Shahryar Baki, Rakesh M. Verma, Arjun Mukherjee, O. Gnawali
We focus on email-based attacks, a rich field with well-publicized consequences. We show how current Natural Language Generation (NLG) technology allows an attacker to generate masquerade attacks on scale, and study their effectiveness with a within-subjects study. We also gather insights on what parts of an email do users focus on and how users identify attacks in this realm, by planting signals and also by asking them for their reasoning. We find that: (i) 17% of participants could not identify any of the signals that were inserted in emails, and (ii) Participants were unable to perform better than random guessing on these attacks. The insights gathered and the tools and techniques employed could help defenders in: (i) implementing new, customized anti-phishing solutions for Internet users including training next-generation email filters that go beyond vanilla spam filters and capable of addressing masquerade, (ii) more effectively training and upgrading the skills of email users, and (iii) understanding the dynamics of this novel attack and its ability of tricking humans.
{"title":"Scaling and Effectiveness of Email Masquerade Attacks: Exploiting Natural Language Generation","authors":"Shahryar Baki, Rakesh M. Verma, Arjun Mukherjee, O. Gnawali","doi":"10.1145/3052973.3053037","DOIUrl":"https://doi.org/10.1145/3052973.3053037","url":null,"abstract":"We focus on email-based attacks, a rich field with well-publicized consequences. We show how current Natural Language Generation (NLG) technology allows an attacker to generate masquerade attacks on scale, and study their effectiveness with a within-subjects study. We also gather insights on what parts of an email do users focus on and how users identify attacks in this realm, by planting signals and also by asking them for their reasoning. We find that: (i) 17% of participants could not identify any of the signals that were inserted in emails, and (ii) Participants were unable to perform better than random guessing on these attacks. The insights gathered and the tools and techniques employed could help defenders in: (i) implementing new, customized anti-phishing solutions for Internet users including training next-generation email filters that go beyond vanilla spam filters and capable of addressing masquerade, (ii) more effectively training and upgrading the skills of email users, and (iii) understanding the dynamics of this novel attack and its ability of tricking humans.","PeriodicalId":20540,"journal":{"name":"Proceedings of the 2017 ACM on Asia Conference on Computer and Communications Security","volume":"322 1","pages":""},"PeriodicalIF":0.0,"publicationDate":"2017-04-02","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"77989106","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Dennis Felsch, Christian Mainka, Vladislav Mladenov, Jörg Schwenk
Real-time editing tools like Google Docs, Microsoft Office Online, or Etherpad have changed the way of collaboration. Many of these tools are based on Operational Transforms (OT), which guarantee that the views of different clients onto a document remain consistent over time. Usually, documents and operations are exposed to the server in plaintext -- and thus to administrators, governments, and potentially cyber criminals. Therefore, it is highly desirable to work collaboratively on encrypted documents. Previous implementations do not unleash the full potential of this idea: They either require large storage, network, and computation overhead, are not real-time collaborative, or do not take the structure of the document into account. The latter simplifies the approach since only OT algorithms for byte sequences are required, but the resulting ciphertexts are almost four times the size of the corresponding plaintexts. We present SECRET, the first secure, efficient, and collaborative real-time editor. In contrast to all previous works, SECRET is the first tool that (1.) allows the encryption of whole documents or arbitrary sub-parts thereof, (2.) uses a novel combination of tree-based OT with a structure preserving encryption, and (3.) requires only a modern browser without any extra software installation or browser extension. We evaluate our implementation and show that its encryption overhead is three times smaller in comparison to all previous approaches. SECRET can even be used by multiple users in a low-bandwidth scenario. The source code of SECRET is published on GitHub as an open-source project:https://github.com/RUB-NDS/SECRET/
{"title":"SECRET: On the Feasibility of a Secure, Efficient, and Collaborative Real-Time Web Editor","authors":"Dennis Felsch, Christian Mainka, Vladislav Mladenov, Jörg Schwenk","doi":"10.1145/3052973.3052982","DOIUrl":"https://doi.org/10.1145/3052973.3052982","url":null,"abstract":"Real-time editing tools like Google Docs, Microsoft Office Online, or Etherpad have changed the way of collaboration. Many of these tools are based on Operational Transforms (OT), which guarantee that the views of different clients onto a document remain consistent over time. Usually, documents and operations are exposed to the server in plaintext -- and thus to administrators, governments, and potentially cyber criminals. Therefore, it is highly desirable to work collaboratively on encrypted documents. Previous implementations do not unleash the full potential of this idea: They either require large storage, network, and computation overhead, are not real-time collaborative, or do not take the structure of the document into