DeepSec 2017 Talk: Next-Gen Mirai Botnet – Balthasar Martin & Fabian Bräunlein

While you were living in a cave, devices took over the world and got connected to the network. This is the state of affairs we live in right now. As long as nothing happens we don’t notice anything about it. The Mirai (未来) botnet changed this all of a sudden. Consumer devices were drafted into an army of bots. Thanks to the proliferation of networked devices such as cameras, home routers, and others the botnet was very successful. The code was designed to run on embedded devices and is even online for inspection. Let’s take a look at how to improve Mirai.

Badly secured embedded devices enabled the largest DDoS attack on critical networks seen to date: The Mirai attacks in 2016 were largely pegged on Internet-exposed telnet with default credentials. While such telnet accounts are hopefully on their way out, Balthasar and Fabian had a look at the next available hacking options to compromise masses of IoT devices. It turns out that IP cameras can still be compromised remotely in many other ways – even if they are not exposed directly to the internet. In particular, they found issues in communication protocols, control servers and infrastructure design. Balthasar Martin and Fabian Bräunlein found such next-gen Mirai vulnerabilities, and they will demonstrate a number of them. After seeing what we saw, they say, you will have little doubt that there will always be a bot army of compromised embedded devices.

We asked Balthasar and Fabian a few questions about their topic of interest.

Please tell us the top 5 facts about your talk.

Without disclosing all interesting discoveries, here are four that we are really proud of:

  1. Cloud services expose our devices to the Internet, even if we put them behind a firewall.
  2. Cameras come in many shapes and brands, but most of them use one of few cloud services.
  3. It’s 2017 and people still invent proprietary protocols with big security holes.
  4. We learned two things from Mirai that turn out to be insufficient: “do not expose your device directly to the Internet” and “change any default credentials”.

How did you come up with it? was there something like an initial spark that set your mind on creating this talk?

The Mirai attacks last year caught our attention. Given that they were based on open telnet with default passwords, we were curious to know what else was hidden behind the complexity of those devices.

Why do you think this is an important topic?

The discrepancy between what is exploited (consumer devices) and who suffers from attacks (big companies, targeted individuals) is interesting to think about. Device owners usually don’t notice that they are being hacked. On the other end, the victims of DDoS attacks don’t control the device’s security. We think public awareness is especially important here.

Is there something you want everybody to know – some good advice for our readers maybe?

You may want to stay away from cloud-connected devices. In the case of cloud IP cameras, even when everything is properly secured, the vendors can still access your camera feeds, as all information is transmitted via their servers without end-to-end encryption.

A prediction for the future – what do you think will be the next innovations or future downfalls when it comes to particularly your field of expertise / the topic of your talk?

Following the current trend, we think there will be device choices with solid security. Hopefully consumers start considering security more and if so, are able to recognize secure choices. Keeping track of current discussions about stricter liability of the manufacturer will be interesting, but globally, there will always be cheaper, less secure options. We need to keep thinking about DDoS mitigations, too.

Balthasar lives in Berlin where he pursues a Masters in IT-Systems engineering while working at SRLabs. He is fascinated by a world populated by “smart” devices that turn out to be as smart as a slice of bread. After the DDoS on Brian Krebs, he got curious about additional ways to disturb the global Internet matrix.






Fabian studied IT-Systems Engineering at HPI in Potsdam, but was always more curious about taking such systems apart. He now works as a Security Researcher and Consultant at Berlin-based hacker collective SRLabs. Fabians previous talks include hacking payment systems at 32c3 and travel systems at HEUREKA.

DeepSec 2017 Schedule Update, Review Status, Disputes, and Trainings

The DeepSec 2017 schedule is still preliminary. We are almost done, and we have a small update. Some of you have noticed that the schedule featured a training about mobile security. The outline as shown as in the schedule was identical to a different course from a different trainer. We received a complaint, we got the course materials to compare, and it turned out that only the outline of the workshop as shown online was identical, and the original table of contents was not part of the submission we received during the call for papers. The dispute has been settled. The trainer has apologised to the creator of the original table of contents. Nevertheless the trainer has asked to withdraw his submission. This means we will try to replace the slot in the schedule with a similar workshop. Stay tuned.

Please make sure that you do not use any material subject to copyright without permission. The motto of DeepSec 2017 is Science First!. This means that we want to foster the scientific method when people present their research and when they teach. Always use proper citations. Always ensure that everything you say and do can be backed up. We all have seen the presentations with images copied from search engine hits, but you have to check out the source and the legal issues before using them. This saves you and us a lot of trouble.

