References of "Lenzini, Gabriele 50002200"
Peer Reviewed
A Secure Authentication Protocol for Cholesteric Spherical Reflectors using Homomorphic Encryption
Arenas Correa, Monica Patricia UL; Bingol, Muhammed Ali; Demirci, Huseyin UL et al

in Lecture Notes in Computer Science (2022, October 06), 13503

Sometimes fingerprint-like features are found in a material. The exciting discovery poses new challenges on how to use the features to build an object authentication protocol that could tell customers and retailers equipped with a mobile device whether a good is authentic or fake. We are exactly in this situation with Cholesteric Spherical Reflectors (CSRs), tiny spheres of liquid crystals with which we can tag or coat objects. They are being proposed as a potential game-changer material in anti-counterfeiting due to their unique optical properties. In addition to the problem of processing images and extracting the minutiæ embedded in a CSR, one major challenge is designing cryptographically secure authentication protocols. The authentication procedure has to handle unstable input data; it has to measure the distance between some reference data stored at enrollment and noisy input provided at authentication. We propose a cryptographic authentication protocol that solves the problem, and that is secure against semi-honest and malicious adversaries. We prove that our design ensures data privacy even if enrolled data are leaked and even if servers and provers are actively curious. We implement and benchmark the protocol in Python using the Microsoft SEAL library through its Python wrapper PySEAL.

Peer Reviewed
When Cryptographic Ransomware Poses Cyber Threats: Ethical Challenges and Proposed Safeguards for Cybersecurity Researchers
Botes, Wilhelmina Maria UL; Lenzini, Gabriele UL

Scientific Conference (2022, June 10)

Cryptographic ransomware, a malware capable of destroying data, is a serious threat if used against providers of critical infrastructures such as healthcare, energy supply chains, banking services, and transport systems. Used as such, ransomware may qualify as cyber weapon, but the current discussion around cyber and information warfare is not sufficiently legally regulated. This delegates the safe governance thereof to the application of ethical principles but leaves researchers working on ransomware in doubt about the double-use nature of their work and what code of conduct to follow. Although some existing biomedical research ethical principles have been repurposed for ICT research, in the context of recent threats posed by ransomware attacks, these efforts need an urgent rethink, especially when it involves the research of cybersecurity researchers dealing specifically with ransomware. This paper does not offer solutions, but rather describes the complexity, nature and extent of ethical challenges raised by cybersecurity research and invites the cybersecurity research community to enter into active discussions around the need to consider the development of an appropriate research ethics framework in the domain of cybersecurity.

Peer Reviewed
Context, Prioritization, and Unexpectedness: Factors Influencing User Attitudes About Infographic and Comic Consent
Doan, Xengie Cheng UL; Selzer, Annika; Rossi, Arianna UL et al

in Web Conference Companion Volume (ACM) (2022, April 26)

Being asked to consent to data sharing is a ubiquitous experience in digital services - yet it is very rare to encounter a well designed consent experience. Considering the momentum and importance of a European data space where personal information freely and easily flows across organizations, sectors and Member States, solving the long-discussed thorny issue of "how to get consent right" cannot be postponed any further. In this paper, we describe the first findings from a study based on 24 semi-structured interviews investigating participants’ expectations and opinions toward consent in a data sharing scenario with a data trustee. We analyzed various dimensions of a consent form redesigned as a comic and an infographic, including language, information design, content and the writer-reader relationship. The results provide insights into the complexity of elements that should be considered when asking individuals to freely and mindfully disclose their data, especially sensitive information.

Peer Reviewed
Complex, but in a good way? How to represent encryption to non-experts through text and visuals – Evidence from expert co-creation and a vignette experiment
Distler, Verena UL; Gutfleisch, Tamara; Lallemand, Carine UL et al

in Computers in Human Behavior Reports (2022), 4

An ongoing discussion in the field of usable privacy and security debates whether security mechanisms should be visible to end-users during interactions with technology, or hidden away. This paper addresses this question using a mixed-methods approach, focusing on encryption as a mechanism for confidentiality during data transmission on a smartphone application. In study 1, we conducted a qualitative co-creation study with security and Human-Computer Interaction (HCI) experts (N = 9) to create appropriate textual and visual representations of the security mechanism encryption in data transmission. We investigated this question in two contexts: online banking and e-voting. In study 2, we put these ideas to the test by presenting these visual and textual representations to non-expert users in an online vignette experiment (N = 2180). We found a statistically significant and positive effect of the textual representation of encryption on perceived security and understanding, but not on user experience (UX). More complex text describing encryption resulted in higher perceived security and more accurate understanding. The visual representation of encryption had no statistically significant effect on perceived security, UX or understanding. Our study contributes to the larger discussion regarding visible instances of security and their impact on user perceptions.

