DeepSec Video: Measuring the TOR Network

A lot of people use TOR for protecting themselves and others. Fortunately the TOR network is almost all around us. But what does it do? How can you get access to metrics?

TOR is an anonymisation network and by design doesn’t know anything about its users. However, the question about the structure of the user base often arises. Some people are just interested in the size of the network while others want details about the diversity of its users and relays. Furthermore, TOR is used as a circumvention tool. It is interesting to automatically detect censorship events and to see how the number of users changes in those countries.

TOR’s measurement team tries to answer those (and more) questions.

At DeepSec 2015 Jens Kubieziel explained the collection of different data and how measurement is done inside the network. He talked about some of the challenges the measurement team has faced and what results it delivers. TOR currently has more than 30 different measurement tools. The talk introduces you to some of them and shows what you can do to profit from them.

DeepSec Video: Cryptographic Enforcement of Segregation of Duty within Work-Flows

Calling for encryption and implementing it may look easy at first glance. The problem starts when you have to grant access to data while enforcing a segregation of duty. Workflows with Segregation-of-Duty requirements or involving multiple parties with non-aligned interests (typically mutually distrustful) pose interesting challenges in often neglected security dimensions. Cryptographic approaches are presented to technically enforce strict auditability, traceability and multi-party-authorised access control and thus also enable exoneration from allegations.

At DeepSec 2015 Thomas Maus held a presentation explaining the problems and possible solutions.

DeepSec Video: Agile Security – The Good, The Bad, and mostly the Ugly

How do you manage your technical and operational security? Do you follow a model? If so, what’s the flavour? Do you borrow concepts from software development? In case you do or you plan to do, then Daniel Liber might have some ideas for you. At DeepSec 2015 he held a presentation about Agile and a possible relation to information security.

Buzzwords about Agile are flying around at overwhelming speed; talks about Scrum, Kanban, XP and other methodologies and practices are thoroughly discussed, while security is still left as a ‘high level’ talk or, sometimes, as an exercise in adapting from traditional development methodologies. Some best practices will leave you scratching your head, unsure what the original intention was and without understanding how to implement security in Agile effectively.

This talk will help security engineers, developers and product owners understand both technical and operational security in Agile. Removing bottlenecks from security processes, eliminating security risks hidden inside Agile methods, increasing the visibility of security tasks, and performing the traditional security duties at a faster, more efficient pace – all of this will be covered in the talk, preventing possible fails and unexpected faults in your SDLC.

We would like to hear about your implementation of technical and operational security. Let’s hear them at DeepSec 2016.

DeepSec Video: How to Break XML Encryption – Automatically

XML is often the way to go when exchanging information between (business) entities. Since it is older than the widespread adoption of SSL/TLS, there is a special standard called XML Encryption Syntax and Processing. You can use XML Encryption to encrypt any kind of data. So far, so good. But in recent years, XML Encryption became a target of several new attacks. These attacks belong to the family of adaptive chosen-ciphertext attacks, and allow an adversary to decrypt symmetric and asymmetric XML ciphertexts without knowing the secret keys. In order to protect XML Encryption implementations, the World Wide Web Consortium (W3C) published an updated version of the standard.

Juraj Somorovsky (Ruhr University Bochum) held a presentation at DeepSec 2015 explaining what these attacks look like.


DeepSec Video: Hacking Cookies in Modern Web Applications and Browsers

Cookies are solid gold when it comes to security. Once you have logged in, your session is the ticket to enter any web application. This is why most web sites use HTTPS these days. The problem is that your browser and the web applications need to store these bits of information. Enter cookie hacking. A lot has changed since 1994, and Dawid Czagan of Silesia Security Lab held a presentation at DeepSec 2015 about what you can and cannot do with cookies in modern web applications and browsers. Learn about user impersonation, remote cookie tampering, XSS and more.


