33 research outputs found

    Integration of the Captive Portal paradigm with the 802.1X architecture

    In a scenario where hotspot wireless networks are increasingly being used, and given the amount of sensitive information exchanged on Internet interactions, there is the need to implement security mechanisms that guarantee data confidentiality and integrity in such networks, as well as the authenticity of the hotspot providers. However, many hotspots today use Captive Portals, which rely on authentication through Web pages (thus, an application-level authentication approach) instead of a link-layer approach. The consequence of this is that there is no security in the wireless link to the hotspot (it has to be provided at upper protocol layers), and it is cumbersome to manage wireless access profiles (we need special applications or browsers' add-ons to do that). This work exposes the weaknesses of the Captive Portals' paradigm, which does not follow a unique nor standard approach, and describes a solution that intends to suppress them, based on the 802.1X architecture. This solution uses a new EAP-compliant protocol that is able to integrate an HTTP-based registration or authentication with a Captive Portal within the 802.1X authentication framework.

    WEB BROWSER AUTOMATION FOR AUTOMATIC LOGIN TO A CAPTIVE PORTAL

    The use of a captive portal in computer network security requires users to register on the hotspot page whenever access is needed. This research uses the text-based web browser lynx as the means of registering on the captive portal, automated with a script containing the user's username and password. The research setup uses simulation software running MikroTik RouterOS, with Linux as the user. The MikroTik is built as a captive portal using the setup wizard with the IP configuration 192.168.200.1/24, running the DHCP Server function on an interface1 connected directly to the user's Linux OS, which obtains its IP through DHCP Client. The captive portal page is served at the address http://test.mikrotik.local with the standard appearance. The login process through the lynx browser was recorded to obtain a script of the login process, which is then used to automate the login. Testing was done by running the cmd_script command containing the recorded login process and deleting the login session on the MikroTik after each success, ready for the next test. Testing was carried out 20 times with no failures, provided there was no interference from the user or the system while the automation was running.

    Captive Portal Network Authentication Based on WebAuthn Security Keys

    [Abstract]: Network authentication is performed via different technologies, which have evolved together with authentication systems in other environments. In all these environments, the authentication paradigm during the last decades has been the well-known password. However, passwords have some important security problems, like phishing or keylogging. In 2019, the WebAuthn standard from the W3C started a new authentication paradigm based on hardware devices known as security keys. Although they are already being used in many web authentication services, they have not yet been integrated with network authentication mechanisms. This work successfully developed and integrated an authentication server based on WebAuthn security keys with a captive portal system. With this solution, users can be authenticated using security keys within a web-based captive portal network authentication system that gives clients access to network resources. The resulting authentication server is compatible with major operating systems like Windows 10 and Ubuntu 20.04, browsers like Firefox and Google Chrome and security keys like the Solokey and the Yubikey. Master's thesis (UDC.FIC). Cybersecurity. Academic year 2021/202

    Effectiveness of Tools in Identifying Rogue Access Points on a Wireless Network

    Wireless access points have greatly improved users' ability to connect to the Internet. However, they often lack the security mechanisms needed to protect users. Malicious actors could create a rogue access point (RAP), using a device such as the WiFi Pineapple Nano, that could trick users into connecting to an illegitimate access point (AP). To make them look legitimate, adversaries tend to set up RAPs to include a captive portal. This is very effective, since most public networks use captive portals as a means to provide genuine access. The objective of this study is to examine the effectiveness of RAP identification tools in identifying WiFi Pineapple RAPs. Three common RAP identification tools were used, namely Aircrack-ng, Kismet, and inSSIDer. The result indicated that RAPs could easily be identified through actively monitoring networks using tools such as Aircrack-ng, Kismet, and inSSIDer.

    Bandwidth Allocation Mechanism based on Users' Web Usage Patterns for Campus Networks

    Managing the bandwidth in campus networks becomes a challenge in recent years. The limited bandwidth resource and continuous growth of users make the IT managers think on the strategies concerning bandwidth allocation. This paper introduces a mechanism for allocating bandwidth based on the users’ web usage patterns. The main purpose is to set a higher bandwidth to the users who are inclined to browsing educational websites compared to those who are not. In attaining this proposed technique, some stages need to be done. These are the preprocessing of the weblogs, class labeling of the dataset, computation of the feature subspaces, training for the development of the ANN for LDA/GSVD algorithm, visualization, and bandwidth allocation. The proposed method was applied to real weblogs from university’s proxy servers. The results indicate that the proposed method is useful in classifying those users who used the internet in an educational way and those who are not. Thus, the developed ANN for LDA/GSVD algorithm outperformed the existing algorithm up to 50% which indicates that this approach is efficient. Further, based on the results, few users browsed educational contents. Through this mechanism, users will be encouraged to use the internet for educational purposes. Moreover, IT managers can make better plans to optimize the distribution of bandwidth

