Employees' Attitude towards Phishing Simulations: "It's like when a child reaches onto the hot hob"

Schiller, Katharina; Adamsky, Florian; Eichenmüller, Christian; Reimert, Matthias...

ACM Conference on Computer and Communications Security (CCS) 2024.
DOI: 10.1145/3658644.3690212


Open Access Peer Reviewed
 

E-mail phishing attacks remain one of the most significant challenges in IT security and are often used for initial access. Many organizations rely on phishing simulations to educate their staff to recognize suspicious e-mails. Previous studies have analyzed the effectiveness of these phishing simulations, with mixed findings. However, the perception of and attitudes towards phishing simulations among staff have received little to no attention.

This paper presents findings from a study that we carried out in cooperation with a multinational company that conducted phishing simulations over more than 12 months. We first conducted a quantitative survey involving 757 employees and then qualitative interviews with 22 participants to gain deeper insights into the perception of phishing simulations and the corresponding e-learning. We could not find evidence that employees feel attacked by their organisation as previous studies suspected. On the contrary, we found that a majority (86.9 %) have a positive or very positive attitude towards phishing simulations. The interviews revealed that some employees developed new routines for e-mail processing, but most describe themselves as having become more vigilant without concrete changes. Furthermore, we found evidence that phishing simulations create a false sense of security, as the employees feel protected by them. Additionally, lack of communication and feedback can negatively impact employees’ attitude and lead to adverse consequences. Finally, we show that only a small portion of the employees who clicked on the phishing website interacted with the interactive e-learning elements, which raises questions about its objective usefulness, although they are perceived as useful.


OnionVPN: Onion Routing-Based VPN-Tunnels with Onion Services

Pahl, Sebastian; Kaiser, Daniel; Engel, Thomas; Adamsky, Florian (2024)

Workshop on Privacy in the Electronic Society (WPES) 2024.
DOI: 10.1145/3689943.3695043


Peer Reviewed
 

Virtual Private Networks (VPNs) provide confidentiality and hide the original IP address. Although many VPN providers promise not to record user activity, several media reports of data breaches show that this is often not true. Tor, on the other hand, allows anonymous communication using onion routing and takes privacy and anonymity seriously, but at the cost of performance loss. What is missing is a sweet spot between VPNs and anonymization networks that supports bulk downloads and video streaming but provides countermeasures against untrusted VPN providers and Autonomous System (AS)-level attackers.

In this paper, we present OnionVPN, an onion routing-based VPN tunnel that provides better bulk transfer performance than Tor and offers additional security features over a VPN: (1) intermediate VPN nodes see only encrypted traffic, (2) protection against AS-level attackers with a new path selection algorithm, and (3) onion services with a novel cryptographic NAT traversal algorithm using the Noise protocol framework. We analyze 118 VPN providers, systematically compare them to our requirements and show that OnionVPN is currently possible with three VPN providers. An alternative to Tor for bulk traffic could relieve the Tor network and provide a better experience for other users who need higher privacy and anonymity features.


Presshammer: Rowhammer and Rowpress without Physical Address Information

Juffinger, Jonas; Sudheendra, Raghav Neela; Heckel, Martin; Schwarz, Lukas...

21st Conference on Detection of Intrusions and Malware & Vulnerability Assessment (DIMVA '24).


Peer Reviewed
 

Modern DRAM is susceptible to fault attacks that undermine the entire system’s security. The most well-studied disturbance effect is Rowhammer, where an attacker repeatedly opens and closes (i.e., hammers) different rows, which can lead to bitflips in adjacent rows. Different hammering strategies include double-sided, hammering two rows sandwiching a victim row, and one-location, hammering a single row. One-location Rowhammer requires no physical address information, as any location in memory is mapped to a DRAM row, and no relation between rows is required for hammering. The recently discovered Rowpress differs from Rowhammer by not hammering rows but keeping them open longer, evident by a disjoint set of affected memory locations.

