Open Access. Powered by Scholars. Published by Universities.®

Physical Sciences and Mathematics Commons

Security

Articles 361 - 390 of 681

Full-Text Articles in Physical Sciences and Mathematics

Analysis And Improvement On A Biometric-Based Remote User Authentication Scheme Using Smart Cards, Fengtong Wen, Willy Susilo, Guomin Yang Feb 2015

Research Collection School Of Computing and Information Systems

In a recent paper (BioMed Research International, 2013/491289), Khan et al. proposed an improved biometrics-based remote user authentication scheme with user anonymity. The scheme is believed to be secure against password guessing attack, user impersonation attack, server masquerading attack, and provide user anonymity, even if the secret information stored in the smart card is compromised. In this paper, we analyze the security of Khan et al.’s scheme, and demonstrate that their scheme doesn’t provide user anonymity. This also renders that their scheme is insecure against other attacks, such as off-line password guessing attack, user impersonation attacks. Subsequently, we propose a …


Evaluating Single Sign On Security Failure In Cloud Services, Brian Cusack, Eghbal Zadeh Jan 2015

Australian Information Security Management Conference

The business use of cloud computing services is motivated by the ease of use and the potential financial cost reductions. Service failure may occur when the service provider does not protect information or when the use of the services becomes overly complex and difficult. The benefits also bring optimisation challenges for the information owners who must assess the service security risk and the degree to which new human behaviours are required. In this research we look at the risk of identity theft when ease of service access is provided through a Single Sign On (SSO) authorisation and ask: What are …


The Challenges In Implementing Security In Spontaneous Ad Hoc Networks, Alastair Nisbet Jan 2015

Australian Information Security Management Conference

Mobile Ad Hoc Networks (MANETS) promise much in the ability to rapidly deploy a wireless network in a fashion where no prior planning is needed and the network can be running efficiently and with high security within minutes. Natural disaster response, military, education and business provide areas where MANETS can offer significant advantages in communication where infrastructure networks may take days to set up or may be impossible to implement. This research reviews a selection of MANET protocols to show the progression of the research and the issues that are yet to be addressed. It discusses the challenges to researchers …


Timing Attack Detection On Bacnet Via A Machine Learning Approach, Michael N. Johnstone, Matthew Peacock, J I. Den Hartog Jan 2015

Australian Information Security Management Conference

Building Automation Systems (BAS), alternatively known as Building Management Systems (BMS), which centralise the management of building services, are often connected to corporate networks and are routinely accessed remotely for operational management and emergency purposes. The protocols used in BAS, in particular BACnet, were not designed with security as a primary requirement, thus the majority of systems operate with sub-standard or non-existent security implementations. As intrusion is thus likely easy to achieve, intrusion detection systems should be put in place to ensure they can be detected and mitigated. Existing intrusion detection systems typically deal only with known threats (signature-based approaches) …


Evaluating Policy Layer Security Controls For Value Realisation In Secure Systems, Brian Cusack, Maher Al-Khazrajy Jan 2015

Australian Information Security Management Conference

A strategic question for any business is: What value do control frameworks give? The question concerns the costs associated with implementing and maintaining control frameworks compared with the benefits gained. Each control framework contains many controls that may or may not benefit a situation and this research is aimed at testing different selections and combinations of controls to forecast probable impacts on business outcomes. The scope of the research is limited to a representative set of security controls and the lesser question: What are the criteria for selecting the most effective and efficient security control configurations for best business value? …


Ransomware: Emergence Of The Cyber-Extortion Menace, Nikolai Hampton, Zubair A. Baig Jan 2015

Australian Information Security Management Conference

Ransomware is increasingly posing a threat to the security of information resources. Millions of dollars of monetary loss have been afflicted on end-users and corporations alike through unlawful deployment of ransomware. Through malware injection into end-user devices and subsequent extortion of their system or data, ransomware has emerged as a threat requiring immediate attention and containment by the cyber-security community. We conduct a detailed analysis of the steps of execution involved in ransomware deployment to facilitate readiness of the cyber-security community in containing the rapid proliferation of ransomware. This paper examines the evolution of malware over a period of 26 …