DeepSec Video: File Format Fuzzing in Android – Giving a Stagefright to the Android Installer

The Stagefright exploit haunts the Android platform. The vulnerability was published in Summer 2015. It gives attackers a way to infect Android smartphones by using multimedia files such as pictures, text, and videos. This is a perfect vector since most people will look at media instantly. Dr. Aleksandr Yampolskiy gave a presentation at DeepSec 2010 about malicious software hidden in multimedia (the talk was aptly titled Malware goes to the Movies). So what if there are more bugs like this in the Android platform? Enter fuzzing technology.

Alexandru Blanda spoke at DeepSec 2015 about fuzzing on the Android platform. This approach can be used to uncover different types of vulnerabilities inside multiple core system components of the Android OS. Since these vulnerabilities affect critical components of the Android system, the impact of the results will be huge. Even if all you have is a crash, it still counts. Software handling untrusted multimedia data must be capable of dealing with anything you throw at it. Better make sure.

Alexandru targets the Android APK installer and the Stagefright media framework with fuzzing. You are welcome to stress test any other component.

DeepSec 2015 in Pictures: Very photograph. Many pixel. Wow.

„Documentation, or it did not happen!“ This is probably the unofficial motto of information technologists (and security/audit people) around the globe. For your convenience we put some images from DeepSec 2015 online. Have a look!

DeepSec 2015

Thanks to Joanna Pianka for the great pictures!

DeepSec Video: Cryptography Tools, Identity Vectors for “Djihadists”

Wherever and whenever terrorism, „cyber“, and cryptography (i.e. mathematics) meet, then there is a lot of confusion. The Crypto Wars 2.0 are raging as you read this article. Cryptography is usually the perfect scapegoat for a failure in intelligence. What about the facts?

At DeepSec 2015 Julie Gommes talked about the results of the studies done by the Middle East Media Research Institute (MEMRI). The Internet is the method of choice for communication: the number of sites calling for a “jihad” rose from 28 in 1997 to over 5,000 in 2005. The basic use of these sites for the purpose of classical communication began in the 2000s. It was replaced by that of social networks, allowing almost instant mass communication. Julie’s talk gives you an overview of the tools used according to the study.

Contrary to the opinion of certain politicians, the Paris attackers did not use any encryption at all. The Islamic State lacks the knowledge of mathematics to even fake cryptographic software in propaganda messages. Why should criminals have fewer problems with encrypted communication than governments or businesses? Don’t be fooled by propaganda; proper encryption is a cornerstone of (information) security.

DeepSec Video: Chw00t: How To Break Out from Various Chroot Solutions

Information security borrows a lot of tools from the analogue world: keys, locks, bars, doors, walls, or simply jails (to use a combination). Most operating systems support isolation of applications at various levels. You may call it change root (or chroot) or even a jail environment. The containment is not perfect, but it helps to separate applications and to have better control over access to resources. Breaking out of chroots is possible, and there are various ways to do this. So preparing a tight configuration is the key. At DeepSec 2015 Balazs Bucsay held a presentation about how to create a reasonably “secure” chroot environment and how to break out of a misconfigured one.

If you are considering using chroots/jails as a way to build compartments, make sure you know what you are doing. The same is true for virtualisation technology, by the way.

DeepSec Video: Building a Better Honeypot Network

„It’s a trap!“ is a well-known quote from a very well-known piece of science fiction. In information security you can use bait to attract malicious minds. The bait is called honeypot or honeynet (if you have a lot of honeypots tied together with network protocols). A honeypot allows you to study what your adversaries do with an exposed system. The idea has been around for over a decade. There’s even a guide on how to start. Josh Pyorre has some ideas how you can extend your basic honeypot in order to boost the knowledge gain. At DeepSec 2015 he showed the audience how to process attack-related data, to automate analysis and create actionable intelligence. Why else would you run a honeypot?

So go forth and multiply the output of your honeynet!

