References of "Lenzini, Gabriele 50002200"
Full Text
Peer Reviewed
PakeMail: Authentication and Key Management in Decentralized Secure Email and Messaging via PAKE
Vazquez Sandoval, Itzel UL; Atashpendar, Arash; Lenzini, Gabriele UL et al

in Obaidat, Mohammad S.; Ben-Othman, Jalel (Eds.) E-Business and Telecommunications - 17th International Conference on E-Business and Telecommunications, ICETE 2020, Online Event, July 8-10, 2020, Revised Selected Papers. (2021, October)

We propose the use of password-authenticated key exchange (PAKE) for achieving and enhancing entity authentication (EA) and key management (KM) in the context of decentralized end-to-end encrypted email and secure messaging, i.e., without a public key infrastructure or a trusted third party. This not only simplifies the EA process by requiring users to share only a low-entropy secret such as a memorable word, but it also allows us to establish a high-entropy secret key. This approach enables a series of cryptographic enhancements and security properties, which are hard to achieve using out-of-band (OOB) authentication. We first study a few vulnerabilities in voice-based OOB authentication, in particular a combinatorial attack against lazy users, which we analyze in the context of a secure email solution. We then propose tackling public key authentication by solving the problem of secure equality test using PAKE and discuss various protocols and their properties. This method enables the automation of important KM tasks such as key renewal and future key pair authentications, reduces the impact of human errors and lends itself to the asynchronous nature of email and modern messaging. It also provides cryptographic enhancements including multi-device synchronization, and secure secret storage/retrieval, and paves the path for forward secrecy, deniability and post-quantum security. We also discuss the use of auditable PAKEs for mitigating a class of online guess and abort attacks in authentication protocols. We present an implementation of our proposal, called PakeMail, to demonstrate the feasibility of the core idea and discuss some of its cryptographic details, implemented features and efficiency aspects. We conclude with some design and security considerations, followed by future lines of work.

Addressing Hate Speech with Data Science: An Overview from Computer Science Perspective
Lenzini, Gabriele UL; Srba; Pikuliak, Matus et al

E-print/Working paper (2021)

From a computer science perspective, addressing on-line hate speech is a challenging task that is attracting the attention of both industry (mainly social media platform owners) and academia. In this chapter, we provide an overview of state-of-the-art data-science approaches - how they define hate speech, which tasks they solve to mitigate the phenomenon, and how they address these tasks. We limit our investigation mostly to (semi-)automatic detection of hate speech, which is the task that the majority of existing computer science works focus on. Finally, we summarize the challenges and the open problems in the current data-science research and the future directions in this field. Our aim is to prepare an easily understandable report, capable of promoting the multidisciplinary character of hate speech research. Researchers from other domains (e.g., psychology and sociology) can thus take advantage of the knowledge achieved in the computer science domain but also contribute back and help improve how computer science is addressing that urgent and socially relevant issue which is the prevalence of hate speech in social media.

Full Text
Peer Reviewed
Cut-and-Mouse and Ghost Control: Exploiting Antivirus Software with Synthesized Inputs
Genç, Ziya Alper UL; Lenzini, Gabriele UL; Sgandurra, Daniele