account. The latter simplifies the approach since only OT algorithms for byte sequences are required, but the resulting ciphertexts are almost four times the size of the corresponding plaintexts. We present SECRET, the first secure, efficient, and collaborative real-time editor. In contrast to all previous works, SECRET is the first tool that (1.) allows the encryption of whole documents or arbitrary sub-parts thereof, (2.) uses a novel combination of tree-based OT with a structure preserving encryption, and (3.) requires only a modern browser without any extra software installation or browser extension. We evaluate our implementation and show that its encryption overhead is three times smaller in comparison to all previous approaches. SECRET can even be used by multiple users in a low-bandwidth scenario. The source code of SECRET is published on GitHub as an open-source project:https://github.com/RUB-NDS/SECRET/","PeriodicalId":20540,"journal":{"name":"Proceedings of the 2017 ACM on Asia Conference on Computer and Communications Security","volume":"18 1","pages":""},"PeriodicalIF":0.0,"publicationDate":"2017-04-02","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"84338738","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Delay-based Internet geolocation techniques are repeatedly positioned as well suited for security-sensitive applications, e.g., location-based access control, and credit-card verification. We present new strategies enabling adversaries to accurately control the forged location. Evaluation showed that using the new strategies, adversaries could misrepresent their true locations by over 15000km, and in some cases within 100km of an intended geographic location. This work significantly improves the adversary's control in misrepresenting its location, directly refuting the appropriateness of current techniques for security-sensitive applications. We finally discuss countermeasures to mitigate such strategies.
{"title":"Accurate Manipulation of Delay-based Internet Geolocation","authors":"A. Abdou, A. Matrawy, P. V. Oorschot","doi":"10.1145/3052973.3052993","DOIUrl":"https://doi.org/10.1145/3052973.3052993","url":null,"abstract":"Delay-based Internet geolocation techniques are repeatedly positioned as well suited for security-sensitive applications, e.g., location-based access control, and credit-card verification. We present new strategies enabling adversaries to accurately control the forged location. Evaluation showed that using the new strategies, adversaries could misrepresent their true locations by over 15000km, and in some cases within 100km of an intended geographic location. This work significantly improves the adversary's control in misrepresenting its location, directly refuting the appropriateness of current techniques for security-sensitive applications. We finally discuss countermeasures to mitigate such strategies.","PeriodicalId":20540,"journal":{"name":"Proceedings of the 2017 ACM on Asia Conference on Computer and Communications Security","volume":"50 1","pages":""},"PeriodicalIF":0.0,"publicationDate":"2017-04-02","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"85610331","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Session details: Mobile Security 1","authors":"N. Asokan","doi":"10.1145/3248560","DOIUrl":"https://doi.org/10.1145/3248560","url":null,"abstract":"","PeriodicalId":20540,"journal":{"name":"Proceedings of the 2017 ACM on Asia Conference on Computer and Communications Security","volume":"49 1","pages":""},"PeriodicalIF":0.0,"publicationDate":"2017-04-02","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"85367302","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Session details: Privacy","authors":"Cong Wang","doi":"10.1145/3248558","DOIUrl":"https://doi.org/10.1145/3248558","url":null,"abstract":"","PeriodicalId":20540,"journal":{"name":"Proceedings of the 2017 ACM on Asia Conference on Computer and Communications Security","volume":"18 1","pages":""},"PeriodicalIF":0.0,"publicationDate":"2017-04-02","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"75337121","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Tom Chothia, M. Ordean, Joeri de Ruiter, Richard J. Thomas
This paper presents the results of a cryptographic analysis of the protocols used by the European Rail Traffic Management System (ERTMS). A stack of three protocols secures the communication between trains and trackside equipment; encrypted radio communication is provided by the GSM-R protocol, on top of this the EuroRadio protocol provides authentication for a train control application-level protocol. We present an attack which exploits weaknesses in all three protocols: GSM-R has the same well known weaknesses as the GSM protocol, and we present a new collision attack against the EuroRadio protocol. Combined with design weaknesses in the application-level protocol, these vulnerabilities allow an attacker, who observes a MAC collision, to forge train control messages. We demonstrate this attack with a proof of concept using train control messages we have generated ourselves. Currently, ERTMS is only used to send small amounts of data for short sessions, therefore this attack does not present an immediate danger. However, if EuroRadio was to be used to transfer larger amounts of data trains would become vulnerable to this attack. Additionally, we calculate that, under reasonable assumptions, an attacker who could monitor all backend control centres in a country the size of the UK for 45 days would have a 1% chance of being able to take control of a train.
