DOCSLIB.ORG

August 15–17, 2018 • Baltimore, Md

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
August 15–17, 2018 • Baltimore, Md AUGUST 15–17, 2018 BALTIMORE, MD, USA Wednesday, August 15 7:30 am–8:45 am Continental Breakfast 8:45 am–9:00 am Opening Remarks and Awards Program Co-Chairs: William Enck, North Carolina State University, and Adrienne Porter Felt, Google 9:00 am–10:00 am Keynote Address Q: Why Do Keynote Speakers Keep Suggesting That Improving Security Is Possible? A: Because Keynote Speakers Make Bad Life Decisions and Are Poor Role Models James Mickens, Harvard University 10:00 am–10:30 am Break with Refreshments 10:30 am–12:10 pm Track 1 Track 2 Track 3 Security Impacting the Memory Defenses Censorship and Web Privacy Physical World ACES: Automatic Compartments for Fp-Scanner: The Privacy Implications of Fear the Reaper: Characterization and Fast Embedded Systems Browser Fingerprint Inconsistencies Detection of Card Skimmers Abraham A Clements, Purdue University and Antoine Vastel, Univ. Lille / Inria / Inria; Pierre Nolen Scaife, Christian Peeters, and Patrick Sandia National Labs; Naif Saleh Almakhdhub, Laperdrix, Stony Brook University; Walter Traynor, University of Florida Saurabh Bagchi, and Mathias Payer, Purdue Rudametkin, Univ. Lille / Inria / Inria; Romain BlackIoT: IoT Botnet of High Wattage University Rouvoy, Univ. Lille / Inria / IUF Devices Can Disrupt the Power Grid IMIX: In-Process Memory Isolation Who Left Open the Cookie Jar? A Saleh Soltan, Prateek Mittal, and H. Vincent EXtension Comprehensive Evaluation of Third-Party Poor, Princeton University Tommaso Frassetto, Patrick Jauernig, Cookie Policies Skill Squatting Attacks on Amazon Alexa Christopher Liebchen, and Ahmad-Reza Gertjan Franken, Tom Van Goethem, and Sadeghi, Technische Universität Darmstadt Wouter Joosen, imec-Distrinet, KU Leuven Deepak Kumar, Riccardo Paccagnella, Paul Murley, Eric Hennenfent, Joshua Mason, Adam HeapHopper: Bringing Bounded Model Effective Detection of Multimedia Protocol Bates, and Michael Bailey, University of Illinois, Checking to Heap Implementation Security Tunneling using Machine Learning Urbana-Champaign Moritz Eckert, Antonio Bianchi, and Ruoyu Diogo Barradas, Nuno Santos, and Luís CommanderSong: A Systematic Approach Wang, University of California, Santa Barbara; Rodrigues, INESC-ID, Instituto Superior Técnico, for Practical Adversarial Voice Recognition Yan Shoshitaishvili, Arizona State University; Universidade de Lisboa Christopher Kruegel and Giovanni Vigna, Xuejing Yuan, SKLOIS, Institute of Information Scalable Remote Measurement of University of California, Santa Barbara Engineering, Chinese Academy of Sciences. School Application-Layer Censorship of Cyber Security, University of Chinese Academy Guarder: An Efficient Heap Allocator with Benjamin VanderSloot, Allison McDonald, Will of Sciences.; Yuxuan Chen, Florida Institute Strongest and Tunable Security Scott, J. Alex Halderman, and Roya Ensafi, of Technology; Yue Zhao, SKLOIS, Institute of Sam Silvestro, Hongyu Liu, and Tianyi Liu, University of Michigan Information Engineering, Chinese Academy of University of Texas at San Antonio; Zhiqiang Lin, Sciences. School of Cyber Security, University Ohio State University; Tongping Liu, University of of Chinese Academy of Sciences.; Yunhui Long, Texas at San Antonio University of Illinois at Urbana-Champaign; Xiaokang Liu and Kai Chen, SKLOIS, Institute of Information Engineering, Chinese Academy of Sciences. School of Cyber Security, University of Chinese Academy of Sciences.; Shengzhi Zhang, Florida Institute of Technology; Heqing Huang, IBM Thomas J. Watson Research Center; Xiaofeng Wang, Indiana University Bloomington; Carl A. Gunter, University