Thank you for observing all safety procedures. We are looking forward to see you all at DeepSec 2017!

DeepSec 2017 Early Bird Tariff ends on 25 September

The early bird tariff for DeepSec 2017 (and ROOTS) ends on 25 September 2017. We recommend buying your ticket now. Save some money! In addition we ask you to book the workshop you want to visit as early as possible! Every year we see sad faces, because the workshop of your choice had to be cancelled. Our trainers need a minimum number of attendees. Some trainers need to catch flights and spend good parts of a whole day travelling. They can’t come to Vienna if the minimum number of trainees is not met. So do yourself a favour, make up your mind now, and book the training you want to have.

In case you cannot use online payment, let us know. We can invoice the ticket to you directly, if needed. Just drop us an email.

See you in Vienna!

Workshops, Trainings, Talks: DeepSec and ROOTS Schedule Update

As you might have noticed, the DeepSec schedule is not complete yet. Furthermore the ROOTS schedule is not published at all. The reason for this are the still pending reviews. The major part concerns ROOTS. ROOTS is an academic workshop where academic publications are presented. There has been some confusion about the term workshop. In the context of ROOTS this means presentations. This is why we have replaced the word workshops on the DeepSec web site and in (hopefully) all texts with the word training. Trainings are the two-day, well, trainings in advance of the DeepSec conference days. ROOTS features presentations, also called workshops in ROOTS-context, as does the DeepSec conference (on the conference days).

So we have trainings (the two-day training courses; one, the ARM exploit laboratory is for three days, be careful) and presentations. Some ROOTS submissions were not about academic publications, but were really proposals for trainings. We are currently working everything out, collect reviews, and votes on all submissions. Given that the DeepSec schedule is already filled and that the ROOTS reviews take more time (because of content and size of the programme committee), there are some slots left. Soon we have everything sorted out.

And since DeepINTEL is taking place during the next two days, please bear with us. We will update the schedule as soon as possible.

44CON revisited: Secure Design in Software is still a new Concept

We have been to 44CON, and we returned with lots of ideas and scary news about the state of security in devices and applications. Given the ever spreading Internet of Things (IoT) you can see why connecting random devices via a network with no second thoughts about design, updates, or quality control is a bad idea. Don Bailey illustrated this perfectly in the keynote titled The Internet of Us. His presentation touched all of information security, but IoT featured a prominent role. We are really surrounded by the Internet of SIM cards (sadly which we cannot call IoS). This opens up a new perspective and demystifies the IoT hype.

You should watch Matt Wixey’s talk Hacking invisibly and silently with light and sound as soon as the videos are published. Matt discussed hardware hacking with sensors and sound/light sources such as lasers, computer screens, and LEDs. Transmitting data can be done by a variety of means, and you can do a lot with ultrasound or infrared. He also showed how to confuse drones by jamming their ultrasound sonar.

A shorter two hour version of The ARM Exploit Lab by Saumil Shah could be attended as an evening session. Given that the number of ARM processors tops that of x86/x86-64 five or six times, you should really think about getting to know ARM shell code and how exploits work on this platform. Right now finding a device where you can use these exploits is easy to find. In addition most are networked, so you can access them most probably, maybe even by war-dialling thanks to the Internet of SIMs. Or you just attack smartphones. The ways to use your new knowledge is without bounds. If you are interested, there will be a three-day course of The ARM Exploit Lab at DeepSec 2017.

So we enjoyed being at 44CON, meetings friends, and exchanging ideas about infosec. A big thanks to the crew! They made the event really smooth and worked a lot behind the scenes, so that everyone felt right at home. Looking forward to 44CON 2018!

DeepINTEL Conference approaches the next generation of IT Security

Strategic Information Security: Predicting the Present

DeepINTEL Conference presents Approaches to the Next Generation of Security

Many products and approaches of information security are trying hard to predict the future. There is always a lot of talk about threats of the future, detection of attacks before they arise or the magic word “pro-active”.  But the prediction of the future does not benefit your business if the present is still unknown. When it comes to information security this means: Do you now know enough about your current situation to make the right decisions within the next few hours? The DeepINTEL seminar conference, which takes place on 21st/22nd of September in Vienna, focuses on this strategic question.

