IoTsafe, Decoupling Security from Applications for a Safer IoT
The use of robust security solutions is a must for the Internet of Things (IoT) devices and their applications: regulators in different countries are creating frameworks for certifying those devices with an acceptable security level. However, even for already certified devices, security protocols have to be updated when a breach is found or a certain version becomes obsolete. Many approaches for securing IoT applications are nowadays based on the integration of a security layer [e.g., using transport layer security, (TLS)], but this may result in difficulties when upgrading the security algorithms, as the whole application has to be updated. This fact may shorten the life of IoT devices. As a way to overcome these difficulties, this paper presents IoTsafe, a novel approach relying on secure socket shell (SSH), a feasible alternative to secure communications in IoT applications based on hypertext transfer protocol (HTTP and HTTP/2). In order to illustrate its advantages, a comparison between the traditional approach (HTTP with TLS) and our scheme (HTTP with SSH) is performed over low-power wireless personal area networks (6LoWPAN) through 802.15.4 interfaces. The results show that the proposed approach not only provides a more robust and easy-to-update solution, but it also brings an improvement to the overall performance in terms of goodput and energy consumption. Core server stress tests are also presented, and the server performance is also analyzed in terms of RAM consumption and escalation strategies.
Towards a Secure Smart Grid Storage Communications Gateway
This research in progress paper describes the role of cyber security measures
undertaken in an ICT system for integrating electric storage technologies into
the grid. To do so, it defines security requirements for a communications
gateway and gives detailed information and hands-on configuration advice on
node and communication line security, data storage, coping with backend M2M
communications protocols and examines privacy issues. The presented research
paves the road for developing secure smart energy communications devices that
allow enhancing energy efficiency. The described measures are implemented in an
actual gateway device within the HORIZON 2020 project STORY, which aims at
developing new ways to use storage and demonstrating these on six different
demonstration sites.
Comment: 6 pages, 2 figures
Multiprotocol Authentication Device for HPC and Cloud Environments Based on Elliptic Curve Cryptography
Multifactor authentication is a relevant tool in securing IT infrastructures combining two or
more credentials. We can find smartcards and hardware tokens to leverage the authentication process,
but they have some limitations. Users connect these devices in the client node to log in or request access
to services. Alternatively, if an application wants to use these resources, the code has to be amended
with bespoke solutions to provide access. Thanks to advances in system-on-chip devices, we can
integrate cryptographically robust, low-cost solutions. In this work, we present an autonomous device
that allows multifactor authentication in client–server systems in a transparent way, which facilitates
its integration in High-Performance Computing (HPC) and cloud systems, through a generic gateway.
The proposed electronic token (eToken), based on the system-on-chip ESP32, provides an extra layer
of security based on elliptic curve cryptography. Secure communications between elements use
Message Queuing Telemetry Transport (MQTT) to facilitate their interconnection. We have evaluated
different types of possible attacks and the impact on communications. The proposed system offers an
efficient solution to increase security in access to services and systems.
Spanish Ministry of Science, Innovation and Universities (MICINN) PGC2018-096663-B-C44
European Union (EU
Secrets Revealed in Container Images: An Internet-wide Study on Occurrence and Impact
Containerization allows bundling applications and their dependencies into a
single image. The containerization framework Docker eases the use of this
concept and enables sharing images publicly, gaining high momentum. However, it
can lead to users creating and sharing images that include private keys or API
secrets, either by mistake or out of negligence. This leakage impairs the
creator's security and that of everyone using the image. Yet, the extent of
this practice and how to counteract it remains unclear.
In this paper, we analyze 337,171 images from Docker Hub and 8,076 other
private registries unveiling that 8.5% of images indeed include secrets.
Specifically, we find 52,107 private keys and 3,158 leaked API secrets, both
opening a large attack surface, i.e., putting authentication and
confidentiality of privacy-sensitive data at stake and even allowing active
attacks. We further document that those leaked keys are used in the wild: While
we discovered 1,060 certificates relying on compromised keys being issued by
public certificate authorities, based on further active Internet measurements,
we find 275,269 TLS and SSH hosts using leaked private keys for authentication.
To counteract this issue, we discuss how our methodology can be used to prevent
secret leakage and reuse.