of Illinois at Urbana-Champaign 12:10 pm–1:40 pm Lunch (on your own) The Career Luncheon for Students and Recent Grads will occur at this time. Wednesday, August 15 continues on next page ➜ Wednesday, August 15 (continued) 1:40 pm–3:20 pm Track 1 Track 2 Track 3 Understanding How Humans Vulnerability Discovery Invited Talks Authenticate ATtention Spanned: Comprehensive TBA Better managed than memorized? Studying Vulnerability Analysis of AT Commands the Impact of Managers on Password Within the Android Ecosystem Strength and Reuse Dave (Jing) Tian, Grant Hernandez, Joseph Sanam Ghorbani Lyastani, CISPA, Saarland Choi, Vanessa Frost, Christie Raules, Kevin University; Michael Schilling, Saarland University; Butler, and Patrick Traynor, University of Florida; Sascha Fahl, Leibniz University Hannover; Sven Hayawardh Vijayakumar, Lee Harrison, Amir Bugiel, CISPA, Saarland University; Michael Rahmati, and Mike Grace, Samsung Research Backes, CISPA Helmholtz Center i.G. America Forgetting of Passwords: Ecological Theory Charm: Facilitating Dynamic Analysis of and Data Device Drivers of Mobile Systems Xianyi Gao, Yulong Yang, Can Liu, Christos Seyed Mohammadjavad Seyed Talebi and Mitropoulos, and Janne Lindqvist, Rutgers Hamid Tavakoli, UC Irvine; Hang Zhang and University; Antti Oulasvirta, Aalto University Zheng Zhang, UC Riverside; Ardalan Amiri Sani, The Rewards and Costs of Stronger UC Irvine; Zhiyun Qian, UC Riverside Passwords in a University: Linking Inception: System-wide Security Testing of Password Lifetime to Strength Real-World Embedded Systems Software Ingolf Becker, Simon Parkin, and M. Angela Nassim Corteggiani, EURECOM, Maxim Sasse, University College London Integrated; Giovanni Camurati and Aurélien Rethinking Authentication and Access Francillon, EURECOM Control for the Home Internet of Things Acquisitional Rule-based Engine for (IoT) Discovering Internet-of-Thing Devices Weijia He, University of Chicago; Maximilian Xuan Feng, Beijing Key Laboratory of IOT Golla, Ruhr-University Bochum; Roshni Padhi Information Security Technology, Institute of and Jordan Ofek, University of Chicago; Markus Information Engineering, CAS, China; Qiang Li, Dürmuth, Ruhr-University Bochum; Earlence School of Computer and Information Technology, Fernandes, University of Washington; Blase Ur, Beijing Jiaotong University, China; Haining University of Chicago Wang, Department of Electrical and Computer Engineering, University of Delaware, USA; Limin Sun, Beijing Key Laboratory of IOT Information Security Technology, Institute of Information Engineering, CAS, China 3:20pm–3:50 pm Break with Refreshments 3:50 pm–5:30 pm Track 1 Track 2 Track 3 Web Applications Anonymity Invited Talks A Sense of Time for JavaScript and Node. How do Tor users interact with onion TBA js: First-Class Timeouts as a Cure for Event services? Handler Poisoning Philipp Winter, Anne Edmundson, Laura M. James C. Davis, Eric R. Williamson, and Roberts, Marshini Chetty, and Nick Feamster, Dongyoon Lee, Virginia Tech Princeton University Freezing the Web: A Study of ReDoS Towards Predicting Efficient and Vulnerabilities in JavaScript-based Web Anonymous Tor Circuits Servers Armon Barton, University of Texas at Arlington; Cristian-Alexandru Staicu and Michael Pradel, Matthew Wright, Rochester Institute of TU Darmstadt Technology; Jiang Ming and Mohsen Imani, NAVEX: Precise and Scalable Exploit University of Texas at Arlington Generation for Dynamic Web Applications BurnBox: Self-Revocable Encryption in a Abeer Alhuzali, Rigel Gjomemo, Birhanu World Of Compelled Access Eshete, and V.N. Venkatakrishnan, UIC Nirvan Tyagi, Cornell Tech; Muhammad Haris Rampart: Protecting Web Applications from Mughees, Cornell