005 Computerprogrammierung, Programme, Daten
Refine
Departments, institutes and facilities
- Institut für Cyber Security & Privacy (ICSP) (109) (remove)
Document Type
- Conference Object (79)
- Article (23)
- Part of a Book (2)
- Book (monograph, edited volume) (1)
- Contribution to a Periodical (1)
- Research Data (1)
- Doctoral Thesis (1)
- Preprint (1)
Year of publication
Language
- English (109) (remove)
Keywords
- Usable Security (6)
- HTTP (5)
- security (5)
- Cloud (4)
- GDPR (4)
- REST (4)
- Risk-based Authentication (4)
- Web (4)
- Authentication (3)
- Big Data Analysis (3)
- SOA (3)
- web caching (3)
- web services (3)
- Cloud Security (2)
- Malware analysis (2)
- Password (2)
- Privacy (2)
- SOAP (2)
- Security (2)
- TLS (2)
- WS-Security (2)
- XML Signature (2)
- XML Signature Wrapping (2)
- usable privacy (2)
- API Documentation (1)
- API usability (1)
- Account (Datenverarbeitung) (1)
- Account Security (1)
- Adaptive Media Streaming (1)
- Adaptive Streaming (1)
- Advance Encryption Standard (1)
- Affective computing (1)
- Analysis (1)
- Authentication features (1)
- Authentifikation (1)
- Botnet tracking (1)
- Botnets (1)
- Browser cache (1)
- Cache Poisoning (1)
- Certificates (1)
- Cipher Block Chain (1)
- Cloud Computing security (1)
- Cloud Malware Injection (1)
- Cloud Standards (1)
- CoAP (1)
- Computer Security (1)
- Computersicherheit (1)
- Conficker (1)
- Conformance Testing (1)
- Content Security Policies (1)
- Countermeasures (1)
- Cyber Attacks (1)
- Cyber Security (1)
- Cybercrime (1)
- Cybercrime Legislation (1)
- DASH (1)
- DNSSEC (1)
- Data Compression (1)
- Data Protection Officer (1)
- Data Reduction (1)
- Data Tiles (1)
- Denial of Service (1)
- Design patterns (1)
- Developer Centered Security (1)
- Difference-coding (1)
- Digital Ecosystem (1)
- Digital signatures (1)
- E-Health (1)
- Employee data protection (1)
- Evaluation (1)
- Expert Interviews (1)
- File carving (1)
- Fragmented files (1)
- Frontend architecture (1)
- Full-text Search (1)
- HTML5 (1)
- HTTPS (1)
- Header whitelisting (1)
- Host-Based Code Injection Attacks (1)
- Human factors (1)
- Human-Robot-Interaction (HRI) (1)
- Implementation Challenges (1)
- Informational self-determination (1)
- Intermediaries (1)
- Internet Technology (1)
- IoT services security (1)
- JOSE (1)
- JPEGs (1)
- JSON (1)
- Large-Scale Online Services (1)
- Legal metrology (1)
- Live Streaming (1)
- Login (1)
- Malware (1)
- Malware Detection (1)
- Memory forensics (1)
- Mental Models (1)
- Message Authentication (1)
- Microservices (1)
- Multimedia Communication (1)
- Multimedia forensics (1)
- Online Services (1)
- OpenStack (1)
- PHR (1)
- Partial Data Protection (1)
- Partial Signature (1)
- PartialEncryption (1)
- Password Masking (1)
- Password Visualization (1)
- Passwords (1)
- Passwort (1)
- Performance (1)
- Personal Health Record (1)
- Phishing (1)
- Privacy engineering (1)
- Privacy in the workplace (1)
- Privacy patterns (1)
- Privacy perceptions (1)
- Public Key Infrastructure (1)
- Push-based Streaming (1)
- RACS (1)
- RBAR (1)
- REST security (1)
- Restful Web Services (1)
- Risk-Based Account Recovery (1)
- Risk-based Authentication (RBA) (1)
- SAML (1)
- SELMA (1)
- SaaS (1)
- Secure Cloud Storage (1)
- Secure Coding Practices (1)
- Secure data transfer (1)
- Security APIs (1)
- Security Protocol (1)
- Semantic gap (1)
- Service-Oriented Architecture (1)
- Software Security (1)
- Stuxnet (1)
- Testing (1)
- Testing Tool (1)
- Thin Client (1)
- Two-factor Authentication (1)
- UI-Dressing (1)
- URI (1)
- Usable Security and Privacy (1)
- User-Centered Design (1)
- Video (1)
