Physical Sciences and Mathematics Commons^™

Vulnerability Analysis: Protecting Information In The Iot, Brian Cusack, Feiqiu Zhuang

Australian Information Security Management Conference

The research was designed to study IoT security vulnerabilities and how to better protect IoT communications. By researching the system a Fitbit uses for communications, this research analyzes and reveals security defects in the IoT architecture. The research first uses a man-in the middle (MITM) attack to intercept and analyze the Fitbit system traffic to identify security weakness. Then uses a replay attack to further validate these flaws. Finally, countermeasures against these security threats are proposed. The research findings show the Fitbit’s IoT communication architecture has serious information security risks. Firstly, the Fitbit tested does not encrypt the raw data …

Bringing Defensive Artificial Intelligence Capabilities To Mobile Devices, Kevin Chong, Ahmed Ibrahim

Australian Information Security Management Conference

Traditional firewalls are losing their effectiveness against new and evolving threats today. Artificial intelligence (AI) driven firewalls are gaining popularity due to their ability to defend against threats that are not fully known. However, a firewall can only protect devices in the same network it is deployed in, leaving mobile devices unprotected once they leave the network. To comprehensively protect a mobile device, capabilities of an AI-driven firewall can enhance the defensive capabilities of the device. This paper proposes porting AI technologies to mobile devices for defence against today’s ever-evolving threats. A defensive AI technique providing firewall-like capability is being …

Mitigating Man-In-The-Middle Attacks On Mobile Devices By Blocking Insecure Http Traffic Without Using Vpn, Kevin Chong, Muhammad Imran Malik, Peter Hannay

Australian Information Security Management Conference

Mobile devices are constantly connected to the Internet, making countless connections with remote services. Unfortunately, many of these connections are in cleartext, visible to third-parties while in transit. This is insecure and opens up the possibility for man-in-the-middle attacks. While there is little control over what kind of connection running apps can make, this paper presents a solution in blocking insecure HTTP packets from leaving the device. Specifically, the proposed solution works on the device, without the need to tunnel packets to a remote VPN server, and without special privileges such as root access. Speed tests were performed to quantify …

Evaluating Ip Surveillance Camera Vulnerabilities, Brian Cusack, Zhuang Tian

Australian Information Security Management Conference

Hacking of IP surveillance camera systems came to public attention in 2016 when the high bandwidth and resources were exploited for a massive DDoS attack that affected one third of all US Internet services. A review of previous studies show that a vast number of IP cameras have been hacked because the default usernames and passwords have not been changed from the factory defaults. In this research we asked, What are the vulnerabilities of an IP surveillance camera? The purpose of the study was to provide identification of vulnerabilities and guidance for the protection of surveillance camera systems. The research …

Neurosecurity For Brainware Devices, Brian Cusack, Kaushik Sundararajan, Reza Khaleghparast

Australian Information Security Management Conference

Brainware has a long history of development down into the present day where very simple and usable devices are available to train for the control of games and services. One of the big areas of application has been in the health sciences to provide compensatory control to humans who may lack the usual capabilities. Our concern has been the protection of information in brainware so that a human intention may have confidentiality, integrity, and accessibility to the required implementation mechanisms for services. The research question was: What are the consequences of security failure in brainware? Our research tested a brainware …

The Proceedings Of 15th Australian Information Security Management Conference, 5-6 December, 2017, Edith Cowan University, Perth, Australia, Craig Valli (Ed.)

Australian Information Security Management Conference

Conference Foreword

The annual Security Congress, run by the Security Research Institute at Edith Cowan University, includes the Australian Information Security and Management Conference. Now in its fifteenth year, the conference remains popular for its diverse content and mixture of technical research and discussion papers. The area of information security and management continues to be varied, as is reflected by the wide variety of subject matter covered by the papers this year. The papers cover topics from vulnerabilities in “Internet of Things” protocols through to improvements in biometric identification algorithms and surveillance camera weaknesses. The conference has drawn interest and …

A Survey Of Social Media Users Privacy Settings & Information Disclosure, Mashael Aljohani, Alastair Nisbet, Kelly Blincoe

Australian Information Security Management Conference

This research utilises a comprehensive survey to ascertain the level of social networking site personal information disclosure by members at the time of joining the membership and their subsequent postings to the sites. Areas examined are the type of information they reveal, their level of knowledge and awareness regarding how their information is protected by SNSs and the awareness of risks that over-sharing may pose. Additionally, this research studies the effect of gender, age, education, and level of privacy concern on the amount and kind of personal information disclosure and privacy settings applied. A social experiment was then run for …

A Privacy Gap Around The Internet Of Things For Open-Source Projects, Brian Cusack, Reza Khaleghparast