Tech and UIUC; Thomas CPU-Exhaustion Denial-of-Service Attacks Ristenpart and Ian Miers, Cornell Tech Wei Meng, Chinese University of Hong An Empirical Analysis of Anonymity in Kong; Chenxiong Qian, Georgia Institute of Zcash Technology; Shuang Hao, University of Texas George Kappos, Haaroon Yousaf, Mary Maller, at Dallas; Kevin Borgolte, Giovanni Vigna, and and Sarah Meiklejohn, University College Christopher Kruegel, University of California, London Santa Barbara; Wenke Lee, Georgia Institute of Technology Wednesday, August 15 continues on next page ➜ Wednesday, August 15 (continued) 6:00 pm–7:30 pm USENIX Security ’18 Symposium Reception Mingle with fellow attendees at the USENIX Security ‘18 Reception, featuring dinner, drinks, and the chance to connect with other attendees, speakers, and symposium organizers. 7:30 pm–8:30 pm USENIX Security ’18 Lightning Talks This is intended as an informal session for short and engaging presentations on recent unpublished results, work in progress, or other topics of interest to USENIX Security attendees. As in the past, talks do not always need to be serious and funny talks are encouraged! This year, USENIX will generously sponsor awards for the most engaging talks. Bragging rights and small cash prizes can be yours for a great talk! For full consideration, submit your lightning talk via the lighting talk submission form, which will be available here soon, through July 27, 2018. Only talks submitted by this deadline will be considered for the awards. You can continue submitting talks via the submission form or by emailing [email protected] until Wednesday, August 15, 2018, 12:00 pm EDT. Thursday, August 16 8:00 am–9:00 am Continental Breakfast 9:00 am–10:30 am Track 1 Track 2 Track 3 Privacy in a Digital World Attacks on Crypto & Crypto Invited Talks Unveiling and Quantifying Facebook Libraries TBA Exploitation of Sensitive Personal Data for Efail: Breaking S/MIME and OpenPGP Email Advertising Purposes Encryption using Exfiltration Channels José González Cabañas, Ángel Cuevas, and Damian Poddebniak, Münster University of Rubén Cuevas, Department of Telematic Applied Sciences; Jens Müller, Ruhr University Engineering, Universidad Carlos III de Madrid Bochum; Christian Dresen,
Load more

Recommended publications
  • Jane Hutt: Businesses That Have Received Welsh Government Grants During 2011/12
    Jane Hutt: Businesses that have received Welsh Government grants during 2011/12 1 STOP FINANCIAL SERVICES 100 PERCENT EFFECTIVE TRAINING 1MTB1 1ST CHOICE TRANSPORT LTD 2 WOODS 30 MINUTE WORKOUT LTD 3D HAIR AND BEAUTY LTD 4A GREENHOUSE COM LTD 4MAT TRAINING 4WARD DEVELOPMENT LTD 5 STAR AUTOS 5C SERVICES LTD 75 POINT 3 LTD A AND R ELECTRICAL WALES LTD A JEFFERY BUILDING CONTRACTOR A & B AIR SYSTEMS LTD A & N MEDIA FINANCE SERVICES LTD A A ELECTRICAL A A INTERNATIONAL LTD A AND E G JONES A AND E THERAPY A AND G SERVICES A AND P VEHICLE SERVICES A AND S MOTOR REPAIRS A AND T JONES A B CARDINAL PACKAGING LTD A BRADLEY & SONS A CUSHLEY HEATING SERVICES A CUT ABOVE A FOULKES & PARTNERS A GIDDINGS A H PLANT HIRE LTD A HARRIES BUILDING SERVICES LTD A HIER PLUMBING AND HEATING A I SUMNER A J ACCESS PLATFORMS LTD A J RENTALS LIMITED A J WALTERS AVIATION LTD A M EVANS A M GWYNNE A MCLAY AND COMPANY LIMITED A P HUGHES LANDSCAPING A P PATEL A PARRY CONSTRUCTION CO LTD A PLUS TRAINING & BUSINES SERVICES A R ELECTRICAL TRAINING CENTRE A R GIBSON PAINTING AND DEC SERVS A R T RHYMNEY LTD A S DISTRIBUTION SERVICES LTD A THOMAS A W JONES BUILDING CONTRACTORS A W RENEWABLES LTD A WILLIAMS A1 CARE SERVICES A1 CEILINGS A1 SAFE & SECURE A19 SKILLS A40 GARAGE A4E LTD AA & MG WOZENCRAFT AAA TRAINING CO LTD AABSOLUTELY LUSH HAIR STUDIO AB INTERNET LTD ABB LTD ABER GLAZIERS LTD ABERAVON ICC ABERDARE FORD ABERGAVENNY FINE FOODS LTD ABINGDON FLOORING LTD ABLE LIFTING GEAR SWANSEA LTD ABLE OFFICE FURNITURE LTD ABLEWORLD UK LTD ABM CATERING FOR LEISURE LTD ABOUT TRAINING
