Thursday, June 30, 2016

DNS Cookies

When we type a URL in the address bar, our computer makes a DNS query to the appropriate DNS servers and gets back the corresponding IP address, which it then uses to reach the target system. Protocols like SSL/TLS and HTTPS can ensure that the communication between the client and the server is encrypted once the server's domain name has been resolved. But what if an attacker tampers with the DNS communication between the client and the DNS server at the time of domain name resolution, in order to redirect the traffic to malicious servers or to mount a DoS attack? DNS Cookies is a security mechanism developed to address that.

DNS Cookies is a lightweight DNS transaction security mechanism that protects DNS servers and DNS clients from a variety of attacks like DoS attacks, DNS Amplification attacks, DNS Cache Poisoning etc. Being lightweight, it can work alongside other existing DNS transaction security mechanisms. It can even work in the presence of NAT and NAT-Protocol Translation (NAT-PT).

Let’s understand what DNS Cookies is actually and how it works.

Security Concerns of DNS

There are a number of security concerns in the existing DNS system. Some of them are mentioned below :

DNS Server Denial of Service Attack 

When a DNS client makes a DNS request to DNS servers, it places a considerable computational burden on the DNS servers. A recursive server may issue one or more requests of its own and process the responses, which takes much computational resource. The situation gets even worse when DNSSEC is used, as DNSSEC performs many cryptographic computations to verify the authenticity of the DNS transaction.

So, if an attacker forges the source IP address and sends many DNS requests to the DNS servers, it is very hard for the servers to identify that the requests are forged. Moreover, it is impractical to maintain a list of IP addresses from which DNS requests should be honored and to discard all others.

As a result, an attacker can take advantage of that and send a large number of DNS requests to the DNS servers, so that the DNS servers get exhausted resulting in a DoS attack.

DNS Cache Poisoning

The first time we type a URL in the address bar, our computer makes a DNS query to the appropriate DNS server and, once it gets a response, stores the IP address in its DNS cache together with an expiry time up to which the entry remains valid.

Within that time, if we type the same URL again, our computer will look up the entry in its DNS cache instead of querying again.

Suppose our computer has made a DNS query and is waiting for a response from the DNS servers. But instead of an authentic response it receives a response containing the IP address of the attacker's website. Its DNS cache is now poisoned, and from then on, whenever the computer tries to resolve the same URL, it will end up at the attacker's website.

In a similar way, the DNS cache of any DNS server may get poisoned, because an ISP's DNS server gets responses from other DNS servers and stores those responses in its cache. If that cache is poisoned, the same poisoned entry will spread to all home routers and from them to all computers behind them.

DNS Amplification Attack

If an attacker sends lots of DNS queries to DNS servers but forges the IP address of a victim machine as the source IP address of all the packets, the servers generate lots of DNS responses and all of them reach the victim machine. Without any additional security mechanism, DNS servers cannot tell whether the source IP of a DNS request is forged. And since DNS responses are much larger than the requests, the responses end up flooding the victim machine and consuming its bandwidth, causing a DoS attack on the victim.

Existing DNS Security

There are a number of existing security mechanisms which can be used to secure DNS transactions. But, each of them has its own disadvantages.

For example, DNSSEC (How does DNSSEC work ?) is a security extension which can be used to verify the authenticity of a DNS transaction. DNSSEC can ensure that the response coming from a DNS server is an authentic one and it no doubt protects us from attacks like DNS Hijacking and DNS Cache Poisoning.

But, as mentioned earlier, DNSSEC performs many cryptographic computations to ensure security, which increases the computational burden on the DNS servers. As a result, if an attacker forges IP addresses and sends many DNS requests to the DNS servers, it aggravates the situation and can easily cause a DoS attack.

Another security mechanism is Transaction Signature or TSIG (How does TSIG work ? ). It uses cryptographic keys to establish a trust relationship between a DNS client and a DNS server and secure the DNS transaction. TSIG provides good security, but it is non-trivial to deploy. It imposes a considerable burden on the existing DNS system: the pre-agreement and distribution of cryptographic keys, keeping track of server-side key state, and synchronization between a DNS client and a DNS server.

DNS Cookies is a lightweight security mechanism, which can be implemented easily with the existing DNS system and can work together with other security mechanisms. It does not have much overhead of pre-configuration etc.

How does DNS Cookies work ?

In DNS Cookies mechanism, each DNS server and each DNS client maintain a cookie. Each of them maintains a different cookie which can be used at the time of DNS transaction to make sure that the DNS request has indeed come from an authentic DNS client and its source IP address is not forged.

A client cookie is 8 bytes long and is a pseudorandom function of the client IP, the server IP and a secret quantity known only to the client. This pseudorandom function is secret to the client and can be changed periodically. Each DNS client thus has a different cookie, which is sent with the DNS request to verify its authenticity. As a DNS cookie is only ever returned to the IP address from which the request was generated, it cannot be used to track internet users.

Similarly, each DNS server with a different IP will have a different server cookie. The server cookie is a pseudorandom function of the client cookie, the client IP and a secret quantity known only to the server. This pseudorandom function is secret to the server and can be changed periodically. A DNS server must send different cookies to different clients.

DNS Cookies mechanism works in the following way :

  • A DNS client sends a DNS request and includes its client cookie along with the request. If it already knows the server cookie, it sends the server cookie along with its own cookie.
  • The server receives the DNS request from the client with the client cookie. If the DNS request contains only the client cookie and no server cookie, the server calculates a server cookie using its secret pseudorandom function over the client IP, the received client cookie and the secret quantity known to the server. The server then processes the request and sends its cookie to the client, so that the client can refer to it in future communications.
    On the other hand, if the server receives a server cookie along with the client cookie, it first verifies the cookie and then processes the request. It then generates a response and sends it along with a new server cookie if it has generated one.
  • Different DNS clients behind a NAT box can use their own local IP addresses to derive different client cookies. And, based upon these different client cookies, different server cookies can be generated, which can then be used in the DNS transactions without confusion.
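To make the exchange concrete, here is an added Python simulation of the client and server sides. It is not part of the original post and not the code of any DNS software. It assumes HMAC-SHA256 truncated to 8 bytes as the secret pseudorandom function (the mechanism only requires some secret pseudorandom function), uses made-up IP addresses, and assumes that a request whose server cookie fails to verify is answered with the BADCOOKIE error code; the post above only says that such a request is verified first.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Assumption for this example: the secret pseudorandom function is HMAC-SHA256
# truncated to 8 bytes. DNS Cookies only require *some* secret PRF; this choice is ours.
COOKIE_LEN = 8


def prf(secret: bytes, *parts: bytes) -> bytes:
    """Keyed pseudorandom function over the given parts, truncated to 8 bytes."""
    return hmac.new(secret, b"\x00".join(parts), hashlib.sha256).digest()[:COOKIE_LEN]


class DnsClient:
    def __init__(self, local_ip: str, public_ip: Optional[str] = None):
        self.local_ip = local_ip                  # address the client feeds into its PRF
        self.public_ip = public_ip or local_ip    # address the server sees (NAT case)
        self.secret = secrets.token_bytes(16)     # known only to this client
        self.server_cookies = {}                  # server IP -> last server cookie learned

    def client_cookie(self, server_ip: str) -> bytes:
        # client cookie = PRF(client IP, server IP, client secret)
        return prf(self.secret, self.local_ip.encode(), server_ip.encode())

    def build_request(self, server_ip: str, qname: str) -> dict:
        req = {"src_ip": self.public_ip, "qname": qname,
               "client_cookie": self.client_cookie(server_ip)}
        if server_ip in self.server_cookies:      # attach the server cookie if we know it
            req["server_cookie"] = self.server_cookies[server_ip]
        return req

    def accept_response(self, server_ip: str, resp: dict) -> bool:
        """Drop responses that do not echo our client cookie (forged answers)."""
        if not hmac.compare_digest(resp.get("client_cookie", b""), self.client_cookie(server_ip)):
            return False
        self.server_cookies[server_ip] = resp["server_cookie"]   # remember for next time
        return True


class DnsServer:
    def __init__(self, ip: str):
        self.ip = ip
        self.secret = secrets.token_bytes(16)     # known only to the server

    def server_cookie(self, client_cookie: bytes, client_ip: str) -> bytes:
        # server cookie = PRF(client cookie, client IP, server secret)
        return prf(self.secret, client_cookie, client_ip.encode())

    def handle(self, req: dict) -> dict:
        expected = self.server_cookie(req["client_cookie"], req["src_ip"])
        if "server_cookie" not in req:
            status = "NEW_COOKIE"   # first contact: answer and hand out a server cookie
        elif hmac.compare_digest(req["server_cookie"], expected):
            status = "OK"           # cookie verifies: the source address is not forged
        else:
            status = "BADCOOKIE"    # assumption: answer with the BADCOOKIE error code
        return {"status": status, "qname": req["qname"],
                "client_cookie": req["client_cookie"], "server_cookie": expected}


def simulate() -> list:
    """Run the exchange described above; returns the verdict for each step."""
    server = DnsServer("192.0.2.53")
    client = DnsClient("10.0.0.2", public_ip="203.0.113.5")
    verdicts = []

    # 1. first request carries only the client cookie
    req = client.build_request(server.ip, "example.com")
    resp = server.handle(req)
    verdicts.append(resp["status"])
    if not client.accept_response(server.ip, resp):
        raise RuntimeError("genuine response was rejected")

    # 2. second request carries both cookies and verifies
    req = client.build_request(server.ip, "example.org")
    verdicts.append(server.handle(req)["status"])

    # 3. the same cookie pair replayed from another source address fails to verify
    forged = dict(req, src_ip="198.51.100.9")
    verdicts.append(server.handle(forged)["status"])

    # 4. a forged response carrying the wrong client cookie is discarded by the client
    bogus = {"client_cookie": b"\x00" * COOKIE_LEN, "server_cookie": b"\x00" * COOKIE_LEN}
    verdicts.append("ACCEPTED" if client.accept_response(server.ip, bogus) else "DROPPED")
    return verdicts


def nat_cookies_differ() -> bool:
    """Two clients behind one NAT (same public IP) get distinct client and server cookies."""
    server = DnsServer("192.0.2.53")
    a = DnsClient("10.0.0.2", public_ip="203.0.113.5")
    b = DnsClient("10.0.0.3", public_ip="203.0.113.5")
    ca, cb = a.client_cookie(server.ip), b.client_cookie(server.ip)
    sa, sb = server.server_cookie(ca, a.public_ip), server.server_cookie(cb, b.public_ip)
    return ca != cb and sa != sb


if __name__ == "__main__":
    print(simulate())            # ['NEW_COOKIE', 'OK', 'BADCOOKIE', 'DROPPED']
    print(nat_cookies_differ())  # True
```

Step 3 is the point of the server cookie: because the client IP is an input to the server's PRF, a cookie observed for one address verifies only from that address, so a request with a forged source gets the cheap BADCOOKIE path instead of a full (and possibly DNSSEC-heavy) lookup. Step 4 is the point of the client cookie: a response that does not echo the cookie the client computed cannot poison its cache.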

So, be aware of different security mechanisms so that you can protect your systems in a better way and stay safe, stay secured.

Sunday, June 19, 2016

What is a Zero Day Threat ?


A zero-day threat is a threat that exploits a security vulnerability that is still unknown, even to the developers of the software. It uses the unknown vulnerability in the software and creates serious problems such as data theft and identity theft. The threat is called "zero-day" because once the flaw is discovered, the developers have had zero days to plan and advise mitigation against it.

Attack Vectors

Zero-day vulnerabilities can be exploited by the attackers through several attack vectors :

  • When a user visits a malicious website, the malicious code in the website can exploit some security vulnerability in the web browser to infect the system.
  • Cybercriminals can use social engineering to infect a system. For example, they may send a phishing email with an attachment; opening the attachment executes malicious code that downloads the malware onto the system, thereby infecting it.
  • Attackers can use malvertising (How does malvertising work ? ) to inject malware-laden online advertisements into legitimate online advertising networks and webpages and infect a system.
  • Attackers can use drive-by downloads (How does drive-by download work ? ) to infect a system with the malware while the user visits a malicious website.
  • The attackers may even take advantage of known security vulnerabilities of Operating Systems and other commonly used software to infect the system with malware.

Zero-day Vulnerability Timeline

A Zero-day threat typically follows the timeline mentioned below :

  • Developers create software that unknowingly contains a security vulnerability.
  • The software gets released and the attackers find out the vulnerability, even before the developers get a chance to find it out or fix it.
  • The attackers exploit that vulnerability and create malware.
  • The attackers use social engineering or take advantage of other security vulnerabilities of Operating Systems and other commonly used software to infect a system with the malware.
  • The attackers steal sensitive data from the infected systems or plan even further attacks.
  • The users come to know about the information and identity theft or the developers become aware of the vulnerability.
  • The developers respond quickly to release a patch to mitigate it.

How to prevent Zero Day Threat ?

A couple of steps can be taken to protect systems, once a zero-day threat becomes known for which no patch is released yet.

  • Configure firewalls properly (How do firewalls work ? ).
  • Use only essential applications. A zero-day threat mostly takes advantage of security vulnerabilities in applications to infect systems, and the fewer the applications, the fewer the vulnerabilities.
  • As mentioned earlier, a zero-day threat takes advantage of security vulnerabilities of Operating Systems and other commonly used software to infect a system. So, patch the Operating Systems and other software with most recent security patches.
  • Use an Intrusion Detection and Prevention System (How does an IDS work ? ) or other advanced technologies like NGFW (How does Next Generation Firewall work ? ), NGAV (How does Next Generation Anti-Virus work ? ) or SSL Inspectors (How do SSL Inspectors work ? ) to detect and prevent threats.

Thursday, June 16, 2016

What is Device Fingerprinting ?

Device Fingerprinting is a technology for collecting information from a remote device so that the device can be identified uniquely. It is used to determine whether the computer being communicated with is a trusted one. It does so by measuring various parameters like browsing data, Operating System, connection attributes etc and then building a risk profile of the device, from which the trust factor of the device can be determined.

Why do we need Device Fingerprinting ?

Using a fake account, username, email address or IP address for each fraud attack is easy for a cyber criminal. But, using different devices each time is not so simple. And, that is the main motivation behind Device Fingerprinting.

Using Device Fingerprinting, a service provider can uniquely identify and track the device that accesses the service. It can determine the trust factor of the device, based upon which it can determine fraudulent activities and blacklist a fraudulent device once detected.

Device Fingerprinting is a powerful tool which can recognise a returning criminal, even if he changes his name, IP address or browser cookies.

How does Device Fingerprinting detect fraudulent activities ?

Device Fingerprinting can detect a fraudulent device in a number of ways :

  • It can detect anomaly in a device based on factors like – whether the real IP address and location of the device are hidden, whether the device is a part of a botnet (What is a botnet ? ) etc.
  • It can fingerprint a device based upon whether the connected device is trying to exfiltrate a large amount of data over a short period of time and take decision based on that.
  • It can determine whether any fraudulent activities were done previously from the same device, ISP or location and determine trust factor of the device based on that.
  • It can determine whether accounts or subscriptions from the connected device are being accessed or shared illegally.
  • It can even blacklist a device based on whether the device was previously found to be involved in any fraudulent activities.

Characteristics of Device Fingerprinting

A Device Fingerprinting solution should have the following characteristics :

  • Uniqueness – The device should be well differentiated from other devices based on the factors on which fingerprinting is done. In other words, the fingerprint should contain enough entropy.
  • Persistence – The fingerprint should remain usable for a considerably long time. For example, fingerprints based on Operating System data are more persistent than those based on browser data.
  • Resistance – The fingerprint should be resistant, i.e. it should not be easy for fraudsters to tamper with. For example, fingerprints based on cookies are not very resistant, as cookies can easily be deleted or copied.
  • Integration – Device Fingerprinting technology used should be easily integrated with the business requirements. For example, it is good if a set of web-APIs enable integration of Device Fingerprinting into the existing business.
  • Zero Impact – Device Fingerprinting solution should have no significant impact on customer experience and IT infrastructure. Customers should not need to install some additional software or use some hardware token.
  • No Delay – There should be no significant delay in the Device Fingerprinting solution. It should be able to calculate device risk in real time.
  • First-time Fraud Detection – A Device Fingerprinting solution should be able to effectively protect against first-time fraud attempts. This can be done by looking at a number of factors like whether the device is hiding its IP, location or geo, whether the device is compromised by malware or part of a botnet etc.

Various methods of Device Fingerprinting

There are two types of Device Fingerprinting :

  • Active Fingerprinting
  • Passive Fingerprinting

Active Fingerprinting

Active Fingerprinting is invasive and it requires the device to be fingerprinted to install additional software. It can access unique parameters of the device like drive serial number, device MAC address etc, based on which it can calculate the risk profile of the device. This method is more accurate, but as it requires end users to install additional software and give permissions, it may not be feasible always.

Passive Fingerprinting

Passive Fingerprinting is done without any obvious query to the client machine and hence is less invasive. It mainly uses information on the TCP connection, Operating System, browser settings etc to profile the device. These attributes are mostly anonymous and have relatively little impact on the customer's privacy. As a result, this method is quite feasible for ecommerce, online media or retail financial businesses.

Passive Fingerprinting can be done using a number of methods :

  1. Browser Tagging – It uses information like cookies etc to identify a returning user.
  2. Browser Fingerprinting – It uses information on HTML, JavaScript, Flash etc available in the browser to profile the device. It may also use a combination of information like screen resolution, browser type, clock time, timezone, language etc to create a fingerprint.
  3. HTTP Fingerprinting – It uses information available while communicating with the device over an HTTP connection. The information may include HTTP compression type, proxy support, language etc.
  4. Operating System Fingerprinting – This method mainly makes use of Operating System data to profile the device.
  5. TCP Fingerprinting – It uses information available on a TCP connection with the device, like connection speed etc.
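As an added example (not from the original article and not any vendor's product), the Python below builds a passive fingerprint from HTTP headers and browser-reported values, measures how much entropy each attribute set yields over a constructed set of six devices (the "Uniqueness" characteristic above), and keeps a small registry of returning and blacklisted devices. The attribute names, the six sample devices and the use of SHA-256 over a canonical JSON encoding are all assumptions made for the illustration.

```python
import hashlib
import json
import math
from collections import Counter

# Constructed sample: attributes observed passively for six connecting devices
# (HTTP headers plus values the browser reports). Every value is made up.
SAMPLE_DEVICES = [
    {"user_agent": "UA/1.0 (Windows)", "accept_language": "en-US", "accept_encoding": "gzip",
     "screen": "1920x1080", "timezone_offset": -300},
    {"user_agent": "UA/1.0 (Windows)", "accept_language": "en-US", "accept_encoding": "gzip",
     "screen": "1366x768", "timezone_offset": -300},
    {"user_agent": "UA/2.1 (Linux)", "accept_language": "de-DE", "accept_encoding": "gzip, br",
     "screen": "2560x1440", "timezone_offset": -60},
    {"user_agent": "UA/2.1 (Linux)", "accept_language": "de-DE", "accept_encoding": "gzip, br",
     "screen": "2560x1440", "timezone_offset": 0},
    {"user_agent": "UA/3.0 (Mac)", "accept_language": "fr-FR", "accept_encoding": "gzip",
     "screen": "2880x1800", "timezone_offset": -60},
    {"user_agent": "UA/1.0 (Android)", "accept_language": "en-GB", "accept_encoding": "gzip",
     "screen": "1080x2340", "timezone_offset": 0},
]

HTTP_KEYS = ("user_agent", "accept_language", "accept_encoding")          # HTTP fingerprinting
BROWSER_KEYS = HTTP_KEYS + ("screen", "timezone_offset")                  # browser fingerprinting


def fingerprint(attrs, keys=BROWSER_KEYS):
    """Hash a canonical encoding of the selected attributes into a 64-bit device id."""
    canonical = json.dumps({k: attrs.get(k) for k in keys}, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()[:16]


def entropy_bits(population, keys):
    """Shannon entropy of the fingerprint over the population: how well it separates devices."""
    counts = Counter(fingerprint(d, keys) for d in population)
    n = len(population)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def collisions(population, keys):
    """Number of devices whose fingerprint is shared with at least one other device."""
    counts = Counter(fingerprint(d, keys) for d in population)
    return sum(c for c in counts.values() if c > 1)


class DeviceRegistry:
    """Tracks fingerprints seen before and those that were flagged as fraudulent."""

    def __init__(self):
        self.seen = {}          # fingerprint -> number of visits
        self.blacklist = set()

    def check(self, attrs):
        fp = fingerprint(attrs)
        self.seen[fp] = self.seen.get(fp, 0) + 1
        if fp in self.blacklist:
            return fp, "blocked"
        return fp, ("returning" if self.seen[fp] > 1 else "new")

    def flag(self, attrs):
        """Blacklist the device after fraud was confirmed from it."""
        self.blacklist.add(fingerprint(attrs))


def registry_demo():
    """Walk a device through new -> returning, then block a second device."""
    reg = DeviceRegistry()
    out = [reg.check(SAMPLE_DEVICES[0])[1], reg.check(SAMPLE_DEVICES[0])[1]]
    reg.flag(SAMPLE_DEVICES[1])
    out.append(reg.check(SAMPLE_DEVICES[1])[1])
    out.append(reg.check(SAMPLE_DEVICES[0])[1])
    return out


if __name__ == "__main__":
    for name, keys in (("HTTP headers only", HTTP_KEYS), ("headers + browser data", BROWSER_KEYS)):
        print(f"{name}: {entropy_bits(SAMPLE_DEVICES, keys):.2f} bits, "
              f"{collisions(SAMPLE_DEVICES, keys)} devices collide")
    print(registry_demo())
```

With headers alone, two pairs of devices in the sample are indistinguishable; adding screen size and timezone separates all six, which is what the entropy figure captures. The registry shows the blacklist surviving a change of name or IP address because the lookup key is the fingerprint, not the account.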

Where is Device Fingerprinting used ?

Device Fingerprinting is used for fraud detection, protection against account hijacking, anti-bot and anti-scraping services, enterprise security management, protection against DDoS attacks etc. Bank or financial transactional websites can use Device Fingerprinting to isolate fraudulent patterns and stop them before causing any damage.

Device Fingerprinting can also be used for real-time targeted marketing, campaign measurement, profiling customers, limiting the devices that may access specific services etc, though the use of Device Fingerprinting for certain of these purposes raises the question of privacy.

Device Fingerprinting and Privacy

Use of Device Fingerprinting in certain cases does raise a concern for privacy advocates. Though this technology is mainly used for online fraud detection, it can pose a potential privacy concern for users if used otherwise.

For example, the device profile obtained through Device Fingerprinting can be used to :

  • identify a user
  • track and analyse a user's browsing activity
  • collect enough information about the user to draw inferences about him or her

And, this can lead to a number of privacy concerns.

For example :

  • There can be a number of reasons a user would want to remain anonymous online. The reasons may include concerns about surveillance, personal safety, concerns about discrimination etc. Using Device Fingerprinting, an application or service provider may be able to identify a user, by looking at the fingerprint of the device. And, this may lead to serious privacy concern, as the information collected can be used by an adversary for causing harm or damages.
  • Device Fingerprinting can be used to track and analyze a user's browsing activities for the purpose of online marketing and advertising. This is no doubt a privacy concern if it is done without the knowledge of the user.
  • Using Device Fingerprinting, a service provider can draw inferences about a user. For example, information on the device's CPU and Operating System may reveal information about the user's purchasing capability and proclivity. And, this information can be exploited to discriminate against a person, which is no doubt an invasion of privacy.

Ideally, if a service provider wants to implement Device Fingerprinting for a purpose other than online fraud detection, it should do the following :

  • The service provider should get explicit consent from the user, if the technology is used for the purpose of any advertising, marketing research or website analytics
  • The service provider should give detailed information about the fingerprinting, like how the data will be collected, used or the purpose of the data collection.

So, Device Fingerprinting is a technology which is a boon to us for the detection and prevention of online fraud, and rather a bane if used otherwise. This article just gave introductory information about Device Fingerprinting. Hope it helped.

Sunday, June 5, 2016

Biometrics and Authentication

Authentication using passwords and PINs is no longer considered to be safe. We have seen a couple of recent incidents of data breaches where user data was compromised and exploited for even further attacks. Two factor authentication is one option for dealing with it. But that also cannot be considered sufficient: a two factor authentication system can also be compromised. We need some authentication mechanism in which the authentication data can be provided by the individual only and cannot be tampered with. And, that is the main motivation behind using biometric systems.

What is Biometrics ?

The word “biometrics” is derived from the Greek word “bio” which means life and “metric” which means to measure. Biometrics refers to the automatic identification of a person based on his or her unique physiological or behavioral characteristics, such as fingerprints, voice pattern, iris, keystroke rhythm etc. These characteristics are unique to every individual and cannot be tampered easily. And, that is why biometric systems are today widely used for authentication purposes.

History of Biometrics

The history of biometrics dates back to 1870, with the measurement system of Alphonse Bertillon. In this measurement system, human body measurements such as skull diameter, arm and foot length etc were used to identify a person uniquely. Until the 1920s, this system was used for identifying prisoners.

Later, in the 1960s, identification through fingerprints and facial measurements was proposed. In the 1960s, the techniques of digital signal processing were developed, which enabled convenient processing and storage of biometric data. And, that led to identification of individuals in an automated way.

Voice and fingerprint recognition systems were developed from the 1960s onwards, and their applications included high security access control, personal locks and authentication of financial transactions.

Later, biometric system based on face recognition and iris recognition was developed. And, today biometric systems based on fingerprints and face recognition, iris pattern recognition or keystroke rhythm and voice recognition are widely used.

Why Biometrics

There are a number of reasons for which biometrics are supposed to be reliable enough to be used for authentication purposes :

  • Biometric data of an individual can be produced by that individual only, and the individual has to be physically present at the time of authentication. It is not easy to tamper with biometric data. This makes biometric systems much more reliable, as they can prevent illegitimate access based on stolen credentials.
  • As biometric data is unique for every individual and can be produced by the individual only, it can provide negative identification. If an individual is enrolled in a biometric system, he cannot later deny his enrollment.
  • In biometrics, one does not need to remember a huge number of credentials, as one does with passwords or PINs. A password or PIN can easily be forgotten, or broken if it is not strong enough. But the biometric data of an individual is hard to guess or break.
  • In biometrics, one does not need to carry any physical tokens for authentication, as it is done for smart cards, magnetic stripe cards, photo ID cards, physical keys etc. So, biometric authentication is much more convenient for an individual.

Characteristics of Biometric Data

Biometric data should have the following characteristics so that it can reliably be used for authentication purposes :

  • Biometric data should be constant over a long period of time. There should be no significant differences in the biometric data based on factors like age, disease etc.
  • Biometric data of an individual should be unique and significantly different from another individual.
  • The captured biometric data should be conveniently stored in a format, which is easy to handle.
  • Biometric data of an individual should be impractical to mask or manipulate.
  • Biometric data of an individual should be digitally comparable with that of another individual.
  • Biometric data must be irreproducible by other means, unless the individual himself or herself produces the data.
  • Biometric data has to be accurate. It should not have any false acceptance or false rejection rate.

How does Biometric System work ?

A biometric system typically works in the following way :

  • An individual produces his or her biometric data. Normally, the biometric data is captured by a sensing device like a fingerprint scanner or a video camera.
  • Distinguishing characteristics are extracted from the raw biometric sample and converted into a biometric template.
  • The mathematical representation of the biometric template is registered and stored in the database.
  • Later, when an individual tries to authenticate producing his or her biometrics, the stored biometric data is compared with the given data for verification.

Types of Biometrics

Biometrics can be of two types :

  • Physiological Biometrics
  • Behavioral Biometrics

Physiological biometrics is based on some physiological characteristics of an individual, such as fingerprints, iris pattern, face recognition etc.

And, behavioral biometrics is based on behavioral characteristics of an individual, such as keystroke rhythm, signature, voice recognition etc.

The main difference between these two types of biometrics is that physiological biometrics is not influenced by the psycho-emotional state of an individual. It remains unchanged over time and emotional state. But, behavioral biometrics can be influenced by factors like the emotional state or disease of an individual. So, physiological biometrics is supposed to be more reliable than behavioral biometrics.

Let's look at a couple of biometric systems and their advantages and disadvantages.

Face Recognition

Each individual has distinctive features in his facial image based on eyebrows, width of eyes, breadth of nose etc. The facial recognition system first captures the facial image of an individual and then separates the face from the background. It then extracts features from the facial image.

There are around 80 features that a facial recognition system can make use of and these include jaw line length, eye socket depth, distance between the eyes, cheekbone shape, width of the nose etc.

The distinctive features are then suitably represented in a mathematical format and stored in the database. Later, this data is retrieved and compared with the newly collected data for authentication.

Advantages

  • It is not intrusive.
  • It is hands-free and convenient.
  • It can be done from a distance. This can be useful if used responsibly for surveillance purposes, for identifying criminals in a crowd.

Disadvantages

  • A facial recognition system should be resistant to factors like facial expressions etc.
  • Face recognition may not work properly with factors like poor lighting, sunglasses, a partially covered face, low resolution images etc.
  • If not used responsibly with the permission of the individual, face recognition can be a major privacy violation.

Iris Recognition

The iris is the colored ring around the pupil of the human eye. It has complex random patterns which are unique and can be seen even from a certain distance. An iris recognition system analyzes the complex random patterns of an iris and determines a person's identity based upon that.

Advantages

  • Iris recognition technology is not very intrusive, as it does not need direct contact between the subject and the camera.
  • Iris recognition can be done using simple video technology.
  • Error rates of iris recognition systems are very low, and it can be reliably used for authentication purposes.

Disadvantages

  • Scanning the iris may be inconvenient, as it can be covered by objects like the eyelid or eyelashes.
  • Iris recognition biometrics may prove difficult for people with blindness or cataract.
  • The camera used for taking the iris image should have the correct amount of illumination, otherwise it may prove difficult to capture an accurate image of the iris.

Fingerprint Recognition

In this method, a digital representation of a fingerprint is captured using a fingerprint scanner and then features are extracted based on the ridges and valleys of the finger. Later, these features are used to identify and authenticate an individual. Among all biometric techniques, fingerprint recognition is the most popular method and is widely used.

Advantages

  • The fingerprints of an individual develop at the age of about seven months and remain unchanged for the rest of life. These characteristics do not change easily and so can be used reliably for authentication.

Disadvantages

  • For some people it is intrusive, as it is still associated with criminal identification.
  • Captured biometric data is large and needs compression to be stored efficiently.

Keystroke Rhythm Recognition

Each individual has his own typing rhythm, and biometric authentication can be done based on that. The main features used in this technology are :

  • Latencies between two successive keystrokes.
  • Finger placement.
  • Pressure applied on the keys.
  • Overall typing speed.

Advantages

  • It is simple to implement and does not require any specialized hardware.

Disadvantages

  • Keystroke rhythm can be influenced by various circumstances like the psycho-emotional state, a hand injury or fatigue of the individual etc. So, it has limited accuracy.
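To show the enrol / template / compare steps from "How does Biometric System work ?" on the simplest behavioral trait, here is an added Python example (not from the original article, not from any biometric product) of a toy keystroke-rhythm verifier. It also makes the false acceptance and false rejection rates mentioned under "Characteristics of Biometric Data" concrete: the same threshold that keeps impostors out also rejects a tired genuine user. The latency samples are constructed, and the template (per-interval mean and spread) and the z-score distance are our own choices for the illustration.

```python
import statistics

# Constructed keystroke-timing data: each list holds the latencies (milliseconds)
# between successive keystrokes while typing a fixed five-key phrase. All values
# are made up for this example.
ENROLL_SAMPLES = [
    [120, 95, 140, 110, 130],
    [124, 99, 136, 114, 126],
    [116, 91, 144, 106, 134],
    [120, 95, 140, 110, 130],
]
GENUINE_ATTEMPTS = [
    [121, 96, 139, 111, 129],   # a normal day
    [118, 93, 143, 108, 133],   # slightly off
    [130, 105, 150, 120, 140],  # fatigued: every interval 10 ms slower
]
IMPOSTOR_ATTEMPTS = [
    [200, 180, 210, 190, 205],  # much slower typist
    [60, 50, 70, 55, 65],       # much faster typist
    [123, 98, 137, 113, 127],   # close mimic
]


def enroll(samples):
    """Extract the template: mean and spread of each inter-key latency (step 2 and 3)."""
    return [(statistics.mean(col), statistics.pstdev(col) or 1.0) for col in zip(*samples)]


def score(template, attempt):
    """Distance of an attempt from the template: mean absolute z-score (0 = identical)."""
    return sum(abs(x - m) / s for (m, s), x in zip(template, attempt)) / len(template)


def verify(template, attempt, threshold):
    """Step 4: accept when the attempt lies within the threshold of the enrolled template."""
    return score(template, attempt) <= threshold


def error_rates(template, genuine, impostor, threshold):
    """False acceptance rate (impostors let in) and false rejection rate (genuine users refused)."""
    far = sum(verify(template, a, threshold) for a in impostor) / len(impostor)
    frr = sum(not verify(template, a, threshold) for a in genuine) / len(genuine)
    return far, frr


def threshold_sweep(template, genuine, impostor, thresholds):
    """The trade-off: loosening the threshold lowers FRR but raises FAR."""
    return [(t,) + error_rates(template, genuine, impostor, t) for t in thresholds]


TEMPLATE = enroll(ENROLL_SAMPLES)

if __name__ == "__main__":
    for t, far, frr in threshold_sweep(TEMPLATE, GENUINE_ATTEMPTS, IMPOSTOR_ATTEMPTS, (0.5, 1.0, 1.5, 4.0)):
        print(f"threshold {t:.1f}: FAR {far:.2f}  FRR {frr:.2f}")
```

At a threshold of 1.0 the close mimic is refused (FAR 0) but the fatigued genuine attempt is refused too (FRR 1/3); at 1.5 the fatigued attempt is still refused while the mimic now gets in. No single threshold drives both rates to zero on this data, which is why a real deployment tunes the threshold to the risk of the application rather than assuming an error-free biometric.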

Challenges of Biometric Authentication

There are a couple of challenges of using biometric authentication :

  • If stored biometric data is compromised, it would be a major privacy concern. Biometric data of an individual, unlike other credentials like passwords or PINs, cannot be changed.
  • One has to make sure the collected biometric data is not influenced by noise or errors. Biometric systems must endure failures within a rational bound and give reliable results.

Are Biometric Systems vulnerable to hacking ?

Biometric systems are still in their infancy and cannot be considered 100% secure. A biometric system can be compromised in a number of ways :

  • Attackers can use a backdoor to bypass authentication and gain unauthorized access of the system.
  • Attackers can present a facsimile of the actual biometric to gain access. In the worst case, the attacker can use body parts no longer attached to the owner to gain access. A biometric system should be able to tell the difference between a live body part and an amputated one.
  • At the time of enrollment, biometric data of an individual is collected and stored in a database, so that it can later be compared with the collected biometric data for authentication. An attacker can perpetrate a Man-In-The-Middle Attack while storing the biometric data and manipulate the data to take advantage of that later.

So, biometric systems cannot be considered fully secure. However, two factor authentication comprising the biometric data of an individual and something you know, like a password or PIN, increases security to a great extent and provides an effective countermeasure.

Biometrics and Privacy

Privacy is a big concern for biometrics. We have seen a couple of incidents where the use of biometrics raised questions from privacy advocates. For example, using face recognition technology, one can monitor public places and use the scanned images to identify known criminals. But, if the scanning is done without the knowledge of the public, using a technology whose impacts are not fully understood, then it is a big privacy concern.

Privacy concern also exists about how the biometric data stored in a database can be used. Using or sharing the biometric data without the individual's knowledge is also a big privacy concern.

Also, biometric systems should be safeguarded from fraudulent activities and data breaches. Biometrics of an individual, unlike other credentials, cannot be changed.

Applications of Biometrics

Biometrics are used in a number of places :

  • It is used in military programs.
  • To survey a busy place to identify known criminals.
  • To access accounts in banks.
  • For ATM transactions, using special purpose kiosks.
  • To secure online banking.
  • For PC or network access.
  • In air travel, to reduce the inspection processing time for authorized travellers.
  • To control travelers crossing the national or state border.
  • Some countries include biometric information in passports, in terms of barcode or smart chips.

So, no authentication system is fully secure. But, biometrics if used responsibly with caution, can enhance security to a large extent. This article just gave some basic information on biometrics. Hope you liked it.
