SBA Research joins the kick-off meeting of the SCOTT project in Graz, Austria on May 22-23, 2017.

“Secure Connected Trustable Things” (SCOTT) brings together 57 partners from 12 countries (EU and Brazil) and from academia and industry alike. The SCOTT consortium will work in the next three years to extend the Internet of Things for wirelessly connected smart sensors and actuators to be used in building and home/smart infrastructure, mobility, health domains ensuring safety and security, privacy and trustability.

Dimitris Simos is invited to the Faculty of Engineering, University of Bergamo, Italy from May 22 to June 5 as visiting scholar. The host is Prof. Angelo Gargantini.

Web browsers were initially designed to retrieve resources on the world wide web in a static manner such that adding security checks in select locations throughout the codebase sufficiently provided the necessary security and privacy guarantees of the web. Instead of opting into security checks wherever resource loads are initiated throughout the codebase, we revamped the security architecture of Firefox so that security checks are performed by default.
This new security enforcement mechanism not only provides the same security guarantees for resource loads which encounter a server-side redirect, but also allows to perform additional privacy checks. For example, Firefox internally extended the Same Origin Policy by an Origin Attributes framework which allows to enforce the First Party Isolation technique for every resource load. First Party Isolation separates browsing contexts by the top-level domain (origin) the user visits to prevent embedded content from tracking users across sites.
Additionally, this new security enforcement mechanism fundamentally enables our HSTS Priming approach, a mechanism which allows to check if a third party HTTP resource is available over HTTPS. Where applicable, this security feature upgrades subresource loads from HTTP to HTTPS.

Bio
Christoph Kerschbaumer is a Web Platform Security and Privacy Engineer at Mozilla with over 10 years of experience in Secure Systems Development. His work focuses on all types of content security ranging from providing safe defaults to fighting cross site scripting as well as preventing man-in-the-middle attacks.
He received his PhD in Computer Science from the University of California, Irvine where he based his research on information flow tracking techniques within web browsers.
Prior to being a graduate research scholar, he received a M.Sc. and B.Sc. in Computer Science from the Technical University Graz, Austria.

Today Peter Kieseberg is giving a talk on „ IT-Compliance in der Praxis – Quo Vadis?” at the “GI Rechtsinformatik Treffen – LegalTech” at the Technical University of Munich.

Martina finally got her PhD officially awarded in today’s ceremony Sub auspiciis Praesidentis.

Our paper ‘“I Have No Idea What I’m Doing” – On the Usability of Deploying HTTPS’ has been accepted for publication at the USENIX Security Symposium 2017, to take place in Vancouver this August. 85 out of 522 submissions (acceptance rate 16%) have been accepted. Kudos to Katharina and Willi!

Abstract: Protecting communication content at scale is a difficult task, and TLS is the protocol most commonly used to do so. However it has been shown that deploying it in a truly secure fashion is challenging for a large fraction of online service operators. While Let’s Encrypt was specifically built and launched to ease the process of TLS deployments, this paper aims to understand the reasons for why it has been so hard to deploy correctly and studies the usability of the TLS deployment process for HTTPS. We performed a series of experiments with 28 knowledgable participants and revealed significant usability challenges that result in weak TLS configurations. Additionally, we conducted expert interviews with 7 experienced security auditors. Our results suggest that the deployment process is far too complex even for people with proficient knowledge in the field, and that server configurations should have stronger security by default. While the results from our expert interviews confirm the ecological validity of the lab study results, they additionally highlight that even educated users prefer solutions that are easy to use. An improved and less vulnerable workflow would be very beneficial to finding stronger configurations in the wild.

On May 11, Edgar Weippl talks about research challenges and research methods in applied information security at the Eleventh IEEE International Conference on Research Challenges in Information Science (RCIS 2017) in Brighton, UK.

