One thing after another: The role of users, manufacturers, and intermediaries in IoT security
In recent years the number of Internet-connected devices (also known as the Internet of Things (IoT)) has increased dramatically. IoT manufacturers have launched a variety of IoT products onto the market to make a profit, while users buy them for the convenience of the technology. Despite IoT technology’s benefits to society, IoT devices infected with malicious software (malware) are a serious security concern. For instance, in 2016, we witnessed one of the largest Distributed Denial of Service (DDoS) attacks facilitated by IoT devices. This attack disrupted major well-known websites, including Twitter, Spotify, GitHub, and others. Infected IoT devices cause negative externalities. A negative externality is the cost that third parties, who are neither the seller nor the buyer of IoT devices, must incur to protect themselves against DDoS attacks. In the traditional personal computer world, compromised machines can be remedied with self-service solutions like antivirus. However, for the wide variety of IoT devices there is a lack of such tools to help users remove malicious software once it has taken hold. This, in turn, creates usability issues for users in the IoT space. To remediate infected IoT devices, users may need to take different actions. These actions depend on the device type, its manufacturer, the patches or software updates available, and the available settings of the device. Some Internet Service Providers (ISPs) (referred to interchangeably as intermediaries in this dissertation) have undertaken the task of notifying users about infected IoT devices in their home network. These types of notifications can aid the threat detection mechanisms of infected IoT devices for users. Considering that IoT technology has certain limitations, that users will have to deal with infected IoT devices, and that the aforementioned actors are involved, we set out to answer the following research question: How can users mitigate infected IoT devices? And what role can manufacturers and intermediaries play in supporting them? In short, users require information and actionable advice to take appropriate actions. Manufacturers need to improve security practices, such as removing default credentials from the setup process of IoT devices. ISPs can facilitate threat detection through notifications and DNS-based prevention. The results of this dissertation suggest that governments should incentivize intermediaries and manufacturers to address these issues, and that collaboration among stakeholders is essential, since users alone cannot mitigate infected IoT devices even though they are motivated.
Where do all the idIoTs come from?: Identification of Insecurely Developed IoT devices and a corresponding analysis of Dutch digital markets that sell them
Management of Technology (MoT)
Dear customer, critters are crawling through your precious files: Understanding real-world evidence of QSnatch clean-up results and user experiences after warnings from the ISP
As the IoT is widely deployed in people’s homes, adversaries are busy exploiting the vulnerabilities of these devices. One such kind of device is the NAS device made by the company QNAP. Unfortunately, these devices are prone to the QSnatch malware. Unlike previous malware such as Mirai, this malware has a nasty habit: it settles deeper into the machine. In this way, the malware gains reboot persistence. Therefore, we consider it persistent IoT malware, as opposed to non-persistent IoT malware. This affects the clean-up of the virus, as changing the passwords and rebooting the device is not enough to remove it. As a result, other steps are needed to get rid of the virus. If we take a look at the NAS device market, we see that the manufacturers of these devices have little incentive to invest a lot in the security of the devices. It is then challenging for customers to estimate which devices are secure, and they are mainly tempted by discounts and devices that can be configured quickly. The ISP is then the link in the process that, with the help of the non-profit organisation Shadowserver, can determine which of its customers may be infected with certain malware. Shadowserver uses servers to receive the malicious traffic and forwards the corresponding IP addresses to the ISP. The ISP then knows which customer is dealing with a possible infection and can inform them. This also happens for the QSnatch malware. The ISP sends the infected customer a notification informing them about the infection and providing steps to clean their device. These steps are a simplified and Dutch-translated version of the steps provided by QNAP. From that moment on, it is up to the infected customer to take action. Previous research has made a tremendous effort in understanding the efforts of infected customers in remediating the issue and showed that various resources could be used by the ISP to improve the results of this process.
