44CON revisited: Secure Design in Software is still a new Concept

We have been to 44CON, and we returned with lots of ideas and scary news about the state of security in devices and applications. Given the ever spreading Internet of Things (IoT) you can see why connecting random devices via a network with no second thoughts about design, updates, or quality control is a bad idea. Don Bailey illustrated this perfectly in the keynote titled The Internet of Us. His presentation touched all of information security, but IoT featured a prominent role. We are really surrounded by the Internet of SIM cards (sadly which we cannot call IoS). This opens up a new perspective and demystifies the IoT hype.

You should watch Matt Wixey’s talk Hacking invisibly and silently with light and sound as soon as the videos are published. Matt discussed hardware hacking with sensors and sound/light sources such as lasers, computer screens, and LEDs. Transmitting data can be done by a variety of means, and you can do a lot with ultrasound or infrared. He also showed how to confuse drones by jamming their ultrasound sonar.

A shorter two hour version of The ARM Exploit Lab by Saumil Shah could be attended as an evening session. Given that the number of ARM processors tops that of x86/x86-64 five or six times, you should really think about getting to know ARM shell code and how exploits work on this platform. Right now finding a device where you can use these exploits is easy to find. In addition most are networked, so you can access them most probably, maybe even by war-dialling thanks to the Internet of SIMs. Or you just attack smartphones. The ways to use your new knowledge is without bounds. If you are interested, there will be a three-day course of The ARM Exploit Lab at DeepSec 2017.

So we enjoyed being at 44CON, meetings friends, and exchanging ideas about infosec. A big thanks to the crew! They made the event really smooth and worked a lot behind the scenes, so that everyone felt right at home. Looking forward to 44CON 2018!

DeepINTEL Conference approaches the next generation of IT Security

Strategic Information Security: Predicting the Present

DeepINTEL Conference presents Approaches to the Next Generation of Security

Many products and approaches of information security are trying hard to predict the future. There is always a lot of talk about threats of the future, detection of attacks before they arise or the magic word “pro-active”.  But the prediction of the future does not benefit your business if the present is still unknown. When it comes to information security this means: Do you now know enough about your current situation to make the right decisions within the next few hours? The DeepINTEL seminar conference, which takes place on 21st/22nd of September in Vienna, focuses on this strategic question.

Analogies distort Perception and Facts

Analogies are often used to illustrate connections. Especially in the areas of IT security, people use a lot of terms from the military sector. “Attack” and “defense” suggests this kinship, but this wording automatically evokes assumptions that are not met. Errors in communication protocols, code, program crashes, or hardware peculiarities are not weapons, no matter how much you stretch your imagination. You can not armour Internet accesses. There are also no bulletproof databases or mailboxes. The analogies quickly break down and obscure what is actually going on – What information about your own infrastructure and communication is available, and what does this data mean in terms of real risks? This knowledge can not simply be bought from service providers, you have to gather it through experience in your own field of business. Companies know their own processes very well, and this knowledge must be integrated into their IT security.

Security Intelligence as a collection of methods

In the media or in advertisements the term security intelligence very often has a different meaning. For security experts “security intelligence” means the knowledge of methods that can be used in an attack, the knowledge of the capabilities of the attacker, and the analysis of open source intelligence in the context of the expected risks. In concrete terms, this means to point out the means used against an organization, which must be neutralized or mitigated by its IT security. This also includes threats outside of technology, internal threats, the search for the right personnel, secure communication behaviour and much more. Security intelligence as a process is the necessary first step before you can start to implement, even begin to discuss security measures. For this reason, companies are hardly concerned with it and rely on external suppliers. DeepINTEL wants to offer you the opportunity to get acquainted with this topic. Some companies have successfully set up their own security intelligence teams, or at least developed methods to not build digital access barriers blindly. Ultimately, your IT security measures become more secure and more accurate.

In particular, areas such as critical infrastructure (energy supply, networks), finance, insurance, transport (freight forwarding companies, public transport, airports), health care or public authorities can benefit by adapting their digital defence to the very risks, they have to face.

Interactions are everywhere

An important topic DeepINTEL focuses on are interactions. In terms of security interactions between people or machines (in any combination) are always critical. No successful attack can do without them. At DeepINTEL presentations will focus on the manipulation of human action, on motivations and the profiles of internal aggressors, as well as on the influence of human memory and the role of propaganda in geopolitical conflicts.

We started out by explaining how important information is – but let’s not underestimate the role of disinformation. It is an important tool of all opponents in information security. The human factor gets passed over  way too often – Personnel departments can’t be protected only by technical means. Who effectively wants to attack an organization  will try to infiltrate and place their own personnel inside the company. One must not forget: Really effective attacks are prepared for months or years. There’s enough time to hire an accomplice or to persuade or blackmail an employee to become an internal threat. Such preparations can’t be traced within the logs of servers and applications: who relies on technology only to defend themselves against attacks are badly prepared.

But of course the technical aspect of IT Security will also be in focus of this years DeepINTEL: The conference features talks about the profiling of malicious software, the weak points of the power supply network, the failure of industrial control systems (SCADA) and human errors related to secure communication systems. Unfortunately there is no area of ​​modern infrastructure where you do not have to look for security gaps. The results presented are derived from actual incidents and real-life security tests – and present a good opportunity to think about setting up your own case studies aided by real information. Such business games are beneficial, just like fire drill exercises, and they help to build up realistic scenarios that your digital defense needs to consider.

