Discussion

Putting the Science into Security – Infosec with Style

Posted by on January 27, 2017 at 9:00 am

The world of information security is full of publications. It’s like being in a maze of twisted little documents, all of them alike. Sometimes these works of art lack structure, deep analysis, or simply reproducibility. Others are perfectly researched, contain (a defence of) arguments, proofs of concept, and solid code or documentation to make a point. […]

The Sound of „Cyber“ of Zero Days in the Wild – don’t forget the Facts

Posted by on January 26, 2017 at 11:40 am

The information security world is full of buzzwords. This fact is partly due to the relationship with information technology. No trend goes without the right amount of acronyms and leetspeaktechnobabble. For many decades this was not a problem. A while ago the Internet entered mainstream. Everyone is online. The digital world is highly connected. Terms […]

Putting the Context into the Crypto of Secure Messengers

Posted by on January 21, 2017 at 9:15 am

Every once in a while the world of encrypted/secure/authenticated messaging hits the wall of usability. In the case for email Pretty Good Privacy (PGP) is an ancient piece of software. These days we have modern tools such as GnuPG, but the concept of creating keys, verifying identities (i.e. determining who is to trust), synchronising trust/keys […]

Scanning for TR-069 is neither Cyber nor War

Posted by on November 30, 2016 at 10:53 pm

The Deutsche Telekom was in the news. The reason was a major malfunction of routers at the end of the last mile. Or something like that. As always theories and wild assumptions are the first wave. Apparently a modified Mirai botnet tried to gain access to routers in order to install malicious software. The attacks […]

Disclosures, Jenkins, Conferences, and the Joys of 0Days

Posted by on November 17, 2016 at 1:37 pm

DeepSec 2016 was great. We have slightly recovered and deal with the aftermath in terms of administrivia. As announced on Twitter, we would like to publish a few thoughts on the remote code execution issue found by Matthias Kaiser. He mentioned the possibility in this presentation titled Java Deserialization Vulnerabilities – The Forgotten Bug Class. […]

DeepSec 2016 – expect 48 Hours of Failures and Fixes in Information Security

Posted by on November 10, 2016 at 9:00 am

The conference part of DeepSec 2016 has officially started. During the workshops we already discussed a lot of challenges (to phrase it lightly) for infrastructure and all kinds of software alike. The Internet of Things (IoT) has only delivered major flaws and gigantic Distributed Denial of Service attacks so far. There is even a worm […]

Screening of “A Good American” in Vienna with Bill Binney

Posted by on November 9, 2016 at 11:05 am

There will be a screening of the documentary A Good American in Vienna tomorrow. We highly recommend watching this film, even if you are not directly connected to information security. Threat intelligence has far-reaching consequences, and in the case of the world’s biggest intelligence agency it also affects you. A Good American will be shown […]

DeepSec 2016 Keynote: Security in my Rear-View Mirror – Marcus J. Ranum

Posted by on November 8, 2016 at 5:30 pm

Everything that’s old is new again, and if you work in security long enough, you’ll see the same ideas re-invented and marketed as the new new thing. Or, you see solutions in search of a problem, dusted off and re-marketed in a new niche. At this year’s DeepSec conference the keynote will be given by Marcus Ranum, who set […]

IT-SeCX 2016: Talk about Relationship between Software Development and IT Security

Posted by on November 3, 2016 at 5:30 pm

The IT-SeCX 2016 event takes place on 4 November at the St. Pölten University of Applied Sciences LLC. It’s a night of security talks, held by various speakers from the industry, academic world, and other institutions. We will give a presentation exploring the relationship between the fine art of software development and the dark art […]

DeepSec 2016 Talk: The Perfect Door and The Ideal Padlock – Deviant Ollam

Posted by on October 14, 2016 at 9:31 am

You have spent lots of money on a high-grade pick-resistant lock for your door. Your vendor has assured you how it will resist attack and how difficult it would be for someone to copy your key. Maybe they’re right. But… the bulk of attacks that both penetration testers and also criminals attempt against doors have […]

Firmware Threats – House of Keys

Posted by on September 10, 2016 at 9:45 am

SEC Consult, our long-term supporter, has updated a report on the use of encryption keys in firmware. These hardcoded cryptographic secrets pose a serious threat to information security. The report features 50 different vendors and has some interesting statistics. The results were coordinated with CERT/CC in order to inform the vendors about the problem. The […]

Of Clouds & Cyber: A little Story about Wording in InfoSec

Posted by on September 5, 2016 at 5:15 pm

In case you ever received a message about our calls for papers, you may have noticed that we do not like the word cyber. Of course we know that it is used widely. Information security experts are divided if it should be used. Some do it, some reject it, some don’t know what to do […]

Information Warfare: “Breaking News” considered harmful

Posted by on August 31, 2016 at 4:13 pm

Eight years ago the stocks of UAL took a dive. Apparently a six year old news article resurfaced via Google. Googlebot, which is used to index news sites, confused one of the most popular web articles of The Sun-Sentinel with breaking news. The story contained the words United Airlines Files for Bankruptcy. Unfortunately a software […]

Transforming Secure Coding into Secure Design

Posted by on August 21, 2016 at 6:09 am

Secure Coding is the way to go when you develop applications for the real world. Rename errors and bugs into failures. Turn #fail to #win. Instant karma. In addition there are lots of best practices, checklists, and documents around that will tell you what to anticipate. However the design of an application precedes the code […]

A Perspective on Code and Components – assert(), don’t assume()

Posted by on July 21, 2016 at 12:43 pm

Have you ever looked closely at the tools you use on a daily basis? Taking things apart and putting them back together is an integral part of understanding the universe. Scientists do it all of the time (well, at least some do, there are things that can’t be put together easily once taken apart). So […]