Secure Business Austria is an industrial research center for IT security founded by the Vienna University of Technology, Graz University of Technology and the University of Vienna. In our second research phase, from 2010 to 2017, the Vienna University of Economics and Business joined the center as a fourth full academic partner.
ISIS @ TU Wien IAIK @ TU Graz DKE @ Uni Wien NM @ WU Wien

News

Book review: Android forensics

Manuel Leithner’s book review was just published (DOI)

Software to investigate cybercrime’s social side

New Scientist: Markus Huber has developed software to help police use online clues to solve offline crimes

UCC Privacy & Security

Manuel Leithner is giving a lecture on UCC Privacy & Security in cooperation with CON.ECT. The talk is centered on multidimensional communication, including audio, video, text and files. Threats endangering the privacy of the transmitted data are shown and defense strategies are presented. (more…)

IFIP WG11.9 Conference: Paper on Social Network Forensics accepted

Our paper has been accepted: Social Network Forensics: Tapping the Data Pool of Social Networks.

Who is stealing my data here? TU Forum

Internet security, hackers and data protection

The free worldwide flow of data also has its dark side: careless Internet users handle their data far too carelessly, important websites often contain serious vulnerabilities, and hackers keep finding new methods to break into computer systems. Edgar Weippl (Institute of Software Technology and Interactive Systems, TU Wien, sba-research), Christian Platzer and Gilbert Wondracek (Seclab, Institute of Computer Aided Automation, TU Wien) will point out possible dangers, talk about the methods hackers use, and discuss together whether there can ever be a "secure" Internet at all. (Date, TU forum)

Guest talk: A Bird’s-Eye View of Optimal Codes and Symmetric Cryptography from Combinatorial Designs

A Bird’s-Eye View of Optimal Codes and Symmetric Cryptography from Combinatorial Designs

Dimitris E. Simos, Department of Mathematics, National Technical University of Athens

Abstract: In the past few decades, combinatorial design theory has grown to encompass a wider variety of investigations, many of which are not apparently motivated by any practical application. Rather, they are motivated by a desire to obtain a coherent and powerful theory of existence and properties of designs. Nevertheless, it comes as no surprise that applications in coding theory and communications continue to arise, and also that designs have found applications in new areas. Cryptography in particular has provided a new source of applications of designs in computer science, and simultaneously a field of new and challenging problems in design theory.

In this lecture, we present a number of applications of combinatorial designs in which the connection with classes of optimal codes and modern symmetric (private-key) cryptography appears to be substantial and meaningful. In the first part, we present some new results for self-dual codes and quasi-cyclic codes and exemplify some of their advantages in terms of encoding and decoding. Next, we survey recent powerful private-key cryptosystems from special classes of combinatorial designs, which possess beautiful combinatorial properties. Practical aspects of the cryptosystems, in terms of security and cryptanalysis, are analyzed and examples of real-time encryption and decryption are provided using cryptographic algorithms. We conclude by providing a state-of-the-art comparison of private-key block ciphers in the field of modern cryptography.

AARIT

Edgar Weippl has been elected vice president and will continue organizing the ERCIM fellowship program for Austria.

IT-SeCX 11.11.11: Social Snapshots

IT-SeCX 11.11.11: Markus Huber presents "Social Snapshots – Digital Forensics for Social Networks" at IT-SeCX (more…)

SBA participates at the 2011 “IKT-Zentren Akademie”

Ulrich Bayer gave a lecture on secure development of web applications at the 2011 "IKT-Zentren Akademie". The talk included a theoretical and practical introduction to secure web application development and the most common attack vectors. (more…)

Sicherheitskonferenz Krems: Cloud storage services as attack vectors

Cloud storage services as attack vectors.

Based on our USENIX Security 2011 paper (Dark Clouds on the Horizon: Using Cloud Storage as Attack Vector and Online Slack Space), we will present some recent updates at the Sicherheitskonferenz Krems.

Summerschool on Security and Privacy, Aug 2012

We will teach a course in the summer school in Italy…

Piwik vulnerability

Manuel found and reported a vulnerability. Excerpt from the changelog (Piwik 1.6): "Security: we would like to thank the following people for their responsible disclosure: [...] Secure Business Austria [...] Thank you to all these people for disclosing security issues to the Piwik team, ensuring a healthy and safe experience for the whole community!"