DeepINTEL Programme and Registry

Who wants to get into the future undamaged, must master the present. To use misguided analogies one last time: You can win every battle in the digital world and still lose the war. To escape this fate, sign up today to the DeepINTEL conference. There are still a few discounted tickets from the sponsor’s contingent. Contact us and get the booking code – better today then tomorrow.

The current program can be found at the DeepINTEL web site.

You can register directly at the DeepINTEL web site.

DeepSec 2017 Training: The ARM IoT Exploit Laboratory

If the Internet of Things (IoT) will ever leave puberty, it has to deal with the real world. This means dealing with lies, fraud, abuse, exploits, overload, bad tempered clients (and servers), and much more. Analysing applications is best done by looking at what’s behind the scenes. IoT devices, their infrastructure, billions of mobile devices, and servers are powered by processors using the Advanced RISC Machine (ARM) architecture. This design is different from the (still?) widespread Intel® x86 or the AMD™ AMD64 architecture. For security researchers dealing with exploits the change of design means that the assembly language and the behaviour of the processor is different. Developing ways to inject and modify code requires knowledge. Now for everyone who has dealt with opcodes, registers and oddities of CPUs, this is nothing new. Grab the documentation, ready the tools, and start experimenting. There is another way. Let your lab work be guided by an expert who has extensively done this for x86/x86-64 already. This is why we invited Saumil Shah to conduct the training The ARM IoT Exploit Laboratory at DeepSec 2017. Saumil has developed the training to be completely tailored for the ARM architecture.

The all new ARM IoT Exploit Laboratory is a fast paced 3-day intermediate level class intended for students who want to take their exploit writing skills to the ARM platform. The class covers everything from an introduction to ARM assembly all the way to Return Oriented Programming (ROP) on ARM architectures. Our lab environment features hardware and virtual platforms for exploring exploit writing on ARM based Linux systems and IoT devices.

The class concludes with an end-to-end “Firmware-To-Shell” hack, where we extract the firmware from a popular SoHo router, build a virtual environment to emulate and debug it, and then use the exploit to gain a shell on the actual hardware device. The goal is to give you an understanding on how the following topics work on ARM:

  • Introduction to the ARM CPU architecture
  • Exploring ARM assembly language
  • Understanding how functions work on ARM
  • Debugging on ARM systems
  • Exploiting Stack Overflows on ARM
  • Writing ARM Shellcode from the ground up
  • Introduction to Exploit Mitigation Techniques (XN/DEP and ASLR)
  • Introduction to Return Oriented Programming
  • Bypassing exploit mitigation on ARM using ROP
  • Practical ROP chains on ARM
  • An introduction to firmware extraction
  • Emulating and debugging an IoT device firmware in a virtual environment
  • Case Study: From Firmware to Shell – exploiting an ARM router’s embedded firmware

This three day training definitely will save you from the frustration of spending three months with the architecture and compiler manuals on your lap (or second a screen). Plus you can see how to attack an actual firmware from an actual device. Just like in the movies! ☻ We recommend this training for anyone dealing with smartphones or devices in the very near future. You are already surrounded by ARM architecture processors and very definitely use them on a daily basis. So why not do some hard-core testing. Best you do this before the other side does!

Important: Please book as early as possible and bear in mind that this is the only three-day training! Three as in 0,1,2 or 1,2,3. This means the training start one day earlier than the other DeepSec training, i.e. the ARM Exploit Laboratory starts on 13 November 2017, Monday. Remember: Three days.

Saumil Shah is the founder and CEO of Net-Square, providing cutting edge information security services to clients around the globe. Saumil is an internationally recognized speaker and instructor, having regularly presented at conferences like Blackhat, RSA, CanSecWest, PacSec, EUSecWest, Hack.lu, Hack-in-the-box and others. He has authored two books titled “Web Hacking: Attacks and Defense” and “The Anti-Virus Book”.

Saumil graduated with an M.S. in Computer Science from Purdue University, USA and a B.E. in Computer Engineering from Gujarat University. He spends his leisure time breaking software, flying kites, traveling around the world and taking pictures.


DeepSec 2017 Talk: Malware Analysis: A Machine Learning Approach – Chiheb Chebbi

Software has a character. It can be beneficial. It can also be malicious. A networked business world and the Internet of connected individuals make life for malicious software, also known as malware, easier. Just like international travel facilitates the spread of diseases and parasites, the networked globe is a big advantage for malware. Researcher can hardly keep up with the numbers of detected viruses, worms, and trojan horses. So why not let machines look for malware on their own? Certainly automation already benefits the hunt for malicious code. Chiheb Chebbi has some ideas that can help.

Threats are a growing problem for people and organizations across the globe. With millions of malicious programs in the wild it has become hard to detect zero-day attacks and polymorphic viruses.This is why the need for machine learning-based detection arises. A good understanding of malware analysis and machine learning models is vital to ensure taking wise decisions and building a secure environment by being capable of correctly identifying and mitigating such potential threats. During the talk the audience will be introduced to machine learning models in cyber security and explore two different cutting edge models to detect malware and threats as case studies:

First, ‘Hidden Markov Models (HMM) for malware classification’ which is a very useful technique to detect certain challenging classes of malware, starting from the mathematics behind Markov chains, to HMM models training and evaluating clustering results.

