
Publications - Papers

There are two ways of constructing a software design. One way is to make it so simple that there are obviously no deficiencies and the other is to make it so complicated that there are no obvious deficiencies (C.A.R. Hoare)


  • International Vulnerability Purchase Program (IVPP)
    Stefan Frei, Francisco Artes
    Security depends largely on ethical researchers reporting vulnerabilities under the practices of coordinated disclosure. Meanwhile, the black market is expanding rapidly and offering large rewards for the same information. Traditional approaches based on “more of the same” cannot deliver better overall security. How much are those that bear the costs willing to pay to reduce their losses incurred as a result of cyber crime? It is time to examine the economics of depriving cyber criminals of access to new vulnerabilities through the systematic purchase of all vulnerabilities discovered at or above black market prices.
    Published: December 17th, 2013
    [ Paper (pdf) | Area41 Slides (pdf) | NSS ]

  • The Known Unknowns
    Stefan Frei
    Vulnerabilities that are known only to privileged closed groups, such as cyber criminals, brokers, and governments, pose a real and present risk to all who use the affected software. Based on data from popular bug bounty programs, we find that on any given day over the past three years, privileged groups have had access to at least 58 vulnerabilities targeting Microsoft, Apple, Oracle, or Adobe. With specialized companies offering zero-day vulnerabilities for subscription fees that are well within the budget of a determined attacker, and with half a dozen boutique exploit providers jointly having the capacity to offer more than 100 exploits per year, privileged groups have the ability to compromise all vulnerable systems without the public ever being aware of the threats.
    Published: December 5th, 2013
    [ Paper | NSS ]


  • Cybercrime Kill Chain vs. Effectiveness of Defense Layers
    Stefan Frei, Francisco Artes
    This talk examines the attackers' kill chain and the measured effectiveness of typical defense technologies such as Next Generation Firewalls, Intrusion Prevention Systems (IPS), Antivirus/Malware Detection, and browsers' internal protection. Empirical data on the effectiveness of security products derived from NSS Labs' harsh real-world testing is presented. We find a considerable gap in protection levels within and across different security product groups. Using Maltego, complex correlations between undetected exploits, crimeware kits, and affected software vendors and products are demonstrated.
    Published: BlackHat Abu Dhabi, December 2012
    [ Talk | Paper | Supplement: Modeling Evasions ]


  • Cybercriminals do not need administrative users, 2011
    Stefan Frei
    This paper discusses the limitations of security by denying users administrative access to their systems, and highlights how cybercriminals can achieve their goals without administrative access.
    Published: Secunia, August 2011
    [ Paper ]

  • How to Secure a Moving Target with Limited Resources, 2011
    Stefan Frei, Brian Birkvald
    This white paper outlines the limitations of traditional defence mechanisms, specifically how cybercriminals have refined the malware manufacturing and development process to systematically bypass them – thereby initiating an arms race with defenders. Security patches are found to be a primary and effective means to escape this arms race as they remediate the root cause of compromise. However, timely patching of the software portfolio of any organisation is like chasing a continually moving target.
    Published: Secunia, July 2011
    [ Paper | Bibtex ]


  • Quantification of deviations from rationality with heavy-tails in human dynamics, 2010
    Thomas Maillart, Didier Sornette, Stefan Frei, Thomas Duebendorfer, Alexander Saichev
    The dynamics of technological, economic and social phenomena are controlled by how humans organize their daily tasks in response to both endogenous and exogenous stimulations. The general validity of the power law and the nature of other regimes remain unsettled. Using anonymized data collected by Google at the World Wide Web level, we identify the existence of several additional regimes characterizing the time required for a population of Internet users to execute a given task after receiving a message.
    Published: arXiv, July 2010
    [ Paper | Bibtex ]

  • The Security Exposure Of Software Portfolios, 2010
    Stefan Frei, Thomas Kristensen
    In this paper, we examine the software portfolio of the average user based on empirical data from over two million users frequently scanning their systems with Secunia's Personal Software Inspector (PSI). We demonstrate that the complexity and frequency of the actions required to keep a typical end-user system secure most likely exceed what users are able to invest.
    Published: RSA Conference, San Francisco, March 2010
    [ Paper | Secunia Blog | Bibtex ]


