Administrivia: DeepSec Mailing Lists and last Call for our CfPs

Solar Orbiter’s first images reveal ‘campfires’ on the Sun, source: https://www.esa.int/Science_Exploration/Space_Science/Solar_Orbiter/Solar_Orbiter_s_first_images_reveal_campfires_on_the_Sun

Summer is always a bad time for getting things done. Usually people are on holiday, sweat, relax, or travel for recreation. This year things are different because of the Covid-19 precautions. Unfortunately our Call for Papers ends on 31 July 2020, so we have to remind you of the deadline. We plan to publish the schedule in mid-August, so we have little choice but to ask you again for research results, insights, incidents, weaknesses, helpful hints for defence, and more. Tell us about your research. Keep our reviewers busy!

We have some additional information. We have added a mailing list system to our infrastructure. The server is run by our event partners, the Crowes. So you can get news by raven, not only figuratively. The mailing lists we created are a tool to keep you informed. Your email address will not be used for any purpose other than informing you about all things DeepSec and DeepINTEL. The public lists are:

All lists are low frequency / high content, so you won’t run into the typical information overload that other distribution channels feature. When subscribing you will have to confirm your email address.

Press Release: Digital Infrastructure should integrate Malware

The German government wants to force Internet providers to install malicious software and intercept network traffic.

MYK-78 "Clipper chip" Package Markings, photographed by Travis Goodspeed.

Since the 1990s, there has been a constant struggle between authorities and security experts. One side wants to make digital infrastructure, especially data transport and communication, as secure as possible for business and society. The other side constantly strives for back doors to intercept data and correspondence. The fight for access to secure data transmissions, originally titled “Crypto Wars”, is entering the next round. The German federal government has created a draft law that is intended to legally force Internet providers and companies with related activities to distribute malware and manipulate network traffic. In future, the installation of apps on smartphones or automatic software updates could compromise computer systems. This destroys the basis of digitalisation – with far-reaching consequences for society and the economy.

The Oil of the 21st Century stirs up Greed

According to highly simplified slogans from politicians, data is the oil of the 21st century. The comparison is flawed, because no energy can be obtained from data; data only consumes energy. However, the German draft law is not about economic benefits. The opposite is the case. On the surface, the discussion is about investigative authorities needing access to communication between people and to data stored on local devices. Edward Snowden’s documentation of government espionage measures has led to far-reaching improvements in information technology over the past 7 years. Encryption of one’s own data has been retrofitted in many products. In addition, companies and private individuals have increasingly switched their correspondence and communication to encrypted channels. The most critical point of the implementation is so-called end-to-end encryption (“E2E encryption”). Cryptographic methods are only really secure if there is no back door – in the form of a duplicate or recoverable key – and no way of guessing the key(s).

Based on Snowden’s revelations, the manufacturers of smartphone operating systems, software development methodologies and the Internet Engineering Task Force (IETF) have incorporated many improvements into protocols and algorithms. For example, when specifying the new Transport Layer Security (TLS) version 1.3, the IETF made sure, against strong opposition from lobbyists, that insecure methods are no longer allowed. TLS is the basis for encrypted websites (recognizable by the HTTPS prefix). It is the basis of telebanking, web shops, communication with authorities, all kinds of portals, e-mail traffic, video streaming, teleconferencing, and much more. All modern systems now support end-to-end encryption. This is exactly the motivation for the legislative proposal to call for back doors in all these areas of application.

Worldwide Attack against E2E

Germany is not alone when it comes to attacks against secure systems. In the United States, Republican Senator Lindsey Graham has introduced a bill that would prohibit secure encryption in chat systems and messengers. The prohibition, as is so often the case, is only expressed indirectly: third-party access to the transmitted and stored data is required. This wording does not change the purpose. A digital attack and the provision of data according to official requests are technically the same procedure. These laws weaken information security in general. The German draft law, for example, stipulates that malicious software is delivered to end devices via manipulated software updates. Apart from the technical aspects, there are unresolved legal consequences. Who is liable for damage caused by federal malicious software? Who bears responsibility if this mechanism is exploited by criminals? These predetermined breaking points in security would then apply to all areas – from hospitals to companies to private households. Information security is being eliminated nationally.

Infrastructure, be it digital or analogue, will always be part of legal and illegal activities. Motorways are used both by emergency services and for the transport of stolen goods. The same applies to power supply, the Internet, water supply, traffic, transportation, food supply, banking and telephony. Nevertheless, communication networks are in the spotlight. The current bills show how little understanding there is of the history of surveillance and of the analogue world. The US government legally and technically implemented the monitoring of cellular networks in the 1990s. The reason was the fight against organized crime, above all drug smuggling. The effect was that organized crime switched to alternative communication methods. The damage remains with those who cannot protect themselves and have protection needs. In this specific case, it will affect the state’s own citizens and companies, which the state is actually obliged by law to protect.

Gateway to Industrial Espionage

The systematic installation of back doors and the dismantling of security measures has consequences that reach far beyond this. The longstanding discussion about the upcoming 5G technology shows this clearly. The company Huawei is accused by the USA of delivering its 5G products with undocumented access to the mobile phone networks. The focus is on the accusation of espionage. At the same time, Western governments are drafting laws to weaken their own digital infrastructure and allow third parties unrestricted access to the data. Even the Austrian federal government has the examination of the use of state malware for monitoring in its government programme. And it doesn’t stop at national efforts. A confidential document from the EU Council of Ministers dated 8 May 2020 describes the strategy for Europe. Encrypted data carriers, end-to-end encryption, cross-platform encryption, self-developed software and encrypted Internet protocols are listed as critical barriers for government investigations. Exactly these components are the foundation of any implemented information security. These basic technologies for securing data and correspondence rest on the mathematical methods of cryptography. They are an integral part of modern IT infrastructure – both for authorities and companies.

Return to Reality

People need privacy, and so they have a legal right to it. Companies need legal certainty for their projects, products and services. This includes all communication. Remote work and teleconferencing systems have become critical tools through the Covid-19 safeguards. Data centre operators must also not be forced to install back doors in systems. Legally mandated removal of security standards also endangers Europe as a technology location. British and Australian laws have already made it impossible for software products developed in these countries to be used safely, due to legally required access by third parties.

The discussion in no way addresses an important aspect that law enforcement officers and security experts share. Information security must also defend against attacks and find evidence of compromised systems. Nevertheless, companies rely on strong encryption. This is not a contradiction. In November, at this year’s DeepSec In-Depth Security Conference, approaches will again be discussed and experiences exchanged. Cryptography is a fundamental issue and must remain part of secure infrastructure without back doors.

A spicy detail on the side: the German state of Schleswig-Holstein and the German Armed Forces want to use the free software Matrix for their communication. The latter would like to use Matrix explicitly for messages that are classified as confidential. This raises the legitimate question of how the concerted attack on IT security by other authorities fits into the picture.

Programs and Booking

The DeepSec 2020 conference days are on November 19th and 20th.

The DeepSec trainings take place on the previous two days, November 17th and 18th.

The DeepINTEL Security Intelligence Conference will take place on November 18.

The venue for the DeepSec event is The Imperial Riding School Vienna – A Renaissance Hotel, Ungargasse 60, 1030 Vienna.

You can order tickets for the DeepSec conference itself and the training sessions at any time under the link https://deepsec.net/register.html.

Please note that, for planning certainty, we depend on timely ticket orders.

Translated Article: EU Council of Ministers discusses Back Doors in Encryption again

EU-Ministerrat diskutiert wieder Hintertüren in Verschlüsselung by Erich Moechel for fm4.ORF.at

Gilles de Kerchove, the EU’s anti-terror coordinator, is once again working against secure encryption per se. Since these new demands by law enforcement officials on the EU Council of Ministers are nowhere openly accessible, this confidential Council document is published in full by FM4.

The coronavirus pandemic has led to a surge in teleworking worldwide. Instead of working behind firewalls in secure corporate networks, millions of employees worldwide work from insecure home offices. The only real protection is the end-to-end encryption (E2E) of the data traffic.

In the middle of this scenario, the “Five Eyes” secret service alliance is starting the next phase of its global campaign against secure encryption. Again, police law enforcement is used as a vehicle. After the United States, the European protagonist Gilles de Kerchove, the Union’s counterterrorism coordinator, is on the move again. His new initiative is already being discussed behind the upholstered doors of the EU Council of Ministers, and his basic paper from May 8 was leaked to ORF.at.

Newspeak about “Front Doors”

The paper, classified as “limite” – access for a restricted group of people – is the technical addendum to de Kerchove’s letter to the member states, which was published on Thursday by Netzpolitik.org. De Kerchove is bluntly calling for European laws against E2E encryption based on the model of the American EARN IT Act, which was brought into the US Senate in March. Essentially, providers should be forced to offer encrypted services only if they also produce duplicate keys for all of these communications, which they can hand over to law enforcement officers if necessary.

De Kerchove, in the tried-and-tested manner of newspeak, calls this “front doors”, because secret “back doors” should be rejected since they could be misused, as his urgent letter to the governments of the Union says. All access would be strictly according to the law, namely authorized by the decision of an ordinary court. What is consistently concealed is the fact that these “front doors” can only work if the existing security routines are systematically broken by such duplicate keys. In this case, one speaks of a “backdoor”, i.e. a back door that compromises not only the “legally monitored” but all users of the respective web service.

How the Lever is used in the United States

In its current form, the upcoming US law EARN IT holds tremendous leverage that is intended to force Internet companies to undermine the security of their services in favour of monitoring. As in Europe, IT corporations that offer web space, communication services etc. to a broad public are generally exempt from liability for the content generated by their users. In the USA, this principle has been in effect since the “Communications Decency Act” of 1996, and the EARN IT Act is intended to abolish this liability exemption.

That’s what some would like for Europe too. Based on the hierarchy of the technical explanations, access to the content of encrypted smartphones apparently remains a priority for law enforcement officers, although the EU Commission has already provided Europol’s European Cybercrime Centre with five million euros to purchase forensic toolkits, in addition to an extensive catalogue of measures. According to the paper, this is not enough, especially since more and more smartphones are being encrypted.

The Document in full

However, it is not mentioned that a growing proportion of logins on smartphones does not happen via passwords, but via fingerprint and face recognition. If the law enforcement officers already have the smartphone in custody, they will most likely also have its owner and thus fingerprints and face. While these demands are still understandable in themselves, because they do not endanger the security of everyone’s communication, all four of the following points do.

Then it goes head-on against E2E encryption as offered by WhatsApp, Signal and all other securely encrypted services. This is the main goal of the campaign, which was launched via Europol in 2016 and has already been successful to a certain extent in Australia and the USA. It is argued that extending WhatsApp’s E2E encryption to the entire Facebook group would jeopardize its own measures against “child pornography” and terrorism (point 3). The encryption of data at the protocol level – the most important security measure against cybercriminals – is only dealt with from the point of view of police monitorability. Nothing is weighed against anything else in de Kerchove’s entire bundle; the security of users through encrypting their data traffic is not an issue at all. Rather, “security” is equated with “monitorability by the police”. All protocols and security mechanisms of the Internet are evaluated solely in terms of their monitorability by the authorities.

Since the document classified as “confidential” is currently not available anywhere, FM4 publishes it here. Only by reading the entire text does the whole arrogance of this approach become visible.

Token Hijacking via PDF – Dawid Czagan

PDF files are everywhere, and they can be used to hack your web application. Imagine that an attacker prepares a malicious PDF file which steals sensitive data from a user. The PDF file is uploaded to the web application, the user reads this PDF file, and finally sensitive data is exfiltrated from the user’s browser. It’s scary, isn’t it?

In a free video Dawid Czagan (DeepSec Instructor) will show you step by step how this attack works and how you can check whether your web application is vulnerable to it.

Watch this free video and get a taste of Dawid Czagan’s Live Online Training “Black Belt Pentesting / Bug Hunting Millionaire: Mastering Web Attacks with Full-Stack Exploitation” (DeepSec 2020; 17/18 November).


Translated Article: US bill against Secure Encryption of Chats

US-Gesetzesentwurf gegen sichere Verschlüsselung von Chats by Erich Moechel for fm4.ORF.at

A new US law on “Access by law enforcement officers to encrypted data” is intended to force chat providers such as Signal or WhatsApp to incorporate back doors into their security architectures.

In the United States, a bill is on its way to the Senate that has stunned the IT industry. The planned law on “Access by law enforcement officers to encrypted data” turns upside down all the rules that have been in force on the WWW for 25 years. Encrypted chats and data backup for a wide audience should then only be offered if the provider holds duplicate keys. That would be the end of end-to-end encryption (E2E) from Signal, WhatsApp and others.

The same applies to hardware manufacturers, who would have to provide access for law enforcement officers – i.e. back doors. This is primarily aimed at iPhones. This bill, supported by three Republican hardliners, is not a US solo effort. Gilles de Kerchove, the EU coordinator against terror, Europol and conservatives in the EU Council of Ministers have been calling for the same thing since May.

Worldwide Campaign against E2E

The targets of intelligence agencies and law enforcement officers are the same on both sides of the Atlantic. Large providers such as Facebook should be urged not to offer any genuinely end-to-end encrypted services. “End-to-end” means that the encryption process is negotiated between the users’ end devices. Because the service provider plays no role in this, it does not hold any keys that could be handed over to the prosecutors if necessary.

To prevent such a scenario, intelligence agencies and law enforcement officers have been running alternating campaigns since 2015 to push governments to change the law. These campaigns started in the Anglo-Saxon world. Via Europol, de Kerchove and, above all, the British, demands reached the European Union to take steps against the E2E encryption offered by large social networks and chat providers, and to make new laws.

Legislative Change back to 1995

In the United States, this manifests itself in changes to laws deemed necessary, in particular the Communications Assistance for Law Enforcement Act (CALEA). Since 1995, the telecoms have been obliged to set up surveillance interfaces in the then new digital mobile networks and to hand data to the authorities unencrypted for investigations – the latter, however, only if they had the necessary keys, because a general ban on using secure encryption was not enforceable even then.

CALEA has ensured clear conditions since 1995, but that is now set to change, because the relevant passages are to be deleted. Instead of “encryption that the provider performs”, it should now read “encryption that the provider provides or enables”. As a consequence, Apple, WhatsApp, Signal, and all other providers of encrypted chats would have to build back doors for law enforcement officers into their systems in order to comply with the law.

Liability as a Lever against Providers

And then there’s the EARN IT Act, which has been going through the Senate committees since March. This bill goes in exactly the same direction. To put it in a nutshell: communication providers that offer E2E-encrypted services to a wide audience should be liable if they cannot deliver the material unencrypted on submission of a search warrant for so-called “child pornography”. As in Europe, IT corporations that offer web space, communication services etc. to a broad public are generally exempt from liability for the content generated by their users. This principle has been in force in the USA since the “Communications Decency Act” of 1996 – in Europe through the E-Commerce Directive of 2000 – and through the EARN IT Act this liability exemption would be abolished.

The Back Door of the Front Door

In the United States, two new legal levers are being prepared to undermine the security of communication services in favour of their controllability. One would like to have the same thing in Europe, if it goes according to the will of de Kerchove and other hardliners. His list of obstacles to law enforcement posed by encryption looks like the list of US desires in the new bill, as if they had been copied from each other. What is completely missing in all relevant legislative projects is an assessment of the consequences if the security architecture of the providers is undermined. Regardless of whether the interfaces for monitoring are called “back doors” or “front doors”, they can only function if the existing security routines are systematically broken. This compromises not only the data security of “lawfully monitored” suspects, but that of all users of the respective web service.

Press Release: Digitalisation without Information Security has no Future

DeepSec conference warns of unsafe software and insufficient knowledge of professionals.

The months in which we had to learn to deal with the effects of various quarantine measures on our everyday lives have decisively emphasized the importance of information technology. Although the Internet has long been an integral part of work and everyday life in many industries, the physical restrictions due to the Covid-19 pandemic could have been significantly more drastic for public authorities, the economy and society without modern telecommunications. Audio, video and chat platforms have prevented things from getting worse. The call for more digitalisation, however, lacks the most important ingredient – information security.

Published software is safe, isn’t it?

In the world of software development, there is an unofficial saying that a product is ready when you can install it. The rest will all work itself out during use. That may not be the rule – some industries do take quality assurance very seriously. Often popularity is the enemy of quality. How widely software is distributed is unfortunately no measure of its content. In the case of the teleconferencing platform Zoom, it was also easy to see that this product was actually intended for a completely different purpose or a different target group. In addition, errors are common in software and can only be eliminated with careful tests, processes for detecting malfunctions and feedback loops back to the code. This path takes time that start-ups don’t necessarily have. As a result, the state of security in published or available software is at best unknown.

Before a program can be available, there must be a design, prototypes and finally an implementation. The first requirement is so-called secure design. If fundamental mistakes are made at the beginning, the later implementation cannot change anything about this anymore. Metaphorically speaking, a car with a bamboo body can never meet certain challenges. It’s the same with software. The second requirement is secure coding, i.e. programming with methods that minimize errors in the software. That’s the theory. The practice looks different.

Secure Design and Coding are not optional

Secure design and secure coding are not features that can simply be switched on or off. They have either been taken into account or they are missing. There is no middle ground. In addition, secure software does not offer any immediate advantages over a similar, faster developed, more popular and cheaper solution. The code works in both cases. The difference only comes to light in exceptional situations. Advantages that you never see in normal operation are psychologically very difficult to promote. In the case of Zoom, it was easy to point out the failures in the area of secure implementation, but the weaknesses had previously been present in daily use in all installations worldwide without anyone asking critical questions. Too few questions were asked. The same problem can often be found in living rooms and offices worldwide. Entire industries rely on products that are very complex, interact through networks, and may never have been designed for the tasks they perform today. Document creation and processing is another common and widespread example.

Call for “Digitalisation!” and support Training!

In order to provide digitalisation with information security, one runs into a didactic dilemma. You can only learn methods of secure software development and secure design if you have a basic understanding of how computers work, of common programming languages (plural, i.e. more than one), of network protocols and of operating systems. The basic principles cannot be grasped without prior knowledge. For this reason, IT security topics are almost exclusively electives that are taken after basic training. Practice in companies confirms this. According to recruiters from major Silicon Valley tech companies, security specialists must have worked in at least three different areas for several years to be considered for an information security job. This approach is diametrically opposed to the direction of many training centres. The much-cited shortage of skilled workers in the field of digitalisation often results in people trained in record time who have learned little – from a security standpoint.

Successful digitalisation therefore requires solid and sustainable training for programmers and all other specialists in the software development process. Constantly mentioning bits and bytes, using the Internet or constantly summoning the omnipotence of apps is not enough for a secure future. Superficiality is not a virtue in IT security.

DeepSec 2020 in the Name of Science

This year’s DeepSec In-Depth Security Conference wants to make its contribution to information-secure digitalisation. There will be lectures, trainings and exchanges of experts. The purpose is the further training of specialists in information technology in order to make the existing hardware and software secure in the future. The offer is aimed at the areas of activity of product development, software development, management, system administration, research and teaching. In addition, an Internet of Things (IoT) hacking village will be built together with partners. You can talk to experts directly and see that many smart systems are anything but secure.

Programs and bookings

The DeepSec 2020 conference days are on November 19th and 20th.

The DeepSec trainings take place on the previous two days, November 17th and 18th.

The DeepINTEL Security Intelligence Conference will take place on November 18.

The venue for the DeepSec event is The Imperial Riding School Vienna – A Renaissance Hotel, Ungargasse 60, 1030 Vienna.

You can order tickets for the DeepSec conference itself and the training sessions at any time under the link https://deepsec.net/register.html.

Please note that, for planning certainty, we depend on timely ticket reservations.

Administrivia: DeepSec/DeepINTEL/ROOTS Speaker Benefits extended to 2021

Source: https://en.wikipedia.org/wiki/File:Letter_of_Synesius_to_Hypatia_b2.jpg

The Calls for Papers of DeepSec, DeepINTEL, and ROOTS have deadlines. DeepSec and DeepINTEL have set the first deadline to 31 July 2020. We will accept submissions after this date, but everyone who submitted before the deadline will be reviewed first. Since all speakers are entitled to benefits which depend on their presence at the conference, we decided to extend these offers. If you submit your presentation for the 2020 events and cannot attend, then all benefits such as entry to the conference, travel cost reimbursement, our famous speaker’s dinner, your stay at the hotel, and everything else will stay valid until DeepSec 2021. The only condition is that your content must be presented (either virtually or by proxy).

The offer is valid for DeepSec and ROOTS. DeepINTEL is a special case, because our security intelligence event relies on direct conversation. You will still get some of the benefits if you submit. We intend to address any difficulties for speakers getting to Vienna in November.

So if you are worried about travel and attending the conference, we hope to give you something in return. We have similar plans for attendees and will publish them as soon as we have worked out the details. Meanwhile, don’t forget about submitting content. If you have research results, please submit them. The same goes for an idea of yours that needs collaboration with others. Use our CfP manager form and submit your presentation.

Bypassing CSP via ajax.googleapis.com – Dawid Czagan

Content Security Policy (CSP) is the number one defensive technology in modern web applications. Many developers add ajax.googleapis.com to their CSP definitions, because they use libraries from this very popular CDN in their web applications. The problem is that this completely bypasses the CSP, and obviously you don’t want that to happen. Since CSP should be part of any modern application, you had better get to work and brush up your knowledge.
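As an added example (not Dawid Czagan’s code or material from the video), the following Python checker flags the allowlist pattern described above in the effective script-src of a policy and builds the nonce-based policy that replaces it. The sample policies are constructed; ajax.googleapis.com is the host the post names.

```python
"""Check a Content-Security-Policy header for the CDN-allowlist weakness the post
describes, and build the nonce-based policy that replaces it.
Added example for this post, not Dawid Czagan's code; policies are constructed."""
import re
import secrets

# Hosts whose presence in script-src defeats the policy: they serve general-purpose
# libraries, so a page that trusts the host trusts every script published there.
# Constructed list seeded with the host named in the post; extend it for your own audit.
SCRIPT_GADGET_HOSTS = {"ajax.googleapis.com"}

KEYWORDS = {"'self'", "'none'", "'unsafe-inline'", "'unsafe-eval'", "'strict-dynamic'"}


def parse_csp(header: str) -> dict[str, list[str]]:
    """Split a CSP header into {directive: [source expressions]}; directive names are
    case-insensitive, source expressions are kept as written."""
    policy: dict[str, list[str]] = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def host_of(source: str) -> str:
    """Reduce a host-source expression to its bare host name.
    'https://ajax.googleapis.com/ajax/libs/' -> 'ajax.googleapis.com'; '*.cdn.test:443' -> 'cdn.test'."""
    s = re.sub(r"^[a-z][a-z0-9+.-]*://", "", source.lower())
    s = s.split("/", 1)[0].split(":", 1)[0]
    return s[2:] if s.startswith("*.") else s


def script_src_findings(header: str) -> list[str]:
    """Return human-readable findings for the effective script-src of a policy."""
    policy = parse_csp(header)
    # script-src falls back to default-src; neither present means scripts are unrestricted.
    sources = policy.get("script-src", policy.get("default-src"))
    if sources is None:
        return ["no script-src or default-src: scripts are unrestricted"]
    lowered = [s.lower() for s in sources]
    has_nonce_or_hash = any(s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in lowered)
    strict_dynamic = "'strict-dynamic'" in lowered
    findings: list[str] = []
    for src in lowered:
        if src == "'unsafe-inline'" and not has_nonce_or_hash:
            # With a nonce or hash present, CSP3 browsers ignore 'unsafe-inline' (it is only a fallback).
            findings.append("'unsafe-inline' allows inline script injection")
        elif src == "'unsafe-eval'":
            findings.append("'unsafe-eval' allows string-to-code execution")
        elif src in KEYWORDS or src.startswith("'"):
            continue  # other keyword, nonce or hash sources
        elif strict_dynamic:
            continue  # host and scheme sources are ignored once 'strict-dynamic' applies
        elif src in ("*", "http:", "https:", "data:"):
            findings.append(f"{src} allows script from any origin")
        elif host_of(src) in SCRIPT_GADGET_HOSTS:
            findings.append(f"{src}: allowlisted library CDN, the whole policy can be bypassed through it")
    return findings


def strict_policy(nonce: str) -> str:
    """Nonce-based policy: only <script nonce=...> tags run, and scripts they load are trusted
    through 'strict-dynamic'. 'unsafe-inline' and https: are fallbacks for older browsers."""
    return (f"script-src 'nonce-{nonce}' 'strict-dynamic' https: 'unsafe-inline'; "
            "object-src 'none'; base-uri 'none'")


def new_nonce() -> str:
    """A fresh per-response nonce: 16 random bytes, URL-safe base64."""
    return secrets.token_urlsafe(16)


if __name__ == "__main__":
    weak = "default-src 'self'; script-src 'self' https://ajax.googleapis.com; object-src 'none'"
    for finding in script_src_findings(weak):
        print("weak policy:", finding)
    print("hardened:", strict_policy(new_nonce()))
```

With the hardened policy, the CDN library is still usable: it is loaded from a `<script nonce="...">` tag generated per response, and no host allowlist is needed at all.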

In a free video Dawid Czagan (DeepSec Instructor) will show you step-by-step how your CSP can be bypassed by hackers.

Watch this free video and get a taste of Dawid Czagan’s Live Online Training “Black Belt Pentesting / Bug Hunting Millionaire: Mastering Web Attacks with Full-Stack Exploitation” (training at DeepSec 2020; 17/18 November).

Exploiting Race Conditions – Dawid Czagan

A race condition attack is one of the most dangerous and underestimated attacks on modern web applications. It’s related to concurrency and multithreading. As a result of this attack, an attacker who has $1000 in his bank account can transfer way more than $1000 out of that account. This is just one example, but it clearly shows how dangerous this attack is. If you develop or use software connected to a network, then this is for you.
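As an added example, not code from the post or the video, here is a Python simulation of the transfer race described above: the unsynchronised check-then-debit beside the locked version, with a barrier standing in for requests that arrive at the same instant. The account, the amounts and the simulation itself are constructed.

```python
"""Simulate the bank-transfer race condition described above, and its fix.
Added example for this post, not code from it or from the video; the account,
the amounts and the 'simultaneous requests' simulation are constructed."""
import threading


class RacyAccount:
    """Check-then-debit with no synchronisation: the time-of-check/time-of-use window
    that a burst of parallel requests slips through."""

    def __init__(self, balance: int) -> None:
        self.balance = balance

    def withdraw(self, amount: int, race_window=lambda: None) -> bool:
        if self.balance < amount:   # time of check
            return False
        race_window()               # other requests may run in between
        self.balance -= amount      # time of use: the balance may already be gone
        return True


class SafeAccount(RacyAccount):
    """Same logic, but check and debit are one atomic step under a lock. In a real
    service the equivalent is a database transaction with SELECT ... FOR UPDATE, or a
    conditional UPDATE ... SET balance = balance - :amt WHERE balance >= :amt."""

    def __init__(self, balance: int) -> None:
        super().__init__(balance)
        self._lock = threading.Lock()

    def withdraw(self, amount: int, race_window=lambda: None) -> bool:
        with self._lock:
            return super().withdraw(amount, race_window)


def make_race_window(parties: int):
    """Stand-in for requests arriving at the same instant: every request that passed
    its check waits here until all the others have too, then all debit together.
    For the locked account the other requests never reach the barrier, so the wait
    times out and the single request inside the lock simply continues."""
    barrier = threading.Barrier(parties, timeout=0.2)

    def window() -> None:
        try:
            barrier.wait()
        except threading.BrokenBarrierError:
            pass
    return window


def run_concurrent_withdrawals(account: RacyAccount, amount: int, requests: int) -> tuple[int, int]:
    """Fire `requests` withdrawals of `amount` in parallel; return (approved, final balance)."""
    window = make_race_window(requests)
    results: list[bool] = []
    threads = [threading.Thread(target=lambda: results.append(account.withdraw(amount, window)))
               for _ in range(requests)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return sum(results), account.balance


if __name__ == "__main__":
    # Five $1000 transfers against a $1000 balance: the racy account approves all five
    # and ends up negative, the locked account approves exactly one and ends at 0.
    print("racy:", run_concurrent_withdrawals(RacyAccount(1000), 1000, 5))
    print("safe:", run_concurrent_withdrawals(SafeAccount(1000), 1000, 5))
```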

In a free video Dawid Czagan (DeepSec Instructor) will show you step-by-step how this attack works and tell you how to prevent this attack from happening.

Watch this free video and get a taste of Dawid Czagan’s Live Online Training “Black Belt Pentesting / Bug Hunting Millionaire: Mastering Web Attacks with Full-Stack Exploitation” (DeepSec 2020; mind the date: 17/18 November 2020).


Lectures on Information Security

The Feynman Lectures on Physics, https://en.wikipedia.org/wiki/The_Feynman_Lectures_on_Physics#Six_Easy_Pieces_(1994)

It’s time for an editorial to end our premature Covid-19 induced summer break. We (as in the staff behind DeepSec/DeepINTEL) were busy with projects, preparations, following the news about the pandemic, and collecting information for our event(s) in November. Personally I have been involved in teaching for decades. The past months have shifted the focus heavily onto virtual presence in the form of teleconferences. Keeping hundreds of students busy while explaining how operating systems work and what secure code looks like tends to take up some of your time. Good network connections and decent hardware helped a lot, but there are a couple of problems with conveying content, concepts, and ideas. Let me show you what I mean.

Getting good tutorials is hard. The new agile way of computer science is to ditch good documentation in favour of quickly created code, or so it seems after wading through endless piles of markup/markdown, incomplete README files, forum discussions, and fragments of manuals. Since my background is physics, I started with published lectures in the library. Lectures in written form, ideally as published books, take a lot of knowledge and a lot of work. This has a lot to do with security/penetration testing, where you retrace your steps, review the documentation of the attacks and scans, put everything into a sensible form, and write summaries of what has been seen and what should be done about it. The process is similar to teaching. Going back to the wonderful world of apps and source repositories, the picture turns into dependency hell, bad examples, unfinished projects, and, again, missing tutorials on how to do things right. If you spend more time tormenting search engines than thinking about problems and implementations, then something is wrong.

A couple of years ago we started to collect articles for the DeepSec Chronicles. Stefan Schumacher and I wanted to address the problem of unstructured content. Good presentations are helpful, but the typical talk with slides depends on the spoken word, the gestures, the facial expressions, and interaction with the audience. If you have ever watched recorded presentations, you will notice that something is missing. Thus we collect articles for the DeepSec Chronicles. The intention is to have information in a form that is meant to be consumed after the conference. This is radically different from putting a video of the talk online and converting the slides to PDF. An article is more difficult to produce, because you cannot explain anything to the reader. There is no voice-over. Furthermore, you have to prepare the examples in more detail. Reading requires more information of higher quality. Every time I research a question of code, the use of a tool, constructs of a programming language, or security controls and end up in forum discussions and badly written „torturials“, I see a confirmation of why collecting well-written articles (and helping others to create them) is something we should do more often.

This brings me to our still open Call for Papers for DeepSec, DeepINTEL, and ROOTS 2020. It is not a Call for Presentations. It's definitely a Call for Content. We have had a lot of highly talented speakers in past years (right back to the first DeepSec in 2007). If you are working on something and want to get the word out, we would like to help you. Year by year we have taken steps to increase the value of the research presented at DeepSec. The DeepSec Chronicles are one step further, as is the Reversing and Offensive-oriented Trends Symposium (ROOTS). Our scholarship programme to support researchers is another piece of the puzzle. Mentoring, to actively help create solid results, is our project for the future.

So if you have some interesting stuff you want to talk about, let’s hear it. You are encouraged to submit your research to the DeepSec Chronicles. The Internet does not need more broken links and buggy example code.

Administrivia Update: Regulations, Ticket Shop, and DeepSec

Quill icon from The Noun Project. Source: https://commons.wikimedia.org/wiki/File:Quill_icon_-_Noun_Project_13454.svg

Clear guidelines for events and conferences are slowly emerging here in Austria. We have some news on how DeepSec, DeepINTEL, and ROOTS will look in November. We will compile the set of regulations in a separate document and publish it on our web site. The constraints set by the authorities contain no show-stoppers for the event and the trainings. We will carefully work out a concept which we will use in November for everything that happens on site in Vienna. 😷 We have the full support of our conference hotel, and we are confident that we can increase health protection and decrease risks for everyone attending.

In addition, we found some bugs in the ticket shop system. The tickets for DeepINTEL, DeepSec conference / training, and ROOTS can be bought via the Pretix ticket portal. During creation of the ticket categories we used the REST API (with some Julia code 🤓), which in turn led to some funny behaviour in the web display. We fixed some bugs with the data sets, the style sheets, and the preloading mechanism. The ticket shop is online and ready for your bookings.

Please remember that we cannot make DeepSec or DeepINTEL happen if you book late. We can cope with the usual chaos during the preparation phase. However, we have a hard time with late bookings, especially given the socially distanced start to 2020.

Update and Reminder – DeepSec/DeepINTEL Call for Papers is still open

We have added another training to the schedule. Irene Michlin (IBM) will teach you about threat modelling and how to integrate threats into your software development life cycle. Further details will be published in our blog. Speaking of content: the call for papers for both DeepSec and DeepINTEL is still open. We are looking for your contribution.

And then there is the inevitable update on DeepSec and the current pandemic situation. A lot of countries are discussing how to proceed in terms of regulations, health protection, and logistics such as travel. We would very much like to link to official information on travel, accommodation, additional procedures during our event, and how DeepSec will look in November. Sadly, we cannot do this yet. The facts are that the Austrian hotels open again on 29 May 2020. Restaurants already opened two weeks ago. Travel restrictions are still in place and are currently under negotiation. Given that DeepSec and DeepINTEL are international events, we rely on you being here in Vienna. The chances are very good that this will happen. This is not idle talk. We used the past two months to develop ways to handle the extra measures and procedures. The reality is that not everything can be solved by technology. This has always been the case in information security. Few other areas of interest and research have to deal with ever-changing environments and threats. Just as in infosec, we handle the organisation of DeepSec step by step, ask a lot of questions, and proceed carefully.

Of course, we will have further updates on how DeepSec and DeepINTEL will look as soon as we have source material from the authorities. In the meantime, consider submitting your content. The call for papers is open until 31 July 2020.

Administrivia for DeepSec, DeepINTEL, and trainings

Joroleman curbside mailbox with red semaphore flag. File source: //commons.wikimedia.org/wiki/File:IceStorm08.jpg

We cleared some administrative obstacles in the past weeks. The conference hotel has confirmed that DeepSec and DeepINTEL can happen in November. Of course, we cannot look into the future, but technically everything is in place. We still don't know what the regulations for events will look like, but we definitely plan to have a traditional conference in November. DeepSec and especially DeepINTEL cannot be moved easily into a virtual venue. We rely on face-to-face communication, groups of people chatting in our lounge areas, and random encounters in the foyer. One way or another, we are convinced that this can happen. We will let you know about any changes, but we will proceed carefully.

In order to improve the way you can learn new things and practise your security skills, we made some changes to the trainings. The call for trainings is still running. Some slots are already published. We will decide on the remaining slots in May. Since not everyone wants to or can travel in November, we will ask all trainers whether their sessions can take place in virtual form. This can be a mixed class with some people attending on site and some being present via the Internet. It can also be a fully virtual training session. We will provide some of the infrastructure needed (such as audio/video equipment at the training sessions). The schedule will hold all information on how you can participate.

The first confirmed fully virtual training will be Dawid Czagan’s Black Belt Pentesting / Bug Hunting Millionaire: Mastering Web Attacks with Full-Stack Exploitation session. Participation details will be provided to everyone attending after registration. This also means that Dawid’s workshop will be unaffected by any travel regulations, so bug hunting is a safe bet for you. 😉 As for the conference, we will keep you updated in case something changes.

Stay healthy, stay sane, and be cautious!

Translated Press Release: COVID-19 Apps Expose Software During the Crisis

In November, the DeepSec security conference will shine a light on the software masquerade.

People often say "there's bound to be an app for that!". This stock phrase is usually taken lightly, even outside the IT sector. The current COVID-19 crisis has once again cast computer code as the universal solution to problems that are not strictly related to information technology. Generic digitalisation seems to be the answer to all our problems. Of course, data processing can help. Provided, however, that one has real, verifiable and carefully collected data. That is where many projects fail.

Magic phones with infinite intelligence

The demand for apps has only grown in recent years. These visions are a match for the creative ideas in film and series scripts. The software built into our small mobile phones is supposed to solve the most complex tasks and deliver results that once required years of work, all with a simple swipe of the finger. In reality, most applications only scratch the surface. One small detail is readily forgotten: without an Internet connection to gigantic server farms and databases, invisible on the touch screen, what use is the code? Applications merely push reality out of sight. If the smartphone does not get warm and the battery lasts a very long time, the magic is happening elsewhere. Almost none of the intelligence sits on the device, for lack of available computing power.

What matters is the complexity of building the infrastructure behind the app that we actually see. Without interaction with their big sisters in the data centres, the applications on our phones quickly shrink. In this scenario, data is not only the crude oil but also the fuel of digitalisation. The drive, however, does not work the way one might think. End users are the source of the digital gold. They are not at the wheel, but rather at the extraction end.

Flawed design in terms of security

Modern code does not come out of nowhere. When developing applications, one either builds on existing code or creates one's own libraries. Even with a mixed approach, at least a few months pass before a tested design is reached. If the pressure is high, software development gladly takes shortcuts. To make matters worse, design starts with the questions of the problem to be solved and focuses on features from the outset. Implementing secure code and a secure design is often left aside. This kind of development is seen very often in the field of smart home devices.

An argument often put forward is the controlled publication of applications on the manufacturers' app stores. Naturally, apps are subjected to tests there, but a checklist ticked off in under a minute can hardly detect all security flaws and design defects. Given the number of programs available in the virtual stores, some things are bound to slip through the net. Searching for vulnerabilities and threats takes much longer. Security experts are often asked whether a particular product is secure. And an immediate answer is expected. That is not realistic and only works like that in the film and series scripts mentioned earlier.

Software masquerade

When it comes to digitalisation, promises and reality rarely coincide. In recent weeks, the Austrian corona virus tracing application in particular has been much discussed. The debates mostly concerned data protection and the security of the application. Stepping back and questioning the quality of the data this application is supposed to collect changes the picture completely. Ross Anderson, a British computer scientist at the University of Cambridge, analysed the accuracy of the smartphone platform in an article entitled "Contact Tracing in the Real World" (published on the computer laboratory's Light Blue Touchpaper blog). He concludes that developing such an application ties up more resources than it could bring in benefits. Bruce Schneier, an American cryptography and computer security expert, discusses on his blog the effects of false positives and false negatives of a corona virus application. This consideration alone already disqualifies the application for use in the real world. And that is without even taking security and data protection into account. Schneier's article "Me on COVID-19 Contact Tracing Apps" is available online.

Furthermore, a smartphone is probably an unsuitable tool in the case of contagious diseases. Since GPS is too imprecise, attempts are made to use Bluetooth to measure presence and distance. Devices often use Bluetooth LE (Low Energy) to extend battery life. But measuring signal strength with Bluetooth LE yields at best a passable resolution when people are separated by massive structures, reinforced concrete for example. Materials such as wood, plaster or thin stone are transparent to the measurement. On top of that there are reflections, which distort direction and range. According to the chip manufacturers' data sheets, the actual received power can be 100 times lower or higher than expected. Moreover, Bluetooth LE is a single-antenna system. This means that the direction of the signal cannot be determined; several antennas would be needed for that. People also hold their smartphones in different ways, which adds even more uncertainty. The localisation errors are already so numerous in the laboratory that this technology is ruled out from the start. Scenarios involving public transport, shops or restaurants have not even been considered, let alone traffic on the street or in narrow stairwells (where Bluetooth LE signals can be picked up behind every door). The key fobs that have already been officially mentioned are not expected to bring any significant improvement either. Physics is merciless on this point.

That much is now very clear. Software no longer serves only to solve problems. It is readily used to cover up open questions and to simulate a solution. This is a veritable masquerade found at several levels of contemporary society. The task of security experts is to see through this masquerade. At the beginning of the year, the theme "Masquerade" was therefore chosen for the DeepSec In-Depth Security conference in November, even before Sars-Cov-2 spread. In information security it is always a matter of looking behind the scenes. Code has to be taken apart and analysed. Software architecture has to be questioned. Design flaws have to be uncovered.

Disillusioned digitalisation as a construction site for improvement

The arguments and approaches presented here are not meant to make digitalisation more expensive. The stated objective of the DeepSec conference is to bring together the people in charge of different aspects of modern information technology and to encourage them to exchange ideas. The corona virus tracing app projects mentioned are just one example. Security experts regularly point out that a solid (secure) design is essential for applications. It would therefore be wise to consult the specialists before heading into a dead end.

If the approach behind it is thought through precisely, digitalisation can only be positive. Any trip to the cinema illustrates this easily: a film with a bad script does not get better when it is shown in high definition or in 3D. All you see is a big-budget fiasco, and the same goes for software development. Despite its theme, the DeepSec conference does not want to become a masquerade, but rather to give everyone the chance to exchange ideas with specialists. It is about lifting the mask and examining what really lies behind a technology. To this end, we will also offer trainings that provide, over two days, a concentrate of knowledge to handle and apply. The first training sessions are already open for online booking.

Seize this opportunity to save your product from failing before it reaches the market. We would like to make clear that this sentence is aimed in particular at decision-makers outside the market who want to digitalise companies and citizens at other levels. Writing and continually repeating the word digitalisation is not enough.

Schedule and booking

The DeepSec 2020 conference will take place on 19 and 20 November. The DeepSec trainings will take place on the two preceding days, 17 and 18 November.

The DeepSec event will take place at the hotel The Imperial Riding School Renaissance Vienna – A Renaissance Hotel, Ungargasse 60, 1030 Vienna.

You can order your tickets for the DeepSec conference and the DeepSec trainings at https://deepsec.net/register.html.

Sources of the articles by Ross Anderson and Bruce Schneier cited above:

https://www.lightbluetouchpaper.org/2020/04/12/contact-tracing-in-the-real-world/

https://www.schneier.com/blog/archives/2020/05/me_on_covad-19_.html


Translated Article: Ten EU Countries already rely on decentralized Corona Virus Apps

Schon zehn EU-Staaten setzen auf dezentrale Coronavirus-Apps by Erich Moechel for fm4.orf.at

Apple and Google also support the privacy-friendly, decentralized protocol DP-3T. Without technical support in the operating systems of these two groups, no app with Bluetooth tracing can deliver useful results.

The decision by Austria and Switzerland to use a corona virus app with decentralised data storage (DP-3T) triggered a chain reaction. By Friday, ten EU countries had already left the large-scale "Pan-European Project for Data Protection-Compliant Person Tracing" (PEPP-PT). The centralised data collection of PEPP-PT leaves all possibilities for data mining open, including deanonymisation of the data.

Apple and Google, which support the DP-3T standard, are constantly publishing new specifications for the necessary app interfaces in Android and iOS. Without the support of these two companies, whose operating systems control the global smartphone market, not a single corona virus app can deliver useful results through Bluetooth tracing.

The current status in Europe

Already when the third country, after Austria and Switzerland, announced the switch to DP-3T, the alarm bells should have rung for the competing PEPP-PT project. Because this country was Estonia, which is seen in the EU as a digitized model country. As a result, things started to happen, the Netherlands announced that it would discard its already developed apps and start from scratch with DP-3T.

With Italy and, after fierce internal discussions, Germany, two EU heavyweights joined the ranks. Ireland turned around on Friday, and now there are already ten EU countries that have rejected their original big data plans and are now opting for a solution that actually complies with data protection regulations. Of the other European countries, only France and England are currently aggressively advocating the centralized approach.

Clarification on terms

Because the technical issues and terms have been mixed up in the media recently, here is a little clarification. DP-3T is not itself a corona virus app; rather, it is the generic term for the protocols used for Bluetooth tracing and for communication with an external server. Google and Apple also do not code a corona virus app; rather, they install interfaces (APIs) in Android and iOS to which the apps can dock on.

In addition, further functions are set up in both operating systems so that the apps can run in the background but still send out Bluetooth beacons. For security reasons (danger of stalking), such hidden functions for apps have so far been blocked by Apple at the operating system level. Google released the first additional functions for Android on Friday, which can also be used by all docked apps.
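To make the difference between centralised and decentralised tracing concrete, here is a simplified sketch of the DP-3T "low-cost" design in Python. It is an editorial addition to this page, not code from Erich Moechel's article or from the DP-3T project: a hash chain of daily keys, per-epoch ephemeral identifiers (EphIDs) derived from the day key, and matching that happens entirely on the phone. The choice of SHA-256 as the chain hash, HMAC-SHA256 as the PRF and SHA-256 in counter mode as the PRG is an assumption made for readability (the published design uses AES in counter mode), as are the class and function names and the constructed scenario in `demo()`.

```python
import hashlib
import hmac
import secrets
from typing import Dict, List, Set, Tuple

EPOCHS_PER_DAY = 96            # 15-minute epochs, as in the DP-3T low-cost design
EPHID_LEN = 16                 # bytes broadcast per epoch
BROADCAST_KEY = b"broadcast key"


def next_day_key(sk: bytes) -> bytes:
    """SK_t = H(SK_{t-1}). The chain only runs forward, so a published day key
    reveals nothing about the days before it."""
    return hashlib.sha256(sk).digest()


def ephids_for_day(sk_day: bytes) -> List[bytes]:
    """EphIDs for one day: PRF(SK_t, "broadcast key") seeds a PRG.
    Assumption: HMAC-SHA256 as PRF and SHA-256 in counter mode as PRG
    (DP-3T specifies AES in counter mode)."""
    seed = hmac.new(sk_day, BROADCAST_KEY, hashlib.sha256).digest()
    return [hashlib.sha256(seed + i.to_bytes(4, "big")).digest()[:EPHID_LEN]
            for i in range(EPOCHS_PER_DAY)]


class Server:
    """Holds only the seeds reported by infected users, never any contact data."""

    def __init__(self) -> None:
        self.published: List[Tuple[bytes, int]] = []

    def publish(self, sk_day: bytes, day: int) -> None:
        self.published.append((sk_day, day))


class Phone:
    def __init__(self, name: str) -> None:
        self.name = name
        self.day_keys: Dict[int, bytes] = {0: secrets.token_bytes(32)}
        self.observed: Set[Tuple[int, bytes]] = set()   # (day, ephid); never leaves the device

    def key_for_day(self, day: int) -> bytes:
        last = max(self.day_keys)
        while last < day:
            self.day_keys[last + 1] = next_day_key(self.day_keys[last])
            last += 1
        return self.day_keys[day]

    def beacon(self, day: int, epoch: int) -> bytes:
        return ephids_for_day(self.key_for_day(day))[epoch]

    def hear(self, day: int, ephid: bytes) -> None:
        self.observed.add((day, ephid))

    def report_infection(self, first_infectious_day: int, server: Server) -> None:
        # Upload a single day key; every later day can be regenerated from it by anyone.
        server.publish(self.key_for_day(first_infectious_day), first_infectious_day)

    def check_exposure(self, server: Server, today: int) -> Set[int]:
        """Regenerate every published chain locally and return the days on which
        one of those EphIDs was seen. Nothing about the contacts is sent anywhere."""
        hits: Set[int] = set()
        for sk, day in server.published:
            while day <= today:
                if any((day, e) in self.observed for e in ephids_for_day(sk)):
                    hits.add(day)
                sk, day = next_day_key(sk), day + 1
        return hits


def demo() -> Dict[str, Set[int]]:
    """Constructed scenario: Alice meets Bob on days 3 and 4; Carol only meets Bob."""
    server = Server()
    alice, bob, carol = Phone("alice"), Phone("bob"), Phone("carol")
    bob.hear(3, alice.beacon(3, 10))
    bob.hear(4, alice.beacon(4, 40))
    carol.hear(4, bob.beacon(4, 41))
    alice.report_infection(3, server)          # Alice tests positive
    return {"bob": bob.check_exposure(server, 6),
            "carol": carol.check_exposure(server, 6)}


if __name__ == "__main__":
    print(demo())
```

The server ends up holding one (seed, day) pair per reported infection and no contact graph, which is the property the article contrasts with PEPP-PT's central storage. The trade-off the practitioner should keep in mind: publishing a day key links all of that person's EphIDs from that day onward, so the low-cost design protects the contacts of everyone else but not the unlinkability of the reporting user; the "unlinkable" DP-3T variant addresses that at the cost of more download bandwidth.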

Bluetooth problems that only Google can solve

The most important function, namely the successful exchange of Bluetooth IDs, on which all concepts are based, has so far been the only criterion for possible close contact with an infected person. Of course this is not yet an exact measurement of the distance between two smartphones, but at best a rough estimate. Google has therefore introduced the received signal strength and the duration of contact of the smartphones as additional criteria, which makes the assessment somewhat more precise.

The telephones must have been in constant contact via Bluetooth for at least five minutes, which also helps to further reduce false hits. The propagation of microwave radio in the 2.4 GHz range, where Bluetooth operates, depends largely on environmental factors. If there are smooth, reflective surfaces, the range can occasionally increase enormously due to reflections. If the smartphone is held to the ear for phone calls, the Bluetooth range also increases. Another factor is the positioning of the Bluetooth antenna, which is embedded in the housing, because these spiral or quad antennas have a significant directional effect.

Using the example of a train journey

Here is an example from everyday life. A half-hour train journey in a sparsely occupied open-plan carriage can produce completely different results. Anyone who spends most of the time on the phone, possibly even standing, will end up collecting the Bluetooth identifiers of almost all smartphones in the carriage, although only one or two people actually came into critical proximity.

If the smartphone stays in your jacket pocket, that means not just far fewer contacts but, what's more, the Bluetooth IDs of the two people who were in critical proximity could be missing. If these people have keychains or other metallic objects in their jacket pocket next to their smartphone, this can block Bluetooth contacts.
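The signal-strength argument made in the press release above (received power 100 times higher or lower than expected) and in the train example here can be put into numbers. The following Python is an editorial addition, not part of Erich Moechel's article or of the DeepSec press release. It uses a textbook log-distance path-loss model with assumed calibration values (a reference RSSI of -60 dBm at one metre and a free-space path-loss exponent of 2; real phones need per-model calibration), a constructed beacon log, and the five-minute minimum contact duration the article quotes. The function and identifier names are the example's own.

```python
from collections import defaultdict
from typing import Dict, List, Tuple

# Assumed calibration: log-distance path-loss model
#   rssi(d) = RSSI_AT_1M_DBM - 10 * PATH_LOSS_EXPONENT * log10(d)
# These values are illustrative, not measured from any real device.
RSSI_AT_1M_DBM = -60.0
PATH_LOSS_EXPONENT = 2.0      # free space; reflective indoor spaces are often lower

Sighting = Tuple[int, str, float]   # (seconds, ephemeral id, rssi in dBm)


def estimate_distance(rssi_dbm: float, rssi_1m: float = RSSI_AT_1M_DBM,
                      n: float = PATH_LOSS_EXPONENT) -> float:
    """Invert the path-loss model to turn a single RSSI reading into metres."""
    return 10 ** ((rssi_1m - rssi_dbm) / (10.0 * n))


def distance_error_factor(power_error_db: float, n: float = PATH_LOSS_EXPONENT) -> float:
    """Multiplicative distance error caused by a received-power error in dB.
    A 100-fold power swing is 20 dB, which at n = 2 is a factor of 10 in distance."""
    return 10 ** (power_error_db / (10.0 * n))


def exposure_episodes(sightings: List[Sighting], threshold_m: float = 2.0,
                      min_duration_s: int = 300, max_gap_s: int = 60,
                      rssi_offset_db: float = 0.0) -> Dict[str, int]:
    """Score sightings the way a tracing app would: an id counts as an exposure
    if it stayed within threshold_m for at least min_duration_s without a gap
    longer than max_gap_s. rssi_offset_db models a systematic error such as a
    reflection or the phone being held to the ear. Returns {id: longest episode}."""
    by_id: Dict[str, List[Tuple[int, float]]] = defaultdict(list)
    for t, eid, rssi in sightings:
        by_id[eid].append((t, rssi + rssi_offset_db))
    result: Dict[str, int] = {}
    for eid, obs in by_id.items():
        obs.sort()
        longest, start, prev = 0, None, None
        for t, rssi in obs:
            close = estimate_distance(rssi) <= threshold_m
            if close and prev is not None and t - prev <= max_gap_s:
                prev = t                      # episode continues
            elif close:
                start = prev = t              # new episode begins
            else:
                start = prev = None           # too far away, episode ends
            if start is not None:
                longest = max(longest, prev - start)
        if longest >= min_duration_s:
            result[eid] = longest
    return result


def constructed_sightings() -> List[Sighting]:
    """Constructed beacon log, one sighting every 30 s (not real data)."""
    log: List[Sighting] = []
    log += [(k * 30, "bob", -65.0) for k in range(13)]    # 6 min at about 1.8 m
    log += [(k * 30, "dave", -62.0) for k in range(7)]    # 3 min, close but too short
    log += [(k * 30, "eve", -85.0) for k in range(17)]    # 8 min at about 18 m
    return log


if __name__ == "__main__":
    for offset in (0.0, 20.0, -20.0):
        print(f"offset {offset:+.0f} dB:",
              exposure_episodes(constructed_sightings(), rssi_offset_db=offset))
```

With an exponent of 2, the 20 dB swing the data sheets allow moves the estimated distance by a factor of ten. That is why the same eight-minute sighting of "eve" is scored as no contact at nominal power and as an exposure once a reflection or a phone at the ear adds 20 dB, while a 20 dB loss (phone in a jacket pocket next to keys) makes "bob", who really was close for six minutes, disappear from the result. Real implementations calibrate per phone model and average over many beacons, which narrows this band but does not remove it.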

Preliminary conclusion and a mystery

It won't stop with these ten countries, that's pretty clear now. Any centralised solution, perhaps combined with obligations and coercive measures, will fail in two ways. First, technically, on the smartphone operating systems, since Google and Apple have now decided on a decentralised solution. The second factor is smartphone owners, who will not entrust information about their health and their private movements to any technical solution whose operators run big data analyses on it, possibly carried out by private companies.

It still remains a mystery why a prototypical "data octopus" like Google is working towards a solution in which there is practically no metadata for the corporations to gain. The reason for this can only be hinted at, at this point in time; it has to do with corporate interests and strategies that are far above the daily business of collecting data. The outbreak of the corona virus has turned many things upside down; in this case the corporations were suddenly handed a trump card against the EU Commission.