DOCSLIB.ORG

The Broken Shield: Measuring Revocation

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
The Broken Shield: Measuring Revocation The Broken Shield: Measuring Revocation Effectiveness in the Windows Code-Signing PKI Doowon Kim and Bum Jun Kwon, University of Maryland, College Park; Kristián Kozák, Masaryk University, Czech Republic; Christopher Gates, Symantec; Tudor Dumitras, University of Maryland, College Park https://www.usenix.org/conference/usenixsecurity18/presentation/kim This paper is included in the Proceedings of the 27th USENIX Security Symposium. August 15–17, 2018 • Baltimore, MD, USA ISBN 978-1-931971-46-1 Open access to the Proceedings of the 27th USENIX Security Symposium is sponsored by USENIX. The Broken Shield: Measuring Revocation Effectiveness in the Windows Code-Signing PKI Doowon Kim Bum Jun Kwon Kristian´ Kozak´ University of Maryland University of Maryland Masaryk University Christopher Gates Tudor Dumitras, Symantec Research Labs University of Maryland Abstract code. A common security policy is to trust executables that carry valid signatures from unsuspicious publishers. Recent measurement studies have highlighted security The premise for trusting these executables is that the threats against the code-signing public key infrastructure signing keys are not controlled by malicious actors. (PKI), such as certificates that had been compromised Unfortunately, anecdotal evidence and recent measure- or issued directly to the malware authors. The primary ments of the Windows code-signing ecosystem have doc- mechanism for mitigating these threats is to revoke the umented cases of signed malware [8, 9, 12, 23, 26] and abusive certificates. However, the distributed yet closed potentially unwanted programs (PUPs) [1, 13, 17, 28], nature of the code signing PKI makes it difficult to evalu- where the trusted certificates were either compromised ate the effectiveness of revocations in this ecosystem. In or issued directly to the malware authors. The pri- consequence, the magnitude of signed malware threat is mary defense against these threats is to revoke the cer- not fully understood. tificates involved in the abuse. For the better studied In this paper, we collect seven datasets, including the Web’s PKI, prior measurements have uncovered impor- largest corpus of code-signing certificates, and we com- tant problems with this approach, including long revo- bine them to analyze the revocation process from end to cation delays [6, 29, 30], large bandwidth costs for dis- end. Effective revocations rely on three roles: (1) discov- seminating the revocation information [19], and clients ering the abusive certificates, (2) revoking the certificates that do not check whether certificates are revoked [19]. effectively, and (3) disseminating the revocation infor- In contrast, little is currently known about the effec- mation for clients. We assess the challenge for discover- tiveness of revocations in the code signing PKI. With- ing compromised certificates and the subsequent revoca- out this understanding, platform security protections risk tion delays. We show that erroneously setting revocation making incorrect assumptions about how critical revo- dates causes signed malware to remain valid even after cations are for end-host security and about the practical the certificate has been revoked. We also report failures challenges for implementing effective revocations in the in disseminating the revocations, leading clients to con- code-signing ecosystem. tinue trusting the revoked certificates. Code signing uses a default-valid trust model, where certificate chains remain trusted until proven compro- 1 Introduction mised. Due to this fact, missing or delayed revocations for a certificate involved in abuse allow bad actors to gen- The code-signing Public Key Infrastructure (PKI) is a erate trusted executables until the certificate expires or is fundamental building block for establishing trust in com- successfully added to a revocation list. puter software [22]. This PKI allows software publish- Abusive code-signing certificates may also present a ers to sign their executables and to embed certificates security threat beyond their expiration dates, which is an that bind the signing keys to the publishers’ real-world important distinction from the Web’s PKI where the ex- identities. In turn, client platforms can verify the signa- piration date limits the use of a compromised certificate tures and check the publishers, to confirm the integrity and also puts a limit on how long a revocation for that of third-party programs and to avoid executing malicious certificate must be maintained. To avoid re-signing and USENIX Association 27th USENIX Security Symposium 851 Role Finding Implication The mark-recapture estimation for the number of compro- Discovery There might be malware with compromised certificates that mised certificates suggests that even a large AV vendor can of remain a threat for a long time without being detected. Potentially only see about 36.5% of the population. CAs took on average 171.4 days to revoke the compro- Compromised Compromised certificates are not discovered and revoked mised certificates after the malware signed with the cer- Certificates for a long time. tificates appeared in the wild. Setting CAs erroneously set effective revocation dates for 62 cer- Wrong effective revocation date setting results in the sur- Revocation Date tificates, causing 402 signed malware to remain valid. vival of signed malware although its certificates is revoked. Clients have no way to check the revocation status of the 788 certificates contain neither CRLs nor OCSP points. certificates. 