Analogies distort Perception and Facts

Analogies are often used to illustrate connections. Especially in the areas of IT security, people use a lot of terms from the military sector. “Attack” and “defense” suggests this kinship, but this wording automatically evokes assumptions that are not met. Errors in communication protocols, code, program crashes, or hardware peculiarities are not weapons, no matter how much you stretch your imagination. You can not armour Internet accesses. There are also no bulletproof databases or mailboxes. The analogies quickly break down and obscure what is actually going on – What information about your own infrastructure and communication is available, and what does this data mean in terms of real risks? This knowledge can not simply be bought from service providers, you have to gather it through experience in your own field of business. Companies know their own processes very well, and this knowledge must be integrated into their IT security.

Security Intelligence as a collection of methods

In the media or in advertisements the term security intelligence very often has a different meaning. For security experts “security intelligence” means the knowledge of methods that can be used in an attack, the knowledge of the capabilities of the attacker, and the analysis of open source intelligence in the context of the expected risks. In concrete terms, this means to point out the means used against an organization, which must be neutralized or mitigated by its IT security. This also includes threats outside of technology, internal threats, the search for the right personnel, secure communication behaviour and much more. Security intelligence as a process is the necessary first step before you can start to implement, even begin to discuss security measures. For this reason, companies are hardly concerned with it and rely on external suppliers. DeepINTEL wants to offer you the opportunity to get acquainted with this topic. Some companies have successfully set up their own security intelligence teams, or at least developed methods to not build digital access barriers blindly. Ultimately, your IT security measures become more secure and more accurate.

In particular, areas such as critical infrastructure (energy supply, networks), finance, insurance, transport (freight forwarding companies, public transport, airports), health care or public authorities can benefit by adapting their digital defence to the very risks, they have to face.

Interactions are everywhere

An important topic DeepINTEL focuses on are interactions. In terms of security interactions between people or machines (in any combination) are always critical. No successful attack can do without them. At DeepINTEL presentations will focus on the manipulation of human action, on motivations and the profiles of internal aggressors, as well as on the influence of human memory and the role of propaganda in geopolitical conflicts.

We started out by explaining how important information is – but let’s not underestimate the role of disinformation. It is an important tool of all opponents in information security. The human factor gets passed over  way too often – Personnel departments can’t be protected only by technical means. Who effectively wants to attack an organization  will try to infiltrate and place their own personnel inside the company. One must not forget: Really effective attacks are prepared for months or years. There’s enough time to hire an accomplice or to persuade or blackmail an employee to become an internal threat. Such preparations can’t be traced within the logs of servers and applications: who relies on technology only to defend themselves against attacks are badly prepared.

But of course the technical aspect of IT Security will also be in focus of this years DeepINTEL: The conference features talks about the profiling of malicious software, the weak points of the power supply network, the failure of industrial control systems (SCADA) and human errors related to secure communication systems. Unfortunately there is no area of ​​modern infrastructure where you do not have to look for security gaps. The results presented are derived from actual incidents and real-life security tests – and present a good opportunity to think about setting up your own case studies aided by real information. Such business games are beneficial, just like fire drill exercises, and they help to build up realistic scenarios that your digital defense needs to consider.

DeepINTEL Programme and Registry

Who wants to get into the future undamaged, must master the present. To use misguided analogies one last time: You can win every battle in the digital world and still lose the war. To escape this fate, sign up today to the DeepINTEL conference. There are still a few discounted tickets from the sponsor’s contingent. Contact us and get the booking code – better today then tomorrow.

The current program can be found at the DeepINTEL web site.

You can register directly at the DeepINTEL web site.

DeepSec 2017 Training: The ARM IoT Exploit Laboratory

If the Internet of Things (IoT) will ever leave puberty, it has to deal with the real world. This means dealing with lies, fraud, abuse, exploits, overload, bad tempered clients (and servers), and much more. Analysing applications is best done by looking at what’s behind the scenes. IoT devices, their infrastructure, billions of mobile devices, and servers are powered by processors using the Advanced RISC Machine (ARM) architecture. This design is different from the (still?) widespread Intel® x86 or the AMD™ AMD64 architecture. For security researchers dealing with exploits the change of design means that the assembly language and the behaviour of the processor is different. Developing ways to inject and modify code requires knowledge. Now for everyone who has dealt with opcodes, registers and oddities of CPUs, this is nothing new. Grab the documentation, ready the tools, and start experimenting. There is another way. Let your lab work be guided by an expert who has extensively done this for x86/x86-64 already. This is why we invited Saumil Shah to conduct the training The ARM IoT Exploit Laboratory at DeepSec 2017. Saumil has developed the training to be completely tailored for the ARM architecture.