The second case study is deep learning malware detection. The audience will dive deep into artificial neural networks and will learn how to build and optimize deep learning networks using machine learning libraries and tools (Tensorflow, Theano, Keras, Scikitlearn, etc.) and will discover how deep learning can be designed for intelligent malware detection.

We are looking forward to see his talk. If you have any connections to malware, you should probably attend, too.


Chiheb Chebbi is an InfoSec enthusiast and Security Researcher with experience in various aspects of Information Security, focusing on investigation of advanced cyber attacks and researching cyber espionage and APT attacks.His core interest lies in “Web Applications security” and “Industrial Control Systems”. 2016 he was included in the Alibaba Security Research Center Hall Of Fame. He gave talks at the 4th Annual BSides Tampa IT Security Conference 2017 Florida USA, Black Hat Europe London 2016, NASA Space Apps Challenge 2015 and 2016, Global Windows Azure Boot camp 2014: Revolutionizing Education using cloud Computing, International Institute of technologies Sfax 2014: Introduction to Cloud Computing, Research Center in Informatics, Multimedia and Digital Data Processing of Sfax 2014: the future of Software industry.

DeepSec 2017 Keynote: Social Science First! – Dr. Jessica Barker

While the schedule is still preliminary, we have already some confirmations from our speakers. We are happy to announce Dr Jessica Barker as the keynote speaker for DeepSec 2017. Information security has a lot to do with interactions. Despite AI (a.k.a. Assisted Intelligence), „smart“ assistants (a.k.a. paper clips on steroids), and a metric ton of gadgets we still have a lot of contact with human beings. Marketing departments and tech people lost in code often forget this. Jessica will give you something to think about which you can’t discuss with Siri, Alexa, the Google AI, or even HAL 9000.

Bruce Schneier popularised the concept in 1999: cyber security is about people, process and technology. Yet almost two decades later, the industry still focuses so much more on technology than the other two dimensions of our discipline. For a long time, when the cyber security community has considered the human nature of cyber security, it has been within the context of a narrative that ‘humans are the weakest link’. In this talk, Dr Jessica Barker will argue that, if that is the case, then that is our failing as an industry. With reference to sociology, psychology and behavioural economics, Jessica will discuss why social science needs to be a greater priority for the cyber security community.

Curious? We are! Get your ticket to DeepSec 2017 and listen to Jessica’s presentation!

Dr Jessica Barker is a leader in the human nature of cyber security. Equipped with years of experience running her own consultancy, she recently co-founded a new cyber security company, Redacted Firm. Her consultancy experience, technical knowledge and sociology background give her unique insight, and she has a talent for translating technical messages to a non-technical audience.

Jessica delivers thought-provoking and engaging presentations across the world, at corporate events as well as practitioner and academic conferences. She also frequently appears on the BBC, Sky News, Channel 4 News, Channel 5 News, Radio 4’s Today programme, Radio 2’s Jeremy Vine show and more. She has been published in the Sunday Times and the Guardian, and frequently in industry press. She is regularly commissioned to write cyber security blog posts, and runs the website www.cyber.uk, dedicated to cyber security news, information and guidance.

Administrivia: How to access ROOTS and DeepSec 2017

We have received some question on how to attend the presentations of the 1st Reversing and Offensive-oriented Trends Symposium (ROOTS) 2017. It’s very easy. ROOTS is co-hosted with DeepSec 2017. This means if you attend DeepSec, you also attend ROOTS. In turn attending ROOTS gives you also access to the DeepSec conference. So you only need one ticket to access both events.

Bear in mind that our sponsors can give you discount codes for buying tickets. In addition we have a special programme for academics to give you the academic discount for the tickets. Don’t forget: Buying early means saving money! The early bird tariff is still valid until 25 September 2017. After that the ticket price increases. Do us and yourself a favour and book as early as possible. Thank you!

See you at ROOTS / DeepSec 2017!

Mythbusting: Anti-Virus Research considered dangerous

Everyone doing research in information security or doing any work in this field takes some risks. Since most of the „cyber stuff“ is black magic to others not working in this context, there are a lot of problems and severe misunderstandings. The Crypto Wars still haven’t been decided in favour of mathematics. Real people prefer end-to-end encryption over insecure communication all of the time. Proposals of severely damaging information security for all of us by using sanctioned malicious software are still being debated in parliaments. Backdoors, covert or otherwise, are no line of any defence, as many military strategists will readily tell you. Marcus Hutchins was in the news recently, because of claims that he developed a strand of malware tied to attacks on financial institutions. While you can debate all you want about the charges, this case has the potential to set a dangerous precedent for information security researchers. This is why we have translated the article titled Anti-Virus-Spezialisten werden von US-Justiz kriminalisiert written by Erich Möchel:

Anti-Virus Specialists criminalized by US Justice

Marcus Hutchins, who has put a stop to the “WannaCry” outbreak through a risky action, will be brought to court this week in Wisconsin. His “criminal offenses” are so incompetently formulated that according to the indictment every security investigator would have one foot in jail.

The arrest of British security expert Marcus Hutchins a week ago, including the charge of production and distribution of Trojan malicious software in the US, has triggered a real shock wave in the industry. The “offenses” listed in the indictment are formulated in such a way that “all security researchers of anti-virus companies have one foot in US prison” said Viennese security technician Michael Kafka to ORF.at.

