Main Attacks

Security Threat Landscape

The following presents the major attacks that affected each of our domains of interest. The attacks are grouped based on the main exploited threat.

Attacks related to Device/IoT-Centric Security

In the following, the main attacks affecting the Device/IoT domain are reported.

  • Threat T1.1.1: Information leakage/sharing due to human errors: In the medical sector, IoT applications are very critical, as also pointed out by Choi et al.[1], who showed how data breaches in hospitals can impact the 30-day mortality rate. According to Jiang et al.[2], most breaches in hospitals were triggered by employee mistakes or unauthorized disclosures. Given the nature of the information, the impact on privacy is of paramount importance. In some cases the sensor channels were protected, but the aggregation nodes at the edge were not. Employee mistakes can expose such nodes directly or create a weakness that can later be exploited to expose them[2]. The installation phase is also critical in IoT, since in most cases it is the only moment at which human intervention can activate security features or configure secure connections with the rest of the network. A human error made at this phase can be difficult to remediate.
  • Threat T1.1.2: Inadequate design and planning or incorrect adaptation: Many attacks involve this threat as a stepping stone to another one, as in the case of botnets. Examples of security attacks generated by inadequate design are those involving CloudPets toys, which were designed without any Bluetooth security feature, so that anyone within range could connect to them and send and receive commands and data.[3] Given the nature of these devices, adaptation and fixing strategies are almost inapplicable. One example of a wrongly designed IoT deployment concerns the refrigeration and heating, ventilation and air-conditioning (HVAC) devices of an HVAC vendor, which had remote access in order to monitor the environmental temperature. These devices were used in 2015 to generate data breaches on a retailer’s network. More than the vulnerabilities of the devices themselves, the problem was the decision to place them on the same network as the POS services.[4] Similar issues are quite common in medical facilities, which use IoT devices for their specific capabilities without segmenting them from the rest of the network. The result is that any local device can end up having a global impact.[5]
  • Threat T1.2.1: Interception of information: Recently, Amazon Ring IoT devices were found by Bitdefender to be vulnerable to password interception, since they exchange the WiFi password in plain text over an HTTP channel.[6] A security vulnerability in BMW’s ConnectedDrive system allowed researchers to unlock the affected vehicles without the car keys. The researchers were able to impersonate BMW servers and send remote unlocking instructions to vehicles over the public cellular network. The problem was fixed by adding HTTPS encryption to the connection and ensuring that the car only accepts connections from a server presenting the correct security certificate. More recently, VPNFilter, similarly to the BlackEnergy malware, attacked routers in order to intercept communication from SCADA systems used in manufacturing and infrastructure maintenance and to sniff out credentials.[7]
  • Threat T1.2.2: Unauthorised acquisition of information: Some traditional networking attacks can play a role in IoT, given the vulnerabilities of the networking devices currently used in IoT environments. For instance, in the sinkhole attack (or blackhole attack) the attacker advertises a high-quality route through itself, so that it can manipulate all packets passing through it. Another network attack is the selective forwarding attack, where the attacker selectively forwards or drops packets. The wormhole attack is obtained by recording packets at one location in the network and tunneling them to another location, with the aim of influencing the perceived network behavior, distorting statistics and impacting the routing functionalities.
  • Threat T1.3.1: Device modification: An attacker may be able to exploit the firmware upgrade process (with or without physical access) by maliciously replacing the device’s firmware, thereby influencing its operational behavior. For example, by adding a piece of malicious code to the firmware, an attacker can obtain periodic reports of the energy consumption of a specific device. This information can then be used to infer whether a home or an enterprise is active or not. In other cases, the complexity of firmware upgrades in the IoT environment leads to firmware that has not been properly maintained and updated. This scenario opens vulnerabilities that attackers might exploit to replace the firmware on the device remotely. For instance, Foscam wireless cameras were vulnerable to firmware replacement, allowing full camera control.[8] IoT is also more exposed than other systems to physical cloning attacks. Butun et al.[9] described a number of scenarios in which the clone attack impacts IoT, together with the corresponding detection countermeasures.
  • Threat T1.3.2: Extraction of private information: Park et al. focused on attacks on the information held by IoT sensors, including those requiring physical access[10]. In many cases, physical access permits bypassing security protections and accessing the device, with the aim of tampering with it to extract private information or modifying the firmware to obtain privileged shadow access. Additional examples are side-channel attacks on sensor data. Maiti et al. describe a side-channel attack on mobile keypads using smartwatches[11]. Sarkisyan et al. study PIN prediction using the smartwatch motion sensor[12]. Chakraborty et al. describe optical eavesdropping on the display of a mobile device via light sensors[13].
  • Threat T1.4.1: Identity fraud: In 2015, the Moose malware infected devices by brute-forcing Telnet credentials and set up a SOCKS and HTTP proxy. In 2018, Guardzilla, an IoT camera, was found to use the same hard-coded keys on its devices as for its AWS storage server. This is an example of an IoT threat that allows impersonation towards the cloud backend service via the access key.[14]
  • Threat T1.4.2: Denial of service: In Finland, a DDoS attack took down the heating systems of at least two housing blocks in the city of Lappeenranta, leaving their residents without heating in sub-zero temperatures for more than a week.[15] The source of this attack was apparently a Mirai botnet.
  • Threat T1.4.3: Malicious code/software/activity: In 2009, the Puerto Rico Electric Power Authority (PREPA) suffered a series of power theft incidents related to its smart meter deployment. The attack was quite complex and exploited different threats: for instance, it required physical access (TG1.3), and it probably involved malicious insiders who understood the hardware functionalities. The main exploited vulnerability, discovered later in 2010, was the injection of false data, mainly at the installation phase.[16] This is considered a serious security issue for IoT devices, especially in combination with a malicious insider. IoT is also the preferred target of botnet-based malware. Recently, a new variant of the Gafgyt malware has targeted small office and home routers by exploiting well-known vulnerabilities. It competes with the JenX botnet, and in case of double infection the two are programmed to disable each other.[17] Jeep Cherokees were discovered to be vulnerable to an attacker who may be miles away yet capable of sending commands through the Jeep’s entertainment system to its dashboard functions, steering, brakes, and transmission.[18] IoT_Reaper, also known as “the Reaper”, is a variant of the Mirai Linux malware that utilizes at least ten old and well-known IoT vulnerabilities. Given the difficulties in updating IoT devices, even old vulnerabilities can be very effective. Recently, cryptominers have started targeting IoT devices, more because they are quite easy to tamper with than for their computational power, even though devices such as Alexa and mobile phones (Android OS, via ADB.Miner) have non-negligible computational capabilities. More recently, this type of malware has used blockchain-based DNS to make itself more difficult to track, as in the case of Fbot.
  • Threat T1.4.4: Misuse of assurance tools: Given the peculiarities of IoT, such assurance tools are in most cases not implemented, but there is a non-negligible effort to have them in place in the near future. Therefore, more attacks of this kind are expected to become possible in the future.
  • Threat T1.4.5: Failures of business process: Examples of business process failures are those implying poorly designed technical workflows, for instance saving sensor data in multiple copies in an unprotected location, or keeping them locally even after they have been transferred. Other failures refer to business-specific processes where IoT devices are manufactured with unreliable or insecure components and the manufacturing process has no assurance requirements, which is a supply chain vulnerability. According to TrapX, most healthcare organizations are vulnerable to medical device hijacking, also called “medjacking”, which in many cases implies failures in the business processes connected with sensors or in the procurement process.[19]
  • Threat T1.4.6: Code execution and injection (unsecured APIs): SQL injections are a bigger danger to IoT than to traditional networks. They are in many cases at the basis of most botnets, since SQL injection can lead quite straightforwardly to privilege escalation. In many cases the target is the smartphone that controls the devices, as in the case of the XSS and SQL injection vulnerabilities of Belkin devices and the WeMo app.[20] Recently, Carlo Gavazzi SmartHouse version 6.5.33 was discovered to suffer from cross-site request forgery, along with both reflected and persistent XSS vulnerabilities.[21]
  • Threat T1.5.1: Violation of laws or regulations
  • Threat T1.6.1: Skill shortage: No recent attacks have been reported.
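
The sinkhole and selective forwarding attacks of T1.2.2 can be made concrete in a small simulation, given here as an added example that is not part of the original report: a toy multi-hop sensor network, a node that advertises a false rank and drops one packet in three, and the two defender-side checks (watchdog forward ratio, rank consistency) that expose it. The topology, the drop rule and the thresholds are constructed assumptions.

```python
from collections import defaultdict

# Added example, not from the original report: a toy multi-hop sensor network in which
# every node forwards toward the sink through a chosen parent, together with two
# defender-side checks: a watchdog forward-ratio check for selective forwarding and a
# rank-consistency check for sinkhole advertisements. Topology, drop rule and
# thresholds are constructed for the illustration.

SINK = "sink"


class Node:
    def __init__(self, name, parent, advertised_rank, drop_every=0):
        self.name = name
        self.parent = parent                    # next hop toward the sink
        self.advertised_rank = advertised_rank  # hop distance to the sink this node claims
        self.drop_every = drop_every            # >0: silently drops every n-th packet
        self.seen = 0

    def forward(self) -> bool:
        """True if the node retransmits the packet toward its parent."""
        self.seen += 1
        return not (self.drop_every and self.seen % self.drop_every == 0)


def build_network():
    """Honest chain sink <- A <- B, plus a node M that advertises rank 1 although it
    sits behind B (rank 2), so C and D pick it as parent; M also drops 1 packet in 3."""
    nodes = [Node("A", SINK, 1), Node("B", "A", 2),
             Node("M", "B", 1, drop_every=3),
             Node("C", "M", 2), Node("D", "M", 2)]
    return {n.name: n for n in nodes}


def simulate(nodes, sources, packets_per_source):
    """Deliver packets hop by hop. Each sender overhears whether its next hop
    retransmits (watchdog) and tallies [received, forwarded] for that neighbour."""
    stats = defaultdict(lambda: [0, 0])
    delivered = 0
    for src in sources:
        for _ in range(packets_per_source):
            cur = src
            while True:
                nxt = nodes[cur].parent
                if nxt == SINK:
                    delivered += 1
                    break
                stats[nxt][0] += 1
                if not nodes[nxt].forward():
                    break                       # dropped: the sender saw no retransmission
                stats[nxt][1] += 1
                cur = nxt
    return dict(stats), delivered


def suspicious_forwarders(stats, min_ratio=0.9, min_samples=10):
    """Nodes whose overheard forward ratio falls below min_ratio (selective forwarding)."""
    return sorted(n for n, (rx, fw) in stats.items()
                  if rx >= min_samples and fw / rx < min_ratio)


def rank_inconsistencies(nodes, min_increase=1):
    """Sinkhole check: a node may not claim a rank lower than its parent's rank plus
    min_increase (the sink has rank 0)."""
    bad = []
    for n in nodes.values():
        parent_rank = 0 if n.parent == SINK else nodes[n.parent].advertised_rank
        if n.advertised_rank < parent_rank + min_increase:
            bad.append(n.name)
    return sorted(bad)


def demo():
    nodes = build_network()
    stats, delivered = simulate(nodes, ["C", "D"], 15)
    return suspicious_forwarders(stats), rank_inconsistencies(nodes), delivered


if __name__ == "__main__":
    print(demo())  # (['M'], ['M'], 20)
```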

Attacks related to Network-Centric Security

In the following, the main attacks affecting the Network domain are reported.

  • Threat T2.1.1: Erroneous use or administration of devices and systems: A human error caused a mobile internet outage for millions of users. Due to a human error (wrong software configuration) during the migration of the packet gateway, clients of one operator were not able to use mobile data. Mobile switches were affected by this incident. A rollback was successfully executed to resolve the issue.[22] Misconfigured open DNS servers have been used in a record-breaking DDoS attack. The attackers abused improperly configured or default-state DNS servers, also known as open DNS resolvers.[23]
  • Threat T2.2.1: Signaling traffic interception: An attacker who simply has signaling network access (e.g. by renting a global title on the market) can send crafted messages to retrieve the location information of the network node to which a target subscriber is connected. An attacker can alter the current subscriber’s location and profile in order to receive mobile-terminating or mobile-originating calls, SMS, or data traffic. A hostile SS7 Update Location enables subscriber SMS interception by simulating a fake MSC, which will then receive the SMS for the targeted subscriber. The interception of SMS messages could enable adversaries to obtain authentication codes used for multi-factor authentication. In [24], SS7 was exploited to intercept two-factor authentication codes sent to online banking customers, allowing the attackers to empty their accounts. The exploitation of SS7 design weaknesses to obtain a victim’s location, harvest their messages, and listen in on calls was demonstrated in 2014.[25] Other examples are the demonstrations in [26] and [27]. O2 in Germany confirmed that some of its customers had their accounts drained by attackers who used SS7 to intercept and redirect mTANs to their own phones.[28] In [29], an attempted data interception attack using SS7 was reported.
  • Threat T2.2.2: Data session hijacking: Data session hijacking has been achieved by performing GTP attacks.[30] In 2014, attackers hijacked a portion of the online traffic of a set of 19 ISPs, with the goal of stealing cryptocurrency from a group of users.[31] In April 2017, Rostelecom, a Russian ISP, leaked dozens of routes pertaining to IP addresses belonging to major financial services firms. The Russian ISP ‘originated’ 137 prefixes, 37 of which belong to financial, e-commerce, and payment services such as Mastercard, Visa, Forti and Alfabank. For 7 minutes, global traffic to these services was redirected via the Rostelecom network.[32] In 2018, a BGP hijack was used to divert traffic to Google from subscribers living in the west of the USA via Russia to China, allegedly intentionally and for espionage purposes.[33]
  • Threat T2.2.3: Traffic eavesdropping: To conduct such an attack, attackers need the proper equipment to capture and store the radio communication between the cellular mobile device and the base station. A False Base Station (FBS), Rogue Base Station (RBS), International Mobile Subscriber Identity (IMSI) catcher or Stingray can be used for traffic eavesdropping (passive and active) by exploiting security weaknesses in mobile networks. With the evolution of mobile networks from 2G to 5G, more security features have been added. However, the use of fake base stations remains possible, and this issue is under discussion within 3GPP SA3 in order to define a possible way to detect fake base stations. The security enhancements provided with the 5G network limit the type of information that can be gathered by using a fake base station. At least up to 4G, a fake base station can retrieve the user’s IMSI, because the device authenticates itself via its unique subscriber identity: the fake base station requests the IMSI and the device sends it. The 5G specifications provide the necessary mechanisms for protecting user privacy, and the subscriber’s identity is to be encrypted to prevent attacks from fake base stations. Moreover, even in the current 5G, some identification information transmitted by the device is still unencrypted. This data can be captured by a fake base station and used to determine the class of device, some hardware components, the model and the operating system. This information can be useful to attackers looking for a specific custom device. An attacker can change the category of the target device so that the base station only provides 2G/3G connections, which makes the device vulnerable to other attacks specific to 2G/3G. In passive attacks, the false base station records and analyses the mobile radio signal of legitimate connections between the operator network and the targeted mobiles. The attacker can decode the network identifier of the targeted mobiles and possibly decrypt the communication content if it was encrypted with a vulnerable cipher algorithm. In active attacks, the attacker is on the path of the communication between a targeted mobile and the legitimate network, with a false base station used in a man-in-the-middle setup. The false base station impersonates the radio signal of a legitimate mobile network and forces the mobile device to connect to it by using a higher-power signal. In the meantime, the false base station connects to the legitimate network by impersonating the targeted mobile. In the 3G network, a false base station can relay the network authentication signaling to the intercepted mobile and ask the network to use either no security or vulnerable security algorithms. Examples of broken 2G cryptographic algorithms are A5/1 and A5/2. In addition, using a rogue base station broadcasting at a high power level, an attacker can force a user to downgrade to either GSM or UMTS. For example, once the IMSI of a target user has been obtained with a fake base station, it could be possible to modify the code of an SDR-based 4G network to degrade the 4G service completely, forcing the device to look for another cell in the 3G or 2G frequencies[34]. Another way to perform downgrade attacks is reported in the paper “Practical attacks against privacy and availability in 4G/LTE mobile communications”[35]. Recently, at the DEF CON security conference in Las Vegas in 2019, a team of researchers from BlackBerry showed how calls can be hacked by cybercriminals.[36]
  • Threat T2.2.4: Traffic redirection: An active domain name system (DNS) redirection attack, referred to as aLTEr, has recently been demonstrated by researchers from Ruhr-Universität Bochum and New York University Abu Dhabi.[37] It allows an attacker to perform man-in-the-middle attacks to intercept communications and redirect the victim to malicious websites using DNS spoofing. The attack takes advantage of a design flaw in the LTE network: the data link layer (layer 2) of the LTE network is encrypted with AES-CTR, but it is not integrity-protected. This means that an attacker can modify bits within an encrypted data packet, which then decrypts to a correspondingly modified plaintext. To do so, the attacker poses as a cell tower to the victim while pretending to be a subscriber to the real network.
  • Threat T2.3.1: Exploitation of software bug: Many attacks based on vulnerability exploitation have been reported against core and access networks. A massive attack was launched towards the end of 2016, whose main target was the Deutsche Telekom access network and its infrastructure. The cyber-attack, which infected nearly one million routers used to access the Deutsche Telekom Internet service, was part of a campaign targeting web-connected devices around the globe.[38] The devices were vulnerable CPE, and according to the telecommunications company, the impacted customers were unable to connect to the Internet. Software vulnerabilities are also used by APTs (Advanced Persistent Threats) to penetrate network infrastructures.[39] As described by Cybereason, the “Operation Soft Cell” campaign started by exploiting a vulnerability in an unpatched, publicly facing IIS server, from which the attackers gathered information about the network and propagated across it. Recently, the Simjacker attack was also identified; it exploits a vulnerability of a SIM card technology called S@T Browser. The key issue with the S@T Browser technology is that its default security does not require any authentication; as a result, the attacker is able to execute functionality on the SIM card with the aim of ‘taking over’ the mobile phone to retrieve information and perform sensitive commands. The location information of thousands of devices was obtained over time without the knowledge or consent of the targeted mobile phone users.[40]
  • Threat T2.3.2: Manipulation of hardware and firmware: The Meltdown and Spectre vulnerabilities introduced the world to the power of hardware-level weaknesses.[41] The recently discovered LoJax[42] malware and the Hacking Team UEFI rootkit are two of the best-known examples of firmware attacks. In both examples, the malware targeted the system’s UEFI firmware. These attacks took advantage of specific vulnerabilities, and many other vulnerabilities have been discovered over the past few years in UEFI and related components. However, in some cases attackers do not need to exploit a vulnerability at all to install their malicious implants: older systems, and even some recent servers, lack basic protections such as signed firmware updates. These attacks can apply to virtually any device that can be compromised with malware. While malware represents a common attack vector, research has shown that firmware can also be exploited remotely. This attack vector has a lot to do with the growing set of networking options found within UEFI components themselves. The standard UEFI codebase now includes a rich set of network capabilities for Ethernet, WiFi and even Bluetooth, which allow the firmware to communicate remotely and even perform a full HTTP boot from a remote server across the Internet. Eclypsium researchers found that in some cases the over-the-Internet update functionality downloaded the update unverified and in the clear: the host would contact a remote update server using plain HTTP, without SSL or any verification. This means that simple man-in-the-middle or other redirection techniques (e.g. DNS/ARP/route poisoning) could be used to modify the response returned to the client and exploit the vulnerability. As a result, the research showed that one could remotely deliver malicious code resulting in buffer overflows and arbitrary code execution just by having the client check whether a newer version of the firmware exists.[43]
  • Threat T2.3.3: Malicious code/software/activity: One of the most important technologies in the network environment is Software Defined Networking (SDN). SDN technology aims to replace the physical network with a decoupled data plane/control plane architecture controlled by software. Although no specific malware attack has yet been publicly announced, ETSI security experts published “ETSI GS NFV-SEC 003: Network Functions Virtualisation (NFV); NFV Security; Security and Trust Guidance”, where malware is indicated as one of the main threat vectors. Academia and independent researchers are also investigating the topic. As an example of such investigations, in 2016 the paper “Attacking SDN infrastructure: are we ready for the next-gen networking?” was presented at the Black Hat event.[44] The paper describes how malware can attack and damage SDN infrastructures. Two use cases were presented: the first shows how to infect the SDN control plane at build time, and the second how to infect the SDN control plane at run time. Another example of malware spread that impacted network functions was WannaCry, a ransomware crypto-worm that targeted computers running the Microsoft Windows operating system in May 2017. Once installed on a computer, thanks to its worm behavior it had the capability to spread into local networks, compromising the functionality of the network. Telefonica was impacted by this attack[45]. Malware spread can also impact endpoint network assets. As a recent example, in June 2019 a new variant of malware was detected that aims to wipe the firmware of IoT devices, in attacks reminiscent of the old BrickerBot malware that destroyed millions of devices back in 2017. This new variant, named Silex, works by trashing an IoT device’s storage, dropping firewall rules, removing the network configuration, and then halting the device.[46]
  • Threat T2.3.4: Remote activities (execution): In 2018, hackers targeted mobile phone networks around the world, aiming to obtain CDR records.[39] The threat actor was attempting to steal all the data stored in the Active Directory, compromising every single username and password in the organization, along with other personally identifiable information, billing data, call detail records, credentials, email servers, geo-location of users, and more. The attack began with a web shell running on a vulnerable, publicly facing server, from which the attackers gathered information about the network and propagated across it. The threat actor attempted to compromise critical assets, such as database servers, billing servers, and the Active Directory. The hackers created privileged accounts to easily regain access later, and in one case even set up a VPN connection to easily tunnel back into the network.
  • Threat T2.3.5: Malicious code – Signaling amplification attacks: In this attack, malicious users take advantage of the signaling overhead required to set up and release dedicated bearers in order to overload the signaling plane by repeatedly triggering dedicated bearer requests. A botnet of infected mobile devices could be used to generate a signaling amplification attack by forcing each terminal to constantly establish and release IP connections with an external server[47]. A piece of malware could also trigger mobile phones to reboot at the same time, thereby potentially overloading the EPC with registrations once they come back up. It is also necessary to consider that the Home Subscriber Server (HSS) is involved in a significant number of signaling processes at the EPC; thus, it can also suffer from a signaling amplification attack. Such saturation of the EPC could potentially also occur legitimately, due to the overwhelming amount of traffic and frequent reconnections of billions of Machine to Machine (M2M) nodes. Amplification attacks exploiting NTP and DNS signaling are reported in [48].
  • Threat T2.4.1: Failures of devices or systems: A system failure caused a mobile internet, telephony and SMS outage for thousands of users. A software bug occurred in the SPR (Subscriber Profile Repository) server. Following the repeated instability of the equipment, the signaling traffic increased and the STP (Signalling Transfer Point) platforms became overloaded. As a result, end-users had difficulties accessing mobile internet services as well as voice and SMS services. The vendor responded by fully restoring the functionality of the SPR equipment. To stop the avalanche of signaling messages, the 3G and 4G networks were partially shut off and all subscribers were moved to the 2G network.[22] Another system failure caused a mobile internet outage for millions of users. A software bug occurred in the internal system component Software Deployment Manager (SDM), leading to the degradation of user authorization for mobile data and mobile voice. As a result, end-users had difficulties accessing mobile services, both voice and data. Customers abroad were also affected (roaming services). Mobile switches and mobile user registers were affected by this bug. The provider removed the obstacles to accessing the services and, to prevent similar incidents in the future, a mitigation plan was created in collaboration with the software vendors.[49] A further system failure caused a disruption in both mobile and fixed telephony and internet services, as well as SMS/MMS services, affecting millions of users. An outage of several network components used to deliver DSL in the subscriber access network resulted in the disruption of mobile and fixed telephony and internet access. The provider responded by raising the capacity of the remaining network components. A subsequent software upgrade resolved the issue completely.[49]
  • Threat T2.4.2: Supply chain: In 2018, several examples of supply chain attacks were identified, including tampering with chipsets[50] and vulnerabilities in AMD processors.[51] A recent case of “supply chain attack” is the “NotPetya” malware. It spread to systems that had a specific accounting software installed. The investigation of the incident revealed that the threat actor behind the attack compromised the infrastructure of the software provider, tampered with the software, and pushed the tampered version to the provider’s clients as a legitimate software update. The software update essentially installed the “NotPetya” malware on the victim machines. Another case is a backdoor dubbed ShadowPad. It was injected into a network management software suite and was pushed through a software update to the systems that had the software installed. The attack was spotted when a company using the software observed suspicious domain name lookup requests. Such a backdoor could potentially allow the threat actor behind the attack to load malware on the victim systems and/or exfiltrate data.[52]
  • Threat T2.4.3: Software bug: Multiple vulnerabilities were found by security researchers in 4G routers manufactured by several companies, with the flaws exposing users to information leaks and command execution attacks.[53]
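
The aLTEr flaw described under T2.2.4 (encryption with AES-CTR but no integrity protection) can be reproduced in miniature; the following is an added example, not code from the original report or from the aLTEr researchers. It shows that XORing a known field of the ciphertext changes the decrypted destination address, and that the same packet is rejected once a MAC over the ciphertext is checked before decryption. The HMAC-based counter-mode keystream standing in for AES-CTR, the packet layout and the addresses are constructed assumptions.

```python
import hashlib
import hmac
import struct

# Added example, not code from the original report or from the aLTEr researchers.
# A counter-mode keystream built from HMAC-SHA256 stands in for AES-CTR: the
# malleability shown below comes from the XOR structure of counter mode, not from
# the block cipher, so the behaviour is the same for AES-CTR.


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter mode: PRF(key, nonce || counter) for counter = 0, 1, 2, ..."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def ctr_crypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Encryption and decryption are the same XOR with the keystream."""
    return bytes(d ^ k for d, k in zip(data, keystream(key, nonce, len(data))))


def xor_patch(ciphertext: bytes, offset: int, known: bytes, desired: bytes) -> bytes:
    """What an on-path party can do without the key in unauthenticated CTR mode:
    XOR the ciphertext with (known_plaintext XOR desired_plaintext) at a known offset."""
    ct = bytearray(ciphertext)
    for i, (a, b) in enumerate(zip(known, desired)):
        ct[offset + i] ^= a ^ b
    return bytes(ct)


# Constructed packet layout: 4-byte destination IPv4 address followed by the query name.
def ip_bytes(ip: str) -> bytes:
    return bytes(int(octet) for octet in ip.split("."))


def build_packet(dst: str, qname: bytes) -> bytes:
    return ip_bytes(dst) + qname


def dst_ip(packet: bytes) -> str:
    return ".".join(str(b) for b in packet[:4])


# The missing layer: an integrity tag over nonce || ciphertext, checked before decryption.
def tag(mac_key: bytes, nonce: bytes, ciphertext: bytes) -> bytes:
    return hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()


def verify(mac_key: bytes, nonce: bytes, ciphertext: bytes, expected_tag: bytes) -> bool:
    return hmac.compare_digest(tag(mac_key, nonce, ciphertext), expected_tag)


def demo():
    """Return (destination seen by a receiver with no integrity check,
    whether an integrity-checking receiver accepts the modified packet)."""
    enc_key, mac_key, nonce = b"\x11" * 32, b"\x22" * 32, b"\x00" * 8
    resolver, other_resolver = "10.0.0.53", "10.0.0.66"   # constructed addresses
    packet = build_packet(resolver, b"example.org")
    ct = ctr_crypt(enc_key, nonce, packet)
    t = tag(mac_key, nonce, ct)
    # the on-path party knows the victim's resolver address and the field offset
    tampered = xor_patch(ct, 0, ip_bytes(resolver), ip_bytes(other_resolver))
    seen_without_integrity = dst_ip(ctr_crypt(enc_key, nonce, tampered))
    accepted_with_integrity = verify(mac_key, nonce, tampered, t)
    return seen_without_integrity, accepted_with_integrity


if __name__ == "__main__":
    print(demo())  # ('10.0.0.66', False)
```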
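
For the signaling amplification patterns described under T2.3.5, the following added example (not from the original report or from any vendor tool) runs two sliding-window detectors over constructed signaling events: one for a terminal that loops dedicated bearer setup and release, one for a burst of simultaneous re-attaches. The event format, the IMSIs and the thresholds are assumptions made for the illustration.

```python
from collections import defaultdict, deque

# Added example, not from the original report or any vendor tool. Event lines are
# constructed in the format "<seconds> <IMSI> <event>", with event one of
# BEARER_SETUP, BEARER_RELEASE, ATTACH; the thresholds are illustrative.


def parse_line(line: str):
    ts, imsi, event = line.split()
    return int(ts), imsi, event


def bearer_churn_offenders(lines, window=60, max_setups=10):
    """IMSIs that requested more than max_setups dedicated bearers within any
    sliding window of `window` seconds: the per-terminal establish/release loop."""
    recent = defaultdict(deque)      # imsi -> BEARER_SETUP timestamps inside the window
    offenders = set()
    for ts, imsi, event in map(parse_line, lines):
        if event != "BEARER_SETUP":
            continue
        q = recent[imsi]
        q.append(ts)
        while ts - q[0] >= window:   # terminates: the newest entry is ts itself
            q.popleft()
        if len(q) > max_setups:
            offenders.add(imsi)
    return offenders


def max_attach_burst(lines, window=5):
    """Largest number of distinct IMSIs attaching within any `window` seconds:
    the registration storm after a malware-triggered simultaneous reboot."""
    recent = deque()                 # (ts, imsi) of ATTACH events inside the window
    peak = 0
    for ts, imsi, event in map(parse_line, lines):
        if event != "ATTACH":
            continue
        recent.append((ts, imsi))
        while ts - recent[0][0] >= window:
            recent.popleft()
        peak = max(peak, len({i for _, i in recent}))
    return peak


def build_sample_log():
    """Constructed events: one normal subscriber, one infected terminal and one
    burst of re-attaches; returned sorted by time."""
    lines = []
    for k in range(4):               # normal: one bearer every 5 minutes, held 30 s
        lines.append(f"{k * 300} 001010000000001 BEARER_SETUP")
        lines.append(f"{k * 300 + 30} 001010000000001 BEARER_RELEASE")
    for k in range(12):              # infected: 12 setup/release cycles in 24 s
        lines.append(f"{100 + 2 * k} 001010000000002 BEARER_SETUP")
        lines.append(f"{101 + 2 * k} 001010000000002 BEARER_RELEASE")
    for k in range(5):               # five devices re-attaching within 3 s
        lines.append(f"{200 + k % 3} 0010100000001{k:02d} ATTACH")
    return sorted(lines, key=lambda line: int(line.split()[0]))


def report(lines, window=60, max_setups=10, attach_window=5, max_attach=3):
    """Summary a monitoring job would raise an alert on."""
    return {
        "bearer_churn": sorted(bearer_churn_offenders(lines, window, max_setups)),
        "attach_storm": max_attach_burst(lines, attach_window) > max_attach,
    }


if __name__ == "__main__":
    print(report(build_sample_log()))
```

The thresholds have to be tuned against the normal reconnection rate of the subscriber base, since the text notes that large M2M populations can produce similar load legitimately.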

Attacks related to System-Centric Security

In the following, the main attacks affecting the System domain are reported.

  • Threat T3.1.1: Information leakage/sharing due to human errors: Information leakage due to misconfiguration has been reported in many studies in the literature, and by the CSA, as one of the major sources of security issues. In 2017, a misconfigured AWS Simple Storage Service (S3) cloud storage bucket exposed detailed private data[54]. In 2018, a server misconfiguration (public access) exposed the Elasticsearch database owned by Exactis, resulting in a massive breach of highly personal data.[55] Again in 2018, a misconfigured rsync backup server permitted unauthenticated data transfer to any rsync client, exposing the data of Level One Robotics customers (including Volkswagen and Chrysler).[56] Another famous example concerns the breaches of Verizon customer account data due to the misconfiguration of S3 buckets. Other human errors can lead to system outages, as in the case of the famous AWS employee error that took the S3 service offline.[57] AWS said that it had not had to fully reboot these S3 systems for several years, and that the program had grown extensively since then, causing the restart to take longer than expected.
  • Threat T3.1.2: Inadequate design and planning or incorrect adaptation: Examples of inadequate planning refer to the lack of controls on backups and data cloning in internal management processes. Accenture inadvertently left a massive store of private data across four unsecured Amazon S3 buckets, exposing highly sensitive passwords and secret decryption keys (this type of attack is also relevant to data-centric security in Section 3.6). The S3 buckets contained data that could be downloaded without a password by anyone who simply knew the web addresses of the server.[58] Similarly, data belonging to the Honda Connect app were exposed online. Researchers from the Kromtech Security Center discovered the data stored on two unsecured, publicly accessible and unprotected Amazon AWS S3 buckets.[59] In 2018, more than 120 million unique identification numbers issued by the Brazilian Federal Reserve to Brazilian citizens were exposed on an unprotected S3 bucket.[60] The problem was that the server was treated as a publicly accessible web server, while it should have been protected. In 2019, Voipo, a Voice over Internet Protocol (VoIP) telecom company, exposed millions of unencrypted customer call logs and credentials on an Elasticsearch database.[61] The problem was again inadequate planning, since it was declared that the exposed server was a development server with no security features enabled. The migration process can also be considered a source of serious threats for virtualization, where migration is normally handled automatically for the sake of dynamic load balancing. During live migration, an attacker at a malicious hypervisor may falsely advertise available resources in order to have the compromised VM migrated to the trusted hypervisor. This is a malicious activity exploiting a wrongly designed migration process. Other examples refer to VM rollback. For instance, while restoring a VM from a snapshot to a previous state, the security features enabled in the current state can be disabled. VM rollback can be exploited by an attacker even using a brute-force approach[62]. VM cloning can be used to copy and move a VM without revealing to the user that the VM has been cloned in multiple instances. VM cloning can also be executed for the legitimate purpose of backup; in this case, the backup location must be secured against intrusion or copying, even unintentional. Another example of a wrongly designed process is the one related to Apache CloudStack, which does not properly preserve VNC passwords when migrating KVM virtual machines (CVE-2015-3252), exposing it to attacks at the credential level.
  • Threat T3.2.1: Interception of information: Attacks aiming to intercept data exchanged in internal or external communications involving the system, at every level, have been proposed in the past. At the cloud level, most of the attacks refer to applications deployed on the cloud; more details are available in Section 3.7. Considering the virtualization layer, the recent Foreshadow vulnerability (CVE-2018-3646), which affects XenServer, allows an attacker to create a speculative side channel and steal data in VM RAM from other non-trusted VMs on the same physical server. Other attacks can exploit a cold boot of the VM memory snapshot to capture sensitive data or read the memory exchanged by different VMs[63]. Zhang et al.[64] used the Prime+Probe technique on the L2 cache to detect co-location on Xen. By monitoring L1 cache timing, Zhang et al.[65] extracted the ElGamal secret key used for GNU Privacy Guard decryption performed in another VM, while Weiß et al.[66] extracted AES keys of a VM running on an ARM Cortex-A8 processor. Irazoqui et al.[67] demonstrated a side-channel attack to recover AES keys in Xen and VMware. Yarom et al.[68] used a Flush+Reload approach to observe shared pages on Intel x86 processors and extract private keys across VMs running on multiprocessor and multicore systems. The related Prime+Probe technique was adopted by Inci et al.[69] to monitor the L3 cache in order to extract noisy data from an Amazon EC2 VM and use it to obtain the RSA encryption key. Other approaches try to set up a covert channel. Maurice et al.[70] used the same Prime+Probe approach for an LLC-based covert channel. Xiao et al.[71] presented a memory-deduplication-based covert-channel attack that is faster than L2-cache-based attacks. Another type of attack is the Rowhammer attack across VMs, which exploits memory deduplication to obtain, for instance, a side channel and a covert channel[72]. Most of the above attacks use malicious actions or malware as vectors to exploit the vulnerability.
  • Threat T3.2.2: Unauthorised acquisition of information (data breach): In general, a data breach is the main goal of an attack, and therefore most attacks can be related to a data breach. A famous example involving a cloud service is the Dropbox data breach in 2014,[73] which permitted the discovery of private file transfer links. More recently, another data breach targeted Amazon on Black Friday, where details about Amazon e-commerce were exposed.[74] These attacks also link to the application-centric domain in Section 3.7. The famous VENOM vulnerability (CVE-2015-3456) at the virtualization layer, which affects QEMU, can potentially lead to a data breach as well: it allows an attacker to break out of a VM, execute code on the host machine, and access all the other VMs on the host. A potential data breach was also reported in connection with VMware and Dell EMC storage-as-a-service technology and a trio of critical vulnerabilities (CVE-2017-15548, CVE-2017-15549, and CVE-2017-15550). A set of potential data breaches relate to attacks on VM images, focused on extracting data from the VM image file at rest. Similar to this, but more sophisticated, is the VM data remanence attack: Albelooshi et al.[75] experimented with data remanence to verify whether the physical representation of digital data remains on the physical device even after its removal. We refer to Section 3.6 for additional attacks specifically on the data domain.
  • Threat T3.3.1: Configuration poisoning: The Capital One attack is an example of multiple deliberate configuration poisonings, of both the firewall and an S3 bucket, to expose data.[76] In 2017, National Credit Federation exposed its customers' data due to an intentional poisoning of an AWS S3 bucket configured for public access under a subdomain. As a side note, the company did not react immediately to this potential breach due to the difficulties of updating device firmware. In 2019, the database of Ascension, a data and analytics company, was exposed on a publicly accessible Elasticsearch instance, apparently due to a poisoned backup process. Again in 2019, a massive government data set belonging to the Oklahoma Department of Securities (ODS) was left unsecured on a storage server (based on open-access rsync), exposing millions of sensitive files.[77]
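Misconfigured S3 buckets recur in several of the incidents above, and the weak setting is usually visible in the bucket policy itself. The following Python check is an added example, not code from the report or from any of the organizations named; the two policies, the bucket name, the account id and the VPC endpoint id are constructed placeholders. It flags Allow statements granted to an anonymous principal, separating those with no Condition (world-accessible) from those scoped by a condition key such as aws:SourceVpce that still deserve review:

```python
import json

# Constructed bucket policies for illustration (assumption: invented examples,
# not the policies involved in any incident cited on this page).
PUBLIC_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {   # world-readable: anonymous principal, Allow, no Condition
            "Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
            "Action": ["s3:GetObject", "s3:ListBucket"],
            "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
        },
        {   # scoped to one IAM role (placeholder account id): not public
            "Sid": "CiDeploy", "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::123456789012:role/ci-deploy"},
            "Action": "s3:PutObject", "Resource": "arn:aws:s3:::example-bucket/*",
        },
    ],
})

SCOPED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {   # anonymous principal, but reachable only through one VPC endpoint
            "Sid": "VpcOnly", "Effect": "Allow", "Principal": {"AWS": ["*"]},
            "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*",
            "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}},
        },
    ],
})


def _as_list(value):
    """IAM accepts a scalar or a list for most fields; normalize to a list."""
    return value if isinstance(value, list) else [value]


def principal_is_anonymous(principal):
    """True when the Principal grants to everyone: "*" or {"AWS": "*"}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def audit_bucket_policy(policy_json):
    """Classify Allow statements that use an anonymous principal.

    Returns {"public": [Sids...], "conditional": [Sids...]}. "public" statements
    are world-accessible with no Condition at all; "conditional" ones still name
    an anonymous principal but restrict it (source VPC endpoint, IP range, ...)
    and deserve a manual review rather than an automatic block.
    NotPrincipal and Deny evaluation are out of scope for this check.
    """
    policy = json.loads(policy_json)
    result = {"public": [], "conditional": []}
    for index, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        if not principal_is_anonymous(stmt.get("Principal")):
            continue
        sid = stmt.get("Sid", "statement[%d]" % index)
        if stmt.get("Condition"):
            result["conditional"].append(sid)
        else:
            result["public"].append(sid)
    return result


if __name__ == "__main__":
    print(audit_bucket_policy(PUBLIC_POLICY))   # {'public': ['PublicRead'], 'conditional': []}
    print(audit_bucket_policy(SCOPED_POLICY))   # {'public': [], 'conditional': ['VpcOnly']}
```

The same function can be run over policies retrieved with the AWS CLI or SDK. In practice it complements, rather than replaces, the account-level S3 Block Public Access settings, since a poisoned policy is only one of several ways to expose a bucket (ACLs and access-point policies are others).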
  • Threat T3.3.2: Business process poisoning: A famous example of a BPC attack is the one against Bangladesh Central Bank, which resulted in losses of up to US$81 million by poisoning the SWIFT protocol for money transfers using a piggybacking approach. This is more at the application level, but similar concepts can be exploited at the cloud/virtualization level. In the cloud environment, the business process implementation is a preferred target for compromise, since it is much less visible than a normal business process and the attacker's activities can be harder to detect. Another example refers to VM relocation: the process can be explicitly poisoned so that the VM is relocated to a malicious server where memory snapshotting is enabled.[78] The other examples in threat T3.1.2, related to inadequate design and planning or incorrect adaptation, can also be exploited via ad hoc poisoning of cloud/virtualization processes.
  • Threat T3.4.1: Identity fraud: In virtualized environments, privilege escalation can be even more dangerous than in physical environments because of multitenancy and the hierarchical structure of administrator privileges. In addition, the VMM is a crucial target for usurpation-based misappropriation, due to its role in virtualization as well as to the presence of vulnerabilities that allow guest-OS users to execute arbitrary code on the host OS.[79] Timehop suffered a data breach due to compromised admin credentials that were used to enter its cloud.[80] Deloitte experienced a major data breach in 2017 due to weak identity, credential, and access management of its Azure account. More recently, in 2018, a German student hacked data protected by weak passwords.[81] Generally speaking, 2017 was the year of the rise of campaigns targeting cloud accounts, in particular Microsoft Office 365 accounts. Another example of account hijacking was presented as a PoC in 2018, based on the compromise of Microsoft Live accounts via subdomain hijacking.[82]
  • Threat T3.4.2: Denial of service: Both in the cloud and in virtualization, the main aim of the attacker is to exploit the sharing of resources. In virtualization, examples are attacks that focus on crashing the hypervisor: a VM may corrupt the hypervisor memory and cause the hypervisor to crash, leading to DoS (CVE-2018-7542 on Xen via a NULL pointer dereference).[83] Resource starvation can be exploited to violate the availability of the hypervisor via uncontrolled resource allocation.[84] In the cloud, the concept is very similar because services are shared among different users and tenants; however, some DoS attacks in the cloud also target the APIs exposed by the different cloud layers. Yeh et al.[85] presented a multi-resource DoS attack on cloud VM migration schemes.
  • Threat T3.4.3: Malicious code/software/activity: The Zepto variant of the Locky ransomware spreads via cloud services such as Microsoft OneDrive, Google Drive and Box by sharing a malicious file with potential victims. Similarly, the CloudSquirrel attack establishes a connection with its command and control hosted on Dropbox. Historical examples of hyperjacking are SubVirt,[86] which installs a hypervisor below the host OS and controls the VM, and Blue Pill,[87] which exploits the hardware extensions of virtualization-enabled CPUs and runs the infected system inside a VM. In the work of Jasty et al.,[88] VM hopping has been demonstrated by maliciously gaining access to different VMs.
  • Threat T3.4.4: Generation and use of rogue certificates: This threat is usually at the basis of other, more complex attacks, as discussed in the previous threats. As an example, BIG-IP and BIG-IQ do not properly regenerate certificates and keys when deploying a VM image on AWS, Azure or the Verizon cloud service, which causes multiple instances to share the same certificates and keys; this disrupts services and can eventually lead to an information leak (CVE-2016-2084).
  • Threat T3.4.5: Misuse of assurance tools: The complexity of the current cloud systems makes the poisoning of assurance tools critical to cover unauthorized access to large amounts of personally identifiable data. No recent attacks have been reported.
  • Threat T3.4.6: Failures of business process: In general, a number of attacks exploit shadow IT. Some of them rely on apps installed on mobile devices or on free services used by one or more company employees, for instance to fulfil a temporary need. In many cases, these services are used just a few times and then forgotten, without keeping them updated or tracking newly discovered security issues. Reports on attacks exploiting shadow IT are not frequent, since they are not easy to discover; however, every attack caused by an employee using a vulnerable service against company regulations, in terms of adoption or abnormal usage, can be considered relevant to this threat. NormShield reports on breaches caused by third parties; this can be considered a superset of shadow IT-based attacks, also including app misuse in some cases.
  • Threat T3.4.7: Code execution and injection (unsecured APIs): A famous attack dates back to 2010, when an Amazon cross-site scripting (XSS) bug enabled credential theft. Another famous attack was the one against the US Internal Revenue Service (IRS) in 2015, which exposed a large number of records via a vulnerable API ("Get Transcript"). More recently, a vulnerability in the Facebook API was exploited, resulting in the generation of an access token that had the permissions of the Facebook mobile app, not for the viewer but for another Facebook user; this also links back to account hijacking. At the virtualization level, injection vulnerabilities in the management interface can specifically be exploited. For example, an XSS vulnerability (CVE-2012-5050) in VMware vCenter Operations before 5.0.x allows remote attackers to inject arbitrary web script and take control of vCenter. The Iago attack[89] is an example concerning virtualization-level API calls from the kernel perspective: a malicious kernel can make an application act against its own interests through their interaction, since applications generally do not check the return values received from the kernel.
  • Threat T3.5.1: Violation of laws or regulations data
  • Threat T3.6.1: Skill shortage: Examples of attacks rooted in skill shortage can be found in TG3.1. The main problem is the wrong "lift-and-shift" approach to moving traditional ICT to the cloud, where missing skills play a significant role.
  • Threat T3.6.2: Malicious insider: A famous example of a malicious insider is the 2018 Tesla saboteur. The sabotage included the use of false usernames to make changes to the code used in the Tesla Manufacturing Operation System Cloud, as well as exporting large amounts of highly sensitive data to unknown third parties. Another example of a malicious insider, which can also be linked to the failure of business processes, was discovered in 2018 and refers to an engineer found guilty of stealing navy secrets via a personal Dropbox account.[90] In virtualized environments, a compromised management interface can be used by a privileged user to exploit vulnerabilities (CVE-2016-9603, CVE-2017-2615) with the aim of attacking the hypervisor: compromising its confidentiality, integrity and availability (CIA), DMA attacks exploiting the direct channel between the hypervisor and the hardware, and VM sprawl attacks aimed at violating hypervisor availability. In addition, the management interface can be directly accessed by a malicious insider,[91][92] leading to attacks on the VMs.[93]

Attacks related to Data-Centric Security

In the following, the main attacks affecting the Data domain are reported.

  • Threat T4.1.1: Information leakage/sharing due to human errors: Information leakage due to misconfiguration has been reported in many studies in the literature. BinaryEdge[94] showed how erroneous system configurations led to weaknesses in Redis, MongoDB, Memcache, and ElasticSearch. The same study notes that these technologies are very often meant to be installed in private environments and ship with weak default security configurations (e.g., no authentication or encryption) that favor performance. Other attacks have been reported involving the unauthorized sharing of sensitive and confidential information.[95] The data breach targeting Equifax[96] in 2017 was one of the widest breaches ever: hackers took advantage of a well-known bug that remained exploitable because the Equifax systems were not up to date. The hackers stole names, birthdates, Social Security numbers, addresses, and driver license numbers of 145.5 million Americans plus approximately 200,000 credit card numbers, affecting more than 100 million credit users worldwide.[97] Targeted phishing attacks are rapidly increasing and are relevant for both the data and user domains.[98] Cybercriminals target wealthy individuals and top-management people who have access to sensitive data, as well as public authorities that handle personally identifiable information.[99][100] A shift from consumer to enterprise targets, driven by profit, has also been observed.[96][98] Business email compromise (BEC),[101] also called CEO fraud, is a financial fraud that aims to reduce the effort of a phishing attack: before sending the attack, the cybercriminals identify the preferred victim in the business (e.g., someone from the finance department) and send them a fraudulent email impersonating the CEO or CFO.
PIR Bank in Russia lost $920,000 due to an outdated, unsupported Cisco router that was used as a Trojan horse to reach the core of the bank.[102] A similar issue happened to British Airways, where an outdated version of the Modernizr JavaScript library was exploited to steal customer data.[103] MongoDB, a major open-source NoSQL database, has been the target of different attacks. In 2015,[104] three students from the University of Saarland in Germany, at the Centre for IT Security, found that the default installation of MongoDB, listening on TCP port 27017, was freely available for read and write operations. More recently, in 2017, hackers wiped more than 26,000 MongoDB databases, again exploiting the default configuration that permits connections from the Internet.[105] A rise in attacks on Hadoop components, such as Hadoop YARN, as well as on Redis and ActiveMQ has been observed. The goals of these attacks range from crypto mining to ransomware and data wiping.[106][107][108] A company affiliated with FedEx was breached due to an unsecured Amazon S3 server, resulting in data exposed on the Internet.[98] Similarly, data from 221 LA County was accidentally exposed due to a misconfigured S3 cloud server.[98]
  • Threat T4.1.2: Inadequate design and planning or incorrect adaptation: It has been shown how the replication approach taken by the Hadoop framework can backfire:[109] a corrupted application could destroy all replicas. Damiani[110] claims that Hadoop redundancy could even be a non-linear risk booster for Big Data leakages. Aditham[111] also shows how the design of the Hadoop Distributed File System (HDFS) could introduce security problems: HDFS, which is the basis of many storage systems, originally could not tolerate the failure of the NameNode, as proved in real scenarios.[112] Finally, NIST reported a scenario where digital rights management (DRM) techniques were not built to scale and caused system failures.[113][114] In 2017, Amazon AWS and, in particular, its S3 storage suffered a major outage.[115][116] The outage was caused by an incorrect command sent while fixing a performance problem; once the command was issued, an unpredictable sequence of cascading events caused a large-scale denial of service. Apache Ambari erroneously stored sensitive data on disk in temporary files on the Ambari server host,[117] and these files were then readable by any authenticated user. The database server of Exactis was publicly accessible, resulting in the theft of millions of user records.[98][118]
  • Threat T4.2.1: Interception of information: Attacks aiming to intercept data exchanged in internal or external communications involving the Big Data platform have been proposed in the past. Among them, we can consider hijacking and eavesdropping. Hijacking is an active attack that aims to take control of the communication and its content (this attack is considered in the network-centric domain in Section 3.4). Eavesdropping is a passive attack where the content of the communication is intercepted without interfering with the information flow. In 2017, the largest data breach, targeting Equifax,[96] affected more than 100 million credit users worldwide and across the EU. Note that the General Data Protection Regulation (GDPR), applicable since May 2018, mandates the reporting of data breaches (both to affected individuals and to Data Protection Authorities), provided that certain requirements are met. A vulnerability in the Apache Hadoop Distributed File System (HDFS) permitted cybercriminals to remotely access sensitive information with no authentication.[119] Apache Ambari allowed attackers to steal sensitive information because of the exposure of passwords for Hadoop credentials: these passwords were stored in Ambari Agent informational log messages when the credential store feature was enabled for eligible services.[120][121]
  • Threat T4.2.2: Unauthorised acquisition of information (data breach): Massive privacy breaches (discussed in Section 3.8) have been reported,[122][123] where administrative credentials were used to regularly access private user information. As already mentioned, in 2017 the largest data breach targeted Equifax[96] and affected more than 100 million credit users worldwide. The Yahoo data breach is the biggest data breach ever and involved three billion customers.[96][124] Abuse of Point of Sale (POS) terminals is another example of unauthorized acquisition of information:[96] the terminal is manipulated to access and distribute customer data, or, in other cases, fake companies are created to steal these data. A weakness in the "Search" capability of the Facebook platform resulted in one of the biggest data breaches, where the information of about 2,000 million users was exposed (including the Cambridge Analytica case[125]).[98] A problem in the Twitter procedure for password handling exposed passwords in plain text.[98]
  • Threat T4.3.1: Data poisoning: Data poisoning is often seen as a preparation activity for launching attacks (e.g., the Carbanak and Cobalt malware[126]). It is at the basis of the other previously explained threats, as a means of hiding malicious behavior and covering malicious traces (see Threat T4.4.5), and as a way to manipulate inferences and decisions. Specific to this threat, attacks on drug infusion pumps were reported in 2015:[127][128] due to a lack of authentication, cybercriminals were able to modify the quantity of drugs delivered to patients, potentially causing an overdose. Different attacks of this type are also reported in Section 3.3.
  • Threat T4.3.2: Model poisoning: Adversarial machine learning is a technique developed in the field of machine learning that aims to fool model learning through data poisoning.[129] The goal is to feed model training with fake data that cause the trained model to make mistakes and malfunction. Zhao et al.[130] presented an overview of data poisoning attacks on multi-task relationship learning and an approach to optimal data poisoning. Yi et al.[131] presented an adversarial machine learning approach that implements a spectrum data poisoning attack, whose goal is to let an adversary falsify the spectrum sensing data in wireless communications. Li et al.[132] presented data poisoning attacks on collaborative filtering systems, where an attacker generates malicious data while avoiding detection. Zügner et al.[133] studied adversarial attacks on neural networks for graph data.
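To make the mechanism concrete, the following Python example is added here; it is not from any of the works cited above and uses a constructed one-dimensional data set. It trains a nearest-centroid classifier, shows how two mislabelled out-of-range samples halve its accuracy on clean data, and shows two simple mitigations: a robust aggregate (median instead of mean) and a median-absolute-deviation filter on the training set. The filter threshold k=5 is an assumed value.

```python
from statistics import mean, median

# Constructed one-dimensional training data (assumption: toy values, not a data
# set from any of the cited papers). Each pair is (feature value, class label).
CLEAN_DATA = [(1.0, 0), (2.0, 0), (3.0, 0), (7.0, 1), (8.0, 1), (9.0, 1)]
# Two poisoned samples: out-of-range feature values mislabelled as class 0,
# chosen to drag the class-0 centroid towards class 1.
POISON = [(30.0, 0), (30.0, 0)]


def _group_by_label(data):
    by_label = {}
    for x, y in data:
        by_label.setdefault(y, []).append(x)
    return by_label


def train_centroids(data, aggregate=mean):
    """Nearest-centroid classifier: one centroid per class, computed with
    `aggregate` (mean is the textbook choice; median is the robust one)."""
    return {y: aggregate(xs) for y, xs in _group_by_label(data).items()}


def predict(centroids, x):
    """Label of the closest centroid."""
    return min(centroids, key=lambda y: abs(x - centroids[y]))


def accuracy(centroids, data):
    hits = sum(1 for x, y in data if predict(centroids, x) == y)
    return hits / len(data)


def drop_outliers(data, k=5.0):
    """Training-set sanitization: discard samples further than k*MAD from
    their class median (MAD = median absolute deviation). Not a complete
    defence against careful poisoning, but it removes crude far-away poison
    like the points above. k=5 is an assumed threshold."""
    kept = []
    for y, xs in _group_by_label(data).items():
        med = median(xs)
        mad = median([abs(x - med) for x in xs])
        for x in xs:
            if mad == 0 or abs(x - med) <= k * mad:
                kept.append((x, y))
    return kept


def evaluate():
    """Accuracy on the clean data for four training set-ups."""
    poisoned = CLEAN_DATA + POISON
    return {
        "clean_mean": accuracy(train_centroids(CLEAN_DATA), CLEAN_DATA),
        "poisoned_mean": accuracy(train_centroids(poisoned), CLEAN_DATA),
        "poisoned_median": accuracy(train_centroids(poisoned, median), CLEAN_DATA),
        "poisoned_sanitized_mean": accuracy(train_centroids(drop_outliers(poisoned)), CLEAN_DATA),
    }


if __name__ == "__main__":
    for name, acc in evaluate().items():
        print("%-24s %.2f" % (name, acc))
```

With mean aggregation the two poisoned points move the class-0 centroid to 13.2, so every clean class-0 sample is closer to the class-1 centroid at 8.0 and accuracy drops to 0.5; the median centroid stays at 3.0 and the MAD filter removes both poisoned points, restoring full accuracy in either case.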
  • Threat T4.4.1: Identity fraud: Some of the attacks based on identity fraud target the control infrastructure (and the user's system interface) on which Big Data systems are built, such as private or public clouds.[134] An attack that takes control of the console gives the attacker the ability to manage the user's account, including access to stored data. Attacks of this type[135] are based on a mixture of signature wrapping and advanced XSS techniques, followed by privilege escalation leading to identity fraud. Last but not least, attacks often target social networks (see Section 3.8 for more details). For example, XSS vulnerabilities on Twitter have been used to push malicious and fake tweets, while Internet malware has emerged on Facebook as a means of promoting malicious profiles.[136] Social engineering attacks continue to grow with the goal of obtaining personal data, hijacking accounts, and stealing identities.[96] Identity fraud can also target companies: for instance, attackers can try to impersonate legitimate businesses to obtain Point of Sale (POS) terminals that are then used to steal customer data.[96] This attack is possible because the information used to request a POS terminal is non-confidential. Card-not-present fraud, in which stolen credit cards are used for e-commerce shopping, is another example of an attack that can be linked to identity fraud.[96] These attacks are also particularly relevant for user-centric security in Section 3.8, since users (and their data) become the target of the attacks.
  • Threat T4.4.2: Denial of service: A DoS attack targeting a Hadoop cluster led to a significant decrease in system performance and caused the loss of the targeted resource for other cloud users.[137] An attack on Amazon distributed storage was also reported, based on authenticated requests and account validation.[138] Attacks on social networks have also been reported, such as the one exploiting weaknesses of the Hadoop Distributed File System to target Facebook.[112] Today, Distributed Denial-of-Service (DDoS) attacks are used as a tool against private businesses as well as the public sector, for financial gain as well as for ideological, political or purely malicious reasons. This type of attack is the second most widespread after malware attacks (2017), and is increasingly accessible, low cost and low risk. Data wiping attacks target data availability by overwriting files/data with random data or by deleting them. The Shamoon malware infects a system and then wipes all its files, destroying the hard disk and making systems unusable. It was first introduced in 2012 and then reused in 2016 to attack the oil and gas company Saudi Aramco in the Middle East. In 2018, the latest version of the malware was used to attack the Italian oil and gas firm Saipem.[139] The new malware involves a new wiper that deletes files from infected computers before Shamoon wipes the master boot record. Saipem stated that between 300 and 400 servers and up to 100 personal computers were compromised. The DemonBot malware[140][141] targeted Hadoop servers using a YARN exploit to take control of the system and launch DDoS attacks. A similar attack used the Mirai malware to exploit the same Hadoop YARN vulnerability and launch a devastating DDoS.[142][143]
  • Threat T4.4.3: Malicious code/software/activity: Service spoofing (e.g., ARP spoofing) aims to masquerade the attacker's identity to gain a competitive advantage. Web application attacks and code injection attacks (see Section 3.7) are traditional examples of attacks that often represent the starting point for more sophisticated ones. In Big Data, malware can infect nodes to send malicious commands to other servers, and worms can distribute themselves by sending copies to other nodes. Backdoors or hidden functionality can simplify access to components and devices.[144] A malicious code attack producing faulty results in the Hadoop logging data system is also reported in [144]: a malicious script makes Flume stream previously modified log data into HCatalog.[144] The MapReduce computational framework has been the target of malicious software: untrusted mappers can in fact alter results, and their malicious activity can be difficult to identify with large amounts of data.[145] Ransomware[96] is still a critical attack that targets the availability of data; recently, motivations have been shifting from financial gain to nation-state actions. Meltdown[146] and Spectre[147] are new information disclosure vulnerabilities in most modern microprocessors.[102] They break the isolation between user applications and the operating system, and between different applications, respectively, in order to retrieve sensitive data from the memory of other running programs,[148] including passwords, personal photos, emails, instant messages, and even business-critical documents. In 2013, the Carbanak and Cobalt malware[96] was launched targeting financial institutions: the malware took control of servers and ATMs, impersonating customers for money transfers, inflating account balances, and controlling ATMs. This attack also links to threat T4.4.1 (identity fraud) and threat T4.3.1 (data poisoning). The gang managing this malware was arrested in 2018.
  • Threat T4.4.4: Generation and use of rogue certificates: This threat is usually at the basis of more complex attacks as discussed in the previous threats, in particular, T4.2.1, T4.3.2, T4.4.1, T4.4.2. For instance, an increase in phishing sites using HTTPS has been observed.[98] Attackers used free certificate services like Let’s Encrypt or Comodo to break the common assumption that HTTPS web sites are secure and safe.
  • Threat T4.4.5: Misuse of assurance tools: The complexity of current data storage and databases makes poisoning of assurance tools critical to cover unauthorized access to large amounts of personally identifiable data. No recent attacks have been reported.
  • Threat T4.4.6: Failures of business process: User re-identification is an example of weak anonymization. While data collection and aggregation use anonymization techniques, individual users can be re-identified by leveraging other Big Data sets, often available in the public domain.[149] This scenario is taken to the extreme by Big Data variety, which makes it possible to infer identity from anonymized data sets by correlating them with apparently innocuous public information.[150][151][152]
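The linkage described above can be reproduced on a toy release. The following Python example is added here (it is not from the cited works) and uses two constructed tables describing invented people: a de-identified medical extract and a public register that shares its quasi-identifiers (ZIP code, date of birth, sex). It computes the k-anonymity of the extract, performs the linkage an auditor would run to measure exposure before release, and applies a minimal generalization that removes the unique matches.

```python
from collections import Counter

# Constructed data (assumption): an "anonymized" medical extract with names
# removed, and a public register carrying the same quasi-identifiers plus
# names. Neither table describes real people.
QUASI_IDENTIFIERS = ("zip", "dob", "sex")

HEALTH = [
    {"zip": "02138", "dob": "1960-07-13", "sex": "F", "diagnosis": "hypertension"},
    {"zip": "02138", "dob": "1960-07-13", "sex": "M", "diagnosis": "asthma"},
    {"zip": "02139", "dob": "1982-03-02", "sex": "F", "diagnosis": "diabetes"},
    {"zip": "02139", "dob": "1982-03-02", "sex": "F", "diagnosis": "influenza"},
]
PUBLIC_REGISTER = [
    {"name": "A. Example", "zip": "02138", "dob": "1960-07-13", "sex": "F"},
    {"name": "B. Example", "zip": "02138", "dob": "1960-07-13", "sex": "M"},
    {"name": "C. Example", "zip": "02139", "dob": "1982-03-02", "sex": "F"},
    {"name": "D. Example", "zip": "02139", "dob": "1982-03-02", "sex": "F"},
]


def qi_key(record, qi=QUASI_IDENTIFIERS):
    """The quasi-identifier combination of one record, as a hashable tuple."""
    return tuple(record[k] for k in qi)


def k_anonymity(records, qi=QUASI_IDENTIFIERS):
    """k of the data set: size of the smallest group sharing one QI combination.
    k = 1 means at least one person is uniquely described by the QIs alone."""
    return min(Counter(qi_key(r, qi) for r in records).values())


def reidentify(anonymized, public, qi=QUASI_IDENTIFIERS):
    """Linkage as run by an auditor: join the two tables on the QIs and report
    sensitive rows that match exactly one named person."""
    candidates = {}
    for p in public:
        candidates.setdefault(qi_key(p, qi), []).append(p["name"])
    exposed = []
    for r in anonymized:
        names = candidates.get(qi_key(r, qi), [])
        if len(names) == 1:
            exposed.append((r["diagnosis"], names[0]))
    return exposed


def generalize(records):
    """Minimal generalization: 3-digit ZIP prefix, year of birth, sex suppressed.
    Raises k by merging rows that were distinguishable before."""
    out = []
    for r in records:
        g = dict(r)
        g["zip"] = r["zip"][:3] + "**"
        g["dob"] = r["dob"][:4]
        g["sex"] = "*"
        out.append(g)
    return out


if __name__ == "__main__":
    print("k before:", k_anonymity(HEALTH), reidentify(HEALTH, PUBLIC_REGISTER))
    print("k after: ", k_anonymity(generalize(HEALTH)),
          reidentify(generalize(HEALTH), generalize(PUBLIC_REGISTER)))
```

On the raw extract k is 1 and two diagnoses link to exactly one name each; after generalization every QI combination is shared by two rows (k = 2), so no diagnosis links to a single person. Real releases need stronger guarantees than k = 2, since the attacker may hold more auxiliary attributes than this toy register.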
  • Threat T4.4.7: Code execution and injection (unsecured APIs): Data breaches due to insecure APIs have been reported in the past and often targeted social networks (e.g., Facebook, Yahoo, and Snapchat).[153][154] SPARQL code injection is an example of an attack on Semantic Web technologies.[155] Security flaws are rather common in Big Data languages like SPARQL, RDQL, and SPARUL, mimicking those affecting traditional and still dangerous query languages, as in SQL, LDAP and XPath injection.[156][157] Hive, MongoDB and CouchDB also suffer from traditional threats such as code execution and remote SQL injection.[158][159] A big data breach was reported on India's national ID database, "Aadhaar," affecting more than 1.2 billion Indian citizens.[102] The breach was due to an unsecured API used to check a customer's status and verify their identity.[160] The Apache Hadoop YARN NodeManager daemon has been found to be vulnerable to the Zip Slip vulnerability,[161] which allows the injection of malicious code into the jobs of other cluster users. In 2018, the Alibaba Cloud Security Team discovered the first Remote Code Execution (RCE) exploit in the Spark REST API.[162] This weakness allowed an attacker to instruct the server to download and execute a remote jar file from the Darknet. A vulnerability in Apache Spark permitted an unauthenticated, remote attacker to execute arbitrary code on the master host of a targeted system,[163] exploiting improper security restrictions and insufficient validation of user-supplied input. A vulnerability in Apache Ambari allowed persistent cross-site scripting thanks to insufficient sanitization of user-supplied data.[164] A weakness in the British Airways web and mobile apps caused the exposure of personal and payment data.[165]
  • Threat T4.5.1: Violation of laws or regulations
  • Threat T4.6.1: Skill shortage: Data analysis and management are among the most important activities in a Big Data environment. The shortage of data science skills and data scientists introduces unprecedented risks.[166] Lack of skill can, in fact, result in wrong decisions and adaptations with catastrophic consequences for the target system (see also threat T4.1.1). The inability to properly analyze large data sets can then result in substantial loss of money, reducing productivity and innovation growth.
  • Threat T4.6.2: Malicious insider: In the data domain, the risks introduced by insider threats are quite clear and often result in data leakage. The goal is to increase the attacker's revenue or to damage the reputation of the attack target. Very famous are the cases of Edward Snowden and Chelsea Manning (the work in [167] describes the most famous insider threat cases). Case studies of insider threats have been analyzed in different domains and from different angles.[168] For instance, Randazzo et al.[169] presented 23 case studies in the finance sector, while Kowalski et al.[170] presented 36 case studies in the government sector, involving fraud, IP theft, sabotage of the IS/network, and combinations thereof. Other works[171][172] described case studies including system administrators, programmers, and network professionals. Keeney et al.[173] also presented different cases of sabotage using IT in critical infrastructures. Additional work has been done in [174][175][176][177] on data exfiltration, IP theft, or sabotage in the financial and military sectors. Unintentional insider threats were considered by [177] (phishing attacks) and [178] (unintentional denial of service).

Attacks related to Application-Centric Security

In the following, the main attacks affecting the Application domain are reported.

  • Threat T5.1.1: Security Misconfiguration: In addition to the attacks presented in Threat T4.1.1 in Section 3.6.3 focusing on data breaches, default configurations are usually at the basis of security breaches. For instance, a poorly configured Amazon AWS S3 access control policy allows an attacker to read and write data from a bucket.[179] The Mirai IoT malware targets devices that are usually managed by non-expert people and come with default configurations. Since such devices are often reachable over the network through a management application (GUI) with default credentials, they are the perfect target for malware like Mirai.[180] Other attacks like WannaCry, one of the best-known crypto lockers, used the EternalBlue exploit, spreading the ransomware from a single vulnerable and Internet-exposed system to every other unpatched computer on the network.[181] The slow patching process of companies made the crypto locker effective even though Microsoft had already released a patch. Other attacks target insecure default configurations, incomplete or ad hoc configurations, open cloud storage, misconfigured HTTP headers, and verbose error messages containing sensitive information in operating systems, frameworks, libraries, and applications.[182] Vulnerable XML processors can be used to attack XML-based web services:[182] "Many older or poorly configured XML processors evaluate external entity references within XML documents. External entities can be used to disclose internal files using the file URI handler, internal file shares, internal port scanning, remote code execution, and denial of service attacks." In this context, well-known attacks are the Billion Laughs attack and the SAML Security XML External Entity attack.
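The XXE and Billion Laughs attacks both depend on the parser honouring a DTD supplied by the document. The following Python example is added here and is not taken from the report or from OWASP. It contrasts a parser left at its defaults, which expands entities declared in the document, with one that refuses DOCTYPE declarations, entity declarations and external entity references outright, using the standard-library expat bindings. The three sample documents are constructed, and the external entity points at a placeholder path.

```python
import xml.parsers.expat as expat


class UnsafeXML(ValueError):
    """Raised when an untrusted document tries to use DTD features."""


# Constructed sample documents (assumption: invented payloads, not taken from
# any cited incident). The external entity references a placeholder path.
BENIGN_DOC = b'<order id="42"><item sku="A1">2</item></order>'
INTERNAL_ENTITY_DOC = b'<!DOCTYPE d [<!ENTITY greet "hello">]><a>&greet;</a>'
XXE_DOC = (b'<!DOCTYPE d [<!ENTITY xxe SYSTEM "file:///placeholder/secret">]>'
           b'<a>&xxe;</a>')


def _collect(parser):
    """Attach element and text collectors; return the dict they fill."""
    seen = {"elements": [], "text": []}
    parser.StartElementHandler = lambda name, attrs: seen["elements"].append(name)
    parser.CharacterDataHandler = seen["text"].append
    return seen


def parse_permissive(data):
    """Parser at its defaults: entities declared in the document's DTD are
    expanded. expat resolves internal entities this way out of the box;
    adding external entity resolution on top turns it into a full XXE sink,
    and nested internal entities are what Billion Laughs abuses."""
    parser = expat.ParserCreate()
    seen = _collect(parser)
    parser.Parse(data, True)
    return {"elements": seen["elements"], "text": "".join(seen["text"])}


def parse_untrusted(data):
    """Hardened parser: refuse any DOCTYPE, entity declaration or external
    entity reference, and never parse parameter entities. This is the
    'disable DTDs entirely' mitigation recommended against XXE."""
    parser = expat.ParserCreate()
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def reject(*_args):
        raise UnsafeXML("DTD features are not allowed in untrusted input")

    parser.StartDoctypeDeclHandler = reject
    parser.EntityDeclHandler = reject
    parser.ExternalEntityRefHandler = reject
    seen = _collect(parser)
    parser.Parse(data, True)
    return {"elements": seen["elements"], "text": "".join(seen["text"])}


def is_accepted(data):
    """True if the hardened parser accepts the document."""
    try:
        parse_untrusted(data)
        return True
    except UnsafeXML:
        return False


if __name__ == "__main__":
    print(parse_permissive(INTERNAL_ENTITY_DOC)["text"])  # hello (entity expanded)
    print(is_accepted(BENIGN_DOC), is_accepted(INTERNAL_ENTITY_DOC), is_accepted(XXE_DOC))
```

Rejecting at the DOCTYPE is deliberately coarse: it also blocks documents with harmless internal entities, which is the right trade-off for input from the network, where a DTD is almost never needed. Higher-level parsers built on expat (such as xml.etree) inherit the default expansion behaviour, so the same handlers, or a library that installs them, are needed there too.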
  • Threat T5.2.1: Interception of information: In addition to the attacks presented in other domains, many attacks resulting in information interception have been reported. Advanced persistent malware is increasingly designed to steal SSL/TLS keys and certificates.[183] For instance, the Heartbleed vulnerability of the OpenSSL cryptographic library allowed attackers to steal sensitive information (digital keys and certificates) normally protected by SSL/TLS encryption.[184] Man-in-the-Middle (MITM) attacks are traditional attacks in which an attacker impersonates a trusted website and accesses all communications. Again, the theft of SSL/TLS keys and certificates facilitates such attacks, and unsecured or lightly protected wireless access points are often exploited as the point of entry. Self-signed and wildcard certificates, as well as unknown, untrusted, and forged certificate authorities, are other sources of attacks.[183][185] The first are at the basis of fake web sites for phishing attacks; the second resulted, as shown by Netcraft in 2014, in fake digital certificates impersonating banks, e-commerce sites, ISPs and social networks deployed across the Internet.
  • Threat T5.2.2: Sensitive data exposure: Attacks in this threat mainly resemble the attacks described in T5.1.1 and T5.1.2 in this section, and T4.1.1, T4.2.1, T4.2.2, T4.4.4 in Section 3.6.3. Attacks such as those against Apple Pay,[186] ATMs,[187] and banks[188] are facilitated by cleartext, that is, either passwords stored in the clear or cleartext communications.
  • Threat T5.3.1: Broken authentication and access control: Automated brute-force, dictionary, and session management attacks are widespread. Several Member States have reported the exploitation of the Remote Desktop Protocol (RDP) for malware infection: cyber attackers scan for specific open ports and then attempt to brute-force access to the victim's RDP.[96][189] For instance, in 2017, up to 90 email accounts of the UK Parliament were compromised through a brute-force attack and weak passwords.[190] Weak and default passwords are at the basis of many botnets, such as the Mirai IoT malware, which compromised devices by guessing weak passwords to access the management application (GUI).[191][180]
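Brute-force and password-spraying attempts of the kind described for RDP leave a characteristic pattern in authentication logs. The following Python detector is an added example, not from the report; the log format, user names and source addresses (taken from documentation ranges) are constructed. It keeps a sliding window of failures per source address and raises three kinds of alert: many failures from one source, failures against many distinct accounts from one source, and a success from a source already flagged, which is the signal worth acting on first. The thresholds (5 failures or 4 distinct users within 60 seconds) are assumed values.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed authentication log (assumption: invented format, user names and
# addresses from documentation ranges; not records from any cited incident).
LOG_LINES = """\
2019-03-01T10:00:01Z auth_failure user=alice src=203.0.113.5 service=rdp
2019-03-01T10:00:05Z auth_failure user=alice src=203.0.113.5 service=rdp
2019-03-01T10:00:09Z auth_failure user=alice src=203.0.113.5 service=rdp
2019-03-01T10:00:14Z auth_failure user=alice src=203.0.113.5 service=rdp
2019-03-01T10:00:20Z auth_failure user=alice src=203.0.113.5 service=rdp
2019-03-01T10:00:31Z auth_success user=alice src=203.0.113.5 service=rdp
2019-03-01T10:02:00Z auth_failure user=bob src=198.51.100.7 service=rdp
2019-03-01T10:09:00Z auth_failure user=bob src=198.51.100.7 service=rdp
2019-03-01T10:10:00Z auth_success user=bob src=198.51.100.7 service=rdp
2019-03-01T11:00:00Z auth_failure user=carol src=203.0.113.9 service=owa
2019-03-01T11:00:03Z auth_failure user=dave src=203.0.113.9 service=owa
2019-03-01T11:00:06Z auth_failure user=erin src=203.0.113.9 service=owa
2019-03-01T11:00:09Z auth_failure user=frank src=203.0.113.9 service=owa
""".splitlines()

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>auth_failure|auth_success) "
    r"user=(?P<user>\S+) src=(?P<src>\S+) service=(?P<service>\S+)$")


def parse_line(line):
    """Return a dict with a parsed timestamp, or None for non-matching lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return rec


def detect(lines, window_s=60, fail_threshold=5, spray_users=4):
    """Sliding-window detector over failed logons per source address.

    Alerts are (kind, src, detail) tuples:
      bruteforce               >= fail_threshold failures from one src within window_s
      spray                    >= spray_users distinct users failing from one src in window_s
      success_after_bruteforce a success from a src already flagged for brute force
    Each src is flagged at most once per kind to avoid alert floods.
    """
    recent = defaultdict(deque)   # src -> deque of (ts, user) failures still in window
    flagged = set()               # (kind, src) pairs already alerted
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        src, ts = rec["src"], rec["ts"]
        window = recent[src]
        while window and (ts - window[0][0]).total_seconds() > window_s:
            window.popleft()
        if rec["event"] == "auth_failure":
            window.append((ts, rec["user"]))
            if len(window) >= fail_threshold and ("bruteforce", src) not in flagged:
                flagged.add(("bruteforce", src))
                alerts.append(("bruteforce", src, ts.isoformat()))
            users = {u for _, u in window}
            if len(users) >= spray_users and ("spray", src) not in flagged:
                flagged.add(("spray", src))
                alerts.append(("spray", src, sorted(users)))
        elif ("bruteforce", src) in flagged:
            alerts.append(("success_after_bruteforce", src, rec["user"]))
    return alerts


if __name__ == "__main__":
    for alert in detect(LOG_LINES):
        print(alert)
```

Two failures seven minutes apart from the second address never fill the window, so a user who mistypes a password twice does not trip the detector; the spraying source never reaches five failures against one account and would be missed by a per-account counter alone, which is why the distinct-user rule exists.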
  • Threat T5.3.2: Denial of service: On one side, malware often targets components and services that result in an application DoS. For instance, Mirai malware targeted the availability of DNS to bring well-known applications down (e.g., Twitter, the Guardian, Netflix, Reddit, CNN).[180] On the other side, as already discussed in Threat T2.3.5 in Section 3.4.3 and T5.2.1 in this section, expired certificates can result in system outages or open a door to attacks, such as, in 2013, where Microsoft Azure experienced a worldwide outage or, in 2014, tens of thousands of payment terminals in the U.S. made unavailable.
  • Threat T5.3.3: Code execution and injection (unsecured APIs):  Malware attacks have been extensively discussed in previous sections. As a summary, ransomware (e.g., WannaCry and NotPetya)attacks moved the malware attack to another level, difficult to challenge by national law enforcement agencies alone.[96] In addition, cyber attackers are turning security defenses in weapons. SSL/TLS has been used to deliver malware undetected, to disrupt secured transactions, and to exfiltrate data over encrypted communication channels.[183] For example, Zeus botnet used SSL communication to upgrade the attack after the initial email infection. After the Boston Marathon bombing, a malware distributed through a spam message used SSL to report back to its command and control server.[183] Finally, mobile malware, specifically targeting mobile operating systems and mobile applications, is growing significantly since 2017, in particular mobile ransomware.[192][193] Some reports indicate that this malware is active in Africa, Asia, and USA, with the exception of mobile ransomware which heavily targets North America.[96][193] More in detail, Ransomware, spyware, bots, Adware, Potentially Unwanted Applications (PUA), Trojans, and Trojan spyware are exponentially targeting smartphones and IoT devices[194], over which modern applications are installed. PUA is the topmost Android malware detected by Quick Heal,[195] where third-party application stores are used to spread malware and exfiltrate private information of the user. Gugi is an example of a banking Trojan exploiting the security policies of Android Marshmallow[194]. GooglePlay has dozen of malicious apps[194]; for instance, Judy, which affected around 36.5 million Android users,[196] was in about 40 applications. 
According to[194], runtime information gathering (RIG)[197], energy-based[198], remote code execution/injection,[199][200][201] hijacking,[202] privilege escalation attacks[203][204] are the most critical targeting Android devices. They are mostly based on vulnerabilities in (third-party) libraries and over-permission applications, libraries, and ad libraries (more details can be found in Section 3.3)[194].
  • Threat T5.3.4: Insufficient logging and monitoring:  This class of threats is usually a pre-requisite for any large attack and major incident. It virtually exploits insufficient logging and monitoring to go undetected for a while, reducing timely response (191 days on average in 2016).[182]
  • Threat T5.3.5: Untrusted composition: Attacks related to this threat mainly target single services/applications, trying to identify the weakest link in the composition. They then resemble attacks described in this section. No recent attacks on the composition flow and orchestrators have been reported, while different assurance solutions (e.g. [205]) have been reported to verify (e.g., certify) the strength of a service composition by verifying the strength of the single component services.
  • Threat T5.4.1: Violation of laws or regulations
  • Threat T5.5.1: Malicious insider
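Threats T5.2.1 and T5.3.2 above point at self-signed and wildcard certificates as a basis for impersonation, and at expired certificates as a cause of outages. The following Go program is an added example (it is not code from the original report) showing the checks a practitioner would run over a deployed certificate using only the standard library: issuer equal to subject with a signature that verifies under the certificate's own key (self-signed), a "*." name in the SANs or CN (wildcard), and the validity window against an explicit reference time. The certificate it inspects is generated in-process as constructed test input, and the 30-day renewal warning is an assumed policy value; neither comes from any real deployment.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Finding names one certificate-hygiene problem flagged by Inspect.
type Finding string

const (
	SelfSigned  Finding = "self-signed"        // issuer == subject and the cert verifies under its own key
	Wildcard    Finding = "wildcard-name"      // a "*." SAN or CN, trusted far beyond one host
	NotYetValid Finding = "not-yet-valid"      // notBefore is in the future
	Expired     Finding = "expired"            // notAfter is in the past: an outage or a door for attackers
	ExpiresSoon Finding = "expires-within-30d" // renew now, before it turns into an outage
)

// renewalWarning is the lead time before expiry at which ExpiresSoon is raised (assumed policy value).
const renewalWarning = 30 * 24 * time.Hour

// Inspect applies the checks to a parsed certificate as of the time `now`
// (passed in explicitly so results are reproducible).
func Inspect(cert *x509.Certificate, now time.Time) []Finding {
	var out []Finding

	// Self-signed: subject and issuer are byte-identical AND the signature
	// verifies under the certificate's own public key. CheckSignatureFrom is
	// deliberately not used: it also enforces CA constraints, which a
	// self-signed leaf typically lacks, and would report a constraint error.
	if bytes.Equal(cert.RawSubject, cert.RawIssuer) &&
		cert.CheckSignature(cert.SignatureAlgorithm, cert.RawTBSCertificate, cert.Signature) == nil {
		out = append(out, SelfSigned)
	}

	// Wildcard names, in the SANs or in the legacy CommonName.
	names := append([]string{cert.Subject.CommonName}, cert.DNSNames...)
	for _, n := range names {
		if strings.HasPrefix(n, "*.") {
			out = append(out, Wildcard)
			break
		}
	}

	// Validity window relative to the reference time.
	switch {
	case now.Before(cert.NotBefore):
		out = append(out, NotYetValid)
	case now.After(cert.NotAfter):
		out = append(out, Expired)
	case cert.NotAfter.Sub(now) < renewalWarning:
		out = append(out, ExpiresSoon)
	}
	return out
}

// HasFinding reports whether f is among the findings.
func HasFinding(findings []Finding, f Finding) bool {
	for _, x := range findings {
		if x == f {
			return true
		}
	}
	return false
}

// NewSelfSignedCert builds a constructed test certificate (ECDSA P-256, signed
// with its own key) so the example runs offline; it is sample input, not a
// certificate from any real deployment.
func NewSelfSignedCert(dnsNames []string, notBefore, notAfter time.Time) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		return nil, err
	}
	serial.Add(serial, big.NewInt(1)) // keep the serial strictly positive
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: dnsNames[0], Organization: []string{"Example Org"}},
		DNSNames:     dnsNames,
		NotBefore:    notBefore,
		NotAfter:     notAfter,
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	now := time.Now()
	cert, err := NewSelfSignedCert([]string{"*.example.com"}, now.Add(-24*time.Hour), now.Add(10*24*time.Hour))
	if err != nil {
		panic(err)
	}
	fmt.Println(Inspect(cert, now)) // [self-signed wildcard-name expires-within-30d]
}
```

To run the same checks against a real endpoint, replace NewSelfSignedCert with the leaf from tls.ConnectionState().PeerCertificates; the Inspect logic is unchanged. Passing `now` explicitly is what makes the expiry check usable in a scheduled job that alerts ahead of the deadline rather than after the outage.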
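Threats T5.3.1 and T5.3.4 above describe RDP brute-force attempts and the cost of insufficient logging and monitoring. The following Go program is an added example (not code from the original report) of the detection logic a practitioner would run over authentication logs: it parses failure records, groups them by source address, slides a time window over each source's failures and raises an alert for the densest window that reaches a threshold, also counting distinct usernames so that a password-spraying pattern is visible. The log lines are constructed sample input in an assumed `key=value` format, not records from any real system; the threshold and window are illustrative tuning values.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"sort"
	"strings"
	"time"
)

// SampleLog is constructed input in an assumed key=value authentication-log
// format (not taken from any real system). 203.0.113.7 hammers RDP with three
// usernames in twenty seconds; 198.51.100.20 is a user who mistyped a password
// twice, five minutes apart, and logged in successfully in between.
const SampleLog = `2024-01-15T10:00:01Z auth=fail proto=rdp src=203.0.113.7 user=administrator
2024-01-15T10:00:03Z auth=fail proto=rdp src=203.0.113.7 user=administrator
2024-01-15T10:00:05Z auth=fail proto=rdp src=198.51.100.20 user=jdoe
2024-01-15T10:00:06Z auth=fail proto=rdp src=203.0.113.7 user=admin
2024-01-15T10:00:08Z auth=fail proto=rdp src=203.0.113.7 user=admin
2024-01-15T10:00:10Z auth=ok proto=rdp src=198.51.100.20 user=jdoe
2024-01-15T10:00:11Z auth=fail proto=rdp src=203.0.113.7 user=guest
2024-01-15T10:00:14Z auth=fail proto=rdp src=203.0.113.7 user=administrator
2024-01-15T10:00:17Z auth=fail proto=rdp src=203.0.113.7 user=admin
2024-01-15T10:00:20Z auth=fail proto=rdp src=203.0.113.7 user=guest
2024-01-15T10:05:05Z auth=fail proto=rdp src=198.51.100.20 user=jdoe
`

// Event is one parsed authentication failure.
type Event struct {
	At   time.Time
	Src  string
	User string
}

// Alert is raised when one source reaches the failure threshold inside the window.
type Alert struct {
	Src      string
	Failures int       // failures in the densest window for this source
	Users    int       // distinct usernames tried in that window; >1 suggests spraying
	Start    time.Time // first failure of that window
	End      time.Time // last failure of that window
}

// failRe matches only RDP failures in the assumed log format.
var failRe = regexp.MustCompile(`^(\S+) auth=fail proto=rdp src=(\S+) user=(\S+)`)

// ParseFailures extracts RDP authentication failures; non-matching lines are ignored.
func ParseFailures(log string) ([]Event, error) {
	var events []Event
	sc := bufio.NewScanner(strings.NewReader(log))
	for sc.Scan() {
		m := failRe.FindStringSubmatch(sc.Text())
		if m == nil {
			continue
		}
		at, err := time.Parse(time.RFC3339, m[1])
		if err != nil {
			return nil, fmt.Errorf("bad timestamp %q: %w", m[1], err)
		}
		events = append(events, Event{At: at, Src: m[2], User: m[3]})
	}
	return events, sc.Err()
}

// DetectBruteForce groups failures by source, sorts them by time and slides a
// window over each source's failures with two pointers; the densest window
// holding at least `threshold` failures becomes an Alert. Alerts are returned
// sorted by source so the output is deterministic.
func DetectBruteForce(events []Event, threshold int, window time.Duration) []Alert {
	bySrc := map[string][]Event{}
	for _, e := range events {
		bySrc[e.Src] = append(bySrc[e.Src], e)
	}
	var alerts []Alert
	for src, evs := range bySrc {
		sort.Slice(evs, func(i, j int) bool { return evs[i].At.Before(evs[j].At) })
		best := Alert{Src: src}
		j := 0
		for i := range evs {
			if j < i {
				j = i
			}
			// extend j to the last failure that still lies within `window` of evs[i]
			for j+1 < len(evs) && evs[j+1].At.Sub(evs[i].At) <= window {
				j++
			}
			if n := j - i + 1; n > best.Failures {
				users := map[string]struct{}{}
				for _, e := range evs[i : j+1] {
					users[e.User] = struct{}{}
				}
				best = Alert{Src: src, Failures: n, Users: len(users), Start: evs[i].At, End: evs[j].At}
			}
		}
		if best.Failures >= threshold {
			alerts = append(alerts, best)
		}
	}
	sort.Slice(alerts, func(i, j int) bool { return alerts[i].Src < alerts[j].Src })
	return alerts
}

func main() {
	events, err := ParseFailures(SampleLog)
	if err != nil {
		panic(err)
	}
	for _, a := range DetectBruteForce(events, 5, 60*time.Second) {
		fmt.Printf("brute force from %s: %d failures, %d usernames, %s..%s\n",
			a.Src, a.Failures, a.Users, a.Start.Format(time.RFC3339), a.End.Format(time.RFC3339))
	}
}
```

With the sample input, threshold 5 and a 60-second window, only 203.0.113.7 is reported (8 failures across 3 usernames in 19 seconds); the legitimate user's two failures five minutes apart never fall in one window. Counting distinct usernames is the cheap way to separate a single-account brute force from a spray across accounts, which calls for a different response (lockout policy versus blocking the source).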

Attacks related to User-Centric Security

In the following, the main attacks affecting the User domain are reported.

  • Threat T6.1.1: Mishandling of physical assets: The problem of mishandling physical assets is particularly evident in the case of stolen laptops. Laptops are systematically stolen from cars, offices, and public places, as witnessed by cybersecurity surveys like the Verizon DBIR and other studies.[206] More worrisome is the fact that there is already a history of severe data breaches caused by stolen laptops[207] and affecting critical and sensitive data.[208]
  • Threat T6.1.2: Misconfiguration of systems: Attacks due to system misconfiguration have a long history. Incidents have happened because of misconfigurations of BGP,[209][210] DNS,[211] firewalls,[212] web applications,[213] and, more recently, AWS S3 buckets,[214] among many other systems. Besides the System and Application domains, the User domain is also involved, because misconfigurations often stem from situations that lead users to make errors. This scenario should be accounted for and explicitly managed.
  • Threat T6.1.3: Loss of CIA on data assets: This is a vast threat category, spanning multiple domains and comprising almost countless attacks. Attacks on CIA in the User domain are those where the human factor is key to the attack's success: for example, cases where a user has misused his or her access privileges,[215] the case of a fraudulent or mismanaged Certification Authority,[216] or employees falling prey to impersonation attacks[217] or frauds, such as the so-called CEO frauds, where CEOs (or other C-level managers) are either the victims[218] or the perpetrators.[219]
  • Threat T6.1.4: Legal, reputational, and financial cost: There are a few examples of firms that were fined for a cybersecurity incident. For instance, Heartland Payment Systems paid around $150 million in fines and legal costs for the breach disclosed in 2009, in which more than 100 million credit and debit card numbers were stolen.[220][221] In the EU, however, things seem to have changed with the GDPR, which may impose severe fines, and organizations have taken notice.[222][223] Cybersecurity incidents causing financial and reputational costs have been analyzed especially by scholars and analysts interested in the economics of cybersecurity.[224][225]
  • Threat T6.2.1: Profiling and discriminatory practices: In 2012, the FTC published a document titled “Protecting Consumer Privacy in an Era of Rapid Change”[226] addressing the data broker sector and specifically those brokers not regulated by the FCRA. Data brokers were categorized according to their activity as: (i) subject to the FCRA; (ii) not subject to the FCRA and collecting data for marketing purposes; (iii) not subject to the FCRA and collecting data for purposes other than marketing, for instance to detect fraud or locate people. Then, in 2014, a new report titled “Data Brokers – A Call for Transparency and Accountability” was published.[227] To date, it represents one of the most comprehensive analyses of the data broker industry. The characteristics of nine data brokers are described. Their names (Acxiom, Corelogic, Datalogix, eBureau, ID Analytics, Intelius, PeekYou, Rapleaf, and Recorded Future) are unknown to almost everybody, but their activity has involved nearly every US consumer and many others internationally. These companies manage consumers' data, usually bought from other data brokers or from companies directly collecting them from individuals, and produce derived data to satisfy their clients' business needs in terms of marketing, risk mitigation, and people search. Citizens are normally unaware, and never specifically informed, of their personal data being used for these purposes. Data may include bankruptcy information, voting registration, consumer purchase data, web browsing activity, warranty registrations, and other traces of everyday online and offline activity. Data sources are heterogeneous, from publicly available blogs and social media to commercial sources, for example the purchasing history of customers or online service registrations. Data updates are scheduled by data brokers according to their own cost-benefit assessment: the more frequent the update, the higher the classification accuracy and the cost.
For this reason, some personal data might remain inaccurate even for a long time, without the individual being able to know about it or about the possible consequences of the misalignment. Typically, data brokers compile commercial categories and group consumers with similar behaviors. Such categories may look fanciful to those not accustomed to advertising practices: examples are Soccer Moms, Urban Scramble, Rural Everlastings, or Thrifty Elders. Bizarre as they may sound, categories like these are useful for targeting “quality buyers”, as profiled citizens are dubbed by a very active online advertising company.[228] Another data broker activity is developing models to predict behavior. In this case, a subset of consumers is specifically analyzed for its purchase behavior, and that knowledge is applied to predict the future purchases of other consumers with similar characteristics. This may also involve sensitive information such as that related to health, pregnancy, and medicine consumption. In particular, privacy abuses of health data have been the subject of several journalistic investigations[229][230] and of scientific research,[231][232] which unveiled commercial practices that most citizens are completely unaware of but strongly oppose once informed. For instance, the severity of medical privacy invasion came shockingly to light in 2013 with the Congressional testimony of Pam Dixon of the World Privacy Forum.[233] On that occasion, Dixon presented evidence that lists of patients suffering from conditions ranging from mental illness to sexual dysfunction, cancer, and HIV/AIDS, to name just a few, were commonly traded. Even more outrageously, lists of rape victims were publicly advertised and sold. Opting out of data broker profiling is impractical at best. Since data brokers typically do not interact directly with consumers, even those offering clear opt-out procedures are unlikely to be known to consumers willing to exercise their choice.
Many data brokers instead provide murky opt-out procedures or simply do not provide any. In Dixon's Congressional testimony it was noted that, in a sample of 352 data brokers, just 128 provided an opt-out procedure. In some cases, for example when consumers are profiled to calculate a credit score, it is practically impossible to be deleted from a score list. In other situations, the opt-out choice is made hard to exercise through clauses such as requiring a justification to be approved, or a fee. Therefore, opting out of data broker profiling, when permitted, is likely to be incomplete: it does not imply deletion of personal data, does not involve third parties, may be costly and hard to find, and there is no guarantee that it is not merely temporary.
  • Threat T6.2.2: Illegal acquisition of information: Data have always been the target of attacks.[234] Today data breaches are often reported at great length by the press and may represent a major incident for a company; Cambridge Analytica[235] and Equifax[236] are just two of the most notable examples. With respect to the User domain, the illegal acquisition of information may have unforeseen consequences on a company's operations: from damage to brand reputation to litigation costs and liabilities, loss of trustworthiness, scapegoating, career damage, and so forth. A data breach is not only a threat to data and data owners; it may trigger a cascade of consequences on the organization's processes and personnel.
  • Threat T6.3.1: Organized criminal groups' activity: Attacks perpetrated by organized criminal groups are almost countless, from petty crimes to large frauds. Europol publishes one of the leading reports on the subject.[96] In the current issue, one of the key messages is that criminals still mostly target data. Europol, too, insists on the need to counter criminal groups by considering the big picture and adopting a holistic approach: analyzing single vulnerabilities but also the system perspective, technologies, organizational processes, tools, and people.
  • Threat T6.3.2: State-sponsored organizations' activity: Political, geostrategic, and business tensions have arisen in recent years among several countries worldwide, leading to a wave of state-sponsored attacks. It has become common to talk about state-sponsored organizations engaged in hostile activities against organizations in other countries. Stuxnet, often (and dubiously) dubbed “the first act of cyberwar”, was one of the first clear episodes of a state-sponsored attack.[237] Since then, state-sponsored attacks seem to have escalated, becoming common and motivated by very different reasons.[238][239][240][241]
  • Threat T6.3.3: Malicious employees' or partners' activity: As already noted, it is far too easy to overhype the dangers posed by disloyal insiders and to oversell stereotypes like the “disgruntled employee” or the “treacherous sysadmin”. On the other hand, cases of cybercrime committed by employees are countless. For example, the US Department of Homeland Security has published a long list of references to insider threat analyses, showing the many ways an employee may become responsible for cybercrime.[242][243]
  • Threat T6.4.1: Misinformation/disinformation campaigns: A misinformation or disinformation campaign (the difference lying in the intentionality of the campaign) targeting a company might inflict non-negligible damage on brand reputation and trust, requiring public relations efforts to mitigate it. Evidence of this is still murky and opinionated, but at least we can observe that the problem is growing and has already put pressure on some companies.[244][245]
  • Threat T6.4.2: Smear campaigns/market manipulation: This is still more a theoretical case than a real threat; nevertheless, the growing influence of online media and social networks provides the means for new forms of the classical pump-and-dump scheme. Examples of politically motivated smear campaigns abound.[246] The shift to a business threat is certainly possible in the future.[247]
  • Threat T6.4.3: Social responsibility/ethics-related incidents: IT companies accused of unethical behavior[248] and suffering the consequences of having behaved (or being perceived as having behaved) unethically are not rare in history.[249] Interestingly, cases of modern Internet-based, technology-intensive companies reported to engage in unethical behavior seem rampant. Sometimes the bad reputation gained has triggered boycotts by customers. Uber, for example, has recently and repeatedly been accused of unethical activities, and its reputation has clearly suffered.[250] The sharing economy as a whole has been studied as possibly facilitating unethical activities.[251]
  • Threat T6.5.1: Skill shortage/undefined cybersecurity curricula: No recent attacks have been reported.
  • Threat T6.5.2: Business misalignment/shift of priorities: Many companies still struggle to decide the right position in the organization chart for the person responsible for cybersecurity, whether the CSO (Chief Security Officer), the CISO (Chief Information Security Officer), or the more recent CRO (Chief Risk Officer).[252][253] The organizational weakness of the cybersecurity function in many companies is also one of the reasons for the common shift of priorities away from cybersecurity, which sees drastic budget cuts as soon as the company needs to review its budgets.[254]

[1] S. Choi and M. E. Johnson, Do Hospital Data Breaches Reduce Patient Care Quality?, 2019.

[2] J. Jiang and G. Bai, «Evaluation of Causes of Protected Health Information Breaches,» JAMA Internal Medicine, vol. 179, 2018.

[3] How This Internet of Things Stuffed Animal Can Be Remotely Turned Into a Spy Device

[4] IoT Hack Connected To Target Breach

[5] Health care’s huge cybersecurity problem

[6] Ring Video Doorbell Pro Under the Scope

[7] VPNFilter: New Router Malware with Destructive Capabilities

[8] How A Creep Hacked A Baby Monitor To Say Lewd Things To A 2-Year-Old

[9] I. Butun, P. Österberg and H. Song, «Security of the Internet of Things: Vulnerabilities, Attacks and Countermeasures,» IEEE Communications Surveys & Tutorials, 2019.

[10] M. Park, H. Oh and K. Lee, «Security Risk Measurement for Information Leakage in IoT-Based Smart Homes from a Situational Awareness Perspective,» Sensors, vol. 19, p. 2148, 2019.

[11] A. Maiti, M. Jadliwala, J. He and I. Bilogrevic, «Side-Channel Inference Attacks on Mobile Keypads using Smartwatches,» IEEE Transactions on Mobile Computing, 2017.

[12] A. Sarkisyan, R. Debbiny and A. Nahapetian, «WristSnoop: Smartphone PINs prediction using smartwatch motion sensors,» in Proceedings of the 2015 IEEE International Workshop on Information Forensics and Security (WIFS), Rome, 2015.

[13] S. Chakraborty, W. Ouyang and M. Srivastava, «LightSpy: Optical eavesdropping on displays using light sensors on mobile devices,» in Proceedings of the 2017 IEEE International Conference on Big Data (Big Data), Boston, MA, USA, 11-14 December 2017.

[14] Security flaws let anyone snoop on Guardzilla smart camera video recordings

[15] DDoS Attack Takes Down Central Heating System Amidst Winter In Finland

[16] Puerto Rico smart meters believed to have been hacked – and such hacks likely to spread

[17] This aggressive IoT malware is forcing Wi-Fi routers to join its botnet army

[18] Hackers Remotely Kill a Jeep on the Highway—With Me in It

[19] Medjacking: The newest healthcare risk?

[20] Assessing the Severity of SQL Injection Threats to IoT Security

[21] Carlo Gavazzi SmartHouse 6.5.33 XSS /Cross Site Request Forgery

[22] Annual Report Telecom Security Incidents 2018

[23] Misconfigured, Open DNS Servers Used In Record-Breaking DDoS Attack

[24] After years of warnings, mobile network hackers exploit SS7 flaws to drain bank accounts

[25] White hats do an NSA, figure out LIVE PHONE TRACKING via protocol vuln

[26] Tobias Engel, “SS7: Locate. Track. Manipulate”, 2014,

[27] “SS7 Attack Discovery” , Positive Technologies, 2016

[28] Schwachstelle im Mobilfunknetz: Kriminelle Hacker räumen Konten leer

[29] Tunnel Vision : Malicious data interception via SS7

[30] HITB2014AMS – Day 2 – On Her Majesty’s Secret Service: GRX & A Spy Agency

[31] Hacker Redirects Traffic From 19 Internet Providers to Steal Bitcoins

[32] Rostelecom Route Leak Targets E-Commerce Services

[33] OK Google, why was your web traffic hijacked and routed through China, Russia today?

[34] Israel Accused of Planting Mysterious Spy Devices Near the White House

[35] C. A. Ardagna, R. Asal, E. Damiani and Q. Vu, «From Security to Assurance in the Cloud: A Survey,» ACM Computing Surveys (CSUR), August 2015.

[36] Hackers Could Decrypt Your GSM Phone Calls

[37] Protecting against the latest LTE network attacks

[38] New Mirai Variant Targets Routers, Knocks 900,000 Offline

[39] Operation Soft Cell: A Worldwide Campaign Against Telecommunications Providers

[40] New Simjacker vulnerability exploited by surveillance companies for espionage operation

[41] Spectre and Meltdown explained: A comprehensive guide for professionals

[42] LoJax: First UEFI rootkit found in the wild, courtesy of the Sednit group

[43] Remote UEFI Attacks


[45] What is the WannaCry Ransomware Attack?

[46] New Silex malware is bricking IoT devices, has scary plans

[47] A. Shaik, R. Borgaonkar, N. Asokan, V. Niemi and J.-P. Seifert, «Practical Attacks Against Privacy and Availability in 4G/LTE Mobile Communication Systems,» arXiv, abs/1510.07563, 2015.

[48] See

[49] Annual Report Telecom Security Incidents 2017 – enisa,

[50] Security researcher claims Via C3 x86 CPUs contain hidden ‘God mode’

[51] 13 flaws found in AMD processors, AMD given little warning

[52] ShadowPad: How Attackers hide Backdoor in Software used by Hundreds of Large Companies around the World

[53] 4G Router Vulnerabilities Lets Attackers Take Full Control

[54] See

[55] See

[56] See

[57] See Amazon explains big AWS outage, says employee error took servers offline, promises changes

[58] See

[59] Personal data of over 50,000 Honda Connect App leaked

[60] Exposed S3 bucket compromises 120 million Brazilian citizens

[61] See

[62] M. Armbrust, A. Fox, R. Griffith, A. Joseph, R. Katz, A. Konwinski, G. Lee, D. Patterson, A. Rabkin, I. Stoica and M. Zaharia, «Above the Clouds: A Berkeley View of Cloud Computing,» Technical Report UCB/EECS-2009-28, University of California at Berkeley, February 2009.

[63] F. Rocha, T. Gross and A. van Moorsel, «Defense-in-depth against malicious insiders in the cloud,» in Proceedings of the IEEE International Conference on Cloud Engineering (IC2E'13), 2013.

[64] Y. Zhang, A. Juels, A. Oprea and M. K. Reiter, «HomeAlone: Co-residency detection in the cloud via side-channel analysis,» in Proceedings of the IEEE Symposium on Security and Privacy (SP'11), 2011.

[65] Y. Zhang, A. Juels, M. K. Reiter and T. Ristenpart, «Cross-VM side channels and their use to extract private keys,» in Proceedings of the ACM Conference on Computer and Communications Security, 2012.

[66] M. Weiß, B. Heinz and F. Stumpf, «A cache timing attack on AES in virtualization environments,» in Proceedings of the International Conference on Financial Cryptography and Data Security, 2012.

[67] G. Irazoqui, M. S. Inci, T. Eisenbarth and B. Sunar, «Fine grain cross-VM attacks on Xen and VMware,» in Proceedings of the International Conference on Big Data and Cloud Computing, 2014.

[68] Y. Yarom and K. Falkner, «FLUSH+RELOAD: A high resolution, low noise, L3 cache side-channel attack,» in Proceedings of the USENIX Security Symposium, 2014.

[69] G. Irazoqui, M. S. Inci, T. Eisenbarth and B. Sunar, «Seriously, get off my cloud! Cross-VM RSA key recovery in a public cloud,» IACR Cryptology ePrint Archive, 2015.

[70] C. Maurice, C. Neumann, O. Heen and A. Francillon, «C5: Cross-cores cache covert channel,» in Proceedings of the International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment, 2015.

[71] J. Xiao, Z. Xu, H. Huang and H. Wang, «A covert channel construction in a virtualized environment,» in Proceedings of the ACM Conference on Computer and Communications Security, 2012.

[72] P. Pessl, D. Gruss, C. Maurice, M. Schwarz and S. Mangard, «DRAMA: Exploiting DRAM addressing for cross-CPU attacks,» in Proceedings of the USENIX Security Symposium, 2016.

[73] Dropbox and Box leak files in security through obscurity nightmare

[74] Amazon hit with major data breach days before Black Friday

[75] B. Albelooshi, K. Salah, T. Martin and E. Damiani, «Experimental Proof: Data Remanence in Cloud VMs,» in Proceedings of the IEEE 8th International Conference on Cloud Computing (CLOUD), 2015.

[76] Capital One Data Breach Impacts 100 Million Customers

[77] Unprotected Government Server Exposes Years of FBI Investigations

[78] S. Shafieian, M. Zulkernine and A. Haque, «Attacks in Public Clouds: Can They Hinder the Rise of the Cloud?,» in Cloud Computing, 2014, pp. 3-22.

[79] Common Vulnerabilities and Exposures (2012) CVE-2012-2450.

[80] Timehop discloses July 4 data breach affecting 21 million

[81] German Man Confesses to Hacking Politicians’ Data, Officials Say

[82] PoC Exploit Compromises Microsoft Live Accounts via Subdomain Hijacking

[83] A Methodology for Determining Forensic Data Requirements for Detecting Hypervisor Attacks

[84] L. Shi, Y. Wu, Y. Xia, N. Dautenhahn, H. Chen, B. Zang and J. Li, «Deconstructing Xen,» in Proceedings of NDSS, 2017.

[85] J.-R. Yeh, H.-C. Hsiao and A.-C. Pang, «Migrant Attack: A Multi-resource DoS Attack on Cloud Virtual Machine Migration Schemes,» in Proceedings of the 11th Asia Joint Conference on Information Security (AsiaJCIS), 2016.

[86] S. T. King and P. M. Chen, «SubVirt: Implementing malware with virtual machines,» in Proceedings of the IEEE Symposium on Security and Privacy, 2006.

[87] A. Desnos, E. Filiol and I. Lefou, «Detecting (and creating!) a HVM rootkit (aka BluePill-like),» Journal in Computer Virology, pp. 23-49, 2011.

[88] A. Jasti, P. Shah, R. Nagaraj and R. Pendse, «Security in multi-tenancy cloud,» in Proceedings of the IEEE International Carnahan Conference on Security Technology, 2010.

[89] S. Checkoway and H. Shacham, «Iago attacks: Why the system call API is a bad untrusted RPC interface,» in Proceedings of the International Conference on Architectural Support for Programming Languages and Operating Systems (ASPLOS), pp. 253-264, 2013.

[90] Engineer Found Guilty of Stealing Navy Secrets via Dropbox Account

[91] M. Kandias, N. Virvilis and D. Gritzalis, «The insider threat in cloud computing,» in Proceedings of the International Workshop on Critical Information Infrastructures Security, 2011.

[92] F. Rocha and M. Correia, «Lucy in the sky without diamonds: Stealing confidential data in the cloud,» in Proceedings of the IEEE/IFIP 41st International Conference on Dependable Systems and Networks Workshops (DSN-W'11), 2011.

[93] C. Li, A. Raghunathan and N. K. Jha, «Secure virtual machine execution under an untrusted management OS,» in Proceedings of the 3rd IEEE International Conference on Cloud Computing, 2010.

[94] Data, Technologies and Security – Part 1

[95] Dropbox Security Bug Made Passwords Optional For Four Hours,

[96] Europol, Internet Organised Crime Threat Assessment (IOCTA), Strategic, policy and tactical updates on the fight against cybercrime

[97] Data Breach

[98] WP2018 O.1.2.1 – ENISA Threat Landscape 2018

[99] Malwarebytes LABS, Cybercrime tactics and techniques: Q2 2018

[100] KrebsOnSecurity, The Year Targeted Phishing Went Mainstream,

[101] Symantec, BEC Scams Remain a Billion-Dollar Enterprise, Targeting 6K Businesses Monthly, July 2019

[102] Data Breach Investigations Report 2019,

[103] A simple fix could have saved British Airways from its £183m fine

[104] 40,000 UnProtected MongoDB Databases Found on the Internet

[105] More than 26,000 vulnerable MongoDB databases whacked by ransomware

[106] Securonix Threat Research: Detecting Persistent Cloud Infrastructure/Hadoop/YARN Attacks Using Security Analytics: Moanacroner, XBash, and Others

[107] Hadoop coop thrown for loop by malware snoop n’ scoop troop? Oh poop

[108] Securonix Threat Research: Detecting Persistent Cloud Infrastructure/Hadoop/YARN Attacks Using Security Analytics: Moanacroner, XBash, and Others

[109] How Your Hadoop Distribution Could Lose Your Data Forever

[110] E. Damiani, «Toward Big Data Leak Analysis,» in Proceedings of the Privacy and Security of Big Data Workshop (PSBD 2015), IEEE Big Data Conference, 1-3 November 2015.

[111] S. Aditham and N. Ranganathan, «A novel framework for mitigating insider attacks in big data systems,» in Proceedings of the 2015 IEEE International Conference on Big Data, 2015.

[112] See “Notes by Facebook engineering” in

[113] NIST Special Publication 1500-4. Use case: consumer digital media (examples: Netflix, iTunes, and others).

[114] Xiao Zhang, “A Survey of Digital Rights Management Technologies”, see

[115] Typo blamed for Amazon’s internet-crippling outage

[116] Amazon knocked AWS sites offline because of typo

[117] See

[118] Cyber Risk Outlook 2018

[119] Common Vulnerabilities and Exposures

[120] Apache Ambari Hadoop credential stores information disclosure

[121] See

[122] “Google fires employees for breaching user privacy” in TechSpot news, (Sept 2010) in

[123] T. Armerding, The 17 biggest data breaches of the 21st century, 2018.

[124] J. A. Djurberg, Bekräftat: ddos-attack bakom tågförseningar [Confirmed: DDoS attack behind train delays], 2017.

[125] The Value of Personal Online Data

[126] Carbanak/Cobalt: A global threat to financial institutions

[127] A hacker can give you a fatal overdose

[128] Hacker Can Spend Fatal Dose to Hospital Drug Pumps

[129] H. Meng, V. Thing, Y. Cheng, Z. Dai and L. Zhang, «A survey of Android exploits in the wild,» Computers & Security, vol. 76, pp. 71-91, 2018.

[130] M. Zhao, B. An, Y. Yu, S. Liu and S. J. Pan, «Data Poisoning Attacks on Multi-Task Relationship Learning,» in Proceedings of the Thirty-Second AAAI Conference on Artificial Intelligence (AAAI-18), 2018.

[131] Y. Shi, T. Erpek, Y. E. Sagduyu and J. H. Li, «Spectrum Data Poisoning with Adversarial Deep Learning,» in Proceedings of the 2018 IEEE Military Communications Conference (MILCOM), 2018.

[132] B. Li, Y. Wang, A. Singh and Y. Vorobeychik, «Data poisoning attacks on factorization-based collaborative filtering,» in Proceedings of the 30th International Conference on Neural Information Processing Systems (NIPS'16), 2016.

[133] D. Zügner, A. Akbarnejad and S. Günnemann, «Adversarial Attacks on Neural Networks for Graph Data,» in Proceedings of the 24th ACM SIGKDD International Conference on Knowledge Discovery & Data Mining (KDD '18), 2018.

[134] J. Somorovsky, M. Heiderich, M. Jensen, J. Schwenk, N. Gruschka and L. Lo Iacono, «All your clouds are belong to us: security analysis of cloud management interfaces,» in Proceedings of the 3rd ACM Cloud Computing Security Workshop (CCSW '11), 2011.

[135] US-CERT warns of guest-to-host VM escape vulnerability

[136] See Nine Threats Targeting Facebook Users in

[137] J. Huang, D. M. Nicol and R. H. Campbell, «Denial-of-Service Threat to Hadoop/YARN Clusters with Multi-Tenancy,» in Proceedings of the IEEE International Congress on Big Data, 2014.

[138] ZDNet blog in

[139] Shamoon: Destructive Threat Re-Emerges with New Sting in its Tail

[140] DemonBot Malware Targets Apache Hadoop Servers Using Available Exploit Code

[141] New DDoS botnet goes after Hadoop enterprise servers

[142] Mirai ‘botmasters’ now exploiting Hadoop flaw to target Linux servers

[143] Due to Misconfigured Component: DemonBot Malware Infects Multiple Apache Hadoop Servers

[144] E. R. Osawaru and R. A. Ariyaluran Habeeb, «A Highlight of Security Challenges in Big Data,» International Journal of Information Systems and Engineering (online), vol. 2, no. 1, April 2014.

[145] Big Data Threat Landscape, ENISA, January 2016

[146] M. Lipp, M. Schwarz, D. Gruss, T. Prescher, W. Haas, A. Fogh, J. Horn, S. Mangard, P. Kocher, D. Genkin, Y. Yarom and M. Hamburg, «Meltdown: Reading kernel memory from user space,» in Proceedings of the 27th USENIX Security Symposium (SEC'18), 2018.

[147] P. Kocher, J. Horn, A. Fogh, D. Genkin, D. Gruss, W. Haas, M. Hamburg, M. Lipp, S. Mangard, T. Prescher, M. Schwarz and Y. Yarom, «Spectre Attacks: Exploiting Speculative Execution,» in Proceedings of the 40th IEEE Symposium on Security and Privacy (S&P'19), 2019.

[148] Meltdown and Spectre Vulnerabilities in modern computers leak passwords and sensitive data

[149] S. De Capitani di Vimercati, S. Foresti, G. Livraga and P. Samarati, «Data privacy: Definitions and techniques,» International Journal of Uncertainty, Fuzziness and Knowledge-Based Systems, vol. 20, no. 6, pp. 793-817, 2012.

[150] AOL search data leak

[151] See NIST Big Data Interoperability Framework: Volume 4, Security and Privacy. Use case: Web traffic analytics in retail and marketing.

[152] ENISA’s report “Privacy by design in big data: An overview of privacy enhancing technologies in the era of big data analytics “

[153] Jaime Ryan (CA, Sr. Director) and Tyson Whitten (CA, Director of API Management) in “Takeaways from API Security Breaches” presentation and webinar (2015) reported breaches, due to unsecure APIs, for Yahoo, Snapchat and other companies, see

[154] See security issues for the Graph Facebook API library reported by Websegura technical blog,

[155] P. Orduña, A. Almeida, U. Aguilera, X. Laiseca, D. López-de-Ipiña and A. Gómez-Goiri, «Identifying Security Issues in the Semantic Web: Injection attacks in the Semantic Query Languages,» VI Jornadas Científico-Técnicas en Servicios Web y SOA (JSWEB 2010), pp. 43-50, September 2010.

[156] N. Ben Mustapha, H. Zghal, M.-A. Aufaure and H. Ben Ghezala, «Enhancing semantic search using case-based modular ontology,» in Proceedings of the 2010 ACM Symposium on Applied Computing, 2010.

[157] In October 2015, presumably, an SQL injection was used to attack the servers of British telecommunications company Talk Talk’s, endangering the personal details of up to four million customers. See

[158] 50 For example Hive version 2.0 suffers from cross site scripting, code execution, and remote SQL injection vulnerabilities, see

[159] MongoDB suffers injection attacks, see

[160] A new data leak hits Aadhaar, India’s national ID database

[161] Apache Hadoop spins cracking code injection vulnerability YARN

[162] Alibaba Cloud Security Team Discovers Apache Spark Rest API Remote Code Execution (RCE) Exploit

[163] Announcement Regarding Non-Cisco Product Security Alerts

[164] Cross-site scripting in Apache Ambari

[165] Customer data theft

[166] August LinkedIn Workforce Report: Data Science Skills are in High Demand Across Industries

[167] M. Collins, M. Theis, R. Trzeciak, J. Strozer, J. Clark, D. Costa, T. Cassidy, M. Albrethsen and A. Moore, “Common Sense Guide to Prevention and Detection of Insider Threats (5th ed.),” Pittsburgh, PA, 2016.

[168] I. Homoliak, F. Toffalini, J. Guarnizo, Y. Elovici and M. Ochoa, “Insight Into Insiders and IT: A Survey of Insider Threat Taxonomies, Analysis, Modeling, and Countermeasures,” ACM Computing Surveys, vol. 52, pp. 1-40, March 2019.

[169] M. Reddy, M. Keeney, E. Kowalski, D. M. Cappelli and A. P. Moore, “Insider Threat Study: Illicit Cyber Activity in the Banking and Finance Sector,” Pittsburgh, PA, 2005.

[170] E. Kowalski, T. Conway, S. Keverline, M. Williams, D. M. Cappelli, B. Willke and A. P. Moore, “Insider Threat Study: Illicit Cyber Activity in the Government Sector,” 2008.

[171] L. F. Fischer, “Characterizing information systems insider offenders,” in Proceedings of the Conference of the International Military Testing Association, 2003.

[172] E. Shaw, K. Ruby and J. Post, “The Insider Threat to Information Systems: The Psychology of the Dangerous Insider,” Security Awareness Bulletin, vol. 2, pp. 1-10, 1998.

[173] M. Keeney, E. Kowalski, A. P. Moore, T. Shimeall and S. Rogers, “Insider Threat Study: Computer System Sabotage in Critical Infrastructure Sectors,” Washington, DC, 2005.

[174] G. Magklaras and S. Furnell, “Insider Threat Prediction Tool: Evaluating the probability of IT misuse,” Computers & Security, vol. 21, pp. 62-73, 2002.

[175] G. Jabbour and D. A. Menascé, “Stopping the insider threat: The case for implementing autonomic defense mechanisms in computing systems,” in Proceedings of the International Conference of Information Security and Privacy, 2009.

[176] M. Bishop, S. Engle, S. Peisert, S. Whalen and C. Gates, “Case studies of an insider framework,” in Hawaii International Conference on System Sciences, Los Alamitos, CA, 2009.

[177] C. W. Probst and J. Hunker, “The Risk of Risk Analysis and Its Relation to the Economics of Insider Threats,” Springer, 2010, pp. 279-299.

[178] J. Predd, S. L. Pfleeger, J. Hunker and C. Bulford, “Insiders Behaving Badly,” IEEE Security & Privacy, vol. 6, no. 4, pp. 66-70, 2008.

[179] AWS S3 Bucket Discovery Build your own tools with the secapps Fuzzer

[180] I Can’t Believe Mirais: Tracking the Infamous IoT Malware

[181] Two years after WannaCry, a million computers remain at risk

[182] OWASP Top 10 -2017 The Ten Most Critical Web Application Security Risks

[183] Common SSL Attacks

[184] The Heartbleed Bug

[185] Why SSL/TLS attacks are on the rise

[186] Wallet-snatch hack: ApplePay ‘vulnerable to attack’, claim researchers

[187] ATM logic attacks: scenarios, 2018

[188] How hackers rob banks

[189] Panda Security, PandaLabs Annual Report 2017, 2017.

[190] ‘Brute force’ cyber attack on Parliament compromised up to 90 email accounts

[191] M. Anisetti, C. A. Ardagna, R. Asal, L. Comi, E. Damiani and F. Gaudenzi, “A Knowledge-Based IoT Security Checker,” in Proceedings of the 2nd Workshop on Fog-to-Cloud Distributed Processing (F2C-DP), Turin, Italy, August 2018.

[192] TrendLabs, 2017 Annual Security Roundup: The Paradox of Cyber Threats, 2018.

[193] Symantec, “Facts and Figures,” Internet Security Threat Report (ISTR), 2018.

[194] P. Bhat and K. Dutta, “A Survey on Various Threats and Current State of Security in Android Platform,” ACM Computing Surveys, vol. 52, pp. 1-35, February 2019.

[195] Quick Heal, Annual Threat Report, 2017.

[196] Jason Murdock, “‘Judy’ could be the largest malware campaign ever found on Google Play,” International Business Times, 2017.

[197] N. Zhang, K. Yuan, M. Naveed, X. Zhou and X. Wang, “Leave Me Alone: App-Level Protection against Runtime Information Gathering on Android,” in Proceedings of the 2015 IEEE Symposium on Security and Privacy, 2015.

[198] U. Fiore, F. Palmieri, A. Castiglione, V. Loia and A. De Santis, “Multimedia-based battery drain attacks for Android devices,” in Proceedings of the 2014 IEEE 11th Consumer Communications and Networking Conference (CCNC’14), 2014.

[199] Android Developers Blog, Android Security Bulletin, October 2017.

[200] Google ASI, Vungle support: security vulnerability in Android SDKs prior to 3.3.0, 2016.

[201] S. Poeplau, Y. Fratantonio, A. Bianchi, C. Kruegel and G. Vigna, “Execute This! Analyzing Unsafe and Malicious Dynamic Code Loading in Android Applications,” in Proceedings of the Network and Distributed System Security Symposium (NDSS), 2014.

[202] Mohit Kumar, “Facebook SDK vulnerability puts millions of smartphone users’ accounts at risk,” The Hacker News, 2014.

[203] N. Hardy, “The Confused Deputy (or why capabilities might have been invented),” ACM SIGOPS Operating Systems Review, vol. 22, no. 4, pp. 36-38, October 1988.

[204] R. Schlegel, K. Zhang, X.-y. Zhou, M. Intwala, A. Kapadia and X. Wang, “Soundcomber: A Stealthy and Context-Aware Sound Trojan for Smartphones,” in Proceedings of the 18th Annual Network and Distributed System Security Symposium (NDSS), 2011.

[205] M. Anisetti, C. Ardagna, E. Damiani and G. Polegri, “Test-Based Security Certification of Composite Services,” ACM Transactions on the Web, vol. 13, pp. 1-43, February 2019.

[206] S. Johnson, K. Bowers, L. Gamman, L. Tisdall and A. Warne, “Theft of Customers’ Personal Property in Cafés and Bars,” Problem-Oriented Guides for Police, 2010, p. 60.

[207] S. G. Wakeling, P. Hannay and Z. Baig, “A review of data breaches and losses that occurred from laptops that were stolen or otherwise misplaced in 2015 and 2016,” in Proceedings of the 15th Australian Information Security Management Conference, Perth, Western Australia, 5-6 December 2017.

[208] Jessica Davis, “Data of 43,000 patients breached after theft of unencrypted laptop,” Healthcare IT News, January 2018.

[209] R. Mahajan, D. Wetherall and T. Anderson, “Understanding BGP misconfiguration,” ACM SIGCOMM Computer Communication Review, vol. 32, no. 4, pp. 3-16, 2002.

[210] O. Nordström and C. Dovrolis, “Beware of BGP attacks,” ACM SIGCOMM Computer Communication Review, vol. 34, pp. 1-8, 2004.

[211] V. Pappas, D. Wessels, D. Massey, S. Lu, A. Terzis and L. Zhang, “Impact of Configuration Errors on DNS Robustness,” ACM SIGCOMM Computer Communication Review, vol. 34, no. 4, 2004.

[212] F. Cuppens, N. Cuppens-Boulahia and J. Garcia-Alfaro, “Detection and removal of firewall misconfiguration,” in Proceedings of the 2005 IASTED International Conference on Communication, Network and Information Security, 2005.

[213] B. Eshete, A. Villafiorita and K. Weldemariam, “Early Detection of Security Misconfiguration Vulnerabilities in Web Applications,” in 2011 Sixth International Conference on Availability, Reliability and Security (ARES), 2011.

[214] A. Continella, M. Polino, M. Pogliani and S. Zanero, “There’s a Hole in that Bucket! A Large-scale Analysis of Misconfigured S3 Buckets,” in Proceedings of the 34th Annual Computer Security Applications Conference (ACSAC), 2018.

[215] E. Schultz, “A framework for understanding and predicting insider attacks,” Computers & Security, vol. 21, no. 6, pp. 526-531, 2002.

[216] P. Turner, W. Polk and E. Barker, “Preparing for and Responding to Certification Authority Compromise and Fraudulent Certificate Issuance,” National Institute of Standards and Technology, 2012.

[217] B. Danev, H. Luecken, S. Capkun and K. Eldefrawy, “Attacks on physical-layer identification,” in Proceedings of the Third ACM Conference on Wireless Network Security (WiSec), 2010.

[218] Jill McCabe, “FBI Warns of Dramatic Increase in Business E-Mail Scams,” FBI Phoenix, April 2016.

[219] V. Khanna, E. Kim and Y. Lu, “CEO Connectedness and Corporate Fraud,” The Journal of Finance, vol. 70, no. 3, pp. 1203-1252, 2015.

[220] A. Etzioni, “The Private Sector: A Reluctant Partner in Cybersecurity,” Georgetown Journal of International Affairs, vol. 15, 2014, p. 69.

[221] Danny Yadron, “Companies Wrestle With the Cost of Cybersecurity,” Wall Street Journal,

[222] P. Tobin, M. McKeever, J. Blackledge, M. Whittington and B. Duncan, “UK Financial Institutions Stand to Lose Billions in GDPR Fines: How Can They Mitigate This?,” in British Accounting and Finance Association (BAFA) Scottish Area Group Annual Conference, Aberdeen, 2017.

[223] P. Voigt and A. von dem Bussche, “Enforcement and Fines Under the GDPR,” in The EU General Data Protection Regulation (GDPR), Springer, Cham, 2017, pp. 201-217.

[224] M. Lesk, “Cybersecurity and Economics,” IEEE Security & Privacy, vol. 9, no. 6, pp. 76-79, 2011.

[225] J. J. Cordes, “An overview of the economics of cybersecurity and cybersecurity policy,” 2011.

[226] US Federal Trade Commission, Protecting Consumer Privacy in an Era of Rapid Change: Recommendations for Businesses and Policymakers, March 2012.

[227] US Federal Trade Commission, Data Brokers: A Call for Transparency and Accountability, Washington, DC, May 2014, available at:

[228] Rubicon Project, The Advertising Automation Cloud, 2016, available at:

[229] L. Beckett, “Everything We Know About What Data Brokers Know About You,” ProPublica, 2014, available at:

[230] A. Tanner, “How Data Brokers Make Money Off Your Medical Records,” Scientific American, 2016, available at:

[231] B. Kaplan, “Selling Health Data,” Cambridge Quarterly of Healthcare Ethics, vol. 24, no. 3, pp. 256-271, 2015.

[232] M. Huesch, M. Ong and B. D. Richman, “Could Data Broker Information Threaten Physician Prescribing and Professional Behavior?,” SSRN Electronic Journal, 2015.

[233] P. Dixon, “Congressional Testimony: What Information Do Data Brokers Have on Consumers?,” World Privacy Forum, 2013, available at:

[234] Juliana De Groot, “The History of Data Breaches,” Digital Guardian’s Blog, October 2019.

[235] C. Cadwalladr and E. Graham-Harrison, “Revealed: 50 million Facebook profiles harvested for Cambridge Analytica in major data breach,” The Guardian, 17 March 2018.

[236] H. Berghel, “Equifax and the Latest Round of Identity Theft Roulette,” Computer, vol. 50, no. 12, pp. 72-76, 2017.

[237] R. Langner, “Stuxnet: Dissecting a Cyberwarfare Weapon,” IEEE Security & Privacy, vol. 9, no. 3, pp. 49-51, 2011.

[238] B. Watkins, “The impact of cyber attacks on the private sector,” Association for International Affairs, 2014.

[239] C. Bronk and E. Tikk-Ringas, “The Cyber Attack on Saudi Aramco,” Survival, vol. 55, no. 2, pp. 81-96, 2013.

[240] V. Joubert, “Five Years After Estonia’s Cyber Attacks: Lessons Learned for NATO?,” NATO Defense College, 2012.

[241] J. F. Brenner, “Eyes wide shut: The growing threat of cyber attacks on industrial control systems,” Bulletin of the Atomic Scientists, vol. 69, no. 5, pp. 15-20, 2013.

[242] G. Silowash, D. Cappelli, A. Moore, R. Trzeciak, T. J. Shimeall and L. Flynn, “Common Sense Guide to Mitigating Insider Threats,” 2012.

[243] Department of Homeland Security, Insider Threat – Cyber, DHS National Cybersecurity and Communications Integration Center, 2019.

[244] Mike Isaac, “Facebook Finds New Disinformation Campaigns and Braces for 2020 Torrent,” The New York Times, October 21, 2019.

[245] Shelly Banjo, “Facebook, Twitter and the Digital Disinformation Mess,” The Washington Post, October 2, 2019.

[246] Ö. Sandıkcı and A. Ekici, “Politically motivated brand rejection,” Journal of Business Research, vol. 62, no. 2, pp. 208-217, 2009.

[247] J. J. Angel and D. M. McCabe, “The Business Ethics of Short Selling and Naked Short Selling,” Journal of Business Ethics, vol. 85, no. 1, pp. 239-249, 2009.

[248] D. W. McCormick and J. C. Spee, “IBM and Germany 1922–1941,” Organization Management Journal, vol. 5, no. 4, pp. 214-223, 2008.

[249] S. M. Rao and J. B. Hamilton III, “The effect of published reports of unethical conduct on stock prices,” Journal of Business Ethics, vol. 15, no. 12, pp. 1321-1330, 1996.

[250] F. M. Chee, “An Uber ethical dilemma: examining the social issues at stake,” Journal of Information, Communication and Ethics in Society, vol. 16, no. 3, pp. 261-274, 2018.

[251] M. Ahsan, “Entrepreneurship and Ethics in the Sharing Economy: A Critical Perspective,” Journal of Business Ethics, pp. 1-15, 2018.

[252] J. R. Westby, Governance of Enterprise Security: CyLab 2012 Report, Pittsburgh, PA, 2012.

[253] Data Security Council of India, “Developing a Framework to Improve Critical Infrastructure Cybersecurity.”

[254] B. Srinidhi, J. Yan and G. K. Tayi, “Allocation of Resources to Cyber-Security: The Effect of Misalignment of Interest between Managers and Investors,” Decision Support Systems, vol. 75, pp. 49-62, 2015.