Heute (1. Februar) um 19 Uhr bietet Manuel Leithner im Rahmen des Web Salon 2012, veranstaltet von saferinternet.at, in Form eines Webinars praktische Tips und Informationen zum Thema Sicherheit auch für Computerunvertraute an. Die Teilnahme ist frei, Anmeldung jedoch erforderlich.

At BSidesVienna 2012, Manuel Leithner gave a talk on public transport titled “Hackers on a train – Toying with transportation”, detailing equipment and possible flaws in the on-board network infrastructure and ticketing system of WESTbahn.

Das Team der TU Wien “We_0wn_Y0u” konnte beim iCTF 2011 unter der Leitung von Adrian Dabrowski den Sieg erringen. In einem bis zuletzt spannenden neunstündigem Wettbewerb gegen über 85 internationale Mitbewerberteams stellten auch Martin Mulazzani, Peter Frühwirt und Manuel Leithner als Vertreter von SBA Research ihre Fähigkeiten rund um Angriffe auf und Verteidigung von IT-Infrastruktur unter Beweis.

Das finale Scoreboard ist hier ersichtlich. Mit einem breit gefächertem internationalen Teilnahmefeld (u.A. USA, Russland und China) zählt die iCTF zu den größten Capture the Flag-Contests weltweit. Foto

Pressecoverage von Standard, Presse, Kurier, Krone, Österreich

Severin Winkler is holding several lessons on secure development of web-applications in cooperation with CON•ECT. The core components of these talks are the top ten security leaks of web applications in 2010 identified by OWASP. The lessons include advanced security topics necessary for the development of modern web-applications and offer a focus on attack scenarios and counter strategies. (mehr…)

In August we will present our work on cloud storage security at the 20th USENIX Security Symposium in San Francisco. The paper, in essence, outlines new attacks on cloud storage services that use server-side data deduplication.

It includes a security analysis of Dropbox, a popular cloud storage service. By manipulating the client software unauthorized data access becomes possible, if the hash values of the files are known to an attacker. This attack is completely undetectable to the victim, and novel compared to recent attacks discussed in the media. Data possession proofs which have been used so far in the context of assessing whether a cloud storage operator is still in possession of a file are the only countermeasure.

We further define online slack space as a method to hide data in the cloud to thwart forensic investigations. Compared to regular file slack all files are stored in the cloud without leaving any evidence on local persistent storage.

You can find the paper here: Dark Clouds on the Horizon: Using Cloud Storage as Attack Vector and Online Slack Space. We have contacted Dropbox and they implemented countermeasures for our attacks while investigating the use of data possession proofs on the client side.

While performing traffic analysis on the current development version of Orbot, the official Android for Tor app, Manuel Leithner (Junior Researcher, SBA Research gGmbH) discovered that certain types of traffic (including VPN, GPS and videos) were not tunnelled through Tor. He subsequently developed a patch that enables full and enforced transparent proxying for all TCP and DNS traffic through the anonymisation service.

Our manuscript “Friend-in-the-middle Attacks: Exploiting Social Networking Sites for Spam” has been accepted for the upcoming special issue on Security and Privacy in Social Networks in the IEEE Journal of Internet Computing in May/Jun 2011. Preprint is available here.

In this article we have introduced friend-in-the-middle (FITM) attacks which are active eavesdropping attacks against social networking sites. By cloning a user’s authentication cookie which is transmitted in an unencrypted way, it becomes possible to completely impersonate the user. This can then be used to collect sensitive information in an automated fashion which ultimately enables large context-aware spam campaigns that propagate via social phishing. FITM attacks are applicable to the great majority of currently deployed SNSs, such as Facebook, Friendster, and Orkut. Based on FITM attacks we described three subsequent exploits: (1) Friend injection, (2) Application injection, and (3) Social engineering. We furthermore evaluated the impact of a large-scale spam attack on basis of FITM attacks. We therefore set-up a Tor exit node and analyzed the passing through HTTP traffic. Our experiments showed that finding possible FITM attack seeds for spam campaigns is cheap regarding time and hardware resources. Our attack simulation results furthermore suggest that based on the 4000 possible Facebook attack seeds we observed within two weeks, ~300.000 users could have been targeted with context-aware spam.