Since then, “good” hackers (“white hats”) – mainly from Great Britain – have stopped to co-operate with government agencies. Because Hutchins case demonstrates, how a “white hat” can quickly get caught in the crossfire at a time when state actors and malware criminals (“black hats”) are less and less distinguishable. Hutchins (23) achieved world fame at the end of 2016, when he stopped the devastating outbreak of the “WannaCry” software single-handed in a risky action.

Criminals, Cops, Agents, Security Researchers

The arrest of Hutchins on his return from the security conference DefCon in Las Vegas a week ago is apparently due to the raid on the infamous illegal website AlphaBay, which disappeared a few weeks ago from the TOR network. The site was frequented mainly by criminals of all kinds, the rest of the audience consisted of covert investigators, agents of various secret services, and security researchers.

“That Whitehats are getting patterns of malicious software through such sites, and then testing them in lab environments, is simply part of their work. It is also important to share the findings with other security researchers and to discuss them in order to develop counter-measures. Especially Marcus was known to share his results very freely, and this accusation was apparently constructed from it“, says Michael Kafka.

A Trojan Video

Kafka has been interested in Hutchin’s work since 2013, he also met him during the 44CON security conference in the autumn of 2016 in London for a lengthy exchange of ideas.
In the indictment, Hutchins is accused ,among other things, of writing the Trojan “Kronos” in 2014 and producing an instructional video. Both claims are especially ridiculous because of the fact that instructional videos for malicious software are virtually never made by criminals, but always by their antagonists.

At the time between the middle of 2014 and the summer of 2015, to which the indictment refers for several similar “offences”, the then 20-year-old Hutchins has already been a new shooting star of the worldwide security scene. Hutchins’ work had contributed significantly to rendering the Botnet “Caberp”harmless – a Botnet attributed to notorious Russian criminals – and have it thoroughly analysed.

Expert shakes his Head in Disbelief

“No criminal would put the the results of analysis of malicious software up for public discussion”, Kafka said and shook his head in disbelief: “Criminals do the opposite. Public attention is ruinous for their business, which is based on undetected security gaps. And for this very reason there never has been the slightest suspicion that Marcus could work for the other side.” However, Hutchins openness could have caused his downfall, because one of the charges obviously refers to his work on so-called “rootkits”, malicious software for the camouflage of an espionage Trojan.

Apparently, unknowns used a few routines of his malicious software demonstration for their purposes, Hutchins himself publicly announced in an angry tweet in 2015. Such malware demos of security researchers are only isolated modules of a malicious software suite, the code of which is modified for demonstration purposes to explain its operating principle. From a technical point of view, this software is used to modify malicious software, which by itself can not be used to do anything bad.

The Charge in Wisconsin

Now this turned into a count of an indictment in the US state of Wisconsin, where another defendant resides, with which Hutchins had then communicated via AlphaBay. He is said to have offered a version of the lesser-known Trojan “Kronos” for sale, which contained modified elements of Hutchins code. Therefore, absurdly, Hutchins is now accused of being the author of the “Kronos” malware – which originates from the circle of Russian criminals – and of being involved in the sale. At the time, Hutchins was involved in the takedown of another large Botnet.

It’s rather likely that the enraged tweet mentioned above was directed at this unknown communication partner on AlphaBay, when Hutchins realized that his modified “hooking engine” had been built into malware by criminals. A “hooking engine” is a code for an entry point in an operating system to execute commands thereon. The possible applications for such an auxiliary software are numerous.

How “WannaCry” was stopped

The fact that Hutchins, in general, handled malware in a nonchalant way with a hands-on approach was shown in the case of “WannaCry”. On the day of the outbreak of the “WannaCry” worm, which paralysed in particular control computers for medical devices of British hospitals in series and brought logistics centres and production plants to a halt, Hutchins had quite quickly received a copy. When he first skimmed over the code, he found an Internet domain open in the code, which was not assigned and which, without further ado, he registered in his name.

“This was a very risky action. In the middle of such a malware explosion to be seen as the owner of a central element of this attack, is not everyone’s cup of tea,” says Kafka.

“The installation of the malicious software in an isolated network would have been the safe way to work out what the function of this domain was. But that would have taken several hours.”
By performing the same action in the wild, Hutchins, to his own amazement, had hit the “emergency stop switch” of the “WannaCry” software. The command-control servers, which directed the outbreak, regularly queried this domain. When it was suddenly no longer free, “WannaCry” stopped its own distribution.

„WannaCry“ & „Petya“, Courtesy NSA

“Such a ‘killswitch’ is a clear indicator of governmental malicious software, which usually also includes de-installation routines. To remove traces is paramount to state actors. For Criminals, on the other hand, this tends to be a minor matter” Kafka continued. The WannaCry worm (malicious software that replicates itself in order to spread to other computers is called a “worm”) came with an encrypted exploit for a capital Windows security gap, which captured computer in the infected net in a flash.”

NSA Malware hit the NATO Partners

The same or another military “cyber” group used NSA’s malicious software to shake the UKs healthcare system, pharmaceutical companies and logistics companies from Scandinavia (“WannaCry”), and then the energy supply of the Ukraine (“Petya”). It seems Hutchins has directly landed himself in a “cyber” skirmish between East and West. Therefore, other reasons than mere incompetence of US prosecutors, who can not even distinguish between black and white, might be involved in his arrest a week ago in Las Vegas.

