"An effective attack method based on information exposed by search engines" by Antonios Gouglidis, University of Macedonia
"Eavesdropping on encrypted VoIP conversations: phrase spotting attack and defense approaches" by Vasily Prokopov, KTH Royal Institute of Technology
"Schnorr signcryption" by Laura Savu, University of Bucharest
"Security techniques for protecting data in the cloud" by Venkata Sravan Kumar Maddineni, Blekinge Institute of Technology
"Concept and development of a Facebook application to raise security and risk awareness regarding social engineering" by Iwan Gulenko, Technical University Munich
"Fingerprinting Tor" by Pablo Carballude González, University of Birmingham
"The state of industrial control systems security and national critical infrastructure protection" by Adesina Tinuade, Lulea University of Technology
"A mobile application for preventing online sexual exploitation attacks" by Dimitrios Michalopoulos, University of Macedonia
"Detecting flooding attacks using power" by Jean Tajer, University of Paris Descartes (via skype)
"Knowledge of information security issues – a senior management and educational perspective" by Sarfraz Iqbal, Lulea University of Technology
"Key factors and challenges for the successful development of the e-security aspect of an organization’s security policy: an IS design and e-services approach" by Ali Mohammad Padyab, Lulea University of Technology
"Design of a security protocol for the mTAN procedure" by Daniel Zelle, University of Paderborn
Panel Discussion: "The Future of the Internet"
An effective attack method based on information exposed by search engines
Web 2.0 consists one of the most emergent technologies of the World Wide Web. This type of technologies can be made available to consumers through a series of web services. Nevertheless, as a relative new approach, it is prone to various security issues. One of these is the potential to use web services provided by search engines such as Google’s and Microsoft’s Bing, in order to identify and attack vulnerable systems. In this paper, we describe a 3-step methodology that can be fully automated in order to deploy massive attacks against vulnerable systems. The methodology described takes advantage of the Google Hacking technique and extends it with two more steps that of information manipulation and the deployment of an exploit. An implementation of a python script demonstrates the applicability and the efficiency of the proposed attack. A real-world example, taking advantage of the JBoss JMX Management Console faulty configuration, indicates the extension of the problem. We anticipate this initiative to help in the identification of similar attack methods and the development of newly and more effective countermeasures against this type of attack methods.
Eavesdropping on encrypted VoIP conversations: phrase spotting attack and defense approaches
Voice over IP (VoIP) has recently become an important part of our day to day life. As VoIP technology evolves, matures and becomes increasingly popular, it also gains the attention of attackers who wish to eavesdrop on VoIP conversations.
In this paper we first describe an attack that can identify phrases spoken within encrypted VoIP calls under certain (but commonly occurring) circumstances. Then we propose and analyze several methods to protect against phrase spotting attack. Finally, we introduce a model of a voice coder (vocoder) protected from this type of attack.
This article presents a new signcryption scheme which is based on the Schnorr digital signature algorithm. The new scheme represents my personal contribution to signcryption area. I have implemented the algorithm in a program and here are provided the steps of the algorithm, the results and some examples. The paper also contains the presentation of the original Signcryption scheme, based on ElGamal digital signature and discusses the practical applications of Signcryption in real life. The purpose of the study is to combine the public key encryption with Schnor digital signature in order to obtain less computational and communicational costs. Signcryption primitive is a better approach then Encrypt-then-Sign or Sign-then-Encrypt methods regarding the costs. All these algorithms offer the possibility to transmit a message over an insecure channel providing both authenticity and confidentiality.
Concept and development of a Facebook application to raise security and risk awareness regarding social engineering
Social engineering, in the context of security, is understood to mean the art of manipulating people into performing actions or divulging confidential information. While it is similar to a confidence trick or simple fraud, the term typically applies to trickery or deception for the purpose of information gathering, fraud, or computer system access; in most cases the attacker never comes face-to-face with the victims.
"Social engineering" as an act of psychological manipulation was popularized by hacker-turned-consultant Kevin Mitnick. The term had previously been associated with the social sciences, but its usage has caught on among computer professionals
Website fingerprinting is the act of recognizing web traffic through surveillance despite the use of encryption or anonymizing software. The general idea is to leverage the fact that many web sites have specific fixed request patterns and response byte counts that are known beforehand. This information can be used to recognize your web traffic despite attempts at encryption or tunneling. Websites that have an abundance of static content and a fixed request structure tend to be vulnerable to this type of surveillance. Unfortunately, there is enough static content on most websites for this to be the case.
Detecting flooding attacks using power
A UDP flood attack is a denial-of-service (DoS) attack using the User Datagram Protocol (UDP), a sessionless/connectionless computer networking protocol.
Using UDP for denial-of-service attacks is not as straightfforward as with the Transmission Control Protocol (TCP). However, a UDP flood attack can be initiated by sending a large number of UDP packets to random ports on a remote host. As a result, the distant host will:
Thus, for a large number of UDP packets, the victimized system will be forced into sending many ICMP packets, eventually leading it to be unreachable by other clients. The attacker may also spoof the IP address of the UDP packets, ensuring that the excessive ICMP return packets do not reach him, and anonymizing the attacker's network location(s).
This attack can be managed by deploying firewalls at key points in a network to filter out unwanted network traffic. The potential victim never receives and never responds to the malicious UDP packets because the firewall stops them.
Knowledge of information security issues – a senior management and educational perspective
Information security means protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction.
The terms information security, computer security and information assurance are frequently used interchangeably. These fields are interrelated often and share the common goals of protecting the confidentiality, integrity and availability of information; however, there are some subtle differences between them.
These differences lie primarily in the approach to the subject, the methodologies used, and the areas of concentration. Information security is concerned with the confidentiality, integrity and availability of data regardless of the form the data may take: electronic, print, or other forms. Computer security can focus on ensuring the availability and correct operation of a computer system without concern for the information stored or processed by the computer. Information assurance focuses on the reasons for assurance that information is protected, and is thus reasoning about information security.
Governments, military, corporations, financial institutions, hospitals, and private businesses amass a great deal of confidential information about their employees, customers, products, research, and financial status. Most of this information is now collected, processed and stored on electronic computers and transmitted across networks to other computers.
Key factors and challenges for the successful development of the e-security aspect of an organization’s security policy: an IS design and e-services approach
Design of a security protocol for the mTAN procedure
A Transaction authentication number, TAN or T.A.N. is used by some online banking services as a form of single use one-time passwords to authorize financial transactions. TANs are a second layer of security above and beyond the traditional single-password authentication.
TANs are believed to provide additional security because they act as a form of two-factor authentication. Should the physical document or token containing the TANs be stolen, it will be of little use without the password; conversely, if the login data are obtained, no transactions can be performed without a valid TAN.