10 research outputs found

    Are Software Updates Useless Against Advanced Persistent Threats?

    A dilemma worthy of Shakespeare's Hamlet is increasingly haunting companies and security researchers: "to update or not to update, this is the question". From the perspective of the common practices recommended by software vendors, the answer is unambiguous: you should keep your software up-to-date. But is common sense always good sense? We argue it is not

    Pareto-Optimal Defenses for the Web Infrastructure: Theory and Practice

    The integrity of the content a user is exposed to when browsing the web relies on a plethora of non-web technologies and an infrastructure of interdependent hosts, communication technologies, and trust relations. Incidents like the Chinese Great Cannon or the MyEtherWallet attack make it painfully clear: the security of end users hinges on the security of the surrounding infrastructure: routing, DNS, content delivery, and the PKI. There are many competing, but isolated, proposals to increase security, from the network up to the application layer. So far, researchers have focused on analyzing attacks and defenses on specific layers. We still lack an evaluation of how, given the status quo of the web, these proposals can be combined, how effective they are, and at what cost the increase in security comes. In this work, we propose a graph-based analysis based on Stackelberg planning that considers a rich attacker model and a multitude of proposals from IPsec to DNSSEC and SRI. Our threat model considers the security of billions of users against attackers ranging from small hacker groups to nation-state actors. Analyzing the infrastructure of the Top 5k Alexa domains, we discover that the security mechanisms currently deployed are ineffective and that some infrastructure providers have a threat potential comparable to nations. We find that a considerable increase in security (up to 13% protected web visits) is possible at relatively modest cost, due to the effectiveness of mitigations at the application and transport layers, which dominate expensive infrastructure enhancements such as DNSSEC and IPsec.

    A Calculus of Tracking: Theory and Practice

    Online tracking techniques, the interactions among trackers, and the economic and social impact of these procedures in the advertising ecosystem have received increasing attention in recent years. This work proposes a novel formal model that describes the foundations on which the visible process of data sharing behaves in terms of the network configurations of the Internet (including CDNs, shared cookies, etc.). From our model, we define relations that can be used to evaluate the impact of different privacy mitigations and to determine whether websites comply with privacy regulations. We show that the calculus, based on a fragment of intuitionistic logic, is tractable and constructive: any formal derivation in the model corresponds to an actual tracking practice that can be implemented given the current configuration of the Internet. We apply our model to a dataset obtained from OpenWPM to evaluate the effectiveness of tracking mitigations on the Alexa Top 100.

    Software Updates Strategies: a Quantitative Evaluation against Advanced Persistent Threats

    Software updates reduce the opportunity for exploitation. However, since updates can also introduce breaking changes, enterprises face the problem of balancing the need to secure software through updates against the need to support operations. We propose a methodology to quantitatively investigate the effectiveness of software update strategies against attacks by Advanced Persistent Threats (APTs). We consider strategies ranging from those where vendor updates are the only limiting factor to cases in which enterprises delay updates from 1 to 7 months, based on SANS data. Our manually curated dataset of APT attacks covers 86 APTs and 350 campaigns from 2008 to 2020. It includes information about attack vectors, exploited vulnerabilities (e.g., 0-days vs. public vulnerabilities), and affected software and versions. Contrary to common belief, most APT campaigns employed publicly known vulnerabilities. If an enterprise could theoretically update as soon as an update is released, it would face lower odds of being compromised than those waiting one month (4.9x) or three months (9.1x). However, if attacked, it could still be compromised 14% to 33% of the time. As in practice enterprises must do regression testing before applying an update, our major finding is that one could perform only 12% of all possible updates, restricting oneself to versions fixing publicly known vulnerabilities, without significant change to the odds of being compromised compared to a company that applies all updates.

    A Graph-Based Stratified Sampling Methodology for the Analysis of (Underground) Forums

    Researchers analyze underground forums to study abuse and cybercrime activities. Due to the size of the forums and the domain expertise required to identify criminal discussions, most approaches employ supervised machine learning techniques to automatically classify the posts of interest. Human annotation is costly, so how should one select the samples to annotate so that they account for the structure of the forum? We present a methodology to generate stratified samples based on information about the centrality properties of the population, and we evaluate classifier performance. We observe that by employing a sample obtained from a uniform distribution of the post degree centrality metric, we maintain the same level of precision but significantly increase the recall (+30%) compared to a sample whose distribution respects the population stratification. We find that classifiers trained with similar samples disagree on the classification of criminal activities up to 33% of the time when deployed on the entire forum.

    Mapping the geographic origin of captive and confiscated Hermann’s tortoises: a genetic toolkit for conservation and forensic analyses

