
    SECURITY ANALYSIS OF THE OAUTH PROTOCOL

    Introduction. In recent years, the use of authorisation and authentication protocols in various services has been growing rapidly, which leads to increased interest in such protocols and the protection guarantees they can provide. The work is devoted to an overview of the security of the OAuth protocol, which is currently one of the most widely used authentication mechanisms, allowing users to grant access to their protected resources without providing direct access to their passwords, and is the basis of the OpenID Connect SSO standard. It has become the standard for many web applications and APIs that provide access to restricted resources. Recently, the number of abuses during the use of this protocol and various cyber-attacks on it has been rapidly increasing, which poses critical problems for its users. Such attacks are primarily carried out through existing security issues of this protocol. This study aims to develop recommendations for the implementation and search for vulnerabilities by the method of penetration testing of Web services in the context of the OAuth 2.0 protocol. The paper considers the basic aspects and mechanisms of using this protocol. Its main known vulnerabilities are analysed in detail. In particular, it is investigated that, as a result of insufficient redirect URI validation, client identification or authentication may be violated, allowing an attacker to obtain an authorisation code. The scenarios of possible attacks on the authorisation code grant and the implicit grant, and the threat of leakage of state codes through client or authorisation server Referrer headers, which are also often used by attackers to disrupt the OAuth protocol, are described. It is also demonstrated that the resource server can be compromised through the OAuth protocol. The vulnerability assessment was conducted using the CVSS calculator, which showed certain serious security issues with the OAuth protocol.
    Conclusions. So, although the OAuth protocol allows convenient and secure authorisation and authentication in various web applications and services, it has its potential security threats that must be considered when using it. It is important to maintain high security standards and ensure proper server configuration to protect user data from possible threats. Since the research in the paper was generally aimed at the OAuth protocol itself, not its implementations, clear general recommendations were provided, compliance with which will improve the security of user authorisation and authentication on the Internet, as well as ensure information protection at an appropriate level.
    Problem statement. In recent years, the use of authorisation and authentication protocols in various services has grown rapidly, which drives increased interest in such protocols and in the protection guarantees they can provide. The work is devoted to a review of the security of the OAuth protocol, which is today one of the most widespread authorisation mechanisms, allows users to grant access to their protected resources without giving direct access to their password, and underlies the OpenID Connect SSO standard. It has become the standard for many web applications and APIs that provide access to restricted resources. Recently, the number of abuses during the use of this protocol, as well as various cyber-attacks on it, has been growing rapidly, which creates critical problems for its users. Such attacks are carried out primarily through the security problems of this protocol. The aim of the study is to develop recommendations for the implementation and for the search for vulnerabilities by the method of penetration testing of Web services in the context of the OAuth 2.0 protocol.
    Research results. The paper considers the basic aspects and mechanisms of using this protocol. Its main known vulnerabilities are analysed in detail. In particular, it is investigated that, as a result of insufficient validation of the redirect URI, client identification or authentication may be violated, allowing an attacker to obtain an authorisation code. Scenarios of possible attacks on the authorisation code grant and on the implicit grant are described, as well as the threat of leakage of state codes from the client or authorisation server side through Referrer headers, which are also often used by attackers to disrupt the operation of the OAuth protocol. It is also demonstrated that the resource server may be compromised through the OAuth protocol. A vulnerability assessment was carried out using the CVSS calculator, which revealed certain serious security issues with the OAuth protocol.
    Conclusions. So, although the OAuth protocol enables convenient and secure authorisation and authentication in various web applications and services, it has its own potential security threats that must be taken into account when using it. It is important to adhere to high security standards and ensure proper server configuration in order to protect user data from possible threats. Since the research in this work was aimed at the OAuth protocol itself in general, and not at its individual implementations, clear general recommendations were provided, compliance with which will make it possible to improve the security of user authorisation and authentication on the Internet and to ensure information protection at an appropriate level.

    Automated Conformity Verification Concept for Cloud Security

    The primary objective of this research is to develop an advanced automated method for configuring and managing public cloud accounts and subscriptions on prominent platforms such as AWS, GCP, and Azure. This method involves the application of standardized configurations to ensure optimal performance and security compliance. A significant component of this methodology is the intermittent scanning of the infrastructure of these cloud accounts and subscriptions. This scanning is meticulously designed to identify and address any deviations or non-compliance issues with globally recognized security standards, including NIST 800-53, ISO 27001, HIPAA, and PCI DSS. The approach leverages cutting-edge automation technologies to streamline the deployment and management of cloud resources. By automating the application of configurations, the method aims to reduce manual effort, minimize the likelihood of human error, and enhance operational efficiency. This automation extends to the continuous monitoring and auditing processes, enabling real-time detection of configuration drifts or security vulnerabilities. Furthermore, the research delves into the development of a dynamic, responsive system capable of adapting to the evolving requirements of cloud security. The automated scanning component plays a pivotal role in this aspect, providing ongoing assurance that the cloud environments adhere to the strictest security protocols and standards. Continuous compliance monitoring is critical in today's ever-changing digital landscape, where threats to data security and privacy are increasingly sophisticated. By integrating these automated processes, the proposed method promises not only to bolster the security posture of cloud environments but also to offer a scalable, efficient solution for cloud infrastructure management. This automated approach is poised to set a new standard in cloud management, aligning with best practices in IT security and compliance, and paving the way for more secure, manageable, and efficient cloud computing practices.

