Administrivia: How to access ROOTS and DeepSec 2017

We have received some question on how to attend the presentations of the 1st Reversing and Offensive-oriented Trends Symposium (ROOTS) 2017. It’s very easy. ROOTS is co-hosted with DeepSec 2017. This means if you attend DeepSec, you also attend ROOTS. In turn attending ROOTS gives you also access to the DeepSec conference. So you only need one ticket to access both events.

Bear in mind that our sponsors can give you discount codes for buying tickets. In addition we have a special programme for academics to give you the academic discount for the tickets. Don’t forget: Buying early means saving money! The early bird tariff is still valid until 25 September 2017. After that the ticket price increases. Do us and yourself a favour and book as early as possible. Thank you!

See you at ROOTS / DeepSec 2017!

Mythbusting: Anti-Virus Research considered dangerous

Everyone doing research in information security or doing any work in this field takes some risks. Since most of the „cyber stuff“ is black magic to others not working in this context, there are a lot of problems and severe misunderstandings. The Crypto Wars still haven’t been decided in favour of mathematics. Real people prefer end-to-end encryption over insecure communication all of the time. Proposals of severely damaging information security for all of us by using sanctioned malicious software are still being debated in parliaments. Backdoors, covert or otherwise, are no line of any defence, as many military strategists will readily tell you. Marcus Hutchins was in the news recently, because of claims that he developed a strand of malware tied to attacks on financial institutions. While you can debate all you want about the charges, this case has the potential to set a dangerous precedent for information security researchers. This is why we have translated the article titled Anti-Virus-Spezialisten werden von US-Justiz kriminalisiert written by Erich Möchel:

Anti-Virus Specialists criminalized by US Justice

Marcus Hutchins, who has put a stop to the “WannaCry” outbreak through a risky action, will be brought to court this week in Wisconsin. His “criminal offenses” are so incompetently formulated that according to the indictment every security investigator would have one foot in jail.

The arrest of British security expert Marcus Hutchins a week ago, including the charge of production and distribution of Trojan malicious software in the US, has triggered a real shock wave in the industry. The “offenses” listed in the indictment are formulated in such a way that “all security researchers of anti-virus companies have one foot in US prison” said Viennese security technician Michael Kafka to

Since then, “good” hackers (“white hats”) – mainly from Great Britain – have stopped to co-operate with government agencies. Because Hutchins case demonstrates, how a “white hat” can quickly get caught in the crossfire at a time when state actors and malware criminals (“black hats”) are less and less distinguishable. Hutchins (23) achieved world fame at the end of 2016, when he stopped the devastating outbreak of the “WannaCry” software single-handed in a risky action.

Criminals, Cops, Agents, Security Researchers

The arrest of Hutchins on his return from the security conference DefCon in Las Vegas a week ago is apparently due to the raid on the infamous illegal website AlphaBay, which disappeared a few weeks ago from the TOR network. The site was frequented mainly by criminals of all kinds, the rest of the audience consisted of covert investigators, agents of various secret services, and security researchers.

“That Whitehats are getting patterns of malicious software through such sites, and then testing them in lab environments, is simply part of their work. It is also important to share the findings with other security researchers and to discuss them in order to develop counter-measures. Especially Marcus was known to share his results very freely, and this accusation was apparently constructed from it“, says Michael Kafka.

A Trojan Video

Kafka has been interested in Hutchin’s work since 2013, he also met him during the 44CON security conference in the autumn of 2016 in London for a lengthy exchange of ideas.
In the indictment, Hutchins is accused ,among other things, of writing the Trojan “Kronos” in 2014 and producing an instructional video. Both claims are especially ridiculous because of the fact that instructional videos for malicious software are virtually never made by criminals, but always by their antagonists.

At the time between the middle of 2014 and the summer of 2015, to which the indictment refers for several similar “offences”, the then 20-year-old Hutchins has already been a new shooting star of the worldwide security scene. Hutchins’ work had contributed significantly to rendering the Botnet “Caberp”harmless – a Botnet attributed to notorious Russian criminals – and have it thoroughly analysed.

Expert shakes his Head in Disbelief

“No criminal would put the the results of analysis of malicious software up for public discussion”, Kafka said and shook his head in disbelief: “Criminals do the opposite. Public attention is ruinous for their business, which is based on undetected security gaps. And for this very reason there never has been the slightest suspicion that Marcus could work for the other side.” However, Hutchins openness could have caused his downfall, because one of the charges obviously refers to his work on so-called “rootkits”, malicious software for the camouflage of an espionage Trojan.