Peer Reviewed
An Analysis of Cholesteric Spherical Reflector Identifiers for Object Authenticity Verification
Arenas Correa, Monica Patricia UL; Demirci, Huseyin UL; Lenzini, Gabriele UL

in Machine Learning and Knowledge Extraction (2022), 4(1), 222-239

Arrays of Cholesteric Spherical Reflectors (CSRs), microscopic cholesteric liquid crystals in a spherical shape, have been argued to become a game-changing technology in anti-counterfeiting. Used to build identifiable tags or coating, called CSR IDs, they can supply objects with unclonable fingerprint-like characteristics, making it possible to authenticate objects. In a previous study, we have shown how to extract minutiæ from CSR IDs. In this journal version, we build on that previous research, consolidate the methodology, and test it over CSR IDs obtained by different production processes. We measure the robustness and reliability of our procedure on large and variegate sets of CSR IDs’ images taken with a professional microscope (Laboratory Data set) and with a microscope that could be used in a realistic scenario (Realistic Data set). We measure intra-distance and inter-distance, proving that we can distinguish images coming from the same CSR ID from images of different CSR IDs. However, without surprise, images in Laboratory Data set have an intra-distance that on average is less, and with less variance, than the intra-distance between responses from Realistic Data set. With this evidence, we discuss a few requirements for an anti-counterfeiting technology based on CSRs.

Peer Reviewed
Privacy-preserving Copy Number Variation Analysis with Homomorphic Encryption
Demirci, Huseyin UL; Lenzini, Gabriele UL

Scientific Conference (2022)

Innovative pharma-genomics and personalized medicine services are now possible thanks to the availability for processing and analysis of a large amount of genomic data. Operating on such databases, it is possible to test for predisposition to diseases by searching for genomic variants on whole genomes as well as on exomes, which are collections of protein coding regions called exons. Genomic data are therefore shared amongst research institutes, public/private operators, and third parties, creating issues of privacy, ethics, and data protection because genome data are strictly personal and identifying. To prevent damages that could follow a data breach—a likely threat nowadays—and to be compliant with current data protection regulations, genomic data files should be encrypted, and the data processing algorithms should be privacy-preserving. Such a migration is not always feasible: not all operations can be implemented straightforwardly to be privacy-preserving; a privacy-preserving version of an algorithm may not be as accurate for the purpose of biomedical analysis as the original; or the privacy-preserving version may not scale up when applied to genomic data processing because of inefficiency in computation time. In this work, we demonstrate that at least for a well-known genomic data procedure for the analysis of copy number variants called copy number variations (CNV) a privacy-preserving analysis is possible and feasible. Our algorithm relies on Homomorphic Encryption, a cryptographic technique to perform calculations directly on the encrypted data. We test our implementation for performance and reliability, giving evidence that it is practical to study copy number variations and preserve genomic data privacy. Our proof-of-concept application successfully and efficiently searches for a patient’s somatic copy number variation changes by comparing the patient gene coverage in the whole exome with a healthy control exome coverage. Since all the genomics data are securely encrypted, the data remain protected even if they are transmitted or shared via an insecure environment like a public cloud. Being this the first study for privacy-preserving copy number variation analysis, we demonstrate the potential of recent Homomorphic Encryption tools in genomic applications.

