The Call for Papers of DeepSec 2014 is still open. Since its motto is the Power of Knowledge, we address everyone who has knowledge. Information is the „cyber“ weapon of the 21st century, we have heard. So if you know about the 0day that affects half the Internet, you should definitely think about presenting it at DeepSec 2014. ☻
Seriously, we have chosen this motto because a lot of issues in information security deal with knowledge. If your IT staff knows about the latest threats, the capabilities of the defences, the state of the systems, and how to deal with problems, then you have a distinct advantage. Not knowing is usually the first step towards running into problems. In this tradition we prefer disclosure of security-related knowledge. The dreaded CVE-2014-0160 is a good example. Imagine OpenSSL deployments still had the Heartbleed bug (which some of them still do, sadly) and no one knew about it. Ignorance isn’t always bliss. Disclosing this information will eventually render offensive tools ineffective. This was discussed by fx in his keynote for DeepSec 2012.
The submissions we have received so far look very promising. Can you think of ways in which knowledge can affect information security for better or worse? We bet you can, so let us know.
The ticket registration for DeepSec 2014 „The Octave“ is open. You can either use the embedded version on the DeepSec web site or go directly to the ticketing site. The tickets are now available for the early bird tariff. Make sure you get your tickets as soon as possible. The later tariffs are more expensive.
Although I’m new to the Bitcoin world, I had quite a promising start. Earlier this month I was able to visit the Bitcoin Conference in Amsterdam and had some very good conversations with core developers from the Bitcoin Foundation and, to my honour, also the chance to talk to Gavin Andresen, long-time lead developer and now chief scientist of the Bitcoin Foundation.
At DeepSec our first contact with Bitcoin was in 2012, when John Matonis, now Executive Director and Board Member of the Bitcoin Foundation, talked about the evolution of e-money. But since then we haven’t had much contact.
Tomorrow I will visit the Bitcoin Expo in Vienna and hope to meet new people in the community and discuss the latest trends and developments.
The fascinating thing about Bitcoin and the global block chain is the cryptographic background and the decentralised consensus algorithm. This distributed algorithm is used today primarily to “sign” transactions of Bitcoins, but it also offers the opportunity to “deposit” text messages which are, so to speak, “notarised” in a distributed, decentralised way.
Ethereum, for example, borrows the decentralised consensus of Bitcoin and adds a Turing-complete programming language to the block chain in the form of the so-called EVM, or Ethereum Virtual Machine. In Ethereum, messages (or transactions) can contain code, the so-called contract. The code in the contract can be used to control financial or semi-financial applications which control transactions of e-money, but it can also be used for non-financial applications like e-voting, decentralised e-government, and possibly security applications.
Rivetz suggests building a bridge between trusted computing and the decentralised digital transactions of the Bitcoin world. Steven Sprague, CEO, gave me a quick introduction to some of the ideas: for example, a TPM module could push security fingerprints of a system into the block chain and access them later to check for inconsistencies or modifications. He called this application the “digital birth certificate” of a machine.
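As an added illustration of the “digital birth certificate” idea (this is not Rivetz’s, Bitcoin’s or any TPM vendor’s code): measurements of a machine’s components are folded into a fingerprint the way a TPM extends a PCR, anchored in an append-only hash chain standing in for the block chain, and compared later to spot modifications. The component names, their contents and the ledger format are constructed for the example.

```python
import hashlib
import json

def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def measure(components: dict) -> dict:
    """Per-component digests (constructed stand-ins for what a TPM would measure: firmware, boot loader, kernel)."""
    return {name: _h(blob).hex() for name, blob in components.items()}

def fingerprint(measurements: dict) -> str:
    """Fold the digests into one value the way a TPM PCR is extended: new = H(old || H(m)), in a fixed order."""
    pcr = bytes(32)
    for name in sorted(measurements):
        pcr = _h(pcr + bytes.fromhex(measurements[name]))
    return pcr.hex()

class Ledger:
    """Append-only hash chain standing in for the block chain (a simplification, not Bitcoin's format)."""
    def __init__(self):
        self.blocks = []

    def anchor(self, machine_id: str, measurements: dict, ts: int) -> str:
        """Push a machine's fingerprint and measurements into the chain; returns the block hash."""
        prev = self.blocks[-1]["hash"] if self.blocks else "0" * 64
        body = {"machine": machine_id, "measurements": measurements,
                "fingerprint": fingerprint(measurements), "ts": ts, "prev": prev}
        body["hash"] = _h(json.dumps(body, sort_keys=True).encode()).hex()
        self.blocks.append(body)
        return body["hash"]

    def birth_certificate(self, machine_id: str):
        """The earliest anchored record for a machine is its 'digital birth certificate'."""
        return next((b for b in self.blocks if b["machine"] == machine_id), None)

    def verify_chain(self) -> bool:
        """Detect tampering with the ledger itself: each block must hash to its stored value and link to its predecessor."""
        prev = "0" * 64
        for b in self.blocks:
            body = {k: v for k, v in b.items() if k != "hash"}
            if body["prev"] != prev or _h(json.dumps(body, sort_keys=True).encode()).hex() != b["hash"]:
                return False
            prev = b["hash"]
        return True

def check_machine(ledger: Ledger, machine_id: str, components: dict) -> dict:
    """Compare current measurements with the birth certificate; report a verdict and which components changed."""
    cert = ledger.birth_certificate(machine_id)
    if cert is None:
        return {"verdict": "unknown machine", "changed": []}
    now = measure(components)
    names = set(now) | set(cert["measurements"])
    changed = sorted(n for n in names if now.get(n) != cert["measurements"].get(n))
    verdict = "unchanged" if fingerprint(now) == cert["fingerprint"] else "modified"
    return {"verdict": verdict, "changed": changed}
```

The per-component digests are stored alongside the folded fingerprint so that a later check can name the component that changed, which the PCR-style value alone cannot do.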
Although the Bitcoin community doesn’t completely agree, there is quite a large interest in an open standard, possibly even an IETF RFC, describing the Bitcoin protocol family. Currently Bitcoin is published as reference code on GitHub without a full formal description of the protocol and its interactions. Standardisation so far is focused on the usage of the API of this reference code.
Many stakeholders, like Bitcoin exchanges, vendors of Bitcoin miners, and third-party software vendors who interact with Bitcoin, would like to see a formal open standard in addition to the reference code, to facilitate new applications like those described above.
Maybe next year or when Bitcoin reaches version 1.0 we will have the first drafts available.
I’m curious about the Bitcoin Expo tomorrow and I will post an update soon.
U.S. government officials are considering preventing Chinese nationals from attending hacking and IT security conferences by denying visas. The idea is „to curb Chinese cyber espionage“. While this initiative has been widely criticised and the measure is very easy to circumvent, it doesn’t come as a surprise. Recent years have shown that hacking has become more and more political. This aspect was already explored in the keynote of DeepSec 2012. So what is the real problem?
Espionage, be it „cyber“ or not, revolves around information. This is exactly why we have a problem with the word „cyber“. Methods of transporting information have been around for a long time. Guglielmo Marconi and Heinrich Hertz raised problems for information security long before the Internet did. The only difference is the ease of setting up Internet connectivity compared to wireless transmissions (if you discount Wi-Fi networks). Technology has crossed borders ever since the first wireless transmission. Networked drones, the Internet of Things, and other developments are just the extension of technological concepts. Moreover, the concept of IT security is a team effort. No country, no business, no organisation, and no hacker group by itself can implement a „fail-safe“ security concept. Being part of the Internet means being connected to the weakest link, like it or not. End points with full-disk encryption and the latest VPN setup compromised by malicious software are the perfect example. If firewalls can’t provide perimeter protection on their own, neither can blocked visa requests.
DeepSec has maintained its neutral stance throughout the years. IT security needs places where every group can talk freely to other groups (or individuals). DeepSec is still the conference to go to where security professionals from academia, government, industry, and the (underground) hacking community can have a chat. The Call for Papers titled „The Power of Knowledge“ stresses this. If you have content illustrating the role of cooperation in IT security, then we are very keen to hear from you!
After a couple of months tinkering behind the scenes we can finally open our Call for Papers for DeepSec 2014! The upcoming DeepSec 2014 will be in November at our well-known conference hotel. We accept submissions as of now, and we are keen to hear your ideas. To give you some thoughts on what we are looking for: DeepSec 2014 is all about the Power of Knowledge!
The past years have shown that knowledge is a true „cyber“ weapon. Everyone recalling the endless discussions about full/responsible/no/delayed disclosure of bugs affecting the security of IT systems can relate to the power of knowledge. Others might not be so lucky and only grasp what knowledge means when it is turned into exploits and compromised systems. This is why we want your contribution to DeepSec 2014 centred around knowledge. Let’s go totally „cyber“ with bits of information!
Information leaks are a good start. Knowledge of leaked credentials leads to security problems. Leaked crypto keys make your heart bleed and compromise encrypted communication. How can you obtain information? What needs to be done to prevent leaks? Secure communication channels are under constant attack. How can you defend your data transmissions against the wolves in the middle?
Disclosure is another hot topic. What do you do if you know of a critical vulnerability? Do you name it and design a logo first? Do you tell the vendors and developers? When do you tell them? Do you tell them the whole story or only bits of it?
Defenders need to know what attackers are planning. The military calls this reconnaissance. It’s an essential part of most operations, and it’s basically all about gaining more knowledge. What needs to be done to improve your defence in terms of reconnaissance? We know that the IT security market has a ton of words for this (plus loads of products), but what do you actually do? Tell us how you distinguish the bad intel from the good bits.
Developers need to know what can happen to their precious code. Secure programming is very fashionable these days, but how is it done? Can you come up with ideas to boost the knowledge of coders? Do you know ways to test software used on production systems? Can you show how to break code and possibly suggest fixes for critical bugs? Let’s hear about it!
If you can answer at least one of these questions, then you have the power of knowledge. Congratulations! Share it with our audience. Don’t forget to submit your talk or workshop first!
We are back from BSidesLondon 2014, and we had a great time. It was good to meet everyone, to get some new ideas, and to work on old ideas too. The Rookie Track was a success. We had a hard time deciding which talk was best. We managed to find a winner, who will be invited to attend DeepSec 2014. Congratulations to Georgi Boiko!
The Rookie Track recordings will be published online depending on the choice of the speaker. Some are already online. Here is a list of talks you can already watch. More are being published in the coming weeks (we will update this list).
Go and watch the talks! Tell the speaker what you think (be polite!). They all did a good job, honour their efforts. We all have to start somewhere.
The published documents about the NSA’s capabilities have led to a review of cryptographic tools. Mastering SSL/TLS by itself can be tricky. This is especially true if you have to deal with clients that do not take advantage of the latest TLS protocols. System administrators and developers are well advised to keep an eye on the capabilities of libraries and the algorithms available for securing network communication. We recommend having a look at the publication of the Applied Crypto Hardening project in case you wish to review your crypto deployment.
The standardisation of cryptographic methods has been criticised as well. Apart from the flawed Dual Elliptic Curve Deterministic Random Bit Generator (Dual_EC_DRBG), there is a lot of discussion going on in which the practices of standardisation are being questioned. Given the design problems in standardised algorithms, the term „APT hiding in plain sight“ has been coined. So what is the best advice for the deployment of cryptography in production environments? What are the capabilities of your adversaries? We try to give some answers at the annual Grazer Linuxtage event on 5 April 2014. The talk „NSA und die Kryptographie: Wie sicher ist sicher?“ will address some of the developments of the past months. While we can only deal with the tip of the iceberg, we hope to give interested people a good starting point for reviewing cryptographic tools and protocols in action. We invite you to attend the Grazer Linuxtage and have a chat with us about the problem and possible solutions.
Leaks are problems you don’t want in your infrastructure. While this is clear for water pipes, it is not so clear for digital data. Copying is a part of the process, and copying data is what your systems do all day. A leak comes into existence when someone without access privileges gets hold of data. The industry has coined the term data leak/loss prevention (DLP) for products trying to stop intruders from exfiltrating your precious files. Just like other defence mechanisms, DLP systems cannot simply be bought and switched on. You have to know where your data lives, which software you use, what data formats need to be protected, and so on.
We invited Andreas Wiegenstein to talk about data loss prevention in SAP systems. His presentation was held at the DeepSec 2013 conference and introduces a fundamentally new concept: Static Data Leak Prevention. While most DLP solutions analyse network traffic at runtime, S-DLP is designed to identify data leaks already during application development.
We recommend this talk to anyone running an SAP environment including additional applications (which will probably be everyone running SAP).
Your iOS or Android smartphone can do a lot. „There’s an app for that!“ is also true for information security. So what can you do? We have seen smartphones used as an attack platform for penetration testing. You can use them for wardriving, and, of course, for running malicious software (next to „normal“ software which can do a lot too). At DeepSec 2013 Andre Gironda unlocked some of the mysteries of the iDevice and Android-device memory intrinsics, filesystem/process sandboxes, and the OO runtime by walking through the techniques, including common obfuscations. His talk is recommended to anyone interested in the capabilities of modern smartphones.
Botnets serve a variety of purposes. Usually they are used to send unsolicited e-mail messages (a.k.a. spam), attack targets by sending crafted data packets, or to perform similar activities. The Carna Botnet was created by an anonymous researcher to scan the IPv4 Internet. The creator called the botnet the Internet Census of 2012. The nodes of the botnet consist of virtually unsecured IPv4 devices – modems and other network equipment. The points of entry were mostly Telnet management interfaces exposed to the Internet. Analysing the devices that were part of the Carna Botnet is well worth the effort. This is why we invited Parth Shukla (Australian Computer Emergency Response Team, AusCERT) to present his findings about the Carna Botnet at DeepSec 2013.
„A complete list of compromised devices that formed part of the Carna Botnet was obtained exclusively by Parth Shukla. This list is NOT publicly available from any source. This data was acquired directly from the anonymous researcher who performed the Internet Census. As confirmed by the researcher, AusCERT to date remains the only organization and researcher in the world that has the complete dataset. Relevant snippets of this data, however, have been provided to CERTs around the world in order to reduce the threat made explicit by the Carna Botnet.
This presentation at DeepSec will provide up-to-date analyses of all the different identifying information for each of the compromised devices that formed part of the Botnet. This detailed analysis will indicate the prevalence of easily-exploited vulnerabilities in different countries, regions and in the devices of different manufacturers. Therefore, what these security problems mean for DeepSec attendees, IT professionals and manufacturers around the world will be thoroughly examined. The ultimate aim of this presentation is to continue to draw public awareness to the larger concerns for information security professionals worldwide and for the world’s largest economy of Europe. Hopefully, this awareness will persuade manufacturers and even local ISPs to collaborate and address this problem. The Carna Botnet reminds us all that there are numerous, simpler vulnerabilities at risk of exploitation and in need of immediate attention.“
We highly recommend listening to this presentation.
Predicting the future is very hard when it comes to information technology. However, in terms of security analysis it is vital to keep your head up and try to anticipate what attackers might try next. You have to be as creative as your adversaries when designing a good defence. This is why we invited Konstantinos Karagiannis (BT) to DeepSec 2013. Konstantinos has specialised in hacking banking and financial applications for nearly a decade. Join him for a look at the most recent attacks that are surfacing, along with coming threats that financial organisations will likely have to contend with soon.
The „Cloud“ is a great place. Technically it’s not a part of an organisation’s infrastructure, because it is outsourced. The systems are virtualised, their physical location can change, and all it takes to access them is a management interface. What happens if an attacker gains control? How big is the impact on other systems?
At DeepSec 2013 Andrés Riancho showed what attackers can do once they get access to a company’s Amazon root account. There is more to it than a simple login. You have to deal with EC2, SQS, IAM, RDS, meta-data, user-data, Celery, etc. His talk follows a knowledgeable intruder from the first second after identifying a vulnerability in a cloud-deployed Web application through all the steps he takes to reach the root account of the Amazon user.
Regardless of how your infrastructure looks, you should definitely take a look at Andrés’ talk. The „Cloud“ is different from a typical non-„Cloud“ setup. Your security defence mechanisms have to take this into account.
Hey, you! Yes, you there! Want to get root on thousands of computers at once? We know you do! Who wouldn’t? Then take a good look at supercomputers. They are not as monolithic and mysterious as Wintermute. Modern architecture links thousands of nodes together. Your typical supercomputer of today consists of a monoculture of systems running the same software. If you manage to break into one node, the chances are good that you have access to all nodes. That’s pretty neat.
At DeepSec 2013 John Fitzpatrick and Luke Jennings of MWR InfoSecurity talked about their tests with supercomputers. Their presentation covers the research and demonstrates some of the most interesting and significant vulnerabilities they have uncovered so far. They also demonstrated exploits and previously undocumented attack techniques live, so you can see how to get root on 20,000 nodes all at once. The material they cover affects the majority of the top 500 supercomputers.
Even if you don’t run a supercomputer in your basement or at work, we recommend listening to their presentation.