DOCSLIB.ORG

Investigations Into Decrypting Live Secure Traffic in Virtual Environments

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Investigations Into Decrypting Live Secure Traffic in Virtual Environments Investigations into Decrypting Live Secure Traffic in Virtual Environments Peter William Lindsay McLaren A thesis submitted in partial fulfilment of the requirements of Edinburgh Napier University, for the award of Doctor of Philosophy July, 2019 i COPYRIGHT Copyright in the text of this thesis rests with the Author. Copies (by any process) either in full or of extracts may be made only by instructions given by the Author and lodged in the Edinburgh Napier University Library. Details may be obtained from the Librarian. This page must form part of any such copies made. Further copies (by any process) of copies made by such instruc- tions may not be made without the permission (in writing) of the Author. The ownership of any intellectual property rights which may be described in this thesis is vested in the Author, subject to any prior agreement to the contrary, and may not be made available for use by third parties without the written permission of the Author, which will prescribe the terms and conditions of any such agreement. Further information on the conditions under which disclosures and exploitation may take place is available from the Dean of the School of Computing. ii DECLARATION No portion of the work referred to in this thesis has been sub- mitted in support of an application for another degree or qualifi- cation of this or any other university or other institute of learning. iii ACKNOWLDEGMENTS The PhD research has been a thoroughly stimulating experience with many peaks and troughs along the way. I would not have completed the work without support from my family, friends, and my supervisory team at Edinburgh Napier University. I would like to acknowledge my late parents who instilled my strong desire for learning. I am most grateful to my wife, Penny McLaren, for her commitment to my reaching this stage. I would like to acknowledge her encouragement throughout as well as her shouldering significant household activities during this process. Other family members and friends, such as ’Oxford comma Phil’, have also provided encouragement and recommendations when I might otherwise have yielded. I have had the benefit of an extended supervisory team as well as an independent panel chair, Professor Hazel Hall. I would like to thank you all. I appreciate the continued encouragement, sup- port, and reflection over many supervisory sessions from Doctor Gordon Russell, in particular once I returned to Australia. Thanks to Doctor Zhiyuan Tan for seeding the VMI idea, providing Uni- versity of Technology Sydney contacts, and for his interesting, thought-provoking viewpoints. Finally, my profound thanks to Professor William Bill Buchanan OBE for his energy, excitement, and lateral thinking abilities that encouraged me to explore new opportunities. Contents ABSTRACT xiv 1 Introduction 1 1.1 Context . .1 1.2 Significance . .2 1.3 Approach . .5 1.4 Research Questions . .8 1.5 Ethics . .9 1.6 Contributions . 12 1.7 Aims and Objectives . 14 1.8 Organisation of Thesis . 16 1.9 Publications . 18 2 Background and Theory 20 2.1 Introduction . 20 2.2 Cryptography in Digital Networks . 21 2.3 Symmetric Block Algorithms . 22 2.3.1 Modes of Operation . 23 2.3.2 Algorithms . 25 2.3.3 Advanced Encryption Standard . 27 2.4 Symmetric Stream Algorithms . 29 2.4.1 Algorithms . 30 2.4.2 ChaCha20 . 31 2.5 Conclusions . 33 iv CONTENTS v 3 Literature Review 35 3.1 Introduction . 35 3.2 Implementation Attacks . 36 3.2.1 Memory . 38 3.2.2 Virtualised Environments . 41 3.3 Virtual Machine Monitoring . 