    Machine learning uncovers the most robust self-report predictors of relationship quality across 43 longitudinal couples studies

    Given the powerful implications of relationship quality for health and well-being, a central mission of relationship science is explaining why some romantic relationships thrive more than others. This large-scale project used machine learning (i.e., Random Forests) to 1) quantify the extent to which relationship quality is predictable and 2) identify which constructs reliably predict relationship quality. Across 43 dyadic longitudinal datasets from 29 laboratories, the top relationship-specific predictors of relationship quality were perceived-partner commitment, appreciation, sexual satisfaction, perceived-partner satisfaction, and conflict. The top individual-difference predictors were life satisfaction, negative affect, depression, attachment avoidance, and attachment anxiety. Overall, relationship-specific variables predicted up to 45% of variance at baseline, and up to 18% of variance at the end of each study. Individual differences also performed well (21% and 12%, respectively). Actor-reported variables (i.e., own relationship-specific and individual-difference variables) predicted two to four times more variance than partner-reported variables (i.e., the partner's ratings on those variables). Importantly, individual differences and partner reports had no predictive effects beyond actor-reported relationship-specific variables alone. These findings imply that the sum of all individual differences and partner experiences exert their influence on relationship quality via a person's own relationship-specific experiences, and effects due to moderation by individual differences and moderation by partner-reports may be quite small. Finally, relationship-quality change (i.e., increases or decreases in relationship quality over the course of a study) was largely unpredictable from any combination of self-report variables. This collective effort should guide future models of relationships.

    Designing Secured Services for Authentication, Authorization, and Accounting of Users

    In this paper, a service for authentication, authorization, and user management has been designed and developed. The purpose of this work is to simplify the configuration of user security in web and mobile applications with a ready-made solution. The service can be deployed as a separate server on the Internet: you will be able to use it right after registering a client. This method does not require the use of your own resources, but it is less secure, especially for applications that keep sensitive data. Still, the best and most secure option is to download the source code and run the service on the local network. In this case, it will be accessible only to other applications, or to other microservices in the case of a microservice architecture.

    Designing Data Classification and Secure Store Policy According to SOC 2 Type II

    This paper discusses the design of a data classification policy for SOC 2 Type II compliance. SOC 2 Type II is a significant certification that attests to a service organization's ability to meet the Trust Services Criteria, which encompass security, availability, processing integrity, confidentiality, and privacy. Data classification is a critical first step in establishing a robust data security strategy, as it helps organizations understand what data they have and assigns a level of sensitivity to that data, which informs the security controls that should be applied. The main objectives of data classification are to organize and manage data in a way that enhances its protection and aligns with the overall data security strategy of an organization. Data security plays a pivotal role in the data classification process, as it directly influences how classified data is protected and managed. Designing a data classification policy for SOC 2 Type II compliance involves several challenges and considerations that organizations must navigate to effectively protect sensitive information and maintain the integrity of their service delivery. These challenges and considerations include understanding the scope of data, aligning with the Trust Services Criteria, balancing security with usability, training and awareness, regular updates and reviews, defining classification levels, ensuring consistency, automating classification, integration with other policies and controls, dealing with third-party vendors, monitoring and enforcement, and legal and regulatory compliance.

    Implementation of modified additive lagged Fibonacci generator

    A pseudorandom bit sequence generator with increased cryptographic security, based on the additive lagged Fibonacci generator, is developed. The generator's structural circuit and its working principle are described in the paper. Two variants of its construction, implemented on programmable logic devices produced by Xilinx, are also given. The main characteristics of the generator are researched, in particular: recurrence period, speed, and statistical characteristics. For the last of these, a statistical portrait is presented that was built with the help of the NIST tests.

    Materials Science and Metalwork: a monograph

    EN: The issue provides the basic information on Materials Technology and Metalwork. Intended for researchers and specialists in this area, and for students who receive training in Education (01), Professional Education (015.18), Technology of Production and Agricultural Products Processing, Agrarian Sciences and Food Supplies (20), Agrarian Engineering (208), Transport (27), Automobile Transport (274), Transport Technologies (in Automobile Transport) (275.03). UK: The publication provides basic information on the structure and the physical-mechanical and technological properties of materials, covers the heat treatment of metals and alloys, the rules for performing the main types of metalworking operations, the kinds of tools for each metalworking operation, the techniques for performing them and methods of organising the workplace. In addition, the fundamentals of standardisation, interchangeability and technical measurements are given. It contains information on polymer, composite and non-metallic materials. The publication is intended for researchers and specialists engaged in research in materials science and metalwork, and may be useful for students studying in the specialities 01 Education (015.18 Professional Education (Technology of Production and Processing of Agricultural Products)), 20 Agrarian Sciences and Food (208 Agrarian Engineering), 27 Transport (274 Automobile Transport, 275.03 Transport Technologies (in Automobile Transport)).

    Growing the tent - Promoting dialogue about open science
