 |
 |
 |
 |
Der Consultants Competence Circle ist eine Expertendiskussion zu aktuellen Themen aus Wirtschaft und Beratung. Edgar Weippl präsentiert Herausforderungen im Bereich der Informationssicherheit im Rahmen der Expertendiskussion.
29.8., 18 Uhr, Schloss Hunyadi, Schlossgasse 6, Maria Enzersdorf. Veranstaltet von der WKO-NÖ / UBIT.
On ARES’ last day, an informal workshop on research collaborations was held. Participants from Japan were Prof. Dr. Ryoichi Sasaki
Tokyo Denki University, Prof. Dr. Noboru Sonehara, National Institute of Informatics, Prof. Dr. Isao Echizen, National Institute of Informatics, Dr. Sven Wohlgemuth, National Institute of Informatics.
The ARES conference just started…
Usenix Security 2011: Dark Clouds on the Horizon: Using Cloud Storage as Attack Vector and Online Slack Space
reports on Computerworld, Diogo’s blog, more blogs.
Pressemitteilung, heise, Der Standard, Die Presse, Futurezone, Kurier
Vulnerability Disclosure Policy von SBA Research
Bo Sun, a master’s student from KTH Stockholm, presents her master thesis on Access Control for Mobile Agents Baggage
Das Projekt “Modellbasiertes Testen der Systemsicherheit in der Praxis (MoBSeTIP)” beschäftigt sich mit der Anwendung des modellbasierten Testens (MBT) auf den Bereich des Testens der Informationssicherheit (Security Testing). Im Speziell geht es darum Testfälle, die Sicherheitsaspekte von Systemen abdecken, automatisiert zu generieren und auszuführen. Problemstellungen dabei sind das Finden einer geeigneten Modellierungssprache für Bedingungen der Informationssicherheit und die praktische Umsetzung der automatisierten Testfallgenerierung. Wenn man betrachtet das es derzeit aufgrund der steigenden Vernetzung und Komplexität von Systemen zu vermehrten Sicherheitsproblemen kommt, ist die zur Verfügungstellung von Werkzeugen für die Test solcher Systeme wichtig und von steigender Bedeutung für die Gesellschaft und die Wirtschaft.
Schwerpunkte im Rahmen von MoBSeTIP sind: (1) die Bereitstellung einer Modellierungssprache für Systemsicherheit, die gewünschten Eigenschaften und mögliche Angriffe abbilden lässt, (2) die Implementierung eines Werkzeugs zur Testfallgenierung ausgehend von den verfügbaren Modellen, (3) die Anwendung und Evaluierung der Werkzeuge auf ein konkretes Projekt der Firmenpartner, und (4) die Zusammenarbeit auf europäischer Ebene im Rahmen des ITEA 2 Projekts DIAMONDS (http://www.itea2-diamonds.org/index.html). Hier sollen sowohl die Testfallgenerierungswerkzeuge und zugrundeliegenden Methoden eingebracht werden. Die Erkenntnisse und Evaluierungsresultate für weitere Anwendungen und Fallstudien der europäischen Partnerfirmen fließen in MoBSeTIP ein.
Author: Dr. Shareeful Islam, Dr. Haralambos Mouratidis and Prof. Dr. Jan Jürjens
Abstract
Regulation compliance is getting more and more important for software systems that process and manage sensitive information. Therefore, identifying and analysing relevant legal regulations and aligning them with security requirements become necessary for the effective development of secure software systems. Nevertheless, Secure Software Engineering Modelling Languages (SSEML) use different concepts and terminology from those used in the legal domain for the description of legal regulations. This situation, together with the lack of appropriate background and knowledge of laws and regulations, introduces a challenge for software developers to elicit security requirements from the relevant laws and regulations and to trace the elicited requirements throughout the development stages. Our work contributes to develop a framework that supports the consideration of laws and regulations during the development of secure software systems. The proposed framework enables software developers (i) to correctly elicit security requirements from the appropriate laws and regulations; and (ii) to trace these requirements throughout the development stages in order to ensure that the design indeed supports the required laws and regulations. Our framework is based on existing work from the area of secure software engineering, and it complements this work with a novel and structured process and a well-defined method.
