
Event

Praktikum Security, Usability and Society (Master) [SS242512555]

Type
internship (P)
Online
Term
SS 2024
SWS
3
Language
Deutsch/Englisch
Appointments
0

Lecturers

Organisation

  • KIT-Fakultät für Informatik

Part of

Note

The Praktikum Security, Usability and Society covers topics from both usable security and privacy programming and from conducting user studies. To reserve a place, please register on the WiWi portal and send an email with your chosen topic, plus a back-up one, to mattia.mossano@kit.edu . Topics are assigned first-come-first-served until all of them are filled. Topics in italics have already been assigned.


Application deadline: 12.04.2024
Assignment: 15.04.2024
Confirmation deadline: 19.04.2024


Important dates:

Kick-off: 17.04.2024, 09:00 AM CET in Big Blue Button (link)

Report & code feedback deadline: 26.07.2024, 23:59 CET
Feedback on report & code: 16.08.2024, 23:59 CET
Final report + code deadline: 01.09.2024, 23:59 CET

Presentation draft deadline: 06.09.2024, 23:59 CET
Feedback on presentation draft: 13.09.2024, 23:59 CET
Final presentation deadline: 17.09.2024, 23:59 CET

Presentation day: 18.09.2024, 09:00 CET


Topics:


Privacy Friendly Apps

In this area, students complete an app (or an extension of an app) from our Privacy-Friendly Apps. Please follow this link to learn more about them: https://secuso.aifb.kit.edu/english/105.php . Students are provided with a list of goals with points, containing both basic features that are mandatory to pass the course and more advanced ones that raise the final grade.

Title: NoPhish App
Number of students: 2 Ba/Ma
Description: The NoPhish app was one of the first measures derived from the NoPhish concept. The app has existed for a long time and has not been updated since its release. Accordingly, the task of the project is to make the app work on the current Android version. The app is also to be restructured so that updates, e.g. new chapters, can be added easily.


Programming Usable Security Intervention

In this area, students implement a piece of code, a browser extension, or another programming task around one of our usable security interventions, e.g. TORPEDO ( https://secuso.aifb.kit.edu/english/TORPEDO.php ) or PassSec+ ( https://secuso.aifb.kit.edu/english/PassSecPlus.php ). As before, students are provided with a list of goals with points, containing both basic features that are mandatory to pass the course and more advanced ones that raise the final grade.

Title: Hacking TORPEDO
Number of students: 1-2 Ba/Ma
Description: TORPEDO has existed for many years, both as a Thunderbird add-on and as a web extension. TORPEDO is intended to help address various forms of phishing attacks and thereby protect the user, e.g. against manipulations of the domain or misleading tooltips. However, no attacks that specifically target TORPEDO have been identified so far. The aim of the work is to subject TORPEDO to a stress test and to develop attacks that specifically target TORPEDO's implementation.

Title: Making e-mails more visible by embedding moving images
Number of students: 1 Ma
Description: In case of a security incident, it is necessary to inform the affected persons about their vulnerabilities as soon as possible. Within the INSPECTION project, we are currently informing website owners via e-mail about security-related vulnerabilities on their websites. Although e-mails have been shown to be the most cost-efficient means of delivering such information, they have not led to an appropriate remediation rate. While speaking to the affected website owners, we learned that they would appreciate more information, but not delivered as more text in the e-mail. We also learned that most e-mails were not read because they were considered spam. Thus, we need to find a way to make e-mail notifications more effective in raising people's awareness. Videos have proven effective in raising awareness in the context of IT security. The goal of the project is to explore ways to embed videos in an e-mail via HTML (either as GIFs or as a preview of a YouTube video). The challenge is to make this e-mail readable across different mail clients and webmail, and to get it delivered through spam filters.
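One way to lay out such a notification so that it still reads in clients that block HTML or remote images, as an added example for this topic (it is not INSPECTION project code). It uses Python's standard email library only; the sender, recipient, video URL and the tiny GIF stand-in are placeholders, and the layout choice (plain-text alternative plus an inline preview image by Content-ID, both linking to the full video) is the author's assumption about a client-friendly structure, not a deliverability guarantee.

```python
"""Notification e-mail with a motion preview in the HTML part.

Added example, not INSPECTION project code. All addresses, the video URL and
the GIF bytes are placeholders.
"""
from email.message import EmailMessage
from email.utils import make_msgid

# Constructed stand-in for the real animated preview: a valid 1x1 GIF89a.
PREVIEW_GIF = (
    b"GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff"
    b"!\xf9\x04\x01\x00\x00\x00\x00,\x00\x00\x00\x00\x01\x00\x01\x00\x00"
    b"\x02\x02D\x01\x00;"
)


def build_notification(sender, recipient, video_url, gif_bytes=PREVIEW_GIF):
    """multipart/alternative: text/plain + (multipart/related: text/html + image/gif)."""
    msg = EmailMessage()
    msg["Subject"] = "Security issue on your website"
    msg["From"] = sender
    msg["To"] = recipient
    # 1. Plain-text part: text-only clients, screen readers and content filters
    #    see this first, so it must carry the whole message on its own.
    msg.set_content(
        "We found a security issue on your website.\n"
        f"A short video explains what to do: {video_url}\n"
    )
    # 2. HTML alternative: the preview GIF is referenced by Content-ID, so it
    #    travels inside the mail (no remote fetch) and links to the full video;
    #    the alt text and the visible URL are the fallback if images are off.
    cid = make_msgid(domain="example.invalid")  # placeholder domain
    msg.add_alternative(
        "<html><body>"
        "<p>We found a security issue on your website.</p>"
        f'<a href="{video_url}"><img src="cid:{cid[1:-1]}" width="480" '
        'alt="Watch: how to fix the issue (video)"></a>'
        f'<p>If the preview does not load: <a href="{video_url}">{video_url}</a></p>'
        "</body></html>",
        subtype="html",
    )
    # add_related() turns the html part into multipart/related with the image.
    msg.get_payload()[1].add_related(gif_bytes, maintype="image", subtype="gif", cid=cid)
    return msg


def part_types(msg):
    """Content types of the MIME tree, for checking the layout before sending."""
    return [p.get_content_type() for p in msg.walk()]


if __name__ == "__main__":
    m = build_notification("notify@example.invalid", "owner@example.invalid",
                           "https://video.example/abc")
    print(part_types(m))
    print(m.as_string()[:600])
```

Checking `part_types()` before sending is the cheap test that the text fallback really exists; whether a given webmail renders the animation or shows the first frame still has to be verified per client.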


Designing Security User studies

These topics are related to how to set up and conduct user studies of various types. Online studies, interviews and lab studies are possible. At the end of the semester, the students present a report / paper and a talk in which they present their methodologies and the results of small pre-studies.

Title: Usability of Password Managers in Virtual Reality
Number of students: 2 Ma
Description: The predominant form of authentication in Virtual Reality (VR) is passwords. Passwords create a burden for users in the VR environment because of special input methods and the virtual keyboard [Stephenson, S. et al. (2022). SoK: Authentication in Augmented and Virtual Reality]. Password Managers (PMs) can support users in handling this problem [Mayer, P. et al. (2022). Why Users (Don't) Use Password Managers at a Large Educational Institution]. They offer auto-filling features, store credentials in an overview, or generate complex and secure passwords. Especially in the VR context, where typing a password is slow and cumbersome, PMs can be beneficial. We want to explore the different PMs in VR and test their usability to find challenges and possible solutions.


Run Usable Security Studies and Results Analysis

These topics are related to running user studies and analysing their results. Online studies, interviews and lab studies are all possible, depending on the topic. At the end of the semester, the students present a report / paper with the analyses conducted and a talk in which they present the results.


Title: Visualization of Eye Gaze Patterns during Authentication Tasks
Number of students: 1 Ba/Ma
Description: In this project, students will analyze and visualize eye gaze data collected during two specific authentication tasks: the Dot Task and the Slider Task. The primary objective is to represent subjects' eye movements visually, improving the understanding of gaze patterns during the authentication process. *Dot Task Visualization:* For the Dot Task, participants were instructed to focus on a sequence of dots displayed on a screen. The dataset includes the positions of these dots and the corresponding gaze locations of the subjects. The student's task is to create a dynamic visualization that not only represents these positions accurately but also illustrates the sequence in which the subjects focused on the dots. *Slider Task Visualization:* The Slider Task presented participants with a series of images; both the images' locations on the screen and the subjects' gaze locations were recorded. The challenge is to develop a heatmap visualization based on this data, showing the concentration and dispersion of gaze points across the different images.
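The two analyses behind those visualizations (which dot was fixated in which order, and how gaze density spreads over the screen and over the image rectangles), as an added example for this topic; it is not the course's or the lab's analysis code. The screen size, dot positions, image rectangles and eight gaze samples are constructed, and the 40 px fixation radius, the 200 px heatmap cell and the half-open rectangle convention are assumptions that the real dataset's coordinate system and sampling rate would replace.

```python
"""Gaze-sequence and gaze-density analysis for the Dot and Slider Tasks.

Added example, not course code. All data below is constructed.
"""
import math

SCREEN_W, SCREEN_H = 800, 600
DOTS = [(100, 100), (400, 300), (700, 500)]  # Dot Task targets, in presentation order
IMAGES = {"img_A": (50, 50, 250, 250), "img_B": (350, 250, 550, 450)}  # (x0, y0, x1, y1)
GAZE = [  # (t, x, y): dot 0, a transit sample, dot 1, back to dot 0, dot 2
    (0, 102, 98), (1, 99, 104), (2, 250, 200),
    (3, 398, 303), (4, 405, 297), (5, 101, 99),
    (6, 702, 498), (7, 695, 503),
]


def nearest_dot(x, y, dots=DOTS, radius=40):
    """Index of the dot a sample lies on, or None if no dot is within `radius` px."""
    best = min(range(len(dots)), key=lambda i: math.dist((x, y), dots[i]))
    return best if math.dist((x, y), dots[best]) <= radius else None


def fixation_sequence(gaze=GAZE, dots=DOTS, radius=40):
    """Order in which the dots were fixated. Consecutive samples on the same dot
    collapse to one entry; samples on no dot (saccades, blinks) are dropped.
    Compare with list(range(len(dots))) to see if the presented order was followed."""
    seq = []
    for _, x, y in sorted(gaze):  # sorted by timestamp
        i = nearest_dot(x, y, dots, radius)
        if i is not None and (not seq or seq[-1] != i):
            seq.append(i)
    return seq


def heatmap(gaze=GAZE, cell=200, width=SCREEN_W, height=SCREEN_H):
    """Gaze density on a grid of `cell` px squares; grid[row][col] = sample count."""
    rows, cols = math.ceil(height / cell), math.ceil(width / cell)
    grid = [[0] * cols for _ in range(rows)]
    for _, x, y in gaze:
        if 0 <= x < width and 0 <= y < height:  # off-screen samples are ignored
            grid[int(y // cell)][int(x // cell)] += 1
    return grid


def gaze_share(gaze=GAZE, images=IMAGES):
    """Fraction of samples inside each image rectangle (half-open), plus 'outside'."""
    counts = {name: 0 for name in images}
    counts["outside"] = 0
    for _, x, y in gaze:
        for name, (x0, y0, x1, y1) in images.items():
            if x0 <= x < x1 and y0 <= y < y1:
                counts[name] += 1
                break
        else:
            counts["outside"] += 1
    return {name: n / len(gaze) for name, n in counts.items()}


def render(grid):
    """ASCII rendering of a heatmap, densest cell darkest (a stand-in for a plot)."""
    shades = " .:-=+*#%@"
    peak = max(max(row) for row in grid) or 1
    return "\n".join("".join(shades[round(9 * v / peak)] for v in row) for row in grid)


if __name__ == "__main__":
    print("fixation order:", fixation_sequence())
    print("presented order:", list(range(len(DOTS))))
    print(render(heatmap()))
    print(gaze_share())
```

The radius and the collapse rule are what turn raw samples into a sequence; a too-small radius drops real fixations, a too-large one merges neighbouring dots, so both should be chosen against the tracker's accuracy and the dot spacing of the actual stimulus.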

Title: How do website owners become aware that their website was hacked?
Number of students: 1 Ma
Description: We identified website owners whose websites were affected by a hack and sent them a notification. During the notification process, we also identified several websites whose owners had seemingly remediated the hack before our notification. We now want to find out how those website owners became aware of the hack. If they were notified by a third party, we would also like to know how and by whom they were notified and how they felt about the notification. To answer these questions, a survey was designed and pre-tested with a sample of website owners. The study was run as an online survey using SosciSurvey. The aim of this lab topic is to improve the survey based on the findings of the pre-study (https://publikationen.bibliothek.kit.edu/1000160718) and to send out invitations to the survey to around 100 website owners.

Title: Phishing through homographic attacks in messengers and social networks
Number of students: 1-2 Ba/Ma
Description: The task will be to test, in messengers and social networks, three types of attacks that work in some email clients. The first is the link mismatch attack, where the link text differs from the actual link target. The second is an attack in which the actual link target is disguised by URL encoding [https://en.wikipedia.org/wiki/URL_encoding]. The third is the homographic attack, which uses Internationalized Domain Names [https://en.wikipedia.org/wiki/IDN_homograph_attack]: Latin characters in the domain name are replaced by look-alike characters from a different alphabet. The attacks are predefined, so no knowledge of phishing techniques is required.
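What a client would have to look at to warn about each of the three link forms, as an added example for this topic (not course code and not the predefined attack set). The sample anchors are constructed on reserved example hosts, and the three rules (visible host vs. decoded target host, percent escapes in the target, non-ASCII or punycoded labels in the host) are the author's assumptions about a minimal check, not a description of any client's behaviour; `ascii_form` uses Python's built-in IDNA codec to show what the client would actually resolve.

```python
"""Flag link mismatch, URL-encoded targets and IDN homographs in HTML anchors.

Added example, not course code. Samples are constructed; the rules are assumptions.
"""
from html.parser import HTMLParser
from urllib.parse import unquote, urlsplit


class _Anchors(HTMLParser):
    """Collect (href, visible text) pairs from an HTML snippet."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url):
    """Lower-cased host of a URL; bare 'bank.example' text is treated as a host too."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower()


def ascii_form(host):
    """What the client resolves: the IDNA (punycode, xn--) form of the host."""
    try:
        return host.encode("idna").decode("ascii")
    except UnicodeError:
        return host


def check_link(href, text):
    """Set of disguise patterns found in one anchor (empty set = nothing flagged)."""
    findings = set()
    # 1. Link mismatch: the visible text names a host other than the *decoded* target.
    if "." in text and " " not in text and _host(text) != _host(unquote(href)):
        findings.add("mismatch")
    # 2. URL encoding: percent escapes make the target read differently from
    #    what the client will actually open (e.g. %62ank.example -> bank.example).
    if "%" in href and unquote(href) != href:
        findings.add("url-encoding")
    # 3. Homograph: non-ASCII characters in the host, or a label already in punycode.
    host = _host(href)
    if any(ord(c) > 127 for c in host) or any(l.startswith("xn--") for l in host.split(".")):
        findings.add("homograph")
    return findings


def scan_html(snippet):
    """Run check_link over every anchor in a snippet; returns {href: findings}."""
    parser = _Anchors()
    parser.feed(snippet)
    return {href: check_link(href, text) for href, text in parser.links}


# Constructed samples, one per attack class; the homograph uses Cyrillic 'а' (U+0430),
# so text and target agree yet the host is not the Latin 'apple.example'.
SAMPLES = {
    "mismatch": '<a href="http://attacker.example/login">https://bank.example/login</a>',
    "url-encoding": '<a href="http://%62ank.example/login">bank.example</a>',
    "homograph": '<a href="https://\u0430pple.example/">https://\u0430pple.example/</a>',
    "benign": '<a href="https://bank.example/login">https://bank.example/login</a>',
}

if __name__ == "__main__":
    for name, html in SAMPLES.items():
        for href, findings in scan_html(html).items():
            print(f"{name:13s} {ascii_form(_host(href)):30s} -> {sorted(findings) or 'ok'}")
```

Note that the homograph sample passes the mismatch rule on purpose: text and target are identical, which is exactly why a client needs the IDNA check (or a mixed-script check) in addition to comparing text with target.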

Title: Usability Study of Mobile Authentication for Elderly Users with Rheumatoid Arthritis (English only)
Number of students: 1 Ba/Ma
Description: Authentication is an ever-important topic, especially in the mobile context, and it becomes even more relevant once accessibility is considered. Nowadays, a common authentication method is the PIN. Yet, given the reduced hand mobility of users affected by rheumatoid arthritis, using PINs can be difficult. In this topic, the student will conduct several sessions of an already designed lab study with various participants wearing arthritis simulation gloves, to evaluate three PIN-pad interfaces aimed at making authentication more accessible. The study will also investigate users' preferences regarding PIN-pad interfaces through drawings and proposed changes. The student will then analyse the results using inferential statistics. Depending on the quality of the outcome, the results will be published in a paper and the student will be added to the author list.


This event counts towards the KASTEL certificate. Further information on how to obtain the certificate can be found on the SECUSO website (https://secuso.aifb.kit.edu/Studium_und_Lehre.php) .