Defeating All Man-in-the-Middle Attacks
PrecisionAccess
Vidder, Inc.
Executive Summary

The man-in-the-middle attack is a widely used and highly preferred type of attack. There are two main components to the attack. First, the adversary intercepts communication from the victim and relays it to the server the victim wishes to communicate with. Second, the adversary obtains cleartext of the communication between the victim and the victim's server.

PrecisionAccess defeats all man-in-the-middle attacks using the combination of mutual TLS, pinned certificates, and a fixed encryption suite that cannot be downgraded or altered. This paper first presents the ways that adversaries intercept traffic, then, the ways they obtain cleartext, and, finally, how PrecisionAccess prevents adversaries from accessing the cleartext.

Figure 1. To execute a man-in-the-middle attack, the adversary must first redirect traffic from its normal path (shown in green) to a path such that the traffic flows through the adversary (shown in red). Then, the adversary must decrypt any traffic that is encrypted.

Figure 2. PrecisionAccess does not defeat the redirection of traffic. That happens at the networking layer. However, PrecisionAccess defeats the decryption of the traffic as explained in this paper.
Table of Contents

- Executive Summary
- Intercepting the Traffic
  - Spoofing a Wi-Fi Hotspot
  - Spoofing a Website
  - ARP Spoofing
  - DNS Spoofing
  - Compromised Infrastructure
  - Internet Route Hijacking
- Cleartext
  - It's Already Cleartext
  - Transforming HTTPS back to HTTP
  - Attacks on SSL
- Summary
- Appendix A
Intercepting the Traffic

In a man-in-the-middle attack, the adversary becomes the server to the victim's client computer, and the adversary also becomes the client to the server the victim is communicating with. Here are the ways the adversary becomes the man-in-the-middle.

Spoofing a Wi-Fi Hotspot

One of the easiest ways to perform a man-in-the-middle attack is by spoofing a Wi-Fi access point, because the adversary does not need to be on the network prior to creating the attack. There are multiple tools that can be used to do this attack and lots of websites that explain how to take over an existing access point (e.g., a corporate Wi-Fi access point), but it's even easier to spoof Starbucks or AT&T Wi-Fi, especially because most clients will automatically connect to any access point they have previously connected to. Then, provided the adversary is also connected to the Internet and running some man-in-the-middle software (e.g., Ettercap), the intercept is complete. It's that easy, and it happens all the time.

Spoofing a Website

It's relatively easy for an adversary to perform a man-in-the-middle attack by spoofing a website. The adversary begins by cloning the website; there are many tools that automate this. From there, the adversary registers a domain name for the cloned website that is very similar to the domain name of the real website. It may even be possible to get a legitimate SSL certificate for the cloned website. Finally, the adversary runs a phishing attack, or some other type of social engineering, against a group of potential victims to get them to go to the cloned website thinking it is the legitimate website. The cloned website is the man-in-the-middle: it relays traffic to the real website while the adversary sees the cleartext.

ARP Spoofing

Address Resolution Protocol (ARP) allows servers to give clients their Ethernet MAC address.
The typical workflow for this very common networking protocol is that a user types a URL into a browser, the operating system of the client uses the URL to request the IP address of the server from DNS, and then uses the IP address of the server to request the Ethernet MAC address of the server using ARP. Note that if the server is on a different IP subnet, the router will respond to the ARP request with its own MAC address. Note also that, to reduce the number of times the clients perform an ARP request, clients will often listen to the ARP replies from servers and routers when other clients make ARP requests.

Therefore, an adversary has two ways to become a man-in-the-middle between the client and the server. One way is to be very fast at replying to an ARP request with the adversary's MAC address (i.e., the adversary's host replies faster than the legitimate server or router). The other way is to generate a gratuitous ARP reply such that the hosts on the network store the adversary's MAC address and associate it with whatever server's IP address is in the gratuitous ARP from the adversary. The downside of both of these methods is that the adversary needs to have control of a host on the LAN of the potential victims. Therefore, typically, the adversary will compromise a computer on the network with a phishing attack, and then use this man-in-the-middle attack to obtain credentials for lateral movement through the network.

DNS Spoofing

DNS spoofing provides another mechanism to get victims to visit a spoofed website. That is, take the concept above about cloning a website and registering a DNS name, but, instead of using social engineering to get the victims to the website, alter the DNS entry of the legitimate domain name such that it points to the cloned website. There are multiple ways to spoof a DNS server.
One method is similar to ARP spoofing, where the adversary acts like a DNS server and returns the IP address for the requested DNS name quicker than the legitimate DNS server. This requires the adversary to be close to the victim. Another way is for the adversary to compromise the local DNS server and change the IP addresses of certain domain names to point to the adversary's websites. This allows the adversary to DNS-spoof a region of the Internet. Finally, there is the possibility of compromising an authoritative DNS server. If a local DNS server does not know the IP address of a requested domain name, it will call upstream DNS servers to get the name. Each DNS server in turn will call additional DNS servers until one reaches the authoritative DNS server for that domain. Therefore, if the adversary compromises an authoritative DNS server, the adversary can redirect everyone in the world to the adversary's fake IP addresses.

Compromised Infrastructure

There are a lot of networking products between a client and a server, for example switches, routers, firewalls, lots of security devices, load balancers, etc. If the adversary compromises any of those devices, it is possible to create a man-in-the-middle attack from that device. And it is surprisingly easy to compromise a component of the infrastructure: default passwords, poorly configured SNMP, and unpatched vulnerabilities on embedded operating systems that do not get upgraded at the same rate as servers, to name just a few.

Internet Route Hijacking

It is believed that nation states, including China and Russia, have injected fake routes into the Border Gateway Protocol (BGP) routing tables such that they were able to create a man-in-the-middle attack on a huge amount of data. In the cases mentioned, the nation states originated network prefixes they did not own, such that traffic to those networks passed through the routers in their countries. Clearly, this is not your common everyday adversary, but it does go to show just how many ways there are to execute a man-in-the-middle attack.

Cleartext

As described above, the first step is for the adversary to intercept the traffic. The second step is to remove any encryption from the traffic to obtain cleartext.
However, PrecisionAccess defeats all ways of seeing the cleartext.

It's Already Cleartext

Obviously, any protocol that does not encrypt traffic provides the cleartext to the adversary without additional effort. The most notable protocol that uses cleartext is HTTP. Importantly, not only is the data in cleartext, but so are the cookies, session tokens, and other input parameters. Cookies and session tokens act as short-term credentials for accessing websites. Therefore, when the man-in-the-middle adversary sees the cleartext cookie or session token, the adversary can impersonate the victim by connecting to the website as the victim.

PrecisionAccess encrypts all traffic from the user's client to the PrecisionAccess Gateway, including HTTP traffic. If the traffic is cleartext, it gets encrypted, including the cookies, session tokens and other input parameters. If the traffic is cyphertext, it gets encrypted a second time.

Transforming HTTPS back to HTTP

To mitigate the attack above, the majority of popular websites now use HTTPS instead of HTTP, where HTTPS uses TLS encryption to provide secrecy and data integrity for the HTTP traffic. Therefore, the objective of the man-in-the-middle adversary becomes the decryption of the HTTPS traffic. One of the more elegant ways of creating cleartext is for the man-in-the-middle adversary to create the HTTPS connection to the server but act like an HTTP server to the victim. This was first demonstrated in 2009 with a program called SSLstrip. To the user, it looks like a regular HTTP session to a server, and all the user's data, cookies, session tokens, and other input parameters are in cleartext. The adversary sees the user's cleartext, but then encrypts it in TLS for the connection to the server. The server sees cyphertext, just like it wants to.
In an attempt to defeat the SSLstrip attack, the browser industry created the HTTP Strict Transport Security (HSTS) protocol, a mechanism by which a website is able to inform the browser that it is supposed to be secured with SSL end-to-end. However, a more recent application that is part of the Mana Toolkit now defeats that protocol, again allowing the adversary to serve HTTP traffic to the victim and HTTPS to the website.

PrecisionAccess defeats this attack because it uses mutual TLS to authenticate the client to the server. The adversary does not have the private key for the mutual TLS. Therefore, the adversary cannot impersonate the user to the PrecisionAccess Controllers or Gateways during the TLS handshake.

Attacks on SSL

There have been so many attacks on SSL and TLS that the list had to be put in an appendix to this paper, but we can generalize the types of attacks as follows. Below, you see how PrecisionAccess defeats each attack.

Some of the attacks are based on the fact that the client and the server are verified separately, such that each step can be spoofed separately. Many of the attacks used JavaScript to initiate the attack in the victim's browser. Another set of attacks used forged certificates. This is possible because there are so many Certificate Authorities in the world that are trusted by the browser. A fourth set of attacks was based on the adversary's ability to downgrade the encryption cypher being used or alter other parameters of the HTTP/S protocol suite. Finally, there are the attacks that are possible just because any adversary can connect to a server with TLS.

PrecisionAccess defeats all of these attacks. It uses mutual TLS to authenticate both the client and the server in a two-way handshake, where both authenticate each other at the same time. It defeats JavaScript-based attacks because the PrecisionAccess Client that creates the mutual TLS connection is not a browser and does not run JavaScript. It defeats forged certificates by using pinned certificates.
That is, instead of trusting the hundreds of Certificate Authorities in the world like a browser does, the PrecisionAccess Client only trusts certificates issued by the PrecisionAccess Certificate Authority. It defeats the fourth set of attacks by using one, and only one, encryption suite. This is only possible because PrecisionAccess controls the encryption algorithm in the Clients, Controllers, and Gateways. And note that PrecisionAccess uses the strongest encryption algorithm commercially available. Finally, it defeats the fifth set of attacks by requiring Single Packet Authorization prior to allowing access to the TLS protocol. It's also interesting to note that Single Packet Authorization defeats all of the attacks on TLS by unauthorized devices, because devices cannot begin the TLS handshake until they have passed Single Packet Authorization.

Summary

There are two parts to man-in-the-middle attacks: intercepting the traffic from a client to a server and decrypting the traffic. PrecisionAccess defeats all man-in-the-middle attacks because it creates an independent layer of encryption between the client and the PrecisionAccess Gateway using the combination of mutual TLS, pinned certificates, and a fixed encryption suite that cannot be downgraded or altered in any way.
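The mutual TLS, pinned CA and single cipher suite described under "Attacks on SSL", as an added Go example that is not Vidder's code: it mints throwaway certificates, configures a gateway that accepts only client certificates from one hypothetical private CA (standing in for the PrecisionAccess Certificate Authority) and a client that accepts only a gateway certificate from that same CA, fixes one TLS 1.2 suite, and then shows a client with no certificate and an impostor server holding a valid certificate from a public CA both failing the handshake. Single Packet Authorization is not modelled.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net"
	"time"
)

// One fixed AEAD suite. TLS 1.2 is pinned because Go does not let CipherSuites
// restrict the TLS 1.3 suites; the point is that nothing is left to negotiate.
const onlySuite = tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
// issue mints a throwaway P-256 certificate for cn: self-signed (a root CA) when
// parent is nil, otherwise signed by parent/parentKey.
func issue(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 62))
	tmpl := &x509.Certificate{
		SerialNumber: serial, Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		IPAddresses: []net.IP{net.IPv4(127, 0, 0, 1)},
		IsCA:        isCA, BasicConstraintsValid: isCA,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // der was produced just above
	return cert, key
}

// tlsConfig pins exactly one CA: the gateway accepts only client certificates
// chaining to it, and the client accepts only a gateway certificate chaining to it.
func tlsConfig(own *x509.Certificate, ownKey *ecdsa.PrivateKey, pinnedCA *x509.Certificate, server bool) *tls.Config {
	pool := x509.NewCertPool()
	pool.AddCert(pinnedCA)
	cfg := &tls.Config{
		Certificates: []tls.Certificate{{Certificate: [][]byte{own.Raw}, PrivateKey: ownKey, Leaf: own}},
		MinVersion:   tls.VersionTLS12,
		MaxVersion:   tls.VersionTLS12,
		CipherSuites: []uint16{onlySuite},
	}
	if server {
		cfg.ClientAuth = tls.RequireAndVerifyClientCert
		cfg.ClientCAs = pool
	} else {
		cfg.RootCAs = pool
	}
	return cfg
}

// handshake runs one loopback handshake and returns the negotiated suite or the client-side error.
func handshake(server, client *tls.Config) (uint16, error) {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", server)
	if err != nil {
		return 0, err
	}
	defer ln.Close()
	go func() {
		if c, err := ln.Accept(); err == nil {
			c.(*tls.Conn).Handshake() // runs the client-auth check; a failure surfaces at the client
			c.Close()
		}
	}()
	conn, err := tls.Dial("tcp", ln.Addr().String(), client) // ServerName 127.0.0.1 is implied
	if err != nil {
		return 0, err
	}
	defer conn.Close()
	return conn.ConnectionState().CipherSuite, nil
}

// Demo returns the suite an authorized client negotiates, plus the errors seen when a
// client presents no certificate and when a server holds a valid cert from an unpinned CA.
func Demo() (suite uint16, noClientCert, impostor error) {
	ca, caKey := issue("pinned-ca", true, nil, nil)     // hypothetical private CA
	pubCA, pubKey := issue("public-ca", true, nil, nil) // stands in for any browser-trusted CA
	gw, gwKey := issue("gateway", false, ca, caKey)
	cli, cliKey := issue("client", false, ca, caKey)
	gateway := tlsConfig(gw, gwKey, ca, true)
	suite, _ = handshake(gateway, tlsConfig(cli, cliKey, ca, false))
	anon := tlsConfig(cli, cliKey, ca, false)
	anon.Certificates = nil // the SSLstrip/HSTS-bypass position: no client private key
	_, noClientCert = handshake(gateway, anon)
	fake, fakeKey := issue("gateway", false, pubCA, pubKey) // "legitimate" cert for a cloned gateway
	_, impostor = handshake(tlsConfig(fake, fakeKey, pubCA, true), tlsConfig(cli, cliKey, ca, false))
	return
}
```

The impostor fails on the client side (the gateway certificate does not chain to the pinned CA) before the client ever sends its own certificate, which is the order of checks that matters against a cloned site.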
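The paper leaves traffic redirection to the networking layer, but the two ARP techniques described under "ARP Spoofing" (the faster reply and the gratuitous reply) do leave a trace on the LAN. Added Go example, not from the paper: a monitor that keeps first-seen IP-to-MAC bindings and flags any reply that tries to change one, fed a constructed tcpdump-like capture (the line format is an assumption of this example).

```go
package main

import (
	"fmt"
	"strings"
)

// Alert is one IP->MAC binding change the monitor refuses to adopt.
type Alert struct {
	IP, OldMAC, NewMAC, Reason string
}

// Monitor holds first-seen IP->MAC bindings plus the set of IPs someone has
// just asked about, so a reply can be classified as solicited or gratuitous.
type Monitor struct {
	bindings map[string]string
	pending  map[string]bool
	Alerts   []Alert
}

func NewMonitor() *Monitor {
	return &Monitor{bindings: map[string]string{}, pending: map[string]bool{}}
}

// Feed parses one line in the constructed format used here:
// "ARP, Request who-has IP tell IP, length N" or "ARP, Reply IP is-at MAC, length N"
// and returns the alert it raised, if any.
func (m *Monitor) Feed(line string) *Alert {
	f := strings.Fields(strings.TrimPrefix(line, "ARP, "))
	switch {
	case len(f) >= 3 && f[0] == "Request" && f[1] == "who-has":
		m.pending[f[2]] = true
	case len(f) >= 4 && f[0] == "Reply" && f[2] == "is-at":
		ip, mac := f[1], strings.ToLower(strings.TrimSuffix(f[3], ","))
		solicited := m.pending[ip]
		delete(m.pending, ip) // the first answer consumes the request
		return m.observe(ip, mac, solicited)
	}
	return nil
}

func (m *Monitor) observe(ip, mac string, solicited bool) *Alert {
	old, seen := m.bindings[ip]
	if !seen {
		m.bindings[ip] = mac // first claim wins; later claims are reported, not adopted
		return nil
	}
	if old == mac {
		return nil
	}
	reason := "conflicting solicited reply (a second host answered the request)"
	if !solicited {
		reason = "gratuitous reply tried to rewrite an existing binding"
	}
	a := Alert{IP: ip, OldMAC: old, NewMAC: mac, Reason: reason}
	m.Alerts = append(m.Alerts, a)
	return &a
}

// Sample is a constructed capture: a legitimate answer, then a second host
// answering the next request for the same IP, then an unsolicited reply for it.
var Sample = []string{
	"ARP, Request who-has 10.0.0.1 tell 10.0.0.20, length 28",
	"ARP, Reply 10.0.0.1 is-at 00:11:22:33:44:55, length 28",
	"ARP, Request who-has 10.0.0.1 tell 10.0.0.21, length 28",
	"ARP, Reply 10.0.0.1 is-at de:ad:be:ef:00:01, length 28",
	"ARP, Reply 10.0.0.1 is-at de:ad:be:ef:00:01, length 28",
	"ARP, Reply 10.0.0.2 is-at 00:11:22:33:44:66, length 28",
}

// Run feeds lines through a fresh monitor and returns the alerts it raised.
func Run(lines []string) []Alert {
	m := NewMonitor()
	for _, l := range lines {
		m.Feed(l)
	}
	return m.Alerts
}

func main() {
	for _, a := range Run(Sample) {
		fmt.Printf("%s: %s -> %s (%s)\n", a.IP, a.OldMAC, a.NewMAC, a.Reason)
	}
}
```

First-claim-wins is a heuristic: a host whose NIC is legitimately replaced will also trigger an alert, which is why such monitors report rather than block.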
Appendix A

Appendix A is a list of recent attacks on SSL/TLS. The first column is the common name of the attack. The second column is the date it was announced. The third column is a short description of the attack. The fourth column explains how PrecisionAccess defeats the attack from unauthorized devices and, where a second entry follows the slash, how it defeats the attack by authorized users on authorized devices.

| Name | Date | Attack | Defense (unauthorized devices / authorized users) |
|---|---|---|---|
| SSLstrip | Feb 2009 | MitM http to https | Mutual TLS |
| THC-SSL-DOS | Aug 2011 | Server DoS attack | SPA / --- |
| DigiNotar | Sept 2011 | MitM forged certs | Pinned certs |
| BEAST | Apr 2012 | MitM Java Applet oracle | PA client is not a browser |
| CRIME | Sept 2012 | MitM SPDY compressing oracle | No compression in cypher |
| Lucky 13 | Feb 2013 | MitM CBC padding oracle | GCM cypher not vulnerable |
| TIME | Mar 2013 | MitM browser JavaScript timing oracle | PA client is not a browser |
| RC4 biases | Mar 2013 | MitM RC4 oracle | No cypher negotiation |
| BREACH | Aug 2013 | Website redirect, compression | SPA / No redirect or compression |
| goto fail | Feb 2014 | MitM counterfeit key via coding error | Pinned dedicated cert |
| Triple Handshake | Mar 2014 | MitM on client cert | Pinned dedicated cert |
| Heartbleed | Apr 2014 | OpenSSL bug | SPA / Not single-ended SSL |
| BERserk | Sept 2014 | MitM PKCS#1.5 padding | Cypher not vulnerable |
| Poodle | Oct 2014 | MitM SSLv3 oracle | No cypher negotiation |
| Poodle++ | Dec 2014 | MitM JavaScript timing oracle | PA client is not a browser |
| FREAK | Mar 2015 | MitM negotiation 512 bit key | No key negotiation |
| Bar-mitzvah | Mar 2015 | MitM on RC4 | No cypher negotiation |
| logjam | May 2015 | MitM downgrade to 512 bit key | No cypher negotiation |
| DROWN | Mar 2016 | MitM downgrade to SSLv2 | No cypher negotiation |
| Sweet32 | Aug 2016 | MitM birthday attack on 64-bit ciphers | 64-bit cypher not used |
| SHA-1 collision | Jan 2017 | MitM collision attack on SHA-1 | SHA-1 not used |
More informationSSL Server Rating Guide
SSL Server Rating Guide version 2009k (14 October 2015) Copyright 2009-2015 Qualys SSL Labs (www.ssllabs.com) Abstract The Secure Sockets Layer (SSL) protocol is a standard for encrypted network communication.
More informationInternetwork Expert s CCNA Security Bootcamp. Common Security Threats
Internetwork Expert s CCNA Security Bootcamp Common Security Threats http:// Today s s Network Security Challenge The goal of the network is to provide high availability and easy access to data to meet
More informationNetwork Attacks Distributed Denial of Service Survey by Arbor Network: 38% op security ppl say they deal with at least 21 DDoS attacks per month Some
Denial of Service and Distributed Denial of Service Volumetric UDP/ICMP floods Application Layer Brute Force Attacks password cracking Browser Attacks man-in-the-browser Backdoor Attacks who puts them
More informationOverview of TLS v1.3. What s new, what s removed and what s changed?
Overview of TLS v1.3 What s new, what s removed and what s changed? About Me Andy Brodie Worldpay Principal Design Engineer. Based in Cambridge, UK. andy.brodie@owasp.org Neither a cryptographer nor a
More informationTypes of Attacks That Can Be Carried Out on Wireless Networks
1 Types of Attacks That Can Be Carried Out on Wireless Networks Westley Hansen CS 4960 Dr. Martin May 7, 2015 2 Abstract Wireless Networks are very mainstream, it allows a way for computer devices to connect
More informationAN IPSWITCH WHITEPAPER. The Definitive Guide to Secure FTP
AN IPSWITCH WHITEPAPER The Definitive Guide to Secure FTP The Importance of File Transfer Are you concerned with the security of file transfer processes in your company? According to a survey of IT pros
More informationWAP Security. Helsinki University of Technology S Security of Communication Protocols
WAP Security Helsinki University of Technology S-38.153 Security of Communication Protocols Mikko.Kerava@iki.fi 15.4.2003 Contents 1. Introduction to WAP 2. Wireless Transport Layer Security 3. Other WAP
More informationHTTPS and the Lock Icon
Web security HTTPS and the Lock Icon Goals for this lecture Brief overview of HTTPS: How the SSL/TLS protocol works (very briefly) How to use HTTPS Integrating HTTPS into the browser Lots of user interface
More informationBreaking SSL Why leave to others what you can do yourself?
Breaking SSL Why leave to others what you can do yourself? By Ivan Ristic 1/ 26 Who is Ivan Ristic? 1) ModSecurity (open source web application firewall), 2) Apache 2/ 33 Security (O Reilly, 2005), 3)
More informationSecurity: Focus of Control. Authentication
Security: Focus of Control Three approaches for protection against security threats a) Protection against invalid operations b) Protection against unauthorized invocations c) Protection against unauthorized
More informationSecuring ARP and DHCP for mitigating link layer attacks
Sādhanā Vol. 42, No. 12, December 2017, pp. 2041 2053 https://doi.org/10.1007/s12046-017-0749-y Ó Indian Academy of Sciences Securing ARP and DHCP for mitigating link layer attacks OSAMA S YOUNES 1,2 1
More informationLecture 10. Denial of Service Attacks (cont d) Thursday 24/12/2015
Lecture 10 Denial of Service Attacks (cont d) Thursday 24/12/2015 Agenda DoS Attacks (cont d) TCP DoS attacks DNS DoS attacks DoS via route hijacking DoS at higher layers Mobile Platform Security Models
More informationEthical Hacking. Content Outline: Session 1
Ethical Hacking Content Outline: Session 1 Ethics & Hacking Hacking history : How it all begin - Why is security needed? - What is ethical hacking? - Ethical Hacker Vs Malicious hacker - Types of Hackers
More informationIntegrating the Hardware Management Console s Broadband Remote Support Facility into your Enterprise
System z Integrating the Hardware Management Console s Broadband Remote Support Facility into your Enterprise SC28-6880-00 System z Integrating the Hardware Management Console s Broadband Remote Support
More informationDEPLOYMENT GUIDE HOW TO DEPLOY MICROSOFT SHAREPOINT 2016 WITH A10 THUNDER ADC
DEPLOYMENT GUIDE HOW TO DEPLOY MICROSOFT SHAREPOINT 2016 WITH A10 THUNDER ADC OVERVIEW Microsoft SharePoint Server 2016 is a collaboration platform that organizations of all sizes can use to improve the
More informationWhat is Eavedropping?
WLAN Security What is Eavedropping? War Driving War Driving refers to someone driving around with a laptop and an 802.11 client card looking for an 802.11 system to exploit. War Walking Someone walks
More informationCSE 565 Computer Security Fall 2018
CSE 565 Computer Security Fall 2018 Lecture 18: Network Attacks Department of Computer Science and Engineering University at Buffalo 1 Lecture Overview Network attacks denial-of-service (DoS) attacks SYN
More informationThe question paper contains 40 multiple choice questions with four choices and students will have to pick the correct one (each carrying ½ marks.).
Time: 3hrs BCA III Network security and Cryptography Examination-2016 Model Paper 2 M.M:50 The question paper contains 40 multiple choice questions with four choices and students will have to pick the
More informationDon t blink or how to create secure software. Bozhidar Bozhanov, LogSentinel
Don t blink or how to create secure software Bozhidar Bozhanov, CEO @ LogSentinel About me Senior software engineer and architect Founder & CEO @ LogSentinel Former IT and e-gov advisor to the deputy prime
More informationNETWORK INTRUSION. Information Security in Systems & Networks Public Development Program. Sanjay Goel University at Albany, SUNY Fall 2006
NETWORK INTRUSION Information Security in Systems & Networks Public Development Program Sanjay Goel University at Albany, SUNY Fall 2006 1 Learning Objectives Students should be able to: Recognize different
More informationState of TLS usage current and future. Dave Thompson
State of TLS usage current and future Dave Thompson TLS Client/Server surveys Balancing backward compatibility with security. As new vulnerabilities are discovered, when can we shutdown less secure TLS
More informationProtecting TLS from Legacy Crypto
Protecting TLS from Legacy Crypto http://mitls.org Karthikeyan Bhargavan + many, many others. (INRIA, Microsoft Research, LORIA, IMDEA, Univ of Pennsylvania, Univ of Michigan, JHU) Popular cryptographic
More informationCan HTTP Strict Transport Security Meaningfully Help Secure the Web? nicolle neulist June 2, 2012 Security B-Sides Detroit
Can HTTP Strict Transport Security Meaningfully Help Secure the Web? nicolle neulist June 2, 2012 Security B-Sides Detroit 1 2 o hai. 3 Why Think About HTTP Strict Transport Security? Roadmap what is HSTS?
More informationECCouncil Certified Ethical Hacker. Download Full Version :
ECCouncil 312-50 Certified Ethical Hacker Download Full Version : http://killexams.com/pass4sure/exam-detail/312-50 A. Cookie Poisoning B. Session Hijacking C. Cross Site Scripting* D. Web server hacking
More informationWireless LAN Security. Gabriel Clothier
Wireless LAN Security Gabriel Clothier Timeline 1997: 802.11 standard released 1999: 802.11b released, WEP proposed [1] 2003: WiFi alliance certifies for WPA 2004: 802.11i released 2005: 802.11w task group
More informationAttacks Against Websites 3 The OWASP Top 10. Tom Chothia Computer Security, Lecture 14
Attacks Against Websites 3 The OWASP Top 10 Tom Chothia Computer Security, Lecture 14 OWASP top 10. The Open Web Application Security Project Open public effort to improve web security: Many useful documents.
More informationHTTPS is Fast and Hassle-free with Cloudflare
HTTPS is Fast and Hassle-free with Cloudflare 1 888 99 FLARE enterprise@cloudflare.com www.cloudflare.com In the past, organizations had to choose between performance and security when encrypting their
More informationInternet Security VU Web Application Security 3. Adrian Dabrowski, Johanna Ullrich, Aljosha Judmayer, Georg Merzdovnik, and Christian Kudera
Internet Security VU 188.366 Web Application Security 3 Adrian Dabrowski, Johanna Ullrich, Aljosha Judmayer, Georg Merzdovnik, and Christian Kudera inetsec@seclab.tuwien.ac.at Overview More on session
More informationMan in the Middle Attacks and Secured Communications
FEBRUARY 2018 Abstract This document will discuss the interplay between Man in The Middle (MiTM/ MITM) attacks and the security technologies that are deployed to prevent them. The discussion will follow
More informationELEC5616 COMPUTER & NETWORK SECURITY
ELEC5616 COMPUTER & NETWORK SECURITY Lecture 17: Network Protocols I IP The Internet Protocol (IP) is a stateless protocol that is used to send packets from one machine to another using 32- bit addresses
More informationSecurity issues: Encryption algorithms. Threats Methods of attack. Secret-key Public-key Hybrid protocols. CS550: Distributed OS.
Security issues: Threats Methods of attack Encryption algorithms Secret-key Public-key Hybrid protocols Lecture 15 Page 2 1965-75 1975-89 1990-99 Current Platforms Multi-user timesharing computers Distributed
More information