Peer Reviewed
Unwinding a Legal and Ethical Ariadne’s Thread Out of the Twitter Scraping Maze
Rossi, Arianna UL; Kumari, Archana; Lenzini, Gabriele UL

in Schiffner, Stefan; Ziegler, Sebastien; Quesada Rodriguez, Adrian (Eds.) Data Protection Law International Convergence and Compliance with Innovative Technologies (DPLICIT) (2022)

Social media data is a gold mine for research scientists, but such type of data carries unique legal and ethical implications while there is no checklist that can be followed to effortlessly comply with all the applicable rules and principles. On the contrary, academic researchers need to find their way in a maze of regulations, sectoral and institutional codes of conduct, interpretations and techniques of compliance. Taking an autoethnographic approach combined with desk research, we describe the path we have paved to find the answers to questions such as: what counts as personal data on Twitter and can it be anonymized? How may we inform Twitter users of an ongoing data collection? Is their informed consent necessary? This article reports practical insights on ethical, legal, and technical measures that we have adopted to scrape Twitter data and discusses some solutions that should be envisaged to make the task of compliance less daunting for academic researchers. The subject matter is relevant for any social computing research activity and, more in general, for all those that intend to gather data of EU social media users.

Peer Reviewed
A Systematic Literature Review of Empirical Methods and Risk Representation in Usable Privacy and Security Research
Distler, Verena UL; Fassl, Matthias; Habib, Hana et al

in ACM Transactions on Computer-Human Interaction (2021), 28(6), 50

Usable privacy and security researchers have developed a variety of approaches to represent risk to research participants. To understand how these approaches are used and when each might be most appropriate, we conducted a systematic literature review of methods used in security and privacy studies with human participants. From a sample of 633 papers published at five top conferences between 2014 and 2018 that included keywords related to both security/privacy and usability, we systematically selected and analyzed 284 full-length papers that included human subjects studies. Our analysis focused on study methods; risk representation; the use of prototypes, scenarios, and educational intervention; the use of deception to simulate risk; and types of participants. We discuss benefits and shortcomings of the methods, and identify key methodological, ethical, and research challenges when representing and assessing security and privacy risk. We also provide guidelines for the reporting of user studies in security and privacy.

Peer Reviewed
What's in a Cyber Threat Intelligence sharing platform?: A mixed-methods user experience investigation of MISP
Stojkovski, Borce UL; Lenzini, Gabriele UL; Koenig, Vincent UL et al

in Annual Computer Security Applications Conference (ACSAC ’21) (2021, December)

The ever-increasing scale and complexity of cyber attacks and cyber-criminal activities necessitate secure and effective sharing of cyber threat intelligence (CTI) among a diverse set of stakeholders and communities. CTI sharing platforms are becoming indispensable tools for cooperative and collaborative cybersecurity. Nevertheless, despite the growing research in this area, the emphasis is often placed on the technical aspects, incentives, or implications associated with CTI sharing, as opposed to investigating challenges encountered by users of such platforms. To date, user experience (UX) aspects remain largely unexplored. This paper offers a unique contribution towards understanding the constraining and enabling factors of security information sharing within one of the leading platforms. MISP is an open source CTI sharing platform used by more than 6,000 organizations worldwide. As a technically-advanced CTI sharing platform it aims to cater for a diverse set of security information workers with distinct needs and objectives. In this respect, MISP has to pay an equal amount of attention to the UX in order to maximize and optimize the quantity and quality of threat information that is contributed and consumed. Using mixed methods we shed light on the strengths and weaknesses of MISP from an end-users’ perspective and discuss the role UX could play in effective CTI sharing. We conclude with an outline of future work and open challenges worth further exploring in this nascent, yet highly important socio-technical context.

Peer Reviewed
PakeMail: Authentication and Key Management in Decentralized Secure Email and Messaging via PAKE
Vazquez Sandoval, Itzel UL; Atashpendar, Arash; Lenzini, Gabriele UL et al

in Obaidat, Mohammad S.; Ben-Othman, Jalel (Eds.) E-Business and Telecommunications - 17th International Conference on E-Business and Telecommunications, ICETE 2020, Online Event, July 8-10, 2020, Revised Selected Papers. (2021, October)

