
Page 1: Quality and Security Program Tirol Annual Report (qsp-tirol.at/download/QSP_Annual_Report_2014-15.pdf)

QE LaB Annual Report 13/14 Page 1

Annual Report 2014/2015

Quality and Security Program Tirol


Contents

About QSP (p. 3)

QSP Sponsoring Partners (p. 3)

QSP Supporting Partners (p. 4)

QSP Labs (p. 4)

QSP Talks (p. 8)

QSP Teaching (p. 9)

inDay students 2014 (p. 10)


About QSP

The Quality and Security Program Tirol is an initiative of the Institute of Computer Science at the University of Innsbruck to foster application-oriented education in the areas of software engineering, information security and IT management.

QSP Tirol offers a series of events such as Labs, Talks and Lectures given by renowned experts and is dedicated to students enrolled at Tyrolean universities.

QSP was inaugurated in November 2014 as part of inDay students, a day with talks, labs and presentations at the Institute of Computer Science.

Vyacheslav Zakorzhevsky, Kaspersky Lab, and Prof. Dr. Ruth Breu, at the inDay students 2014

QSP Sponsoring Partners

www.arz.at

www.barracuda.com

www.egger.com

www.mils.com


QSP Supporting Partners

www.kaspersky.com

http://sigma-star.at

www.av-comparatives.org

www.seppmed.de

http://lean42.com/de

http://www.gruender-consulting.com/

The Supporting Partners of the Quality and Security Program Tirol support the initiative by leading the QSP Labs and giving the QSP Talks.

QSP Labs

The Quality and Security Program Tirol offers a broad selection of labs lasting one to three half-days, held by renowned experts with hands-on knowledge transfer and addressed to university students.

Between November 2014 and June 2015 the students had the opportunity to attend 13 QSP Labs and to benefit from the knowledge of experienced experts from Kaspersky Lab, sepp.med, sigma star, University of Regensburg, ARZ Allgemeines Rechenzentrum, Lean42, Barracuda Networks, Gründer Consulting, ARM, itestra and IBM Austria.

QSP Labs: November 2014 - June 2015

27.11.2014 Vyacheslav Zakorzhevsky, Kaspersky Lab: Financial Malware and Corresponding Distribution Methods

28.11.2014 Martin Beißer, sepp.med gmbh: Modellbasiertes Testdesign - Testfälle automatisch generieren (Model-based test design: generating test cases automatically)

12.12.2014 Richard Weinberger, David Gstir, sigma star gmbh: Reverse Engineering Network Appliances

09.-10.01.2015 Harry M. Sneed, University of Regensburg: Analyzing and Testing Software Requirement Documents

16.01.2015 Dr. Helmut Gratl, ARZ Allgemeines Rechenzentrum GmbH: Sicherheitsarchitektur(en) im Enterprise Umfeld (Security architecture(s) in the enterprise environment)

27.02.2015 Inge Hanschke, Lean42 GmbH: EA Best Practices

06.03.2015 Christian Kovatsch, ARZ Allgemeines Rechenzentrum GmbH: Schwachstellen in Browser und Mobile Devices (Vulnerabilities in browsers and mobile devices)

13.03.2015 Helmut Gratl, ARZ Allgemeines Rechenzentrum GmbH: Sicherheitsüberprüfungen (Theorie und Best Practice) im professionellem Umfeld (Security assessments (theory and best practice) in a professional environment)

20.-21.03.2015 Martin Ortner and Gregor Koenig, Barracuda Networks: Secure Internet Communication

24.04.2015, 08.05.2015, 22.05.2015, 29.05.2015 Hannes Tschofenig, ARM Limited: Internet of Things (IoT)

26.06.2015 Tobias Simon, itestra GmbH: Software-Qualität im Wandel der Zeit (Software quality through the ages)

» Vyacheslav Zakorzhevsky, Kaspersky Lab: Financial Malware and Corresponding Distribution Methods

This lab covers all aspects of modern financial malware. Starting from its history and evolution, it discusses modern stealing techniques and the main distribution channels. The most popular method, web injection, is demonstrated, as is an example of a real drive-by attack against a virtual machine.

Vyacheslav Zakorzhevsky has been working at Kaspersky Lab since 2007. He started as a Virus Analyst and was subsequently promoted to Head of the Vulnerability Research Group. His main areas of interest are polymorphic viruses, exploits and financial malware. In 2014 Vyacheslav Zakorzhevsky was appointed Head of the Anti-Malware Team.

