presented by Geoff Huston, APNIC Chief Scientist, at the 2017 New Zealand Network Operators Group (NZNOG) meeting held in Tauranga, New Zealand from 26 to 27 January.
Senior Research & Development Scientist George Michaelson explains why the DNSSEC Key Rollover is important and why operators who perform DNSSEC validation must be aware of the rollover.
- An online advertisement included a measurement script that caused browsers to fetch unique URLs and DNS names in order to track user behavior and DNS resolver actions.
- Over 24 million unique DNS queries and URL fetches were generated per day.
- Analysis of the DNS query logs found that a significant percentage (25%) of queries were for URLs/names that had already been queried in the past, indicating "zombie" queries.
- Some DNS resolvers, particularly ones in Guatemala, Jordan, Canada, and the US, were responsible for a majority of zombie queries, with zombie query ratios over 50% of their total queries.
Philippines Cybersecurity Conference 2021: The role of CERTsAPNIC
APNIC Senior Security Specialist Adli Wahid spoke on the importance and role of CERTs in helping prevent cyber attacks at the Philippines Cybersecurity Conference 2021, held online from 13 to 29 October 2021.
This document provides an introduction to Wi-Fi networking concepts including:
- A brief history of internet development leading to Wi-Fi technology.
- Explanations of Wi-Fi spectrum bands and wireless networking standards.
- Security risks associated with open and unencrypted Wi-Fi networks.
- Tools that can be used to analyze wireless network traffic and identify vulnerabilities.
- Best practices for securing wireless networks through encryption, segmentation, and other methods.
Broadband India Forum Session on IPv6: The Post-IPocalypse InternetAPNIC
APNIC Chief Scientist Geoff Huston gave a presentation on the challenges of IPv6 implementation at the Broadband India Forum Session on IPv6, held online on 7 October 2021
HKNOG 1.0 - DDoS attacks in an IPv6 WorldTom Paseka
The document discusses DDoS attacks in an IPv6 world and how CloudFlare provides an automatic IPv6 gateway. It notes that many security tools still lack IPv6 support, which could impede the ability to identify and filter attacks over IPv6. The document outlines some IPv6 attacks CloudFlare has seen, such as DNS cache-busted query attacks, and how botnets can unintentionally send attack traffic over IPv6 if the target has an AAAA record. It emphasizes that security practices need to be equal for both IPv4 and IPv6 to prevent future IPv6-based attacks.
This document summarizes common issues that cause failed eduroam authentications from the perspective of top level RADIUS servers, service providers, and identity providers. Some frequent problems include incorrectly configured user devices, older devices with outdated supplicant implementations, certificate checking issues, frequent password changes breaking configurations, and identity providers providing invalid configuration instructions. Diagnosing failures requires examining logs from each component to determine where communication breaks down. Standardizing configurations and improving device setup could help address many authentication failures.
Senior Research & Development Scientist George Michaelson explains why the DNSSEC Key Rollover is important and why operators who perform DNSSEC validation must be aware of the rollover.
- An online advertisement included a measurement script that caused browsers to fetch unique URLs and DNS names in order to track user behavior and DNS resolver actions.
- Over 24 million unique DNS queries and URL fetches were generated per day.
- Analysis of the DNS query logs found that a significant percentage (25%) of queries were for URLs/names that had already been queried in the past, indicating "zombie" queries.
- Some DNS resolvers, particularly ones in Guatemala, Jordan, Canada, and the US, were responsible for a majority of zombie queries, with zombie query ratios over 50% of their total queries.
Philippines Cybersecurity Conference 2021: The role of CERTsAPNIC
APNIC Senior Security Specialist Adli Wahid spoke on the importance and role of CERTs in helping prevent cyber attacks at the Philippines Cybersecurity Conference 2021, held online from 13 to 29 October 2021.
This document provides an introduction to Wi-Fi networking concepts including:
- A brief history of internet development leading to Wi-Fi technology.
- Explanations of Wi-Fi spectrum bands and wireless networking standards.
- Security risks associated with open and unencrypted Wi-Fi networks.
- Tools that can be used to analyze wireless network traffic and identify vulnerabilities.
- Best practices for securing wireless networks through encryption, segmentation, and other methods.
Broadband India Forum Session on IPv6: The Post-IPocalypse InternetAPNIC
APNIC Chief Scientist Geoff Huston gave a presentation on the challenges of IPv6 implementation at the Broadband India Forum Session on IPv6, held online on 7 October 2021
HKNOG 1.0 - DDoS attacks in an IPv6 WorldTom Paseka
The document discusses DDoS attacks in an IPv6 world and how CloudFlare provides an automatic IPv6 gateway. It notes that many security tools still lack IPv6 support, which could impede the ability to identify and filter attacks over IPv6. The document outlines some IPv6 attacks CloudFlare has seen, such as DNS cache-busted query attacks, and how botnets can unintentionally send attack traffic over IPv6 if the target has an AAAA record. It emphasizes that security practices need to be equal for both IPv4 and IPv6 to prevent future IPv6-based attacks.
This document summarizes common issues that cause failed eduroam authentications from the perspective of top level RADIUS servers, service providers, and identity providers. Some frequent problems include incorrectly configured user devices, older devices with outdated supplicant implementations, certificate checking issues, frequent password changes breaking configurations, and identity providers providing invalid configuration instructions. Diagnosing failures requires examining logs from each component to determine where communication breaks down. Standardizing configurations and improving device setup could help address many authentication failures.
This document discusses open recursive DNS resolvers and the security issues they pose. It notes that while recursive resolvers are meant to cache and deliver DNS queries, many are not properly secured, allowing them to be abused for large reflection attacks. These attacks work by spoofing the source IP address of the victim in queries to open resolvers, which then send much larger responses to the victim, amplifying the attack traffic. The document shows that open resolvers come from networks all over the world and urges securing resolvers by filtering source addresses and disabling insecure recursive features.
