Novel classes of side channels and covert channels

When assessing the security of security-critical systems, it is crucial to consider conceptually new attacks, as appropriate countermeasures can only be implemented against known threats. Consequently, in this thesis we explore new classes of attacks and evaluate countermeasures. Our contribution is three-fold. We identify two previously unknown side channel attacks, i.e., attacks that exploit unintended information leakage. First, we consider optical emanations, i.e., the unavoidable emanation of every monitor. We demonstrate how to exploit tiny reflections in stationary objects and the human eye, and even diffuse reflections in objects such as the user';s shirt. Second, we study acoustic emanations of dot-matrix printers and show that the printed text can be reconstructed from a recording of the sound emitted while printing. Furthermore, we demonstrate a conceptually new covert channel: whereas side channels leak information unintentionally, in a covert channel there is an explicit sender that cooperates with the receiver. We present a new covert channel in the peer-reviewing process in scientific publishing that reveals the reviewer';s identity to the author. We additionally expose several related problems in the design of the PostScript language.Das Aufdecken neuer Arten von Angriffen ist wichtig zur Verbesserung der Sicherheit von sicherheitskritischen Systemen, da nur für bekannte Angriffe Gegenmaßnahmen ergriffen werden können. Deshalb untersuchen wir in dieser Arbeit neue Arten von Angriffen sowie geeignete Gegenmaßnahmen. Die Arbeit gliedert sich in drei Teile. Zunächst demonstrieren wir zwei neue Seitenkanalangriffe, also Angriffe die unbeabsichtigte Informationslecks ausnutzen. Zum Einen betrachten wir optische Abstrahlungen von Monitoren. Wir zeigen, dass das Bild des Monitors aus Reflexionen in verschiedenen Objekten rekonstruiert werden kann: aus winzigen Reflexionen in vielen stationären Objekten sowie im menschlichen Auge, und sogar aus diffusen Reflexionen beispielsweise auf dem Hemd eines Nutzers. Zum Anderen untersuchen wir die akustischen Abstrahlungen von Nadeldruckern und zeigen, dass der gedruckte Text aus einer Aufnahme der Druckgeräusche rekonstruiert werden kann. Des Weiteren demonstrieren wir einen neuen verdeckten Kanal: Während Seitenkanäle normalerweise durch unvorsichtige Implementierung entstehen, werden die Daten auf einem verdeckten Kanal absichtlich übertragen. Wir demonstrieren einen neuen verdeckten Kanal im Peer-Review-Prozess zur Begutachtung wissenschaftlicher Publikationen, welcher die Identität der Gutachter offenlegt. Darüberhinaus weisen wir auf mehrere grundlegende Probleme im Design der PostScript Sprache hin

"I Knew It Was Me": Understanding Users' Interaction with Login Notifications

Login notifications are intended to inform users about recent sign-ins and help them protect their accounts from unauthorized access. The notifications are usually sent if a login occurs from a new location or device, which could indicate malicious activity. They mostly contain information such as the location, date, time, and device used to sign in. Users are challenged to verify whether they recognize the login (because it has been them or someone they know) or to proactively protect their account from unwanted access by changing their password. In two user studies, we explore users' comprehension, reactions, and expectations of login notifications. We utilize two treatments to measure users' behavior in response to login notifications sent for a login they initiated themselves or based on a malicious actor relying on statistical sign-in information. Users feel relatively confident identifying legitimate logins but demonstrate various risky and insecure behaviors when it comes to malicious sign-ins. We discuss the identified problems and give recommendations for service providers to ensure usable and secure logins for everyone

Towards Quantum Large-Scale Password Guessing on Real-World Distributions

Password-based authentication is a central tool for end-user security. As part of this, password hashing is used to ensure the security of passwords at rest. If quantum computers become available at sufficient size, they are able to significantly speed up the computation of preimages of hash functions. Using Grover\u27s algorithm, at most, a square-root speedup can be achieved, and thus it is expected that quantum password guessing also admits a square-root speedup. However, password inputs are not uniformly distributed but highly biased. Moreover, typical password attacks do not only compromise a random user\u27s password but address a large fraction of all users\u27 passwords within a database of millions of users. In this work, we study those quantum large-scale password guessing attacks for the first time. In comparison to classical attacks, we still gain a square-root speedup in the quantum setting when attacking a constant fraction of all passwords, even considering strongly biased password distributions as they appear in real-world password breaches. We verify the accuracy of our theoretical predictions using the LinkedIn leak and derive specific recommendations for password hashing and password security for a quantum computer era

Talking to the Overlooked: A Nationwide Telephone Survey with Four Groups Under-represented in Privacy and Security Studies

Online surveys - a primary research tool in the field of usable security and privacy research - frequently rely on web-panel platforms. However, these platforms tend not to generalize well to specific user groups. Our study addresses this research gap by studying security and privacy perceptions of four under-represented groups. We conducted telephone interviews with n = 1003 participants in Germany: (I) teenagers aged 14-17, (II) older adults 70+, (III) people with low formal education, and (IV) people with migration background. We found these groups to be under-represented in our online comparison survey. We further identified target group-specific perceptions for each group compared to the general population, e.g., regarding their experiences with cybercrime, and provide detailed insight into the privacy and security knowledge and behavior of each group. Our findings underscore the effectiveness of telephone interviews and lay the foundation for further research on these groups

Why Do Developers Get Password Storage Wrong? A Qualitative Usability Study

Passwords are still a mainstay of various security systems, as well as the cause of many usability issues. For end-users, many of these issues have been studied extensively, highlighting problems and informing design decisions for better policies and motivating research into alternatives. However, end-users are not the only ones who have usability problems with passwords! Developers who are tasked with writing the code by which passwords are stored must do so securely. Yet history has shown that this complex task often fails due to human error with catastrophic results. While an end-user who selects a bad password can have dire consequences, the consequences of a developer who forgets to hash and salt a password database can lead to far larger problems. In this paper we present a first qualitative usability study with 20 computer science students to discover how developers deal with password storage and to inform research into aiding developers in the creation of secure password systems