13 CRLs and 15 OCSP servers had reachability issues. Dissemination OCSP servers responded with unknown or unauthorized of messages. CAs improperly maintain their CRLs and OCSP servers. Revocation 19 certificates have inconsistent responses from CRLs and Information OCSP; they are valid from OCSP but are revoked in CRLs. Errors in the revocation process are made, and later re- 278 revoked certificates were added and then later removed tracted. CAs misunderstood the code signing PKI and re- from 18 CRLs. moved expired certificates from CRLs. Table 1: Summary of findings. distributing binaries when a signing certificate expires, files, while soft revocations that set a revocation date af- Windows developers may extend the validity of binaries ter the issuance date may not cover undiscovered signed they release by including a trusted timestamp, provided malware. Moreover, the CAs also must properly main- by a Time-Stamping Authority (TSA), that certifies the tain their revocation infrastructure so that the informa- signing time of a binary. If a malicious binary is cor- tion of compromise can be disseminated to the clients. If rectly signed and timestamped before the expiration date the dissemination is not handled as it should be, it may of the certificate, it will remain trusted even after its cer- reduce the incentives for revoking code signing certifi- tificate expires—unless the certificate is revoked. This cates. These challenges render the code signing ecosys- means that prompt and effective revocations, even of ex- tem opaque and difficult to audit, which contributes to an pired certificates, are critical in the code signing PKI. under-appreciation of the security threats that result from An effective revocation process faces additional chal- ineffective revocations. lenges in the code signing ecosystem. This process in- In this paper, we present an end-to-end measurement volves three roles: (1) discovering certificates that are of certificate revocations in the code signing PKI; in compromised or controlled by malicious actors; (2) re- particular, how effective is the current revocation pro- voking these certificates effectively; and (3) disseminat- cess from discovery to dissemination, and what threats ing the revocation information so that it is broadly avail- are introduced if the process is not properly done. Our able. work extends prior works in the code signing PKI; previ- Unlike in the Web’s PKI, where potentially com- ous studies have focused on signed PUPs [1, 13, 28] and promised certificates can be discovered systematically signed malware [12], but there is no study of code sign- through network scanning [6, 29, 30], in the code sign- ing certificate revocation process yet. Unlike the prior ing PKI this requires discovering signed malware or PUP studies in the Web’s PKI [2, 6, 7, 10, 19] where TLS cer- samples on end-hosts around the world. Security compa- tificate can be collected by scanning the Internet, we are nies involved in this discovery process cannot observe all unable to utilize a comprehensive corpus of code sign- the hosts where a maliciously signed binary may appear. ing certificates since there is no official repository for This also makes it a challenge to detect the total number code signing certificates. To overcome the challenge, of certificates that are actively being used to sign mal- we utilize data sets that are publicly released from prior ware, which leads to an incorrect perception about the research [1, 13] and increase our coverage with Syman- need and urgency of revocations. Even though a signed tec’s internal repository of binary samples. We extract malicious binary is discovered, it is difficult to determine 145,582 unique leaf code signing certificates from the the date when a certificate revocation should become ef- data sets. From the code signing certificates, we also ex- fective. Hard revocations that invalidate the entire life tract 215 Certificate Revocation Lists (CRLs) used only of the certificate may invalidate too many benign signed for code signing certificates,
Load more

Recommended publications
  • Mind Your Own Business: a Longitudinal Study of Threats and Vulnerabilities in Enterprises
    Mind your Own Business: A Longitudinal Study of Threats and Vulnerabilities in Enterprises Abstract—Enterprises own a significant fraction of the hosts to, financial assets, and security investment. Thus, it is very connected to the Internet and possess valuable assets, such as likely that the best practices mentioned above do not equally financial data and intellectual property, which may be targeted apply to all of them. by attackers. They suffer attacks that exploit unpatched hosts and install malware, resulting in breaches that may cost millions Currently, it is not clear how the security posture of in damages. Despite the scale of this phenomenon, the threat and enterprises differ according to different factors and whether vulnerability landscape of enterprises remains under-studied. The enterprises are indeed more secure than consumer hosts, i.e., security posture of enterprises remains unclear, and it’s unknown if their security investment is paying off. In this paper, we aim whether enterprises are indeed more secure than consumer hosts. to throw light into these questions by conducting a large-scale To address these questions, we perform the largest and longest longitudinal measurement study of enterprise security. We an- enterprise security study up to date. Our data covers nearly alyze the enterprise threat landscape including the prevalence 3 years and is collected from 28K enterprises, belonging to 67 industries, which own 82M hosts and 73M public-facing servers. of malware and PUP in enterprise hosts and how common security practices, such as vulnerability patching and operating Our measurements comprise of two parts: an analysis of system updates are handled.
