An Analysis of Social Engineering Principles in Effective Phishing

in Proc. of the 5th International Workshop on Socio-Technical Security and Trust (2015)

Principles of Persuasion in Social Engineering and Their Use in Phishing

in T. Tryfonas, I. Askoxylakis (Ed.) Human Aspects of Information Security, Privacy, and Trust Third International Conference, HAS 2015 (2015)

Research on marketing and deception has identified principles of persuasion that in influence human decisions. However, this research is scattered: it focuses on specific contexts and produces different ... [more ▼]

Research on marketing and deception has identified principles of persuasion that in influence human decisions. However, this research is scattered: it focuses on specific contexts and produces different taxonomies. In regard to frauds and scams, three taxonomies are often referred in the literature: Cialdini's principles of influence, Gragg's psychological triggers, and Stajano et al. principles of scams. It is unclear whether these relate but clearly some of their principles seem overlapping whereas others look complementary. We propose a way to connect those principles and present a merged and reviewed list for them. Then, we analyse various phishing emails and show that our principles are used therein in specific combinations. Our analysis of phishing is based on peer review and further research is needed to make it automatic, but the approach we follow, together with principles we propose, can be applied more consistently and more comprehensively than the original taxonomies. [less ▲]

4.2 Social Dynamics Metrics-Working Group Report

in Socio-Technical Security Metrics (2015)

Individuals continually interact with security mechanisms when performing tasks in everyday life. These tasks may serve personal goals or work goals, be individual or shared. These interactions can be ... [more ▼]

Individuals continually interact with security mechanisms when performing tasks in everyday life. These tasks may serve personal goals or work goals, be individual or shared. These interactions can be influenced by peers and superiors in the respective environments (workplace, home, public spaces), by personality traits of the users, as well as by contextual constraints such as available time, cognitive resources, and perceived available effort. All these influencing factors, we believe, should be considered in the design, implementation and maintenance of good socio-technical security mechanisms. Therefore, we need to observe reliable socio-technical data, and then transform them into meaningful and helpful metrics for user interactions and influencing factors. More precisely, there are three main questions that the group discussed: 1. What data do we need to observe and what of this data we actually can observe and measure? 2. How can we observe and measure? 3. What can we do with the results of the observations? [less ▲]

Maybe Poor Johnny Really Cannot Encrypt - The Case for a Complexity Theory for Usable Security

in Proceedings of the New Security Paradigm Workshop (2015)

This paper discusses whether usable security is unattainable for some security tasks due to intrinsic bounds of human cognitive capacities. Will Johnny ever be able to encrypt? Psychology and neuroscience ... [more ▼]

This paper discusses whether usable security is unattainable for some security tasks due to intrinsic bounds of human cognitive capacities. Will Johnny ever be able to encrypt? Psychology and neuroscience literature shows that there are upper bounds on the human capacity for executing cognitive tasks and for information processing. We argue that the usable security discipline should scientifically understand human capacities for security tasks, i.e., what we can realistically expect from people. We propose a framework for evaluation of human capacities in security that assigns socio-technical systems to complexity classes according to their security and usability. The upper bound of human capacity is considered the point at which people start experiencing cognitive strain while performing a task, because cognitive strain demonstrably leads to errors in the task execution. The ultimate goal of the work we initiate in this paper is to provide designers of security mechanisms or policies with the ability to say:“This feature of the security mechanism X or this security policy element Y is inappropriate, because this evidence shows that it is beyond people’s capacity". [less ▲]

Generating attacks in SysML activity diagrams by detecting attack surfaces

in Journal of Ambient Intelligence and Humanized Computing (2015), 6(3), 361-373

In the development process of a secure system is essential to detect as early as possible the system’s vulnerable points, the so called attack surfaces, and to estimate how feasible it would be that known ... [more ▼]

In the development process of a secure system is essential to detect as early as possible the system’s vulnerable points, the so called attack surfaces, and to estimate how feasible it would be that known attacks breach through them. Even if attack surfaces can be sometimes detected automatically, mapping them against known attacks still is a step apart. Systems and attacks are not usually modelled in compatible formalisms. We develop a practical framework that automates the whole process. We formalize a system as SysML activity diagrams and in the same formalism we model libraries of patterns taken from standard catalogues of social engineering and technical attacks. An algorithm that we define, navigates the system’s diagrams in search for its attack surfaces; then it evaluates the possibility and the probability that the detected weak points host attacks among those in the modelled library. We prove the correctness and the completeness of our approach and we show how it works on a use case scenario. It represents a very common situation in the domain of communication and data security for corporations. [less ▲]

Secure exams despite malicious management

in Twelfth Annual International Conference on Privacy, Security and Trust (PST), Ryerson University, Toronto, July 23-24, 2014 (2014)

A Conceptual Framework to Study Socio-Technical Security

in Lecture Notes in Computer Science (2014)

We propose an operational framework for a social, technical and contextual analysis of security. The framework provides guidelines about how to model a system as a layered set of interacting elements, and ... [more ▼]

We propose an operational framework for a social, technical and contextual analysis of security. The framework provides guidelines about how to model a system as a layered set of interacting elements, and proposes two methodologies to analyse technical and social vulnerabilities. We show how to apply the framework in a use case scenario. [less ▲]

A Socio-Technical Methodology for the Security and Privacy Analysis of Services

in IEEE 38th Annual International Computers, Software and Applications Conference Workshops, 27–29 July 2014, Västerås, Sweden (2014)

On the verifiability of (electronic) exams

Report (2014)

The main concern for institutions that organize exams is to detect when students cheat. Actually more frauds are possible and even authorities can be dishonest. If institutions wish to keep exams a ... [more ▼]

The main concern for institutions that organize exams is to detect when students cheat. Actually more frauds are possible and even authorities can be dishonest. If institutions wish to keep exams a trustworthy business, anyone and not only the authorities should be allowed to look into an exam’s records and verify the presence or the absence of frauds. In short, exams should be verifiable. However, what verifiability means for exams is unclear and no tool to analyze an exam’s verifiability is available. In this paper we address both issues: we formalize several individual and universal verifiability properties for traditional and electronic exams, so proposing a set of verifiability properties and clarifying their meaning, then we implement our framework in ProVerif, so making it a tool to analyze exam verifiability. We validate our framework by analyzing the verifiability of two existing exam systems – an electronic and a paper-and-pencil system. [less ▲]

DEMO: Demonstrating a Trust Framework for Evaluating GNSS Signal Integrity

in Proceedings of 20th ACM Conference on Computer and Communications Security (CCS'13) (2013, November)

Through real-life experiments, it has been proved that spoofing is a practical threat to applications using the free civil service provided by Global Navigation Satellite Systems (GNSS). In this paper, we ... [more ▼]

Through real-life experiments, it has been proved that spoofing is a practical threat to applications using the free civil service provided by Global Navigation Satellite Systems (GNSS). In this paper, we demonstrate a prototype that can verify the integrity of GNSS civil signals. By integrity we intuitively mean that civil signals originate from a GNSS satellite without having been artificially interfered with. Our prototype provides interfaces that can incorporate existing spoofing detection methods whose results are then combined into an overall evaluation of the signal’s integrity, which we call integrity level. Considering the various security requirements from different applications, integrity levels can be calculated in many ways determined by their users. We also present an application scenario that deploys our prototype and offers a public central service – localisation assurance certification. Through experiments, we successfully show that our prototype is not only effective but also efficient in practice. [less ▲]