Information Security...

14. June 2022

Information Security...

...sounds tiring. It is. But we have to get throug it.

(published on 28.04.2021 by Marianne Rudigier)

All of us.

Even when we think we can do without "smart" products[1]. Because that is almost impossible. For example, if I were to decide to do without all of these products, my everyday life would still be characterized by a "smart" or rather computerized environment. I do my work on a computer and I communicate regularly (and especially in the home office) via my smartphone. So, if I wanted to do without these products, I would have to take up a new profession. I enter my fitness center with a smart card that knows which services I'm allowed to use, and many stores I visit have sensors that can follow the movements of customers, among other things. There are cities that install "smart" sensors in streets, lanterns and sidewalks, and use "smart" power grids and traffic routes to identify peak times to better direct traffic flows. So I would have to be very cut off to avoid this "smartification."

In 2017, 8.4 billion devices were connected to the Internet. By 2021, there should have been around 35 billion devices[2]. The Internet is also increasingly becoming a component of cheaper devices (keyword: Internet of Things). On the one hand, because the cost of these technologies is steadily falling and, on the other, because manufacturers hope this will give them a competitive edge. And because it is possible.

In its entirety, a complex system is created in which everything is interconnected. Bruce Schneier (a renowned IT security specialist from the USA, whose book "Click here to kill everybody" is the main source of this article) uses the term "Internet+" for this, consisting of the Internet, the "smart" products and us humans. The Internet of Things is not particularly "smart" at present, but it will become continuously smarter. With all-encompassing interconnectivity, the Internet+ is not only becoming more powerful, but unfortunately also more vulnerable. During the development of the Internet, security was not given much attention[3]. Many of the original Internet protocols are still in use today. Since computer systems can be expanded almost at will, the problem of inadequate security grows along with the number of systems. In a "system of systems", the participating systems interact with each other. Weaknesses in one system can spread to others. This results in security vulnerabilities that no one anticipated during development. In 2017, for example, hackers penetrated a casino's network via an aquarium connected to the Internet and gained access to sensitive data (fascinating, isn't it?).

On top of that, attack technologies are also constantly improving. Attacks are becoming faster, cheaper and easier. What is only theoretically possible today will be put into practice tomorrow. And because our information systems will remain in use much longer than originally planned, we already have to think about the attackers who will use the technologies of the future when it comes to current developments. At the same time, however, security is often "forgotten" when software is created. High-quality software is not rewarded to the same extent as early completion or under-budgeting, which in turn leads to security vulnerabilities that - if found - must be patched promptly. However, many users do not know what "patching" means (and you can't blame them for not knowing).

As bad as such vulnerabilities are, however, the most common way hackers penetrate networks is by tricking the authentication process. They steal passwords, set up so-called man-in-the-middle attacks to abuse legitimate logins, or impersonate authorized users. However, hackers do not necessarily need security vulnerabilities in software to steal user data; in fact, a successful phishing campaign usually leads to the goal more easily and quickly.

80% of successful attacks are due to the misuse of access data. From mid-2016 to mid-2017, Google studied the behavior of Gmail users and found that 12 million (!) phishing attacks had been successfully carried out every week (!) during this period. The majority of passwords used are also of poor quality (123456 or qwertz are still extremely popular), making it easy for hackers to figure them out.

What's more, in exchange for supposedly free services, we give up control over our data and resources. Google, Microsoft, Amazon, Facebook and Apple (and Elon Musk and Bytedance, etc.) have astonishingly far-reaching control over what we can look at and what we can do and when. With the Internet+, the amount of data and companies collecting it will increase even more. Not enough, there is also an increasing risk that attacks will place a greater emphasis on altering or manipulating data (such as imagery, manipulating messages, and the like) to compromise its integrity (i.e., its accuracy and reliability). This is to influence decision-making in order to weaken trust in existing (political) systems or to cause physical damage.[4]

Reasons enough to take a closer look at the topic of information security, don't you think?

What can we do as TU Wien and in general as users of "smart" devices to protect ourselves and our data from these threats?

On the one hand, systems should be developed from the beginning in such a way that it is less likely that they will be successfully attacked (keyword: privacy by design and default...). For another, we should be much more conscious of our data, producing less data in the first place, disclosing it, deleting it, and, above all, protecting it with strong, unique passwords and, preferably, a second factor.

