First day of ARES Conference, which is held from 24 – 28 August 2015 at the Université Paul Sabatier, organized by SBA Research. We are welcoming 150 participants from more than 35 countries.
Members of SBA are at the CCC Camp in Mildenberg, Germany, which takes place in an old brick factory from August 13-17, 2015. Besides attending talks on new attacks, they will participate in the CTF and present some of their work in workshops & lightning talks.
The video presentation of the Security Afterworks Summer Special: Hacking Team Hacked? is now available on YouTube. The summer special took place on August 6, 2015 at SBA Research.
The paper “Exciting FPGA Cryptographic Trojans using Combinatorial Testing” by Paris Kitsos (TEI of Western Greece and Industrial Systems Institute/RC ‘Athena’), Dimitris E. Simos (SBA Research), Jose Torres-Jimenez (CINVESTAV-Tamaulipas) and Artemios G. Voyiatzis (SBA Research and Industrial Systems Institute/RC ‘Athena’) has been accepted for publication in the 26th IEEE International Symposium on Software Reliability Engineering (ISSRE 2015). ISSRE is one of the leading conferences for software reliability and testing. The results of this work establish a new research field for combinatorial testing and hardware malware detection.
On August 4th, 2015, Bernhard Garn presents the paper “Attack Pattern-Based Combinatorial Testing with Constraints for Web Security Testing” at the IEEE International Conference on Software Quality, Reliability and Security 2015 (QRS 2015). The paper is a joint work between the Graz University of Technology (J. Bozic and F. Wotawa) and SBA Research (B. Garn, I. Kapsalis, D. Simos, S. Winkler). The results of the paper establish CT as an alternative method for web application security testing (focussing on XSS attacks), in particular when compared to fuzzers.
QRS 2015 takes place in Vancouver, Canada from August 03-05, 2015.
Aaron Zauner presented our preliminary results on the usage of TLS in the email ecosystem at the IETF meeting last week. As part of our project TLSiP we are actively scanning the Internet (/0) for TLS configurations as well as the problems with them.
As expected, TLS in email is way worse than in HTTPS: RC4 is supported by up to 80% across protocols, half of the certificates are self-signed and weak ciphers like RC2-CBC-MD5 are accepted by 40% of the servers using SMTP.
After a fruitful semester at SBA Research during his sabbatical leave between February and July 2015, Artemios G. Voyiatzis will be joining SBA Research in August 2015 and will further develop our research programme. Artemios, a designated ACM Senior Member (2015), also joins the Vienna ACM SIGSAC Chapter. With Artemios onboard, SBA Research is now represented by two members in the ERCIM Security and Trust Management (STM) Working Group.
At the Applications of Computer Algebra Conference (ACA 2015), Bernhard Garn and Dimitris Simos give a talk about “Algebraic Modelling of Covering Arrays”. They present a novel approach to model Covering Arrays, which are at the center of their research field Combinatorial Testing. This theoretical result can be directly used to advance and enhance techniques used in Combinatorial Testing.
ACA 2015 takes place in Kalamata, Greece from July 20-23, 2015.
Katharina Krombholz is currently attending SOUPS 2015 (Symposium on Usable Privacy and Security) in Ottawa, Canada. Today, she presented a position paper at the Workshop on Inclusive Privacy and Security and participated in a panel discussion on methods.
“The OCG has won the ECDL Best Practice Award in the category “ECDL in Society” through the work of the Austrian Integration Fund. This shows that further-education measures such as ECDL and ECDL Advanced are of fundamental importance for people with a migration background. For the OCG to contribute here actively, constructively and supportively with regard to IT is, for me, the order of the day.” Markus Klemen on his goals as the new president (as of June 2015) of the Austrian Computer Society (Österreichische Computer Gesellschaft, OCG), in a press release that can be read here: APA
RC4 is no longer considered secure and should not be used anymore according to RFC7465 (RFC draft). New attacks can be used to decipher communication content, like session cookies, within days.
Over the past weeks we have been busy scanning the detailed TLS configuration of more than 2 million HTTPS servers using sslyze, out of a total of 44 million IPv4-wide. From those 2 million scanned hosts, 1.3 million or 61,7% allowed a CipherSuite with RC4, whereas 350.000 (or 16%) even preferred RC4 over more secure ciphers like AES or Camellia.
This does not necessarily mean that users are at risk, since the server picks the cipher to be used. If a modern and up-to-date browser is used, there is little risk for users. Due to the widespread usage of RC4, however, older browsers are at risk. The details on the recent attacks on RC4 can be found here and here, and will be presented in August at USENIX Security 2015; members of SBA Research will be there. RC4 must not be used anymore; details on how this could be prevented can be found at bettercrypto.org or in RFC7525.
[Update] More details on the numbers:
2.181.846 valid https hosts checked
1.347.105 accept at least one cipher-suite with RC4 enabled
834.741 do not accept any cipher suite with RC4
61.74 % accept RC4
2.181.846 valid https hosts checked
349.677 prefer any RC4 ciphersuite in any TLS version
1.832.169 do not prefer any RC4 ciphersuite
16.03% prefer RC4
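The accept/prefer distinction behind these numbers, as an added example (not SBA Research's scan code): a server "accepts" RC4 if any RC4 suite is in its list and "prefers" it if an RC4 suite is its first choice, and the server-side pick decides what a given client ends up with. Host names, cipher lists and the two client profiles are constructed, and the modern client is assumed not to offer RC4 at all.

```python
# Added example: all hosts, clients and cipher lists below are constructed.

def is_rc4(suite):
    return "RC4" in suite

def negotiate(server_pref, client_offer):
    """Return the suite the server picks: the first entry in its own
    preference order that the client also offers (None = handshake fails)."""
    offered = set(client_offer)
    return next((s for s in server_pref if s in offered), None)

def classify(server_pref):
    """(accepts_rc4, prefers_rc4) for one server preference list."""
    accepts = any(is_rc4(s) for s in server_pref)
    prefers = bool(server_pref) and is_rc4(server_pref[0])
    return accepts, prefers

def summarize(hosts):
    """Count hosts that accept / prefer RC4, with percentages of the total."""
    flags = [classify(pref) for pref in hosts.values()]
    total = len(flags)
    accept = sum(a for a, _ in flags)
    prefer = sum(p for _, p in flags)
    return {"total": total, "accept": accept, "prefer": prefer,
            "accept_pct": round(100 * accept / total, 2),
            "prefer_pct": round(100 * prefer / total, 2)}

# Server preference lists, most preferred first (constructed sample data).
HOSTS = {
    "web-a.example": ["ECDHE-RSA-AES128-GCM-SHA256", "AES128-SHA"],
    "web-b.example": ["ECDHE-RSA-AES128-GCM-SHA256", "AES128-SHA", "RC4-SHA"],
    "web-c.example": ["RC4-SHA", "RC4-MD5", "AES128-SHA"],
    "web-d.example": ["AES256-SHA", "CAMELLIA128-SHA", "RC4-MD5"],
}
# Assumption: an up-to-date client no longer offers RC4; a legacy one has little else.
MODERN_CLIENT = ["ECDHE-RSA-AES128-GCM-SHA256", "AES128-SHA", "AES256-SHA"]
LEGACY_CLIENT = ["RC4-MD5", "RC4-SHA", "DES-CBC3-SHA"]

if __name__ == "__main__":
    print(summarize(HOSTS))
    for name, pref in HOSTS.items():
        print(name, "modern:", negotiate(pref, MODERN_CLIENT),
              "legacy:", negotiate(pref, LEGACY_CLIENT))
```

A host that merely accepts RC4 (web-b, web-d) only falls back to it for the legacy client, while a host without RC4 (web-a) refuses that client outright.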
Katharina Krombholz in Der Standard on her research on improving the usability of technologies.
The article can be read here.