The all new ARM IoT Exploit Laboratory is a fast paced 3-day intermediate level class intended for students who want to take their exploit writing skills to the ARM platform. The class covers everything from an introduction to ARM assembly all the way to Return Oriented Programming (ROP) on ARM architectures. Our lab environment features hardware and virtual platforms for exploring exploit writing on ARM based Linux systems and IoT devices.

The class concludes with an end-to-end “Firmware-To-Shell” hack, where we extract the firmware from a popular SoHo router, build a virtual environment to emulate and debug it, and then use the exploit to gain a shell on the actual hardware device. The goal is to give you an understanding on how the following topics work on ARM:

  • Introduction to the ARM CPU architecture
  • Exploring ARM assembly language
  • Understanding how functions work on ARM
  • Debugging on ARM systems
  • Exploiting Stack Overflows on ARM
  • Writing ARM Shellcode from the ground up
  • Introduction to Exploit Mitigation Techniques (XN/DEP and ASLR)
  • Introduction to Return Oriented Programming
  • Bypassing exploit mitigation on ARM using ROP
  • Practical ROP chains on ARM
  • An introduction to firmware extraction
  • Emulating and debugging an IoT device firmware in a virtual environment
  • Case Study: From Firmware to Shell – exploiting an ARM router’s embedded firmware

This three day training definitely will save you from the frustration of spending three months with the architecture and compiler manuals on your lap (or second a screen). Plus you can see how to attack an actual firmware from an actual device. Just like in the movies! ☻ We recommend this training for anyone dealing with smartphones or devices in the very near future. You are already surrounded by ARM architecture processors and very definitely use them on a daily basis. So why not do some hard-core testing. Best you do this before the other side does!

Important: Please book as early as possible and bear in mind that this is the only three-day training! Three as in 0,1,2 or 1,2,3. This means the training start one day earlier than the other DeepSec training, i.e. the ARM Exploit Laboratory starts on 13 November 2017, Monday. Remember: Three days.

Saumil Shah is the founder and CEO of Net-Square, providing cutting edge information security services to clients around the globe. Saumil is an internationally recognized speaker and instructor, having regularly presented at conferences like Blackhat, RSA, CanSecWest, PacSec, EUSecWest,, Hack-in-the-box and others. He has authored two books titled “Web Hacking: Attacks and Defense” and “The Anti-Virus Book”.

Saumil graduated with an M.S. in Computer Science from Purdue University, USA and a B.E. in Computer Engineering from Gujarat University. He spends his leisure time breaking software, flying kites, traveling around the world and taking pictures.


DeepSec 2017 Talk: Malware Analysis: A Machine Learning Approach – Chiheb Chebbi

Software has a character. It can be beneficial. It can also be malicious. A networked business world and the Internet of connected individuals make life for malicious software, also known as malware, easier. Just like international travel facilitates the spread of diseases and parasites, the networked globe is a big advantage for malware. Researcher can hardly keep up with the numbers of detected viruses, worms, and trojan horses. So why not let machines look for malware on their own? Certainly automation already benefits the hunt for malicious code. Chiheb Chebbi has some ideas that can help.

Threats are a growing problem for people and organizations across the globe. With millions of malicious programs in the wild it has become hard to detect zero-day attacks and polymorphic viruses.This is why the need for machine learning-based detection arises. A good understanding of malware analysis and machine learning models is vital to ensure taking wise decisions and building a secure environment by being capable of correctly identifying and mitigating such potential threats. During the talk the audience will be introduced to machine learning models in cyber security and explore two different cutting edge models to detect malware and threats as case studies:

First, ‘Hidden Markov Models (HMM) for malware classification’ which is a very useful technique to detect certain challenging classes of malware, starting from the mathematics behind Markov chains, to HMM models training and evaluating clustering results.

The second case study is deep learning malware detection. The audience will dive deep into artificial neural networks and will learn how to build and optimize deep learning networks using machine learning libraries and tools (Tensorflow, Theano, Keras, Scikitlearn, etc.) and will discover how deep learning can be designed for intelligent malware detection.

We are looking forward to see his talk. If you have any connections to malware, you should probably attend, too.


