Ahamad, Mustaque


Publication Search Results

Now showing 1 - 10 of 32
  • Item
    One-Time Cookies: Preventing Session Hijacking Attacks with Stateless Authentication Tokens
    (Georgia Institute of Technology, 2012-02) Dacosta, Italo ; Chakradeo, Saurabh ; Ahamad, Mustaque ; Traynor, Patrick
    HTTP cookies are the de facto mechanism for session authentication in web applications. However, their inherent security weaknesses allow attacks against the integrity of web sessions. HTTPS is often recommended to protect cookies, but deploying full HTTPS support can be challenging due to performance and financial concerns, especially for highly distributed applications. Moreover, cookies can be exposed in a variety of ways even when HTTPS is enabled. In this paper, we propose One-Time Cookies (OTC), a more robust alternative for session authentication. OTC prevents attacks such as session hijacking by signing each user request with a session secret securely stored in the browser. Unlike other proposed solutions, OTC does not require expensive state synchronization in the web application, making it easily deployable in highly distributed systems. We implemented OTC as a plugin for the popular WordPress platform and as an extension for Firefox and Firefox for mobile browsers. Our extensive experimental analysis shows that OTC introduces a latency of less than 6 ms when compared to cookies - a negligible overhead for most web applications. Moreover, we show that OTC can be combined with HTTPS to effectively add another layer of security to web applications. In so doing, we demonstrate that One-Time Cookies can significantly improve the security of web applications with minimal impact on performance and scalability.
  • Item
    CT-T: MedVault-ensuring security and privacy for electronic medical records
    (Georgia Institute of Technology, 2011-08-31) Blough, Douglas M. ; Liu, Ling ; Sainfort, Francois ; Ahamad, Mustaque
  • Item
    One-Time Cookies: Preventing Session Hijacking Attacks with Disposable Credentials
    (Georgia Institute of Technology, 2011) Dacosta, Italo ; Chakradeo, Saurabh ; Ahamad, Mustaque ; Traynor, Patrick
    Many web applications are vulnerable to session hijacking attacks due to the insecure use of cookies for session management. The most recommended defense against this threat is to completely replace HTTP with HTTPS. However, this approach presents several challenges (e.g., performance and compatibility concerns) and therefore, has not been widely adopted. In this paper, we propose “One-Time Cookies” (OTC), an HTTP session authentication protocol that is efficient, easy to deploy and resistant to session hijacking. OTC’s security relies on the use of disposable credentials based on a modified hash chain construction. We implemented OTC as a plug-in for the popular WordPress platform and conducted extensive performance analysis using extensions developed for both Firefox and Firefox for mobile browsers. Our experiments demonstrate the ability to maintain session integrity with a throughput improvement of 51% over HTTPS and a performance approximately similar to a cookie-based approach. In so doing, we demonstrate that one-time cookies can significantly improve the security of web sessions with minimal changes to current infrastructure.
  • Item
    A Crow or a Blackbird?: Using True Social Network and Tweeting Behavior to Detect Malicious Entities in Twitter
    (Georgia Institute of Technology, 2010) Balasubramaniyan, Vijay A. ; Maheswaran, Arjun ; Mahalingam, Viswanathan ; Ahamad, Mustaque ; Venkateswaran, H.
    The growing popularity of Twitter and its ability to enable near instantaneous sharing of information has made it a target of attacks by malicious entities who use it to spam and provide links to malware. There is evidence that these entities are using increasingly sophisticated techniques that mimic the behavior of reputed sources to avoid detection. We use novel mechanisms that utilize the true social network of users, the quality of information produced by them and their tweeting behavior to identify such entities. A scheme based on these mechanisms is even able to detect malicious entities that collude to establish dense social networks. Using actual data from a representative sample of 278,758 Twitter users, we demonstrate the effectiveness of this approach by showing that (1) we identified 5334 accounts that had links to unsafe websites, and (2) over a period of 31 days, 181 accounts that our algorithm identified as potentially malicious were subsequently suspended by Twitter. We believe our algorithm is one of the first to automatically deal with a broad range of malicious entities present in Twitter.