41 3.3.1 Virtual Machine Introspection . 44 3.3.2 Disk Introspection . 47 3.3.3 Memory Introspection . 48 3.3.4 Network Introspection . 51 3.3.5 Monitor Frequency . 53 3.4 Conclusions . 55 4 MemDecrypt: A Framework for Decrypting Secure Communications 57 4.1 Introduction . 57 4.2 Requirements Definition and Terms . 58 4.3 Design . 61 4.3.1 Description . 61 4.3.2 Data Collection Component . 64 4.3.3 Memory Analysis Component . 66 4.3.4 Decrypt Analysis . 71 4.4 Construction . 72 4.4.1 Hypervisors . 72 4.4.2 Data Collection . 76 4.4.3 Memory Analysis . 80 4.4.4 Decrypt Analysis . 81 4.5 Evaluation . 82 4.5.1 Test Criteria . 83 4.5.2 Test Approach . 84 4.5.3 Test Environment . 86 4.6 Extensibility . 86 4.7 Conclusions . 88 CONTENTS vi 5 Determining Insider Attack Data Exfiltration 90 5.1 Introduction . 90 5.2 SSH Protocol . 91 5.2.1 Set-up Phase . 92 5.2.2 Authentication Phase . 95 5.2.3 Connection Phase . 96 5.2.4 Secure File Transfer . 97 5.3 SSH Extension Design . 100 5.3.1 Data Collection . 101 5.3.2 Memory Analysis . 101 5.3.3 Decrypt Analysis . 103 5.4 SSH Extension Implementation . 104 5.4.1 Data Collection . 104 5.4.2 Memory Analysis . 105 5.4.3 Decrypt Analysis . 107 5.5 Evaluation . 107 5.5.1 Experimental Set-up . 108 5.5.2 Experimental Results . 109 5.5.3 Analysis . 113 5.6 Conclusions . 114 6 Decrypting Web Traffic 117 6.1 Introduction . 117 6.2 Background . 118 6.2.1 Protocol Versions . 118 6.2.2 Handshake, Change Cipher Specification, Ap- plication Data . 120 6.2.3 Record Protocol . 122 6.3 TLS Extension Design . 125 6.3.1 Data Collection . 125 6.3.2 Memory Analysis . 126 6.3.3 Decrypt Analysis . 130 6.4 TLS Extension Implementation . 131 CONTENTS vii 6.4.1 Data Collection . 131 6.4.2 Memory Analysis . 132 6.4.3 Decrypt Analysis . 135 6.5 Evaluation . 135 6.5.1 Experimental Set-up . 136 6.5.2 Experimental Results . 137 6.6 Conclusions . 141 7 Discovering Malware Activity Without Prior Knowl- edge 143 7.1 Introduction . 143 7.2 Sourcing Malware Samples . 145 7.3 OpenSSL Extension Evaluation . 148 7.4 Windows Library Extension Design . 151 7.5 Windows Library Extension Evaluation . 153 7.6 Conclusions . 156 8 Deriving ChaCha20 Key Streams From Targeted Memory Analysis 159 8.1 Introduction . 159 8.2 Background . 160 8.2.1 ChaCh20 Description . 160 8.2.2 ChaCha20 Implementations . 161 8.3 ChaCha20 Extension Design . 162 8.4 ChaCha20 Extension Implementation . 164 8.5 Evaluation . 165 8.5.1 Experimental Set-up . 167 8.5.2 Experimental Results . 168 8.6 Conclusions . 171 9 Conclusions and Future Work 173 9.1 Key Conclusions . 173 9.2 Achievement of Aim and Objectives . 174 CONTENTS viii 9.3 Key Contributions . 176 9.4 Future Work . 177 9.4.1 Investigative Gaps . 177 9.4.2 Potential Research Areas . 178 A Package Dependencies 218 B Hypervisor Research Review 219 C NetScantbl Plugin Output 220 D Malware Client Downloads 221 List of Figures 1-1 Investigative Approach . .8 2-1 CBC Mode Encryption and Decryption Process . 24 2-2 CTR Encryption and Decryption Process . 25 2-3 AES Encryption Process . 29 2-4 ChaCha Encryption Process . 31 3-1 Decryption Approaches . 37 4-1 High-level architecture . 62 4-2 Framework Activity Flow Diagram . 64 4-3 Analysis Framework Component Interaction . 64 4-4 Guessing Entropy . 69 4-5 Shannon Entropy . 69 4-6 Cumulative Entropy Distribution Example . 70 5-1 SSH Handshake . 92 5-2 SSH Client Key Exchange . 94 5-3 SSH Message Flow . 99 5-4 SSH Decrypt Output . 110 5-5 SSH Analysis Durations for Variable Key Lengths . 112 5-6 SSH Analysis Durations for Variable Modes . 112 5-7 SSH Decrypted Session . 116 6-1 TLS AES-GCM Application Data Messages . 124 6-2 TLS AES-CBC Application Data Messages . 125 6-3 TLS Extension AES Data Collection Flow . 126 ix LIST OF FIGURES x 6-4 TLS Extension GCM Memory Analysis Flow . 