This document discusses routing security and the Mutually Agreed Norms for Routing Security (MANRS) initiative. It begins with an overview of routing security issues like route hijacking and leaks that occur due to limitations in the Border Gateway Protocol (BGP). It then describes the four key actions of MANRS - filtering, anti-spoofing, coordination, and global validation - to address these problems. The rest of the document provides examples and explanations of how network operators can implement these MANRS actions to improve routing security.
This document provides an overview of broadband technologies and services. It discusses how broadband is defined as internet connections faster than 256 kbps and how demand for high-bandwidth applications is driving the need for faster connections. It then describes some common broadband technologies like DSL, cable modems, and fiber optics as well as older technologies like ISDN. It also discusses how broadband enables new applications and revenue opportunities for internet service providers.
The Indonesian Community for Hackers and Open Source (ECHO) is a group focused on hacking and open source activities. Founded in 2003, ECHO has 13 staff members and over 11,000 mailing list members. The group publishes newsletters, advisories, and maintains forums to share information about hacking techniques and open source projects.
This document summarizes Jeff Schmidt's presentation on Telstra's deployment of IPv6 for mobiles. Key points include:
1) Telstra implemented IPv6 to future-proof their network and address IPv4 depletion issues, using dual-stack and 464XLAT architectures.
2) Business drivers were addressing the growing traffic demand and enabling new technologies like IoT, while technical drivers addressed IPv4 depletion and inefficiencies.
3) The deployment included addressing and subnetting plans, network security designs, and testing multiple deployment models.
DDOS Mitigation Experience from IP ServerOne by CL LeeMyNOG
IP ServerOne is a Malaysian data center provider that manages over 4500 physical servers across 5 data centers. They experience 2-5 DDoS attacks per day, mostly ranging from 4.5-8.9 Gbps. To detect attacks, they use netflow to monitor traffic patterns and flag abnormal packet rates to single IPs. When an attack is detected, traffic is rerouted to on-premise filtering devices in less than 90 seconds to scrub attacks while allowing legitimate traffic. IP ServerOne advocates a hybrid mitigation approach using their own infrastructure alongside cloud-based protection.
Beyond eduroam: Combining eduroam, (5G) SIM authentication and OpenRoamingKarri Huhtanen
A presentation at FUNET Technical Days 2021 about research projects combining (5G) SIM authentication to eduroam Finland and ongoing work and benefits with OpenRoaming global Wi-Fi roaming in roam.fi or eduroam Finland networks.
A10 Networks provides application delivery and DDoS protection solutions to help service providers and enterprises handle the massive growth in internet subscribers and traffic, as well as large-scale attacks. Their solutions leverage carrier-grade networking and scale to tens of gigabits per second to ensure the reliability of applications and protection from DDoS attacks. A10's solutions also help enable the transition from IPv4 to IPv6 as the number of devices exceeds the available IPv4 address space.
Preventing Traffic with Spoofed Source IP address
Presented by
Md. Abdullah Al Naser
Sr. Systems Specialist
MetroNet Bangladesh Ltd
Founder, Founder, mn -LAB
info@mn-lab.net
Combating DDoS and why peering is important in AsiaMyNOG
The document discusses CloudFlare's services for mitigating DDoS attacks and the importance of peering in Asia. CloudFlare works at the network level by routing traffic through its global network of data centers where it performs functions like DNS management, caching, and security. Peering is important because it improves performance, reduces costs, and helps CloudFlare better control routing and isolate attack traffic. The document demonstrates through tests how peering with different Asian providers results in traffic taking more optimal and local paths. Peering is especially important in Asia due to the region's network architecture and ensures CloudFlare can better ingest and mitigate DDoS attacks from multiple ports and locations.
The document provides an overview of encryption, authentication, and access control topics. It begins with a cryptography primer covering symmetric and asymmetric encryption techniques. It then discusses public key infrastructure concepts like certificates, certificate authorities, and establishing trust chains. It concludes with recommendations around using a private certificate authority versus a public one and considerations for certificate validity and OCSP. The overall goal is to explain how public keys, certificates, and other cryptographic methods can be used together to create secure authentication methods like 802.1X.
This document summarizes a presentation on practical cryptography, certificates, and 802.1X. It begins with an overview of cryptography basics like symmetric and asymmetric encryption. It then covers public key infrastructure concepts such as certificates, certificate authorities, and how they establish trust. The presentation concludes by explaining how certificates and cryptography are used together to enable 802.1X authentication.
Yes, IPv6 is Real! How To Make Your Apps Work (And Be As Fast As Possible) Dan York
A talk I gave at Vermont CodeCamp 11 on September 28, 2019.
---- Abstract ----
How well do your applications or websites work over IPv6? As the world runs out of IPv4 addresses, new mobile networks are being deployed as “IPv6-only” with IPv6-to-IPv4 gateways at the edge of those networks. The result is that apps and sites that work natively over IPv6 will be faster for users than apps and sites stuck on only IPv4. Many leading services have already made this transition, and Apple now requires IPv6 for all apps in their AppStore. In this session, you’ll learn about tips and tools to successfully migrate your applications and sites to work over both IPv4 and IPv6. Bring your questions and concerns - and sharing of success stories would be welcome, too.
The Stakes Have Changed – The Changing Security Landscape by Tony TeoMyNOG
The document discusses the changing security landscape regarding distributed denial of service (DDoS) attacks. Some key points:
- DDoS attacks are increasing greatly in size, with the largest attacks exceeding 1 terabit per second. Many organizations now experience attacks over 100 gigabits per second.
- Botnets of infected internet of things devices have been used in large DDoS attacks in recent years, including attacks over 600 gigabits targeting various websites and infrastructure.