In this paper, we examine the differences between four attack variants: one-location Rowhammer, a one-location Rowpress variant we developed, double-sided Rowhammer, and double-sided Rowpress on a set of 12 DDR4 modules. Our methodology is to hammer and press the exact same set of physical memory locations in all attack variants. Surprisingly, our results show that on 4 out of 12 DDR4 modules, we were only able to reproduce double-sided Rowhammer but none of the other attack variants. On 2 DDR4 modules, we were able to reproduce all attack variants. We find that the number of unique bitflip locations ranges from 161 to 15 612 when hammering the exact same set of physical memory locations. Our one-location Rowhammer attack induces roughly the same amount of bitflips as double-sided Rowhammer; however, only 61.8 % of bitflip locations overlap. We explain this by one-location Rowhammer inducing bitflips due to the Rowhammer as well as the Rowpress effect, making the differentiation of both methods difficult, therefore calling it Presshammer. Based on our observed bitflips, we develop the first end-to-end one-location Rowpress attack. One-location Rowpress requires only minimal physical address information that an attacker can acquire through a same-row same-bank side-channel attack. Our end-to-end attack escalates to kernel privileges within less than 10 minutes.


Smartphones in a Microwave: Formal and Experimental Feasibility Study on Fingerprinting the Corona-Warn-App

Graßhoff, Hendrik; Schiffner, Stefan; Adamsky, Florian (2023)

TRUSTbus at ARES 2023 (20th International Workshop on Trust, Privacy and Security in the Digital Society).


Peer Reviewed
 

Contact Tracing Apps (CTAs) have been developed to contain the coronavirus disease 19 (COVID-19) spread. By design, such apps invade their users’ privacy by recording data about their health, contacts, and—partially—location. Many CTAs frequently broadcast pseudorandom numbers via Bluetooth to detect contacts. These numbers are changed regularly to prevent individual smartphones from being tracked trivially. However, we find that this technology is vulnerable to fingerprinting techniques. We measured real smartphones and observed that the Corona-Warn-App (CWA) exhibits a device-specific latency between two subsequent broadcasts. These timing differences provide a potential attack vector for fingerprinting smartphones by passively recording Bluetooth messages. This could conceivably lead to the tracking of users’ trajectories and, ultimately, the re-identification of users.


Reverse-Engineering Bank Addressing Functions on AMD CPUs

Heckel, Martin; Adamsky, Florian (2023)

The 3rd Workshop on DRAM Security (DRAMSec 2023), co-located with ISCA 2023.


Open Access Peer Reviewed
 

The memory controller of the CPU uses bank addressing functions to determine physical locations within DRAM DIMMs. There are many fields of application for these addressing functions, particularly in security. For example, many Rowhammer proofs-of-concept use bank addressing functions to select addresses located on the same bank but in different rows to produce row conflicts. AMD provides these addressing functions for older CPU models. Hence, research on reverse-engineering addressing functions mainly targeted Intel CPUs since Intel did not publish these functions. However, AMD stopped publishing the DRAM addressing functions several years ago. AMD manufactures roughly a third of the sold CPUs in today’s CPU market. We analyze reverse-engineering tools for addressing functions and find that they do not work with AMD CPUs, hindering reverse-engineering attempts and Rowhammer attacks on systems with AMD CPUs. In this paper, we introduce an approach to reverse-engineer the addressing functions of AMD CPUs, which facilitates future Rowhammer experiments on AMD CPUs.


Towards an Empirical Study to determine the Effectiveness of Support Systems against E-Mail Phishing Attacks

Schiller, Katharina; Adamsky, Florian; Benenson, Zinaida (2023)

The ACM CHI Conference on Human Factors in Computing Systems.


Peer Reviewed
 

E-mail phishing attacks are still the number one gateway for attackers. Even when the patch level of a network is up to date, if one employee clicks on a link in a phishing e-mail and enters their credentials on a malicious website or downloads malware, the whole organization might get compromised. Anti-phishing support systems highlight different aspects of an e-mail to help users to detect phishing e-mails. However, little is known about their effectiveness, especially in comparison to each other. This paper presents our experimental design to investigate the efficacy of various support systems. For this purpose, we created a fictional scenario and an interactive tool to display e-mails. In addition, we present our preliminary study with the first results to classify test e-mails in different difficulty levels that serve as a basis for our main study.


