eTVRA, a Threat, Vulnerability and Risk Assessment Tool for eEurope

Rossebø, Judith E. Y.; Cadzow, Scott; Sijben, Paul

doi:10.1007/11755593_38

Cited by 6 publications

(5 citation statements)

References 2 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…The exploitation of well known vulnerabilities of DNS-based procedures is a clear way of attacking the ENUM service. A recent analysis of critical threats to ENUM may be found in [19,20]. Rossebø et al present in these works their risk assessment analysis of the ENUM service based on a methodology proposed by the European Telecommunications Standards Institute (ETSI) [5].…”

Section: Threats To the Enum Servicementioning

confidence: 99%

“…Moreover, the DNS protocol uses clear text operations, which means that either a passive attack, such as eavesdropping, or an active attack, such as man-in-the-middle, can be carried out by unauthorized users to capture queries and responses. Although this can be considered as acceptable for the resolution of host names on Web services, an associated loss of privacy when using DNS for the resolution of ENUM queries is reported in [19,20] as a critical threat.…”

Section: Threats To the Enum Servicementioning

confidence: 99%

“…Nevertheless, the use of the DNS protocol on new lookup services, such as the ENUM suite of protocols, clearly introduces a new dimension. Vulnerabilities on the DNS, allowing the disclosure of data associated with people's information, such as their telephone numbers, is a critical threat [19,20]. Let us summarize these privacy weaknesses from the following three different scopes: (1) DNS local resolvers, (2) communication channel, and (3) remote DNS servers.…”

Section: Privacy Weakness In the Dns Protocolmentioning

confidence: 99%

See 2 more Smart Citations

Anonymous Resolution of DNS Queries

Castillo-Pérez

García-Alfaro

2008

On the Move to Meaningful Internet Systems: OTM 2008

View full text Add to dashboard Cite

Abstract. The use of the DNS as the underlying technology of new resolution name services can lead to privacy violations. The exchange of data between servers and clients flows without protection. Such an information can be captured by service providers and eventually sold with malicious purposes (i.e., spamming, phishing, etc.). A motivating example is the use of DNS on VoIP services for the translation of traditional telephone numbers into Internet URLs. We analyze in this paper the use of statistical noise for the construction of proper DNS queries. Our objective aims at reducing the risk that sensible data within DNS queries could be inferred by local and remote DNS servers. We evaluate the implementation of a proof-of-concept of our approach. We study the benefits and limitations of our proposal. A first limitation is the possibility of attacks against the integrity and authenticity of our queries by means of, for instance, man-in-the-middle or replay attacks. However, this limitation can be successfully solved combining our proposal together with the use of the DNSSEC (DNS Security extensions). We evaluate the impact of including this complementary countermeasure.

show abstract

Section: Threats To the Enum Servicementioning

confidence: 99%

Section: Threats To the Enum Servicementioning

confidence: 99%

Section: Privacy Weakness In the Dns Protocolmentioning

confidence: 99%

See 1 more Smart Citation

Anonymous Resolution of DNS Queries

Castillo-Pérez

García-Alfaro

2008

On the Move to Meaningful Internet Systems: OTM 2008

View full text Add to dashboard Cite

show abstract

“…The eTVRA tool prototype was presented at the iTrust 2006 demonstration session in May, 2006 accompanied by short paper appearing in the iTrust proceedings [18]. The focus of the short paper was on presenting the eTVRA tool prototype, and as such does not provide a detailed discussion of the eTVRA method.…”

Section: Introductionmentioning

confidence: 99%

eTVRA, a Threat, Vulnerability and Risk Assessment Method and Tool for eEurope

Rossebø

Cadzow

Sijben³

2007

The Second International Conference on Availability, Reliability and Security (ARES'07)