Australian Information Security Management Conference

The Internet of Things (IoT) is having a more important role in the everyday lives of people. The distribution of connectivity across social and personal interaction discloses personalised information and gives access to a sphere of sensitivities that were previously masked. Privacy measures and security to protect personal sensitivities are weak and in their infancy. In this paper we review the issue of privacy in the context of IoT open-source projects, and the IoT security concerns. A proposal is made to create a privacy bubble around the interoperability of devices and systems and a filter layer to mitigate the exploitation …

An Analysis Of Chosen Alarm Code Pin Numbers & Their Weakness Against A Modified Brute Force Attack, Alastair Nisbet, Maria Kim

Australian Information Security Management Conference

Home and commercial alarms are an integral physical security measure that have become so commonplace that little thought is given to the security that they may or may not provide. Whilst the focus has shifted from physical security in the past to cyber security in the present, physical security for protecting assets may be just as important for many business organisations. This research looks at 700 genuine alarm PIN codes chosen by users to arm and disarm alarm systems in a commercial environment. A comparison is made with a study of millions of PIN numbers unrelated to alarms to compare …

Using Graphic Methods To Challenge Cryptographic Performance, Brian Cusack, Erin Chapman

Australian Information Security Management Conference

Block and stream ciphers have formed the traditional basis for the standardisation of commercial ciphers in the DES, AES, RC4, and so on. More recently alternative graphic methods such as Elliptic Curve Cryptography (ECC) have been adopted for performance gains. In this research we reviewed a range of graphic and non-graphic methods and then designed our own cipher system based on several graphic methods, including Visual Cryptography (VC). We then tested our cipher against RC4 and the AES algorithms for performance and security. The results showed that a graphics based construct may deliver comparable or improved security and performance in …

Evaluating Single Sign On Security Failure In Cloud Services, Brian Cusack, Eghbal Zadeh

Australian Information Security Management Conference

The business use of cloud computing services is motivated by the ease of use and the potential financial cost reductions. Service failure may occur when the service provider does not protect information or when the use of the services becomes overly complex and difficult. The benefits also bring optimisation challenges for the information owners who must assess the service security risk and the degree to which new human behaviours are required. In this research we look at the risk of identity theft when ease of service access is provided through a Single Sign On (SSO) authorisation and ask: What are …

The Challeges In Implementing Security In Spontaneous Ad Hoc Networks, Alastair Nisbet

Australian Information Security Management Conference

Mobile Ad Hoc Networks (MANETS) promise much in the ability to rapidly deploy a wireless network in a fashion where no prior planning is needed and the network can be running efficiently and with high security within minutes. Natural disaster response, military, education and business provide areas where MANETS can offer significant advantages in communication where infrastructure networks may take days to set up or may be impossible to implement. This research reviews a selection of MANET protocols to show the progression of the research and the issues that are yet to be addressed. It discusses the challenges to researchers …

Evaluating Policy Layer Security Controls For Value Realisation In Secure Systems, Brian Cusack, Maher Al-Khazrajy

Australian Information Security Management Conference

A strategic question for any business is: What value do control frameworks give? The question concerns the costs associated with implementing and maintaining control frameworks compared with the benefits gained. Each control framework contains many controls that may or may not benefit a situation and this research is aimed at testing different selections and combinations of controls to forecast probable impacts on business outcomes. The scope of the research is limited to a representative set of security controls and the lesser question: What are the criteria for selecting the most effective and efficient security control configurations for best business value? …

Ransomware: Emergence Of The Cyber-Extortion Menace, Nikolai Hampton, Zubair A. Baig

Australian Information Security Management Conference

Ransomware is increasingly posing a threat to the security of information resources. Millions of dollars of monetary loss have been afflicted on end-users and corporations alike through unlawful deployment of ransomware. Through malware injection into end-user devices and subsequent extortion of their system or data, ransomware has emerged as a threat requiring immediate attention and containment by the cyber-security community. We conduct a detailed analysis of the steps of execution involved in ransomware deployment to facilitate readiness of the cyber-security community in containing the rapid proliferation of ransomware. This paper examines the evolution of malware over a period of 26 …

Innovating Additional Layer 2 Security Requirements For A Protected Stack, Brian Cusack, Raymond Lutui

Australian Information Security Management Conference

Security is only as good as the weakest link and if the weakness is at a low level in the communication stack then every other Layer has potential to inherit the problem. The OSI Layer model has defined the theoretical architecture for network communications (ISO/IEC 7498-1). Standardisation assures that each element of an internetwork uses the same model and hence a message can be moved intelligibly and correctly between participants. The OSI model divides communications into seven hierarchical Layers that provide the necessary services from the application Layer through to the physical Layer of electricity (ISO/IEC 7498-2). Each Layer is …

