Authored by Preston Robinette, Diego Lopez, Taylor Johnson
Ongoing national discourse and legal proceedings on the security and integrity of election and voting processes has focused significant scrutiny on the methods, processes, and people involved in administering this vital piece in our democracy. The COVID-19 pandemic necessitated the broadening of vote-by-mail opportunities for constituents to allow for safe and accessible access to cast a ballot. For example, in Maryland, nearly half of the more than 3 million voters (74.5% of the eligible voters) cast their ballot using Maryland’s vote-by-mail option in the 2020 General Election, and 27% of the nearly 2 million voters (47.4% of the eligible voters) utilized Maryland’s vote-by-mail option in the 2022 General Election. Maryland residents can also to permanently choose to vote by mail, receiving a ballot for each election. In recognition that election and voting processes and equipment security and integrity are of “vital national interest”, the U.S. Department of Homeland Security (DHS) labeled them as critical infrastructure within the Government Facilities sector in 2017. The nearly 1 million poll workers needed nationwide to administer a General Election are oftentimes the first line of defense in maintaining the integrity and security of elections. This paper extends our prior work reported in the Baltimore Business Review – A Maryland Journal that analyzed the cyber, physical, and insider threats in various in-person voting processes and equipment and developed poll worker training modules for those threats in partnership with Maryland Boards of Elections. Specifically, this paper further contributes to improving the security and integrity of election infrastructure through cyber, physical, and insider threat training for poll workers explicitly for the vote-by-mail processes. Specifically, this paper details the design, validation, and dissemination of a vote-by-mail threat training module.  https://elections.maryland.gov/press_room/2020_stats/Nov%203%20Election%20Report_Final.pdf  https://www.elections.maryland.gov/about/documents/03a_Administrators%20Report_December_2022.pdf https://www.dhs.gov/topics/election-security
Authored by Vanessa Gregorio, Josh Dehlinger, Natalie Scala
The security concerns surrounding the 2016 and 2020 United States Presidential Elections have underscored the critical importance of election security, prompting a renewed emphasis on preventing, detecting, and mitigating emerging threats associated with election infrastructure. With their pivotal role as the first line of defense on Election Day, poll workers bear the responsibility of identifying and thwarting any potential threats that may arise. Moreover, they possess unsupervised access to the U.S. critical infrastructure elections equipment at polling places and are entrusted with administering the election processes at their local precincts. However, despite their crucial role, poll workers receive minimal, if any, specific training on security threats prior to elections. To address this gap, this research investigates poll worker threat awareness through developing, piloting, and empirically evaluating online training modules aimed at teaching poll workers to identify and mitigate potential cyber, physical, and insider threats that may arise prior to, and on, Election Day. Through statistical analysis of a pre-post-test study involving eligible and current poll workers, this research demonstrates the effectiveness of these training modules to significantly enhance poll workers' understanding of cyber, physical, and insider threats associated with the processes of three critical areas in voting: electronic pollbooks, the scanning unit, and provisional voting. The implications of this work emphasize the need for resources for election officials and managers to provide effective and comprehensive poll worker training and, thus, ensure the security and integrity of U.S. election processes.
Authored by Preston Robinette, Diego Lopez, Serena Serbinowska, Kevin Leach, Taylor Johnson
The edge computing-based Internet of Things (IoT) offers beneﬁts in terms of efﬁciency, low latency, security, and privacy. However, programming models and platforms for this edge-based IoT are still an open problem, particularly regarding security and privacy. This paper proposes concrete and realizable ideas for building a secure programming platform called Secure Swarm Programming Platform (SSPP) to ensure platform-level security for the edge-based IoT while utilizing existing systemlevel security mechanisms. SSPP’s easy-to-use software components can enable static and dynamic security analysis of IoT applications, preventing vulnerabilities and detecting intrusions. Software deployed through SSPP can be remotely attested by a veriﬁer on the edge, ensuring it remains untampered with. This paper also plans out future research and evaluation of SSPP’s programmability, security, and remote attestation.
