We will teach a course in the summer school in Italy…
Manuel found and reported a vulnerability. Excerpt from the changelog (Piwik 1.6): “Security: we would like to thank the following people for their responsible disclosure: […] Secure Business Austria […] Thank you to all these people for disclosing security issues to the Piwik team, ensuring a healthy and safe experience for the whole community!“
We present a short overview of security issue in cloud-based storage services at conect’s Webinar series “Security & Risk Management”.
Securing XML archives for Search Based Applications (Talk by John Tait; Oct 19; 10am SBA)
There has been a recent trend to produce what are known as Search Based Applications. One strand of this work is based on the observation that many organisation keep legacy transaction orientated systems up and running in order to allow information contained in those systems to continue to be accessed for audit and security purposes. This is quite different from the high transaction volumes the systems were originally designed for. So for example a credit card might keep an obsolete retailer and customer service applciation up and running purely so security investigators can accessed historic customer transaction patterns via ad hoc SQL queries.
A better solution would be to archive the data in the transaction system to an XML store, and then use enterprise text search systems, like Lucene or Bing/FAST to provide the query facilities. However, this raises the question, does the XML data actually represent the data previously held in the transaction system, or has the data been altered in some way.
The seminar will discuss the security issues search based applications raises and seek to work with the audience to find ways forward with those issues.
Clemens Kolbitsch recently finished his PhD supervised by Engin Kirda and Chris Kruegel. Tomorrow, he will present his paper “The Power of Procrastination: Detection and Mitigation of Execution-Stalling Malicious Code” at CCS 2011. Clemens will shortly join our partner company TLLOD.
Manuel Leithner presented weaknesses of Facebook, WLANs and Smartphones on ORF (youtube).
Edgar Weippl presents the Usenix paper at the Conect Event on Security (schedule).
“Die letzten Veröffentlichungen sind zwar relativ gewichtig, weil es sich um sensible Daten handelt, aber technisch gesehen nicht unbedingt aufwendig”, sagt Martin Mulazzani von SBA Research, einem Wiener Forschungsinstitut für IT-Security (derstandard.at)
Severin Winkler is holding several lessons on secure development of web-applications in cooperation with CON•ECT. The core components of these talks are the top ten security leaks of web applications in 2010 identified by OWASP. The lessons include advanced security topics necessary for the development of modern web-applications and offer a focus on attack scenarios and counter strategies.
Guest speaker Melanie Volkamer: Usable Security in the Context of Electronic Elections
The subject of electronic voting has enjoyed several years of considerable interest both from election officials and IT security and cryptography researchers. The interest of election officials is based especially on the possibility to obtain fast and accurate results. Scientists are interested in the balance between anonymity and verifiability. Due to the different interests, there exists a gap between the complex but verifiable election protocols that are discussed in conferences and the black box-systems that are used in practice. This gap, which is also evident in many other applications, can only be closed by methods of the research area called ‘Usable Security’. Recent results on the example of the Helios Internet voting system will be presented during the talk. The presentation will also provide an overview of my previous research in the field of electronic voting and on current and planned projects in the area of ‘Usable Security’.