193 research outputs found

    Investigations into Decrypting Live Secure Traffic in Virtual Environments

    Malicious agents increasingly use encrypted tunnels to communicate with external servers. Communications may contain ransomware keys, stolen banking details, or other confidential information. Rapid discovery of communicated contents through decrypting tunnelled traffic can support effective means of dealing with these malicious activities. Decrypting communications requires knowledge of cryptographic algorithms and artefacts, such as encryption keys and initialisation vectors. Such artefacts may exist in volatile memory when software applications encrypt. Virtualisation technologies can enable the acquisition of virtual machine memory to support the discovery of these cryptographic artefacts. A framework is constructed to investigate the decryption of potentially malicious communications using novel approaches to identify candidate initialisation vectors, and use these to discover candidate keys. The framework focuses on communications that use the Secure Shell and Transport Layer Security protocols in virtualised environments for different operating systems, protocols, encryption algorithms, and software implementations. The framework minimises virtual machine impact, and functions at an elevated level to make detection by virtual machine software difficult. The framework analyses Windows and Linux memory and validates decrypts for both protocols when the Advanced Encryption Standard symmetric block or ChaCha20 symmetric stream algorithms are used for encryption. It also investigates communications originating from malware clients, such as bots and ransomware, that use Windows cryptographic libraries. The framework correctly decrypted tunnelled traffic with near certainty in almost all experiments. The analysis durations ranged from sub-second to less than a minute, demonstrating that decryption of malicious activity before network session completion is possible. This can enable in-line detection of unknown malicious agents, timely discovery of ransomware keys, and knowledge of exfiltrated confidential information.

    Deriving ChaCha20 Key Streams From Targeted Memory Analysis

    There can be performance and vulnerability concerns with block ciphers, thus stream ciphers can be used as an alternative. Although many symmetric key stream ciphers are fairly resistant to side-channel attacks, cryptographic artefacts may exist in memory. This paper identifies a significant vulnerability within OpenSSH and OpenSSL which involves the discovery of cryptographic artefacts used within the ChaCha20 cipher. This can allow for the cracking of tunnelled data using a single targeted memory extraction. With this, law enforcement agencies and/or malicious agents could use the vulnerability to take copies of the encryption keys used for each tunnelled connection. The user of a virtual machine would not be alerted to the capturing of the encryption key, as the method runs from an extraction of the running memory. Methods of mitigation include making cryptographic artefacts difficult to discover and limiting memory access.

    Teaching Cybersecurity Using the Cloud

    Cloud computing platforms can be highly attractive for conducting course assignments and empowering students with valuable and indispensable hands-on experience. In particular, the cloud can offer teaching staff and students (whether local or remote) on-demand, elastic, dedicated, isolated, (virtually) unlimited, and easily configurable virtual machines. As such, employing cloud-based laboratories can have clear advantages over using classical ones, which impose major hindrances against fulfilling pedagogical objectives and do not scale well when the number of students and distant university campuses grows. We show how the cloud paradigm can be leveraged to teach a cybersecurity course. Specifically, we share our experience when using cloud computing to teach a senior course on cybersecurity across two campuses via a virtual classroom equipped with live audio and video. Furthermore, based on this teaching experience, we propose guidelines that can be applied to teach similar computer science and engineering courses. We demonstrate how cloud-based laboratory exercises can greatly help students in acquiring crucial cybersecurity skills as well as cloud computing ones, which are in high demand nowadays. The cloud we used for this course was the Amazon Web Services (AWS) public cloud. However, our presented use cases and approaches are equally applicable to other available cloud platforms such as Rackspace and Google Compute Engine, among others.

    Critical Analysis on Detection and Mitigation of Security Vulnerabilities in Virtualization Data Centers

    There is an increasing demand for IT resources in growing business enterprises. Data center virtualization helps to meet this increasing demand by driving higher server utilization and using otherwise idle CPU cycles without causing much increase in new servers. Reduction in infrastructure complexity and optimization of the cost of IT system management, power and cooling are some of the additional benefits of virtualization. Virtualization also brings various security vulnerabilities: virtualized servers and web-facing applications are prone to attacks such as hyperjacking, intrusion, data theft, and denial of service. This work identifies the security challenges in virtualization. A critical analysis of existing state-of-the-art works on detection and mitigation of various vulnerabilities is presented. The aim is to identify the open issues and briefly propose prospective solutions for them.