Authored by Hokeun Kim
In the context of cloud environments, data providers entrust their data to data consumers in order to allow further computing on their own IT infrastructure. Usage control measures allow the data provider to restrict the usage of its data even on the data consumer’s system. Two of these restrictions can be the geographic location and time limitations. Current solutions that could be used to enforce such constraints can be easily manipulated. These include solutions based on the system time, organizational agreements, GPS-based techniques or simple delay measurements to derive the distance to known reference servers.
Authored by Hendrik Felde, Jean-Luc Reding, Michael Lux
Conﬁdential computing services enable users to run or use applications in Trusted Execution Environments (TEEs) leveraging secure hardware, like Intel SGX or AMD SEV, and verify them by performing remote attestation. Typically this process is very rigid and not always aligned with the trust assumptions of the users regarding the hardware identities, stakeholders and software that are considered trusted. In our work, we enable the users to tailor their trust boundaries according to their security concerns and remotely attest the different TEEs speciﬁcally based on those.
Authored by Anna Galanou
With the development of cloud computing and edge computing, data sharing and collaboration have become increasing between cloud edge and end. Under the assistance of edge cloud, end users can access the data stored in the cloud by data owners. However, in an unprotected cloud-edge-end network environment, data sharing is vulnerable to security threats from malicious users, and data confidentiality cannot be guaranteed. Most of the existing data sharing approaches use the identity authentication mechanism to resist unauthorized accessed by illegal end users, but the mechanism cannot guarantee the credibility of the end user’s network environment. Therefore, this article proposes an approach for trusted sharing of data under cloud-edge-end collaboration (TSDCEE), in which we verify the trustworthiness of the data requester’s network environment based on the mechanism of attribute remote attestation. Finally, this article uses model checking Spin method to formally analyze TSDCEE, and verifies the security properties of TSDCEE.
Authored by Xuejian Li, Mingguang Wang
With the proliferation of IoT devices, the number of devices connected to the Internet has been rapidly increasing. An edge computing platform must ﬂexible and efﬁcient data control. Also, edge nodes are not always reliable. Edge node administrators can leak data through intentional mishandling. In this paper, we propose an edge computing platform on modular architecture that protects data and processing from interception and a processing ﬂow based on data characteristics using Intel SGX and multi-authority attribute-based encryption. In addition, we report a performance evaluation of our method.
Authored by Yuma Nishihira, Takuya Ishibashi, Yoshio Kakizaki, Toshihiro Ohigashi, Hidenobu Watanabe, Tohru Kondo, Reiji Aibara
Authored by Liquan Chen, Yiwen Miao, Chen Yu, Suhui Liu
The wide adoption of IoT gadgets and CyberPhysical Systems (CPS) makes embedded devices increasingly important. While some of these devices perform mission-critical tasks, they are usually implemented using Micro-Controller Units (MCUs) that lack security mechanisms on par with those available to general-purpose computers, making them more susceptible to remote exploits that could corrupt their software integrity. Motivated by this problem, prior work has proposed techniques to remotely assess the trustworthiness of embedded MCU software. Among them, Control Flow Attestation (CFA) enables remote detection of runtime abuses that illegally modify the program’s control ﬂow during execution (e.g., control ﬂow hijacking and code reuse attacks).
Authored by Antonio Neto, Ivan Nunes
The continuing integration of decentralized energy generators requires a more flexible power grid, which necessitates the use of stronger automation and more communication technologies between the control systems. This is accompanied by an increase in the attack surface of the power grid, such as attacks on firmware of intelligent electronic devices. This publication aims to secure intelligent electronic devices by monitoring their firmware. To achieve this aim, Trusted Computing technology such as remote attestation are integrated into the power grid domain specific communication standards to improve security in the current power grid architecture. The outcome is an appropriate conceptual information model for the IEC 61850 standard in order to be qualified to transfer remote attestation information and exchange them with the control centre. Such a solution is perfectly designed for automatic remote monitoring.