- Warnings (1)
- Web Browser (1)
- Web Browser Cache (1)
- Web Information Systems and Technologies (1)
- Web Interfaces and Applications (1)
- Web Portal (1)
- Web Security (1)
- Web Service (1)
- Web Service Security (1)
- Web Services and Web Engineering (1)
- WebSocket (1)
- WebSockets (1)
- Wind Fields (1)
- Wind Flow Visualization (1)
- Workflow (1)
- XML (1)
- XML Security (1)
- XSpRES (1)
- attacks (1)
- caching (1)
- cooperation (1)
- cryptographic apis (1)
- developer console (1)
- distributed systems (1)
- emotion recognition (1)
- employee privacy (1)
- end-to-end security (1)
- factor analysis (1)
- focus groups (1)
- human-centred design (1)
- humanoidrobot (1)
- informational self-determination (1)
- intervention mechanisms (1)
- latent class analysis (1)
- mental models (1)
- participatory design (1)
- privacy at work (1)
- privacy by design (1)
- security and privacy literacy (1)
- security warning design (1)
- services (1)
- signature (1)
- social robots (1)
- software development (1)
- structural equation modeling (1)
- transparency-enhancing technologies (1)
- usable privacy controls (1)
- usable secure email (1)
- user interface design (1)
- visualization (1)
- web services security (1)
The European General Data Protection Regulation requires the implementation of Technical and Organizational Measures (TOMs) to reduce the risk of illegitimate processing of personal data. For these measures to be effective, they must be applied correctly by employees who process personal data under the authority of their organization. However, even data processing employees often have limited knowledge of data protection policies and regulations, which increases the likelihood of misconduct and privacy breaches. To lower the likelihood of unintentional privacy breaches, TOMs must be developed with employees’ needs, capabilities, and usability requirements in mind. To reduce implementation costs and help organizations and IT engineers with the implementation, privacy patterns have proven to be effective for this purpose. In this chapter, we introduce the privacy pattern Data Cart, which specifically helps to develop TOMs for data processing employees. Based on a user-centered design approach with employees from two public organizations in Germany, we present a concept that illustrates how Privacy by Design can be effectively implemented. Organizations, IT engineers, and researchers will gain insight on how to improve the usability of privacy-compliant tools for managing personal data.
Is It Really You Who Forgot the Password? When Account Recovery Meets Risk-Based Authentication
(2024)
Risikobasierte Authentifizierung (RBA) ist ein adaptiver Ansatz zur Stärkung der Passwortauthentifizierung. Er überwacht eine Reihe von Merkmalen, die sich auf das Loginverhalten während der Passworteingabe beziehen. Wenn sich die beobachteten Merkmalswerte signifikant von denen früherer Logins unterscheiden, fordert RBA zusätzliche Identitätsnachweise an. Regierungsbehörden und ein Erlass des US-Präsidenten empfehlen RBA, um Onlineaccounts vor Angriffen mit gestohlenen Passwörtern zu schützen. Trotz dieser Tatsachen litt RBA unter einem Mangel an offenem Wissen. Es gab nur wenige bis keine Untersuchungen über die Usability, Sicherheit und Privatsphäre von RBA. Das Verständnis dieser Aspekte ist jedoch wichtig für eine breite Akzeptanz.
Diese Arbeit soll ein umfassendes Verständnis von RBA mit einer Reihe von Studien vermitteln. Die Ergebnisse ermöglichen es, datenschutzfreundliche RBA-Lösungen zu schaffen, die die Authentifizierung stärken bei gleichzeitig hoher Menschenakzeptanz.