Examining the Hydra: Simultaneously Shared Links in Tor and the Effects on its Performance

Pahl, Sebastian; Adamsky, Florian; Kaiser, Daniel; Engel, Thomas (2023)

23rd Privacy Enhancing Technologies Symposium (PETS).
DOI: 10.56553/popets-2023-0081


Open Access Peer Reviewed
 

Tor is a popular privacy-enhancing technology that allows anonymous communication using onion routing. However, such technologies are only helpful if used; therefore, performance is an important aspect. One of the main performance bottlenecks of Tor is the cross-circuit interference (CCI) problem. Tor multiplexes multiple circuits over a single Transport Layer Security (TLS) 1.2 connection if they share a path segment (link). Therefore, they have the same congestion window, which can yield unfair bandwidth allocation. However, there has been little work in understanding this problem in more depth.


This paper investigates the number of simultaneously shared links in the current Tor network, which are the root cause of CCI. We developed a novel shared links simulator called SALSA to investigate this problem. Our results show that 3.7 % of active links are shared, and the Onion Routers (ORs) involved have the most common bandwidth capabilities. Additionally, we show that the internal circuits and exit policy influence the CCI problem. Furthermore, we model the number of shared links when the demand grows further and show that the number of shared links can go up to 16 %. Finally, we run Shadow simulations with a 25 % downscaled Tor network and show that a network without shared links is faster.


Work in Progress: Can Johnny Encrypt E-Mails on Smartphones?

Schiller, Katharina; Adamsky, Florian (2022)

11th International Workshop on Socio-Technical Aspects in Security affiliated with the 26th European Symposium on Research in Computer Security (ESORICS 2021), pp. 182-193.
DOI: 10.1007/978-3-031-10183-0_9


Peer Reviewed
 

E-mail is nearly 50 years old and is still one of the most used communication protocols nowadays. However, it has no support for End-to-end encryption (E2EE) by default, which makes it inappropriate for sending sensitive information. This is why two e-mail encryption standards have been developed—namely, Secure/Multipurpose Internet Mail Extensions (S/MIME) and OpenPGP. Previous studies found that bad usability of encryption software can lead to software that is used incorrectly or not at all. Both consequences have a fatal impact on users’ security and privacy. In recent years, the number of e-mails that are read and written on mobile devices has increased drastically. In this paper, we conduct, to the best of our knowledge, the first usability study of e-mail encryption apps on smartphones. We tested two mobile apps, one using OpenPGP on Android and one using S/MIME on iOS. In our usability study, we tested both apps with eleven participants and evaluated the usability with the System Usability Scale (SUS) and the Short Version of the User Experience Questionnaire (UEQ-S). Our study shows that both apps have several usability issues which partly led to unencrypted e-mails and participants sending their passphrase instead of their public key.


Locust: Highly Concurrent DHT Experimentation Framework for Security Evaluations

Adamsky, Florian; Kaiser, Daniel; Steglich, Michael; Engel, Thomas (2021)

10th International Conference on Communication and Network Security, pp. 115-122.
DOI: 10.1145/3442520.3442531


Open Access Peer Reviewed
 

Distributed Hash Table (DHT) protocols, such as Kademlia, provide a decentralized key-value lookup which is nowadays integrated into a wide variety of applications, such as Ethereum, InterPlanetary File System (IPFS), and BitTorrent. However, many security issues in DHT protocols have not been solved yet. DHT networks are typically evaluated using mathematical models or simulations, often abstracting away from artefacts that can be relevant for security and/or performance. Experiments capturing these artefacts are typically run with too few nodes. In this paper, we provide Locust, a novel highly concurrent DHT experimentation framework written in Elixir, which is designed for security evaluations. This framework allows running experiments with a full DHT implementation and around 4,000 nodes on a single machine including an adjustable churn rate, thus yielding a favourable trade-off between the number of analysed nodes and realism. We evaluate our framework in terms of memory consumption, processing power, and network traffic.


