Vienna, Vienna, Austria
2K followers 500+ connections

Join to view profile

Services

Request proposal

Activity

Join now to see all activity

Experience & Education

  • Offensive.one

View Andreas’s full experience

See their title, tenure and more.

or

By clicking Continue to join or sign in, you agree to LinkedIn’s User Agreement, Privacy Policy, and Cookie Policy.

Licenses & Certifications

Join now to see all certifications

Publications

  • Getting pwn'd by AI: Penetration Testing with Large Language Models

    ESEC/FSE ’23, December 3–9, 2023, San Francisco, CA, USA

    The field of software security testing, more specifically penetration testing, requires high levels of expertise and involves many manual testing and analysis steps. This paper explores the potential use of
    large-language models, such as GPT3.5, to augment penetration testers with AI sparring partners. We explore two distinct use cases: high-level task planning for security testing assignments and low-
    level vulnerability hunting within a vulnerable virtual machine.

    For the latter,…

    The field of software security testing, more specifically penetration testing, requires high levels of expertise and involves many manual testing and analysis steps. This paper explores the potential use of
    large-language models, such as GPT3.5, to augment penetration testers with AI sparring partners. We explore two distinct use cases: high-level task planning for security testing assignments and low-
    level vulnerability hunting within a vulnerable virtual machine.

    For the latter, we implemented a closed-feedback loop between LLM-generated low-level actions with a vulnerable virtual machine (connected through SSH) and allowed the LLM to analyze the machine state for vulnerabilities and suggest concrete attack vectors which were automatically executed within the virtual machine. We discuss promising initial results, detail avenues for improvement,
    and close deliberating on the ethics of AI sparring partners.

    Other authors
    See publication

  • Understanding Hackers' Work: An Empirical Study of Offensive Security Practitioners

    ESEC/FSE ’23, December 3–9, 2023, San Francisco, CA, USA

    Offensive security-tests are commonly employed to pro-actively discover potential vulnerabilities. They are performed by specialists, also known as penetration-testers or white-hat hackers. The chronic
    lack of available white-hat hackers prevents sufficient security test coverage of software. Research into automation tries to alleviate this problem by improving the efficiency of security testing. To achieve
    this, researchers and tool builders need a solid understanding of how hackers…

    Offensive security-tests are commonly employed to pro-actively discover potential vulnerabilities. They are performed by specialists, also known as penetration-testers or white-hat hackers. The chronic
    lack of available white-hat hackers prevents sufficient security test coverage of software. Research into automation tries to alleviate this problem by improving the efficiency of security testing. To achieve
    this, researchers and tool builders need a solid understanding of how hackers work, their assumptions, and pain points.

    In this paper, we present a first data-driven exploratory qualitative study of twelve security professionals, their work and problems occurring therein. We perform a thematic analysis to gain insights into the execution of security assignments, hackers’ thought processes and encountered challenges. This analysis allows us to conclude with recommendations for researchers and tool builders, to increase the efficiency of their automation and identify novel areas
    for research.

    Other authors
    See publication

  • Enhancing Cloud Security and Privacy: Time for a New Approach?

    The Sixth International Conference on Innovative Computing Technology (INTECH 2016)

    Achieving cloud security is not a trivial problem and developing and enforcing good cloud security controls is a fundamental requirement if this is to succeed. The very nature of cloud computing can add additional problem layers for cloud security to an already complex problem area. We discuss why this is such an issue, consider what desirable characteristics should be aimed for and propose a novel means of effectively and efficiently achieving these goals through the use of unikernel based…

    Achieving cloud security is not a trivial problem and developing and enforcing good cloud security controls is a fundamental requirement if this is to succeed. The very nature of cloud computing can add additional problem layers for cloud security to an already complex problem area. We discuss why this is such an issue, consider what desirable characteristics should be aimed for and propose a novel means of effectively and efficiently achieving these goals through the use of unikernel based systems. The main thrust of this paper is to discuss the key issues which need to be addressed, noting which of those might be covered by our proposed approach. We discuss how our proposed approach may help better address the key security issues we have identified.

    Other authors

  • PBFT and Secret-Sharing in Storage Settings

    Twenty-fourth International Workshop on Security Protocols, At Brno, Czech Republic

    Recent publications combine secret-sharing with byzantine fault-tolerant distribution schemes into safe and secure storage systems. To our knowledge current publications describe chosen algorithms and implementations but do not highlight areas of conflict between secret-sharing and BFT algorithms in a systematic fashing. This paper presents different concrete problem areas and suggests possible solutions.

