Listing by author "Holz, Thorsten"
1 - 10 of 14
- Conference paper: An Analysis of 33 Gigabytes of Stolen Keylogger Data (Eine Analyse von 33 Gigabyte gestohlener Keylogger-Daten) (Informatik 2009 – Im Focus das Leben, 2009). Authors: Holz, Thorsten; Engelberth, Markus; Freiling, Felix C.
- Conference paper: A Comparative Study of Teaching Forensics at a University Degree Level (IT-Incident Management & IT-Forensics - IMF 2006, 2006). Authors: Anderson, Philip; Dornseif, Maximillian; Freiling, Felix C.; Holz, Thorsten; Irons, Alastair; Laing, Christopher; Mink, Martin.
  Computer forensics is a relatively young university discipline which has developed strongly in the United States and the United Kingdom but is still in its infancy in continental Europe. The national programmes and courses offered therefore differ in many ways. We report on two recently established degree programmes from two European countries: Great Britain and Germany. We present and compare the design of both programmes and conclude that they cover two complementary and orthogonal aspects of computer forensics education: (a) rigorous practical skills and (b) competence for fundamental research discoveries.
- Journal article: Cross-architecture bug search in binary executables (it - Information Technology: Vol. 59, No. 5, 2017). Authors: Pewny, Jannik; Garmany, Behrad; Gawlik, Robert; Rossow, Christian; Holz, Thorsten.
  With the general availability of closed-source software for various CPU architectures, there is a need to identify security-critical vulnerabilities at the binary level. Unfortunately, existing bug finding methods fall short in that they i) require source code, ii) only work on a single architecture (typically x86), or iii) rely on dynamic analysis, which is difficult for embedded devices. In this paper, we propose a system to derive bug signatures for known bugs. First, we compute semantic hashes for the basic blocks of the binary. We can then use these semantics to find code parts in the binary that behave similarly to the bug signature, effectively revealing code parts that contain the bug. As a result, we can find vulnerabilities, e.g., the famous Heartbleed vulnerabilities, in buggy binary code for any of the supported architectures (currently, ARM, MIPS and x86).
- Conference paper: Detecting Vulnerabilities with Electronic Decoys (Ermittlung von Verwundbarkeiten mit elektronischen Ködern) (Detection of intrusions and malware & vulnerability assessment, GI SIG SIDAR workshop, DIMVA 2004, 2004). Authors: Dornseif, Maximillian; Gärtner, Felix C.; Holz, Thorsten.
  Electronic decoys (honeypots) are network resources whose value lies in being attacked and compromised. Often these are computers that have no specific task in the network but are otherwise indistinguishable from regular machines. Decoys can be combined into decoy networks (honeynets). They are equipped with special software that facilitates the forensic analysis of a security violation that has occurred. Thanks to the variety of recorded data, considerably more can be learned about the behaviour of attackers in networks than with conventional forensic methods. This paper presents the philosophy of decoy networks and describes the first experiences gained with such a network at RWTH Aachen.
- Conference paper: Graphneighbors: hampering shoulder-surfing attacks on smartphones (Sicherheit 2014 – Sicherheit, Schutz und Zuverlässigkeit, 2014). Authors: Altiok, Irfan; Uellenbeck, Sebastian; Holz, Thorsten.
  Today, smartphones are widely used and they already have a growing market share of more than 70 % according to recent studies. These devices often contain sensitive data like contacts, pictures, or even passwords that can easily be accessed by an attacker if the phone is not locked. Since they are mobile and used as everyday gadgets, they are susceptible to being lost or stolen. Hence, access control mechanisms such as user authentication are required to prevent the data from being accessed by an attacker. However, commonly used authentication mechanisms like PINs, passwords, and Android Unlock Patterns suffer from the same weakness: they are all vulnerable to different kinds of attacks, most notably shoulder-surfing. A promising strategy to prevent shoulder-surfing is to only enter a derivation of the secret during the authentication phase. In this paper, we present a novel authentication mechanism based on the concept of graphical neighbors to hamper shoulder-surfing attacks. Results of a usability evaluation with 100 participants show that our implementation called GRAPHNEIGHBORS is applicable in comparison to commonly used authentication mechanisms.
