News

Paul Smith, Managing computer networks for resilience: it’s complicated, and going to get worse (but we have solutions), Dec 6, 11am, SBA Research

For various reasons, it is now well-understood that we cannot build perfectly secure computer networks — they’re too complicated and we simply do not have the budget. We need to start from the assumption that an attacker, at some point, will be successful; but we still want some service from the network. Therefore, we need to make the computer networks that support our critical information infrastructures resilient to attacks and a wide-range of other challenges, such as mis-configurations. In this talk, I will introduce a framework for network management, which can be used to support network operators when trying to ensure the resilience of their infrastructures. One of the key concepts in the framework is the idea of management patterns — recipes that can be applied to mitigate particular challenges. Looking ahead, this problem is only going to be more difficult, as computer networks are used to support new cyber-physical systems such as the smart grid. I will point to new research directions, in particular, in the application of patterns in this context.

Dr Paul Smith is a Senior Scientist in the Safety and Security Department of the AIT, Austrian Institute of Technology.  Previous to this appointment he was a Senior Research Associate at Lancaster University, UK.  He received his PhD in September 2003 and graduated in 1999 with an honours degree in Computer Science from Lancaster. Paul’s research interests lie in the various ways that networked (socio-technical) systems fail to provide a desired service when under duress from various challenges, such as attacks and mis-configurations.  He has participated in a number of international research projects, including the EU-funded ResumeNet project which investigated a framework for network resilience.  Currently, he is primarily working on the EU-funded PRECYSE and SECCRIT projects, which are investigating the security and resilience of critical information infrastructures.

Dec 6, 2013, 10 am, SBA Research

Zhendong Ma, Security and privacy engineering – design and build secure and privacy-preserving computer systems

Computer systems are increasingly integrated into our society and creating a parallel cyber space. Consequently, we become more and more dependent and hence vulnerable to the security and privacy threats from that space. Security and privacy engineering aims to design and build secure, privacy-preserving, and dependable computer systems. As two transcendent topics, security and privacy cut across many research areas and technological domains. This talk will give an overview of our research work on developing theories, methodologies, and techniques for designing and building secure and privacy-preserving systems such as vehicular communication systems, industrial control systems, and e-Government information systems. We show how security and privacy engineering provides methods and techniques to solve the problems within the context of several research projects, whether it is to harden legacy systems or to protect emerging technologies.

Dimitris Simos gives a talk about “An Overview of Code-based Cryptography” at the Austrian Institute of Technology (AIT) on December 5th.

Abstract:

In this talk, we address cryptographic schemes based on a particular type of alternative cryptography originating from error-correcting codes, called code-based cryptography. In this emerging field of cryptography the underlying hard problems which pose as its security assu\-mptions, decoding in a random linear code and recovering the code structure, does not seem so far to be susceptible to attacks mounted by quantum co\-mpu\-ters. The plan of the talk is two-fold: firstly, we introduce the necessary primitives from coding theory and in the aftermath we consider the theory and practice of code-based cryptographic systems. By this term, we mean the cry\-ptosystems in which the algorithmic primitive (the underlying one-way function) uses an error correcting code $\mathcal{C}$. This primitive may consist in adding an error to a word of $\mathcal{C}$ or in computing a syndrome relatively to a parity-check matrix of $\mathcal{C}$.

The first of those systems is a public-key encryption scheme and it was proposed by Robert J. McEliece in 1978. The private key is a random binary irreducible Goppa code and the public key is a random generator matrix of a randomly permuted version of that code. The ciphertext is a codeword to which some errors have been added, and only the owner of the private key (the Goppa code) can remove those errors. Three decades later, some Parameter adjustment have been required, but no attack is known to represent a serious threat on the system, even on a quantum computer. We give the state-of-the-art for the message security and key security of such code-based cryptographic systems, which are related to the hardness of the \textsc{Binary Syndrome Decoding} problem and to the hardness of the \textsc{Permutation Code Equivalence} problem, respectively. Also, we give the setting for these problems when a larger alphabet is desired and how this affects the design of code-based cryptographic systems.