Self Cite

View full text Add to dashboard Cite

The telecommunications environment is evolving into Next Generation Networks (NGN). On an NGN, telecommunications services are recreated on IP networks, this creates a demand on standardization bodies to adapt and meet the needs of these emerging networks. Securing the service environment for eBusiness and the underlying network are crucial areas cited in the eEurope action plan [1]. Standardization provides an important means for securing the NGN and establishing trust in its services and infrastructure in order to enable the development of modern public services. In response to this, we have developed a threat, vulnerability and risk assessment (eTVRA) method and tool for use in standardisation. Using the eTVRA method and tool, the threats to NGNs can be analyzed and a set of recommended countermeasures identified that when implemented will reduce the overall risk to users of NGNs. In this paper we present the eTVRA method and tool along with the results of its application to the use of Enhanced Number (ENUM) [2] and SIP [17] in the NGN.

show abstract

“…The Who We note that creating a 3W-tree is in conformance with the general methodology of Threat Vulnerability and Risk Assessment (TVRA) [67], which has been designed as a threat, vulnerability and risk assessment method and tool for use whilst writing standards. The purpose of using the TVRA in standardization is to be able to identify vulnerabilities and mitigate the risks and then assess the vulnerabilities that exist in the system with the countermeasures applied.…”

Section: W-treementioning

confidence: 99%

Cryptographic keys from noisy data : theory and applications

Buhan¹

View full text Add to dashboard Cite

Biometric security systems that verify a person's identity by scanning fingers, hands, eye or face are becoming more and more common. As a result biometrics is one of the fastest growing industries. Applications for biometrics range from homeland security (for example the European biometric passport), physical access to various facilities (banks, amusement parks, office buildings, computer terminals, etc) and health and social services.Utilizing biometrics for personal authentication is more convenient and than current methods such as passwords or PINs (nothing to carry or remember). Another important advantage of biometric authentication is that it links events to a user (passwords or token can be lost or stolen) and is becoming socially acceptable and inexpensive. Biometric authentication requires comparing a registered or enrolled biometric sample (biometric template or identifier) against a newly captured biometric sample (for example, a fingerprint captured during a login).However, biometric authentication is not perfect and the output of a biometric authentication system can be subject to errors due to imperfections of the classification algorithm, poor quality of biometric samples, or an intruder who has tampered with the biometric authentication systems. Although biometric authentication is intended primarily to enhance security, storing biometric information in a database introduces new security and privacy risks, which increase if the database is connected to a network. This is the case in most practical situations.The most severe threats are: impersonation, where an attacker steals templates from a database and constructs a synthetic biometric sample that passes authentication; irrevocability, where once compromised, biometrics cannot be updated or reissued; privacy, which is the exposure of sensitive personal information without the consent of the owner. A solution to these threats is to apply templateprotection techniques, which make it hard for an attacker to recover the biometric data from the templates.This thesis looks at security aspects of biometric authentication and proposes solutions to mitigate the risk of an attacker who tries to misuse biometric information or who bypasses modules of biometric systems to achieve his malicious goals. vii Our contribution is threefold. Firstly we propose 3W-tree, an analysis tool used to identify critical attack scenarios for a biometric system. We apply the 3W-tree design tool to the SmartGun biometric recognition system with the purpose of identifying critical security issues. Secondly, we explore the challenges of secure template protection, which are both theoretical and practical and we put forward solutions to part of the issues. Thirdly, we present a practical solution to the secure template transfer, which should allow transfer of the biometric traits between two biometrically enabled devices when no security infrastructure is available and the users are no security experts. viii AcknowledgementsThe last four years were an unforgettable exp...

show abstract

eTVRA, a Threat, Vulnerability and Risk Assessment Tool for eEurope

Cited by 6 publications

References 2 publications

Anonymous Resolution of DNS Queries

Anonymous Resolution of DNS Queries

eTVRA, a Threat, Vulnerability and Risk Assessment Method and Tool for eEurope

Cryptographic keys from noisy data : theory and applications

Contact Info

Product

Resources

About