Chiheb Chebbi is an InfoSec enthusiast and Security Researcher with experience in various aspects of Information Security, focusing on investigation of advanced cyber attacks and researching cyber espionage and APT attacks.His core interest lies in “Web Applications security” and “Industrial Control Systems”. 2016 he was included in the Alibaba Security Research Center Hall Of Fame. He gave talks at the 4th Annual BSides Tampa IT Security Conference 2017 Florida USA, Black Hat Europe London 2016, NASA Space Apps Challenge 2015 and 2016, Global Windows Azure Boot camp 2014: Revolutionizing Education using cloud Computing, International Institute of technologies Sfax 2014: Introduction to Cloud Computing, Research Center in Informatics, Multimedia and Digital Data Processing of Sfax 2014: the future of Software industry.

DeepSec 2017 Keynote: Social Science First! – Dr. Jessica Barker

While the schedule is still preliminary, we have already some confirmations from our speakers. We are happy to announce Dr Jessica Barker as the keynote speaker for DeepSec 2017. Information security has a lot to do with interactions. Despite AI (a.k.a. Assisted Intelligence), „smart“ assistants (a.k.a. paper clips on steroids), and a metric ton of gadgets we still have a lot of contact with human beings. Marketing departments and tech people lost in code often forget this. Jessica will give you something to think about which you can’t discuss with Siri, Alexa, the Google AI, or even HAL 9000.

Bruce Schneier popularised the concept in 1999: cyber security is about people, process and technology. Yet almost two decades later, the industry still focuses so much more on technology than the other two dimensions of our discipline. For a long time, when the cyber security community has considered the human nature of cyber security, it has been within the context of a narrative that ‘humans are the weakest link’. In this talk, Dr Jessica Barker will argue that, if that is the case, then that is our failing as an industry. With reference to sociology, psychology and behavioural economics, Jessica will discuss why social science needs to be a greater priority for the cyber security community.

Curious? We are! Get your ticket to DeepSec 2017 and listen to Jessica’s presentation!

Dr Jessica Barker is a leader in the human nature of cyber security. Equipped with years of experience running her own consultancy, she recently co-founded a new cyber security company, Redacted Firm. Her consultancy experience, technical knowledge and sociology background give her unique insight, and she has a talent for translating technical messages to a non-technical audience.

Jessica delivers thought-provoking and engaging presentations across the world, at corporate events as well as practitioner and academic conferences. She also frequently appears on the BBC, Sky News, Channel 4 News, Channel 5 News, Radio 4’s Today programme, Radio 2’s Jeremy Vine show and more. She has been published in the Sunday Times and the Guardian, and frequently in industry press. She is regularly commissioned to write cyber security blog posts, and runs the website, dedicated to cyber security news, information and guidance.

Administrivia: How to access ROOTS and DeepSec 2017

We have received some question on how to attend the presentations of the 1st Reversing and Offensive-oriented Trends Symposium (ROOTS) 2017. It’s very easy. ROOTS is co-hosted with DeepSec 2017. This means if you attend DeepSec, you also attend ROOTS. In turn attending ROOTS gives you also access to the DeepSec conference. So you only need one ticket to access both events.

Bear in mind that our sponsors can give you discount codes for buying tickets. In addition we have a special programme for academics to give you the academic discount for the tickets. Don’t forget: Buying early means saving money! The early bird tariff is still valid until 25 September 2017. After that the ticket price increases. Do us and yourself a favour and book as early as possible. Thank you!

See you at ROOTS / DeepSec 2017!

Mythbusting: Anti-Virus Research considered dangerous

Everyone doing research in information security or doing any work in this field takes some risks. Since most of the „cyber stuff“ is black magic to others not working in this context, there are a lot of problems and severe misunderstandings. The Crypto Wars still haven’t been decided in favour of mathematics. Real people prefer end-to-end encryption over insecure communication all of the time. Proposals of severely damaging information security for all of us by using sanctioned malicious software are still being debated in parliaments. Backdoors, covert or otherwise, are no line of any defence, as many military strategists will readily tell you. Marcus Hutchins was in the news recently, because of claims that he developed a strand of malware tied to attacks on financial institutions. While you can debate all you want about the charges, this case has the potential to set a dangerous precedent for information security researchers. This is why we have translated the article titled Anti-Virus-Spezialisten werden von US-Justiz kriminalisiert written by Erich Möchel:

Anti-Virus Specialists criminalized by US Justice

Marcus Hutchins, who has put a stop to the “WannaCry” outbreak through a risky action, will be brought to court this week in Wisconsin. His “criminal offenses” are so incompetently formulated that according to the indictment every security investigator would have one foot in jail.

