Publication


Featured research published by Edgar R. Weippl.


Elearn | 2005

Security in e-learning

Edgar R. Weippl

Quick Start.- Authors.- Teachers.- Managers.- Students.- In-Depth.- Protecting Content.- Security Risk Analysis.- Personal Security Checklist.- Access Control, Authentication & Auditing.- Cryptography.- Additional Resources.- PGP - Pretty Good Privacy.- Plagiarism Detection and Prevention.


hawaii international conference on system sciences | 2007

Security Ontologies: Improving Quantitative Risk Analysis

Andreas Ekelhart; Stefan Fenz; Markus D. Klemen; Edgar R. Weippl

IT-security has become a much diversified field and small and medium sized enterprises (SMEs), in particular, do not have the financial ability to implement a holistic IT-security approach. We thus propose a security ontology, to provide a solid base for an applicable and holistic IT-security approach for SMEs, enabling low-cost risk management and threat analysis. Based on the taxonomy of computer security and dependability by Landwehr, a heavy-weight ontology can be used to organize and systematically structure knowledge on threats, safeguards, and assets. Using this ontology, each threat scenario can be simulated with a different protection profile as to evaluate the effectiveness and the cost/benefit ratio of individual safeguards.


advances in mobile multimedia | 2010

QR code security

Peter Kieseberg; Manuel Leithner; Martin Mulazzani; Lindsay Munroe; Sebastian Schrittwieser; Mayank Sinha; Edgar R. Weippl

This paper examines QR Codes and how they can be used to attack both human interaction and automated systems. As the encoded information is intended to be machine readable only, a human cannot distinguish between a valid and a maliciously manipulated QR code. While humans might fall for phishing attacks, automated readers are most likely vulnerable to SQL injections and command injections. Our contribution consists of an analysis of the QR Code as an attack vector, showing different attack strategies from the attacker's point of view and exploring their possible consequences.


international conference on communications | 2010

A frame of reference for research of integrated governance, risk and compliance (GRC)

Nicolas Racz; Edgar R. Weippl; Andreas Seufert

Governance, Risk and Compliance (GRC) is an emerging topic in the business and information technology world. However to this day the concept behind the acronym has neither been adequately researched, nor is there a common understanding among professionals. The research at hand provides a frame of reference for research of integrated GRC that was derived from the first scientifically grounded definition of the term. By means of a literature review the authors merge observations, an analysis of existing definitions and results from prior surveys in the derivation of a single-phrase definition. The definition is evaluated and improved through a survey among GRC professionals. Finally a frame of reference for GRC research is constructed.


workshop on information security applications | 2015

Advanced social engineering attacks

Katharina Krombholz; Heidelinde Hobel; Markus Huber; Edgar R. Weippl

Social engineering has emerged as a serious threat in virtual communities and is an effective means to attack information systems. The services used by today's knowledge workers prepare the ground for sophisticated social engineering attacks. The growing trend towards BYOD (bring your own device) policies and the use of online communication and collaboration tools in private and business environments aggravate the problem. In globally acting companies, teams are no longer geographically co-located, but staffed just-in-time. The decrease in personal interaction combined with a plethora of tools used for communication (e-mail, IM, Skype, Dropbox, LinkedIn, Lync, etc.) create new attack vectors for social engineering attacks. Recent attacks on companies such as the New York Times and RSA have shown that targeted spear-phishing attacks are an effective, evolutionary step of social engineering attacks. Combined with zero-day-exploits, they become a dangerous weapon that is often used by advanced persistent threats. This paper provides a taxonomy of well-known social engineering attacks as well as a comprehensive overview of advanced social engineering attacks on the knowledge worker.


pacific rim international symposium on dependable computing | 2007

Information Security Fortification by Ontological Mapping of the ISO/IEC 27001 Standard

Stefan Fenz; Gernot Goluch; Andreas Ekelhart; Bernhard Riedl; Edgar R. Weippl

This paper introduces an ontology-based framework to improve the preparation of ISO/IEC 27001 audits, and to strengthen the security state of the company respectively. Building on extensive previous work on security ontologies, we elaborate on how ISO/IEC 27001 artifacts can be integrated into this ontology. A basic introduction to security ontologies is given first. Specific examples show how certain ISO/IEC 27001 requirements are to be integrated into the ontology; moreover, our rule-based engine is used to query the knowledge base to check whether specific security requirements are fulfilled. The aim of this paper is to explain how security ontologies can be used for a tool to support the ISO/IEC 27001 certification, providing pivotal information for the preparation of audits and the creation and maintenance of security guidelines and policies.


