Cybersecurity, our digital anchor: A European perspective

The Report ‘Cybersecurity – Our Digital Anchor’ brings together research from different disciplinary fields of the Joint Research Centre (JRC), the European Commission's science and knowledge service. It provides multidimensional insights into the growth of cybersecurity over the last 40 years, identifying weaknesses in the current digital evolution and their impacts on European citizens and industry. The report also sets out the elements that potentially could be used to shape a brighter and more secure future for Europe’s digital society, taking into account the new cybersecurity challenges triggered by the COVID-19 crisis. According to some projections, cybercrime will cost the world EUR 5.5 trillion by the end of 2020, up from EUR 2.7 trillion in 2015, due in part to the exploitation of the COVID-19 pandemic by cyber criminals. This figure represents the largest transfer of economic wealth in history, more profitable than the global trade in all major illegal drugs combined, putting at risk incentives for innovation and investment. Furthermore, cyber threats have moved beyond cybercrime and have become a matter of national security. The report addresses relevant issues, including: - Critical infrastructures: today, digital technologies are at the heart of all our critical infrastructures. Hence, their cybersecurity is already – and will become increasingly – a matter of critical infrastructure protection (see the cases of Estonia and Ukraine). - Magnitude of impact: the number of citizens, organisations and businesses impacted simultaneously by a single attack can be huge. - Complexity and duration of attacks: attacks are becoming more and more complex, demonstrating attackers’ enhanced planning capabilities. Moreover, attacks are often only detected post-mortem . - Computational power: the spread of malware also able to infect mobile and Internet of Things (IoT) devices (as in the case of Mirai botnet), hugely increases the distributed computational power of the attacks (especially in the case of denial of services (DoS)). The same phenomenon makes the eradication of an attack much more difficult. - Societal aspects: cyber threats can have a potentially massive impact on society, up to the point of undermining the trust citizens have in digital services. As such services are intertwined with our daily life, any successful cybersecurity strategy must take into consideration the human and, more generally, societal aspects. This report shows how the evolution of cybersecurity has always been determined by a type of cause-and-effect trend: the rise in new digital technologies followed by the discovery of new vulnerabilities, for which new cybersecurity measures must be identified. However, the magnitude and impacts of today's cyber attacks are now so critical that the digital society must prepare itself before attacks happen. Cybersecurity resilience along with measures to deter attacks and new ways to avoid software vulnerabilities should be enhanced, developed and supported. The ‘leitmotiv’ of this report is the need for a paradigm shift in the way cybersecurity is designed and deployed, to make it more proactive and better linked to societal needs. Given that data flows and information are the lifeblood of today’s digital society, cybersecurity is essential for ensuring that digital services work safely and securely while simultaneously guaranteeing citizens’ privacy and data protection. Thus, cybersecurity is evolving from a technological ‘option’ to a societal must. From big data to hyperconnectivity, from edge computing to the IoT, to artificial intelligence (AI), quantum computing and blockchain technologies, the ‘nitty-gritty’ details of cybersecurity implementation will always remain field-specific due to specific sectoral constraints. This brings with it inherent risks of a digital society with heterogeneous and inconsistent levels of security. To counteract this, we argue for a coherent, cross-sectoral and cross-societal cybersecurity strategy which can be implemented across all layers of European society. This strategy should cover not only the technological aspects but also the societal dimensions of ‘behaving in a cyber-secure way’. Consequently, the report concludes by presenting a series of possible actions instrumental to building a European digital society secure by design.JRC.E.3-Cyber and Digital Citizens' Securit

Neither Denied nor Exposed: Fixing WebRTC Privacy Leaks

To establish peer-to-peer connections and achieve realtime web-based communication, the WebRTC framework requires address information of the communicating peers. This means that users behind, say, NAT or firewalls normally rely on the ICE framework for the sake of negotiating information about the connection and media transferring. This typically involves STUN/TURN servers, which assist the peers discover each other's IP:port from a public perspective, and relay traffic if direct connection fails. Nevertheless, this IP:port private information can be easily captured by anyone who owns the corresponding STUN/TURN server. While this is acceptable for a user that deliberately initiates a WebRTC connection, it becomes a worrisome privacy issue for those being unaware that such a connection is attempted. Even though this problem is known in the related literature, no practical solution has been proposed so far. To this end, and for the sake of detecting and preventing in realtime the execution of STUN/TURN clandestine, privacy-invading requests, we introduce two different kinds of solutions (a) a browser extension, and (b) an HTTP gateway, implemented in both C++ and Golang. Both solutions detect any WebRTC API call before it happens and inform accordingly the end-user about the webpage's intentions. We meticulously evaluate the proposed schemes in terms of performance and demonstrate that even in the worst case, the latency introduced is tolerable.JRC.E.3-Cyber and Digital Citizens' Securit

