Transforming Secure Coding into Secure Design

Secure Coding is the way to go when you develop applications for the real world. Rename errors and bugs into failures. Turn #fail to #win. Instant karma. In addition there are lots of best practices, checklists, and documents around that will tell you what to anticipate. However the design of an application precedes the code itself. Given the scope and purpose of your product implementing security at the coding stage might be too late.

Let us consider an example. The Internet of Things (IoT) is all around us, especially in the information security news sections. While connecting devices to make one’s life easier isn’t a bad idea (just think about writing this article on a networked device and you reading it! Cool, eh?), the connecting parts and the security design should be sound. Smart stuff will be exposed to threats. A Facebook party in your living room is the perfect example. It will quickly expose your infrastructure to all kinds of threats. That’s what IoT is required to handle. In the age of always connected devices your infrastructure won’t catch a break. You need secure design in the network protocols, in authentication, in the code itself; the list is long.

Where can you learn secure design? The best approach is to take a few steps back. Once you have committed to a programming language or any specifics, the design choices get restricted. Isolating the data you need to handle and all the interactions with other components is a good start. When it comes to selecting the right building blocks do not try to reinvent technology that is already out there. This is especially crucial for all the crypto parts. Encryption libraries and their parameters have been extensively researched by security researchers in the past three years. Take a look at best practices. Try to use reliable components. Use code that is around for a long time. Identify the threats your code will be facing. The list gets quite long, but it’s worth doing all these considerations before the first line of code is written. Then you can start to address the issues of secure coding.

A lot of products benefits from secure design. In case you forgot the design, there is always secure testing for those who put the security design into the code after the application hit the market.

Preliminary Schedule of DeepSec 2016 – almost done

We got over 100 submissions for DeepSec 2016! This is a new record. Consider that we have only room for about 40% of the content. While you may be impatient to hear about the trainings and the talks, please bear with us. We are in the final round of reviews and will have the preliminary schedule ready the day after tomorrow. You will be able to enjoy reading the announcement during your morning coffee break. Promised.

To give you a little sneak preview, here are the main topics we will be addressing with the content: cryptography, Internet of Things (IoT), social engineering, threat hunting, the current state of affairs in information security, networking stuff (both wired and wireless), penetration testing, exploit automation, attacking web applications, iOS exploits, physical security, world domination a.k.a. „cyber“ threats, and some 0talks we won’t tell much about just now.

Make sure you bring ample of time when attending DeepSec in November. We are especially proud to host top class trainings with trainers featuring in-depth knowledge and expertise – true to the spirit of DeepSec! See you in Vienna in November!

DeepSec 2016 – Thank you for all your submissions!

The DeepSec Call for Papers closed on 31 July 2016. We are currently reviewing the content. Thank you very much for your participation! The talks and workshops look awesome. We have a hard time deciding what will be part of the schedule and what has to be postponed.

For everyone who has missed the deadline, you can  still submit your talk or training. However we will consider all the others first.

Prepare for a fantastic DeepSec 2016!

DeepSec 2016 Call for Papers – Reminder – 24h to go!

The Call for Papers for the tenth DeepSec conference officially ends in 24 hours. This is a gentle reminder to submit your presentation or your kick-ass workshop.

OpenPGP.conf is calling for Content

If you don’t know what PGP means (or GPG), you should consult your favourite search engine. While it has a bad reputation for its usability, it is a lot more useful than the rumours might suggest (please attend your local CryptoParty chapter for more details). This is why the German Unix Users Group organises an OpenPGP.conf event. It takes place on 8/9 September 2016 in Cologne, Germany. The Call for Papers is still running, so  be quick and submit.

The international conference, initiated by Werner Koch, maintainer of the free OpenPGP implementation Gnu Privacy Guard (GnuPG), and organized by the German Unix Users Group Association introduces the subject of confidential and untampered with communication including, but not limited to

  • security aware users,
  • IT managers and architects responsible for security objectives,
  • software developers who plan to implement secure applications,
  • service providers who have to comply with security SLAs, and
  • activists and journalists interested in privacy issues.

