Management Console Access – Obscurity by Security and vice versa

René Pfeiffer/ February 28, 2021/ Discussion, Security

Every discussion about security sooner or later connects to the wonderful word obscurity. Mentioning security by obscurity is a guaranteed way of losing sight of the facts. It is vital to actually fix weaknesses and introduce strong separation of systems when implementing security. Furthermore, the leakage of useful information to potential adversaries should be eliminated. That’s the theory. Enter the discussions we have witnessed in real life and in the Internet. A common tactic is to strip information from communication protocols that is not needed for transporting the message. Version numbers, host names, addresses, and other pieces of data are often removed when a server answers requests. Especially web applications send a ton of useful information to clients. You can see the structure of the web space, components used for rendering, server systems involved,

Read More

Encryption, Ghosts, Backdoors, Interception, and Information Security

René Pfeiffer/ December 20, 2018/ Discussion, High Entropy

While talking about mobile network security, we had a little chat about the things to come and to think about. Compromise of communication is a long-time favourite. Hats of all colours need to examine metadata and data of messages. Communication is still king when it comes to threat analysis and intrusion detection. That’s nothing new. So someone pointed toward a published article. Some of you may have read the article titled Principles for a More Informed Exceptional Access Debate written by GCHQ’s Ian Levy and Crispin Robinson. They describe GCHQs plan for getting into communication channels. Of course, “crypto for the masses” (yes, that’s crypto for cryptography, because you cannot pay your coffee with it) or “commodity, end-to-end encrypted services” are also mentioned. They explicitly claim that the goal is not to weaken encryption

Read More

DeepSec2018 Talk: Manipulating Human Memory for Fun and Profit – Stefan Schumacher

Sanna/ October 31, 2018/ Conference, Discussion

Manipulating the Human Memory for Fun and Profit, or: Why you’ve never met Bugs Bunny in DisneyLand Hacking is not limited to technical things — like using a coffee machine to cook a soup — but also makes use of social engineering. Social engineering is the (mis)use of human behaviour like fixed action patterns, reciprocity or commitment and consistency. Simple social engineering attacks like phishing mails do not require much preparation, but more complex ones do so. Especially when one wants to set up some kind of advanced persistent threat in the psychological domain. So, besides the psychological fundamentals of social engineering we also did research on human memory, how it works, how it pretty much fails to store what really happened, and how it can be misused for a sinister purpose. The fundamental

Read More

DeepSec 2018 Talk: Security Response Survival Skills – Benjamin Ridgway

Sanna/ October 17, 2018/ Conference, Security

Jarred awake by your ringing phone, bloodshot eyes groggily focus on a clock reading 3:00 AM. A weak “Hello?” barely escapes your lips before a colleague frantically relays the happenings of the evening. As the story unfolds, you start to piece together details leading you to one undeniable fact: Something has gone horribly wrong… Despite the many talks addressing the technical mechanisms of security incident response (from the deep forensic know-how to developing world-class tools) the one aspect of IR that has been consistently overlooked is the human element. Not every incident requires forensic tooling or state of the art intrusion detection systems, yet every incident involves coordinated activity of people with differing personalities, outlooks, and emotional backgrounds. Often these people are scared, angry, or otherwise emotionally impaired. Drawing from years of real-word experience,

Read More

Translated Press Release: Systemic Errors as Vulnerabilities – Backdoors and Trojan Horses

René Pfeiffer/ October 9, 2018/ Conference, Discussion, Press, Security

DeepSec and Privacy Week highlight consequences of backdoors in IT Vienna (pts009/09.10.2018/09:15) – Ever since the first messages were sent, people try to intercept them. Today, our modern communication society writes more small, digital notes than one can read along. Everything is protected with methods of mathematics – encryption is omnipresent on the Internet. The state of security technology is the so-called end-to-end encryption, where only the communication partners have access to the conversation content or messages. Third parties can not read along, regardless of the situation. The introduction of this technology has led to a battle between security researchers, privacy advocates and investigators. Kick down doors with Horses In end-to-end encryption the keys to the messages, as well as the content itself, remain on the terminal devices involved in the conversation. This is

Read More

DeepSec 2018 Talk: Left of Boom – Brian Contos

Sanna/ September 13, 2018/ Conference, Discussion, Security

By Brian Contos, CISO of Verodin: “The idea for my presentation “Left of Boom” was based on conversations I was having with some of my co-workers at Verodin. Many people on our team are former military and some served in Iraq and Afghanistan where they engaged in anti-IED (Improvised Explosive Device) missions. During these conversations I first heard the term, Left of Boom, and the more we discussed it, the more I found similarities with cybersecurity. Left of Boom was made popular in 2007 in reference to the U.S. military combating improvised IED used by insurgents in Afghanistan and Iraq. The U.S. military spent billions of dollars developing technology and tactics to prevent and detect IEDs before detonation, with a goal of disrupting the bomb chain. This is an analog to cybersecurity as we

Read More

Whatever happened to CipherSaber?