127 6-5 TLS 1.2 AES-GCM Application Data Message . 132 6-6 TLS 1.2 Implicit AES-GCM IVs . 133 6-7 TLS 1.2 AES-GCM Candidate Key Blocks . 133 6-8 TLS 1.3 AES-GCM IVs . 135 6-9 TLS 1.2 AES-GCM Memory Analysis Log . 139 6-10 TLS 1.2 GCM and CBC Mode Analysis Durations 140 7-1 Zbot Fake . 146 7-2 Gozi Data Theft . 147 7-3 TorrentLocker/Crypt0L0cker Warning . 148 7-4 Zbot Application Data Message . 150 7-5 Windows Explorer High-entropy Regions . 152 7-6 Zbot Decrypt Log . 155 7-7 Zbot Server Log . 156 8-1 ChaCha20 SSH Base Structure in Memory . 169 8-2 ChaCha20 TLS Base structure in Memory . 169 8-3 ChaCha20 SSH Decrypt Output Example . 170 8-4 ChaCha20 TLS Memory & Decrypt Analysis Logs 170 8-5 ChaCha20 SSH Analysis Durations vs File Size . 171 C-1 Netscantbl Output . 220 List of Tables 3-1 VM Introspection Research Summary . 46 4-1 Logical Component Mapping to Requirements . 63 4-2 Hypervisor Comparison . 76 4-3 Entropy Thresholds . 81 4-4 Virtual Machine Configurations . 87 5-1 Applied SSH Algorithm Types . 94 5-2 SFTP Write File Message Types . 100 5-3 SSH Encrypted Payload Format . 103 5-4 Windows 7 vs Windows 10 Durations (secs) . 110 5-5 AES-CTR Upload File Size Analysis Durations (secs)111 5-6 AES-CTR Ubuntu Server Analysis Durations (secs) 113 6-1 TLS Version Usage Statistics . 119 6-2 TLS 1.2 Handshake Phase Messages . 121 6-3 TLS 1.2 GCM Key Block Fields . 123 6-4 AES-GCM Application Data Message Format . 123 6-5 AES-CBC Application Data Message Format . 124 6-6 Key Block Field Example . 134 6-7 TLS Analysis Duration Means - Operating Systems (secs) . 137 6-8 TLS Analysis W10 Duration Means - Other Varia- tions (secs) .
Load more

Recommended publications
  • BALG: Bypassing Application Layer Gateways Using Multi-Staged Encrypted Shellcodes
    Sebastian Roschke, Feng Cheng, Christoph Meinel: "BALG: Bypassing Application Layer Gateways Using Multi-Staged Encrypted Shellcodes" in Proceedings of the 12th IFIP/IEEE International Symposium on Integrated Network Management (IM 2011), IEEE Press, Dublin, Ireland, pp. 399-406, 5, 2011. ISBN: 978-1-4244-9219-0. BALG: Bypassing Application Layer Gateways Using Multi-Staged Encrypted Shellcodes Sebastian Roschke Feng Cheng Christoph Meinel Hasso Plattner Institute (HPI) Hasso Plattner Institute (HPI) Hasso Plattner Institute (HPI) University of Potsdam University of Potsdam University of Potsdam 14482, Potsdam, Germany 14482, Potsdam, Germany 14482, Potsdam, Germany Email: [email protected] Email: [email protected] Email: [email protected] Abstract—Modern attacks are using sophisticated and inno- easily penetrated by simple tunneling. IDS needs to handle vative techniques. The utilization of cryptography, self-modified efficient evasion techniques. ALGs provide more restrictions code, and integrated attack frameworks provide more possibili- for network access by combining filtering on the application ties to circumvent most existing perimeter security approaches, such as firewalls and IDS. Even Application Layer Gateways layer and IDS techniques, such as deep packet inspection. (ALG) which enforce the most restrictive network access can be Most of ALG implementations provide filtering due to ap- exploited by using advanced attack techniques. In this paper, plication layer protocol compliance and even allow to block we propose a new attack for circumventing ALGs. By using certain commands within a specific protocol. Although ALGs polymorphic and encrypted shellcode, multiple shellcode stages, enforce a very restrictive access policy, it is still possible to protocol compliant and encrypted shell tunneling, and reverse channel discovery techniques, we are able to effectively bypass circumvent such devices by using modern attack techniques.
