# PapersCut

A shortcut to recent security papers

### Arxiv

#### Pulse strategy for suppressing spreading on networks

Authors: Qiang Liu, Xiaoyu Zhou, Piet Van Mieghem

Abstract: In networked spreading models, each node can infect its neighbors and cure spontaneously. The curing is assumed to occur uniformly over time. A pulse immunization/curing strategy is more efficient and broadly applied to suppressing spreading processes. We model the epidemic process by the basic Susceptible-Infected (SI) process with a pulse curing and incorporate the underlying contact network. The mean-field epidemic threshold of the pulse SI model is shown to be $\frac{1}{\lambda_1}\ln\frac{1}{1-p}$, where $\lambda_1$ and $p$ are the largest eigenvalue of the adjacency matrix and the fraction of nodes covered by each curing, respectively. Compared to the extensively studied uniform curing process, we show that the pulse curing strategy saves about $36.8\%$, i.e. $p\approx 0.632$, of the number of curing operations invariant to the network structure. Our results may help related policy makers to estimate the cost of controlling spreading processes.

Comment: 8 pages, 1 figure

Date: 24 Apr 2019

#### Impersonating LoRaWAN gateways using Semtech Packet Forwarder

Authors: Lukas Simon Laufenberg

Abstract: Low Power Wide Area Network (LPWAN) technologies like the Long Range Wide Area Network (LoRaWAN) standard provide the foundation of applications realizing communication and intelligent interaction between almost any kind of object. These applications are commonly called Smart Cities and the Internet of Things (IoT). Offering the potential of great benefits for mankind, these applications can also present a significant risk, especially when their security is compromised. This paper's work analyzes the possibility of two particular scenarios of impersonating a LoRaWAN gateway combining existing attacks. Impersonated gateways are of use when exploiting vulnerabilities already shown by other researchers. We give a basic overview about LoRaWAN, the Semtech Packet Forwarder protocol, attacks needed to perform the impersonation, and assumptions made. We explain our attack and propose countermeasures to increase the security of LoRaWAN networks. We show a gateway impersonation is possible in particular circumstances but can be detected and prevented.

Comment: 9 pages, 6 figures, presented at the first Conference of Aspiring Students in Tech Rhein-Main (March 2019)

Date: 24 Apr 2019

#### Modeling and Simulation of Practical Quantum Secure Communication Network

Authors: Yaxing Wang, Qiong Li, Qi Han, Yumeng Wang

Abstract: As the Quantum Key Distribution (QKD) technology supporting the point-to-point application matures, the need to build the Quantum Secure Communication Network (QSCN) to guarantee the security of a large scale of nodes becomes urgent. Considering the project time and expense control, it is the first choice to build the QSCN based on an existing classical network. Suitable modeling and simulation are very important to construct a QSCN successfully and efficiently. In this paper, a practical QSCN model, which can reflect the network state well, is proposed. The model considers the volatile traffic demand of the classical network and the real key generation capability of the QKD devices, which can enhance the accuracy of simulation to a great extent. In addition, two unique QSCN performance indicators, ITS (information-theoretic secure) communication capability and ITS communication efficiency, are proposed in the model, which are necessary supplements for the evaluation of a QSCN except for those traditional performance indicators of classical networks. Finally, the accuracy of the proposed QSCN model and the necessity of the proposed performance indicators are verified by plentiful simulation results.

Comment: 18 pages, 7 figures

Date: 24 Apr 2019

#### A Decade of Mal-Activity Reporting: A Retrospective Analysis of Internet Malicious Activity Blacklists

Authors: Benjamin Zi Hao Zhao, Muhammad Ikram, Hassan Jameel Asghar, Mohamed Ali Kaafar, Abdelberi Chaabane, Kanchana Thilakarathna

