Events & News

ZISC organizes a number of events. The annual ZISC Workshop brings together leading experts to present and discuss their latest research results on a chosen information security and privacy topic. The weekly ZISC Lunch Seminar presentations illustrate the research done at the affiliated research groups and invite exciting speakers from other research institutes and companies.

Latest News

ZISC Chair Prof. Srdjan Capkun named IEEE fellow

The IEEE Fellow Committee announced the newly elevated IEEE Fellows of 2022 — amongst them is ZISC Chair and ETHZ Professor Srdjan Capkun.

This distinction is reserved for selected IEEE members with extraordinary accomplishments.

During his career, Prof. Capkun has made numerous significant research contributions in the areas of wireless security and systems security. His ground-breaking research on distance bounding and proximity verification has helped to shape an exciting new research area. These results have also been commercialised by the 3bd. In addition, the research of Prof. Capkun examined cellular systems, such as LTE and 5G networks, and identified important security and privacy issues. He was also part of a team of researchers who designed a privacy-preserving contact tracing system that became the basis for the Swiss Covid App and the Exposure Notification framework adapted by Google and Apple. Prof. Capkun’s research on authentication technologies formed the basis for the Futurae start-up that specialises in secure and user-friendly authentication solutions. He has also created numerous research results related to trusted execution environments, security of microarchitectures, blockchain technology and digital currencies.

The ZISC center congratulates Prof. Capkun on this amazing achievement!

Applied Crypto Group wins Distinguished Paper Award at ACM CCS

The paper “Victory by KO: Attacking OpenPGP Using Key Overwriting” by Lara Bruseghini (ETH Zurich & Proton AG), Daniel Huigens (Proton AG) and Kenny Paterson (ETH Zurich) won a distinguished paper award at ACM CCS 2022 this week.

The annual conference is one of the top four security conferences and was held this year in Los Angeles, where Lara accepted the award on behalf of the team. The paper has already had a substantial impact on the use of OpenPGP in practice: multiple libraries have updated their code and the OpenPGP standard under development at the IETF now includes the countermeasures recommended in the paper. In addition, the “key overwriting” or “KO” attack vector is proving to be very useful in the group’s follow-up work on cloud storage systems.

To read more about the paper, please visit https://www.kopenpgp.com/

Digital emblem for International Red Cross

For over 150 years, three distinctive emblems, the red cross, red crescent, and more recently the red crystal, have been used in times of armed conflict. International law protects people who wear them, and also the facilities (for instance buildings or transport) which use them.

In the context of a cyberwar, is it possible to have a digital version of these emblems? For instance, servers, laptops, mobile phones and other equipment of a hospital could be victims of a cyberattack launched by a state, causing damage not only to the equipment but also to the hospital's operations and impacting the people under its care. A digital emblem would signal protection to state-based cyber-operations and thus allow attackers to recognise such systems as protected under international law. Naturally, several challenges arise in this context: a digital emblem should be easy to embed in current systems and easy for attackers to recognise, but at the same time it should be hard to abuse in order to claim protection over assets not covered by international law.

In order to tackle this challenge, the International Committee of the Red Cross (ICRC) in Geneva is working with Johns Hopkins University, the ITMO University of St. Petersburg, Russia, and the Center for Cyber Trust, a joint research center of ETH Zurich and Germany’s University of Bonn, to develop a technological solution. One of the proposals, designed within the Center for Cyber Trust, is called ADEM (Authenticated Digital EMblem). ADEM uses public key cryptography to create robust machine-readable certificates to be used by protected entities in network communications, allowing attackers to read them anonymously. Prof. Basin and Felix Linker explain this design in an article on the ICRC’s blog. ADEM has been included in an official report of the ICRC together with other digital emblem solutions. This report has recently been featured by several media outlets, including The Washington Post, The Lieber Institute at West Point, AP News and The Record.

Distinguished Artifact Award at USENIX Security 2022

The paper “Automating Cookie Consent and GDPR Violation Detection” by Dino Bollinger, Karel Kubicek, Carlos Cotrini, and David Basin received the Distinguished Artifact Award at USENIX Security 2022. Congratulations!

The European Union’s General Data Protection Regulation (GDPR) requires websites to inform users about personal data collection and request consent for cookies. Yet the majority of websites do not give users any choices, and others attempt to deceive them into accepting all cookies. The paper’s authors document the severity of this situation through an analysis of potential GDPR violations in cookie banners in almost 30k websites. They identify six novel violation types, such as incorrect category assignments and misleading expiration times, and find at least one potential violation in a surprising 94.7% of the analyzed websites.

The authors address this issue by giving users the power to protect their privacy. They develop a browser extension, called CookieBlock, that uses machine learning to enforce GDPR cookie consent at the client. It automatically categorizes cookies by usage purpose using only the information provided in the cookie itself. At a mean validation accuracy of 84.4%, their model attains a prediction quality competitive with expert knowledge in the field. Additionally, their approach differs from prior work by not relying on the cooperation of websites themselves. The four authors empirically evaluate CookieBlock on a set of 100 randomly sampled websites, on which it filters roughly 90% of the privacy-invasive cookies without significantly impairing website functionality.

Read the whole paper here.

MEGA – Malleable Encryption Goes Awry

The paper “MEGA – Malleable Encryption Goes Awry” by Matilda Backendal, Miro Haller and Kenny Paterson from the Applied Crypto Group was accepted to the IEEE Symposium on Security & Privacy 2023.

MEGA is a cloud-based storage system with 250 million users worldwide, storing more than 1000 Petabytes of data. The team uncovered five significant cryptographic vulnerabilities in the MEGA system. These were disclosed to MEGA in March 2022 and some of them were patched in June. The work received media attention from Ars Technica, Hacker News, The Register, and more.

Further details, including the paper itself, can be found at: https://mega-awry.io.