A New Procedure to Detect Low Interaction Honeypots

Honeypots  systems  are   an   important  piece  of   the   network  security infrastructure and can be deployed to accomplish different purposes such as: network sensing, capturing and learning about 0-day exploits, capturing and analyzing of black hat techniques, deterring black hats and data gathering for doing  statistical  analysis  over  the  Internet  traffic,  among  others. Nevertheless, all honeypots need to look like real systems, due to if a honeypot is unmasked, it loses its value. This paper presents a new procedure to detect low interaction honeypots, through HTTP request, regardless honeypot architecture. It is important to mention that Low Interaction Honeypots network services need to be improved in order to get trustworthy information. Otherwise, it should consider data obtained by low interaction honeypots like inaccurate and unreliable information.DOI:http://dx.doi.org/10.11591/ijece.v4i6.688

Copyright Notice

Using SHA2 Algorithms with Cryptographic Message Syntax This document describes the conventions for using the Secure Hash Algorithm (SHA) message digest algorithms (SHA-224, SHA-256, SHA-384, SHA-512) with the Cryptographic Message Syntax (CMS). It also describes the conventions for using these algorithms with the CMS an

Supporting authorize-then-authenticate for wi-fi access based on an electronic identity infrastructure

Federated electronic identity systems are increasingly used in commercial and public services to let users share their electronic identities (eIDs) across countries and providers. In Europe, the eIDAS Regulation and its implementation-the eIDAS Network-allowing mutual recognition of citizen’s eIDs in various countries, is now in action. We discuss authorization (before authentication), named also authorize-then-authenticate (AtA), in services exploiting the eIDAS Network. In the eIDAS Network, each European country runs a national eIDAS Node, which transfers in other Member State countries, via the eIDAS protocol, some personal attributes, upon successful authentication of a person in his home country. Service Providers in foreign countries typically use these attributes to implement authorization decisions for the requested service. We present a scenario where AtA is required, namely Wi-Fi access, in which the service provider has to implement access control decisions before the person is authenticated through the eIDAS Network with his/her national eID. The Wi-Fi access service is highly required in public and private places (e.g. shops, hotels, a.s.o.), but its use typically involves users’ registration at service providers and is still subject to security attacks. The eIDAS Network supports different authentication assurance levels, thus it might be exploited for a more secure and widely available Wi-Fi access service to the citizens with no prior registration, by exploiting their national eIDs. We propose first a model that discusses AtA in eIDAS-based services, and we consider different possible implementation choices. We describe next the implementation of AtA in an eIDAS-based Wi-Fi access service leveraging the eIDAS Network and a Zeroshell captive portal supporting the eIDAS protocol. We discuss the problems encountered and the deploy-ment issues that may impact on the service acceptance by the users and its exploitation on large scale

Web Traffic Data Export to MAFF

Cílem této bakalářské práce bylo seznámení se s principy přenosu, uložení a opětovného zobrazení webového provozu. Další částí byl návrh a realizace modulu pro rekonstrukci a exportování obsahu webového provozu. Tento modul umožňuje poskládat webové stránky získané ze zachycené webové komunikace. Rovněž umožňuje takové stránky zobrazit. Výstupy modulu jsou tvořeny pomocí archivačního formátu MAFF, který slouží k uložení webové stránky pro možnost pozdějšího zobrazení. Základní ověření funkčnosti modulu probíhalo pomocí sad testů.The goal of this bachelor thesis was to get acquainted with the principles of transmission, storage and re-visualisation of web traffic. The next part lied with the design and realization of the module for the reconstruction and exporting of the web traffic contents. This module allows to assemble the websites acquired from the captured web communication. It also allows to visualize such websites. The outputs of the module are made through the archival format MAAF, which serves to store web pages for the option of later display. The basic validation of the module functionality was done using test sets.

An Extensive Evaluation of the Internet's Open Proxies

Open proxies forward traffic on behalf of any Internet user. Listed on open proxy aggregator sites, they are often used to bypass geographic region restrictions or circumvent censorship. Open proxies sometimes also provide a weak form of anonymity by concealing the requestor's IP address. To better understand their behavior and performance, we conducted a comprehensive study of open proxies, encompassing more than 107,000 listed open proxies and 13M proxy requests over a 50 day period. While previous studies have focused on malicious open proxies' manipulation of HTML content to insert/modify ads, we provide a more broad study that examines the availability, success rates, diversity, and also (mis)behavior of proxies. Our results show that listed open proxies suffer poor availability--more than 92% of open proxies that appear on aggregator sites are unresponsive to proxy requests. Much more troubling, we find numerous examples of malicious open proxies in which HTML content is manipulated to mine cryptocurrency (that is, cryptojacking). We additionally detect TLS man-in-the-middle (MitM) attacks, and discover numerous instances in which binaries fetched through proxies were modified to include remote access trojans and other forms of malware. As a point of comparison, we conduct and discuss a similar measurement study of the behavior of Tor exit relays. We find no instances in which Tor relays performed TLS MitM or manipulated content, suggesting that Tor offers a far more reliable and safe form of proxied communication

Separation of SSL protocol phases across process boundaries

Secure Sockets Layer is the de-facto standard used in the industry today for secure communications through web sites. An SSL connection is established by performing a Handshake, which is followed by the Record phase. While the SSL Handshake is computationally intensive and can cause of bottlenecks on an application server, the Record phase can cause similar bottlenecks while encrypting large volumes of data. SSL Accelerators have been used to improve the performance of SSL-based application servers. These devices are expensive, complex to configure and inflexible to customizations. By separating the SSL Handshake and the Record phases into separate software processes, high availability and throughput can be achieved using open-source software and platforms. The delegation of the SSL Record phase to a separate process by transfer of necessary cryptographic information was achieved. Load tests conducted, showed gains with the separation of the Handshake and Record phases at nominal data sizes and the approach provides flexibility for enhancements to be carried out for performance improvements at higher data sizes