As a university, we have a great influence on the former in that we can instill an awareness of the concept of "privacy by design and default" in future developers of technology. This concept should not only be considered from the beginning of research projects. Information security and data protection should also be included in projects in the administration departments right from the start of the project.

Each and every one of us is called upon to deal consciously with data. On the one hand, we can protect our data by using secure passwords (and a unique one for each application! Please!), by encrypting our end devices, by storing data not locally on the computer but in centrally provided file systems (for private purposes, we recommend backing up data on an external, encrypted hard drive), and by considering whether using a service that is supposedly provided free of charge is really worth giving up privacy.

You can learn more about information security in our regular training sessions.

[1] Note: "smart" products are those that can collect and share data during the manufacturing and use phases.

[2] See: findstack.com/de/internet-of-things-statistics/, opens an external URL in a new window, opens an external URL in a new window (last accessed 04/26/2022).

[3] Note: The Internet was developed in a closed and trusted environment in academia and the military. Network security, while important, was nowhere near as complex as it is today, where it extends to business environments, around the world, to private homes, and to open wireless communications.

[4] Cf. to here. B. Schneier, Click here to kill everybody. Internet security risk and corporate and government responsibility. New York 2018.

Name	Purpose	Lifetime	Type	Provider
CookieConsent	Saves your settings for the use of cookies on this website.	1 year	HTML	Homepage TU Wien
SimpleSAML	This is needed to distinguish between the sessions of the logged-in users.	session	HTTP	Login TU Wien
SimpleSAMLAuthToken	This is needed to distinguish between the sessions of the logged-in users.	session	HTTP	Login TU Wien
fe_typo_user	Is needed so that in case of a Typo3 frontend login the session ID is recognized to grant access to protected areas.	session	HTTP	Homepage TU Wien
staticfilecache	Is needed to optimize the delivery time of the website.	session	HTTP	Homepage TU Wien
JESSIONSID	Is needed so that in case of a LectureTube the session ID is recognized to grant access to protected areas.	session	HTTP	LectureTube TU Wien
_shibsession_lecturetube	This is needed to distinguish between the sessions of the logged-in users.	session	HTTP	LectureTube TU Wien

Name	Purpose	Lifetime	Type	Provider
_pk_id	Used to store a few details about the user such as the unique visitor ID.	13 months	HTML	Matomo TU Wien
_pk_ref	Is used to store the information of the users home website.	6 months	HTML	Matomo TU Wien
_pk_ses	Is needed to store temporary data of the visit.	30 minutes	HTML	Matomo TU Wien
nmstat	Is used to record the behaviour on the website. It is used to collect statistics about website usage, such as when the visitor last visited the website. The cookie does not contain any personal data and is only used for website analysis.	1000 days	HTML	Siteimprove
siteimproveses	Is used to track the sequence of pages that a visitor views during his/her visit to the website. The cookie does not contain any personal data and is used solely for website analysis.	session	HTTP	Siteimprove
AWSELB	Always occurs in pairs with siteimproveses (for load balancing on the provider server)	session	HTTP	Siteimprove