Hutchins was released from prison in Las Vegas on Tuesday, but now he has to go to court in Wisconsin, where the unknown co-defendant, who made windy deals with small criminals over the allegedly so impenetrable “Darknet”,is imprisoned.

More on this Topic

DeepSec 2017 Preliminary Schedule published

After two weeks of intense reviewing we have published the preliminary schedule for DeepSec 2017. There are some blanks to fill, but this will be done in the coming weeks. We still have to do some reviews and wait for the speaker’s confirmation.

In case you noticed, the ROOTS track is not filled yet. The call for papers was extended to 26 August. This means the ROOTS schedule will be published at the end of September. We have to give the programme committee ample time to review all submissions. So if you want to present your research at ROOTS 2017, please ready your submission. Science first!

Decline of the Scientific Method: New (Austrian) “Trojan” Law without Technical Expertise

The Crypto Wars are still raging despite everyone relying on secure communication. Everyone means everyone. The good thing is that mathematics still works, even though some people wouldn’t want it to. The latest cryptographic review comes from Amber Rudd, the current UK Home Secretary. She said recently: “Real people often prefer ease of use and a multitude of features to perfect, unbreakable security.” The corollary in turn states that DeepSec conferences aren’t attended by real people. Since we are not yet a purely robot-based event, there is something wrong with this approach to secure communication. The common denominator is simply the lack of technical expertise. There is no surprise there. Ever since the Internet was discovered by the rest of the world (which was in the 1990s, don’t get fooled by web sites who claim to have invented the Internet), politics, government, and society struggles to keep up. This is exactly why we constantly emphasise that DeepSec tries to bring together the world’s most renowned security professionals from academics, government, industry, and the underground hacking community – things go horribly wrong without experts who use and understand what science means. Hence our motto for DeepSec 2017 – Science First!

In order to illustrate how thing can go wrong, we have translated an article by Erich Möchel, a journalist specialised in all things digital. The original text was published at the FM4 web site and is called Neues „Trojaner“-Gesetz ohne technische Expertise.

New (Austrian) “Trojan” Law without Technical Expertise

By Erich Möchel

As the explanatory notes on the draft show, the convened expert group served mainly to legally secure the access rights of the police. There were no technicians among them.

As part of the “security package” of the federal government, which has been in appraisal since Monday, the use of police Trojans takes a central position. Ten out of a total of 16 pages of the explanatory notes on the new Code of Criminal Procedure concern the use of malicious software by the police. In order to implement this new, technically complex measure correctly, a high-level expert committee, consisting exclusively of lawyers, was convened.As a matter of fact, the subject matter of the discussion was only the legal basis, primarily the legal delimitation of the monitoring of encrypted communications in an “online search”. The legal hurdles for the search of a computer are significantly higher than for monitoring communications. The text not even mentions that both types of monitoring use the same type of Trojan malicious software.

“A kind of communications monitoring”

Apart from the lack of an assessment of its technological impact, the explanatory notes to the draft show that apparently no technicians were involved in this bill. In sum, the draft contains only one technically exactly formulated passage – which concerns a completely meaningless and therefore misleading fact – otherwise it’s just an abstract requirement catalogue of lawyers. And its foundation is based on basic assumptions, which are technically simply not tenable. One example of this is the juridical demarcation of an “online search” and “communications monitoring” which dominates the entire Trojan chapter.

Which Aspect was discussed

After a lengthy legal discussion, whether the “technical process of such an encryption can be considered as part of the transmission”, the convened experts arrive at the conclusion that this is indeed the case. The use of such a “software” is therefore “to be regarded as a kind of communications monitoring”, and could therefore be “delimited from online monitoring”. Thus “only the requirements of the secrecy of telecommunications must be met, but not the (more qualified) requirements of the IT fundamental right”, states the expert group.

This “IT fundamental right” is derived directly from Article 8 of the European Convention on Human Rights and demands a higher threshold for access of prosecutors. Thus, the fundamental rights of all Austrian citizens were discussed only in the light of the fact that state access should be facilitated as much as possible. Already the monitoring of traffic and conversations gets approved easily even in the case of minor offences. The conclusio of the experts on this point: It is therefore important “that a software is used, which [recognizes and] decodes only transport encryption”.

What a Trojan does

This is exactly what a Trojan doesn’t do, no matter, whether it is called “communications monitoring” or an “online search”. To operate at all, the malicious software must first take over the operating system of the terminal device, because a Trojan has to have administrator rights. It already needs that in order to install various auxiliary programs from a hidden server of the police authority on the monitored PC or smartphone. This involves massive interventions in the operating system and the storage media of the device, which must also be searched in order to identify anti-virus programs. In addition to the search for “digital fingerprints” of already known malicious software (“virus signatures”), anti-virus softwares also analyze the behaviour of installed software through heuristic methods.

Trojan twins

This is why every professional malicious software downloads a so-called “rootkit”, which deeply interferes with the operating system of the smartphone or PC in order to deceive anti-virus apps and conceal the technical processes on the device from the user. What the Trojan actually taps, depends solely on the features of one and the same software. In a whole series of completely identical functions, there is only one feature, and it’s technically trivial, which distinguishes the “monitoring Trojan” from the “communications Trojan”: The latter can not access files stored by the user himself.