The arrest of British security expert Marcus Hutchins a week ago, including the charge of production and distribution of Trojan malicious software in the US, has triggered a real shock wave in the industry. The “offenses” listed in the indictment are formulated in such a way that “all security researchers of anti-virus companies have one foot in US prison” said Viennese security technician Michael Kafka to

Since then, “good” hackers (“white hats”) – mainly from Great Britain – have stopped to co-operate with government agencies. Because Hutchins case demonstrates, how a “white hat” can quickly get caught in the crossfire at a time when state actors and malware criminals (“black hats”) are less and less distinguishable. Hutchins (23) achieved world fame at the end of 2016, when he stopped the devastating outbreak of the “WannaCry” software single-handed in a risky action.

Criminals, Cops, Agents, Security Researchers

The arrest of Hutchins on his return from the security conference DefCon in Las Vegas a week ago is apparently due to the raid on the infamous illegal website AlphaBay, which disappeared a few weeks ago from the TOR network. The site was frequented mainly by criminals of all kinds, the rest of the audience consisted of covert investigators, agents of various secret services, and security researchers.

“That Whitehats are getting patterns of malicious software through such sites, and then testing them in lab environments, is simply part of their work. It is also important to share the findings with other security researchers and to discuss them in order to develop counter-measures. Especially Marcus was known to share his results very freely, and this accusation was apparently constructed from it“, says Michael Kafka.

A Trojan Video

Kafka has been interested in Hutchin’s work since 2013, he also met him during the 44CON security conference in the autumn of 2016 in London for a lengthy exchange of ideas.
In the indictment, Hutchins is accused ,among other things, of writing the Trojan “Kronos” in 2014 and producing an instructional video. Both claims are especially ridiculous because of the fact that instructional videos for malicious software are virtually never made by criminals, but always by their antagonists.

At the time between the middle of 2014 and the summer of 2015, to which the indictment refers for several similar “offences”, the then 20-year-old Hutchins has already been a new shooting star of the worldwide security scene. Hutchins’ work had contributed significantly to rendering the Botnet “Caberp”harmless – a Botnet attributed to notorious Russian criminals – and have it thoroughly analysed.

Expert shakes his Head in Disbelief

“No criminal would put the the results of analysis of malicious software up for public discussion”, Kafka said and shook his head in disbelief: “Criminals do the opposite. Public attention is ruinous for their business, which is based on undetected security gaps. And for this very reason there never has been the slightest suspicion that Marcus could work for the other side.” However, Hutchins openness could have caused his downfall, because one of the charges obviously refers to his work on so-called “rootkits”, malicious software for the camouflage of an espionage Trojan.

Apparently, unknowns used a few routines of his malicious software demonstration for their purposes, Hutchins himself publicly announced in an angry tweet in 2015. Such malware demos of security researchers are only isolated modules of a malicious software suite, the code of which is modified for demonstration purposes to explain its operating principle. From a technical point of view, this software is used to modify malicious software, which by itself can not be used to do anything bad.

The Charge in Wisconsin

Now this turned into a count of an indictment in the US state of Wisconsin, where another defendant resides, with which Hutchins had then communicated via AlphaBay. He is said to have offered a version of the lesser-known Trojan “Kronos” for sale, which contained modified elements of Hutchins code. Therefore, absurdly, Hutchins is now accused of being the author of the “Kronos” malware – which originates from the circle of Russian criminals – and of being involved in the sale. At the time, Hutchins was involved in the takedown of another large Botnet.

It’s rather likely that the enraged tweet mentioned above was directed at this unknown communication partner on AlphaBay, when Hutchins realized that his modified “hooking engine” had been built into malware by criminals. A “hooking engine” is a code for an entry point in an operating system to execute commands thereon. The possible applications for such an auxiliary software are numerous.

How “WannaCry” was stopped

The fact that Hutchins, in general, handled malware in a nonchalant way with a hands-on approach was shown in the case of “WannaCry”. On the day of the outbreak of the “WannaCry” worm, which paralysed in particular control computers for medical devices of British hospitals in series and brought logistics centres and production plants to a halt, Hutchins had quite quickly received a copy. When he first skimmed over the code, he found an Internet domain open in the code, which was not assigned and which, without further ado, he registered in his name.

“This was a very risky action. In the middle of such a malware explosion to be seen as the owner of a central element of this attack, is not everyone’s cup of tea,” says Kafka.