    Other authors

  • Quantum Key Distribution Software maintained by AIT

    QCMC 2012

    Other authors
    See publication

  • Timing synchronization with photon pairs for quantum communications

    QCMC 2012

    Other authors
    See publication

  • The SECOQC quantum key distribution network in Vienna

    New Journal of Physics

    In this paper, we present the quantum key distribution (QKD) network designed and implemented by the European project SEcure COmmunication based on Quantum Cryptography (SECOQC) (2004–2008), unifying the efforts of 41 research and industrial organizations. The paper summarizes the SECOQC approach to QKD networks with a focus on the trusted repeater paradigm. It discusses the architecture and functionality of the SECOQC trusted repeater prototype, which has been put into operation in Vienna in…

    In this paper, we present the quantum key distribution (QKD) network designed and implemented by the European project SEcure COmmunication based on Quantum Cryptography (SECOQC) (2004–2008), unifying the efforts of 41 research and industrial organizations. The paper summarizes the SECOQC approach to QKD networks with a focus on the trusted repeater paradigm. It discusses the architecture and functionality of the SECOQC trusted repeater prototype, which has been put into operation in Vienna in 2008 and publicly demonstrated in the framework of a SECOQC QKD conference held from October 8 to 10, 2008.

    Other authors
    See publication

  • ARCHISTAR: Towards Secure and Robust Cloud Based Data Sharing

    IEEE CloudCom 2015

    Cloud based collaboration give rise to many new applications and business opportunities in both domains, business and private. However building such systems in a secure and robust manner is a challenging tasks. We present a new architecture and prototype implementation for secure data sharing called ARCHISTAR, which is based on distributed storage technology and avoids any single point of trust or failure. It protects user data for confidentiality, integrity and availability – even from cloud…

    Cloud based collaboration give rise to many new applications and business opportunities in both domains, business and private. However building such systems in a secure and robust manner is a challenging tasks. We present a new architecture and prototype implementation for secure data sharing called ARCHISTAR, which is based on distributed storage technology and avoids any single point of trust or failure. It protects user data for confidentiality, integrity and availability – even from cloud providers – and resist active attacks or failures in a resilient way.

    Other authors

  • Exchanging Database Writes with modern Cryptography

    The First International Conference on Advances in Cyber-Technologies and Cyber-Systems CYBER2016, At Italy

    Modern cryptography provides for new ways of solving old problems. This paper details how HMACs or AEAD can be employed as an alternative to a traditional server-side temporal session store. This cryptography-based approach reduces the server-side need for state. When applied to database-based user-management systems it removes all database alteration statements needed for confirmed user sign-up and greatly removes database alteration statements for typical ``forgot password'' use-cases. As…

    Modern cryptography provides for new ways of solving old problems. This paper details how HMACs or AEAD can be employed as an alternative to a traditional server-side temporal session store. This cryptography-based approach reduces the server-side need for state. When applied to database-based user-management systems it removes all database alteration statements needed for confirmed user sign-up and greatly removes database alteration statements for typical ``forgot password'' use-cases. As there is no temporary data stored within the server database system, there is no possibility of creating orphaned or abandoned data records. However, this new approach is not generic and can only be applied if implemented use-cases fulfill requirements. This requirements and implications are also detailed within this paper. All examples are based upon common ``user sign-up''- and ``password forgotten/reset''-functionalities.

    Other authors

  • New release of an open source QKD software: design and implementation of new algorithms, modularization and integration with IPSec

    -

    Quantum Key Distribution (QKD) involves in a first step a physical exchange of quantum signals between a pair of devices, which can be carried out in numerous different ways. Whatever the realization of this ”physical layer” of QKD is, it outputs a pair of strongly correlated bit strings. The latter have then to be distilled by a fundamentally universal classical, post-processing protocol to yield Information Theoretically Secure (ITS)
    keys. Post-processing communication requires…

    Quantum Key Distribution (QKD) involves in a first step a physical exchange of quantum signals between a pair of devices, which can be carried out in numerous different ways. Whatever the realization of this ”physical layer” of QKD is, it outputs a pair of strongly correlated bit strings. The latter have then to be distilled by a fundamentally universal classical, post-processing protocol to yield Information Theoretically Secure (ITS)
    keys. Post-processing communication requires communication channel authentication, itself using key material. Key management in well defined crypto contexts is therefore a must for ITS post processing operation. Moreover real world QKD systems need to be seamlessly integrated in standard communication and to inter-operate with higher level applications providing communication security.

    Other authors
    See publication

Languages

  • German

    Native or bilingual proficiency

  • English

    Full professional proficiency

Recommendations received

1 person has recommended Andreas

Join now to view

More activity by Andreas

View Andreas’ full profile

  • See who you know in common
  • Get introduced
  • Contact Andreas directly
Join to view full profile

Explore more posts

Explore top content on LinkedIn

Find curated posts and insights for relevant topics all in one place.

View top content

Add new skills with these courses

See all courses