However, on how private files could be identified as such without searching the storage medium the experts remain silent. The Ministry of Justice emphasizes that this is “technically possible,” the experts say measures must also be “practicable” and “target-oriented” and include “preventive measures against dispersed / collateral damage and provide effective abuse control”.

“Technically possible, practicable, precise”

Technically it is, of course, possible to program such a malware suite, and as the ongoing trojan attacks by criminals using blackmail software show, it is also “practicable” to contaminate a device over the Internet with a Trojan. How “target oriented” it is, however, to try to apply a Trojan to a certain terminal device via a mobile network, in which the IP addresses of tens of thousands of active terminals constantly change, is highly doubtful. In the only – at least to some extent –  technically meaningful passage of the whole explanation, it is not entirely clear whether this is a matter of blank ignorance or deliberate deception.

Hardware keylogger forbidden, software keylogger allowed

Literally, it says: “Only the installation of a program in the computer system” is permissible. “Other technical possibilities such as, for example, the collection of electromagnetic radiation “is firmly prohibited.

This method from the nineties has become obsolete since the disappearance of tube screens. In addition, “the incorporation of hardware components into the computer system (eg a” keylogger “) is not permitted, in spite of the fact that hardware keyloggers are probably only still available in technical museums. However, the explanations are silent on the legality of software keyloggers, because without such a function, a Trojan could not make any recordings of WhatsApp chats, and then transfer them to a command-control server of the authorities.

DeepSec 2017 Schedule, ROOTS, and Closing of Call for Papers

Thanks a lot for your submissions! We are currently in the final phase of the review. Expect the first draft of the schedule for the end of the week. Important: Don’t forget that the Call for Papers for the 1st Reversing and Offensive-oriented Trends Symposium 2017 (ROOTS) is still open and was extended to 15 August 2017! Please submit and help us to put more science into infosec! Given the headlines in the IT (security) news we need all the facts we can get.

Last Call – DeepSec 2017 “Science First!” – Call for Papers

Today our Call for Papers for DeepSec 2017 (motto Science first!) officially ends. We are still up to our necks in submissions, but if you have content and want to join, then make sure you submit now! All in-time submissions will be preferred over the ones that missed the d(r)eadline!

The call for papers for the 1st Reversing and Offensive-oriented Trends Symposium 2017 (ROOTS) still runs until 5 August 2017. Make sure you don’t miss this deadline in case you want to beef up the science content of infosec!

Our reviewers love to hear from you!

Unicorns in the Wild – Information Security Skills and how to achieve them

Everyone talks about information security, countering „cyber“ threats, endless feats of hackers gone wrong/wild, and more epic stories. Once you have realised that you are reading the news and not a script for a TV series, you are left with one question: What are information security skills? The next question will probably be: How do you train to be „information secure“? Let’s take a look at possible answers.

First of all, yes, you can study information security or security-related topics. Universities, schools, and companies offer lectures, training, exercises, etc. Great. However it may not help you right away. We talked with top quality head hunters from a nameless big corporation. When they look for infosec specialists, they filter for anyone having worked in three different fields related to computer science (applied or otherwise) for at least two to three years respectively. Tunnel vision is not what you want when dealing with a complex infrastructure of hardware and software, some under your control, some parts belonging to someone else. One of the best combinations is system administration, software development, and support (the level is not important, but you have to talk to actual people about actual IT problems).

Once upon a time system administrators were generalists. Decades ago your first career move into this field was answering yes to the question if there’s someone around who knows computers. It’s still true, only the question also covers Wi-Fi, networks in general, apps, hand-held devices, TV sets, refrigerators, washing machines, coffee machines, vending machines, and almost everything that need electric power and connects to some network. Dealing with this computing stuff gives you a lot of insight into how systems interact, what goes wrong (things will go wrong, trust me, if in doubt look up the meme „down, not across“), how you can fix things, and what things definitely cannot be fixed. You also get your daily dose of coding since no system administrator can survive without scripting things – also known as orchestration or automation, thanks to the cloud gods who invented devops.

Software developers learn how to solve problems by using the programming language of the day. It really doesn’t matter where to begin, as with system administration. Since there exists no general purpose computer or operating system to solve every problem on the planet, there is also no single programming language fit for all purposes. Make sure you understand what kinds of code there are. Having a peek at the processor level doesn’t hurt. Try to understand the ecosystems your software project lives in. There is a plethora of computing platforms out there. Try to understand the reason for their existence, and all the interactions they have with the actual hardware that runs the code. As with system administration things will inevitably go wrong from time to time. Make sure your code can handle the real world – always.

So far we have covered hardware and software. Now for the most important aspect of the information security world: human interaction. All support staff gets more interaction than they can handle, at times. You cannot understand social engineering and how adversaries target the human element of the digital infrastructure if you haven’t experience communication. Support staff shares major problems with system administrators and software developer: misunderstandings, lack of information, working with hypotheses, asking countless questions to get to the crucial information, report containing wrong information, and much more. Dealing with these issues in real-time is a challenge. It will give you a lot of insight into how small problems can turn into big ones.