During the two day conference in english language in Cologne, talks cover a comparison on popular key distribution protocols DANE and WKD, the alternative trust model Mesh, the API library GPGME, and the USB token environment Gnuk.

Presentations discuss threads imposed by certain use patterns of OpenPGP, publicly funded activities both on Germany’s federal level as well as EU approaches, a survey of the current state of OpenPGP adoption, and a retrospective of 25 years of the protocol.

Tickets are available at the conference website. A number of discounts are available for students, GUUG members, and for those who book until August 8, 2016. Some discounts can be combined. Tickets include food and drinks during the conference and attendance to the social event.

So, go forth, make crypto, not „cyberwar“.

A Perspective on Code and Components – assert(), don’t assume()

Have you ever looked closely at the tools you use on a daily basis? Taking things apart and putting them back together is an integral part of understanding the universe. Scientists do it all of the time (well, at least some do, there are things that can’t be put together easily once taken apart). So lets focus on components and how they interact.

ASN.1 and libraries that deal with it are popular components. Few people get a kick out of ASN.1, so they use code that does it. It’s just an example for parts that handle data being sent to and received from other systems. We live in a networked world, so communication is a crucial part of modern software. So to use business lingo: Most software works by delegating tasks to third-party code. It helps to focus on the problem the software needs to solve. While this is no epiphany it’s something worth remembering. Usually you rely on these components to do their job. What happens if a particular tasks fails? The manual says that you will get a proper return code or error condition in order to take adequate steps. This works in theory and in well-designed projects where all the rules of secure coding are observed. The guidelines for dealing with failure works somewhat less for code being produced under pressure. Products that need to hit the market in a short time frame are prone to bugs. BIOS/(U)EFI, Wi-Fi drivers (where standards are ready after they are already implemented), apps on mobile devices, your new shiny OS release prior to an important exhibition or press conference, Internet of Things stuff, everything beginning with smart, and probably the occasional prototype from start-ups serve well to illustrate this point.

Information security people know this, or at least they should. Penetration testers and software quality testers know a lot about components, as do sysadmins (this is why they still and will always hate printers). So if you are in charge of a development team, please make sure you eliminate as much assumptions as you can. Networks will fail, servers will be unreachable, data integrity will be compromised, system resources will be tight, and so on. There is an endless list of issues to think about. I’d like to illustrate the point with two links to material that takes a really close look at database software of all kinds. Take a look at Jepsen. It is a project designed to stress test the claims of distributed databases, queues, consensus systems, and similar tools. In addition there are notes from Kyle Kingsbury titled An introduction to distributed systems. Make sure everyone on your teams gets this memo and reads it! No exceptions!

If you are wondering how much effort proper coding (you may also call is secure coding, but it is really the same thing) is, here’s a quote from the Jepsen web site: „Would you like to see a system analyzed? … A full analysis and writeup typically take a couple months.“

There you go. Now fix stuff. See you later!

Intelligence on the Silver Screen: A Good American Kickstarter Campaign

Surveillance has a bad reputation. No one likes to be watched. Yet infosec researchers, sysadmins, and developers talk a lot about log files. We need to watch stuff for various reasons. You got your mail logs, diagnostic messages, performance metrics, network addresses, and more painstakingly sorted by timestamps and maybe geolocation. Log data is part of information technology. It gets interesting once you store, process and mine this data. Some people like to collect it all and do all kinds of Big Data stuff with it. Others filter out the relevant bits of information and work with that. Opinion is divided, results may vary.

Enter A Good American, the documentary which was screened in Vienna during the DeepSec 2015 conference. It has been shown all over the world. The film itself is fully funded, finished and travelling the festival circuit at the moment. However it isn’t exactly a blockbuster you’ll find in theatres everywhere. This is why there is a Kickstarter campaign to help showing the documentary to people who might be interested but have missed it so far. Go to the web site and have a look!

Why are we telling you this? Well, we believe that the wonderful world of security intelligence should be subject to discussion as the world of information security already is; and maybe even more so. Plus we like to discuss all things intel at our DeepINTEL event.

