Secure Information Technology Center – Austria

Fingerprinting Code of Mobile Applications

Category: IT-Security

The analysis of applications for mobile platforms (Android, iOS) has shown that security-relevant problems are often not to be found in the application code itself, but are introduced by components of third-party software. Often, these problematic code parts are made freely available and are thus found in many applications. If the program code is obfuscated by the manufacturer, it becomes very difficult to find precarious code parts.
Read more…

Device Enrolment Using Flexible Authentication

Category: IT-Security

Managed devices are already established in corporate environments. Small businesses and end users, however, rarely benefit from such complex systems and dedicated infrastructures.
This project compiled concepts for authenticating devices, with a focus on the initial authentication as part of enrolment processes as well as easy and convenient revocation of permissions. This initial authentication needs to be flexible in order to take the different characteristics and features of current devices into account and possibly create device policies on demand.
The actual communication between enrolled devices and a service, on the other hand, should be kept as simple as possible. This is feasible due to virtually all (client) devices supporting technologies like TLS. A demonstrator illustrates that an OS-independent implementation of the proposed concepts is possible.
Read more…

Utilizing Policy Enforcement System to Control Mobile Distributed Applications

Category: Cloud Computing, IT-Security

XACML is the de facto standard among data security policy languages. It makes it possible to centralize the evaluation and administration of access control rules. This project extends XACML to enable centralized control of distributed mobile applications. Without optimizations, applications become unusable due to heavy performance losses.
Furthermore, this concept does not require permanent Internet connectivity on the mobile devices and also works with occasional connectivity to the policy evaluation infrastructure.

Read more…

Traces on the Internet

Category: IT-Security, Web Technologies

Almost all activities on the Internet leave traces, which, when combined accordingly, can help identify an individual with sufficient certainty. One of the main reasons for this is that the technical foundation of the Internet dates back to a time when privacy and data protection were not relevant. However, most of the components involved are considered critical infrastructure and thus cannot simply be replaced. As a result, additional measures need to be taken in order to keep one’s identity secret and to leave as few traces as possible. Many traces are left at the application level in particular.

Read more…

25 July 2017

Blockchain & Smart Contracts

Category: IT-Security

The Blockchain was developed as part of the cryptocurrency Bitcoin by a person or a group of persons using the pseudonym Satoshi Nakamoto. The Blockchain is a distributed ledger that consists of a chain of blocks. The attached report explains different types of Blockchains as well as different consensus algorithms. The report focuses on the Ethereum platform, as it seems to be a promising platform for the execution of so-called smart contracts. Smart contracts are autonomous applications which are executed in the Blockchain network. This provides applications with no downtime and high censorship resistance. Based on Blockchain technology and smart contracts, a messenger was developed.
Read more…

Traffic Analysis of Mobile Applications

Category: IT-Security

As a supporting measure for the inspection of mobile applications, the data sent to and received from the Internet has always been of interest. If data was transferred in plain text, intuitive conclusions could be drawn about its use in the context of a mobile application. Because more and more network traffic is encrypted (HTTPS / TLS), the meaningfulness of captured data packets becomes limited and, consequently, allows only few conclusions to be drawn about the content actually transmitted.
Read more…

24 May 2017

Analysis of Browser-Extensions

Category: IT-Security, Web Technologies

Browser extensions can extend the functionality of modern web browsers almost arbitrarily. However, they are often used for malicious activities, due to their ability to easily access sensitive data (e.g. cookies). Likewise, benign but faulty extensions can be used for targeted attacks by exploiting errors in the implementation. Usually, the security mechanisms of modern browsers provide only limited protection against such attacks. Thus, the present study deals with the dangers posed by benign browser extensions.

Read more…

5 May 2017

State of the Art Services for Direct Communication

Category: Cloud Computing, IT-Security

Direct data transfer and direct communication services are becoming increasingly relevant due to widespread availability of high bandwidth Internet connections. At the same time, some properties of today’s Internet infrastructure overcomplicate the act of establishing direct end-to-end connections. This is mostly due to legacy technologies still dominating some key components of the TCP/IP stack. To make matters worse, this is unlikely to change significantly for the foreseeable future.
Read more…

24 April 2017

Automated Reasoning over Security Policies

Category: Cloud Computing, eGovernment, IT-Security, Web Technologies

Applied approaches on authorization management often focus on a single system or environment, neglecting the need to address the security of data sharing processes that span various entities and organizations.
In the course of this work, we address the shortcomings of existing frameworks by separating authorization management from particular organizations and their business or resource models. We establish a framework that defines abstract means to manage the security of resources distributed across diverse services using unified service and policy description models. Read more…

15 March 2017

Security Aspects of Web-APIs

Category: Cloud Computing, eGovernment, IT-Security, Web Technologies

Web-APIs represent a significant building block of the modern Web. They enable efficient and technology-neutral data and process integration between diverse entities and platforms. As an innovation driver, they facilitate the creation of new business models and products. The broad variety of APIs, as well as the need to efficiently manage their lifecycles, motivated the inception of specifications and tools to ease and accelerate their development and integration in programmatic environments. Read more…