Short Bio
Dr. Shareeful Islam was awarded his PhD in Software Risk Management Model using goal-driven approach from chair of Software & Systems Engineering (I4), Technische Universität München, Germany. He has received M.Sc. degree in Information Communication System Security(ICSS) from the Royal Institute of Technology, Sweden. He also received M.Sc. degree in Computer Science (CS)and B. Sc. (Hon’s) in applied physics and electronics (APE) from the University of Dhaka, Bangladesh. He completed the ISO 9001:2001 lead auditor certification and is a certified quality management system auditor. He has more than 10 publication in well recognized journals. His main research interests are in the field of software risk management, software security and privacy. Special interests are risk management model, security and privacy, requirements engineering and modelling.
In August we will present our work on cloud storage security at the 20th USENIX Security Symposium in San Francisco. The paper, in essence, outlines new attacks on cloud storage services that use server-side data deduplication.
It includes a security analysis of Dropbox, a popular cloud storage service. By manipulating the client software unauthorized data access becomes possible, if the hash values of the files are known to an attacker. This attack is completely undetectable to the victim, and novel compared to recent attacks discussed in the media. Data possession proofs which have been used so far in the context of assessing whether a cloud storage operator is still in possession of a file are the only countermeasure.
We further define online slack space as a method to hide data in the cloud to thwart forensic investigations. Compared to regular file slack all files are stored in the cloud without leaving any evidence on local persistent storage.
You can find the paper here: Dark Clouds on the Horizon: Using Cloud Storage as Attack Vector and Online Slack Space. We have contacted Dropbox and they implemented countermeasures for our attacks while investigating the use of data possession proofs on the client side.
The presentation firstly covers the basics properties of image local feature extraction algorithms. Then a little bit closer description of algorithm selected for the implementation – SURF – and the platform – FPGA. Then it contains a summary of reasons why a new completely custom solution has been developed. The main concepts of the developed hardware, FPGA and software design are described next. The presentation is concluded with the module key parameters summary and a short video (1 min) showing the actual image interest point detector results. June 22, 13:30.
Stefan Katzenbeisser talks about privacy and mobile security (starting at 14:43)
1030 am: Guest talk by John Tait
Patent Search – a Challenging Problem!
To be valid a patent has to show that it it describes a novel and useful idea. The test of novelty is that at the date of filing there does not exist in the public domain (in another patent, or the academic literature, or elsewhere, for example in the news media) an earlier description of the invention. This earlier, invalidating, description might well be presented in another language or using quite different technical terms from the way the idea is expressed in the patent in question. Thus patent search is a very challenging information retrieval problem.
Patent Search is also economically important. It is difficult to estimate the total value of the patents in the world economy, but it certainly runs into many billions of euros, and many thousands of people around the world are employed in the patent ecosystem: in Patent Offices; patent attorneys; translators; software and data suppliers; and elsewhere.
The talk will overview the field of patent search, relate it to developments in semantic search, and in particular review some of the recent work reported in our new book “Current Challenges in atent Information Retrieval”.
Managing director Markus Klemen gave two talks at the BildungOnline conference in Hall in Tirol focusing on Security in Social Media. The Austrian Computer Society (OCG) organized the talk. The target audience were teachers, students and parents. Information about the talk, including the presentation sheets may be found at http://journal.ocg.at/index.php/bildung-karriere/1315.
Ivona Brandic, Energy Efficient Clouds
May 31, 10am SBA
Cloud computing is a promising technology for the realization of large, scalable, and on-demand provisioned computing infrastructures. Currently, many enterprises are adopting this technology to achieve high performance and scalability for their applications while maintaining low cost. Service provisioning in the Cloud is based on a set of predefined non-functional properties specified and negotiated by means of Service Level Agreements (SLAs). Cloud workloads are dynamic and change constantly. Thus, in order to reduce steady human interactions, self-manageable Cloud techniques are required to comply with the agreed customers’ SLAs. In this talk we discuss flexible and reliable management of SLAs, which is of paramount importance for both Cloud providers and consumers. On the one hand, the prevention of SLA violations avoids penalties that are costly to providers. On the other hand, based on flexible and timely reactions to possible SLA violation threats, user interaction with the system can be minimized enabling Cloud computing to take roots as a flexible and reliable form of on-demand computing. Furthermore, a trade-off has to be found between proactive actions that prevent SLA violations and those that reduce energy consumption, i.e., increase energy efficiency.
