Wiener Forschungsfest
SBA is part of the Wiener Forschungsfest, an outreach program to make research results accessible to the general public (more…)
The six papers in this special issue focus on availability, reliability, and security. Some of the topics covered include prevention of identity theft, biometric technology and authentication, and security considerations for RF identification. Guest editors: Ravi Sandhu, A Min Tjoa, Edgar Weippl. (more…)
Our article “Verification, Validation, and Evaluation in Information Security Risk Management” (authors: Stefan Fenz and Andreas Ekelhart) was accepted at IEEE Security & Privacy. Check out the preprint at the IEEE Digital Library.
Abstract:
Over the last four decades, various information security risk management (ISRM) approaches have emerged. However, there is a lack of sound verification, validation, and evaluation methods for these approaches. While restrictions, such as the impossibility of measuring exact values for probabilities and follow-up costs, obviously exist, verification, validation, and evaluation of research is essential in any field, and ISRM is no exception. Individual approaches exist, but so far there is no systematic overview of the available methods. In this article we survey verification, validation and evaluation methods referenced in ISRM literature and discuss in which ISRM phases the methods should be applied. The selection of appropriate methods is demonstrated with a potential real-world example. This systematic analysis draws conclusions on the current status of ISRM verification, validation and evaluation and can serve as a reference for researchers and users of ISRM approaches who aim to establish trust in their results.
Markus Huber will work this summer on his research in Social Networking Privacy and Security at Carnegie Mellon University with Alessandro Acquisti.
Abstract. In the ongoing arms race between spammers and the multi-million dollar anti-spam industry, the number of unsolicited e-mail messages (better known as “spam”) and phishing has increased heavily in the last decade. In this paper, we show that our novel friend-in-the-middle attack on social networking sites (SNSs) can be used to harvest social data in an automated fashion. This social data can then be exploited for large-scale attacks such as context-aware spam and social-phishing. We prove the feasibility of our attack exemplarily on Facebook and identify possible consequences based on a mathematical model and simulations. Alarmingly, all major SNSs are vulnerable to our attack as they fail to secure the network layer appropriately.
Our researchers at ISecLab have recently released some nice papers that are quoted on Slashdot (see 1 and 2). More news reports on PCWorld, BBC and Dark Reading.
Quoted from ACM Queue: “European researchers have deposited a ‘digital genome’ time capsule inside a data storage facility known as the Swiss Fort Knox, which contains a blueprint that future generations can use to read data stored using obsolete technology. The capsule is the result of the four-year Planets project, which was launched to preserve the world’s digital assets as technology changes. ‘The time capsule being deposited inside Swiss Fort Knox contains the digital equivalent of the genetic code of different data formats,’ says British Library archivist Adam Farquhar. Planets project researchers note that the European Union alone loses at least three billion euros worth of digital information every year. ‘Unlike hieroglyphics carved in stone or ink on parchment, digital data has a shelf life of years, not millennia,’ says University of Technology of Vienna professor Andreas Rauber. The project aims to preserve data DNA, the information and tools to access and read historical digital material and prevent digital memory loss into the next century. ‘If we can nail the next 100 years, we figure we will be able to nail the next 100 years as well,’ Farquhar says.”
Pablo García Bringas and Igor Santos Grueiro visited SBA Research and we plan to collaborate in the area of privacy and forensics in social networks.
We are happy to have a new key researcher who focuses on workflow systems and security: Prof. Stefanie Rinderle-Ma (University of Vienna).
Markus Huber will give a seminar at the DSV SecLab on 20 May, titled “Socio-technical information security attacks on basis of social networking sites”.
This year’s ARES conference was a great success. We really enjoyed our two keynotes; the videos of Gene Spafford and Ross Anderson are now online! (more on keynotes…)
Our annual event for partners, researchers and everyone who is interested in the research of our center (more…)
ACIIDS 2010: Context Oriented Analysis of Web 2.0 Social Network Contents (Amin Anjomshoaa, Vo Sao Khue, A Min Tjoa, Edgar Weippl, Michael Hollauf)
April 13, 2010: Passwords are yesterday – SecLookOn is today! Statistical security analysis of SecLookOn (http://www.adv.at/veranstaltungen/programme/ForITM20100413.pdf)
Andreas Schuster will present a special forensics workshop regarding memory analysis. The workshop will take place on 22 and 23 April 2010 and will focus on:
The course will be held in German. You can find additional information and registration details here: Workshop Description
Today, Stefan Fenz presents the paper “Ontology-based Generation of IT-Security Metrics” at the 25th ACM Symposium on Applied Computing.
Click here to browse and edit the security ontology online.
Mar 2, 2010 @SBA:
17:30 – 17:50, SBA: “Cloud tools” and their impact on security requirements
17:50 – 18:25, SBA partner Security Research: Security and virtualization
18:25 – 19:00, SBA partner factline: The importance of reliability and security for collaboration via web platforms
(program)
The ‘Explore, Investigate and Correlate’ (EIC) Conceptual Framework for Digital Forensics Information Visualisation
by Grant Osborne, University of Adelaide, South Australia
From March to May and from August to December 2010 Martin Mulazzani will work on his research in Privacy and Forensics at Purdue University in Elisa Bertino’s group.
G. Müller
Title: Does current security research only solve the known problems?
Abstract:
Until now, security has meant access control. Statistics show that this paradigm is less and less sufficient, and that cloud computing and service-oriented applications are endangered as a result. One wants not only to have access, but also the certainty that agreements are honoured at all times. This so-called usage control is really the familiar notion of dependability, understood as security extended by the correctness of services. Through unavoidable interference, security gaps make it possible to derive information that could otherwise only be obtained through impermissible information flows.
The talk presents the current situation and state of security on the basis of statistics on security breaches. It is precisely the deficits of security research that have led to weaknesses which today, grouped under the term “compliance”, can only be fought at great expense. These are security problems in processes. To address them, the DFG (Deutsche Forschungsgemeinschaft) has set up a priority programme titled “zuverlässig sichere Systeme” (dependably secure systems), which the speaker co-directs. The aim is to extend the security question beyond access control to include dependability. The practical and technical challenges involved are the focus of the talk.
SBA Research received a research grant to develop guidelines for forensic analysis of Web 2.0 technologies.