Innovating Additional Layer 2 Security Requirements For A Protected Stack, Brian Cusack, Raymond Lutui Jan 2015

Australian Information Security Management Conference

Security is only as good as the weakest link and if the weakness is at a low level in the communication stack then every other Layer has potential to inherit the problem. The OSI Layer model has defined the theoretical architecture for network communications (ISO/IEC 7498-1). Standardisation assures that each element of an internetwork uses the same model and hence a message can be moved intelligibly and correctly between participants. The OSI model divides communications into seven hierarchical Layers that provide the necessary services from the application Layer through to the physical Layer of electricity (ISO/IEC 7498-2). Each Layer is …


An Empirical Comparison Of Widely Adopted Hash Functions In Digital Forensics: Does The Programming Language And Operating System Make A Difference?, Satyendra Gurjar, Ibrahim Baggili, Frank Breitinger, Alice E. Fischer Jan 2015

Electrical & Computer Engineering and Computer Science Faculty Publications

Hash functions are widespread in computer sciences and have a wide range of applications such as ensuring integrity in cryptographic protocols, structuring database entries (hash tables) or identifying known files in forensic investigations. Besides their cryptographic requirements, a fundamental property of hash functions is efficient and easy computation which is especially important in digital forensics due to the large amount of data that needs to be processed when working on cases. In this paper, we correlate the runtime efficiency of common hashing algorithms (MD5, SHA-family) and their implementation. Our empirical comparison focuses on C-OpenSSL, Python, Ruby, Java on Windows and …


Cybersecurity Vulnerabilities In Medical Devices: A Complex Environment And Multifaceted Problem, Patricia A.H. Williams, Andrew J. Woodward Jan 2015

Research outputs 2014 to 2021

The increased connectivity to existing computer networks has exposed medical devices to cybersecurity vulnerabilities from which they were previously shielded. For the prevention of cybersecurity incidents, it is important to recognize the complexity of the operational environment as well as to catalog the technical vulnerabilities. Cybersecurity protection is not just a technical issue; it is a richer and more intricate problem to solve. A review of the factors that contribute to such a potentially insecure environment, together with the identification of the vulnerabilities, is important for understanding why these vulnerabilities persist and what the solution space should look like. This …


Design, Testing And Implementation Of A New Authentication Method Using Multiple Devices, Cagri Cetin Jan 2015

USF Tampa Graduate Theses and Dissertations

Authentication protocols are very common mechanisms to confirm the legitimacy of someone’s or something’s identity in digital and physical systems.

This thesis presents a new and robust authentication method based on users’ multiple devices. Due to the popularity of mobile devices, users are becoming more likely to have more than one device (e.g., smartwatch, smartphone, laptop, tablet, smart-car, smart-ring, etc.). The authentication system presented here takes advantage of these multiple devices to implement authentication mechanisms. In particular, the system requires the devices to collaborate with each other in order for the authentication to succeed. This new authentication protocol is robust …


Analysis Of Password Cracking Methods & Applications, John A. Chester Jan 2015

Williams Honors College, Honors Research Projects

This project examines the nature of password cracking and modern applications. Several applications for different platforms are studied. Different methods of cracking are explained, including dictionary attack, brute force, and rainbow tables. Password cracking across different mediums is examined. Hashing and how it affects password cracking is discussed. An implementation of two hash-based password cracking algorithms is developed, along with experimental results of their efficiency.


Security Frameworks For Machine-To-Machine Devices And Networks, Michael Demblewski Jan 2015

CCE Theses and Dissertations

Attacks against mobile systems have escalated over the past decade. There have been increases of fraud, platform attacks, and malware. The Internet of Things (IoT) offers a new attack vector for Cybercriminals. M2M contributes to the growing number of devices that use wireless systems for Internet connection. As new applications and platforms are created, old vulnerabilities are transferred to next-generation systems. There is a research gap that exists between the current approaches for security framework development and the understanding of how these new technologies are different and how they are similar. This gap exists because system designers, security architects, and …


An Electroencephalogram (Eeg) Based Biometrics Investigation For Authentication: A Human-Computer Interaction (Hci) Approach, Ricardo J. Rodriguez Jan 2015

CCE Theses and Dissertations

Encephalogram (EEG) devices are one of the active research areas in human-computer interaction (HCI). They provide a unique brain-machine interface (BMI) for interacting with a growing number of applications. EEG devices interface with computational systems, including traditional desktop computers and more recently mobile devices. These computational systems can be targeted by malicious users. There is clearly an opportunity to leverage EEG capabilities for increasing the efficiency of access control mechanisms, which are the first line of defense in any computational system.

