.
A. Saichev (1), Alexander Saichev (1), Bernhard Plattner (5), Bernhard Tellenbach (1), Brian Birkvald (1), Brian Trammel (1), Christof Jungo (2), D. Sornette (1), Daniel Busch (1), Didier Sornette (1), Dominik Schatzmann (1), Francisco Artes (3), Group Security Swisscom (1), Gunter Ollmann (2), Ivo Silvestri (1), Jonathan Smith (1), Martin May (4), Matt Blaze (1), Raphael Reischuk (1), S. Frei (1), Sandy Clark (1), Stefan Frei (43), T. Dubendorfer (1), T. Maillart (1), Thomas Duebendorfer (4), Thomas Kristensen (1), Thomas Maillart (1), Ulrich Fiedler (1), Urban Mäder (1), Yves Bieri (1)
Stefan Frei, Christof Jungo, Daniel Busch, Raphael Reischuk
A call for systematic and independent testing of cyber products
.
Stefan Frei
Understanding of the fundamental mechanics and limitations of cyber security
.
Stefan Frei
This presentation is about the important but largely overlooked fact that we must assume that critical components of our infrastructure are already compromised, from applications and operating systems down the everyday devices, their firmware, hardware and individual chips. We have come to rely on a ..
.
Stefan Frei
In connecting people and machines ever more closely together, the Internet has changed our lives forever in just two decades. These changes are disruptive, like the introduction of electricity, railroads, or airplanes. This latest digital innovation is not the first to prompt critical questions regarding ..
.
Stefan Frei
See also the e-voting attack simulator https://www.evotesim.ch
.
Stefan Frei, Group Security Swisscom
Increasing digitisation in our society and economy means that business, authorities and private individuals are storing larger, more critical pools of data of all types. It comes as no big surprise that the years-long series of enormous data breaches persisted at a high level 2016. In the past, data ..
.
Stefan Frei
In connecting people and machines ever more closely together, the internet has changed our lives forever. These changes are disruptive, like the introduction of the railroads and the automobile. This latest innovation is not the first to prompt critical questions regarding security and safety. New possibilities ..
.
Stefan Frei
Das Internet verbindet zunehmend Menschen und Maschinen und hat unser Leben nachhaltig verändert. Die Umwälzungen sind disruptiv, wie damals die Einführung der Eisenbahn oder des Automobils. Dies ist nicht die erste Innovation, welche kritische Fragen zur Sicherheit aufwirft. Neue Möglichkeiten wie ..
.
Yves Bieri, Stefan Frei, Christof Jungo
A FortiGate configured to use flow-based protection will stop monitoring network sessions that are active when a scanning engine is reloaded after an update (nearly instantaneous process). This tends to impact long lived network sessions, with chances to be alive during and after an update, such as ..
.
Stefan Frei
This talk first addresses the peculiarities of the cyber security field and what the software industry had to painfully learn in the past decades in order to adapt to these new threats. To understand the cyber landscape and how it affects aviation we classify threat actors and explain global developments ..
.
Stefan Frei
With the rise of the internet and the increasing dependence of our society and economy on communication technologies, cyber security has become critical issue for all types of businesses. In just two decades, various industries were confronted with fundamentally new types of threats, threat actors and ..
.
Stefan Frei
In diesem Bericht beleuchten wir aus Sicht von Swisscom und der Schweiz die aktuelle Lage im Hinblick auf die Cyber-Bedrohungen und geben als führendes Schweizer ICT- Unternehmen eine Einschätzung der Entwicklungen für die kommenden 12 bis 24 Monate ab.
.
Stefan Frei
This report sheds light on the current status of cyber threats from the perspective of Swisscom and of Switzerland as a whole. As a leading Swiss ICT provider, we bring to you an evaluation of the developments forecast for the coming 12 to 24 months.
.
Stefan Frei
Dans le présent rapport, nous mettons en lumière la situation actuelle en matière de cybermenaces du point de vue de Swisscom et de la Suisse et, en tant qu’entreprise leader du marché des TIC en Suisse, donnons une estimation des développements attendus pour les 12 à 24 mois à venir.
