• Title/Summary/Keyword: web vulnerability

Search Result 146, Processing Time 0.03 seconds

Vulnerability Analysis on the CNG Crypto Library (CNG 암호 라이브러리의 보안 취약점 분석)

  • Lee, Kyungroul;Oh, Insu;Lee, Sun-Young;Yim, Kangbin
    • The Journal of Korean Institute of Communications and Information Sciences
    • /
    • v.42 no.4
    • /
    • pp.838-847
    • /
    • 2017
  • CNG which was released as a substitute of the previous CAPI (Cryptography API) library from Microsoft is constructed with individual modules based on the plug-in architecture, this means CNG is exceedingly helpful in the cost of development as well as the facility of extension. On the opposite side of these advantages, considerations on security issues are quite insufficient. Therefore, a research on security assurance is strongly required in the environment of distributing and utilizing the CNG library, hence, we analyze possible security vulnerabilities on the CNG library. Based on analyzed vulnerabilities, proof-of-concept tools are implemented and vulnerabilities are verified using them. Verified results are that contents of mail, account information of mail server, and authentication information of web-sites such as Amazon, E-bay, Google, and Facebook are exposed in Outlook program and Internet Explorer program using CNG library. We consider that the analyzed result in this paper can improve the security for various applications using CNG library.

A study on the Privacy threats factors of Cloud Services (클라우드 서비스의 프라이버시 침해 요인에 관한 연구)

  • Jeon, Jeong Hoon
    • Convergence Security Journal
    • /
    • v.15 no.5
    • /
    • pp.87-95
    • /
    • 2015
  • Recently, The cloud computing technology is emerging as an important issue in the world, and In technology and services, has attracted much attention. Cloud services have evolved from simple forms to complex forms(using multiple mobile devices and communication services(Kakao talk, Facebook, etc.). In particular, as the cloud is especially facilitated the collection of user information, it can now be analyzed with the user's taste and preference. And many of the benefits of the cloud became increasingly closely with our lives. However, the positive aspects of cloud computing unlike the includes several vulnerabilities. For this reason, the Hacking techniques according to the evolution of a variety of attacks and damages is expected. Therefore, this paper will be analyzed through case studies of attack and vulnerability to the privacy threats factors of the cloud computing services. and In the future, this is expected to be utilized as a basis for the Privacy security and Response.

A Study on Secure and Improved Single Sign-On Authentication System against Replay Attack (재전송 공격에 안전하고 개선된 Single Sign-On 인증 시스템에 관한 연구)

  • Kim, Hyun-Jin;Lee, Im-Yeong
    • Journal of the Korea Institute of Information Security & Cryptology
    • /
    • v.24 no.5
    • /
    • pp.769-780
    • /
    • 2014
  • In general, internet users need to remember several IDs and passwords when they use diverse web sites. From an effective management perspective, SSO system was suggested to reduce user inconvenience. Kerberos authentication, which uses centralized system management, is a typical example of a broker-based SSO authentication model. However, further research is required, because the existing Kerberos authentication system has security vulnerability problems of password and replay attacks. In SSO authentication systems, a major security vulnerability is the replay attack. When user credentials are seized by attackers, an authorized session can be obtained through a replay attack. In this paper, an improved SSO authentication model based on the broker-based model and a secure lightweight SSO mechanism against credential replay attack is proposed.

An Analysis of International Research Trends in Green Infrastructure for Coastal Disaster (해안재해 대응 그린 인프라스트럭쳐의 국제 연구동향 분석)

