SBA Research is a research center for Information Security funded by the national initiative for COMET Competence Centers for Excellent Technologies. We bring together 25 companies, 4 Austrian universities, one university of applied sciences, a non-university research institute, and many international research partners to jointly work on challenges ranging from organizational to technical security.
ISIS @ TU Wien IAIK @ TU Graz DKE @ Uni Wien NM @ WU Wien FH St. Pölten AIT


Aaron Zauner presented preliminary results on TLS usage in email

Aaron Zauner presented our preliminary results on the usage of TLS in the email ecosystem at the IETF meeting last week. As part of our project TLSiP we are actively scanning the Internet (/0) for TLS configurations as well as its problems with it.

As expected, TLS in email is way worse than in HTTPS: RC4 is supported by up to 80% across protocols, half of the certificates are self-signed and weak ciphers like RC2-CBC-MD5 are accepted by 40% of the servers using SMTP.

You can find the slides of his presentation here.
A recording of his talk is available here (starting around minute 36).

Artemios G. Voyiatzis stays at SBA Research

After a fruitful semester at SBA Research during his sabbatical leave between February and July 2015, Artemios G. Voyiatzis will be joining SBA Research on August 2015 and further develop our research programme. Artemios, a designated ACM Senior Member (2015), also joins the Vienna ACM SIGSAC Chapter. With Artemios onboard, SBA Research is now represented by two members in the ERCIM Security and Trust Management (STM) Working Group.

SBA Research joins ECSEL Austria

SBA Research joins ECSEL Austria.
Ecsel Austria

Bernhard Garn and Dimitris Simos @ ACA 2015

At the Applications of Computer Algebra Conference (ACA 2015), Bernhard Garn and Dimitris Simos give a talk about “Algebraic Modelling of Covering Arrays”. They present a novel approach to model Covering Arrays, which are at the center of their research field Combinatorial Testing. This theoretical result can be directly used to advance and enhance techniques used in Combinatorial Testing.

ACA 2015 takes place in Kalamata, Greece from July 20-23, 2015.

Katharina Krombholz @ SOUPS 2015

Katharina Krombholz is currently attending SOUPS 2015 (Symposium on usable privacy and security) in Ottawa, Canada. Today, she presented a position paper at the Workshop on Inclusive Privacy and Security and participated in a panel discussion on methods.

Markus Klemen über seine Ziele in der OCG

“Die OCG hat über die Arbeit des Österreichischen Integrationsfonds den ECDL Best Practice Award in der Kategorie “ECDL in Society” gewonnen. Das zeigt, dass Weiterbildungsmaßnahmen wie ECDL und ECDL Advanced für Personen mit Migrationshintergrund von grundlegender Bedeutung sind. Sich hier als OCG in Bezug auf IT aktiv, konstruktiv und unterstützend einzubringen, ist für mich ein Gebot der Stunde.” Markus Klemen über seine Ziele als neuer Präsident (mit Juni 2015) der Österreichischen Computer Gesellschaft (OCG) in einer Presseaussendung zu lesen hier: APA

Artikel in der Computerwelt


RC4 is no longer considered secure, and should not be used anymore according to RFC7465 (RFC draft). New attacks can be used to decipher the communication content within days, like session cookies.

The past weeks we have been busy scanning more than 2 million HTTPS servers and their detailed TLS configuration using sslyze, out of a total of 44 million IPv4-wide. From those 2 million scanned hosts, 1.3 million or 61,7% allowed a CipherSuite with RC4, whereas 350.000 (or 16%) even preferred RC4 over more secure ciphers like AES or Camellia.

This does not necessarily mean that users are at risk, since the server picks the cipher to be used. If a modern and up to date browser is used, there is little risk for useres. Due to the widespread usage of RC4 however, older browsers are at risk. The details on the recent attacks on RC4 can be found here and here, and will be presented in August at USENIX Security 2015, members SBA Research will be there. RC4 must not be used anymore, details on how this could be prevented can be found at or in RFC7525.

[Update] More details on the numbers:
2.181.846 valid https hosts checked
1.347.105 accept at least one cipher-suite with RC4 enabled
834.741 do not accept one cipher suite with RC4
61.74 % accept RC4

2.181.846 valid https hosts checked
349.677 prefer any RC4 ciphersuite in any TLS version
1.832.169 do not prefer any RC4 ciphersuite
16.03% prefer RC4

Please contact Martin Mulazzani in case of questions.
Press Release RC4

Article in

Mission für mehr IT-Security

Katharina Krombholz im Standard über ihre Forschung zur Verbesserung der Benutzerfreundlichkeitvon Technologien.
Den Artikel gibt es hier zu lesen.

Mission für mehr IT-Security

Prize Competition: “Start Secure 2015”

SBA Research, the Federal Ministry of the Interior, and the Kuratorium Sicheres Österreich are organising a competition for IT security Start-ups and ideas for cybersecurity solutions.

The deadline for submissions (in German or English) is September 30, 2015.

Competition entries are to be send to A jury will select the best five entries; the winners will be announced at the end of October 2015.

