International Journal of Information Privacy, Security and Integrity (8 papers in press)
A SECURE ONE TIME PASSWORD PROTOCOL SCHEMA
by Nawaf Aljohani, Joseph Shelton, Kaushik Roy
Abstract: Since the invention of the internet, text-based passwords have been utilized to authenticate users. This method is the most prevalent form of authentication but it has many drawbacks. An alternative password protocol is necessary to overcome the drawbacks in the traditional password system. This research proposes a novel password protocol that overcomes most password attacks. This research highlights many password attacks and shows how the proposed protocol mitigates them. Instead of a single static password being used to authenticate an individual, passwords are created based on the users input in three password boxes and the proposed protocol reorders the textboxes randomly. A hacker can capture a password generated by login requests, but password attacks will be mitigated due to the non-deterministic random order in each login request. The proposed password protocol architecture makes any captured data worthless.
Keywords: Text-based passwords; Password schema; Password-based authentication; Static password; Keyloggers; Observe attack; Guessing attack; Intercepting network; Non-deterministic.
Extending Disposable Feature Templates for Mitigating Replay Attacks
by Joseph Shelton, John Jenkins, Kaushik Roy
Abstract: Replay attacks on biometric based access control systems are dangerous if counter-measures are not instilled to mitigate these attacks. An attacker can capture packets along an unsecure network and replay them at a later time to gain unauthorized access. Traditional biometric systems use a single feature extraction method to represent an individual, making captured data hard to change. Previous work has been done to represent an individual using a set of randomly chosen, unique extractors for each access attempt. However, there are a limited number of unique extractors that can be created. This work seeks to extend the number of unique representations that can be created by evolving a set of unique masks to apply on unique representations of templates. The results on this work shows that templates with masks applied on them are unique enough from one another to mitigate replay attacks while maintaining a high recognition accuracy.
Keywords: periocular recognition; genetic and evolutionary computations; feature extraction; feature selection; cyber security; biometrics; artificial intelligence; replay attacks; privacy; authentication.
Security and Privacy Implications of Do Not Track
by Alexander Pons, Andrew Del A Rosa, Silvia Vidaurre, Luis Vargas, Eugene Pons
Abstract: In todays world where the lines between privacy and security are becoming blurred, what control if any is maintained by the consumer. User privacy in regards to internet tracking is a new and continuous topic among many technological discussions. While this issue is fairly new, the discussion on topics related to privacy and user tracking have existed for some time. As technology progresses, transparency on the manner in which user information is acquired and applied to formulate a user profile, is an issue of concern. Many companies promote their adherence to privacy and their respect towards the Do Not Track option available in most browsers, but how much transparency in the process is afforded to the consumer. The study conducted focuses on the level of understanding consumers have in regards to privacy issues and the cost and benefit of implementing a technology that users might not understand or use.
Keywords: Privacy; Security; Internet; Web; Tracking; Awareness; Marketing; Digital footprint.
Text Based Steganography
by Robert Lockwood, Kevin Curran
Abstract: Steganography is the art of hiding information within other less conspicuous information to prevent eavesdropping by way of hiding its existence in the first place. Image based steganography is the most common form but text based steganography can also be used. Text Based Steganography can be generally classified as format based, linguistic and random/statistical generation. In general random and statistical generated methods create a cover text but do not necessarily make semantic sense; that is the subject matter of each sentence has little or no relation to the next sentence. Linguistic Steganography can use natural language processing to hide information but again is still subject to analysis particularly if the basis for the cover text is an existing document.
Here we examine the leading methods of text based steganography. We evaluate a variety of steganographic techniques including Open Space Encoding, Synonym Replacement, UK / US English Translation Algorithm and Wayners Mimic Functions using five benchmarks which compare speed, capacity, complexity, compromisability and size. We find that the best methods to hide information should not use a single scheme, but a hybrid of many schemes. In order to further hide information, text should be compressed, encrypted and then hidden in a cover document.