Evaluating Cascading-VPN Performance

Kaiser, Daniel; Pahl, Sebastian; Adamsky, Florian; Engel, Thomas (2021)

The Network and Distributed System Security Symposium (NDSS).


Open Access Peer Reviewed
 

Virtual Private Network (VPN) protocols provide means for establishing secure inter-network links. However, they do not provide anonymity. VPN providers can monitor both ends of the connection. On the other hand, Onion Routing offers very good anonymity properties but offers significantly less throughput than typical VPN setups. An interesting compromise is using several VPN servers connected in series (cascading VPN). This paper evaluates the throughput of two VPN protocols, WireGuard and OpenVPN, in a cascading environment.


Tracking without Traces—Fingerprinting in an Era of Individualism and Complexity

Schiffner, Stefan; Engel, Thomas; Adamsky, Florian (2020)

Annual Privacy Forum 2020.
DOI: 10.1007/978-3-030-55196-4_12


Peer Reviewed
 

Fingerprinting is a ready-to-use technology that exploits the diversity and complexity of today’s personal computing devices. Since fingerprinting leaves little to no trace, Do Not Track (DNT) policies are hard to enforce. The upcoming ePrivacy Regulation must consider this technological reality. In this opinion paper, we analyse technical use cases for device fingerprinting as an easy-to-deploy and hard-to-detect tracking technology. The EU has a longstanding tradition in strong data protection norms. To keep these high standards, we call on the legislator to act, and illustrate vital points that must be considered in the legislative process.


Softwarization of SCADA: Lightweight Statistical SDN-Agents for Anomaly Detection

Adamsky, Florian; Soua, Ridha; Rinaldi, Giulia; Baiocchi, Andrea; Engel, Thomas (2019)

10th International Conference on Networks of the Future (NoF), pp. 102-109.
DOI: 10.1109/NoF47743.2019.9014929


Open Access Peer Reviewed
 

Given the importance of early anomaly detection, Intrusion Detection Systems (IDSs) are introduced in Supervisory Control And Data Acquisition (SCADA). Agents or probes form the cornerstone of any IDS by capturing network packets and extracting relevant information. However, IDSs are facing unprecedented challenges due to the escalation in the number, scale and diversity of attacks. Software-Defined Networking (SDN) then comes into play and can provide the required flexibility and scalability. Building on that, we introduce Traffic Agent Controllers (TACs) that monitor SDN-enabled switches via OpenFlow. By using lightweight statistical metrics such as Kullback-Leibler Divergence (KLD), we are able to detect the slightest anomalies, such as stealth port scans, even in the presence of background traffic. The obtained metrics can also be used to locate the anomalies with a precision of over 90% inside a hierarchical network topology.


Experimental Evaluation of Floating Car Data Collection Protocols in Vehicular Networks

Turcanu, Ion; Adamsky, Florian; Engel, Thomas (2019)

IEEE 90th Vehicular Technology Conference (VTC2019-Fall), pp. 1-6.
DOI: 10.1109/VTCFall.2019.8891115


Peer Reviewed
 

The main objective of the Intelligent Transportation Systems (ITS) vision is to improve road safety, traffic management, and mobility by enabling cooperative communication among participants. This vision requires knowledge of the current state of the road traffic, which can be obtained by collecting Floating Car Data (FCD) information using Dedicated Short-Range Communication (DSRC) based on the IEEE 802.11p standard. Most of the existing FCD collection protocols have been evaluated via simulations and mathematical models, while the real-world implications have not been thoroughly investigated. This paper presents an open-source implementation of two state-of-the-art FCD collection algorithms, namely BASELINE and DISCOVER. These algorithms are implemented in an open-source vehicular prototyping platform and validated in a real-world experimental setup.