If you are wondering which way to go, chances are that you already experienced a part of the disciplines described in this article. Provided you still want to deal with information security problems, which can be very frustrating and impossible to solve, you just need to gain more insight into the fields you haven’t got into yet. It’s not easy, but few digital job are. This is also why we have problems answering the question to who attends DeepSec. We aim for the mix of sysadmins, devops, developers, infosec experts, CEOs, CTOs, auditors, architects, and users. You need to see the horizon in order to see the storms coming. And unicorns can’t swim.

DeepINTEL Schedule updated – Psychology and Power Grids

We have updated the schedule for DeepINTEL 2017. The human mind and power grids are both critical infrastructure. Both can be manipulated and switched off, arguably. And most of us use both every day. So this is why we added two more presentations to the schedule.

Stefan Schumacher of the Magdeburg Institute for Security Research talks about Manipulating Human Memory for Fun and Profit. Since memory is crucial for forensics, you should spent some thoughts on this matter. Your brain doesn’t cope well with cryptographically signed timestamps or hashes. Since you need to understand all aspects of the environment, the human psychology is part of every „cyber“ strategy – before and after incidents.

Mathias Dalheimer’s presentation is titled The Power Grid is vulnerable – and it’s really hard to fix this. Anyone familiar with physics won’t be surprised. However the modern power grid is also connected to networks which make things a lot more interesting. The attack vectors keep growing: renewable energy, IoT devices, and electric vehicles have been added to the equation. The talk will dive deep into how our power supply can fail and will most definitely be attacked. Real attacks that have happened in the past will also be discussed.

Make sure to get your ticket to DeepINTEL to join the discussion. Bring electric power and a spare brain!

Malicious Software explores new Business Models – Politics

Malicious software has become a major component of criminal business and geopolitics. In addition it is a convenient explanation for anything one does not want to investigate. Since code always come from somewhere you have to ask yourself many more questions when it comes to infected networks and compromised hosts. What is the agenda of the day? Journalist Erich Möchel has written an article about the arms race regarding malicious software. We have translated the original text from German to English. Expect the state of cyber in your network to rise in the course of the next years.

Arms race with Malicious Software enters a dangerous Phase

The enormous damage done by “Petya” and “WannaCry” can be traced back to a single, reworked tool from the leaked NSA pool of the “Shadow Brokers”. Experts assume that this is only the beginning.

The latest outbreak of malicious software in the past week shows the dangerousness of the new phase the ”cyber” arms race has entered in the beginning of 2017. The core functions of “Petya” – like the ones of “WannaCry” that came before – stem from a large arsenal of high-quality malicious software, which had been developed for the NSA, but fell into the hands of an enemy intelligence service in 2016.

By now there is hardly any doubt that both campaigns were not carried out by criminals but state actors. In addition, the anti-virus industry assumes that these outbreaks were only the beginning and another arsenal could appear on the net. This arsenal of the CIA is already on Wikileaks, where since March new espionage programs are being presented every week.

The semi-leaked Arsenal of the CIA

Julian Assange’s team keeps the programs to themselves, but alongside Wikileaks and the CIA itself, there is a third party,still unknown,who has this convolute of about a thousand espionage programs and digital burglary tools at its command. Whoever has exfiltrated this enormous data set from the intranet of the CIA, which is strictly separated from the Internet, and passed it on, has the same data set at his disposal, also containing all the malicious programs unpublished by Wikileaks.

This is a comprehensive wiki for the “cyber” warriors of the CIA, including manuals, tutorials, and related programs, which are clearly different from those of the NSA. All CIA programs are easy to apply and to use because they have not been written for programmers, but for taught “cyber lateral entrants”. Furthermore, this entire set of malicious software was not written for the systematic complete tapping of data streams à la NSA, but for targeted ad-hoc espionage. For each eventuality, it provides one with simple but suitable auxiliary tools.

“Outlaw Country”

While the NSA prefers meaningless, randomly generated codes for their programs, the CIA’s nomenclature is quite striking. The latest release of Wikileaks published on Friday is called “Outlaw Country” (“Land of the Lawless”) and targets Linux servers and gateways. “OutlawCountry” causes infected computers to route traffic from a company or government network to the Internet via hidden servers of the CIA. Since at the internet gateways and firewallls of large networks SSL / TLS encryption gets routinely broken up in order to enable anti-virus scans of incoming, encrypted data streams, the user’s login data and passwords for any websites can also be tapped.

The case of “Petya” is an example of what can happen if such malicious programs fall into the hands of third parties who want to do something else than just spy. Apart from its name “Petya” has very little in common with an eponymous blackmail software, known since 2015. In the case of the new “Petya”, according to all the malware analysts, first-class “exploit” named EternalBlue, which had been used by the NSA for many years to exploit a serious windows vulnerability, has been combined with new features.

If Money Collection does not work

While EternalBlue was written for specific, “manual” espionage missions against certain networks, Pseudo-“Petya” caused “EternalBlue” to spread independently by the means of a so called “worm”. In whichever internal network machines were identified, which windows systems were not up-to-date, they were captured by the NSA exploit. The camouflage as a blackmail software, however, did not last long after anti-virus experts had found out that the hard disks were not encrypted but formatted, that is, overwritten.

Furthermore, the only software module that did not work at all in this otherwise very efficient attack was the mechanism for collecting the ransom money. Prior to this, “WannaCry” had also proved to be ineffective precisely in that respect. Here too, the collection function was highly deficient. As is apparent from the blockchain data, these two spectacular malware fireworks have gained no more than $ 100,000 in bitcoins around the world. Since all transactions with these bitcoins are traceable, their conversion into real money will be difficult and, above all, diminished by high financial losses.