» Martin Beißer, sepp.med gmbh: Modellbasiertes Testdesign - Testfälle automatisch generieren (Model-based test design: generating test cases automatically)

The lab is dedicated to the method of model-based testing, which is designed to put test design on a solid, systematic and objective basis and is therefore gaining importance and attention. Test models are special graphical models, created for example in well-known UML tools, from which concrete, executable test cases can be derived automatically. The aim of the lab is to introduce the methodology of graphical test design.

Martin Beißer holds a PhD in Seismology. His industrial experience covers quality assurance and software development. Since 2000, Martin Beißer has been working for sepp.med gmbh in the area of the .mzT methodology and test design.


» Richard Weinberger, David Gstir, sigma star gmbh: Reverse Engineering Network Appliances

Modern appliances run complex firmware that can harm corporate security, since it may carry backdoors or be exploitable due to vulnerabilities. In this lab various reverse engineering methods are presented and examined. Students learn which basic components most network appliances share and how these can be attacked in order to find vulnerabilities or to understand how specific products work.

Richard Weinberger is co-founder of sigma star gmbh, which offers Linux kernel consulting services. Besides the kernel, he has a strong focus on various low-level components of Linux, including virtualization techniques.

David Gstir graduated from Graz University of Technology, where he specialized in IT Security. He is a senior software engineer and security expert in the sigma star consulting team.

» Harry M. Sneed, University of Regensburg: Analyzing and Testing Software Requirement Documents

In this lab Harry M. Sneed summarizes the history of software requirements engineering and explains how requirement documents have been checked in the past. He then presents a new automated approach to analyzing the text documents and generating logical test cases from them. He demonstrates the approach on several requirement documents taken from industry before giving the students the opportunity to practice the method themselves on sample documents.

Harry M. Sneed has been working in testing since 1977, when he took over the position of test manager for the Siemens ITS project. At that time he set up the first commercial test laboratory in Budapest. Since then he has written 22 books and over 400 articles, and he has developed more than 50 different tools.

» Dr. Helmut Gratl, ARZ Allgemeines Rechenzentrum GmbH: Sicherheitsarchitektur(en) im Enterprise Umfeld (Security architecture(s) in the enterprise environment)

The lab covers general security architecture principles and guidelines, procedures, requirements and restrictions, frameworks, standards, zone models, operational IT security management, organization and responsibilities, processes, compliance, auditability, and risk assessment.

Dr. Helmut Gratl has been working in the area of IT Security and Architecture for more than 20 years. He has many years of experience in developing complex IT security architectures, creating enterprise security policies and implementing IT security audits. He holds CISSP and CEH certifications.

» Inge Hanschke, Lean42 GmbH: EA Best Practices

Enterprise Architecture (EA) embraces all the processes required to document, analyze and plan an enterprise's IT landscape. Based on the experience of many projects and long discussions with both customers and academic researchers, Inge Hanschke has consolidated a comprehensive and practical toolkit for the strategic management of IT landscapes. In the lab, which reflects existing EA frameworks such as TOGAF, she demonstrates some of these best practices.

Inge Hanschke is Managing Director of Lean42 GmbH. Her assignments include the Lean42 EAM methods. Since gaining her degree in information technology, she has worked as an IT manager for user-side enterprises, an ERP product company, and IT service providers. She has successfully aligned both IT and service portfolios with a view to the business' requirements.

» Christian Kovatsch, ARZ Allgemeines Rechenzentrum GmbH: Schwachstellen in Browser und Mobile Devices (Vulnerabilities in browsers and mobile devices)

This lab is dedicated to identifying security vulnerabilities through JavaScript, profile building through browsers and mobile devices, and identifying the "failover" errors in the HTTPS stack of iOS.


» Helmut Gratl, ARZ Allgemeines Rechenzentrum GmbH: Sicherheitsüberprüfungen (Theorie und Best Practice) im professionellem Umfeld (Security assessments (theory and best practice) in a professional environment)

The lab addresses security verification and covers the following points: classification, standards (OWASP, OSSTMM, BSI, NIST), definition of a framework, implementation process, measures and reporting, and procurement.