Webinar: Cloud Security

We present a short overview of security issues in cloud-based storage services at CON.ECT's webinar series "Security & Risk Management" (more…)

Securing XML archives for Search Based Applications – John Tait

Securing XML archives for Search Based Applications (Talk by John Tait; Oct 19; 10am SBA)

There has been a recent trend to produce what are known as Search Based Applications. One strand of this work is based on the observation that many organisations keep legacy transaction-oriented systems up and running in order to allow information contained in those systems to continue to be accessed for audit and security purposes. This is quite different from the high transaction volumes the systems were originally designed for. So, for example, a credit card company might keep an obsolete retailer and customer service application up and running purely so that security investigators can access historic customer transaction patterns via ad hoc SQL queries.

A better solution would be to archive the data in the transaction system to an XML store, and then use enterprise text search systems, like Lucene or Bing/FAST, to provide the query facilities. However, this raises the question: does the XML data actually represent the data previously held in the transaction system, or has the data been altered in some way?

The seminar will discuss the security issues that search based applications raise and seek to work with the audience to find ways forward with those issues.

CCS 2011: The Power of Procrastination

Clemens Kolbitsch recently finished his PhD, supervised by Engin Kirda and Chris Kruegel. Tomorrow, he will present his paper "The Power of Procrastination: Detection and Mitigation of Execution-Stalling Malicious Code" at CCS 2011. Clemens will shortly join our partner company TLLOD.

Manuel Leithner – ORF

Manuel Leithner presented weaknesses of Facebook, WLANs and Smartphones on ORF (ORF, youtube).

Talk on Cloud Security

Edgar Weippl presents the USENIX paper at the CON.ECT event on security (overview, details, schedule).

Data Loss Prevention

"The latest releases are relatively weighty, because they involve sensitive data, but from a technical point of view they are not necessarily elaborate," says Martin Mulazzani of SBA Research, a Viennese research institute for IT security (derstandard.at)

Secure development of web-applications – Secure Coding I + II

Severin Winkler is giving several lectures on secure development of web applications in cooperation with CON•ECT. The core component of these talks is the OWASP Top Ten list of web application security risks for 2010. The lectures include advanced security topics necessary for the development of modern web applications and focus on attack scenarios and counter strategies. (more…)

Guest speaker Melanie Volkamer: Usable Security in the Context of Electronic Elections

The subject of electronic voting has enjoyed several years of considerable interest both from election officials and from IT security and cryptography researchers. The interest of election officials is based especially on the possibility to obtain fast and accurate results. Scientists are interested in the balance between anonymity and verifiability. Due to the different interests, there exists a gap between the complex but verifiable election protocols that are discussed at conferences and the black-box systems that are used in practice. This gap, which is also evident in many other applications, can only be closed by methods of the research area called 'Usable Security'. Recent results using the example of the Helios Internet voting system will be presented during the talk. The presentation will also provide an overview of my previous research in the field of electronic voting and on current and planned projects in the area of 'Usable Security'.

ACSAC 2011: Social Snapshots – Digital Forensics for Online Social Networks

We are going to present our Social Snapshot forensic tool at the Annual Computer Security Applications Conference (ACSAC) 2011.

Abstract:
Recently, academia and law enforcement alike have shown a strong demand for data that is collected from online social networks. In this work, we present a novel method for harvesting such data from social networking websites. Our approach uses a hybrid system that is based on a custom add-on for social networks in combination with a web crawling component. The datasets that our tool collects contain profile information (user data, private messages, photos, etc.) and associated meta-data (internal timestamps and unique identifiers). These social snapshots are significant for security research and in the field of digital forensics. We implemented a prototype for Facebook and evaluated our system on a number of human volunteers. We show the feasibility and efficiency of our approach and its advantages in contrast to traditional techniques that rely on application-specific web crawling and parsing. Furthermore, we investigate different use-cases of our tool that include consensual application and the use of sniffed authentication cookies. Finally, we contribute to the research community by publishing our implementation as an open-source project.

You can find the paper here: Social Snapshot ACSAC11 preprint

securityconference.ch

Today, Edgar Weippl speaks in Zurich on Cloud Security and takes part in a discussion (more…)

Roundtable: EU-Informationsveranstaltung “Rechtsinformatik”

Edgar Weippl takes part in the round table on electronic identities.
9.00 — 16.30, Haus der Europäischen Union, Wipplingerstraße 35, Vienna (more…)

Future Network Zurich: IT-Trends

Edgar Weippl presents SBA's research on cloud security in Zurich at Future Network's meeting (more…).

Talk on Technical Aspects of Privacy at the Forum Privacy of the Austrian Computer Society

Edgar Weippl gives a presentation on technical options for providing privacy at the Forum Privacy of the Austrian Computer Society. (ORG, ORF.at)