- The availability of inexpensive DDoS tools online has led to a rise in the frequency of attacks, with over half of internet service providers now seeing more than 50 attacks per month.
The document discusses Aruba's eSupport project which includes enhancing the Airheads community experience by integrating the support site, community, and partner center. It also discusses upcoming solutions like the Solutions Exchange for pre-building sample configurations and mentions the release of AOS 6.2.1.2. Various wireless issues and troubleshooting techniques are then covered such as reducing channel busy, fixing low SNR, and new troubleshooting tools in AOS 6.3 like client packet capture. Reminders are provided about resources such as the TAC quick reference guide, validated reference designs, and raising a support ticket.
NetFlow Deep Dive: NetFlow Tips and Tricks to get the Most Out of Your Networ...SolarWinds
In this webcast, we’ll dive deeper into NetFlow and discuss day-to-day networking challenges and highlight common use cases that will help you better leverage the flow technology and its applications to troubleshoot many networking problems.
This webcast covers some key topics including:
• Introduction to NetFlow and other flow technologies
• Configuring your network to collect flow data
• Some everyday use cases for effective network monitoring
-- Troubleshooting network issues
-- Anomaly detection
-- Tracking cloud performance
-- Monitoring the impact of BYOD traffic
-- Monitoring Quality of Service (QoS) and Type of Service (ToS)
-- Capacity Planning
This PDF describe how F5 ASM can detect and mitigate Application DDoS as well as Fine Tuning the DDoS profile thresholds. this file is public.
f5 ddos best practices
f5 ddos protection recommended practices
f5 ddos protection recommended practices
Safety & Security Risks in the Hyper-Connected World - IoT - Tamaghna BasuLounge47
This document summarizes internet security over time. It discusses past vulnerabilities like weak authentication on CCTV systems and clickjacking attacks. It then covers the Heartbleed vulnerability, which allowed memory leaks in TLS implementations. This vulnerability affected OpenSSL versions and allowed stealing of usernames, passwords, private keys and other sensitive data. The document discusses how the vulnerability worked and how it was fixed with a bounds check. It also notes the vulnerability's impact in the real world and references further technical information.
WordCamp Raleigh 2017 - Move from HTTP to HTTPS or become irrelevant - Peter ...Peter LaFond
If you own a website, specifically a WordPress site, it's time to move from HTTP to HTTPS. Google is implementing a Carrot-and-Stick plan to get you there. This WordCamp talk touched on the basics of HTTPS/SSL/TLS and Google's plan to make the web more secure. These slides cite links with supporting information.
This document discusses open recursive DNS resolvers and the security issues they pose. It notes that while recursive resolvers are meant to cache and deliver DNS queries, many are not properly secured, allowing them to be abused for large reflection attacks. These attacks work by spoofing the source IP address of the victim in queries to open resolvers, which then send much larger responses to the victim, amplifying the attack traffic. The document shows that open resolvers come from networks all over the world and urges securing resolvers by filtering source addresses and disabling insecure recursive features.
This document discusses routing security and the Mutually Agreed Norms for Routing Security (MANRS) initiative. It begins with an overview of routing security issues like route hijacking and leaks that occur due to limitations in the Border Gateway Protocol (BGP). It then describes the four key actions of MANRS - filtering, anti-spoofing, coordination, and global validation - to address these problems. The rest of the document provides examples and explanations of how network operators can implement these MANRS actions to improve routing security.
This document provides an overview of broadband technologies and services. It discusses how broadband is defined as internet connections faster than 256 kbps and how demand for high-bandwidth applications is driving the need for faster connections. It then describes some common broadband technologies like DSL, cable modems, and fiber optics as well as older technologies like ISDN. It also discusses how broadband enables new applications and revenue opportunities for internet service providers.
The Indonesian Community for Hackers and Open Source (ECHO) is a group focused on hacking and open source activities. Founded in 2003, ECHO has 13 staff members and over 11,000 mailing list members. The group publishes newsletters, advisories, and maintains forums to share information about hacking techniques and open source projects.
This document summarizes Jeff Schmidt's presentation on Telstra's deployment of IPv6 for mobiles. Key points include:
1) Telstra implemented IPv6 to future-proof their network and address IPv4 depletion issues, using dual-stack and 464XLAT architectures.
2) Business drivers were addressing the growing traffic demand and enabling new technologies like IoT, while technical drivers addressed IPv4 depletion and inefficiencies.
3) The deployment included addressing and subnetting plans, network security designs, and testing multiple deployment models.
DDOS Mitigation Experience from IP ServerOne by CL LeeMyNOG
IP ServerOne is a Malaysian data center provider that manages over 4500 physical servers across 5 data centers. They experience 2-5 DDoS attacks per day, mostly ranging from 4.5-8.9 Gbps. To detect attacks, they use netflow to monitor traffic patterns and flag abnormal packet rates to single IPs. When an attack is detected, traffic is rerouted to on-premise filtering devices in less than 90 seconds to scrub attacks while allowing legitimate traffic. IP ServerOne advocates a hybrid mitigation approach using their own infrastructure alongside cloud-based protection.
Beyond eduroam: Combining eduroam, (5G) SIM authentication and OpenRoamingKarri Huhtanen
A presentation at FUNET Technical Days 2021 about research projects combining (5G) SIM authentication to eduroam Finland and ongoing work and benefits with OpenRoaming global Wi-Fi roaming in roam.fi or eduroam Finland networks.
A10 Networks provides application delivery and DDoS protection solutions to help service providers and enterprises handle the massive growth in internet subscribers and traffic, as well as large-scale attacks. Their solutions leverage carrier-grade networking and scale to tens of gigabits per second to ensure the reliability of applications and protection from DDoS attacks. A10's solutions also help enable the transition from IPv4 to IPv6 as the number of devices exceeds the available IPv4 address space.
