Scanning for TR-069 is neither Cyber nor War

René Pfeiffer/ November 30, 2016/ Discussion, High Entropy, Internet

The Deutsche Telekom was in the news. The reason was a major malfunction of routers at the end of the last mile. Or something like that. As always theories and wild assumptions are the first wave. Apparently a modified Mirai botnet tried to gain access to routers in order to install malicious software. The attacks lasted from Sunday to Monday and affected over 900,000 customers. These routers often are the first point of contact when it comes to a leased line. Firewalls and other security equipment usually comes after the first contact with the router. There are even management ports available, provided the ISP has no filters in place. The TR-069 (Technical Report 069) specification is one management interface, and it has its security risks. Now that the dust has settled the Deutsche Telekom

Read More

Disclosures, Jenkins, Conferences, and the Joys of 0Days

René Pfeiffer/ November 17, 2016/ Conference, Discussion, High Entropy

DeepSec 2016 was great. We have slightly recovered and deal with the aftermath in terms of administrivia. As announced on Twitter, we would like to publish a few thoughts on the remote code execution issue found by Matthias Kaiser. He mentioned the possibility in this presentation titled Java Deserialization Vulnerabilities – The Forgotten Bug Class. First let’s explain some things about how DeepSec runs the Call for Papers, the submissions, and the conference. During the Call for Papers process our speakers send us title, abstract, and mostly an in-depth description of the presentation’s content. This means that we usually know what’s going to happen, except for the things that are actually said and shown during the presentation slot. Since we do not offer any live video streams and publish all presentation slides after we

Read More

DeepSec 2016 – expect 48 Hours of Failures and Fixes in Information Security

René Pfeiffer/ November 10, 2016/ Conference, Discussion

The conference part of DeepSec 2016 has officially started. During the workshops we already discussed a lot of challenges (to phrase it lightly) for infrastructure and all kinds of software alike. The Internet of Things (IoT) has only delivered major flaws and gigantic Distributed Denial of Service attacks so far. There is even a worm for LEDs these days. And we haven started the conference preparations yet. So we have plenty of reasons to talk about what went wrong, what will go wrong, and what we can do about it. The world of information security is not always about good news. Something has to break, before it can be repaired – usually. Systems administrators know this, for some it’s their daily routine. Nevertheless we hope everyone at DeepSec gets some new insights, fresh ideas,

Read More

Screening of “A Good American” in Vienna with Bill Binney

René Pfeiffer/ November 9, 2016/ Discussion, High Entropy, Security Intelligence

There will be a screening of the documentary A Good American in Vienna tomorrow. We highly recommend watching this film, even if you are not directly connected to information security. Threat intelligence has far-reaching consequences, and in the case of the world’s biggest intelligence agency it also affects you. A Good American will be shown at 1000, Village Cinema Wien Mitte, and at 1600, Audimax of the Technische Universität Wien (you need to send an email with a RSVP to attend). All of this takes place in the course of a lecture about the topic. Markus Huber and Martin Schmiedecker have kindly organised everything. Bill Binney will be present, too. So you can directly talk to him and ask him questions. We highly recommend not to miss this opportunity.

DeepSec 2016 Talk: Obfuscated Financial Fraud Android Malware: Detection And Behavior Tracking – Inseung Yang

Sanna/ November 9, 2016/ Conference, Development, Internet, Report, Security

In Korea in particular, hackers have distributed sophisticated and complex financial fraud android malware through various means of distribution, such as SMS phishing, Google play, compromised web servers and home routers (IoT). In some cases, both smartphone and PC users are targeted simultaneously. Inseung Yang and his team collect mobile android malware via an automated analysis system, detect obfuscations and malicious packer apps. In his presentation Inseung Yang will describe trends of malicious android apps and obfuscated mobile malware in Korea. He’ll explain the policy methods for Korean mobile banking and the attack methods used by hackers, f.ex. the stealing of certifications, fake banking apps that require the  security numbers issued to users when they open their accounts, Automatic Response Service(ARS) phishing attacks in conjunction with Call Forwarding, and the requesting of the One Time Password(OTP) number. But