There are a number of limited protection strategies available to social networking users, such as using browser extensions such as EFF HTTPS Everywhere. The Tor browser bundles include the EFF HTTPS Everywhere extension since May 2010. Social networking providers ultimately have to protect their users against FITM attacks by securing the communication channels of their services with HTTPS. At the time of writing Facebook has announced that they will offer optional HTTPS support for their web service. We strongly advice users to make use of this option once it will become available to everyone.

Entry in IEEE Xplore

We kindly ask you to participate in our information security knowledge management survey. The survey is conducted by publicly-funded research institutions SBA Research (AT), Newcastle University (UK), and Vienna University of Technology (AT). We conduct the survey to explore potential ways of enabling companies and professionals to share information security knowledge through the application of collaborative semantic web technologies. The aggregated survey results will be published within publically-accessible research publications.

Survey: http://www.sba-research.org/survey/index.php?sid=73314

Thank you for your support.

We are attending CCS 2010 in Chicago and present a poster and a paper at the AISec Workshop, http://www.aisec.info.

The SBA FIT-IT proposal “INFORM” (Internet Forensic Framework) has been awarded the 2nd place in the competition for the best proposal among all proposals for “Trust in IT-Systems” in 2009.

The goal of “INFORM” is to study current challenges in computer forensics and to produce tools that enricht the toolset of a forensic analysist. In the traditional approach, the seizure of the suspects hard drives is used to analyse traces of malicious activities. With the widesread availability of hard drive encryption tools, online file storate systems and bootable Linux distributions that leave no traces on the hard drive, new tools and procedures are needed to support the evidence collection process. Social networks and anonymization networks pose further challenges for online forensics that will be adressed by “INFORM”.

The news report on futurezone and derstandard.

Löst die aktuelle Sicherheitsforschung nur die bekannten Probleme?

Sicherheit war bisher Zugangskontrolle. Statistiken zeigen, dass dieses Paradigma immer weniger ausreicht und dass dadurch die Anwendungen des Cloud Computing und der Service-orientierung gefährdet sind. Man will n icht nur Zugang haben, sondern auch die Gewissheit, dass Vereinbarungen zu jeder Zeit eingehalten werden. Diese so geannte Nutzungskontrolle ist eigentlich die bekannte Zuverlässigkeit verstanden als die Sicherheit ergänzt um die Korrektheit der Dienste. Sicherheitslücken ermöglichen durch die unvermeidlichen Interferenzen die Ableitung von Informationen, die nur durch unzulässige Informationsflüsse möglich sind.  Der Vortrag stellt die gegenwärtige Ausgangs- und Sicherheitslage anhand von Statistiken über Sicherheitsverletzungen vor. Gerade durch die Defizite der Sicherheitsforschung ist es zu Schwachstellen gekommen, die man heute unter dem Begriff “Compliance” zusammengefasst nur sehr aufwändig bekämpfen kann. Es handelt sich dabei um Sicherheitsprpobleme bei Prozessen. Hierzu hat die DFG (Deutsche Forschungsgemeinschaft) unter dem Titel “zuverlässig sichere Systeme” ein Schwerpunktprogramm eingerichtet, das den Vortragende mitverantwortet. Es geht darum die Sicherheitsfrage über die Zugangskontrolle hinaus um die Zuverlässigkeit zu erweitern. Die praktischen und technischen Herausforderungen dazu stehen im Mittelpunkt des Vortrages.

G.Müller

Titel: Löst die aktuelle Sicherheitsforschung nur die bekannten Probleme?

Abstrakt:

Sicherheit war bisher Zugangskontrolle. Statistiken zeigen, dass dieses Paradigma immer weniger ausreicht und dass dadurch die Anwendungen des Cloud Computing und der Service-orientierung gefährdet sind. Man will n icht nur Zugang haben, sondern auch die Gewissheit, dass Vereinbarungen zu jeder Zeit eingehalten werden. Diese so geannte Nutzungskontrolle ist eigentlich die bekannte Zuverlässigkeit verstanden als die Sicherheit ergänzt um die Korrektheit der Dienste. Sicherheitslücken ermöglichen durch die unvermeidlichen Interferenzen die Ableitung von Informationen, die nur durch unzulässige Informationsflüsse möglich sind.