- Conference paper: Honeypots and limitations of deception („Heute schon das Morgen sehen“, 19. DFN-Arbeitstagung über Kommunikationsnetze in Düsseldorf, 2005). Authors: Dornseif, Maximillian; Holz, Thorsten; Müller, Sven.
  To learn more about attack patterns and attacker behavior, the concept of electronic decoys, usually network resources (computers, routers, or switches) deployed to be probed, attacked, and compromised, is currently en vogue in the area of IT security under the name honeypots. These electronic baits claim to lure in attackers and help in the assessment of vulnerabilities. We give a basic introduction into honeypot concepts and present exemplary honeypot-based research in the area of phishing. Because honeypots are more and more deployed within computer networks, malicious attackers start to devise techniques to detect and circumvent these security tools. In the second part of this paper we focus on limitations of current honeypot-based methodologies. We show how an attacker typically proceeds when attacking this kind of system and present diverse tools and methods of deception and counter-deception.
- Conference paper: Learning more about attack patterns with honeypots (Sicherheit 2006, Sicherheit – Schutz und Zuverlässigkeit, 2006). Author: Holz, Thorsten.
- Conference paper: A malware instruction set for behavior-based analysis (Sicherheit 2010. Sicherheit, Schutz und Zuverlässigkeit, 2010). Authors: Trinius, Philipp; Willems, Carsten; Holz, Thorsten; Rieck, Konrad.
  We introduce a new representation for monitored behavior of malicious software called Malware Instruction Set (MIST). The representation is optimized for effective and efficient analysis of behavior using data mining and machine learning techniques. It can be obtained automatically during analysis of malware with a behavior monitoring tool or by converting existing behavior reports. The representation is not restricted to a particular monitoring tool and thus can also be used as a meta language to unify behavior reports of different sources.
- Conference paper: Monkey-Spider: Detecting Malicious Websites with Low-Interaction Honeyclients (SICHERHEIT 2008 – Sicherheit, Schutz und Zuverlässigkeit. Beiträge der 4. Jahrestagung des Fachbereichs Sicherheit der Gesellschaft für Informatik e.V. (GI), 2008). Authors: Ikinci, Ali; Holz, Thorsten; Freiling, Felix.
  Client-side attacks are on the rise: malicious websites that exploit vulnerabilities in the visitor's browser are posing a serious threat to client security, compromising innocent users who visit these sites without having a patched web browser. Currently, there is neither a freely available comprehensive database of threats on the Web nor sufficient freely available tools to build such a database. In this work, we introduce the Monkey-Spider project [Iki]. Utilizing it as a client honeypot, we portray the challenge in such an approach and evaluate our system as a high-speed, Internet-scale analysis tool to build a database of threats found in the wild. Furthermore, we evaluate the system by analyzing different crawls performed during a period of three months and present the lessons learned.
- Conference paper: Reconstructing people's lives: A case study in teaching forensic computing (IMF 2008 – IT Incident Management & IT Forensics, 2008). Authors: Freiling, Felix C.; Holz, Thorsten; Mink, Martin.
  In contrast to the USA and the UK, the academic field of forensic computing is still in its infancy in Germany. To foster the exchange of experiences, we report on lessons learnt in teaching two graduate level courses in forensic computing at a German university. The focus of the courses was to give a research-oriented introduction into the field. The first course, a regular lecture, was accompanied by two practical exercises: (1) a live analysis of a compromised honeypot, and (2) a dead analysis of a set of hard disks purchased on the web. The second course was a laboratory course with extensive experiments including forensic analysis of mobile phones. We give an overview of these courses and pay special attention to the reports resulting from the exercises, which clearly document the ubiquity of data available to forensic analysis.