Identifying and Mitigating Phishing Attack Threats in IoT Use Cases Using a Threat Modelling Approach

Internet of things (IoT) is a technology that enables our daily life objects to connect on the Internet and to send and receive data for a meaningful purpose. In recent years, IoT has led to many revolutions in almost every sector of our society. Nevertheless, security threats to IoT devices and networks are relentlessly disruptive, because of the proliferation of Internet technologies. Phishing is one of the most prevalent threats to all Internet users, in which attackers aim to fraudulently extract sensitive information of a user or system, using fictitious emails, websites, etc. With the rapid increase in IoT devices, attackers are targeting IoT devices such as security cameras, smart cars, etc., and perpetrating phishing attacks to gain control over such vulnerable devices for malicious purposes. In recent decades, such scams have been spreading, and they have become increasingly advanced over time. By following this trend, in this paper, we propose a threat modelling approach to identify and mitigate the cyber-threats that can cause phishing attacks. We considered two significant IoT use cases, i.e., smart autonomous vehicular system and smart home. The proposed work is carried out by applying the STRIDE threat modelling approach to both use cases, to disclose all the potential threats that may cause a phishing attack. The proposed threat modelling approach can support the IoT researchers, engineers, and IoT cyber-security policymakers in securing and protecting the potential threats in IoT devices and systems in the early design stages, to ensure the secure deployment of IoT devices in critical infrastructures.

Download Full-text

Blockchain-Based Security Model for LoRaWAN Firmware Updates

Journal of Sensor and Actuator Networks ◽

10.3390/jsan11010005 ◽

2022 ◽

Vol 11 (1) ◽

pp. 5

Author(s):

Njabulo Sakhile Mtetwa ◽

Paul Tarwireyi ◽

Cecilia Nombuso Sibeko ◽

Adnan Abu-Mahfouz ◽

Matthew Adigun

Keyword(s):

Use Cases ◽

Smart Devices ◽

Area Network ◽

Sensitive Information ◽

Security Model ◽

Functional Requirements ◽

Wide Area Network ◽

Proposed Model ◽

Attack Surface ◽

Iot Devices

The Internet of Things (IoT) is changing the way consumers, businesses, and governments interact with the physical and cyber worlds. More often than not, IoT devices are designed for specific functional requirements or use cases without paying too much attention to security. Consequently, attackers usually compromise IoT devices with lax security to retrieve sensitive information such as encryption keys, user passwords, and sensitive URLs. Moreover, expanding IoT use cases and the exponential growth in connected smart devices significantly widen the attack surface. Despite efforts to deal with security problems, the security of IoT devices and the privacy of the data they collect and process are still areas of concern in research. Whenever vulnerabilities are discovered, device manufacturers are expected to release patches or new firmware to fix the vulnerabilities. There is a need to prioritize firmware attacks, because they enable the most high-impact threats that go beyond what is possible with traditional attacks. In IoT, delivering and deploying new firmware securely to affected devices remains a challenge. This study aims to develop a security model that employs Blockchain and the InterPlanentary File System (IPFS) to secure firmware transmission over a low data rate, constrained Long-Range Wide Area Network (LoRaWAN). The proposed security model ensures integrity, confidentiality, availability, and authentication and focuses on resource-constrained low-powered devices. To demonstrate the utility and applicability of the proposed model, a proof of concept was implemented and evaluated using low-powered devices. The experimental results show that the proposed model is feasible for constrained and low-powered LoRaWAN devices.

Download Full-text

PHISHING: AN EVOLVING THREAT

International Journal of Students Research in Technology & Management ◽

10.18510/ijsrtm.2015.312 ◽

2015 ◽

Vol 3 (1) ◽

pp. 216-222

Author(s):

Keyur Shah

Keyword(s):

Success Rate ◽

Large Scale ◽

Large Population ◽

Social Engineering ◽

Text Messages ◽

Sensitive Information ◽

Phishing Attacks ◽

Internet Users ◽

Confidential Data ◽

E Mail

Phishing is one of the most common attacks used to extract sensitive information for malicious use. It is one of the easiest ways to extract confidential data on a large-scale. A fraudulent website/e-mail which looks very similar to the original is setup to trap the victim to give away confidential information. A large population of internet users still lacks knowledge to avoid phishing. When the phishing attacks are complimented with social engineering skills, the success rate is increased. Along with the progress of technology, phishing techniques have evolved encroaching upon newer communication mediums like voice and text messages giving rise to newer specialized forms of Phishing called - Vishing and SMSishing. In this paper, we also cover how to avoid being a victim of these attacks. One of the best promising methods to avoid Phishing is Zero Knowledge Authentication -ZeKo which immunes the user from phishing attacks.