Management of Technology (MoT)
Centralised DNS-based Malware Mitigation: Examining the adoption and efficacy of centralised DNS-based malware mitigation services
Malware presents a growing problem in a world that is increasingly connected to, and reliant on, the internet. The growing, devastating potential of cyber attacks such as DDoS attacks on society and the economy is largely the result of a new class of devices, the Internet of Things (IoT), whose characteristic vulnerabilities make them easy targets to be compromised and controlled by malicious actors. This study employs a mixed-method research design to examine end-users' perceptions of the security of internet-connected devices, their motivations for (non-)adoption of centralized DNS-based malware mitigation measures, and the efficacy of such services in mitigating malicious activity in a real-life environment. The results indicate that centralized DNS-based malware mitigation services have significant potential in reducing end-user vulnerability to malware threats, but their adoption is hindered by a lack of ability to assess threats and the value and efficacy of security measures.
Complex Systems Engineering and Management (CoSEM)
A Visit to the Crime Scene: Monitoring end-users during the remediation process of Mirai infected Internet of Things devices
The increasingly important availability of online services is constantly threatened by malicious software such as botnets. Attackers have gained power through devices that are part of the rising Internet of Things (IoT), mostly through infections caused by Mirai. The botnets created by Mirai are used for the purpose of DDoS attacks, which can take away the availability of an online service. Although Mirai can be detected relatively easily due to its superficial signature, the remediation process of Mirai-infected IoT devices runs far from smoothly. As end-users often do not notice the presence of Mirai and manufacturers lack incentives to invest in better security or support, ISPs like KPN are amongst the few viable actors that could defend against botnets like Mirai. As ISPs are able to link infection feeds to their customers, they are able to send out notifications accompanied by protocols that can resolve Mirai infections when executed properly. Although research exists on the remediation rates, it is not clear what processes take place at end-users' homes during the remediation process and what critical points of error exist throughout the phases of the anti-botnet cycle. As the remediation rate of Mirai infections is currently only 60 – 76 percent, it can be worth looking into the remediation processes to see where they could be improved. The main research question is the following: “What do we learn about how and to what extent Internet Service Providers can improve the remediation process of malware infected Internet of Things devices by monitoring end-users while they are cleaning their Mirai infections?”. To answer this question, we have closely followed 17 Mirai-infected end-users over a period of 7 weeks, at the KPN Abuse Desk, after a 1 week pilot phase to test our email notification and think-aloud protocol. We have prepared and analyzed all steps from identification of a Mirai infection until successful remediation took place. The lion’s share of this experiment is about a virtual visit: a phone call with an option to upgrade to a video conference, in which infected end-users get advanced support in performing the 5 cleaning steps stated in the protocol they received. As the end-users thought aloud during the calls, we were able to follow them closely and pinpoint arising issues. Using a thematic content analysis, we synthesized the personal stories that end-users shared. During the 7 week experiment, we saw 37 unique IP addresses infected with Mirai, of which 12 were excluded due to the ISP policy of not providing support during the weekends. Of the 25 remaining IP addresses, 3 could not be notified due to technical issues within KPN, 2 did not pick up the phone after being notified and 3 were not willing to take part in the experiment due to trust issues. 16 out of 17 participants that were responsible for the internet security were male, but their varying household sizes show that this does not relate to men becoming infected more often. The age of the end-users was normally distributed between 21 and 80 and we found a household size of 1 to 6, excluding 3 small business locations that became victims of Mirai. End-users can often only identify 1 or 2 IoT devices in their network (13 out of 17) and are almost always able to pinpoint the infected device (16 out of 17). Many issues arose during the virtual visits, such as a lack of trust, unwillingness to spend effort, a lack of support by the manufacturer, or the idea that regular protection measures should have protected against Mirai. Only 6 out of 17 end-users were able to perform all steps successfully. In most cases end-users failed to change the password of their device or performed a regular reset on their router instead of a factory reset. This caused 3 failed remediation efforts and 5 reinfections during the experiment phase. The remediation process has barriers in each phase that could be addressed. The biggest improvement can be made in the awareness of end-users, which would lead to higher prevention of infections. Prevention would keep the many potential issues in the remediation process from arising altogether.