Preventing Traffic with Spoofed Source IP address
Presented by
Md. Abdullah Al Naser
Sr. Systems Specialist
MetroNet Bangladesh Ltd
Founder, Founder, mn -LAB
info@mn-lab.net
Combating DDoS and why peering is important in AsiaMyNOG
The document discusses CloudFlare's services for mitigating DDoS attacks and the importance of peering in Asia. CloudFlare works at the network level by routing traffic through its global network of data centers where it performs functions like DNS management, caching, and security. Peering is important because it improves performance, reduces costs, and helps CloudFlare better control routing and isolate attack traffic. The document demonstrates through tests how peering with different Asian providers results in traffic taking more optimal and local paths. Peering is especially important in Asia due to the region's network architecture and ensures CloudFlare can better ingest and mitigate DDoS attacks from multiple ports and locations.
The document provides an overview of encryption, authentication, and access control topics. It begins with a cryptography primer covering symmetric and asymmetric encryption techniques. It then discusses public key infrastructure concepts like certificates, certificate authorities, and establishing trust chains. It concludes with recommendations around using a private certificate authority versus a public one and considerations for certificate validity and OCSP. The overall goal is to explain how public keys, certificates, and other cryptographic methods can be used together to create secure authentication methods like 802.1X.
This document summarizes a presentation on practical cryptography, certificates, and 802.1X. It begins with an overview of cryptography basics like symmetric and asymmetric encryption. It then covers public key infrastructure concepts such as certificates, certificate authorities, and how they establish trust. The presentation concludes by explaining how certificates and cryptography are used together to enable 802.1X authentication.
Yes, IPv6 is Real! How To Make Your Apps Work (And Be As Fast As Possible) Dan York
A talk I gave at Vermont CodeCamp 11 on September 28, 2019.
---- Abstract ----
How well do your applications or websites work over IPv6? As the world runs out of IPv4 addresses, new mobile networks are being deployed as “IPv6-only” with IPv6-to-IPv4 gateways at the edge of those networks. The result is that apps and sites that work natively over IPv6 will be faster for users than apps and sites stuck on only IPv4. Many leading services have already made this transition, and Apple now requires IPv6 for all apps in their AppStore. In this session, you’ll learn about tips and tools to successfully migrate your applications and sites to work over both IPv4 and IPv6. Bring your questions and concerns - and sharing of success stories would be welcome, too.
The Stakes Have Changed – The Changing Security Landscape by Tony TeoMyNOG
The document discusses the changing security landscape regarding distributed denial of service (DDoS) attacks. Some key points:
- DDoS attacks are increasing greatly in size, with the largest attacks exceeding 1 terabit per second. Many organizations now experience attacks over 100 gigabits per second.
- Botnets of infected internet of things devices have been used in large DDoS attacks in recent years, including attacks over 600 gigabits targeting various websites and infrastructure.
- The availability of inexpensive DDoS tools online has led to a rise in the frequency of attacks, with over half of internet service providers now seeing more than 50 attacks per month.
The document discusses Aruba's eSupport project which includes enhancing the Airheads community experience by integrating the support site, community, and partner center. It also discusses upcoming solutions like the Solutions Exchange for pre-building sample configurations and mentions the release of AOS 6.2.1.2. Various wireless issues and troubleshooting techniques are then covered such as reducing channel busy, fixing low SNR, and new troubleshooting tools in AOS 6.3 like client packet capture. Reminders are provided about resources such as the TAC quick reference guide, validated reference designs, and raising a support ticket.
NetFlow Deep Dive: NetFlow Tips and Tricks to get the Most Out of Your Networ...SolarWinds
In this webcast, we’ll dive deeper into NetFlow and discuss day-to-day networking challenges and highlight common use cases that will help you better leverage the flow technology and its applications to troubleshoot many networking problems.
This webcast covers some key topics including:
• Introduction to NetFlow and other flow technologies
• Configuring your network to collect flow data
• Some everyday use cases for effective network monitoring
-- Troubleshooting network issues
-- Anomaly detection
-- Tracking cloud performance
-- Monitoring the impact of BYOD traffic
-- Monitoring Quality of Service (QoS) and Type of Service (ToS)
-- Capacity Planning
This PDF describe how F5 ASM can detect and mitigate Application DDoS as well as Fine Tuning the DDoS profile thresholds. this file is public.
f5 ddos best practices
f5 ddos protection recommended practices
f5 ddos protection recommended practices
Safety & Security Risks in the Hyper-Connected World - IoT - Tamaghna BasuLounge47
This document summarizes internet security over time. It discusses past vulnerabilities like weak authentication on CCTV systems and clickjacking attacks. It then covers the Heartbleed vulnerability, which allowed memory leaks in TLS implementations. This vulnerability affected OpenSSL versions and allowed stealing of usernames, passwords, private keys and other sensitive data. The document discusses how the vulnerability worked and how it was fixed with a bounds check. It also notes the vulnerability's impact in the real world and references further technical information.
WordCamp Raleigh 2017 - Move from HTTP to HTTPS or become irrelevant - Peter ...Peter LaFond
If you own a website, specifically a WordPress site, it's time to move from HTTP to HTTPS. Google is implementing a Carrot-and-Stick plan to get you there. This WordCamp talk touched on the basics of HTTPS/SSL/TLS and Google's plan to make the web more secure. These slides cite links with supporting information.
As presented at ITExpo 2017 and the April Peerlyst Tel-Aviv security Meetup.
Can your company afford to ignore VoIP security? With the number of attacks on your telephone services and mobile devices your chance of being attacked and financial liability is at an all time high. This session offers an introductory primer to securing your VoIP PBX. This talk will include explanations about common attacks, how they can find you, and common techniques you can use to defend your company.