{"title":"An Attack Against Message Authentication in the ERTMS Train to Trackside Communication Protocols","authors":"Tom Chothia, M. Ordean, Joeri de Ruiter, Richard J. Thomas","doi":"10.1145/3052973.3053027","DOIUrl":"https://doi.org/10.1145/3052973.3053027","url":null,"abstract":"This paper presents the results of a cryptographic analysis of the protocols used by the European Rail Traffic Management System (ERTMS). A stack of three protocols secures the communication between trains and trackside equipment; encrypted radio communication is provided by the GSM-R protocol, on top of this the EuroRadio protocol provides authentication for a train control application-level protocol. We present an attack which exploits weaknesses in all three protocols: GSM-R has the same well known weaknesses as the GSM protocol, and we present a new collision attack against the EuroRadio protocol. Combined with design weaknesses in the application-level protocol, these vulnerabilities allow an attacker, who observes a MAC collision, to forge train control messages. We demonstrate this attack with a proof of concept using train control messages we have generated ourselves. Currently, ERTMS is only used to send small amounts of data for short sessions, therefore this attack does not present an immediate danger. However, if EuroRadio was to be used to transfer larger amounts of data trains would become vulnerable to this attack. Additionally, we calculate that, under reasonable assumptions, an attacker who could monitor all backend control centres in a country the size of the UK for 45 days would have a 1% chance of being able to take control of a train.","PeriodicalId":20540,"journal":{"name":"Proceedings of the 2017 ACM on Asia Conference on Computer and Communications Security","volume":"50 1","pages":""},"PeriodicalIF":0.0,"publicationDate":"2017-04-02","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"90757536","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Personal Identification Numbers (PINs) are ubiquitously used in embedded computing systems where user input interfaces are constrained. Yet, little attention has been paid to this important kind of authentication credentials, especially for 6-digit PINs which dominate in Asian countries and are gaining popularity worldwide. Unsurprisingly, many fundamental questions (e.g., what's the distribution that human-chosen PINs follow?) remain as intact as about fifty years ago when they first arose. In this work, we conduct a systematic investigation into the characteristics, distribution and security of both 4-digit PINs and 6-digit PINs that are chosen by English users and Chinese users. Particularly, we, for the first time, perform a comprehensive comparison of the PIN characteristics and security between these two distinct user groups. Our results show that there are great differences in PIN choices between these two groups of users, a small number of popular patterns prevail in both groups, and surprisingly, over 50% of every PIN datasets can be accounted for by just the top 5%~8% most popular PINs. What's disturbing is the observation that, as online guessing is a much more serious threat than offline guessing in the current PIN-based systems, longer PINs only attain marginally improved security: human-chosen 4-digit PINs can offer about 6.6 bits of security against online guessing and 8.4 bits of security against offline guessing, and this figure for 6-digit PINs is 7.2 bits and 13.2 bits, respectively. We, for the first time, reveal that Zipf's law is likely to exist in PINs. Despite distinct language/cultural backgrounds, both user groups choose PINs with almost the same Zipf distribution function, and such Zipf PIN-distribution from one source (about which we may know little information) can be well predicted by real-world attackers by running Markov-Chains with PINs from another known source. Our Zipf theory would have foundational implications for analyzing PIN-based protocols and for designing PIN creation policies, while our security measurements provide guidance for bank agencies and financial authorities that are planning to conduct PIN migration from 4-digits to 6-digits.