Call for Papers – DeepSec 2016 – Reminder

The Call for Papers for DeepSec 2016 ends on 31 July 2016. If you have some top content, a new way to break the Internet of Things, a piece of code that lets the director of the FBI sweat (for whatever reasons), then let us know. Basically anything that breaks stuff, melts networks/applications/hardware, or singes the fur off things is a good choice (see isic for the original quote). Despite the Internet of Things not being yours it can be 0wned any way. Have a go and tell us!

In case you are inclined to teaching we also host top quality workshops, just before the conference. If you got material to keep a group of nerds, pentesters, and people worried about the state of information security busy, then drop us your abstract.

See you all in the CfP database soon!

The Internet of Threats revisited

Everyone is talking about the Internet of Things. Connecting household applications (yes, applications, appliances is so 1990s) to a network hasn’t been more fun than now. Also measuring things is great. Today most sensors are deployed to generate endless streams of data because we can, not because there is a need for it. And I haven’t even talked about the information security aspect yet. Let’s take a step back into 1995/1996. Those were the days of the first browser wars. Jamie Zawinski has a quote of the Law of Software Envelopment on his web site.

Every program attempts to expand until it can read mail. Those programs which cannot so expand are replaced by ones which can.

The proof of concept was undertaken by creating the Netscape Mail and News client. Processing email once was an art only done by specialised software (also known as email clients). Despite its age email is still a major way of communicating. It’s less instant, but who likes to attend messenger apps that constantly ring? Exactly. To rephrase the law or phrase a corollary, the Internet of Things might produce something like this.

Every device attempts to expand until it can send data to the Internet. Those devices which cannot so expand are replaced by ones which can.

Let’s do a test. Count the sensors of the devices right near you. Multiply this number by the number of devices connected to a network. Multiply by two if one of these networks is connected to the Internet. There you go, we now have a metric. The higher the number, the more modern your environment is. Probably. Now let’s take a step back. Information security experts keenly wait for the Internet of Things to be deployed. Ubiquitous networked devices with code running on them and interfaces are the epitome of exposure. You probably now the term exposure from incidents like the Three Mile Island partial meltdown, Fukushima Daiichi nuclear disaster, or the Goiânia accident. The remark is not meant to bash new technologies. It’s just a reminder that the security people (regardless if nuclear, biological, military, or information/data is involved) always think about exposure and the resulting attack surface. Once you connect a device to a network, it is exposed. You suddenly have to deal with data driven attacks that play by the rules, at least superficially, or crazy code that floods your system with random data. Since few code has security on the top 3 design features, things will happen eventually. In addition a lot of networked computing is based on little black boxes we don’t know much about. We have gotten used to not knowing what a particular chip set actually does. Past DeepSec conferences have featured presentations about malicious hypervisors in hardware.The door to the world.The Internet of Things features a lot more little black boxes along with broken protocols, bad security design, and lots of exposure. Before you start ranting about the current state of affairs, there will be no fix. Devices with network capabilities will be shipped, deployed, connected, attacked, and exploited. This is the cycle of life. Why should the IoT take a shortcut? Everything that will happen to your networked refrigerator has already happened to web servers, databases, VoIP systems, telephones, office software, and printers. Information security is not about what happens if; it’s about what to do when it already happened.

If you know some brave IoT designers, users, or vendors, please tell them to drop by at the next DeepSec conference. We should talk. Unfortunately they don’t answer our emails, so please spread the word.

Early Birds, save the Date! BSidesVienna has opened the Call for Papers!

Grab your calendars, you have to be in Vienna on 12 November 2016! BSidesVienna is accepting your submissions for an awesome community conference. The range of topics is wide, so don’t ask yourself “Is this interesting or not?” – just submit and come to Vienna in November!

While you are preparing your submission, you might want to make some extra space in your calendar for DeepSec 2016. The submission we got so far look great. Crypto, the Internet of Stuff (IoT), exploit labs, pentesting training, and more waits for you. Make sure you get the Early Bird prices for your tickets!

DeepSec welcomes Google as Sponsor for the next Conference

We are proud and happy to announce Google as sponsor for DeepSec 2016!