Authored by Bastian Fraune, Torben Woltjen, Björn Siemers, Richard Sethmann
Authored by Haotian Zhu, Bei Gong, Zipeng Diao, Jingxiang Sun
What Makes Customers Satisfied and Continuence Using M-Fintech Payment? The Multidimensional Investigation of Perceived Security
The perception of security when consumers use the m-fintech payment application impacts satisfaction and continuance intention. However, data security threats and legal breaches have made consumers skeptical about the continuance of m-fintech payments. Therefore, this study aims to analyze the perceived security factor as a form of consumer satisfaction and the desire to continue using it with the support of confirmation behavior. This study uses a quantitative method by surveying 357 m-fintech payment users in Jabodetabek. All collected data has been processed, cleaned, and analyzed utilizing variance-based Structural Equation Modeling statistics. The research finding has proven that all hypotheses are accepted. Perceived security significantly affects confirmation, satisfaction, and continuance intention. A confirmation significantly affects satisfaction, and satisfaction significantly affects the continuance intention of mfintech payment. The originality of this research measures perceived security formatively. The conclusions of this analysis serve as information for the digital central currency bank (CDBC) development plan based on the security level.
Authored by Ridho Ikhsan, Yudi Fernando, Vini Mariani, Anderes Gui, Ahmad Fakhrorazi, Ika Wahyuni-TD
The growth of Electric Vehicles (EVs), coupled with the deployment of large-scale extreme fast charging stations (XFCSs), has increased the attack surface for EV ecosystems. To secure such critical cyber-physical systems (CPSs), it is imperative for the system defenders to perform an in-depth analysis of potential attack vectors, evaluate possible countermeasures, and analyze attack-defense scenarios quantitatively to implement a defense strategy that will provide maximum utilization of their limited resources. Therefore, a systematic framework is essential, relying on modeling tools that security experts are familiar with. In this paper, we propose a comprehensive methodology for enabling the defender to perform a high-level attack surface analysis of an XFCS and determine the defense strategy with the highest utility value. We apply STRIDE threat modeling and attack defense tree (ADT) to enumerate realizable attack paths and identify possible defense measures. We then employ analytic hierarchy process (AHP) as a multi-criteria decisionmaking algorithm to obtain the highest utility strategy for the defender to adopt. The proposed methodology is validated by demonstrating its real-world feasibility through a case study, using sample attack paths for an XFCS.
Authored by Souradeep Bhattacharya, Manimaran Govindarasu, Mansi Girdhar, Junho Hong
Online loan is viewed as an alternative to banking but easier and provide direct connection between public and loan offerer. However, online security threats and scam are undermining the quality of online loan. This study aims to determine how the public views their privacy while using online loan applications, perceived risk, perceived security, and qualities on intention to apply online loan. In order to examine the intention, a quantitative survey method was adopted and survey questionnaire was sent to the public who had experienced and apply for online loan applications. 153 responses were received and analysed using IBM SPSS version 28 for demographic analysis and SmartPLS 4 for model and structural measurements. Results show that perceived security, service quality and system quality were not critical to the respondents when choosing online loan applications while perceived risk, information sharing, and privacy concern were critical. This study shows that general public believed that security and quality are part of the package when organization offered a product or service. Interestingly, while privacy, risk, and information are important, public felt that it is the duty of organization to take care of their interests. Future research should look into behavioural aspects of public risk, information sharing, and privacy concern to understand in-depth.
Authored by Natanael Kurniawan, Jacques, Muammar Tohepaly, Anderes Gui, Muhammad Shaharudin, Yuvaraj Ganesan
Comprehensive Analysis and Remediation of Insecure Direct Object References (IDOR) Vulnerabilities in Android APIs
The escalating visibility of secure direct object reference (IDOR) vulnerabilities in API security, as indicated in the compilation of OWASP Top 10 API Security Risks, highlights a noteworthy peril to sensitive data. This study explores IDOR vulnerabilities found within Android APIs, intending to clarify their inception while evaluating their implications for application security. This study combined the qualitative and quantitative approaches. Insights were obtained from an actual penetration test on an Android app into the primary reasons for IDOR vulnerabilities, underscoring insufficient input validation and weak authorization methods. We stress the frequent occurrence of IDOR vulnerabilities in the OWASP Top 10 API vulnerability list, highlighting the necessity to prioritize them in security evaluations. There are mitigation recommendations available for developers, which recognize its limitations involving a possibly small and homogeneous selection of tested Android applications, the testing environment that could cause some inaccuracies, and the impact of time constraints. Additionally, the study noted insufficient threat modeling and root cause analysis, affecting its generalizability and real-world relevance. However, comprehending and controlling IDOR dangers can enhance Android API security, protect user data, and bolster application resilience.