{"title":"Understanding Human-Chosen PINs: Characteristics, Distribution and Security","authors":"Ding Wang, Qianchen Gu, Xinyi Huang, Ping Wang","doi":"10.1145/3052973.3053031","DOIUrl":"https://doi.org/10.1145/3052973.3053031","url":null,"abstract":"Personal Identification Numbers (PINs) are ubiquitously used in embedded computing systems where user input interfaces are constrained. Yet, little attention has been paid to this important kind of authentication credentials, especially for 6-digit PINs which dominate in Asian countries and are gaining popularity worldwide. Unsurprisingly, many fundamental questions (e.g., what's the distribution that human-chosen PINs follow?) remain as intact as about fifty years ago when they first arose. In this work, we conduct a systematic investigation into the characteristics, distribution and security of both 4-digit PINs and 6-digit PINs that are chosen by English users and Chinese users. Particularly, we, for the first time, perform a comprehensive comparison of the PIN characteristics and security between these two distinct user groups. Our results show that there are great differences in PIN choices between these two groups of users, a small number of popular patterns prevail in both groups, and surprisingly, over 50% of every PIN datasets can be accounted for by just the top 5%~8% most popular PINs. What's disturbing is the observation that, as online guessing is a much more serious threat than offline guessing in the current PIN-based systems, longer PINs only attain marginally improved security: human-chosen 4-digit PINs can offer about 6.6 bits of security against online guessing and 8.4 bits of security against offline guessing, and this figure for 6-digit PINs is 7.2 bits and 13.2 bits, respectively. We, for the first time, reveal that Zipf's law is likely to exist in PINs. Despite distinct language/cultural backgrounds, both user groups choose PINs with almost the same Zipf distribution function, and such Zipf PIN-distribution from one source (about which we may know little information) can be well predicted by real-world attackers by running Markov-Chains with PINs from another known source. Our Zipf theory would have foundational implications for analyzing PIN-based protocols and for designing PIN creation policies, while our security measurements provide guidance for bank agencies and financial authorities that are planning to conduct PIN migration from 4-digits to 6-digits.","PeriodicalId":20540,"journal":{"name":"Proceedings of the 2017 ACM on Asia Conference on Computer and Communications Security","volume":"145 1","pages":""},"PeriodicalIF":0.0,"publicationDate":"2017-04-02","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"76873162","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Baljit Singh, Dmitry Evtyushkin, J. Elwell, Ryan D. Riley, I. Cervesato
Recent work has investigated the use of hardware performance counters (HPCs) for the detection of malware running on a system. These works gather traces of HPCs for a variety of applications (both malicious and non-malicious) and then apply machine learning to train a detector to distinguish between benign applications and malware. In this work, we provide a more comprehensive analysis of the applicability of using machine learning and HPCs for a specific subset of malware: kernel rootkits. We design five synthetic rootkits, each providing a single piece of rootkit functionality, and execute each while collecting HPC traces of its impact on a specific benchmark application. We then apply machine learning feature selection techniques in order to determine the most relevant HPCs for the detection of these rootkits. We identify 16 HPCs that are useful for the detection of hooking based roots, and also find that rootkits employing direct kernel object manipulation (DKOM) do not significantly impact HPCs. We then use these synthetic rootkit traces to train a detection system capable of detecting new rootkits it has not seen previously with an accuracy of over 99%. Our results indicate that HPCs have the potential to be an effective tool for rootkit detection, even against new rootkits not previously seen by the detector.
