Research Papers & Reports

Repository of my academic and industry publications.


.

2004 to 2019

All 2019 2018 2017 2016 2015 2014 2013 2012 2011 2010 2009 2008 2006 2004

Authors and coauthors 2004 to 2019:

A. Saichev (1), Alexander Saichev (1), Bernhard Plattner (5), Bernhard Tellenbach (1), Brian Birkvald (1), Brian Trammel (1), Christof Jungo (1), D. Sornette (1), Didier Sornette (1), Dominik Schatzmann (1), Francisco Artes (3), Group Security Swisscom (1), Gunter Ollmann (2), Ivo Silvestri (1), Jonathan Smith (1), Martin May (4), Matt Blaze (1), S. Frei (1), Sandy Clark (1), Stefan Frei (42), T. Dubendorfer (1), T. Maillart (1), Thomas Duebendorfer (4), Thomas Kristensen (1), Thomas Maillart (1), Ulrich Fiedler (1), Urban Mäder (1), Yves Bieri (1)


Key Drivers of Cyber Security - Any lessons from history?

Stefan Frei
Understanding of the fundamental mechanics and limitations of cyber security

August 19, 2019, Swiss Departmet of Defense / VBS IOS Academy
Download Paper

.

Supply Chain Risks

Stefan Frei
This presentation is about the important but largely overlooked fact that we must assume that critical components of our infrastructure are already compromised, from applications and operating systems down the everyday devices, their firmware, hardware and individual chips. We have come to rely on a ..

June 12, 2019, ISSS Tagung
Download Paper

.

Cyber Threats in Aviation - Any lessons from history?

Stefan Frei
In connecting people and machines ever more closely together, the Internet has changed our lives forever in just two decades. These changes are disruptive, like the introduction of electricity, railroads, or airplanes. This latest digital innovation is not the first to prompt critical questions regarding ..

April 4, 2019, Deutsche Flugsicherung, DFS Sicherheitstag, Frankfurt
Download Paper

.

E-Voting Attack Simulation - How to inform politics with data?

Stefan Frei
See also the e-voting attack simulator https://www.evotesim.ch

June 19, 2018, ETH Security Event
Download Paper

.

Cyber security: data breaches & bug bounties

Stefan Frei, Group Security Swisscom
Increasing digitisation in our society and economy means that business, authorities and private individuals are storing larger, more critical pools of data of all types. It comes as no big surprise that the years-long series of enormous data breaches persisted at a high level 2016. In the past, data ..

September 9, 2017, Swisscom
Download Paper

.

Guest view: Cyber Security

Stefan Frei
In connecting people and machines ever more closely together, the internet has changed our lives forever. These changes are disruptive, like the introduction of the railroads and the automobile. This latest innovation is not the first to prompt critical questions regarding security and safety. New possibilities ..

June 1, 2017, SCOPE, Credit Suisse Asset Management (Switzerland) Ltd.
Download Paper

.

Gastkommentar: Cyber Security

Stefan Frei
Das Internet verbindet zunehmend Menschen und Maschinen und hat unser Leben nachhaltig verändert. Die Umwälzungen sind disruptiv, wie damals die Einführung der Eisenbahn oder des Automobils. Dies ist nicht die erste Innovation, welche kritische Fragen zur Sicherheit aufwirft. Neue Möglichkeiten wie ..

June 1, 2017, SCOPE, Credit Suisse Asset Management (Switzerland) Ltd.
Download Paper

.

FortiOS flow-mode detection bypass under certain conditions / CVE-2016-7541

Yves Bieri, Stefan Frei, Christof Jungo
A FortiGate configured to use flow-based protection will stop monitoring network sessions that are active when a scanning engine is reloaded after an update (nearly instantaneous process). This tends to impact long lived network sessions, with chances to be alive during and after an update, such as ..

November 22, 2016, Fortinet PSIRT Advisory, FG-IR-16-088, CVE-2016-7541
Download Paper

.

Cyber Threats in Aviation - Any Lessons from other Industries Experience with Cyber?

Stefan Frei
This talk first addresses the peculiarities of the cyber security field and what the software industry had to painfully learn in the past decades in order to adapt to these new threats. To understand the cyber landscape and how it affects aviation we classify threat actors and explain global developments ..

April 21, 2016, 8. Deutscher Verkehrspilotentag, Verein Cockpit
Download Paper

.

Cyber Threats in Aviation - Any Lessons from other Industries Experience with Cyber?