    The illegal trade has been threatening tortoise populations worldwide for decades. Nowadays, however, DNA typing and forensic genetic approaches allow us to investigate the geographic origin of confiscated animals and to relocate them into the wild, provided that suitable molecular tools and reference data are available. Here we assess the suitability of a small panel of microsatellite markers to investigate patterns of illegal translocations and to assist forensic genetic applications in the endangered Mediterranean land tortoise Testudo hermanni hermanni. Specific allelic ladders were created for each locus and tested on several reference samples. We used the microsatellite panel to (i) increase our understanding of the population genetic structure in wild populations with new data from previously unsampled geographic areas (overall 461 wild individuals from 28 sampling sites); (ii) detect the presence of non-native individuals in wild populations; and (iii) identify the most likely geographic area of origin of 458 confiscated individuals hosted in Italian seizure and recovery centers. Our analysis initially identified six major genetic clusters corresponding to different geographic macro-areas along the Mediterranean range. Long-distance migrants among wild populations, due to translocations, were found and removed from the reference database. Assignment tests allowed us to allocate approximately 70% of confiscated individuals of unknown origin to one of the six Mediterranean macro-areas. Most of the assigned tortoises belonged to the genetic cluster corresponding to the area where the respective captivity center was located. However, we also found evidence of long-distance origins of confiscated individuals, especially in centers along the Adriatic coast and facing the Balkan regions, a well-known source of illegally traded individuals. Our results clearly show that the microsatellite panel and the reference dataset can play a beneficial role in reintroduction and repatriation projects when confiscated individuals need to be re-assigned to their respective macro-area of origin before release, and can assist future forensic genetic applications in detecting the illegal trade and possession of Testudo hermanni individuals.

    Effects on the incidence of cardiovascular events of the addition of pioglitazone versus sulfonylureas in patients with type 2 diabetes inadequately controlled with metformin (TOSCA.IT): a randomised, multicentre trial

    Background: The best treatment option for patients with type 2 diabetes in whom treatment with metformin alone fails to achieve adequate glycaemic control is debated. We aimed to compare the long-term effects of pioglitazone versus sulfonylureas, given in addition to metformin, on cardiovascular events in patients with type 2 diabetes. Methods: TOSCA.IT was a multicentre, randomised, pragmatic clinical trial, in which patients aged 50–75 years with type 2 diabetes inadequately controlled with metformin monotherapy (2–3 g per day) were recruited from 57 diabetes clinics in Italy. Patients were randomly assigned (1:1), by permuted blocks randomisation (block size 10), stratified by site and previous cardiovascular events, to add-on pioglitazone (15–45 mg) or a sulfonylurea (5–15 mg glibenclamide, 2–6 mg glimepiride, or 30–120 mg gliclazide, in accordance with local practice). The trial was unblinded, but event adjudicators were unaware of treatment assignment. The primary outcome, assessed with a Cox proportional-hazards model, was a composite of first occurrence of all-cause death, non-fatal myocardial infarction, non-fatal stroke, or urgent coronary revascularisation, assessed in the modified intention-to-treat population (all randomly assigned participants with baseline data available and without any protocol violations in relation to inclusion or exclusion criteria). This study is registered with ClinicalTrials.gov, number NCT00700856. Findings: Between Sept 18, 2008, and Jan 15, 2014, 3028 patients were randomly assigned and included in the analyses. 1535 were assigned to pioglitazone and 1493 to sulfonylureas (glibenclamide 24 [2%], glimepiride 723 [48%], gliclazide 745 [50%]). At baseline, 335 (11%) participants had a previous cardiovascular event. The study was stopped early on the basis of a futility analysis after a median follow-up of 57.3 months. The primary outcome occurred in 105 patients (1.5 per 100 person-years) who were given pioglitazone and 108 (1.5 per 100 person-years) who were given sulfonylureas (hazard ratio 0.96, 95% CI 0.74–1.26, p=0.79). Fewer patients had hypoglycaemias in the pioglitazone group than in the sulfonylureas group (148 [10%] vs 508 [34%], p<0.0001). Moderate weight gain (less than 2 kg, on average) occurred in both groups. Rates of heart failure, bladder cancer, and fractures were not significantly different between treatment groups. Interpretation: In this long-term, pragmatic trial, incidence of cardiovascular events was similar with sulfonylureas (mostly glimepiride and gliclazide) and pioglitazone as add-on treatments to metformin. Both of these widely available and affordable treatments are suitable options with respect to efficacy and adverse events, although pioglitazone was associated with fewer hypoglycaemia events. Funding: Italian Medicines Agency, Diabete Ricerca, and Italian Diabetes Society.

    Dietary intake and major food sources of polyphenols in people with type 2 diabetes: The TOSCA.IT Study

    Purpose: Proper evaluation of polyphenol intake at the population level is a necessary step in order to establish possible associations with health outcomes. Available data are limited, and so far no study has been performed in people with diabetes. The aim of this work was to document the intake of polyphenols and their major food sources in a cohort of people with type 2 diabetes and in socio-demographic subgroups. Methods: We studied 2573 men and women aged 50–75 years. Among others, anthropometry was measured by standard protocol and dietary habits were investigated by food frequency questionnaire (EPIC). The intake of polyphenols was evaluated using US Department of Agriculture and Phenol-Explorer databases. Results: The mean total polyphenol intake was 683.3 ± 5.8 mg/day. Non-alcoholic beverages represented the main food source of dietary polyphenols and provided 35.5% of total polyphenol intake, followed by fruits (23.0%), alcoholic beverages (14.0%), vegetables (12.4%), cereal products and tubers (4.6%), legumes (3.7%) and oils (2.1%); chocolate, cakes and nuts were negligible sources of polyphenols in this cohort. The two most important polyphenol classes contributing to the total intake were flavonoids (47.5%) and phenolic acids (47.4%). Polyphenol intake increased with age and education level and decreased with BMI; furthermore, in the northern regions of Italy, the polyphenol intake was slightly, but significantly, higher than in the central or southern regions. Conclusions: The study documents for the first time the intake of polyphenols and their main food sources in people with diabetes using validated and complete databases of the polyphenol content of food. Compared with published data, collected in people without diabetes, these results suggest a lower intake and a different pattern of intake in people with diabetes.