Apparently, unknowns used a few routines of his malicious software demonstration for their purposes, Hutchins himself publicly announced in an angry tweet in 2015. Such malware demos of security researchers are only isolated modules of a malicious software suite, the code of which is modified for demonstration purposes to explain its operating principle. From a technical point of view, this software is used to modify malicious software, which by itself can not be used to do anything bad.

The Charge in Wisconsin

Now this turned into a count of an indictment in the US state of Wisconsin, where another defendant resides, with which Hutchins had then communicated via AlphaBay. He is said to have offered a version of the lesser-known Trojan “Kronos” for sale, which contained modified elements of Hutchins code. Therefore, absurdly, Hutchins is now accused of being the author of the “Kronos” malware – which originates from the circle of Russian criminals – and of being involved in the sale. At the time, Hutchins was involved in the takedown of another large Botnet.

It’s rather likely that the enraged tweet mentioned above was directed at this unknown communication partner on AlphaBay, when Hutchins realized that his modified “hooking engine” had been built into malware by criminals. A “hooking engine” is a code for an entry point in an operating system to execute commands thereon. The possible applications for such an auxiliary software are numerous.

How “WannaCry” was stopped

The fact that Hutchins, in general, handled malware in a nonchalant way with a hands-on approach was shown in the case of “WannaCry”. On the day of the outbreak of the “WannaCry” worm, which paralysed in particular control computers for medical devices of British hospitals in series and brought logistics centres and production plants to a halt, Hutchins had quite quickly received a copy. When he first skimmed over the code, he found an Internet domain open in the code, which was not assigned and which, without further ado, he registered in his name.

“This was a very risky action. In the middle of such a malware explosion to be seen as the owner of a central element of this attack, is not everyone’s cup of tea,” says Kafka.

“The installation of the malicious software in an isolated network would have been the safe way to work out what the function of this domain was. But that would have taken several hours.”
By performing the same action in the wild, Hutchins, to his own amazement, had hit the “emergency stop switch” of the “WannaCry” software. The command-control servers, which directed the outbreak, regularly queried this domain. When it was suddenly no longer free, “WannaCry” stopped its own distribution.

„WannaCry“ & „Petya“, Courtesy NSA

“Such a ‘killswitch’ is a clear indicator of governmental malicious software, which usually also includes de-installation routines. To remove traces is paramount to state actors. For Criminals, on the other hand, this tends to be a minor matter” Kafka continued. The WannaCry worm (malicious software that replicates itself in order to spread to other computers is called a “worm”) came with an encrypted exploit for a capital Windows security gap, which captured computer in the infected net in a flash.”

NSA Malware hit the NATO Partners

The same or another military “cyber” group used NSA’s malicious software to shake the UKs healthcare system, pharmaceutical companies and logistics companies from Scandinavia (“WannaCry”), and then the energy supply of the Ukraine (“Petya”). It seems Hutchins has directly landed himself in a “cyber” skirmish between East and West. Therefore, other reasons than mere incompetence of US prosecutors, who can not even distinguish between black and white, might be involved in his arrest a week ago in Las Vegas.

Hutchins was released from prison in Las Vegas on Tuesday, but now he has to go to court in Wisconsin, where the unknown co-defendant, who made windy deals with small criminals over the allegedly so impenetrable “Darknet”,is imprisoned.

More on this Topic

DeepSec 2017 Preliminary Schedule published

After two weeks of intense reviewing we have published the preliminary schedule for DeepSec 2017. There are some blanks to fill, but this will be done in the coming weeks. We still have to do some reviews and wait for the speaker’s confirmation.

In case you noticed, the ROOTS track is not filled yet. The call for papers was extended to 26 August. This means the ROOTS schedule will be published at the end of September. We have to give the programme committee ample time to review all submissions. So if you want to present your research at ROOTS 2017, please ready your submission. Science first!

Decline of the Scientific Method: New (Austrian) “Trojan” Law without Technical Expertise

The Crypto Wars are still raging despite everyone relying on secure communication. Everyone means everyone. The good thing is that mathematics still works, even though some people wouldn’t want it to. The latest cryptographic review comes from Amber Rudd, the current UK Home Secretary. She said recently: “Real people often prefer ease of use and a multitude of features to perfect, unbreakable security.” The corollary in turn states that DeepSec conferences aren’t attended by real people. Since we are not yet a purely robot-based event, there is something wrong with this approach to secure communication. The common denominator is simply the lack of technical expertise. There is no surprise there. Ever since the Internet was discovered by the rest of the world (which was in the 1990s, don’t get fooled by web sites who claim to have invented the Internet), politics, government, and society struggles to keep up. This is exactly why we constantly emphasise that DeepSec tries to bring together the world’s most renowned security professionals from academics, government, industry, and the underground hacking community – things go horribly wrong without experts who use and understand what science means. Hence our motto for DeepSec 2017 – Science First!

