Publications and Presentations

Kate Pearce speaking at Kiwicon 9, surrounded by flames as the slide fills with "NO NO NO". Photograph by Kristina DC Hoeppner.

Presentations

  • Blackhat USA 2014 - Multipath TCP: Breaking Today’s Networks with Tomorrow’s Protocols - Slides, Paper, Video

MultiPath TCP (MPTCP) is an extension to TCP that enables a session to use multiple network endpoints and multiple network paths at the same time, and to change addresses in the middle of a connection. MPTCP works transparently over most existing network infrastructure, yet very few security and network management tools can correctly interpret MPTCP streams. With MPTCP, network security changes: how do you secure traffic when you can’t see all of it and when the endpoint addresses change in the middle of a connection? This session shows how MPTCP breaks assumptions about how TCP works, and how it can be used to evade security controls. We also show tools and strategies for understanding and mitigating the risk of MPTCP-capable devices on a network.

  • Defcon’s Wall of Sheep - Multipath TCP: Breaking Today’s Networks with Tomorrow’s Protocols (Redux of BlackHat USA - see above.)

  • TROOPERS15 - Multipath TCP: Breaking Today’s Networks with Tomorrow’s Protocols (Redux of BlackHat USA, delivered by Patrick Thomas - see above.) - Video

  • BSides Rochester - Multipath TCP: Breaking Today’s Networks with Tomorrow’s Protocols (Redux of BlackHat USA - see above.)

  • Hushcon East - Multipath Madness, MPTCP, and Beyond - featuring HTTP evasive fragmentation

In this talk, Kate briefly discusses MPTCP and its implications, and then explores how to undertake similar attacks over HTTP by abusing HTTP range requests. As well as introducing new tools and techniques that abuse HTTP range requests, we produce HTTP requests that end before they start and only truly start after they end. MultiPath TCP (MPTCP) is an extension to TCP that works over existing networks and makes networks perform better for end users. It seems to unsettle network operators and scare network security practitioners, but it is fascinating to security people. When we discussed MPTCP’s network security implications at Blackhat USA 2014, we found that an annoying number of people thought that blocking MPTCP would preserve the status quo. They were wrong… While MPTCP made some filter and inspection evasion techniques obvious, those techniques have been possible for years without using MPTCP.

  • Source Boston - Multipath TCP: Breaking Today’s Networks with Tomorrow’s Protocols (Redux of BlackHat USA - see above.)

  • Nolacon - Multipath TCP: Breaking Today’s Networks with Tomorrow’s Protocols (Redux of BlackHat USA - see above.)

  • Invite-only conference, details withheld

  • BSides Knoxville - Video

  • Invite-only trust group conference, details withheld - Dec 2015

  • Kiwicon 9 - Multipath TCP: Breaking Today’s Networks with Tomorrow’s Protocols - Slides and Video on request

  • APRICOT 2016 - Multipathed, Multiplexed, Multilateral Transport Protocols: Decoupling transport protocols from what’s below - Slides, Video

As we move forward to an ever more hyper-connected future, network protocols are shifting to enable powerful new functionality. Two interesting examples of this are Multipath TCP and QUIC. Multipath TCP (MPTCP) is an extension to TCP that works over existing infrastructure, while enabling connections to aggregate multiple network endpoints and paths, and allowing endpoints to change addresses in the middle of a connection. QUIC is a UDP-based application protocol that multiplexes connections between endpoints at the application level, rather than the kernel level. With changes such as these, network management changes too, raising questions about how you think about traffic when you can’t see all of it, when endpoints manage their own end-to-end routes, and when their addresses change in the middle of a connection. This session shows how protocol changes are breaking assumptions about how internet traffic works, discusses some issues that arise if you treat the new Internet the same as the old one, and muses about what might be further down the multi-X road.

