AndroSSL: A Platform to Test Android Applications Connection Security
François Gagnon, Marc-Antoine Ferland, Marc-Antoine Fortier, Simon Desloges, Jonathan Ouellet, and Catherine Boileau
Cybersecurity Research Lab, Cégep de Sainte-Foy, Québec, Canada
frgagnon@cegep-ste-foy.qc.ca

Abstract. Developing secure mobile applications is not an easy task, especially when dealing with SSL/TLS, since very few developers have experience with those protocols. This paper presents AndroSSL, an automated platform to assess the security of the SSL/TLS connections established by Android applications. AndroSSL assists mobile application developers by testing their applications against man-in-the-middle attacks and, when an attack succeeds, pinpoints the reason why the application is vulnerable.

Keywords: Privacy, SSL, MitM, Android, Test-Bed, Automated Experiment.

1 Introduction

Mobile application developers face a new and difficult security challenge. While traditional web applications, common in the desktop world, rely on web browsers to manage secure communications, each mobile application must deal with this element on its own. Establishing a secure channel with the SSL/TLS protocol [3] requires the client to check the validity of the SSL certificate received from the server (the terms SSL and TLS are used interchangeably throughout this paper). An application that accepts an invalid certificate allows an attacker to impersonate the real server through a man-in-the-middle (MitM) attack.

The last decade has shown that validating an SSL certificate is a difficult and error-prone task. Even big players (e.g., web browser developers) have a hard time getting it right, as the repeated CVE entries filed against browser certificate validation attest. It would be unrealistic to believe that all (or even most) mobile application developers will rise to the task easily, especially since many mobile applications are developed by non-expert programmers, let alone security specialists.

AndroSSL is a framework that helps mobile developers test their applications for connection security flaws. It relies on virtualization to provide a low-cost and highly automated platform. Moreover, by offering a wide range of tests (in several different contexts), it provides detailed information regarding vulnerabilities in the certificate validation process.
The paper is structured as follows: Section 2 provides an overview of AndroSSL, while Section 3 details the methodology used to mount MitM attacks. Section 4 discusses related work. Finally, Section 5 concludes with a summary of our findings and an outlook on future work.

2 Experiment Test-Bed

The objective of AndroSSL is to perform automated SSL MitM attacks against Android applications. When a MitM attack succeeds, it stands as proof that the application is vulnerable. Automation makes AndroSSL interesting for non-security experts (e.g., mobile app developers), since AndroSSL users do not have to worry about the inner workings of security protocols.

To automate its process, AndroSSL uses the AVP test-bed, which relies heavily on virtualization. Android virtual devices (AVDs) running on the Google QEMU emulator host the applications under test, while standard virtual machines running in VMware Workstation host the required custom servers (e.g., DNS, gateway, fake SSL server). AndroSSL runs on any machine capable of running the Android Development Kit.

When testing the security of an application, AndroSSL goes through eight steps:
1. Load a scenario describing the experiment.
2. Configure the network services needed (e.g., DNS, fake SSL server).
3. Start an AVD.
4. Install the targeted Android application and launch it.
5. Start recording different aspects of the experiment (e.g., network traffic, the Android internal log (logcat), screenshots of the AVD).
6. Interact with the application to trigger a legitimate login attempt.
7. Serve a fake SSL certificate to the application, i.e., a certificate that should be considered invalid from the application's point of view.
8. Analyze the experiment logs to determine whether a security flaw was successfully exploited.

The experiment specification (scenario) is given to the system as an XML file. The scenario indicates which AVDs to use for the experiment, what information is to be recorded (e.g., network traffic, logcat) and what actions are to be performed on the AVDs. During the execution phase, AVP manipulates the AVDs through the instrumentation of various Android virtualization technologies: it runs the AVDs with their applications and then collects the experiment data. AVP supports a wide range of actions and data collection capabilities. For AndroSSL, the most important actions are start/stop AVDs (with the possibility to use snapshots) and install/start applications; the data gathering capabilities it relies on are network traffic recording and Android logcat recording. Once the experiment is over, post-analysis of the log files can be performed, see Section 3.2.
2.1 User Simulation

The most challenging requirement AndroSSL places on its test-bed is proper user simulation, needed to lead an application to a specific state in order to trigger remote (possibly secure) connections. Our approach has been to manually pre-record (only once for each app) the sequence of actions leading the application to initiate a secure connection, then replay this action sequence automatically (as many times as needed) in AndroSSL experiments. Although this introduces manual intervention, it does not deviate from the objective of AndroSSL, which is to help developers test their apps automatically. Indeed, not every developer has the knowledge to mount a MitM attack or to analyze and interpret the network traffic and logs, but it is easy for them to record their intended action sequence.

3 Methodology

The methodology behind AndroSSL has two components: the various scenarios used to attack the tested applications, and the analysis of the collected data to determine whether an attack was successful. Since some results will be discussed, a description of the experiment dataset comes first.

3.1 Dataset

AndroSSL has been used to test 90 Android applications against 6 different attack scenarios. All these applications required Internet access and were downloaded from the top 500 most popular apps of each category on the Google Play Store.

3.2 Analysis

Three components are considered during the automated analysis of a run (that is, one application tested against one attack scenario): the SSL server logs, the network traffic and logcat. When the SSL handshake is completed with the fake server, the success of the MitM is confirmed; hence, the server logs are a good source of information. The network traffic is analyzed to find the plain password or a standard unsalted hash of it. This method also catches applications that do not use SSL at all to exchange credentials. Custom or salted hashes are more difficult to handle: in these cases, a heuristic search for keywords could be used, but manual confirmation would be required.

Initially, logcat was not intended to be part of our result analysis. During the development phase, a search query was run by mistake on the logcat output file and returned surprising results: the password we used was broadcast inside the AVD by a number of apps (10 out of 90). It turns out that those apps were relying on an API to query the server. Whether that API uses SSL properly to send the credentials to the server is also tested by AndroSSL. The broadcast of credentials inside an Android device is problematic, as another installed application could manage to receive those broadcasts (e.g., the CatLog Logcat Reader app), although since Android 4.3 root privileges are required to access logcat.
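The search described above (the known test password in the clear, or as a standard unsalted digest, in captured traffic and logcat) can be scripted as follows. This is an added example, not AndroSSL's own analysis code: the captured payloads, the logcat line and the test password are constructed here, and the credential-field heuristic used to flag a probable salted or custom hash for manual review is an assumption about what such a keyword search would look for.

```python
import base64
import hashlib
import re
from urllib.parse import quote, quote_plus

# The password typed during the pre-recorded login sequence (constructed).
TEST_PASSWORD = "S3cret!Pass"


def credential_fingerprints(password: str) -> dict:
    """Every form the known test password may take on the wire or in logcat:
    verbatim, URL-encoded, and as a standard unsalted digest (hex in either
    case, or base64 of the raw digest)."""
    raw = password.encode("utf-8")
    forms = {
        "plain": password,
        "urlencoded": quote(raw, safe=""),
        "formencoded": quote_plus(password),
    }
    for algo in ("md5", "sha1", "sha256"):
        digest = hashlib.new(algo, raw).digest()
        forms[f"{algo}-hex"] = digest.hex()
        forms[f"{algo}-HEX"] = digest.hex().upper()
        forms[f"{algo}-b64"] = base64.b64encode(digest).decode("ascii")
    return forms


# Field names that usually carry a credential (assumed heuristic). A value in
# such a field that matches no fingerprint is probably a salted or custom
# hash and needs manual confirmation, as noted in the text.
CRED_FIELD = re.compile(r'(?i)\b(?:pass(?:word|wd)?|pwd|secret)\b\s*[=:]\s*"?([^&"\s,}]+)')

CLEARTEXT_FORMS = {"plain", "urlencoded", "formencoded"}


def scan_payload(payload: str, password: str = TEST_PASSWORD) -> dict:
    """Classify one cleartext artefact (an HTTP body, a query string or a
    logcat line) captured during a run."""
    matches = sorted(label for label, form in credential_fingerprints(password).items()
                     if form in payload)
    if CLEARTEXT_FORMS & set(matches):
        verdict = "cleartext"
    elif matches:
        verdict = "unsalted-hash"
    elif CRED_FIELD.search(payload):
        verdict = "needs-review"
    else:
        verdict = "clean"
    return {"verdict": verdict, "matches": matches}


def scan_capture(artefacts: dict, password: str = TEST_PASSWORD) -> dict:
    """Run scan_payload over every artefact of a run; keys are whatever the
    capture step named them (a TCP stream id, a logcat line number, ...)."""
    return {name: scan_payload(text, password) for name, text in artefacts.items()}


# Constructed artefacts standing in for what the capture step would produce.
SAMPLE_RUN = {
    "http-stream-1": "user=alice&password=S3cret%21Pass&remember=1",
    "http-stream-2": '{"u":"alice","p":"' + hashlib.md5(b"S3cret!Pass").hexdigest() + '"}',
    "logcat-4711": "D/LoginApi( 1234): POST /login user=alice pass=S3cret!Pass",
    "http-stream-3": "user=alice&pwd=3a7bd3e2360a3d29eea436fcfb7e44c735d117c4",
    "http-stream-4": "user=alice&token=a1b2c3d4",
}

if __name__ == "__main__":
    for name, result in scan_capture(SAMPLE_RUN).items():
        print(f"{name:15} {result['verdict']:14} {', '.join(result['matches'])}")
```

Only the first three verdicts are conclusive on their own; "needs-review" is the case the text describes as requiring manual confirmation, and a run whose artefacts are all "clean" says nothing about certificate validation, which is what the fake SSL server's handshake log establishes.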
3.3 Attack Scenarios

The chosen apps have been tested against 6 attack scenarios. These scenarios, as well as the results, are presented below.

Actual Server. The first scenario consists of letting the application connect to its actual server without any attempt to attack the app. No particular network configuration is required here, and no meaningful results were expected. However, the analysis of the network traffic turned out to be quite rich: 9 apps send the user's password in the clear to the server, so anyone capturing the network traffic would catch the credentials, and 1 app hashes the user's password (SHA-256, unsalted) before sending it to the server unencrypted.

Static URL. Two attack scenarios build the certificate using a static hostname, that is, a hostname unrelated to the URL requested by the application. The network configuration of Figure 1 is used for these scenarios: the app queries a fake DNS (step 1), which redirects the traffic to our fake SSL server (step 2), and every SSL connection is served using the same static certificate (step 3). Two test cases rely on a static certificate.

Fig. 1. Static URL Network Configuration

Self-Signed. This scenario is the easiest SSL MitM for an attacker to perform: create a self-signed certificate for a random hostname and use that certificate for the attack. Figure 1 shows the underlying network configuration. Applications vulnerable to this attack are broken at two levels: chain validation (the certificate is self-signed) and source validation (the certificate is not for the expected hostname). 8 apps were vulnerable to this attack: 2 hash the password with MD5 (unsalted), the other 6 do not hash it.

Valid. This scenario is also easy for an attacker to perform: obtain a valid certificate for a domain you really own (15 minutes and 15 dollars) and use that certificate for the attack. Being a static case, the network configuration of Figure 1 is used again. Applications vulnerable to this attack are broken at source validation (the certificate chain is legitimate, but the certificate is not for the expected hostname). The same 8 apps as in the previous case fell for this attack.
Dynamic URL. Three attack scenarios build the certificate using a dynamic hostname, that is, a hostname related to the URL requested by the application. For the test cases requiring a dynamic certificate (i.e., where the certificate's hostname matches the one requested by the application), a more complex network configuration is deployed, see Figure 2. The DNS server hands out sequential IP addresses, incrementing the last byte by one at every request (step 1 in Figure 2): the first request receives an address whose last byte is 1, the second an address whose last byte is 2, and so on. Then, a gateway (iptables) redirects SSL traffic towards the fake SSL server, but to a specific port (steps 2 and 3). For instance, an address ending in .1 is redirected to port 11001, while an address ending in .255 is redirected to port 11255; the last three digits of the port match the last byte of the IP address. When the SSL server receives a request on port 11xyz, it can associate this request with the URL originally requested from the DNS server (port 11xyz implies an IP address ending in xyz, which can then be matched to a URL in the DNS server's memory). Hence, the server is able to dynamically construct an SSL certificate with the expected hostname (step 4).

Fig. 2. Dynamic URL Network Configuration

Self-Signed. This scenario requires generating a self-signed certificate at runtime for the specific hostname requested by the app. Applications vulnerable to this attack are broken at chain validation (the certificate is self-signed). 12 applications fell for the attack, including the 8 discussed in the previous (static URL) attacks. The 4 new vulnerable applications validate the hostname properly but not the chain (none of them hashes the password). The others were already known to be broken for both hostname and chain validation.

Signed by Self-Signed. A self-signed certificate is generated once. Then, for each request, a certificate is generated for the corresponding hostname and signed by the self-signed one. Applications vulnerable to this attack are broken at chain validation.
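The bookkeeping that ties the three boxes of Figure 2 together (the fake DNS allocating addresses, the gateway mapping each address to a port, the fake SSL server turning the port back into the hostname to certify) is written out here as an added example; it is not AVP's or AndroSSL's code. The lab network 10.42.0.0/24, the fake server address 10.42.1.1 and the iptables DNAT rule syntax are assumptions: the text only states that a gateway built on iptables does the redirection. One deliberate deviation from the text: a hostname resolved twice gets the same address back, so repeated lookups from the AVD cannot exhaust the pool or confuse the port-to-hostname lookup.

```python
import ipaddress


class DynamicUrlMapper:
    """Shared state for the Dynamic URL setup: the fake DNS allocates
    addresses, the gateway maps each address to a port on the fake SSL
    server, and the SSL server recovers from the port the hostname it must
    put in the certificate it generates."""

    BASE_PORT = 11000  # port 11xyz serves the address whose last byte is xyz

    def __init__(self, network="10.42.0.0/24", fake_server="10.42.1.1"):
        self.net = ipaddress.ip_network(network)  # assumed lab network
        self.fake_server = fake_server           # assumed fake SSL server address
        self.ip_by_host = {}    # hostname -> allocated address
        self.host_by_last = {}  # last byte of the address -> hostname
        self.next_last = 1      # .0 is the network address, .255 the broadcast

    def resolve(self, hostname: str) -> str:
        """Fake DNS: answer with the next sequential address, remembering
        which hostname it stands for."""
        hostname = hostname.lower().rstrip(".")
        if hostname in self.ip_by_host:
            return self.ip_by_host[hostname]
        if self.next_last > 254:
            raise RuntimeError("address pool exhausted; reset the mapper between runs")
        ip = str(self.net.network_address + self.next_last)
        self.ip_by_host[hostname] = ip
        self.host_by_last[self.next_last] = hostname
        self.next_last += 1
        return ip

    @classmethod
    def port_for(cls, ip: str) -> int:
        """Gateway: the fake-server port for an address (last byte -> 11xyz)."""
        return cls.BASE_PORT + int(ipaddress.ip_address(ip)) % 256

    def gateway_rule(self, ip: str) -> str:
        """One iptables DNAT rule (assumed syntax) sending TLS traffic for an
        allocated address to the matching port on the fake SSL server."""
        return (f"iptables -t nat -A PREROUTING -p tcp -d {ip} --dport 443 "
                f"-j DNAT --to-destination {self.fake_server}:{self.port_for(ip)}")

    def hostname_for_port(self, port: int) -> str:
        """Fake SSL server: recover the hostname originally requested from
        the DNS server, i.e. the name to put in the generated certificate."""
        last = port - self.BASE_PORT
        if last not in self.host_by_last:
            raise LookupError(f"port {port} was never allocated by the DNS server")
        return self.host_by_last[last]


if __name__ == "__main__":
    mapper = DynamicUrlMapper()
    for host in ("api.example.net", "login.example.net"):  # constructed lookups
        ip = mapper.resolve(host)
        port = mapper.port_for(ip)
        print(mapper.gateway_rule(ip))
        print(f"  port {port} -> certificate for {mapper.hostname_for_port(port)}")
```

Because iptables cannot derive the destination port from the address arithmetically, the gateway needs one DNAT rule per allocated address (or a pre-installed rule for each of the 254 addresses); the mapper's own limit of 254 hosts per run is the consequence of packing the address into three port digits.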
The same 12 apps as in the previous case fell for this attack.

Signed by Real. A real certificate is first obtained for a controlled URL (as in the static Valid scenario). Then, for each request, a certificate is generated for the corresponding hostname and signed by the real certificate. Applications vulnerable to this attack are broken at chain validation for one specific check: a real end-entity certificate should not have the authority to sign other certificates (it is neither a root nor an intermediate certificate; it is a leaf, whose basicConstraints extension does not mark it as a CA). 12 applications fell for the attack, the same 12 as in the previous scenario.

Other Scenarios. Since there are so many subtleties in validating SSL certificates, other scenarios will be created to test different flaws (e.g., expired certificates).

4 Related Work

Georgiev et al. [6] performed a manual analysis of popular security libraries and concluded that SSL certificate validation is completely broken in non-browser software. Their analysis is not targeted at Android applications and is fully manual; hence, this method is not appropriate for average developers testing their apps.

Fahl et al. [4] proposed an automated approach relying on static analysis of Android application source code to find potential SSL certificate validation problems. An automated static analysis of Android applications by their Mallodroid tool flagged a portion of them as potentially vulnerable to MitM attacks. Furthermore, manual MitM attacks were performed on a subset of 100 potentially vulnerable apps, which confirmed 41 as vulnerable to MitM. Although the static analysis is automatic, manual work by a security expert is needed to avoid false positives (apps flagged as vulnerable while they cannot be exploited). Again, this is not entirely suitable for a developer seeking to test their own apps.

Brubaker et al. [1] propose a technique to automatically test certificate validation in SSL libraries. They target library implementations and not (Android) applications. Having correct SSL libraries is essential, because apps using a broken library risk inheriting its vulnerabilities. However, perfect libraries do not mean vulnerability-free applications, as developers can misuse libraries and introduce vulnerabilities.
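The inference that each scenario of Section 3.3 supports (which validation check must be broken for the MitM to succeed) can be written out as follows. This is an added example, not part of AndroSSL: the scenario labels are mine, and the consistency rules at the end are my addition. They encode the implications the six scenarios impose on each other, so an outcome pattern that violates one (for instance, a self-signed certificate for the wrong hostname accepted while a valid certificate for the wrong hostname is refused) is flagged for manual review instead of being reported as a diagnosis.

```python
# Scenario labels (mine) for the scenarios of Section 3.3.
ACTUAL_SERVER = "actual-server"
STATIC_SELF_SIGNED = "static/self-signed"
STATIC_VALID = "static/valid"
DYNAMIC_SELF_SIGNED = "dynamic/self-signed"
DYNAMIC_SIGNED_BY_SELF_SIGNED = "dynamic/signed-by-self-signed"
DYNAMIC_SIGNED_BY_REAL = "dynamic/signed-by-real"
MITM_SCENARIOS = frozenset({STATIC_SELF_SIGNED, STATIC_VALID, DYNAMIC_SELF_SIGNED,
                            DYNAMIC_SIGNED_BY_SELF_SIGNED, DYNAMIC_SIGNED_BY_REAL})

# If the MitM succeeds in the first scenario it is expected to succeed in the
# second, because the second certificate is "less wrong" than the first.
# These are my consistency rules, not the paper's.
EXPECTED_IMPLICATIONS = (
    (STATIC_SELF_SIGNED, STATIC_VALID),                 # wrong name + bad chain -> wrong name only
    (STATIC_SELF_SIGNED, DYNAMIC_SELF_SIGNED),          # wrong name + bad chain -> bad chain only
    (DYNAMIC_SELF_SIGNED, DYNAMIC_SIGNED_BY_SELF_SIGNED),     # no chain check at all...
    (DYNAMIC_SIGNED_BY_SELF_SIGNED, DYNAMIC_SIGNED_BY_REAL),  # ...so a leaf issuer passes too
)


def diagnose(mitm_succeeded, credential_on_wire=None):
    """mitm_succeeded: the scenarios in which the fake SSL server completed
    the handshake with the app.  credential_on_wire: what the Actual Server
    run showed on the network ('clear', 'unsalted-hash' or None)."""
    succeeded = set(mitm_succeeded)
    unknown = succeeded - MITM_SCENARIOS - {ACTUAL_SERVER}
    if unknown:
        raise ValueError(f"unknown scenario(s): {sorted(unknown)}")

    checks = {"hostname": "ok", "chain": "ok", "issuer-is-ca": "ok"}
    # A certificate for another hostname was accepted: no hostname check.
    if succeeded & {STATIC_SELF_SIGNED, STATIC_VALID}:
        checks["hostname"] = "broken"
    # An untrusted chain was accepted: no chain check.
    if succeeded & {STATIC_SELF_SIGNED, DYNAMIC_SELF_SIGNED, DYNAMIC_SIGNED_BY_SELF_SIGNED}:
        checks["chain"] = "broken"
    # A certificate issued by an end-entity certificate was accepted: the
    # chain may be followed, but the issuer's CA authority is not verified.
    if DYNAMIC_SIGNED_BY_REAL in succeeded:
        checks["issuer-is-ca"] = "broken"

    needs_review = [f"{a} succeeded but {b} did not"
                    for a, b in EXPECTED_IMPLICATIONS
                    if a in succeeded and b not in succeeded]

    vulnerable = bool(succeeded & MITM_SCENARIOS) or credential_on_wire is not None
    return {"vulnerable": vulnerable, "checks": checks,
            "credential_on_wire": credential_on_wire, "needs_review": needs_review}


if __name__ == "__main__":
    # The two classes the paper reports: broken at both levels, and
    # hostname checked but chain not.
    print(diagnose(MITM_SCENARIOS))
    print(diagnose({DYNAMIC_SELF_SIGNED, DYNAMIC_SIGNED_BY_SELF_SIGNED,
                    DYNAMIC_SIGNED_BY_REAL}))
    print(diagnose(set(), credential_on_wire="clear"))
```

A handshake that succeeds only in the Signed by Real scenario is the most interesting single result, since it means the app walks the chain to a trusted root but never checks that each issuer is allowed to issue; the other two dynamic scenarios cannot distinguish that from having no chain check at all.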
Hence, testing applications and SSL libraries for vulnerabilities is complementary.

Onwuzurike and De Cristofaro [7] manually tested 100 Android apps for MitM attacks; 32 accepted invalid certificates, opening the door to a MitM attack. Their conclusion is that "...[there is a] need to give developers more effective tools that can help them detect and fix issues before the app is in production...".

Fahl et al. [5] propose a way to improve the security of mobile applications by changing development practices related to SSL connection handling. Although this major step would certainly have a positive outcome, exhaustive testing will always play an important role (especially in security-sensitive areas where new flaws are yet to be discovered).

Google released the nogotofail [2] tool to test client-side SSL certificate validation. A few differences with AndroSSL are worth mentioning. nogotofail provides no automation for user interaction on the client side: the user interaction has to be done (and repeated) entirely manually. Having no automation for user interaction also means nogotofail is not limited to Android applications; it can be used to test any client. nogotofail is not limited to client-side certificate validation either, as it includes bugs like Heartbleed, POODLE and gotofail. It seems that two scenarios are built into nogotofail to test client-side certificate validation: one static (Invalid Hostname Certificate [2]) and one dynamic (hinted at in [8]). It is not clear how easily nogotofail can be extended with other scenarios.

Sounthiraraj et al. [9] proposed an approach similar to AndroSSL, where the experiment is fully automated and no security expert is required. However, the methodology of SMV-Hunter differs from AndroSSL's, making the two approaches complementary. SMV-Hunter's fully automated support is a great advantage, especially for large-scale analysis. However, when SMV-Hunter fails (complex UI controls, invalid heuristic path), AndroSSL could take over to provide more precise control of the user interaction. AndroSSL also provides a more exhaustive set of test scenarios, using a variety of certificates and different network configurations (while SMV-Hunter tests a single attack scenario). Having multiple scenarios allows AndroSSL to provide precise information regarding the certificate validation vulnerabilities in an application. For instance, a few of the applications tested were successfully attacked in the dynamic URL setup while the attempts failed in the static URL setup. This leads to the conclusion that those applications validate the certificate's hostname but do not properly validate the signature chain.

5 Conclusion

The main lesson we learned from our experimentation is that mobile application developers are not aware of the security challenges they face. Some applications, not even relying on SSL, are just too easy to attack. Tools such as AndroSSL should facilitate security testing for mobile app developers.

5.1 Summary Results

Table 1. Result Summary

Network Configuration | Test Case                                          | Vulnerable Apps                                   | Nb
Actual Server         | Logcat                                             | 3, 4, 34, 35, 36, 37, 54, 72, 73                  | 9
Actual Server         | Network                                            | 3, 34, 35, 36, 37, 54, 63, 67, 70, ...            | 10
Static URL            | Self-Signed; Valid                                 | 14, 16, 46H, 53H, 64, 68, 87, 89                  | 8
Dynamic URL           | Self-Signed; Signed by Self-Signed; Signed by Real | 9, 14, 16, 25, 26, 46H, 53H, 64, 68, 87, 89, ...  | 12
Total                 |                                                    |                                                   | 25

Table 1 provides a summary of the problems found automatically by AndroSSL when testing 90 popular Android applications. For each test case, the list of vulnerable apps is given (each app being represented by a numeric ID; the last ID of the Network and Dynamic URL rows is missing from the available transcription). Apps vulnerable to a single experiment only (shown in bold in the original table) illustrate the need for a multi-test-case approach, and the subscript H indicates apps hashing the password client-side (without salt). The apps appearing more than once (e.g., 14 and 34) have multiple weaknesses: 14 validates neither the certificate hostname nor the chain, while 34 sends the clear password into the Android log and also on the network. Overall, AndroSSL determined that 25 apps have a vulnerability. If we remove the apps that only send the password into the Android log (although this is problematic and should be addressed, we consider this flaw more difficult to exploit), we are still left with 10 apps that sent the user credentials through the network over a non-encrypted channel. Another 12 apps have a broken SSL certificate validation procedure: 8 accept a certificate with an invalid hostname and an invalid chain, while the other 4 accept certificates with an invalid chain as long as they carry the proper hostname.

5.2 Future Work

Several tasks are planned to continue the development of AndroSSL. Adding new network configurations is a definite priority, particularly the possibility to hijack SSL connections only (and to target a single URL) while letting non-SSL connections flow to the legitimate server. This will provide a better understanding of the conditions required for a successful MitM attack and should allow for more successful attacks. Adding new test cases (i.e., new "fake" certificates) is an ongoing task, as there are many subtle cases worth testing.

References

1. Brubaker, C., Jana, S., Ray, B., Khurshid, S., Shmatikov, V.: Using Frankencerts for automated adversarial testing of certificate validation in SSL/TLS implementations. In: Proceedings of the 2014 IEEE Symposium on Security and Privacy (SP) (2014)
2. Brubaker, C., Klyubin, A., Condra, G.: nogotofail (2014)
3. Dierks, T., Rescorla, E.: RFC 5246: The Transport Layer Security (TLS) Protocol Version 1.2 (2008)
4. Fahl, S., Harbach, M., Muders, T., Smith, M., Baumgärtner, L., Freisleben, B.: Why Eve and Mallory love Android: An analysis of Android SSL (in)security. In: Proceedings of the 2012 ACM Conference on Computer and Communications Security (CCS '12) (2012)
5. Fahl, S., Harbach, M., Perl, H., Koetter, M., Smith, M.: Rethinking SSL development in an appified world. In: Proceedings of the 2013 ACM Conference on Computer and Communications Security (CCS '13) (2013)
6. Georgiev, M., Iyengar, S., Jana, S., Anubhai, R., Boneh, D., Shmatikov, V.: The most dangerous code in the world: Validating SSL certificates in non-browser software. In: Proceedings of the 2012 ACM Conference on Computer and Communications Security (CCS '12) (2012)
7. Onwuzurike, L., De Cristofaro, E.: Danger is my middle name: Experimenting with SSL vulnerabilities in Android apps. In: Proceedings of the 2015 ACM Conference on Security and Privacy in Wireless and Mobile Networks (WiSec '15) (2015)
8. Sillars, D.: Using nogotofail to find issues with your HTTPS connections. http://developerboards.att.lithium.com/t5/at-t-developer-program-blogs/usingnogotofail-to-find-issues-with-your-https-connections/ba-p/39891 (2015)
9. Sounthiraraj, D., Sahs, J., Lin, Z., Khan, L., Greenwood, G.: SMV-Hunter: Large scale, automated detection of SSL/TLS man-in-the-middle vulnerabilities in Android apps. In: Proceedings of the 2014 Network and Distributed System Security Symposium (NDSS '14) (2014)
GOV.UK Guidance BYOD Guidance: BlackBerry Secure Work Space Published 17 February 2015 Contents 1. About this guidance 2. Summary of key risks 3. Secure Work Space components 4. Technical assessment 5.
More informationqliqdirect Active Directory Guide
qliqdirect Active Directory Guide qliqdirect is a Windows Service with Active Directory Interface. qliqdirect resides in your network/server and communicates with qliqsoft cloud servers securely. qliqdirect
More informationFaking Extended Validation SSL Certificates in Internet Explorer 7
Page 1 of 11 Faking Extended Validation SSL Certificates in Internet Explorer 7 June 7 th 2007, V1.1 Martin Christinat, CTO, christinat@.ch Abstract Extended Validation (EV) SSL certificates are a new
More informationBlackBerry Enterprise Service 10. Universal Device Service Version: 10.2. Administration Guide
BlackBerry Enterprise Service 10 Universal Service Version: 10.2 Administration Guide Published: 2015-02-24 SWD-20150223125016631 Contents 1 Introduction...9 About this guide...10 What is BlackBerry
More informationAdobe Marketing Cloud Bloodhound for Mac 3.0
Adobe Marketing Cloud Bloodhound for Mac 3.0 Contents Adobe Bloodhound for Mac 3.x for OSX...3 Getting Started...4 Processing Rules Mapping...6 Enable SSL...7 View Hits...8 Save Hits into a Test...9 Compare
More informationConcierge SIEM Reporting Overview
Concierge SIEM Reporting Overview Table of Contents Introduction... 2 Inventory View... 3 Internal Traffic View (IP Flow Data)... 4 External Traffic View (HTTP, SSL and DNS)... 5 Risk View (IPS Alerts
More informationContents. Identity Assurance (Scott Rea Dartmouth College) IdM Workshop, Brisbane Australia, August 19, 2008
Identity Assurance (Scott Rea Dartmouth College) IdM Workshop, Brisbane Australia, August 19, 2008 Contents Authentication and Identity Assurance The Identity Assurance continuum Plain Password Authentication
More informationSascha Fahl, Marian Harbach, Matthew Smith. Usable Security and Privacy Lab Leibniz Universität Hannover
Hunting Down Broken SSL in Android Apps Sascha Fahl, Marian Harbach, Matthew Smith Usable Security and Privacy Lab Leibniz Universität Hannover OWASP AppSec 2013 Seite 1 Appification There s an App for
More informationHTTP Mutual authentication and Web security
HTTP Mutual authentication and Web security Yutaka OIWA SAAG, IETF 80 Prague Web security Its importance no need to say Transaction security (credit card, PayPal etc.) User data privacy Most online consumer
More informationLab Exercise SSL/TLS. Objective. Requirements. Step 1: Capture a Trace
Lab Exercise SSL/TLS Objective To observe SSL/TLS (Secure Sockets Layer / Transport Layer Security) in action. SSL/TLS is used to secure TCP connections, and it is widely used as part of the secure web:
More informationCrashPlan Security SECURITY CONTEXT TECHNOLOGY
TECHNICAL SPECIFICATIONS CrashPlan Security CrashPlan is a continuous, multi-destination solution engineered to back up mission-critical data whenever and wherever it is created. Because mobile laptops
More informationOnline Data Services. Security Guidelines. Online Data Services by Esri UK. Security Best Practice
Online Data Services Security Guidelines Online Data Services by Esri UK Security Best Practice 28 November 2014 Contents Contents... 1 1. Introduction... 2 2. Data Service Accounts, Security and Fair
More informationExploiting Transparent User Identification Systems
Exploiting Transparent User Identification Systems Wayne Murphy Benjamin Burns Version 1.0a 1 CONTENTS 1.0 Introduction... 3 1.1 Project Objectives... 3 2.0 Brief Summary of Findings... 4 3.0 Background
More informationA Real-Life Man-in-the-Middle Attack on SSL
A Real-Life Man-in-the-Middle Attack on SSL Ted Shorter, Certified Security Solutions February 15, 2005 4:30pm Agenda Spyware product Analysis Work originated while helping CSS client Ways to address the
More informationDreamFactory on Microsoft SQL Azure
DreamFactory on Microsoft SQL Azure Account Setup and Installation Guide For general information about the Azure platform, go to http://www.microsoft.com/windowsazure/. For general information about the
More informationOverview Most of the documentation out there on the transition from SHA-1 certificates to SHA-2 certificates will tell you three things:
SHA-1 Versus SHA-2 Overview Most of the documentation out there on the transition from SHA-1 certificates to SHA-2 certificates will tell you three things: - Breaking SHA-1 is not yet practical but will
More informationChapter 7 Transport-Level Security
Cryptography and Network Security Chapter 7 Transport-Level Security Lectured by Nguyễn Đức Thái Outline Web Security Issues Security Socket Layer (SSL) Transport Layer Security (TLS) HTTPS Secure Shell
More informationKaspersky Fraud Prevention: a Comprehensive Protection Solution for Online and Mobile Banking
Kaspersky Fraud Prevention: a Comprehensive Protection Solution for Online and Mobile Banking Today s bank customers can perform most of their financial activities online. According to a global survey
More informationDashlane Security Whitepaper
Dashlane Security Whitepaper November 2014 Protection of User Data in Dashlane Protection of User Data in Dashlane relies on 3 separate secrets: The User Master Password Never stored locally nor remotely.
More informationProto Balance SSL TLS Off-Loading, Load Balancing. User Manual - SSL. http://www.protonet.co.za/
Proto Balance SSL TLS Off-Loading, Load Balancing http://www.protonet.co.za/ User Manual - SSL Copyright c 2003-2010 Shine The Way 238 CC. All rights reserved. March 13, 2010 Contents 1. Introduction........................................................................
More informationS E C U R I T Y A S S E S S M E N T : B o m g a r A p p l i a n c e s
S E C U R I T Y A S S E S S M E N T : B o m g a r A p p l i a n c e s During the period between November 2012 and March 2013, Symantec Consulting Services partnered with Bomgar to assess the security
More informationWPAD TECHNOLOGY WEAKNESSES. Sergey Rublev Expert in information security, "Positive Technologies" (srublev@ptsecurity.ru)
WPAD TECHNOLOGY WEAKNESSES Sergey Rublev Expert in information security, "Positive Technologies" (srublev@ptsecurity.ru) MOSCOW 2009 CONTENTS 1 INTRODUCTION... 3 2 WPAD REVIEW... 4 2.1 PROXY AUTO CONFIGURATION
More informationOPENID AUTHENTICATION SECURITY
OPENID AUTHENTICATION SECURITY Erik Lagercrantz and Patrik Sternudd Uppsala, May 17 2009 1 ABSTRACT This documents gives an introduction to OpenID, which is a system for centralised online authentication.
More informationAnalyzing DANE's Response to Known DNSsec Vulnerabilities
Analyzing DANE's Response to Known DNSsec Vulnerabilities Matthew Henry Joseph Kirik Emily Scheerer UMBC UMBC UMBC henmatt1@umbc.edu joskir1@umbc.edu semily1@umbc.edu May 9, 2014 Abstract: SSL/TLS is currently
More informationSSL Server Rating Guide
SSL Server Rating Guide version 2009j (20 May 2015) Copyright 2009-2015 Qualys SSL Labs (www.ssllabs.com) Abstract The Secure Sockets Layer (SSL) protocol is a standard for encrypted network communication.
More informationDomino and Internet. Security. IBM Collaboration Solutions. Ask the Experts 12/16/2014
Domino and Internet Ask the Experts 12/16/2014 Security IBM Collaboration Solutions Agenda Overview of internet encryption technology Domino's implementation of encryption Demonstration of enabling an
More informationIndusGuard Web Application Firewall Test Drive User Registration
IndusGuard Web Application Firewall Test Drive User Registration Document Version 1.0 24/06/2015 Confidentiality INDUSFACE HAS PREPARED THIS DOCUMENT FOR INTERNAL PURPOSE. NEITHER THIS DOCUMENT NOR ITS
More informationLayered security in authentication. An effective defense against Phishing and Pharming
1 Layered security in authentication. An effective defense against Phishing and Pharming The most widely used authentication method is the username and password. The advantages in usability for users offered
More informationPowerChute TM Network Shutdown Security Features & Deployment
PowerChute TM Network Shutdown Security Features & Deployment By David Grehan, Sarah Jane Hannon ABSTRACT PowerChute TM Network Shutdown (PowerChute) software works in conjunction with the UPS Network
More informationData Collection and Analysis: Get End-to-End Security with Cisco Connected Analytics for Network Deployment
White Paper Data Collection and Analysis: Get End-to-End Security with Cisco Connected Analytics for Network Deployment Cisco Connected Analytics for Network Deployment (CAND) is Cisco hosted, subscription-based
More informationEthical Hacking as a Professional Penetration Testing Technique
Ethical Hacking as a Professional Penetration Testing Technique Rochester ISSA Chapter Rochester OWASP Chapter - Durkee Consulting, Inc. info@rd1.net 2 Background Founder of Durkee Consulting since 1996
More informationSSL/TLS: The Ugly Truth
SSL/TLS: The Ugly Truth Examining the flaws in SSL/TLS protocols, and the use of certificate authorities. Adrian Hayter CNS Hut 3 Team adrian.hayter@cnsuk.co.uk Contents Introduction to SSL/TLS Cryptography
More informationVMware vcenter Log Insight Getting Started Guide
VMware vcenter Log Insight Getting Started Guide vcenter Log Insight 1.5 This document supports the version of each product listed and supports all subsequent versions until the document is replaced by
More informationSmartphone Pentest Framework v0.1. User Guide
Smartphone Pentest Framework v0.1 User Guide 1 Introduction: The Smartphone Pentest Framework (SPF) is an open source tool designed to allow users to assess the security posture of the smartphones deployed
More informationHow To Set Up The Barclaycard Epdq Cardholder Payment Interface (Cpi) On Papercut (Barclay Card) On A Microsoft Card (For A Credit Card) With A Creditcard (For An Account)
Barclaycard epdq CPI Quick Start Guide This guide is designed to supplement the Payment Gateway Module documentation and provides a guide to installing, setting up and testing the Payment Gateway Module
More informationF-Secure Messaging Security Gateway. Deployment Guide
F-Secure Messaging Security Gateway Deployment Guide TOC F-Secure Messaging Security Gateway Contents Chapter 1: Deploying F-Secure Messaging Security Gateway...3 1.1 The typical product deployment model...4
More informationAppalachian Regional Commission Evaluation Report. Table of Contents. Results of Evaluation... 1. Areas for Improvement... 2
Report No. 13-35 September 27, 2013 Appalachian Regional Commission Table of Contents Results of Evaluation... 1 Areas for Improvement... 2 Area for Improvement 1: The agency should implement ongoing scanning
More informationUNITED STATES OF AMERICA FEDERAL TRADE COMMISSION
UNITED STATES OF AMERICA FEDERAL TRADE COMMISSION 132 3091 COMMISSIONERS: Edith Ramirez, Chairwoman Julie Brill Maureen K. Ohlhausen Joshua D. Wright ) In the Matter of ) DOCKET NO. ) Credit Karma, Inc.,
More informationVIDEO Intypedia013en LESSON 13: DNS SECURITY. AUTHOR: Javier Osuna García-Malo de Molina. GMV Head of Security and Process Consulting Division
VIDEO Intypedia013en LESSON 13: DNS SECURITY AUTHOR: Javier Osuna García-Malo de Molina GMV Head of Security and Process Consulting Division Welcome to Intypedia. In this lesson we will study the DNS domain
More informationNetwork and Host-based Vulnerability Assessment
Network and Host-based Vulnerability Assessment A guide for information systems and network security professionals 6600 Peachtree-Dunwoody Road 300 Embassy Row Atlanta, GA 30348 Tel: 678.443.6000 Toll-free:
More informationSSL Interception Proxies. Jeff Jarmoc Sr. Security Researcher Dell SecureWorks. and Transitive Trust
SSL Interception Proxies Jeff Jarmoc Sr. Security Researcher Dell SecureWorks and Transitive Trust About this talk History & brief overview of SSL/TLS Interception proxies How and Why Risks introduced
More informationPOODLE. Yoshiaki Kasahara Kyushu University kasahara@nc.kyushu-u.ac.jp. 2015/3/3 APAN 39th in Fukuoka 1
POODLE Yoshiaki Kasahara Kyushu University kasahara@nc.kyushu-u.ac.jp 2015/3/3 APAN 39th in Fukuoka 1 Summary POODLE: Padding Oracle On Downgraded Legacy Encryption Discovered in October 2014 by Google
More informationThick Client Application Security
Thick Client Application Security Arindam Mandal (arindam.mandal@paladion.net) (http://www.paladion.net) January 2005 This paper discusses the critical vulnerabilities and corresponding risks in a two
More information2X SecureRemoteDesktop. Version 1.1
2X SecureRemoteDesktop Version 1.1 Website: www.2x.com Email: info@2x.com Information in this document is subject to change without notice. Companies, names, and data used in examples herein are fictitious
More informationSecure Sockets Layer (SSL) / Transport Layer Security (TLS)
Secure Sockets Layer (SSL) / Transport Layer Security (TLS) Brad Karp UCL Computer Science CS GZ03 / M030 19 th November 2014 What Problems Do SSL/TLS Solve? Two parties, client and server, not previously
More informationSSL/TLS and MITM attacks. A case study in Network Security By Lars Nybom & Alexander Wall
SSL/TLS and MITM attacks A case study in Network Security By Lars Nybom & Alexander Wall SSL/TLS Background SSL/TLS Secure Socket Layer/Transport Layer Security (rfc 2246) SSL/TLS Background SSL/TLS Secure
More informationControlling Risk, Conserving Bandwidth, and Monitoring Productivity with Websense Web Security and Websense Content Gateway
Controlling Risk, Conserving Bandwidth, and Monitoring Productivity with Websense Web Security and Websense Content Gateway Websense Support Webinar January 2010 web security data security email security
More informationServer Security. Contents. Is Rumpus Secure? 2. Use Care When Creating User Accounts 2. Managing Passwords 3. Watch Out For Aliases 4
Contents Is Rumpus Secure? 2 Use Care When Creating User Accounts 2 Managing Passwords 3 Watch Out For Aliases 4 Deploy A Firewall 5 Minimize Running Applications And Processes 5 Manage Physical Access
More informationDIGIPASS Authentication for Microsoft ISA 2006 Single Sign-On for Outlook Web Access
DIGIPASS Authentication for Microsoft ISA 2006 Single Sign-On for Outlook Web Access With IDENTIKEY Server / Axsguard IDENTIFIER Integration Guidelines Disclaimer Disclaimer of Warranties and Limitations
More informationHTTPS Inspection with Cisco CWS
White Paper HTTPS Inspection with Cisco CWS What is HTTPS? Hyper Text Transfer Protocol Secure (HTTPS) is a secure version of the Hyper Text Transfer Protocol (HTTP). It is a combination of HTTP and a
More informationUNITED STATES OF AMERICA BEFORE THE FEDERAL TRADE COMMISSION. Julie Brill Maureen K. Ohlhausen Joshua D. Wright Terrell McSweeny
132 3089 UNITED STATES OF AMERICA BEFORE THE FEDERAL TRADE COMMISSION COMMISSIONERS: Edith Ramirez, Chairwoman Julie Brill Maureen K. Ohlhausen Joshua D. Wright Terrell McSweeny In the Matter of DOCKET
More informationWeb Application Guidelines
Web Application Guidelines Web applications have become one of the most important topics in the security field. This is for several reasons: It can be simple for anyone to create working code without security
More informationKaspersky Lab Mobile Device Management Deployment Guide
Kaspersky Lab Mobile Device Management Deployment Guide Introduction With the release of Kaspersky Security Center 10.0 a new functionality has been implemented which allows centralized management of mobile
More informationMobile Device Management Version 8. Last updated: 17-10-14
Mobile Device Management Version 8 Last updated: 17-10-14 Copyright 2013, 2X Ltd. http://www.2x.com E mail: info@2x.com Information in this document is subject to change without notice. Companies names
More informationAn Insight into Cookie Security
An Insight into Cookie Security Today most websites and web based applications use cookies. Cookies are primarily used by the web server to track an authenticated user or other user specific details. This
More information