25 research outputs found

    Gridchain: an investigation of privacy for the future local distribution grid

    As part of building the smart grid, there is a massive deployment of so-called smart meters that aggregate information and communicate with the back-end office, apart from measuring properties of the local network. Detailed measurements and communication of, e.g., consumption allows for remote billing, but also in finding problems in the distribution of power and overall to provide data to be used to plan future upgrades of the network. From a security perspective, a massive deployment of such Internet of Things (IoT) components increases the risk that some may be compromised or that collected data are used for privacy-sensitive inference of the consumption of households. In this paper, we investigate the privacy concerns regarding detailed readings of smart meters for billing purposes. We present Gridchain, a solution where households can opt-in to hide their consumption patterns and thus make Non-Intrusive Load Monitoring (NILM) more challenging. Households form groups where they can trade real consumption among themselves to achieve reported consumption that would be resistant to NILM. Gridchain is built on a publish/subscribe model and uses a permissioned blockchain to record any trades, meaning that dishonest households can be discovered and punished if they steal from other households in the group or the electricity company in the end. We implement and release a proof of concept of Gridchain and use public datasets to allow reproducibility. Our results show that even if an attacker has access to the reported electricity consumption of any member of a Gridchain group, this reported consumption is significantly far from the actual consumption to allow for a detailed fingerprint of the household activities

    Modelling Cryptographic Distinguishers Using Machine Learning

    Cryptanalysis is the development and study of attacks against cryptographic primitives and protocols. Many cryptographic properties rely on the difficulty of generating an adversary who, given an object sampled from one of two classes, correctly distinguishes the class used to generate that object. In the case of cipher suite distinguishing problem, the classes are two different cryptographic primitives. In this paper, we propose a methodology based on machine learning to automatically generate classifiers that can be used by an adversary to solve any distinguishing problem. We discuss the assumptions, a basic approach for improving the advantage of the adversary as well as a phenomenon that we call the “blind spot paradox”. We apply our methodology to generate distinguishers for the NIST (DRBG) cipher suite problem. Finally, we provide empirical evidence that the distinguishers might statistically have some advantage to distinguish between the DRBG used

    Hardening the security analysis of browser extensions

    Browser extensions boost the browsing experience by a range of features from automatic translation and grammar correction to password management, ad blocking, and remote desktops. Yet the power of extensions poses significant privacy and security challenges because extensions can be malicious and/or vulnerable. We observe that there are gaps in the previous work on analyzing the security of browser extensions and present a systematic study of attack entry points in the browser extension ecosystem. Our study reveals novel password stealing, traffic stealing, and inter-extension attacks. Based on a combination of static and dynamic analysis we show how to discover extension attacks, both known and novel ones, and study their prevalence in the wild. We show that 1,349 extensions are vulnerable to inter-extension attacks leading to XSS. Our empirical study uncovers a remarkable cluster of "New Tab" extensions where 4,410 extensions perform traffic stealing attacks. We suggest several avenues for the countermeasures against the uncovered attacks, ranging from refining the permission model to mitigating the attacks by declarations in manifest files

    After you, please: browser extensions order attacks and countermeasures

    Browser extensions are small applications executed in the browser context that provide additional capabilities and enrich the user experience while surfing the web. The acceptance of extensions in current browsers is unquestionable. For instance, Chrome's official extension repository has more than 63,000 extensions, with some of them having more than 10M users. When installed, extensions are pushed into an internal queue within the browser. The order in which each extension executes depends on a number of factors, including their relative installation times. In this paper, we demonstrate how this order can be exploited by an unprivileged malicious extension (i.e., one with no more permissions than those already assigned when accessing web content) to get access to any private information that other extensions have previously introduced. We propose a solution that does not require modifying the core browser engine, since it is implemented as another browser extension. We prove that our approach effectively protects the user against usual attackers (i.e., any other installed extension) as well as against strong attackers having access to the effects of all installed extensions (i.e., knowing who did what). We also prove soundness and robustness of our approach under reasonable assumptions

    Are chrome extensions compliant with the spirit of least privilege?

    Extensions are small applications installed by users and enrich the user experience of browsing the Internet. Browsers expose a set of restricted APIs to extensions. To be used, extensions need to list the permissions associated with these APIs in a mandatory extension file named manifest. In particular, Chrome’s permission ecosystem was designed in the spirit of the least privilege. Yet, this paper demonstrates that 39.8% of the analyzed extensions provided by the official Web Store are compliant with the spirit of least privilege. Also, we develop: (1) a browser extension to make aware regular users of the permissions the extensions they install; (2) a web app where extensions developers can check whether their extensions are compliant with the spirit of the least privileged; and (3) a set of scripts that can be part of the vendors’ acceptance criteria such that when developers upload their extensions to the official repositories, the scripts automatically analyze the extensions and generate a report about the permissions and the usage

    Secure publish-subscribe protocols for heterogeneous medical wireless body area networks

    Security and privacy issues in medical wireless body area networks (WBANs) constitute a major unsolved concern because of the challenges posed by the scarcity of resources in WBAN devices and the usability restrictions imposed by the healthcare domain. In this paper, we describe a WBAN architecture based on the well-known publish-subscribe paradigm. We present two protocols for publishing data and sending commands to a sensor that guarantee confidentiality and fine-grained access control. Both protocols are based on a recently proposed ciphertext policy attribute-based encryption (CP-ABE) scheme that is lightweight enough to be embedded into wearable sensors. We show how sensors can implement lattice-based access control (LBAC) policies using this scheme, which are highly appropriate for the eHealth domain. We report experimental results with a prototype implementation demonstrating the suitability of our proposed solution. This work was supported by the MINECO grant TIN2013-46469-R (SPINY: Security and Privacy in the Internet of You)