Media Coverage

RT - Boom Bust with Erin Ade

Publications

Assessing and Improving Authentication Confidence Management - M Pearce, R Hunt, Z Zeadally - Information Management and Computer Security - http://www.emeraldinsight.com/journals.htm?articleid=1864094&show=abstract

Purpose: The purpose of this paper is to address some weaknesses in the handling of current multi-factor authentication, suggest some criteria for overcoming these weaknesses and present a simple proof of concept authentication system. Design/methodology/approach: First, this paper evaluates some of the underlying practices and assumptions in multi-factor authentication systems. Next, the paper assesses the implications of these when compared to a quantitative authentication risk management approach. Based upon these implications, this paper then notes the requirements for an improved system and details some related research areas that meet these requirements. Finally, this paper discusses how a system that meets these requirements through the application of that research could provide benefits, and outlines a simple points-based authentication system. Findings: The paper proposes that many of the weaknesses in authentication confidence management could be effectively mitigated through the deployment of a factor-independent, multi-modal fusion, quantitative authentication-based system. This paper details a simple points-based approach that does this and discusses how addressing the problems in handling authentication confidence could further optimise risk management in multi-factor authentication systems. Practical implications: This paper’s suggestions for optimising multi-factor authentication have many implications within medium- to high-security commercial and government applications. Correct authentication risk handling enables decisions regarding risk and authentication to be made more accurately. Originality/value: The implications of the issues discussed in this paper have relevance to anyone who deploys or uses any medium- to high-security authentication system. As the bottom end of the medium- to high-security range includes online banking, there are implications for a wide range of stakeholders.

Development and Evaluation of a Secure Web Gateway Using Existing Open Source and ICAP Tools - M Pearce, R Hunt - Presented at 10th SECAU Security Congress, Perth, Australia - http://ro.ecu.edu.au/ism/96

This work-in-progress paper discusses the development and evaluation of an open source secure web gateway. The proof of concept system uses a combination of open source software (including the Greasyspoon ICAP Server, Squid HTTP proxy, and Clam Antivirus) to perform various security tasks, ranging from simple (such as passive content insertion) to more advanced (such as active content alteration), via modules installed on the server. After discussing the makeup of the proof of concept system, we discuss our evaluation methodology for both effectiveness and performance. Effectiveness was tested by comparative analysis of groups of self-browsing high-interaction client honeypots (employing a variety of security measures) and recording their differing system alteration rates. Performance was tested across a wide range of variables to determine the failure conditions and optimal setup for the components used.

Development and evaluation of a secure web gateway with messaging functionality: utilizing existing ICAP and open-source tools to notify and protect end users from Internet security threats - M Pearce - Master’s Thesis, University of Canterbury - http://ir.canterbury.ac.nz/handle/10092/5457

Abstract: Secure web gateways aim to protect end user systems against web-based threats. Many proprietary commercial systems exist; however, their mechanisms of operation are not generally publicly known. This project undertook the development and evaluation of an open source, standards-based secure web gateway. The proof of concept system developed uses a combination of open source software (including the Greasyspoon ICAP Server, Squid HTTP proxy, and Clam Antivirus) and Java modules installed on the ICAP server to perform various security tasks that range from simple (such as passive content insertion) to more advanced (such as active content alteration). The makeup of the proof of concept system and the evaluation methodology for both effectiveness and performance are discussed. Effectiveness was tested by comparative analysis of groups of self-browsing high-interaction client honeypots (employing a variety of security measures) and recording their differing system alteration rates. Performance was tested across a wide range of variables to determine the failure conditions and optimal setup for the components used. The system developed met the majority of the goals set, and results from testing indicate an improvement in infection rates over unprotected systems. Performance levels attained were suitable for small-scale deployments, but optimization is necessary for larger-scale deployments.

Virtualization: Issues, security threats, and solutions - M Pearce, R Hunt, Z Zeadally - ACM Computing Surveys (CSUR), Volume 45 Issue 2, February 2013 - http://dl.acm.org/citation.cfm?id=2431216

The decoupling of physical and logical states gives virtualization inherent security benefits. However, the design, implementation, and deployment of virtualization technology have also opened up novel threats and security issues which, while not particular to system virtualization, take on new forms in relation to it. Reverse engineering becomes easier due to introspection capabilities, as encryption keys, security algorithms, low-level protection, intrusion detection, or antidebugging measures can become more easily compromised. Furthermore, associated technologies such as virtual routing and networking can create challenging issues for security, intrusion control, and associated forensic processes. We explain the security considerations and some associated methodologies by which security breaches can occur, and offer recommendations for how virtualized environments can best be protected. Finally, we offer a set of generalized recommendations that can be applied to achieve secure virtualized implementations.