It’s April Fool’s Day – 7/24 and 365 Days of the Year

Illustration of conventional comedy and tragedy theatrical masks. Source: https://commons.wikimedia.org/wiki/File:Comedy_and_tragedy_masks_without_background.svg

The first day of April is typically the time when you hide well-written pieces of misinformation to trick people into believing something that isn’t true. We published our share of April Fool’s Day articles in the past. While this was and still is fun, we believe that it is time to break with this tradition. Hiding something that isn’t true within a stream of informative articles or news items has become a major way of influencing opinion. Good comedy does the same, but the outcome is different. Satirical news is a means to criticise by exaggerating or focussing on an issue. The typical audience of comedy expects this. The distinction between satire and reality has almost disappeared in the past decade. So if you are looking for entertainment, there are plenty of other sources which probably work a lot better.

The other motivation is the discussion about facts and figures we had in the past weeks. Unless you have been living in a cave for the past months (which might not be a bad idea after all) you probably heard of Sars-Cov-2 and the Covid-19 disease. The current countermeasures put society and the economy under a big strain. Lacking things to do, people put a lot of effort into the analysis of infected persons, cured persons, patient deaths, and more widely available data. Even if you have the source of the data you are working with, you still need to figure out how the measurement was done. Just because the unit fits, you don’t automatically have data sets that can be compared. You can still do a qualitative analysis, but you cannot predict the future with it. The Internet is full of epidemiological models with varying degrees of relation to reality. Doing scientific research is hard. Getting scientifically sound results under severe time constraints is even harder. While most businesses run fine without academic research, the decisions in their area are often less critical than in health care (or climate research, to mention a wildly unpopular topic). The companies running critical infrastructure are excluded to some extent. However, event logs and history are full of decisions which might have been better informed if time travel were real.

So to give you some kind of summary: Yes, we still like humour, and we still actively support (information security) researchers trying to point out critical flaws in code and design. No, we don’t want to say that things are difficult. They are, but that’s how we wanted it. We just skip making fun of stuff just because the calendar says so. Our calendar says that the call for papers is still open, so please consider submitting your research results for DeepINTEL and DeepSec.

The most important point is our reference on proper (data) science. Measurements only have meaning if you know how the data was obtained, what the error rates are, and how big your sample sizes were. No system administrator will consider your request if you claim that once upon a time in the past the latency between two points in the network was 623 milliseconds and the packet loss was about 23%. Keep this in mind when you read articles drawing highly complex conclusions from a couple of highly doubtful (or error prone) figures. That’s great for gaining followers. Reality just doesn’t work this way.

Status Update with regard to the current Sars-Cov-2 / Covid-19 Emergency

We wrote in an earlier blog article about the current Sars-Cov-2 / Covid-19 emergency. Mathematics and biology didn’t stop, so you (hopefully) live in an area with restrictions regarding crowds and places where people can’t keep a safe distance. We, the organisation team of DeepSec, are in close contact with peers, members of the community, and reliable sources of information regarding countermeasures by the Austrian government.

Given the current state of affairs, the November dates of our events are still in the far future. This means that nothing has changed for our plans. Our calls for papers are still open. The only change will be no marketing messages and advertising for DeepSec and DeepINTEL. We don’t think that a crisis should be used for one’s own advantage. Please stick to facts and verified sources – regardless of what message you want to publish or which information you would like to relay. Disinformation will cost lives, now and in the future. All event and conference organisers have to follow regulations, so everything that happens to current or future events is up to the regulations and the state of your health (and your national health care system).

Please stay healthy, stay sane, and we hope to see all of you as soon as possible!

Translated Article: Coup de grace beat Attackers of the Austrian Federal Ministry for European and International Affairs

Cyberhusarenstück schlug Angreifer im Außenministerium for fm4 by Erich Moechel

[We translated this article, because DeepSec actively supports young talents and students. We are looking for organisation and companies that would like to help us in our support. Furthermore, we like to make Erich’s well-researched and well-written articles available for a wider audience.]

It was young technicians who fended off the dreaded cyber troop Turla. After a short time they cracked the tricky encryption of the Turla Trojan.

The National Security Council, which the NEOS party convened to discuss the cyberattack on the Federal Ministry for European and International Affairs, meets on Friday. NEOS criticise the cumbersome structures in cyber defence and, above all, that it is not ready to work properly. The quick defence against the notorious cyber troop (APT) Turla is not really due to the solid defence structures in Austria.

In this first cyber attack on Austria, the defence relied on improvisation and technical skill. A diverse team of technicians from three ministries had this super-class APT under control after only 10 days. This emerges from new information available to ORF.at. The deciding factor was the coup de grace of young technicians of the Federal Ministry of the Interior who are more hackers than police officers.

Attackers’ Encryption hacked

A very young “Blue Team” from the battered BVT (Office for the Protection of the Constitution and Counter-Terrorism) of all places managed to break the encryption of the data traffic between the Turla Trojan on the Federal Ministry for European and International Affairs network and the command and control servers on the Internet just two days after the intrusion was discovered. This is an astonishing achievement, because the Turla Group is known for constantly changing the algorithms used for encryption and for doing so in an extremely tricky way.

The first challenge was to recognise which encryption method was being used. This allowed the defenders to read the data traffic between the elements of the malware and identify all new modules of the malware that were being reloaded. The match turned after a few days, because from then on the attackers were on the defensive. The Turla team did try to reload another rootkit, but was unable to activate it.

What the Federal Ministry of the Interior does (not) say

Such top-class attacks are only partially automated, so “Red Team” and “Blue Team” actually faced each other directly in the Federal Ministry for European and International Affairs. All of this had already taken place around the turn of the year or in the first week of the new year. Subsequently, the Federal Ministry of the Interior was asked for more information about this technical team of the BVT. “We ask for your understanding that, for operational reasons, no further details about the personnel and investigations will be disclosed,” was the answer, of course, because the news embargo on technical information is still in effect.

However, it also said in addition: “With regard to your request, we may inform you that the staff employed in the BVT’s cyber security area are generally not being recruited from within the police force, but from universities or universities of applied sciences as well as in competitions like this ‘Cyber Security Challenge’.” According to information available to ORF.at, the majority of these BVT technicians had in fact completed the Cyber Security Challenge of the Bundesheer, BKA and Cybersecurity Austria, and among the army technicians who joined them were graduates of this competition as well.

Where did the Defenders come from?

This international talent competition, which Austrian teams have won several times, has been around for ten years. Every year the participants are around twenty years old, mostly from HTLs (Höhere Technische Lehranstalt) and comparable schools or at the beginning of a technical degree. This means that the BVT security technicians and all other graduates were mostly under thirty. The matches of this challenge are all of the type “Capture the Flag” or “Blue Team” (defender) versus “Red Team” (attacker), which is particularly popular with hackers. At the Ministry of Foreign Affairs more or less the same match has been going on, but for real.

The Federal Ministry for European and International Affairs’ network was scanned thoroughly in the five weeks after the Turla group was temporarily neutralized. Artifacts and other traces of Turla were apparently only found on the mail servers, because the attackers had not yet tried to penetrate the internal network of the Ministry of Foreign Affairs. In order to ensure that no further hacked email accounts had been overlooked, the decision was made to reset all passwords in the entire mail system of the Federal Ministry for European and International Affairs. In addition to all embassies, this network also connects all other diplomatic institutions of the Republic.

Strategic Conclusions

One of the most dangerous cyber troops worldwide was neutralized in record time, and much faster than in Germany in 2017. The Austrian cyber strategy has worked perfectly.

It would be a fine thing if this had been the case.

In fact, the Republic was extremely lucky. As shown in the first two parts, a few very favourable circumstances came together from the rapid discovery onwards. As a result, the Turla group was unable to display its dreaded penetrating power. And it was the gentlemen from Turla who battled the defenders with updates for weeks, but are known for not destroying anything on purpose.

The attack has tied up a large part of all state cyber defences available and hit a large, but only one, network. If the clients behind the attack had actually wanted to frighten the Republic for some reason, they would not have sent Turla. In 2015, APT 28 alias Fancy Bear had contaminated the IT of the German Bundestag to such an extent that in the end 20,000 PCs had to be replaced.

While the attack on the Ministry of Foreign Affairs was ongoing, ELAK, the nationwide system of electronic file processing, and more than 300 other large networks in Austria were open for weeks due to a fatal security vulnerability. A single, nicely packaged encryption Trojan would have been enough to paralyse the offices and authorities connected to the ELAK in one fell swoop. If attackers had wanted it, half the republic’s IT would have been on fire.

War Dialing Video Conference Systems

IBM PCMCIA modem, source: https://commons.wikimedia.org/wiki/File:IBM_PCMCIA_Data-Fax_Modem_V.34_FRU_42H4326-8920.jpg

Do you remember the Golden Age of Wardialing? The idea back then was to try calling phone numbers and to see if a computer system answers. This method still works, because you can wardial any system with a suitable addressing scheme. VoIP wardialing is a lot easier since you do not need a modem. You just need to send signalling messages. Video conferencing systems are no exception. They have to do signalling, too. Furthermore, participants of a meeting need to join and leave. For joining there must be a process that authenticates participants. Usually you get a conference identification number and maybe a PIN code. Other systems require an account, so that you have to log in first. Finding conference rooms gets really easy if you just need a URL.

The Bavarian Ministry of the Interior uses a conference system that uses URLs. The scheme of finding a conference or a room is very easy to figure out. It uses https://video.top.url/path/roomnumber where path is a combination of a few letters and roomnumber consists of six digits. This gives you the address space of the virtual conference rooms. Physical rooms have their counterpart in the addressing scheme, and the system is configured to provide permanent discussion slots. The problem was that the authentication was missing (the system now requires a PIN). The German IT magazine c’t has discovered that it was easy to join existing conferences (article is in German) and to listen without being invited.

Due to the current coronavirus outbreak many of us have to rely on remote conferencing systems and similar ways of communication. Even without wardialing or missing authentication, the PIN and conference codes are sensitive data. Some systems allow multiple joins of participants. Members of Anonymous used the credentials of a conference call to “intercept” a discussion between the Federal Bureau of Investigation (FBI) and Scotland Yard. So please be careful when sharing call appointments. Make sure you use a trusted communication channel. Also verify your call peers. Having video helps, but sometimes video information is not what it seems. Likewise, please be very careful when receiving links to conference calls. You might be lured into a fake call by a phishing campaign.
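A six-digit room number behind a predictable URL is exactly the kind of address space that gets wardialed, and the operator of such a system can see the sweep in its web server logs long before anyone listens in. The following is an added example, not code from the original post or from the system described in it: it reads combined-format access log lines, picks out requests for room URLs of the described shape (path segment followed by six digits), and flags clients that touch many distinct rooms in a short window or walk through consecutive numbers. The path segment `conf`, the client addresses and the log lines are constructed sample data; the detection thresholds are assumptions to tune for your own traffic.

```python
"""Detect wardialing-style enumeration of conference room URLs in web server logs."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log format: Apache/nginx "combined" log. The URL scheme follows the post
# (https://video.top.url/path/roomnumber with a six-digit room); "conf" is a made-up path.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})')
ROOM_RE = re.compile(r'^GET /[A-Za-z]{1,8}/(?P<room>\d{6})(?:[/?]\S*)? HTTP/')
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample log: one client sweeps consecutive rooms within seconds,
# a second client joins the same room twice on a normal day, plus noise lines.
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Apr/2020:10:00:01 +0200] "GET /conf/100001 HTTP/1.1" 200 512',
    '203.0.113.7 - - [01/Apr/2020:10:00:02 +0200] "GET /conf/100002 HTTP/1.1" 200 512',
    '203.0.113.7 - - [01/Apr/2020:10:00:03 +0200] "GET /conf/100003 HTTP/1.1" 200 512',
    '203.0.113.7 - - [01/Apr/2020:10:00:04 +0200] "GET /conf/100004 HTTP/1.1" 200 512',
    '203.0.113.7 - - [01/Apr/2020:10:00:05 +0200] "GET /conf/100005 HTTP/1.1" 200 512',
    '203.0.113.7 - - [01/Apr/2020:10:00:06 +0200] "GET /conf/100006 HTTP/1.1" 200 512',
    '198.51.100.20 - - [01/Apr/2020:09:15:00 +0200] "GET /conf/245711 HTTP/1.1" 200 512',
    '198.51.100.20 - - [01/Apr/2020:14:30:00 +0200] "GET /conf/245711/ HTTP/1.1" 200 512',
    '198.51.100.20 - - [01/Apr/2020:14:30:01 +0200] "GET /static/logo.png HTTP/1.1" 200 80',
    'garbage line that is not a log entry',
]


def parse_room_request(line):
    """Return (ip, timestamp, room, status) for a room-join request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    r = ROOM_RE.match(m.group("req"))
    if not r:
        return None  # not a room URL (static files, other paths)
    ts = datetime.strptime(m.group("ts"), TIME_FMT)
    return m.group("ip"), ts, int(r.group("room")), int(m.group("status"))


def longest_sequential_run(rooms):
    """Length of the longest run of consecutive room numbers (duplicates ignored)."""
    nums = sorted(set(rooms))
    if not nums:
        return 0
    best = run = 1
    for a, b in zip(nums, nums[1:]):
        run = run + 1 if b == a + 1 else 1
        best = max(best, run)
    return best


def detect_enumeration(lines, window=timedelta(seconds=60), threshold=5):
    """Per client: distinct rooms, peak distinct rooms inside any window, sequential run.

    A client is flagged when it reaches `threshold` distinct rooms within `window`
    (assumed values; a real deployment tunes them against its own join rate).
    """
    by_ip = defaultdict(list)
    for line in lines:
        parsed = parse_room_request(line)
        if parsed:
            ip, ts, room, _status = parsed
            by_ip[ip].append((ts, room))

    report = {}
    for ip, events in by_ip.items():
        events.sort()
        peak, start = 0, 0
        for end in range(len(events)):  # sliding window over time-ordered events
            while events[end][0] - events[start][0] > window:
                start += 1
            peak = max(peak, len({room for _, room in events[start:end + 1]}))
        rooms = [room for _, room in events]
        report[ip] = {
            "distinct_rooms": len(set(rooms)),
            "peak_in_window": peak,
            "sequential_run": longest_sequential_run(rooms),
            "flagged": peak >= threshold,
        }
    return report


if __name__ == "__main__":
    for ip, summary in detect_enumeration(SAMPLE_LOG).items():
        print(ip, summary)
```

Run against the sample, the sweeping client is reported with six distinct rooms, a sequential run of six and `flagged: True`, while the regular participant stays unflagged. The sequential-run figure is worth keeping as a separate signal: a legitimate client hitting several rooms in a minute is unusual, but one walking through adjacent numbers is almost certainly probing the address space.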

When? Where? What? Introducing https://deepsec.events/

Observer in special relativity, source: https://commons.wikimedia.org/wiki/File:Observer_in_special_relativity.svg

Reading the calendar gets difficult given the many places where people – including us – post dates. Furthermore, we have a habit of not detecting typos and not putting our dates in proper variables and rendering them out to the web consistently. So we created a little jump page called DeepSec Events. On this web site you will find all the most important facts about everything DeepSec. Our graphic designer went a bit overboard, but we hope the design is pleasing to your eyes.

Complexity of Dependencies in Multidimensional Systems – Corona Virus

Illustration created at the Centers for Disease Control and Prevention (CDC). Source: https://en.wikipedia.org/wiki/File:2019-nCoV-CDC-23312_without_background.png

This blog is often silent. Our policy is to publish if there is real information to send out. DeepSec is all about facts. We don’t do speculation. Sometimes it is hard to idly watch “news” being published, revised, withdrawn, altered, commented, and even deleted. We, to the best of our abilities, try not to publish something which doesn’t hold. But we read and watch a lot of articles, opinions, and other sources. For the rare cases where we need to publish our opinion we have created the High Entropy category in this blog. This category is all about the things we like to discuss. This time it’s about biology, containment, and IT security defence. Let’s have a look at the current coronavirus.

We are in touch with various partners in different countries. You may have noticed that we plan the DeepSec 2020 and DeepINTEL 2020 events in November. The planning phase usually starts after our break in December. Given our policy you won’t notice much of it yet, because we publish when we have something to say. The facts are that DeepSec and DeepINTEL will be on 17/18/19/20 November 2020 as scheduled. Our call for papers is open. You can buy tickets in our ticket shops (one for every event) or by requesting an offer and receiving an invoice for your purchase order. That’s the plan. The current events around the spread of SARS-CoV-2 are out of our hands. We can’t do much about which measures individual governments put into place. We can’t say if the long chain of dependencies our conferences rely on gets interrupted – and there are a lot of ifs to check until November. Don’t forget: The influenza viruses no one talks about are dangerous too. If you are prepared for influenza viruses, then you are also prepared for SARS-CoV-2.

Sticking to the facts is actually the bright side. We created all the facts necessary to plan and to announce DeepSec and DeepINTEL 2020. Since 2007 no DeepSec conference has ever been cancelled. We had a close shave with the Lehman Brothers Holdings Inc. crash (which will repeat sooner or later, because nothing has changed structurally in our economy), the eruption of Eyjafjallajökull (we could also talk about future eruptions of other volcanoes which are overdue), and with some efforts by unnamed third parties to make life hard for smaller IT security events (no conspiracy here, just a collision of plans, apparently). Bear in mind that the global and local economy is not designed to handle failures well. In the context of IT security this is a weakness, but the systems are too big to fix.

So we will keep you updated. However, keep your sanity, don’t panic, and stick to the facts. There are a lot of far worse threats out there. Chemistry, biology, and physics will keep trying to make our lives miserable. That’s part of a blue team’s daily grind.

Continuous Integration Ticket Shop for Conference Tickets is now open – book often, book early!

Schiffsglocke der Danmark, source: https://commons.wikimedia.org/wiki/File:Schiffsglocke_Danmark.JPG

Running an event is a highly dynamic operation. This is especially true for (information security) conferences, even more so for trainings. We have seen our share of sad faces when the training of your choice didn’t happen, because people booked the ticket too late. In order to avoid great disappointments, the ticket shops for DeepSec and DeepINTEL are now open. Spread the word! And put some SDL into your tickets – book early, book often!

DeepSec 2020 Call for Papers is open!

A curious raccoon in the Florida Everglades approaches a group of humans, hoping to be fed. Source: https://commons.wikimedia.org/wiki/File:Curious_Raccoon.jpg

We are looking for presentations and trainings for the next DeepSec In-Depth Security Conference. DeepSec 2020 will explore the focus masquerade. Attribution is hard. To make matters worse for everyone connected to information security – masquerade is ubiquitously present in hardware and software. You might also call some of it disinformation, which was the word of the year 2019. Security-wise many things hide behind a façade. Disinformation is the tool of the trade these days. So DeepSec 2020 has chosen the motto “Masquerade” for this year. Tell us where the veils are, what camouflages are used, and expose the real threats!

You can submit your content via our call for papers page on our web site. We also have a special email address for content submissions. You can either use cfp [at] deepsec [dot] net (or just deepsec [at] deepsec [dot] net, because this email address is tied to a GPG key).

Not quite coincidentally, DeepINTEL 2020 also has an open call for papers. Please submit your content by email to us. You are encouraged to (always) use (end-to-end) encryption when communicating with us.

BSidesLondon – Mentors wanted!

Meme “How To Draw an Owl”

You may have heard of the BSides London Rookie Track. It’s the track with the 15 minute presentation slots where people who have never presented at a security conference before can give it a try. Take my word for it, preparing these 15 minutes is hard work. Even if you had your share of presentations you still have to put some thought into the structure, the material, and the way you want to make your point(s). It’s easier for veterans. It’s hell for rookies. Even with a moderately cleaned pile of information the first drafts of your presentation take ages. In addition you probably make all the mistakes we all made before. This is where the mentors come in. Mentors are experts in their field and have presented before. And mentors we want!

Why mentors? Well, Niels Bohr put it nicely: “An expert is a man who has made all the mistakes which can be made, in a narrow field.” Rookies need some guidance to get on track. While you have experience, they are still gaining it. So if you have some time to spare and want to help someone, rush to the registration site and get involved! Don’t worry! It’s called BSides London Mentor Application 2020, not BSides London Mental Application 2020. You are safe.

Rookie Track Registration BSidesLondon – don’t miss the deadlines!

Photograph of presentation at DeepSec 2018, © 2018 Joanna Pianka, http://www.300dpi.at/

BSidesLondon has opened the Rookie Track registration. Submit your project ideas. Get a chance to present at an information security event. Let mentors guide you to the stage. We are pretty sure that you have something to share with us.

This won’t be the last reminder. Deadlines are closer than you think, quite similar to objects in the rear view mirror. We enjoyed many Rookie presentations at BSidesLondon, and your content is valuable to the audience. The fact that seats get scarce very quickly is a good indicator that your contribution should be submitted to the Rookie Track registration before the call for presentation closes.

The best two rookies will get the opportunity to travel to Vienna in November and attend DeepSec 2020. The first rookie can relax and enjoy our conference. The second place requires a bit more work, because we offer to present your content in a full presentation slot (that’s 45 minutes). As for the Rookie Track we also offer support and guidance. Don’t be intimidated! Everything has to start somewhere. So grab your calendar, mark the deadline, and submit to the Rookie Track registration!

DeepSec 2020 Scholar Program – Call for Applications

ACOD Logo

DeepSec 2020 wants to support your project. We have teamed up with partners to foster research in information security. We already support the BSidesLondon Rookie Track, support the Reversing and Offensive-oriented Trends Symposium (ROOTS), publish the DeepSec Chronicles, and support individuals in their research. Now we want to go one step further.

Purpose: To encourage research by young professionals and academics on new and emerging cyber security issues, information security, new ways to use technology, defence, offence, and weaknesses in hardware/software/designs.

Suggested Topics: Vulnerabilities in mobile devices, vulnerabilities in the Internet of Things (IoT), advances in polymorphic code, software attacks on hardware wallets, side channel attacks, hacking industrial control systems and smart cities, quantum and post quantum computing, penetration testing – defining what it means and standardization, and related topics. Let your creativity run free.

Application Requirements:

  • Submit a proposal with a unique cybersecurity related topic in paragraph or outline form
  • CV / Resume
  • One paragraph on how your research will advance or contribute to the research and understanding of your topic and your own professional interests
  • Confirmed availability to attend and speak at the DeepSec Conference in November; talk slots are 45 minutes + 5 minutes of Q&A so plan accordingly
  • Applications must be received by 31 January 2020 to scholars@deepsec.net

Scholar Benefits:

  • Work will be published in DeepSec Journal “In Depth Security: Proceedings of the DeepSec Conferences”; Published works for this section of the journal are expected to be more raw, cutting edge research ideas, as a precursor to a future peer reviewed work. The published work will be guided by the Scholar Mentors but not subject to full peer review.
  • Opportunity to present at DeepSec Conference
  • Six months of mentorship and assistance in research from DeepSec Scholar Mentors
  • Full admission ticket including lodging for DeepSec Conference held in Vienna, Austria
  • EURO 5.000 for travel and research costs. Half paid 31 July, second half paid week of DeepSec Conference
  • Mentors will work with Scholars on a defined time-line for mentorship sessions, research drafts, any in-person meetings or discussions, and final paper submission dates

We will follow up the call for applications here in this blog with introductions of your potential mentors.

Secure Design – Combining Information Security with Software Development

Amateurs' rocket bursts, taken from https://commons.wikimedia.org/wiki/File:Rocket_Firefall.jpg

Information security researchers usually see software fail. Sometimes they try to make software fail on purpose. The result is a bug description, also called a vulnerability report in case the bug has a security impact. In the best case scenario this information reaches the software developers who in turn fix the problem. Then the cycle continues. This process is fun for the first iterations. After a while it gets boring. A while after that you ask yourself why integer overflow, injection attacks, and basic cross-anything are still an issue. Some bug classes are well over 40 years old. Polio is far older, and yet we got rid of it (mostly). What’s different in the field of software creation?

The answers are simple, endless, and change depending on the current trend. Just as computing changed from the first mainframes to personal computing and back again, the methods in software development have their mix of temporary fashion and solid implementation choices. Additionally, you have more programming languages now than decades before – the agony of choice. Who wants to Rust before you go Go? Of course, we are wiser now and have invented skills such as secure coding. The problems seem to stay the same (take a look at the yearly top n CVE entries).

If you take a look behind the scenes of some software projects and unveil the core design of the application, sometimes the reason for security defects becomes more obvious. Software projects have a history. Code was usually written to solve a set of problems or perform certain tasks. The early design choices follow the production code. Mistakes in the design can lead to implementations that will never be more secure or suffer from vulnerability classes for all eternity. Getting the design right is critical. The credo of “ship early, ship often” or “ra(p|b)id prototyping” can lead to the point where working code is favoured over a sound design that doesn’t tip over easily. Secure Design is a nice thing to have. Where do you find it? This is where the soon-to-be-announced DeepSec 2020 Call for Papers comes in. We would like to take a stab at software development. If you teach/develop/test/implement secure design or secure coding, then we want to hear about it. Presentations are welcome. In case you have a training in mind, please drop us an email.

DeepSec Support for BSidesLondon Rookie Track 2020

Union Jack with Brexit, © 2020 Florian Stocker, fs@fx.co.at

We will support the BSidesLondon 2020 Rookie Track again. Talents need our support, and information security research knows no borders and no perimeter (ask the pentesters!). So we would like to keep up the tradition of lending a hand, hopefully beyond 2020. The best rookies will get the chance to attend DeepSec and to hold a presentation there. If you want to be one of the rookies, then head to the Rookie Track CFP 2020. Submit your idea! Present your project!

In case you have a lot of experience and want to share this treasure with others, consider becoming a mentor for the rookies. The BSidesLondon Mentor Application 2020 is open. Presenting must be practised. However, practice without proper training is quite difficult. This is where the mentors come in. To quote from the mentor application form: As a Mentor, you will be there to help a Rookie take their initial idea from concept into a full 15 minute presentation. You are not there to write it for them but to help with things like presentation style (not 100 words per page at 8pt comic sans) and general support in things like how to practice beforehand and what to do when they get on stage.

Mentorship is very rewarding, because you get to work with people who bring their own perspective into the play. Nothing is more dangerous for an open mind than stewing in your own grease. Being a mentor will give you an edge to fight the daily routine. It’s not just for boosting the rookie’s confidence.

In case you want to present, both the normal Call for Papers and the Rookie Track CFP are open. Looking forward to seeing you in London!

DeepSec, DeepINTEL, and ROOTS in 2020

The CERN datacenter with World Wide Web and Mail servers.

We took some time off to deal with the administrative side of running the DeepSec conference. Additionally, some of us were engaged in project work. 2020 started early this time. There is a lot to do behind the scenes, especially in times where reading the news doesn’t help you to navigate the rest of the year. We also finished the travel plans for the year, so we will have some information on where and when to connect with DeepSec.

The most important information for you: There will be a DeepSec & DeepINTEL conference in 2020. There will also be a Reversing and Offensive-oriented Trends Symposium (ROOTS) again in 2020. The calls for papers are in preparation and will open in two weeks. The dates are as follows:

  • DeepSec Trainings 17/18 November 2020
  • DeepINTEL Conference 18 November 2020
  • DeepSec Conference 19/20 November 2020
  • Reversing and Offensive-oriented Trends Symposium (ROOTS) 19/20 November 2020

We picked an earlier week not to clash with Thanksgiving again. This will also be the case for 2021, so you can enjoy your family dinner without having to think about information security (at least it won’t be our fault).

As for the calls for papers and our ongoing support of researchers: There will be a Call for Applications for our DeepSec Scholar Program. If you have an idea for a research project or an interesting approach for a topic related to information security, then let us know. Applicants will be supported financially, get an opportunity to speak at DeepSec, and will be included in the “In Depth Security: Proceedings of the DeepSec Conferences” journal.

You can send us your submissions for the DeepSec training sessions right away by email, if you like. We intend to publish the training slots as early as possible to give our company attendees some room to manoeuvre. Unfortunately, getting the green light to attend a training takes some weeks or months for some of us.

Save the date: DeepINTEL / DeepSec 2020 – 17 to 20 November

Hex dump from /boot/vmlinuz-5.4.3

We fixed the dates for DeepINTEL and DeepSec 2020. As promised there will be no collision with Thanksgiving. DeepINTEL 2020 will be on 18 November 2020. The DeepSec trainings will be on 17/18 November 2020. The DeepSec conference will be on 19/20 November 2020.

The Calls for Papers will open in February 2020.

Have a rest and enjoy the holidays! We are looking forward to seeing you in Vienna (again)!