    [Show full text]
  • Ultra-Clever Attacks
    Security Now! Transcript of Episode #663 Page 1 of 22 Transcript of Episode #663 Ultra-Clever Attacks Description: This week we will examine two incredibly clever, new, and bad attacks named eFail and Throwhammer. But first we catch up on the rest of the past week's security and privacy news, including the evolution of UPnProxy, a worrisome flaw discovered in a very popular web development platform, the first anniversary of EternalBlue, the exploitation of those GPON routers, this week's disgusting security headshaker, a summary of the RSA Conference's security practices survey, the appearance of persistent IoT malware, a significant misconception about hard drive failure, an interesting bit of listener feedback, and then a look at two VERY clever new attacks. High quality (64 kbps) mp3 audio file URL: http://media.GRC.com/sn/SN-663.mp3 Quarter size (16 kbps) mp3 audio file URL: http://media.GRC.com/sn/sn-663-lq.mp3 SHOW TEASE: It's time for Security Now!. Steve Gibson is here with all the week's news plus a couple of clever attacks - cleverly named, as well. One's called eFail, and it really is an issue if you use PGP or S/MIME to encrypt your email. The other's called Throwhammer, and I'll let Steve explain how that works. It's all coming up next on Security Now!. Leo Laporte: This is Security Now! with Steve Gibson, Episode 663, recorded Tuesday, May 15th, 2018: Ultra-Clever Attacks. It's time for Security Now!, the show where we cover your security and privacy online with this guy right here, Mr.
    [Show full text]
  • Efail: Breaking S/MIME and Openpgp Email Encryption Using Exfiltration Channels
    Efail: Breaking S/MIME and OpenPGP Email Encryption using Exfiltration Channels Damian Poddebniak and Christian Dresen, Münster University of Applied Sciences; Jens Müller, Ruhr University Bochum; Fabian Ising and Sebastian Schinzel, Münster University of Applied Sciences; Simon Friedberger, NXP Semiconductors, Belgium; Juraj Somorovsky and Jörg Schwenk, Ruhr University Bochum https://www.usenix.org/conference/usenixsecurity18/presentation/poddebniak This paper is included in the Proceedings of the 27th USENIX Security Symposium. August 15–17, 2018 • Baltimore, MD, USA ISBN 978-1-939133-04-5 Open access to the Proceedings of the 27th USENIX Security Symposium is sponsored by USENIX. Efail: Breaking S/MIME and OpenPGP Email Encryption using Exfiltration Channels Damian Poddebniak1, Christian Dresen1, Jens Muller¨ 2, Fabian Ising1, Sebastian Schinzel1, Simon Friedberger3, Juraj Somorovsky2, and Jorg¨ Schwenk2 1Munster¨ University of Applied Sciences 2Ruhr University Bochum 3NXP Semiconductors, Belgium Abstract is designed to protect user data in such scenarios. With end-to-end encryption, the email infrastructure becomes OpenPGP and S/MIME are the two prime standards merely a transportation service for opaque email data and for providing end-to-end security for emails. We de- no compromise – aside from the endpoints of sender or scribe novel attacks built upon a technique we call mal- receiver – should affect the security of an end-to-end en- leability gadgets to reveal the plaintext of encrypted crypted email. emails. We use CBC/CFB gadgets to inject malicious plaintext snippets into encrypted emails. These snippets S/MIME and OpenPGP. The two most prominent stan- abuse existing and standard conforming backchannels to dards offering end-to-end encryption for email, S/MIME exfiltrate the full plaintext after decryption.
