1,435 research outputs found
Short Paper: On Deployment of DNS-based Security Enhancements
Although the Domain Name System (DNS) was designed as a naming system, its
features have made it appealing to repurpose it for the deployment of novel
systems. One important class of such systems are security enhancements, and
this work sheds light on their deployment. We show the characteristics of these
solutions and measure reliability of DNS in these applications. We investigate
the compatibility of these solutions with the Tor network, signal necessary
changes, and report on surprising drawbacks in Tor's DNS resolution.Comment: Financial Cryptography and Data Security (FC) 201
HLOC: Hints-Based Geolocation Leveraging Multiple Measurement Frameworks
Geographically locating an IP address is of interest for many purposes. There
are two major ways to obtain the location of an IP address: querying commercial
databases or conducting latency measurements. For structural Internet nodes,
such as routers, commercial databases are limited by low accuracy, while
current measurement-based approaches overwhelm users with setup overhead and
scalability issues. In this work we present our system HLOC, aiming to combine
the ease of database use with the accuracy of latency measurements. We evaluate
HLOC on a comprehensive router data set of 1.4M IPv4 and 183k IPv6 routers.
HLOC first extracts location hints from rDNS names, and then conducts
multi-tier latency measurements. Configuration complexity is minimized by using
publicly available large-scale measurement frameworks such as RIPE Atlas. Using
this measurement, we can confirm or disprove the location hints found in domain
names. We publicly release HLOC's ready-to-use source code, enabling
researchers to easily increase geolocation accuracy with minimum overhead.Comment: As published in TMA'17 conference:
http://tma.ifip.org/main-conference
The Rise of Certificate Transparency and Its Implications on the Internet Ecosystem
In this paper, we analyze the evolution of Certificate Transparency (CT) over
time and explore the implications of exposing certificate DNS names from the
perspective of security and privacy. We find that certificates in CT logs have
seen exponential growth. Website support for CT has also constantly increased,
with now 33% of established connections supporting CT. With the increasing
deployment of CT, there are also concerns of information leakage due to all
certificates being visible in CT logs. To understand this threat, we introduce
a CT honeypot and show that data from CT logs is being used to identify targets
for scanning campaigns only minutes after certificate issuance. We present and
evaluate a methodology to learn and validate new subdomains from the vast
number of domains extracted from CT logged certificates.Comment: To be published at ACM IMC 201
How to Measure TLS, X.509 Certificates, and Web PKI: A Tutorial and Brief Survey
Transport Layer Security (TLS) is the base for many Internet applications and
services to achieve end-to-end security. In this paper, we provide guidance on
how to measure TLS deployments, including X.509 certificates and Web PKI. We
introduce common data sources and tools, and systematically describe necessary
steps to conduct sound measurements and data analysis. By surveying prior TLS
measurement studies we find that diverging results are rather rooted in
different setups instead of different deployments. To improve the situation, we
identify common pitfalls and introduce a framework to describe TLS and Web PKI
measurements. Where necessary, our insights are bolstered by a data-driven
approach, in which we complement arguments by additional measurements
A Macroscopic Study of Network Security Threats at the Organizational Level.
Defenders of today's network are confronted with a large number of malicious activities such as spam, malware, and denial-of-service attacks. Although many studies have been performed on how to mitigate security threats, the interaction between attackers and defenders is like a game of Whac-a-Mole, in which the security community is chasing after attackers rather than helping defenders to build systematic defensive solutions. As a complement to these studies that focus on attackers or end hosts, this thesis studies security threats from the perspective of the organization, the central authority that manages and defends a group of end hosts. This perspective provides a balanced position to understand security problems and to deploy and evaluate defensive solutions.