In order to illustrate how thing can go wrong, we have translated an article by Erich Möchel, a journalist specialised in all things digital. The original text was published at the FM4 web site and is called Neues „Trojaner“-Gesetz ohne technische Expertise.

New (Austrian) “Trojan” Law without Technical Expertise

By Erich Möchel

As the explanatory notes on the draft show, the convened expert group served mainly to legally secure the access rights of the police. There were no technicians among them.

As part of the “security package” of the federal government, which has been in appraisal since Monday, the use of police Trojans takes a central position. Ten out of a total of 16 pages of the explanatory notes on the new Code of Criminal Procedure concern the use of malicious software by the police. In order to implement this new, technically complex measure correctly, a high-level expert committee, consisting exclusively of lawyers, was convened.As a matter of fact, the subject matter of the discussion was only the legal basis, primarily the legal delimitation of the monitoring of encrypted communications in an “online search”. The legal hurdles for the search of a computer are significantly higher than for monitoring communications. The text not even mentions that both types of monitoring use the same type of Trojan malicious software.

“A kind of communications monitoring”

Apart from the lack of an assessment of its technological impact, the explanatory notes to the draft show that apparently no technicians were involved in this bill. In sum, the draft contains only one technically exactly formulated passage – which concerns a completely meaningless and therefore misleading fact – otherwise it’s just an abstract requirement catalogue of lawyers. And its foundation is based on basic assumptions, which are technically simply not tenable. One example of this is the juridical demarcation of an “online search” and “communications monitoring” which dominates the entire Trojan chapter.

Which Aspect was discussed

After a lengthy legal discussion, whether the “technical process of such an encryption can be considered as part of the transmission”, the convened experts arrive at the conclusion that this is indeed the case. The use of such a “software” is therefore “to be regarded as a kind of communications monitoring”, and could therefore be “delimited from online monitoring”. Thus “only the requirements of the secrecy of telecommunications must be met, but not the (more qualified) requirements of the IT fundamental right”, states the expert group.

This “IT fundamental right” is derived directly from Article 8 of the European Convention on Human Rights and demands a higher threshold for access of prosecutors. Thus, the fundamental rights of all Austrian citizens were discussed only in the light of the fact that state access should be facilitated as much as possible. Already the monitoring of traffic and conversations gets approved easily even in the case of minor offences. The conclusio of the experts on this point: It is therefore important “that a software is used, which [recognizes and] decodes only transport encryption”.

What a Trojan does

This is exactly what a Trojan doesn’t do, no matter, whether it is called “communications monitoring” or an “online search”. To operate at all, the malicious software must first take over the operating system of the terminal device, because a Trojan has to have administrator rights. It already needs that in order to install various auxiliary programs from a hidden server of the police authority on the monitored PC or smartphone. This involves massive interventions in the operating system and the storage media of the device, which must also be searched in order to identify anti-virus programs. In addition to the search for “digital fingerprints” of already known malicious software (“virus signatures”), anti-virus softwares also analyze the behaviour of installed software through heuristic methods.

Trojan twins

This is why every professional malicious software downloads a so-called “rootkit”, which deeply interferes with the operating system of the smartphone or PC in order to deceive anti-virus apps and conceal the technical processes on the device from the user. What the Trojan actually taps, depends solely on the features of one and the same software. In a whole series of completely identical functions, there is only one feature, and it’s technically trivial, which distinguishes the “monitoring Trojan” from the “communications Trojan”: The latter can not access files stored by the user himself.

However, on how private files could be identified as such without searching the storage medium the experts remain silent. The Ministry of Justice emphasizes that this is “technically possible,” the experts say measures must also be “practicable” and “target-oriented” and include “preventive measures against dispersed / collateral damage and provide effective abuse control”.

“Technically possible, practicable, precise”

Technically it is, of course, possible to program such a malware suite, and as the ongoing trojan attacks by criminals using blackmail software show, it is also “practicable” to contaminate a device over the Internet with a Trojan. How “target oriented” it is, however, to try to apply a Trojan to a certain terminal device via a mobile network, in which the IP addresses of tens of thousands of active terminals constantly change, is highly doubtful. In the only – at least to some extent –  technically meaningful passage of the whole explanation, it is not entirely clear whether this is a matter of blank ignorance or deliberate deception.

Hardware keylogger forbidden, software keylogger allowed

Literally, it says: “Only the installation of a program in the computer system” is permissible. “Other technical possibilities such as, for example, the collection of electromagnetic radiation “is firmly prohibited.

This method from the nineties has become obsolete since the disappearance of tube screens. In addition, “the incorporation of hardware components into the computer system (eg a” keylogger “) is not permitted, in spite of the fact that hardware keyloggers are probably only still available in technical museums. However, the explanations are silent on the legality of software keyloggers, because without such a function, a Trojan could not make any recordings of WhatsApp chats, and then transfer them to a command-control server of the authorities.

