As I found out, I hadn’t written any posts in the last 12 months. This despite the fact that we had published some interesting papers and three (?) incidents happened at LastPass. The latter obviously has to do with one of my research topics, identity management. Maybe I’ll write a blog post about it soon. But today, let’s start with the papers.
ARES 2022
A “house” conference for me is the ARES conference, which took place in Vienna last year. Here, Nils Gruschka from the University of Oslo, Leonhard Ziegler, one of my students, and I published a paper on “Multi-Account-Dashboard for Authentication Dependency Analysis“. It is about user account networks that arise, for example, through single sign-on or fallback authentication (e.g., a reset link sent via email). Security is only as good as its weakest link, and that can easily be a poorly chosen fallback method. In the paper, we present different methods to analyze exactly this, as well as the possibility of lockouts. The whole thing was implemented by Leonhard Ziegler as a plugin for KeePass as a proof of concept. Based on this, he also conducted a small user study. A few follow-up works are already underway, which I’m looking forward to.
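To make the two analyses mentioned above concrete, here is an added example (my own illustration, not code from the paper or from the KeePass plugin) that models an account network as a directed graph: an edge says that a target account can be entered through another account, either by single sign-on or by a fallback such as a reset link. The account names, the numeric strength scale and the dependency list are constructed sample data. The weakest-link check computes, for each account, every account whose compromise transitively grants access and reports the lowest credential strength among them; the lockout check asks whether an account stays reachable once a given set of credentials is lost, which also covers mutual recovery cycles.

```python
from collections import defaultdict

# Constructed sample data (not from the paper). Own-credential strength per account:
# 1 = weak (e.g. SMS code only), 2 = medium (password), 3 = strong (password + hardware key).
ACCOUNTS = {"bank": 3, "work_sso": 3, "mail": 2, "social": 2, "phone_sms": 1}

# (target, via, kind): the target account can be accessed through the via account.
# "sso" = login with the via account; "reset-*" = fallback credential sent to via.
DEPENDENCIES = [
    ("bank", "mail", "reset-link"),
    ("mail", "phone_sms", "reset-sms"),
    ("social", "mail", "sso"),
    ("social", "phone_sms", "reset-sms"),
    ("work_sso", "social", "sso"),  # hypothetical: work account accepts social login
]


def build_graph(deps):
    """Map each target account to the set of accounts through which it can be entered."""
    graph = defaultdict(set)
    for target, via, _kind in deps:
        graph[target].add(via)
    return graph


def entry_points(account, graph):
    """All accounts whose compromise yields access to `account`, including itself.

    This is the transitive closure over the 'via' edges: if mail opens bank and
    phone_sms opens mail, then phone_sms is an entry point for bank as well.
    """
    seen = {account}
    stack = [account]
    while stack:
        current = stack.pop()
        for via in graph.get(current, ()):
            if via not in seen:
                seen.add(via)
                stack.append(via)
    return seen


def effective_strength(account, graph, strengths):
    """Weakest link: lowest own-credential strength among all entry points.

    Returns (strength, account_providing_it). A bank account with a hardware key
    is only as strong as the SMS-based reset chain that can reach it.
    """
    weakest = min(entry_points(account, graph), key=lambda a: strengths[a])
    return strengths[weakest], weakest


def recoverable(account, lost, graph):
    """True if `account` can still be reached when the credentials in `lost` are unusable.

    The account itself counts as an entry point, so an account whose own credential
    is intact is trivially recoverable. Cycles (two accounts that only recover each
    other) are handled naturally: if both are in `lost`, neither is reachable.
    """
    return any(a not in lost for a in entry_points(account, graph))


def report(strengths, deps):
    """Collect weakest-link and lockout findings for every account."""
    graph = build_graph(deps)
    findings = {}
    for account in strengths:
        strength, via = effective_strength(account, graph, strengths)
        findings[account] = {
            "own_strength": strengths[account],
            "effective_strength": strength,
            "weakest_entry": via,
            # Lockout if the account's own credential is lost and nothing else opens it.
            "lockout_if_own_lost": not recoverable(account, {account}, graph),
        }
    return findings


if __name__ == "__main__":
    for name, f in report(ACCOUNTS, DEPENDENCIES).items():
        flag = " (downgraded)" if f["effective_strength"] < f["own_strength"] else ""
        print(f"{name:10} strength {f['own_strength']} -> effective {f['effective_strength']}"
              f" via {f['weakest_entry']}{flag}; lockout risk: {f['lockout_if_own_lost']}")
```

With the constructed data, both strong accounts (bank and work_sso) are downgraded to strength 1 because an SMS-based reset chain reaches them, while phone_sms is the only account with a lockout risk, since nothing else can open it. Swapping the reset-sms edge for a stronger fallback changes both findings, which is the kind of what-if comparison such a dashboard is meant to support.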
In addition, Wolfgang Hommel and I published a first step towards a taxonomy of attacks on identities and identity management systems at an ARES workshop. The paper arose from the need to structure these attacks for a master’s thesis and a lecture. After finding no comparable literature, we created a first taxonomy, which was published. This taxonomy is currently being improved, and the appropriate countermeasures will then follow. Besides the ACM Digital Library, you can also find the paper on arXiv.
IEEE ACCESS and MDPI
Two longer works on identity management have been published in IEEE Access and by MDPI. In IEEE Access, you will find “Reference Service Model Framework for Identity Management“, an article on reference models for identity management designed with ArchiMate. Based on a meta-model described in detail, Wolfgang Hommel and I created models for different protocols, implementations, and directions. This leads to an overall model that shows the necessary interfaces and possible combinations. Based on this, useful tools that can be installed are identified.
In the article “Combining SABSA and Vis4Sec to the Process Framework IdMSecMan to Continuously Improve Identity Management Security in Heterogeneous ICT Infrastructures“, Sebastian Seeber, Wolfgang Hommel, and I try to develop a comprehensive improvement process for identity management, in particular identification, authentication, and authorization, which was studied in practice with a case study.
ICISSP 2023
Last week, the ICISSP conference took place in Lisbon, where I was able to present three papers and a poster. They are all publications based on student theses, which makes me even happier.
Anastasia Dimaratos developed a comparison metric for keystroke dynamics in her bachelor thesis; however, suitable data sets and templates are still missing for comparing the approaches in a meaningful way. Nevertheless, it is an important topic, especially since individual companies are already experimenting with keystroke dynamics, for example, to indirectly identify fraudulent calls. I myself see keystroke dynamics as a method that can be used for continuous authentication – if it is implemented in compliance with data protection regulations. According to the current status, I would not use it as primary authentication, and attack vectors also need to be analyzed more closely. However, that was explicitly not part of the work.
Marcus Walkow’s master’s thesis and seminar work, on which the paper is based, dealt with the systematic search for identity-related data on the Internet. In the paper, we first categorized the information and information sources before describing the implementation from the master’s thesis. The search was illustrated using Olaf Scholz as an example. But why is this important? Each of us leaves information on the Internet. This information can be used for attacks, such as customizing phishing scams or guessing poorly chosen, personally identifying passwords.
In her bachelor thesis, Amélie Dieterich, supervised by Matthias Schopp, Lars Stiemert and Christoph Steininger, tested and evaluated persistence methods of malware on Windows operating systems in a test environment, using a metric developed for this purpose. The individual methods are equally good, with two exceptions from the user account area. Changing an account is particularly bad, as it removes access from the actual user, while creating an admin account scored slightly better than the rest. What is striking, however, is the difference between the results without and with built-in countermeasures. According to the study, Windows Defender cannot distinguish between legitimate and illegitimate users.
Finally, there is the poster shown above, which is based on Andreas Eipper’s bachelor thesis. The thesis, and hence the paper, are about creating a Blue Team scenario for beginners using the example of a brute force attack on an authentication page. Even if the scenario sounds simple, the systematic approach behind it (from structuring to learning objectives to a simple description language) can be reused for other scenarios. In addition, it is important to introduce students to practice at an early stage, and we have succeeded in doing so.
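As an added illustration of the detection side of such a beginner scenario (my own example, not material from the thesis, the poster or its description language), the following script runs a sliding-window failed-login detector over a handful of constructed authentication log lines. The log format, the source addresses, the user names and the thresholds are all assumptions made for this example; a real exercise would adapt the regular expression to the web server or application log in use.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log format (assumption for this example): one login attempt per line.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) login "
    r"user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>OK|FAIL)$"
)

# Constructed sample lines: one source hammers the login page, another user mistypes twice.
SAMPLE_LOG = """\
2023-02-27T10:00:01Z login user=alice src=203.0.113.5 result=FAIL
2023-02-27T10:00:03Z login user=alice src=203.0.113.5 result=FAIL
2023-02-27T10:00:04Z login user=bob src=198.51.100.7 result=FAIL
2023-02-27T10:00:06Z login user=admin src=203.0.113.5 result=FAIL
2023-02-27T10:00:09Z login user=admin src=203.0.113.5 result=FAIL
2023-02-27T10:00:10Z login user=bob src=198.51.100.7 result=OK
2023-02-27T10:00:12Z login user=root src=203.0.113.5 result=FAIL
2023-02-27T10:00:15Z login user=root src=203.0.113.5 result=FAIL
this line is not a login event and is skipped by the parser
2023-02-27T10:05:40Z login user=carol src=192.0.2.9 result=FAIL
"""


def parse_line(line):
    """Return a dict with ts (datetime), user, src, result; None for non-matching lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return event


def detect_bruteforce(lines, threshold=5, window=timedelta(minutes=1)):
    """Flag a source that accumulates `threshold` failed logins within `window`.

    Keeps one deque of failure timestamps per source, drops timestamps that fell
    out of the window, and raises a single alert per source (a tuple of source,
    window start as ISO string, failure count, and the distinct user names tried).
    """
    failures = defaultdict(deque)   # src -> timestamps of recent failures
    users_tried = defaultdict(set)  # src -> user names seen in failures
    alerted = set()
    alerts = []
    for line in lines:
        event = parse_line(line)
        if event is None or event["result"] != "FAIL":
            continue
        src = event["src"]
        window_q = failures[src]
        window_q.append(event["ts"])
        users_tried[src].add(event["user"])
        while window_q and event["ts"] - window_q[0] > window:
            window_q.popleft()
        if len(window_q) >= threshold and src not in alerted:
            alerted.add(src)
            alerts.append((src, window_q[0].isoformat(), len(window_q),
                           sorted(users_tried[src])))
    return alerts


if __name__ == "__main__":
    for src, start, count, users in detect_bruteforce(SAMPLE_LOG.splitlines()):
        print(f"ALERT {src}: {count} failed logins since {start}, users tried: {users}")
```

Two design points worth discussing with beginners: the alert fires on the fifth failure inside the window rather than on every subsequent one, so a noisy source produces one ticket instead of hundreds, and the set of user names tried distinguishes a single-account brute force from an attempt that cycles through many names, which usually calls for a different response (lock the account versus block the source).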