This thesis explores how a macroscopic view of network security from an organization's perspective can be formed to help measure, understand, and mitigate security threats. To realize this goal, we bring together a broad collection of reputation blacklists. We first measure the properties of the malicious sources identified by these blacklists and their impact on an organization. We then aggregate the malicious sources to Internet organizations and characterize the maliciousness of organizations and their evolution over a period of two and half years. Next, we aim to understand the cause of different maliciousness levels in different organizations. By examining the relationship between eight security mismanagement symptoms and the maliciousness of organizations, we find a strong positive correlation between mismanagement and maliciousness. Lastly, motivated by the observation that there are organizations that have a significant fraction of their IP addresses involved in malicious activities, we evaluate the tradeoff of one type of mitigation solution at the organization level --- network takedowns.PhDComputer Science and EngineeringUniversity of Michigan, Horace H. Rackham School of Graduate Studieshttp://deepblue.lib.umich.edu/bitstream/2027.42/116714/1/jingzj_1.pd
Evaluating Resilience of Electricity Distribution Networks via A Modification of Generalized Benders Decomposition Method
This paper presents a computational approach to evaluate the resilience of
electricity Distribution Networks (DNs) to cyber-physical failures. In our
model, we consider an attacker who targets multiple DN components to maximize
the loss of the DN operator. We consider two types of operator response: (i)
Coordinated emergency response; (ii) Uncoordinated autonomous disconnects,
which may lead to cascading failures. To evaluate resilience under response
(i), we solve a Bilevel Mixed-Integer Second-Order Cone Program which is
computationally challenging due to mixed-integer variables in the inner problem
and non-convex constraints. Our solution approach is based on the Generalized
Benders Decomposition method, which achieves a reasonable tradeoff between
computational time and solution accuracy. Our approach involves modifying the
Benders cut based on structural insights on power flow over radial DNs. We
evaluate DN resilience under response (ii) by sequentially computing autonomous
component disconnects due to operating bound violations resulting from the
initial attack and the potential cascading failures. Our approach helps
estimate the gain in resilience under response (i), relative to (ii)
Emerging Phishing Trends and Effectiveness of the Anti-Phishing Landing Page
Each month, more attacks are launched with the aim of making web users
believe that they are communicating with a trusted entity which compels them to
share their personal, financial information. Phishing costs Internet users
billions of dollars every year. Researchers at Carnegie Mellon University (CMU)
created an anti-phishing landing page supported by Anti-Phishing Working Group
(APWG) with the aim to train users on how to prevent themselves from phishing
attacks. It is used by financial institutions, phish site take down vendors,
government organizations, and online merchants. When a potential victim clicks
on a phishing link that has been taken down, he / she is redirected to the
landing page. In this paper, we present the comparative analysis on two
datasets that we obtained from APWG's landing page log files; one, from
September 7, 2008 - November 11, 2009, and other from January 1, 2014 - April
30, 2014. We found that the landing page has been successful in training users
against phishing. Forty six percent users clicked lesser number of phishing
URLs from January 2014 to April 2014 which shows that training from the landing
page helped users not to fall for phishing attacks. Our analysis shows that
phishers have started to modify their techniques by creating more legitimate
looking URLs and buying large number of domains to increase their activity. We
observed that phishers are exploiting ICANN accredited registrars to launch
their attacks even after strict surveillance. We saw that phishers are trying
to exploit free subdomain registration services to carry out attacks. In this
paper, we also compared the phishing e-mails used by phishers to lure victims
in 2008 and 2014. We found that the phishing e-mails have changed considerably
over time. Phishers have adopted new techniques like sending promotional
e-mails and emotionally targeting users in clicking phishing URLs
Internet censorship in the European Union
Diese Arbeit befasst sich mit Internetzensur innnerhalb der EU, und hier
insbesondere mit der technischen Umsetzung, das heißt mit den angewandten
Sperrmethoden und Filterinfrastrukturen, in verschiedenen EU-Ländern. Neben
einer Darstellung einiger Methoden und Infrastrukturen wird deren Nutzung zur
Informationskontrolle und die Sperrung des Zugangs zu Websites und anderen im
Internet verfügbaren Netzdiensten untersucht. Die Arbeit ist in drei Teile
gegliedert. Zunächst werden Fälle von Internetzensur in verschiedenen EU-Ländern
untersucht, insbesondere in Griechenland, Zypern und Spanien. Anschließend wird
eine neue Testmethodik zur Ermittlung der Zensur mittels einiger Anwendungen,
welche in mobilen Stores erhältlich sind, vorgestellt. Darüber hinaus werden
alle 27 EU-Länder anhand historischer Netzwerkmessungen, die von freiwilligen
Nutzern von OONI aus der ganzen Welt gesammelt wurden, öffentlich zugänglichen
Blocklisten der EU-Mitgliedstaaten und Berichten von
Netzwerkregulierungsbehörden im jeweiligen Land analysiert.This is a thesis on Internet censorship in the European Union (EU),
specifically regarding the technical implementation of blocking methodologies
and filtering infrastructure in various EU countries. The analysis examines the
use of this infrastructure for information controls and the blocking of access
to websites and other network services available on the Internet. The thesis
follows a three-part structure. Firstly, it examines the cases of Internet
censorship in various EU countries, specifically Greece, Cyprus, and Spain.
Subsequently, this paper presents a new testing methodology for determining
censorship of mobile store applications. Additionally, it analyzes all 27 EU
countries using historical network measurements collected by Open Observatory
of Network Interference (OONI) volunteers from around the world, publicly
available blocklists used by EU member states, and reports issued by network
regulators in each country
- …