Google haGoogle Logos been a supporter of DeepSec in the past. While we may not need to introduce Google to you, we would like to point out that they have a very capable security team and that members of their researchers have held presentations at DeepSec conferences. Google staff is often around, so take the advantage and talk to them.

DeepSec welcomes SEC4YOU as Conference Sponsor!

DeepSec would not be possible without the support from sponsors. So we welcome SEC4YOU as sponsor for the next DeepSec 2016!

SEC4YOU offers serSEC4YOUvices regarding advanced auditing, penetration testing, and vendor-agnostic IT security consulting. SEC4YOU experts support your team when it comes to test and to implement security measures. Especially when it comes to compliance requirements, you will need assistance to make sure that nothing goes wrong. SEC4YOU’s portfolio covers IT security analysis (dealing with risks and threats to your organisation), auditing, ISO 27001 certification (with or without BSI standards), creation of security policies, risk management, information security management system (ISMS), internal government and revision processes. Their experts are well-versed with clients from internal auditing, accounting/controlling, information technology, data protection, risk/compliance management, and information security. Plus they like hackers! Make sure you have a chat with them when attending DeepSec.

Tags: ,
Posted in Conference by . 3 Comments

DeepSec 2015 Slides: Bridging the Air-Gap – Data Exfiltration from Air-Gap Networks! Much Slides! Very Animated! Wow!

The presentation titled Bridging the Air-Gap – Data Exfiltration from Air-Gap Networks was held at DeepSec 2015. Since the presentation format was not meant to be printed or viewed with generic documents viewers, the slide deck had to be converted. The slides in PDF format can be downloaded from this link:
For an animated version of the slides, use one of these links:
or in short

Mind the gap and enjoy!

DeepINTEL 2016 – Save the Date for Security Intelligence

Analysing threat intelligence hasn’t been more important. We all know that bad things will happen. That’s not the issue to worry about. You should spend some thoughts on why something happens, what methods are involved, and what your adversaries look like on the inside. Defending your assets is much more than using a fence, some doors, and badges for your employees. We would like to welcome you to DeepINTEL to discuss security intelligence in-depth.

The DeepINTEL 2016 has been moved. Save the new date; DeepINTEL will take place on 20/21 September. The location hasn’t changed, and good weather has been ordered. Make sure you order your tickets!

BSidesLND2016 Rookie Track Review

Sitting through the Rookie Track at BSidesLondon is something we really enjoy. This year the quality of the presentations was amazing. Of course, the rookie’s mentors take a part of the blame for that. Good training gives you always a head start. Nevertheless someone has to stand in front of the crowd and fill the 15 minutes slot with content. All rookies did a good job. It was hard to pick a clear winner. The jury took more than three iterations to find a conclusion. Locard made it, and we welcome him to DeepSec 2016 in November. Honourable mentions go to @Shlibness, @Oxana_Sereda and @callygarr.

For you we have some thoughts on the presentations we saw and on the methods being used.

Think of your presentation as code. Make it lean and mean. It’s easy to implement your favourite function in 200K lines of code. Make it smaller. The same is true for your presentation. Writing a book about your favourite topic is easy. Squeezing everything the audience needs to know and you have to say into a presentation slot of 15 minutes (or 30, 45, 60, 90, …) is hard. It requires a thorough understanding of the facts and the theory. In addition you need ideas how to present your thoughts with minimal distraction. Good illustrations will help you. Using text will also do, but you need to reduce it as well. No fillers, no noise, just use the minimal code necessary.

Stage fright will be your enemy (even if you are not an Android phone). If you have a problem with crowds, think about not drinking loads of your favourite caffeinated drug. Try to relax before your presentation begins (starting with breakfast gives you a good start, relaxing seconds before your talk doesn’t make much sense). Have a chat with the audience. You need to introduce yourself any way, so why not ask people from the audience some questions? Once you are past the first seconds or minutes of your talk, you most probably have forgotten your nervousness. Besides, being nervous is a sign that you care, so there’s nothing to worry about.

For everyone thinking of entering the Rookie Track at BSidesLondon 2017: Please do! We will be pleased to see you presenting your ideas!