Out of Sight, Out of Mind: Detecting Orphaned Web Pages at Internet-Scale

Security misconfigurations and neglected updates commonly lead to systems being vulnerable. Especially in the context of websites, we often find pages that were forgotten, that is, they were left online after they served their purpose and never updated thereafter. In this paper, we introduce new methodology to detect such forgotten or orphaned web pages. We combine historic data from the Internet Archive with active measurements to identify pages no longer reachable via a path from the index page, yet stay accessible through their specific URL. We show the efficacy of our approach and the real-world relevance of orphaned web-pages by applying it to a sample of 100,000 domains from the Tranco Top 1M. Leveraging our methodology, we find 1,953 pages on 907 unique domains that are orphaned, some of which are 20 years old. Analyzing their security posture, we find that these pages are significantly ((p < 0.01) using (χ2)) more likely to be vulnerable to cross-site scripting (XSS) and SQL injection (SQLi) vulnerabilities than maintained pages. In fact, orphaned pages are almost ten times as likely to suffer from XSS (19.3%) than maintained pages from a random Internet crawl (2.0%), and maintained pages of websites with some orphans are almost three times as vulnerable (5.9%). Concerning SQLi, maintained pages on websites with some orphans are almost as vulnerable (9.5%) as orphans (10.8%), and both are significantly more likely to be vulnerable than other maintained pages (2.7%). Overall, we see a clear hierarchy: Orphaned pages are the most vulnerable, followed by maintained pages on websites with orphans, with fully maintained sites being least vulnerable. We share an open source implementation of our methodology to enable the reproduction and application of our results in practice.Information and Communication Technolog

Enumerating Active IPv6 Hosts for Large-scale Security Scans via DNSSEC-signed Reverse Zones

Security research has made extensive use of exhaustive Internet-wide scans over the recent years, as they can provide significant insights into the overall state of security of the Internet, and ZMap made scanning the entire IPv4 address space practical. However, the IPv4 address space is exhausted, and a switch to IPv6, the only accepted long-term solution, is inevitable. In turn, to better understand the security of devices connected to the Internet, including in particular Internet of Things devices, it is imperative to include IPv6 addresses in security evaluations and scans. Unfortunately, it is practically infeasible to iterate through the entire IPv6 address space, as it is 2^96 times larger than the IPv4 address space. Therefore, enumeration of active hosts prior to scanning is necessary. Without it, we will be unable to investigate the overall security of Internet-connected devices in the future. In this paper, we introduce a novel technique to enumerate an active part of the IPv6 address space by walking DNSSEC-signed IPv6 reverse zones. Subsequently, by scanning the enumerated addresses, we uncover significant security problems: the exposure of sensitive data, and incorrectly controlled access to hosts, such as access to routing infrastructure via administrative interfaces, all of which were accessible via IPv6. Furthermore, from our analysis of the differences between accessing dual-stack hosts via IPv6 and IPv4, we hypothesize that the root cause is that machines automatically and by default take on globally routable IPv6 addresses. This is a practice that the affected system administrators appear unaware of, as the respective services are almost always properly protected from unauthorized access via IPv4. Our findings indicate (i) that enumerating active IPv6 hosts is practical without a preferential network position contrary to common belief, (ii) that the security of active IPv6 hosts is currently still lagging behind the security state of IPv4 hosts, and (iii) that unintended IPv6 connectivity is a major security issue for unaware system administrators.Accepted Author ManuscriptInformation and Communication Technolog

"I needed to solve their overwhelmness": How system administration work was affected by COVID-19