  • Song, Kihwan;Song, Jihoon;Seok, Youngsun;Kim, Hojoon;Lee, Junga
    • Journal of the Korean Society of Environmental Restoration Technology
    • /
    • v.26 no.1
    • /
    • pp.17-33
    • /
    • 2023
  • Disasters in coastal regions are a constant source of damage due to their uncertainty and complexity, leading to the proposal of green infrastructure as a nature-based solution that incorporates the concept of resilience to address the limitations of traditional grey infrastructure. This study analyzed trends in research related to coastal disasters and green infrastructure by conducting a co-occurrence keyword analysis of 2,183 articles collected from the Web of Science (WoS). The analysis resulted in the classification of the literature into four clusters. Cluster 1 is related to coastal disasters and tsunamis, as well as predictive simulation techniques, and includes keywords such as surge, wave, tide, and modeling. Cluster 2 focuses on the social system damage caused by coastal disasters and theoretical concepts, with keywords such as population, community, and green infrastructure elements like habitat, wetland, salt marsh, coral reef, and mangrove. Cluster 3 deals with coastal disaster-related sea level rise and international issues, and includes keywords such as sea level rise (or change), floodplain, and DEM. Finally, cluster 4 covers coastal erosion and vulnerability, and GIS, with the theme of 'coastal vulnerability and spatial technique'. Keywords related to green infrastructure in cluster 2 have been continuously appearing since 2016, but their focus has been on the function and effect of each element. Based on this analysis, implications for planning and management processes using green infrastructure in response to coastal disasters have been derived. This study can serve as a valuable resource for future research and policy in responding to and managing various disasters in coastal regions.

A Study on Vulnerability Prevention Mechanism Due to Logout Problem Using OAuth (OAuth를 이용한 로그아웃 문제로 인한 취약점 방지 기법에 대한 연구)

  • Kim, Jinouk;Park, Jungsoo;Nguyen-Vu, Long;Jung, Souhwan
    • Journal of the Korea Institute of Information Security & Cryptology
    • /
    • v.27 no.1
    • /
    • pp.5-14
    • /
    • 2017
  • Many web services which use OAuth Protocol offer users to log in using their personal profile information given by resource servers. This method reduces the inconvenience of the users to register for new membership. However, at the time a user finishes using OAuth client web service, even if he logs out of the client web service, the resource server remained in the login state may cause the problem of leaking personal information. In this paper, we propose a solution to mitigate the threat by providing an additional security behavior check: when a user requests to log out of the Web Client service, he or she can make decision whether or not to log out of the resource server via confirmation notification regarding the state of the resource server. By utilizing the proposed method, users who log in through the OAuth Protocol in the public PC environment like department stores, libraries, printing companies, etc. can prevent the leakage of personal information issues that may arise from forgetting to check the other OAuth related services. To verify our study, we implement a Client Web Service that uses OAuth 2.0 protocol and integrate it with our security behavior check. The result shows that with this additional function, users will have a better security when dealing with resource authorization in OAuth 2.0 implementation.

The Direction for Development of Domestic Initial Response System for Chemical Terrorism (국내 화학테러 초기대응체제의 발전방향 (한·미 화학테러 초기대응체제 비교를 중심으로))

  • Eun, Chong-hwa
    • Journal of the Society of Disaster Information
    • /
    • v.5 no.2
    • /
    • pp.50-73
    • /
    • 2009
  • This paper is about the establishment of "Initial Response System." Initial response system is most important and should be treated urgently among all preparations for chemical terrorism. The objects of Initial response system are to protect civilians and the first responder who are exposed directly to chemical terrorism. Therefore, this paper suggests two main issues about Initial response system. One is to prepare immediate and exact information service system which assures the safety and survival of exposed people. The other is to build Scene Response System integrated with Command-Control Procedure for early finished situation. Compared to United States, overcoming the Chemical Terrorism requires to improve the contents of two categories: Counter Citizen Response part and Initial Scene Response part. For Counter citizen response part' s sake, the web-sites of Response leader agencies for searching information about chemical terrorism should be modified specifically. These web-sites have to be re-organized in detail. The existing Information service system which has been vaguely informed as "CBRNE Accident" needs to be divided as "CBRNE Accident" and "WMD terrorism." Further, each of them should be specialized in "Chemical', "Biological", and "Radiological" categories. There is a need to rearrange current Emergency Instruction for civilians against chemical terrorism in feasible way. At the same time, it should be applied consistently to all organizations through agreement between experts and related-organizations. For Initial Scene Response part's sake, "Initial scene response procedure (SOP)" and "Operational conception" should be produced through Simulated Exercises and workshops of all organizations related with initial response. These organizations have to cooperate with Ministry of Environment which is the main leader Agency as the center. Next, there is a need to develop a technology and Scene Response Equipments, and to standardize the response equipments which consider the capability of First Responders for chemical terrorism. Especially, improving capability of equipments is required to overcome the vulnerability of Scene Response Equipments.

