IT & Mobile Security

Specifics of the Android operating system regarding security (e.g. SE-Linux, app isolation, inter-process communication) for mobile applications are discussed. Secure programming in the programming language Kotlin (Idiomatic Kotlin, Concurrency Patterns) is the basis for Android applications that incorporate data from web services, sensors and actuators. Understanding of risks, attacks and malware for Android applications is necessary in order to carry out reverse engineering or attacks independently. Finally, applications can be secured against attacks (hardening).

A central and critical aspect of computer security is software problems. Software security deals with the identification and active handling of security risks. Software security starts with good software engineering practices and includes the consideration of security aspects at every stage of the software development cycle. At a glance, this concerns the "Secure Software Development Lifecycle", "Secure Coding and Design Principles" and code analysis

The following topics are covered within the lecture: Number Theory, Review linear algebra, Galois Fields in a Nutshell, Asymetric primitives (RSA, Diffie-Hellman), Hashes, Symmetric Primitives (DES/AES/etc.), Key Exchange Protocols, Authentication Protocols, Zero-Knowledge Protocols, Public Key Infrastructure

Definition and characteristics of cloud computing, service and delivery models, practical experience with IaaS, PaaS and FaaS systems and serverless computing.

Fundamentals, architectures and functional principles of modern operating systems: System Call Interfaces, Device Management, Process and Resource Management, Memory Management, File Management.C as a system programming language and introduction to kernel development.

The course focuses on the security of layers 1-4 of the standardized OSI model (Open Systems Interconnection Model) and focuses in particular on attack possibilities and the corresponding defense strategies. At the beginning, this involves a repetition of the basic mechanisms in computer networks such as addressing, address resolution, routing and packet filtering. Further course contents: Physical Security, Layer-2 Security, VoIP Security, Wireless Security, Firewalls, 802.1X, Spoofing, Denial of Service attacks, their defense and tracing. Another part of the course is the development of current security topics from network technology in small groups, their practical structure in the laboratory and the presentation of the results.

Project management approaches; phases in project management; overview of agile project management; leadership of project teams; use of relevant project management tools and methods; basics, methods and techniques in change management; phases of change; overview of organisational development; attitude issues in organisational development; intervention techniques; dealing with conflicts.

The course provides a basic overview of the topics of the degree program. Topics: Motivation of attackers, attack methods, information gathering, exploitation of weaknesses in software, WiFI security, security tools

The basics include the special architecture of iOS with specifics such as crypto hardware for secure boot. Building on concepts of app isolation, sandboxing, and inter-process communication. Creation of secure software with the programming language Swift (e.g. Concurrency Patterns) is the basis for the creation of iOS applications. The typical user-interaction design paradigms and the use of corresponding system and cloud APIs enable the implementation of SwiftUI apps using actuators and sensors. In addition to a good user experience, accessibility is also guaranteed.

Once the basics of secure software and its principles have been understood, this course is dedicated to the integration of security into software designs and architectures ("DevOps Lifecy"). The course begins with "Architectural and Security Patterns", followed by "Service Oriented Architectures" and secure communication. An obligatory follow-up topic is "Access Control" (Authentication, Authorization) and session magamenent. Finally, "Continuouse Integration and Deployment" (CI/CD) accompanied by "Error Handling and Testing" round off the course.

The following topics are covered within the lecture: Application in example Internet Protocols (IPSec, SSL, TLS, SSH), Random Number Generators, Cryptographic Libraries & APIs for mobile Platform, Correct usage of cryptographic primitives in mobile solutions, Challenge/Response techniques, One Time Passwords, Elliptic Curves, Anonymity + Unlinkability. Additionally an introduction and overview of Quantum-Cryptography is provided.

Application scenarios for AI/ML in security-relevant practical issues are explained using concrete examples. The most important methods used, such as artificial neural networks and tree-based methods, are developed hands-on with the students so that the students themselves are able to handle similar application scenarios using AI/ML.

The course expands the basic knowledge in network security to include security for mobile devices and mobile infrastructures. Topics of the course are WLAN, WiMax, Bluetooth, NFC, etc. An introduction to mobile networks such as GSM, UMTS, LTE is followed by SSL, SSH and VPN technologies as the basis for a secure connection of distributed networks. VPN includes basics, authentication, implementation in OSI layers 2, 3, and 4. Furthermore, the course offers in-depth and core topics such as IPSec, "KeyManagement", encryption, performance, availability, DDOS remedy, "Network Monitoring", NIDS, algorithms for pattern recognition, "Honeypots/nets" and "Intrusion Prevention and Detection Systems".