in Digital Threats: Research and Practice (2021), 2(1),

To protect their digital assets from malware attacks, most users and companies rely on antivirus (AV) software. AVs' protection is a full-time task against malware: This is similar to a game where malware, e.g., through obfuscation and polymorphism, denial of service attacks, and malformed packets and parameters, tries to circumvent AV defences or make them crash. However, AVs react by complementing signature-based detection with anomaly or behavioral analysis, and by using OS protection, standard code, and binary protection techniques. Further, malware counter-acts, for instance, by using adversarial inputs to avoid detection, and so on. In this cat-and-mouse game, a winning strategy is trying to anticipate the move of the adversary by looking into one's own weaknesses, seeing how the adversary can penetrate them, and building up appropriate defences or attacks. In this article, we play the role of malware developers and anticipate two novel moves for the malware side to demonstrate the weakness in the AVs and to improve the defences in AVs' side. The first one consists in simulating mouse events to control AVs, namely, to send them mouse "clicks" to deactivate their protection. We prove that many AVs can be disabled in this way, and we call this class of attacks Ghost Control. The second one consists in controlling whitelisted applications, such as Notepad, by sending them keyboard events (such as "copy-and-paste") to perform malicious operations on behalf of the malware. We prove that the anti-ransomware protection feature of AVs can be bypassed if we use Notepad as a "puppet" to rewrite the content of protected files as a ransomware would do. Playing with the words, and recalling the cat-and-mouse game, we call this class of attacks Cut-and-Mouse. We tested these two attacks on 29 AVs, and the results show that 14 AVs are vulnerable to Ghost Control attack while all 29 AV programs tested are found vulnerable to Cut-and-Mouse. Furthermore, we also show some weaknesses in additional protection mechanisms of AVs, such as sandboxing and CAPTCHA verification. We have engaged with the affected AV companies, and we reported the disclosure communication with them and their responses.

Full Text
Peer Reviewed
Which Properties has an Icon? A Critical Discussion on Evaluation Methods for Standardised Data Protection Iconography
Rossi, Arianna UL; Lenzini, Gabriele UL

in Proceedings of the 8th Workshop on Socio-Technical Aspects in Security and Trust (STAST) (2021)

Following GDPR's Article 12.7's proposal to use standardized icons to inform data subjects in "an easily visible, intelligible and clearly legible manner," several icon sets have been developed. In this paper, we firstly critically review some of those proposals. We then examine the properties that icons and icon sets should arguably fulfill according to Art. 12's transparency provisions. Lastly, we discuss metrics and evaluation procedures to measure compliance with the Article.

Full Text
Peer Reviewed
A workflow and toolchain proposal for analyzing users' perceptions in cyber threat intelligence sharing platforms
Stojkovski, Borce UL; Lenzini, Gabriele UL

in 2021 IEEE International Conference on Cyber Security and Resilience (CSR) (2021)

Cyber Threat Intelligence (CTI) sharing platforms are valuable tools in cybersecurity. However, despite the fact that effective CTI exchange highly depends on human aspects, cyber behavior in CTI sharing platforms has been notably less investigated by the security research community. Motivated by this research gap, we ground our work in the concrete challenge of understanding users' perceptions of information sharing in CTI platforms. To this end, we propose a conceptual workflow and toolchain that would seek to verify whether users have an accurate comprehension of how far information travels when shared in a CTI sharing platform. We contextualize our concept within MISP as a use case, and discuss the benefits of our socio-technical approach as a potential tool for security analysis, simulation, or education/training support. We conclude with a brief outline of future work that would seek to evaluate and validate the proposed model.

Full Text
Peer Reviewed
What's in a Cyber Threat Intelligence sharing platform?: A mixed-methods user experience investigation of MISP
Stojkovski, Borce UL; Lenzini, Gabriele UL; Koenig, Vincent UL et al

in Annual Computer Security Applications Conference (ACSAC ’21) (2021)

The ever-increasing scale and complexity of cyber attacks and cyber-criminal activities necessitate secure and effective sharing of cyber threat intelligence (CTI) among a diverse set of stakeholders and communities. CTI sharing platforms are becoming indispensable tools for cooperative and collaborative cybersecurity. Nevertheless, despite the growing research in this area, the emphasis is often placed on the technical aspects, incentives, or implications associated with CTI sharing, as opposed to investigating challenges encountered by users of such platforms. To date, user experience (UX) aspects remain largely unexplored. This paper offers a unique contribution towards understanding the constraining and enabling factors of security information sharing within one of the leading platforms. MISP is an open source CTI sharing platform used by more than 6,000 organizations worldwide. As a technically-advanced CTI sharing platform it aims to cater for a diverse set of security information workers with distinct needs and objectives. In this respect, MISP has to pay an equal amount of attention to the UX in order to maximize and optimize the quantity and quality of threat information that is contributed and consumed. Using mixed methods we shed light on the strengths and weaknesses of MISP from an end-users' perspective and discuss the role UX could play in effective CTI sharing. We conclude with an outline of future work and open challenges worth further exploring in this nascent, yet highly important socio-technical context.

