TY - CHAP
U1 - Conference publication
A1 - Hehnle, Philipp
A1 - Keilbach, Pascal
A1 - Lee, Hyun-Jin
A1 - Lejn, Sabrina
A1 - Steidinger, Daniel
A1 - Weinbrenner, Marina
A1 - Langweg, Hanno
T1 - One click privacy for online social networks
T2 - Computer Safety, Reliability, and Security : SAFECOMP 2017 Workshops, ASSURE, DECSoS, SASSUR, TELERISE, and TIPS, Trento, Italy, September 12, 2017, Proceedings
N2 - We present an approach to reduce the complexity of adjusting privacy preferences for multiple online social networks. To achieve this, we quantify the effect on privacy of the choices that users make, and simplify configuration by introducing privacy configuration as a service. We present an algorithm that effectively measures privacy and adjusts privacy settings across social networks. The aim is to configure privacy with one click.
KW - Privacy
KW - Social networks
KW - Metrics for privacy
KW - Configuration
Y1 - 2017
SN - 978-3-319-66284-8
SB - 978-3-319-66284-8
U6 - https://dx.doi.org/10.1007/978-3-319-66284-8_37
DO - https://dx.doi.org/10.1007/978-3-319-66284-8_37
SP - 435
EP - 442
PB - Springer
CY - Cham
ER -

TY - CHAP
U1 - Conference publication
A1 - Himmel, Julia
A1 - Siebler, Nikolas
A1 - Lägeler, Felix
A1 - Grupe, Marco
A1 - Langweg, Hanno
T1 - Privacy Points as a Method to Support Privacy Impact Assessments
T2 - First International Workshop on Technical and Legal Aspects of Data Privacy and Security - TELERISE 2015 : May 18, 2015, Florence, Italy : Proceedings
N2 - We introduce a lightweight and easy-to-use methodology to quantify relevant aspects of privacy based on the privacy points approach.
KW - security of data
KW - data privacy
Y1 - 2015
SN - 978-1-4673-7097-4
SB - 978-1-4673-7097-4
U6 - https://dx.doi.org/10.1109/TELERISE.2015.17
DO - https://dx.doi.org/10.1109/TELERISE.2015.17
N1 - Full-text access for members of HTWG Konstanz via the IEEE Xplore database
SP - 50
EP - 53
ER -

TY - CHAP
U1 - Conference publication
A1 - Keilbach, Pascal
A1 - Kolberg, Jascha
A1 - Gomez-Barrero, Marta
A1 - Busch, Christoph
A1 - Langweg, Hanno
T1 - Fingerprint presentation attack detection using laser speckle contrast imaging
T2 - 17th International Conference of the Biometrics Special Interest Group (BIOSIG), 26-28 Sept. 2018, Darmstadt, Germany
N2 - With the increased deployment of biometric authentication systems, some security concerns have also arisen. In particular, presentation attacks directed at the capture device pose a severe threat. In order to prevent them, liveness features such as blood flow can be utilised to develop presentation attack detection (PAD) mechanisms. In this context, laser speckle contrast imaging (LSCI) is a technology widely used in biomedical applications to visualise blood flow. We therefore propose a fingerprint PAD method based on textural information extracted from pre-processed LSCI images. Subsequently, a support vector machine is used for classification. In the experiments conducted on a database comprising 32 different artefacts, the results show that the proposed approach correctly classifies all bona fides. However, the LSCI technology experiences difficulties with thin and transparent overlay attacks.
Y1 - 2018
SN - 978-3-88579-676-3
SB - 978-3-88579-676-3
SN - 978-1-5386-6007-2
SB - 978-1-5386-6007-2
U6 - https://dx.doi.org/10.23919/BIOSIG.2018.8552931
DO - https://dx.doi.org/10.23919/BIOSIG.2018.8552931
N1 - Full-text access for members of Hochschule Konstanz possible via IEEE Xplore
SP - 49
EP - 58
PB - IEEE
ER -

TY - RPRT
U1 - Research report
A1 - Langweg, Hanno
T1 - Erfahrungsbericht Fortbildungssemester WS2018 Prof. Dr. Hanno Langweg
N2 - Report on the sabbatical semester (Fortbildungssemester) at the Federal Office for Information Security (BSI) in Bonn
Y2 - 2019
U6 - http://nbn-resolving.de/urn/resolver.pl?urn:nbn:de:bsz:kon4-opus4-19114
UN - http://nbn-resolving.de/urn/resolver.pl?urn:nbn:de:bsz:kon4-opus4-19114
SP - 6
S1 - 6
ER -

TY - CHAP
U1 - Conference publication
A1 - Langweg, Hanno
A1 - Ringmann, Sandra Domenique
T1 - Determining security requirements for cloud-supported routing of physical goods
T2 - SPC 2017 : IEEE Workshop on Security and Privacy in the Cloud, 11 Oct. 2017, Las Vegas, NV, USA
N2 - We present an analysis of how to determine security requirements for software that controls routing decisions in the distribution of discrete physical goods. Requirements are derived from stakeholder interests and threat scenarios. Three deployment scenarios are discussed: cloud and hybrid deployment as well as on-premise installation for legacy sites.
KW - Cloud computing
KW - Security of data
Y1 - 2017
U6 - https://dx.doi.org/10.1109/CNS.2017.8228691
DO - https://dx.doi.org/10.1109/CNS.2017.8228691
N1 - Full-text access for university members possible via the IEEE Xplore database
SP - 514
EP - 521
ER -

TY - CHAP
U1 - Conference publication
A1 - Liao, Yi-Ching
A1 - Langweg, Hanno
T1 - Developing Metrics for Surveillance Impact Assessment
T2 - IEEE 39th Annual Computer Software and Applications Conference, Volume 3, 1-5 July 2015, Taichung, Taiwan
N2 - Conducting surveillance impact assessment is the first step to solving the "Who monitors the monitor?" problem. Since the impacts of surveillance on different dimensions of privacy and society are always changing, measuring compliance and impact through metrics can ensure that the negative consequences are minimized to acceptable levels. To develop metrics systematically for surveillance impact assessment, we follow the top-down process of the Goal/Question/Metric paradigm: 1) establish goals through the social impact model, 2) generate questions through the dimensions of surveillance activities, and 3) develop metrics through the scales of measure. With respect to the three factors of impact magnitude (the strength of sources, the immediacy of sources, and the number of sources), we generate questions concerning surveillance activities (by whom, for whom, why, when, where, of what, and how) and develop metrics with the scales of measure: the nominal scale, the ordinal scale, the interval scale, and the ratio scale. In addition to compliance assessment and impact assessment, the developed metrics have the potential to address the power imbalance problem through sousveillance, which employs surveillance to control and redirect the impact exposures.
KW - surveillance
KW - data privacy
KW - security of data
KW - software metrics
Y1 - 2015
SN - 0730-3157
SS - 0730-3157
SN - 978-1-4673-6564-2
SB - 978-1-4673-6564-2
U6 - https://dx.doi.org/10.1109/COMPSAC.2015.245
DO - https://dx.doi.org/10.1109/COMPSAC.2015.245
N1 - Full-text access for university members via the IEEE Xplore database
SP - 297
EP - 302
ER -

TY - JOUR
U1 - Journal article, scientific - peer reviewed
A1 - Liao, Yi-Ching
A1 - Langweg, Hanno
T1 - Evidential reasoning for forensic readiness
JF - The journal of digital forensics, security and law
N2 - To learn from the past, we analyse 1,088 "computer as a target" judgements for evidential reasoning by extracting four case elements: decision, intent, fact, and evidence. Analysing the decision element is essential for studying the scale of sentence severity for cross-jurisdictional comparisons. Examining the intent element can facilitate future risk assessment. Analysing the fact element can enhance an organization's capability of analysing criminal activities for future offender profiling. Examining the evidence used against a defendant in previous judgements can facilitate the preparation of evidence for upcoming legal disclosure. Following the concepts of argumentation diagrams, we develop an automatic judgement summarizing system to enhance the accessibility of judgements and avoid repeating past mistakes. Inspired by the feasibility of extracting legal knowledge for argument construction and employing grounds of inadmissibility for probability assessment, we conduct evidential reasoning on kernel traces for forensic readiness. We integrate the narrative methods from attack graphs/languages for preventing confirmation bias, the argumentative methods from argumentation diagrams for constructing legal arguments, and the probabilistic methods from Bayesian networks for comparing hypotheses.
Y1 - 2016
SN - 1558-7215
SS - 1558-7215
U6 - https://dx.doi.org/10.15394/jdfsl.2016.1372
DO - https://dx.doi.org/10.15394/jdfsl.2016.1372
VL - 11
IS - 1
SP - 37
EP - 52
ER -

TY - CHAP
U1 - Conference publication
A1 - Ringmann, Sandra Domenique
A1 - Langweg, Hanno
T1 - Elicitation of security requirements for migration of OCR software to the cloud
T2 - Collaborative European Research Conference, CERC2017 Karlsruhe University of Applied Sciences, Germany 22 - 23 September 2017, Proceedings
KW - Security requirements
KW - Stakeholder interests
KW - Cloud
Y1 - 2018
UR - https://www.cerc-conference.eu/wp-content/uploads/2018/06/CERC-2017-proceedings.pdf
SN - 2220-4164
SS - 2220-4164
SP - 210
EP - 212
ER -