.
Stefan Frei
In questa relazione presenteremo la situazione attuale delle cyber-minacce dal punto di vista di Swisscom e della Svizzera e, come principale azienda ICT svizzera, forniremo una stima sulla loro evoluzione nei prossimi 1-2 anni.
.
Stefan Frei
This talk is about security vulnerability disclosure principles and the speaker discussed the theory of what happens if someone buys every single vulnerability report for “just” 150.000 USD. A crazy idea, but in comparison to GDPs and revenues, it really starts to make sense and additionally: It is above ..
.
Stefan Frei
This paper explains how cyber criminals operate botnets and compromise victims at large scale, and informs organizations how to best utilize cyber threat intelligence to protect their business and deal with infected customers. In todays threat environment, security is as much about prevention as it is ..
.
Stefan Frei
Every data breach, regardless of its source, allows cyber criminals to refine current data, correlate it with new data, and create profiles that can identify millions of users – with severe consequences for their victims. Data that has been lost cannot be taken back - information such as social security ..
.
Stefan Frei, Francisco Artes
The global economy increasingly has come to rely on information systems, and yet society remains in the early phases of adapting to the related opportunities and threats. Security depends largely on ethical researchers reporting vulnerabilities under the practices of coordinated disclosure. Meanwhile, ..
.
Stefan Frei
Recently, there has been increased interest in the way in which security vulnerability information is managed and traded. Vulnerabilities that are known only to privileged closed groups, such as cyber criminals, brokers, and governments, pose a real and present risk to all who use the affected software. ..
.
Stefan Frei
A comparison of the block performances of multiple protection technologies reveals a significant correlation of failures to detect exploits. The number of exploits that were able to bypass layers of security is significantly higher than is the prediction for risk models ignoring correlation. This not ..
.
Stefan Frei, Francisco Artes
Im Vortrag werden die Ergebnisse von Tests präsentiert, welche die Effektivität typischer Sicherheitstechnologien wie Firewalls, Intrusion Prevention Systems (IPS), Next Generation Firewalls (NGFW) und Desktop Antivirus messen.
.
Stefan Frei
After the close of 2012 NSS Labs performed a comprehensive analysis of vulnerability data to identify industry wide threats and trends covering the last 10 years. Despite massive security investments of the software industry, vulnerability disclosures have risen considerably in 2012. Several additional ..
.
Stefan Frei, Francisco Artes
This talk examines the attackers' kill chain and the measured effectiveness of typical defense technologies such as Next Generation Firewalls, Intrusion Prevention Systems IPS, Antivirus/Malware Detection, and browsers internal protection. Empirical data on the effectiveness of security products derived ..
.
Stefan Frei
Analysing data from 2006 to 2011 reveals that the software industry is still unable to reduce the number of vulnerabilities in software. Comparing the average number of vulnerabilities affecting the products of the Top-20 vendors, it is clear that none of these vendors managed to reduce the number of ..
.
Stefan Frei
This paper discusses the limitations of security by denying users administrative access to their systems, and highlights how cybercriminals can achieve their goals without administrative access.
.
.
Stefan Frei, Brian Birkvald
This white paper outlines the limitations of traditional defence mechanisms; specifically how cybercriminals have refined the malware manufacturing and development process to systematically bypass them – thereby initiating an arms race with defenders. Security patches are found to be a primary and effective ..
.
T. Maillart, D. Sornette, S. Frei, T. Dubendorfer, A. Saichev
The dynamics of technological, economic and social phenomena is controlled by how humans organize their daily tasks in response to both endogenous and exogenous stimulations. Queueing theory is believed to provide a generic answer to account for the often observed power-law distributions of waiting times ..
.
Sandy Clark, Stefan Frei, Matt Blaze, Jonathan Smith
Our analysis of software vulnerability data, including up to a decade of data for several versions of the most popular operating systems, server applications and user applications (both open and closed source), shows that properties extrinsic to the software play a much greater role in the rate of vulnerability ..
