Secure Information Technology Center – Austria

Static Analysis of Windows Phone Applications

Category: IT-Security

The objective of the project was to analyse a number of Windows Phone apps for common security issues. It started with the manual analysis of selected applications. It soon became evident that many of the analysis steps can easily be automated to save time. Another observation was that several applications suffer from similar security issues.
Read more…

Browser Plugin to interact with SkyTrust

Category: IT-Security

Online services for data storage (e.g. Dropbox, Google Drive) provide no ability to encrypt stored data prior to the actual upload process. Desktop programs from third-party vendors are in principle capable of supplying this functionality. However, these applications are likely not available for specific (mobile) operating systems or fail to protect sensitive key material adequately. As a consequence, in this project a browser plugin for Google Chrome has been developed as a proof of concept which rewrites existing browser interfaces in order to insert a transparent encryption layer. Instead of relying on third-party desktop applications, cryptographic operations are performed on a secure platform, named SkyTrust, which also protects the key material used. The advantage of this approach is that existing web applications require no adaptation in order to cryptographically protect a user’s data. Read more…

Platform Independent CMA System

Category: Cloud Computing, IT-Security

Despite their continuously growing popularity, mobile end-user devices still suffer from limited computing resources. This complicates the use of complex mobile applications that require resource-intensive computations.
Recently, several frameworks have been developed that enable mobile applications to follow the cloud-based mobile augmentation (CMA) approach. This approach defines a strategy to dynamically outsource resource-intensive tasks to external resources. None of the existing frameworks focuses on cross-platform applicability and interoperability issues. It turns out that all of the existing frameworks are tailored to specific platforms and specific operating systems. Furthermore, security is not tackled at all by any of the frameworks.
Read more…

Static analysis of selected Android applications

Category: IT-Security

This project analyzed how well a set of selected applications withstands real-world threats. Based on current attack vectors, we derived concrete inspection criteria and applied them to our dataset. As a result, we uncovered deficiencies in 8 of 10 analyzed applications. The issues found significantly undermine the achievable security level and can lead to the exposure of secrets and the leak of sensitive data to unrelated parties. Read more…

Firefox plugin highlighting security information

Category: IT-Security

Typically, browsers keep the display of security-related information about visited web pages to a minimum. While it is clearly indicated whether the connection to a server is encrypted, more fine-grained information is not displayed or can only be retrieved with considerable effort.

As a consequence, the objective of this project was to develop an extensible add-on for Mozilla Firefox which inspects visited domains regarding security-critical aspects and summarizes the results for security-conscious users. Read more…

20 June 2015

Analysis of Windows Phone Applications

Category: IT-Security

This document provides an overview of current possibilities regarding application analysis on the Windows Phone 8 and 8.1 platform. For this, it lists possible application sources, explains the different Windows Phone unlocking stages, and finally describes possible analysis methods. The document is meant to be a short study on these two aspects; reference is made to further, more comprehensive work. It concludes that the Windows platform and its applications offer great possibilities regarding application analysis.

Read more…

TPMv2 Analysis

Category: IT-Security

The “Trusted Computing” technology offers interesting concepts and methods to increase the trustworthiness of connected systems. By adding a new component to a computer, it is possible to watch the behaviour of the computer and protect it from unwanted behaviour caused by malicious software. Trusted Computing does not only protect local systems, it also helps to attest the state of a remote system. In 2009, A-SIT evaluated “Trusted Computing” and its central component, the Trusted Platform Module. The study (DE) dealt with TPM v1.2, which was rolled out to the mass market.

Recently the Trusted Computing Group introduced the updated TPM v2 specification. While the new version is not yet integrated into mass-market systems, some manufacturers provide first chip samples. A-SIT analysed the TPM v2 specifications and synthesized a TPM v2 emulator from the specifications. The results are currently being prepared and will be released soon.

Citizen Card Plugin for KeePass

Category: IT-Security

KeePass is a free password manager. It can protect your passwords using a master password, a key file, or by binding it to the Windows account.

This A-SIT plugin extends the functionality of KeePass. It adds support for the Austrian Citizen Card (Ecard G2 & G3 cards, ACOS cards). With this plugin you can use your Citizen Card to protect your password database. The plugin generates a random key and encrypts it with the Citizen Card. Every time the database is unlocked, the plugin decrypts the key using your smartcard and PIN. Additionally, you can use a password or bind the database to your Windows account to further increase the security.

Read more…

Threats posed by malicious USB devices

Category: IT-Security

The flexibility of USB supports the integration of a variety of devices via a common interface without authentication. Since a computer cannot recognize a USB device until it is connected, it identifies a device by using the information the device provides about itself. A user, in turn, expects USB devices to provide the functionality they are designed for. In the recent past, manipulated USB devices have appeared that current protection measures cannot detect as a threat.

Within the scope of a short study, known methods that enable the manipulation of USB devices in order to attack a computer have been summarized. After a brief introduction to the USB standard, known attack vectors are outlined. Particular attention has been paid to the manipulation of the firmware of USB flash drives (“BadUSB” attack). Practical case studies have been used to highlight the problem and to illustrate the possible consequences of an attack. Finally, the use of possible protective mechanisms has been discussed.
Read more…