Name	Purpose	Lifetime	Type	Provider
_ga	Is needed to distinguish the sessions of the users from each other.	persistent	HTTP	Google Analytics
_gali	Is needed to determine which links are clicked on a page.	expires immediately	HTTP	Google Analytics
_gat	This is a function-related cookie, whose tasks may differ.	2 years	HTTP	Google Analytics
_gid	Is needed to distinguish users and create statistics.	24 hours	HTTP	Google Analytics
_gads	Required to enable websites to display advertising from Google, including personalized advertising.	13 months	HTTP	Google Analytics
_gac_	Required by advertisers to measure user activity and the performance of their advertising campaigns.	90 days	HTTP	Google Analytics
_gcl_	Required by advertisers to determine how often users who click on their ads end up taking an action on their website.	90 days	HTTP	Google Analytics
_gcl_au	Contains a randomly generated user ID.	90 days	HTTP	Google
_gcl_aw	Is set when users click on a Google ad on the website and contains information about which ad was clicked.	90 days	HTTP	Google
__utma	Is used to record visits and visitors.	2 years	HTTP	Google Analytics
__utmb	Is used to detect new visits.	30 minutes	HTTP	Google Analytics
__utmc	Is used in connection with __utmb to determine whether it is a new (recent) visit.	session	HTTP	Google Analytics
__utmd	Is used to store and track visitor journeys through the site and classifies them into groups (marketing/tracking).	1 second	HTTP	Google Analytics
__utmt	Is needed to limit the query rate on Google Analytics.	10 minutes	HTTP	Google Analytics
__utmz	Is needed to determine from which source/campaign visitors come.	6 months	HTTP	Google Analytics
__utmvc	Is needed to collect information about user behavior on multiple websites. This information is used to optimize the relevance of advertising on the website.	24 hours	HTTP	Google AdSense
utm_source	Is needed to tag URLs with parameters to identify the campaigns that forward traffic.	expires immediately	HTTP	Google Analytics
__utm.gif	Is needed to save browser details.	session	HTTP	Google Analytics
gtag	Is needed to perform remarketing.	30 days	HTTP	Google AdSense
id	Is needed to perform remarketing.	2 years	HTTP	Google AdWords
1P_JAR	Is needed to optimize advertising, provide ads that are relevant to users, improve campaign performance reports, or prevent users from seeing the same ads more than once.	2 years	HTTP	Google
AID	Is needed to activate targeted advertising.	2 years	HTTP	Google Analytics
ANID	Is needed to display Google ads on non-Google websites.	2 years	HTTP	Google AdSense
APISID	Unknown functionality	2 years	HTTP	Google Ads Optimization
AR	Is needed to profile visitors' interests and display relevant ads on other websites. This cookie works by uniquely identifying your browser and device.	2 years	HTTP	Google AdSense
CONSENT	Is needed to store the preferences of visitors and personalize advertising.	persistent	HTTP	Google
DSID	Is needed by DoubleClick for advertising displayed in various places on the web and used to store the preferences of users.	2 years	HTTP	Doubleclick
DV	Is needed to store user preferences and other information. This includes, in particular, the preferred language, the number of search results to be displayed on the page, and the decision whether or not to activate the Google SafeSearch filter.	2 years	HTTP	Google
HSID	Contains the Google account ID and the last login time of the user.	2 years	HTTP	Google
IDE	Is needed by DoubleClick to record and report the actions of users on the website after viewing or clicking on one of the provider's ads, with the purpose of measuring the effectiveness of an advertisement and displaying targeted advertisements to users.	2 years	HTTP	Doubleclick
LOGIN_INFO	Is used to store the credentials of users of Google services.	2 years	HTTP	Google
NID	Is used to store information about user settings.	6 months	HTTP	Google
OTZ	Is needed to link activities of visitors with other devices that are previously logged in via the Google account. In this way, advertising is tailored to different devices.	1 month	HTTP	Google
RUL	Is needed by DoubleClick to determine whether advertising has been displayed correctly in order to make marketing activities more efficient.	1 year	HTTP	Doubleclick
SAPISID	Is needed by YouTube to store user settings and to calculate user bandwidth.	persistent	HTTP	Google
SEARCH_SAMESITE	Enables servers to mitigate the risk of CSRF and information leakage attacks by specifying that a particular cookie may only be sent on requests originating from the same registerable domain.	6 months	HTTP	Google
SID	Contains the Google account ID and the last login time of the user.	2 years	HTTP	Google
SIDCC	Is needed to store information about user settings and information for Google Maps.	3 months	HTTP	Google
SSID	Is needed to collect visitor information for videos hosted by YouTube on Google Maps integrated maps.	persistent	HTTP	Google