Access control mechanisms rely on a number of authenticators, including “what you know”, “what you have”, and “what you …


Ciphercard: A Token-Based Approach Against Camera-Based Shoulder Surfing Attacks On Common Touchscreen Devices, Teddy Seyed, Xing-Dong Yang, Anthony Tang, Saul Greenberg, Jiawei Gu, Bin Zhu, Xiang Ciao Jan 2015

Research Collection School Of Computing and Information Systems

We present CipherCard, a physical token that defends against shoulder-surfing attacks on user authentication on capacitive touchscreen devices. When CipherCard is placed over a touchscreen’s pin-pad, it remaps a user’s touch point on the physical token to a different location on the pin-pad. It hence translates a visible user password into a different system password received by a touchscreen, but is hidden from observers as well as the user. CipherCard enhances authentication security through Two-Factor Authentication (TFA), in that both the correct user password and a specific card are needed for successful authentication. We explore the design space of CipherCard, …


Design And Implementation Of Ir And Laser-Based Electronic Ciphering Systems, Feyzi Akar, Osman Aşkin Jan 2015

Turkish Journal of Electrical Engineering and Computer Sciences

This paper describes the design and implementation of infrared (IR) and laser-based electronic ciphering systems for use in both indoor and outdoor wireless remote control applications. To communicate between a user and a lock module in a secure way, the proposed systems utilize IR and laser frequencies instead of radio frequencies. Each proposed system has its specific security design. A new communication protocol is also generated, which is compatible for use with IR and laser technologies. The proposed electronic ciphering systems' prototypes are realized together with software and hardware components. They are instrumented using the peripheral interface controller series microcontrollers. …


Rfid Card Security For Public Transportation Applications Based On A Novel Neural Network Analysis Of Cardholder Behavior Characteristics, Gürsel Düzenli Jan 2015

Turkish Journal of Electrical Engineering and Computer Sciences

This paper proposes a novel approach that applies neural network forecasting to security for closed-loop prepaid cards based on low-cost technologies such as RFID and 1-Wire. The security vulnerability of low-cost RFID closed-loop prepaid card systems originates mostly from the card itself. Criminal organizations counterfeit or clone card data. Although high-security prepaid cards exist, they are often too expensive for transport ticketing, and even their security is not guaranteed for a well-defined period of time. Therefore, data encryption systems are used widely against counterfeiting with success. However, it has not been possible to develop countermeasures with comparable success against cloning. …


Managing Wireless Security Risks In Medical Services, Brian Cusack, Akar Kyaw Dec 2014

Australian eHealth Informatics and Security Conference

Medical systems are designed for a range of end users from different professional skill groups and people who carry the devices in and on their bodies. Open, accurate, and efficient communication is the priority for medical systems and consequently strong protection costs are traded against the utility benefits for open systems. In this paper we assess the vulnerabilities created by the professional and end user expectations, and theorise ways to mitigate wireless security vulnerabilities. The benefits of wireless medical services are great in terms of efficiencies, mobility, and information management. These benefits may be realised by treating the vulnerabilities and …


Security Of Electronic Health Records In A Resource Limited Setting: The Case Of Smart-Care Electronic Health Record In Zambia, Keith Mweebo Dec 2014

Australian eHealth Informatics and Security Conference

This paper presents a case study of security issues related to the operationalization of smart-care, an electronic medical record (EMR) used to manage Human Immunodeficiency Virus (HIV) health information in Zambia. The aim of the smart-care program is to link up services and improve access to health information, by providing a reliable way to collect, store, retrieve and analyse health data in a secure way. As health professionals gain improved access to patient health information electronically, there is need to ensure this information is secured, and that patient privacy and confidentiality is maintained. During the initial stages of the program …