    [Show full text]
  • Forescout Counteract® Endpoint Support Compatibility Matrix Updated: October 2018
    ForeScout CounterACT® Endpoint Support Compatibility Matrix Updated: October 2018 ForeScout CounterACT Endpoint Support Compatibility Matrix 2 Table of Contents About Endpoint Support Compatibility ......................................................... 3 Operating Systems ....................................................................................... 3 Microsoft Windows (32 & 64 BIT Versions) ...................................................... 3 MAC OS X / MACOS ...................................................................................... 5 Linux .......................................................................................................... 6 Web Browsers .............................................................................................. 8 Microsoft Windows Applications ...................................................................... 9 Antivirus ................................................................................................. 9 Peer-to-Peer .......................................................................................... 25 Instant Messaging .................................................................................. 31 Anti-Spyware ......................................................................................... 34 Personal Firewall .................................................................................... 36 Hard Drive Encryption ............................................................................. 38 Cloud Sync ...........................................................................................
    [Show full text]
  • Hostscan 4.8.01064 Antimalware and Firewall Support Charts
    HostScan 4.8.01064 Antimalware and Firewall Support Charts 10/1/19 © 2019 Cisco and/or its affiliates. All rights reserved. This document is Cisco public. Page 1 of 76 Contents HostScan Version 4.8.01064 Antimalware and Firewall Support Charts ............................................................................... 3 Antimalware and Firewall Attributes Supported by HostScan .................................................................................................. 3 OPSWAT Version Information ................................................................................................................................................. 5 Cisco AnyConnect HostScan Antimalware Compliance Module v4.3.890.0 for Windows .................................................. 5 Cisco AnyConnect HostScan Firewall Compliance Module v4.3.890.0 for Windows ........................................................ 44 Cisco AnyConnect HostScan Antimalware Compliance Module v4.3.824.0 for macos .................................................... 65 Cisco AnyConnect HostScan Firewall Compliance Module v4.3.824.0 for macOS ........................................................... 71 Cisco AnyConnect HostScan Antimalware Compliance Module v4.3.730.0 for Linux ...................................................... 73 Cisco AnyConnect HostScan Firewall Compliance Module v4.3.730.0 for Linux .............................................................. 76 ©201 9 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public.