» Martin Ortner, Gregor Koenig, Barracuda Networks: Secure Internet Communication

The main purpose of Transport Layer Security (TLS) is to transmit data in a secure and confidential way over an unsecured network. It is the de facto standard for secured communication on the Internet. This lab provides a profound knowledge and understanding of the algorithms used in TLS, in order to avoid the known pitfalls and weaknesses. It explains the technical background of the cryptographic algorithms used in TLS as well as the existing attacks in an understandable and practical way, and presents strategies to prevent them.

Dr. Gregor Koenig has been working for Barracuda Networks AG since 2013, where he develops products for secure internet communication. Before joining Barracuda Networks, Dr. Koenig was a scientist at the Austrian Institute of Technology in the field of bio-signal processing for medical devices. He wrote his PhD thesis at the Medical University of Vienna and was a lecturer at the Technical University of Vienna. Previously he worked for Frequentis AG in the research and development of safety-critical communication systems for air-traffic security.

Martin Ortner graduated with a master's degree from the department of Secure Information Systems at the University of Applied Sciences Upper Austria. He joined Barracuda Networks AG in 2011, where he creates network security products as a Software Developer in Quality Assurance.

» Torsten Gründer, Gründer Consulting: IT-Outsourcing Management

The lab provides concrete and practical knowledge about strategic outsourcing projects, their design and implementation. Based on typical scenarios, participants learn to avoid common mistakes, to control risks and, specifically, to take advantage of the opportunities resulting from outsourcing. Key aspects of this lab are: project organization and management, specifications, contracts, pricing models, transition, project control, termination management, as well as case studies and experience from more than 120 outsourcing projects.

Torsten Gründer is an expert in the area of outsourcing, an author and a lecturer. For over 15 years, as Managing Director of Gründer Consulting GmbH, he has been providing consultancy services in IT Services/IT Outsourcing. He has developed the OMIT Reference Model, a project management method for successful outsourcing implementation.

» Hannes Tschofenig, ARM Limited: Internet of Things (IoT)

An increasing number of everyday devices not only contain a microcontroller but are also connected to the Internet. In this course the students learn about ARM-based microprocessors (in particular the Cortex M0 from Nordic Semiconductor), how to program these processors, how to work with sensors and actuators, how to communicate with other devices (particularly smartphones and tablets) using Bluetooth Smart (a fairly new low-power radio technology), and the Internet technologies used in IoT deployments.

Hannes Tschofenig is employed by ARM Limited, a company known for its widely used low-power microprocessors found in tablets, mobile phones, and embedded devices. He is focused on developing global standards to make the Internet work better. For the past 14+ years he has been active in one of the leading Internet standards developing organizations, the Internet Engineering Task Force (IETF), contributing to more than 60 technical specifications on security, privacy, and emergency services. Prior employers include EDPS, Nokia, and Siemens.


» Tobias Simon, itestra GmbH: Software-Qualität im Wandel der Zeit (Software quality through the ages)

Quality requirements change over time due to technical progress and the requirements of the environment. In this lab, the lab expert and the students discuss how to define software quality and its relevance to the economy. With concrete, practical examples, the lab attendants gain a detailed insight into how computer scientists and entrepreneurs understand quality.

Tobias Simon received his degree in Computer Science at the Technical University of Munich. He has been working for itestra GmbH since 2006. His main focus is on quality analysis of central software systems and the re-engineering and optimization of legacy systems.

QSP Talks

Besides the QSP Labs, university students also have the opportunity to attend evening events with presentations given by experts from industry and academia.

QSP Talks: November 2014 - June 2015

27.11.2014 Stefan Ortloff, Kaspersky Lab: A Retrospective View On Banking Malware

Banking trojans are, from the criminal's perspective, the most direct way to steal other people's money. There is a big four that never seems to go away: Carberp, Citadel, SpyEye, and especially Zeus. In this talk, Stefan Ortloff gives a retrospective view on banking malware, mostly on the notorious ZeuS trojan aka ZBot.

Stefan Ortloff has more than 15 years of experience in the IT industry, in different business areas and as a freelancer. He joined Kaspersky Lab in 2007. In 2010 he was appointed to the position of Virus Analyst in the Global Research & Analysis Team. Stefan Ortloff specializes in reverse engineering, analysis of botnets and forensics. Non-Windows, specifically Linux-based, malware is also within his area of interest.