Risk-Based Authentication for OpenStack: A Fully Functional Implementation and Guiding Example
(2023)
Online services have difficulties to replace passwords with more secure user authentication mechanisms, such as Two-Factor Authentication (2FA). This is partly due to the fact that users tend to reject such mechanisms in use cases outside of online banking. Relying on password authentication alone, however, is not an option in light of recent attack patterns such as credential stuffing.
Risk-Based Authentication (RBA) can serve as an interim solution to increase password-based account security until better methods are in place. Unfortunately, RBA is currently used by only a few major online services, even though it is recommended by various standards and has been shown to be effective in scientific studies. This paper contributes to the hypothesis that the low adoption of RBA in practice can be due to the complexity of implementing it. We provide an RBA implementation for the open source cloud management software OpenStack, which is the first fully functional open source RBA implementation based on the Freeman et al. algorithm, along with initial reference tests that can serve as a guiding example and blueprint for developers.
Digital ecosystems are driving the digital transformation of business models. Meanwhile, the associated processing of personal data within these complex systems poses challenges to the protection of individual privacy. In this paper, we explore these challenges from the perspective of digital ecosystems' platform providers. To this end, we present the results of an interview study with seven data protection officers representing a total of 12 digital ecosystems in Germany. We identified current and future challenges for the implementation of data protection requirements, covering issues on legal obligations and data subject rights. Our results support stakeholders involved in the implementation of privacy protection measures in digital ecosystems, and form the foundation for future privacy-related studies tailored to the specifics of digital ecosystems.
Login Data Set for Risk-Based Authentication
Synthesized login feature data of >33M login attempts and >3.3M users on a large-scale online service in Norway. Original data collected between February 2020 and February 2021.
This data sets aims to foster research and development for <a href="https://riskbasedauthentication.org">Risk-Based Authentication (RBA) systems. The data was synthesized from the real-world login behavior of more than 3.3M users at a large-scale single sign-on (SSO) online service in Norway.
Risk-based authentication (RBA) aims to protect users against attacks involving stolen passwords. RBA monitors features during login, and requests re-authentication when feature values widely differ from those previously observed. It is recommended by various national security organizations, and users perceive it more usable than and equally secure to equivalent two-factor authentication. Despite that, RBA is still used by very few online services. Reasons for this include a lack of validated open resources on RBA properties, implementation, and configuration. This effectively hinders the RBA research, development, and adoption progress.
To close this gap, we provide the first long-term RBA analysis on a real-world large-scale online service. We collected feature data of 3.3 million users and 31.3 million login attempts over more than 1 year. Based on the data, we provide (i) studies on RBA’s real-world characteristics plus its configurations and enhancements to balance usability, security, and privacy; (ii) a machine learning–based RBA parameter optimization method to support administrators finding an optimal configuration for their own use case scenario; (iii) an evaluation of the round-trip time feature’s potential to replace the IP address for enhanced user privacy; and (iv) a synthesized RBA dataset to reproduce this research and to foster future RBA research. Our results provide insights on selecting an optimized RBA configuration so that users profit from RBA after just a few logins. The open dataset enables researchers to study, test, and improve RBA for widespread deployment in the wild.
The processing of employees’ personal data is dramatically increasing, yet there is a lack of tools that allow employees to manage their privacy. In order to develop these tools, one needs to understand what sensitive personal data are and what factors influence employees’ willingness to disclose. Current privacy research, however, lacks such insights, as it has focused on other contexts in recent decades. To fill this research gap, we conducted a cross-sectional survey with 553 employees from Germany. Our survey provides multiple insights into the relationships between perceived data sensitivity and willingness to disclose in the employment context. Among other things, we show that the perceived sensitivity of certain types of data differs substantially from existing studies in other contexts. Moreover, currently used legal and contextual distinctions between different types of data do not accurately reflect the subtleties of employees’ perceptions. Instead, using 62 different data elements, we identified four groups of personal data that better reflect the multi-dimensionality of perceptions. However, previously found common disclosure antecedents in the context of online privacy do not seem to affect them. We further identified three groups of employees that differ in their perceived data sensitivity and willingness to disclose, but neither in their privacy beliefs nor in their demographics. Our findings thus provide employers, policy makers, and researchers with a better understanding of employees’ privacy perceptions and serve as a basis for future targeted research
on specific types of personal data and employees.