    [Show full text]
  • Printmgr File
    ˆ200F$l2ZLVgqon1gÈŠ 200F$l2ZLVgqon1g¨ VDI-W7-PR3-1248 SYMANTEC CORPORATION Donnelley Financial12.6.30 EGV yanns0ap24-May-2018 22:26 EST 594139 TX 1 2* SYMANTEC CORP PAL HTM ESS 0C Page 1 of 1 UNITED STATES SECURITIES AND EXCHANGE COMMISSION Washington, D.C. 20549 FORM SD SPECIALIZED DISCLOSURE REPORT Symantec Corporation (Exact Name of Registrant as Specified in its Charter) Delaware 000-17781 77-0181864 (State or other jurisdiction of (Commission (IRS Employer incorporation or organization ) File Number) Identification No.) 350 Ellis Street, Mountain View, California 94043 (Address of Principal Executive Offices) (Zip Code) Nicholas R. Noviello, Executive Vice President and Chief Financial Officer (650) 527-8000 (Name and telephone number, including area code, of the person to contact in connection with this report.) Not Applicable (Former Name or Former Address, if Changed Since Last Report) Check the appropriate box below to indicate the rule pursuant to which this form is being filed, and provide the period to which the information in this form applies: Rule 13p-1 under the Securities Exchange Act (17 CFR 240.13p-1) for the reporting period January 1 to December 31, 2017 ˆ200F$l2ZLVhV$Vk6$Š 200F$l2ZLVhV$Vk6$ VDI-W7-PFL-0639 SYMANTEC CORPORATION Donnelley Financial12.6.29 EGV ahern0ap24-May-2018 23:14 EST 594139 TX 2 3* SYMANTEC CORP PAL HTM ESS 0C Page 1 of 1 Item 1.01. Conflict Minerals Disclosure and Report. Conflict Minerals Disclosure A copy of the Conflict Minerals Report of Symantec Corporation (“Symantec”) for the reporting period January 1 to December 31, 2017 is filed as Exhibit 1.01 to this specialized disclosure report on Form SD and is also available at Symantec’s website at https://www.symantec.com/about/corporate-responsibility/resources/corporate-responsibility-policies .
    [Show full text]
  • Q3 Consumer Endpoint Protection Jul-Sep 2020
    HOME ANTI- MALWARE PROTECTION JUL - SEP 2020 selabs.uk [email protected] @SELabsUK www.facebook.com/selabsuk blog.selabs.uk SE Labs tested a variety of anti-malware (aka ‘anti-virus’; aka ‘endpoint security’) products from a range of well-known vendors in an effort to judge which were the most effective. Each product was exposed to the same threats, which were a mixture of targeted attacks using well-established techniques and public email and web-based threats that were found to be live on the internet at the time of the test. The results indicate how effectively the products were at detecting and/or protecting against those threats in real time. 2 Home Anti-Malware Protection July - September 2020 MANAGEMENT Chief Executive Officer Simon Edwards CONTENTS Chief Operations Officer Marc Briggs Chief Human Resources Officer Magdalena Jurenko Chief Technical Officer Stefan Dumitrascu Introduction 04 TEstING TEAM Executive Summary 05 Nikki Albesa Zaynab Bawa 1. Total Accuracy Ratings 06 Thomas Bean Solandra Brewster Home Anti-Malware Protection Awards 07 Liam Fisher Gia Gorbold Joseph Pike 2. Threat Responses 08 Dave Togneri Jake Warren 3. Protection Ratings 10 Stephen Withey 4. Protection Scores 12 IT SUPPORT Danny King-Smith 5. Protection Details 13 Chris Short 6. Legitimate Software Ratings 14 PUBLICatION Sara Claridge 6.1 Interaction Ratings 15 Colin Mackleworth 6.2 Prevalence Ratings 16 Website selabs.uk Twitter @SELabsUK 6.3 Accuracy Ratings 16 Email [email protected] Facebook www.facebook.com/selabsuk 6.4 Distribution of Impact Categories 17 Blog blog.selabs.uk Phone +44 (0)203 875 5000 7.