27.11.2014 Rainer Böhme, Wilhelms-Universität Münster: Kryptographische Währungen als Zahlungsmittel: Prinzipien, Potenziale und Probleme am Beispiel Bitcoin (Cryptographic currencies as a means of payment: principles, potential and problems using the example of Bitcoin)

The financial sector was one of the first commercial users of digital technology and, later, cryptography. In this talk Rainer Böhme presents the possible operations on cryptographic currencies using the example of Bitcoin.

Rainer Böhme is an assistant professor at the Institute of Business Information Technology of the University of Münster and specializes in IT security. His research focuses on economic aspects of IT security and data protection, digital forensics and cyber crime, as well as privacy-enhancing technology.

28.01.2015 Hannes Tschofenig, ARM Limited: Securing the Internet of Things

Every day, innovative companies and crowdfunding projects launch new products in the areas of smart cities, home automation, and wearables. Companies as well as researchers are exploring ways to make software and hardware development easier for the masses. Standardized Internet protocols and the availability of software libraries play an important role in lowering the barrier to entry. What is the place of security and privacy in this exciting development? Based on the work at ARM, the industry's leading supplier of microprocessor technology, Hannes Tschofenig describes in his talk how a security solution for the Internet of Things could look and which threats can be mitigated.


29.04.2015 Václav Pech, JetBrains: JetBrains MPS - Speaking your language

Václav Pech's talk is dedicated to Domain Specific Languages and the possibility of designing one's own DSL: business rules, workflow definitions, structured configurations or handy language extensions that simplify life.

Václav Pech is a software developer in server-side Java technologies, distributed and concurrent systems, modern programming languages and DSLs. He joined JetBrains to create top-notch development tools. He is involved in the MPS project, developing a projectional DSL workbench and building customized DSLs.

18.06.2015 Michael Brunner, Christian Sillaber, Universität Innsbruck: Herausforderungen für Next Generation IT Compliance Management Systeme (Challenges for next-generation IT compliance management systems)

The topic of IT Compliance includes all those measures which serve compliance with legal requirements, policies and security objectives of the company's internal IT. In addition to legal compliance, the associated risk reduction is targeted through process standardization and centralized control of security measures for company-wide efficiency and effectiveness. This talk presents the background and the requirements of IT Compliance and the associated frameworks. Against the background of current standards and best practices, the specific challenges are discussed and demonstrated, with an emphasis on future compliance management dealing with the increasing complexity of systems and networked applications.

Ing. Michael Brunner, MSc worked as an IT consultant and as a senior software developer before completing his studies in Computer Science. Since 2013 he has been working as a research assistant in the research group Quality Engineering at the University of Innsbruck.

Mag. Christian Sillaber, MSc is a research associate in the research group Quality Engineering at the University of Innsbruck. His research interests concern operational safety management and the qualitative evaluation of safety documentation.

QSP Teaching

QSP Teaching comprises elective lectures and labs in the area of Software Engineering and Information Security offered within the Bachelor and Master Program in Computer Science at the University of Innsbruck.

» Felix Erlacher, Matthias Gander, Clemens Sauerwein: Angewandte Informationssicherheit (Applied Information Security) (Lecture, WS 2014/15)

» Dr. Matthias Farwick: Domain-specific Language Engineering (Lecture, SS 2015)

Additionally, QSP Tirol offers Bachelor and Master Theses in collaboration with the QSP Partners.

Master Theses

» Automated Malware Tests on Smartphones (Christoph Leitner)

Bachelor Theses

» Evaluierung einer Plattform für Wissensmanagement in einer IT Abteilung (Evaluation of a knowledge management platform in an IT department) (Martin Haslinger)

» Designing Secure Architectures for Cloud-Deployed Data (Peter Kirk)

» Workflow Management System for Automated Malware Removal Tests (Juri Seelmann)


inDay students 2014

The first edition of inDay students took place on November 27th, 2014. Its mission was to bring together students of Computer Science and inform them about the research groups, collaborating industry partners and spin-offs.

The winner of the Students' Projects Slam: Sebastian Stabinger with Dr. Andreas Doblander (ARZ) and Michael Danzl (Egger Holz)

The audience at inDay students 2014 presentations


Contact:

Prof. Dr. Ruth Breu
Institute of Computer Science
University of Innsbruck
Technikerstrasse 21a
6020 Innsbruck
Tel: +43 (0)512-507-53203
Fax: +43 (0)512-507-53029