    [Show full text]
  • PGP Und S/MIME: So Funktioniert Efail | Heise Security
    05/12/2019 PGP und S/MIME: So funktioniert Efail | heise Security Anmelden Suchen Menü Anzeige Anzeige Die optimale Warenpräsentation Georg Haag AG WEITERE INFOS News Hintergrund Events Foren Kontakt Security > Hintergrund > PGP und S/MIME: So funktioniert Efail PGP und S/MIME: So funktioniert Efail Dienste Hintergrund 14.05.2018 16:21 Uhr – Jürgen Schmidt Security Consulter Emailcheck Netzwerkcheck Browsercheck Anti-Virus Krypto-Kampagne secIT 2020 Der Trepunkt für Security-Anwender und -Anbieter Hochkarätiges Vortragsprogramm mit Top- Referenten Über 10 Stunden redaktionelle Vorträge Die Angrie auf verschlüsselte E-Mails mit S/MIME und OpenPGP lassen sich eigentlich Über 50 Aussteller ganz einfach erklären. Wenn man sie einmal verstanden hat, weiß man auch, warum das Spannende Workshops & Expert-Talks zum mit dem Fixen nicht ganz so einfach ist. Thema IT-Sicherheit Top-Keynote: "Krypto-Papst" Bruce Schneier Ein Forscherteam rund um Sebastian Schinzel hat erfolgreiche Angrie gegen verschlüsselt verschickte E-Mails demonstriert. Dabei gelangt der Angreifer in den Besitz zumindest eines Jetzt Ticket sichern! Teils des Klartexts der Mails. Betroen sind die beiden am weitesten verbreiteten Standards für E-Mail-Verschlüsselung S/MIME und OpenPGP – und in der ein oder anderen Form nahezu Alerts! alle Alert-Meldungen » alle E-Mail-Programme. Die wichtigste Voraussetzung für einen erfolgreichen Angri ist, dass der Angreifer die verschlüsselte Mail unterwegs abfangen und manipulieren kann. Das düre Firefox, Firefox ESR, Tor Browser in vielen Fällen zutreen, in denen die Ende-zu-Ende-Verschlüsselung von PGP oder S/MIME Splunk-Plattform (Cloud, Light, eigentlich Schutz bieten soll. Enterprise) Das grundsätzliche Problem der E-Mail-Verschlüsselung ist die Tatsache, dass die E-Mails IBM Spectrum Protect Server nicht oder zumindest nicht ausreichend gegen solche Manipulationen gesichert sind.
    [Show full text]
  • The State of IT Security in Germany 2018 the STATE of IT SECURITY in GERMANY 2018
    The State of IT Security in Germany 2018 THE STATE OF IT SECURITY IN GERMANY 2018 2 THE STATE OF IT SECURITY IN GERMANY 2018 | FOREWORD Foreword Our modern, high-tech society depends on the functio- In its 2018 report on the state of IT security in Germany, nal integrity of information technologies and commu- the BSI has presented a well-founded and comprehen- nication systems, effective infrastructure and a secure sive overview of the threats facing our country, our supply of energy. These systems are the foundation for people and our economy in cyberspace. Above all, how- technical progress and economic development in our ever, it illustrates the successful and indispensable efforts country. the BSI undertakes on our behalf. Germany, its residents, businesses and governmental agencies remain in the As such systems grow more complex and all the areas crosshairs of those looking to carry out cyberattacks. of our information society become more interconnect- Taking on these challenges and devising rapid, efficient ed, however, the risks posed by disruptions and attacks responses to the latest dangers in cyberspace remains from within Germany or abroad are increasing as well. the central task of the BSI and its employees. Threats in cyberspace are highly dynamic, and cyber attacks are becoming more adaptive and professional. Both IT systems and the methods used to attack them are constantly evolving at a rapid pace. The Federal Government takes seriously its responsibili- ty to ensure security also in cyberspace by maintaining a framework of IT security laws, pursuing a cybersecurity strategy and strengthening the relevant agencies.