Sec Tor Towards A More Secure Online BankingNick Owen
My presentation on securing online banking at Sector. Covers two-factor authentication for sessions, mutual https authentication: http://www.wikidsystems.com/learn-more/technology/mutual_authentication
and transaction authentication: http://www.wikidsystems.com/learn-more/technology/transaction_authentication
Token Authentication for Java ApplicationsStormpath
Everyone building a web application that supports user login is concerned with security. How do you securely authenticate users and keep their identity secure? With the huge growth in Single Page Applications (SPAs), JavaScript and mobile applications, how do you keep users safe even though these are 'unsafe' client environments?
This presentation will demystify HTTP Authentication and explain how the Next Big Thing - Token Authentication - can be used to secure web applications on the JVM, REST APIs, and 'unsafe' clients while supporting security best practices and even improving your application's performance and scale.
E-commerce is thriving but faces many challenges. Standardization, trust, business-to-business transactions, and intellectual property protection present open research questions. As e-commerce expands to new areas like wireless and agent-based systems, additional challenges arise regarding security, privacy, and establishing trust in new environments and between new parties. Continued research aims to address these challenges and further innovation in electronic commerce.
Presentation on topics beyond the conventional ethical hacking , discusses job factors and scope in the security field :) this was presented in LPU (Lovely Professional University) as a Seminar with attendees over 200. Meet m e at FB if u want it fb/nipun.jaswal
Passwords are often reused and breached, exposing users to risk. While hashing passwords provides some protection, attackers can still crack passwords using GPUs, ASICs, and password lists from previous breaches. Public-key cryptography avoids sending passwords over networks but early approaches were still vulnerable. New password-authenticated key exchange (PAKE) protocols use blinding techniques and oblivious transfers to allow password-derived keys while preventing offline cracking. Implementation requires integration with operating systems and browsers, but proof-of-concepts demonstrate the potential to significantly improve password security.
To protect data integrity and identify the source, HTTPS uses symmetric and asymmetric encryption during exchanges. Certificate Authorities issue trusted certificates, though some have concerns about centralized control. Sysadmins can enable HTTPS on servers through protocols like TLS and cipher suites. Developers ensure mixed content and cookies are properly secured. While some older browsers have compatibility issues, HTTPS is becoming essential for privacy, SEO, and new technologies. OVH helps with free SSL certificates and gateways to simplify HTTPS implementation.
TLS (Transport Layer Security) is the newer version of SSL that enables HTTPS and secure communication over the internet. It protects users' privacy by preventing snooping, tampering, and impersonation of identities. While TLS encryption protects the connection, it does not prevent all vulnerabilities within a web application itself. As TLS and security standards continue to evolve, it will become increasingly important for all websites, regardless of their perceived importance, to implement HTTPS to keep users and data safe online.
The document discusses certification authorities (CAs) and alternatives to the current CA model. It provides background on what a CA is and how the current system works. It then discusses recent security issues with CAs and the responses to those issues. Finally, it explores some potential alternatives and enhancements to CAs, including DANE, Certificate Transparency, CAA, and public key pinning. The presentation aims to provide context around CAs while also outlining new approaches that could further improve security and trust.
Webinar: Goodbye RSA. Hello Modern Authentication.SecureAuth
If you are seeking an alternative to RSA’s rigid workflows, costly maintenance and obstructive user experience, there is a better way. SecureAuth has helped hundreds of RSA customers move to an access control solution that offers more flexibility, visibility and can reduce total cost of ownership by over 50%.
Secure Communication with an Insecure Internet Infrastructurewebhostingguy
The document discusses Perspectives, a system that aims to strengthen SSH-style host authentication by using multiple network notaries to monitor and verify public keys for hosts. It describes how Perspectives works, including how notaries probe hosts to monitor keys over time, how clients query notaries to check key consistency, and how this approach provides improved security compared to traditional PKI or SSH-style authentication alone while retaining simplicity and low cost.
The document provides numerous tips and recommendations for securing a website, including installing antivirus software and updating security patches, using strong passwords, disabling unnecessary access like SSH, and taking regular backups of the site and databases. It also warns about the risks of loading untested scripts, plugins, and code onto a site and cautions about properly sanitizing external data submitted to scripts.
Certificate Pinning in Mobile ApplicationsLuca Bongiorni
The document discusses certificate pinning and provides information on implementing it for Android, iOS, and Windows platforms. It describes certificate pinning as associating a host with an expected certificate or public key to prevent man-in-the-middle attacks. The document outlines pros and cons of certificate pinning, and provides code examples and links to resources for implementing pinning on different mobile platforms.
Mobile devices are becoming the favored location for storing and doing everything we need, anywhere we want. From personal email, to company confidential information, including the social networks, location services and even online banking - we are storing our lives on mobile devices.
Is all of this information secure, or are we now facing some of the same problems we faced before in personal computing ? Have we learned something?
During this talk we discuss the most common problems affecting mobile devices, from Layer 1 to Layer 7. From poor GSM encryption, to poor application development, and everything in between. What are the risks? Are there solutions?
https://codebits.eu/intra/s/session/219
A talk about attacks against SSL that have been uncovered in the last 3-4 years. This talk delves into about what exactly was attacked and how it was attacked and how SSL is still a pretty useful piece of technology.
This was given at null Bangalore April Meeting.
A modern approach to safeguarding your ICS and SCADA systemsAlane Moran
Tempered Networks' presentation at the recent Rockwell Automation Fair 2016 helps viewers understand why it's so challenging and complex to connect and secure industrial IoT and SCADA systems. The future of networking and security must be based on 'host identity' not spoofable IP addresses.
Harvard's network operations center (NOC) is a set of web applications and tools that offer transparency and push "self service" to customers in a secure, verified, and granular way.