Read More

DeepSec 2016 Keynote: Security in my Rear-View Mirror – Marcus J. Ranum

Sanna/ November 8, 2016/ Conference, Discussion, Security, Stories

Everything that’s old is new again, and if you work in security long enough, you’ll see the same ideas re-invented and marketed as the new new thing. Or, you see solutions in search of a problem, dusted off and re-marketed in a new niche. At this year’s DeepSec conference the keynote will be given by Marcus Ranum, who set up the first email server for whitehouse.gov. He will reflect upon over 30 years of IT security and make a few wild guesses for where this all may wind up. Spoiler alert: Security will not be a “solved” problem. Marcus answered a few questions beforehand: Please tell us the Top 5 facts about your talk. I’ll be talking about how the security market evolves from here. I’ll be talking about the relationship between security and management It’s going to be depressing. I have

Read More

DeepSec 2016 Talk: Systematic Fuzzing and Testing of TLS Libraries – Juraj Somorovsky

Sanna/ November 8, 2016/ Conference, Development, Security

In his talk Juraj Somorovsky presents TLS-Attacker, a novel framework for evaluating the security of TLS libraries. Using a simple interface, TLS-Attacker allows security engineers to create custom TLS message flows and arbitrarily modify TLS message contents in order to test the behavior of their TLS libraries. Based on TLS-Attacker, he and his team first developed a two-stage TLS fuzzing approach. This approach automatically searches for cryptographic failures and boundary violation vulnerabilities. It allowed him to find unusual padding oracle vulnerabilities and overflows/overreads in widely used TLS libraries, including OpenSSL, Botan, and MatrixSSL. Juraj’s findings encouraged the use of comprehensive test suites for the evaluation of TLS libraries, including positive as well as negative tests. He and his team used TLS-Attacker to create such a test suite framework, which finds further problems in TLS libraries. TLS-Attacker is an open source tool, and is currently being deployed for internal

Read More

DeepSec2016 Talk: Smart Sheriff, Dumb Idea: The Wild West of Government Assisted Parenting – Abraham Aranguren & Fabian Fäßler

Sanna/ November 4, 2016/ Conference, Legal, Security, Stories

Would you want to let your kids discover the darker corners of the Internet without protection? Wouldn’t it be handy to know what they do online, to be alerted when they search for dangerous keywords and to be able to control what websites they can visit and even when they play games? Worry no longer, the South Korean government got you covered. Simply install the “Smart Sheriff” app on your and your kids’ phones. Smart Sheriff is the first parental-control mobile app that has been made a legally required, obligatory install in an entire country! Yay, monitoring! Well, something shady yet mandatory like this cannot come about without an external pentest. And even better, one that wasn’t solicited by the maintainer but initiated by the OTF and CitizenLab and executed by the Cure53 team!

Read More

DeepSec 2016: Social Engineering remains the most dangerous Threat to Companies – DeepSec offers a Workshop on the Defence of social Manipulation as part of IT

Sanna/ November 3, 2016/ Conference, Press, Schedule, Training

If you follow the news on information security, you see superlative after superlative. Millions of passwords were stolen. Hundreds of thousands of cameras suddenly became tools for blackmail. Countless data got copied unauthorized. Often, after a few paragraphs, your read about technical solutions that should put a stop to these burglaries. Therefore one forgets that nowadays hermetically locked doors can be easily opened just by a telephone call or an e-mail message. According to a publication of the British Federation of Small Businesses, almost 50% of attacks are social engineering attacks, which means attacks through social manipulation.Thus, investments in technical defense measures remain completely ineffective. Mere security awareness does not help anymore In the past approaches to defend against attacks on the weak spot human being have focused on awareness trainings. But in our

Read More

IT-SeCX 2016: Talk about Relationship between Software Development and IT Security

René Pfeiffer/ November 3, 2016/ Discussion, Veranstaltung

The IT-SeCX 2016 event takes place on 4 November at the St. Pölten University of Applied Sciences LLC. It’s a night of security talks, held by various speakers from the industry, academic world, and other institutions. We will give a presentation exploring the relationship between the fine art of software development and the dark art of information security. We all know about bugs, glitches, error conditions, and flat failures of software design. There are links between the development cycle and the work of information security experts (or sysadmins who always have to deal with things that break). If you deal with any of these professions mentioned, you should drop by and attend the talk. IT-Security Community Exchange 2016, 4 November 2016, at 1915 – Wechselwirkungen zwischen Softwareentwicklung und IT Security FH St. Pölten Matthias

