What's inside a node? Malicious IPFS nodes under the magnifying glass

InterPlanetary File System~(IPFS) is one of the most promising decentralized off-chain storage mechanisms, particularly relevant for blockchains, aiming to store the content forever, thus it is crucial to understand its composition, deduce actor intent and investigate its operation and impact. Beyond the network functionality that IPFS offers, assessing the quality of nodes, i.e. analysing and categorising node software and data, is essential to mitigate possible risks and exploitation of IPFS. To this end, in this work we took three daily snapshots of IPFS nodes within a month and analysed each node (by IP address) individually, using threat intelligence feeds. The above enabled us to quantify the number of potentially malicious and/or abused nodes. The outcomes lead us to consider using a filter to isolate malicious nodes from the network, an approach we implemented as a prototype and used for assessment of effectiveness.Comment: To appear at the 38th International Conference on ICT Systems Security and Privacy Protection (IFIP SEC 2023

On the unbearable lightness of FIPS 140-2 randomness tests

Random number generation is critical to many applications. Gaming, gambling, and particularly cryptography all require random numbers that are uniform and unpredictable. For testing whether supposedly random sources feature particular characteristics commonly found in random sequences, batteries of statistical tests are used. These are fundamental tools in the evaluation of random number generators and form part of the pathway to certification of secure systems implementing them. Although there have been previous studies into this subject becker2013stealthy, RNG manufacturers and vendors continue to use statistical tests known to be of dubious reliability, in their RNG verification processes. Our research shows that FIPS-140-2 cannot identify adversarial biases effectively, even very primitive ones. Concretely, this work illustrates the inability of the FIPS 140 family of tests to detect bias in three obviously flawed PRNGs. Deprecated by official standards, these tests are nevertheless still widely used, for example in hardware-level self-test schemes incorporated into the design of many True RNGs (TRNGs). They are also popular with engineers and cryptographers for quickly assessing the randomness characteristics of security primitives and protocols, and even with manufacturers aiming to market the randomness features of their products to potential customers. In the following, we present three biased-by-design RNGs to show in explicit detail how simple, glaringly obvious biases are not detected by any of the FIPS 140-2 tests. One of these RNGs is backdoored, leaking key material, while others suffer from significantly reduced unpredictability in their output sequences. To make our point even more straightforward, we show how files containing images can also fool the FIPS 140 family of tests. We end with a discussion on the security issues affecting an interesting and active project to create a randomness beacon. Their authors only tested the quality of their randomness with the FIPS 140 family of tests, and we will show how this has led them to produce predictable output that, albeit passing FIPS fails other randomness tests quite catastrophically

Integrating AI-driven threat intelligence and forecasting in the cyber security exercise content generation lifecycle

The escalating complexity and impact of cyber threats require organisations to rehearse responses to cyber-attacks by routinely conducting cyber security exercises. However, the effectiveness of these exercises is limited by the exercise planners’ ability to replicate real-world scenarios in a timely manner that is, most importantly, tailored to the training audience and sector impacted. To address this issue, we propose the integration of AI-driven sectorial threat intelligence and forecasting to identify emerging and relevant threats and anticipate their impact in different industries. By incorporating such automated analysis and forecasting into the design of cyber security exercises, organisations can simulate real-world scenarios more accurately and assess their ability to respond to emerging threats. Fundamentally, our approach enhances the effectiveness of cyber security exercises by tailoring the scenarios to reflect the threats that are more relevant and imminent to the sector of the targeted organisation, thereby enhancing its preparedness for cyber attacks. To assess the efficacy of our forecasting methodology, we conducted a survey with domain experts and report their feedback and evaluation of the proposed methodology

Resurrecting anti-virtualization and anti-debugging: Unhooking your hooks

Dynamic malware analysis involves the debugging of the associated binary files and the monitoring of changes in sandboxed environments. This allows the investigator to manipulate the code execution path and environment to develop an understanding of the malware’s internal workings, aims and modus operandi. However, the latest state of the art malware may incor- porate anti-virtual environment (VM) and anti-debugging countermeasures (i.e. to determine whether the malware is being executed in a VM or us- ing a debugger prior to payload execution). We argue that for the malware to be effective, it will need to support an array of anti-detection and eva- sion mechanisms. In essence, from the malware’s perspective, it needs to adopt a “defence in depth” paradigm to achieve its underlying business logic functionality. Beyond the malicious uses, software vendors to preserve the intellectual property rights of their products often resort to similar methods to deter competitors from gaining intelligence from the binaries or prevent customers from using their products in unauthorised hardware. In this work, we illustrate how Windows architecture impedes the work of debuggers when they analyse with armoured binaries. The debugger and the malware have the same privileges, so the attacker may manipulate theaddress space that the debugger operates and, e.g. bypass detection. We showcase this by presenting a new framework (ANTI), which automates the procedure of integrating anti-debugging and anti-VM in the binary. Specifi- cally, ANTI introduces an anti-hooking method targeting Windows binaries, where hooks applied by state of the art debuggers are removed and injects its code in other processes. This significantly compounds the challenge of binary analysis. Our extensive evaluation also demonstrates that ANTI successfully circumvents detection from state-of-the-art detection methods. Therefore, ANTI illustrates that current tools for dynamic analysis have serious implementation gaps that allow for binaries to bypass them. More alarmingly, ANTI shows how one can use well-known methods to “resurrect” old attacks

