44 research outputs found
Novel classes of side channels and covert channels
When assessing the security of security-critical systems, it is crucial to consider conceptually new attacks, as appropriate countermeasures can only be implemented against known threats. Consequently, in this thesis we explore new classes of attacks and evaluate countermeasures. Our contribution is three-fold. We identify two previously unknown side channel attacks, i.e., attacks that exploit unintended information leakage. First, we consider optical emanations, i.e., the unavoidable emanation of every monitor. We demonstrate how to exploit tiny reflections in stationary objects and the human eye, and even diffuse reflections in objects such as the user's shirt. Second, we study acoustic emanations of dot-matrix printers and show that the printed text can be reconstructed from a recording of the sound emitted while printing. Furthermore, we demonstrate a conceptually new covert channel: whereas side channels leak information unintentionally, in a covert channel there is an explicit sender that cooperates with the receiver. We present a new covert channel in the peer-reviewing process in scientific publishing that reveals the reviewer's identity to the author. We additionally expose several related problems in the design of the PostScript language.
Uncovering new kinds of attacks is important for improving the security of security-critical systems, since countermeasures can only be taken against known attacks. In this thesis we therefore investigate new kinds of attacks as well as suitable countermeasures. The thesis is divided into three parts. First, we demonstrate two new side-channel attacks, i.e., attacks that exploit unintended information leaks. On the one hand, we consider optical emanations of monitors. We show that the monitor's image can be reconstructed from reflections in various objects: from tiny reflections in many stationary objects and in the human eye, and even from diffuse reflections, for example on a user's shirt. On the other hand, we investigate the acoustic emanations of dot-matrix printers and show that the printed text can be reconstructed from a recording of the printing sounds. Furthermore, we demonstrate a new covert channel: whereas side channels usually arise from careless implementation, data on a covert channel is transmitted intentionally. We demonstrate a new covert channel in the peer-review process for evaluating scientific publications, which reveals the identity of the reviewers. In addition, we point out several fundamental problems in the design of the PostScript language.
"I Knew It Was Me": Understanding Users' Interaction with Login Notifications
Login notifications are intended to inform users about recent sign-ins and
help them protect their accounts from unauthorized access. The notifications
are usually sent if a login occurs from a new location or device, which could
indicate malicious activity. They mostly contain information such as the
location, date, time, and device used to sign in. Users are challenged to
verify whether they recognize the login (because it has been them or someone
they know) or to proactively protect their account from unwanted access by
changing their password. In two user studies, we explore users' comprehension,
reactions, and expectations of login notifications. We utilize two treatments
to measure users' behavior in response to login notifications sent for a login
they initiated themselves or based on a malicious actor relying on statistical
sign-in information. Users feel relatively confident identifying legitimate
logins but demonstrate various risky and insecure behaviors when it comes to
malicious sign-ins. We discuss the identified problems and give recommendations
for service providers to ensure usable and secure logins for everyone.
Towards Quantum Large-Scale Password Guessing on Real-World Distributions
Password-based authentication is a central tool for end-user security.
As part of this, password hashing is used to ensure the security of passwords at rest.
If quantum computers become available at sufficient size, they are able to significantly speed up the computation of preimages of hash functions.
Using Grover's algorithm, at most, a square-root speedup can be achieved, and thus it is expected that quantum password guessing also admits a square-root speedup.
However, password inputs are not uniformly distributed but highly biased.
Moreover, typical password attacks do not only compromise a random user's password but address a large fraction of all users' passwords within a database of millions of users.
In this work, we study those quantum large-scale password guessing attacks for the first time.
In comparison to classical attacks, we still gain a square-root speedup in the quantum setting when attacking a constant fraction of all passwords, even considering strongly biased password distributions as they appear in real-world password breaches.
We verify the accuracy of our theoretical predictions using the LinkedIn leak and derive specific recommendations for password hashing and password security for a quantum computer era.
Talking to the Overlooked: A Nationwide Telephone Survey with Four Groups Under-represented in Privacy and Security Studies
Online surveys - a primary research tool in the field of usable security and
privacy research - frequently rely on web-panel platforms. However, these
platforms tend not to generalize well to specific user groups. Our study
addresses this research gap by studying security and privacy perceptions of
four under-represented groups. We conducted telephone interviews with n = 1003
participants in Germany: (I) teenagers aged 14-17, (II) older adults 70+, (III)
people with low formal education, and (IV) people with migration background. We
found these groups to be under-represented in our online comparison survey. We
further identified target group-specific perceptions for each group compared to
the general population, e.g., regarding their experiences with cybercrime, and
provide detailed insight into the privacy and security knowledge and behavior
of each group. Our findings underscore the effectiveness of telephone
interviews and lay the foundation for further research on these groups.
Why Do Developers Get Password Storage Wrong? A Qualitative Usability Study
Passwords are still a mainstay of various security systems, as well as the
cause of many usability issues. For end-users, many of these issues have been
studied extensively, highlighting problems and informing design decisions for
better policies and motivating research into alternatives. However, end-users
are not the only ones who have usability problems with passwords! Developers
who are tasked with writing the code by which passwords are stored must do so
securely. Yet history has shown that this complex task often fails due to human
error with catastrophic results. While an end-user who selects a bad password
can have dire consequences, the consequences of a developer who forgets to hash
and salt a password database can lead to far larger problems. In this paper we
present a first qualitative usability study with 20 computer science students
to discover how developers deal with password storage and to inform research
into aiding developers in the creation of secure password systems.