  • Item
    A Patient-centric, Attribute-based, Source-verifiable Framework for Health Record Sharing
    (Georgia Institute of Technology, 2009) Mohan, Apurva ; Bauer, David ; Blough, Douglas M. ; Ahamad, Mustaque ; Bamba, Bhuvan ; Krishnan, Ramkumar ; Liu, Ling ; Mashima, Daisuke ; Palanisamy, Balaji
    The storage of health records in electronic format, and the wide-spread sharing of these records among different health care providers, have enormous potential benefits to the U.S. healthcare system. These benefits include both improving the quality of health care delivered to patients and reducing the costs of delivering that care. However, maintaining the security of electronic health record systems and the privacy of the information they contain is paramount to ensure that patients have confidence in the use of such systems. In this paper, we propose a framework for electronic health record sharing that is patient centric, i.e. it provides patients with substantial control over how their information is shared and with whom; provides for verifiability of original sources of health information and the integrity of the data; and permits fine-grained decisions about when data can be shared based on the use of attribute-based techniques for authorization and access control. We present the architecture of the framework, describe a prototype system we have built based on it, and demonstrate its use within a scenario involving emergency responders' access to health record information.
  • Item
    Privacy Preserving Grapevines: Capturing Social Network Interactions Using Delegatable Anonymous Credentials
    (Georgia Institute of Technology, 2009) Balasubramaniyan, Vijay A. ; Lee, Younho ; Ahamad, Mustaque
    A wide variety of services allow users to meet online and communicate with each other, building new social relationships and reinforcing older ones. Unfortunately, malicious entities can exploit such services for fraudulent activities such as spamming. It is critical that these services protect users from unwanted interactions, especially when new relationships are being established - the introduction problem. The problem of assessing that a social network connection is no longer beneficial is also important due to the dynamic nature of such networks. A large number of new connections are established through existing, weak social ties (for example, friend of a friend). On the other hand, the willingness of a user to continue interactions with an existing relationship is an indication of his or her endorsement of that relationship. The interaction history of a user provides valuable information about both new social network connections and the validity of established ones. However, capturing this interaction history is rife with privacy concerns. In this paper, we create a transferable token framework, based on delegatable anonymous credentials (DAC - Crypto 2009), that captures interaction history in a privacy preserving manner. By using the Groth Sahai proof system, we extend DACs to allow for single use tokens with the ability to identify token double spenders. We show that such tokens can, simultaneously, demonstrate the existence of a social network path and capture the continued validity of a social network connection. We present an implementation of this DAC based token framework and utilize it in a Voice over IP (VoIP) setting to enable legitimate user interactions in the presence of a spammer threat model. Our results indicate that we are able to achieve low false positive and false negative rates for realistic threat scenarios without disclosing a user’s social network connections.
  • Item
    ITR/SI: Guarding the next internet frontier: countering denial of information
    (Georgia Institute of Technology, 2008-12-19) Ahamad, Mustaque ; Omiecinski, Edward ; Pu, Calton ; Mark, Leo ; Liu, Ling
  • Item
    Emerging Cyber Threats Report for 2009
    (Georgia Institute of Technology, 2008-10-15) Ahamad, Mustaque ; Amster, Dave ; Barrett, Michael ; Cross, Tom ; Heron, George ; Jackson, Don ; King, Jeff ; Lee, Wenke ; Naraine, Ryan ; Ollmann, Gunter ; Ramsey, Jon ; Schmidt, Howard A. ; Traynor, Patrick
    On October 15, 2008, the Georgia Tech Information Security Center (GTISC) hosted its annual summit on emerging security threats and countermeasures affecting the digital world. At the conclusion of the event, GTISC released this Emerging Cyber Threats Report—outlining the top five information security threats and challenges facing both consumer and business users in 2009. This year’s summit participants include security experts from the public sector, private enterprise and academia, reinforcing GTISC’s collaborative approach to addressing information security technology and policy challenges. "As one of the leading academic research centers focused on information security, GTISC believes strongly that a proactive and collaborative approach to understanding emerging threats will help us develop more effective information security technologies and strategies," said Mustaque Ahamad, director of GTISC. "The annual GTISC Security Summit on Emerging Cyber Security Threats and our annual Emerging Cyber Threats Report seek to give us a better understanding of the cyber security challenges we will face in the years ahead." GTISC research and advance interviews with key information security experts from government, industry and academia uncovered five specific trends and some profound questions that will drive threats and countermeasures in 2009 and beyond, including: Malware, Botnets, Cyber warfare, Threats to VoIP and mobile devices, and The evolving cyber crime economy. In an effort to inform the broader community about current and future risks, this report will describe each emerging threat, existing or potential countermeasures, and how the threat may evolve in the coming year. In addition, our experts will offer their opinion on the role that Internet security education and regulation may play in further preventing the spread of cyber crime.