Multi-Access Edge Computing for Vehicular Networks: a Position Paper

Soua, Ridha; Turcanu, Ion; Adamsky, Florian; Führer, Detlef; Engel, Thomas (2019)

2018 IEEE Globecom Workshops (GC Wkshps), pp. 1-6.
DOI: 10.1109/GLOCOMW.2018.8644392


Peer Reviewed
 

With the emergence of self-driving technology and the ever-increasing demand for bandwidth-hungry applications, providing the required latency, security and computational capabilities is becoming a challenging task. Although evolving, traditional vehicular radio access technologies, namely WLAN/IEEE 802.11p and cellular networks, cannot meet all the requirements of future Cooperative, Connected and Automated Mobility (CCAM). In addition, current vehicular architectures are not sufficiently flexible to support the highly heterogeneous landscape of emerging communication technologies, such as mmWave, Cellular Vehicle-to-Everything (C-V2X), and Visible Light Communication (VLC). To this aim, Multi-access Edge Computing (MEC) has been recently proposed to enhance the quality of passengers’ experience in delay-sensitive applications. In this paper, we discuss the in-premises features of MEC and the need for supporting technologies, such as Software Defined Networking (SDN) and Network Function Virtualization (NFV), to fulfil the requirements in terms of responsiveness, reliability and resiliency. The latter is of paramount importance for automated services, which are supposed to be always-on and always-available. We outline possible solutions for mobility-aware computation offloading, dynamic spectrum sharing, and interference mitigation. Also, by revealing MEC-inherent security vulnerabilities, we argue for the need for adequate security and privacy-preserving schemes in MEC-enabled vehicular architectures.


Forget the Myth of the Air Gap: Machine Learning for Reliable Intrusion Detection in SCADA Systems

Lopez Perez, Rocio; Adamsky, Florian; Soua, Ridha; Engel, Thomas (2019)

Endorsed Transactions on Security and Safety, 6 (19).
DOI: 10.4108/eai.25-1-2019.159348


Open Access
 

Since Critical Infrastructures (CIs) use systems and equipment that are separated by long distances, Supervisory Control And Data Acquisition (SCADA) systems are used to monitor their behaviour and to send commands remotely. For a long time, operators of CIs applied the air gap principle, a security strategy that physically isolates the control network from other communication channels. True isolation, however, is difficult nowadays due to the massive spread of connectivity: using open protocols and more connectivity opens new network attacks against CIs. To cope with this dilemma, sophisticated security measures are needed to address malicious intrusions, which are steadily increasing in number and variety. However, traditional Intrusion Detection Systems (IDSs) cannot detect attacks that are not already present in their databases. To this end, we assess in this paper Machine Learning (ML) techniques for anomaly detection in SCADA systems using a real data set collected from a gas pipeline system and provided by the Mississippi State University (MSU). The contribution of this paper is two-fold: 1) the evaluation of four techniques for missing data estimation and two techniques for data normalization, 2) the performances of Support Vector Machine (SVM), Random Forest (RF), and Bidirectional Long Short Term Memory (BLSTM) are assessed in terms of accuracy, precision, recall and F1 score for intrusion detection. Two cases are differentiated: binary and categorical classifications. Our experiments reveal that RF and BLSTM detect intrusions effectively, with an F1 score of respectively > 99% and > 96%.


Performance Evaluation of an Open-Source AVB/TSN Testbed for Automotive Ethernet

Xu, Teng Andrea; Adamsky, Florian; Turcanu, Ion; Soua, Ridha; Köbel, Christian...

2018 IEEE Vehicular Networking Conference (VNC), pp. 1-2.
DOI: 10.1109/VNC.2018.8628414


Peer Reviewed
 

Automotive Ethernet (AE) is becoming more and more relevant to the automotive industry due to its support of emerging in-car applications, which have high bandwidth demands and stringent requirements in terms of latency and time synchronization. One of the standards under consideration for AE is IEEE 802.1 Audio Video Bridging (AVB)/Time Sensitive Networking (TSN) that provides deterministic data link layer and bounded latency to real-time traffic classes. So far, this protocol stack has only been evaluated using either simulations or proprietary and expensive platforms. In this paper, we design a real testbed system for AE using general-purpose single-board computers and conduct experiments to assess the real-time performance of an open-source AVB/TSN implementation. Our preliminary results show that even under heavy load, AVB/TSN can fulfil the latency requirements of AE while keeping a constant latency variation.