Cashing out crypto: state of practice in ransom payments

The fast pace of blockchain technology and cryptocurrencies’ evolution makes people vulnerable to financial fraud and provides a relatively straightforward monetisation mechanism for cybercriminals, in particular ransomware groups which exploit crypto’s pseudo-anonymity properties. At the same time, regulatory efforts for addressing crimes related to crypto assets are emerging worldwide. In this work, we shed light on the current state of practice of ransomware monetisation to provide evidence of their payment traceability, explore future trends, and—above all—showcase that over-regulating cryptocurrencies is not the best way to mitigate their risks. For that purpose, first, we provide an overview of the legislative initiatives currently taken by the USA, the EU, and the OECD to regulate cryptocurrencies, showing that strict laws and the divergences between the regulatory regimes can hardly efficiently regulate the global phenomenon of cryptocurrency, which transcends borders and states. Next, we focus on illicit payments in bitcoin to ransomware groups, illustrating how these payments are siphoned off and how criminals cash out the ransom, often leaving traceable evidence behind. To this end, we leverage a publicly available dataset and a set of state-of-the-art blockchain analysis tools to identify payment patterns, trends, and transaction trails, which are provided in an anonymised form. Our work reveals that a significant amount of illicit bitcoin transactions can be easily traced, and consequently, many cyber crimes like ransomware can actually be tracked down and investigated with existing tools and laws, thus providing fertile ground for better and fairer legislation on crypto

Analytical framework for Adaptive Compressive Sensing for Target Detection within Wireless Visual Sensor Networks

Wireless visual sensor networks (WVSNs) are composed of a large number of visual sensor nodes covering a specifc geographical region. This paper addresses the target detection problem within WVSNs where visual sensor nodes are left unattended for long-term deployment. As battery energy is a critical issue it is always challenging to maximize the network's lifetime. In order to reduce energy consumption, nodes undergo cycles of active-sleep periods that save their battery energy by switching sensor nodes ON and OFF, according to predefined duty cycles. Moreover, adaptive compressive sensing is expected to dynamically reduce the size of transmitted data through the wireless channel, saving communication bandwidth and consequently saving energy. This paper derives for the first time an analytical framework for selecting node's duty cycles and dynamically choosing the appropriate compression rates for the captured images and videos based on their sparsity nature. This reduces energy waste by reaching the maximum compression rate for each dataset without compromising the probability of detection. Experiments were conducted on different standard datasets resembling different scenes; indoor and outdoor, for single and multiple targets detection. Moreover, datasets were chosen with different sparsity levels to investigate the effect of sparsity on the compression rates. Results showed that by selecting duty cycles and dynamically choosing the appropriate compression rates, the desired performanc

Privacy-aware event data recorders: Cryptography meets the automotive industry again

10.1109/MCOM.2013.6685767Vehicles are equipped with more technology with each passing day. Acronyms such as ABS (anti-lock braking system), EBD (electronic brakeforce distribution) or EPS (electric power steering) have become commonplace, and are used as synonyms for safety and comfort. On the contrary, others like EDR (event data recorder) are not as popular. EDR, commonly known as automotive black boxes, are devices used to collect data about a vehicle and its occupants, which can be accessed after an accident to clarify its cause. With the upcoming regulation of the National Highway Traffic Safety Administration requiring manufacturers to include EDR in all new vehicles, privacy advocates have raised some alarms related to the storage of and access to these data. In this article, we propose a novel privacy-aware solution for the EDR of modern vehicles. Our solution is based on modern cryptographic primitives like timed release encryption (TRE), and it guarantees the privacy of the vehicle¿s occupants while allowing the full functionality of EDR in case of emergency

Unearthing malicious campaigns and actors from the blockchain DNS ecosystem

Blockchain DNS has emerged as an alternative solution to traditional DNS to address many of its inherent drawbacks. In this regard, a blockchain DNS approach is decentralised, resilient, provides high availability, and prevents censorship. Unfortunately, despite these desirable features, the major blockchain DNS solutions to date, Namecoin and Emercoin have been repeatedly reported for malicious abuse, ranging from malware distribution to phishing. In this work, we perform a longitudinal analysis of both these chains trying to identify and quantify the penetration of malicious actors in their ecosystems. To this end, we apply a haircut blacklisting policy and the intelligence collected from various engines to perform a taint analysis on the metadata existing in these blockchains, aiming to identify malicious acts through the merge of identifying information. Our analysis provides an automated validation methodology that supports the various reports about the wide-scale abuse of these solutions showing that malicious actors have already obtained an alarming and extensive share of these platforms

Invoice #31415 attached: Automated analysis of malicious Microsoft Office documents

Microsoft Office may be by far the most widely used suite for processing documents, spreadsheets, and presentations. Due to its popularity, it is continuously utilised to carry out malicious campaigns. Threat actors, exploiting the platform's dynamic features, use it to launch their attacks and penetrate millions of hosts in their campaigns. This work explores the modern landscape of malicious Microsoft Office documents, exposing the means that malware authors use. We leverage a taxonomy of the tools used to weaponise Microsoft Office documents and explore the modus operandi of malicious actors. Moreover, we generated and publicly shared a specially crafted dataset, which relies on incorporating benign and malicious documents containing many dynamic features such as VBA macros and DDE. The latter is crucial for a fair and realistic analysis, an open issue in the current state of the art. This allows us to draw safe conclusions on the malicious features and behaviour. More precisely, we extract the necessary features with an automated analysis pipeline to efficiently and accurately classify a document as benign or malicious using machine learning with an F1 score above 0.98, outperforming the current state of the art detection algorithms