25 research outputs found

    Sviluppo di un sistema low-cost per lo studio dell'equilibrio posturale (Development of a low-cost system for studying postural balance)

    Get PDF
    The aim of this study was to develop a low-cost system for assessing static postural balance, with performance comparable to that of the professional instrumentation currently in use.

    PILOT: Password and PIN Information Leakage from Obfuscated Typing Videos

    Full text link
    This paper studies leakage of user passwords and PINs based on observations of typing feedback on screens or from projectors in the form of masked characters that indicate keystrokes. To this end, we developed an attack called Password and Pin Information Leakage from Obfuscated Typing Videos (PILOT). Our attack extracts inter-keystroke timing information from videos of password masking characters displayed when users type their password on a computer, or their PIN at an ATM. We conducted several experiments in various attack scenarios. Results indicate that, while in some cases leakage is minor, it is quite substantial in others. By leveraging inter-keystroke timings, PILOT recovers 8-character alphanumeric passwords in as little as 19 attempts. When guessing PINs, PILOT significantly improved on both random guessing and the attack strategy adopted in our prior work [4]. In particular, we were able to guess about 3% of the PINs within 10 attempts. This corresponds to a 26-fold improvement compared to random guessing. Our results strongly indicate that secure password masking GUIs must consider the information leakage identified in this paper.
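    The abstract above explains the principle but not the mechanics of turning inter-keystroke timings into a shorter guess list. The following Python block is an added illustration written for this page; it is not PILOT's code and does not reproduce the paper's timing model. It assumes a standard 3x4 ATM keypad geometry and a deliberately simple model in which the time between two masked characters grows linearly with the finger's travel distance between keys (BASE_INTERVAL, SECONDS_PER_KEY and TOLERANCE are made-up constants). The timestamps of the four masking characters are constructed by hand for a victim typing 2-5-8-0. Given those timings, the code keeps only the PINs whose predicted intervals match the observed ones and reports how many guesses an attacker submitting candidates in score order would need.

```python
"""Inter-keystroke timing as a PIN-guessing side channel (added illustration, not PILOT's code)."""
import itertools
import math

# Assumed ATM keypad geometry: 3x4 grid, '0' centred under '8'; one unit = one key pitch.
KEYPAD = {str(d): ((d - 1) % 3, (d - 1) // 3) for d in range(1, 10)}
KEYPAD["0"] = (1, 3)

# Assumed timing model (an illustration, not the paper's model): the interval between two
# keystrokes is a fixed overhead plus a term proportional to the distance the finger travels.
BASE_INTERVAL = 0.15    # seconds of overhead between any two presses
SECONDS_PER_KEY = 0.08  # extra seconds per key pitch of travel
TOLERANCE = 0.015       # seconds of jitter accepted when matching an interval


def key_distance(a, b):
    """Euclidean distance between two keys, in key pitches."""
    (x1, y1), (x2, y2) = KEYPAD[a], KEYPAD[b]
    return math.hypot(x2 - x1, y2 - y1)


def predicted_intervals(pin):
    """Inter-keystroke intervals the model predicts for a candidate PIN."""
    return [BASE_INTERVAL + SECONDS_PER_KEY * key_distance(a, b) for a, b in zip(pin, pin[1:])]


def observed_intervals(mask_timestamps):
    """Intervals recovered from the video: time between consecutive masking characters appearing."""
    return [t2 - t1 for t1, t2 in zip(mask_timestamps, mask_timestamps[1:])]


def score(candidate, observed):
    """Sum of squared residuals between observed and predicted intervals (lower is more likely)."""
    return sum((o - p) ** 2 for o, p in zip(observed, predicted_intervals(candidate)))


def all_pins(length):
    return ["".join(d) for d in itertools.product("0123456789", repeat=length)]


def consistent_candidates(observed, length=4):
    """PINs whose predicted timing matches every observed interval within TOLERANCE."""
    return [
        pin for pin in all_pins(length)
        if all(abs(o - p) <= TOLERANCE for o, p in zip(observed, predicted_intervals(pin)))
    ]


def guess_order(observed, length=4):
    """Every PIN of the given length, most timing-consistent first."""
    return sorted(all_pins(length), key=lambda pin: score(pin, observed))


def attempts_to_hit(true_pin, observed):
    """(best, worst) number of guesses before the true PIN is tried when candidates are
    submitted in score order; the spread comes from candidates that tie with the true PIN."""
    target = score(true_pin, observed)
    scores = [score(pin, observed) for pin in all_pins(len(true_pin))]
    best = 1 + sum(s < target for s in scores)
    worst = sum(s <= target for s in scores)
    return best, worst


# Constructed sample: seconds at which four '*' characters appeared on screen while the
# victim typed 2-5-8-0 (three vertical one-key moves), with a little jitter added by hand.
SAMPLE_TIMESTAMPS = [0.000, 0.240, 0.460, 0.695]

if __name__ == "__main__":
    obs = observed_intervals(SAMPLE_TIMESTAMPS)
    cands = consistent_candidates(obs)
    print(f"{len(cands)} of 10000 PINs are consistent with the observed timings")
    print("true PIN reached after (best, worst) attempts:", attempts_to_hit("2580", obs))
```

    Under these assumptions the three observed intervals all correspond to one-key vertical or horizontal moves, so the search space collapses from 10,000 PINs to the 216 four-digit walks along adjacent keys, and the true PIN is tried no later than the 216th guess. Real keystroke timing is noisier and the per-user model is harder to fit, which is why the paper's figures are much more modest than this idealised reduction; the point of the example is only to show why masking characters that appear at keystroke time leak more than their content.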

    Human Interactions in Cybersecurity: Threats and Opportunities

    Get PDF
    Over the years, many cybersecurity breaches have been attributed to human error, considering human factors as one of the weakest links in the security chain. In fact, human factors are exploited by cybercriminals, causing significant losses of money and reputation to organizations. According to Verizon's 2021 Data Breach Investigations Report, 85% of breaches involved a human element, while 61% involved stolen or compromised credentials, causing an average breach cost of more than $3 million. To prevent cyberattacks, organizations focus on training employees and developing new policies, while also trying to maintain a balance between the complexity of security systems and their usability. However, the unpredictability of human behavior, the fast evolution of the digital world, and the increasing availability of technological resources for cybercriminals pose new and evolving cybersecurity challenges in anticipating both cyber threats in new environments and the rise of new threats in systems considered secure to date. On the other hand, the complexity and uniqueness of human behavior give new opportunities for designing new solutions to mitigate threats, improving the security of organizations and users. In this thesis, we investigate human interactions and cybersecurity, focusing on two main aspects: (i) developing new attacks, based on human interaction, against existing and consolidated authentication methods (i.e., PIN pads), and (ii) proposing new methods leveraging human behavior in multiple contexts to enhance the security of users and organizations. The first part of this thesis demonstrates the effectiveness of three attacks against the security of PIN-based authentication systems, focusing on Automated Teller Machine (ATM) PIN pads. ATMs have become such an indispensable part of the banking ecosystem that, according to the European Central Bank, in 2019 more than 11 billion withdrawal and deposit transactions were made in Europe alone.
In particular, we show how ATM PIN pads are exposed to security threats related to human factors even if users have policy-compliant behaviors. We analyze different attack scenarios depending on the sources of information available to the attacker (e.g., video, audio, thermal, typing style). The results show that in the worst-case scenario for the victim, our attacks can reconstruct up to 94% of the 5-digit PINs typed within three attempts. In the second part of this thesis, we show how the variability and unpredictability of human behavior can be exploited to increase the security of systems and users. We develop new human-based approaches focusing on three different contexts: (i) new methods for bot detection in social networks (i.e., Twitter) relying on the stylistic consistency of posts over time, (ii) a new framework for identifying fake and genuine expressions from videos, and (iii) a new de-authentication method based on the detection of physically blurred faces. Results demonstrate the efficacy of the proposed approaches, achieving an F1-score of up to 98% in human-bot detection, an accuracy of up to 90% in fake sadness detection, and an accuracy in de-authenticating users of up to 100% with a grace period of under 3 seconds. This thesis highlights the need for more effort in designing security solutions that focus on human factors, showing the direction for further investigation in analyzing human interactions in cybersecurity.

    Sviluppo e sperimentazione di un software per lo studio dell'equilibrio posturale con metodi non convenzionali (Development and testing of software for studying postural balance with non-conventional methods)

    Get PDF
    The study proposes an inexpensive alternative to the classic professional instrumentation used to assess static postural balance. The Nintendo Wii Balance Board was used as the substitute measuring instrument. The results were validated using the Romberg test procedure; in addition, a user-friendly interface with a set of parameters was implemented, always with the aim of containing costs.

    Interazioni Umane in Cybersecurity: Minacce e Opportunità (Human Interactions in Cybersecurity: Threats and Opportunities)

    No full text
    Over the years, many cybersecurity breaches have been attributed to human error, with human factors regarded as one of the weakest links in the security chain. In practice, human factors are exploited by cybercriminals, causing significant financial and reputational losses to organizations. According to Verizon's 2021 Data Breach Investigations Report, 85% of breaches involved a human element, while 61% involved stolen or compromised credentials, with an average breach cost of more than $3 million. To prevent cyberattacks, organizations focus on training employees and developing new policies, while also trying to maintain a balance between the complexity of security systems and their usability. However, the unpredictability of human behavior, the rapid evolution of the digital world and the growing availability of technological resources for cybercriminals pose new challenges, both in anticipating cyber threats in new environments and in the emergence of new threats in systems considered secure to date. On the other hand, the complexity and uniqueness of human behavior open up possibilities for designing new solutions to mitigate threats, improving the security of organizations and users. In this thesis, we investigate human interactions and cybersecurity, focusing on two main aspects: (i) the development of new attacks, based on human interaction, against existing and consolidated authentication methods (PIN pads), and (ii) the proposal of new methods that exploit human behavior in different contexts to improve the security of users and organizations.
The first part of this thesis demonstrates the effectiveness of three attacks against the security of PIN-based authentication systems, focusing on the PIN pads of Automated Teller Machines (ATMs). ATMs have become such an indispensable part of the banking ecosystem that, according to the European Central Bank, in 2019 more than 11 billion withdrawal and deposit transactions were made in Europe alone. In particular, we show how ATM PIN pads are exposed to security threats related to human factors even when users behave in compliance with policy. We analyze different attack scenarios depending on the sources of information available to the attacker (for example video, audio, thermal, typing style). The results show that in the worst-case scenario for the victim, our attacks can reconstruct up to 94% of the 5-digit PINs typed within three attempts. In the second part of this thesis, we show how the variability and unpredictability of human behavior can be exploited to increase the security of systems and users. We develop new human-based approaches focusing on three different contexts: (i) new methods for bot detection in social networks (for example Twitter) based on the stylistic consistency of posts over time, (ii) a new framework for identifying fake and genuine expressions from videos, and (iii) a new de-authentication method based on the detection of physically blurred faces. The results demonstrate the effectiveness of the proposed approaches, achieving an F1-score of up to 98% in human-bot classification, an accuracy of up to 90% in detecting fake sadness, and an accuracy in de-authenticating users of up to 100% with a grace period of under 3 seconds.
This thesis highlights the need for greater effort in designing security solutions that focus on human factors, pointing the direction for further investigation in the analysis of human interactions in cybersecurity.

    Equilibrioception: a Method to Evaluate the Sense of Balance

    No full text
    In this study, we present an algorithm for the assessment of one's own perception of balance (equilibrioception). Upright standing position is maintained by continuous updating and integration of vestibular, visual and proprioceptive information, so that a compensatory reaction can be implemented when perturbations occur. This ability to monitor and maintain balance can be considered a physiological sense, so, as for the other senses, it is fair to assume that healthy people can perceive and evaluate differences between balance states. The aim of this study is to investigate how changes in stabilometric parameters are perceived by young, healthy adults. Participants were asked to stand still on a Wii Balance Board (WBB) with feet in a constrained position; 13 trials of 30 s each were performed by each subject, the order of Eyes Open (EO) and Eyes Closed (EC) trials being semi-randomized. At the end of each trial (except the first one), participants were asked to judge whether their performance was better or worse than in the immediately preceding trial. SwayPath ratio data were used to calculate the Just Noticeable Difference (JND) between two consecutive trials, which was 0.2 when participants improved their performance from one trial to the next, and 0.4 when performance on a trial was worse than in the previous one. This "need" for a bigger difference before a worsening is perceived suggests a tendency to overestimate one's own balance. Interestingly, participants' judgement was more reliable when evaluating consecutive EC rather than EO trials, at least when performance was worsening.

    For Your Voice Only: Exploiting Side Channels in Voice Messaging for Environment Detection

    No full text
    Voice messages are an increasingly popular method of communication, accounting for more than 200 million messages a day. Sending audio messages requires less effort from the user than texting while enhancing the message's meaning by adding an emotional context (e.g., irony). Unfortunately, we suspect that voice messages might provide much more information than intended to the prying ears of a listener. In fact, speech audio waves are both directly recorded by the microphone and propagated into the environment, and possibly reflected back to the microphone. Reflected waves along with ambient noise are also recorded by the microphone and sent as part of the voice message. In this paper, we propose a novel attack for inferring detailed information about user location (e.g., a specific room) leveraging a simple WhatsApp voice message. We demonstrated our attack considering 7,200 voice messages from 15 different users and four environments (i.e., three bedrooms and a terrace). We considered three realistic attack scenarios depending on the previous knowledge of the attacker about the victim and the environment. Our thorough experimental results demonstrate the feasibility and efficacy of our proposed attack. We can infer the location of the user among a pool of four known environments with 85% accuracy. Moreover, our approach reaches an average accuracy of 93% in discerning between two rooms of similar size and furniture (i.e., two bedrooms) and an accuracy of up to 99% in classifying indoor and outdoor environments.
    Green Open Access copy deposited in the TU Delft Institutional Repository under the Taverne project (https://www.openaccess.nl/en/you-share-we-take-care); otherwise, as indicated in the copyright section, the publisher is the copyright holder of this work. Subjects: Cyber Security; Electrical Engineering, Mathematics and Computer Science.