  • PDF

Emulation-Based Fuzzing Techniques for Identifying Web Interface Vulnerabilities in Embedded Device Firmware (임베디드 디바이스 펌웨어의 웹 인터페이스 취약점 식별을 위한 에뮬레이션 기반 퍼징 기법)

  • Heo, Jung-Min;Kim, Ji-Min;Ji, Cheong-Min;Hong, Man-Pyo
    • Journal of the Korea Institute of Information Security & Cryptology
    • /
    • v.29 no.6
    • /
    • pp.1225-1234
    • /
    • 2019
  • The security of the firmware is more important because embedded devices have become popular. Network devices such as routers can be attacked by attackers through web application vulnerabilities in embedded firmware. Therefore, they must be found and removed quickly. The Firmadyne framework proposes a dynamic analysis method to find vulnerabilities after emulating firmware. However, it only performs vulnerability checks according to the analysis methods defined in the tool, thus limiting the scope of vulnerabilities that can be found. In this paper, fuzzing is performed in emulation-based environment through fuzzing, one of the software security test techniques. We also propose a Fabfuzz tool for efficient emulation based fuzzing. Experiments have shown that in addition to the vulnerabilities identified in existing tools, other types of vulnerabilities have been found.

Design and Implementation of Linux-based Integrated Security System(LISS) Using Open Security Tools (공개 보안 도구를 이용한 리눅스 기반 통합 보안 시스템의 설계 및 구현)

  • Jeon, Yong-Hee;Kim, Min-Soo;Jang, Jung-Sook
    • The KIPS Transactions:PartC
    • /
    • v.11C no.4
    • /
    • pp.485-496
    • /
    • 2004
  • The wide spread of Internet makes susceptible to the attacks via communication Web from hackers using the vulnerability of both computer and network systems. In this paper, we design and implement an integrated security system, named as LISS(Linux-based Integrated Security System) in which an integrated security management is possible. This system is based on the open operating system, Linux and consists of open security tools, which is effective in security management of Linux based-servers. We also construct a test-bed in order to testify the performance of the LISS. It is revealed that the implemented system captures all the attack Patterns generated from Network Mapper.

Development of Efficient Order Communication and Pharmacy Supporting System for Traditional Korean Medicine (효율적인 한의 처방조제지원시스템 개발)

  • Kim, Chul;Kim, Sang-Kyun;Jang, Hyun-Chul;Kim, An-Na;Kim, Ik-Tae;Song, Mi-Young
    • Korean Journal of Oriental Medicine
    • /
    • v.16 no.3
    • /
    • pp.127-133
    • /
    • 2010
  • The purpose of this study is to develop the order communication system for Traditional Korean Medicine(TKM) which can support prescribing decisions and provide the toxicological information. The relative vulnerability of the infrastructure of TKM has made us start the study. We carried out the benchmarking for TKM charting solution firstly, and then designed the intelligent search and supporting method for prescription decisions. We developed of the medical herbs database and the web-based order communication program which can be used in medical field actually. This system supplies a various functions to oriental medical doctors such as management for prescription history, search for herb's effects, generating prescriptions, inventory management, alerting of toxicity and taboo, guideline for taking medicine, and so on. The design and implementation process has been described in this research. We expect that this system will play an important role in electronic medical record(EMR) or electronic health record(EHR) binding diagnosis and management functions.

A Design for Single Web Authentication at Network Service Foundation (네트워크 서비스 기반의 단일 웹 인증 설계)

  • Lee, Jae-Wan;Ban, Kyung-Sig;Kim, Hyoung-Jin
    • Proceedings of the Korean Institute of Information and Commucation Sciences Conference
    • /
    • 2007.06a
    • /
    • pp.457-460
    • /
    • 2007
  • Recently, Network companies have introduced security solutions to protect the network from intrusions, attacks and viruses but the network has still weakness and vulnerability. It is time to bring more stable and reliable authentication system that would meet the Internet user's need. In this study, Current broadband networks don't have hierarchic and stable authentication solutions. And so, an integrated and hierarchic system is needed to provide a various kinds of application services.

  • PDF