The ongoing global COVID-19 pandemic made working from home – wherever working remotely is possible the norm for what had previously been office-based jobs across the world. This change in how we work created a challenging situation for system administrators (sysadmins), as they are the ones building and maintaining the digital infrastructure our world relies on. In this paper, we examine how system administration work changed early in the pandemic from sysadmins’ personal perspectives, through semi-structured interviews and thematic analysis. We find that sysadmins faced a two-sided crisis: While sysadmins’ own work environment changed, they also had to react to the new situation and facilitate stable options to work online for themselves and their colleagues, supporting their users in adapting to the crisis. This finding embeds into earlier work on the connection between IT (security) work and the notion of ‘care’, where we substantiate these earlier findings with results from a repeatable method grounded in coordination theory. Furthermore, while we find that sysadmins perceived no major changes in the way they work, by consecutively probing our interviewees, we find that they did experience several counter-intuitive effects on their work. This includes that while day-to-day communication became inherently more difficult, other tasks were streamlined by the remote working format and were seen as having become easier. Finally, by structuring our results according to a model of coordination and communication, we identify changes in sysadmins’ coordination patterns. From these we derive recommendations for how system administration work can be coordinated, ranging beyond the immediate pandemic response and the transition to any ‘new normal’ way of working.Information and Communication TechnologyOrganisation & Governanc

Security at the End of the Tunnel: The Anatomy of VPN Mental Models Among Experts and Non-Experts in a Corporate Context

With the worldwide COVID-19 pandemic in 2020 and 2021 necessitating working from home, corporate Virtual Private Networks (VPNs) have become an important item securing the continued operation of companies around the globe. However, due to their different use case, corporate VPNs and how users interact with them differ from public VPNs, which are now commonly used by end-users. In this paper, we present a first explorative study of eleven experts' and seven non-experts' mental models in the context of corporate VPNs. We find a partial alignment of these models in the high-level technical understanding while diverging in important parameters of how, when, and why VPNs are being used. While, in general, experts have a deeper technical understanding of VPN technology, we also observe that even they sometimes hold false beliefs on security aspects of VPNs. In summary, we show that the mental models of corporate VPNs differ from those for related security technology, e.g., HTTPS. Our findings allow us to draft recommendations for practitioners to encourage a secure use of VPN technology (through training interventions, better communication, and system design changes in terms of device management). Furthermore, we identify avenues for future research, e.g., into experts' knowledge and balancing privacy and security between system operators and users.Information and Communication Technolog

Cloud Strife: Mitigating the Security Risks of Domain-Validated Certificates

Infrastructure-as-a-Service (IaaS), and more generallythe “cloud,” like Amazon Web Services (AWS) or MicrosoftAzure, have changed the landscape of system operations on theInternet. Their elasticity allows operators to rapidly allocate anduse resources as needed, from virtual machines, to storage, tobandwidth, and even to IP addresses, which is what made thempopular and spurred innovation.In this paper, we show that the dynamic component pairedwith recent developments in trust-based ecosystems (e.g., SSLcertificates) creates so far unknown attack vectors. Specifically, wediscover a substantial number of stale DNS records that point toavailable IP addresses in clouds, yet, are still actively attempted tobe accessed. Often, these records belong to discontinued servicesthat were previously hosted in the cloud. We demonstrate that itis practical, and time and cost efficient for attackers to allocateIP addresses to which stale DNS records point. Consideringthe ubiquity of domain validation in trust ecosystems, like SSLcertificates, an attacker can impersonate the service using avalid certificate trusted by all major operating systems andbrowsers. The attacker can then also exploit residual trust inthe domain name for phishing, receiving and sending emails, orpossibly distribute code to clients that load remote code from thedomain (e.g., loading of native code by mobile apps, or JavaScriptlibraries by websites).Even worse, an aggressive attacker could execute the attackin less than 70 seconds, well below common time-to-live (TTL) forDNS records. In turn, it means an attacker could exploit normalservice migrations in the cloud to obtain a valid SSL certificatefor domains owned and managed by others, and, worse, that shemight not actually be bound by DNS records being (temporarily)stale, but that she can exploit caching instead.We introduce a new authentication method for trust-based domainvalidation that mitigates staleness issues without incurringadditional certificate requester effort by incorporating existingtrust of a name into the validation process. Furthermore, weprovide recommendations for domain name owners and cloudoperators to reduce their and their clients’ exposure to DNSstaleness issues and the resulting domain takeover attacks.Information and Communication Technolog