Download Full-text

A Threat Modelling Approach to Analyze and Mitigate Botnet Attacks in Smart Home Use Case

10.21203/rs.3.rs-142075/v1 ◽

2021 ◽

Author(s):

Syed Ghazanfar Abbas ◽

Shahzaib Zahid ◽

Faisal Hussain ◽

Ghalib A. Shah ◽

Muhammad Husnain

Keyword(s):

Smart Home ◽

Design Activity ◽

Use Case ◽

Development Level ◽

Development And Utilization ◽

Threat Modelling ◽

Iot Devices ◽

Modelling Methods ◽

Security Of Iot ◽

Modelling Approach

Abstract Despite the surging development and utilization of IoT devices, the security of IoT devices is still in infancy. The security pitfalls of IoT devices have made it easy for hackers to take over IoT devices and use them for malicious activities like botnet attacks. With the rampant emergence of IoT devices, botnet attacks are surging. The botnet attacks are not only catastrophic for IoT device users but also for the rest of the world. Therefore, there is a crucial need to identify and mitigate the possible threats in IoT devices during the design phase. Threat modelling is a technique that is used to identify the threats in the earlier stages of the system design activity. In this paper, we propose a threat modelling approach to analyze and mitigate the botnet attacks in an IoT smart home use case. The proposed methodology identifies the development-level and application-level threats in smart home use case using STRIDE and VAST threat modelling methods. Moreover, we reticulate the identified threats with botnet attacks. Finally, we propose the mitigation techniques for all identified threats including the botnet threats.

Download Full-text

A Comparative Analysis of Arabic Text Steganography

Applied Sciences ◽

10.3390/app11156851 ◽

2021 ◽

Vol 11 (15) ◽

pp. 6851

Author(s):

Reema Thabit ◽

Nur Izura Udzir ◽

Sharifah Md Yasin ◽

Aziah Asmawi ◽

Nuur Alifah Roslan ◽

...

Keyword(s):

Evaluation Criteria ◽

Arabic Language ◽

Text Messages ◽

Secret Message ◽

Sensitive Information ◽

Arabic Text ◽

Ideal Object ◽

Internet Users ◽

Text Steganography ◽

Text Content

Protecting sensitive information transmitted via public channels is a significant issue faced by governments, militaries, organizations, and individuals. Steganography protects the secret information by concealing it in a transferred object such as video, audio, image, text, network, or DNA. As text uses low bandwidth, it is commonly used by Internet users in their daily activities, resulting a vast amount of text messages sent daily as social media posts and documents. Accordingly, text is the ideal object to be used in steganography, since hiding a secret message in a text makes it difficult for the attacker to detect the hidden message among the massive text content on the Internet. Language’s characteristics are utilized in text steganography. Despite the richness of the Arabic language in linguistic characteristics, only a few studies have been conducted in Arabic text steganography. To draw further attention to Arabic text steganography prospects, this paper reviews the classifications of these methods from its inception. For analysis, this paper presents a comprehensive study based on the key evaluation criteria (i.e., capacity, invisibility, robustness, and security). It opens new areas for further research based on the trends in this field.

Download Full-text

Ciphertext-policy attribute-based encryption with hidden sensitive policy from keyword search techniques in smart city

EURASIP Journal on Wireless Communications and Networking ◽

10.1186/s13638-020-01875-2 ◽

2021 ◽

Vol 2021 (1) ◽

Author(s):

Fei Meng ◽

Leixiao Cheng ◽

Mingqiang Wang

Keyword(s):

Smart City ◽

Keyword Search ◽

Sensitive Information ◽

Security Model ◽

Computational Overhead ◽

Diffie Hellman ◽

Attribute Based Encryption ◽

Iot Devices ◽

Ciphertext Policy ◽

Access Policies

AbstractCountless data generated in Smart city may contain private and sensitive information and should be protected from unauthorized users. The data can be encrypted by Attribute-based encryption (CP-ABE), which allows encrypter to specify access policies in the ciphertext. But, traditional CP-ABE schemes are limited because of two shortages: the access policy is public i.e., privacy exposed; the decryption time is linear with the complexity of policy, i.e., huge computational overheads. In this work, we introduce a novel method to protect the privacy of CP-ABE scheme by keyword search (KS) techniques. In detail, we define a new security model called chosen sensitive policy security: two access policies embedded in the ciphertext, one is public and the other is sensitive and hidden. If user's attributes don't satisfy the public policy, he/she cannot get any information (attribute name and its values) of the hidden one. Previous CP-ABE schemes with hidden policy only work on the “AND-gate” access structure or their ciphertext size or decryption time maybe super-polynomial. Our scheme is more expressive and compact. Since, IoT devices spread all over the smart city, so the computational overhead of encryption and decryption can be shifted to third parties. Therefore, our scheme is more applicable to resource-constrained users. We prove our scheme to be selective secure under the decisional bilinear Diffie-Hellman (DBDH) assumption.