DeepSec 2017 Schedule, ROOTS, and Closing of Call for Papers

Thanks a lot for your submissions! We are currently in the final phase of the review. Expect the first draft of the schedule for the end of the week. Important: Don’t forget that the Call for Papers for the 1st Reversing and Offensive-oriented Trends Symposium 2017 (ROOTS) is still open and was extended to 15 August 2017! Please submit and help us to put more science into infosec! Given the headlines in the IT (security) news we need all the facts we can get.

Last Call – DeepSec 2017 “Science First!” – Call for Papers

Today our Call for Papers for DeepSec 2017 (motto Science first!) officially ends. We are still up to our necks in submissions, but if you have content and want to join, then make sure you submit now! All in-time submissions will be preferred over the ones that missed the d(r)eadline!

The call for papers for the 1st Reversing and Offensive-oriented Trends Symposium 2017 (ROOTS) still runs until 5 August 2017. Make sure you don’t miss this deadline in case you want to beef up the science content of infosec!

Our reviewers love to hear from you!

Unicorns in the Wild – Information Security Skills and how to achieve them

Everyone talks about information security, countering „cyber“ threats, endless feats of hackers gone wrong/wild, and more epic stories. Once you have realised that you are reading the news and not a script for a TV series, you are left with one question: What are information security skills? The next question will probably be: How do you train to be „information secure“? Let’s take a look at possible answers.

First of all, yes, you can study information security or security-related topics. Universities, schools, and companies offer lectures, training, exercises, etc. Great. However it may not help you right away. We talked with top quality head hunters from a nameless big corporation. When they look for infosec specialists, they filter for anyone having worked in three different fields related to computer science (applied or otherwise) for at least two to three years respectively. Tunnel vision is not what you want when dealing with a complex infrastructure of hardware and software, some under your control, some parts belonging to someone else. One of the best combinations is system administration, software development, and support (the level is not important, but you have to talk to actual people about actual IT problems).

Once upon a time system administrators were generalists. Decades ago your first career move into this field was answering yes to the question if there’s someone around who knows computers. It’s still true, only the question also covers Wi-Fi, networks in general, apps, hand-held devices, TV sets, refrigerators, washing machines, coffee machines, vending machines, and almost everything that need electric power and connects to some network. Dealing with this computing stuff gives you a lot of insight into how systems interact, what goes wrong (things will go wrong, trust me, if in doubt look up the meme „down, not across“), how you can fix things, and what things definitely cannot be fixed. You also get your daily dose of coding since no system administrator can survive without scripting things – also known as orchestration or automation, thanks to the cloud gods who invented devops.

Software developers learn how to solve problems by using the programming language of the day. It really doesn’t matter where to begin, as with system administration. Since there exists no general purpose computer or operating system to solve every problem on the planet, there is also no single programming language fit for all purposes. Make sure you understand what kinds of code there are. Having a peek at the processor level doesn’t hurt. Try to understand the ecosystems your software project lives in. There is a plethora of computing platforms out there. Try to understand the reason for their existence, and all the interactions they have with the actual hardware that runs the code. As with system administration things will inevitably go wrong from time to time. Make sure your code can handle the real world – always.

So far we have covered hardware and software. Now for the most important aspect of the information security world: human interaction. All support staff gets more interaction than they can handle, at times. You cannot understand social engineering and how adversaries target the human element of the digital infrastructure if you haven’t experience communication. Support staff shares major problems with system administrators and software developer: misunderstandings, lack of information, working with hypotheses, asking countless questions to get to the crucial information, report containing wrong information, and much more. Dealing with these issues in real-time is a challenge. It will give you a lot of insight into how small problems can turn into big ones.

If you are wondering which way to go, chances are that you already experienced a part of the disciplines described in this article. Provided you still want to deal with information security problems, which can be very frustrating and impossible to solve, you just need to gain more insight into the fields you haven’t got into yet. It’s not easy, but few digital job are. This is also why we have problems answering the question to who attends DeepSec. We aim for the mix of sysadmins, devops, developers, infosec experts, CEOs, CTOs, auditors, architects, and users. You need to see the horizon in order to see the storms coming. And unicorns can’t swim.

DeepINTEL Schedule updated – Psychology and Power Grids

We have updated the schedule for DeepINTEL 2017. The human mind and power grids are both critical infrastructure. Both can be manipulated and switched off, arguably. And most of us use both every day. So this is why we added two more presentations to the schedule.