    Review of Custom Grids for Updated Vehicles on VANET Simulators

    VANET deployment and testing is time-consuming and costly. Simulation is a handy and less expensive alternative to real implementation. Accurate models are required in order to obtain good results from a VANET simulation, a difficult task owing to the complexity of the VANET infrastructure (for example, simulators have to model both the navigation models and the communication protocols). The network and navigation components, which are the building blocks of contemporary VANET simulators, are described in this section. Simulators are a useful tool for testing VANETs at minimal cost and without endangering users. However, in order to be helpful and convey trustworthy findings, simulators must be able to simulate new technologies that enter the VANET and enable safety and security procedures. To put it another way, if simulation is to be a good tool for VANET development it should be enhanced. VANET simulators have been the subject of research since early 2010 [1-4]. These studies analyze the correctness of a VANET simulator's numerous tools, such as the navigation simulator and the network simulator, as well as how these building blocks are connected. The introduction of new network technologies such as 5G, SDN, and edge computing, and VANET research driven by investments in autonomous cars, are forcing VANET simulators to re-evaluate their support for these new capabilities. We present an updated evaluation of VANET simulators in this post, highlighting their key features and current support for emerging technologies.

    Evaluating Security Aspects for Building a Secure Virtual Machine

    One of the essential characteristics of cloud computing that revolutionized the IT business is the sharing of computing resources. Despite all the benefits, security is a major concern in a cloud virtualization environment. Among those security issues is securely managing the Virtual Machine (VM) images that contain operating systems, configured platforms, and data. Confidentiality, availability, and integrity of such images pose major concerns, as they determine the overall security of the virtual machines. This paper identifies and discusses the attributes that define the degree of security in VM images. It addresses this problem by explaining the different methods and frameworks developed in the past for implementing secure VM images. Finally, this paper analyses the security issues and attributes and proposes a framework that includes an approach to developing secure VM images. This work aims to enhance the security of cloud environments.

    Automatic Test Framework Anomaly Detection in Home Routers

    In the modern world most people have a home network with multiple devices behind it. These devices include simple IoT devices that require external protection so that they do not join a botnet. This protection can be provided by a security router with a feature that learns the usual network traffic of a device and alerts on unusual behaviour. This work is dedicated to creating a testbed to verify such a router's operation. The testbed includes tools to capture IoT traffic, edit it, and replay it. The created tool supports UDP, TCP, and partially ICMP, and is extendable to other protocols. UDP and TCP traffic is replayed using OS sockets at the transport layer. The methods described have been proven to work on a real setup.

    Platform for deploying a highly available, secure and scalable web hosting architecture to the AWS cloud with Terraform

    The goal of this project is to create a platform capable of carrying out all the steps needed to generate an infrastructure ready to host the most demanding web portals in the Amazon Web Services cloud. The interest of this service lies in the high availability that these websites require: they cannot afford to be out of service, they require extreme security, and they carry a high maintenance cost because of the variable and unpredictable demand they usually have. The platform presented, developed in Python, on the one hand automates the creation of the infrastructure using the Terraform language, one of the pillars of infrastructure as code (IaC), which makes it easy to create, delete and destroy this type of cloud deployment. On the other hand, it prepares the code to be maintained over time quickly and efficiently, fostering collaborative teamwork (CI/CD) through GitHub version control and storage of the Terraform code in the AWS cloud. Throughout the report, the main concepts of Terraform are introduced, each of the components that make up the infrastructure is listed and explained in depth, and it is detailed how the platform was built as well as the actions it carries out. The thesis concludes by reflecting on the advantages the cloud brings to industry and the mistakes, time and money that using it together with an infrastructure-as-code language saves, as well as the benefits of designing from the outset environments that facilitate continuous development and teamwork. All the code developed during the project can be consulted in the following public GitHub repository: https://github.com/j1nc0/TFG