Indicators of Malicious SSL Connections

Internet applications use SSL to provide data confidentiality to communicating entities. The use of encryption in SSL makes it impossible to distinguish between benign and malicious connections as the content cannot be inspected. Therefore, we propose and evaluate a set of indicators for malicious SSL connections, which is based on the unencrypted part of SSL (i.e., the SSL handshake protocol). We provide strong evidence for the strength of our indicators to identify malicious connections by cross-checking on blacklists from professional services. Besides the confirmation of prior research results through our indicators, we also found indications for a potential (not yet blacklisted) botnet on SSL. We consider the analysis of such SSL threats as highly relevant and hope that our findings stimulate the research community to further study this direction. © Springer International Publishing Switzerland 2015

Danger is My Middle Name: Experimenting with SSL Vulnerabilities in Android Apps

This paper presents a measurement study of information leakage and SSL vulnerabilities in popular Android apps. We perform static and dynamic analysis on 100 apps, downloaded at least 10M times, that request full network access. Our experiments show that, although prior work has drawn a lot of attention to SSL implementations on mobile platforms, several popular apps (32/100) accept all certificates and all hostnames, and four actually transmit sensitive data unencrypted. We set up an experimental testbed simulating man-in-the-middle attacks and find that many apps (up to 91% when the adversary has a certificate installed on the victim's device) are vulnerable, allowing the attacker to access sensitive information, including credentials, files, personal details, and credit card numbers. Finally, we provide a few recommendations to app developers and highlight several open research problems.Comment: A preliminary version of this paper appears in the Proceedings of ACM WiSec 2015. This is the full versio

Internet security for mobile computing

Mobile devices are now the most dominant computer platform. Every time a mobile web application accesses the internet, the end user’s data is susceptible to malicious attacks. For instance, when paying a bill at a store with NFC mobile payment, navigating through a city operating GPS on a smartphone, or dictating the temperature at a household with a home automation device. These activities seem routine, yet, when vulnerabilities are present they can leave holes for hackers to access bank accounts, pinpoint a user’s recent location, or tell when someone is not at home. The awareness of the end user cannot be trusted. Device vendors and developers must provide safeguards. An ongoing issue is that the present security standards are outdated and were never envisioned with mobile devices in mind. It can be suggested that security is only idling the progress of mobile computing. Still, many application developers and IT professionals do not adopt security standards fast enough to keep up-to-date with known vulnerabilities. The main goals of the next generation of security standards, TLS, will provide developers with greater security efficiency and improved mobile throughput. These proposed capabilities of the TLS protocol will streamline mobile computing into the forefront of security practices. The analysis of this report demonstrates concepts on the direction mobile security, usability, and performance from a development standpoint.Electrical and Computer Engineerin

Spoiled Onions: Exposing Malicious Tor Exit Relays

Several hundred Tor exit relays together push more than 1 GiB/s of network traffic. However, it is easy for exit relays to snoop and tamper with anonymised network traffic and as all relays are run by independent volunteers, not all of them are innocuous. In this paper, we seek to expose malicious exit relays and document their actions. First, we monitored the Tor network after developing a fast and modular exit relay scanner. We implemented several scanning modules for detecting common attacks and used them to probe all exit relays over a period of four months. We discovered numerous malicious exit relays engaging in different attacks. To reduce the attack surface users are exposed to, we further discuss the design and implementation of a browser extension patch which fetches and compares suspicious X.509 certificates over independent Tor circuits. Our work makes it possible to continuously monitor Tor exit relays. We are able to detect and thwart many man-in-the-middle attacks which makes the network safer for its users. All our code is available under a free license

Dockerized MISP (Malware Information Sharing Platform)

Dockerització de la plataforma MISP (Malware Information Sharing Platform) per a compartició d'informació relacionada amb malware i atacs cibernètics per crear un entorn segur on les regles de firewall y proxy s'actualitzin automàticament a partir de la informació que s'introdueixi a la plataforma. Vol se una sol·lució econòmica alternativa a appliances com podrien ser FireEye per a empreses petites on empreses del mateix sector puguin compartir informació sobre amenaces comuns entre elles i així estar el més protegides possible. Els objectius principals serien: -Dockeritzar l'aplicació. Crear una instal·lador de MISP fàcilment desplegable en entorns productius mitjançant Docker sense afectació per a les empreses. -Crear una xarxa de MISPs intercommunicats entre ells simulant ser diferentes empreses. -Extreure/automatizar la creació de regles de firewall per a sistemes IPS/IDS (utilitzaria Snort en pfsense). Simularia ser el firewall de les empreses. -Veure com es comporta el sistema simulant atacs dins del parc de les empreses i veient com s'evita la infecció (extreure telemetria).In an age where most companies offer as much services as they can on the Internet, any protection against cyber threats is little. That is why employee awareness campaigns about security, good network architecture designs, fine-tuned monitoring systems and adequate data treatment policies are of vital importance to companies. Any unexpected production disruption, unavailability of services or information leakage due to a cyberattack can be translated to significant losses at both economical and reputational level. The aim of this project is to study feasibility of using a malware related information platform for sharing information assets between small, medium and large sized companies as alternative or complement of most advanced and expensive systems in the market in an open source software deployment. A company environment will be simulated in order to integrate Malware Information Sharing Platform with common security systems and study the behavior when a threat is detected.En una era donde las empresas ofrecen tantos servicios como pueden a través de Internet, toda protección contra amenazas de carácter cibernético es poca. Es por esto que campañas de concienciación a los empleados acerca de seguridad y buenas prácticas, buenos diseños de arquitectura de red, sistemas de monitorización bien afinados i políticas de tratamiento de datos adecuadas son vitales para las empresas. Cualquier corte inesperado en la cadena de producción, indisponibilidad de servicios utilizados día a día para el funcionamiento o fugas de información debidas a un ataque cibernético se pueden traducir en pérdidas importantes tanto a nivel económico como reputacional. El objetivo de este proyecto es estudiar la viabilidad de utilizar una plataforma de información relacionada con malware y amenazas para compartir información entre pequeñas, medianas y grandes empresas como alternativa o complemento a los aplicativos más avanzados y costosos del mercado mediante la utilización de software libre. Se simulará un entorno empresarial para integrar MISP (Malware Information Sharing Platform) con otras herramientas de seguridad comunes y poder estudiar así el comportamiento del sistema ante la detección de una amenaza.En un món on les empresen ofereixen tants serveis com els és posible a través d'Internet, tota protecció contra amenaces de caire cibernètic és poca. És per això que campanyes de concienciació als empleats sobre seguretat i bones pràctiques, bons dissenys d'arquitectura de xarxa, sistemes de monitorització ben ajustats i polítiques de tractament de dades adequades són vitals per a les empreses. Qualsevol aturada inesperada de la cadena de producción, indisponibilitat de serveis que s'utilitzin dia a dia o fugues d'informació degudes a un atac cibernètic es poden traduir en pèrdues importants tant a nivell econònic com reputacional. L'objectiu d'aquest projecte és estudiar la viabilitat d'utilitzar una plataforma d'informació relacionada amb malware i amenaces per compartir informació entre petites, mitjanes i grans empreses com a alternativa o complement als aplicatius més avançats i costosos del mercat mitjançant la utilització de software lliure. És simularà un entorn empresarial per tal d'integrar MISP (Malware Information Sharing Platform) amb altres sistemes de seguretat comuns i estudiar el comportament del sistema davant la detecció duna amenaça