regard. Consequently, many criminals now target the user directly to obtain sensitive information instead of spending days or even months trying to hack through systems, and some use various social engineering techniques to deceive the user into disclosing information. For this reason, users of the Internet and ICT-related technologies are nowadays very vulnerable to social engineering attacks. As a contribution to increasing users' social engineering awareness, a model called SERUM was devised. SERUM aims to cultivate social engineering resistance within a community by exposing the users of the community to 'fake' social engineering attacks. Users who react incorrectly to these attacks are instantly notified and requested to participate in an online social engineering awareness program; thus, users are educated on demand. The model was implemented as a software system and used to conduct a phishing exercise on all the students of the Nelson Mandela Metropolitan University. The aim of the exercise was to determine whether SERUM is effective in cultivating social engineering resistant behaviour within a community. The exercise proved successful and produced positive results, indicating that a model like SERUM can indeed be used to educate users regarding phishing attacks.
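    The abstract describes the SERUM loop (fake attack, instant notification, on-demand education) but not how the software ties a click back to a user. The block below is an added example, not SERUM's own code, showing the server side of such an exercise. Each recipient's link carries an HMAC-SHA256 tag over the recipient id under a per-campaign secret, so a click can be attributed without a lookup table and nobody can forge a hit for a colleague or enumerate recipients; a valid click is recorded once and redirected to the awareness page, an invalid one is dropped. The class and function names, URLs and the in-memory failures store are assumptions made for this example.

```python
"""Added example, not SERUM's own code: the server side of a SERUM-style
simulated phishing exercise.

Every recipient gets a link carrying a token = HMAC-SHA256(campaign key,
user id), truncated to 128 bits. Opening the link is the "incorrect
reaction": the server verifies the token in constant time, records the failure
(once per user) and redirects the user to the awareness program.
All names here (Campaign, base_url, training_url, failures) are assumptions.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlencode, urlparse


@dataclass
class Campaign:
    key: bytes                     # per-campaign secret; never reuse across campaigns
    base_url: str                  # where the simulated phishing link points
    training_url: str              # the on-demand awareness program
    failures: Dict[str, float] = field(default_factory=dict)  # user_id -> first click time

    def token_for(self, user_id: str) -> str:
        """Unforgeable per-recipient token: HMAC-SHA256(key, user_id), 128-bit hex."""
        tag = hmac.new(self.key, user_id.encode("utf-8"), hashlib.sha256).digest()[:16]
        return tag.hex()

    def link_for(self, user_id: str) -> str:
        """The link embedded in the simulated phishing email for this recipient."""
        return f"{self.base_url}?{urlencode({'u': user_id, 't': self.token_for(user_id)})}"

    def handle_click(self, url: str, now: Optional[float] = None) -> Optional[str]:
        """Process a request for a simulated link.

        Returns the URL to redirect the user to, or None when the request
        carries no valid token and should get a generic 404 instead.
        """
        query = parse_qs(urlparse(url).query)
        user_id = query.get("u", [None])[0]
        token = query.get("t", [None])[0]
        if not user_id or not token:
            return None
        # Constant-time comparison so the tag cannot be recovered byte by byte.
        if not hmac.compare_digest(token, self.token_for(user_id)):
            return None
        # Record only the first failure; repeat visits do not inflate the count.
        self.failures.setdefault(user_id, time.time() if now is None else now)
        return self.training_url


def run_exercise(recipients: List[str], clicked: List[str],
                 key: Optional[bytes] = None) -> Dict[str, float]:
    """Issue links to `recipients`, simulate clicks by the users in `clicked`,
    and return who failed. Constructed scenario, not data from the study."""
    camp = Campaign(
        key=key or secrets.token_bytes(32),
        base_url="https://mail-security.example.invalid/verify",
        training_url="https://awareness.example.invalid/phishing-101",
    )
    links = {u: camp.link_for(u) for u in recipients}
    for i, u in enumerate(clicked):
        camp.handle_click(links[u], now=1.0 + i)   # fixed timestamps for a repeatable demo
    return dict(camp.failures)


if __name__ == "__main__":
    print(run_exercise(["s1001", "s1002", "s1003"], clicked=["s1002"]))
```

    Swapping the `u=` parameter of someone else's link, or flipping a character of the token, is rejected because the tag no longer verifies, so failure counts reflect real recipient behaviour. A production deployment would persist `failures` and rotate the key per campaign; the per-user notification itself is whatever the redirect page says.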

    The Effect of Personality on SMS Phishing Vulnerability

    In the last decade, cybercrime has sought to bypass the technical security in place by focusing on people. Recently more attention has been given to the security of mobile devices; however, very little research has investigated the human factors of mobile phishing. This thesis investigates human aspects in relation to SMS phishing. Based on our findings, we present recommendations and opportunities for research that will help the security community to better understand phishing attacks and educate mobile users against them. The first study reports the results of a qualitative investigation of what people think and feel about mobile security. The study presents this investigation temporally by means of a series of interviews performed sequentially in multiple stages. A variation was noted in the users' responses and a theory was developed to explain it. The study proposed a grounded theory suggesting that people's security attitude is strongly influenced by their agreeableness, conscientiousness and extraversion personality traits, and that this general behaviour is moderated by individuals' knowledge and past error-in-judgement experiences. The theory was tested via three further studies (one lab study and two experimental studies). The results suggest that the personality traits assertiveness and extraversion affect people's phishing vulnerability. To the best of our knowledge, the three studies are the first empirical studies of the human aspects involved in SMS phishing. The thesis embraces both quantitative and qualitative analysis approaches: the quantitative analysis helped in isolating the personality traits assertiveness and extraversion, while the qualitative analysis helped us understand how individuals reason about their behaviour.