Our student team won this year's TDSE, a programming competition at TU Braunschweig. They developed a privacy-preserving GPS tag which, with the corresponding Android app, can help locate lost cars or bicycles. The system features independence, robustness, security and a small digital footprint. To achieve this, the students avoided the use of third-party and cloud services and relied on open-source software and encryption.
2nd Cybersecurity Meetup Braunschweig hosted at IAS and IBR
Two days ago, the IAS and IBR institutes hosted the "2nd Cybersecurity Meetup Braunschweig". We welcomed 50 participants from academia (TU Braunschweig and Ostfalia) and industry (Siemens Mobility, Siemens AG, VW, Cymotive, IAV, heylogin, dynexo) at the Plaza of our Informatikzentrum for an evening of enlightening talks and engaging discussions. We were delighted to help organize this fantastic event and are eagerly looking forward to the third Cybersecurity Meetup.
Hacklab is over and the results are in! This time even more participants took on our challenges and proved their knowledge and skill in IT security. We're happy and proud that the course received such positive feedback again.
To finish off the semester, we met up at our award ceremony, honouring the exceptional performance of those at the top of the leaderboard. After giving some insight into our perspective on the technical side of the course, we opened the discussion about different solutions and approaches to the tasks. We had a great time and really hope you did as well!
The Hacklab (Praktikum IT-Sicherheit 2), together with Seclab (Praktikum IT-Sicherheit), is a practical IT security course inspired by Capture-the-Flag (CTF) competitions. Over the course of six units, students hack small, vulnerable applications, demonstrating their knowledge of common vulnerability classes and their ability to craft exploits. Armed with insights from the attacker's perspective, students become aware of possible pitfalls in software development.
If you missed the course this semester, you will get another chance at the Hacklab next year in WS 2023/24. Additionally, we're offering the Seclab in SS 2023, which serves as a good foundation. See you there!
Trackers in mobile apps @ FireShonks
Malte Wessels, IAS master's graduate Benjamin Altpeter, and Lorenz Sieben gave their talk "Trackers in mobile apps and their legality—A look at the mobile tracking landscape" at FireShonks, representing both the IAS and Datenanfragen.de e.V. FireShonks is one of the decentralized end-of-year events organized by the chaos community.
They gave a technical deep dive into the current mobile tracking landscape, presenting research from the IAS, including Benjamin's master's thesis, as well as additional research done for Datenanfragen.de e.V.
After covering the technical challenges associated with privacy studies on Android and iOS and presenting their results along with examples of privacy violations, they discussed the legal implications and countermeasures.
We are thrilled to announce that Marius Musch has successfully defended his dissertation and is now the IAS’s first doctor. We would like to congratulate Marius: his excellent work and dedication have paid off, and we wish him continued success in his future endeavors.
The inaugural rendition of the hacking and IT security challenge Deutschlands Bester Hacker featured 300 participants from all over Germany. After three online qualification rounds, the top 25 hackers met in Munich for the final hacking challenge.
Since the conference was held virtually last year, all authors of full papers were invited to bring a poster of their published work to this year's in-person conference.
Input sanitization is the main technique to defend against injection attacks such as Client-Side Cross-Site Scripting. With more and more functionality being offered in the form of web applications, the importance of correct sanitizing functions increases as well.
When websites have use cases like displaying previews or screenshots of other websites, maintainers tend to shift from simple tools like curl to fully-fledged automated browsers, like Puppeteer, to match the ever-growing complexity of the modern Web. However, visiting arbitrary, user-controlled URLs with these browsers requires that they be diligently kept up to date. In our work, we investigated the phenomenon of server-side browsers at scale. We found that many websites run severely outdated browsers on the server side, most of them not updated for more than six months and vulnerable to publicly available proof-of-concept exploits.