__SECURE-1PAPISID	Is needed for targeting purposes to create a profile of the interests of website visitors.	2 years	HTTP	Google
__SECURE-1PSID	Is needed for targeting purposes to create a profile of the interests of website visitors.	2 years	HTTP	Google
__SECURE-3PAPISID	Is needed for targeting purposes to create a profile of the interests of website visitors.	2 years	HTTP	Google
__SECURE-3PSID	Is needed for targeting purposes to create a profile of the interests of website visitors.	2 years	HTTP	Google
__SECURE-3PSIDCC	Is needed for targeting purposes to create a profile of the interests of website visitors.	2 years	HTTP	Google
__SECURE-APISID	Is needed to profile the interests of website visitors in order to display relevant and personalized advertising through retargeting.	8 months	HTTP	Google
__SECURE-HSID	Is needed to secure digitally signed and encrypted data from the unique Google ID and to store the last login time that Google uses to identify visitors, prevent fraudulent use of login data, and protect visitor data from unauthorized parties. This may also be used for targeting purposes to display relevant and personalized advertising content.	8 months	HTTP	Google
__SECURE-SSID	Is needed to store information about how visitors use the site and about the ads they may have seen before visiting the site. Also used to customize ads on Google domains.	8 months	HTTP	Google
test_cookie	Is set as a test to check whether the browser allows cookies to be set. Does not contain any identification features.	15 minutes	HTTP	Google
VISITOR_INFO1_LIVE	Is needed by YouTube to store user settings and to calculate user bandwidth.	6 months	HTTP	Youtube
facebook	Is used to Enable ad delivery or retargeting	90 days	HTTP	Meta (Facebook)
__fb_chat_plugin	Is needed to store and track interactions (marketing/tracking).	persistent	HTTP	Meta (Facebook)
_js_datr	Is needed to save user settings.	2 years	HTTP	Meta (Facebook)
_fbc	Is needed to save the last visit (marketing/tracking).	2 years	HTTP	Meta (Facebook)
fbm	Is needed to store account data (marketing/tracking).	1 year	HTTP	Meta (Facebook)
xs	Is needed to store a unique session ID (marketing/tracking).	1 year	HTTP	Meta (Facebook)
wd	Is needed to log the screen resolution.	1 week	HTTP	Meta (Facebook)
fr	Is needed to serve ads and measure and improve their relevance.	3 months	HTTP	Meta (Facebook)
act	Is needed to store logged in users (marketing/tracking).	90 days	HTTP	Meta (Facebook)
_fbp	Is needed to store and track visits to various websites (marketing/tracking).	3 months	HTTP	Meta (Facebook)
datr	Is needed to identify the browser for security and website integrity purposes, including account recovery and identification of potentially compromised accounts.	2 years	HTTP	Meta (Facebook)
dpr	Is used for analysis purposes. Technical parameters are logged (e.g. aspect ratio and dimensions of the screen) so that Facebook apps can be displayed correctly.	1 week	HTTP	Meta (Facebook)
sb	Is needed to store browser details and security information of the Facebook account.	2 years	HTTP	Meta (Facebook)
dbln	Is needed to store browser details and security information of the Facebook account.	2 years	HTTP	Meta (Facebook)
spin	Is needed for promotional purposes and social campaign reporting.	session	HTTP	Meta (Facebook)
presence	Contains the "chat" status of logged in users.	1 month	HTTP	Meta (Facebook)
cppo	Is needed for statistical purposes.	90 days	HTTP	Meta (Facebook)
locale	Is needed to save the language settings.	session	HTTP	Meta (Facebook)
pl	Required for Facebook Pixel.	2 years	HTTP	Meta (Facebook)
lu	Required for Facebook Pixel.	2 years	HTTP	Meta (Facebook)
c_user	Required for Facebook Pixel.	3 months	HTTP	Meta (Facebook)
bcookie	Is needed to store browser data (marketing/tracking).	2 years	HTTP	LinkedIn
li_oatml	Is needed to identify LinkedIn members outside of LinkedIn for advertising and analytics purposes.	1 month	HTTP	LinkedIn
BizographicsOptOut	Is needed to save privacy settings.	10 years	HTTP	LinkedIn
li_sugr	Is needed to store browser data (marketing/tracking).	3 months	HTTP	LinkedIn
UserMatchHistory	Is needed to provide advertising or retargeting (marketing/tracking).	30 days	HTTP	LinkedIn
linkedin_oauth_	Is needed to provide cross-page functionality.	session	HTTP	LinkedIn
lidc	Is needed to store performed actions on the website (marketing/tracking).	1 day	HTTP	LinkedIn
bscookie	Is needed to store performed actions on the website (marketing/tracking).	2 years	HTTP	LinkedIn
X-LI-IDC	Is needed to provide cross-page functionality (marketing/tracking).	session	HTTP	LinkedIn
AnalyticsSyncHistory	Stores the time when the user was synchronized with the "lms_analytics" cookie.	30 days	HTTP	LinkedIn
lms_ads	Is needed to identify LinkedIn members outside of LinkedIn.	30 days	HTTP	LinkedIn
lms_analytics	Is needed to identify LinkedIn members for analytics purposes.	30 days	HTTP	LinkedIn
li_fat_id	Required for indirect member identification used for conversion tracking, retargeting and analytics.	30 days	HTTP	LinkedIn
U	Is needed to identify the browser.	3 months	HTTP	LinkedIn
_guid	Is needed to identify a LinkedIn member for advertising via Google Ads.	90 days	HTTP	LinkedIn

News

Information Security...