Stefan Frei
With the rise of the internet and the increasing dependence of our society and economy on communication technologies, cyber security has become critical issue for all types of businesses. In just two decades, various industries were confronted with fundamentally new types of threats, threat actors and ..

September 7, 2015, FHP-Symposium, Forschungsnetzwerk für Verkehrspilotenausbildung
Download Paper

.

Cyber Security: die aktuelle Bedrohungslage und ihre Entwicklung

Stefan Frei
In diesem Bericht beleuchten wir aus Sicht von Swisscom und der Schweiz die aktuelle Lage im Hinblick auf die Cyber-Bedrohungen und geben als führendes Schweizer ICT- Unternehmen eine Einschätzung der Entwicklungen für die kommenden 12 bis 24 Monate ab.

September 1, 2015, Swisscom
Download Paper

.

Cyber security: the current threat status and its development

Stefan Frei
This report sheds light on the current status of cyber threats from the perspective of Swisscom and of Switzerland as a whole. As a leading Swiss ICT provider, we bring to you an evaluation of the developments forecast for the coming 12 to 24 months.

September 1, 2015, Swisscom
Download Paper

.

Cybersécurité: les menaces actuelles et leur évolution

Stefan Frei
Dans le présent rapport, nous mettons en lumière la situation actuelle en matière de cybermenaces du point de vue de Swisscom et de la Suisse et, en tant qu’entreprise leader du marché des TIC en Suisse, donnons une estimation des développements attendus pour les 12 à 24 mois à venir.

September 1, 2015, Swisscom
Download Paper

.

Cyber Security: minacce attuali e relativa evoluzione

Stefan Frei
In questa relazione presenteremo la situazione attuale delle cyber-minacce dal punto di vista di Swisscom e della Svizzera e, come principale azienda ICT svizzera, forniremo una stima sulla loro evoluzione nei prossimi 1-2 anni.

September 1, 2015, Swisscom
Download Paper

.

The known unknowns & outbidding cyber-criminals

Stefan Frei
This talk is about security vulnerability disclosure principles and the speaker discussed the theory of what happens if someone buys every single vulnerability report for “just” 150.000 USD. A crazy idea, but in comparison to GDPs and revenues, it really starts to make sense and additionally: It is above ..

December 31, 2014, BSides Security Conference, Hamburg
Download Paper

.

Cyber Crime Threat Intelligence - Turkey

Stefan Frei
This paper explains how cyber criminals operate botnets and compromise victims at large scale, and informs organizations how to best utilize cyber threat intelligence to protect their business and deal with infected customers. In todays threat environment, security is as much about prevention as it is ..

August 24, 2014, CSIS
Download Paper

.

Why Your Data Breach is My Problem

Stefan Frei
Every data breach, regardless of its source, allows cyber criminals to refine current data, correlate it with new data, and create profiles that can identify millions of users – with severe consequences for their victims. Data that has been lost cannot be taken back - information such as social security ..

March 25, 2014,
Download Paper

.

International Vulnerability Purchase Program (IVPP)

Stefan Frei, Francisco Artes
The global economy increasingly has come to rely on information systems, and yet society remains in the early phases of adapting to the related opportunities and threats. Security depends largely on ethical researchers reporting vulnerabilities under the practices of coordinated disclosure. Meanwhile, ..

December 17, 2013,
Download Paper

.

The Known Unknowns in Cyber Security

Stefan Frei
Recently, there has been increased interest in the way in which security vulnerability information is managed and traded. Vulnerabilities that are known only to privileged closed groups, such as cyber criminals, brokers, and governments, pose a real and present risk to all who use the affected software. ..

December 5, 2013,
Download Paper

.

Correlation Of Detection Failures

Stefan Frei
A comparison of the block performances of multiple protection technologies reveals a significant correlation of failures to detect exploits. The number of exploits that were able to bypass layers of security is significantly higher than is the prediction for risk models ignoring correlation. This not ..

May 23, 2013,
Download Paper

.

Cybercrime Kill Chain vs. Defense Effectiveness – Subversion of Layered Security

Stefan Frei, Francisco Artes
Im Vortrag werden die Ergebnisse von Tests präsentiert, welche die Effektivität typischer Sicherheitstechnologien wie Firewalls, Intrusion Prevention Systems (IPS), Next Generation Firewalls (NGFW) und Desktop Antivirus messen.