Finally, similar ideas have been used to design other cryptosystems. Among others, we will give an overview of some public-key systems, like the Niederreiter encryption scheme or the CFS signature scheme and in addition some identification schemes like the Girault’s or Stern’s zero-knowledge protocols. We conclude, with some issues regarding the practice of code-based cryptography which is a trade-off between security and efficiency.

Edgar Weippl präsentiert bei der ADV Veranstaltung Mobile Business 2013 aktuelle Forschungsarbeiten über Bedrohungen und Sicherheitsmaßnahmen.

Zusammen mit Robert Schischka (nic.at) und Josef Pichlmayr (Ikarus) diskutiert Adrian Dabrowski (SBA Research) am 5.Dezember 2013 in der WKO was im Netz wirklich passiert (more).

Adrian Dabrowski wurde am 28.11.2013 im Rahmen des EPILOG Wintersemester 2013 an der Technischen Universität Wien mit dem „Diploma Thesis Award sponsored by IEEE Austria Section“ für seine Diplomarbeit “Security Analysis of Metropolitan Locking Systems Using the Example of the City of Vienna” ausgezeichnet.

Edgar Weippl gave the opening keynote at this year’s SIN conference in Turkey on “Social Engineering Attacks on the Knowledge Worker and the Digital Native”. Together with Bart Preneel and Josef Pieprzyk, Edgar was on a panel discussion organized by Ali Aydin Selcuk

Vom 19. – 21. März 2014 findet die Fachtagung des Fachbereichs ”Sicherheit – Schutz und Zuverlässigkeit” der Gesellschaft für Informatik, die GI Sicherheit 2014 an der TU Wien statt, die von SBA Research gemeinsam mit Stefan Katzenbeisser, TU Darmstadt & CASED und in Kooperation mit der Österreichischen Computer Gesellschaft (OCG) ausgerichtet wird.

Die GI Sicherheit 2014 soll einem Publikum aus Forschung, Entwicklung und Anwendung ein Forum zur Diskussion von Herausforderungen, Trends, Techniken und neuesten wissenschaftlichen und industriellen Ergebnissen bieten. Es können auch schon in Englisch veröffentlichte Arbeiten nochmals in Deutsch eingereicht werden. Darüber hinaus wird die Sicherheit 2014 erstmals einen eigenen „practitioners track“ umfassen, für den insbesondere Einreichungen aus der Wirtschaft gesucht werden. Beiträge können beispielsweise Resultate aus industrieller Forschung und Entwicklung besprechen, durchgeführte Studien dokumentieren oder Berichte über „best practices“ enthalten.

Die GI Sicherheit ist die führende deutschsprachige Konferenz im Bereich der IT Security und wird 2014 zum ersten Mal in Wien stattfinden.
Die Submisson Deadline ist der 09. Dezember 2013. Weiter Infos: http://sicherheit2014.sba-research.org/

Markus Huber im Gespräch mit Der Standard über Datenschutz. Den Artikel “Nichts mehr zu verbergen”, gibt es hier online nachzulesen.

Nov 21, 09.00-12.00 @ SBA

Software security is becoming increasingly important due to numerous emerging threats exploiting software vulnerabilities.

This course begins with a broad overview of various software security threats and some of the most effective countermeasures used to thwart them. More specifically, software practitioners will learn how to build security into their software products throughout their lifecycle, using best practices and tools to minimize the chance of falling victim to a software attack.

This course will also provide a comprehensive coverage of practical knowledge in how to design secure software as well as insights on the significance of the role secure design plays during the software development life cycle. Some of the critical topics covered in this course include secure design principles and processes in addition to fundamental security concepts such as access control and encryption. This course also devotes a significant amount of time to discussing well-known secure design solutions, including architectural patterns and design patterns focusing on security countermeasures and concludes with the discussion of software security analysis and evaluation as mechanisms to assess the effectiveness of the secure design solutions implemented in the form of source code.

