|
|
Papers
Chair: Tonimir Kišasondi
|
V. Taneski, M. Heričko, B. Brumen (University of Maribor, Faculty of Electrical Engineering and Computer Science, Maribor, Slovenia)
Password security – no change in 35 years? 
Background: Typically, a user is authenticated based on one of the three underlying principles: “what you know” (textual and graphical passwords), “what you are” (retinal, iris, voice and fingerprint scans) and “what you have” (smart cards or other tokens). Textual passwords are the subject of this paper, since they were first identified as a weak point in information system’s security, by Robert Morris and Ken Thompson in 1979. They found that 86% of the passwords were weak: being too short, containing lowercase letters only, digits only or a combination of the two, or being easily found in dictionaries or lists of names.
Objective: Because the use of passwords has always been, and continues to be, one of the most common control mechanisms for authenticating users of computerized information system, it was expected that Morris and Thompson would have raised the awareness of system users about the consequences of how they choose their passwords. However, despite the widespread use of passwords and their importance as the first line of defense in most information systems, little attention has been given to the characteristics of their actual use. Thus, the objective of this paper is to identify any problems that may arise in creating and using textual passwords.
Methods: In order to achieve our objective, we performed a systematic literature review (SLR) in the area of password use and password security. Our research is restricted to articles in journals, conference papers and book chapters written in English and published between 1979 and 2014. The search is conducted through IEEE Xplore, ScienceDirect, Springer Link, ACM Digital Library, and by using the Google search engine.
Results: The computer community has not made a very much-needed shift in password management for more than 30 years. It seems nothing has changed since Morris and Thompson addressed the issue of password security and published their results in 1979. Users and their passwords remain the weakest link – the main weakness in any password system is that users often choose easily guessable passwords: words, names, birthdates, etc., because they are easy to remember.
Conclusion: One way to decrease password guessability is to restrict the passwords accepted from the user by using a system (e.g., a password checker) that filters out easily guessed passwords (passwords that do not have enough entropy to be considered secure). These password checkers require that passwords have certain characteristics (usually defined in a password policy) before they are accepted by the system when the user enters a password. Password policies and password checkers can help users create strong and easy-to-remember passwords. However, despite password policy advice, users still tend towards creating weak and easy to guess passwords. This work will serve as a starting point for our further research in this area where we want to determine whether these password policies are useful to the users, and whether the users can easily apply them or the policies cause problems when creating and using passwords.
|
B. Brumen, A. Černezel (University of Maribor, Maribor, Slovenia)
Brute Force Analysis of PsychoPass-generated Passwords
Background: Recently, Cipresso et al proposed a novel method for generating textual passwords. The PsychoPass password can be created, memorized and recalled by thinking of an action sequence instead of a string of characters.
Objective: The objective of this paper is to analyze how and when the PsychoPass passwords are resilient to brute force attacks and how they compare to randomly generated ones.
Methods: The PsychoPass method was studied analytically. The number of possible different passwords that can be created using PsychoPass method was calculated for different possible settings.
Results: The PsychoPass generates passwords that are resilient to brute force attacks with password lengths comparable to those generated randomly. A PsychoPass-generated password with 16 characters is as strong as a completely randomly generated password of length 11 characters with mixed upper and lowercase letters, numbers and symbols, but can easily be remembered.
Conclusion: The PsychoPass method is an alternative to the existing passwords and is resilient to brute force attack. There is no known dictionary to enable the dictionary attack. The PsychoPass passwords look like random ones, eg. »aEy|dX%7Tu]6hJ«, but a user can easily remember it based on the action sequence instead of remembering its characters.
|
A. Donevski, S. Ristov, M. Gusev (Ss Cyril and Methodius University, Skopje, Macedonia)
Security Assessment of Eucalyptus' Web Management Interface
Eucalyptus is one of the most common open source cloud frameworks for building IaaS (Infrastructure as a Service) private or hybrid clouds. In this paper, we assess the security of the cloud framework web management interface of the newest version of the Eucalyptus cloud. The results of the security assessment analysis show that the cloud web management interface is vulnerable. We assess the security vulnerabilities and propose measures how to secure them.