IEEE Internet Computing | 2011

Friend-in-the-Middle Attacks: Exploiting Social Networking Sites for Spam

Markus Huber; Martin Mulazzani; Edgar R. Weippl; Gerhard Kitzler; Sigrun Goluch

Friend-in-the-middle attacks on social networking sites can be used to harvest social data in an automated fashion. Attackers can then exploit this data for large-scale attacks using context-aware spam and social phishing. The authors prove the feasibility of such an attack and simulate the impact on Facebook. Alarmingly, all major social networking sites are vulnerable to this attack because they fail to appropriately secure the network layer.


annual computer security applications conference | 2011

Social snapshots: digital forensics for online social networks

Markus Huber; Martin Mulazzani; Manuel Leithner; Sebastian Schrittwieser; Gilbert Wondracek; Edgar R. Weippl

Recently, academia and law enforcement alike have shown a strong demand for data that is collected from online social networks. In this work, we present a novel method for harvesting such data from social networking websites. Our approach uses a hybrid system that is based on a custom add-on for social networks in combination with a web crawling component. The datasets that our tool collects contain profile information (user data, private messages, photos, etc.) and associated meta-data (internal timestamps and unique identifiers). These social snapshots are significant for security research and in the field of digital forensics. We implemented a prototype for Facebook and evaluated our system on a number of human volunteers. We show the feasibility and efficiency of our approach and its advantages in contrast to traditional techniques that rely on application-specific web crawling and parsing. Furthermore, we investigate different use-cases of our tool that include consensual application and the use of sniffed authentication cookies. Finally, we contribute to the research community by publishing our implementation as an open-source project.


ACM Computing Surveys | 2016

Protecting Software through Obfuscation: Can It Keep Pace with Progress in Code Analysis?

Sebastian Schrittwieser; Stefan Katzenbeisser; Johannes Kinder; Georg Merzdovnik; Edgar R. Weippl

Software obfuscation has always been a controversially discussed research area. While theoretical results indicate that provably secure obfuscation in general is impossible, its widespread application in malware and commercial software shows that it is nevertheless popular in practice. Still, it remains largely unexplored to what extent today’s software obfuscations keep up with state-of-the-art code analysis and where we stand in the arms race between software developers and code analysts. The main goal of this survey is to analyze the effectiveness of different classes of software obfuscation against the continuously improving deobfuscation techniques and off-the-shelf code analysis tools. The answer very much depends on the goals of the analyst and the available resources. On the one hand, many forms of lightweight static analysis have difficulties with even basic obfuscation schemes, which explains the unbroken popularity of obfuscation among malware writers. On the other hand, more expensive analysis techniques, in particular when used interactively by a human analyst, can easily defeat many obfuscations. As a result, software obfuscation for the purpose of intellectual property protection remains highly challenging.


Archive | 2012

Multidisciplinary Research and Practice for Information Systems

Gerald Quirchmayr; Josef Basl; Ilsun You; Lida Xu; Edgar R. Weippl

Researchers often have to understand new knowledge areas, and identify research gaps and immature areas in them. They have to understand and link numerous publications to achieve this goal. This is difficult, because natural language has to be analyzed in the publications, and implicit relations between them have to be discovered. We propose to utilize the structuring possibilities of ontologies to make the relations between publications, knowledge objects (e.g., methods, tools, notations), and knowledge areas explicit. Furthermore, we use Kitchenham’s work on structured literature reviews and apply it to the ontology. We formalize relations between objects in the ontology using Codd’s relational algebra to support different kinds of literature research. These formal expressions are implemented as ontology queries. Thus, we implement an immature research area analysis and research gap identification mechanism. The ontology and its relations are implemented based on the Semantic MediaWiki+ platform.

Collaboration


Top Co-Authors

Sebastian Schrittwieser

St. Pölten University of Applied Sciences

A Min Tjoa

Vienna University of Technology

Markus Huber

Vienna University of Technology

Martin Mulazzani

Vienna University of Technology

Katharina Krombholz

Vienna University of Technology

Johanna Ullrich

Vienna University of Technology

Stefan Fenz

Vienna University of Technology

Andreas Ekelhart

Vienna University of Technology

Georg Merzdovnik

Vienna University of Technology