Honeypots Unveiled: Proactive Defense Tactics for Cyber Security, Phoenix Sum...APNIC
Adli Wahid, Senior Internet Security Specialist at APNIC, delivered a presentation titled 'Honeypots Unveiled: Proactive Defense Tactics for Cyber Security' at the Phoenix Summit held in Dhaka, Bangladesh from 23 to 24 May 2024.
Securing BGP: Operational Strategies and Best Practices for Network Defenders...APNIC
Md. Zobair Khan,
Network Analyst and Technical Trainer at APNIC, presented 'Securing BGP: Operational Strategies and Best Practices for Network Defenders' at the Phoenix Summit held in Dhaka, Bangladesh from 23 to 24 May 2024.
APNIC Foundation, presented by Ellisha Heppner at the PNG DNS Forum 2024APNIC
Ellisha Heppner, Grant Management Lead, presented an update on APNIC Foundation to the PNG DNS Forum held from 6 to 10 May, 2024 in Port Moresby, Papua New Guinea.
Registry Data Accuracy Improvements, presented by Chimi Dorji at SANOG 41 / I...APNIC
Chimi Dorji, Internet Resource Analyst at APNIC, presented on Registry Data Accuracy Improvements at SANOG 41 jointly held with INNOG 7 in Mumbai, India from 25 to 30 April 2024.
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...APNIC
Sunny Chendi, Senior Advisor, Membership and Policy at APNIC, presents 'APNIC Policy Roundup' at the 5th ICANN APAC-TWNIC Engagement Forum and 41st TWNIC OPM in Taipei, Taiwan from 23 to 24 April.
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024APNIC
Dave Phelan, Senior Network Analyst/Technical Trainer at APNIC, presents 'DDoS In Oceania and the Pacific' at NZNOG 2024 held in Nelson, New Zealand from 8 to 12 April 2024.
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...APNIC
Geoff Huston, Chief Scientist at APNIC deliver keynote presentation on the 'Future Evolution of the Internet' at the Everything Open 2024 conference in Gladstone, Australia from 16 to 18 April 2024.
IP addressing and IPv6, presented by Paul Wilson at IETF 119APNIC
Paul Wilson, Director General of APNIC delivers a presentation on IP addressing and IPv6 to the Policymakers Program during IETF 119 in Brisbane Australia from 16 to 22 March 2024.
draft-harrison-sidrops-manifest-number-01, presented at IETF 119APNIC
Tom Harrison, Product and Delivery Manager at APNIC presents at the Registration Protocols Extensions working group during IETF 119 in Brisbane, Australia from 16-22 March 2024
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...APNIC
Che-Hoo Cheng, Senior Director, Development at APNIC presents on the "Benefits of doing Internet peering and running an Internet Exchange (IX)" at the Communications Regulatory Commission of Mongolia's IPv6, IXP, Datacenter - Policy and Regulation International Trends Forum in Ulaanbaatar, Mongolia on 7 March 2024
APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85APNIC
APNIC Senior Advisor, Membership and Policy, Sunny Chendi presented on APNIC updates and RIR Policies for ccTLDs at APTLD 85 in Goa, India from 19-22 February 2024.
EASY TUTORIAL OF HOW TO USE CiCi AI BY: FEBLESS HERNANE Febless Hernane
Cici AI simplifies tasks like writing and research with its user-friendly platform. Users sign up, input queries, customize responses, and edit content as needed. It offers efficient saving and exporting options, making it ideal for enhancing productivity through AI assistance.
Decentralized Justice in Gaming and EsportsFederico Ast
Discover how Kleros is transforming the landscape of dispute resolution in the gaming and eSports industry through the power of decentralized justice.
This presentation, delivered by Federico Ast, CEO of Kleros, explores the innovative application of blockchain technology, crowdsourcing, and incentivized mechanisms to create fair and efficient arbitration processes.
Key Highlights:
- Introduction to Decentralized Justice: Learn about the foundational principles of Kleros and how it combines blockchain with crowdsourcing to develop a novel justice system.
- Challenges in Traditional Arbitration: Understand the limitations of conventional arbitration methods, such as high costs and long resolution times, particularly for small claims in the gaming sector.
- How Kleros Works: A step-by-step guide on the functioning of Kleros, from the initiation of a smart contract to the final decision by a jury of peers.
- Case Studies in eSports: Explore real-world scenarios where Kleros has been applied to resolve disputes in eSports, including issues like cheating, governance, player behavior, and contractual disagreements.
- Practical Implementation: Detailed walkthroughs of how disputes are handled in eSports tournaments, emphasizing speed, cost-efficiency, and fairness.
- Enhanced Transparency: The role of blockchain in providing an immutable and transparent record of proceedings, ensuring trust in the resolution process.
- Future Prospects: The potential expansion of decentralized justice mechanisms across various sectors within the gaming industry.