CERT.at veranstaltet einmal pro Monat, jeden zweiten Mittwoch im Monat, einen “IT-Security Stammtisch” (Vortrag und anschliessendes Networken bei Speis und Trank im alten AKH). Im Mai haben wir Dr. Martin Schmiedecker (SBA) als Vortragenden gewinnen können.

Titel: Moderne Incident Response

Datum: 10.5.2017, 18:30

Ort: im Seminarraum des ZID, 1.Stock, Neues Institutsgebäude,
Universitätsstrasse 7, Uni Wien.

Abstract
========
This talk is about open-source tools for incident response, covering single PCs up to entire networks. Scalability is key, and I’ll briefly present the tools GRR, osquery and MIG which are developed by Google, Facebook and Mozilla, respectively. Furthermore I’ll discuss why getting a RAM image is so important, and how to efficiently capture network traffic for an entire network. Lastly, obstacles, and why reality is always different than anticipated.

Edgar Weippl presents insights on software security research at a workshop held today in Feldkirch, organized by Bachmann electronic GmbH.

More information here

Katharina Krombholz will present today at the UXCamp+ Vienna on usable security and privacy challenges in a connected world. You can find the full program here.

Members of SBA Research are at Ruhrsec, happening today and tomorrow in Bochum.

You can find the program here and might follow @Fr333k for live updates.

Alexei Zamyatin is working together with K. Wolter, S. Werner, C.E.A. Mulligan, P.G. Harrison and W.J. Knottenbelt at the Imperial College in London.

Last Sunday, students and faculty of SBA Research and TU Wien participated in the 2017 RuCTF Finals competition held in Yekaterinburg, Russia, as members of the team We_0wn_Y0u.

Students are primarily recruited from our “(Advanced) Internet Security” lecture series which is taught together with the Secure Systems Lab of TU Wien. The class is known as the “hacker lecture” at TU Wien. In this lecture students have to circumvent the security of an application approximately every two weeks in a safe environment. This prepares our students for security competitions like this one, as well as for securing commercial servers and networks in the future.

SBA supports this team financially and organizationally.

Martin Schmiedecker passed the exam to become a certified expert witness for the judicial system, for the areas of digital forensics (68.62) and computer security (68.60). Congratulations!

Scientific director Edgar Weippl has been interviewed by Austrian Broadcasting (ORF) radio channel OE1 on how to cope with password issues. The abstract of the interview can be found at www.orf.at, mobile version here.

Tomasz Miksa co-authored a whitepaper on machine-actionable data management plans (maDMPs). The whitepaper was used to seed the discussions at the 9th RDA Plenary in Barcelona, Spain and will lead to the establishment of new RDA groups.

The paper is published in the open-access Research Ideas and Outcomes (RIO) journal under DOI 10.3897/rio.3.e13086 and available for comments from the community, in the true spirit of open science.

The paper presents selected community-generated use cases that reflect the needs of various stakeholders. It also articulates a consensus about the need for a common standard for machine-actionable data management plans to enable future work in this area, thus making research outputs FAIR, i.e., Findable, Accessible, Interoperable, and Reusable.

The ERCIM News No. 109 has just been published at with a special theme on “Autonomous Vehicles“.

SBA Research contributes two articles in the “Research and Innovation” section of the issue. The first article is by Peter Kieseberg, Peter Frühwirt, and Sebastian Schrittwieser on “Security Testing for Mobile Applications“. The second article is by Georg Merzdovnik, Damjan Buhov, Artemios G. Voyiatzis, and Edgar Weippl on “u’smile – Secure Mobile Environments.

The full issue is available in PDF format here.

Members of SBA Research are at the Hagenberg IT Security Forum 2017.

Peter Kieseberg will present about Security in Industry 4.0 and IoT. The description of his talk can be found here. See also the full agenda.

Last Thursday, Katharina Krombholz visited Srdjan Capkun’s group at ETH Zurich and gave a talk on her research in usable security and privacy in the course of the ZISC lunch time seminar series.

The abstract of her talk can be found here.