.
Thomas Maillart, Didier Sornette, Stefan Frei, Thomas Duebendorfer, Alexander Saichev
The dynamics of technological, economic and social phenomena is controlled by how humans organize their daily tasks in response to both endogenous and exogenous stimulations. The general validity of the power law and the nature of other regimes remain unsettled. Using anonymized data collected by Google ..
.
Stefan Frei, Thomas Kristensen
In this paper, we examine the software portfolio of the average user based on empirical data from over two million users frequently scanning their systems with Secunias Personal Software Inspector (PSI). We demonstrate, that the complexity and frequency of the actions required to keep a typical end-user ..
.
Stefan Frei, Dominik Schatzmann, Bernhard Plattner, Brian Trammel
In this paper we provide a metric for the success of the "responsible disclosure" process. We measure the prevalence of the commercial markets for vulnerability information and highlight the role of security information providers (SIP), which function as the "free press" of the ecosystem.
.
Thomas Duebendorfer, Stefan Frei
In this paper we analyze the effectiveness of different Web browsers update mechanisms; from Google Chrome's silent update mechanism to Opera's update requiring a full re-installation
.
Stefan Frei
In this thesis I examine the security ecosystem, consolidating many aspects of security that have hitherto been discussed only separately. I analyze the paths vulnerability data take through the ecosystem, and the impact of each of these on security risk based on a quantitative analysis of 30,000 vulnerabilities ..
.
Stefan Frei, Thomas Duebendorfer, Bernhard Plattner
Although there is an increasing trend for attacks against popular Web browsers, only little is known about the actual patch level of daily used Web browsers on a global scale. We conjecture that users in large part do not actually patch their Web browsers based on recommendations, perceived threats, ..
.
Stefan Frei, Bernhard Plattner
Das anhaltende Wachstum des E-Commerce im Internet bietet Kri- minellen gewaltige Aussichten für illegale Profite mit geringem Risiko. Hinter Viren, Spam, und Phishing stehen heute internatio- nal operierende Banden. Diese arbeiten hochprofessionell: Durch Arbeitsteilung, Automatisierung und Spezialisierung ..
.
Stefan Frei, Martin May
Obstacle course: The protection of IT networks from criminal attack can often fall at the first obstacle – the web browser. Stefan Frei of the Swiss Federal Institute of Technology tells Jim Banks that there is an insecurity iceberg standing in the way of accurate risk assesment at a time when organised ..
.
Stefan Frei, Thomas Duebendorfer, Gunter Ollmann, Martin May
If you were to "hack the planet" how many hosts do you think you could compromise through a single vulnerable application technology? A million? A hundred-million? A billion? What kind of application is so ubiquitous that it would enable someone to launch a planet-wide attack? - why, the Web browser ..
.
Stefan Frei, Martin May
In an independent research project at ETH Zurich, we monitored for more than 18 months the world’s top security advisory providers. Due to a short 30-minute monitoring interval, we discovered significant differences in quality, quantity, and timeliness.
.
Stefan Frei, Bernhard Tellenbach, Bernhard Plattner
We introduce the 0-day patch rate as a new metric to measure and compare the performance of the vulnerability handling and patch development processes of major software vendors. We use this metric to analyze the performance of Microsoft and Apple over the past six years.
.
Stefan Frei, Martin May, Ulrich Fiedler, Bernhard Plattner
We quantify the gap between exploit and patch availability for known vulnerabilities since 2000 and provide an analytical representation of our data which lays the foundation for further analysis and risk management.
.
Stefan Frei, Urban Mäder
The speed of technology innovation of civil jet engines is investigated. A technology measure based on airplane efficiency is derived and applied to jet airlines of different sizes and time periods, ranging back to the 1960's.
.
Stefan Frei, Gunter Ollmann, Ivo Silvestri
Analysis and empirical study on how mail non-delivery notifications processes can be exploited to launch denial of service attacks.
.
.