|
T. Gržinić, D. Perhoč, M. Marić, F. Vlašić, T. Kulcsar (CARNet, Zagreb, Croatia)
CROFlux – a passive DNS replication method for detecting fast flux domains
Nowadays information systems are threatened by various types of attacks. If we look the most popular threats to security like distributed denial-of-service, malware distribution and spam we can recognize that they can be conducted using botnets. Botnets are networks of infected computers that are managed by a central point also called command and control center. These networks use various techniques in order to hide their usage or to amplify the damage of their attacks. One commonly used technique is fast flux, which exploits the DNS (domain name system) service. Fast flux tends to frequently change DNS records of fully qualified domain names, in such a way that DNS responds with IP addresses of different bots. These types of domains are usually used for hiding botnet command and controls servers, malware delivery or for hosting phishing pages. On the other side, hackers use fast flux for load balancing and proxy redirection in a way that makes malicious servers more resistant against detection or takedown attempts.
In this paper we will present our fast flux detection approach called CROFlux that relies on the passive DNS replication method. The presented model can significantly reduce the number of false positive detections, and can help to detect other suspicious domains that are used for fast flux. This algorithm is used and implemented in Advanced Cyber Defense Centre – a European project co-funded by the European Commission.
|
M. Kulenović, D. Đonko ( Faculty of Electrical Engineering University of Sarajevo, Sarajevo, Bosnia and Herzegovina)
A Survey of Static Code Analysis Methods for Security Vulnerabilities Detection
Software security is becoming highly important for universal acceptance of applications for many kinds of transactions. Automated code analyzers can be utilized to detect security vulnerabilities during the development phase. This paper is aimed to provide a survey on Static code analysis and how it can be used to detect security vulnerabilities. The most recent findings and publications are summarized and presented in this paper. This paper provides an overview of the gains, flows and algorithms of static code analyzers. It can be considered a stepping stone for further research in this domain.
|
M. Stipčević (Rudjer Boskovic Institute, Zagreb, Croatia)
Quantum random flip-flop based on random photon emitter and its applications in over-Turing computers, cryptography, signal processing and generation
We propose, experimentally realize and study possible applications of a new type of non-sequential logic element: random flip-flop. By definition it operates similarly to a conventional flip-flop except that it functions with probability of 1/2 otherwise it does nothing. We demonstrate one practical realization of the random flip-flop based on optical quantum random number generator and discuss possible usages of such a device in computers, cryptographic hardware and testing equipment.
|
P. Ribarski, L. Antovski (Finki, Skopje, Macedonia)
Comparison of ID-Based Blind Signatures from Pairings for E-Voting Protocols
Elliptic curves are gaining momentum as scientists are continuously proving their security and performance. Pairings over elliptic curves are relatively new in the world of cryptography. Researchers are coming with new cryptographic usage of pairings for over ten years. ID-based cryptography is also gaining popularitybecause of the certificate-less mode of work. Blind signatures are appropriate schemes when user anonymity is wanted as property. One possible type of blind signature is ID-based blind signature based on bilinear pairings. For easy computation we look into pairing-friendly elliptic curves for implementation of pairings. This paper will review state of the art ID-based blind signature schemes from pairings over elliptic curves which are suitable for building blind signatures as part of e-voting protocols. We give comparative results about the computation cost of arithmetic operations. In our knowledge, this is first paper which gives head-to-head bandwidth comparison of the interactive protocol in the signing algorithm of blind signature schemes. The results are easy to use when choosing appropriate blind signature scheme for e-voting protocols.
|
D. Hrestak (Fakultet elektrotehnike i računarstva, Zagreb, Croatia), S. Picek (Radboud University Nijmegen, Nijmegen, Netherlands)
Homomorphic Encryption in Cloud
Since the first mention of fully homomorphic encryption more than 30 years ago, there has been many attempts to develop such a system. Finally, in 2009 Craig Gentry succeeded. Homomorhic encryption brings great advantages but it seems that, at least for now, it also brings many problems. Still, with the developments in cloud computing, maybe we never needed it more than now to become practical. In this paper we are discussing the strengths and weaknesses of homomorphic encryption and we give a brief description of several promising schemes. Next, we give a special attention to the homomorphic encryption for cloud computing. Finally, we discuss some recent developments by IBM where they developed an open-source library to perform homomorphic encryption.