Im Rahmen von IMPACT 2011 fanden vier interessante Vorträge statt.
Prof. Dr. Stefan Katzenbeisser – TU Darmstadt – Privacy by Design – Technischer Datenschutz für hochsensible Daten
Prof. Davide Balzarotti, Ph.D. – EURECOM Sophia Antipolis – G-Free: Defeating Return-Oriented Programming through Gadget-less Binaries
Prof. Dr. Günther Pernul – Universität Regensburg – On the Maturity of RBAC – A Survey and Classification of the Research Area
Günther Wiesauer – CEO Underground_8, Linz – Sicherheitsarchitektur für moderne Firewallsysteme
(more…)
Markus Huber will hold a seminar on Social Network Security at the DSV Form in Stockholm on the 19th of May.
May 10, 2011, 10am @ SBA: Designing Truthful Mechanisms
Angelina Vidali
In this talk I will present my work on many different aspects of one of the most fundamental problems in algorithmic game theory (and more specifically algorithmic mechanism design), the problem of scheduling unrelated machines to minimize the makespan and I will also explain its connection with the problem of designing truthful combinatorial auctions. We assume that the machines behave like selfish players: they have to get paid in order to process the tasks, and would lie about their processing times if they could increase their utility in this way. The problem was proposed and studied in the seminal paper of Nisan and Ronen, where it was shown that the approximation ratio of mechanisms is between 2 and n.
While performing traffic analysis on the current development version of Orbot, the official Android for Tor app, Manuel Leithner (Junior Researcher, SBA Research gGmbH) discovered that certain types of traffic (including VPN, GPS and videos) were not tunnelled through Tor. He subsequently developed a patch that enables full and enforced transparent proxying for all TCP and DNS traffic through the anonymisation service.
Sensitivity Based Generalization Error for Single and Multiple Classifier Systems with Applications
Abstract
Generalization error model provides a theoretical support for a classifier’s performance in terms of prediction accuracy. However, existing models give very loose error bounds. This explains why classification systems generally rely on experimental validation for their claims on prediction accuracy. In this talk we will revisit this problem and explore the idea of sensitivity measure in developing a new generalization error model based on the assumption that only prediction accuracy on unseen points in a neighborhood of a training point will be considered, since it will be unreasonable to require a classifier to accurately predict unseen points “far away” from training samples. Relationship between the new model and the regularization technique will be examined and a number of generic as well as domain specific applications will be presented.
Daniel S Yeung, Chair Professor, School of Computer Science and Engineering, South China University of Technology, Guangzhou, China, Junior Past President, IEEE Systems, Man and Cybernetics Society, Fellow of IEEE
Martin Mulazzani now works on Trudie (TRUDIE – Trust Relationships in the Underground Economy, Sponsor: FIT-IT Trust in IT-Systems 3. Call, Austria)
Our paper Dark Clouds on the Horizon: Using Cloud Storage as Attack Vector and Online Slack Space was accepted. Unfortunately we cannot provide a preprint because the affected vendor(s) still need the time to fix some things…
Rails 3.0.5 doesn’t validate the input for the X-Forwarded-For field in the header sent by clients with a class C remote-addr. (see: TRUSTED_PROXIES). (Security Focus, more details…)
We are happy to have Gilbert Wondracek as a senior researcher on our team.
His last two IEEE S&P papers:
Interdependencies among Critical Infrastructures, both inside the ICT domain and between ICT and other sectors (e.g. Oil&Gas and Transport), are complex to be understood. Critical Infrastructures risks always change due to new threats, interdependencies and possible scenarios. (more…)