Authentication In Saas By Implementing Double Security Measures, Muhamet Gërvalla, Shkëlqim Berisha Nov 2014

UBT International Conference

Growing trends of services offered in the field of Cloud Computing are increasing on a daily basis. These services are divided into three models: Software as a Service (SaaS), Platform as a Service (PaaS) and Infrastructure as a Service (IaaS). Despite this, much interest is shown to the usage of Software as a Service (SaaS) model. This model offers the usage of software that is hosted in Cloud that can be accessed by using web browsers or through “thin client”. Security and privacy are two most important problems that can occur in this model. Authentication through password is one of the …


A Privacy Risk Scoring Framework For Mobile, Jedidiah Spencer Montgomery Nov 2014

Theses and Dissertations

Protecting personal privacy has become an increasingly important issue as computers become a more integral part of everyday life. As people begin to trust more personal information to be contained in computers they will question if that information is safe from unwanted intrusion and access. With the rise of mobile devices (e.g., smartphones, tablets, wearable technology) users have enjoyed the convenience and availability of stored personal information in mobile devices, both in the operating system and within applications. For a mobile application to function correctly it needs permission or privileges to access and control various resources and controls on the mobile …


Amulet: A Secure Architecture For Mhealth Applications For Low-Power Wearable Devices, Andrés Molina-Markham, Ronald Peterson, Joseph Skinner, Tianlong Yun, Bhargav Golla, Kevin Freeman, Travis Peters, Jacob Sorber, Ryan Halter, David Kotz Nov 2014

Dartmouth Scholarship

Interest in using mobile technologies for health-related applications (mHealth) has increased. However, none of the available mobile platforms provide the essential properties that are needed by these applications. An mHealth platform must be (i) secure; (ii) provide high availability; and (iii) allow for the deployment of multiple third-party mHealth applications that share access to an individual's devices and data. Smartphones may not be able to provide property (ii) because there are activities and situations in which an individual may not be able to carry them (e.g., while in a contact sport). A low-power wearable device can provide higher availability, remaining …


Chatter: Classifying Malware Families Using System Event Ordering, Aziz Mohaisen, Andrew G. West, Allison Mankin, Omar Alrawi Oct 2014

Andrew G. West

Using runtime execution artifacts to identify malware and its associated "family" is an established technique in the security domain. Many papers in the literature rely on explicit features derived from network, file system, or registry interaction. While effective, use of these fine-granularity data points makes these techniques computationally expensive. Moreover, the signatures and heuristics this analysis produces are often circumvented by subsequent malware authors.

To this end we propose CHATTER, a system that is concerned only with the order in which high-level system events take place. Individual events are mapped onto an alphabet and execution traces are captured via terse …


Ios Device Forensics, Lauren Drish Oct 2014

All Capstone Projects

Many people today have an iPhone, iPad or iPod. Not many would realize that valuable information is stored on these devices. When a crime occurs, an iOS Device could hold key information to help solve said crime that criminals are not aware are present on the device. This can include GPS information as well as application history on the device itself.

The project I wish to do and complete is to create a class where students can learn about iOS Forensics. Students will be able to learn the basics of an iDevice, as well as how to work with …


Singapore Management University Establishes A New Research Centre On Secure Mobile Computing Technologies And Solutions, Singapore Management University Oct 2014

SMU Press Releases

The Singapore Management University (SMU) has announced today the establishment of a new centre of research excellence that focuses on mobile computing security. Funded by Singapore’s National Research Foundation (NRF), the Secure Mobile Centre is developing efficient and scalable technologies and solutions that strengthen the security of mobile computing systems, applications and services. The Secure Mobile Centre is led by a team of five faculty members from SMU’s School of Information Systems who specialise in information security and trust: Professor Robert DENG (Centre Director), Professor PANG Hwee Hwa, Associate Professor LI Yingjiu, Associate Professor DING Xuhua and Assistant Professor Debin …


