Debenham Decl Part 1.Pdf

I, Mark Debenham, declare as follows:

1. I am a Senior Manager of Investigations in the Digital Crimes Unit of Plaintiff Microsoft Corp.’s (“Microsoft”) Legal and Corporate Affairs group. I make this declaration in support of Plaintiffs’ Application For An Emergency Temporary Restraining Order, Seizure Order And Order To Show Cause Re Preliminary Injunction. I make this declaration of my own personal knowledge and, if called as a witness, I could and would testify competently to the truth of the matters set forth herein.

2. In my role at Microsoft, I assess technology security threats to Microsoft and the impact of such threats on Microsoft’s business. Prior to my current role, I worked as a security engineer in Microsoft’s Trustworthy Computing group, dealing with the discovery, remediation and mitigation of Internet and software security vulnerabilities. Among my responsibilities were investigating targeted attacks and driving the establishment of Microsoft Security Response Center’s response to online service vulnerabilities. Before joining Microsoft, I worked for Verizon Business as a Senior Network Security Specialist performing security assessments as part of its network security professional services team for clients ranging from healthcare and educational establishments to aerospace companies.

3. I have conducted an investigation of the structure and functions of three interrelated botnet architectures called “Zeus,” “Ice-IX,” and “SpyEye,” as well as the activities carried out through these botnets, and an assessment of the impact on Microsoft’s business and on users of the Internet. For simplicity, throughout this declaration, these interrelated architectures, each of which incorporates the “Zeus” code, are collectively referred to as the “Zeus Botnets.” The Zeus Botnets have caused, and continue to cause, extreme damage to Microsoft and other parties which, if allowed to continue, will be compounded as the case proceeds.

BOTNETS IN GENERAL

4. A botnet is a network made up of end-user computers connected to the Internet that have been infected with a certain type of malicious software (“malware” or a “Trojan”) that places them under the control of the individuals or organizations who utilize the infected end-user computers to conduct illegal activity. A botnet network may be comprised of as few as hundreds or as many as tens of thousands or millions of infected end-user computers. Once a large-scale botnet has been created, its massive infrastructure can be used by the botnet operators to engage in malicious activity—such as stealing financial credentials, stealing personal identification information, stealing confidential data, sending spam email or anonymously carrying out other technical activities or attacks.

THE STRUCTURE OF THE ZEUS BOTNETS

5. The botnets at issue in this case—the “Zeus Botnets”—are credential stealing botnets. The primary aim of these botnets is to infect end-user computers in order to (1) steal credentials for online accounts, such as account login information for Microsoft or other websites, or financial and banking credentials, from the owners or users of those computers, (2) access the victims’ online accounts with the stolen credentials, and (3) transfer information or funds from the victims’ accounts to accounts or computers controlled by the Defendants. Defendants and the Zeus Botnets cause extreme injury to individuals, companies, and governments alike. For example, attached as Exhibit 1 is a true and correct copy of a letter to Microsoft from the Minister for the Cabinet Office and Paymaster General of the government of the United Kingdom, detailing the injury caused by the Zeus Botnets to UK government institutions.

6. I have carried out an examination of the “Zeus,” “Ice-IX,” and “SpyEye” code found on infected end-user computers that are part of these botnets. I have researched the command and control infrastructure of the “Zeus,” “Ice-IX,” and “SpyEye” botnets. I have researched the infrastructure used to propagate the “Zeus,” “Ice-IX” and “SpyEye” botnets. I have also reviewed literature by other Internet security researchers regarding the code, architecture and features of these botnets, including the command and control servers, infected end-user computers that are part of the botnet and infrastructure used to disseminate botnet code. Based on this analysis, I reach the following conclusions regarding the origins of and relationships between the “Zeus,” “Ice-IX,” and “SpyEye” code and the technical architecture of this infrastructure.

A. The Defendants Who Created The Malicious “Zeus,” “Ice-IX” And “SpyEye” Software Have Leveraged Each Other’s Work To Create, Distribute And Operate The Zeus Botnets

7. The Zeus, Ice-IX and SpyEye code is offered by Defendants as “builder kits” that allow other would-be cyber criminals to easily set up, operate, maintain, and propagate botnets to infect end-user computers, carry out theft of online credentials for Microsoft or financial institution websites, engage in financial theft, engage in identity theft, send spam email or engage in other malicious activities. The Defendants offer the kits for sale on “underground” cybercrime forums on the Internet. The simplest versions of the malicious software described below are readily available for purchase in underground forums for $700 or more. Sophisticated versions with more robust features, support and sometimes source code access, are typically offered only to a smaller, trusted group of clients and can cost approximately $15,000 or more. The kits typically contain a builder that can generate a botnet “executable,” configuration files, and web server files (e.g., script files that enable the website to be more interactive with the user, images, or templates to provide data management functionality) for use as the command and control server.

8. As set forth below, the Defendant creators and sellers of the interrelated “Zeus,” “Ice-IX” and “SpyEye” malicious code, which form the basis of the Zeus Botnets, are individuals known on the Internet as “Slavik,” “Monstr,” “Harderman,” “Gribodemon” and “nvidiag.” Over a period, beginning in approximately 2007, from the evidence I have reviewed, I conclude that these individuals have engaged in multiple acts to create, distribute, encourage and operate the Zeus Botnets in a continuous manner, leveraging each other’s work and often cooperating significantly to improve that code in the newer Zeus, Ice-IX and SpyEye software.

9. From the interrelated nature of the code and the operation of the code directed at intruding into computers of Microsoft’s customers, stealing their account credentials for online accounts, such as account login information for Microsoft services or other websites, or financial and banking credentials, and by sending spam email propagating the code both from these victim computers and to users of Microsoft’s email services, I conclude that the purpose of the botnet code, the Zeus Botnets and the Defendants’ operation is to steal account credentials, personal identification information, steal funds and to further propagate the botnet infrastructure to do so. I conclude from these same facts, upon information and belief, that the Defendants must have known and intended that the botnet code, the Zeus Botnets and Defendants’ operation was to defraud end-user and corporate victims of the Zeus Botnets, by means of fraudulent pretenses and representations transmitted over the Internet, as further described below. As further described below, Microsoft has been directly injured in its business and property by these Defendants’ acts and their coordinated pattern of acts.

10. From the pricing of the code sold by these Defendants who have created the Zeus Botnets, and the scale of infected computers in the Zeus Botnets, as further discussed below, I conclude that these Defendant creators of the botnet code have obtained payment in a given year of $1,000 or more for such botnet code.

11. The sale and operation of the botnet code and the Zeus Botnets by these Defendants takes place on the Internet, including acts carried out in interstate and international communications and transmissions on and through the Internet.

Zeus Botnet Code

12. The creator of the “Zeus” botnet code is a currently unidentified individual defendant, John Doe 1, who goes by the online nickname/handles “Slavik” or “Monstr.” John Doe 1 has also gone by the nicknames “IOO” and “Nu11.” Attached as Exhibit 5 is a true and correct copy of a report identifying the individual known as “Slavik” and “Monstr” as the author of the malicious Zeus botnet code. Attached as Exhibit 6 is a true and correct copy of an Internet forum discussing the Zeus botnet code, and identifying individuals known as “Slavik” and “Monstr” as the author. My investigation uncovered evidence that John Doe 1 may be contacted at messaging address [email protected].

13. The “Zeus” botnet code was first identified by security researchers in 2007 when reports surfaced that it was used to steal information from various organizations. From 2009 forward, instances of computers infected by the malicious Zeus software became more widespread.

14. In approximately November 2010, researchers began detecting a new version of Zeus called Zeus Version 2.1. This version of Zeus contained much of the same code as Version 2.0.8.9, but included further features designed to counter attempts to analyze or disable the botnet. For example, Version 2.1 includes a mechanism that verifies the digital signature on all of the botnet files and the data that it downloads, and further stores most of the botnet code’s strings in encoded form. The purpose of these features is likely to prevent competitors or security professionals from introducing configuration files into the botnet infrastructure in order to disable it. By spring 2011, a Zeus version 2.1.0.10 was being detected with more frequency and in June 2011 there was a notable peak in attacks carried out through Zeus 2.1.0.10 computers. While there were a number of variants of Zeus 2.1.0.10, each had an identical list of triggers, indicating a single operations team.
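Paragraph 14 describes the effect of signing the configuration a bot downloads: a third party who cannot produce a valid signature cannot feed the bot a substitute configuration, so the usual "poison the config" takedown is closed off and the operators' own infrastructure has to be seized instead. The Go program below is an added illustration of that mechanism written for this page; it is not Zeus code and does not reproduce the Zeus file format or signature algorithm. The container layout (a 64-byte Ed25519 signature followed by the configuration bytes), the key names and the sample configuration string are all assumptions for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Assumed container layout for this illustration (not the Zeus format):
//   blob = signature (64 bytes) || configuration bytes
// The bot carries only the operator's public key. Anyone without the private
// key can change the configuration bytes but cannot re-sign them.

const sigLen = ed25519.SignatureSize

var ErrBadSignature = errors.New("config signature verification failed")

// NewOperatorKeys creates the operator's signing key pair. Only the public
// half would be embedded in the bot executable by the builder.
func NewOperatorKeys() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// SignConfig is the builder-side step: sign the configuration and prepend
// the signature so the two travel together as one download.
func SignConfig(priv ed25519.PrivateKey, cfg []byte) []byte {
	sig := ed25519.Sign(priv, cfg)
	out := make([]byte, 0, len(sig)+len(cfg))
	out = append(out, sig...)
	return append(out, cfg...)
}

// VerifyConfig is the bot-side step: check the signature before anything in
// the download is parsed or applied. Returns the configuration bytes only
// when the signature verifies under the embedded public key; a short or
// altered blob, or one signed with a different key, is rejected.
func VerifyConfig(pub ed25519.PublicKey, blob []byte) ([]byte, error) {
	if len(blob) < sigLen {
		return nil, ErrBadSignature
	}
	sig, cfg := blob[:sigLen], blob[sigLen:]
	if !ed25519.Verify(pub, cfg, sig) {
		return nil, ErrBadSignature
	}
	return cfg, nil
}

func main() {
	pub, priv, err := NewOperatorKeys()
	if err != nil {
		panic(err)
	}
	// Constructed sample configuration; the keys and values are placeholders.
	cfg := []byte("url_config=https://example.invalid/cfg.bin\ntimer_config=60\n")
	blob := SignConfig(priv, cfg)

	if _, err := VerifyConfig(pub, blob); err == nil {
		fmt.Println("genuine config: accepted")
	}

	// Takeover attempt 1: alter one byte of an intercepted genuine download.
	injected := append([]byte{}, blob...)
	injected[len(injected)-1] ^= 0x01
	if _, err := VerifyConfig(pub, injected); err != nil {
		fmt.Println("tampered config:", err)
	}

	// Takeover attempt 2: supply a config signed with a key the bot does not trust.
	_, otherPriv, _ := NewOperatorKeys()
	if _, err := VerifyConfig(pub, SignConfig(otherPriv, cfg)); err != nil {
		fmt.Println("foreign-signed config:", err)
	}
}
```

The verification step runs before parsing, which is the detail that matters: a bot that parsed first and checked afterwards could still be crashed or redirected by a malformed unsigned file. For a takedown team the consequence is the one the declaration draws, namely that once the operators hold the only signing key, disabling the botnet means removing its command and control infrastructure rather than feeding it a replacement configuration.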