|
| Break |
Papers
Chair: Stjepan Groš |
I. Kounelis, S. Muftic (KTH, Stockholm, Sweden), J. Loeschner (European Commission - Joint Research Centre, Ispra, Italy)
Secure and Privacy-enhanced E-Mail System based on the Concept of Proxies
Security and privacy on the Internet and especially the e–mail, is becoming more and more important and crucial for the user. The requirements for the protection of e-mail include issues like tracking and privacy intrusions by hackers and commercial advertisers, intrusions by casual observers, and even spying by government agencies. In an expanding e-mail use in the digital world, Internet and mobile, the quantity and sensitivity of personal information has also tremendously expanded. Therefore, protection of data and transactions and privacy of user information is key and of interest for many users. Based on such motives, in this paper we present the design and current implementation of our secure and privacy-enhanced e-mail system. The system provides protection of e–mails, privacy of locations from which the e–mail system is accessed, and authentication of legitimate users. Differently from existing standard approaches, which are based on adding security extensions to e-mail clients, our system is based on the concept of proxy servers that provide security and privacy of users and their e-mails. It uses all required standards: S/MIME for formatting of secure letters, strong cryptographic algorithms, PKI protocols and certificates. We already have the first implementation and an instance of the system is very easy to install and to use.
|
K. Arbanas (Paying Agency for Agriculture, Fisheries and Rural Development, Zagreb, Croatia), D. Alagić (NTH Media d.o.o., Varaždin, Croatia)
Requirements of Practice in Relation to the Existing Information Technology and Security Management Competencies
Until few years ago professional certifications were something that is good, but not necessary to have during employment process. That could be seen from the published job advertisements for variety of IT and information security professionals. In such job ads, there was first required specific experience in the subject area where no confirmation of that experience in form of professional certification was needed. Later, in addition of required experience in subject area, the possession of certain certificates was referred as advantage in job ads. Nowadays, it almost becomes the rule that the requirement for employment, in addition to having specific experience in the subject area, is also possession of a professional certificate which confirms stated experience. Professional certifications primarily demonstrate experience and knowledge in a particular area but also, due to the necessity of re-certification every few years, show commitment to professional development and constant training. The guiding principle of this study was to determine how many such certified professionals there is in Croatia and what kind of skills and competencies employers indirectly seek by requiring possession of certain certificates in job advertisement.
|
T. Velki (UČITELJSKI FAKULTET, OSIJEK, Croatia), K. Šolić (Medicinski fakultet, Osijek, Croatia), H. Očevčić (Elektrotehnički fakultet, Osijek, Croatia)
Development of Users' Information Security Awareness Questionnaire (UISAQ) - Ongoing Work
As user is still weakest link regarding information security matters and studies on this subject are rare, the aim of this work is to develop general Users’ Information Security Awareness Questionnaire (UISAQ). Development consist of selecting suitable items for which is assumed that measure the level of security awareness and testing impact of each item in measurement by using descriptive statistics, factor analysis and reliability analysis.
Questionnaire consisted of 4 parts with total of 37 items. Results showed that first part of questionnaire, which consisted of 20 items that examine the common user’s risk behavior, should consist of 17 items (3 items had low factor loadings) separate in 3 subscales: first subscale measures risk behavior (k=6, α=0,61), second subscale measures maintenance of computer systems (k=6, α=0,67), and third one measures using other users data (k=5, α=0,66). Second part of questionnaire, which consisted of 6 items that measured the level of user’s information security, had high internal consistency (k=6, α=0,89) and a satisfactory factor loadings. Third part of questionnaire, which consisted of 5 items that measured the level of user’s beliefs about information security, should consist of 3 items (2 items significantly disrupted internal consistency) with high factor loadings and good internal consistency (α=0,76). Descriptive statistics showed that all the questions (n = 6) in the fourth part of the questionnaire, which had examined the password quality and security, had a full range of answers and that normal distribution wasn’t significantly violated (skewness and kurtosis coefficients are not greater than -/+ 2).
Although developed questionnaire requires more work and validation, first results showed that UISAQ has potential to become a good and reliable measure of users’ security awareness in the future.
|
K. Skračić, P. Pale, B. Jeren (FER, Zagreb, Croatia)
Question based user authentication in commercial environments
The aim of this paper is to analyze question based user authentication methods and the limitations in their implementation and use in commercial environments.
Textual passwords present the dominant knowledge based authentication method for authenticating users. It relies on a shared secret which is known only to the user and the authenticator. Also, the method relies on users being able to recall their password during authentication. We propose that an authentication method should inherently be able to remind the user what the answer is, while at the same time it should not leek any information to third parties.
Question based authentication presents a way of authenticating users by posing questions to which only a legitimate user would know the answer to. However, authenticating users by allowing them to answer questions has some practical limitations. Also, the strength of the authentication process relies on the information used to construct authentication questions which could have implication on the security and integrity of the authentication process.
In this paper we give an overview of some of the existing question based authentication methods and categorizes the existing types of questions available for authentication. Also, we conduct a feasibility study of their use in commercial environments based on related work and their practical limitations and weaknesses.
|
G. Wahane, A. Kanthe (Sinhagad Institue of Technology Lonavala, Pune, India), D. Simunic (Faculty of Electrical Engineering and Computing, University of Zegreb, Zagreb, Croatia)
Technique for Detection of Cooperative Black Hole Attack using True-link in Mobile Adhoc Network
Mobile Ad Hoc Network (MANET) is a collection of communication devices or nodes that wish to communicate without any fixed infrastructure and per-determined organization of available links. Security is a major challenge for these networks owing to their features of open medium, dynamically changing topologies. The black hole attack is a well known security threat in MANET. However, it spuriously replies for any route request without having any active route to the specified destination. Sometimes the black hole nodes cooperate with each other with the aim of dropping packets these are known as cooperative black hole attack. This proposed work suggests the modification of Ad Hoc on Demand Distance Vector Routing Protocol (AODV). We are going to use a technique for detecting as well as defending against a cooperative black hole attack using True-link concept. True-link is a timing based countermeasure to the cooperative black hole attack. This paper also decreases the end to end delay, normalized routing overhead and increases throughput and packet delivery ratio.
|
Z. Avdagić (Faculty of Electrical Engineering, Sarajevo, Bosnia and Herzegovina), A. Midžić (Join Stock Company BH Telecom Sarajevo, Sarajevo, Bosnia and Herzegovina)
The Effects of Combined Application of SOM, ANFIS and Subtractive Clustering in Detecting Intrusions in Computer Networks
Building a system for the detection and prevention of intrusions into computer networks is a major challenge. Huge amounts of network traffic that process these systems are characterized by diversity and the data are described by a number of attributes. In addition, input data are often changing in a relatively short period of time, creating a completely new traffic patterns. This significantly complicates the identification of potentially unwanted network traffic. The aim of this paper is to present and analyze the effects of combined application of Self Organizing Map (SOM), Adaptive Neuro Fuzzy Inference System (ANFIS), Subtractive Clustering (SC) and Voting Mechanism (VM) in building systems for intrusion detection in computer networks in order to maintain an acceptable level of efficiency of data processing and increased system adaptivity.
|
I. Sedinić, Z. Lovrić, T. Perušić (Hrvatski Telekom d.d., Zagreb, Croatia)
Customer and User education as a tool to increase security level
Abstract: In activities to assure security of IT/NT systems and Data, with all technical development, more and more sophisticated cyber criminals and increased number of attacks, people are still the weakest link in the chain. In case of telecom operators this are not only company employees but also employees of vendors and partners same as a customers. To improve such situation, education is a cornerstone of activities. In this paper will be discussed different ways how to educate each of mentioned groups, what prerequisites for such education are and how technology could help in execution. Additionally, based on examples from telecom operator, results of such approach will be shown.
|
Z. Kummer (FINA, Zagreb, Croatia), V. Lebinac (Veleučilište Velika Gorica, Velika Gorica, Croatia)
Izradba zastitnog profila pomocu ISO 27K kontrola
Svaki IT proizvod bilo programski bilo sklopovski treba uz funkcionalnost jamčiti točnost, pouzdanost i zaštitu potrebnih vrijednosti. Zaštitni profil jamči da proizvod ima ugrađene zaštitne potrebe. Izradba zaštitnog profila je dugotrajan i skup proces. Za vrijedne IT proizvode izrađuje se zaštitni profil koji potvrđuje da proizvod uz funkcionalne zahtjeve zadovoljava i sigurnosne zahtjeve. Današnji IT proizvodi osim svoje složenosti i veličine doživljavaju vrlo česte i značajne promjene. Svaka promjena iziskuje izradbu novog zaštitnog profila što nije u većini slučajeva praktično pa čak ni moguće radi trajanja izradbe zaštitnog profila. ISO 27K standard za upravljanje informacijskom sigurnošću može se iskoristiti za izradbu zaštitnog profila IT proizvoda kao jednostavnija varijanta općih kriterija. Iako zaštita ne smije utjecati na funkciju proizvoda, njezina isprepletenost s funkcijom čini naknadno ugrađivanje zaštite u IT proizvod praktički nemogućom misijom. Radi toga se zaštita mora ugrađivati počevši od samog oblikovanja IT proizvoda. U radu će se kao primjer za predloženi postupak koristiti centralizirano upravljanje korisnicima koji koriste ssh protokol od oblikovanja do ostvarenja. U svim koracima razvoja funkcije biti će prisutne i ugrađivane zaštitne kontrole ISO 27K standarda.
|
F. Gabela, A. Gabela (BH Telecom d.d. Sarajevo, Sarajevo, Bosnia and Herzegovina)
Djela protiv intelektualnog vlasništva, kod kojih se kao sredstvo izvršenja krivičnih djela javljaju računari, računarske mreže, kao i njihovi proizvodi
Porast upotrebe informacionih tehnologija, odnosno globalne računarske mreže, stvorile su mogućnosti novih oblika krivičnih djela u vezi napada na intelektualno vlasništvo - kršenje autorskih i njima sličnih prava i industrijskog vlasništva, što je zahtjevalo da zakonodavaci iz mnogih država i međunarodnih organizacija izmjene legislativu kako bi mogli pratiti ove promjene. Unifikacija i efikasna međunarodna saradnja, osnovne su pretpostavke za bolju koordinaciju nadnacionalnih napora za suzbijanje ove vrste krivičnih djela. U ovom radu izložen je i pregled propisa koji su na pravnoj snazi u Bosni i Hercegovini, a odnose se na suzbijanje krivičnih djela u vezi napada na intelektualno vlasništvo.
|
|
Basic information:
Chairs:
Stjepan Groš (Croatia), Tonimir Kišasondi (Croatia), Željko Hutinski (Croatia)
International Program Committee Chairman:
Petar Biljanović (Croatia)
International Program Committee:
Alberto Abello Gamazo (Spain), Slavko Amon (Slovenia), Vesna Anđelić (Croatia), Michael E. Auer (Austria), Mirta Baranović (Croatia), Ladjel Bellatreche (France), Eugen Brenner (Austria), Andrea Budin (Croatia), Željko Butković (Croatia), Željka Car (Croatia), Matjaž Colnarič (Slovenia), Alfredo Cuzzocrea (Italy), Marina Čičin-Šain (Croatia), Marko Delimar (Croatia), Todd Eavis (Canada), Maurizio Ferrari (Italy), Bekim Fetaji (Macedonia), Tihana Galinac Grbac (Croatia), Liljana Gavrilovska (Macedonia), Matteo Golfarelli (Italy), Stjepan Golubić (Croatia), Francesco Gregoretti (Italy), Stjepan Groš (Croatia), Niko Guid (Slovenia), Yike Guo (United Kingdom), Jaak Henno (Estonia), Ladislav Hluchy (Slovakia), Vlasta Hudek (Croatia), Željko Hutinski (Croatia), Mile Ivanda (Croatia), Hannu Jaakkola (Finland), Leonardo Jelenković (Croatia), Dragan Jevtić (Croatia), Robert Jones (Switzerland), Peter Kacsuk (Hungary), Aneta Karaivanova (Bulgaria), Dragan Knežević (Croatia), Mladen Mauher (Croatia), Igor Mekjavic (Slovenia), Branko Mikac (Croatia), Veljko Milutinović (Serbia), Alexandru-Ioan Mincu (Slovenia), Vladimir Mrvoš (Croatia), Jadranko F. Novak (Croatia), Jesus Pardillo (Spain), Nikola Pavešić (Slovenia), Vladimir Peršić (Croatia), Goran Radić (Croatia), Slobodan Ribarić (Croatia), Janez Rozman (Slovenia), Karolj Skala (Croatia), Ivanka Sluganović (Croatia), Vlado Sruk (Croatia), Uroš Stanič (Slovenia), Ninoslav Stojadinović (Serbia), Jadranka Šunde (Australia), Aleksandar Szabo (Croatia), Laszlo Szirmay-Kalos (Hungary), Davor Šarić (Croatia), Dina Šimunić (Croatia), Zoran Šimunić (Croatia), Dejan Škvorc (Croatia), Antonio Teixeira (Portugal), Edvard Tijan (Croatia), A Min Tjoa (Austria), Roman Trobec (Slovenia), Ivana Turčić Prstačić (Croatia), Sergio Uran (Croatia), Tibor Vámos (Hungary), Mladen Varga (Croatia), Marijana Vidas-Bubanja (Serbia), Boris Vrdoljak (Croatia), Robert Wrembel (Poland), Baldomir Zajc (Slovenia), Damjan Zazula (Slovenia)
Registration / Fees:
|
REGISTRATION / FEES
|
Price in EUR
|
|
Before May 12, 2014
|
After May 12, 2014
|
| Members of MIPRO and IEEE |
180
|
200
|
| Students (undergraduate and graduate), primary and secondary school teachers |
100
|
110
|
| Others |
200
|
220
|
Contact:
Stjepan Groš
Faculty of Electrical Engineering and Computing
Unska 3
HR-10000 Zagreb, Croatia
E-mail: stjepan.gros@fer.hr
Opatija - 170 years of tourism:
 Opatija – the cradle of European and Croatian tourism, a favourite destination of the aristocracy, film and music stars, artists, writers and visitors from all over the world, who come here every year to enjoy the charm of this Adriatic town – this year celebrates its 170th anniversary as a tourist resort.
This is a tradition that provides certain obligations, but is also a guarantee of quality. The reputation of a top destination that stretches back seventeen decades is today reflected in the wide range of facilities and services on offer that all together make Opatija an attractive destination for all seasons.
Opatija owes its unique image to its ideal location on the spot where the wooded slopes of Mount Učka descend all the way down to the coast, providing perfect shade along the thirteen-kilometre-long Lungomare seafront promenade. Just as the Opatija area is a meeting point of the sea and the mountain, its visual impression is a blend of different styles, as this is a melting pot where magnificent Central European elegance, playful Mediterranean charm and the historically-rich medieval architecture of the small towns in the hinterland come together.
In addition to the architecture that leaves a strong impression on every visitor, especially when the town is viewed from the sea, and its lush parks and gardens that have been Opatija's trademarks since its beginnings as a tourist resort, Opatija also has hotels and restaurants whose quality ranks alongside that of any other European destination. Opatija's gastronomic offer is based on a Mediterranean cuisine rich in fresh fish and seafood and locally grown seasonal ingredients, while the traditional recipes of this region reveal a wealth of flavours and can be sampled in the area's numerous taverns.
Opatija entered the European stage in the mid-19th century as a health resort for the European nobility, and health tourism has remained one of the main segments of the town's tourism offer right up to the present day. However, top medical experts and a wide range of spa & wellness services are just one of the reasons for visiting this town located at the top of Kvarner Bay. Also known as "the town of festivals", Opatija boasts a number of events throughout the year. The theatrical performances and concerts that take place at the magnificent Open Air Theatre are particularly impressive.
For more details please look at www.opatija.hr/ and www.opatija-tourism.hr/.
|
|
|
|
| Currently there are no news |
|
|
|
|
|