Submit your Talk – Call for Papers for BSidesLondon

The Call for Papers for BSidesLondon is still running! If you haven’t submitted your talk yet, please do! The deadline is 27 March 2017. Don’t miss it!

The Wonderful World of Cyber is full of stuff to talk about. There is broken software all over the Internet (of Things). 0days await. Infrastructure is ready to be defended or attacked. Let others know about your ideas. If you have never presented at a conference before, then you should consider a submission for the rookie track. You have to start somewhere or somewhen, so why not at BSidesLondon?

Looking forward to listening to your presentation at BSidesLondon!

DeepINTEL 2017 – Modern Strategies for Information Security

Seminar on Digital Defence with Experts.

The news is full of reports covering attacks against networked systems and digital components. Every day there is new media coverage about stolen data, compromised accounts, the impact of malicious software, digital second strikes, cyber attacks between countries and new vulnerabilities in computer systems. All that leads to the impression that in the modern digital world we are almost helplessly vulnerable to attacks. Clever entrepreneurs benefit from the general uncertainty and sell countermeasures in the form of security software or other components which, according to their praise, once installed will kill off every threat automatically. But the media don’t show the whole picture – hardly any report on “hacker attacks” could be called a realistic depiction of real life events. The consequence? It is not possible to build an effective strategy for your own information security based only on media reports and promises of clever vendors. Digital defence is as individual as fire protection or physical measures against burglaries – there are no standard solutions, no one-size-fits-all. What about the security of your own data? Do you know about the risks that may affect you and about the vulnerabilities of your company?

At DeepINTEL you have the opportunity to strategically reflect upon your digital protection. The seminar provides a platform for security officers and experts from threat analysis to work together on strategies for digital defence. Strategies from which you directly benefit as participants.

Security Intelligence and Knowledge

The current practice of companies when it comes to information security consists of protection by the catalogue of measures and security components from the vendor’s tray of the IT security industry. Those who really want to be sure may additionally take a look at the end-of-the-year review or the trends for the upcoming year. However, this approach is completely out of touch with reality – many companies simply do not know which risks affect their own business. A real threat analysis and a thorough judgement of your opponents is the most important component of a good defence! Yet it is often sadly lacking. Instead, protective devices are used according to their advertised abilities, often without accurate background knowledge about how and from which attacks one should actually be protected by the acquired safety components. But the necessary information is usually already available and easy to access, if you know how. Your company’s own operating data and a structured analysis of previous safety-related events are the way to improve your security. The magic word? “Security Intelligence”. The structure of your security measures must be based on facts and built methodically. To establish a functioning security infrastructure, documented threats, data of your own infrastructure, actual dangers and appropriate indicators for a security incident have to be taken into account.

The DeepINTEL conference provides a platform for security officers and experts from threat analysis to work together on strategies for digital defence. Security Intelligence is interdisciplinary and requires experience in analysis beyond the pure application of statistics. The flow of data, communication, the right metric, sure indicators for a break-in, the appropriate evaluation, or the correct deconstruction of IT into its individual parts must be carried out by experts. You can find this expertise at DeepINTEL.

Big data without content is no solution

Machine learning or Big Data are often used as buzzwords to conceal one’s own deficits. But with big words alone you can’t score points when it comes to IT security. You have to examine your own infrastructure and look for meaningful metrics. It is not about plenty, it’s about the right data records. Anyone who blindly analyses data misses the relevant threats. Even the best algorithms have to be used correctly. A methodological approach is very important. Perceived threats cannot be measured and inevitably lead to security nihilism, a sentiment also easily evoked by reading the latest articles of everyday IT news.

Of course one has to draw attention to existing threats. But never forget that the side of the defence knows best about its own infrastructure and digital treasures. If you don’t use this advantage, you do your opponents an invaluable service.

IT Security with Security Intelligence

What difference does Security Intelligence make for your IT? How do you incorporate its insights and knowledge into your own security system? The customary opinion among many service providers will lead you to coloured product palettes, supposed to do everything for you automatically. But in the real world, apart from the exhibitions and fairs where these solutions are presented, it’s not that easy. First of all, you need a clear picture of your infrastructure and reliable metrics, which provide information about the state of your own security. From this data a picture emerges, on which the actual security strategy can be built. Digital defence is as individual as fire protection or physical measures against burglary. You won’t screw sensors on the walls at random and hope you cover the critical points. You only get meaningful measurements when you focus on the critical points – and know how to find them.

The DeepINTEL conference would like to provide a platform for both experts and users to exchange ideas about methods of security intelligence. Modern information security is interdisciplinary because IT has evolved into so much more since the days of mere electronic data processing in the 1960s. Delegation in the form of outsourcing only shifts your problems and makes you blind to threats. At DeepINTEL you have the opportunity to strategically reflect upon your digital protection.

The DeepINTEL conference will take place on the 21 & 22 September 2017 at the Imperial Riding School Renaissance Hotel in Vienna, Austria.

Putting the Science into Security – Infosec with Style

The world of information security is full of publications. It’s like being in a maze of twisted little documents, all of them alike. Sometimes these works of art lack structure, deep analysis, or simply reproducibility. Others are perfectly researched, contain (a defence of) arguments, proofs of concept, and solid code or documentation to make a point. Information security is a mixture of different disciplines such as mathematics, physics, computer science, psychology, sociology, linguistics, or history. It’s not about computers and networks alone. There is interaction between components. Protocols are involved. Even the simple act of logging in and staying in an active session requires several parts to talk to each other. And then there are rituals. Scepticism is widespread in information security. Questioning your environment is the way to go, but you need to do it methodically and with evidence-based reasoning.

There is an emotional component to IT security too. „Everything is broken, everyone’s going to get hacked eventually.“ You hear this statement a lot, mostly from frustrated engineers. Well, we already know that stuff around us is badly designed or broken by design. Levels of brokenness vary depending on where the stuff (i.e. devices / technology) is being used. Important stuff gets more maintenance and security design than, let’s say, your toothbrush. At this point we can veer off and discuss the Internet of Things at length. Unless you methodically lead this discussion based on evidence, please, just don’t discuss it. The Internet of Things won’t go away just because it is broken (so far). We can handle substances too hot to touch or dangerous chemicals (again, no discussion, we can handle this stuff most of the time), so we can surely deal with dangerous bits. We just have to do it properly. This also means realising that it is sometimes better to say „I don’t know what that means.“ until you have all the facts to decide what you see or hear.

To get the train of thought back on the infosec track, have a look at Hanno Böck‘s presentation titled „In Search of Evidence-Based IT-Security“. The origin of this talk was the work of Google’s Project Zero, where the security of anti-virus engines, among other code, was discussed. Confronting the fancy advertising of security products with the fundamentals of theoretical computer science is a good test to see how evidence-based the approach is. Hanno suggests taking a look at the methods used in other fields where things are also complicated. Randomised controlled trials (RCTs) are an example. While RCTs are not without disadvantages, you don’t even find the most basic scientific methods in information security publications. White papers and documents titled “(field) study” are even worse. The lack of gathering facts and processing them scientifically makes information security research vulnerable to manipulation. Infosec people smile when cyber attacks are in the news or politicians talk about cyber war. That’s great, but the shoddy work found in some/many published „results“ leaves too much room for ambiguous discussions. We agree with Hanno: „Applying rigorous science to IT security could provide a way out of the security nihilism that dominates the debate so often these days…And by learning from other fields Evidence-Based IT Security could skip the flaws that rife other fields of science.“

DeepSec 2017 will have a stronger focus on academic research in the field of information security. In case you need help improving the scientific approach in your project, please let us know. We might be able to help, and we know a lot of researchers who can also help. Plus there are already results of fine research online and published. Take a look at them. It is much easier to defend claims against the legal department of a vendor. Facts are your friend. Dealing with them correctly will save your day.

The Sound of „Cyber“ of Zero Days in the Wild – don’t forget the Facts

The information security world is full of buzzwords. This fact is partly due to the relationship with information technology. No trend goes without the right amount of acronyms and leetspeak technobabble. For many decades this was not a problem. A while ago the Internet entered the mainstream. Everyone is online. The digital world is highly connected. Terms such as cyber, exploit, (D)DoS, or encryption are used freely in news items. Unfortunately they get mixed up with words from earlier decades, leading to cyber war(fare), crypto ransom(ware), dual use, or digital assets. Some phrases are here to stay. So let’s talk about the infamous cyber again.

In case you have not seen Zero Days by Alex Gibney, then go and watch it. It is a comprehensive documentary about the Stuxnet malware and elements of modern warfare (i.e. remote sabotage of infrastructure). Given the secrecy of the incident / operation it is the best compilation of facts and their non-existence to date. No matter what you think of people using the word cyber for a variety of meanings, digital warfare is here to stay. In essence it is an attack on communication and control infrastructure. Manipulating systems connected to physical devices has always been used for disrupting the Things without Internet. Cut a pipe(line), block a spinning wheel, loosen some screws, and there you go. Instant analogue sabotage. Using the benefits of modern connected industrial controllers turns this into digital sabotage – cyberwar. Like it or not, talking about semantics won’t help. The fact is that modern communication networks and the networked infrastructure are now being used for political, military, academic, entertainment, education, (organised) crime, business, cultural and multimedia purposes. This list isn’t even complete (and don’t worry, terrorism is already included in the list).

Reality has shifted the border between now and (science) fiction. If you want to deal with modern threats to your data and flow of information, then you need to catch up. Urgently, that is. To set the tone for 2017, here is a quote by Richard A. Clarke from the interview he gave for Zero Days.

„I’m old enough to have worked on nuclear arms control and biological weapons arms control and chemical weapons arms control. And I was told in each of those types of arms control, when we were beginning, “it’s too hard. There are all these problems. It’s technical. There’s engineering. There’s science involved. There are real verification difficulties. You’ll never get there.” Well, it took 20, 30 years in some cases, but we have a biological weapons treaty that’s pretty damn good. We have a chemical weapons treaty that’s pretty damn good. We’ve got three or four nuclear weapons treaties. Yes, it may be hard, and it may take 20 or 30 years, but it’ll never happen unless you get serious about it, and it’ll never happen unless you start it.…“

That’s one way of putting it. There are different perspectives. However no matter how you look at it, systems get attacked and compromised. That’s what you can see when you work with and in IT departments. Once you use networks, the threats will become part of your job description. Call it cyber if you like, but always include context and additional information. We need the facts. For 2017 we like to revisit the threat landscape and address the security implications with scientific accuracy. DeepINTEL will be the first event, DeepSec will follow. And we would like you to join us.

Putting the Context into the Crypto of Secure Messengers

Every once in a while the world of encrypted/secure/authenticated messaging hits the wall of usability. In the case of email, Pretty Good Privacy (PGP) is an ancient piece of software. These days we have modern tools such as GnuPG, but the concept of creating keys, verifying identities (i.e. determining who is to be trusted), synchronising trust/keys with communication partners, and handling the software in case something goes wrong is quite a challenge. Plus things might change. People revoke their keys, devices get lost, data gets deleted, people create new keys or even (digital) identities, or do lots of things that are either anticipated by the software developers or not. Communication is not static. There are moving parts involved, and especially the communication partners might move a lot.

So crypto is hard, we know this. Discussing secure messengers is also hard, as The Guardian found out a couple of days ago. The author claimed that WhatsApp contains a „backdoor“ and that the messages can be re-encrypted and sent again. The whole story revolves around the generation of unique secret keys and doing stuff with messages already being transported. Open Whisper Systems has commented on this article by providing the technical background, criticising the falsely used term „backdoor“, and explaining what is going on behind the scenes for WhatsApp and Signal. The reactions to the Guardian article range from technically incorrect to outrageously dangerous for WhatsApp users relying on the protection of their messages.

The question remains: What should a secure messenger do when it detects that a communication partner has changed security parameters? The answer is different for WhatsApp and Signal. As you know from network security, you can default to accept or deny/drop. With messages you can either drop the message until the communication partner has confirmed the change and possibly re-verified the identity of the communication partner; or you can route the message. Regardless of what you do, it is a valid choice provided the encryption is sound and you tell the user(s) about it. The preferred choice depends on the context. If you have very disciplined communication partners, then this event is an indication that something is wrong. If your communication partners periodically change devices, don’t do any backups, eat SIM cards for breakfast, and play around with installed apps, then this might be nothing to worry about.
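To make the two policies concrete, here is an added example (not code from the post, and not how WhatsApp or Signal implement it): a trust-on-first-use key store for a hypothetical messenger that remembers each contact’s key fingerprint and, when a contact shows up with a new key, either holds the outgoing message until the user has confirmed the new fingerprint (the „drop“ policy) or delivers it and surfaces a warning (the „route“ policy). All names, the fingerprint scheme and the sample keys are assumptions made for the example.

```python
"""Added example: key-change policies for a hypothetical secure messenger.
Not the post's code and not the behaviour of any real messenger; names are invented."""
import hashlib
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional, Set, Tuple


class Policy(Enum):
    BLOCK = "block"   # hold the message until the user confirms the new key
    ROUTE = "route"   # deliver the message, but warn the user about the change


@dataclass
class Outcome:
    delivered: bool
    warning: Optional[str]   # None when nothing unusual happened


@dataclass
class KeyStore:
    policy: Policy
    known: Dict[str, str] = field(default_factory=dict)                 # contact -> fingerprint
    confirmed: Set[Tuple[str, str]] = field(default_factory=set)        # (contact, fp) the user verified
    pending: Dict[str, List[Tuple[str, str]]] = field(default_factory=dict)  # contact -> [(fp, msg)]

    @staticmethod
    def fingerprint(pubkey: bytes) -> str:
        # Short hash of the contact's public key; what a user would compare out of band.
        return hashlib.sha256(pubkey).hexdigest()[:16]

    def send(self, contact: str, pubkey: bytes, msg: str) -> Outcome:
        fp = self.fingerprint(pubkey)
        old = self.known.get(contact)
        if old is None:
            # Trust on first use: the first key we see is recorded without a warning.
            self.known[contact] = fp
            return Outcome(True, None)
        if old == fp or (contact, fp) in self.confirmed:
            self.known[contact] = fp
            return Outcome(True, None)
        # The contact's key changed: this is the event the paragraph above discusses.
        warning = f"{contact}: key changed {old} -> {fp}; verify the new fingerprint out of band"
        if self.policy is Policy.BLOCK:
            self.pending.setdefault(contact, []).append((fp, msg))
            return Outcome(False, warning)
        # ROUTE: deliver anyway, record the new key, and tell the user.
        self.known[contact] = fp
        return Outcome(True, warning)

    def confirm(self, contact: str, fp: str) -> List[str]:
        """The user verified the new fingerprint (phone call, meeting). Release held messages."""
        self.confirmed.add((contact, fp))
        self.known[contact] = fp
        held = [m for f, m in self.pending.pop(contact, []) if f == fp]
        return held


if __name__ == "__main__":
    store = KeyStore(Policy.BLOCK)
    print(store.send("alice", b"constructed-key-1", "hi"))       # first use, delivered
    print(store.send("alice", b"constructed-key-2", "still there?"))  # held with a warning
    print(store.confirm("alice", KeyStore.fingerprint(b"constructed-key-2")))  # releases the held message
```

Either policy is defensible as long as the warning reaches the user; the design choice in `Policy` is the context decision the text describes, and `confirm` is where the out-of-band verification (phone call, personal meeting) enters the system.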

Examining the context is often all you can do. The tools are there to help you. Even PGP with the dreaded Web of Trust and its 1990s usability offers you some information to make a decision. The crucial point of secure communication is to keep track of identities and do the verification of contacts right. Given your threat model you can do this by a phone call or a personal meeting. It’s your decision.

DeepSec Administrivia for 2017, the Year of the Cyber

2017 is in full swing, and it didn’t wait long. December was full of „hacking“ news. It seems digital war(e)fare knows no break. We will address some of the issues in a series of blog articles. Also we have uploaded the DeepSec 2016 videos to Vimeo. Attendees and speakers will get access before we publish the videos for everyone. This is our review period, in case someone doesn’t like a video or needs to adapt the description.

The date for DeepSec will be published soon. We look to the fourth quarter of the year, as usual. The Call for Papers will be online in February. If you have some ideas, write to us. We have plenty of topics to address. The most pressing problem was raised at the 33C3. Go and watch the presentation titled In Search of Evidence-Based IT-Security. A lot of people cry wolf and have no facts to back up their claims. The scientific method is not just a fashion choice. Facts govern our lives. Why should this be any different in information security?

Speaking of facts, we will host a DeepINTEL event in May 2017. The past year(s) have shown that any discussion about threats and adversary capabilities inevitably combines the words agenda, fake, news, and cyber in arbitrary order. While disinformation is a key ingredient of (military) warfare, it doesn’t really help your defence. Defending against attacks and determining what intruders will do or have been doing requires hard facts and a rational analysis. You will not find this in media channels, press conferences, politics, or social media. You will probably have to attend DeepINTEL. Looking forward to meeting you there.

As for the other topics we thought about during cold winter nights, you will read about them in the upcoming blog articles.

Security BSides Events – Give a Present to the Community

You most certainly have heard about the security BSides events. If you are not sure what gift to get, why not help out the BSides events a bit? BSides London is looking for help. BSides Ljubljana has started its call for papers. Have a look and give them a hand.

Happy Holidays!


Scanning for TR-069 is neither Cyber nor War

The Deutsche Telekom was in the news. The reason was a major malfunction of routers at the end of the last mile. Or something like that. As always, theories and wild assumptions are the first wave. Apparently a modified Mirai botnet tried to gain access to routers in order to install malicious software. The attacks lasted from Sunday to Monday and affected over 900,000 customers. These routers often are the first point of contact when it comes to a leased line. Firewalls and other security equipment usually come after the first contact with the router. There are even management ports available, provided the ISP has no filters in place. The TR-069 (Technical Report 069) specification is one management interface, and it has its security risks.

Now that the dust has settled the Deutsche Telekom and politicians are quick to point out that „Cyber“ is going on, a „Cyber NATO“ is needed, the law needs to be amended (because once you have a law against something, It™ will never ever happen again), someone needs to take the blame, and more meaningless phrases are needed to not address the problem at hand. Golem.de has published a good summary and a comment on these remarks (in German). A detailed in-depth analysis showed that no TR-069 exploit was working on the targets. Instead the devices just failed to work. Which is very different from warfare or any other targeted attack.

Let’s face it. Most devices out there (Internet of Things or not) can be fried by using the ISIC (IP Stack Integrity Checker) tool for a couple of minutes. You should try this at home. There is no war, and there is no „cyber“ going on. It’s just the missing defence-in-depth concept at work.

Disclosures, Jenkins, Conferences, and the Joys of 0Days

DeepSec 2016 was great. We have slightly recovered and deal with the aftermath in terms of administrivia. As announced on Twitter, we would like to publish a few thoughts on the remote code execution issue found by Matthias Kaiser. He mentioned the possibility in his presentation titled Java Deserialization Vulnerabilities – The Forgotten Bug Class. First let’s explain some things about how DeepSec runs the Call for Papers, the submissions, and the conference.

During the Call for Papers process our speakers send us title, abstract, and mostly an in-depth description of the presentation’s content. This means that we usually know what’s going to happen, except for the things that are actually said and shown during the presentation slot. Since we do not offer any live video streams and publish all presentation slides after we have given the speaker a chance to redact and change things, the disclosure of anything is limited to the audience at DeepSec. Even if you do a full disclosure, it is technically not. That’s a fact, not an excuse. Furthermore we support all of our speakers during the submission process, on stage, and after that. If you as a conference do not give this support for anything that might happen, then what’s the point in inviting someone? Once you publish the schedule, you’re in. Don’t cop out!

Any kind of disclosure comes with a discussion on how to do it. Basically you get disclosure in all shades and all flavours. In our heart we very much like full disclosure (we grew up reading Bugtraq and the like years ago). We suggest reading the superb article Full Disclosure is a necessary evil written by Aleph One in 2001. True, most vendors/developers/communities like to get some advance information on critical bugs in order to fix the problem. Sadly this statement is based on the assumption that whoever produces the code is willing to do this. There are records of bugs that were critical and weren’t fixed for years (or longer). This is still the case. So, no matter what flavour of disclosure you like, the information about the bug has to be published, and it has to be published with a fixed deadline. There is nothing to postpone. The bug is real, it affects users, it is being exploited. Time is running out. End of story.

Lastly, we don’t like the term 0day (or zero-day). It’s a fancy word. It sounds dangerous (it might be, it might not be, most of the time it is, but then it depends on what the affected code does). The 0day is at the end of the life cycle from vulnerability to bug and to a working and tested exploit. In order to wreak havoc you have to do some software development, including testing, to come up with results that can be recreated. Neither a vulnerability nor a bug is a 0day.

Of course we understand vendors, developers, and communities that care about the security record of their code. Plus we like security researchers who don’t give out the details too early. Thanks to Matthias Kaiser for being responsible and professional. In case you got the wrong impression from a medium that asks you to explain quantum field theory in 140 characters, then something went wrong. We are sorry for any conclusions derived from instant news messages.

We hope to see vendors, developers, security researchers, users, and everyone else at DeepSec 2017. We can discuss the joys of 0days live with as many characters and coffee as we want.

DeepSec 2016 – expect 48 Hours of Failures and Fixes in Information Security

The conference part of DeepSec 2016 has officially started. During the workshops we already discussed a lot of challenges (to phrase it lightly) for infrastructure and all kinds of software alike. The Internet of Things (IoT) has only delivered major flaws and gigantic Distributed Denial of Service attacks so far. There is even a worm for LEDs these days. And we haven’t even started the conference preparations yet.

So we have plenty of reasons to talk about what went wrong, what will go wrong, and what we can do about it. The world of information security is not always about good news. Something has to break, before it can be repaired – usually. Systems administrators know this, for some it’s their daily routine. Nevertheless we hope everyone at DeepSec gets some new insights, fresh ideas, and more ways to tackle the Wonderful World of Information Security. We can’t wait to see the presentations!

Enjoy the conference!

Screening of “A Good American” in Vienna with Bill Binney

There will be a screening of the documentary A Good American in Vienna tomorrow. We highly recommend watching this film, even if you are not directly connected to information security. Threat intelligence has far-reaching consequences, and in the case of the world’s biggest intelligence agency it also affects you.

A Good American will be shown

All of this takes place in the course of a lecture about the topic. Markus Huber and Martin Schmiedecker have kindly organised everything. Bill Binney will be present, too. So you can directly talk to him and ask him questions. We highly recommend not missing this opportunity.

DeepSec 2016 Talk: Obfuscated Financial Fraud Android Malware: Detection And Behavior Tracking – Inseung Yang

In Korea in particular, hackers have distributed sophisticated and complex financial fraud Android malware through various means of distribution, such as SMS phishing, Google Play, compromised web servers and home routers (IoT). In some cases, both smartphone and PC users are targeted simultaneously.

Inseung Yang and his team collect mobile Android malware via an automated analysis system and detect obfuscations and malicious packer apps. In his presentation Inseung Yang will describe trends of malicious Android apps and obfuscated mobile malware in Korea. He’ll explain the policy methods for Korean mobile banking and the attack methods used by hackers, e.g. the stealing of certificates, fake banking apps that request the security numbers issued to users when they open their accounts, Automatic Response Service (ARS) phishing attacks in conjunction with Call Forwarding, and the requesting of the One Time Password (OTP) number.

But Inseung will not only talk about recent trends of obfuscated malicious Android apps in Korea, he’ll also explain the mobile protection techniques that malware authors use against analysts: obfuscation, packing, anti-debugging and other methods used to obstruct the detection and analysis of malware.

Inseung Yang is a member of the Analysis Team at KrCERT/CC, KISA.


DeepSec 2016 Keynote: Security in my Rear-View Mirror – Marcus J. Ranum

Everything that’s old is new again, and if you work in security long enough, you’ll see the same ideas re-invented and marketed as the new new thing. Or, you see solutions in search of a problem, dusted off and re-marketed in a new niche.

At this year’s DeepSec conference the keynote will be given by Marcus Ranum, who set up the first email server for whitehouse.gov. He will reflect upon over 30 years of IT security and make a few wild guesses for where this all may wind up. Spoiler alert: Security will not be a “solved” problem.

Marcus answered a few questions beforehand:

Please tell us the Top 5 facts about your talk.

  • I’ll be talking about how the security market evolves from here.
  • I’ll be talking about the relationship between security and management
  • It’s going to be depressing.
  • I have been working in security since the mid/late 1980s and I don’t think we have made any progress at all
  • I don’t think we will make much progress in the near-term future, either.

Is there something you want everyone to know?

It’s all about management cost.

Marcus J. Ranum works for Tenable Security, Inc. and is a world-renowned expert on security system design and implementation. He has been involved in every level of the security industry from product coder to CEO of a successful start-up. He is an ISSA fellow and holds achievement and service awards from several industry groups.

DeepSec 2016 Talk: Systematic Fuzzing and Testing of TLS Libraries – Juraj Somorovsky

In his talk Juraj Somorovsky presents TLS-Attacker, a novel framework for evaluating the security of TLS libraries. Using a simple interface, TLS-Attacker allows security engineers to create custom TLS message flows and arbitrarily modify TLS message contents in order to test the behaviour of their TLS libraries. Based on TLS-Attacker, he and his team first developed a two-stage TLS fuzzing approach. This approach automatically searches for cryptographic failures and boundary violation vulnerabilities. It allowed him to find unusual padding oracle vulnerabilities and overflows/overreads in widely used TLS libraries, including OpenSSL, Botan, and MatrixSSL.

Juraj’s findings encouraged the use of comprehensive test suites for the evaluation of TLS libraries, including positive as well as negative tests. He and his team used TLS-Attacker to create such a test suite framework, which finds further problems in TLS libraries.
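The padding oracles and the „positive as well as negative tests“ mentioned above come down to one question a test suite can ask: does a record-processing routine behave differently depending on which check failed? The following is an added example, not TLS-Attacker code and not from the talk, written in Python. It builds CBC-style TLS records (data || MAC || padding, every padding byte equal to the padding length) for a hypothetical library, shows a record check whose failures are distinguishable beside one that fails uniformly, and runs a small negative test suite that flags the distinguishable one. The key, the data and the record layout are constructed for the example; a real suite would also have to compare timing, which plain Python cannot guarantee.

```python
"""Added example: positive/negative record tests that flag a padding-oracle shape.
Not TLS-Attacker code; the record checks and inputs are constructed for illustration."""
import hashlib
import hmac
from typing import Callable

MAC_LEN = 32  # HMAC-SHA256 tag length, as in *_SHA256 cipher suites
BLOCK = 16    # AES block size, so a padded record is a multiple of 16 bytes


class PaddingError(Exception):
    """Raised by the leaky check when the padding is malformed."""


class MacError(Exception):
    """Raised by the leaky check when the MAC does not verify."""


class RecordError(Exception):
    """The single error type the hardened check ever raises."""


def build_record(data: bytes, key: bytes, pad_len: int = None) -> bytes:
    """data || HMAC(data) || padding, where the last pad_len+1 bytes all equal pad_len."""
    body = data + hmac.new(key, data, hashlib.sha256).digest()
    if pad_len is None:
        pad_len = (BLOCK - (len(body) + 1) % BLOCK) % BLOCK
    return body + bytes([pad_len]) * (pad_len + 1)


def leaky_check(plaintext: bytes, key: bytes) -> bytes:
    """Unhardened check: which stage failed is visible to the peer (the oracle shape)."""
    if not plaintext:
        raise PaddingError("empty record")
    pad_len = plaintext[-1]
    if pad_len + 1 + MAC_LEN > len(plaintext):
        raise PaddingError("padding longer than record")
    if any(b != pad_len for b in plaintext[-pad_len - 1:]):
        raise PaddingError("inconsistent padding bytes")
    body = plaintext[:len(plaintext) - pad_len - 1]
    data, tag = body[:-MAC_LEN], body[-MAC_LEN:]
    if not hmac.compare_digest(hmac.new(key, data, hashlib.sha256).digest(), tag):
        raise MacError("bad mac")   # a different error than a padding failure
    return data


def hardened_check(plaintext: bytes, key: bytes) -> bytes:
    """Uniform failure: one error type, and the MAC is computed whether or not padding was valid."""
    if len(plaintext) < MAC_LEN + 1:
        raise RecordError()
    pad_len = plaintext[-1]
    pad_ok = pad_len + 1 + MAC_LEN <= len(plaintext)
    tail = plaintext[-(pad_len + 1):] if pad_ok else b""
    pad_ok = pad_ok and all(b == pad_len for b in tail)
    # On bad padding, treat the padding length as zero so a MAC check still happens.
    effective = pad_len if pad_ok else 0
    body = plaintext[:len(plaintext) - effective - 1]
    data, tag = body[:-MAC_LEN], body[-MAC_LEN:]
    mac_ok = hmac.compare_digest(hmac.new(key, data, hashlib.sha256).digest(), tag)
    if not (pad_ok and mac_ok):
        raise RecordError()          # same error regardless of which check failed
    return data


def classify(check: Callable[[bytes, bytes], bytes], record: bytes, key: bytes) -> str:
    """Name of the observable outcome: 'ok' or the exception class the check raised."""
    try:
        check(record, key)
        return "ok"
    except Exception as exc:  # noqa: BLE001 - we want to observe every outcome
        return type(exc).__name__


def distinguishable(check: Callable[[bytes, bytes], bytes], key: bytes) -> bool:
    """Negative tests: True if malformed-padding and bad-MAC records yield different outcomes."""
    good = build_record(b"hello", key, pad_len=10)
    bad_pad = good[:-2] + bytes([good[-1] ^ 0xFF, good[-1]])   # one padding byte wrong
    bad_mac = bytes([good[0] ^ 0x01]) + good[1:]                # data altered, MAC now wrong
    too_long = good[:-1] + bytes([0xFF])                        # padding length exceeds record
    outcomes = {classify(check, r, key) for r in (bad_pad, bad_mac, too_long)}
    return len(outcomes) > 1


if __name__ == "__main__":
    key = b"constructed-test-key-for-example-only!"
    print("leaky check distinguishable:", distinguishable(leaky_check, key))      # True
    print("hardened check distinguishable:", distinguishable(hardened_check, key))  # False
```

The positive test is that a well-formed record decrypts to its data under both checks; the negative tests are the three malformed records. A suite built this way catches the implementation flaw class the talk describes at the API level, before anyone has to write a proof-of-concept against a live server.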

TLS-Attacker is an open source tool, and is currently being deployed for internal tests in Botan and MatrixSSL. We asked Juraj Somorovsky some questions about his matter of interest.

Please tell us the top 5 facts about your talk.

  • It gives an overview of the recent attacks on TLS (Transport Layer Security).
  • It presents an open source framework for the evaluation of TLS libraries, which can be used by security researchers or developers: TLS-Attacker.
  • It shows how to use TLS-Attacker to test and fuzz TLS libraries, or how to create custom proof-of-concept attacks.
  • It presents vulnerabilities found with TLS-Attacker, including padding oracles in OpenSSL, Botan and MatrixSSL.
  • It shows a video from South Park.

How did you come up with it? Was there something like an initial spark that set your mind on creating this talk?

In recent years we could observe many vulnerabilities in important TLS implementations. We saw attacks targeting improper encryption algorithms and configurations, complex state machine attacks, or buffer overflows and overreads. This motivated us to create a tool that allows security researchers to easily implement proof-of-concept attacks, or execute fuzzing and find such attacks automatically.

Why do you think this is an important topic?

TLS is arguably the most important cryptographic protocol. We use it every day in our browser to log in to our favourite web sites or to execute secure payments. Its security evaluation is therefore of huge importance.

Is there something you want everybody to know – some good advice for our readers maybe?

This talk is for everybody who is interested in TLS and secure crypto protocols. As a security researcher or pentester you will learn how to execute specific attacks like padding oracles. As a security developer you will learn how to evaluate the security of your TLS servers.

A prediction about the future – what do you think will be the next innovations or future downfalls when it comes to particularly your field of expertise / the topic of your talk?

The new TLS 1.3 standard is being developed. This standard will be integrated into new TLS libraries, including further novel TLS features and extensions. These new implementations will lead to novel security bugs and problems. We hope that with careful, systematic TLS fuzzing and testing new security problems can be eliminated.


Dr. Juraj Somorovsky is a security researcher at the Ruhr University Bochum, and co-founder of Hackmanit GmbH. He is a co-author of several TLS attacks (e.g., DROWN), and the main developer of a flexible tool for TLS analyses: TLS-Attacker (https://github.com/RUB-NDS/TLS-Attacker). He has presented his work at many scientific and industry conferences, including Usenix Security, Blackhat, Deepsec and OWASP Europe.

DeepSec2016 Talk: Smart Sheriff, Dumb Idea: The Wild West of Government Assisted Parenting – Abraham Aranguren & Fabian Fäßler

Would you want to let your kids discover the darker corners of the Internet without protection? Wouldn’t it be handy to know what they do online, to be alerted when they search for dangerous keywords and to be able to control what websites they can visit and even when they play games?

Worry no longer, the South Korean government got you covered. Simply install the “Smart Sheriff” app on your and your kids’ phones. Smart Sheriff is the first parental-control mobile app that has been made a legally required, obligatory install in an entire country! Yay, monitoring!

Well, something shady yet mandatory like this cannot come about without an external pentest. And even better, one that wasn’t solicited by the maintainer but initiated by the OTF and CitizenLab and executed by the Cure53 team! In this talk, two of the Cure53 testers involved in the first and, who would have guessed, second penetration test against the “Smart Sheriff” app, will share their findings. Maybe everything went all right, maybe the million kids forced to have this app run on their devices are safe. Maybe. But if so, would there be a talk about it?

We all know mandated surveillance apps to protect children are a great idea, and outsourcing to the lowest bidder always delivers the best results. Right?

Going over the first and second pentest results we will share our impressions about the “security” of this ecosystem and show examples of the “comprehensive” vendor response, addressing “all” the findings impeccably. This talk is a great example of how security research concerning a serious political decision and mandatory measures might achieve nothing at all – or of how a simple pentest together with excellent activist work may spark a political discussion and more.


Abraham was an honors student in Information Security at university. From 2000 until 2007 his work experience was mostly defensive: fixing vulnerabilities, source code reviews and later on trying to prevent vulnerabilities at the design level as an application and framework architect. From 2007 forward Abraham focused more on the offensive side of security with a special focus on web app security. He is a senior member of the Cure53 team, and a senior consultant for Version 1 – the top IT consultancy in Ireland. Abraham is also the creator of “Practical Web Defense” – a hands-on eLearnSecurity attack and defense course, as well as an OWASP OWTF project leader, and sometimes writes on http://7-a.org or twitter as @7a_ and @owtfp.
Abraham holds a Major degree and a Diploma in Computer Science apart from a number of information security certifications: CISSP, OSCP, GWEB, OSWP, CPTS, CEH, MCSE:Security, MCSA:Security, Security+.

As a shell scripting fan trained by unix dinosaurs Abraham wears a proud manly beard.

Previous presentations and some recordings can be found here and here.

Fabian did his bachelor’s degree in collaboration with IBM and is now doing his master’s degree at the technical university in Berlin. He was always interested in IT security and started to seriously get into it after he discovered CTF competitions in 2011, and has since won the German Cyber Security Challenge twice.

Fabian is a senior penetration tester for Cure53 and holds an Offensive Security Certified Professional (OSCP) certification.

Fabian is interested in all computer topics from low level hardware up to high level web applications and writes about it on his blog and on twitter.

Contrary to Abraham, Fabian cannot grow a full beard.