Engineering and Policy Analysis
Going Beyond Counting First Authors in Author Co-citation Analysis
The present study examines one of the fundamental aspects of author co-citation analysis (ACA) - the way co-citation counts are defined. Co-citation counting provides the data on which all subsequent statistical analyses and mappings are based, and we compare ACA results based on two different types of co-citation counting - the traditional type that only counts the first one among a cited work's authors on the one hand and a non-traditional type that takes into account the first 5 authors of a cited work on the other hand. Results indicate that the picture produced through this non-traditional author co-citation counting contains more coherent author groups and is therefore considerably clearer. However, this picture represents fewer specialties in the research field being studied than that produced through the traditional first-author co-citation counting when the same number of top-ranked authors is selected and analyzed. Reasons for these effects are discussed.
Variations on the Author
“Variations on the Author” discusses two of Eduardo Coutinho’s recent films (Um Dia na Vida, from 2010, and Últimas Conversas, posthumously released in 2015) and their contribution to the general question of documentary authorship. The director’s filmography is characterized by a consistent yet self-effacing form of authorial self-inscription: Coutinho often features as an interviewer who, rather than expressing opinions, propels discourses; an interviewer who is good at listening. This mode of self-inscription characterizes him as an author who is not expressive but who is nonetheless markedly present on the screen. In Um Dia na Vida, however, Coutinho is completely absent from the image, while Últimas Conversas, on the contrary, includes a confessional prologue that moves the director from the margins to the center of his films. This article examines the ways in which these works stand out in the filmography of a director who offers new insights into the notion of cinematic authorship.
Appropriate Similarity Measures for Author Cocitation Analysis
We provide a number of new insights into the methodological discussion about author cocitation analysis. We first argue that the use of the Pearson correlation for measuring the similarity between authors’ cocitation profiles is not very satisfactory. We then discuss what kind of similarity measures may be used as an alternative to the Pearson correlation. We consider three similarity measures in particular. One is the well-known cosine. The other two similarity measures have not been used before in the bibliometric literature. Finally, we show by means of an example that our findings have a high practical relevance.
information science; Pearson correlation; cosine; similarity measure; author cocitation analysis
Can ISPs help mitigate IoT malware? A longitudinal study of broadband ISP security efforts
For the mitigation of compromised Internet of Things (IoT) devices we rely on Internet Service Providers (ISPs) and their users. Given that devices are in the hands of their subscribers, what can ISPs realistically do? This study examines the effects of ISP countermeasures on infections caused by variants of the notorious Mirai family of IoT malware, still among the dominant families. We collect and analyze more than 4 years of longitudinal darknet data tracking Mirai-like infections in conjunction with threat intelligence data on various other IoT and non-IoT botnets across the globe from January 2016 to May 2020. We measure the effect of two ISP countermeasures on Mirai variant infection numbers: (i) reducing the attack surface (i.e., closing ports that are used by the malware for propagation) and (ii) ISPs increasing their general network hygiene and malware removal efforts (as observed by proxy of the remediation of infections of other families of IoT and non-IoT malware and reductions in the number of DDoS amplifiers in their networks). We map our infection data to 342 broadband providers that have the bulk of the broadband market share in their respective 83 countries. We find that the number of infections correlates strongly with the number of ISP subscribers ($R^2=0.55$). Yet, infection numbers can still vary by three orders of magnitude even for ISPs with comparable subscriber numbers. We observe that many ISPs, together with their subscribers, have reduced their attack surface for IoT compromise by blocking traffic to commonly-exploited infection vectors such as Telnet and FTP. We statistically estimate the impact of these reductions on infection levels and, counter-intuitively, find no significant impact. In contrast, we do find a significant impact for improving general network hygiene and best malware mitigation practices. ISPs that were more successful in reducing DDoS amplifiers and non-Mirai malware infections in their networks also end up with significantly lower Mirai infection rates. In other words, rather than investing in IoT-specific countermeasures like reducing the attack surface, our findings suggest that ISPs might be better off investing in general security efforts to improve network hygiene and clean up abuse.
Accepted author manuscript
Organisation & Governance