Edgar Weippl gives a presentation on cloud security and privacy on Nov 20 (more)

Das Bewusstsein für Informationssicherheit und IT-Compliance ist in der jüngeren Vergangenheit stark gestiegen. SBA Research trägt diesem Umstand Rechnung und erweitert ihr Leistungsspektrum.

Am 14.11.2013 durften wir rund 50 interessierte Partner zu dem Event “SBA lädt ein - Secure Your Business ” begrüßen, um unsere neue Sparte Professional & Trusted Services vorzustellen. Darüber hinaus war es uns eine große Ehre, dass die Israelische Botschaft drei auf diesem Gebiet spezialisierte israelische Unternehmen präsentieren hat. Der Abend wurde mit Fachgesprächen und gutem Essen sowie Natur-Bier der Brauerei Leutschach abgerundet.

Alles über unsere neue Sparte Professional & Trusted Services erfahren Sie hier.

Cryptography for the Next Generation Cloud, Daniel Slamanig, Graz University of Technology, 8010 Graz, Austria

As is common practice in research, many new cryptographic techniques have been developed to tackle either a theoretical question orforeseeing a soon to become reality application. Cloud computing is one of these new areas, where new concepts in cryptography as well existing theoretical concepts are expected to unveil its power by bringing striking new features to the cloud. Recent uncoverings of large scale Internet surveillance activities (involving large cloud providers) suggest that a considerable amount of cryptography needs to be involved to make future cloud applications secure and privacy friendly. Among these cryptographic methods are various functional encryption approaches (homomorphic encryption, attribute-based encryption, predicate encryption, searchable encryption), cryptographic methods for privacy friendly authentication (ring and group signatures as well as anonymous credentials), cryptographic methods for checking the availability of remote data (provable data possession and proofs of retrievability) as well as methods to hide access patterns for outsourced data (private information retrieval and oblivious random access memory). In this talk, we provide an overview of (recent) cryptographic approaches particularly interesting in the cloud setting as well as examples of their application.

New Privacy-Preserving Proxy-Type Signature Schemes, Christian Hanser, Graz University of Technology, 8010 Graz, Austria

In this talk, we present two new proxy type signature schemes, which, in contrast to conventional proxy signature schemes, hide the delegated message space from outsiders. In short, proxy signature schemes allow an originator to delegate signing rights for messages out of a predefined message space to a semi-trusted party, the so-called proxy. The proxy is allowed sign messages on behalf of the originator and any third party is then able to verify, whether the proxy has produced a valid signature for a message out of the intended message space. So far, however, the originator was required to publish and sign an abstract description of the delegated message space, which may not always be desireable. We give two new types of proxy signature schemes, Blank Digital Signatures and Warrant-Hiding Proxy Signatures, which address this issue by hiding messages not signed by proxies from outsiders. While the message space in case of Warrant-Hiding Proxy Signatures is an enumeration of all possible messages, the message space in case of Blank Digital Signatures is more complex. It can be seen as a form, which consists of elements with fixed content and elements that allow to select one out of several choices in order to derive a valid message.

The external professors were  Stefan Katzenbeisser (TU Darmstadt) and  Engin Kirda (Northeastern Univ., Boston). Advisors were Edgar Weippl and A Min Tjoa.

The researchers of SBA Research together with Stefan Katzenbeisser and Haya Shulman at CCS 2013, which was held from 04th - 08th November 2013 in Berlin, Germany.

Yvonne Poul was asked to support the organising team with the local organisation at CCS 2013.

Nov 12, 1pm @SBA

Der Vortrag richtet den Fokus auf das Potential von Tschebyscheff-Polynomen für datenschutzfreundliche Techniken des Data Mining. Es werden zwei Protokolle betrachtet: 1) Die sichere Berechnung des arithmetischen Mittels nach Kiltz, Leander und Malone-Lee (2005). 2) Das sichere verteilte Lernen von Entscheidungsbäumen nach Lindell und Pinkas (2002). Die Untersuchungen zeigen, dass in beiden Protokollen deutliche Effizienzgewinne durch die Verwendung von Tschebyscheff-Polynomen erzielt werden können. Dies hat seine Ursache in den besseren Approximationseigenschaften der abgebrochenen Tschebyscheff-Entwicklungen im Vergleich zu den abgebrochenen Taylor-Reihen.