The prizes are:

  • 1st place: 10.000 €
  • 2nd place: 5.000 €
  • 3rd place: 3.000 €
  • 4th and 5th place: 1.000 €

For more information please see:

Details on Internet-wide Scans from SBA

To clarify what we are scanning on the Internet, here are some details on the project and which tools we use. Most importantly: if you want your IP to be excluded from future scans, please send an email to

For quite some time now we scan Internet-wide for well-known ports that use TLS, most notably HTTPS and XMPP-related ports as well as all email protocols that support TLS or STARTTLS. For that we use sslyze and masscan or zmap for discovery, tools that can scan the entire IPv4 range within minutes (given a fast enough Internet connection).

You can find a project description of TLSiP here (unfortunately german-only). Please contact Martin Mulazzani if you have any questions.

Katharina Krombholz awarded as Fem Tech Expert

Katharina Krombholz, researcher at SBA Research, has been awarded as Fem Tech Expert of the month July by the Austrian Ministry for Transport, Innovation and Technology. The goal of this initiative is to promote successful female scientists in technical fields.
See the interview:

Guest Talk: Soft Biometrics: Applications in Security, Beauty Estimation and Healthcare

Antitza Dantcheva, post-doctoral fellow at the STARS team, INRIA Sophia Antipolis, France, gives a guest talk about “Soft Biometrics: Applications in Security, Beauty Estimation and Healthcare”. Abstract

Tuesday, 07.07.2015 , 14:00-15:00

This event is hosted by the Vienna ACM SIGSAC Chapter.

Dimitris Simos @ INRIA

Dimitris Simos is visiting INRIA Paris-Rocquencourt during 6 – 11 July. He is hosted by the project team SECRET.

Digital Business Trends: Ja dürfen die denn das?

Edgar Weippl was on a panel discussion on new business models, technology and legal constraints. “Cloud solutions allow startups to scale their technical infrastructure quickly, but scaling is hard when it comes to different national legal systems” (OTS, Video statements, Photos).

Photos: APA-Fotoservice/Preiss

Blogpost on Globally Scaling Technology and Legal Matter.

ERCIM News No. 102

The ERCIM News No. 102 has just been published at

SBA Research contributed with two articles:
CyPhySec: Defending Cyber-Physical Systems by Johanna Ullrich and Edgar Weippl
CyberROAD: Developing a Roadmap for Research in Cybercrime and Cyberterrorism by Peter Kieseberg

Vienna Cyber Diplomacy Day

Ulrich Bayer, Aljosha Judmayer and Edgar Weippl presented how cyber-fraud is conducted and
use and misuse of BitCoin at the Vienna Cyber Diplomacy Day organized in Hofburg.

Edgar Weippl

SBA Research im Windows Server 2003 noch auf Drittel aller Server: Support-Ende im Juli

“Die IT-Sicherheitsexperten von SBA Research gehen davon aus, dass derzeit noch rund ein Drittel aller Server auf dem veralteten System laufen – und sehen daher entsprechenden Handlungsbedarf. „E-Mail-Server, Web-Server oder gar Netzwerk-Server können nicht mehr sicher gegen Bedrohungen abgeschirmt werden, wenn es keinen aktuellen Support dafür gibt. Das stellt eine enorme Gefahrenquelle für Unternehmen dar, da sie dadurch angreifbar von außen sind. Ein IT-Sicherheitsrisiko, das sich durch den Umstieg auf aktuelle Systeme jedoch leicht vermeiden lässt“, so Andreas Tomek.”



SBA Research sends several students to IPICS, Edgar Weippl gives a lecture and we also sponsor the summer school.

Researchers of SBA Research found several critical security vulnerabilities in the Koha Library software via Combinatorial Testing

Raschin Tavakoli, Bernhard Garn, Peter Aufner and Dimitris Simos of the Combinatorial Security Testing Team of SBA Research found several critical security vulnerabilities in the Koha Library Software. The vulnerabilities involve a variety of serious issues like unauthenticated SQL Injection, Local File Inclusions, XSS and XRFS which allow remote attackers to completely compromise the web application and web server. After a full disclosure to the community the development team of Koha fixed all issues and published a security release. SBA Research would like to thank Chris Cormack and his team.

Koha is a leading open source Integrated Libray Systen (ILS), used world-wide by thousands of public, school and special libraries. It has an active community and several commercial supporters like LibLime, ByWaterSolutionsand and BibLibre. Famous Koha users include the Museum of Natural History in Vienna, the UNIDO library and the Spanish Ministry of Culture.

More details can be found at:

Typical Security Flaws in Large Distributed Systems. E-Health Summit Austria.

Edgar Weippl presents an analysis of typical security flaws found in large distributed systems at the “E-Health Summit Austria“.
Edgar Weippl

SBA Research as experts on “Supernowak”

Katharina Krombholz and Matthias Gusenbauer served as IT experts on “Supernowak”, produced by Puls4 and broadcasted on June 11, 2015. Together with Rainhard Nowak they showed how many data one is unknowingly releasing while shopping, running or googling.