TY - CHAP
U1 - Conference publication
A1 - Ringmann, Sandra Domenique
A1 - Langweg, Hanno
T1 - Elicitation of security requirements for migration of OCR software to the cloud
T2 - Collaborative European Research Conference (CERC2017), 22 - 23 September 2017, University of Applied Sciences Karlsruhe, Germany
Y1 - 2017
UR - www.cerc-conference.eu/wp-content/uploads/2018/06/CERC-2017-proceedings.pdf
SN - 2220-4161
SS - 2220-4161
SP - 210
EP - 212
ER -

TY - JOUR
U1 - Journal article, scientific - peer reviewed
A1 - Ringmann, Sandra Domenique
A1 - Langweg, Hanno
A1 - Waldvogel, Marcel
T1 - Requirements for legally compliant software based on the GDPR
JF - On the Move to Meaningful Internet Systems. OTM 2018 Conferences - Confederated International Conferences: CoopIS, C&TC, and ODBASE 2018, Valletta, Malta, October 22-26, 2018, Proceedings, Part II (Lecture Notes in Computer Science book series ; Vol. 11230)
N2 - We identify 74 generic, reusable technical requirements based on the GDPR that can be applied to software products which process personal data. The requirements can be traced to corresponding articles and recitals of the GDPR and fulfill the key principles of lawfulness and transparency. On this basis, we present an approach to requirements engineering for developing legally compliant software that satisfies the principles of privacy by design, privacy by default as well as security by design.
Y1 - 2018
SN - 978-3-030-02670-7
SB - 978-3-030-02670-7
SN - 978-3-030-02671-4
SB - 978-3-030-02671-4
U6 - https://dx.doi.org/10.1007/978-3-030-02671-4_15
DO - https://dx.doi.org/10.1007/978-3-030-02671-4_15
SP - 258
EP - 276
PB - Springer
CY - Cham
ER -

TY - CHAP
U1 - Conference publication
A1 - Schuckert, Felix
A1 - Hildner, Max
A1 - Katt, Basel
A1 - Langweg, Hanno
T1 - Source Code Patterns of Cross Site Scripting in PHP Open Source Projects
T2 - Proceedings of the 11th Norwegian Information Security Conference (NISK 2018), Sep. 19-20, 2018, Longyearbyen, Svalbard, Norway (NISK Journal ; Vol. 11)
N2 - To get a better understanding of Cross Site Scripting vulnerabilities, we investigated 50 randomly selected CVE reports related to open source projects. The vulnerable and patched source code was manually reviewed to find out what kind of source code patterns were used. Source code pattern categories were found for sources, concatenations, sinks, HTML context and fixes. Our resulting categories are compared to categories from CWE. A source code sample which might have led developers to believe that the data was already sanitized is described in detail. For the different HTML context categories, the necessary Cross Site Scripting prevention mechanisms are described.
Y1 - 2018
UR - http://ojs.bibsys.no/index.php/NISK/article/view/576/492
SN - 1893-6563
SS - 1893-6563
SN - 1894-7735
SS - 1894-7735
SP - 13
S1 - 13
ER -

TY - CHAP
U1 - Conference publication
A1 - Schuckert, Felix
A1 - Hildner, Max
A1 - Katt, Basel
A1 - Langweg, Hanno
T1 - Source Code Patterns of Buffer Overflow Vulnerabilities in Firefox
T2 - Sicherheit 2018 : Sicherheit, Schutz und Zuverlässigkeit : Konferenzband der 9. Jahrestagung des Fachbereichs Sicherheit in der Gesellschaft für Informatik e. V. (GI) : 25. - 27. April 2018 in Konstanz
N2 - We investigated 50 randomly selected buffer overflow vulnerabilities in Firefox. The source code of these vulnerabilities and the corresponding patches were manually reviewed and patterns were identified. Our main contributions are taxonomies of errors, sinks and fixes seen from a developer's point of view. The results are compared to the CWE taxonomy with an emphasis on vulnerability details. Additionally, some ideas are presented on how the taxonomy could be used to improve software security education.
Y1 - 2018
UR - https://dl.gi.de/bitstream/handle/20.500.12116/16298/sicherheit2018-08.pdf
SN - 978-3-88579-675-6
SB - 978-3-88579-675-6
U6 - https://dx.doi.org/10.18420/sicherheit2018_08
DO - https://dx.doi.org/10.18420/sicherheit2018_08
SP - 107
EP - 118
PB - Gesellschaft für Informatik e.V.
CY - Bonn
ER -