Processes specify how personal and business data are dealt with in information systems.  Traditionally, process control in this context means prevention, i.e. ensure processes’ adherence to security and privacy policies.  In contexts where process flexibility and changes happen, preventive approaches become no longer practicable.  This talk argues that in order to secure business processes, prevention must be complemented with a posteriori process controls to detect policy violations.

SBA is now member of PlanetLab, a globally distributed research network.

Ulrich Bayer spricht heute bei der Veranstaltung “Datenschutz und IT-Sicherheit” der ARGE Daten über “Aktuelle IT-Sicherheitsrisiken in der Praxis”.

Fast täglich berichten Medien über neue Schwachstellen, Gefahren beim Browsen im Internet und jugendliche Hacker. In diesem Vortrag sollen aktuelle Sicherheitslücken anhand von Beispielen aus der Praxis beleuchtet werden. Was muss man als Anwender beim Surfen im Internet oder beim Einsatz von Smartphone-Apps berücksichtigen? Ziel des Vortrags ist es durch sachliche Darstellung der Risiken und Live-Demonstrationen ein ausgewogenes Bewusstsein für IT-Sicherheit zu vermitteln.

Weiter Infos zur Veranstaltung hier.

In course of the ENISA Security Awareness Month 2013, Katharina Krombholz gave a talk about digital forensics at the University of Applied Science FH Technikum Wien.

Johanna Ullrich received the annualy-presented “Diplomarbeitspreis der Stadt Wien” (Diploma award of the city of Vienna) for her diploma thesis “Header compression of IPsec in powerline networks”. Within this work, she worked on finding the right balance for secure data transmission directly over the power grid which offers just a limited bandwith. The award has been presented within a graduation ceremony on October 18th, 2013 at the Kuppelsaal of the Vienna University of Technology.

Die netidee, eine Initiative der Internet Foundation Austria, ist Österreichs größte Internet-Förderaktion und unterstützt jährlich innovative Projekte. Am 24. Oktober stellte die Internet Foundation Austria im Rahmen des „netidee best of“ Events die SiegerInnen des heurigen 8. Calls vor –unter ihnen Adrian Dabrowski und Katharina Krombholz mit ihrem Projekt ”P3F Picture Privacy Policy Framework“. Knapp 200 Gäste aus allen Branchen wohnten einem Abend voller Internet-Innovationen samt  künstlerischer Uraufführung im Museumsquartier Wien bei.

Fotografin: Anna Rauchenberger

“Verwendet man ein Kryptohandy, ist das Abhören schwieriger – aber nicht unmöglich.” Edgar Weippl im Ö1 Mittagsjournal.
Hier nachzulesen und nachzuhören.

Oct 21, 10 am @SBA. This is a joint event with the IEEE SMC chapter Austria.

Nowadays, many applications need to handle large amounts of streaming data, which often presents a skewed distribution, i.e. one or more classes are largely under-represented in comparison to the others. Unfortunately, little effort has been directed towards the classification of skewed data streams, although class-imbalance learning has already been studied in the area of pattern recognition on static data. Furthermore, while existing class-imbalance learning methods increase the recognition accuracy on minority class, they often harm the global classification accuracy. Motivated by these observations, we develop an approach suited for classifying skewed data streams, which integrates two ensembles of classifiers, each one suited for non-skewed and skewed data. This approach substantially increases the global accuracy compared to existing classification methods for skewed data. Experimental tests have been carried out on three public datasets showing interesting results. As a further contribution, we will study metrics to evaluate the performance of skewed data streams classification. We will also review the literature on class-imbalance learning, and skewed data streams classification.