Export of Blog Articles on Medium

René Pfeiffer/ May 1, 2021/ Administrivia/ 0 comments

The Internet was invented for sharing information. Publishing articles and raw data is still the main use case for networks. We use our blog for publishing articles covering topics of information security. It is the primary source of information. Article publications will be announced on our Twitter feed once the text is online. A while ago we started to publish our blog articles on Medium in parallel. The publication pipeline broken when Medium stopped supporting the plugin for our blog application. Re-publishing has since been done manually (hence the backlog on Medium). We occasionally update our Medium channel. Now this channel has a new link. If you prefer to read our articles on Medium, please use https://deepsec.medium.com/. Keep in mind that our blog articles published here will never hide behind a paywall or a

Read More

Murder Blog Series: Chapter 2 – Investigations

Sanna/ April 30, 2021/ Stories/ 0 comments

Letters as Windows to the World When young people discover the world, they are often happy to receive mail. Who doesn’t like it when others think of you? Once the love letters from the crush have undergone the metamorphosis into heartless letters with windows, we realize: Money rules their content, just like in this story. Leon has a habit. When walking back from the mailbox, he likes to feel the meaning of the contents of letters with his fingers. Here, it’s the letter from the credit card bill. And it has grown to several meaty millimeters. Leon hopes for a change in the terms and conditions. However, after opening it, it turns out that, unfortunately; it is a list of payments. He can barely remember the individual items. There are just too many—and most

Read More

Project Covert Operations and Zero Days – Controlled Compromise of Infrastructure and Code

René Pfeiffer/ April 21, 2021/ Discussion, High Entropy, Security/ 0 comments

Once you collect information, you will eventually have to decide on when to use which part for what reason. This is the dilemma of intercepting intelligence from an adversary and using it for defence (or offence). Once you act on your the knowledge no one else is supposed to have, then you will also disclose your capabilities. The digital world is full of these scenarios. The most recent case is a disclosure of Google’s Project Zero. The publication covered vulnerabilities dating back to the first half of 2020. As it turned out the discovery comprised 11 powerful weaknesses used to compromise iOS, Android and Microsoft® Windows devices. By publishing these vulnerabilities Project Zero essentially shut down a nine-month digital hacking operation by a Western government. Bugs in software have no labels. They may be

Read More

DeepSec 2021: A lack of software security paralyzes the economy in times of crisis – visit DeepSec 2021 to train your developers

Sanna/ April 20, 2021/ Development, Press, Training/ 0 comments

In every crisis, one’s own infrastructure and logistics are put to serious tests. The COVID-19 pandemic illustrates this particularly drastically through the many structural failures in the past 12 months. They try to solve biological problems with smartphones, favor dead-end technologies such as blockchain, discover the lack of network expansion in recent decades and then panic and publish software applications that are only subjected to serious tests after they have been published. All these quick fixes are snapshots of a lack of sustainability. But the economy is dependent on stable solutions based on many years of experience, especially now. In November 2021, the DeepSec conference would like to give support to everyone who works with software through trainings and the transfer of experience from security researchers. Code rules the World The word digitization is

Read More

DeepSec, ROOTS and DeepINTEL Update – Call for Papers open

René Pfeiffer/ April 19, 2021/ Administrivia, Call for Papers, Conference, DeepIntel/ 0 comments

Planning events is still challenging. The COVID-19 pandemic celebrated its first birthday. Despite efforts not to have the second birthday of the pandemic, the ever changing regulations and statues updates regarding the infections make preparations for conferences very hard. We know you want to plan as well, therefore we have an update for you. DeepSec, ROOTS, and DeepINTEL will happen on-site here in Vienna. We closely coordinate with our conference hotel. Their staff is eager to reopen. Everything depends on the rate of vaccination and the regulations issued by the European and Austrian authorities. There is not much we can influence. Given our health protection measure we worked out last year, we are well prepared to handle everything short of a total lockdown. We don’t do any forecasts at the moment. The next months

Read More

Murder Board Blog Series: Prequel

Sanna/ April 16, 2021/ Security, Stories/ 0 comments

[This is the first part of a five-part article series describing analogies between the world of IT security and research in other fields. Analogies are often used to deflect and conceal missing arguments. Didactics uses analogies as a powerful tool to explore your own understanding and to help you use your knowledge from other fields. Please use the articles of the Murderboard series (our name for the five-part article) for educating IT-affine people about information security. It’s never bad to have allies who understand what to look for in time of trouble.] It was a warm summer day when I got a call from an acquaintance who wanted to hire me for data protection coaching with one of his clients. Besides crime writing, I also work in data protection, helping self-employed people and small

Read More

Software Architecture, Code, and Information Security

René Pfeiffer/ April 8, 2021/ Conference/ 0 comments

Information security is tightly linked with the code running on platforms and decisions made during the software architecture planning phase. One can trace a lot of results in penetration tests to workarounds caused by inadequate tools, bad design choices, trends in software development, legacy applications, and too optimistic testing strategies. Let’s visit some of the accident sites by example. Implementing the basic principles of information security can be hard. The dreaded undefined behaviour or the lack of graceful failures in error conditions happens frequently. A recent presentation about autonomous systems illustrates what we expected from your code – it must be completely self-reliant. Doing n restarts and halting is not the best way of dealing with unexpected situations. Rejecting dangerous states and input is always an option, but sysadmins frequently need to bash applications