Timing Attack Detection On Bacnet Via A Machine Learning Approach, Michael N. Johnstone, Matthew Peacock, J I. Den Hartog

Australian Information Security Management Conference

Building Automation Systems (BAS), alternatively known as Building Management Systems (BMS), which centralise the management of building services, are often connected to corporate networks and are routinely accessed remotely for operational management and emergency purposes. The protocols used in BAS, in particular BACnet, were not designed with security as a primary requirement, thus the majority of systems operate with sub-standard or non-existent security implementations. As intrusion is thus likely easy to achieve, intrusion detection systems should be put in place to ensure they can be detected and mitigated. Existing intrusion detection systems typically deal only with known threats (signature-based approaches) …

Authentication And Authorisation In Entrusted Unions, Ayed F. Dhouha, Jan Camenisch, Tanya Ignatenko, Michael N. Johnstone, Paul Koster, Brigitta Lange, Milan Petkovic, Dieter Sommer, John Zic

Australian Information Security Management Conference

This paper reports on the status of a project whose aim is to implement and demonstrate in a real-life environment an integrated eAuthentication and eAuthorisation framework to enable trusted collaborations and delivery of services across different organisational/governmental jurisdictions. This aim will be achieved by designing a framework with assurance of claims, trust indicators, policy enforcement mechanisms and processing under encryption to address the security and confidentiality requirements of large distributed infrastructures. The framework supports collaborative secure distributed storage, secure data processing and management in both the cloud and offline scenarios and is intended to be deployed and tested in two …

Evaluating The Security Vulenerabilities Of The Ip6to4 Tunnelling Mechanism, Brian Cusack, Raymond Lutui

Australian Information Security Management Conference

The two versions of Internet Protocol (IP) rely on mechanisms that will convert one protocol to the other and vice versa. Version 4 is still prevalent in the Internet backbone and version 6 in most private networks. In this research we focus on the automatic tunnelling mechanism that provides the encapsulation at one end of the transition tunnel and the de-encapsulation at the other end dependant on the direction of transition. In our research we asked: How secure is the automatic tunnelling mechanism? It is a simple question but important given the number of times transition may occur in any …

Securing Identity Information With Image Watermarks, Brian Cusack, Reza Khaleghparas

Australian Information Security Management Conference

In this paper, we describe the requirements for embedding watermarks in images used for identity verification and demonstrate a proof of concept in security sciences. The watermarking application is designed for verifying the rightful ownership of a driving license or similar identity object. The tool we built and tested embeds and extracts watermarks that contain verification information of the rightful owner. We used the human finger print of the rightful owner as the watermark. Such information protection mechanisms add an extra layer of security to the information system and improve verification of identification attributes by providing strong security. The issues …

The Impact Of Social Constructivism On Erp Systems Security: A Critical Social Review, Kennedy Njenga

Australian Information Security Management Conference

Little is understood about the effects of social constructivism that shapes conflicting concerns regarding Enterprise Resource Planning (ERP) security and usability during implementation. This work looks at social constructivism as produced and reproduced by stakeholders in the ERP systems implementation phase. Social constructivism is characterised by the embedded trade-off for usability, espoused by end-user and security, espoused by developers. Social constructivism was conceptualised qualitatively from a selected case study. Critical Social Theory (CST) was used as the theoretical lens. Stakeholders concerned with ERP security aspects in the implementation phase were interviewed and data transcribed and interpreted. Hermeneutical interpretation was applied …

A 2013 Study Of Wireless Network Security In New Zealand: Are We There Yet?, Alastair Nisbet

Australian Information Security Management Conference

This research examines the current level of security in wireless networks in New Zealand. A comprehensive wardrive covering the length of the country was made in January 2013 to ensure accurate comparisons from two previous wardrives as well as comparisons between the four main cities and the suburbs can be made. With 16 years since the introduction of the original IEEE 802.11 wireless standard having passed, an examination is made of the current state of wireless security of networks throughout New Zealand and the Auckland suburbs, and where possible compares these results with similar studies undertaken in 2004 and 2011. …

Privacy And Legal Issues In Cloud Computing - The Smme Position In South Africa, Mathias Mujinga

Australian Information Security Management Conference

Cloud computing (CC) brings substantial benefits to organizations and their clients. Information technology (IT) users in developing countries, especially those in underdeveloped communities, are gaining easy and cost‐effective access to a variety of services, from entertainment to banking. South Africa has outlined a national e‐strategy that aims to improve those communities, by providing frameworks for access to information and communications technology (ICT). The products and services of small‐, medium and micro‐sized enterprises (SMME) are now reaching a wider audience through the use of technology. CC can go a long way to help government realize the national e‐strategy. There are numerous …