For more information, visit kleros.io or follow Federico Ast and Kleros on social media:
• Twitter: @federicoast
• Twitter: @kleros_io
Network Security and Cyber Laws (Complete Notes) for B.Tech/BCA/BSc. ITSarthak Sobti
Network Security and Cyber Laws
Detailed Course Content
Unit 1: Introduction to Network Security
- Introduction to Network Security
- Goals of Network Security
- ISO Security Architecture
- Attacks and Categories of Attacks
- Network Security Services & Mechanisms
- Authentication Applications: Kerberos, X.509 Directory Authentication Service
Unit 2: Application Layer Security
- Security Threats and Countermeasures
- SET Protocol
- Electronic Mail Security
- Pretty Good Privacy (PGP)
- S/MIME
- Transport Layer Security: Secure Socket Layer & Transport Layer Security
- Wireless Transport Layer Security
Unit 3: IP Security and System Security
- Authentication Header
- Encapsulating Security Payloads
- System Security: Intruders, Intrusion Detection System, Viruses
- Firewall Design Principles
- Trusted Systems
- OS Security
- Program Security
Unit 4: Introduction to Cyber Law
- Cyber Crime, Cyber Criminals, Cyber Law
- Object and Scope of the IT Act: Genesis, Object, Scope of the Act
- E-Governance and IT Act 2000
- Legal Recognition of Electronic Records
- Legal Recognition of Digital Signatures
- Use of Electronic Records and Digital Signatures in Government and its Agencies
- IT Act in Detail
- Basics of Network Security: IP Addresses, Port Numbers, and Sockets
- Hiding and Tracing IP Addresses
- Scanning: Traceroute, Ping Sweeping, Port Scanning, ICMP Scanning
- Fingerprinting: Active and Passive Email
Unit 5: Advanced Attacks
- Different Kinds of Buffer Overflow Attacks: Stack Overflows, String Overflows, Heap and Integer Overflows
- Internal Attacks: Emails, Mobile Phones, Instant Messengers, FTP Uploads, Dumpster Diving, Shoulder Surfing
- DOS Attacks: Ping of Death, Teardrop, SYN Flooding, Land Attacks, Smurf Attacks, UDP Flooding
- Hybrid DOS Attacks
- Application-Specific Distributed DOS Attacks
10 Conversion Rate Optimization (CRO) Techniques to Boost Your Website’s Perf...Web Inspire
What is CRO?
Conversion Rate Optimization, or CRO, is the process of enhancing your website to increase the percentage of visitors who take a desired action. This could be anything from purchasing a product to signing up for a newsletter. Essentially, CRO is about making your website more effective in turning visitors into customers.
Why is CRO Important?
CRO is crucial because it directly impacts your bottom line. A higher conversion rate means more customers and revenue without needing to increase your website traffic. Plus, a well-optimized site improves user experience, which can lead to higher customer satisfaction and loyalty.
3. Security on the Internet
How do you know that you are going to where
you thought you were going to?
4. Security on the Internet
How do you know that you are going to where
you thought you were going to?
5. Security on the Internet
Also, how can you keep your session a secret
from wire(less) snoopers?
6. Security on the Internet
Also, how can you keep your session a secret
from wire(less) snoopers?
7. Opening the Connection:
First Steps
Client:
DNS Query:
www.commbank.com.au?
DNS Response:
104.97.235.12
TCP Session:
TCP Connect 104.97.235.12, port 443
8. Hang on…
$ dig -x 104.97.235.12 +short
a104-97-235-12.deploy.static.akamaitechnologies.com.
That’s not an IP addresses that was allocated to the Commonwealth Bank!
The Commonwealth Bank of Australia has 140.168.0.0 - 140.168.255.255
and 203.17.185.0 - 203.17.185.255
So why should my browser trust that 104.97.235.12 is really the “proper” web
site for the Commonwealth Bank of Australia, and not some dastardly evil
scam designed to steal my passwords and my money?
How can my browser tell the difference between an intended truth and a lie?
11. The Power of Primes
(me)d ≡ m (mod n)
As long as d and n are relatively large, and n is
the product of two large prime numbers, then
finding the value of d when you already know
the values of e and n is computationally
expensive
12. Why is this important?
Because much of the
foundation of Internet
Security rests upon this
prime number relationship
19. Domain Name Certification
• The Commonwealth Bank of Australia has generated a key
pair
• And they passed a certificate signing request to a company
called “Symantec”
• Who is willing to vouch (in a certificate) that the entity who
goes by the domain name of www.commbank.com.au also
has a certain public key value
• So if I can associate this public key with a connection then I
have a high degree of confidence that I’ve connected to
www.commbank.com.au, as long as I am prepared to trust
Symantec and the certificates that they issue
20. Domain Name Certification
• The Commonwealth Bank of Australia has generated a key
pair
• And they passed a certificate signing request to a company
called “Symantec”
• Who is willing to vouch (in a certificate) that the entity who
goes by the domain name of www.commbank.com.au also
has a certain public key value
• So if I can associate this public key with a connection then I
have a high degree of confidence that I’ve connected to
www.commbank.com.au, as long as I am prepared to trust
Symantec and the certificates that they issue
21. Local Trust
The cert I’m being
asked to trust was
issued by a certification
authority that my
browser already trusts –
so I trust that cert!
22. Local Trust or Local
Credulity*?
That’s a big list of people to
Trust
Are they all trustable?
*
30. What’s going wrong here?
• The TLS handshake cannot specify WHICH CA
should be used to validate the digital
certificate
• Your browser will allow ANY CA to be used to
validate a certificate
31. What’s going wrong here?
• The TLS handshake cannot specify WHICH CA
should be used to validate the digital
certificate
• Your browser will allow ANY CA to be used to
validate a certificate
32. What’s going wrong here?
• The TLS handshake cannot specify WHICH CA
should be used to validate the digital
certificate
• Your browser will allow ANY CA to be used to
validate a certificate
Here’s a lock – it might be the
lock on your front door for all I
know.
The lock might LOOK secure,
but don’t worry – literally ANY
key can open it!
33. What’s going wrong here?
• There is no incentive for quality in the CA
marketplace
• Why pay more for any certificate when the
entire CA structure is only as strong as the
weakest CA
• And you browser trusts a LOT of CAs!
– About 60 – 100 CA’s
– About 1,500 Subordinate RA’s
– Operated by 650 different organisations
See the EFF SSL observatory
http://www.eff.org/files/DefconSSLiverse.pdf
34. In a commercial environment
Where CA’s compete with each other for market
share
And quality offers no protection
Than what ‘wins’ in the market?
?
35. In a commercial environment
Where CA’s compete with each other for market
share
And quality offers no protection
Than what ‘wins’ in the market?
51. EECert TLSA record generation
; Convert the public key certificate to DER format
; Generate the SHA256 hash
; Add DNS gunk!