    [Show full text]
  • VPN 3000 Series Concentrator Reference Volume II: Administration and Monitoring Release 3.6 August 2002
    VPN 3000 Series Concentrator Reference Volume II: Administration and Monitoring Release 3.6 August 2002 Corporate Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA http://www.cisco.com Tel: 408 526-4000 800 553-NETS (6387) Fax: 408 526-4100 Customer Order Number: DOC-7814742= Text Part Number: 78-14742-01 THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS. THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY. The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB’s public domain version of the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California. NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED “AS IS” WITH ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE. IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
    [Show full text]
  • Configuring SSH and Telnet
    Configuring SSH and Telnet This chapter describes how to configure Secure Shell Protocol (SSH) and Telnet on Cisco NX-OS devices. This chapter includes the following sections: • About SSH and Telnet, on page 1 • Licensing Requirements for SSH and Telnet, on page 3 • Prerequisites for SSH and Telnet, on page 3 • Guidelines and Limitations for SSH and Telnet, on page 3 • Default Settings for SSH and Telnet, on page 4 • Configuring SSH , on page 4 • Configuring Telnet, on page 15 • Verifying the SSH and Telnet Configuration, on page 17 • Configuration Example for SSH, on page 18 • Configuration Example for SSH Passwordless File Copy, on page 19 • Additional References for SSH and Telnet, on page 21 About SSH and Telnet This section includes information about SSH and Telnet. SSH Server You can use the SSH server to enable an SSH client to make a secure, encrypted connection to a Cisco NX-OS device. SSH uses strong encryption for authentication. The SSH server in the Cisco NX-OS software can interoperate with publicly and commercially available SSH clients. The user authentication mechanisms supported for SSH are RADIUS, TACACS+, LDAP, and the use of locally stored usernames and passwords. SSH Client The SSH client feature is an application that runs over the SSH protocol to provide device authentication and encryption. The SSH client enables a Cisco NX-OS device to make a secure, encrypted connection to another Cisco NX-OS device or to any other device that runs the SSH server. This connection provides an outbound Configuring SSH and Telnet 1 Configuring SSH and Telnet SSH Server Keys connection that is encrypted.
    [Show full text]
  • Secured Connectivity Why It Matters and How to Protect Your Organization
    Secured Connectivity Why it Matters and How to Protect Your Organization While every attempt has been made to ensure the accuracy and completeness of the information in this document, some typographical or technical errors may exist. Hummingbird Connectivity – a division of Open Text cannot accept responsibility for customers’ losses resulting from the use of this document. The information contained in this document is subject to change without notice. This document contains proprietary information that is protected by copyright. This document, in whole or in part, may not be photocopied, reproduced, or translated into another language without prior written consent from Hummingbird Connectivity. This edition published September 2008 www.hummingbird.com 2 Contents The Security Challenge 4 Security in Organizations 5 Driving Security 6 Structural Factors 6 External Factors 6 Connectivity — A Definition 7 Security Risks in a Connectivity World 8 Weak Authentication 8 Easy Protocol Decoding 8 Data Authenticity and Integrity Tampering 8 Solutions for Secured Connectivity 9 SSL 9 Kerberos 10 Secure Shell 11 ® Connectivity SecureTerm 12 ™ Connectivity Secure Shell 14 Connectivity Secure Server 16 Secure Replacement for Telnet and FTP 16 High Performance and Scalability 16 Glossary of Terms 18 www.hummingbird.com 3 The Security Challenge Security is the hot topic today. Although, companies have been slow to recognize the importance of security things have changed during the last decade. Security is a top priority and there are no indications that this will end any time soon. The costs of security (or lack thereof) have now been clearly identified, and the picture does not look very good.