Automated Detection Of Vehicles With Machine Learning, Michael N. Johnstone, Andrew Woodward

Australian Information Security Management Conference

Considering the significant volume of data generated by sensor systems and network hardware which is required to be analysed and intepreted by security analysts, the potential for human error is significant. This error can lead to consequent harm for some systems in the event of an adverse event not being detected. In this paper we compare two machine learning algorithms that can assist in supporting the security function effectively and present results that can be used to select the best algorithm for a specific domain. It is suggested that a naive Bayesian classiifer (NBC) and an artificial neural network (ANN) …

An Empirical Study Of Challenges In Managing The Security In Cloud Computing, Bupesh Mansukhani, Tanveer A. Zia

Australian Information Security Management Conference

Cloud computing is being heralded as an important trend in information technology throughout the world. Benefits for business and IT include reducing costs and increasing productivity. The downside is that many organizations are moving swiftly to the cloud without making sure that the information they put in the cloud is secure. The purpose of this paper is to learn from IT and IT security practitioners in the Indian Continent the current state of cloud computing security in their organizations and the most significant changes anticipated by respondents as computing resources migrate from on-premise to the cloud. As organizations grapple with …

Using Checklists To Make Better Best, Craig S. Wright, Tanveer A. Zia

Australian Information Security Management Conference

The more routine a task is we see the greater the need for a checklist. Even the smartest of us can forget where we parked our cars on returning from a long flight. So, the question is, why not create a straightforward checklist that will improve system management and security? In Information Technology operations, the vast majority of skilled people have re-built servers, but in an incident response situation, it can be unforgivable to overlook a serious security configuration simply because in the stress of the environment causes one to lose track of which stage they were on while being …

A Preliminary Investigation Of Distributed And Cooperative User Authentication, C G. Hocking, S M. Furnell, N L. Clarke, P L. Reynolds

Australian Information Security Management Conference

Smartphones and other highly mobile yet sophisticated technologies are rapidly spreading through society and increasingly finding their way into pockets and handbags. As reliance upon these intensifies and familiarity grows, human nature dictates that more and more personal details and information is now to be found upon such devices. The need to secure and protect this valuable and desirable information is becoming ever more prevalent. Building upon previous work which proposed a novel approach to user authentication, an Authentication Aura, this paper investigates the latent security potential contained in surrounding devices in everyday life. An experiment has been undertaken to …

Modelling Misuse Cases As A Means Of Capturing Security Requirements, Michael N. Johnstone

Australian Information Security Management Conference

Use cases as part of requirements engineering are often seen as an essential part of systems development in many methodologies. Given that modern, security-oriented software development methods such as SDL , SQUARE and CLASP place security at the forefront of product initiation, design and implementation, the focus of requirements elicitation must now move to capturing security requirements so as not to replicate past errors. Misuse cases can be an effective tool to model security requirements. This paper uses a case study to investigate the generation of successful misuse cases by employing the STRIDE framework as used in the SDL.

Cloud Computing Concerns In Developing Economies, Mathias Mujinga, Baldreck Chipangura

Australian Information Security Management Conference

Cloud computing promises to bring substantial benefits to how organizations conduct their businesses and the way their services reach out to potential consumers. Cloud computing is a welcome initiative for small businesses that cannot afford to invest in ICT infrastructure but need to benefit from the rewards of conducting business online. In developing economies, there are challenges that face cloud services providers and their consumers. Broadband network access was identified as the main essential service for a successful cloud computing offering. The objective of this paper is to give background information on the security issues in cloud computing, and highlight …

Information Security Disclosure: A Victorian Case Study, Ian Rosewall, Matthew Warren

Australian Information Security Management Conference

This paper will focus upon the impact of Generation Y and their attitudes to security. The paper will be based around discussing the findings of a recent report by the Office of Police Integrity (OPI) on “Information Security and the Victoria Police State Surveillance Unit”. Issues that will be discussed include the context of Generation Y and how they contribute to the case study, their attitudes, or their perceived attitudes to security of information. A discussion of the OPI report itself, and the issues that have arisen. A brief overview of the key findings within this report and the implications …

Threat Modelling With Stride And Uml, Michael N. Johnstone

Australian Information Security Management Conference

Threat modelling as part of risk analysis is seen as an essential part of secure systems development. Microsoft’s Security Development Lifecycle (SDL) is a well-known software development method that places security at the forefront of product initiation, design and implementation. As part of SDL, threat modelling produces data flow diagrams (DFDs) as key artefacts and uses those diagrams as mappings with STRIDE to identify threats. This paper uses a standard case study to illustrate the effects of using an alternative process model (UML activity diagrams) with STRIDE and suggests that using a more modern process diagram can generate a more …