“The installation of the malicious software in an isolated network would have been the safe way to work out what the function of this domain was. But that would have taken several hours.”
By performing the same action in the wild, Hutchins, to his own amazement, had hit the “emergency stop switch” of the “WannaCry” software. The command-control servers, which directed the outbreak, regularly queried this domain. When it was suddenly no longer free, “WannaCry” stopped its own distribution.

„WannaCry“ & „Petya“, Courtesy NSA

“Such a ‘killswitch’ is a clear indicator of governmental malicious software, which usually also includes de-installation routines. To remove traces is paramount to state actors. For Criminals, on the other hand, this tends to be a minor matter” Kafka continued. The WannaCry worm (malicious software that replicates itself in order to spread to other computers is called a “worm”) came with an encrypted exploit for a capital Windows security gap, which captured computer in the infected net in a flash.”

NSA Malware hit the NATO Partners

The same or another military “cyber” group used NSA’s malicious software to shake the UKs healthcare system, pharmaceutical companies and logistics companies from Scandinavia (“WannaCry”), and then the energy supply of the Ukraine (“Petya”). It seems Hutchins has directly landed himself in a “cyber” skirmish between East and West. Therefore, other reasons than mere incompetence of US prosecutors, who can not even distinguish between black and white, might be involved in his arrest a week ago in Las Vegas.

Hutchins was released from prison in Las Vegas on Tuesday, but now he has to go to court in Wisconsin, where the unknown co-defendant, who made windy deals with small criminals over the allegedly so impenetrable “Darknet”,is imprisoned.

More on this Topic

DeepSec 2017 Preliminary Schedule published

After two weeks of intense reviewing we have published the preliminary schedule for DeepSec 2017. There are some blanks to fill, but this will be done in the coming weeks. We still have to do some reviews and wait for the speaker’s confirmation.

In case you noticed, the ROOTS track is not filled yet. The call for papers was extended to 26 August. This means the ROOTS schedule will be published at the end of September. We have to give the programme committee ample time to review all submissions. So if you want to present your research at ROOTS 2017, please ready your submission. Science first!

Decline of the Scientific Method: New (Austrian) “Trojan” Law without Technical Expertise

The Crypto Wars are still raging despite everyone relying on secure communication. Everyone means everyone. The good thing is that mathematics still works, even though some people wouldn’t want it to. The latest cryptographic review comes from Amber Rudd, the current UK Home Secretary. She said recently: “Real people often prefer ease of use and a multitude of features to perfect, unbreakable security.” The corollary in turn states that DeepSec conferences aren’t attended by real people. Since we are not yet a purely robot-based event, there is something wrong with this approach to secure communication. The common denominator is simply the lack of technical expertise. There is no surprise there. Ever since the Internet was discovered by the rest of the world (which was in the 1990s, don’t get fooled by web sites who claim to have invented the Internet), politics, government, and society struggles to keep up. This is exactly why we constantly emphasise that DeepSec tries to bring together the world’s most renowned security professionals from academics, government, industry, and the underground hacking community – things go horribly wrong without experts who use and understand what science means. Hence our motto for DeepSec 2017 – Science First!

In order to illustrate how thing can go wrong, we have translated an article by Erich Möchel, a journalist specialised in all things digital. The original text was published at the FM4 web site and is called Neues „Trojaner“-Gesetz ohne technische Expertise.

New (Austrian) “Trojan” Law without Technical Expertise

By Erich Möchel

As the explanatory notes on the draft show, the convened expert group served mainly to legally secure the access rights of the police. There were no technicians among them.

As part of the “security package” of the federal government, which has been in appraisal since Monday, the use of police Trojans takes a central position. Ten out of a total of 16 pages of the explanatory notes on the new Code of Criminal Procedure concern the use of malicious software by the police. In order to implement this new, technically complex measure correctly, a high-level expert committee, consisting exclusively of lawyers, was convened.As a matter of fact, the subject matter of the discussion was only the legal basis, primarily the legal delimitation of the monitoring of encrypted communications in an “online search”. The legal hurdles for the search of a computer are significantly higher than for monitoring communications. The text not even mentions that both types of monitoring use the same type of Trojan malicious software.

“A kind of communications monitoring”

Apart from the lack of an assessment of its technological impact, the explanatory notes to the draft show that apparently no technicians were involved in this bill. In sum, the draft contains only one technically exactly formulated passage – which concerns a completely meaningless and therefore misleading fact – otherwise it’s just an abstract requirement catalogue of lawyers. And its foundation is based on basic assumptions, which are technically simply not tenable. One example of this is the juridical demarcation of an “online search” and “communications monitoring” which dominates the entire Trojan chapter.

