DeepSec 2016 is coming! We have set up the Call for Paper manager to accept your submissions for talks and workshops. Keep the „cyber“ distractions low, maximise content. DeepSec is all about hard facts and solid research.
The Internet of Stuff/Things has gained momentum. Given the current IoT security designs, this technology will keep security researchers busy for decades to come. Tell us how to break the smart home of the future.
The Crypto Wars are on again. Forget quantum computers! Think about how crypto will work in the age of golden keys and backdoor privileges. Of course you can also talk about the state of cryptography and post-quantum algorithms. DeepSec has always had a decent crypto content.
We will give you some more ideas on what to submit in the course of the next weeks right here on this blog.
Hope to see you at DeepSec 2016 – the tenth DeepSec conference! Yay!
During the premiere of „A Good American“ we had a chat with journalists. Markus Sulzbacher of Der Standard wanted to know what the implications of the so-called Bundestrojaner would be (literally federal trojan, the colloquial German term for the concept of inserting government malware in order to extract information from a suspect’s computer and telephone devices). The idea is to infect a computer system with malicious software that sits in the background and siphons off the hard-to-get data connected to communication (i.e. messengers, Skype, emails, etc.). We have translated the interview from German to English for you. You can find the original on the Der Standard web site.
Der Standard 12.04.2016
Police praise the software as a “wonder weapon against terror”. But for IT expert René Pfeiffer the planned introduction of governmental spying software is no suitable measure for the fight against crime.
Interview: Markus Sulzbacher
Standard: What speaks against the use of governmental spying software?
Pfeiffer: The use requires a manipulation of the device you’re going to spy on. In combination with an ongoing police investigation any form of manipulation is extremely questionable, regarding the evidential value of information and data extracted this way. A federal Trojan relies on an infrastructure which intentionally keeps computer systems in a state of weakness in terms of information security. It’s like a flat with predetermined breaking points on doors and windows. This goes against all principles of IT Security.
Standard: Is there such a thing like a “controlled” use of state espionage software?
Pfeiffer: You can compare malware to its biological pendants, bacteria and viruses. Everyone who believes in a controlled use of governmental spying software also believes in the controlled use of biological weapons. As soon as such code is set free, it can be examined and used to program new malware.
Standard: How can one protect oneself against a federal Trojan technically?
Pfeiffer: In the end a federal Trojan is governmental malware and behaves exactly like a digital Trojan horse, against which you protect yourself by using anti-virus programs and other software. The target of spy attempts, your very own digital infrastructure, can’t distinguish a federal from a criminal Trojan. The outcome is the same, and since we haven’t been able to get rid of past and existing malware yet, we won’t be capable of protecting ourselves from this one by using technology alone.
Standard: How does one get to know about security gaps, information which is key to programming such spying software?
Pfeiffer: There are companies specialised in the targeted search for and selling of vulnerabilities and exploits of all kinds of software. Efficiency determines the price: You pay a certain price and get information about a particular vulnerability, sometimes including the code to attack it on certain operating systems or applications. Depending on the price, vulnerabilities even come with a warranty: If a security gap has been detected and gets closed, you get a new one for free. Today the trade in vulnerabilities and exploits is socially accepted. It used to be a criminal domain.
Standard: Has there been an incident where the use of a federal Trojan has paid off?
Pfeiffer: I don’t know of a single case where such software has helped to solve or prevent a crime. Anyway, sadly this is not the purpose of these measures, which are called for every time after an act of terror has been committed. They just help to secure the budget for the next few years. Right now IT is sexy, everybody relies upon it: The call for spying software seems more in keeping with the times than the call for more competent personnel and better education. Better still, you don’t have to explain yourself: Digital tools sound like magic, they’re justified by trend. Facts are so yesterday.
Essentially the debate about government-supplied malicious software is the same as with encryption backdoors. The discussion won’t go away by itself. Time to think about the case as Thorsten Benner and Mirko Hohmann from the Global Public Policy Institute (GPPi) in Berlin did. If you have any thoughts, save them for the upcoming Call for Papers for DeepSec.
In case you are forensically inclined, we might have a little Call for Papers email for you. There is a lot of strange code around on the Internet and other networks. Decoding what code does without getting your san(d)box blown apart is a fine art. We are interested in getting in touch with researchers in the field of malicious software and digital forensics. Software developers need to know what you have seen. So if you have some ideas, research, or interesting content, drop us your email address.
The world economy is threatened by a new strain of microorganisms. These so-called cyber pathogens spread via networks and the touch of digital devices. They can also lie dormant for days and months, only to spring to life when the victim’s immune system is at its weakest point. It is widely believed that cyber pathogens can infect the population of a whole country and wipe it completely off the grid of the Earth. Current antidotes can only treat the symptoms. The best way to get rid of the pathogens is to resort to physical means and destroy every surface they can cling to. Amputation of infected tissue also works. Unless security researchers find a suitable vaccination soon, every single one of us is at risk.
The cyber pathogen threat is the reason for an alliance of famous three letter agencies. The Federal Bureau of Investigation (FBI), the National Security Agency (NSA), the US Department of Defense (DoD), and the Centers for Disease Control and Prevention (CDC) have announced that they will pool their resources in order to contain the spread of the microbes. Furthermore a research team will be created to study the characteristics of the cyber pathogens. Experts still lack knowledge about the origin, ways of infection, metabolism, and possible mutations. However all experts agree that the pathogens require electric power, semiconductor material, and a way to transmit their DNA. Infection usually happens airborne (i.e. wireless), by direct contact (i.e. wired), or by touch of infected tissue (i.e. storage media). Some cyber pathogens can also jump species. New lifestyles such as the Internet of Things may strongly accelerate the infection rate and lead to a pandemic.
The FBI has announced that it will ask companies whose consumer products have been infected with cyber pathogens to cooperate. Chip manufacturers have offered their support by publishing ways to disinfect devices. The workaround requires keeping the temperature of processor and memory chips above 100°C / 212°F for more than one hour. It is also recommended to wear gloves at all times when working with keyboards or touch screens. Some people go to extremes and dump their cell phones and SIM cards after a couple of uses to get fresh ones. This strategy is highly recommended for everyone exposed to classified information. For some reason cyber pathogens are attracted to data that is being protected. Researchers believe that the high nutritional value of confidential data is the cause.
We are looking forward to hearing more from the efforts to counter digital bacteria and other threats to mankind.
We already published a Call for Papers for the upcoming DeepINTEL 2016. Here are some thoughts to get your creativity going.
Standard solutions and off-the-shelf products to solve your security needs are remnants of the 1990s. Everything else has gone smart, and that’s how you have to address security problems in the future. NSA director Admiral Michael Rogers told the audience of the RSA Conference 2016 that the NSA cannot counter the digital attacks it faces on its own. GCHQ, the NSA’s British counterpart, has publicly stated that the £860m budget to counter digital adversaries is not sufficient to defend Britain’s digital assets.
Modern digital defence needs a sound foundation of data to base decisions on. You can combat neither a forest fire nor an infectious disease by blindly throwing money at it. You need to defend where it counts, and security intelligence information will be your guide. This is why we would like to recommend the DeepINTEL conference to you. The event is a gathering of experts on this matter, and it is closed to the public. All speakers and participants sign a non-disclosure agreement, so that everyone can talk more openly. DeepINTEL acts as a small and agile think tank where you can openly discuss the state of information and infrastructure security. It’s easy to burn millions of €/$/£ with randomly chosen security measures without getting any improvement.
We are actively looking for smart ideas to do away with Full Take™ and Big Data™. Getting the right intel is key, not collecting as much as you can. If you have some thoughts on this matter, let us know.
For everyone attending DeepSec 2015 we organised a private screening of the film “A Good American”. Everyone else now gets the chance to see this film in theatres beginning on 18 March 2016. Next week there will be the premiere in Vienna, Linz, and Innsbruck here in Austria. Bill Binney will be present himself, and he will answer questions from the audience.
We highly recommend “A Good American” to everyone dealing with information security, regardless of the level. Full take and Big Data are not always the answer to your security challenges. Every gadget around is turning smart, and so should you.
We hope to see you at the premiere here in Vienna next week!
BSidesLondon is coming up. Grab your calendar, mark the dates, and think about content to submit! The Call for Papers runs until 28 March. BSidesLondon is a community-driven event, so it’s up to the infosec community to fill it with decent talks about all things cyber, shiny, and broken (by design). We are looking forward to seeing a great schedule after the CfP ends. Make it happen!
Like the Force, wireless data/infrastructure packets are all around us. Both have a light and a dark side. It all depends on your intentions. Lacking the midi-chlorians we have to rely on other sources to get a picture of the wireless forces in and around the (network) perimeter. At DeepSec 2015 Milan Gabor held a presentation about visualisation of wi-fi packets:
Today visualizing Wi-Fi traffic is more or less limited to console windows and analyzing different logs from an aircrack-ng toolset. There are some commercial tools, but if we want to stay in the Open/Free Source Code (FOSS) area we need to find better solutions. So we used the ELK stack to gather, hold, index and visualize data and a modified version of an airodump tool for input. With this you can create amazing dashboards, correlate some interesting data and do some deep digging for Wi-Fi packets. It gives hackers and also administrators a quick view into Wi-Fi space and offers a range of new possibilities to get interesting data really fast.
One half of the talk will be dedicated to a presentation of how this can be done, telling you about some issues that we had and solutions to them, while the rest of the talk will be demonstrating the true power of our research.
Have a look and implement it for your network!
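The abstract above describes feeding airodump output into the ELK stack. As an added example (not code from the talk or from the aircrack-ng project), here is a small parser for the CSV file that airodump-ng writes (the two-section access-point/station layout), which turns it into flat JSON documents in the Elasticsearch `_bulk` format and derives two quick defender views: open networks on the air, and clients that probe for SSIDs nobody is broadcasting. The CSV sample is constructed; the MAC addresses and SSIDs are made up.

```python
import json

# Constructed sample in the airodump-ng CSV layout: an access-point section and a
# station section separated by a blank line (the real tool writes <prefix>-01.csv).
SAMPLE_CSV = """\
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
00:11:22:33:44:55, 2015-11-19 10:00:01, 2015-11-19 10:05:30,  6,  54, WPA2, CCMP, PSK, -47,      120,       15,   0.  0.  0.  0,   9, ExampleAP, 
66:77:88:99:AA:BB, 2015-11-19 10:00:07, 2015-11-19 10:05:29, 11,  54, OPN,  ,   , -70,       60,        0,   0.  0.  0.  0,   9, OpenGuest, 

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
CC:DD:EE:FF:00:11, 2015-11-19 10:00:12, 2015-11-19 10:05:20, -52,      340, 00:11:22:33:44:55, ExampleAP,HomeNet
22:33:44:55:66:77, 2015-11-19 10:01:40, 2015-11-19 10:04:58, -81,       12, (not associated), CoffeeShop
"""

INT_COLUMNS = {"channel", "Speed", "Power", "# beacons", "# IV", "ID-length", "# packets"}


def _parse_section(section):
    """Turn one airodump CSV section into a list of {header: value} dicts."""
    lines = [ln for ln in section.splitlines() if ln.strip()]
    header = [h.strip() for h in lines[0].split(",")]
    rows = []
    for line in lines[1:]:
        cells = [c.strip() for c in line.split(",")]
        # The trailing ", " after the last column yields an empty extra cell; drop it.
        while len(cells) > len(header) and cells[-1] == "":
            cells.pop()
        # Anything still left over belongs to the last column (probed ESSIDs are comma-separated).
        if len(cells) > len(header):
            cells = cells[:len(header) - 1] + [",".join(cells[len(header) - 1:])]
        row = dict(zip(header, cells))
        for col in INT_COLUMNS & row.keys():
            try:
                row[col] = int(row[col])
            except ValueError:
                pass  # leave non-numeric cells (e.g. "-1" placeholders are fine, blanks are not)
        rows.append(row)
    return rows


def parse_airodump_csv(text):
    """Return (access_points, stations) as lists of flat, JSON-ready documents."""
    sections = [s for s in text.replace("\r\n", "\n").split("\n\n") if s.strip()]
    ap_rows = _parse_section(sections[0])
    st_rows = _parse_section(sections[1]) if len(sections) > 1 else []
    aps = [{
        "type": "ap",
        "bssid": r["BSSID"], "essid": r["ESSID"], "channel": r["channel"],
        "privacy": r["Privacy"], "cipher": r["Cipher"], "auth": r["Authentication"],
        "power": r["Power"], "beacons": r["# beacons"],
        "first_seen": r["First time seen"], "last_seen": r["Last time seen"],
    } for r in ap_rows]
    stations = [{
        "type": "station",
        "mac": r["Station MAC"],
        "bssid": None if r["BSSID"] == "(not associated)" else r["BSSID"],
        "power": r["Power"], "packets": r["# packets"],
        "probed": [p for p in r["Probed ESSIDs"].split(",") if p],
        "first_seen": r["First time seen"], "last_seen": r["Last time seen"],
    } for r in st_rows]
    return aps, stations


def to_bulk_ndjson(docs, index="wifi"):
    """Serialise documents in the Elasticsearch _bulk format (action line, then source line)."""
    out = []
    for doc in docs:
        out.append(json.dumps({"index": {"_index": index}}))
        out.append(json.dumps(doc))
    return "\n".join(out) + "\n"


def summarize(aps, stations):
    """Two quick defender views: open networks, and clients probing for SSIDs not seen on air."""
    seen = {ap["essid"] for ap in aps}
    return {
        "open_aps": sorted(ap["essid"] for ap in aps if ap["privacy"] == "OPN"),
        "leaky_clients": {s["mac"]: sorted(set(s["probed"]) - seen)
                          for s in stations if set(s["probed"]) - seen},
    }


if __name__ == "__main__":
    aps, stations = parse_airodump_csv(SAMPLE_CSV)
    print(to_bulk_ndjson(aps + stations))
    print(json.dumps(summarize(aps, stations), indent=2))
```

The NDJSON output can be posted as-is to the `_bulk` endpoint of an Elasticsearch instance; the index name `wifi` is an assumption. The "leaky clients" view is the part an administrator usually cares about first: a station probing for an SSID that is not on the air is advertising where it has been, which is a policy and awareness issue rather than an attack to chase.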
Network defence starts inside the network, not at the perimeter. Make sure your clients cannot be exploited by players outside your network – not even while operating „normally“.
Routers are everywhere. If you are connected to the Internet, your nearest router takes care of all packets. So basically your nearest router (or next hop, as the packet girls and guys call it) is a prime target for attackers of any kind. Since hard-/software comes in various sizes, colours, and prices, there is a big difference in quality, i.e. how well your router can defend itself. Jose Antonio Rodriguez Garcia, Ivan Sanz de Castro, and Álvaro Folgado Rueda (independent IT security researchers) held a presentation about the security of small office/home office (SOHO) routers at DeepSec 2015.
Domestic routers have lately been targeted by cybercrime due to the huge amount of well-known vulnerabilities which compromise their security. The purpose of our publication is to assess SOHO router security by auditing a sample of these devices and to research innovative attack vectors. More than 60 previously undisclosed security vulnerabilities have been discovered throughout 22 popular home routers, meaning that manufacturers and Internet Service Providers still have much work to do on securing these devices. A wide variety of attacks could be carried out by exploiting the different types of vulnerabilities discovered during this research.
Gentle reminder: The concept of BYOD includes every weak SOHO link on the market. Enjoy thinking about this little fact.
Handling incidents means that you have to handle information quickly. Collecting, collaborating, and getting the right piece of intel in crucial moments is the key. CERTs know this, and this is why there is IntelMQ.
IntelMQ is a solution for collecting and processing security feeds, pastebins, and tweets using a message queue protocol. It’s a community-driven initiative called IHAP (Incident Handling Automation Project) which was conceptually designed by European CERTs during several InfoSec events. Its main goal is to give incident responders an easy way to collect & process threat intelligence, thus improving the incident handling processes of CERTs.
Get your messaging right before you run into a (security) incident.
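To make the collect-and-process idea concrete, here is an added example of the bot-chain pattern that IntelMQ uses: a collector turns feed lines into raw messages, a parser normalises them into flat events, an expert enriches them, and an output stage deduplicates and filters. This is not IntelMQ’s own code; it only borrows the flat field names (`source.ip`, `classification.type`, `time.source`) from IntelMQ’s harmonisation format and wires the stages together with the standard library `queue` module instead of a real message broker. Both feeds and every address in them are constructed (documentation and RFC 1918 ranges), not real indicators.

```python
import ipaddress
import queue
import re
from datetime import datetime, timezone

# Constructed feed snippets (not real indicators): a CSV blocklist and a pasted text dump.
CSV_FEED = """\
# ip,category,first_seen
203.0.113.7,scanner,2016-03-01T10:00:00Z
198.51.100.23,c2,2016-03-01T11:30:00Z
10.0.0.5,malware,2016-03-01T12:00:00Z
203.0.113.7,scanner,2016-03-01T10:00:00Z
"""

PASTE_FEED = """\
dumping today's hits
host 192.0.2.44 is serving a phish at /login.html
garbage line without an address
host 10.0.0.5 again
"""

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# RFC 1918 space: an "indicator" in here is almost always a feed error or an internal address.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def collect(feeds):
    """Collector bot: emit one raw message per usable feed line (feed name + line)."""
    out = queue.Queue()
    for name, text in feeds.items():
        for line in text.splitlines():
            if line.strip() and not line.startswith("#"):
                out.put({"feed.name": name, "raw": line})
    return out


def parse(raw):
    """Parser bot: normalise a raw line into a flat event, or None if nothing usable."""
    line = raw["raw"]
    if raw["feed.name"] == "csv-blocklist":
        ip, category, seen = [c.strip() for c in line.split(",")]
        return {"feed.name": raw["feed.name"], "source.ip": ip,
                "classification.type": category, "time.source": seen}
    m = IPV4.search(line)  # free-text feeds: pull out the first IPv4 address, if any
    if not m:
        return None
    return {"feed.name": raw["feed.name"], "source.ip": m.group(0),
            "classification.type": "phishing" if "phish" in line else "unknown",
            "time.source": None}


def enrich(event):
    """Expert bot: validate the address, flag RFC 1918 space, and stamp the observation time."""
    try:
        addr = ipaddress.ip_address(event["source.ip"])
    except ValueError:
        return None
    event["source.ip_is_internal"] = any(addr in net for net in RFC1918)
    event["time.observation"] = datetime.now(timezone.utc).isoformat()
    return event


def run_pipeline(feeds):
    """Wire collector -> parser -> expert -> output through queues, deduplicating on (ip, type)."""
    q_raw = collect(feeds)
    q_parsed, q_enriched = queue.Queue(), queue.Queue()
    while not q_raw.empty():
        ev = parse(q_raw.get())
        if ev:
            q_parsed.put(ev)
    while not q_parsed.empty():
        ev = enrich(q_parsed.get())
        if ev:
            q_enriched.put(ev)
    seen, output = set(), []
    while not q_enriched.empty():
        ev = q_enriched.get()
        key = (ev["source.ip"], ev["classification.type"])
        if key not in seen:
            seen.add(key)
            output.append(ev)
    return output


def actionable(events):
    """Output-side filter: internal addresses must never reach a blocklist or a ticket unreviewed."""
    return [e for e in events if not e["source.ip_is_internal"]]


if __name__ == "__main__":
    for ev in actionable(run_pipeline({"csv-blocklist": CSV_FEED, "paste": PASTE_FEED})):
        print(ev["source.ip"], ev["classification.type"], ev["feed.name"])
```

The two points worth taking from this are the ones that bite in real incident handling: the same indicator arrives from several feeds and must be deduplicated before anyone acts on it, and a feed will sooner or later contain an address from your own address space, so the pipeline has to flag that before it reaches a firewall or a ticket queue.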
Testing the defences of a network, applications, or infrastructure can be tough. Often you spend many days, and the results are not proportionate to the time spent. How do you assess success when doing penetration testing? How to test, what tools to use, and who should be doing the testing? Johnny Deutsch has some answers for you. He held a presentation at DeepSec 2015 about this topic.
We recommend watching this presentation to everyone thinking about requesting a penetration test or, of course, everyone actually doing these tests.
Software development has made tremendous progress in the past decades. Tools to develop and to deploy applications have evolved. The trouble is that these tools often lack security design. Attacks on software distribution channels such as update servers, package managers, and ISO downloads have been discussed widely in the past. What about the new kids on the block? Continuous Integration (CI) tools provide excellent attack surfaces due to no/poor security controls, the distributed build management capability and the level of access/privileges in an enterprise.
At DeepSec 2015 Nikhil Mittal looked at the CI tools from an attacker’s perspective, using them as portals to get a foothold in a target’s network and for lateral movement. He showed how to execute attacks like command and script execution, credentials stealing, and privilege escalation; how to not only compromise the build process but the underlying Operating System and even entire Windows domains. No memory corruption bugs need to be exploited and only the features of the CI tools are used.
Amazing what modern technology can do. Make sure you know about it if you are connected to any continuous integration tools.
Unfortunately the Internet doesn’t follow the rules of economic theory. Unlimited growth is a myth best kept for feeding your unicorns. Of course, the Internet has grown, but the mathematics and physics behind network flows stay the same. If your pipe is full, then you are going nowhere. This is why Distributed Denial of Service (DDoS) attacks still work. You can counter or evade these attacks, but they can still happen. We invited Dave Lewis of Akamai to DeepSec 2015 to hear his view on the current state of affairs where DDoS is concerned.
For the record: DDoS is not hacking and no hacking attack. Spread your „cyber“ somewhere else.
Given that reconnaissance is the first step of a successful attack, anonymity has become more important than ever. The Invisible Internet Project (I2P) and the TOR project are prominent tools to protect against prying eyes (five or more). TOR is widely used. Users of anonymity services will notice that the price for extra protection is less speed in terms of latency and probably bandwidth. Researchers have published a method to attain high-speed network performance, called HORNET. In the words of its authors: HORNET is designed as a low-latency onion routing system that operates at the network layer, thus enabling a wide range of applications. Our system uses only symmetric cryptography for data forwarding yet requires no per-flow state on intermediate nodes. This design enables HORNET nodes to process anonymous traffic at over 93 Gb/s. At DeepSec 2015 Chen Chen explained how it works.
We are looking forward to hearing more from HORNET implementations in the future.