  • Modelling the Security Ecosystem - The Dynamics of (In)Security, 2009
    Stefan Frei, Dominik Schatzmann, Bernhard Plattner, Brian Trammel
    In this paper we provide a metric for the success of the "responsible disclosure" process. We measure the prevalence of the commercial markets for vulnerability information and highlight the role of security information providers (SIP), which function as the "free press" of the ecosystem.
    Published: Workshop on the Economics of Information Security (WEIS), London, June 2009
    [ Paper | HTML | Bibtex ]

  • Dissertation: Security Econometrics - The Dynamics of (In)Security, 2009
    Stefan Frei
    In this thesis I examine the security ecosystem, consolidating many aspects of security that have hitherto been discussed only separately. I analyze the paths vulnerability data take through the ecosystem, and the impact of each of these on security risk based on a quantitative analysis of 30,000 vulnerabilities disclosed over the past decade.
    [ Book | HTML | Bibtex ]

  • Why Silent Updates Boost Security, 2009
    Thomas Duebendorfer, Stefan Frei
    In this paper we analyze the effectiveness of different Web browsers' update mechanisms, from Google Chrome's silent update mechanism to Opera's update requiring a full re-installation.
    Published: CRITIS 2009 Critical Infrastructures Security Workshop, Bonn, 05-May-2009
    [ Paper | HTML | Slides (pdf) | Blog | Bibtex | Media Coverage ]

  • Firefox (In)security update dynamics exposed, 2009
    Stefan Frei, Thomas Duebendorfer, Bernhard Plattner
    How (in)secure is your Internet browser? You never know. One way to know more is to look at how frequently it gets updated, at global scale.
    Published: ACM SIGCOMM Computer Communication Review, January 2009
    [ Paper | HTML | Bibtex ]


  • Understanding the Web browser threat, 2008
    Stefan Frei, Thomas Duebendorfer, Gunter Ollmann, Martin May
    Examination of vulnerable online Web browser populations and the "insecurity iceberg"
    Published: DefCon 16 2008, 10-Aug-2008, Las Vegas, USA
    [ Paper | HTML | Slides (pdf) | Bibtex | Media Coverage ]

  • Putting private and government CERTs to the test, 2008
    Stefan Frei, Martin May
    In an independent research project at ETH Zurich, we monitored the world’s top security advisory providers for more than 18 months. Using a monitoring interval of only 30 minutes, we discovered significant differences in quality, quantity, and timeliness.
    Published: FIRST Annual Conference 2008, 27-Jun-2008, Vancouver, Canada
    [ Paper | Slides (pdf) | Bibtex ]

  • 0-Day Patch - Exposing Vendors (In)security Performance
    Stefan Frei, Bernhard Tellenbach, Bernhard Plattner
    We introduce the 0-day patch rate as a new metric to measure and compare the performance of the vulnerability handling and patch development processes of major software vendors. We use this metric to analyze Microsoft and Apple.
    Published: BlackHat 2008 Europe, 27-Mar-2008, Amsterdam, NL
    [ Paper | HTML | Slides (pdf) | Bibtex | Media Coverage ]


  • Large-Scale Vulnerability Analysis, 2006
    Stefan Frei, Martin May, Ulrich Fiedler, Bernhard Plattner
    We quantify the gap between exploit and patch availability for known vulnerabilities since 2000 and provide an analytical representation of our data which lays the foundation for further analysis and risk management.
    Published: ACM SIGCOMM 2006 Workshop, 11-Sep-2006, Pisa, Italy
    [ Paper | Bibtex ]

  • Technology Speed of Civil Jet Engines, 2006
    Stefan Frei, Urban Mäder
    The speed of technology innovation of civil jet engines is investigated. A technology measure based on airplane efficiency is derived and applied to jet airlines of different sizes and time periods, ranging back to the 1960s.
    Published: Case study at MTEC, 2006
    [ Paper ]

  • The Speed of (In)Security, 2006
    Stefan Frei, Martin May
    In-depth analysis of the speed of security vs. the speed of insecurity.
    Published: BlackHat 2006 USA, 03-Aug-2006, Las Vegas, USA
    [ Paper | Bibtex ]


  • Mail DDoS Attacks through Non Delivery Messages, 2004
    Stefan Frei, Gunter Ollmann, Ivo Silvestri
    Analysis and empirical study of how mail non-delivery notification processes can be exploited to launch denial of service attacks.
    Published: FullDisclosure, 05-Apr-2004
    [ Paper | HTML | Bibtex ]