Download Full-text

Persuading end users to act cautiously online: a fear appeals study on phishing

Information and Computer Security ◽

10.1108/ics-03-2018-0038 ◽

2018 ◽

Vol 26 (3) ◽

pp. 264-276 ◽

Cited By ~ 3

Author(s):

Jurjen Jansen ◽

Paul van Schaik

Keyword(s):

Information Sharing ◽

Fear Appeals ◽

Future Research ◽

Protection Motivation ◽

Online Information ◽

Fear Appeal ◽

Content Type ◽

Phishing Attacks ◽

Internet Users ◽

Post Test

Purpose The purpose of this paper is to test the protection motivation theory (PMT) in the context of fear appeal interventions to reduce the threat of phishing attacks. In addition, it was tested to what extent the model relations are equivalent across fear appeal conditions and across time. Design/methodology/approach A pre-test post-test design was used. In the pre-test, 1,201 internet users filled out an online survey and were presented with one of three fear appeal conditions: strong fear appeal, weak fear appeal and control condition. Arguments regarding vulnerability of phishing attacks and response efficacy of vigilant online information-sharing behaviour were manipulated in the fear appeals. In the post-test, data were collected from 786 internet users and analysed with partial least squares path modelling. Findings The study found that PMT model relations hold in the domain of phishing. Self-efficacy and fear were the most important predictors of protection motivation. In general, the model results were equivalent across conditions and across time. Practical Implications It is important to consider online information-sharing behaviour because it facilitates the occurrence and success of phishing attacks. The results give practitioners more insight into important factors to address in the design of preventative measures to reduce the success of phishing attacks. Future research is needed to test how fear appeals work in real-world settings and over longer periods. Originality/value This paper is a substantial adaptation of a previous conference paper (Jansen and Van Schaik, 2017a, b).

Download Full-text

Device-Based Security to Improve User Privacy in the Internet of Things †

Sensors ◽

10.3390/s18082664 ◽

2018 ◽

Vol 18 (8) ◽

pp. 2664 ◽

Cited By ~ 4

Author(s):

Luis Belem Pacheco ◽

Eduardo Pelinson Alchieri ◽

Priscila Mendez Barreto

Keyword(s):

Cloud Computing ◽

Internet Of Things ◽

Single Point ◽

Data Access ◽

Cloud Services ◽

Sensitive Information ◽

User Privacy ◽

Privacy And Security ◽

Iot Devices ◽

And Control

The use of Internet of Things (IoT) is rapidly growing and a huge amount of data is being generated by IoT devices. Cloud computing is a natural candidate to handle this data since it has enough power and capacity to process, store and control data access. Moreover, this approach brings several benefits to the IoT, such as the aggregation of all IoT data in a common place and the use of cloud services to consume this data and provide useful applications. However, enforcing user privacy when sending sensitive information to the cloud is a challenge. This work presents and evaluates an architecture to provide privacy in the integration of IoT and cloud computing. The proposed architecture, called PROTeCt—Privacy aRquitecture for integratiOn of internet of Things and Cloud computing, improves user privacy by implementing privacy enforcement at the IoT devices instead of at the gateway, as is usually done. Consequently, the proposed approach improves both system security and fault tolerance, since it removes the single point of failure (gateway). The proposed architecture is evaluated through an analytical analysis and simulations with severely constrained devices, where delay and energy consumption are evaluated and compared to other architectures. The obtained results show the practical feasibility of the proposed solutions and demonstrate that the overheads introduced in the IoT devices are worthwhile considering the increased level of privacy and security.