Control Computer as the real Target

The NSA’s EternalBlue exploit was targeted only at computers with critical control and switching functions, which are usually connected to an internal network, but not to the Internet. This supposedly high security due to separation from the Internet has led to the fact that the security of such control PCs has generally been neglected so far. What happens when people try to save money through extending the maintenance cycles of their service contracts was demonstrated by the British health system, where controllers for medical devices were badly hit by “WannaCry”.

As the “Postmortem” analyses show, the epicenter of pseudo-“Petya” was the Ukraine, the first series of infections mainly concerned computers and switchgear of power suppliers and telecoms there. Through its non-controllable worm function “Petya” afterwards quickly spread to other networks worldwide. The initiators hazarded the consequences of the resulting collateral damage and the “Shadow Brokers” had little scruples to simply publish high-quality digital intrusion tools on the net.

Forecast: Cloudy

In quite the same way – but probably even easier – many individual modules from the digital CIA burglar toolbox could be re-used for other purposes. When it comes to “security” by separating control computers from the Internet, the CIA arsenal also includes a module called “BrutalKangaroo”. Its core function is to bounce over the so-called “air gap” into a physically separated “isle network”, as is typical for systems like the ones used for power plant control.

Digital Security of the Future: Technology and Algorithms alone are no Substitute for Strategy

Unfortunately, you can not rely on antivirus programs when it comes to the security of your own business. Antivirus programs do not read newspapers, they do not attend lectures, they don’t protect you from social engineering or know the meaning of Facebook friends or Twitter tweets. False friends, indeed.

The continuous monitoring and evaluation of threats is the next step in information security. This aspect has always been an important part of digital defense. Today’s discussion often centers around the term Security Intelligence, which unites different approaches. The DeepINTEL is Austria’s first event, which, since 2012, has been taking up this topic – in all its facets, because modern information security is interdisciplinary. Lectures by experts from various fields of science, defence and industry: At DeepINTEL you have the opportunity to strategically rethink your digital protection and improve it decisively.

Internal Threats are often underestimated

The most dangerous threats come from within. That is to say, if modern companies can still distinguish between internal and external at all – social engineering is a dangerous threat, which overcomes any technological barrier. Mostly unintentionally, but in the case of targeted attacks long prepared and deliberately, actions lead to compromised systems or information to be inserted or removed. The presentation of Professor Ulrike Hugl is devoted to classifying internal threats according to motivation and behaviour. Profiles based on current cases will be presented and discussed. From this, you can derive methods for your own defence.

Real-time is no longer good enough

Analysing threats and reacting in real time is no longer enough. Who’s just on a par with the attacker can’t prevent damage. This is true for almost all protection systems currently used in companies and public authorities. An effective defence requires several ways to anticipate the next steps of the opponents and to take action against them in a targeted and coordinated way. Only a few manage to take the next step forward towards the use of adaptive measures. At DeepINTEL, Matthias Seul, an expert from the IBM Protector team will analyse the facts and share his experiences.

Telltale Metadata and Behavioural Patterns

Measurable relationships between entities and behaviour patterns of actors are key information for threat analysis. With ProcDOT, Christian Wojner is presenting a tool in his DeepINTEL lecture that uses malicious software to draw conclusions from the behaviour of the code and compare it. A visualisation based on time stamps and graphs is used, which composes thousands of individual activities into one overall picture. Compared to classical methods this information is much more meaningful because cross-connections between variants of malicious software and activities become visible. The analysis of social networks achieves something similar. Using the example of Twitter there’ll be an impressive demonstration at DeepINTEL on how to visualize the data flow between and the networks of various groups using publicly accessible information (Open Source Intelligence, OSINT). The principle can be applied to the entire spectrum of social media.

Disinformation and Cyber War

Any dispute uses disinformation as a weapon, no matter whether the opponents oppose each other analogously or digitally. The outbreak of the Petya.2017 virus is a good example. The malicious software was never meant to be ransomware. Rather, its aim was to achieve media attention and to spread a specific story. At DeepINTEL Volker Kozok will talk about another highly topical example: He discusses elements of the Russian cyber war strategy by means of the Russian and Ukrainian activities in networks. The borders between cybercrime, hacktivism, and state sponsored actions are blurred, making an easy assignment, as it is portrayed in the media, very difficult. The lecture also illuminates the narratives and Russian propaganda, as they are disseminated in Germany, as well as the role of online trolls and social bots.

Unfortunately, when it comes to information security, a company can not shut itself off from geopolitical events. Antivirus programs do not read newspapers nor attend lectures, so the importance of security events must be taken into account by the IT department.

Seminar Conference

The DeepINTEL conference aims to provide a platform where both experts and users can share and exchange ideas about methods of security intelligence. Modern information security is interdisciplinary because it is about so much more than electronic data processing like back in the 1960s. Delegation in the form of outsourcing only shifts problems and makes you blind to threats. At DeepINTEL you have the opportunity to strategically rethink your digital protection and improve it decisively.

The DeepINTEL conference takes place on 21/22. September 2017 at the Imperial Riding School – A Rennaissance Hotel in Vienna. The preliminary schedule is also available for download.