    [Show full text]
  • Security Now! #663 - 05-15-18 Ultra-Clever Attacks
    Security Now! #663 - 05-15-18 Ultra-Clever Attacks This week on Security Now! This week we will examine two incredibly clever, new (and bad) attacks named eFail and Throwhammer. But first we catchup on the rest of the past week's security and privacy news, including the evolution of UPnProxy, a worrisome flaw discovered in a very popular web development platform, the 1st anniversary of EternalBlue, the exploitation of those GPON routers, this week's disgusting security head shaker, a summary of the RSA conference's security practices survey, the appearance of persistent IoT malware, a significant misconception about hard drive failure, an interesting bit of listener feedback... then a look at two VERY clever new attacks. Security News Spectre NextGen: No news yet on these next eight (with one being a biggie) Spectre problems. UPnProxy matures: Last month Akamai detailed the use of UPnP to proxy public traffic. UPnP is only intended to rewrite packet destinations to the LAN IP... but many don't check. Now, security firm Imperva reports and details the next step in evolution https://www.imperva.com/blog/2018/05/new-ddos-attack-method-demands-a-fresh-approach-t o-amplification-assault-mitigation/ Step 1: Locating an open UPnP router This can be done in any number of ways, from running a wide-scale scan with SSDP requests to simply using the Shodan search engine to look for the “rootDesc.xml” file commonly found on such devices. In the screenshot below, you can see that running this query yielded over 1.3 million results.
    [Show full text]
  • Bachelorthesis Efail an Evaluation of the Thunderbird Email Client
    Hochschule Bonn-Rhein-Sieg University of Applied Sciences Fachbereich Informatik Department of Computer Science Bachelorthesis im Studiengang Bachelor of Computer Science Efail An Evaluation of the Thunderbird Email Client von Jan Arends First supervisor: Prof. Dr.-Ing. Kerstin Lemke-Rust Second supervisor: Dr. Thomas Ostreich¨ Date: December 14, 2018 Declaration of Authorship I declare that I have authored this paper independently, that I have not used other than the declared sources / resources, and that I have explicitly marked all material which has been quoted either literally or by content from the used sources. ..................................... ..................................... Location, Date Signature CONTENTS Contents List of Figures i Listings ii List of Abbreviations iii 1 Introduction 1 1.1 Motivation . .1 1.2 This work . .2 2 Background 4 2.1 Email history . .4 2.2 Email architecture . .4 2.3 Information security . .5 2.4 Cryptography . .6 2.4.1 Bitwise operations . .6 2.4.2 Encryption . .7 2.4.3 Block modes of operation . .9 2.4.4 Modification Detection Code (MDC) . 11 2.5 Vulnerabilities . 11 3 MIME and End-to-End Encryption 12 3.1 MIME . 12 3.2 Secure MIME . 13 3.3 OpenPGP . 14 3.4 Implementations . 14 3.4.1 Mozilla Thunderbird . 14 3.4.2 Enigmail . 15 3.4.3 GNU Privacy Guard (GnuPG) . 15 4 Efail 16 4.1 Message acquisition . 16 4.2 Exfiltration channels . 17 4.3 The attack procedure . 17 4.4 Direct Exfiltration Attack . 18 4.4.1 MIME boundaries . 18 4.4.2 Abusing boundaries . 19 4.5 Malleability Gadget Attack . 21 4.5.1 Malleability gadgets .