{"title":"On the Detection of Kernel-Level Rootkits Using Hardware Performance Counters","authors":"Baljit Singh, Dmitry Evtyushkin, J. Elwell, Ryan D. Riley, I. Cervesato","doi":"10.1145/3052973.3052999","DOIUrl":"https://doi.org/10.1145/3052973.3052999","url":null,"abstract":"Recent work has investigated the use of hardware performance counters (HPCs) for the detection of malware running on a system. These works gather traces of HPCs for a variety of applications (both malicious and non-malicious) and then apply machine learning to train a detector to distinguish between benign applications and malware. In this work, we provide a more comprehensive analysis of the applicability of using machine learning and HPCs for a specific subset of malware: kernel rootkits. We design five synthetic rootkits, each providing a single piece of rootkit functionality, and execute each while collecting HPC traces of its impact on a specific benchmark application. We then apply machine learning feature selection techniques in order to determine the most relevant HPCs for the detection of these rootkits. We identify 16 HPCs that are useful for the detection of hooking based roots, and also find that rootkits employing direct kernel object manipulation (DKOM) do not significantly impact HPCs. We then use these synthetic rootkit traces to train a detection system capable of detecting new rootkits it has not seen previously with an accuracy of over 99%. Our results indicate that HPCs have the potential to be an effective tool for rootkit detection, even against new rootkits not previously seen by the detector.","PeriodicalId":20540,"journal":{"name":"Proceedings of the 2017 ACM on Asia Conference on Computer and Communications Security","volume":"92 1","pages":""},"PeriodicalIF":0.0,"publicationDate":"2017-04-02","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"85846874","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Session details: Embedded Systems Security 2","authors":"M. Maniatakos","doi":"10.1145/3248563","DOIUrl":"https://doi.org/10.1145/3248563","url":null,"abstract":"","PeriodicalId":20540,"journal":{"name":"Proceedings of the 2017 ACM on Asia Conference on Computer and Communications Security","volume":"22 1","pages":""},"PeriodicalIF":0.0,"publicationDate":"2017-04-02","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"82822062","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
In a sensor spoofing attack, an adversary modifies the physical environment in a certain way so as to force an embedded system into unwanted or unintended behaviors. This usually requires a thorough understanding of the system's control logic. The conventional methods for discovering this logic are manual code inspection and experimentation. In this paper, we design a directed, compositional symbolic execution framework that targets software for the popular MSP430 family of microcontrollers. Using our framework, an analyst can generate traces of sensor readings that will drive an MSP430-based embedded system to a chosen point in its code. As a case study, we use our system to generate spoofed wireless signals used as sensor inputs into AllSee, a recently proposed low-cost gesture recognition system. We then experimentally confirm that AllSee recognizes our adversarially synthesized signals as "gestures."
{"title":"Using Program Analysis to Synthesize Sensor Spoofing Attacks","authors":"I. Pustogarov, T. Ristenpart, Vitaly Shmatikov","doi":"10.1145/3052973.3053038","DOIUrl":"https://doi.org/10.1145/3052973.3053038","url":null,"abstract":"In a sensor spoofing attack, an adversary modifies the physical environment in a certain way so as to force an embedded system into unwanted or unintended behaviors. This usually requires a thorough understanding of the system's control logic. The conventional methods for discovering this logic are manual code inspection and experimentation. In this paper, we design a directed, compositional symbolic execution framework that targets software for the popular MSP430 family of microcontrollers. Using our framework, an analyst can generate traces of sensor readings that will drive an MSP430-based embedded system to a chosen point in its code. As a case study, we use our system to generate spoofed wireless signals used as sensor inputs into AllSee, a recently proposed low-cost gesture recognition system. We then experimentally confirm that AllSee recognizes our adversarially synthesized signals as \"gestures.\"","PeriodicalId":20540,"journal":{"name":"Proceedings of the 2017 ACM on Asia Conference on Computer and Communications Security","volume":"36 1","pages":""},"PeriodicalIF":0.0,"publicationDate":"2017-04-02","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"86727403","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
京公网安备 11010802042870号
京ICP备2023020795号-1
扫码关注我们
求助内容:
应助结果提醒方式: