MIPRO 2016 - 39th International Convention

ISS - Information Systems Security

Friday, 6/3/2016 9:00 AM - 2:00 PM, Fortuna or Pool, Grand hotel Adriatic, Opatija

Presented papers written in English and published in the Conference proceedings will be submitted for posting to IEEE Xplore.

Event program
Papers 
Technical Track
Chair: Tonimir Kišasondi 
9:00 AM - 9:15 AM
A. Malatras, I. Coisel, I. Sanchez (European Commission - DG Joint Research Centre, Ispra, Italy)
Technical Recommendations for Improving Security of Email Communications 
With billions of emails exchanged worldwide on a daily basis, email is nowadays considered to be one of the most widespread forms of digital communications. The massive deployment of this technology is certainly due to its ease of use and interoperability. This advantageous ubiquity of email communications comes nonetheless at the cost of security, which is often sidelined in favor of maintaining interoperability. As a consequence, email communications often fall short of protecting the privacy and the authenticity of the information exchanged. Taking into account the fact that email is used to exchange private and personal information, the latter risks become extremely prominent. We review here the outstanding privacy and security risks in worldwide email communications and we describe a set of practical countermeasures, based on combinations of existing standards, which are capable of effectively mitigating the identified risks. Based on this analysis we provide a set of technical recommendations to be followed by email providers in order to enhance security, whilst preserving interoperability with the ecosystem.
9:15 AM - 9:30 AM
B. Brumen, J. Legvart (University of Maribor, Maribor, Slovenia)
Performance Analysis of Two Open Source Intrusion Detection Systems 
Several studies have been conducted in which authors compared the performance of open source intrusion detection systems, namely Snort and Suricata. However, most studies were limited to either security indicators or performance measurements under the same operating system. The objective of this study is to give a comprehensive analysis of both products in terms of several security-related and performance-related indicators. In addition, we tested the products under two different operating systems. Two experiments were run to evaluate the effects of the open source intrusion detection and prevention systems Snort and Suricata, the operating systems Windows and Linux, and various attack types on system resource usage, dropped packet rate and the ability to detect intrusions. The results show that Suricata has higher CPU and RAM utilization than Snort in all cases on both operating systems, but a lower percentage of dropped packets when evaluated under five of six simulated attacks. Both products had the same number of correctly identified intrusions. The results show that Linux-based solutions consume more system resources, but Windows-based systems had a higher rate of dropped packets. This indicates that Windows-based solutions are inappropriate for these two intrusion detection and prevention systems.
9:30 AM - 9:45 AM
S. Vrhovec (University of Maribor, Ljubljana, Slovenia)
Challenges of Mobile Device Use in Healthcare 
The use of mobile devices in healthcare offers various new possibilities. The benefits of mobile device use in healthcare include improved mobility, communication and coordination of healthcare workers, reduced redundancy of health data and better accessibility of healthcare workers. Due to this, the use of mobile devices in healthcare is spreading very fast. However, the security aspects of mobile device use are often neglected because of the high adoption pace coupled with the fast development of mobile technologies. In health care, where sensitive personal data is used, this is a major issue. According to research, 44 percent of all data breaches happen in healthcare alone. Most of these breaches are directly related to mobile device use, with a significant share related to mobile device theft and loss. In this paper we present the main issues of secure mobile device use in healthcare that both health institutions and practitioners need to address when adopting mobile devices.
9:45 AM - 10:00 AM
S. Vrhovec (University of Maribor, Ljubljana, Slovenia)
Safe Use of Mobile Devices in the Cyberspace 
As the number of mobile device users is rapidly growing and the use of mobile devices is spreading to new populations, such as seniors and kids, users seem to be more and more vulnerable in the cyberspace despite widely available security measures. This is worrying, as users usually store sensitive information on their mobile devices, which are connected to the cyberspace almost continuously throughout day and night, leaving many opportunities for potential attackers. The tendency of mobile device producers is to provide users with easy-to-use mobile devices that require a short learning curve. In part, this is achieved by disabling some security measures that require too much effort to understand and use efficiently. Additionally, mobile device users are often unaware of the security threats in the cyberspace, lowering their motivation to learn how to use the available security measures. In this paper we present a review of key security threats in the cyberspace and available security measures that can help users adequately address them.
10:00 AM - 10:15 AM
H. Jerković, P. Vranešić, S. Dadić (Zagreb School of Economics and Management, Zagreb, Croatia)
Securing Web Content and Services in Open Source Content Management Systems 
Content management systems (CMS) are information systems designed predominantly for managing different types of publicly available web content, although they can be used for various other purposes. Today, open source CMS solutions are among the most popular platforms for developing web sites, portals, web shops and other publicly available content and services. The main problem in this area is the lack of proper understanding of security issues and procedures, which frequently leaves content and services vulnerable to various types of attacks. This work focuses on risk analysis of the main open source CMS systems from the point of view of the security of data and services. The usual "points of failure" are analyzed, as well as the effects of the human factor on the overall security of systems, data and services.
10:15 AM - 10:30 AM
I. Novković, S. Groš (Fakultet elektrotehnike i računarstva, Sveučilište u Zagrebu, Zagreb, Croatia)
Can Malware Analysts be Assisted in Their Work Using Techniques from Machine Learning? 
When a malware analyst analyzes some code to determine whether it is malicious or not and what it is doing, he has to overcome protections built in by the malware writer, who tries to make it as hard as possible to get to the main functionality of the malware code. In practice that means that when the malware analyst, while stepping through the code in some debugger like OllyDbg, hits a call instruction or something similar, he has to decide whether he is going to follow the call or skip over it. Obviously, if the call is unimportant the best option would be to skip it. The problem is that at that point the analyst doesn't know whether it is important or not. Another problem is that a creative malware writer can use anti-debug techniques in such a way that they are hard to recognize and analyze; they can even come up with new ways to make malware analysis harder. So, the question is: is it possible to write a plugin for a debugger that, based on the current call instruction and the data behind it, can suggest to the malware analyst what to do? In this paper we present a system that we designed and developed that would allow experiments to be performed to find out the answer to the aforementioned question.
10:30 AM - 10:45 AM
S. Afonin (Moscow State University, Moscow, Russian Federation)
Performance Evaluation of a Rule-based Access Control Framework 
Rule-based access control is a flexible approach to security policy specification in an information system: access permission for a particular operation on an object is granted depending not only on the user's membership in a role, but on the object's attributes as well. As object attributes can be difficult to compute, the performance of rule-based access control systems is a serious concern in real-life applications. In this paper the evaluation results for a rule-based access control system are presented. The evaluation was performed using the real workload of an information system with millions of objects and thousands of users divided into a dozen roles. The access control system dynamically translates access rules into SQL queries and uses various heuristics in order to minimize the overall database workload induced by access control checks.
Social Engineering Track
Chair: Stjepan Groš 
11:15 AM - 11:30 AM
Z. Lovrić Švehla, I. Sedinić, L. Pauk (Hrvatski Telekom, Zagreb, Croatia)
Going White Hat: Security Check by Hacking Employees Using Social Engineering Techniques 
Security consists of three basic building blocks: people, processes and technology. Regardless of very refined processes and implemented state-of-the-art security technology, there is always the same weakest link in the security chain: people. Social engineering is the practice of obtaining confidential information or valuable assets by manipulation of legitimate users or owners. Being the number one telecommunication company, employing more than one thousand employees who have access to the sensitive data of millions of customers, Hrvatski Telekom is a very interesting target for social engineering activities. In order to identify the proportions of the risk, a check of the implemented security practices was performed by penetration testing using social engineering techniques. In this paper the results of penetration testing using social engineering techniques are presented, as well as mitigation measures and lessons learned.
11:30 AM - 11:45 AM
J. Andrić (NTH, Varaždin, Croatia), D. Oreški, T. Kišasondi (FOI, Varaždin, Croatia)
Analysis of Phishing Attacks against Students 
The aim of this research was to examine the familiarity of students in Croatia with threats in the form of social engineering and phishing attacks. To get precise data, a practical assessment of students' capabilities to identify phishing or social engineering attacks against them was conducted with the help of a graphical poll that tried to identify what kinds of scams or attacks were successful against students and what security topics are needed to identify and protect against phishing attempts. This paper shows the results of our work and the identified features that are problematic for students in the detection of phishing and social engineering attacks.
11:45 AM - 12:00 PM
L. Bošnjak, B. Brumen (Faculty of Electrical Engineering and Computer Science, University of Maribor, Maribor, Slovenia)
What Do Students Do with Their Assigned Default Passwords? 
Despite being the most widely used method of authentication, passwords still pose a significant threat to an information system's security. This threat is mostly attributed to the human factor, as users tend to select passwords that are easy to remember but are not resilient to brute force or dictionary attacks. Worse yet, when not prompted to change their passwords on a regular basis, users tend to keep their original passwords, or even the default passwords set by the system. These bad practices have been addressed over the decades, with the intention of educating users on the security risks associated with them. A case study on the passwords used by Slovenian university students to access the online grading system was conducted to examine whether passwords have improved over the course of the years. The results have shown that the vast majority of students continue to use the generated default passwords. Of the remaining students, who have changed their passwords, a large percentage use short, simple passwords consisting mainly of alphabetic or numeric characters. With no specific password policies enforced, user-created passwords remain weak, showing that users are still the Achilles' heel of information security.
12:00 PM - 12:15 PM
V. Taneski, M. Heričko, B. Brumen (University of Maribor, Maribor, Slovenia)
Analysing Real Students’ Passwords and Students’ Passwords Characteristics Received From a Questionnaire 
Measuring the strength of passwords is important in order to ensure the security of password-based authentication. Since passwords are still the most widely used method for authentication, there has been considerable research on passwords and password strength. Yet, studies related to passwords still lack access to plaintext passwords that are created under a specific password policy. Our research explores the connection between real students' passwords used for managing students' university accounts and students' password characteristics received through a questionnaire. The objective of this paper is to explore whether the characteristics of passwords received through a questionnaire are in line with real university passwords. We analyze real students' university passwords, using access to the plaintext of these passwords, and compare the results to those reported by students of the Faculty of Tourism and the Faculty of Electrical Engineering and Computer Science, collected through the questionnaire. We find that there is a significant connection between the reported and the directly analyzed university passwords for the Faculty of Tourism, but no significant connection for the Faculty of Electrical Engineering and Computer Science. Our results for the Faculty of Electrical Engineering and Computer Science suggest that students' answers to our questionnaire regarding password characteristics are not in line with the actual university passwords collected in plaintext.
Misc Track
Chair: Stjepan Groš 
12:15 PM - 12:30 PM
M. Bača (Faculty of Organization and Informatics, Varaždin, Croatia), J. Ćosić (Independent researcher, Bihać, Bosnia and Herzegovina), P. Grd (Faculty of Organization and Informatics, Varaždin, Croatia)
Using DEMF in Process of Collecting Volatile Digital Evidence 
Acquisition of volatile data for further forensic analysis still represents a challenge to both practitioners and researchers. The current tools used for the acquisition of such data have focused exclusively on a way to capture content; however, the development of forensic science, in particular in the area of digital evidence in terms of its admissibility in court, has introduced additional elements to be evaluated: mainly the integrity of the collected digital evidence, its authenticity and other elements of the digital chain of evidence to be presented in court. This paper describes a framework for capturing volatile data using the Digital Evidence Management Framework (DEMF) with regard to the integrity of the captured data.
12:30 PM - 12:45 PM
T. Katulić (Faculty of Law, Zagreb, Croatia), G. Vojković (Faculty of Transport and Traffic Sciences, Zagreb, Croatia)
From Safe Harbour to European Data Protection Reform 
European personal data protection laws have set the electronic communication privacy standards for more than two decades. Among these standards, Commission Decision 2000/520/EC of 26 July 2000 pursuant to Directive 95/46/EC of the European Parliament (the Safe Harbour Decision) stood out as a cornerstone of the transatlantic data protection regime. The decision of the Court of Justice of the EU in Maximillian Schrems v. Data Protection Commissioner in late 2015 declared the decision invalid. In the light of the current TTIP negotiations, the long-standing legislative reform of the European data protection legal framework and the revelations of widespread unauthorized electronic surveillance, data collection, interception and access by intelligence services and authorities of several countries, there is an urgent need for improved data protection rules, especially regarding the collection and export of data via cloud services established and hosted outside the EU. The purpose of this article is to analyse the publicly available reform proposals marking the most significant updates to EU privacy laws since the 1995 Data Protection Directive.
12:45 PM - 1:00 PM
S. Aksentijević (Aksentijević Forensics and Consulting, Ltd., Rijeka, Croatia), T. Đugum, K. Šakić (National Park Krka, Šibenik, Croatia)
Information Security Assessment in Nature Parks 
In this paper, specific requirements for information security assessment will be set out along with a proposal for a model specially tailored to suit the audit needs of the information systems within nature parks (protected and conserved areas). Elements of an information security management system for nature parks are described along with specific information security elements called "situations" to be evaluated. The proposed model is set up in a way that provides a quantitative evaluation of the overall system of information security management. The audit approach involves the definition of cardinal events of information security, assets, threats and related vulnerabilities. The final outcome of the assessment is not only a mark that represents the overall state of affairs within the information security management system, but also a set of recommendations for remedial measures and the implementation of information security controls in nature parks in order to elevate the already achieved and determined compliance level. The proposed model is tested in the case of the nature park "Krka" in Croatia, and the test results provide unique and adequate insight into the achieved level of information security management system compliance.
1:00 PM - 1:15 PM
M. Vuković (Faculty of Electrical Engineering and Computing, University of Zagreb, Zagreb, Croatia), M. Kordić (Ministry of the Interior, Zagreb, Croatia), D. Jevtić (Faculty of Electrical Engineering and Computing, University of Zagreb, Zagreb, Croatia)
Clustering Approach for User Location Data Privacy in Telecommunication Services 
User location has become an important aspect of the user's context that may bring valuable insights into user habits and preferences. Various services and applications tend to collect user location data for the purpose of analysis and providing personalized content to users. This paper examines location data privacy across some aspects of location data processing with regard to the European Commission ePrivacy directives. The intent of the new legislation is to strengthen and unify data protection for individuals within the European Union. It is necessary to strike a reasonable balance between the data controllers' business interests and the privacy of data subjects. The Data Protection Directive requires data controllers to observe a number of principles when they process personal data. These principles not only protect the rights of those about whom the data is collected but also reflect good business practices that contribute to reliable and efficient data processing. For this purpose, we propose a new approach to location data processing in which the location data is scaled according to the type of service. A neural processing technique is used for location data clustering. This approach proposes a dedicated server used for location data clustering with adaptive cluster dimensions.
1:15 PM - 1:30 PM
M. Ramljak (FER, Split, Croatia)
Analysis of Security Vulnerabilities of Intelligent Data Centre Management Interfaces
The Intelligent Platform Management Interface (IPMI), although developed by companies that are still large today and leaders in the information world, should not be proud of its name. Developed almost twenty years ago, the protocol to this day contains some major security flaws, which will be analysed further in the article. The IPMI protocol standardises communication between servers of different manufacturers so that they communicate in the same way regardless of the manufacturer. The very fact of, and reason for, the protocol's development is visible from the perspective of large information centres, where various equipment must be available and manageable at all times. That is precisely where the main magnitude of the security deficiencies of the IPMI protocol lies. Although various companies spend large amounts of resources so that the data and services on which their business operations rest are secure, further in the article it will be seen how unfounded and fragile that security is. As the basis of this article, the results of an analysis of most of the security deficiencies of IPMI implementations on modern hardware available on the market today will be presented, as well as a comparison of results among manufacturers. Although these are modern systems worth hundreds of thousands of dollars, the results are devastating.

Basic information:
Chairs:

Stjepan Groš (Croatia), Tonimir Kišasondi (Croatia)

International Program Committee Chairman:

Petar Biljanović (Croatia)

International Program Committee:

Slavko Amon (Slovenia), Vesna Anđelić (Croatia), Michael E. Auer (Austria), Mirta Baranović (Croatia), Almir Badnjevic (Bosnia and Herzegovina), Bartosz Bebel (Poland), Ladjel Bellatreche (France), Eugen Brenner (Austria), Andrea Budin (Croatia), Željko Butković (Croatia), Željka Car (Croatia), Matjaž Colnarič (Slovenia), Alfredo Cuzzocrea (Italy), Marina Čičin-Šain (Croatia), Marko Delimar (Croatia), Todd Eavis (Canada), Maurizio Ferrari (Italy), Bekim Fetaji (Macedonia), Tihana Galinac Grbac (Croatia), Paolo Garza (Italy), Liljana Gavrilovska (Macedonia), Matteo Golfarelli (Italy), Stjepan Golubić (Croatia), Francesco Gregoretti (Italy), Stjepan Groš (Croatia), Niko Guid (Slovenia), Yike Guo (United Kingdom), Jaak Henno (Estonia), Ladislav Hluchy (Slovakia), Vlasta Hudek (Croatia), Željko Hutinski (Croatia), Mile Ivanda (Croatia), Hannu Jaakkola (Finland), Leonardo Jelenković (Croatia), Dragan Jevtić (Croatia), Robert Jones (Switzerland), Peter Kacsuk (Hungary), Aneta Karaivanova (Bulgaria), Mladen Mauher (Croatia), Igor Mekjavic (Slovenia), Branko Mikac (Croatia), Veljko Milutinović (Serbia), Vladimir Mrvoš (Croatia), Jadranko F. Novak (Croatia), Jesus Pardillo (Spain), Nikola Pavešić (Slovenia), Vladimir Peršić (Croatia), Tomislav Pokrajcic (Croatia), Slobodan Ribarić (Croatia), Janez Rozman (Slovenia), Karolj Skala (Croatia), Ivanka Sluganović (Croatia), Vlado Sruk (Croatia), Uroš Stanič (Slovenia), Ninoslav Stojadinović (Serbia), Jadranka Šunde (Australia), Aleksandar Szabo (Croatia), Laszlo Szirmay-Kalos (Hungary), Davor Šarić (Croatia), Dina Šimunić (Croatia), Zoran Šimunić (Croatia), Dejan Škvorc (Croatia), Antonio Teixeira (Portugal), Edvard Tijan (Croatia), A Min Tjoa (Austria), Roman Trobec (Slovenia), Sergio Uran (Croatia), Tibor Vámos (Hungary), Mladen Varga (Croatia), Marijana Vidas-Bubanja (Serbia), Boris Vrdoljak (Croatia), Damjan Zazula (Slovenia)

Registration / Fees (price in EUR):

Category                                                                       Before May 16, 2016   After May 16, 2016
Members of MIPRO and IEEE                                                      180                   200
Students (undergraduate and graduate), primary and secondary school teachers   100                   110
Others                                                                         200                   220

Contact:

Stjepan Groš
Faculty of Electrical Engineering and Computing
Unska 3
HR-10000 Zagreb, Croatia

E-mail: stjepan.gros@fer.hr

Location:

Opatija, with its 170 years long tourist tradition, is the leading seaside resort of the Eastern Adriatic and one of the most famous tourist destinations on the Mediterranean. With its aristocratic architecture and style Opatija has been attracting renowned artists, politicians, kings, scientists, sportsmen as well as business people, bankers, managers for more than 170 years.

The tourist offering of Opatija includes a vast number of hotels, excellent restaurants, entertainment venues, art festivals, superb modern and classical music concerts, beaches and swimming pools and is able to provide the perfect response to all demands.

Opatija, the Queen of the Adriatic, is also one of the most prominent congress cities on the Mediterranean, particularly important for its international ICT conventions MIPRO that have been held in Opatija since 1979 gathering more than a thousand participants from more than forty countries. These conventions promote Opatija as the most desirable technological, business, educational and scientific center in Southeast Europe and the European Union in general.
For more details please look at www.opatija.hr/ and www.opatija-tourism.hr/