    Clipaha: A Scheme to Perform Password Stretching on the Client

    Password security relies heavily on the choice of password by the user but also on the one-way hash functions used to protect stored passwords. To compensate for the increased computing power of attackers, modern password hash functions like Argon2, have been made more complex in terms of computational power and memory requirements. Nowadays, the computation of such hash functions is performed usually by the server (or authenticator) instead of the client. Therefore, constrained Internet of Things devices cannot use such functions when authenticating users. Additionally, the load of computing such functions may expose servers to denial of service attacks. In this work, we discuss client-side hashing as an alternative. We propose Clipaha, a client-side hashing scheme that allows using high-security password hashing even on highly constrained server devices. Clipaha is robust to a broader range of attacks compared to previous work and covers important and complex usage scenarios. Our evaluation discusses critical aspects involved in client-side hashing. We also provide an implementation of Clipaha in the form of a web library and benchmark the library on different systems to understand its mixed JavaScript and WebAssembly approach's limitations. Benchmarks show that our library is 50% faster than similar libraries and can run on some devices where previous work fails

    Gamification of the History of Veterinary Medicine: Phase II (Ludificación de la Historia de Veterinaria: Fase II)

    In this call, the experience of the previous project has been put to use, and the methodology of ludification or gamification as a learning tool has been continued, improving and adapting the methodology even further to the teaching aims of the degree. Student motivation has been increased, and a new component has been added: the integrating or identity-building effect on students, teaching staff and administrative and service staff (PAS) with respect to the profession and the centre. The products obtained, such as audiovisual material and texts, and the performances have been shown at commemorative events or celebrations of the centre. In addition, the repository of teaching material produced with each project has grown. In this new project, historical-theatrical portrayals of relevant figures in the history of veterinary medicine have been carried out, performed by the enrolled students and teachers themselves, addressing different problems faced by professionals or in different historical periods. Among the products produced are the texts with the scripts written, 9 videos with dramatizations and 20 brief presentations of figures. Another of the final products, in the form of a video 6.19 minutes long, was presented to the university community at the Gala atrévete of the Faculty of Veterinary Medicine in 2019, before more than two hundred students and teachers. The products and the project were presented as part of an oral communication at the XXIV Congreso Nacional y XV Iberoamericano de Historia de la Veterinaria, held in Almería from 26 to 28 October 2018. The impact of the project could be verified over the months of performances through the level of social-media activity among students and the attendance of more teachers and students, including some not involved, with a desire to learn and see this new teaching tool

    Mortality and pulmonary complications in patients undergoing surgery with perioperative SARS-CoV-2 infection: an international cohort study

    Background: The impact of severe acute respiratory syndrome coronavirus 2 (SARS-CoV-2) on postoperative recovery needs to be understood to inform clinical decision making during and after the COVID-19 pandemic. This study reports 30-day mortality and pulmonary complication rates in patients with perioperative SARS-CoV-2 infection. Methods: This international, multicentre, cohort study at 235 hospitals in 24 countries included all patients undergoing surgery who had SARS-CoV-2 infection confirmed within 7 days before or 30 days after surgery. The primary outcome measure was 30-day postoperative mortality and was assessed in all enrolled patients. The main secondary outcome measure was pulmonary complications, defined as pneumonia, acute respiratory distress syndrome, or unexpected postoperative ventilation. Findings: This analysis includes 1128 patients who had surgery between Jan 1 and March 31, 2020, of whom 835 (74·0%) had emergency surgery and 280 (24·8%) had elective surgery. SARS-CoV-2 infection was confirmed preoperatively in 294 (26·1%) patients. 30-day mortality was 23·8% (268 of 1128). Pulmonary complications occurred in 577 (51·2%) of 1128 patients; 30-day mortality in these patients was 38·0% (219 of 577), accounting for 81·7% (219 of 268) of all deaths. In adjusted analyses, 30-day mortality was associated with male sex (odds ratio 1·75 [95% CI 1·28–2·40], p<0·0001), age 70 years or older versus younger than 70 years (2·30 [1·65–3·22], p<0·0001), American Society of Anesthesiologists grades 3–5 versus grades 1–2 (2·35 [1·57–3·53], p<0·0001), malignant versus benign or obstetric diagnosis (1·55 [1·01–2·39], p=0·046), emergency versus elective surgery (1·67 [1·06–2·63], p=0·026), and major versus minor surgery (1·52 [1·01–2·31], p=0·047). Interpretation: Postoperative pulmonary complications occur in half of patients with perioperative SARS-CoV-2 infection and are associated with high mortality. Thresholds for surgery during the COVID-19 pandemic should be higher than during normal practice, particularly in men aged 70 years and older. Consideration should be given for postponing non-urgent procedures and promoting non-operative treatment to delay or avoid the need for surgery. Funding: National Institute for Health Research (NIHR), Association of Coloproctology of Great Britain and Ireland, Bowel and Cancer Research, Bowel Disease Research Foundation, Association of Upper Gastrointestinal Surgeons, British Association of Surgical Oncology, British Gynaecological Cancer Society, European Society of Coloproctology, NIHR Academy, Sarcoma UK, Vascular Society for Great Britain and Ireland, and Yorkshire Cancer Research