Security Policies That Make Sense For Complex Systems: Comprehensible Formalism For The System Consumer, Rhonda R. Henning Oct 2014

CCE Theses and Dissertations

Information Systems today rarely are contained within a single user workstation, server, or networked environment. Data can be transparently accessed from any location, and maintained across various network infrastructures. Cloud computing paradigms commoditize the hardware and software environments and allow an enterprise to lease computing resources by the hour, minute, or number of instances required to complete a processing task. An access control policy mediates access requests between authorized users of an information system and the system's resources. Access control policies are defined at any given level of abstraction, such as the file, directory, system, or network, and can be …


Mapping The Consensual Knowledge Of Security Risk Management Experts, David J. Brooks Sep 2014

David J Brooks Dr.

The security industry comprises of diverse and multidisciplined practitioners, originating from many disciplines. It has been suggested that the industry has an undefined knowledge structure, although security experts contain a rich knowledge structure. There has also been limited research mapping security expert knowledge structure, reducing the ability of tertiary educators to provide industry focused teaching and learning. The study utilized multidimensional scaling (MDS) and expert interviews to map the consensual knowledge structure of security experts in their understanding of security risk. Security risk concepts were extracted and critiqued from West Australian university courses. Linguistic analysis categorised the more utilized security …


Development Of Water Meter For Secure Communication In The Advanced Metering Infrastructure, Sugwon Hong, Hyung Mo Park Aug 2014

International Conference on Hydroinformatics

The Advanced Metering Infrastructure (AMI) is one of the integral components of the smart water grid where water consumption data is collected, stored, and transferred to the utility Meter Data Management System (MDMS). The organizations which are directly involved in promoting and developing the Smart Water Grid have tried to figure out the operating scenarios in the overall domain from the smart meters up to MDMS, and logical/physical components that should be expected to exist to perform those operations in the full extent. One of the daunting tasks in realizing the services in the AMI is the security issue. Unlike …


Integrating Visual Mnemonics And Input Feedback With Passphrases To Improve The Usability And Security Of Digital Authentication, Kevin Juang Aug 2014

All Dissertations

The need for both usable and secure authentication is more pronounced than ever before. Security researchers and professionals will need to have a deep understanding of human factors to address these issues. Due to their ubiquity, recoverability, and low barrier of entry, passwords remain the most common means of digital authentication. However, fundamental human nature dictates that it is exceedingly difficult for people to generate secure passwords on their own. System-generated random passwords can be secure but are often unusable, which is why most passwords are still created by humans. We developed a simple system for automatically generating mnemonic phrases …


Streets: Game-Theoretic Traffic Patrolling With Exploration And Exploitation, Matthew Brown, Sandhya Saisubramanian, Pradeep Varakantham, Milind Tambe Jul 2014

Research Collection School Of Computing and Information Systems

To dissuade reckless driving and mitigate accidents, cities deploy resources to patrol roads. In this paper, we present STREETS, an application developed for the city of Singapore, which models the problem of computing randomized traffic patrol strategies as a defender-attacker Stackelberg game. Previous work on Stackelberg security games has focused extensively on counterterrorism settings. STREETS moves beyond counterterrorism and represents the first use of Stackelberg games for traffic patrolling, in the process providing a novel algorithm for solving such games that addresses three major challenges in modeling and scale-up. First, there exists a high degree of unpredictability in travel times …


A Wearable System That Knows Who Wears It, Cory Cornelius, Ronald Peterson, Joseph Skinner, Ryan Halter, David Kotz Jun 2014

Dartmouth Scholarship

Body-area networks of pervasive wearable devices are increasingly used for health monitoring, personal assistance, entertainment, and home automation. In an ideal world, a user would simply wear their desired set of devices with no configuration necessary: the devices would discover each other, recognize that they are on the same person, construct a secure communications channel, and recognize the user to which they are attached. In this paper we address a portion of this vision by offering a wearable system that unobtrusively recognizes the person wearing it. Because it can recognize the user, our system can properly label sensor data or …