    [Show full text]
  • NBAR2 Standard Protocol Pack 1.0
    NBAR2 Standard Protocol Pack 1.0 Americas Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA http://www.cisco.com Tel: 408 526-4000 800 553-NETS (6387) Fax: 408 527-0883 © 2013 Cisco Systems, Inc. All rights reserved. CONTENTS CHAPTER 1 Release Notes for NBAR2 Standard Protocol Pack 1.0 1 CHAPTER 2 BGP 3 BITTORRENT 6 CITRIX 7 DHCP 8 DIRECTCONNECT 9 DNS 10 EDONKEY 11 EGP 12 EIGRP 13 EXCHANGE 14 FASTTRACK 15 FINGER 16 FTP 17 GNUTELLA 18 GOPHER 19 GRE 20 H323 21 HTTP 22 ICMP 23 IMAP 24 IPINIP 25 IPV6-ICMP 26 IRC 27 KAZAA2 28 KERBEROS 29 L2TP 30 NBAR2 Standard Protocol Pack 1.0 iii Contents LDAP 31 MGCP 32 NETBIOS 33 NETSHOW 34 NFS 35 NNTP 36 NOTES 37 NTP 38 OSPF 39 POP3 40 PPTP 41 PRINTER 42 RIP 43 RTCP 44 RTP 45 RTSP 46 SAP 47 SECURE-FTP 48 SECURE-HTTP 49 SECURE-IMAP 50 SECURE-IRC 51 SECURE-LDAP 52 SECURE-NNTP 53 SECURE-POP3 54 SECURE-TELNET 55 SIP 56 SKINNY 57 SKYPE 58 SMTP 59 SNMP 60 SOCKS 61 SQLNET 62 SQLSERVER 63 SSH 64 STREAMWORK 65 NBAR2 Standard Protocol Pack 1.0 iv Contents SUNRPC 66 SYSLOG 67 TELNET 68 TFTP 69 VDOLIVE 70 WINMX 71 NBAR2 Standard Protocol Pack 1.0 v Contents NBAR2 Standard Protocol Pack 1.0 vi CHAPTER 1 Release Notes for NBAR2 Standard Protocol Pack 1.0 NBAR2 Standard Protocol Pack Overview The Network Based Application Recognition (NBAR2) Standard Protocol Pack 1.0 is provided as the base protocol pack with an unlicensed Cisco image on a device.
    [Show full text]
  • Fdc3302e Frequency Distribution Chassis
    "Smarter Timing Solutions" FDC3302e Frequency Distribution Chassis User Manual USM3302-0800-000 Revision 2 March 2019 FDC3302e Frequency Distribution Chassis User Manual Preface Thank you for purchasing the Frequency Distribution Chassis. Our goal in developing this product is to bring you a distribution chassis that will quickly, easily and reliably meet or exceed your system requirements. Your new FDC3302e is fabricated using the highest quality materials and manufactur- ing processes available today, and will give you years of trouble-free service. About EndRun Technologies EndRun Technologies is dedicated to the development and refinement of the technologies required to fulfill the demanding needs of the time and frequency community. The instruments produced by EndRun Technologies have been selected as the timing reference for a variety of industries and applications - computer networks, satellite earth stations, power utilities, test ranges, broadcast and telecommunications systems and more. EndRun Technologies is committed to fulfilling your precision timing needs by providing the most advanced, reliable and cost-effective time and frequency equipment available in the market today. Trademark Acknowledgements IBM-PC, UNIX, Windows NT are registered trademarks of the respective holders. Part No. USM3302-0800-000 Revision 2 March 2019 Copyright © EndRun Technologies 2007-2019 FDC3302e User Manual About This Manual This manual will guide you through simple installation and set up procedures. Introduction – The Frequency Distribution Chassis, how it works, where to use it, its main features. Basic Installation – How to connect, configure and test your distribution chassis. Console Port – Description of the console commands for use over the serial port or optional network port.
    [Show full text]
  • An Adaptive Multi-Layer Botnet Detection Technique Using Machine Learning Classifiers
    applied sciences Article An Adaptive Multi-Layer Botnet Detection Technique Using Machine Learning Classifiers Riaz Ullah Khan 1,* , Xiaosong Zhang 1, Rajesh Kumar 1 , Abubakar Sharif 1, Noorbakhsh Amiri Golilarz 1 and Mamoun Alazab 2 1 Center of Cyber Security, School of Computer Science & Engineering, University of Electronic Science and Technology of China, Chengdu 611731, China; [email protected] (X.Z.); [email protected] (R.K.); [email protected] (A.S.); [email protected] (N.A.G.) 2 College of Engineering, IT and Environment, Charles Darwin University, Casuarina 0810, Australia; [email protected] * Correspondence: [email protected]; Tel.: +86-155-2076-3595 Received: 19 March 2019; Accepted: 24 April 2019; Published: 11 June 2019 Abstract: In recent years, the botnets have been the most common threats to network security since it exploits multiple malicious codes like a worm, Trojans, Rootkit, etc. The botnets have been used to carry phishing links, to perform attacks and provide malicious services on the internet. It is challenging to identify Peer-to-peer (P2P) botnets as compared to Internet Relay Chat (IRC), Hypertext Transfer Protocol (HTTP) and other types of botnets because P2P traffic has typical features of the centralization and distribution. To resolve the issues of P2P botnet identification, we propose an effective multi-layer traffic classification method by applying machine learning classifiers on features of network traffic. Our work presents a framework based on decision trees which effectively detects P2P botnets. A decision tree algorithm is applied for feature selection to extract the most relevant features and ignore the irrelevant features.