Download Full-text

A conceptual framework for cyber security awareness and education in SA

South African Computer Journal ◽

10.18489/sacj.v52i0.201 ◽

2014 ◽

Vol 52 ◽

Cited By ~ 18

Author(s):

Noluxolo Kortjan ◽

Rossouw Von Solms

Keyword(s):

South Africa ◽

Cyber Security ◽

Developed Countries ◽

The Internet ◽

Security Awareness ◽

Key Factors ◽

Primary Research ◽

Daily Lives ◽

Internet Users ◽

Positive Effect

The Internet is becoming increasingly interwoven in the daily lives of many individuals, organisations and nations. It has, to a large extent, had a positive effect on the way people communicate. It has also introduced new avenues for business; and it has offered nations an opportunity to govern online. Nevertheless, although cyberspace offers an endless list of services and opportunities, it is also accompanied by many risks, of which many Internet users are not aware. As such, various countries have developed and implemented cyber-security awareness and education measures to counter the perceived ignorance of the Internet users. However, there is currently a definite lack in South Africa (SA) in this regard; as there are currently, little government-led and sponsored cyber-security awareness and education initiatives. The primary research objective of this paper, therefore, is to propose a cyber-security awareness and education framework for SA that would assist in creating a cyber-secure culture in SA among all of the users of the Internet. This framework will be developed on the basis of key factors extrapolated from a comparative analysis of relevant developed countries.

Download Full-text

Review of the machine learning methods in the classification of phishing attack

Bulletin of Electrical Engineering and Informatics ◽

10.11591/eei.v8i4.1344 ◽

2019 ◽

Vol 8 (4) ◽

pp. 1545-1555

Author(s):

John Arthur Jupin ◽

Tole Sutikno ◽

Mohd Arfian Ismail ◽

Mohd Saberi Mohamad ◽

Shahreen Kasim ◽

...

Keyword(s):

Machine Learning ◽

Social Media ◽

Computer Network ◽

Computer Users ◽

Machine Learning Method ◽

Learning Method ◽

Phishing Attacks ◽

Internet Users ◽

Internet Networks ◽

Use Of Internet

The development of computer networks today has increased rapidly. This can be seen based on the trend of computer users around the world, whereby they need to connect their computer to the Internet. This shows that the use of Internet networks is very important, whether for work purposes or access to social media accounts. However, in widely using this computer network, the privacy of computer users is in danger, especially for computer users who do not install security systems in their computer. This problem will allow hackers to hack and commit network attacks. This is very dangerous, especially for Internet users because hackers can steal confidential information such as bank login account or social media login account. The attacks that can be made include phishing attacks. The goal of this study is to review the types of phishing attacks and current methods used in preventing them. Based on the literature, the machine learning method is widely used to prevent phishing attacks. There are several algorithms that can be used in the machine learning method to prevent these attacks. This study focused on an algorithm that was thoroughly made and the methods in implementing this algorithm are discussed in detail.

Download Full-text

UNIVERSITY CYBER SECURITY AS A METHOD FOR ANTI-FISHING FRAUD

ED/2019/1 - The economic discourse ◽

10.36742/2410-0919-2020-1-7 ◽

2020 ◽

pp. 59-67

Author(s):

Irina Tatomur

Keyword(s):

Cyber Security ◽

Educational Institution ◽

Visual Presentation ◽

Academic Community ◽

Cyber Attacks ◽

Asia Pacific ◽

Economic Losses ◽

Educational Institutions ◽

Security Measures ◽

Phishing Attacks

Introduction. With the rapid adoption of computer and networking technologies, educational institutions pay insufficient attention to the implementation of security measures to ensure the confidentiality, integrity and accessibility of data, and thus fall prey to cyber-attacks. Methods. The following methods were used in the process of writing the article: methods of generalization, analogy and logical analysis to determine and structure the motives for phishing attacks, ways to detect and prevent them; statistical analysis of data – to build a chronological sample of the world's largest cyber incidents and determine the economic losses suffered by educational institutions; graphical method – for visual presentation of results; abstraction and generalization – to make recommendations that would help reduce the number of cyber scams. Results. The article shows what role cyber security plays in counteracting phishing scams in the educational field. The motives for the implementation of phishing attacks, as well as methods for detecting and preventing them, have been identified and regulated. The following notions as "phishing", "submarine" and "whaling" are evaluated as the most dangerous types of fraud, targeting both small and large players in the information chain of any educational institution. An analytical review of the educational services market was conducted and a chronological sampling of the largest cyber incidents that occurred in the period 2010-2019 was made. The economic losses incurred by colleges, research institutions and leading universities in the world were described. It has been proven that the US and UK educational institutions have been the most attacked by attackers, somewhat inferior to Canada and countries in the Asia-Pacific region. It is found that education has become the top industry in terms of the number of Trojans detected on devices belonging to educational institutions and the second most listed among the most affected by the ransomware. A number of measures have been proposed to help reduce the number of cyber incidents. Discussion. The obtained results should be taken into account when formulating a strategy for the development of educational institutions, as well as raising the level of awareness of the representatives of the academic community in cybersecurity. Keywords: phishing, cyber security, cyber stalkers, insider threat, rootkit, backdoor.

Download Full-text