Posts Tagged ‘denial of service’

E-mail Connection Management Settings

The following settings help prevent spam, viruses, directory harvest attacks, and other threats from entering your network. SurfControl recommends that you enable the following pre-screening options as directed below.

Note: These features act at the SMTP connection stage, so they require that you deploy E-mail Filter upstream from an anti-virus or other receiving mail server. With that deployment in place, the following features are available:

  1. Blacklist: A blacklist is an administrator-defined anti-spam tool that blocks e-mail from specified sources. Use this area to enter or import the domains or e-mail addresses of sources from whom you do not want to receive e-mail. This is an effective way to block unwanted messages as soon as they reach E-mail Filter. You can also define exclusions to your blacklist. For example, if the domain xyz.com is on your blacklist but you still want to receive e-mail from user1@xyz.com, enter user1@xyz.com on the Exclusions list and mail from that user is still accepted.
  2. Reverse DNS Lookup: The Reverse DNS Lookup feature can help detect spoofed e-mail: E-mail Filter looks up the PTR record of the connecting IP address and checks that the host name it returns is consistent with the domain the sender claims. SurfControl recommends that you enable this option and leave the default action of Log Only. This lets you take advantage of the Reverse DNS Lookup feature without denying e-mail from sources that have mis-configured DNS settings or no PTR record at all, which is common among legitimate senders. The Log Only option writes a log entry when the IP address and the domain name do not match but does not reject the e-mail, so you can keep track of e-mail sent from suspect addresses before deciding whether to deny it.
  3. Realtime Blackhole List (RBL): This feature lets E-mail Filter query third-party realtime blackhole lists (RBLs), externally hosted DNS-based lists of IP addresses known to send spam. When RBL lookups are enabled and set to Deny Connection, E-mail Filter checks the sending host’s IP address against the RBL. If the IP address is on the list, E-mail Filter drops the connection; if not, it continues to process the e-mail. If you have enabled this option, you can enter domains, e-mail addresses, or IP addresses in the Exclusions list; these are senders for whom no RBL lookup is performed.
  4. Directory Harvest Detection: This feature protects your network from directory harvest attacks, in which a sender probes large numbers of guessed addresses to learn which ones exist, and from the phishing and spam that follow such harvesting, and it stops a significant amount of e-mail-based threats at the gate. By integrating with your LDAP server, the Directory Harvest Detection feature verifies that incoming e-mail is addressed to users who currently exist in your Active Directory structure and does not let mail for unknown recipients through.
  5. Denial of Service Detection: This feature detects attempts to exhaust your system’s resources with connections that are opened but never completed. SurfControl recommends that you enable this feature and raise the maximum number of incomplete sessions from each IP address per hour from the default of 5 to 50. At the default setting, E-mail Filter declares a denial of service attack as soon as it sees five incomplete sessions from one IP address within an hour, a threshold that ordinary connection failures from a legitimate sender can trip; the higher value leaves room for them. Once E-mail Filter detects a denial of service attack, it blocks all connections from that IP address for the next 24 hours.
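The pre-screening chain described in items 1 through 5 above, as an added example in Python that is not SurfControl’s code: a blacklist with exclusions, the DNSBL query-name construction behind an RBL lookup, a PTR check run in Log Only mode, and the incomplete-session counter with its 24-hour block. The class and function names, the stub PTR and RBL tables and the session log are assumptions made for illustration; nothing here performs a real DNS query.

```python
"""Connection-time pre-screening in the spirit of the five settings above.
Added example; names, stub lookup tables and the session log are constructed."""
import ipaddress
from collections import defaultdict, deque


class Blacklist:
    """Administrator-defined senders (addresses or domains) with exclusions."""

    def __init__(self, entries, exclusions=()):
        self.entries = {e.lower() for e in entries}
        self.exclusions = {e.lower() for e in exclusions}

    def blocks(self, sender):
        sender = sender.lower()
        if sender in self.exclusions:            # user1@xyz.com survives xyz.com
            return False
        domain = sender.rpartition("@")[2]
        return sender in self.entries or domain in self.entries


def rbl_query_name(ip, zone):
    """DNSBL convention: the reversed octets of the IP prepended to the list zone."""
    octets = ipaddress.IPv4Address(ip).exploded.split(".")
    return ".".join(reversed(octets)) + "." + zone


def rbl_listed(ip, zone, resolve, exclusions=()):
    """True when the list answers with an A record; `resolve` is injected (stub here)."""
    if ip in exclusions:
        return False
    return resolve(rbl_query_name(ip, zone)) is not None


def reverse_dns_check(ip, sender_domain, ptr_lookup):
    """Compare the PTR name of the connecting IP with the sender's claimed domain."""
    host = ptr_lookup(ip)
    if host is None:
        return "no-ptr"
    return "match" if host.lower().endswith(sender_domain.lower()) else "mismatch"


class DosDetector:
    """Count incomplete SMTP sessions per IP inside a sliding one-hour window."""

    def __init__(self, max_incomplete=5, window=3600, block_for=86400):
        self.max_incomplete, self.window, self.block_for = max_incomplete, window, block_for
        self.events = defaultdict(deque)
        self.blocked_until = {}

    def is_blocked(self, ip, now):
        return self.blocked_until.get(ip, 0) > now

    def record_incomplete(self, ip, now):
        """Returns True when this event trips the threshold and blocks the IP."""
        q = self.events[ip]
        q.append(now)
        while q and q[0] <= now - self.window:   # drop events older than the window
            q.popleft()
        if len(q) >= self.max_incomplete:
            self.blocked_until[ip] = now + self.block_for
            q.clear()
            return True
        return False


# Constructed stand-ins for DNS answers (192.0.2.0/24 is documentation space).
PTR = {"192.0.2.10": "mail.xyz.com", "192.0.2.20": "dyn-20.isp.example"}
RBL_ZONE = "rbl.example"
RBL_HITS = {"20.2.0.192.rbl.example": "127.0.0.2"}


def screen_connection(ip, sender, now, bl, dos, rbl_action="deny", rdns_action="log"):
    """Order: DoS block -> blacklist -> RBL -> reverse DNS. Returns (decision, notes)."""
    notes = []
    if dos.is_blocked(ip, now):
        return "drop", ["dos-blocked"]
    if bl.blocks(sender):
        return "deny", ["blacklist"]
    if rbl_listed(ip, RBL_ZONE, RBL_HITS.get):
        notes.append("rbl-listed")
        if rbl_action == "deny":
            return "deny", notes
    result = reverse_dns_check(ip, sender.rpartition("@")[2], PTR.get)
    if result != "match":
        notes.append("rdns-" + result)
        if rdns_action == "deny":                # Log Only is the recommended default
            return "deny", notes
    return "accept", notes


def demo(max_incomplete=5):
    bl = Blacklist(["xyz.com"], exclusions=["user1@xyz.com"])
    dos = DosDetector(max_incomplete=max_incomplete)
    out = {
        "excluded": screen_connection("192.0.2.10", "user1@xyz.com", 0, bl, dos),
        "blacklisted": screen_connection("192.0.2.10", "user2@xyz.com", 0, bl, dos),
        "rbl": screen_connection("192.0.2.20", "a@other.example", 0, bl, dos),
        "log-only": screen_connection("192.0.2.20", "a@other.example", 0, bl, dos, rbl_action="log"),
        "no-ptr": screen_connection("192.0.2.30", "a@other.example", 0, bl, dos),
    }
    # Constructed log: six sessions from one host that never reach DATA, ten minutes apart.
    for t in range(0, 3600, 600):
        dos.record_incomplete("192.0.2.40", t)
    out["after-burst"] = screen_connection("192.0.2.40", "a@other.example", 3600, bl, dos)
    out["next-day"] = screen_connection("192.0.2.40", "a@other.example", 3600 + 86400, bl, dos)
    return out


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:12} {result}")
```

Running demo() with the default threshold of 5 and again with 50 shows why the guide recommends raising it: six incomplete sessions spread over an hour trip the default and earn the host a 24-hour block, while the same burst passes at 50 with only a reverse-DNS log note.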


Desirable Quantum Key Distribution Attributes

Broadly stated, QKD (Quantum Key Distribution) offers a technique for two distinct devices to agree upon a shared random sequence of bits, with a very low probability that other devices (eavesdroppers) will be able to make successful inferences as to those bits’ values. In practice, such sequences are then used as secret keys for encoding and decoding messages between the two devices. Viewed in this light, QKD is quite clearly a key distribution technique, and one can rate QKD’s strengths against a number of important goals for key distribution, as summarized in the following paragraphs.

Confidentiality of Keys : Confidentiality is the main reason for interest in QKD. Public key systems rest on the unproven assumption that their underlying mathematical problem is intractable. Thus key agreement primitives widely used in today’s Internet security architecture, e.g., Diffie-Hellman, may perhaps be broken at some point in the future. This would not only hinder the future ability to communicate but could reveal past traffic, since a recorded key exchange could be solved after the fact. Classic secret key systems have suffered from different problems, namely insider threats and the logistical burden of distributing keying material. Assuming that QKD techniques are properly embedded into an overall secure system, they can provide automatic distribution of keys that may offer security superior to that of its competitors.

Authentication : QKD does not in itself provide authentication. Current strategies for authentication in QKD systems include prepositioning secret keys at pairs of devices, to be used in hash-based authentication schemes, or hybrid QKD-public key techniques. Neither approach is entirely appealing. Prepositioned secret keys require some means of distributing these keys before QKD itself begins, e.g., by human courier, which may be costly and logistically challenging. Furthermore, this approach appears open to denial of service attacks in which an adversary forces a QKD system to exhaust its stockpile of key material, at which point it can no longer authenticate and therefore cannot safely continue. On the other hand, hybrid QKD-public key schemes inherit the possible vulnerabilities of public key systems to cracking via quantum computers or unexpected advances in mathematics.

Sufficiently Rapid Key Delivery : Key distribution systems must deliver keys fast enough that encryption devices do not exhaust their supply of key bits. This is a race between the rate at which keying material is put into place and the rate at which it is consumed for encryption or decryption. Today’s QKD systems achieve on the order of 1,000 bits/second throughput for keying material in realistic settings, and often run at much lower rates. This is unacceptably low if the keys are used in certain ways, e.g., as one-time pads for high-speed traffic flows, where key consumption equals the traffic rate. However, it may well be acceptable if the keying material is used as input for less secure (but often secure enough) algorithms such as the Advanced Encryption Standard, which consume only a few hundred key bits per rekeying. Nonetheless, it is both desirable and possible to greatly improve upon the rates provided by today’s QKD technology.

Robustness : This has not traditionally been taken into account by the QKD community. However, since keying material is essential for secure communications, it is extremely important that the flow of keying material not be disrupted, whether by accident or by the deliberate acts of an adversary (i.e., by denial of service). Here QKD has provided a highly fragile service to date, since QKD techniques have implicitly been employed along a single point-to-point link. If that link were disrupted, whether by active eavesdropping or indeed by a fiber cut, all flow of keying material would cease. In our view a meshed QKD network is inherently far more robust than any single point-to-point link, since it offers multiple paths for key distribution.

Distance- and Location-Independence : In the ideal world, any entity can agree upon keying material with any other (authorized) entity in the world. Rather remarkably, the Internet’s security architecture does offer this feature: any computer on the Internet can form a security association with any other, agreeing upon keys through the Internet IPsec protocols (IKE). This feature is notably lacking in QKD, which requires the two entities to have a direct and unencumbered path for photons between them, and which can only operate for a few tens of kilometers through fiber.

Resistance to Traffic Analysis : Adversaries may be able to perform useful traffic analysis on a key distribution system, e.g., a heavy flow of keying material between two points might reveal that a large volume of confidential information flows, or will flow, between them. It may thus be desirable to impede such analysis. Here QKD in general has taken a rather weak approach, since most setups have assumed dedicated, point-to-point QKD links between communicating entities, which clearly lays out the underlying key distribution relationships.


RFID Security and Privacy Risks

RFID tags may pose security and privacy risks to both organizations and individuals. Unprotected tags may be vulnerable to eavesdropping, traffic analysis, spoofing, or denial of service. Unauthorized readers may compromise privacy by accessing tags that lack adequate access control. Even if tag contents are protected, individuals may be tracked through predictable tag responses, essentially a traffic analysis attack violating “location privacy”. Spoofing of tags may aid thieves or spies. Saboteurs could threaten the security of systems dependent on RFID technology through denial of service.

Any party with its own reader may interrogate tags that lack read access control, although only within a relatively short tag read range of a few meters. While anyone could also scan nearby optical barcodes, they cannot do so wirelessly, without line of sight, at a rate of hundreds of reads per second. The very properties making RFID technology attractive in terms of efficiency make it vulnerable to eavesdropping. Aggregate logistics and inventory data hold significant financial value for commercial organizations and their competitors. A store’s inventory labeled with unprotected tags may be monitored by competitors conducting surreptitious scans, and sales data may be gleaned by correlating changes in the scanned inventory over time. Individuals carrying items with unsecured tags are vulnerable to privacy violations. A nearby eavesdropper could scan the contents of your pockets or bag: valuable data to nosy neighbors, market researchers, or thieves in search of ripe victims.

Another important privacy concern is the tracking of individuals by RFID tags. A tag reader at a fixed location could track RFID-labeled clothes or bank notes carried by people passing by. Correlating data from multiple tag reader locations could track movement, social interactions, and financial transactions. Concerns over location privacy were recently raised when a major tire manufacturer began embedding RFID tags into all their products. Even if the tags only contain product codes rather than unique serial numbers, individuals could still be tracked by the “constellation” of products they carry. Someone’s unique taste in brands could betray their identity.
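The “constellation” tracking described in the paragraph above, as an added example that is not part of the original post: a set-similarity (Jaccard) match between what a lobby reader saw in the morning and what a garage reader saw in the evening, using only non-unique product codes. Reader names, product codes and the sightings themselves are constructed for illustration, and the 0.5 linking threshold is an assumption.

```python
"""Re-identifying people from the set of product codes they carry.
Added example; readers, codes and sightings are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Sighting:
    sid: str          # reader-assigned id
    reader: str       # fixed reader location
    t: int            # minutes since midnight
    codes: frozenset  # product codes read in one pass (class codes, no serials)


def jaccard(a, b):
    """Set similarity in [0, 1]; 1.0 means identical constellations."""
    return len(a & b) / len(a | b) if (a or b) else 0.0


def link_constellations(earlier, later, threshold=0.5):
    """Map each later sighting to its most similar earlier sighting, or None.

    One shared code (everyone owns that coat) scores low, so it links nothing;
    three or four shared codes out of a small set re-identify a person even
    though no tag carries a serial number.
    """
    links = {}
    for s in later:
        best, score = None, 0.0
        for e in earlier:
            sc = jaccard(s.codes, e.codes)
            if sc > score:
                best, score = e, sc
        links[s.sid] = (best.sid, round(score, 2)) if best and score >= threshold else None
    return links


# Constructed reads: the lobby reader sees three passers-by in the morning...
LOBBY = [
    Sighting("lobby-1", "lobby", 9 * 60, frozenset({"coat-A12", "shoes-B7", "wallet-W3", "watch-T9"})),
    Sighting("lobby-2", "lobby", 9 * 60 + 4, frozenset({"coat-A12", "shoes-C2", "bag-K1"})),
    Sighting("lobby-3", "lobby", 9 * 60 + 7, frozenset({"shoes-B7", "hat-H5", "wallet-W3", "umbrella-U2"})),
]
# ...and the garage reader sees three in the evening: the lobby-1 person with one
# tag missed, the lobby-3 person with a new item, and a stranger who only happens
# to own the same coat model.
GARAGE = [
    Sighting("garage-1", "garage", 17 * 60 + 45, frozenset({"coat-A12", "wallet-W3", "watch-T9"})),
    Sighting("garage-2", "garage", 17 * 60 + 50, frozenset({"shoes-B7", "hat-H5", "wallet-W3", "umbrella-U2", "bag-K9"})),
    Sighting("garage-3", "garage", 17 * 60 + 52, frozenset({"coat-A12"})),
]


def demo():
    return link_constellations(LOBBY, GARAGE)


if __name__ == "__main__":
    for later, link in demo().items():
        print(later, "->", link)
```

garage-1 links to lobby-1 even though the garage reader missed one of the four tags, and garage-2 links to lobby-3 despite a new item in the bag; garage-3, a stranger who owns only the same coat model, stays unlinked. That is the point of the paragraph: one popular product code identifies nobody, but three or four carried together do, without any tag holding a serial number.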

In addition to threats of passive eavesdropping and tracking, an infrastructure dependent on RFID tags may be susceptible to denial of service attacks or tag spoofing. By spoofing valid tags, a thief could fool automated checkout or security systems into thinking a product was still on a shelf. Alternatively, a thief could rewrite or replace the tags on expensive items with spoofed data from cheaper items. Saboteurs could disrupt supply chains by disabling or corrupting a large batch of tags.