Full Text
Peer Reviewed
"I am definitely manipulated, even when I am aware of it. It's ridiculous!" - Dark Patterns from the End-User Perspective
Bongard-Blanchy, Kerstin UL; Rossi, Arianna UL; Rivas, Salvador UL et al

in Proceedings of ACM DIS Conference on Designing Interactive Systems (2021)

Online services pervasively employ manipulative designs (i.e., dark patterns) to influence users to purchase goods and subscriptions, spend more time on-site, or mindlessly accept the harvesting of their personal data. To protect users from the lure of such designs, we asked: are users aware of the presence of dark patterns? If so, are they able to resist them? By surveying 406 individuals, we found that they are generally aware of the influence that manipulative designs can exert on their online behaviour. However, being aware does not equip users with the ability to oppose such influence. We further find that respondents, especially younger ones, often recognise the "darkness" of certain designs, but remain unsure of the actual harm they may suffer. Finally, we discuss a set of interventions (e.g., bright patterns, design frictions, training games, applications to expedite legal enforcement) in the light of our findings.

Full Text
Peer Reviewed
"I Personally Relate It to the Traffic Light": A User Study on Security & Privacy Indicators in a Secure Email System Committed to Privacy by Default
Stojkovski, Borce UL; Lenzini, Gabriele UL; Koenig, Vincent UL

in Proceedings of the 36th Annual ACM Symposium on Applied Computing (2021)

Improving the usability and adoption of secure (i.e. end-to-end encrypted) email systems has been a notorious challenge for over two decades. One of the open questions concerns the amount and format of information that should be communicated to users to inform them of the security and privacy properties with respect to different messages or correspondents. Contributing to the ongoing discussion on the usability and effectiveness of security and privacy indicators, particularly in the context of systems targeting non-expert users, this paper sheds light on users' evaluation of traffic light-inspired indicators, as a metaphor to represent different privacy states and guarantees, provided by a new system for email end-to-end encryption called p≡p. Using a mixed-methods approach, based on input gathered from 150 participants in three online studies, we highlight the pros and cons of the traffic light semantic in p≡p's context and beyond, and discuss the potential implications on the perceived security and use of such systems.

Full Text
Peer Reviewed
The Framework of Security-Enhancing Friction: How UX Can Help Users Behave More Securely
Distler, Verena UL; Lenzini, Gabriele UL; Lallemand, Carine UL et al

in New Security Paradigms Workshop (2020, October 26)

A growing body of research in the usable privacy and security community addresses the question of how to best influence user behavior to reduce risk-taking. We propose to address this challenge by integrating the concept of user experience (UX) into empirical usable privacy and security studies that attempt to change risk-taking behavior. UX enables us to study the complex interplay between user-related, system-related and contextual factors and provides insights into the experiential aspects underlying behavior change, including negative experiences. We first compare and contrast existing security-enhancing interventions (e.g., nudges, warnings, fear appeals) through the lens of friction. We then build on these insights to argue that it can be desirable to design for moments of negative UX in security-critical situations. For this purpose, we introduce the novel concept of security-enhancing friction, friction that effectively reduces the occurrence of risk-taking behavior and ensures that the overall UX (after use) is not compromised. We illustrate how security-enhancing friction provides an actionable way to systematically integrate the concept of UX into empirical usable privacy and security studies for meeting both the objectives of secure behavior and of overall acceptable experience.