Something From Nothing (There): Collecting Global IPv6 Datasets from DNS

Current large-scale IPv6 studies mostly rely on non-public datasets, asmost public datasets are domain specific. For instance, traceroute-based datasetsare biased toward network equipment. In this paper, we present a new methodologyto collect IPv6 address datasets that does not require access to restrictednetwork vantage points. We collect a new dataset spanning more than 5.8 millionIPv6 addresses by exploiting DNS’ denial of existence semantics (NXDOMAIN).This paper documents our efforts in obtaining new datasets of allocated IPv6 addresses,so others can avoid the obstacles we encountered

Back-to-the-Future Whois: An IP Address Attribution Service for Working with Historic Datasets

Researchers and practitioners often face the issue of having to attribute an IP address to an organization. For current data this is comparably easy, using services like whois or other databases. Similarly, for historic data, several entities like the RIPE NCC provide websites that provide access to historic records. For large-scale network measurement work, though, researchers often have to attribute millions of addresses. For current data, Team Cymru provides a bulk whois service which allows bulk address attribution. However, at the time of writing, there is no service available that allows historic bulk attribution of IP addresses. Hence, in this paper, we introduce and evaluate our ‘Back-to-the-Future whois’ service, allowing historic bulk attribution of IP addresses on a daily granularity based on CAIDA Routeviews aggregates. We provide this service to the community for free, and also share our implementation so researchers can run instances themselves.Organisation & GovernanceInformation and Communication Technolog

In rDNS We Trust: Revisiting a Common Data-Source’s Reliability

Reverse DNS (rDNS) is regularly used as a data source in Internet measurement research. However, existing work is polarized on its reliability, and new techniques to collect active IPv6 datasets have not yet been sufficiently evaluated. In this paper, we investigate active and passive data collection and practical use aspects of rDNS datasets.We observe that the share of non-authoritatively answerable IPv4 rDNS queries reduced since earlier studies and IPv6 rDNS has less non-authoritatively answerable queries than IPv4 rDNS. Furthermore, we compare passively collected datasets with actively collected ones, and we show that they enable observing the same effects in rDNS data. While highlighting opportunities for future research, we find no immediate challenges to the use of rDNS as active and passive data-source for Internet measurement research.Information and Communication Technolog

Taking Control of SDN-based Cloud Systems via the Data Plane

Virtual switches are a crucial component of SDN-based cloud systems, enabling the interconnection of virtual machines in a flexible and “software-defined” manner. This paper raises the alarm on the security implications of virtual switches. In particular, we show that virtual switches not only increase the attack surface of the cloud, but virtual switch vulnerabilities can also lead to attacks of much higher impact compared to traditional switches. We present a systematic security analysis and identify four design decisions which introduce vulnerabilities. Our findings motivate us to revisit existing threat models for SDN-based cloud setups, and introduce a new attacker model for SDN-based cloud systems using virtual switches.Information and Communication Technolog

Heads in the Clouds? Measuring Universities' Migration to Public Clouds: Implications for Privacy & Academic Freedom

With the emergence of remote education and work in universi- ties due to COVID-19, the ‘zoomification’ of higher education, i.e., the migration of universities to the clouds, reached the public dis- course. Ongoing discussions reason about how this shift will take control over students’ data away from universities, and may ulti- mately harm the privacy of researchers and students alike. How- ever, there has been no comprehensive measurement of universi- ties’ use of public clouds and reliance on Software-as-a-Service of- ferings to assess how far this migration has already progressed.We perform a longitudinal study of the migration to public clouds among universities in the U.S. and Europe, as well as institutions listed in the Times Higher Education (THE) Top100 between Jan- uary 2015 and October 2022. We find that cloud adoption differs between countries, with one cluster (Germany, France, Austria, Switzerland) showing a limited move to clouds, while the other (U.S., U.K., the Netherlands, THE Top100) frequently outsources universities’ core functions and services—starting long before the COVID-19 pandemic. We attribute this clustering to several socio- economic factors in the respective countries, including the general culture of higher education and the administrative paradigm taken towards running universities. We then analyze and interpret our results, finding that the implications reach beyond individuals’ pri- vacy towards questions of academic independence and integrity.Organisation & GovernanceNetworked SystemsTechnology, Policy and Managemen