René Pfeiffer/ September 11, 2018/ High Entropy

Some of you still know how a modem sounds. Back in the days of 14400 baud strong encryption was rare. Compression was king. Every bit counted. And you had to protect yourself. This is where CipherSaber comes into play. Given the exclusive use of strong cryptographic algorithms by government authorities, the CipherSaber algorithm was meant to be easy enough to be memorised, and yet strong enough to protect messages from being intercepted in clear. It is based on the RC4 algorithm. According to the designer CipherSaber can be implemented in a few lines of code. Basically you have crypto to go which cannot be erased from the minds of the public, because it is readily available. That’s where the name came from. It is modelled after the light sabers found in the Star Wars

Read More

DeepSec Call for Papers Ended – Review Process – Melting Brains – Hard Facts

René Pfeiffer/ August 8, 2018/ Administrivia, Conference

Year by year it is getting harder to review the growing numbers of submissions. Thanks a lot for your contribution! It’s always a pleasure to read what you sent us. We have started to review as soon as you submit, but given the heat and the sheer number of submissions, it will take a few more days. We only have two days of trainings and two days of conference – which isn’t nearly enough. We will try to come up with a schedule that covers current events, science, and threats of tomorrow. Speaking of science, the Call for Papers for ROOTS 2018 is still running! We like to see more solid research in information security. It’s easy to get headlines or flourish on social media, but information security needs to do its homework. This

Read More

Thoughts on the Information Security Skill Set

René Pfeiffer/ July 13, 2018/ Discussion, Security

As mentioned in an earlier blog article we moved our office infrastructure to a new location. Once you use a space for more than a decade things inevitably pile up. So I had to sort through hardware, software (on optical storage hardware and floppy disks), lecture notes from a previous life, ancient project documentation, and notes on ideas for a brighter future. Most things were thrown away (i.e. responsibly recycled), some stuff could be saved by enthusiasts (for example the two old Amigas that were sitting in the basement). All of the things we had to move had a purpose once. The main purpose was to get familiar with technology, accumulate knowledge, and understand how things work. This is essentially the hacker mindset, also found among scientists. Given the many presentations at past DeepSec

Read More

BSidesLondon 2018 Rookie Track Follow-Up

René Pfeiffer/ June 8, 2018/ Conference, Discussion, High Entropy

We would like to share some impressions about the BSidesLondon 2018 Rookie Track presentations. It gets hard and harder to tell which one of the talks is the best. And picking a winner is not the right approach. We do this, because we can only invite one person to DeepSec, and because the intention is to have a motivation to work hard on the presentation. From what we have seen, we were quite impressed. The quality has much improved, also thanks to the tireless efforts of the mentors (if you see someone with a mentor badge, please buy them a drink!). Apart from the 15 minute time slot some talks were hard to distinguish from their bigger cousins in the main tracks. The topics were well-chosen. The mix was great. Every single rookie did

Read More

Big Data Analytica – What Attackers might be after

René Pfeiffer/ June 8, 2018/ Discussion, High Entropy, Security Intelligence

A while ago the Cambridge Analytica issue rocked the news and the online discussions about how personal data and profiles should be used. Frankly the surprise of data being abused comes as a surprise. The terms and conditions of most online portals, services, and platforms contains lots of rights – which you give to the owner of the platform. Once something is concentrated, cached, and accessible to digital evaluation, it will be harvested for its content and context. It’s as simple as that. This has always been the case. Penetration testers (best case) select their targets based on this criterion (among others). What has all of this to do with information security? Well, information security, just as the social media platforms, just can’t do without analysing data. The difference is how to protect and

Read More

Rookie Track – BSidesLondon 2018

René Pfeiffer/ June 5, 2018/ Conference, Security

We are looking forward to see the Rookie Track at BSidesLondon 2018! If you are curious what the rookie have to say, drop by and have a look! Presentations are meant to be heard. Do the newbies a favour and listen to them. They have put a lot of work into their 15 minute talk slot. They deserve an audience. Presenting a topic is hard. You have to understand what you are talking about. Furthermore you need to know a bit extra, because people will ask questions. Richard Feynman once said: If you want to master something, teach it. A great way to learn is to teach. If you have ever conducted a workshop, this will sound familiar. DeepSec sponsors the winner of the rookie track – a ticket to DeepSec 2018 and a

Read More

#efail, Crypto, HTML, PDF, and other complex Topics

René Pfeiffer/ May 14, 2018/ High Entropy, Security

You probably have noticed the #efail hashtag that came with the claim that the crypto world of PGP/GPG and S/MIME is about to end. Apocalyptic announcements were made. The real news is due for 15 May 2018 (i.e. the publication with all the facts). There was even the advice to stop using encryption until more information is known. The authors of the bug claimed that responsible disclosure was being followed. Well, it seems that this is not the case. Judging from the Internet response, the bug depends on the content of the encrypted message, not on the protocol of the encryption or the encryption tools. Lessons learned so far: It is a bug in some mail user client software. It’s all about the content of the message and how it gets interpreted. Responsible disclosure

Read More

Manufacturers integrate Blockchain into Processors to counter Spectre and Meltdown

René Pfeiffer/ April 1, 2018/ Discussion, High Entropy

The Spectre and Meltdown security vulnerabilities gathered a lot of attention in January. Processor manufacturers have rushed to fix the design of the chips and to patch products already in production. The vulnerabilities show that secure design is critical to our modern infrastructure. Computing has become ubiquitous, so has networking. The current fixes change the microcode on the chips. Altering the flow of assembler instructions is bound to have a detrimental impact on performance. There is not much you can do about this – but there is hope. Future generations of processors will have a defence against unknown security vulnerabilities – the blockchain! The past decade in information security has taught us that a pro-active holistic approach to IT defence is not enough. To counter unknown threats you have to go below 0(day). The

Read More

Advanced and In-Depth Persistent Defence

René Pfeiffer/ March 26, 2018/ Discussion, Security Intelligence

The attribution problem in digital attacks is one of these problems that get solved over and over again. Of course, there are forensics methods, analysis of code samples, false flags, mistakes, and plenty of information to get things wrong. This is nothing new. Covering tracks is being done for thousands of years. Why should the digital world be any different? Attribution policy tactics, APT, is part of the arsenal and thus part of the threats you are facing. It has less impact though, because it is only of interest when your defence is breached – and this means you have something else to worry about. Attribution is not useful for defending against threats. While you can use to to „hack back“, this will most probably not help you at all. The main problem with

Read More