Abstract: This paper focuses on reporting of Internet malicious activity (or mal-activity in short) by public blacklists with the objective of providing a systematic characterization of what has been reported over the years, and more importantly, the evolution of reported activities. Using an initial seed of 22 blacklists, covering the period from January 2007 to June 2017, we collect more than 51 million mal-activity reports involving 662K unique IP addresses worldwide. Leveraging the Wayback Machine, antivirus (AV) tool reports and several additional public datasets (e.g., BGP Route Views and Internet registries) we enrich the data with historical meta-information including geo-locations (countries), autonomous system (AS) numbers and types of mal-activity. Furthermore, we use the initially labelled dataset of approx 1.57 million mal-activities (obtained from public blacklists) to train a machine learning classifier to classify the remaining unlabeled dataset of approx 44 million mal-activities obtained through additional sources. We make our unique collected dataset (and scripts used) publicly available for further research. The main contributions of the paper are a novel means of report collection, with a machine learning approach to classify reported activities, characterization of the dataset and, most importantly, temporal analysis of mal-activity reporting behavior. Inspired by P2P behavior modeling, our analysis shows that some classes of mal-activities (e.g., phishing) and a small number of mal-activity sources are persistent, suggesting that either blacklist-based prevention systems are ineffective or have unreasonably long update periods. Our analysis also indicates that resources can be better utilized by focusing on heavy mal-activity contributors, which constitute the bulk of mal-activities.

Comment: ACM Asia Conference on Computer and Communications Security (AsiaCCS), 13 pages

Date: 24 Apr 2019

#### Security Analysis of Near-Field Communication (NFC) Payments

Authors: Dennis Giese, Kevin Liu, Michael Sun, Tahin Syed, Linda Zhang

Abstract: Near-Field Communication (NFC) is a modern technology for short range communication with a variety of applications ranging from physical access control to contactless payments. These applications are often heralded as being more secure, as they require close physical proximity and do not involve Wi-Fi or mobile networks. However, these systems are still vulnerable to security attacks at the time of transaction, as they require little to no additional authentication from the user's end. In this paper, we propose a method to attack mobile-based NFC payment methods and make payments at locations far away from where the attack occurs. We evaluate our methods on our personal Apple and Google Pay accounts and demonstrate two successful attacks on these NFC payment systems.

Comment: 10 pages, 3 figures

Date: 24 Apr 2019

#### Handoff All Your Privacy: A Review of Apple's Bluetooth Low Energy Implementation

Authors: Jeremy Martin, Douglas Alpuche, Kristina Bodeman, Lamont Brown, Ellis Fenske, Lucas Foppe, Travis Mayberry, Erik C. Rye, Brandon Sipes, Sam Teplov

Abstract: In recent versions of iOS, Apple has incorporated new wireless protocols to support automatic configuration and communication between devices. In this paper, we investigate these protocols, specifically Bluetooth Low Energy (BLE) "Continuity," and show that the price for this seamless user experience is substantial leakage of identifying information and users' behavioral data to a passive listening adversary. We start by reverse engineering Apple's proprietary protocol and identifying a number of data fields that are transmitted unencrypted. Plaintext messages are broadcast over BLE in response to user actions such as locking and unlocking a device's screen, using the copy/paste feature and tapping the screen while it is unlocked. We also demonstrate that the format and contents of these messages can be used to identify the type and OS version of a device. Finally, we show how the predictable sequence numbers of these frames can allow an adversary to track iOS devices from location to location over time, defeating existing anti-tracking techniques like MAC address randomization.

Date: 24 Apr 2019

#### Peek-a-boo, I Can See You, Forger: Influences of Human Demographics, Brand Familiarity and Security Backgrounds on Homograph Recognition

Authors: Tran Phuong Thao, Yukiko Sawaya, Hoang-Quoc Nguyen-Son, Akira Yamada, Ayumu Kubota

Abstract: Homograph attack is a way that attackers deceive victims about which domain they are communicating with by exploiting the fact that many characters look alike. The attack becomes serious and is raising broad attention when recently many brand domains have been attacked such as Apple Inc., Adobe Inc., Lloyds Bank, etc. We first design a survey of human demographics, brand familiarity, and security backgrounds and apply it to 2,067 participants. We build a regression model to study which factors affect participants' ability in recognizing homograph domains. We then find that participants exhibit different ability for different kinds of homographs. For instance, female participants tend to be able to recognize homographs while male participants tend to be able to recognize non-homographs. Furthermore, 16.59% of participants can recognize homographs whose visual similarity with the target brand domains is under 99.9%; however, when the similarity increases to 99.9%, the number of participants who can recognize homographs drops down significantly to merely 0.19%; and for the homographs with 100% of visual similarity, there is no way for the participants to recognize. We also find that people working or educated in computer science or computer engineering are the ones who tend to exhibit the best ability to recognize all kinds of homographs and non-homographs. Surprisingly to us, brand familiarity does not influence the ability in either homographs or non-homographs. Stated differently, people who frequently use the brand domains but do not have enough knowledge are still easy to fall into vulnerabilities.