    Network Neutrality and the False Promise of Zero-Price Regulation

    This Article examines zero-price regulation, the major distinguishing feature of many modern "network neutrality" proposals. A zero-price rule prohibits a broadband Internet access provider from charging an application or content provider (collectively, "content provider") to send information to consumers. The Article differentiates two access provider strategies thought to justify a zero-price rule. Exclusion is anticompetitive behavior that harms a content provider to favor its rival. Extraction is a toll imposed upon content providers to raise revenue. Neither strategy raises policy concerns that justify implementation of a broad zero-price rule. First, there is no economic exclusion argument that justifies the zero-price rule as a general matter, given existing legal protections against exclusion. A stronger but narrow argument for regulation exists in certain cases in which the output of social producers, such as Wikipedia, competes with ordinary market-produced content. Second, prohibiting direct extraction is undesirable and counterproductive, in part because it induces costly and unregulated indirect extraction. I conclude, therefore, that recent calls for broad-based zero-price regulation are mistaken.

    Wi-Fi Enabled Healthcare

    Focusing on its recent proliferation in hospital systems, Wi-Fi Enabled Healthcare explains how Wi-Fi is transforming clinical work flows and infusing new life into the types of mobile devices being implemented in hospitals. Drawing on first-hand experiences from one of the largest healthcare systems in the United States, it covers the key areas associated with wireless network design, security, and support. Reporting on cutting-edge developments and emerging standards in Wi-Fi technologies, the book explores security implications for each device type. It covers real-time location services and emerging trends in cloud-based wireless architecture. It also outlines several options and design consideration for employee wireless coverage, voice over wireless (including smart phones), mobile medical devices, and wireless guest services. This book presents authoritative insight into the challenges that exist in adding Wi-Fi within a healthcare setting. It explores several solutions in each space along with design considerations and pros and cons. It also supplies an in-depth look at voice over wireless, mobile medical devices, and wireless guest services. The authors provide readers with the technical knowhow required to ensure their systems provide the reliable, end-to-end communications necessary to surmount today’s challenges and capitalize on new opportunities. The shared experience and lessons learned provide essential guidance for large and small healthcare organizations in the United States and around the world. This book is an ideal reference for network design engineers and high-level hospital executives that are thinking about adding or improving upon Wi-Fi in their hospitals or hospital systems

    The Leaky Web: Automated Discovery of Cross-Site Information Leaks in Browsers and the Web

    When browsing the web, none of us want sites to infer which other sites we may have visited before or are logged in to. However, attacker-controlled sites may infer this state through browser side-channels dubbed Cross-Site Leaks (XS-Leaks). Although these issues have been known since the 2000s, prior reports mostly found individual instances of issues rather than systematically studying the problem space. Further, actual impact in the wild often remained opaque. To address these open problems, we develop the first automated framework to systematically discover observation channels in browsers. In doing so, we detect and characterize 280 observation channels that leak information cross-site in the engines of Chromium, Firefox, and Safari, which include many variations of supposedly fixed leaks. Atop this framework, we create an automatic pipeline to find XS-Leaks in real-world websites. With this pipeline, we conduct the largest to-date study on XS-Leak prevalence in the wild by performing visit inference and a newly proposed variant cookie acceptance inference attack on the Tranco Top10K. In addition, we test 100 websites for the classic XS-Leak attack vector of login detection. Our results show that XS-Leaks pose a significant threat to the web ecosystem as at least 15%, 34%, and 77% of all tested sites are vulnerable to the three attacks. Also, we present substantial implementation differences between the browsers resulting in differing attack surfaces that matter in the wild. To ensure browser vendors and web developers alike can check their applications for XS-Leaks, we open-source our framework and include an extensive discussion on countermeasures to get rid of XS-Leaks in the near future and ensure new features in browsers do not introduce new XS-Leaks

    Semantic discovery and reuse of business process patterns

    Patterns currently play an important role in modern information systems (IS) development and their use has mainly been restricted to the design and implementation phases of the development lifecycle. Given the increasing significance of business modelling in IS development, patterns have the potential of providing a viable solution for promoting reusability of recurrent generalized models in the very early stages of development. As a statement of research-in-progress this paper focuses on business process patterns and proposes an initial methodological framework for the discovery and reuse of business process patterns within the IS development lifecycle. The framework borrows ideas from the domain engineering literature and proposes the use of semantics to drive both the discovery of patterns as well as their reuse