Stefan Schumacher of the Magdeburg Institute for Security Research talks about Manipulating Human Memory for Fun and Profit. Since memory is crucial for forensics, you should spent some thoughts on this matter. Your brain doesn’t cope well with cryptographically signed timestamps or hashes. Since you need to understand all aspects of the environment, the human psychology is part of every „cyber“ strategy – before and after incidents.

Mathias Dalheimer’s presentation is titled The Power Grid is vulnerable – and it’s really hard to fix this. Anyone familiar with physics won’t be surprised. However the modern power grid is also connected to networks which make things a lot more interesting. The attack vectors keep growing: renewable energy, IoT devices, and electric vehicles have been added to the equation. The talk will dive deep into how our power supply can fail and will most definitely be attacked. Real attacks that have happened in the past will also be discussed.

Make sure to get your ticket to DeepINTEL to join the discussion. Bring electric power and a spare brain!

Malicious Software explores new Business Models – Politics

Malicious software has become a major component of criminal business and geopolitics. In addition it is a convenient explanation for anything one does not want to investigate. Since code always come from somewhere you have to ask yourself many more questions when it comes to infected networks and compromised hosts. What is the agenda of the day? Journalist Erich Möchel has written an article about the arms race regarding malicious software. We have translated the original text from German to English. Expect the state of cyber in your network to rise in the course of the next years.

Arms race with Malicious Software enters a dangerous Phase

The enormous damage done by “Petya” and “WannaCry” can be traced back to a single, reworked tool from the leaked NSA pool of the “Shadow Brokers”. Experts assume that this is only the beginning.

The latest outbreak of malicious software in the past week shows the dangerousness of the new phase the ”cyber” arms race has entered in the beginning of 2017. The core functions of “Petya” – like the ones of “WannaCry” that came before – stem from a large arsenal of high-quality malicious software, which had been developed for the NSA, but fell into the hands of an enemy intelligence service in 2016.

By now there is hardly any doubt that both campaigns were not carried out by criminals but state actors. In addition, the anti-virus industry assumes that these outbreaks were only the beginning and another arsenal could appear on the net. This arsenal of the CIA is already on Wikileaks, where since March new espionage programs are being presented every week.

The semi-leaked Arsenal of the CIA

Julian Assange’s team keeps the programs to themselves, but alongside Wikileaks and the CIA itself, there is a third party,still unknown,who has this convolute of about a thousand espionage programs and digital burglary tools at its command. Whoever has exfiltrated this enormous data set from the intranet of the CIA, which is strictly separated from the Internet, and passed it on, has the same data set at his disposal, also containing all the malicious programs unpublished by Wikileaks.

This is a comprehensive wiki for the “cyber” warriors of the CIA, including manuals, tutorials, and related programs, which are clearly different from those of the NSA. All CIA programs are easy to apply and to use because they have not been written for programmers, but for taught “cyber lateral entrants”. Furthermore, this entire set of malicious software was not written for the systematic complete tapping of data streams à la NSA, but for targeted ad-hoc espionage. For each eventuality, it provides one with simple but suitable auxiliary tools.

“Outlaw Country”

While the NSA prefers meaningless, randomly generated codes for their programs, the CIA’s nomenclature is quite striking. The latest release of Wikileaks published on Friday is called “Outlaw Country” (“Land of the Lawless”) and targets Linux servers and gateways. “OutlawCountry” causes infected computers to route traffic from a company or government network to the Internet via hidden servers of the CIA. Since at the internet gateways and firewallls of large networks SSL / TLS encryption gets routinely broken up in order to enable anti-virus scans of incoming, encrypted data streams, the user’s login data and passwords for any websites can also be tapped.

The case of “Petya” is an example of what can happen if such malicious programs fall into the hands of third parties who want to do something else than just spy. Apart from its name “Petya” has very little in common with an eponymous blackmail software, known since 2015. In the case of the new “Petya”, according to all the malware analysts, first-class “exploit” named EternalBlue, which had been used by the NSA for many years to exploit a serious windows vulnerability, has been combined with new features.

If Money Collection does not work

While EternalBlue was written for specific, “manual” espionage missions against certain networks, Pseudo-“Petya” caused “EternalBlue” to spread independently by the means of a so called “worm”. In whichever internal network machines were identified, which windows systems were not up-to-date, they were captured by the NSA exploit. The camouflage as a blackmail software, however, did not last long after anti-virus experts had found out that the hard disks were not encrypted but formatted, that is, overwritten.

Furthermore, the only software module that did not work at all in this otherwise very efficient attack was the mechanism for collecting the ransom money. Prior to this, “WannaCry” had also proved to be ineffective precisely in that respect. Here too, the collection function was highly deficient. As is apparent from the blockchain data, these two spectacular malware fireworks have gained no more than $ 100,000 in bitcoins around the world. Since all transactions with these bitcoins are traceable, their conversion into real money will be difficult and, above all, diminished by high financial losses.