A Survey on Mobile Malware Detection Techniques

Modern mobile devices are equipped with a variety of tools and services, and handle increasing amounts of sensitive information. In the same trend, the number of vulnerabilities exploiting mobile devices are also augmented on a daily basis and, undoubtedly, popular mobile platforms, such as Android and iOS, represent an alluring target for malware writers. While researchers strive to find alternative detection approaches to fight against mobile malware, recent reports exhibit an alarming increase in mobile malware exploiting victims to create revenues, climbing towards a billion-dollar industry. Current approaches to mobile malware analysis and detection cannot always keep up with future malware sophistication [2] [4]. The aim of this work is to provide a structured and comprehensive overview of the latest research on mobile malware detection techniques and pinpoint their benefits and limitations.JRC.E.3-Cyber and Digital Citizens' Securit

Two anatomists are better than one - Dual-level Android malware detection

The openness of the Android operating system and its immense penetration into the market makes it a hot target for malware writers. This work introduces Androtomist, a novel tool capable of symmetrically applying static and dynamic analysis of applications on the Android platform. Unlike similar hybrid solutions, Androtomist capitalizes on a wealth of features stemming from static analysis along with rigorous dynamic instrumentation to dissect applications and decide if they are benign or not. The focus is on anomaly detection using machine learning, but the system is able to autonomously conduct signature-based detection as well. Furthermore, Androtomist is publicly available as open source software and can be straightforwardly installed as a web application. The application itself is dual mode, that is, fully automated for the novice user and configurable for the expert one. As a proof-of-concept, we meticulously assess the detection accuracy of Androtomist against three different popular malware datasets and a handful of machine learning classifiers. We particularly concentrate on the classification performance achieved when the results of static analysis are combined with dynamic instrumentation vis-à-vis static analysis only. Our study also introduces an ensemble approach by averaging the output of all base classification models per malware instance separately, and provides a deeper insight on the most influencing features regarding the classification process. Depending on the employed dataset, for hybrid analysis, we report notably promising to excellent results in terms of the accuracy, F1, and AUC metrics.JRC.E.3-Cyber and Digital Citizens' Securit

Demystifying COVID-19 digital contact tracing: A survey on frameworks and mobile apps

The coronavirus pandemic is a new reality and it severely affects the modus vivendi of the international community. In this context, governments are rushing to devise or embrace novel surveillance mechanisms and monitoring systems to fight the outbreak. The development of digital tracing apps, which among others are aimed at automatising and globalising the prompt alerting of individuals at risk in a privacy-preserving manner is a prominent example of this ongoing effort. Very promptly, a number of digital contact tracing architectures has been sprouted, followed by relevant app implementations adopted by governments worldwide. Bluetooth, and specifically its Low Energy (BLE) power-conserving variant has emerged as the most promising short-range wireless network technology to implement the contact tracing service. This work offers the first to our knowledge, full-fledged review of the most concrete contact tracing architectures proposed so far. This endeavour does not only embrace the diverse types of architectures and systems, namely centralised, decentralised, or hybrid, but it equally addresses the client side, i.e., the apps that have been already deployed by European countries. There is also a full-spectrum adversary model section, which does not only amalgamate the previous work in the topic, but also brings new insights and angles to contemplate uponJRC.E.3-Cyber and Digital Citizens' Securit

What email servers can tell to Johnny: An empirical study of provider-to-provider email security

With hundred billions of emails sent daily, the adoption of contemporary email security standards and best practices by the respective providers are of utmost importance to everyone of us. Leaving out the user-dependent measures, say, S/MIME and PGP, this work concentrates on the current security standards adopted in practice by providers to safeguard the communications among their SMTP servers. To this end, we developed a non-intrusive tool coined MECSA, which is publicly available as a web application service to anyone who wishes to instantly assess the security status of their email provider regarding both the inbound and outbound channel. By capitalising on the data collected by MECSA over a period of 15 months, that is, about 7,650 assessments, analysing a total of 3,236 unique email providers, we detail on the adoption rate of state-of-the-art SMTP security extensions, including STARTTLS, SPF, DKIM, DMARC, and MTA-STS. Our results indicate a clear increase in encrypted connections and in the use of SPF, but also considerable retardation in the penetration rate of the rest of the standards. This tardiness is further aggravated by the still low prevalence of DNSSEC, which is also appraised for the email security space in the context of this work.JRC.E.3-Cyber and Digital Citizens' Securit

WPAxFuzz: Sniffing Out Vulnerabilities in Wi-Fi Implementations

This work attempts to provide a way of scrutinizing the security robustness of Wi-Fi implementations in an automated fashion. To this end, to our knowledge, we contribute the first full-featured and extensible Wi-Fi fuzzer. At the time of writing, the tool, made publicly available as open source, covers the IEEE 802.11 management and control frame types and provides a separate module for the pair of messages of the Simultaneous Authentication of Equals (SAE) authentication and key exchange method. It can be primarily used to detect vulnerabilities potentially existing in wireless Access Points (AP) under the newest Wi-Fi Protected Access 3 (WPA3) certification, but its functionalities can also be exploited against WPA2-compatible APs. Moreover, the fuzzer incorporates: (a) a dual-mode network monitoring module that monitors, in real time, the behavior of the connected AP stations and logs possible service or connection disruptions and (b) an attack tool used to verify any glitches found and automatically craft the corresponding exploit. We present results after testing the fuzzer against an assortment of off-the-shelf APs by different renowned vendors. Adhering to a coordinated disclosure process, we have reported the discovered issues to the affected vendors, already receiving positive feedback from some of them