Cloud Security and Mobile Application Security. SBA Research & Vienna University of Technology Edgar R. Weippl
2 Target Audience
- Graduate students in computer science
- Some knowledge in security, but no focus on information security
- Interest in privacy and security
3 Trust
- Humans interact with humans.
- Computer and communication security as a mechanism to implement trust.
- Bruce Schneier, Liars and Outliers: Enabling the Trust that Society Needs to Thrive, John Wiley & Sons, 2012.
4 Trust
5 Observation & Empirical Research Observation of complex systems
6 Empirical Research
- Dropbox: Martin Mulazzani, Sebastian Schrittwieser, Manuel Leithner, Markus Huber, and Edgar R. Weippl. Dark clouds on the horizon: Using cloud storage as attack vector and online slack space. USENIX Security, 8/2011.
- WhatsApp: Sebastian Schrittwieser, Peter Fruehwirt, Peter Kieseberg, Manuel Leithner, Martin Mulazzani, Markus Huber, and Edgar R. Weippl. Guess who is texting you? Evaluating the security of smartphone messaging applications. In Network and Distributed System Security Symposium (NDSS 2012).
- Facebook: Markus Huber, Sebastian Schrittwieser, Martin Mulazzani, and Edgar Weippl. AppInspect: Large-scale evaluation of social networking apps. In ACM Conference on Online Social Networks (COSN 2013).
- Amazon: Amir Herzberg, Haya Shulman, Johanna Ullrich, and Edgar R. Weippl. Cloudoscopy: Services Discovery and Topology Mapping. In Proceedings of the ACM Cloud Computing Security Workshop (CCSW) at ACM CCS 2013, 2013.
8 Cloudoscopy
Amir Herzberg and Haya Shulman (Computer Science Dept., Bar-Ilan University) and Johanna Ullrich and Edgar Weippl (SBA Research, Wien)
9 Cloud Computing / IaaS
- Infrastructure for on-demand IT services: rent storage, cycles, infrastructure, data hosting; outsource expertise and maintenance
- Some popular providers: Amazon EC2, Microsoft Azure, Google, Rackspace
- Resource sharing between a number of VMs: CPU, memory, bandwidth
10 New Threats
- Malicious cloud tenants, e.g., conflicting interests: resource sharing can be exploited for attacks by malicious tenants on other tenants, e.g., cross-VM attacks
- Malicious cloud operator, e.g., may cheat to save resources: placement of instances in the same physical region or on the same host; charging the subscriber not proportionally to the service provided; rerouting traffic inefficiently; selling the list of its clients to data hoarders
11 Cloud Computing Security
- Isolation to prevent attacks by other tenants: network and host isolation
- Cloud service verification to establish trust in the cloud
  - Known (traditional) services verification: storage and computation; extensively studied
  - New (infrastructure) services verification: placement and communication
12 Cloud Computing Security
- Verify placement and communication: to prevent a single point of failure; to reduce latency and guarantee quality of service; to avoid snooping on traffic by attackers
- Efficient placement of instances and communication: to prevent cross-VM attacks, e.g., memory side-channel attacks
- Cloud security is difficult to measure: need tools to enable clients to verify cloud services
13 Cloudoscopy
1. IP address deanonymisation: expose the internal IP address of a victim instance
2. Hop-count measuring: measure its hop-count distance from adversarial cloud instances
3. Co-residence testing: test to find a specific instance which is close enough to the victim (e.g., co-resident) to allow (denial-of-service or side-channel) attacks
14 IP Address Deanonymisation
- Expose the internal IP address of a victim instance
- Simple: tracert, ping
- New approach: interrupt-overloading side channel; general and not protocol specific
- New approach: server-bounce scan; in some protocols, e.g., SMTP, servers open a connection using a domain name from an incoming connection
15-18 IP Address Deanonymisation: Discovery via Interrupts (four diagram slides)
19 Hop-count Measuring
- Once the IP is found, find the path to the victim
- Cloud platforms block ICMP error/control messages
- Our idea: scan with incrementing TTL; use a timing side channel to count hosts
20 Co-residence Testing
- Place the prober on the same host as the victim
- Check whether the TTL scan to the victim is 0
- Check patterns to the prober via the interrupt-based side channel
- If both pass, the attacker is co-resident with the victim
21 Co-residence Testing
- Legitimate use: ensure location (EU vs. US laws); ensure separation of locations (redundancy)
- Attacks based on tenant-to-tenant and tenant-provider communication
- Blocking is not the solution, because 1/3 of communication would be less efficient
22 Summary
24 Apps, Mobile Devices, Cloud Services
- So many new opportunities
- Building on experience of previous decades
- Things can only get better. Really?
- Martin Mulazzani, Sebastian Schrittwieser, Manuel Leithner, Markus Huber, and Edgar R. Weippl. Dark clouds on the horizon: Using cloud storage as attack vector and online slack space. USENIX Security, 8/2011.
25 Data Deduplication
- At the server: the same file is only stored once; saves storage space at the server
- At the client: calculate a hash or other digest; reduces communication
26 Attacks
- Hash manipulation
- Stolen host ID
- Direct up-/download: uploading without linking; simple HTTPS request
27 Evaluation
- Time until (hidden) chunks get deleted, measured with random data in multiple files: hidden upload at least 4 weeks; regular upload: unlimited, undelete possible (> 6 months)
- Popular files on Dropbox: thepiratebay.org Top 100 torrent files; downloaded copyright-free content (.sfv, .nfo, ...); 97 % (n = 368) were retrievable; 20 % of torrents were less than 24 hours old
- Interpretation: at least one of the seeders uses Dropbox
28 Solutions / Aftermath
- Dropbox fixed the flaws: HTTPS up-/download attack; host ID is now encrypted; no more client-side deduplication; proof of ownership; take-down notice
- Diagram (attack flow between the attacker's PC and a victim using Dropbox): 1. steal hashes; 2. send hashes to the attacker; 3. link hashes with a fake client; 4. download all files of the victim
29 Underlying Problems
- Access control
- Identification based on hash values
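The two deduplication designs behind slides 25-29, worked as an added Python example (not code from the paper or from Dropbox): a toy deduplicating store that first links a file to an account on presentation of its hash alone, which is the "identification based on hash values" problem, and then demands a proof of ownership instead, the fix listed on slide 28. The chunk size, the challenge format, the server and the file contents are constructed here; nothing about the real Dropbox protocol is assumed beyond what the slides state.

```python
# Added example, not from the paper or from Dropbox: a toy deduplicating store that
# (a) links a file to an account on presentation of its hash alone and (b) demands a
# proof of ownership instead.  Chunk size, challenge format and file bytes are constructed.
import hashlib
import hmac
import os
import random
from typing import Dict, Optional, Set, Tuple

CHUNK = 4096                     # constructed chunk size
_rng = random.SystemRandom()     # unpredictable chunk selection for challenges


def digest(data: bytes) -> str:
    """Client-side digest used for deduplication (slide 25)."""
    return hashlib.sha256(data).hexdigest()


def prove(data: bytes, chunks, nonce: bytes) -> bytes:
    """Client side of the proof: keyed digest over the requested chunks.  Computing
    it requires the file bytes; the SHA-256 of the whole file is not enough."""
    mac = hmac.new(nonce, digestmod="sha256")
    for i in chunks:
        mac.update(data[i * CHUNK:(i + 1) * CHUNK])
    return mac.digest()


class DedupServer:
    def __init__(self) -> None:
        self.store: Dict[str, bytes] = {}       # hash -> content, stored once
        self.owners: Dict[str, Set[str]] = {}   # hash -> accounts the file is linked to
        self.pending: Dict[str, Tuple[str, str, list, bytes]] = {}

    def upload(self, account: str, data: bytes) -> str:
        h = digest(data)
        self.store.setdefault(h, data)          # same file only stored once
        self.owners.setdefault(h, set()).add(account)
        return h

    # (a) Weak scheme: knowing the hash is treated as possessing the file.
    def link_by_hash(self, account: str, h: str) -> bool:
        if h not in self.store:
            return False                        # client has to upload the file
        self.owners[h].add(account)
        return True

    # (b) Proof of ownership: fresh nonce and random chunk indices per request.
    def challenge(self, account: str, h: str) -> Optional[dict]:
        if h not in self.store:
            return None
        n_chunks = max(1, -(-len(self.store[h]) // CHUNK))     # ceiling division
        chunks = sorted(_rng.sample(range(n_chunks), k=min(3, n_chunks)))
        nonce = os.urandom(16)
        cid = os.urandom(8).hex()
        self.pending[cid] = (account, h, chunks, nonce)
        return {"id": cid, "chunks": chunks, "nonce": nonce}

    def respond(self, cid: str, proof: bytes) -> bool:
        account, h, chunks, nonce = self.pending.pop(cid)
        ok = hmac.compare_digest(prove(self.store[h], chunks, nonce), proof)
        if ok:
            self.owners[h].add(account)
        return ok


def scenario() -> Tuple[bool, bool, bool]:
    """Victim uploads a file; other accounts try to get it linked.  Returns
    (linked under the weak scheme with the hash alone,
     linked with a proof computed from the real bytes,
     linked with a proof computed from the hash alone)."""
    server = DedupServer()
    victim_file = os.urandom(3 * CHUNK + 100)   # constructed file spanning 4 chunks
    h = server.upload("victim", victim_file)

    weak = server.link_by_hash("stranger", h)   # succeeds: the hash is the "proof"

    c = server.challenge("holder", h)
    honest = server.respond(c["id"], prove(victim_file, c["chunks"], c["nonce"]))

    c = server.challenge("stranger2", h)
    guess = server.respond(c["id"], prove(h.encode(), c["chunks"], c["nonce"]))
    return weak, honest, guess


if __name__ == "__main__":
    print(scenario())   # (True, True, False)
```

Note that `challenge()` still answers differently for known and unknown hashes, so an account can learn whether a given file is already stored; the proof of ownership closes the linking problem but not that existence side channel, which is why slide 28 also lists "no more client-side deduplication".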
30 Access Control Structures
Requirements on access control structures:
- The access control structure should help to express your desired access control policy.
- You should be able to check that your policy has been captured correctly.
- Access rights can be defined individually for each combination of subject and object; for large numbers of subjects and objects, such structures are cumbersome to manage.
- Intermediate levels of control are preferable.
31 Access Control Matrix
Notation: S set of subjects, O set of objects, A set of access operations.
Access control matrix: M = (M_{s,o})_{s ∈ S, o ∈ O}, M_{s,o} ⊆ A. The entry M_{s,o} specifies the operations subject s may perform on object o.

        bill.doc      edit.exe  fun.com
Alice   -             {exec}    {exec,read}
Bob     {read,write}  {exec}    {exec,read,write}
32 Access Control Matrix ctd.
- The access control matrix is an abstract concept: not very suitable for direct implementation; not very convenient for managing security.
- How do you answer the question: has your security policy been implemented correctly?
- Bell-LaPadula (and Orange Book): the access control matrix defines discretionary access control (DAC).
33 Capabilities
- Focus on the subject: access rights are stored with the subject, e.g., Alice: edit.exe: {exec}, fun.com: {exec,read}
- Capabilities = rows of the access control matrix
- Subjects may grant rights to other subjects; subjects may grant the right to grant rights.
- Problems: how to check who may access a specific object? How to revoke a capability?
- Distributed system security has created renewed interest in capabilities.
34 Access Control Lists (ACLs)
- Focus on the object: access rights are stored with the object, e.g., fun.com: Alice: {exec}, Bill: {exec,read,write}
- ACLs = columns of the access control matrix
- Access rights are often defined for groups of users: Unix: owner, group, others; VMS: owner, group, world, system
- Problem: how to check the access rights of a specific subject?
- ACLs are typical for secure operating systems of Orange Book class C2.
35 Intermediate Controls
- Intermediate controls facilitate better security management.
- To deal with complexity, introduce more levels of indirection: users → roles → procedures → data types → objects
36 Groups and Negative Permissions
- Groups are an intermediate layer between users and objects: users → groups → objects
- To deal with special cases, negative permissions withdraw rights: users → groups → objects
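The structures of slides 31-36, worked as an added Python example (not code from the slides or their author): the slide's table as the matrix M, capability lists and ACLs derived from it as rows and columns, the revocation problem of slide 33, and groups with negative permissions as the intermediate controls of slide 36. All subjects, objects and rights are constructed here; the group setup in `demo()` is chosen so that it reproduces the slide's table for Alice and Bob and adds a third user, Carol, only to show a withdrawn right.

```python
# Added example, not code from the slides: the access control matrix of slide 31,
# capability lists and ACLs derived from it (slides 33-34), and groups with negative
# permissions as intermediate controls (slide 36).  All data is constructed inline.
from typing import Dict, FrozenSet, Set

Matrix = Dict[str, Dict[str, FrozenSet[str]]]   # M[s][o] = set of ops; "-" = no entry

# The slide's table: subjects Alice and Bob, objects bill.doc, edit.exe, fun.com.
ACM: Matrix = {
    "Alice": {"edit.exe": frozenset({"exec"}),
              "fun.com":  frozenset({"exec", "read"})},
    "Bob":   {"bill.doc": frozenset({"read", "write"}),
              "edit.exe": frozenset({"exec"}),
              "fun.com":  frozenset({"exec", "read", "write"})},
}


def allowed(matrix: Matrix, subject: str, obj: str, op: str) -> bool:
    """Reference-monitor decision: is op in M[subject][obj]?  A missing entry denies."""
    return op in matrix.get(subject, {}).get(obj, frozenset())


def capabilities(matrix: Matrix, subject: str) -> Dict[str, FrozenSet[str]]:
    """Row of M: the rights stored with the subject (capability list)."""
    return dict(matrix.get(subject, {}))


def acl(matrix: Matrix, obj: str) -> Dict[str, FrozenSet[str]]:
    """Column of M: the rights stored with the object (access control list)."""
    return {s: rights[obj] for s, rights in matrix.items() if obj in rights}


def revoke_object(matrix: Matrix, obj: str) -> Matrix:
    """The revocation problem of slide 33: with ACLs this is one column removed;
    with capabilities every subject's row must be visited, as done here."""
    return {s: {o: ops for o, ops in rights.items() if o != obj}
            for s, rights in matrix.items()}


def expand_groups(members: Dict[str, Set[str]], group_rights: Matrix,
                  user_rights: Matrix, negative: Matrix) -> Matrix:
    """Effective matrix from the intermediate controls users -> groups -> objects.
    Negative permissions are applied last, so a withdrawn right always wins."""
    eff: Dict[str, Dict[str, Set[str]]] = {}

    def add(s: str, o: str, ops) -> None:
        eff.setdefault(s, {}).setdefault(o, set()).update(ops)

    for g, users in members.items():
        for s in users:
            for o, ops in group_rights.get(g, {}).items():
                add(s, o, ops)
    for s, rights in user_rights.items():
        for o, ops in rights.items():
            add(s, o, ops)
    for s, rights in negative.items():
        for o, ops in rights.items():
            if o in eff.get(s, {}):
                eff[s][o] -= ops
    return {s: {o: frozenset(ops) for o, ops in rights.items() if ops}
            for s, rights in eff.items()}


def demo() -> Matrix:
    """Constructed group setup that reproduces the slide's table for Alice and Bob,
    plus Carol, whose group rights on fun.com are withdrawn by a negative permission."""
    members = {"staff": {"Alice", "Bob", "Carol"}}
    group_rights: Matrix = {"staff": {"edit.exe": frozenset({"exec"}),
                                      "fun.com":  frozenset({"exec", "read"})}}
    user_rights: Matrix = {"Bob": {"bill.doc": frozenset({"read", "write"}),
                                   "fun.com":  frozenset({"write"})}}
    negative: Matrix = {"Carol": {"fun.com": frozenset({"exec", "read"})}}
    return expand_groups(members, group_rights, user_rights, negative)


if __name__ == "__main__":
    print(allowed(ACM, "Alice", "bill.doc", "read"))   # False: the entry is "-"
    print(acl(ACM, "fun.com"))
    print(demo())
```

The order inside `expand_groups` is the security-relevant detail: group grants and individual grants are unioned first and negative permissions subtracted afterwards, so a special-case withdrawal cannot be undone by membership in a second group that grants the same right.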
37 Role Based Access Control (RBAC)
- Several intermediate concepts can be inserted between subjects and objects.
- Roles: a collection of procedures assigned to users; a user can have more than one role, and more than one user can have the same role.
- Procedures: high-level access control methods with more complex semantics than read or write; procedures can only be applied to objects of certain data types; example: funds transfer between bank accounts.
- Data types: each object is of a certain data type and can be accessed only through the procedures defined for this data type.
38 RBAC continued
- RBAC itself does not have a generally accepted meaning; it is used in different ways by different vendors and users.
- Controlling access to an object by restricting the procedures that may access this object is a general programming practice. It is a fundamental concept in the theory of abstract data types and object-oriented programming.
- Examples: user profiles in IBM's OS/400; global groups and local groups in Windows NT.
39 RBAC
The NIST model of RBAC (shown in Sandhu et al., 2000) is organized into four levels of increasing functional capabilities: flat RBAC, hierarchical RBAC, constrained RBAC, symmetric RBAC.
40 Flat RBAC
41 Hierarchical RBAC (class diagram): User --(membership)--> Role --(authorization)--> Permission; a role hierarchy relates super-roles to sub-roles; a Session activates roles, with a 1:n relation between User and Session.
42 Constrained RBAC
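The first three NIST levels of slides 39-42, worked as an added Python example (not code from the slides, and not the NIST reference model itself): flat RBAC (users, roles, permissions and sessions), hierarchical RBAC (a senior role inherits the permissions of its junior roles) and constrained RBAC (static separation of duty checked at assignment time, dynamic separation of duty checked when a session activates roles). Permissions are (procedure, data type) pairs in the sense of slide 37; the bank roles, procedures and constraints in `bank_demo()` are constructed around the funds-transfer example of that slide.

```python
# Added example, not from the slides or NIST: flat, hierarchical and constrained RBAC.
# Permissions are (procedure, data type) pairs in the sense of slide 37.
from typing import Dict, FrozenSet, Set, Tuple

Permission = Tuple[str, str]   # e.g. ("transfer", "account")


class RBAC:
    def __init__(self) -> None:
        self.role_perms: Dict[str, Set[Permission]] = {}      # role authorization
        self.user_roles: Dict[str, Set[str]] = {}             # user membership
        self.juniors: Dict[str, Set[str]] = {}                # senior role -> junior roles
        self.ssd: Set[FrozenSet[str]] = set()                 # static separation of duty
        self.dsd: Set[FrozenSet[str]] = set()                 # dynamic separation of duty
        self.sessions: Dict[str, Tuple[str, Set[str]]] = {}   # session -> (user, active roles)

    def add_role(self, role: str, perms=()) -> None:
        self.role_perms.setdefault(role, set()).update(perms)

    def closure(self, roles) -> Set[str]:
        """Transitive closure over the hierarchy: the roles plus every junior role
        they inherit from (a senior role holds all permissions of its juniors)."""
        seen: Set[str] = set()
        stack = list(roles)
        while stack:
            r = stack.pop()
            if r not in seen:
                seen.add(r)
                stack.extend(self.juniors.get(r, ()))
        return seen

    def add_inheritance(self, senior: str, junior: str) -> None:
        if senior in self.closure({junior}):
            raise ValueError("hierarchy would contain a cycle")
        self.juniors.setdefault(senior, set()).add(junior)

    def add_ssd(self, r1: str, r2: str) -> None:
        self.ssd.add(frozenset((r1, r2)))

    def add_dsd(self, r1: str, r2: str) -> None:
        self.dsd.add(frozenset((r1, r2)))

    def assign(self, user: str, role: str) -> None:
        """User membership.  Static SoD is checked on the inherited closure, so a
        user cannot bypass the constraint by holding a senior role instead."""
        held = self.closure(self.user_roles.get(user, set()) | {role})
        for pair in self.ssd:
            if pair <= held:
                raise PermissionError(f"static SoD violated: {sorted(pair)}")
        self.user_roles.setdefault(user, set()).add(role)

    def open_session(self, sid: str, user: str, roles) -> None:
        """Activate a subset of the user's roles (least privilege per session);
        dynamic SoD forbids activating both roles of a pair together."""
        roles = set(roles)
        if not roles <= self.user_roles.get(user, set()):
            raise PermissionError("user is not a member of every requested role")
        active = self.closure(roles)
        for pair in self.dsd:
            if pair <= active:
                raise PermissionError(f"dynamic SoD violated: {sorted(pair)}")
        self.sessions[sid] = (user, roles)

    def check(self, sid: str, perm: Permission) -> bool:
        """Authorization decision: does a role active in the session, or one it
        inherits from, carry the permission?"""
        _user, roles = self.sessions[sid]
        return any(perm in self.role_perms.get(r, set()) for r in self.closure(roles))


def denied(fn, *args) -> bool:
    """True if the operation is refused by a constraint."""
    try:
        fn(*args)
        return False
    except PermissionError:
        return True


def bank_demo() -> RBAC:
    """Constructed bank policy around the funds-transfer procedure of slide 37."""
    m = RBAC()
    m.add_role("teller", {("read", "account")})
    m.add_role("manager", {("transfer", "account")})   # plus everything a teller may do
    m.add_role("auditor", {("audit", "ledger")})
    m.add_role("clerk", {("submit", "transfer")})
    m.add_role("approver", {("approve", "transfer")})
    m.add_inheritance("manager", "teller")
    m.add_ssd("teller", "auditor")     # nobody may hold both, not even via "manager"
    m.add_dsd("clerk", "approver")     # may hold both, but not in the same session
    m.assign("alice", "manager")
    m.assign("bob", "auditor")
    m.assign("carol", "clerk")
    m.assign("carol", "approver")
    m.open_session("s1", "alice", {"manager"})
    m.open_session("s2", "carol", {"clerk"})
    return m


if __name__ == "__main__":
    m = bank_demo()
    print(m.check("s1", ("read", "account")))                              # True, inherited
    print(denied(m.assign, "alice", "auditor"))                            # True, static SoD
    print(denied(m.open_session, "s3", "carol", {"clerk", "approver"}))    # True, dynamic SoD
```

The point worth checking in any RBAC implementation is the one `assign()` makes explicit: separation-of-duty constraints must be evaluated on the inherited closure, otherwise a conflict between two junior roles is silently bypassed by assigning a senior role above one of them.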
43 WhatsApp
Sebastian Schrittwieser, Peter Fruehwirt, Peter Kieseberg, Manuel Leithner, Martin Mulazzani, Markus Huber, and Edgar R. Weippl. Guess who is texting you? Evaluating the security of smartphone messaging applications. In Network and Distributed System Security Symposium (NDSS 2012).
44 Man-in-the-Middle
45 CERTIFICATES?
47 Authentication
50 In Reality
51 Even Worse Code = Hi!
52 Completely Stealthy
53 WowTalk
54 Status Messages
57 iphone/u.php?cc=countrycode&me=phonenumber&s=statusmessage
58-60 Enumeration Attack (three diagram slides)
61 On vacation / Sleeping / At work... / Bleh. / Missing my love! / Heartbroken / Nicaragua in 4 days!! / On my way to Ireland! / at work but not doing shit / I'm never drinking again
63 WhatsApp, eBuddy XMS, WowTalk, Viber, HeyTell, Forfone, Voypi, Tango, EasyTalk
64 Results
65 Summary
- Authentication protocols: 6 out of 9 similar applications had the same problems
- Unintended use (reverse hash in Dropbox)
- Trust in the client application
- Missing input validation
- Everything you should learn in Security 101
- Software obfuscation as a possible temporary solution
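The two summary points "trust in the client application" and "missing input validation", worked as an added Python example against the status endpoint shape of slide 57 (not code from the paper or from any messaging application): `weak_update` takes the caller's identity from the client-supplied `me` parameter, so whoever names a number can set its status; `hardened_update` derives the identity from a token issued at registration and validates the input before storing anything. The server secret, the token construction, the length limit and the phone numbers are all constructed here; that the original endpoint identified the caller by the `me` parameter alone is an assumption drawn from the URL on slide 57.

```python
# Added example, not from the paper or any messaging app: a status-update handler in
# the shape of slide 57 (cc, me, s parameters).  Secret, limits and numbers are constructed.
import hashlib
import hmac
import secrets
from typing import Dict

SERVER_SECRET = secrets.token_bytes(32)     # constructed; lives only on the server
MAX_STATUS_LEN = 139                        # constructed limit
statuses: Dict[str, str] = {}               # number -> status message


def weak_update(params: Dict[str, str]) -> bool:
    """Trusts the client: whoever names a number may set its status."""
    number = params["cc"] + params["me"]
    statuses[number] = params["s"]
    return True


def register(number: str) -> str:
    """Registration (assumed to verify possession of the number out of band) hands
    out a token bound to the number.  The token, not the number, proves identity."""
    return hmac.new(SERVER_SECRET, number.encode(), hashlib.sha256).hexdigest()


def valid_status(text: str) -> bool:
    """Input validation: bounded length, printable text only."""
    return len(text) <= MAX_STATUS_LEN and all(c.isprintable() for c in text)


def hardened_update(params: Dict[str, str], token: str) -> bool:
    """Identity comes from the token, not from the me parameter; malformed input is
    rejected before anything is stored."""
    cc, me, text = params.get("cc", ""), params.get("me", ""), params.get("s", "")
    if not (cc.isdigit() and me.isdigit() and valid_status(text)):
        return False
    number = cc + me
    if not hmac.compare_digest(token, register(number)):
        return False                         # token was not issued for this number
    statuses[number] = text
    return True


def scenario() -> Dict[str, bool]:
    """Constructed numbers: owner holds the token for 43 1234; stranger holds one
    for a different number and tries to set the owner's status."""
    owner_token = register("431234")
    stranger_token = register("439999")
    return {
        "weak_spoof": weak_update({"cc": "43", "me": "1234", "s": "not my status"}),
        "hardened_owner": hardened_update(
            {"cc": "43", "me": "1234", "s": "On vacation"}, owner_token),
        "hardened_spoof": hardened_update(
            {"cc": "43", "me": "1234", "s": "spoofed"}, stranger_token),
        "hardened_bad_input": hardened_update(
            {"cc": "43", "me": "1234", "s": "x" * 500}, owner_token),
    }


if __name__ == "__main__":
    print(scenario())   # weak_spoof True, hardened_owner True, the other two False
```

The same binding belongs on the read side of slides 58-60: a lookup that answers for any number named in the request is what makes enumeration cheap, while one that requires an issued token at least ties every query to an account that can be throttled and audited.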
66 Questions?
- DBSec 2013: March 1
- ARES 2014: submission deadline March 1
- IPICS Summer School: contact me personally (new website not yet available)
67 What can you do?
- Analyze communication protocols
- Reverse engineer applications
- Make guesses on how something could have been implemented and try to confirm or refute them
More informationFINAL DoIT 11.03.2015 - v.4 PAYMENT CARD INDUSTRY DATA SECURITY STANDARDS APPLICATION DEVELOPMENT AND MAINTENANCE PROCEDURES
Purpose: The Department of Information Technology (DoIT) is committed to developing secure applications. DoIT s System Development Methodology (SDM) and Application Development requirements ensure that
More informationDark Clouds on the Horizon: Using Cloud Storage as Attack Vector and Online Slack Space
Dark Clouds on the Horizon: Using Cloud Storage as Attack Vector and Online Slack Space Martin Mulazzani SBA Research Sebastian Schrittwieser SBA Research Edgar Weippl SBA Research Manuel Leithner SBA
More informationEnsuring Data Storage Security in Cloud Computing By IP Address Restriction & Key Authentication
Ensuring Data Storage Security in Cloud Computing By IP Address Restriction & Key Authentication Sanjay Kumar Baghel Mtech Scholar, CSE, CSIT DURG Sanju5878@gmail.com Bhupesh Kumar Dewangan Assistant Professor,CSE,
More informationKey Management Issues in the Cloud Infrastructure
Key Management Issues in the Cloud Infrastructure Dr. R. Chandramouli (Mouli) mouli@nist.gov Dr. Michaela Iorga michaela.iorga@nist.gov (Information Technology Lab, NIST, USA) ARO Workshop on Cloud Computing
More informationA Survey on Cloud Security Issues and Techniques
A Survey on Cloud Security Issues and Techniques Garima Gupta 1, P.R.Laxmi 2 and Shubhanjali Sharma 3 1 Department of Computer Engineering, Government Engineering College, Ajmer Guptagarima09@gmail.com
More informationhttps://elearn.zdresearch.com https://training.zdresearch.com/course/pentesting
https://elearn.zdresearch.com https://training.zdresearch.com/course/pentesting Chapter 1 1. Introducing Penetration Testing 1.1 What is penetration testing 1.2 Different types of test 1.2.1 External Tests
More informationMy FreeScan Vulnerabilities Report
Page 1 of 6 My FreeScan Vulnerabilities Report Print Help For 66.40.6.179 on Feb 07, 008 Thank you for trying FreeScan. Below you'll find the complete results of your scan, including whether or not the
More informationIntroduction to Cloud Computing - 02
Introduction to Cloud Computing - 02 Iván Carrera Institute of Informatics - UFRGS September 2013 Outline Platform as a Service Characteristics PaaS Architecture - Problem* PaaS NIST Recommendations PaaS
More informationSESSION IDENTIFIER ARE FOR NOW, PASSWORDS ARE FOREVER
SESSION IDENTIFIER ARE FOR NOW, PASSWORDS ARE FOREVER XSS-BASED ABUSE OF BROWSER PASSWORD MANAGERS Ben Stock, Martin Johns, Sebastian Lekies Browser choices Full disclosure: Ben was an intern with Microsoft
More informationNear Sheltered and Loyal storage Space Navigating in Cloud
IOSR Journal of Engineering (IOSRJEN) e-issn: 2250-3021, p-issn: 2278-8719 Vol. 3, Issue 8 (August. 2013), V2 PP 01-05 Near Sheltered and Loyal storage Space Navigating in Cloud N.Venkata Krishna, M.Venkata
More informationTufts University. Department of Computer Science. COMP 116 Introduction to Computer Security Fall 2014 Final Project. Guocui Gao Guocui.gao@tufts.
Tufts University Department of Computer Science COMP 116 Introduction to Computer Security Fall 2014 Final Project Investigating Security Issues in Cloud Computing Guocui Gao Guocui.gao@tufts.edu Mentor:
More informationModule 7 Security CS655! 7-1!
Module 7 Security CS655! 7-1! Issues Separation of! Security policies! Precise definition of which entities in the system can take what actions! Security mechanism! Means of enforcing that policy! Distributed
More informationInternational Research Journal of Engineering and Technology (IRJET) e-issn: 2395-0056. Volume: 02 Issue: 05 Aug-2015 www.irjet.net p-issn: 2395-0072
Fear of Cloud Vinnakota Saran Chaitanya 1, G. Harshavardhan Reddy 2 1 UG Final year student, Department of Computer Science and Engineering, G. Pulla Reddy Engineering College, Andhra Pradesh, India 2
More informationDatabase security issues PETRA BILIĆ ALEXANDER SPARBER
Database security issues PETRA BILIĆ ALEXANDER SPARBER Introduction Database security is one aspect of computer security It uses different information security controls to protect databases Information
More informationCloud Security Enterprise Concerns and Mitigations. November 3 rd 2015
Cloud Security Enterprise Concerns and Mitigations November 3 rd 2015 Biography Javed Samuel - Technical Director at NCC Group Lead Training Services Technical Account Manager for various clients Deliver
More informationDISTRIBUTED SYSTEMS [COMP9243] Lecture 9a: Cloud Computing WHAT IS CLOUD COMPUTING? 2
DISTRIBUTED SYSTEMS [COMP9243] Lecture 9a: Cloud Computing Slide 1 Slide 3 A style of computing in which dynamically scalable and often virtualized resources are provided as a service over the Internet.
More informationCourse Content Summary ITN 261 Network Attacks, Computer Crime and Hacking (4 Credits)
Page 1 of 6 Course Content Summary ITN 261 Network Attacks, Computer Crime and Hacking (4 Credits) TNCC Cybersecurity Program web page: http://tncc.edu/programs/cyber-security Course Description: Encompasses
More informationCloud Computing Security Master Seminar, Summer 2011
Cloud Computing Security Master Seminar, Summer 2011 Maxim Schnjakin, Wesam Dawoud, Christian Willems, Ibrahim Takouna Chair for Internet Technologies and Systems Definition of Cloud Computing 2 Cloud
More informationATTACKS ON CLOUD COMPUTING. Nadra Waheed
ATTACKS ON CLOUD COMPUTING 1 Nadra Waheed CONTENT 1. Introduction 2. Cloud computing attacks 3. Cloud TraceBack 4. Evaluation 5. Conclusion 2 INTRODUCTION Today, cloud computing systems are providing a
More informationCS377: Database Systems Data Security and Privacy. Li Xiong Department of Mathematics and Computer Science Emory University
CS377: Database Systems Data Security and Privacy Li Xiong Department of Mathematics and Computer Science Emory University 1 Principles of Data Security CIA Confidentiality Triad Prevent the disclosure
More informationHTTP connections can use transport-layer security (SSL or its successor, TLS) to provide data integrity
Improving File Sharing Security: A Standards Based Approach A Xythos Software White Paper January 2, 2003 Abstract Increasing threats to enterprise networks coupled with an ever-growing dependence upon
More informationA Layperson s Guide To DoS Attacks
A Layperson s Guide To DoS Attacks A Rackspace Whitepaper A Layperson s Guide to DoS Attacks Cover Table of Contents 1. Introduction 2 2. Background on DoS and DDoS Attacks 3 3. Types of DoS Attacks 4
More informationNSA/DHS CAE in IA/CD 2014 Mandatory Knowledge Unit Checklist 4 Year + Programs
Mandatory Knowledge Units 1.0 Core2Y 1.1 Basic Data Analysis The intent of this Knowledge Unit is to provide students with basic abilities to manipulate data into meaningful information. 1.1.1 Topics Summary
More informationEnd to End Defense against Rootkits in Cloud Environment Sachin Shetty
End to End Defense against Rootkits in Cloud Environment Sachin Shetty Associate Professor Electrical and Computer Engineering Director, Cybersecurity Laboratory Tennessee State University Tennessee State
More information1 hours, 30 minutes, 38 seconds Heavy scan. All scanned network resources. Copyright 2001, FTP access obtained
home Network Vulnerabilities Detail Report Grouped by Vulnerability Report Generated by: Symantec NetRecon 3.5 Licensed to: X Serial Number: 0182037567 Machine Scanned from: ZEUS (192.168.1.100) Scan Date:
More informationCloud Computing Flying High (or not) Ben Roper IT Director City of College Station
Cloud Computing Flying High (or not) Ben Roper IT Director City of College Station What is Cloud Computing? http://www.agent-x.com.au/ Wikipedia - the use of computing resources (hardware and software)
More information