Read More

DeepSec2016 Talk: Of Mice and Keyboards: On the Security of Modern Wireless Desktop Sets – Gerhard Klostermeier

Sanna/ November 3, 2016/ Conference, Internet, Security

Wireless desktop sets have become more popular and more widespread in the last couple of years. From an attacker’s perspective, these radio-based devices represent an attractive target both allowing to take control of a computer system and to gain knowledge of sensitive data like passwords. Wireless transmissions offer attackers a big advantage: you don’t have to be around to attack something or someone. Plus the victims often don’t know what it happening. At DeepSec 2016 Gerhard Klostermeier will present the results of research on the matter of wireless mouse/keyboard attacks. Furthermore you he will demonstrate ways in which modern wireless desktop sets of several manufacturers can be attacked by practically exploiting different security vulnerabilities. We recommend this talk to anyone still using old-fashioned input devices for creating content. Gerhard is interested in all things

Read More

DeepSec 2016 Talk: Assessing the Hacking Capabilities of Institutional and Non-institutional Players – Stefan Schumacher

Sanna/ November 3, 2016/ Conference, Security, Security Intelligence

Cyberwar, Cyberterror and Cybercrime have been buzzwords for several years now. Given the correct context, using cyber has merits. However Cyber-Headlines are full with Cyber-Reports about Cyber-Incidents, Cyber-Hacking and Cyber-Cyber in general. However, that whole discussion does not only suffer from sensationalism of journalists and bloggers, there are also some fundamental problems, says Stefan Schumacher. We are still lacking useful definitions for modern IT security threats and we still have to think about the assessment of capabilities in the IT field.Besides institutional actors like states and their military and intelligence community we also have to assess the capabilities of non-institutional actors like terrorist groups or organised crime. Unlike the assessment of classic military strength (eg. fighting power or Kriegsstärkenachweise), assessing the capabilities and powers of actors in the IT field is much more complicated

Read More

DeepSec 2016 Talk: Why Companies Must Control Their Data in the Era of IoT – and How To – Kurt Kammerer

Sanna/ November 3, 2016/ Conference, Internet, Interview, Security

In his talk Kurt Kammerer addresses any company’s dilemma: The need for data sharing in the era of IoT while at the same time controlling access and ownership. In order to succeed in business, it is imperative to make data available to customers, suppliers and business partners. However, the explosion and the proclaimed free flow of data can turn against an organisation and threaten its very existence, if not professionally controlled. We asked Mr. Kammerer a few questions beforehand. Please tell us the top 5 facts about your talk. The relevance of “data” increases by the day and “data” is imperative to compete. Therefore, it is an asset companies must control. Data ownership is increasingly being challenged in the era of cloud/IoT (who created the data and who actually owns it?) Not exercising enough control

Read More

Why you should attend DeepSec 2016 – Last Call

René Pfeiffer/ November 2, 2016/ Conference

There are many reasons to go to DeepSec this year. It doesn’t matter if you worked on your presentation slides on the way to work, got hacked by a nation state, own a smart device, defused cyber weapons, or simply fight the T-Virus in a hospital. The DeepSec conference is the place to be for exchanging war stories (hey, everyone is at cyber war with someone these days) or talking about ideas to do the next project right. Plus we have to celebrate 10 years of DeepSec conferences! Tickets are still available via our online booking service. In case you have problems booking online, please get in contact with us. We can work something out. Looking forward to see all of you in Vienna next week!

FHOÖ supports DeepSec 2016 Conference!

René Pfeiffer/ November 1, 2016/ Conference

We are glad to announce that the University of Applied Sciences Upper Austria supports the DeepSec 2016 conference! Their motto teaching and learning with pleasure – researching with curiosity fits perfectly to information security. Their courses cover more than just computer science. If you are interested in engineering, economics, management, media, communications, environment, or energy, then you should take a look at their courses. You can talk to students and staff at their booth. They will show your a selection of projects from the field of information security. Don’t hesitate, ask them with curiosity!