Full Text
Peer Reviewed
Transparency by Design in Data-Informed Research: a Collection of Information Design Patterns
Rossi, Arianna UL; Lenzini, Gabriele UL

in Computer Law & Security Review (2020), 37(105402),

Oftentimes information disclosures describing personal data-gathering research activities are so poorly designed that participants fail to be informed and blindly agree to the terms, without grasping the rights they can exercise and the risks derived from their cooperation. To respond to the challenge, this article presents a series of operational strategies for transparent communication in line with legal-ethical requirements. These "transparency-enhancing design patterns" can be implemented by data controllers/researchers to maximize the clarity, navigability, and noticeability of the information provided and ultimately empower data subjects/research subjects to appreciate and determine the permissible use of their data.

Full Text
Peer Reviewed
Systematization of threats and requirements for private messaging with untrusted servers. The case of E-mailing and instant messaging
Symeonidis, Iraklis UL; Lenzini, Gabriele UL

in International Conference on Information Systems Security and Privacy, Malta 25-27 February 2020 (2020, February)

Modern email and instant messaging applications often offer private communications. In doing so, they share common concerns about how security and privacy can be compromised, how they should face similar threats, and how to comply with comparable system requirements. Assuming a scenario where servers may not be trusted, we review and analyze a list of threats specifically against message delivering, archiving, and contact synchronization. We also describe a list of requirements intended for whoever undertakes the task of implementing secure and private messaging. The cryptographic solutions available to mitigate the threats and to comply with the requirements may differ, as the two applications are built on different assumptions and technologies.

Full Text
Peer Reviewed
Making the Case for Evidence-based Standardization of Data Privacy and Data Protection Visual Indicators
Rossi, Arianna UL; Lenzini, Gabriele UL

in Journal of Open Access to Law (2020), 8(1),

Lately, icons have witnessed a growing wave of interest in the view of enhancing transparency and clarity of data processing practices in mandated disclosures. Although benefits in terms of comprehensibility, noticeability, navigability of the information and user's attention and memorization can be expected, they should also be supported by decisive empirical evidence about the efficacy of the icons in specific contexts. Misrepresentation, oversimplification, and improper salience of certain aspects over others are omnipresent risks that can drive data subjects to wrong conclusions. Cross-domain and international standardization of visual means also poses a serious challenge: if on the one hand developing standards is necessary to ensure widespread recognition and comprehension, each domain and application presents unique features that can be hardly established, and imposed, in a top-down manner. This article critically discusses the above issues and identifies relevant open questions for scientific research. It also provides concrete examples and practical suggestions for researchers and practitioners that aim to implement transparency-enhancing icons in the spirit of the General Data Protection Regulation (GDPR).

Full Text
Peer Reviewed
Authentication and Key Management Automation in Decentralized Secure Email and Messaging via Low-Entropy Secrets
Vazquez Sandoval, Itzel UL; Atashpendar, Arash; Lenzini, Gabriele UL

in Proceedings of the 17th International Joint Conference on e-Business and Telecommunications (2020)

We revisit the problem of entity authentication in decentralized end-to-end encrypted email and secure messaging to propose a practical and self-sustaining cryptographic solution based on password-authenticated key exchange (PAKE). This not only allows users to authenticate each other via shared low-entropy secrets, e.g., memorable words, without a public key infrastructure or a trusted third party, but it also paves the way for automation and a series of cryptographic enhancements; improves security by minimizing the impact of human error and potentially improves usability. First, we study a few vulnerabilities in voice-based out-of-band authentication, in particular a combinatorial attack against lazy users, which we analyze in the context of a secure email solution. Next, we propose solving the problem of secure equality test using PAKE to achieve entity authentication and to establish a shared high-entropy secret key. Our solution lends itself to offline settings, compatible with the inherently asynchronous nature of email and modern messaging systems. The suggested approach enables enhancements in key management such as automated key renewal and future key pair authentications, multi-device synchronization, secure secret storage and retrieval, and the possibility of post-quantum security as well as facilitating forward secrecy and deniability in a primarily symmetric-key setting. We also discuss the use of auditable PAKEs for mitigating a class of online guess and abort attacks in authentication protocols.