We propose the use of password-authenticated key exchange (PAKE) for achieving and enhancing entity authentication (EA) and key management (KM) in the context of decentralized end-to-end encrypted email and secure messaging, i.e., without a public key infrastructure or a trusted third party. This not only simplifies the EA process by requiring users to share only a low-entropy secret such as a memorable word, but it also allows us to establish a high-entropy secret key. This approach enables a series of cryptographic enhancements and security properties, which are hard to achieve using out-of-band (OOB) authentication. We first study a few vulnerabilities in voice-based OOB authentication, in particular a combinatorial attack against lazy users, which we analyze in the context of a secure email solution. We then propose tackling public key authentication by solving the problem of secure equality test using PAKE and discuss various protocols and their properties. This method enables the automation of important KM tasks such as key renewal and future key pair authentications, reduces the impact of human errors and lends itself to the asynchronous nature of email and modern messaging. It also provides cryptographic enhancements including multi-device synchronization, and secure secret storage/retrieval, and paves the path for forward secrecy, deniability and post-quantum security. We also discuss the use of auditable PAKEs for mitigating a class of online guess and abort attacks in authentication protocols. We present an implementation of our proposal, called PakeMail, to demonstrate the feasibility of the core idea and discuss some of its cryptographic details, implemented features and efficiency aspects. We conclude with some design and security considerations, followed by future lines of work.

Peer Reviewed
Cholesteric Spherical Reflectors as Physical Unclonable Identifiers in Anti-counterfeiting
Arenas Correa, Monica Patricia UL; Demirci, Huseyin UL; Lenzini, Gabriele UL

in Journal of the Association for Computing Machinery (2021, August 17), 16

Peer Reviewed
"Unless One Does the Research, It May Seem as Just a Useless Battery-Consuming App" - Field Notes on COVID-19 Contact Tracing Applications
Stojkovski, Borce UL; Abu-Salma, Ruba; Triquet, Karen et al

in Digital Threats: Research and Practice (2021)

Globally, countries have been developing contact tracing applications to control the spread of the Coronavirus (COVID-19) disease. In this work, we present the findings of eight focus groups we conducted with participants living in France and Germany, to explore why they decided to adopt, or not adopt, a contact tracing application as well as understand how they perceived the benefits/drawbacks and the threat model of a contact tracing application.

Peer Reviewed
Linking Physical Objects to Their Digital Twins via Fiducial Markers Designed for Invisibility to Humans
Schwartz, Mathew; Geng, Yong UL; Agha, Hakam UL et al

in Multifunctional Materials (2021), 4(2), 022002

The ability to label and track physical objects that are assets in digital representations of the world is foundational to many complex systems. Simple, yet powerful methods such as bar- and QR-codes have been highly successful, e.g. in the retail space, but the lack of security, limited information content and impossibility of seamless integration with the environment have prevented a large-scale linking of physical objects to their digital twins. This paper proposes to link digital assets created through building information modeling (BIM) with their physical counterparts using fiducial markers with patterns defined by cholesteric spherical reflectors (CSRs), selective retroreflectors produced using liquid crystal self-assembly. The markers leverage the ability of CSRs to encode information that is easily detected and read with computer vision while remaining practically invisible to the human eye. We analyze the potential of a CSR-based infrastructure from the perspective of BIM, critically reviewing the outstanding challenges in applying this new class of functional materials, and we discuss extended opportunities arising in assisting autonomous mobile robots to reliably navigate human-populated environments, as well as in augmented reality.

Peer Reviewed
Cut-and-Mouse and Ghost Control: Exploiting Antivirus Software with Synthesized Inputs
Genç, Ziya Alper UL; Lenzini, Gabriele UL; Sgandurra, Daniele

in Digital Threats: Research and Practice (2021), 2(1)

To protect their digital assets from malware attacks, most users and companies rely on antivirus (AV) software. AVs' protection is a full-time task against malware: This is similar to a game where malware, e.g., through obfuscation and polymorphism, denial of service attacks, and malformed packets and parameters, tries to circumvent AV defences or make them crash. However, AVs react by complementing signature-based detection with anomaly or behavioral analysis, and by using OS protection, standard code, and binary protection techniques. Further, malware counter-acts, for instance, by using adversarial inputs to avoid detection, and so on. In this cat-and-mouse game, a winning strategy is trying to anticipate the move of the adversary by looking into one's own weaknesses, seeing how the adversary can penetrate them, and building up appropriate defences or attacks. In this article, we play the role of malware developers and anticipate two novel moves for the malware side to demonstrate the weakness in the AVs and to improve the defences in AVs' side. The first one consists in simulating mouse events to control AVs, namely, to send them mouse "clicks" to deactivate their protection. We prove that many AVs can be disabled in this way, and we call this class of attacks Ghost Control. The second one consists in controlling whitelisted applications, such as Notepad, by sending them keyboard events (such as "copy-and-paste") to perform malicious operations on behalf of the malware. We prove that the anti-ransomware protection feature of AVs can be bypassed if we use Notepad as a "puppet" to rewrite the content of protected files as a ransomware would do. Playing with the words, and recalling the cat-and-mouse game, we call this class of attacks Cut-and-Mouse. We tested these two attacks on 29 AVs, and the results show that 14 AVs are vulnerable to Ghost Control attack while all 29 AV programs tested are found vulnerable to Cut-and-Mouse. Furthermore, we also show some weaknesses in additional protection mechanisms of AVs, such as sandboxing and CAPTCHA verification. We have engaged with the affected AV companies, and we reported the disclosure communication with them and their responses.