    [Show full text]
  • EFAIL Social Engineering Physical Security Autumn 2018
    CSE 484 / CSE M 584: Computer Security and Privacy EFAIL Social Engineering Physical Security Autumn 2018 Tadayoshi (Yoshi) Kohno [email protected] Thanks to Dan Boneh, Dieter Gollmann, Dan Halperin, Ada Lerner, John Manferdelli, John Mitchell, Franziska Roesner, Vitaly Shmatikov, Bennet Yee, and many others for sample slides and materials ... Admin • Lab 2 out Nov 5, due Nov 20, 4:30pm • Looking ahead: • HW 3 out ~Nov 19, due ~Nov 30 • Lab 3 out ~Nov 26, due Dec 7 (Quiz Section on Nov 29) • No class Nov 12 (holiday) • No class Nov 21; video review assignment instead 11/15/2018 CSE 484 / CSE M 584 2 Admin • Final Project Proposals: Nov 16 – group member names and brief description • Final Project Checkpoint: Nov 30 – preliminary outline and references • Final Project Presentation: Dec 10 – 12-15-minute video – must be on time • Explore something of interest to you, that could hopefully benefit you or your career in some way – technical topics, current events, etc 11/15/2018 CSE 484 / CSE M 584 3 EFAIL (New (in the history of crypto) Results, 5/14/2018) • Public earlier this year • Effects many email encryption systems – OpenPGP-based systems – S/MIME-based systems • Good example of – Chosen-ciphertext attacks – Interplay between different components of a larger system – Related to aspects of web security 11/15/2018 4 [Images from https://efail.de/] Apple Mail, iOS Mail, Mozilla Part 2, with Thunderbird captured ciphertext 1. Attacker captures existing encrypted message 2. Attacker creates multi-part message 3. Attacker sends to
    [Show full text]
  • Bitcoin and the Japanese Retail Investor
    BITCOIN AND THE JAPANESE RETAIL INVESTOR by Maksym Grinenko Graduate Programme for Transcultural Studies eighth generation Heidelberg University A dissertation submitted in fulfllment of the requirements for the degree of Doctor of Philosophy under the supervision of Prof. Dr. Harald Fuess Prof. Dr. Hans Martin Krämer July 29, 2019 Abstract The objective of this research is to examine the Bitcoin rally of 2017 as it occurred in Japan and establish a greater context for why it was the Japanese retail investors that propelled the nation to being the largest trader of the cryptocurrency at the end of the year. This dissertation begins with the examination of the technical and economical properties of Bitcoin by classifying it as fulflling two roles: that of a means of payment and that of an investment commodity. Following that is a description of Bitcoin’s roots and the history of its non-speculative usage. These chapters serve as a base for examin- ing the cryptocurrency’s role in Japan. The third chapter examines the Japanese retail investor and the Japanese retail investment landscape with a focus on the question of the low rates of risk-asset participation in face of a favorable investment environment. Historical context is drawn upon to argue that the present situation, wherein most fnan- cial assets are kept as cash, is rather the result of the historical path dependence than the present-day conditions in which Japanese retail investors operate. The fnal chapter addresses the question of high-risk activities in the form of gambling and margin trading by a group of predominantly middle-aged men and connects this propensity to engage in zero-sum games with Bitcoin’s success in Japan.
    [Show full text]
  • SWITCH-CERT Report on the Latest IT Security and Privacy Trends May / June 2018
    SWITCH-CERT report on the latest IT security and privacy trends May / June 2018 I. Microsoft will never contact you by phone: support scam continues to gain momentum They are certainly nothing new, but are becoming ever more sophisticated, expensive and widespread. What we are talking about are phone calls, usually from an English- speaking person posing as a representative from Microsoft or another well-known ICT company. The caller will use a pretext; for example, that the system of the person being called has reported an error message or that there are problems with the licence agreement. The scammers tell the victim that their Microsoft licence will have to be blocked for security reasons and that, in order to avoid this, they can have the problem fixed on their machine immediately via remote access or purchase a support plan or warranty. To add weight to their arguments, they ask their victim to open Microsoft’s support tool, Event Viewer. This program does, in fact, list error messages in most cases. This list of mundane and harmless error messages gives the phone phishers relevant reasons for obtaining credit card details or payments in another form (e.g. iTunes cards) from the victim. Fraudsters can take it even further with the remote access scenario: the person being called is told to download a remote maintenance program, which gives the criminal unrestricted access to the system – including a backdoor for illegal activities or running SWITCH Security, PO Box, 8021 Zurich +41 44 268 15 40 [email protected] securityblog.switch.ch security.switch.ch 1 © SWITCH 2018 bots.