Full Text
Peer Reviewed
Qualifying and Measuring Transparency: A Medical Data System Case Study
Spagnuelo, Dayana; Bartolini, Cesare UL; Lenzini, Gabriele UL

in Computers and Security (2020)

Transparency is a data processing principle enforced by the GDPR but purposely left open to interpretation. As such, the means to adhere to it are left unspecified. The Article 29 Working Party provides practical guidance on how to interpret transparency; however, there are no defined requirements nor ways to verify the quality of the implementation of transparency. We address this problem. We discuss and define applicable metrics for transparency, propose how measurement can be conducted in an operative system, and suggest a practical way in which these metrics can be interpreted in order to increase confidence that transparency is realised in a system.

Full Text
Peer Reviewed
Evaluating ambiguity of privacy indicators in a secure email app
Stojkovski, Borce UL; Lenzini, Gabriele UL

in Loreti, Michele; Spalazzi, Luca (Eds.) Proceedings of the Fourth Italian Conference on Cyber Security, Ancona Italy, February 4th to 7th, 2020 (2020)

Informing laymen of security situations is a notoriously hard problem. Users are usually not cognoscenti of all the various secure and insecure situations that may arise, and this can be further worsened by certain visual indicators that instead of helping users, fail to convey clear and unambiguous messages. Even in well-established and studied applications, like email clients providing end-to-end encryption, the problem seems far from being solved. Motivated to verify this claim, we studied the communication qualities of four privacy icons (in the form of coloured shapes) in conveying specific security messages, relevant for a particular secure emailing system called p≡p. We questioned 42 users in three different sessions, where we showed them 10 privacy ratings, along with their explanations, and asked them to match the rating and explanation with the four privacy icons. We compared the participants' associations to those made by the p≡p developers. The results, still preliminary, are not encouraging. Except for the two most extreme cases, Secure and trusted and Under attack, users almost entirely failed to get the indicators' intended messages. In particular, they did not grasp certain concepts such as Unsecure email and Secure email, which in turn were fundamental for the engineers. Our work has certain limitations and further investigation is required, but already at this stage our research calls for a closer collaboration between app engineers and icon designers. In the context of p≡p, our work has triggered a deeper discussion on the icon design choices and a potential revamp is on the way.

Full Text
Peer Reviewed
Dual-Use Research In Ransomware Attacks: A Discussion on Ransomware Defence Intelligence
Genç, Ziya Alper UL; Lenzini, Gabriele UL

in Proceedings of the 6th International Conference on Information Systems Security and Privacy (2020)

Previous research has shown that developers rely on public platforms and repositories to produce functional but insecure code. We looked into the matter for ransomware, enquiring whether ransomware engineers also re-use the work of others and produce insecure code. By methodically reverse-engineering 128 malware executables, we have found that, out of 21 ransomware samples, 9 contain copy-paste code from public resources. Thanks to this finding, we managed to retrieve the decryption keys with which to nullify the ransomware attacks. From this fact, we recall critical cases of code disclosure in the recent history of ransomware and, arguing that ransomware are components in cyber-weapons, reflect on the dual-use nature of this research. We further discuss benefits and limits of using cyber-intelligence and counter-intelligence strategies that could be used against this threat.

Full Text
Peer Reviewed
The DAta Protection REgulation COmpliance Model
Bartolini, Cesare UL; Lenzini, Gabriele UL; Robaldo, Livio UL

in IEEE Security and Privacy (2019), 17(6), 37-45

Understanding whether certain technical measures comply with the General Data Protection Regulation's (GDPR's) principles is complex legal work. This article describes a model of the GDPR that allows for semiautomatic processing of legal text and the leveraging of state-of-the-art legal informatics approaches, which are useful for legal reasoning, software design, information retrieval, or compliance checking.