Control Computer as the real Target

The NSA’s EternalBlue exploit was targeted only at computers with critical control and switching functions, which are usually connected to an internal network, but not to the Internet. This supposedly high security due to separation from the Internet has led to the fact that the security of such control PCs has generally been neglected so far. What happens when people try to save money through extending the maintenance cycles of their service contracts was demonstrated by the British health system, where controllers for medical devices were badly hit by “WannaCry”.

As the “Postmortem” analyses show, the epicenter of pseudo-“Petya” was the Ukraine, the first series of infections mainly concerned computers and switchgear of power suppliers and telecoms there. Through its non-controllable worm function “Petya” afterwards quickly spread to other networks worldwide. The initiators hazarded the consequences of the resulting collateral damage and the “Shadow Brokers” had little scruples to simply publish high-quality digital intrusion tools on the net.

Forecast: Cloudy

In quite the same way – but probably even easier – many individual modules from the digital CIA burglar toolbox could be re-used for other purposes. When it comes to “security” by separating control computers from the Internet, the CIA arsenal also includes a module called “BrutalKangaroo”. Its core function is to bounce over the so-called “air gap” into a physically separated “isle network”, as is typical for systems like the ones used for power plant control.

Digital Security of the Future: Technology and Algorithms alone are no Substitute for Strategy

Unfortunately, you can not rely on antivirus programs when it comes to the security of your own business. Antivirus programs do not read newspapers, they do not attend lectures, they don’t protect you from social engineering or know the meaning of Facebook friends or Twitter tweets. False friends, indeed.

The continuous monitoring and evaluation of threats is the next step in information security. This aspect has always been an important part of digital defense. Today’s discussion often centers around the term Security Intelligence, which unites different approaches. The DeepINTEL is Austria’s first event, which, since 2012, has been taking up this topic – in all its facets, because modern information security is interdisciplinary. Lectures by experts from various fields of science, defence and industry: At DeepINTEL you have the opportunity to strategically rethink your digital protection and improve it decisively.

Internal Threats are often underestimated

The most dangerous threats come from within. That is to say, if modern companies can still distinguish between internal and external at all – social engineering is a dangerous threat, which overcomes any technological barrier. Mostly unintentionally, but in the case of targeted attacks long prepared and deliberately, actions lead to compromised systems or information to be inserted or removed. The presentation of Professor Ulrike Hugl is devoted to classifying internal threats according to motivation and behaviour. Profiles based on current cases will be presented and discussed. From this, you can derive methods for your own defence.

Real-time is no longer good enough

Analysing threats and reacting in real time is no longer enough. Who’s just on a par with the attacker can’t prevent damage. This is true for almost all protection systems currently used in companies and public authorities. An effective defence requires several ways to anticipate the next steps of the opponents and to take action against them in a targeted and coordinated way. Only a few manage to take the next step forward towards the use of adaptive measures. At DeepINTEL, Matthias Seul, an expert from the IBM Protector team will analyse the facts and share his experiences.

Telltale Metadata and Behavioural Patterns

Measurable relationships between entities and behaviour patterns of actors are key information for threat analysis. With ProcDOT, Christian Wojner is presenting a tool in his DeepINTEL lecture that uses malicious software to draw conclusions from the behaviour of the code and compare it. A visualisation based on time stamps and graphs is used, which composes thousands of individual activities into one overall picture. Compared to classical methods this information is much more meaningful because cross-connections between variants of malicious software and activities become visible. The analysis of social networks achieves something similar. Using the example of Twitter there’ll be an impressive demonstration at DeepINTEL on how to visualize the data flow between and the networks of various groups using publicly accessible information (Open Source Intelligence, OSINT). The principle can be applied to the entire spectrum of social media.

Disinformation and Cyber War

Any dispute uses disinformation as a weapon, no matter whether the opponents oppose each other analogously or digitally. The outbreak of the Petya.2017 virus is a good example. The malicious software was never meant to be ransomware. Rather, its aim was to achieve media attention and to spread a specific story. At DeepINTEL Volker Kozok will talk about another highly topical example: He discusses elements of the Russian cyber war strategy by means of the Russian and Ukrainian activities in networks. The borders between cybercrime, hacktivism, and state sponsored actions are blurred, making an easy assignment, as it is portrayed in the media, very difficult. The lecture also illuminates the narratives and Russian propaganda, as they are disseminated in Germany, as well as the role of online trolls and social bots.

Unfortunately, when it comes to information security, a company can not shut itself off from geopolitical events. Antivirus programs do not read newspapers nor attend lectures, so the importance of security events must be taken into account by the IT department.

