Archive for Uncategorized

Manuel Leithner, Book review: XBOX 360 Forensics: A Digital Forensics Guide to Examining Artifacts. S. Bolt. ISBN: 978-1597496230.

XBOX 360 Forensics: A Digital Forensics Guide to Examining Artifacts. S. Bolt. ISBN: 978-1597496230.
http://dx.doi.org/10.1016/j.cose.2012.02.004

ARES Keynotes

Annie I. Antón and Chenxi Wang are the keynote speakers at this year’s ARES conference.

OCG Arbeitskreis IT-Sicherheit: Young Researchers Day

Today the 1st Young Researcher's Day takes place; we co-organize it within the OCG working group on IT security (OCG-Arbeitskreis IT-Sicherheit).

Guest Talk: Dominik Malcik

Dominik Malcik presents his research activities at Brno University of Technology.

Feb. 21st, 2pm, at SBA Research

Guest Talk: Darren Carlson – Dynamix: A Community-centric, Plug-and-Play Context Framework

Dynamix: A Community-centric, Plug-and-Play Context Framework

Mobile users increasingly expect software applications to adapt fluidly across a broad range of everyday situations, environments and hardware platforms. Although contextual information is widely recognized as an essential foundation of self-adapting software, existing context modeling and management techniques presuppose significant domain expertise in the areas of mobile, distributed and ubiquitous computing. As a consequence, mobile developers transitioning from enterprise and desktop scenarios face significant (and often prohibitive) complexity when creating context-aware applications. To mitigate this complexity, we are developing Dynamix, a community-centric, plug-and-play context framework. Dynamix simplifies mobile application development through an extensible, OSGi-based framework that runs as a background service on a user’s Android-based device, modeling context information from the environment using the device itself as a sensing, processing and communications platform. Context modeling is performed by a tailored set of plug-ins, which are dynamically provisioned to the device over-the-air during runtime. Dynamix mediates the flow of context events (from plug-ins to applications) using a configurable Context Firewall, which enables users to precisely manage the privacy risk level of the contextual information available to each application. To foster the emergence of a vibrant open-source developer community, Dynamix defines an open plug-in model and open Web-based repository architecture, which enable external domain experts to create and share context plug-ins with the mobile developer community. This talk presents an overview of the Dynamix architecture (including our preliminary mobile security model), describes our prototype implementation and presents initial results.

Vienna ACM SIGSAC Chapter

The Vienna ACM SIGSAC Chapter has been chartered by ACM’s Chief Operating Officer on February 13, 2012. SBA Research is strongly involved in this chapter.

Manuel Leithner: Book Review “Coding for Penetration Testers by Jason Andress and Ryan Linn”

“Without meaning to advocate over-reliance on it, penetration tests usually require a certain suite of tools. While standard utilities such as nmap, dirbuster and sqlmap tend to meet the needs of testers in most situations, some tricky assessments call for custom development or at least a skilled combination of tools. This is where Coding for Penetration Testers by Jason Andress and Ryan Linn comes in …” (Computers & Security 31 (2012), p. 252)

1st Young Researcher’s Day – 01.03.2012

Ingrid Schaumüller-Bichl and Edgar Weippl cordially invite you to the 1st Young Researcher's Day, which will take place on 01.03.2012 within the OCG working group on IT security (OCG-Arbeitskreis IT-Sicherheit).

The idea behind this event is that every Austrian institution offering a security degree programme or a security focus gives its best students the opportunity to present their own work, fostering networking among up-and-coming researchers. You can find the programme details here: 1st Young Researcher's Day

The Young Researcher's Day takes place at the OCG premises (Dampfschiffstraße 4, 1030 Vienna).

Please register by 27.02.2012 with Yvonne Poul (ypoul@sba-research.org).

ARES 2011 Special Issue: Journal of Wireless Mobile Networks,…

Journal of Wireless Mobile Networks, Ubiquitous computing, and Dependable Applications. ARES 2011 Special Issue
Volume 2, Number 4 (December, 2011), Advances in Applied Security. http://jowua.yolasite.com/vol2no4.php

Media coverage of our NDSS paper

futurezone, 20min.ch & pctipp.ch have a story about our work.

Serious vulnerabilities found in short-message services for smartphones

Smartphone applications for sending free short messages are enjoying growing popularity in Austria too, above all WhatsApp, which is already installed on more than 180,000 smartphones in Austria. The simple setup, which does not require creating a user account, contributes to this rapid spread; at the same time, that design is the cause of serious vulnerabilities, as current research by the Vienna-based IT security competence centre SBA Research shows.

Of nine tested applications for iPhone and Android, not a single one was fully convincing, and the partly serious security holes, which endanger users' privacy, surprised even the security researchers at SBA Research. For instance, user accounts could easily be taken over, after which messages of these users could be received and sent. The researchers also managed to read out, and even modify, the status messages of all WhatsApp users in Austria. Security specialist Peter Kieseberg explains: “Users are not aware that these systems have a much lower security level than services provided directly by the network operator, such as SMS. By using these new short-message services they unknowingly expose sensitive information to the public. Who would assume that a status text that is supposed to be visible only to one's own contacts can be retrieved by anyone with a simple trick?”

The maker of WhatsApp has already been able to close some of the security holes; other vulnerabilities, however, still exist. The results of the security analysis will be presented at the beginning of February at the renowned IT security conference NDSS in San Diego, USA.

Contact:
SBA Research
Peter Kieseberg (pkieseberg@sba-research.org, +43 660 3126291)

SBA Research is a research institute for information security based in Vienna. Its work focuses on organizational and technical aspects of information security. Focus areas are governance, risk and compliance, data protection and privacy, security in software development, and hardware and network security. SBA Research employs more than 80 staff.

Paper “Guess Who’s Texting You? Evaluating the Security of Smartphone Messaging Applications”

We will present a paper on the security of smartphone messaging applications at NDSS 2012.

You can find a preprint of the paper here: Guess Who’s Texting You? Evaluating the Security of Smartphone Messaging Applications.

From the abstract: In recent months a new generation of mobile messaging and VoIP applications for smartphones was introduced. These services offer free calls and text messages to other subscribers, providing an Internet-based alternative to the traditional communication methods managed by cellular network carriers such as SMS, MMS and voice calls. While user numbers are estimated in the millions, very little attention has so far been paid to the security measures (or lack thereof) implemented by these providers.
In this paper we analyze nine popular mobile messaging and VoIP applications and evaluate their security models with a focus on authentication mechanisms. We find that a majority of the examined applications use the user’s phone number as a unique token to identify accounts, which further encumbers the implementation of security barriers. Finally, experimental results show that major security flaws exist in most of the tested applications, allowing attackers to hijack accounts, spoof sender-IDs or enumerate subscribers.

Guest talk: John Tait on Semantic Search: New Developments

Semantic Search: New Developments

John Tait, Jan 31, 14:30, SBA Research

The term Semantic Search is becoming fashionable, but there are a number of problems with the term.

1) There are at least two forms of semantic search. One is based more-or-less hand programmed knowledge sources, like domain ontologies or thesauri. The other is based on emergent properties of the data being searched, using techniques like Latent Semantic Analysis or clustering. It is far from clear that the results of applying the two approaches are similar or even compatible.

2) It is often assumed that semantic search is in some sense different from surface text search: which implies that normal old-fashioned Google search (for example) is equivalent to random string search, when of course the underlying statistics depend critically on the fact that both the queries and corpora are natural language (English or German) words with underlying semantics.

3) Semantic Search depends critically on text annotation processes during indexing: but these are potentially corruptable by malefactors. How can this be prevented?

The seminar will explore these three issues, and attempt to find a better definition of the term semantic search and to identify some ways forward.

IEEE Spectrum: A Cloud you can trust

“In a paper they presented at the Usenix Security Symposium in August, Martin Mulazzani and his colleagues at SBA Research, in Vienna, described several ways in which deduplication could be used to access files uploaded to Dropbox.” (quoted verbatim from Christian Cachin et al., A Cloud you can Trust, IEEE Spectrum, Dec 2011)
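The general mechanism behind the class of problems the Spectrum article refers to, as an added illustration that is not the paper's code and does not reproduce its specific findings: a storage service that deduplicates by content hash and, on a hash match, links the file to the uploading account without ever receiving the bytes. Anyone who learns only the hash can then claim, and download, the file. The hardened variant demands a fresh keyed proof computed over the plaintext before linking. The toy service, the account names and the sample file contents are all constructed for this example.

```python
"""Added illustration (not the paper's code): hash-keyed client-side deduplication
lets a party who knows only a file's hash obtain the file; one hardening is a
challenge/response proof of ownership over the plaintext. Everything here is a
constructed toy: the service, accounts and sample file are assumptions."""
import hashlib
import hmac
import os
from typing import Dict, Optional, Set, Tuple


class NaiveDedupServer:
    """Dedup by SHA-256: on a hit the client skips the upload and the
    existing blob is simply linked to its account."""

    def __init__(self) -> None:
        self.blobs: Dict[str, bytes] = {}       # digest -> content
        self.owners: Dict[str, Set[str]] = {}   # digest -> accounts allowed to fetch

    def upload(self, account: str, digest: str, data: Optional[bytes] = None) -> str:
        if digest in self.blobs:
            # Dedup hit: the server never sees any bytes from this client.
            self.owners[digest].add(account)
            return "linked"
        if data is None or hashlib.sha256(data).hexdigest() != digest:
            raise ValueError("first upload must carry content matching the digest")
        self.blobs[digest] = data
        self.owners[digest] = {account}
        return "stored"

    def download(self, account: str, digest: str) -> bytes:
        if account not in self.owners.get(digest, set()):
            raise PermissionError("not an owner")
        return self.blobs[digest]


class ProofOfOwnershipServer(NaiveDedupServer):
    """Same dedup, but a hit must be backed by HMAC(nonce, full plaintext) for a
    nonce the server issued; a hash-only attacker cannot compute it."""

    def __init__(self) -> None:
        super().__init__()
        self.pending: Dict[Tuple[str, str], bytes] = {}

    def challenge(self, account: str, digest: str) -> bytes:
        nonce = os.urandom(16)
        self.pending[(account, digest)] = nonce
        return nonce

    def upload(self, account: str, digest: str, data: Optional[bytes] = None,
               proof: Optional[bytes] = None) -> str:
        if digest in self.blobs:
            nonce = self.pending.pop((account, digest), None)
            if nonce is None:
                raise PermissionError("no outstanding challenge")
            expected = hmac.new(nonce, self.blobs[digest], hashlib.sha256).digest()
            if proof is None or not hmac.compare_digest(expected, proof):
                raise PermissionError("proof of ownership failed")
            self.owners[digest].add(account)
            return "linked"
        return super().upload(account, digest, data)


def client_proof(nonce: bytes, content: bytes) -> bytes:
    """What an honest client computes: it needs the whole plaintext, not its hash."""
    return hmac.new(nonce, content, hashlib.sha256).digest()


def scenario(server_cls) -> bool:
    """Victim stores a file; attacker knows only its hash. True if the attacker
    ends up able to download the victim's bytes."""
    secret = b"constructed sample: contents of payroll-2011.xlsx"
    digest = hashlib.sha256(secret).hexdigest()
    srv = server_cls()
    srv.upload("victim", digest, secret)
    try:
        if isinstance(srv, ProofOfOwnershipServer):
            nonce = srv.challenge("attacker", digest)
            # Attacker has no plaintext, so the best it can do is guess.
            srv.upload("attacker", digest, proof=client_proof(nonce, b"guess"))
        else:
            srv.upload("attacker", digest)      # dedup hit, no content needed
        return srv.download("attacker", digest) == secret
    except PermissionError:
        return False


def honest_dedup() -> str:
    """A second legitimate holder of the same file still gets deduplicated."""
    content = b"constructed sample: shared team handbook"
    digest = hashlib.sha256(content).hexdigest()
    srv = ProofOfOwnershipServer()
    srv.upload("alice", digest, content)
    nonce = srv.challenge("bob", digest)
    return srv.upload("bob", digest, proof=client_proof(nonce, content))


if __name__ == "__main__":
    print("naive server leaks file to hash-only attacker:", scenario(NaiveDedupServer))
    print("proof-of-ownership server leaks file:", scenario(ProofOfOwnershipServer))
    print("honest second owner on hardened server:", honest_dedup())
```

Two caveats a practitioner should keep in mind: an HMAC over the whole file costs the client a full read, so deployed proof-of-ownership designs usually challenge random blocks instead; and even the hardened server above still reveals whether a given hash is stored (the error for an unknown digest differs from a failed proof), so existence of a file remains observable unless responses are made uniform.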

Book Review on Android Forensics

Manuel Leithner's book review was just published.

Article on the ICT security seminar

The current issue of the magazine Öffentliche Sicherheit contains an article on the IKT-Sicherheitsseminar, where Markus Klemen gave a talk on social networks.

Stefan Katzenbeisser at 28C3

Key researcher Stefan Katzenbeisser gave a talk at 28C3 (coverage: derStandard.at, heise.de, futurezone.at, diePresse.com, reuters.com, telegraph.co.uk, bbc.co.uk)

Femtech internships: Katharina Krombholz

An internship application under the Femtech programme (http://www.ffg.at/femtech-praktika) has been accepted. In January, Katharina Krombholz will begin an internship and a diploma thesis on security in social networks and support existing research work.

Guest lecture: Johann Steszgal on Intelligent Transportation Systems

Johann Steszgal (ETSI ITS WG5) gives a lecture on Security Issues of IPv6 Communications in Cooperative Intelligent Transportation Systems for students of our class Organizational Aspects of Security.

NII Joint Research Seminar

Our researchers plan future research in cooperation with NII:

  • Dr. N. Sonehara, Information and Society Research Director at NII and Project Leader at ROIS/TRIC.
  • Dr. Y. Ichifuji, ROIS/TRIC
  • Dr. I. Echizen, Associate Professor at NII.
  • Dr. S. Wohlgemuth, Associate Professor at NII and ROIS/TRIC

Stefan Katzenbeisser: Guest lecture on ERM and DRM

Key researcher Stefan Katzenbeisser gives a guest lecture on enterprise rights management for students of our class Advanced Internet Security.

Guest lectures: Sonehara, Ichifuji, Echizen & Wohlgemuth

Starting at 3pm

Dr. N. Sonehara, “Data-centric Socio-Informatics Supporting Public Policy Decision Making”, NII and ROIS/TRIC
Dr. Y. Ichifuji, “Web Data Driven Information Circulation and Its application of Resilience Evaluation”, ROIS/TRIC
Dr. I. Echizen, “Multimedia Location Privacy Control Mechanism”, NII
Dr. S. Wohlgemuth, “Resilient Social System Design Methods”, ROIS/TRIC, Associate Professor at NII / ROIS

SBA General Assembly

Today the general assembly takes place. Markus Klemen gives an overview of the successful past year and the revision of the K-ind period.

Sigrun Goluch: homomorphic cryptography. Gentry’s privacy homomorphism

Sigrun Goluch: The development of homomorphic cryptography, from RSA to Gentry's privacy homomorphism

Ever since the discovery of public-key cryptography by Diffie and Hellman in 1976, the need for total privacy of digital data has grown stronger and stronger, especially since the internet has become an indispensable part of both our private and work lives. Naturally, the demand for more secure encryption schemes arose in the past few decades.
One way to achieve confidentiality in applications such as online banking, electronic voting and virtual networks is homomorphic, and especially fully homomorphic, encryption. Fully homomorphic cryptosystems, or privacy homomorphisms, were introduced by Rivest, Adleman and Dertouzos in 1978. They asked for a way to let a third, untrusted party carry out extensive computation on encrypted data without having to decrypt it first. The search for fully homomorphic cryptosystems began then and ended roughly three decades later, when Craig Gentry published his fully homomorphic scheme. Although not yet useful for practical applications, it settled the question raised in 1978 of whether privacy homomorphisms exist.
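The starting point of the talk's title, shown as an added example that is not the speaker's material: textbook RSA is already a partial homomorphism. An untrusted party holding only the public key can multiply ciphertexts and obtain a valid encryption of the product of the plaintexts, but it cannot add them, which is exactly the gap a fully homomorphic scheme closes. The primes, exponent and sample values below are toy choices made for readability; this is not a usable cryptosystem.

```python
"""Added illustration (not from the talk): textbook RSA is multiplicatively
homomorphic, Enc(a) * Enc(b) mod n == Enc(a * b), but not additively.
Toy key sizes chosen for readability only; never use this for real data."""
from typing import Dict, Iterable, Tuple

PubKey = Tuple[int, int]   # (e, n)
PrivKey = Tuple[int, int]  # (d, n)


def egcd(a: int, b: int) -> Tuple[int, int, int]:
    """Extended Euclid: returns (g, x, y) with a*x + b*y == g == gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, x, y = egcd(b, a % b)
    return g, y, x - (a // b) * y


def modinv(a: int, m: int) -> int:
    g, x, _ = egcd(a % m, m)
    if g != 1:
        raise ValueError("no modular inverse")
    return x % m


def keygen(p: int, q: int, e: int = 65537) -> Tuple[PubKey, PrivKey]:
    """Textbook RSA keypair from two primes (assumed prime; tiny ones used here)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = modinv(e, phi)
    return (e, n), (d, n)


def encrypt(pub: PubKey, m: int) -> int:
    e, n = pub
    if not 0 <= m < n:
        raise ValueError("plaintext out of range")
    return pow(m, e, n)


def decrypt(priv: PrivKey, c: int) -> int:
    d, n = priv
    return pow(c, d, n)


def multiply_encrypted(pub: PubKey, ciphertexts: Iterable[int]) -> int:
    """Run by the untrusted party: it sees only the public key and ciphertexts.
    (m1^e)(m2^e) == (m1*m2)^e mod n, so the result decrypts to the product."""
    _, n = pub
    acc = 1
    for c in ciphertexts:
        acc = acc * c % n
    return acc


def demo(values: Tuple[int, ...] = (3, 5, 7)) -> Dict[str, int]:
    """Encrypt some values, let the third party multiply (and, for contrast,
    add) the ciphertexts, and decrypt to compare against the plaintext results."""
    pub, priv = keygen(10007, 10009)        # toy primes; product 105 < n
    cts = [encrypt(pub, v) for v in values]
    product = 1
    for v in values:
        product *= v
    c_prod = multiply_encrypted(pub, cts)
    # Summing RSA ciphertexts does NOT yield an encryption of the plaintext sum.
    c_sum = sum(cts) % pub[1]
    return {
        "product_plain": product,
        "product_via_ciphertexts": decrypt(priv, c_prod),
        "sum_plain": sum(values),
        "sum_via_ciphertexts": decrypt(priv, c_sum),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The same property is, from a security standpoint, the malleability of unpadded RSA: an attacker who can multiply ciphertexts can alter what a victim will decrypt without knowing the private key. Padding schemes such as OAEP deliberately destroy this structure, which is why a homomorphism has to be designed in on purpose rather than obtained from RSA as deployed.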

Follow us on Twitter!

We now have a Twitter account for our news section. Follow us at @SBA_Research on Twitter.
