SBA Research is a research center for Information Security funded partly by the national initiative for COMET Competence Centers for Excellent Technologies. Within a network of more than 70 companies, 15 Austrian and international universities and research institutions, and many additional international research partners we jointly work on research challenges ranging from organizational to technical security to strengthen Europe’s Cybersecurity capabilities.
ISIS @ TU Wien IAIK @ TU Graz DKE @ Uni Wien NM @ WU Wien FH St. Pölten AIT


Blocks and Chains now available

Our book on blockchains has just been published:
Blocks and Chains: Introduction to Bitcoin, Cryptocurrencies, and Their Consensus Mechanisms.
Aljosha Judmayer, Nicholas Stifter, Katharina Krombholz, and Edgar Weippl

SACMAT Panel on Access Control in Mobile Operating Systems

Ninghui Li organized a panel on Access Control in Mobile Operating Systems with Xiaofeng Wang, Aafer Yousra, and Edgar Weippl (SACMAT).

Peter Kieseberg @ Imagine 2017

Today Peter Kieseberg from SBA research is giving a talk on „Big Data im Zeichen der GDPR: Technische Fragen aus der Praxis“ at Imagine 2017.

Empirical Research: Peering, Net Neutrality and Privacy

Edgar Weippl gives a talk on privacy at Iowa State University

Adrian Dabrowski at the ETSI 5G Security Meeting

Adrian Dabrowski is today at the ETSI in Sophia Antipolis, presenting at the ETSI 5G Security workshop, part of the Security Week at ETSI. You can find the Agenda here.


SBA at Linz Cyber Security Conference 2017

Today, Martin Schmiedecker presents at the Linz Cyber Security Conference 2017 on “Online Anonymity beyond Tor”. The slides can be found here.

You can find the full schedule here.

Stefan Jakoubi on putting a focus on visibility

Stefan Jakoubi talks about putting a focus on visibility at the Software Architecture Day organised by CON.ECT Informunity.

Artemios G. Voyiatzis at Cranfield University, UK

Artemios G. Voyiatzis is visiting Cranfield University in the UK. He is hosted by the TES Centre. During his stay, Artemios gives a talk about “Engineering Lifetime Information Security” at the 5th Through-life Engineering Services Summer School (June 5-9, 2017).

A short tour to Bletchley Park nearby and the Colossus computer was very much appreciated.

Peter Kieseberg @ Privacy Forum in Vienna

Today, Vinzenz Heußler (University of Vienna) and Peter Kieseberg (SBA Research) give a talk on “Privacy by Design Data Exchange between CSIRTs” at the Annual Privacy Forum in Vienna.

Invited Talk at SPI 2017 on Empirical Research, Privacy and Usability

Edgar Weippl gives an invited talk at SPI 2017 in Brno.

Colloquium Talk by Dimitris Simos @ University of Bergamo

Dimitris Simos is invited to give a colloquium talk at the University of Bergamo, Italy regarding “combinatorial methods and algorithms in security testing”.

Secure Connected Trustable Things (SCOTT) project kick-off

SBA Research joins the kick-off meeting of the SCOTT project in Graz, Austria on May 22-23, 2017.

“Secure Connected Trustable Things” (SCOTT) brings together 57 partners from 12 countries (EU and Brazil) and from academia and industry alike. The SCOTT consortium will work in the next three years to extend the Internet of Things for wirelessly connected smart sensors and actuators to be used in building and home/smart infrastructure, mobility, health domains ensuring safety and security, privacy and trustability.

Dimitris Simos @ University of Bergamo

Dimitris Simos is invited to the Faculty of Engineering, University of Bergamo, Italy from May 22 to June 5 as visiting scholar. The host is Prof. Angelo Gargantini.