In the first part, typical attack patterns are analyzed and simulated in a laboratory environment. The focus is on the exploitation of programming errors and other typical weaknesses of software products (buffer overflows, SW exploitation, exploit development), mechanisms of operating systems to prevent exploits (ASLR, stack cookies, SafeSEH, DEP,..), reverse engineering. Another focus is the treatment of typical vulnerabilities and attack patterns of WEB applications and their avoidance. The course also focuses on the analysis of attack paths and protection mechanisms in Windows domain networks as well as Linux server environments. The third part of the course deals with the structured analysis of security problems and the procedure for penetration tests.

This course covers all important aspects of database security (DB Authentication, Application & Password Security, DB Authorization, Granular Access Control, DB2DB Communication, DB Encryption, DB Auditing). Storage and database systems in the field of big data are also examined on the basis of practical scenarios. In particular, however, the security aspects of these technologies as well as related best practices are discussed.

Overview of current data protection law with focus on the EU General Data Protection Regulation (principles, obligations), processing directory, information obligations, data security, data subject rights, transfer to third countries, etc.

Once the principles of secure software and services have been understood, this exercise consolidates knowledge with concrete implementation of web applications including infrastructure with backend.

In the course, complex attack scenarios of hackers are analyzed and simulated in a laboratory environment. The focus here is on the detection, analysis and design of defense methods against extensive, complex attack patterns. Topics: Malware analysis Code Analysis Reverse engineering Firmware Analysis Exploitation of race conditions Circumvention of protection mechanisms of the operating system: Bypass methods for ASLR, DEP, SafeSEH, SEHOP e.g. by ROP (Return Oriented Programming), Partial Overwriting of Memory Contents, HeapSpraying, etc. Circumvention of anti-virus protection mechanisms Attacks on cryptographic methods, secure/insecure methods Attacks on industrial control systems and their defense Attacks on WIndows Domain networks and their defense

Basic security principles of operating systems. Mandatory versus discretionary access control, security enhancements

The course is designed to provide students with hands-on experience in identifying, analyzing, and mitigating security risks and vulnerabilities in IT systems and mobile applications. The course focuses on hands-on project work that enables students to apply their knowledge and skills to real-world scenarios and develop effective security solutions.

This course teaches students about the basic principles of scientific work in the field of applied computer science. The course is intended to provide a well-founded introduction to the criteria of scientificness by focusing on the research area to be worked on. The course focuses on the following aspects: scientific writing style and basic principles of argumentation; Clear and concise academic writing skills in English; Formal design of scientific papers; Presentation of the research design, research questions and their formulations, topic search and limitation; Strategies of material procurement.

The students receive an overview of modern manifestations of computer crime on the basis of the Austrian Criminal Code, as well as any European norms that have to do with cybercrime in the broader sense. The criminal offences are explained and their context to everyday professional life is established on the basis of practical examples.

The aim of the lecture is to be able to represent and apply the following topics: Secure Systems Design, Attacks on embedded systems, Architectures integrated versus discrete secure systems, Trusted Execution Environments, Security Measures such as Trusted Boot, Secure Updates, Physical Uncloneable Functions, SW binding. Generation of random numbers, crypto accelerators, countermeasures in HW and SW, certification, ISO 7816

The aim of the lecture is to use different methods for the assessment of security in embedded systems. In particular, attack methods such as side channel analyses and fault analyses are considered. This is also taught practically in the exercise. Furthermore, security countermeasures and their implementation in SOCs will be discussed

Directory services and central authentication, monitoring of the IT infrastructure, Internet Protocol security (IPSec), central logging

Commission examination on selected subjects of the degree programme with cross-links to the Master's thesis. The board examination is carried out in accordance with the requirements for final examinations of FH Master‘s degree programmes pursuant to FHG as amended.

Students work independently on a research topic and write their Master's thesis. They are expected to use scientific research methods and demonstrate a high level of expertise in the respective field.

This course aims to demystify the writing process and teach the basics of effective scientific writing. Classes focus primarily on the process of writing. The course is presented in two parts: part (1) teaches students how to write effectively, concisely and clearly, and part (2) guides them through the preparation of their actual master's thesis.

The increasing digitalisation of our (private, public, professional) spheres of action as well as the current progress in the field of artificial intelligence underline the importance of a socially desirable design of technologies and their contexts of application. The course offers an introduction to two central approaches to the analysis of technologies, of acting with (digital) technology and of technology-related conflicts and problems: The participants will be introduced to the basics of applied ethics and its development in specific field ethics (e.g. technology ethics, information ethics, business ethics) as well as to the perspectives of technology assessment (TA). In addition to systematic approaches to ethics and TA (and related approaches to "Science, Technology & Society" or "Responsible Research & Innovation"), the topic is developed through the discussion of case studies, group work and the presentation of exemplary studies.

