8 February 2016

DIKU student wins new Cyber Security award


Hauke Jan Lübbers has crafted the idea that will make internet browsers warn you when you visit a website infected with malware. The idea made him the winner of the new DANSK IT Cyber Security award that aims at making young people interested in the field and create innovative ideas that make a difference.

Presentation of the Cyber Security award

The award was presented at the DANSK IT it-security conference on 3 February 2016. Aside from the honour Hauke Jan Lübbers was also awarded 25.000 DKK sponsored by the audit and advisory firm KPMG.

- Hauke’s idea adresses a more and more widespread problem; IT criminals exploit the fact that it’s more or less impossible to detect if a website you visit is infected with malware and thereby makes you a target board for IT criminals, says Lars Ramkilde Knudsen, chairman of the DANSK IT selection board and professor at DTU, in a press release from DANSK IT.

With Hauke’s idea the HTML standard will be extended so that the browser can control the integrity and authenticity of the code. Visitors will be warned when they attempt to visit the website, for instance by a warning triangle.

The idea comes from a bachelor project - just further developed

The work on the idea already began during Hauke Jan Lübbers’ bachelor at the Cooperative State University Baden-Württemberg in Stuttgart, where he wrote a Firefox add-on to identify and block cross-site-scripting (XSS) attacks on the client-side. But it was not possible to automatically categorize benign and malicious code reliably.

When he saw that DANSK IT was seeking Denmark’s best idea for Cyber Security he had an opportunity to proceed working on the idea. He chose to tackle the problem from another side by providing more information from the server-side to differentiate between good and malicious JavaScript:

- My proposal adds an attribute to each JavaScript that enables the browser to check the integrity of the script while also making sure that it was not infected by a third person, says Hauke Jan Lübbers and concludes:

- Of course, there is no absolute security and there are some cases in which the attacker still could execute JavaScript if the web developer made certain grave mistakes - but the effects of a lot of very common mistakes would be mitigated.

Read more about Hauke Jan Lübbers’ idea in the links in the right column (in Danish).