DeepSec Video: Advanced SOHO Router Exploitation

Routers are everywhere. They hold the networks together, Internet or not. Most small office/home office (SOHO) infrastructure features routers these days. Given the development cycles and rigorous QA cycles there have to be bugs in the firmware (apart from the vendor-supplied backdoors). Lyon Yang (Vantage Point Security) held a presentation about a series of 0-day vulnerabilities that can be used to hack into tens of thousands of SOHO routers. Even though the corporate „cloud“ might be „super secure“ against „cyber attacks“, the lonely office router most probably isn’t. Weak links sink ships, or something. We recorded the presentation at DeepSec 2015, and you can watch it online.

It’s worth learning MIPS and ARM shellcode. x86 (and x86_64) is sooooo 1990s. Happy hacking!

DeepSec Video: 50 Shades of WAF – Exemplified at Barracuda and Sucuri

Sometimes your endpoint is a server (or a couple thereof). Very often your server is a web server. A lot of interesting, dangerous, and odd code resides on web servers these days. In case you have ever security-tested web applications, you know that these beasts are full of surprises. Plus, the servers get lots of requests, some trying to figure out where the weaknesses are. This is where web application firewalls (WAF) come into play. Firewalls have come a long way from inspecting layer 3/4 traffic up to all the peculiarities of layer 7 protocols. Once your firewall turns into an application-level gateway (ALG) and more, things get complicated. Since security researchers love complexity, Ashar Javed has taken a look at WAF systems. Here is his presentation held at DeepSec 2015.

He found 50 ways to bypass the default signatures dealing with the detection of cross-site scripting (XSS). He concentrated on appliances and cloud-based solutions from two vendors. The bypasses can be used against other WAF products as well, so don’t relax.

Make sure you know your web applications inside out when exposing them to untrusted networks. Be thorough and don’t deploy code you don’t fully understand.

DeepSec Video: Temet Nosce – Know thy Endpoint Through and Through; Processes to Data

Endpoint security is where it all starts. The client is the target most attackers go after. Once you have access there (let’s say by emailing cute cat videos), you are in. Compromised systems are the daily routine of information security. Even without contact with the outside world, you have to think about what happens next. Thomas Fischer has thought a lot about scenarios concerning the endpoint, and he presented his findings at the DeepSec 2015 conference.

To quote from the talk: „This presentation will demonstrate that one of the most complete sources of actionable intelligence resides at the end point, and that living as close as possible to Ring 0 makes it possible to see how a malicious process or party is acting and the information being touched.“ There you go. Have a look!

DeepSec Video: Cyber Cyber Cyber Warfare: Mistakes from the MoDs

The word cyber entered the information security circus a couple of years ago. It should have been long gone according to its creator, William Gibson. Meanwhile everything has developed into something being cyber – CSI, war, politics, security, homes, cars, telephones, and more. Inventing new words helps to distract. Distraction is what Raoul Chiesa has seen in the last five years while training various military units in different countries. He held a presentation at DeepSec 2015 about his experiences.

While we don’t use the word cyber when talking about (information) security, others sadly do. So think of Information Warfare or Information Offensive Operations when hearing cyber and don’t let yourself be distracted by the fog of war.

DeepSec Video: The German Data Privacy Laws and IT Security

Data protection and information security are often seen as different species. Why? Where is the difference between protection, defence, security, and offence? There are a lot of relations between the terms. Stefan Schumacher (Magdeburger Institut für Sicherheitsforschung) gave a presentation at DeepSec 2015 on how to link privacy with security: „Hesse introduced the first data privacy law in the world in 1970. Since then, the German data privacy laws evolved over time and led to the creation of several tools and methods to protect private data. Though it is aimed at data protection, it can be utilized for IT security. This talk introduces the data privacy law and its main ideas. This presentation will also show how it can be used to further IT security, especially in the SME sector. This mostly refers to the identification and description of processes that work with data and therefore have to be protected.“

Data protection and privacy are not the enemies of your shiny new Big Data business model (YMMV, of course). Lacking protection is. Remember Stefan’s talk when you hear more about Safe Harbour II.