Seminar Conference

The DeepINTEL conference aims to provide a platform where both experts and users can share and exchange ideas about methods of security intelligence. Modern information security is interdisciplinary because it is about so much more than electronic data processing like back in the 1960s. Delegation in the form of outsourcing only shifts problems and makes you blind to threats. At DeepINTEL you have the opportunity to strategically rethink your digital protection and improve it decisively.

The DeepINTEL conference takes place on 21/22. September 2017 at the Imperial Riding School – A Rennaissance Hotel in Vienna. The preliminary schedule is also available for download.

ROOTS 2017, DeepSec, and DeepINTEL Call for Papers are still open

Our wonderful world of technology is full of surprises, bugs, intentional weaknesses, adversaries, defenders, vendors, and users. Some software just got more lines of code instead of a decent audit or refactoring. Everything is turning smart, but no one knows what smart really means. Big Data is all the fashion, Big Knowledge still isn’t. So there is ample opportunity for security research. And we haven’t mentioned recent weaknesses such as Stack Clash or broken hyperthreading yet.

Strategy hasn’t evolved much either. Most high profile attacks seem to contain a lot of cyber, originating from Russia, USA, Israel, North Korea, or China. The context matters, as do the agendas of all parties involved. A thorough and careful analysis can shape the digital defence of your future. This is why we like to discuss methods, incidents, and the role of intelligence in information security.

And then there is the scientific method. Sadly not all of security research is really research. Science is hard if you want to get it right. Full disclosure and defending your claims against certain vendors is one way of ensuring your findings are correct. Past DeepSec conferences featured presentations based on scientific publications. We like to foster proper information security research. This is why the 1st Reversing and Offensive-oriented Trends Symposium 2017 (ROOTS) will be co-hosted with DeepSec 2017.

If you have some research or content you wish to present before an international audience, then let us know by using the following Call for Papers form.

And remember; the motto for 2017 is Science First!

BSidesLondon 2017 – Sharing is indeed Caring

When airport security meets information security it’s usually BSidesLondon time. It was a great experience. And since DeepSec sponsors the Rookie Track we had a very tough decision to make. It’s really hard to pick a winner. A lot of presentations were excellent, and the presenters made the most out of the 15 minutes. The winner is Thaís for her introduction to malware analysis by using satisfiability modulo theories (SMT). If you get the chance of seeing her presenting somewhere, BSidesLondon logotake a seat and listen to her.

We also like to recommend Colette‘s presentation titled ‘How the f**k do I get in? One woman’s struggle to break into cyber security!’. Despite the title it was not a rant, it was a clear and concise summary of the state of affairs for women in technology. We hope to hear more about this, and we encourage you to ask Colette for a presentation in case you organise an event. We did.

The motto sharing is caring is often abused, and the context in which it is used varies wildly. Chris Kubecka explained in the keynote Freaky Leaks from a Chic Geek what her understanding is. Indeed leaks are all around us. And leaks are here to stay, given that networks, software, and systems are not as airtight as advertising wants us to believe. Plus leaks are also used wildly out of context. She addressed some important issues regarding disclosure and incident reporting (or vulnerability reporting, depending on how many already know about the weakness). It’s amazing what people maintaining and „installing“ industrial controls systems can and will do. Industry 4.0 and Smart Power Plants are anything but smartly designed or implemented. Her presentation was full of examples on how to deal with information about critical weaknesses. Make sure you think about implications before they happen, regardless on which side you are on.

We shared and cared a lot. Thanks to the BSidesLondon crew, all speakers, all trainers, and all the sponsors!

The Future of Entangled Security States – Quantum Computing Conference in Berlin

Quantum computing is a fashionable term these days. Some IT news articles are talking about post-quantum cryptographyTaken from, qbits, and more quantum stuff. If you don’t know how the terms relate to each other, what entangled states in quantum physics are, and what everything has to do with computing, then you will have a hard time figuring out what it means for you and your infrastructure. The relationship to cryptography is yet another matter best explored after you know the basics.

Using quantum effects in computing and cryptography is already done. The best example are some hardware random generators which use properties of, well, the hardware to harvest entropy. And then there is quantum key distribution (QKD). It is a method to ensure secure communication between two or more nodes. Vienna even had a working QKD network named SECOQC which was created in 2008.

So how can you learn more? Our friends at stage a conference about quantum computing on 23 June 2017 in Berlin. The conference is aptly titled Dawn of the Quantum Era. Leading experts will explain about the current state of quantum computing, quantum communication and quantum cryptography.