May 14, 2013, BSI, Tagungsbund zum 13. Deutschen IT-Sicherheitskongress p.497, 2013
Download Paper

.

Vulnerability Threat Trends

Stefan Frei
After the close of 2012 NSS Labs performed a comprehensive analysis of vulnerability data to identify industry wide threats and trends covering the last 10 years. Despite massive security investments of the software industry, vulnerability disclosures have risen considerably in 2012. Several additional ..

February 4, 2013,
Download Paper

.

Cybercrime Kill Chain vs. Effectiveness of Defense Layers

Stefan Frei, Francisco Artes
This talk examines the attackers' kill chain and the measured effectiveness of typical defense technologies such as Next Generation Firewalls, Intrusion Prevention Systems IPS, Antivirus/Malware Detection, and browsers internal protection. Empirical data on the effectiveness of security products derived ..

December, 2012, BlackHat Abu Dhabi
Download Paper

.

Secunia Yearly Report 2011

Stefan Frei
Analysing data from 2006 to 2011 reveals that the software industry is still unable to reduce the number of vulnerabilities in software. Comparing the average number of vulnerabilities affecting the products of the Top-20 vendors, it is clear that none of these vendors managed to reduce the number of ..

April 14, 2012, Secunia
Download Paper

.

Cybercriminals do not need administrative users

Stefan Frei
This paper discusses the limitations of security by denying users administrative access to their systems, and highlights how cybercriminals can achieve their goals without administrative access.

August, 2011, Secunia
Download Paper

.

End-Point Security Failures - Insight gained from Secunia PSI scans?

Stefan Frei

July 1, 2011, International Symposium on Engineering Secure Software and Systems, Madrid
Download Paper

.

How to Secure a Moving Target with Limited Resources

Stefan Frei, Brian Birkvald
This white paper outlines the limitations of traditional defence mechanisms; specifically how cybercriminals have refined the malware manufacturing and development process to systematically bypass them – thereby initiating an arms race with defenders. Security patches are found to be a primary and effective ..

July, 2011, Secunia
Download Paper

.

Quantification of deviations from rationality with heavy-tails in human dynamics

T. Maillart, D. Sornette, S. Frei, T. Dubendorfer, A. Saichev
The dynamics of technological, economic and social phenomena is controlled by how humans organize their daily tasks in response to both endogenous and exogenous stimulations. Queueing theory is believed to provide a generic answer to account for the often observed power-law distributions of waiting times ..

May 2, 2011, Physical Review E, vol. 83, Issue 5, id. 056101
Download Paper

.

Familiarity Breeds Contempt: The Honeymoon Effect and The Role of Legacy Code in Zero-Day Vulnerabilities

Sandy Clark, Stefan Frei, Matt Blaze, Jonathan Smith
Our analysis of software vulnerability data, including up to a decade of data for several versions of the most popular operating systems, server applications and user applications (both open and closed source), shows that properties extrinsic to the software play a much greater role in the rate of vulnerability ..

December 6, 2010, ACSAC 2010
Download Paper

.

Quantification of deviations from rationality with heavy-tails in human dynamics

Thomas Maillart, Didier Sornette, Stefan Frei, Thomas Duebendorfer, Alexander Saichev
The dynamics of technological, economic and social phenomena is controlled by how humans organize their daily tasks in response to both endogenous and exogenous stimulations. The general validity of the power law and the nature of other regimes remain unsettled. Using anonymized data collected by Google ..

July 23, 2010, arXiv
Download Paper

.

The Security Exposure Of Software Portfolios

Stefan Frei, Thomas Kristensen
In this paper, we examine the software portfolio of the average user based on empirical data from over two million users frequently scanning their systems with Secunias Personal Software Inspector (PSI). We demonstrate, that the complexity and frequency of the actions required to keep a typical end-user ..

March 1, 2010, RSA
Download Paper

.

Modelling the Security Ecosystem - The Dynamics of (In)Security

Stefan Frei, Dominik Schatzmann, Bernhard Plattner, Brian Trammel
In this paper we provide a metric for the success of the "responsible disclosure" process. We measure the prevalence of the commercial markets for vulnerability information and highlight the role of security information providers (SIP), which function as the "free press" of the ecosystem.

June 24, 2009, Workshop on the Economics of Information Security (WEIS)
Download Paper

.