Authored by Semi Yulianto, Roni Abdullah, Benfano Soewito
Risk assessors and managers face many difficult challenges related to the new network system. These challenges include the continuous changes in the nature of network systems caused by technological progress, their distribution in the fields of physics, information and social cognition, and the complex network structure that usually includes thousands of nodes. Here, we review the probability and risk-based decision technology applied to network systems, and conclude that the existing methods can not solve all the components of the risk assessment triad (threat, vulnerability, consequence), and lack the ability to integrate across multiple areas of network systems, thus providing guidance for enhancing network security. We propose a cloud native security chain architecture and network topology reconstruction technology link based on the full link of microservices. The network security performance is quantified by multi-layer filtering mechanism and setting different fitness index functions. The method proposed in this paper solves the problems of packet loss, load balancing and distributed delay of network security mechanism in the global network to a certain extent.
Authored by Shuo Sheng, Kun Che, Ang Mi, Xiaobo Wan
Package registries host reusable code assets, allowing developers to share and reuse packages easily, thus accelerating the software development process. Current software registry ecosystems involve multiple independent stakeholders for package management. Unfortunately, abnormal behavior and information inconsistency inevitably exist, enabling adversaries to conduct malicious activities with minimal effort covertly. In this paper, we investigate potential security vulnerabilities in six popular software registry ecosystems. Through a systematic analysis of the official registries, corresponding registry mirrors and registry clients, we identify twelve potential attack vectors, with six of them disclosed for the first time, that can be exploited to distribute malicious code stealthily. Based on these security issues, we build an analysis framework, RScouter, to continuously monitor and uncover vulnerabilities in registry ecosystems. We then utilize RScouter to conduct a measurement study spanning one year over six registries and seventeen popular mirrors, scrutinizing over 4 million packages across 53 million package versions. Our quantitative analysis demonstrates that multiple threats exist in every ecosystem, and some have been exploited by attackers. We have duly reported the identified vulnerabilities to related stakeholders and received positive responses.
Authored by Yacong Gu, Lingyun Ying, Yingyuan Pu, Xiao Hu, Huajun Chai, Ruimin Wang, Xing Gao, Haixin Duan
Security system designers favor worst-case security metrics, such as those derived from differential privacy (DP), due to the strong guarantees they provide. On the downside, these guarantees result in a high penalty on the system’s performance. In this paper, we study Bayes security, a security metric inspired by the cryptographic advantage. Similarly to DP, Bayes security i) is independent of an adversary’s prior knowledge, ii) it captures the worst-case scenario for the two most vulnerable secrets (e.g., data records); and iii) it is easy to compose, facilitating security analyses. Additionally, Bayes security iv) can be consistently estimated in a black-box manner, contrary to DP, which is useful when a formal analysis is not feasible; and v) provides a better utility-security trade-off in high-security regimes because it quantiﬁes the risk for a speciﬁc threat model as opposed to threat-agnostic metrics such as DP.
Authored by Konstantinos Chatzikokolakis, Giovanni Cherubin, Catuscia Palamidessi, Carmela Troncoso
This research aimed to examine the relationship between digital citizenship and information security achievements levels. For this purpose, the research was designed in the relational survey model within the scope of quantitative research. The sample of the research consists of teacher candidates studying at the Faculty of Education of Fırat University in the 2022-2023 academic year. To collect the research data, the Digital Citizenship Questionnaire and the Information Security Achievements Scale were used. At the end of the study, it was revealed that the digital citizenship levels of the teacher candidates were high, and the information security attainment levels related to threats and taking precautions were moderate. According to the gender variable, the digital citizenship levels of teacher candidates were found to be significantly higher in favor of females. Information security achievement levels differ significantly in favor of males according to the gender variable. It has been observed that as the information security achievements of the teacher candidates increase, the correct usage, health and social responsibility levels of digital citizenship tend to increase as well.