TY - CHAP
U1 - Conference publication
A1 - Schuckert, Felix
A1 - Katt, Basel
A1 - Langweg, Hanno
T1 - Source code patterns of SQL injection vulnerabilities
T2 - Proceedings of the 12th International Conference on Availability, Reliability and Security (ARES '17), Reggio Calabria, Italy, August 29 - September 01, 2017
N2 - Many secure software development methods and tools are well-known and understood. Still, the same software security vulnerabilities keep occurring. To find out whether new source code patterns have evolved or the same patterns are reoccurring, we investigate SQL injections in PHP open source projects. SQL injections are well-known and a core part of software security education. For each common part of SQL injections, the source code patterns are analysed. Examples are pointed out showing that developers had software security in mind, but nevertheless created vulnerabilities. A comparison to earlier work shows that some categories are not found as often as expected. Our main contribution is the categorization of source code patterns.
Y1 - 2017
SN - 978-1-4503-5257-4
SB - 978-1-4503-5257-4
U6 - https://dx.doi.org/10.1145/3098954.3103173
DO - https://dx.doi.org/10.1145/3098954.3103173
N1 - Full-text access for members of Hochschule Konstanz possible via ACM.
SP - 7
S1 - 7
PB - ACM
CY - New York
ER -

TY - CHAP
U1 - Conference publication
A1 - Schuckert, Felix
A1 - Katt, Basel
A1 - Langweg, Hanno
T1 - Difficult XSS Code Patterns for Static Code Analysis Tools
T2 - Computer Security - ESORICS 2019 International Workshops, IOSec, MSTEC, and FINSEC Luxembourg City, Luxembourg, September 26-27, 2019
N2 - We present source code patterns that are difficult for modern static code analysis tools. Our study comprises 50 different open source projects in both a vulnerable and a fixed version for XSS vulnerabilities reported with CVE IDs over a period of seven years. We used three commercial and two open source static code analysis tools. Based on the reported vulnerabilities we discovered code patterns that appear to be difficult to classify by static analysis. The results show that code analysis tools are helpful, but still have problems with specific source code patterns. These patterns should be a focus in training for developers.
Y1 - 2020
SN - 978-3-030-42050-5
SB - 978-3-030-42050-5
SN - 978-3-030-42051-2
SB - 978-3-030-42051-2
U6 - https://dx.doi.org/10.1007/978-3-030-42051-2_9
DO - https://dx.doi.org/10.1007/978-3-030-42051-2_9
N1 - Access to the full text possible within the campus network of Hochschule Konstanz.
SP - 123
EP - 139
PB - Springer
CY - Cham
ER -

TY - CHAP
U1 - Book chapter
A1 - Zinsmaier, Sandra
A1 - Langweg, Hanno
T1 - Agile test automation for web applications
BT - a security perspective
T2 - Empirical research for software security : foundations and experience
Y1 - 2018
SN - 978-1-4987-7641-7
SB - 978-1-4987-7641-7
SP - 209
EP - 247
PB - CRC Press
CY - Boca Raton
ER -

TY - CHAP
U1 - Conference publication
A1 - Zinsmaier, Sandra
A1 - Langweg, Hanno
A1 - Waldvogel, Marcel
T1 - A Practical Approach to Stakeholder-driven Determination of Security Requirements based on the GDPR and Common Criteria
T2 - ICISSP 2020, Proceedings of the 6th International Conference on Information Systems Security and Privacy, February 25-27, 2020, Valletta, Malta
N2 - We propose and apply a requirements engineering approach that focuses on security and privacy properties and takes into account various stakeholder interests. The proposed methodology facilitates the integration of security and privacy by design into the requirements engineering process. Thus, specific, detailed security and privacy requirements can be implemented from the very beginning of a software project. The method is applied to an exemplary application scenario in the logistics industry. The approach includes the application of threat and risk rating methodologies, a technique to derive technical requirements from legal texts, as well as a matching process to avoid duplication and accumulate all essential requirements.
KW - Common Criteria
KW - GDPR
KW - Privacy by Design
KW - Requirements Engineering
KW - Security by Design
Y1 - 2020
SN - 978-989-758-399-5
SB - 978-989-758-399-5
U6 - https://dx.doi.org/10.5220/0008960604730480
DO - https://dx.doi.org/10.5220/0008960604730480
IS - Vol. 1
SP - 473
EP - 480
PB - SciTePress
ER -