Der Vortrag stellt die gegenwärtige Ausgangs- und Sicherheitslage anhand von Statistiken über Sicherheitsverletzungen vor. Gerade durch die Defizite der Sicherheitsforschung ist es zu Schwachstellen gekommen, die man heute unter dem Begriff “Compliance” zusammengefasst nur sehr aufwändig bekämpfen kann. Es handelt sich dabei um Sicherheitsprpobleme bei Prozessen. Hierzu hat die DFG (Deutsche Forschungsgemeinschaft) unter dem Titel “zuverlässig sichere Systeme” ein Schwerpunktprogramm eingerichtet, das den Vortragende mitverantwortet. Es geht darum die Sicherheitsfrage über die Zugangskontrolle hinaus um die Zuverlässigkeit zu erweitern. Die praktischen und technischen Herausforderungen dazu stehen im Mittelpunkt des Vortrages.

Guest lecture by Prof. Rinderle-Ma on “Evolution von organisatorischen Strukturen und deren Effekte in prozessorientierten Informationssystemen”  (Feb 2, 10 am, SBA)

From January to March 2010, Stefan Fenz will work as a visiting scholar at the Stanford Center for Biomedical Informatics Research at Stanford University. He will develop and implement novel methods for the ontology-based generation of Bayesian networks.

SBA Research co-organizes the conference with the University of Klagenfurt. See www.syssec.at/dachsecurity2010 for more details.

Edgar Weippl presents the opening talk at this year’s ADV security event (IT-Sicherheit für Fortgeschrittene). (more…)

112 People visited our information security-specific program at Lange Nacht der Forschung 2009. The program hosted by Secure Business Austria comprised privacy issues, wireless security, password security, and forensics. EVVA supported our program by presenting the latest lock innovations to our visitors.

We are happy to announce that our SBA2 proposal has been accepted by the jury. The research grants enable us to continue our research till 2014. German press releases can be found at APA and FFG.

On November 7 2009 16:27 – 00:00 Secure Business Austria hosts an information security-specific program at Lange Nacht der Forschung. The program comprises live demonstrations and awareness training in the fields of

• wireless security,
• password security,
• social engineering,
• privacy,
• lockpicking,
• mobile storage security,
• credit card fraud, and
• digital forensics.

We invite everybody to join us at Favoritenstrasse 16 1040 Wien.

Peter Kleissner (http://www.peterkleissner.com/) presented his Stoned Bootkit and new research directions to circumvent full disk encryption.

Today we attend the highly prestigious International Conference on Business Process Management (BPM’2009) and present our paper “Business Process-based Resource Importance Determination” in the main track.

Our paper “A Reference Model for Risk-Aware Business Process Management” has been accepted at the 4th International Conference on Risks and Security of Internet and Systems (CRISIS2009).

Our paper “Towards Automating Social Engineering Using Social Networking Sites” has been accepted at the International Conference on Privacy, Security, Risk and Trust (PASSAT2009).

From 18th to 19th June 2009 Aad van Moorsel and Simon E. Parkin from Newcastle University will visit our research center. Our goal is to identify and initialize joint research projects between Newcastle University and Secure Business Austria in the field of economically justified security solutions.

On 18th June 2009 9am Aad van Moorsel and Simon E. Parkin will give a public talk on their Trust Economics project. Trust Economics is a research project, which is conducted jointly by Hewlett-Packard, Merrill-Lynch, Newcastle University, University College London and University of Bath. Its objective is to develop a methodology that allows companies to make decisions about security investments based on costs and benefits for the company. Aad van Moorsel and Simon Parkin will present their recent work on knowledge base support for IT security investment decisions. The distinguishing feature of the Trust Economics knowledge base is the inclusion of the human behavioral aspect in its underlying information security ontology. In addition to their recent research results and technology developments, we will discuss the rationale behind the Trust Economics project.

Edgar Weippl gives a talk on Database Forensic at the Security Forum in Hagenberg (http://www.securityforum.at/vortraege.php).

Abstract: Whenever data is being processed, there are many places where parts of the data are temporarily stored; thus forensic analysis can reveal past activities, create a (partial) timeline and restore deleted data. While this fact is well known for computer forensic and multiple tools to forensically analyze data exit, the systematic analysis of database systems has only recently begun.

Clearly, database system are bound to leave more extensive traces since they not only store a file but, in addition, need indexes, rollback segments and log files. In this tutorial we will cover the basics of forensic analysis particularly focusing on database systems.