SBA Research is a research center for Information Security funded partly by the national initiative for COMET Competence Centers for Excellent Technologies. Within a network of more than 70 companies, 15 Austrian and international universities and research institutions, and many additional international research partners we jointly work on research challenges ranging from organizational to technical security to strengthen Europe’s Cybersecurity capabilities.

News

Securing XML archives for Search Based Applications – John Tait

Securing XML archives for Search Based Applications (Talk by John Tait; Oct 19; 10am SBA)

There has been a recent trend to produce what are known as Search Based Applications. One strand of this work is based on the observation that many organisations keep legacy transaction-oriented systems up and running in order to allow the information contained in those systems to continue to be accessed for audit and security purposes. This is quite different from the high transaction volumes the systems were originally designed for. So, for example, a credit card company might keep an obsolete retailer and customer service application up and running purely so that security investigators can access historic customer transaction patterns via ad hoc SQL queries.

A better solution would be to archive the data in the transaction system to an XML store, and then use enterprise text search systems, like Lucene or Bing/FAST, to provide the query facilities. However, this raises the question of whether the XML data actually represents the data previously held in the transaction system, or whether the data has been altered in some way.

The seminar will discuss the security issues that search based applications raise and seek to work with the audience to find ways forward with those issues.

CCS 2011: The Power of Procrastination

Clemens Kolbitsch recently finished his PhD  supervised by Engin Kirda and Chris Kruegel. Tomorrow, he will present his paper “The Power of Procrastination: Detection and Mitigation of Execution-Stalling Malicious Code” at CCS 2011. Clemens will shortly join our partner company TLLOD.

Manuel Leithner – ORF

Manuel Leithner presented weaknesses of Facebook, WLANs and Smartphones on ORF (youtube).

Talk on Cloud Security

Edgar Weippl presents the Usenix paper at the Conect Event on Security (schedule).

Data Loss Prevention

“The latest leaks are relatively significant because they involve sensitive data, but technically they are not necessarily elaborate,” says Martin Mulazzani of SBA Research, a Vienna-based research institute for IT security (derstandard.at)

Secure development of web-applications – Secure Coding I + II

Severin Winkler is holding several lessons on secure development of web applications in cooperation with CON•ECT. The core components of these talks are the top ten security risks of web applications in 2010 identified by OWASP. The lessons include advanced security topics necessary for the development of modern web applications and focus on attack scenarios and counter strategies.

Guest speaker Melanie Volkamer: Usable Security in the Context of Electronic Elections

The subject of electronic voting has enjoyed several years of considerable interest both from election officials and from IT security and cryptography researchers. The interest of election officials is based especially on the possibility of obtaining fast and accurate results. Scientists are interested in the balance between anonymity and verifiability. Due to the different interests, there exists a gap between the complex but verifiable election protocols that are discussed at conferences and the black-box systems that are used in practice. This gap, which is also evident in many other applications, can only be closed by methods of the research area called ‘Usable Security’. Recent results on the example of the Helios Internet voting system will be presented during the talk. The presentation will also provide an overview of my previous research in the field of electronic voting and on current and planned projects in the area of ‘Usable Security’.

ACSAC 2011: Social Snapshots – Digital Forensics for Online Social Networks

We are going to present our social snapshot forensic tool at the Annual Computer Security Applications Conference (ACSAC) 2011.

Abstract:
Recently, academia and law enforcement alike have shown a strong demand for data that is collected from online social networks. In this work, we present a novel method for harvesting such data from social networking websites. Our approach uses a hybrid system that is based on a custom add-on for social networks in combination with a web crawling component. The datasets that our tool collects contain profile information (user data, private messages, photos, etc.) and associated meta-data (internal timestamps and unique identifiers). These social snapshots are significant for security research and in the field of digital forensics. We implemented a prototype for Facebook and evaluated our system on a number of human volunteers. We show the feasibility and efficiency of our approach and its advantages in contrast to traditional techniques that rely on application-specific web crawling and parsing. Furthermore, we investigate different use-cases of our tool that include consensual application and the use of sniffed authentication cookies. Finally, we contribute to the research community by publishing our implementation as an open-source project.

You can find the paper here: Social Snapshot ACSAC11 preprint

securityconference.ch

Today, Edgar Weippl speaks in Zurich on Cloud Security and takes part in a discussion (more…)

Roundtable: EU-Informationsveranstaltung “Rechtsinformatik”

Edgar Weippl takes part in the round table on electronic identities.
9.00 — 16.30, Haus der Europäischen Union
Wipplingerstraße 35, Vienna

Future Network Zurich: IT-Trends

Edgar Weippl presents SBA’s research on cloud security in Zurich at Future network’s meeting.

Talk on Technical Aspects of Privacy at the Forum Privacy of the Austrian Computer Society

Edgar Weippl gives a presentation of technical options to provide privacy at the Forum Privacy of the Austrian Computer Society. (ORF.at)

CCC – Cloud Computing – Sky-High Expectations or Just Trendy Smoke and Mirrors?

The Consultants Competence Circle is an expert discussion on current topics from business and consulting. Edgar Weippl presents challenges in the field of information security as part of the expert discussion.
29 August, 6 p.m., Schloss Hunyadi, Schlossgasse 6, Maria Enzersdorf. Organised by WKO-NÖ / UBIT.

Japan – Austria Research Workshop

On ARES’ last day, an informal workshop on research collaborations was held. Participants from Japan were Prof. Dr. Ryoichi Sasaki (Tokyo Denki University), Prof. Dr. Noboru Sonehara (National Institute of Informatics), Prof. Dr. Isao Echizen (National Institute of Informatics) and Dr. Sven Wohlgemuth (National Institute of Informatics).

ARES Conference

The ARES conference just started…

Usenix Security 2011: Dark Clouds on the Horizon: Using Cloud Storage as Attack Vector and Online Slack Space

Abstract | Full paper | Video

Reports on Computerworld, Diogo’s blog and more blogs.

Security assessment of HP’s banqpro

Schwachstelle in Konfiguration von UPC Routern

Access Control for Mobile Agents Baggage

Bo Sun, a master’s student from KTH Stockholm, presents her master thesis on Access Control for Mobile Agents Baggage

Bridge Grant accepted: MOdel-Based SEcurity Testing In Practice (MoBSeTIP)

The project “Model-Based Security Testing in Practice (MoBSeTIP)” deals with applying model-based testing (MBT) to information security testing. Specifically, the aim is to automatically generate and execute test cases that cover security aspects of systems. The challenges are finding a suitable modelling language for information security conditions and the practical implementation of automated test case generation. Given that the growing interconnection and complexity of systems is currently leading to more security problems, providing tools for testing such systems is important and of increasing significance for society and the economy.

The focus areas of MoBSeTIP are: (1) providing a modelling language for system security that can represent desired properties and possible attacks, (2) implementing a tool for generating test cases from the available models, (3) applying and evaluating the tools on a concrete project of the company partners, and (4) collaboration at the European level within the ITEA 2 project DIAMONDS (http://www.itea2-diamonds.org/index.html). Both the test case generation tools and the underlying methods are to be contributed there. The findings and evaluation results from further applications and case studies of the European partner companies feed back into MoBSeTIP.

Invited talk: A framework to support alignment of secure software engineering with legal regulations

Authors: Dr. Shareeful Islam, Dr. Haralambos Mouratidis and Prof. Dr. Jan Jürjens

Abstract
Regulation compliance is getting more and more important for software systems that process and manage sensitive information. Therefore, identifying and analysing relevant legal regulations and aligning them with security requirements become necessary for the effective development of secure software systems. Nevertheless, Secure Software Engineering Modelling Languages (SSEML) use different concepts and terminology from those used in the legal domain for the description of legal regulations. This situation, together with the lack of appropriate background and knowledge of laws and regulations, makes it challenging for software developers to elicit security requirements from the relevant laws and regulations and to trace the elicited requirements throughout the development stages. Our work contributes a framework that supports the consideration of laws and regulations during the development of secure software systems. The proposed framework enables software developers (i) to correctly elicit security requirements from the appropriate laws and regulations; and (ii) to trace these requirements throughout the development stages in order to ensure that the design indeed supports the required laws and regulations. Our framework is based on existing work from the area of secure software engineering, and it complements this work with a novel and structured process and a well-defined method.

Short Bio
Dr. Shareeful Islam was awarded his PhD for a software risk management model using a goal-driven approach at the Chair of Software & Systems Engineering (I4), Technische Universität München, Germany. He received an M.Sc. degree in Information Communication System Security (ICSS) from the Royal Institute of Technology, Sweden. He also received an M.Sc. degree in Computer Science (CS) and a B.Sc. (Hons) in Applied Physics and Electronics (APE) from the University of Dhaka, Bangladesh. He completed the ISO 9001:2001 lead auditor certification and is a certified quality management system auditor. He has more than 10 publications in well-recognised journals. His main research interests are in the field of software risk management, software security and privacy. Special interests are risk management models, security and privacy, requirements engineering and modelling.

USENIX Security ’11: Dark Clouds on the Horizon

In August we will present our work on cloud storage security at the 20th USENIX Security Symposium in San Francisco. The paper, in essence, outlines new attacks on cloud storage services that use server-side data deduplication.

It includes a security analysis of Dropbox, a popular cloud storage service. By manipulating the client software, unauthorized data access becomes possible if the hash values of the files are known to an attacker. This attack is completely undetectable to the victim and novel compared to recent attacks discussed in the media. Data possession proofs, which have so far been used to assess whether a cloud storage operator is still in possession of a file, are the only countermeasure.

We further define online slack space as a method to hide data in the cloud to thwart forensic investigations. Compared to regular file slack, all files are stored in the cloud without leaving any evidence on local persistent storage.

You can find the paper here: Dark Clouds on the Horizon: Using Cloud Storage as Attack Vector and Online Slack Space. We have contacted Dropbox and they implemented countermeasures for our attacks while investigating the use of data possession proofs on the client side.
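The countermeasure described above, as an added illustration that is not part of the paper, Dropbox's software or SBA's code: a toy server-side deduplication store with the weak check (a known content hash alone makes a user a reader of the stored blob) beside a hardened check in which the server issues a fresh nonce and the client must answer with an HMAC over the actual file bytes. The single-round HMAC challenge stands in for a real data possession proof, which is a simplification assumed here; the user names and the sample file content are constructed.

```python
"""Toy deduplicating store: hash-only claims versus a possession challenge.

Added illustration only; not the paper's, Dropbox's or SBA's code.
"""
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Set, Tuple


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def possession_proof(data: bytes, nonce: bytes) -> bytes:
    """What an honest client computes: HMAC over the full content, keyed by the nonce.
    Without the content bytes the proof cannot be produced from the hash alone."""
    return hmac.new(nonce, data, hashlib.sha256).digest()


class DedupStore:
    """Stores each distinct blob once and records which users may read it."""

    def __init__(self) -> None:
        self.blobs: Dict[str, bytes] = {}          # content hash -> content
        self.owners: Dict[str, Set[str]] = {}      # content hash -> users allowed to read
        self.pending: Dict[Tuple[str, str], bytes] = {}  # (user, hash) -> outstanding nonce

    def upload(self, user: str, data: bytes) -> str:
        h = sha256_hex(data)
        self.blobs.setdefault(h, data)             # deduplicate: keep one copy
        self.owners.setdefault(h, set()).add(user)
        return h

    # Weak variant: the hash is treated as proof that the user already has the file.
    def claim_by_hash(self, user: str, h: str) -> bool:
        if h not in self.blobs:
            return False
        self.owners[h].add(user)
        return True

    # Hardened variant: the server challenges, the client must prove it holds the bytes.
    def challenge(self, user: str, h: str) -> Optional[bytes]:
        if h not in self.blobs:
            return None
        nonce = secrets.token_bytes(16)
        self.pending[(user, h)] = nonce
        return nonce

    def claim_with_proof(self, user: str, h: str, proof: bytes) -> bool:
        nonce = self.pending.pop((user, h), None)  # single use, so a captured proof cannot be replayed
        if nonce is None:
            return False
        expected = possession_proof(self.blobs[h], nonce)
        if not hmac.compare_digest(expected, proof):
            return False
        self.owners[h].add(user)
        return True

    def download(self, user: str, h: str) -> Optional[bytes]:
        if user in self.owners.get(h, set()):
            return self.blobs[h]
        return None


def demo() -> Dict[str, bool]:
    """Runs both variants against constructed users and returns the outcomes."""
    store = DedupStore()
    secret_file = b"constructed sample: quarterly payroll export"  # constructed content
    h = store.upload("alice", secret_file)

    # Weak path: a party that learned only the hash becomes a reader of the blob.
    hash_only_claim = store.claim_by_hash("mallory", h)
    hash_only_leak = store.download("mallory", h) == secret_file

    # Hardened path: the same hash-only party cannot answer the challenge.
    nonce = store.challenge("eve", h)
    bogus = hmac.new(nonce, h.encode(), hashlib.sha256).digest()  # HMAC over the hash, not the bytes
    proof_claim_without_content = store.claim_with_proof("eve", h, bogus)
    proof_leak = store.download("eve", h) is not None

    # A second legitimate holder of the bytes still deduplicates against the stored copy.
    nonce = store.challenge("bob", h)
    proof_claim_with_content = store.claim_with_proof("bob", h, possession_proof(secret_file, nonce))
    stored_once = len(store.blobs) == 1

    # Replaying the consumed nonce and proof is rejected.
    replayed = store.claim_with_proof("bob", h, possession_proof(secret_file, nonce))

    return {
        "hash_only_claim_accepted": hash_only_claim,
        "hash_only_download_leaks": hash_only_leak,
        "proof_claim_without_content_accepted": proof_claim_without_content,
        "proof_download_leaks": proof_leak,
        "proof_claim_with_content_accepted": proof_claim_with_content,
        "stored_once": stored_once,
        "replayed_proof_accepted": replayed,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The design point is that deduplication itself is kept (Bob's claim still maps onto the single stored copy); what changes is that the server no longer accepts the hash as evidence of possession, and the nonce is consumed on first use so a captured proof is worthless afterwards.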

Jan Svab: FPGA-based Computer Vision Embedded Module

The presentation first covers the basic properties of image local feature extraction algorithms. It then gives a closer description of the algorithm selected for the implementation, SURF, and of the platform, an FPGA. Next it summarises the reasons why a completely new custom solution has been developed. The main concepts of the developed hardware, FPGA and software design are described after that. The presentation concludes with a summary of the module’s key parameters and a short video (1 min) showing the actual image interest point detector results. June 22, 13:30.

Stefan Katzenbeisser on ZDF (German TV)

Stefan Katzenbeisser talks about privacy and mobile security (starting at 14:43)

John Tait: Patent Search- a Challenging Problem!

1030 am: Guest talk by John Tait

Patent Search – a Challenging Problem!

To be valid, a patent has to show that it describes a novel and useful idea. The test of novelty is that at the date of filing there does not exist in the public domain (in another patent, or the academic literature, or elsewhere, for example in the news media) an earlier description of the invention. This earlier, invalidating description might well be presented in another language or using quite different technical terms from the way the idea is expressed in the patent in question. Thus patent search is a very challenging information retrieval problem.

Patent Search is also economically important. It is difficult to estimate the total value of the patents in the world economy, but it certainly runs into many billions of euros, and many thousands of people around the world are employed in the patent ecosystem: in Patent Offices; patent attorneys; translators; software and data suppliers; and elsewhere.

The talk will give an overview of the field of patent search, relate it to developments in semantic search, and in particular review some of the recent work reported in our new book “Current Challenges in Patent Information Retrieval”.