$ /usr/bin/openssl x509 -in /usr/local/etc/letsencrypt/live/www.dotnxdomain.net/cert.pem -outform DER |
/usr/bin/openssl sha256 |
cut -d ' ' -f 2 |
awk '{print ”_443._tcp.www.dotnxdomain.net IN TLSA 3 0 1 " $1}'
_443._tcp.www.dotnxdomain.net. 899 IN TLSA 3 0 1 D42101BCCE941D22E8E467C5D75E77EC4A7B8B7C9366C6A878CB4E15 7E602F17
$ dig +dnssec TLSA _443._tcp.www.dotnxdomain.net.
_443._tcp.www.dotnxdomain.net. 899 IN TLSA 3 0 1 D42101BCCE941D22E8E467C5D75E77EC4A7B8B7C9366C6A878CB4E15 7E602F17
_443._tcp.www.dotnxdomain.net. 899 IN RRSIG TLSA 13 5 900 20200724235900 20170122043100 56797 www.dotnxdomain.net.
dUYD1sMIpBc6RsUhturFzz5G8qX6oaDGRzaD/q6n+YJi2kqzDfWZls6F 3X1mXdpeQQYz52yOUOcdWvFRO9TQZQ==
52. SPKI TLSA record generation
; Generate the public key
; Convert it to DER format
; Generate the SHA256 hash
; Add DNS gunk!
$ /usr/bin/openssl x509 -in /usr/local/etc/letsencrypt/live/www.dotnxdomain.net/cert.pem -pubkey -noout |
openssl rsa -pubin -outform der |
/usr/bin/openssl sha256 |
cut -d ' ' -f 2 |
awk '{ print "_443._tcp.www.ndotnxdomain.net IN TLSA 3 1 1 " $1}’
_443._tcp.www.ndotnxdomain.net IN TLSA 3 1 1 df3a810d998cfddf8fa935ed33065ee27a67747366e2da40ddefef2b3a2032eb
53. TLS with DANE
• Client receives server cert in Server Hello
– Client lookups the DNS for the TLSA Resource
Record of the domain name
– Client validates the presented certificate against
the TLSA RR
• Client performs Client Key exchange
55. Just one problem…
• The DNS is full of liars and lies!
• And this can compromise the integrity of
public key information embedded in the DNS
• Unless we fix the DNS we are no better off
than before with these TLSA records!
56. Just one response…
• We need to allow users to validate DNS
responses for themselves
• And for this we need a Secure DNS framework
• Which we have – and its called DNSSEC!
57. DNSSEC Interlocking Signatures
. (root)
.com
.example.com
www.example.com
. Key-Signing Key – signs over
. Zone-Signing Key – signs over
DS for .com (Key-Signing Key)
.com Key-Signing Key – signs over
.com Zone-Signing Key – signs over
DS for example .com (Key-Signing Key)
example.com Key-Signing Key – signs over
example.com Zone-Signing Key – signs over
www.example.com
58. DNSSEC Interlocking Signatures
. (root)
.com
.example.com
www.example.com IN A 192.0.1
. Key-Signing Key – signs over
. Zone-Signing Key – signs over
DS for .com (Key-Signing Key)
.com Key-Signing Key – signs over
.com Zone-Signing Key – signs over
DS for example .com (Key-Signing Key)
example.com Key-Signing Key – signs over
example.com Zone-Signing Key – signs over
www.example.com
59. DNSSEC Interlocking Signatures
. (root)
.com
.example.com
www.example.com IN A 192.0.1
. Key-Signing Key – signs over
. Zone-Signing Key – signs over
DS for .com (Key-Signing Key)
.com Key-Signing Key – signs over
.com Zone-Signing Key – signs over
DS for example .com (Key-Signing Key)
example.com Key-Signing Key – signs over
example.com Zone-Signing Key – signs over
www.example.com
Is the signature for this record valid?
Is the ZSK for example.com valid?
Is the KSK for example.com valid?
Is this DS equal to the hash of the KSK?
Is the signature for this record valid?
Is the ZSK for .com valid?
Is the KSK for .com valid?
Is this DS equal to the hash of the KSK?
Is the signature for this record valid?
Is the ZSK for . valid?
Is the KSK for . valid?
60. DNSSEC Interlocking Signatures
. (root)
.com
.example.com
www.example.com IN A 192.0.1
. Key-Signing Key – signs over
. Zone-Signing Key – signs over
DS for .com (Key-Signing Key)
.com Key-Signing Key – signs over
.com Zone-Signing Key – signs over
DS for example .com (Key-Signing Key)
example.com Key-Signing Key – signs over
example.com Zone-Signing Key – signs over
www.example.com
Is the signature for this record valid?
Is the ZSK for example.com valid?
Is the KSK for example.com valid?
Is this DS equal to the hash of the KSK?
Is the signature for this record valid?
Is the ZSK for .com valid?
Is the KSK for .com valid?
Is this DS equal to the hash of the KSK?
Is the signature for this record valid?
Is the ZSK for . valid?
Is the KSK for . valid?
As long as you have a valid
local trust anchor for the
root zone then you can
validate a signed DNS
response by constructing
this backward path to the
local root trust anchor
61. DANE + DNSSEC
• Query the DNS for the TLSA record of the
domain name and ask for the DNSSEC
signature to be included in the response
• Validate the signature to ensure that you have
an unbroken signature chain to the root trust
point
• At this point you can accept the TLSA record
as the authentic record, and set up a TLS
session based on this data
69. Look - No DNS!
• Server packages server cert, TLSA record and
the DNSSEC credential chain in a single bundle
• Client receives bundle in Server Hello
– Client performs validation of TLSA Resource
Record using the supplied DNSEC signatures plus
the local DNS Root Trust Anchor without
performing any DNS queries
– Client validates the presented certificate against
the TLSA RR
• Client performs Client Key exchange