
    XML Rewriting Attacks: Existing Solutions and their Limitations

    Web Services are web-based applications made available to web users or to remote web-based programs. In order to promote interoperability, they publish their interfaces in the so-called WSDL file and allow remote calls over the network. Although Web Services can be used in different ways, the industry standard is Service Oriented Architecture Web Services, which do not rely on implementation details. In this architecture, communication is performed through XML-based messages called SOAP messages. However, those messages are prone to attacks that can lead to code injection, unauthorized access, identity theft, etc. These attacks, called XML Rewriting Attacks, are all based on unauthorized, yet possible, modifications of SOAP messages. We present in this paper an explanation of this kind of attack, review the existing solutions, and show their limitations. We also propose some ideas to secure SOAP messages, as well as implementation ideas.
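    The rewriting the abstract refers to is easiest to see on a concrete message. The Python below is an added example, not code from the paper: it builds a constructed SOAP request whose Body is "signed" by Id reference, rewrites the message so the signed Body is moved into a wrapper element while an unsigned Body takes its place, and shows that a verifier which resolves the Id anywhere in the document still accepts it, while a verifier that insists the referenced element be the very Body the service acts on rejects it. The signature is a bare SHA-256 digest standing in for XML-DSig (no canonicalization, no key), the `transfer` operation and the `Wrapper` element are hypothetical, and the namespaces are the standard SOAP 1.1 and WS-Security utility ones.

```python
"""Added example, not from the paper: a simplified XML Signature Wrapping
attack on a SOAP message, plus the structural check that defeats it.
The "signature" is a bare SHA-256 digest of the element referenced by
wsu:Id; real XML-DSig canonicalization and key-based signing are omitted."""
import copy
import hashlib
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSU = ("http://docs.oasis-open.org/wss/2004/01/"
       "oasis-200401-wss-wssecurity-utility-1.0.xsd")
NS = {"soap": SOAP, "wsu": WSU}
ID_ATTR = f"{{{WSU}}}Id"
ET.register_namespace("soap", SOAP)
ET.register_namespace("wsu", WSU)

# Constructed sample payloads (hypothetical 'transfer' operation).
LEGIT_BODY = (f'<soap:Body xmlns:soap="{SOAP}" xmlns:wsu="{WSU}" wsu:Id="body">'
              '<transfer><to>alice</to><amount>10</amount></transfer></soap:Body>')
EVIL_BODY = (f'<soap:Body xmlns:soap="{SOAP}">'
             '<transfer><to>mallory</to><amount>1000000</amount></transfer></soap:Body>')


def digest(elem):
    """Digest of one element's serialization, ignoring trailing whitespace (tail)."""
    e = copy.deepcopy(elem)
    e.tail = None
    return hashlib.sha256(ET.tostring(e)).hexdigest()


def sign(body_xml):
    """Build a signed envelope whose Reference points at the Body via URI="#body"."""
    d = digest(ET.fromstring(body_xml))
    return (f'<soap:Envelope xmlns:soap="{SOAP}" xmlns:wsu="{WSU}">'
            '<soap:Header><Signature><Reference URI="#body">'
            f'<DigestValue>{d}</DigestValue></Reference></Signature></soap:Header>'
            f'{body_xml}</soap:Envelope>')


def wrap_attack(signed_xml, attacker_body_xml):
    """Rewrite the message: move the signed Body (Id and content intact) under a
    Wrapper in the Header and put an unsigned attacker Body where it was."""
    env = ET.fromstring(signed_xml)
    header, body = env.find("soap:Header", NS), env.find("soap:Body", NS)
    env.remove(body)
    ET.SubElement(header, "Wrapper").append(body)
    env.append(ET.fromstring(attacker_body_xml))
    return ET.tostring(env)


def elements_with_id(env, ref_id):
    return [e for e in env.iter() if e.get(ID_ATTR) == ref_id]


def reference(env):
    ref = env.find(".//Reference")
    return ref.get("URI").lstrip("#"), ref.findtext("DigestValue")


def verify_naive(xml):
    """Typical flawed check: resolve the Id anywhere in the document, compare digests."""
    env = ET.fromstring(xml)
    ref_id, expected = reference(env)
    found = elements_with_id(env, ref_id)
    return bool(found) and digest(found[0]) == expected


def verify_hardened(xml):
    """Digest must match AND the referenced element must be the very Body the
    service will act on: a unique Id, and object identity with Envelope/Body."""
    env = ET.fromstring(xml)
    ref_id, expected = reference(env)
    found = elements_with_id(env, ref_id)
    body = env.find("soap:Body", NS)
    return len(found) == 1 and found[0] is body and digest(body) == expected


def processed_amount(xml):
    """What a service that reads Envelope/Body after signature checking would execute."""
    return ET.fromstring(xml).find("soap:Body/transfer/amount", NS).text


def demo():
    legit = sign(LEGIT_BODY)
    evil = wrap_attack(legit, EVIL_BODY)
    return {
        "legit_naive": verify_naive(legit),
        "legit_hardened": verify_hardened(legit),
        "evil_naive": verify_naive(evil),        # True: the moved Body still matches
        "evil_hardened": verify_hardened(evil),  # False: signed element is not the Body
        "legit_amount": processed_amount(legit),
        "evil_amount": processed_amount(evil),   # the attacker's value gets executed
    }


if __name__ == "__main__":
    print(demo())
```

    The point of the hardened check is that the digest comparison never fails in a wrapping attack; what fails is the implicit assumption that "the element with this Id" and "the element the application processes" are the same thing, so the verifier has to assert that relationship explicitly.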

    Cybercrimes in Southern Nigeria and survey of IoT implications

    This study comprises a survey of cybercrime situational awareness in the southern part of Nigeria and of readiness for the IoT implications resulting from the challenges of IoT technology adoption for consumer and industrial use cases. We considered cybercrimes in the forms of identity theft, data theft, false alerts, dating and romance scams and online shopping scams. The analysis shows, among other things, 84% involvement in identity theft and 20% involvement in data theft, with the mode of operation being highest through web-based applications. Although cybercriminals are yet to fully utilize the vast potential of emerging IoT technology and its vulnerabilities to commit cybercrimes in the region, the rate is on the increase. Also presented is a generic background study on IoT security concerning device capabilities, threat landscape, policy frameworks and applications, from which cybercrime trend mitigations and recommendations to reduce the impending dangers of IoT cybercrimes were proposed.

    Malicious Web Sites Detection using C4.5 Decision Tree

    Technological advancement poses a challenge to cybercriminals in carrying out various online criminal acts, such as identity theft, extortion of money or simply spreading viruses and worms. The common aim of online criminals is to attract visitors to a Web site, which can be easily accessed by clicking on the URL. Blacklisting seems not to be a successful way of marking Web sites with "bad" content, considering that many malicious Web sites are not blacklisted. The aim of this paper is to evaluate the ability of the C4.5 decision tree classifier to detect malicious Web sites based on the features that characterize URLs. The classifier is evaluated through several performance evaluation criteria, namely accuracy, sensitivity, specificity and area under the ROC curve. The C4.5 decision tree classifier achieved significant success in malicious Web site detection, considering all four criteria (accuracy 96.5, sensitivity 96.4, specificity 96.5 and area under the curve 0.958).

    Detection Of Phishing Websites And Secure Transactions

    Phishing is a form of electronic online identity theft in which the attackers use a combination of social engineering and web site spoofing techniques to trick a user into revealing confidential information. It steals the user's personal identity data and financial credentials. Most phishing attacks emerge as spoofed e-mails appearing as legitimate ones, which leads users to trust them and divulge information by clicking the link provided in the e-mail. To detect a phishing website, human experts compare the claimed identity of a website with features of the website. For example, human experts often compare the domain name in the URL against the claimed identity. Most legitimate websites have domain names that match their identities, while phishing websites usually have less relevance between their domain names and their claimed (fake) identities. In addition to the blacklists, white lists, heuristics, and classifications used in state-of-the-art systems, we propose to consider websites' identity claims. To enable secure transactions, password hashing is done with the MD5 hashing algorithm, which strengthens web password authentication. It is also shown that recovering the original password from its hashed form is not an easy task due to the addition of a salt value. If the user is valid, a session key is obtained via mobile, through which further access can be done.
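    The "domain name versus claimed identity" comparison the abstract describes can be automated. The Python below is an added example, not code from the paper: given a URL and the brand the page claims (for instance from its title or logo text), it reports whether that brand sits in the label the site owner actually registered, appears only in a subdomain or path where anyone can place it, is absent altogether, or the URL has no domain name at all. The registrable-domain rule (last two labels, or three for a small constructed set of two-level suffixes) is a simplified stand-in for a full public-suffix list, and the sample URLs are constructed for illustration.

```python
"""Added example, not code from the paper: the "domain name versus claimed
identity" comparison described above, run over constructed URLs. The
registrable-domain rule (last two labels, or three for a handful of known
two-level suffixes) is a simplified stand-in for a full public-suffix list."""
import ipaddress
from urllib.parse import urlsplit

# Assumption: a tiny subset of two-level public suffixes, enough for the demo.
TWO_LEVEL_SUFFIXES = {"co.uk", "com.au", "co.jp", "com.br"}


def split_host(url):
    """Return (host, subdomain part, registrable domain) for a URL."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    labels = host.split(".")
    k = 3 if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LEVEL_SUFFIXES else 2
    if len(labels) < k:
        return host, "", host
    return host, ".".join(labels[:-k]), ".".join(labels[-k:])


def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def normalise(text):
    """Lower-case alphanumerics only, so 'Pay Pal' and 'pay-pal' compare equal."""
    return "".join(ch for ch in text.lower() if ch.isalnum())


def classify(url, claimed_brand):
    """Compare the brand a page claims (title, logo text) with where it is hosted.

    'match'                      brand is in the label the site owner registered
    'ip-literal'                 no domain name at all
    'brand-in-subdomain-or-path' brand appears only where anyone can put it
    'no-relevance'               brand absent from the hostname entirely
    """
    brand = normalise(claimed_brand)
    host, subdomain, registrable = split_host(url)
    if is_ip_literal(host):
        return "ip-literal"
    if brand and brand in normalise(registrable.split(".")[0]):
        return "match"
    if brand in normalise(subdomain) or brand in normalise(urlsplit(url).path):
        return "brand-in-subdomain-or-path"
    return "no-relevance"


if __name__ == "__main__":
    # Constructed sample URLs for illustration.
    for url in ("https://www.paypal.com/signin",
                "http://www.paypal.com.account-verify.example/login",
                "http://203.0.113.5/paypal/login.php",
                "https://paypa1.com/"):
        print(classify(url, "PayPal"), url)
```

    The interesting outputs are the middle two categories: a brand that appears only left of the registrable domain or in the path is exactly the "less relevance between domain name and claimed identity" signal the abstract relies on, while a look-alike such as `paypa1` falls through to "no-relevance" because the comparison is on the normalised registered label, not on visual similarity.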

    The threats of social networking : old wine in new bottles?

    Despite the many potential benefits to its users, social networking appears to provide a rich setting for criminal activities and other misdeeds. In this paper we consider whether the risks of social networking are unique and novel to this context. Having considered the nature and range of applications to which social networks may be applied, we conclude that there are no exploits or fundamental threats inherent to the social networking setting. Rather, the risks and associated threats treat this communicative and social context as an enabler for existing, long-established and well-recognised exploits and activities.

    Under and over the surface: a comparison of the use of leaked account credentials in the Dark and Surface Web

    The world has seen a dramatic increase in cybercrime, both in the Surface Web, which is the portion of content on the World Wide Web that may be indexed by popular engines, and lately in the Dark Web, a portion that is not indexed by conventional search engines and is accessed through network overlays such as the Tor network. For instance, theft of online service credentials is an emerging problem, especially in the Dark Web, where the average price for someone's online identity is £820. Previous research studied the modus operandi of criminals that obtain stolen account credentials through Surface Web outlets. As part of an effort to understand how the same crime unfolds in the Surface Web and the Dark Web, this study seeks to compare the modus operandi of criminals acting on both by leaking Gmail honey accounts in Dark Web outlets. The results are compared to a previous similar experiment performed in the Surface Web. Simulating the operating activity of criminals, we posted 100 Gmail account credentials on hidden services on the Dark Web and monitored the activity that they attracted using a honeypot infrastructure. More specifically, we analysed the data generated by the two experiments to find differences in the activity observed, with the aim of understanding how leaked credentials are used in both Web environments. We observed that different types of malicious activity happen on honey accounts depending on the Web environment they are released in. Our results can provide the research community with insights into how stolen accounts are being manipulated in the wild in different Web environments.

    Can the Internet Kill? Holding Web Investigators Liable for Their Criminal Customers

    As the wealth of online information grows, private investigation websites are becoming more powerful and popular. Their client lists include attorneys, insurance agencies, banks, neighbors, employers, and, oh yes, stalkers and identity thieves. When a stalker used information from a web investigator to track down and kill his victim, the New Hampshire Supreme Court held the investigator liable for its customer's criminal acts. This iBrief considers how far liability should extend for a web investigator, distinguishes web investigators from handgun and bullet retailers, and explains how this decision realizes a policy against privacy invasions.

    Experimental Case Studies for Investigating E-Banking Phishing Techniques and Attack Strategies

    Phishing is a form of electronic identity theft in which a combination of social engineering and web site spoofing techniques is used to trick a user into revealing confidential information with economic value. The problem with social engineering attacks is that there is no single solution to eliminate them completely, since they deal largely with the human factor. This is why conducting empirical experiments is crucial in order to study and analyze malicious and deceptive phishing website attack techniques and strategies. In this paper, three different kinds of phishing experiment case studies have been conducted to shed some light on social engineering attacks, such as phone phishing and phishing website attacks, for designing effective countermeasures and analyzing the efficiency of security awareness about phishing threats. Results and reactions to our experiments show the importance of conducting phishing awareness training for all users and doubling our efforts in developing phishing prevention techniques. Results also suggest that traditional standard phishing indicators are not always effective for detecting phishing websites, and that alternative intelligent phishing detection approaches are needed.

    Identity theft: a pernicious and costly fraud

    On October 3, 2003, the Payment Cards Center of the Federal Reserve Bank of Philadelphia sponsored a workshop on identity theft to examine its growing impact on participants in our payments system. Avivah Litan, vice president and research director of financial services for Gartner Inc., led the workshop. The discussion began, and this paper follows, with a broad study of identity theft, at times compared with traditional payment fraud, and continues with an evaluation of its overall risk to consumers, merchants, and credit providers. The paper compares the incentives each such party has to address identity theft in concert with the current market response to the crime. Finally, the paper concludes by posing several questions for further study. This paper supplements material from Litan's presentation with additional research on the crime of identity theft.
    Keywords: Fraud; Identity theft