Date: 24 Apr 2019

#### When and where do you want to hide? Recommendation of location privacy preferences with local differential privacy

Authors: Maho Asada, Masatoshi Yoshikawa, Yang Cao

Abstract: In recent years, it has become easy to obtain location information quite precisely. However, the acquisition of such information has risks such as individual identification and leakage of sensitive information, so it is necessary to protect the privacy of location information. For this purpose, people should know their location privacy preferences, that is, whether or not he/she can release location information at each place and time. However, it is not easy for each user to make such decisions and it is troublesome to set the privacy preference at each time. Therefore, we propose a method to recommend location privacy preferences for decision making. Compared to the existing method, our method can improve the accuracy of recommendation by using matrix factorization and preserve privacy strictly by local differential privacy, whereas the existing method does not achieve a formal privacy guarantee. In addition, we found the best granularity of a location privacy preference, that is, how to express the information in location privacy protection. To evaluate and verify the utility of our method, we have integrated two existing datasets to create rich information in terms of user number. From the results of the evaluation using this dataset, we confirmed that our method can predict location privacy preferences accurately and that it provides a suitable method to define the location privacy preference.

Date: 24 Apr 2019

#### Quantum boomerang capacity

Authors: Siddhartha Das, Mark M. Wilde

Abstract: Inspired by the power of abstraction in information theory, we consider quantum boomerang protocols as a way of providing a unifying perspective to deal with several information-processing tasks related to and extending quantum channel discrimination to the Shannon-theoretic regime. Such protocols, defined in the most general quantum-physical way possible, have been considered in the physical context of the DW model of quantum reading [Das and Wilde, arXiv:1703.03706]. In [Das, arXiv:1901.05895], it was discussed how such protocols apply in the different physical context of round-trip communication from one party to another and back. The common point for all quantum boomerang tasks is that the decoder himself has access to both the input and output of a randomly selected sequence of channels, and the goal is to determine a message encoded into the channel sequence. As employed in the DW model of quantum reading, the most general quantum-physical strategy that a decoder can employ is an adaptive strategy, in which general quantum operations are executed before and after each call to a channel in the sequence. We determine lower and upper bounds on the quantum boomerang capacities in various scenarios of interest, and we also discuss cases in which adaptive schemes provide an advantage over non-adaptive schemes in zero-error quantum boomerang protocols.

Comment: 7 pages, 2 figures, see companion paper at arXiv:1703.03706

Date: 23 Apr 2019

#### PowerDrive: Accurate De-Obfuscation and Analysis of PowerShell Malware

Authors: Denis Ugarte, Davide Maiorca, Fabrizio Cara, Giorgio Giacinto

Abstract: PowerShell is nowadays a widely-used technology to administrate and manage Windows-based operating systems. However, it is also extensively used by malware vectors to execute payloads or drop additional malicious contents. Similarly to other scripting languages used by malware, PowerShell attacks are challenging to analyze due to the extensive use of multiple obfuscation layers, which make the real malicious code hard to unveil. To the best of our knowledge, a comprehensive solution for properly de-obfuscating such attacks is currently missing. In this paper, we present PowerDrive, an open-source, static and dynamic multi-stage de-obfuscator for PowerShell attacks. PowerDrive instruments the PowerShell code to progressively de-obfuscate it by showing the analyst the employed obfuscation steps. We used PowerDrive to successfully analyze thousands of PowerShell attacks extracted from various malware vectors and executables. The attained results show interesting patterns used by attackers to devise their malicious scripts. Moreover, we provide a taxonomy of behavioral models adopted by the analyzed codes and a comprehensive list of the malicious domains contacted during the analysis.

Date: 24 Apr 2019