The course deals with management systems for secure IT operations. Information Security Management Systems (ISMS) and Business Continuity Management Systems (BCM) are the core topics. Students gain an insight into the design, implementation, operation and ongoing development of the systems. Another focus is the establishment and operation of a SOC (Security Operation Center) and methods of incident response. Topics such as risk assessments and risk management as well as compliance requirements and the preparation of companies for ISO 27001 certification round off the topic.

Development of basic apps using the functionality of mobile frameworks. Furthermore advanced knowledge of interaction concepts, navigation patterns, touch and guestures as well as sensors and location based services. All aspects are treated with special focus on security.

The lecture gives a basic overview of the topics of the degree programme. Topics: Motivation of hackers, Attack vectors, Information gathering, Software Exploitation, Wireless Security, Security Tools

Software problems are a central critical aspect of computer security. Software security deals with active management of security risks. It starts with good software engineering practices and includes security aspects in each phase of software development. Students should get to know the fundamental principles of the development of secure software systems: – Secure Software Development Lifecycle – Reverse Engineering – Secure Coding Encapsulation Data Validation Representation Input Validation Output Encoding Error Handling & Logging Security Features Concurrency – Static Code Analysis

The following topics are covered within the lecture: Number Theory, Review linear algebra, Galois Fields in a Nutshell, Asymetric primitives (RSA, Diffie-Hellman), Formal Cryptosystems, Checksums, Hashes, Symmetric Primitives (DES/AES/etc.), Key Exchange Protocols, Authentication Protocols, Zero-Knowledge Protocols, Attacks & Defences, PKI – Concept

Definition and characteristics of cloud computing, service and deployment models, hands-on experience with IaaS and PaaS systems

Operating system basics, architectures and functional principles; special focus on operating systems in mobile systems and the specific requirements in this field, Introduction to C as a systems programming language and it's application; Virtualization principles

Platform specific app development for iOS. Knowledge of Prototyping, Storyboards, Application Architecture, iOS Design patterns. Paradigms of Swift programming. Selected frameworks to use sensors, actuators watch or cloud services.

The course covers layer 1-4 of the OSI-model (Open Systems Interconnection Model) as the main topic. The focus is placed on attack vectors against computer networks and their countermeasures and mitigation strategies. In the first part of the course, the basic mechanisms (Addressing, address resolution, routing and packet filtering) of computer networks are repeated to create a common basis. Topics: Physical Security, Layer-2 Security, VoIP-Security, WiFi Security, 802.1x, Spoofing, Denial of service attacks, trace back mechanisms and countermeasures. Another part of the course is to work in small groups on a current topic of network security, build a practical szenario in the lab and present the results in form of a group presentation.

System near apps using the competences acquired in "Mobile Operating Systems" (C-Programming). Mobile Platform Native app development for several mobile operating systems (iOS, WP8, …) including their special approaches and differences are covered.

Security is a very important topic for distributed software systems. In this lecture, different practices for the design of secure web applications are introduced. – Architectural Risk Analysis Secure Design Principles Threat Modeling – Secure Web Applications Web Application Architecture & Risk Analysis HTTP / HTTPS Protocol Client-Side Controls Access Control Authentication Session Management Authorization Data Stores XSS Prevention CSRF Prevention

Development of HTML5 web apps for different platforms (Web, Android, iOS). Selected HTML5 APIs are discussed, for example, to use local storage, sensors, gps for location based services or web sockets for real time web application. Furthermore, social media integration will be covered.

The following topics are covered within the lecture: Application in example Internet Protocols (IPSec, SSL, TLS, SSH), Random Number Generators, Cryptographic Libraries & APIs for mobile Platform, Correct usage of cryptographic primitives in mobile solutions, Challenge/Response techniques, One Time Passwords, Elliptic Curves, Anonymity + Unlinkability, selected advanced topics

This course covers all important aspects of Database Security (DB-Authentication, Applicaton & Password-Security, DB-Authorization, Granular Access Control, DB2DB Communication, DB-Encryption, DB Auditing). It also provides a thorough introduction to the subject of data quality by studying definitions of data quality, methods of measurement and assurance of data quality (e.g., metrics & constraints) and DB refactoring.

This course expands the basic knowledge of network security to get an insight into security for mobile devices and mobile infrastructures. The main topics of the course are Wireless LAN, WiMax, Bluetooth, NFC, etc. After an introduction to mobile networks such as GSM, UMTS, LTE follows SSL, SSH and VPN-technologies as the basis for a secure connection within distributed networks.  The topic VPN includes the basics, authentication and the implementation in the OSI layers 2, 3, and 4. In addition, the course discusses core topics such as IPSec, "KeyManagement", opportunistic encryption, performance, availability, DDOS-solution, " network monitoring ", NIDS, algorithms for pattern recognition, "honeypots/ -nets" as well as "Intrusion Prevention and Detection Systems". An outlook on "Next Generation Networks" like Sensornets and "Smart Grids" etc. concludes the course at hand.