Keywords: Steganography; Text based steganography; cryptography; security.
Automatic detection of DDoS attacks to notification services
by J. Jenny Li, Tony Savor
Abstract: A notification service alerts a large number of recipients to important or emergency events in a timely manner. A denial of service (DoS) attack inserts unnecessary traffic to slow down or chock the notification service and a distributed DoS (DDoS) comes from seemingly various sources. The challenge of automated detection of DDoS attacks lies in distinguishing attacks from temporary surge of normal notification traffic. This paper proposes an 'escalation hierarchy' method to detect such types of DDoS intrusions by monitoring performance degradation at various levels of social events. Our trial of the method on an industrial large-scale notification service showed the effectiveness of our method through automating both consistency checking of measurement data and identification of causes for performance degradation.
Keywords: notification service; combinatorial testing; covering array; DDoS attack.
Isolating malicious content scripts of browser extensions
by Kailas Patil
Abstract: In recent years, browser extensions gain great popularity among users, as they significantly enhance functionality and improve the usability of web browsers. Browser extensions can have high privileges to access web page content, thus recent browsers, such as Chrome, controls their capabilities with permissions. However, permission control is not effective to control the behaviours of content scripts injected into web sessions. Once injected into victim web sessions, malicious content scripts can perform all sorts of actions in a web application without user's knowledge. Therefore, content scripts pose serious threats to the confidentiality and integrity of web application data. To address this problem, we propose a mechanism, SessionGuard, which isolates content scripts in an isolated environment, called the shadow DOM. With the shadow DOM, SessionGuard provides content scripts an encrypted view of web application data, and controls their access to the original DOM. We have developed a proof-of-concept prototype in the Google Chrome web browser with little effect on normal browsing experience. Our experiments with real-world browser extensions demonstrate the effectiveness of the SessionGuard in protecting the confidentiality and integrity of web application data against malicious content scripts.
Keywords: browser extensions; malicious content scripts; web application integrity; shadow DOM; injection attacks; information privacy; security; integrity.
Secure and privacy-oriented obfuscation scheme for smart metering in smart grid via dynamic aggregation and lightweight perturbation
by Oladayo Olufemi Olakanmi
Abstract: Smart metering in smart grid system has raised several condemnations based on its security and privacy invasiveness. The major techniques adopted to mitigate the security and privacy invasions of smart metering are aggregation and perturbation. However, aggregating smart meters' measurements is not enough to secure or preserve the privacy of consumers in either spatial or temporal metering. More so, the existence of perfect perturbation technique which can efficiently reconstruct data during the reconstruction phase has been a major challenge in existing perturbation schemes. In this paper, a scheme that combines aggregation and perturbation to secure smart meters' measurements and preserve consumer privacy is proposed. The scheme dynamically changes the topology and direction of aggregation in neighbourhood area network during spatial and temporal aggregation. It efficiently combines perturbation and aggregation techniques. A novel perturbs generation method was proposed for the perturbation scheme with dynamic constraint-based topology generation method. The simulation results showed that the scheme not only prevented gleaning of the metering but made it difficult for the adversary to perform pre-target attack on any of the smart meters in the network.
Keywords: smart metering; topology; spatial aggregation; temporal aggregation; privacy invasion; Smart grid.
An experiment of hit-and-run wireless attacks
by J. Jenny Li, Jing-Chiou Liou
Abstract: Most security research focuses on protection from security threats. In this paper, we surveyed potential attacks to wireless networks, especially the usage of virtual machine infrastructure to carry out hit-and-run type of attacks. In the study of attacks, we demonstrate how to use a virtual machine to gain access and control to wireless routers while hiding attacker identities. We illustrate such attacks on our own private wireless network, as well as neighbourhood networks with granted permissions. Besides identifying the vulnerabilities of wireless routers, we studied the damages that can be done through such attacks and propose some solutions to detect and protect against this kind of hit-and-run attacks.
Keywords: router; wireless security; virtual machine.