Christoph Kerschbaumer: Enforcing Security in Firefox

Web browsers were initially designed to retrieve resources on the world wide web in a static manner such that adding security checks in select locations throughout the codebase sufficiently provided the necessary security and privacy guarantees of the web. Instead of opting into security checks wherever resource loads are initiated throughout the codebase, we revamped the security architecture of Firefox so that security checks are performed by default.
This new security enforcement mechanism not only provides the same security guarantees for resource loads which encounter a server-side redirect, but also allows to perform additional privacy checks. For example, Firefox internally extended the Same Origin Policy by an Origin Attributes framework which allows to enforce the First Party Isolation technique for every resource load. First Party Isolation separates browsing contexts by the top-level domain (origin) the user visits to prevent embedded content from tracking users across sites.
Additionally, this new security enforcement mechanism fundamentally enables our HSTS Priming approach, a mechanism which allows to check if a third party HTTP resource is available over HTTPS. Where applicable, this security feature upgrades subresource loads from HTTP to HTTPS.

Christoph Kerschbaumer is a Web Platform Security and Privacy Engineer at Mozilla with over 10 years of experience in Secure Systems Development. His work focuses on all types of content security ranging from providing safe defaults to fighting cross site scripting as well as preventing man-in-the-middle attacks.
He received his PhD in Computer Science from the University of California, Irvine where he based his research on information flow tracking techniques within web browsers.
Prior to being a graduate research scholar, he received a M.Sc. and B.Sc. in Computer Science from the Technical University Graz, Austria.

Peter Kieseberg @ GI Rechtsinformatik Treffen – LegalTech

Today Peter Kieseberg is giving a talk on „ IT-Compliance in der Praxis – Quo Vadis?” at the “GI Rechtsinformatik Treffen – LegalTech” at the Technical University of Munich.

Congratulations Dr. Martina Lindorfer

Martina finally got her PhD officially awarded in today’s ceremony Sub auspiciis Praesidentis.

Paper accepted at USENIX Security 2017

Our paper ‘“I Have No Idea What I’m Doing” – On the Usability of Deploying HTTPS’ has been accepted for publication at the USENIX Security Symposium 2017, to take place in Vancouver this August. 85 out of 522 submissions (acceptance rate 16%) have been accepted. Kudos to Katharina and Willi!

Abstract: Protecting communication content at scale is a difficult task, and TLS is the protocol most commonly used to do so. However it has been shown that deploying it in a truly secure fashion is challenging for a large fraction of online service operators. While Let’s Encrypt was specifically built and launched to ease the process of TLS deployments, this paper aims to understand the reasons for why it has been so hard to deploy correctly and studies the usability of the TLS deployment process for HTTPS. We performed a series of experiments with 28 knowledgable participants and revealed significant usability challenges that result in weak TLS configurations. Additionally, we conducted expert interviews with 7 experienced security auditors. Our results suggest that the deployment process is far too complex even for people with proficient knowledge in the field, and that server configurations should have stronger security by default. While the results from our expert interviews confirm the ecological validity of the lab study results, they additionally highlight that even educated users prefer solutions that are easy to use. An improved and less vulnerable workflow would be very beneficial to finding stronger configurations in the wild.

Edgar Weippl gives a keynote at RCIS 2017

On May 11, Edgar Weippl talks about research challenges and research methods in applied information security at the Eleventh IEEE International Conference on Research Challenges in Information Science (RCIS 2017) in Brighton, UK.

Modern Incident Response at Stammtisch veranstaltet einmal pro Monat, jeden zweiten Mittwoch im Monat, einen “IT-Security Stammtisch” (Vortrag und anschliessendes Networken bei Speis und Trank im alten AKH). Im Mai haben wir Dr. Martin Schmiedecker (SBA) als Vortragenden gewinnen können.

Titel: Moderne Incident Response

Datum: 10.5.2017, 18:30

Ort: im Seminarraum des ZID, 1.Stock, Neues Institutsgebäude,
Universitätsstrasse 7, Uni Wien.

This talk is about open-source tools for incident response, covering single PCs up to entire networks. Scalability is key, and I’ll briefly present the tools GRR, osquery and MIG which are developed by Google, Facebook and Mozilla, respectively. Furthermore I’ll discuss why getting a RAM image is so important, and how to efficiently capture network traffic for an entire network. Lastly, obstacles, and why reality is always different than anticipated.

Edgar Weippl on software security

Edgar Weippl presents insights on software security research at a workshop held today in Feldkirch, organized by Bachmann electronic GmbH.

More information here

Katharina Krombholz at UXCamp+ Vienna

Katharina Krombholz will present today at the UXCamp+ Vienna on usable security and privacy challenges in a connected world. You can find the full program here.