Machine Learning for Reliable Network Attack Detection in SCADA Systems

Perez, Rocio Lopez; Adamsky, Florian; Soua, Ridha; Engel, Thomas (2018)

17th IEEE International Conference On Trust, Security And Privacy In Computing And Communications, 2018 (IEEE TrustCom).
DOI: 10.1109/TrustCom/BigDataSE.2018.00094


Peer Reviewed
 

Critical Infrastructures (CIs) use Supervisory Control And Data Acquisition (SCADA) systems for remote control and monitoring. Sophisticated security measures are needed to address malicious intrusions, which are steadily increasing in number and variety due to the massive spread of connectivity and standardisation of open SCADA protocols. Traditional Intrusion Detection Systems (IDSs) cannot detect attacks that are not already present in their databases. Therefore, in this paper, we assess Machine Learning (ML) for intrusion detection in SCADA systems using a real data set collected from a gas pipeline system and provided by the Mississippi State University (MSU). The contribution of this paper is two-fold: 1) the evaluation of four techniques for missing data estimation and two techniques for data normalization, 2) the performances of Support Vector Machine (SVM) and Random Forest (RF) are assessed in terms of accuracy, precision, recall and F1 score for intrusion detection. Two cases are differentiated: binary and categorical classifications. Our experiments reveal that RF detects intrusions effectively, with an F1 score of > 99%.


WLAN Device Fingerprinting using Channel State Information (CSI)

Adamsky, Florian; Retunskaia, Tatiana; Schiffner, Stefan; Köbel, Christian...

WiSec '18: Proceedings of the 11th ACM Conference on Security & Privacy in Wireless and Mobile, pp. 277-278.
DOI: 10.1145/3212480.3226099


Peer Reviewed
 

As of IEEE 802.11n, a wireless Network Interface Card (NIC) uses Channel State Information (CSI) to optimize the transmission over multiple antennas. CSI contains radio metrics such as amplitude and phase. Due to scattering during hardware production, these metrics exhibit unique properties. Since this information is transmitted unencrypted, it can be captured by a passive observer. We show that this information can be used to create a unique fingerprint of a wireless device, based on as little as 100 CSI packets per device collected with an off-the-shelf Wi-Fi card. For our proof of concept we captured data from seven smartphones including two identical models. We were able to identify more than 90% when using an out-of-the-box Random Forest (RF).


Integrated Protection of Industrial Control Systems from Cyber-attacks: the ATENA Approach

Adamsky, Florian; Soua, Ridha (2018)

International Journal of Critical Infrastructure Protection (21), pp. 72-82.
DOI: 10.1016/j.ijcip.2018.04.004


Peer Reviewed
 

Industrial and Automation Control systems traditionally achieved security thanks to the use of proprietary protocols and isolation from the telecommunication networks. Nowadays, the advent of the Industrial Internet of Things poses new security challenges. In this paper, we first highlight the main security challenges that advocate for new risk assessment and security strategies. To this end, we propose a security framework and advanced tools to properly manage vulnerabilities and to react to threats in a timely manner. The proposed architecture fills the gap between computer science and control theoretic approaches. The physical layers connected to Industrial Control Systems are prone to disruption when facing cyber-attacks. Considering the modules of the proposed architecture, we focus on the development of a practical framework to compare information about physical faults and cyber-attacks. This strategy is implemented in the ATENA architecture that has been designed as an innovative solution for the protection of critical assets.


Prof. Dr. Florian Adamsky


Hochschule für Angewandte Wissenschaften Hof

Research Group System and Network Security (sns)
Alfons-Goppel-Platz 1
95028 Hof

T +49 9281 409-4860
florian.adamsky[at]hof-university.de