SBA Research is a research center for Information Security funded by the national initiative for COMET Competence Centers for Excellent Technologies. We bring together 25 companies, 4 Austrian universities, one university of applied sciences, a non-university research institute, and many international research partners to jointly work on challenges ranging from organizational to technical security.
ISIS @ TU Wien, IAIK @ TU Graz, DKE @ Uni Wien, NM @ WU Wien, FH St. Pölten, AIT


SBA Research at #CCCamp15

Members of SBA are at the CCC Camp in Mildenberg, Germany, which takes place in an old brick factory from August 13-17, 2015. Besides attending talks on new attacks, they will participate in the CTF and present some of their work in workshops & lightning talks.

Security Afterworks: Hacking Team Hacked? –> video available on YouTube

The video presentation of the Security Afterworks Summer Special: Hacking Team Hacked? is now available on YouTube. The summer special took place on August 6, 2015 at SBA Research. More Information

Paper accepted @ ISSRE 2015

The paper “Exciting FPGA Cryptographic Trojans using Combinatorial Testing” by Paris Kitsos (TEI of Western Greece and Industrial Systems Institute/RC ‘Athena’), Dimitris E. Simos (SBA Research), Jose Torres-Jimenez (CINVESTAV-Tamaulipas) and Artemios G. Voyiatzis (SBA Research and Industrial Systems Institute/RC ‘Athena’) has been accepted for publication in the 26th IEEE International Symposium on Software Reliability Engineering (ISSRE 2015). ISSRE is one of the leading conferences for software reliability and testing. The results of this work establish a new research field for combinatorial testing and hardware malware detection.

ISSRE 2015 takes place from November 2 to November 5, 2015 in Gaithersburg, MD, USA and is ranked as A-Conference in CORE.

Bernhard Garn @ QRS 2015

On August 4th, 2015 Bernhard Garn presents the paper “Attack Pattern-Based Combinatorial Testing with Constraints for Web Security Testing” at the IEEE International Conference on Software Quality, Reliability and Security 2015 (QRS 2015). The paper is a joint work between the Graz University of Technology (J. Bozic and F. Wotawa) and SBA Research (B. Garn, I. Kapsalis, D. Simos, S. Winkler). The results of the paper establish CT as an alternative method for web application security testing (focussing on XSS attacks), in particular when compared to fuzzers.

QRS 2015 takes place in Vancouver, Canada from August 03-05, 2015.

Aaron Zauner presented preliminary results on TLS usage in email

Aaron Zauner presented our preliminary results on the usage of TLS in the email ecosystem at the IETF meeting last week. As part of our project TLSiP we are actively scanning the Internet (/0) for TLS configurations as well as the problems with them.

As expected, TLS in email is way worse than in HTTPS: RC4 is supported by up to 80% across protocols, half of the certificates are self-signed and weak ciphers like RC2-CBC-MD5 are accepted by 40% of the servers using SMTP.

You can find the slides of his presentation here.
A recording of his talk is available here (starting around minute 36).

Artemios G. Voyiatzis stays at SBA Research

After a fruitful semester at SBA Research during his sabbatical leave between February and July 2015, Artemios G. Voyiatzis will be joining SBA Research in August 2015 and will further develop our research programme. Artemios, a designated ACM Senior Member (2015), also joins the Vienna ACM SIGSAC Chapter. With Artemios on board, SBA Research is now represented by two members in the ERCIM Security and Trust Management (STM) Working Group.

SBA Research joins ECSEL Austria

SBA Research joins ECSEL Austria.

Bernhard Garn and Dimitris Simos @ ACA 2015

At the Applications of Computer Algebra Conference (ACA 2015), Bernhard Garn and Dimitris Simos give a talk about “Algebraic Modelling of Covering Arrays”. They present a novel approach to model Covering Arrays, which are at the center of their research field Combinatorial Testing. This theoretical result can be directly used to advance and enhance techniques used in Combinatorial Testing.

ACA 2015 takes place in Kalamata, Greece from July 20-23, 2015.

Katharina Krombholz @ SOUPS 2015

Katharina Krombholz is currently attending SOUPS 2015 (Symposium on usable privacy and security) in Ottawa, Canada. Today, she presented a position paper at the Workshop on Inclusive Privacy and Security and participated in a panel discussion on methods.

Markus Klemen on his goals at the OCG

“The OCG has won the ECDL Best Practice Award in the category “ECDL in Society” through the work of the Österreichischer Integrationsfonds. This shows that further-education measures such as ECDL and ECDL Advanced are of fundamental importance for people with a migration background. For the OCG to contribute here actively, constructively and supportively with regard to IT is, for me, the order of the day.” Markus Klemen on his goals as the new president (as of June 2015) of the Österreichische Computer Gesellschaft (OCG), in a press release that can be read here: APA

Article in Computerwelt


RC4 is no longer considered secure and should not be used anymore according to RFC7465 (RFC draft). New attacks can be used to decipher communication content, such as session cookies, within days.

Over the past weeks we have been busy scanning more than 2 million HTTPS servers, out of a total of 44 million IPv4-wide, and their detailed TLS configuration using sslyze. From those 2 million scanned hosts, 1.3 million or 61,7% allowed a CipherSuite with RC4, whereas 350.000 (or 16%) even preferred RC4 over more secure ciphers like AES or Camellia.

This does not necessarily mean that users are at risk, since the server picks the cipher to be used. If a modern and up-to-date browser is used, there is little risk for users. Due to the widespread usage of RC4, however, older browsers are at risk. The details on the recent attacks on RC4 can be found here and here, and will be presented in August at USENIX Security 2015; members of SBA Research will be there. RC4 must not be used anymore; details on how this could be prevented can be found at or in RFC7525.

[Update] More details on the numbers:
2.181.846 valid https hosts checked
1.347.105 accept at least one cipher-suite with RC4 enabled
834.741 do not accept one cipher suite with RC4
61.74 % accept RC4

2.181.846 valid https hosts checked
349.677 prefer any RC4 ciphersuite in any TLS version
1.832.169 do not prefer any RC4 ciphersuite
16.03% prefer RC4

Please contact Martin Mulazzani in case of questions.
Press Release RC4
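The difference between a server that accepts RC4 and one that prefers it, and what each means for different clients, as an added example (not SBA Research's scan code). The host names, suite lists and client profiles are constructed, and "prefers" is assumed to mean that an RC4 suite is first in the server's order.

```python
# Added example: constructed data, not output of the scans described above.
# Each host maps to the cipher suites it accepts, in server preference order.
SCAN = {
    "a.example": ["ECDHE-RSA-AES128-GCM-SHA256", "AES128-SHA"],
    "b.example": ["ECDHE-RSA-AES128-GCM-SHA256", "AES128-SHA", "RC4-SHA"],
    "c.example": ["RC4-SHA", "RC4-MD5", "AES128-SHA"],
}

# Hypothetical client profiles (suites offered in the ClientHello).
MODERN = ["ECDHE-RSA-AES128-GCM-SHA256", "AES128-SHA"]  # RC4 removed
FALLBACK = MODERN + ["RC4-SHA"]                          # RC4 as last resort
LEGACY = ["RC4-SHA", "RC4-MD5"]                          # RC4 only


def is_rc4(suite):
    return "RC4" in suite.upper().split("-")


def classify(server_prefs):
    """Return (accepts_rc4, prefers_rc4) for one host.

    Assumption: 'prefers' means an RC4 suite is first in the server's order.
    """
    accepts = any(is_rc4(s) for s in server_prefs)
    prefers = bool(server_prefs) and is_rc4(server_prefs[0])
    return accepts, prefers


def negotiate(server_prefs, client_offer):
    """Server-side selection: first server-preferred suite the client offers."""
    offered = set(client_offer)
    for suite in server_prefs:
        if suite in offered:
            return suite
    return None  # no common suite: the handshake fails


def summarize(scan):
    """Count hosts that accept / prefer RC4, mirroring the update figures."""
    flags = [classify(prefs) for prefs in scan.values()]
    return {"hosts": len(flags),
            "accept_rc4": sum(a for a, _ in flags),
            "prefer_rc4": sum(p for _, p in flags)}


def exposure(scan, client_offer):
    """Hosts on which this client ends up negotiating an RC4 suite."""
    return sorted(h for h, prefs in scan.items()
                  if (n := negotiate(prefs, client_offer)) and is_rc4(n))
```

A client that no longer offers RC4 is never exposed, a client that keeps RC4 as a fallback is exposed only on hosts that prefer it, and an RC4-only client is exposed on every host that accepts it.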

Article in

Mission für mehr IT-Security (Mission for more IT security)

Katharina Krombholz in Der Standard on her research into improving the usability of technologies.
The article can be read here.

Prize Competition: “Start Secure 2015”

SBA Research, the Federal Ministry of the Interior, and the Kuratorium Sicheres Österreich are organising a competition for IT security Start-ups and ideas for cybersecurity solutions.

The deadline for submissions (in German or English) is September 30, 2015.

Competition entries are to be sent to A jury will select the best five entries; the winners will be announced at the end of October 2015.

The prizes are:

  • 1st place: 10.000 €
  • 2nd place: 5.000 €
  • 3rd place: 3.000 €
  • 4th and 5th place: 1.000 €

For more information please see:

Details on Internet-wide Scans from SBA

To clarify what we are scanning on the Internet, here are some details on the project and which tools we use. Most importantly: if you want your IP to be excluded from future scans, please send an email to

For quite some time now we have been scanning Internet-wide for well-known ports that use TLS, most notably HTTPS and XMPP-related ports as well as all email protocols that support TLS or STARTTLS. For that we use sslyze, with masscan or zmap for discovery; the latter are tools that can scan the entire IPv4 range within minutes (given a fast enough Internet connection).

You can find a project description of TLSiP here (unfortunately German-only). Please contact Martin Mulazzani if you have any questions.

Katharina Krombholz awarded as Fem Tech Expert

Katharina Krombholz, researcher at SBA Research, has been awarded as Fem Tech Expert of the month July by the Austrian Ministry for Transport, Innovation and Technology. The goal of this initiative is to promote successful female scientists in technical fields.
See the interview:

Guest Talk: Soft Biometrics: Applications in Security, Beauty Estimation and Healthcare

Antitza Dantcheva, post-doctoral fellow at the STARS team, INRIA Sophia Antipolis, France, gives a guest talk about “Soft Biometrics: Applications in Security, Beauty Estimation and Healthcare”. Abstract

Tuesday, 07.07.2015, 14:00-15:00

This event is hosted by the Vienna ACM SIGSAC Chapter.

Dimitris Simos @ INRIA

Dimitris Simos is visiting INRIA Paris-Rocquencourt during 6 – 11 July. He is hosted by the project team SECRET.