    [Show full text]
  • RECOMMENDED MERGER of AVAST PLC with NORTONLIFELOCK INC
    NOT FOR RELEASE, PUBLICATION OR DISTRIBUTION, IN WHOLE OR IN PART, DIRECTLY OR INDIRECTLY, IN, INTO OR FROM ANY JURISDICTION WHERE TO DO SO WOULD CONSTITUTE A VIOLATION OF THE RELEVANT LAWS OR REGULATIONS OF SUCH JURISDICTION FOR IMMEDIATE RELEASE THIS ANNOUNCEMENT CONTAINS INSIDE INFORMATION 10 August 2021 RECOMMENDED MERGER of AVAST PLC with NORTONLIFELOCK INC. to be effected by means of a Scheme of Arrangement under Part 26 of the Companies Act 2006 Summary Further to the announcements made by NortonLifeLock Inc. (“NortonLifeLock”) and Avast plc (“Avast” or the “Company”) on 14 July 2021, the boards of NortonLifeLock and Avast are pleased to announce that they have reached agreement on the terms of a recommended merger of Avast with NortonLifeLock, in the form of a recommended offer by Nitro Bidco Limited (“Bidco”), a wholly- owned subsidiary of NortonLifeLock, for the entire issued and to be issued ordinary share capital of the Company (the “Merger”). It is intended that the Merger will be effected by means of a Court- sanctioned scheme of arrangement under Part 26 of the Companies Act (the “Scheme”). The boards of NortonLifeLock and Avast believe the Merger has compelling strategic logic and represents an attractive opportunity to create a new, industry leading consumer Cyber Safety business, leveraging the established brands, technical expertise and innovation of both groups to deliver substantial benefits to consumers, shareholders and other stakeholders. Under the terms of the Merger, Avast Shareholders will be entitled to receive: for each Avast Share held: USD 7.61 in cash and 0.0302 of a New NortonLifeLock Share in respect of their entire holding of Avast Shares (the “Majority Cash Option”).
    [Show full text]
  • Saint Francis Healthcare Stays Safe from Cyberattacks Secures Thousands of Endpoints Vital to Patient Care
    GravityZone Success Story Saint Francis Healthcare stays safe from cyberattacks Secures thousands of endpoints vital to patient care THE CUSTOMER Saint Francis Healthcare System is a 308-bed facility serving more than 713,000 people Industry throughout Missouri, Illinois, Kentucky, Tennessee and Arkansas. The progressive, innovative Healthcare regional tertiary care referral center has been named one of the top 100 “Best Places to Work in Healthcare” by Modern Healthcare magazine for six consecutive years. Headquarters Cape Girardeau, Missouri, U.S.A Employees THE CHALLENGE 3,000 (IT staff, 24) With patients’ health at stake, physicians need uninterrupted access to vital medical information. Challenges Saint Francis Healthcare System’s previous antivirus software, from Trend Micro, made this Faulty antivirus software more challenging because it erroneously blocked critical applications, requiring doctors to call for blocked physicians’ access to support at all hours. critical applications while scan storms crippled virtual desktop The Trend Micro software also created scan storms, dragging virtual desktop sessions to a crawl. performance. A second security This forced the IT team to remove antivirus programs from the virtual desktop infrastructure, solution created policy conflicts leaving thousands of endpoints unprotected. and an administrative burden. To fill the gap, IT added protection with Malwarebytes. Still, the infamous CryptoLocker Solution ransomware evaded the protective layer, disrupting productivity. Because policies across Trend Bitdefender GravityZone Micro and Malwarebytes often conflicted, engineers couldn’t keep up with the constant fixes, Enterprise Security Suite, which further exposed endpoint protection to risk. deployed on premises to protect physical and virtual desktops, and servers and ensure secure, THE SOLUTION reliable access to vital medical To consolidate and strengthen endpoint protection, Saint Francis Healthcare System evaluated and administrative applications.
    [Show full text]
  • Nortonlifelock to Acquire Avira in $360M Deal
    Source: Research and Markets December 10, 2020 05:58 ET NortonLifeLock to Acquire Avira in $360M Deal Dublin, Dec. 10, 2020 (GLOBE NEWSWIRE) -- ResearchAndMarkets.com published a new article on the IT security industry "NortonLifeLock to Acquire Avira in $360M Deal" NortonLifeLock has announced that it will acquire German IT security firm Avira for around $360 million in an all cash deal from Investcorp Technology Partners. Avira provides customers with a suite of software security solutions, including anti-malware, threat intelligence and IoT solutions to protect users' online identity and private data. The company has built a customer base of millions around its freemium model which allows users to install Avira antivirus software for free but with less functionality than paid versions. Avira has also grown its customer base via white label deals with strategic partners like NTT, Deutsche Telekom and more. By acquiring Avira, NortonLifeLock hopes to expand into the freemium consumer market as well as strong markets in Europe and other emerging regions. Avira chief executive Travis Witteveen and chief technology officer Matthias Ollig will join NortonLifeLock's leadership team after the deal's closing which is expected in the fourth quarter of 2021. To see the full article and a list of related reports on the market, visit"NortonLifeLock to Acquire Avira in $360M Deal" About ResearchAndMarkets.com ResearchAndMarkets.com is the world's leading source for international market research reports and market data. We provide you with the latest data on international and regional markets, key industries, the top companies, new products and the latest trends.