In one intense conference day, IT decision makers and those, who are interested in the future will learn everything that’s important about the very subject. Where does quantum mechanics stay and what has research so far brought to light? What is the current state of research in the development of quantum computers? What can quantum algorithms and quantum encryption do? And which challenges postquantity encryption has to face? These are just a few of the questions to be answered at the upcoming conference. Participants will also discuss which future technology is more promising: supercomputer or quantum computer.

Amongst others, Speakers include Prof. Dr. Vlatko Vedral from the University of Oxford as well as Tracy Northup from the University of Innsbruck, who holds the current quantum computer speed world record. Silicon Valley will be also represented: Will Zeng comes from the quantum startup Rigetti, in which known Venture capital investor Andreessen Horowitz has invested in recently. Stefan Filipp, one of the leading quantum researchers at IBM will also be present as a speaker.

The conference Dawn of the Quantum Era takes place on the 23rd of June 2017 at the Zoo Palace in Berlin. You can find the final programme on the conference’s website as well as the biographies of all the speakers and short abstracts of their talks. Conference tickets are already available.

Biometrics and Failures in understanding Security – Copy & Paste Iris Scans

Biometrics has an irresistible attraction. Simply by mentioning the fact that you can measure parts (or surfaces) of the body and convert them to numbers a lot of people are impressed out of their mind. Literally. In theory biometric information serves as a second set of data to be used for any purposes. A common purpose is to use it for authentication. Most physical sources of biometric data are easily accessible. Fingers (for fingerprints), eyes (for your iris), limbs (for your veins), voice (for the Cloud), and other examples show this well.Biometrics can be copied Where does the security come into play? Well, it doesn’t.

For starters, passwords can be changed. Biometrics can’t unless you have a transplant. In contrast to passwords biometrics can be faked. The biometric source can be copied. In most cases this is as easy as doing a scan and printing it again. The German Chaos Computer Club has repeatedly demonstrated that copies work extremely well. They used simple iris photographs (for gaining access to a Samsung Galaxy S8) and fingerprint copies (to overcome Apple Touch ID) in the past. Almost any multi-factor authentication beats this security record easily.

Furthermore the biometric check is based on a comparison of digital data sets. Algorithms compensate for variations during the measurement, i.e. the scan phase, of the body part used. Since no two measurements are alike, there is some room for errors. This can be exploited by adversaries. Think of it as trying to manipulate optical character recognition (OCR) by manipulating text and fonts. You can do this for voices, too. Recently a Canadian company was in the news, because they showed recreated voices of Barack Obama and Donald Trump. The source were samples from interviews and speeches.

So please don’t use biometrics as a silver bullet to solve problems which can be solved more efficiently by other technologies. And don’t use sensors designed to work for and in your living-room for critical security. In case you won’t do this, we welcome you or your company as a show case at DeepSec 2017. The presentation title might even contain your name.

Disinformation Warfare – Attribution makes you Wannacry

After the Wannacry malware wreaked havoc in networks, ticket vending machines, companies, and hospitals the clean-up has begun. This also means that the blame game has started. The first round of blame was distributed between Microsoft and the alleged inspiration for the code. The stance on vulnerabilities of security researchers is quite clear. Weaknesses in software, hardware, protocols, or design needs to be documented and published. This is the only way to address the problem and to give the defenders a chance to react. The discussion about how to deal with the process is ongoing and will most likely never come to a conclusion. What about the source of the attack?

Attribution is hard. Knowing who attacked has become increasingly difficult in the analogue world. Take any of the conflicts around the world and have a look. There is no clear picture of who did what exactly for which reason. When it comes to cyber warfare you basically have to deal with lots of disinformation. We have had many talks about the use of the Internet and other networks in digital skirmishes. Routing data via a different set of connections is the core property of the Internet. You cannot trace the trajectory of a projectile. You can only rely on the forensic analysis of the attack (and even this is disputed since forensic software can be manipulated) and on data you see in network interactions. Deception is the basic ingredient of any attack. The glorified open field battles where people run at each other screaming is not what you can expect from real situations.

There are speculations that Wannacry was launched by North Korea. Russia, China, and North Korea are the default origins any analysis starts with (the only exception being Stuxnet for obvious reasons). Most people forget that false flags operations are a common military tactic. There is an easy recipe to fake an attack. Want to look like APT28? No problem. Need a specific origin for your reconnaissance? That’s what the cloud is for! You can also use the vast archive of malicious software as a starting point. The code, contrary to the truth, is out there.

Getting intelligence right is as hard as getting the attribution right. It’s not impossible, but you have to keep this in mind when reading the news about incidents such as Wannacry or others. The last attack didn’t even take advantage of the Internet of Things. Imagine that! We have just seen a glimpse of the future. If you want to prepare yourself for what’s next, you need to get your intelligence right in addition to your security. Why not join us in September for DeepINTEL and think about strategies for the future?