    [Show full text]
  • Cyberwar 27 Sept 2020
    LV Geostrategie und Geopolitik Fachbereich 1 49069 Osnabrück Cyberwar Grundlagen-Methoden-Beispiele 27.09.2020 Zusammenfassung Der Cyberwar (Cyberkrieg) ist die kriegerische Auseinandersetzung mit den Mitteln der Informationstechnologie. Dieses Arbeitspapier unternimmt eine aktuelle Bestandsaufnahme und geht auf die theoretischen und praktischen Probleme ein. In der Praxis ist der Cyberwar ein integraler Bestandteil militärischen Handelns, lässt sich jedoch nicht ganz von der Spionage trennen, da das Eindringen in und Aufklären von gegnerischen Systemen wesentlich für das weitere Vorgehen ist. Nach einem Überblick über Angriffsmethoden, Angreifer (Advanced Persistent Threats), Spionagetools, Cyberwaffen und der Cyberverteidigung liegt ein besonderes Augenmerk auf der Einordnung von Cyberangriffen (Attribution) und der Smart Industry (Industrie 4.0). Anschließend werden die Cyberwar-Strategien der USA, Chinas, Russlands und weiterer führender Akteure besprochen. Weitere Kapitel befassen sich der Künstlichen Intelligenz, der Smart Industry, smarten Systemen und biologischen Anwendungen. Cyberwar – 27.09.2020 1 apl. Prof. Dr. Dr. K. Saalbach Inhalt 1. Grundlagen ........................................................................................................... 7 1.1 Einführung ................................................................................................................ 7 1.2 Hintergrund ............................................................................................................... 7 1.3 Cyberwar
    [Show full text]
  • Efail Attack and Its Implications
    Efail attack and its implications Juraj Somorovsky Damian Poddebniak1, Christian Dresen1, Jens Müller2, Fabian Ising1, Sebastian Schinzel1, Simon Friedberger3, Juraj Somorovsky2, Jörg Schwenk2 About this talk • Efail: Breaking S/MIME and OpenPGP Email Encryption using Exfiltration Channels. Damian Poddebniak, Christian Dresen, Jens Müller, Fabian Ising, Sebastian Schinzel, Simon Friedberger, Juraj Somorovsky, Jörg Schwenk. USENIX Security 2018 • Johnny, you are fired! Spoofing OpenPGP and S/MIME Signatures in Email. Jens Müller, Marcus Brinkmann, Damian Poddebniak, Hanno Böck, Sebastian Schinzel, Juraj Somorovsky, Jörg Schwenk. USENIX Security 2019 Email. 3 Internet Message Format („Email“) From: Alice To: Bob Subject: Breaking News Congratulations, you have been promoted! 4 Multipurpose Internet Mail Extensions (MIME) From: Alice To: Bob Subject: Breaking News Content-Type: text/plain Congratulations, you have been promoted! 5 Multipurpose Internet Mail Extensions (MIME) From: Alice To: Bob Subject: Breaking News Content-Type: multipart/mixed; boundary="BOUNDARY" --BOUNDARY Content-type: text/plain Congratulations, you have been promoted! --BOUNDARY Content-type: application/pdf Contract... --BOUNDARY-- 6 av1.com av2.com smtp.corp1 smtp.corp2 imap.corp2 imap.corp1 archive.corp1 archive.corp2 av1.com smtp.corp1 imap.corp1 archive.corp1 There is no such thing as “My Email”. 10 av1.com smtp.corp1 Assumption: imap.corp1 Attacker has archive.corp1 access to emails! Motivation for using end-to-end encryption Insecure Transport • TLS might
    [Show full text]