    [Show full text]
  • Getting Started with Your Dedicated Server
    Getting Started Guide Getting Started With Your Dedicated Server Setting up and hosting a domain on your Linux® Dedicated Server using Plesk 8.0®. Getting Started with Your Dedicated Server ‐ Plesk 8.0 Version 1.1 (06.23.08) © Copyright 2008. All rights reserved. Distribution of this work or derivative of this work is prohibited unless prior written permission is obtained from the copyright holder. Trademarks Used in This Book Linux® is a registered trademark of Linus Torvalds. Plesk® is a registered trademark of SW­soft Holdings, LTD. SSH® and Secure Shell® are trademarks of SSH Communications Security, Inc. RedHat® and Fedora® are registered trademarks of Red Hat Software, Inc. Mac® is a registered trademark of Apple Computer, Inc. UNIX® is a registered trademark of The Open Group. Windows XP®, Entourage®, and Outlook® are registered trademarks of Microsoft Corporation in the United States and/or other countries. Thunderbird™ is an unregistered trademark of the Mozilla Foundation. All other trademarks and copyrights are the property of their respective owners. Table of Contents Introduction iv Security Information iv Reprovisioning Your Server vi Getting Help vi Other Resources vii 1 Setting Up Your Dedicated Server 1 Choosing a Host Name, User ID, and Password 1 Choosing a Host Name 1 Choosing a User ID 2 Choosing a Password for Your Server 2 Logging in to Your Manager for the First Time 3 2 Connecting to Your Dedicated Server 5 Connecting to Your Server Using Plesk 5 Connecting to Your Server Using SSH 10 Gaining Root Access on Your
    [Show full text]
  • Remote File Access System for Generic Ericsson Processor Boards
    Remote File Access System for Generic Ericsson Processor Boards DANIEL JESÚS GARCÍA MORAL KTH Information and Communication Technology Degree project in Communication Systems Second level, 30.0 HEC Stockholm, Sweden Remote File Access System for Generic Ericsson Processor Boards File transfer service, Random Access Memory-based file system and secure file transfer solution research DANIEL JESÚS GARCÍA MORAL Master’s Degree Project Supervisor: Lukas Karlsson Examiner: Mark Smith Stockholm, Sweden October 2011 iii Abstract Generic Ericsson Processor boards are general purpose hardware platforms which provide generic processing services. They support the Unified Exten- sible Firmware Interface Specification. They have several network interfaces available and they are connected to Ericsson’s laboratory network. Several servers are also connected to this network. These boards require periodic firmware upgrades. They also require acquiring new firmware components and data files. Currently, an application to download or upload files from and to Ericsson’s laboratory servers when an Operating System has not already been booted does not exist. Therefore, the files have to be transferred to USB drives which are connected later to the boards in order to transfer the files. This is a time consuming operation which decreases Er- icsson’s productivity. In addition, although Generic Ericsson Processor boards have an optional solid-state drive as secondary storage, Ericsson wants to be able to operate without it. This is because this secondary storage is not al- ways available and Ericsson does not want to use it when the Generic Ericsson Processor boards are operating before an Operating System has been loaded. They prefer to use Random Access Memory storage.
