10 research outputs found

    Enhanced BARM - Authentic Reporting to External Platforms

    SMS-based One-Time Passwords: Attacks and Defense

    SMS-based One-Time Passwords (SMS OTP) were introduced to counter phishing and other attacks against Internet services such as online banking. Today, SMS OTPs are commonly used for authentication and authorization for many different applications. Recently, SMS OTPs have come under heavy attack, especially by smartphone trojans. In this paper, we analyze the security architecture of SMS OTP systems and study attacks that pose a threat to Internet-based authentication and authorization services. We determined that the two foundations SMS OTP is built on, cellular networks and mobile handsets, were completely different at the time when SMS OTP was designed and introduced. Throughout this work, we show why SMS OTP systems cannot be considered secure anymore. Based on our findings, we propose mechanisms to secure SMS OTPs against common attacks and specifically against smartphone trojans.

    Detection of peripheral-based attacks on the host memory (Erkennung peripheriebasierter Angriffe auf den Hostspeicher)

    Adversaries can deploy rootkit techniques on the target platform to persistently attack computer systems in a stealthy manner. Industrial and political espionage, surveillance of users, and cybercrime all require stealthy attacks on computer systems. Utilizing a rootkit technique means that part of the implemented attack code is responsible for concealing the attack. 
Attack code that is loaded into peripherals such as the network interface card or special micro-controllers is currently the peak of the evolution of rootkits. This work examines such stealthy peripheral-based attacks on the host computer. Peripherals have a dedicated processor and dedicated runtime memory to handle their tasks. This means that these peripherals are essentially a separate system. Attackers benefit from this kind of isolation. Peripherals generally communicate with the host via the host main memory. Attackers exploit this fact. All host runtime data is present in the main memory. This includes cryptographic keys, passwords, opened files, and other sensitive data. The attacker only needs to locate such data. Subsequently, attackers can read and modify the data unnoticed by utilizing the direct memory access mechanism of the peripheral. This allows for circumventing security software such as state-of-the-art anti-virus software and modern hardened operating system kernels. Detecting such attacks is the goal of this work. Stealthy malicious software (malware) that is based on an isolated micro-controller is implemented to conduct an attack analysis. The malware proof of concept is called DAGGER, which is derived from Direct memory Access based keystroke code loGGER. The development and analysis of this malware reveals important properties of peripheral-based malware. The results of the analysis are the basis for the development of a novel runtime detector. The detector is called BARM - Bus Agent Runtime Monitor. This detector reveals stealthy peripheral-based attacks on the host main memory by exploiting certain hardware properties. A permanent and resource-efficient measurement strategy ensures that the detector is also capable of detecting transient attacks. Such transient attacks are possible when the applied measurement strategy only measures at certain points in time. 
The attacker exploits this measurement strategy by attacking the system in between two measurements and by destroying all attack traces before the system is measured. The detector represents an alternative solution to previously proposed preventive protection approaches, i.e., input/output memory management units. Previously proposed approaches are not necessarily effective due to practical issues. This fact as well as the threat posed by peripheral-based malware demand the alternative detector solution that is presented in this work. The detector not only reveals an attack but also halts the malicious device. BARM immediately detects and prevents attacks that are conducted by DAGGER. The performance overhead is negligible. Furthermore, BARM is able to report to an external platform whether the host main memory is being attacked by a peripheral.

    Detecting peripheral-based attacks on the host memory

    This work addresses stealthy peripheral-based attacks on host computers and presents a new approach to detecting them. Peripherals can be regarded as separate systems that have a dedicated processor and dedicated runtime memory to handle their tasks. The book addresses the problem that peripherals generally communicate with the host via the host’s main memory, storing cryptographic keys, passwords, opened files and other sensitive data in the process – an aspect attackers are quick to exploit. Here, stealthy malicious software based on isolated micro-controllers is implemented to conduct an attack analysis, the results of which provide the basis for developing a novel runtime detector. The detector reveals stealthy peripheral-based attacks on the host’s main memory by exploiting certain hardware properties, while a permanent and resource-efficient measurement strategy ensures that the detector is also capable of detecting transient attacks, which can otherwise succeed when the applied strategy only measures intermittently. Attackers exploit this strategy by attacking the system in between two measurements and erasing all traces of the attack before the system is measured again.

    Beyond Secure Channels

    On the Use of Tunable Power Splitter for Simultaneous Wireless Information and Power Transfer Receivers

    The use of a tunable power splitter (PS) as a constituent component of a simultaneous wireless information and power transfer (SWIPT) system is discussed. Two varactor diodes are used to achieve a tunable output power ratio P2 : P3 varying from 1 : 1 to 1 : 10 under good matching conditions. The SWIPT system that operates at 2.4 GHz consists of a typical patch antenna, cascaded with the tunable PS, and a voltage doubler rectifier. The constituent components were implemented and tested as stand-alone devices and were subsequently combined in a measurement system using interconnectors. The effect of the tunable PS was explored with respect to the SNR measurements on the port that is intended for the information decoding receiver and the DC voltage measurements on the termination load of the rectifier that is connected directly on the energy harvesting port of the tunable PS. A spectrum analyzer is used for the SNR measurements while the input power is controlled using a signal generator. Both wireless power transmission and on-board measurements verify that the harvested energy can be maximized by using the minimum SNR at the information decoding branch at the expense of DC power consumption required for the biasing of the varactor diodes.