  • Item
    The 2008 GTISC Security Summit - Emerging Cyber Security Threats
    (Georgia Institute of Technology, 2008-10-15) Ahamad, Mustaque ; Goodman, Seymour E. ; Rouland, Christopher Jay ; Elder, Robert J., Jr. ; Kwon, Mischel ; Lee, Wenke ; Moore, Morris ; Noonan, Thomas E. ; Ramsey, Jon ; Ransome, James ; Thompson, Heath
    Welcome address by Mustaque Ahamad, Director, Georgia Tech Information Security Center, Professor, College of Computing. Opening remarks by Sy Goodman, Professor and Co-Director, Center for International Strategy, Technology, and Policy ; Chris Rouland, Adjunct Lecturer College of Computing. Introduction by Tom Noonan, former chairman, president and chief executive officer of Internet Security Systems, Inc. Keynote address: Global Operations and Mission Assurance in a Contested Cyber Environment by Lt. General Robert J. Elder, Jr., Commander Eighth Air Force, Barksdale Air Force Base. Panel Discussions: Moderator: Thomas E. Noonan, Entrepreneur ; Mischel Kwon, Director, United States Computer Emergency Readiness Team; National Cyber Security Division, U.S. Department of Homeland Security ; Wenke Lee, Associate Professor, Georgia Tech Information Security Center ; Morris Moore, Vice President of Security Technology, Motorola's Applied Research and Technology Center ; Jon Ramsey, Chief Technology Officer, SecureWorks ; Jim Ransome, Senior Director, Secure Unified Wireless and Mobility Solutions Corporate Security Programs and Global Government Solutions, Cisco ; Heath Thompson, Director, Product Development, IBM/Internet Security Systems
  • Item
    Using Byzantine Quorum Systems to Manage Confidential Data
    (Georgia Institute of Technology, 2004-04-01) Subbiah, Arun ; Ahamad, Mustaque ; Blough, Douglas M.
    This paper addresses the problem of using proactive cryptosystems for generic data storage and retrieval. Proactive cryptosystems provide high security and confidentiality guarantees for stored data, and are capable of withstanding attacks that may compromise all the servers in the system over time. However, proactive cryptosystems are unsuitable for generic data storage uses for two reasons. First, proactive cryptosystems are usually used to store keys, which are rarely updated. On the other hand, generic data could be actively written and read. The system must therefore be highly available for both write and read operations. Second, existing share renewal protocols (the critical element to achieve proactive security) are expensive in terms of computation and communication overheads, and are time consuming operations. Since generic data will be voluminous, the share renewal process will consume substantial system resources and cause a significant amount of system downtime. Two schemes are proposed that combine Byzantine quorum systems and proactive secret sharing techniques to provide high availability and security guarantees for stored data, while reducing the overhead incurred during the share renewal process. Several performance metrics that can be used to evaluate proactively-secure generic data storage schemes are identified. The proposed schemes are thus shown to render proactive systems suitable for confidential generic data storage.