Addressing Hate Speech with Data Science: An Overview from Computer Science Perspective
Lenzini, Gabriele UL; Srba; Pikuliak, Matus et al

E-print/Working paper (2021)

From a computer science perspective, addressing on-line hate speech is a challenging task that is attracting the attention of both industry (mainly social media platform owners) and academia. In this chapter, we provide an overview of state-of-the-art data-science approaches - how they define hate speech, which tasks they solve to mitigate the phenomenon, and how they address these tasks. We limit our investigation mostly to (semi-)automatic detection of hate speech, which is the task that the majority of existing computer science works focus on. Finally, we summarize the challenges and the open problems in the current data-science research and the future directions in this field. Our aim is to prepare an easily understandable report, capable to promote the multidisciplinary character of hate speech research. Researchers from other domains (e.g., psychology and sociology) can thus take advantage of the knowledge achieved in the computer science domain but also contribute back and help improve how computer science is addressing that urgent and socially relevant issue which is the prevalence of hate speech in social media.

Peer Reviewed
A workflow and toolchain proposal for analyzing users’ perceptions in cyber threat intelligence sharing platforms
Stojkovski, Borce UL; Lenzini, Gabriele UL

in 2021 IEEE International Conference on Cyber Security and Resilience (CSR) (2021)

Cyber Threat Intelligence (CTI) sharing platforms are valuable tools in cybersecurity. However, despite the fact that effective CTI exchange highly depends on human aspects, cyber behavior in CTI sharing platforms has been notably less investigated by the security research community. Motivated by this research gap, we ground our work in the concrete challenge of understanding users’ perceptions of information sharing in CTI platforms. To this end, we propose a conceptual workflow and toolchain that would seek to verify whether users have an accurate comprehension of how far information travels when shared in a CTI sharing platform. We contextualize our concept within MISP as a use case, and discuss the benefits of our socio-technical approach as a potential tool for security analysis, simulation, or education/training support. We conclude with a brief outline of future work that would seek to evaluate and validate the proposed model.

Peer Reviewed
Which Properties has an Icon? A Critical Discussion on Evaluation Methods for Standardised Data Protection Iconography
Rossi, Arianna UL; Lenzini, Gabriele UL

in Proceedings of the 8th Workshop on Socio-Technical Aspects in Security and Trust (STAST) (2021)

Following GDPR's Article 12.7's proposal to use standardized icons to inform data subject in "an easily visible, intelligible and clearly legible manner," several icon sets have been developed. In this paper, we firstly critically review some of those proposals. We then examine the properties that icons and icon sets should arguably fulfill according to Art. 12's transparency provisions. Lastly, we discuss metrics and evaluation procedures to measure compliance with the Article.

Data protection in the context of covid-19. A short (hi)story of tracing applications.
Poillot, Elise UL; Lenzini, Gabriele UL; Resta, Giorgio et al

Book published by RomaTrE-Press (2021)

The volume presents the results of a research project (named “Legafight”) funded by the Luxembourg Fond National de la Recherche in order to verify if and how digital tracing applications could be implemented in the Grand-Duchy in order to counter and abate the Covid-19 pandemic. This inevitably brought to a deep comparative overview of the various existing models, starting from that of the European Union and those put into practice by Belgium, France, Germany and Italy, with attention also to some Anglo-Saxon approaches (the UK and Australia). Not surprisingly the main issue which had to be tackled was that of the protection of the personal data collected through the tracing applications, their use by public health authorities and the trust laid in tracing procedures by citizens. Over the last 18 months tracing apps have registered a rise, a fall, and a sudden rebirth as mediums devoted not so much to collect data, but rather to distribute real time information which should allow informed decisions and be used as repositories of health certifications.