Risk-based authentication (RBA) extends authentication mechanisms to make them more robust against account takeover attacks, such as those using stolen passwords. RBA is recommended by NIST and NCSC to strengthen password-based authentication, and is already used by major online services. Also, users consider RBA to be more usable than two-factor authentication and just as secure. However, users currently obtain RBA's high security and usability benefits at the cost of exposing potentially sensitive personal data (e.g., IP address or browser information). This conflicts with user privacy and requires to consider user rights regarding the processing of personal data. We outline potential privacy challenges regarding different attacker models and propose improvements to balance privacy in RBA systems. To estimate the properties of the privacy-preserving RBA enhancements in practical environments, we evaluated a subset of them with long-term data from 780 users of a real-world online service. Our results show the potential to increase privacy in RBA solutions. However, it is limited to certain parameters that should guide RBA design to protect privacy. We outline research directions that need to be considered to achieve a widespread adoption of privacy preserving RBA with high user acceptance.
Components and Architecture for the Implementation of Technology-Driven Employee Data Protection
(2021)
Recent years have seen extensive adoption of domain generation algorithms (DGA) by modern botnets. The main goal is to generate a large number of domain names and then use a small subset for actual C&C communication. This makes DGAs very compelling for botmasters to harden the infrastructure of their botnets and make it resilient to blacklisting and attacks such as takedown efforts. While early DGAs were used as a backup communication mechanism, several new botnets use them as their primary communication method, making it extremely important to study DGAs in detail.
In this paper, we perform a comprehensive measurement study of the DGA landscape by analyzing 43 DGAbased malware families and variants. We also present a taxonomy for DGAs and use it to characterize and compare the properties of the studied families. By reimplementing the algorithms, we pre-compute all possible domains they generate, covering the majority of known and active DGAs. Then, we study the registration status of over 18 million DGA domains and show that corresponding malware families and related campaigns can be reliably identified by pre-computing future DGA domains. We also give insights into botmasters’ strategies regarding domain registration and identify several pitfalls in previous takedown efforts of DGA-based botnets. We will share the dataset for future research and will also provide a web service to check domains for potential DGA identity.
Helping Johnny to Analyze Malware: A Usability-Optimized Decompiler and Malware Analysis User Study
(2016)
In education, finding the appropriate learning pace that fits to the members of a large group is a challenging task. This becomes especially evident when teaching multidisciplinary subjects such as epidemiology in medicine or computer science in most study programs, since lecturers have to face a very heterogeneous state of previous knowledge. Approaching this issue requires an individual supervision of each and every student, which is obviously bounded by the available resources. Moreover, when referring back to the second example, writing computer programs requires a complex installation and configuration of development tools. Many beginning programmers already become stuck at this entry stage. This paper introduces WHELP, a Web-based Holistic E-Learning Platform, which provides an integrated environment enabling the learning and teaching of computer science topics without the need to install any software. Moreover, WHELP includes an interactive feedback system for each programming exercise, where lecturers or tutors can supply comments, improvements, code assistance or tips helping the students to accomplish their tasks. Furthermore, WHELP offers a statistical analysis module as well as a real-time classroom polling system both promoting an overview of the state of knowledge of a course. In addition to that, WHELP enables collaborative working including code-sharing and peer-to-peer learning. This feature enables students to work on exercises simultaneously at distinct places. WHELP has been successfully deployed in the winter term 2013 at the Cologne University of Applied Sciences supporting the 120 students and 3 lecturers to learn and teach basic topics of computer science in an engineering study program.