Tag Archive

DeepSec 2016 Talk: Malicious Hypervisor Threat – Phase Two: How to Catch the Hypervisor – Mikhail A. Utin

Published on September 22, 2016 By sanna

The blue/red pill analogy has been used a lot when it comes to hypervisor security and virtualisation. While there are reliable ways to determine if your code runs in a hypervisor or not, the underlying problem still persists. How do you know if the platform your code runs on watches every single move, i.e. instruction […]

Of Clouds & Cyber: A little Story about Wording in InfoSec

Published on September 5, 2016 By lynx

In case you ever received a message about our calls for papers, you may have noticed that we do not like the word cyber. Of course we know that it is used widely. Information security experts are divided on whether it should be used. Some do it, some reject it, some don’t know what to do […]

Digital Naval Warfare – European Safe Harbor Decree has been invalidated

Published on October 8, 2015 By lynx

The global cargo traffic on the Internet needs to revise its routes. The Court of Justice of the European Union has declared the so-called „Safe Harbor“ agreement between the European Commission (EC) and US-American companies invalid. The agreement was a workaround to export the EU Directive 95/46/EC on the protection of personal data to […]

New MJS Article: Trusting Your Cloud Provider – Protecting Private Virtual Machines

Published on June 17, 2015 By lynx

Once you live in the Cloud, you shouldn’t spend your time daydreaming about information security. Don’t cloud the future of your data. The Magdeburger Journal zur Sicherheitsforschung published a new article by Armin Simma (who talked about this topic at DeepSec 2014). The paper titled »Trusting Your Cloud Provider: Protecting Private Virtual Machines« discusses an […]

DeepSec 2014 Talk: Cloud-based Data Validation Patterns… We need a new Approach!

Published on October 28, 2014 By sanna

Data validation threats (e.g. sensitive data, injection attacks) account for the vast majority of security issues in any system, including cloud-based systems. Current methodology in nearly every organisation is to create data validation gates. But when an organisation implements a cloud-based strategy, these security-quality gates may inadvertently become bypassed or suppressed. Everyone relying on these […]

DeepSec 2014 Talk: Trusting Your Cloud Provider – Protecting Private Virtual Machines

Published on September 12, 2014 By lynx

The „Cloud“ technology has been in the news recently. No matter if you use „The Cloud™“ or any other technology for outsourcing data, processes and computing, you probably don’t want to forget about trust issues. Scattering all your documents across the Internet doesn’t require a „Cloud“ provider (you only need to click on that email […]

DeepSec 2013 Video: Pivoting In Amazon Clouds

Published on February 23, 2014 By lynx

The „Cloud“ is a great place. Technically it’s not a part of an organisation’s infrastructure, because it is outsourced. The systems are virtualised, their physical location can change, and all it takes to access them is a management interface. What happens if an attacker gains control? How big is the impact on other systems? At […]

DeepSec 2013 Video: From Misconceptions To Failure – Security And Privacy In The US Cloud Computing FedRAMP Program

Published on February 18, 2014 By lynx

The „Cloud“ is the Fiddler’s Green of information technology. It’s a perpetual paradise built high above the ground where mortal servers and software dwell. Everyone strives to move there eventually, because once you are in digital paradise, then all your sorrows end. So much for the theory. The reality check tells a different story. This […]

DeepSec 2013 Video: Cracking And Analyzing Apple iCloud Protocols

Published on January 17, 2014 By lynx

The „Cloud“ has been advertised as the magic bullet of data management. Basically you put all your precious eggs into one giant basket, give it to someone else, and access your data from everywhere – provided you have a decent Internet connection. Since someone else is now watching over your data, you do not always […]

DeepSec 2013 Talk: Cracking And Analyzing Apple iCloud Protocols: iCloud Backups, Find My iPhone, Document Storage

Published on November 3, 2013 By lynx

The „Cloud“ technology is a wonderful construct to hide anything, because the „Cloud“ itself is no technology. Instead it is constructed out of a variety of different protocols, storage systems, applications, virtualisation and more. So „Clouds“ provide a good cover. Ask any fighter pilot. They will also confirm that the „Cloud“ is a great hunting […]

DeepSec 2013 Talk: Pivoting In Amazon Clouds

Published on October 17, 2013 By lynx

The „cloud“ infrastructure is a crucial part of information technology. Many companies take advantage of outsourced computing and storage resources. Due to many vendors offering a multitude of services, the term „cloud“ is often ill-defined and misunderstood. This is a problem if your IT security staff needs to inspect and configure your „cloud“ deployment with […]

DeepSec 2013 Talk: From Misconceptions To Failure – Security And Privacy In The US Cloud Computing FedRAMP Program

Published on October 16, 2013 By lynx

The „Cloud“ doesn’t stop when it comes to government data. Once government authorities play with outsourcing, a lot more regulations need to be reviewed. Mikhail Utin talks about new results and a continuation of his last presentation at the DeepSec conference: Our second presentation at DeepSec on so named “Cloud Computing” (CC) and associated services (CCS) […]

All Your Clouds are to Belong to Whom?

Published on August 5, 2012 By lynx

There are probably fewer than 5 people on this planet who know what cloud computing really means. The figure might be exaggerated, but while enterprises, consultants and vendors try to figure out the best cloud for their business model, the attackers already take advantage of cloud infrastructure. Let’s disregard climate dependencies and extraordinary political environments […]

Talk: Do They Deliver – Practical Security and Load Testing of Cloud Service Providers

Published on September 13, 2011 By lynx

No technology has produced more hot air and confusion than All Things Cloud™. This is not meant to be the introduction for yet another rant. It serves to illustrate what happens when you talk about complex infrastructure and use too much simplification. The Cloud infrastructure is no off-the-shelf gadget you can buy by the dozen, […]