Selected aspects of mobile development like cross-plattform code generation are presented in this lecture.

The course covers the topic of Penetration Testing (also known as white hat hacking oder ethical hacking). In the first part typical attack verctors are analyzed and simulated in a laboratory environment. The main focus is placed on the exploitation of programming errors and other typical weaknesses of software products (Buffer overflows, race conditions, logical errors). Students are aware of exploit development methods and exploit mitigation mechanisms of modern operating systems (ASLR, Stack cookies, SafeSEH, DEP,..). Another focus is to understand typical weaknesses and attack patterns of WEB applications and the mitigation steps to avoid them. The third part of the course covers the structured analysis of security problems and steps used in a Penetration test. (Analysis, preparation, exploitation, documentation, giving recommendations)

This course teaches students about the basic principles of scientific work in the field of applied computer sciences. It is an introduction into the fascinating field of research. The course shows the power of theory and literature, helps formulating intriguing research questions, provides an overview of scientific methods and data analysis, and gives hints on how to derive insightful conclusions out of results. Using this topic area, we will understand what it means to 'do science' and to develop skills such as how to do literature review, how to critically read and review written papers, hold oral presentations and posters.

The course offers an application-oriented study of Big Data data models, architectures and principles. Storage and database systems in the Big Data environment are tested using practice-oriented scenarios. In particular, the security aspects of these technologies, as well as related best practices, are discussed. Special care is taken to provide enough room for discussion of current technological developments in the area of ??Big Data.

Enterprise applications consist typically of different services manufactures in different programming languages, which operate on different platforms. Service oriented architectures and microservices are attempts to realize such huge heterogenous distributed systems. In this lecture, the following security relevant topics of web services are introduced – Web Service Architecture & Risk Analysis – Access Control Authentication Authorization – XML Attacks & Schema Validation – Message Encryption Published Identifiers Digital Signatures Encrypting Representations

The course covers advanced attack scenarios of experienced hackers. The attack vectors are analyzed and simulated in a lab environment. The main focus is on the detection, analysis and design of countermeasures. Topics: Malware analysis Code analysis Reverse engineering Firmware analysis Race conditions in software Bypass methods of exploit mitigation mechanisms like ASLR, SafeSEH, SEHOP, DEP by using advanced exploitation techniques like ROP (return oriented programming), Heap Spraying, partial overwrite of memory areas,.. Bypass anti virus protection Attacks against cryptographic systems, secure/unsecure algorithms and implementations Attacks against ICS systems and countermeasures

Basic, inherent security mechanisms of operating systems, especially those common in mobile environments. Security enhancements, specific high security operating systems, security certification of operating systems

Students are expected to independently carry out a medium sized project of average difficulty. The tasks of this project reflect most of the main objectives of the master program.

An introduction into quantum cryptography, its physical fundamentals and technical implementation as well as a comparison to standard cryptographic methods, revealing the benefits and drawbacks of quantum cryptography and its present state of development.

Introduction on Secure Elements • Key Parameters Secure Implementation and building blocks • Mobile Phone and Device security • CPUs • Memory technology • Secure Cryptographic Implementations • Random Number Generators • Physical uncloneable functions

Introduction on Embedded Secure Elements • Programming Interfaces • Secure System Integration * Attack Scenarios and Countermeasures • Differential Power Analysis and EMA Attacks • Light Attacks • Timing Analysis • Countermeasures in HW and SW • Setups for Analysis and Attacks * Common Criteria Certification • Definition • Development Process and Security Evaluation • Lifecycle

Directory services and single-sign-on, monitoring, high availability and scalability, Internet Protocol Security (IPsec)

The final examination on the master thesis.

Students work independently on a research topic and write their master thesis. They are expected to make use of scientific research methods and to demonstrate a high level of expertise in the particular field of their thesis.

This seminar aims at helping students to develop effective scientific writing skills (clear and effective academic writing; note-taking; paraphrasing; register) becasue not matter how professional a student/ researcher's background may be, often difficulties arise in conveying technical and academic content concisely in English. The objective of the course is to improve the participants' written expression in English: identifiyng and practicing common phrases and terms used in scientific writing, common errors' correction.

This course is designed to guide students through the process of writing their master thesis.

The course will cover management systems for secure IT operations. Information Security Management Systems (ISMS) and Business Continuity Management Systems (BCM) are the core topics. Students are given an insight into the conception, introduction, operation and ongoing improvement of the systems. Topics such as risk assessments and risk management as well as compliance requirements and the preparation of companies for an ISO 27001 certification round off the topic.