Mohammed Almeshekah

In this work we present a simple, yet effective and practical, scheme to improve the security of stored password hashes rendering their cracking detectable and insuperable at the same time. We utilize a machine-dependent function, such as a physically unclonable function (PUF) or a hardware security module (HSM) at the authentication server. The scheme can be easily integrated with legacy systems without the need of any additional servers, changing the structure of the hashed password file or… عرض المزيد

In this work we present a simple, yet effective and practical, scheme to improve the security of stored password hashes rendering their cracking detectable and insuperable at the same time. We utilize a machine-dependent function, such as a physically unclonable function (PUF) or a hardware security module (HSM) at the authentication server. The scheme can be easily integrated with legacy systems without the need of any additional servers, changing the structure of the hashed password file or any client modifications. When using the scheme the structure of the hashed passwords file, etc/shadow or etc/master.passwd, will appear no different than in the traditional scheme. However, when an attacker exfiltrates the hashed passwords file and tries to crack it, the only passwords he will get are the ersatz passwords — the “fake passwords”. When an attempt to login using these ersatz passwords is detected an alarm will be triggered in the system that someone attempted to crack the password file. Even with an adversary who knows the scheme, cracking cannot be launched without physical access to the authentication server. The scheme also includes a secure backup mechanism in the event of a failure of the hardware dependent function. عرض أقل

As the convergence between our physical and digital worlds continue at a rapid pace, securing our digital information is vital to our prosperity. Most current typical computer systems are unwittingly helpful to attackers through their predictable responses. In everyday security, deception plays a prominent role in our lives and digital security is no different. The use of deception has been a cornerstone technique in many successful computer breaches. Phishing, social engineering, and… عرض المزيد

As the convergence between our physical and digital worlds continue at a rapid pace, securing our digital information is vital to our prosperity. Most current typical computer systems are unwittingly helpful to attackers through their predictable responses. In everyday security, deception plays a prominent role in our lives and digital security is no different. The use of deception has been a cornerstone technique in many successful computer breaches. Phishing, social engineering, and drive-by-downloads are some prime examples.

Deception-based security mechanisms focus on altering adversaries' perception of computer systems in a way that can confuse them and waste their time and resources. These techniques exploit adversaries' biases and present them with a plausible alternative to the truth bringing a number of unique advantages to computer security. In addition, deception has been widely used in many areas of computing for decades and security is no different. However, deception has only been used haphazardly in computer security.

We present a framework where deception can be planned and integrated into computer defenses. We posit how the well-known Kerckhoffs's principle has been misinterpreted to drive the security community away from deception-based mechanisms. We present two schemes that employ deception to protect users' passwords during transmission and at rest when they are stored on a computer server. Moreover, we designed and built a centralized deceptive server that can be hooked to internet-facing servers giving them the ability to return deceptive responses. These three schemes are designed, implemented, and analyzed for their security and performance. عرض أقل

Deceptive techniques played a prominent role in many hu- man conflicts throughout history. Digital conflicts are no different as the use of deception has found its way to computing since at least the 1980s. However, many computer defenses that uses deception were ad-hoc attempts to incorporate deceptive elements in them. In this paper, we present a model that can be used to plan and integrate deception in computer security defenses. We present an overview of why deception fundamentally works… عرض المزيد

Deceptive techniques played a prominent role in many hu- man conflicts throughout history. Digital conflicts are no different as the use of deception has found its way to computing since at least the 1980s. However, many computer defenses that uses deception were ad-hoc attempts to incorporate deceptive elements in them. In this paper, we present a model that can be used to plan and integrate deception in computer security defenses. We present an overview of why deception fundamentally works and what are the essential principles in using such techniques. We investigate the unique advantages deception-based mechanisms bring to traditional computer security defenses. Furthermore, we show how our model can be used to incorporate deception to many part of computer systems and discuss how we can use such techniques effectively. A successful deception should present plausible alternative(s) to the truth and these should be de- signed to exploit specific adversaries’ biases. We investigate these biases and discuss how can they be used by presenting a number of examples. عرض أقل

As the convergence between our physical and digital worlds continues at a rapid pace, much of our information is becoming available online. In this paper we develop a novel taxonomy of methods and techniques that can be used to protect digital information. We discuss how information has been protected and show how we can structure our methods to achieve better results. We explore complex relationships among these protection techniques grouped into four categories; namely denial and… عرض المزيد

As the convergence between our physical and digital worlds continues at a rapid pace, much of our information is becoming available online. In this paper we develop a novel taxonomy of methods and techniques that can be used to protect digital information. We discuss how information has been protected and show how we can structure our methods to achieve better results. We explore complex relationships among these protection techniques grouped into four categories; namely denial and isolation, degradation and obfuscation, negative information and deception and adversary attribution and counter-operations. We present analysis of these relationships and discuss how can they be applied at different scales within organizations. We also identify some of the areas that are worth further investigation. We map these protection techniques against the cyber kill-chain model and discuss some findings.

Moreover, we identify the use of deceit as a useful protection technique that can significantly enhance the security of computer systems. We posit how the well-known Kerckhoffs’s principle has been misinterpreted to drive the security community away from deception-based mechanisms. We examine advantages these techniques can have when protecting our information in addition to traditional methods of denial and hardening. We show that by intelligently introducing deceit in information systems, we not only lead attackers astray, but also give organizations the ability to detect leakage; create doubt and uncertainty in leaked data; add risk at the adversaries’ side to using the leaked information; and significantly enhance our abilities to attribute adversaries. We discuss how to overcome some of the challenges that hinder the adoption of deception-based techniques and present some recent work, our own contribution, and some promising directions for future research. عرض أقل

The ubiquity of identity management systems in people's online activities has lead to a significant growth in the number of identity management solutions. These systems have been designed to help users manage their digital identities and, at the same time, give online service providers the ability to control users' access to their services. Because these systems handle users' personal information, privacy and security issues are of great importance.
However, since service providers usually… عرض المزيد

The ubiquity of identity management systems in people's online activities has lead to a significant growth in the number of identity management solutions. These systems have been designed to help users manage their digital identities and, at the same time, give online service providers the ability to control users' access to their services. Because these systems handle users' personal information, privacy and security issues are of great importance.
However, since service providers usually favour systems that lead to maximize their profits more than systems with advanced security and privacy features, studying the economics of identity managements systems is an important subject. In order to drive service providers to adopt more secure and privacy enhanced identity management systems, these systems should appeal to them, not only for their technological advancements, but more importantly, for their economic value.
In this dissertation, we aim to provide new and profound insights into the economics of identity management systems by applying several well-known economic theories such as network externalities and information asymmetry. In addition, we examine the economics of some widely deployed identity management systems such as OpenID, Microsoft Passport and Microsoft CardSpace. Moreover, we propose a novel scheme for making the current user-centric identity management systems more economically incentivized. We do this by integrating the concept of web metering, which is widely used in the Internet advertisement market, into the user-centric identity management systems. We also provide a proof of concept of this integration within the CardSpace's framework. عرض أقل