Comment: 15 pages, 7 figures
Security protocols for networks and Internet: a global vision
This work was supported by the MINECO grant TIN2013-46469-R (SPINY: Security and Privacy in the Internet of You), by the CAM grant S2013/ICE-3095 (CIBERDINE: Cybersecurity, Data, and Risks), which is co-funded by European Funds (FEDER), and by the MINECO grant TIN2016-79095-C2-2-R (SMOG-DEV—Security mechanisms for fog computing: advanced security for devices)
Fotovoltaic excess management and visualization system
The project's main objective is the development of a working prototype for a photovoltaic excess management and visualization system based on the integration of already existing technologies. In more concrete terms, this means the implementation of a software-based solution capable of managing excess power from a smart home or similar installation (tracking use of imported/exported power, deciding when and how to use excess power, etc.), as well as visualizing it (consumption of different devices, computation of power costs/benefits, hardware resources, etc.).
Configuration Management of Distributed Systems over Unreliable and Hostile Networks
Economic incentives of large criminal profits and the threat of legal consequences have pushed criminals to continuously improve their malware, especially command and control channels. This thesis applied concepts from successful malware command and control to explore the survivability and resilience of benign configuration management systems.
This work expands on existing stage models of malware life cycle to contribute a new model for identifying malware concepts applicable to benign configuration management. The Hidden Master architecture is a contribution to master-agent network communication. In the Hidden Master architecture, communication between master and agent is asynchronous and can operate through intermediate nodes. This protects the master secret key, which gives full control of all computers participating in configuration management. Multiple improvements to idempotent configuration were proposed, including the definition of the minimal base resource dependency model, simplified resource revalidation and the use of imperative general purpose language for defining idempotent configuration.
Following the constructive research approach, the improvements to configuration management were designed into two prototypes. This allowed validation in laboratory testing, in two case studies and in expert interviews. In laboratory testing, the Hidden Master prototype was more resilient than leading configuration management tools in high load and low memory conditions, and against packet loss and corruption. Only the research prototype was adaptable to a network without stable topology due to the asynchronous nature of the Hidden Master architecture.
The main case study used the research prototype in a complex environment to deploy a multi-room, authenticated audiovisual system for a client of an organization deploying the configuration. The case studies indicated that imperative general purpose language can be used for idempotent configuration in real life, for defining new configurations in unexpected situations using the base resources, and abstracting those using standard language features; and that such a system seems easy to learn.
Potential business benefits were identified and evaluated using individual semistructured expert interviews. Respondents agreed that the models and the Hidden Master architecture could reduce costs and risks, improve developer productivity and allow faster time-to-market. Protection of master secret keys and the reduced need for incident response were seen as key drivers for improved security. Low-cost geographic scaling and leveraging file serving capabilities of commodity servers were seen to improve scaling and resiliency. Respondents identified jurisdictional legal limitations to encryption and requirements for cloud operator auditing as factors potentially limiting the full use of some concepts.
SUTMS - Unified Threat Management Framework for Home Networks
Home networks were initially designed for web browsing and non-business critical applications. As infrastructure improved, internet broadband costs decreased, and home internet usage transferred to e-commerce and business-critical applications. Today's home computers host personally identifiable information and financial data and act as a bridge to corporate networks via remote access technologies like VPN. The expansion of remote work and the transition to cloud computing have broadened the attack surface for potential threats. Home networks have become the extension of critical networks and services; hackers can get access to corporate data by compromising devices attached to broadband routers. All these challenges depict the importance of home-based Unified Threat Management (UTM) systems. There is a need for a unified threat management framework that is developed specifically for home and small networks to address emerging security challenges. In this research, the proposed Smart Unified Threat Management (SUTMS) framework serves as a comprehensive solution for implementing home network security, incorporating firewall, anti-bot, intrusion detection, and anomaly detection engines into a unified system. SUTMS is able to provide 99.99% accuracy with 56.83% memory improvements. IPS stands out as the most resource-intensive UTM service; SUTMS successfully reduces the performance overhead of IDS by integrating it with the flow detection module. The artifact employs flow analysis to identify network anomalies and categorizes encrypted traffic according to its abnormalities. SUTMS can be scaled by introducing optional functions, i.e., routing and smart logging (utilizing Apriori algorithms). The research also tackles one of the limitations identified by SUTMS through the introduction of a second artifact called Secure Centralized Management System (SCMS).
SCMS is a lightweight asset management platform with built-in security intelligence that can seamlessly integrate with a cloud for real-time updates.