Authored by Songül Karabatak, Sevinç Ay, Murat Karabatak
In the digital era, web applications have become a prevalent tool for businesses. As the number of web applications continues to grow, they become enticing targets for malicious actors seeking to exploit potential security vulnerabilities. Organizations face constant risks associated with vulnerabilities in their web-based software systems, which can result in data breaches, service disruptions, and a loss of trust. Consequently, organizations require an effective and efficient approach to assess and analyze the security of acquired web-based software, ensuring sufficient confidence in its utilization. This research aims to enhance the quantitative evaluation and analysis of web application security through a model-based approach. We focus on integrating the Open Web Application Security Project s (OWASP) Application Security Verification Standard (ASVS) into a structured and analyzable metamodel. This model aims to effectively assess the security levels of web applications while offering valuable insights into their strengths and weaknesses. By combining the ASVS with a comprehensive framework, we aim to provide a robust methodology for evaluating and analyzing web application security.
Authored by Shao-Fang Wen, Basel Katt
Security still remains an afterthought in modern Electronic Design Automation (EDA) tools, which solely focus on enhancing performance and reducing the chip size. Typically, the security analysis is conducted by hand, leading to vulnerabilities in the design remaining unnoticed. Security-aware EDA tools assist the designer in the identification and removal of security threats while keeping performance and area in mind. Stateof-the-art approaches utilize information flow analysis to spot unintended information leakages in design structures. However, the classification of such threats is binary, resulting in negligible leakages being listed as well. A novel quantitative analysis allows the application of a metric to determine a numeric value for a leakage. Nonetheless, current approximations to quantify the leakage are still prone to overlooking leakages. The mathematical model 2D-QModel introduced in this work aims to overcome this shortcoming. Additionally, as previous work only includes a limited threat model, multiple threat models can be applied using the provided approach. Open-source benchmarks are used to show the capabilities of 2D-QModel to identify hardware Trojans in the design while ignoring insignificant leakages.
Authored by Lennart Reimann, Sarp Erdönmez, Dominik Sisejkovic, Rainer Leupers
Technology integration has enabled value-added services and quality-of-life enhancement in almost all aspects of modern life. In this paper, we present a UAV and low-cost Bluetooth low energy (BLE) tags-based location search system which enables a cart take-home service for shoppers of a supermarket in a model smart colony. The presented system has quality-of-life enhancement as well as carbon footprint reduction effects and can be integrated with the existing security and/or transport system of the model smart colony. Conducted field trials on location accuracy of the system are also presented, showing that carts left by residents outside the home can be located within 6.58m and carts taken inside homes or buildings can be located within 16.43m.
Authored by Rana Bilal, Zubair Akhter, Nawaf Alsahli, Muhammad Abdel-Aal, Atif Shamim
Design and Development of an IoT Enabled Multi Features Smart Bag and Women’s Security Monitoring System
IoT-Based Smart Bag and Women Security System is an novel solution to address the raising problem of women s safety and offers protection to their personal belongings while providing real-time status updates. In recent days, women often face insecure situations in society. To overcome this, a safety-oriented method has been proposed. When the person is attacked by any of the strangers of thieves, the person can use the push button by which an alert notification is delivered to the registered smart phone number with the person’s location. Additionally, the bag is provided with a shock generator that can be used by women to defend themselves against attacks from strangers or theft people, which generates an electric shock of 550V. The bag is also assisted with a finger print detector is used for securing the zipper to avoid theft. An internal lighting system have been used which detects the intensity of light and automatically switches ON when the intensity is low for ease of locating items and a wireless charger for consumer’s convenience. This system utilizes components such as ESP32, a fingerprint sensor, and a GPS system helps tracing the exact location of the bag. The collected data can visualize through the Adafruit dashboard, that offers users a clear view of the bag s location, and ON and OFF status of LED and fingerprint sensor.
Authored by Ramesh R