"An effective attack method based on
  information exposed by search engines" by Antonios Gouglidis,
  University of Macedonia

"Eavesdropping on encrypted VoIP
  conversations: phrase spotting attack and defense approaches" by Vasily Prokopov, KTH Royal Institute
  of Technology

"Schnorr signcryption" by Laura Savu, University of
  Bucharest

"Security techniques for protecting data
  in the cloud" by Venkata Sravan Kumar
  Maddineni
, Blekinge Institute of Technology

"Concept and development of a Facebook
  application to raise security and risk awareness regarding social
  engineering" by Iwan Gulenko,
  Technical University Munich

"Fingerprinting Tor" by Pablo Carballude González,
  University of Birmingham

"The state of industrial control systems
  security and national critical infrastructure protection" by Adesina Tinuade, Lulea
  University of Technology

"A mobile application for preventing
  online sexual exploitation attacks" by Dimitrios
  Michalopoulos
, University of Macedonia

"Detecting flooding attacks using
  power" by Jean Tajer,
  University of Paris Descartes (via skype)

"Knowledge of information security
  issues – a senior management and educational perspective" by Sarfraz Iqbal, Lulea
  University of Technology

"Key factors and challenges for the
  successful development of the e-security aspect of an organization’s security
  policy: an IS design and e-services approach" by Ali Mohammad Padyab, Lulea
  University of Technology

"Design of a security protocol for the
  mTAN procedure" by Daniel Zelle,
  University of Paderborn

 

Panel Discussion: "The Future of the Internet"

 

An effective attack method based on information exposed by search engines

Web 2.0 consists one of the most emergent technologies of the World Wide Web. This type of technologies can be made available to consumers through a series of web services. Nevertheless, as a relative new approach, it is prone to various security issues. One of these is the potential to use web services provided by search engines such as Google’s and Microsoft’s Bing, in order to identify and attack vulnerable systems. In this paper, we describe a 3-step methodology that can be fully automated in order to deploy massive attacks against vulnerable systems. The methodology described takes advantage of the Google Hacking technique and extends it with two more steps that of information manipulation and the deployment of an exploit. An implementation of a python script demonstrates the applicability and the efficiency of the proposed attack. A real-world example, taking advantage of the JBoss JMX Management Console faulty configuration, indicates the extension of the problem. We anticipate this initiative to help in the identification of similar attack methods and the development of newly and more effective countermeasures against this type of attack methods.

 

Eavesdropping on encrypted VoIP conversations: phrase spotting attack and defense approaches

Voice over IP (VoIP) has recently become an important part of our day to day life. As VoIP technology evolves, matures and becomes increasingly popular, it also gains the attention of attackers who wish to eavesdrop on VoIP conversations.

In this paper we first describe an attack that can identify phrases spoken within encrypted VoIP calls under certain (but commonly occurring) circumstances. Then we propose and analyze several methods to protect against phrase spotting attack. Finally, we introduce a model of a voice coder (vocoder) protected from this type of attack.

Schnorr signcryption

This article presents a new signcryption scheme which is based on the Schnorr digital signature algorithm. The new scheme represents my personal contribution to signcryption area. I have implemented the algorithm in a program and here are provided the steps of the algorithm, the results and some examples. The paper also contains the presentation of the original Signcryption scheme, based on ElGamal digital signature and discusses the practical applications of Signcryption in real life. The purpose of the study is to combine the public key encryption with Schnor digital signature in order to obtain less computational and communicational costs. Signcryption primitive is a better approach then Encrypt-then-Sign or Sign-then-Encrypt methods regarding the costs. All these algorithms offer the possibility to transmit a message over an insecure channel providing both authenticity and confidentiality.

Concept and development of a Facebook application to raise security and risk awareness regarding social engineering

Social engineering, in the context of security, is understood to mean the art of manipulating people into performing actions or divulging confidential information. While it is similar to a confidence trick or simple fraud, the term typically applies to trickery or deception for the purpose of information gathering, fraud, or computer system access; in most cases the attacker never comes face-to-face with the victims.

"Social engineering" as an act of psychological manipulation was popularized by hacker-turned-consultant Kevin Mitnick. The term had previously been associated with the social sciences, but its usage has caught on among computer professionals

Fingerprinting Tor

Website fingerprinting is the act of recognizing web traffic through surveillance despite the use of encryption or anonymizing software. The general idea is to leverage the fact that many web sites have specific fixed request patterns and response byte counts that are known beforehand. This information can be used to recognize your web traffic despite attempts at encryption or tunneling. Websites that have an abundance of static content and a fixed request structure tend to be  vulnerable to this type of surveillance. Unfortunately, there is enough static content on most websites for this to be the case.

 

Detecting flooding attacks using power

A UDP flood attack is a denial-of-service (DoS) attack using the User Datagram Protocol (UDP), a sessionless/connectionless computer networking protocol.

Using UDP for denial-of-service attacks is not as straightfforward as with the Transmission Control Protocol (TCP). However, a UDP flood attack can be initiated by sending a large number of UDP packets to random ports on a remote host. As a result, the distant host will:

  • Check for the application listening at that port;
  • See that no application listens at that port;
  • Reply with an ICMP Destination Unreachable packet.

Thus, for a large number of UDP packets, the victimized system will be forced into sending many ICMP packets, eventually leading it to be unreachable by other clients. The attacker may also spoof the IP address of the UDP packets, ensuring that the excessive ICMP return packets do not reach him, and anonymizing the attacker's network location(s).

This attack can be managed by deploying firewalls at key points in a network to filter out unwanted network traffic. The potential victim never receives and never responds to the malicious UDP packets because the firewall stops them.

Knowledge of information security issues – a senior management and educational perspective

Information security means protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction.

The terms information security, computer security and information assurance are frequently used interchangeably. These fields are interrelated often and share the common goals of protecting the confidentiality, integrity and availability of information; however, there are some subtle differences between them.

These differences lie primarily in the approach to the subject, the methodologies used, and the areas of concentration. Information security is concerned with the confidentiality, integrity and availability of data regardless of the form the data may take: electronic, print, or other forms. Computer security can focus on ensuring the availability and correct operation of a computer system without concern for the information stored or processed by the computer. Information assurance focuses on the reasons for assurance that information is protected, and is thus reasoning about information security.

Governments, military, corporations, financial institutions, hospitals, and private businesses amass a great deal of confidential information about their employees, customers, products, research, and financial status. Most of this information is now collected, processed and stored on electronic computers and transmitted across networks to other computers.

Key factors and challenges for the successful development of the e-security aspect of an organization’s security policy: an IS design and e-services approach

Information security means protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction.

The terms information security, computer security and information assurance are frequently used interchangeably. These fields are interrelated often and share the common goals of protecting the confidentiality, integrity and availability of information; however, there are some subtle differences between them.

These differences lie primarily in the approach to the subject, the methodologies used, and the areas of concentration. Information security is concerned with the confidentiality, integrity and availability of data regardless of the form the data may take: electronic, print, or other forms. Computer security can focus on ensuring the availability and correct operation of a computer system without concern for the information stored or processed by the computer. Information assurance focuses on the reasons for assurance that information is protected, and is thus reasoning about information security.

Design of a security protocol for the mTAN procedure

A Transaction authentication number, TAN or T.A.N. is used by some online banking services as a form of single use one-time passwords to authorize financial transactions. TANs are a second layer of security above and beyond the traditional single-password authentication.

TANs are believed to provide additional security because they act as a form of two-factor authentication. Should the physical document or token containing the TANs be stolen, it will be of little use without the password; conversely, if the login data are obtained, no transactions can be performed without a valid TAN.