    [Show full text]
  • Summary Report 2020 Awards, Winners, Comments
    Independent Tests of Anti-Virus Software Summary Report 2020 Awards, winners, comments TEST PERIOD : 2020 LANGUAGE : ENGLISH LAST REVISION : 15TH JANUARY 2021 WWW.AV-COMPARATIVES.ORG Summary Report 2020 www.av-comparatives.org Content INTRODUCTION 3 MANAGEMENT SUMMARY 5 ANNUAL AWARDS 9 PRICING 16 USER EXPERIENCE REVIEW 18 AVAST FREE ANTIVIRUS 21 AVG ANTIVIRUS FREE 24 AVIRA ANTIVIRUS PRO 27 BITDEFENDER INTERNET SECURITY 30 ESET INTERNET SECURITY 34 F-SECURE SAFE 38 G DATA INTERNET SECURITY 41 K7 TOTAL SECURITY 45 KASPERSKY INTERNET SECURITY 48 MCAFEE TOTAL PROTECTION 52 MICROSOFT DEFENDER ANTIVIRUS 55 NORTONLIFELOCK NORTON 360 DELUXE 58 PANDA FREE ANTIVIRUS 61 TOTAL AV ANTIVIRUS PRO 64 TOTAL DEFENSE ESSENTIAL ANTI-VIRUS 67 TREND MICRO INTERNET SECURITY 70 VIPRE ADVANCED SECURITY 73 FEATURELIST COMES HERE 76 COPYRIGHT AND DISCLAIMER 77 2 Summary Report 2020 www.av-comparatives.org Introduction About AV-Comparatives We are an independent test lab, providing rigorous testing of security software products. We were founded in 2004 and are based in Innsbruck, Austria. AV-Comparatives is an ISO 9001:2015 certified organisation. We received the TÜV Austria certificate for our management system for the scope: “Independent Tests of Anti-Virus Software”. http://www.av-comparatives.org/iso-certification/ AV-Comparatives is the first certified EICAR Trusted IT-Security Lab http://www.av-comparatives.org/eicar-trusted-lab/ At the end of every year, AV-Comparatives releases a Summary Report to comment on the various consumer anti-virus products tested over the course of the year, and to highlight the high-scoring products of the different tests that took place over the twelve months.
    [Show full text]
  • Endpoint Integrity Check\221\316\211\236\210\352\227\227.Xlsx
    エンドポイントインテグリティチェック - アンチウイルス対応メーカ一覧 360safe.com AEC, spol. s r.o. ALWIL Software AT & T AVG Technologies Agnitum Ltd AhnLab, Inc. Aliant America Online, Inc. Antiy Labs Authentium, Inc. Avanquest Publishing USA, Inc. Avira GmbH Beijing Rising Technology Corp. Ltd. Bell Bell Aliant BellSouth Bitdefender BullGuard Ltd. CJSC Returnil Software CMC Information Security Cat Computer Services Pvt. Ltd. Central Command , Inc. Check Point, Inc Cisco Systems, Inc. ClamAV ClamWin Comodo Group Computer Associates International, Inc Coranti, Inc Crawler LLC Cyber Defender Corp. Defender Pro LLC ESTsoft Corp. EathLink, Inc Emsi Software GmbH Eset Software F-Secure Corp. FairPoint Faronics Corporation Fortinet, Inc Frisk Software International GData Software AG GFI Software Grisoft, Inc. H+BEDV Datentechnik GmbH HAURI, Inc IKARUS Software GmbH Internet Security Systems, Inc. Jiangmin, Inc K7 Computing Pvt. Ltd. kaspersky Labs Kingsoft Corp. LANDesk Software, Ltd. Lavasoft, Inc. Lumension Security McAfee, Inc. MicroWorld Microsoft Corp. N-able Technologies Inc Nano Security New Technology Wave Inc. Norman ASA ONO Omniquad PC Tools Software PCSecurityShield Panda Software Parallels, Inc. Preventon Technologies Ltd. Prevx Ltd. Quick Heal Technologies (P) Ltd. Radialpoint Inc. Rogers SOFTWIN SalD Ltd. Security Coverage Inc. Sereniti, Inc. Shavlik Technologies Sophos, Plc Sunbelt Software Symantec Corp. TELUS Thirtyseven4, LLC. Tobit.Software Trend Micro, Inc. Troppus Software Corporation TrustPort, a.s. VCOM VMware, Inc. Verizon Videotron Virgin Broadband Virgin Media Virus BlokAda Ltd. Virus Buster Ltd. Webroot Software, Inc Yahoo!, Inc Zone Labs LLC e frontier, Inc. eEye Digital Security iolo technologies, LLC.