    [Show full text]
  • Securing the Border Gateway Protocol by Stephen T
    September 2003 Volume 6, Number 3 A Quarterly Technical Publication for From The Editor Internet and Intranet Professionals In This Issue The task of adding security to Internet protocols and applications is a large and complex one. From a user’s point of view, the security- enhanced version of any given component should behave just like the From the Editor .......................1 old version, just be “better and more secure.” In some cases this is simple. Many of us now use a Secure Shell Protocol (SSH) client in place of Telnet, and shop online using the secure version of HTTP. But Securing BGP: S-BGP...............2 there is still work to be done to ensure that all of our protocols and associated applications provide security. In this issue we will look at Securing BGP: soBGP ............15 routing, specifically the Border Gateway Protocol (BGP) and efforts that are underway to provide security for this critical component of the Internet infrastructure. As is often the case with emerging Internet Virus Trends ..........................23 technologies, there exists more than one proposed solution for securing BGP. Two solutions, S-BGP and soBGP, are described by Steve Kent and Russ White, respectively. IPv6 Behind the Wall .............34 The Internet gets attacked by various forms of viruses and worms with Call for Papers .......................40 some regularity. Some of these attacks have been quite sophisticated and have caused a great deal of nuisance in recent months. The effects following the Sobig.F virus are still very much being felt as I write this. Fragments ..............................41 Tom Chen gives us an overview of the trends surrounding viruses and worms.
    [Show full text]
  • Deriving Chacha20 Key Streams from Targeted Memory Analysis
    Deriving ChaCha20 Key Streams From Targeted Memory Analysis Peter McLaren, William J Buchanan, Gordon Russell, Zhiyuan Tan School of Computing, Edinburgh Napier University, Edinburgh, UK. Abstract—There can be performance and vulnerability con- keys without impacting the target and for target applications cerns with block ciphers, thus stream ciphers can used as an alter- to be unaware of extraction. native. Although many symmetric key stream ciphers are fairly The rest of the paper is structured as follows. Section II resistant to side-channel attacks, cryptographic artefacts may exist in memory. This paper identifies a significant vulnerability discusses related research including side-channel studies and within OpenSSH and OpenSSL and which involves the discovery background on stream ciphers and ChaCha20 cipher imple- of cryptographic artefacts used within the ChaCha20 cipher. This mentations is presented in Section III. Section IV provides can allow for the cracking of tunneled data using a single targeted relevant details of the framework and its implementation is memory extraction. With this, law enforcement agencies and/or given in Section V. The results are presented and discussed in malicious agents could use the vulnerability to take copies of the encryption keys used for each tunnelled connection. The Section VI and conclusions drawn in Section VII. user of a virtual machine would not be alerted to the capturing of the encryption key, as the method runs from an extraction II. RELATED WORK of the running memory. Methods of mitigation include making This paper focuses on the decrypting network traffic en- cryptographic artefacts difficult to discover and limiting memory crypted with ChaCha20-Poly1305 cipher.
    [Show full text]
  • Arxiv:2002.12439V1 [Quant-Ph]
    Quantum Attacks without Superposition Queries: the Offline Simon’s Algorithm Xavier Bonnetain1,3, Akinori Hosoyamada2,4, Mar´ıaNaya-Plasencia1, Yu Sasaki2, and Andr´eSchrottenloher1 1 Inria, France {xavier.bonnetain,maria.naya plasencia,andre.schrottenloher}@inria.fr 2 NTT Secure Platform Laboratories, Tokyo, Japan {hosoyamada.akinori,sasaki.yu}@lab.ntt.co.jp 3 Sorbonne Universit´e, Coll`ege Doctoral, F-75005 Paris, France 4 Nagoya University, Nagoya, Japan Abstract. In symmetric cryptanalysis, the model of superposition queries has led to surprising results, with many constructions being broken in polynomial time thanks to Simon’s period-finding algorithm. But the practical implications of these attacks remain blurry. In contrast, the re- sults obtained so far for a quantum adversary making classical queries only are less impressive. In this paper, we introduce a new quantum algorithm which uses Simon’s subroutines in a novel way. We manage to leverage the algebraic struc- ture of cryptosystems in the context of a quantum attacker limited to classical queries and offline quantum computations. We obtain improved quantum-time/classical-data tradeoffs with respect to the current liter- ature, while using only as much hardware requirements (quantum and classical) as a standard exhaustive search with Grover’s algorithm. In particular, we are able to break the Even-Mansour construction in quan- tum time O˜(2n/3), with O(2n/3) classical queries and O(n2) qubits only. In addition, we improve some previous superposition attacks by reducing the data complexity from exponential to polynomial, with the same time complexity. Our approach can be seen in two complementary ways: reusing superpo- sition queries during the iteration of a search using Grover’s algorithm, or alternatively, removing the memory requirement in some quantum attacks based on a collision search, thanks to their algebraic structure.
    [Show full text]