Why Silent Updates Boost Security

Thomas Duebendorfer, Stefan Frei
In this paper we analyze the effectiveness of different Web browsers update mechanisms; from Google Chrome's silent update mechanism to Opera's update requiring a full re-installation

May 5, 2009, CRITIS 2009 Critical Infrastructures Security Workshop
Download Paper

.

Security Econometrics - The Dynamics of (In)Security

Stefan Frei
In this thesis I examine the security ecosystem, consolidating many aspects of security that have hitherto been discussed only separately. I analyze the paths vulnerability data take through the ecosystem, and the impact of each of these on security risk based on a quantitative analysis of 30,000 vulnerabilities ..

January, 2009, ETH Zurich
Download Paper

.

Firefox (In)Security Update Dynamics Exposed

Stefan Frei, Thomas Duebendorfer, Bernhard Plattner
Although there is an increasing trend for attacks against popular Web browsers, only little is known about the actual patch level of daily used Web browsers on a global scale. We conjecture that users in large part do not actually patch their Web browsers based on recommendations, perceived threats, ..

January, 2009, ACM SIGCOMM
Download Paper

.

Cyber-Crime als Dienstleistung

Stefan Frei, Bernhard Plattner
Das anhaltende Wachstum des E-Commerce im Internet bietet Kri- minellen gewaltige Aussichten für illegale Profite mit geringem Risiko. Hinter Viren, Spam, und Phishing stehen heute internatio- nal operierende Banden. Diese arbeiten hochprofessionell: Durch Arbeitsteilung, Automatisierung und Spezialisierung ..

December 4, 2008, igma, Zeitschrift für Datenrecht und Informationssicherheit, 8. Jg, Heft 4
Download Paper

.

Obstacle course

Stefan Frei, Martin May
Obstacle course: The protection of IT networks from criminal attack can often fall at the first obstacle – the web browser. Stefan Frei of the Swiss Federal Institute of Technology tells Jim Banks that there is an insecurity iceberg standing in the way of accurate risk assesment at a time when organised ..

October 10, 2008, CIMA Excellence in Leadership
Download Paper

.

Understanding The Web Browser Threat

Stefan Frei, Thomas Duebendorfer, Gunter Ollmann, Martin May
If you were to "hack the planet" how many hosts do you think you could compromise through a single vulnerable application technology? A million? A hundred-million? A billion? What kind of application is so ubiquitous that it would enable someone to launch a planet-wide attack? - why, the Web browser ..

August 10, 2008, DEFCON 16
Download Paper

.

Putting Private And Government CERT’s To The Test

Stefan Frei, Martin May
In an independent research project at ETH Zurich, we monitored for more than 18 months the world’s top security advisory providers. Due to a short 30-minute monitoring interval, we discovered significant differences in quality, quantity, and timeliness.

June 28, 2008, FIRST Conference, Vancouver, 2008
Download Paper

.

0-Day Patch - Exposing Vendors (In)security Performance

Stefan Frei, Bernhard Tellenbach, Bernhard Plattner
We introduce the 0-day patch rate as a new metric to measure and compare the performance of the vulnerability handling and patch development processes of major software vendors. We use this metric to analyze the performance of Microsoft and Apple over the past six years.

March 27, 2008, BLACKHAT Europe 2008
Download Paper

.

Large-Scale Vulnerability Analysis

Stefan Frei, Martin May, Ulrich Fiedler, Bernhard Plattner
We quantify the gap between exploit and patch availability for known vulnerabilities since 2000 and provide an analytical representation of our data which lays the foundation for further analysis and risk management.

September 11, 2006, ACM SIGCOMM 2006 Workshop
Download Paper

.

Technology Speed of Civil Jet Engines

Stefan Frei, Urban Mäder
The speed of technology innovation of civil jet engines is investigated. A technology measure based on airplane efficiency is derived and applied to jet airlines of different sizes and time periods, ranging back to the 1960's.

June 6, 2006, MTEC Case Study
Download Paper

.

Mail DDoS Attacks through Non Delivery Messages

Stefan Frei, Gunter Ollmann, Ivo Silvestri
Analysis and empirical study on how mail non-delivery notifications processes can be exploited to launch denial of service attacks.

April 5, 2004, Full Disclosure
Download Paper

.


.

About

HOME | TOOLS | BUG BOUNTY | TOP 10 | PUBLICATIONS IP Address: 100.24.122.228
Date Time: 2019-10-17 23:39:25
Recent Papers
Recent Press Coverage
© 2000-2019 Stefan Frei
techzoom.net