Read More

Translated Article: EU-US Summit Against Secure Encryption

Sanna/ March 31, 2021/ Legal, Stories/ 0 comments

Gipfel EU-USA gegen sichere Verschlüsselung by Erich Moechel for fm4.ORF.at The agenda of the virtual meeting at a high-ranking official level in two weeks features pretty much all data protection-related topics that are currently controversial in Europe. Joe Biden’s appearance before the EU Council of Ministers will be followed by a two-day video conference on April 14th at the top level of officials in the field of justice and homeland security between the EU and the USA. Practically all currently controversial issues around data protection are on the agenda, from cross-border data access for law enforcement officers to joint action against secure encryption. This is also the case with the “fight against child abuse”, which is once again being instrumentalized for these general surveillance projects. Ylyva Johansson, EU Commissioner for Home Affairs and Justice, commissioned a

Read More

All your Content are belong to Us – how the Crypto Wars continue

René Pfeiffer/ March 31, 2021/ Discussion, High Entropy, Internet, Legal/ 0 comments

Encryption is one of our favourite topics. This blog and our events feature discussions, tools, and content regarding cryptography. The first DeepSec conference in 2007 even had a presentation about a practical attack on GSM’s A5/1 algorithm. Subsequent conferences followed up on this, for example, the state of affairs of mobile network security in 2010. We use encryption and high levels of privacy in our own communication. Certain published documents emphasize the importance of using uncompromised and modern encryption algorithms. In the meantime, users have moved to messengers using TCP/IP on top of the mobile network transmissions. This enables full end-to-end encryption and privacy. The problems are still the same as in the 1990s. Enter the continuation of the Crypto Wars. On 23 March the Oberlandesgericht (Higher Regional Court) Rostock in Germany argued that

Read More

Translated Article: Further Wrangling in the Council of Ministers over Competences for Europol

Sanna/ March 30, 2021/ Discussion, High Entropy, Legal, Stories/ 0 comments

Weiter Gerangel im Ministerrat um Kompetenzen für Europol by Erich Moechel for fm4.ORF.at A majority led by Germany and France does not even want to give Europol the power to initiate transnational investigations itself in the event of a major cyber attack. On Monday the EU Council of Ministers decided on an approach for a new cybersecurity strategy. A network of “Security Operation Centers” across Europe will form an early warning system against attacks, and a new “Joint Cyber Unit” will be responsible for crisis management. In addition, they want to promote strong encryption methods together – but with back doors for law enforcement officers. Whether this collection of buzzwords will actually become an EU-wide implemented strategy is very much in question. The ongoing discussions in the Council of Ministers about the planned new powers of

Read More

Translated Article: E-Privacy Regulation allows retained Data and duplicate Keys

Sanna/ March 29, 2021/ Discussion, Internet, Legal, Stories/ 0 comments

E-Privacy-Verordnung erlaubt Vorratsdaten und Nachschlüssel by Erich Moechel for fm4.ORF.at The most important EU regulation for the protection of privacy contains a license for data processing of all kinds without the consent of the user and allows political parties to spread spam mail. For four years the e-privacy regulation has been stuck in the EU Council of Ministers, but under the Portuguese presidency, it was possible to agree on a version for the first time. However, this version of the “Ordinance on the Respect of Privacy and the Protection of Personal Data” has been designed in such a way that Germany’s top data protection officer, Ulrich Kelber, sees “several red lines crossed at the same time”. In addition to the reference to data retention, which was rejected by the EU Court of Justice for the third

Read More

Call for IoT Trainings: Secure Development for embedded Devices

René Pfeiffer/ March 24, 2021/ Discussion, Training/ 0 comments

The world is much easier to handle without limits. If you have all your frameworks freely available and have the luxury of running your code with a multi-MB (or -GB) runtime environment, then you are in paradise. The world of embedded devices and the Internet of Things looks different. Saving energy is the prime directive. The power supply might be a battery or the connector pin of another device. Multiple cores are rare, memory is even rarer. If you are acquainted with the container and cloud lifestyle, then embedded systems will be a culture shock. Think kilo instead of mega or giga. Small devices run code, too. So this is where security comes into play. What can you do to design your embedded code to be small and secure? Secure design and coding have

Read More

Secure Operation of IT Systems requires Skills, no Shortcuts

René Pfeiffer/ March 19, 2021/ Discussion, High Entropy/ 0 comments

The recent vulnerability in the Microsoft® Exchange server application has sparked many discussions. One of the topics is connected to the skills of IT departments responsible for patching systems in time. How can n weeks or months pass until upgrades are rolled out and in place? Well, the answer is easy. Some upgrades do not work flawlessly. In anticipation of problems during the change, IT departments need a copy of the live system and time to test the updates. This takes time, even if you have the budget to run additional copies of your systems. Furthermore, sometimes upgrades go wrong. Theoretically, these changes should just eliminate security problems and enable the application to work as before. IT departments bitten by the “this should not have happened but it did anyway” situation will hesitate to

Read More

Bug Disclosure Policies and the Eternal Discussion about Security ♨

René Pfeiffer/ March 15, 2021/ Discussion, High Entropy, Security/ 0 comments

In theory, there is the evolution from bug over to weakness, vulnerability and finally the exploit. Errors in code and application behaviour are interesting for any serious developer. Security researchers also look for bugs and ways to make code do something it wasn’t designed for. In the absence of critical failures in applications, the process of reporting bugs and getting them fixed everything is smooth and less prone to heated discussions (YMMV, some software projects feature persons with very strong opinions). All of this changes when the code can be remotely exploited. Enter the recent CVEs regarding the Microsoft® Exchange server. CVE-2021-26855 is as bad as it sounds. It is a remote code execution with low complexity requiring no user interaction and no privileges. Disclosure of bugs impacting security has a long history. Knowing

Read More