    [Show full text]
  • Demystifying the IP Blackspace
    Demystifying the IP Blackspace Quentin Jacquemart1 , Pierre-Antoine Vervier2, Guillaume Urvoy-Keller3, and Ernst Biersack4 1 Eurecom, Sophia Antipolis [email protected] 2 Symantec Research Labs, Sophia Antipolis Pierre-Antoine [email protected] 3 Univ. Nice Sophia Antipolis, CNRS, I3S, UMR 7271, 06900 Sophia Antipolis [email protected] 4 [email protected] Abstract. A small part of the IPv4 address space has still not been assigned for use to any organization. However, some of this IP space is announced through BGP, and is, therefore, globally reachable. These prefixes which are a subset of the bogon prefixes, constitute what we call the blackspace. It is generally admitted that the blackspace stands to be abused by anybody who wishes to carry out borderline and/or illegal activities without being traced. The contribution of this paper is twofold. First, we propose a novel methodology to accurately identify the IP blackspace. Based on data collected over a period of seven months, we study the routing-level characteristics of these networks and identify some benign reasons why these networks are announced on the Internet. Second, we focus on the security threat associated with these networks by looking at their application-level footprint. We identify live IP addresses and leverage them to fingerprint services running in these networks. Using this data we uncover a large amount of spam and scam activities. Finally, we present a case study of confirmed fraudulent routing of IP blackspace. 1 Introduction The global BGP (Boder Gateway Protocol) routing table now contains over 600k dis- tinct IPv4 prefixes. A few of these prefixes should not be globally announced (such as the private IP space) and are collectively referred to as bogon prefixes.
    [Show full text]
  • Ensuring Audit Log Accountability Through Hash Based Techniques
    International Journal of Future Computer and Communication, Vol. 1, No. 4, December 2012 Ensuring Audit Log Accountability through Hash Based Techniques Rashmita Jena, M. Aparna, Chinmaya Sahu, Rajeev Ranjan, and Rajesh Atmakuri trying to meet his sales requirements for a fiscal year. He Abstract—Audit logs are now considered good practice and a might attempt to change the transaction dates to make it standard approach for business systems. The integrity of the appear that they had transpired within the previous fiscal year auditing records themselves is critical. By simply storing all the when, in reality, they had not. Consider a school database interactions in a separate audit log does not guarantee the where a student who receives a “F” in one of his subjects, in integrity of the log. Data tampering can be done through unauthorized access and in some cases through authorized users. which he needs at least a “B”, could be highly tempted to try Results of such action can be unpleasant for business and their to dishonestly change his grade to a “B” in the database. This clients. Therefore, a demand for audit log security is needed would be an example of a student who would have to hack more than ever. This paper describes a mechanism based on into the system, unless of course the student somehow had cryptographic hash functions and trusted timestamping that access to the database containing the grade. prevents an outsider or inside intruder from silently corrupting The above discussed examples provide just a few of the the audit log. In addition it is shown that the proposed mechanism can be realized in database systems with little reasons why someone might want to tamper with a database.
    [Show full text]