Which Aspect was discussed

After a lengthy legal discussion, whether the “technical process of such an encryption can be considered as part of the transmission”, the convened experts arrive at the conclusion that this is indeed the case. The use of such a “software” is therefore “to be regarded as a kind of communications monitoring”, and could therefore be “delimited from online monitoring”. Thus “only the requirements of the secrecy of telecommunications must be met, but not the (more qualified) requirements of the IT fundamental right”, states the expert group.

This “IT fundamental right” is derived directly from Article 8 of the European Convention on Human Rights and demands a higher threshold for access of prosecutors. Thus, the fundamental rights of all Austrian citizens were discussed only in the light of the fact that state access should be facilitated as much as possible. Already the monitoring of traffic and conversations gets approved easily even in the case of minor offences. The conclusio of the experts on this point: It is therefore important “that a software is used, which [recognizes and] decodes only transport encryption”.

What a Trojan does

This is exactly what a Trojan doesn’t do, no matter, whether it is called “communications monitoring” or an “online search”. To operate at all, the malicious software must first take over the operating system of the terminal device, because a Trojan has to have administrator rights. It already needs that in order to install various auxiliary programs from a hidden server of the police authority on the monitored PC or smartphone. This involves massive interventions in the operating system and the storage media of the device, which must also be searched in order to identify anti-virus programs. In addition to the search for “digital fingerprints” of already known malicious software (“virus signatures”), anti-virus softwares also analyze the behaviour of installed software through heuristic methods.

Trojan twins

This is why every professional malicious software downloads a so-called “rootkit”, which deeply interferes with the operating system of the smartphone or PC in order to deceive anti-virus apps and conceal the technical processes on the device from the user. What the Trojan actually taps, depends solely on the features of one and the same software. In a whole series of completely identical functions, there is only one feature, and it’s technically trivial, which distinguishes the “monitoring Trojan” from the “communications Trojan”: The latter can not access files stored by the user himself.

However, on how private files could be identified as such without searching the storage medium the experts remain silent. The Ministry of Justice emphasizes that this is “technically possible,” the experts say measures must also be “practicable” and “target-oriented” and include “preventive measures against dispersed / collateral damage and provide effective abuse control”.

“Technically possible, practicable, precise”

Technically it is, of course, possible to program such a malware suite, and as the ongoing trojan attacks by criminals using blackmail software show, it is also “practicable” to contaminate a device over the Internet with a Trojan. How “target oriented” it is, however, to try to apply a Trojan to a certain terminal device via a mobile network, in which the IP addresses of tens of thousands of active terminals constantly change, is highly doubtful. In the only – at least to some extent –  technically meaningful passage of the whole explanation, it is not entirely clear whether this is a matter of blank ignorance or deliberate deception.

Hardware keylogger forbidden, software keylogger allowed

Literally, it says: “Only the installation of a program in the computer system” is permissible. “Other technical possibilities such as, for example, the collection of electromagnetic radiation “is firmly prohibited.

This method from the nineties has become obsolete since the disappearance of tube screens. In addition, “the incorporation of hardware components into the computer system (eg a” keylogger “) is not permitted, in spite of the fact that hardware keyloggers are probably only still available in technical museums. However, the explanations are silent on the legality of software keyloggers, because without such a function, a Trojan could not make any recordings of WhatsApp chats, and then transfer them to a command-control server of the authorities.

DeepSec 2017 Schedule, ROOTS, and Closing of Call for Papers

Thanks a lot for your submissions! We are currently in the final phase of the review. Expect the first draft of the schedule for the end of the week. Important: Don’t forget that the Call for Papers for the 1st Reversing and Offensive-oriented Trends Symposium 2017 (ROOTS) is still open and was extended to 15 August 2017! Please submit and help us to put more science into infosec! Given the headlines in the IT (security) news we need all the facts we can get.

Last Call – DeepSec 2017 “Science First!” – Call for Papers

Today our Call for Papers for DeepSec 2017 (motto Science first!) officially ends. We are still up to our necks in submissions, but if you have content and want to join, then make sure you submit now! All in-time submissions will be preferred over the ones that missed the d(r)eadline!

The call for papers for the 1st Reversing and Offensive-oriented Trends Symposium 2017 (ROOTS) still runs until 5 August 2017. Make sure you don’t miss this deadline in case you want to beef up the science content of infosec!

Our reviewers love to hear from you!