Administrivia Update: Regulations, Ticket Shop, and DeepSec

Quill icon from The Noun Project. Source: https://commons.wikimedia.org/wiki/File:Quill_icon_-_Noun_Project_13454.svg

Clear guidelines for events and conferences are slowly emerging here in Austria. We have some news on what DeepSec, DeepINTEL, and ROOTS will look like in November. We will compile the set of regulations in a separate document and publish it on our web site. The constraints set by the authorities contain no show-stoppers for the event and the trainings. We will carefully work out a concept which we will use in November for everything that is going on on site in Vienna. 😷 We have the full support of our conference hotel, and we are confident that we can increase health protection and decrease risks for everyone attending.

In addition we found some bugs in the ticket shop system. The tickets for DeepINTEL, DeepSec conference / training, and ROOTS can be bought via the Pretix ticket portal. During creation of the ticket categories we used the REST API (with some Julia code 🤓), which in turn led to some funny behaviour in the web display. We fixed some bugs with the data sets, the style sheets, and the preloading mechanism. The ticket shop is online and ready for your bookings.

Please remember that we cannot make DeepSec or DeepINTEL happen if you book late. We can cope with the usual chaos during the preparation phase. However, we have a hard time with late bookings, especially given the physically distanced start into 2020.

Update and Reminder – DeepSec/DeepINTEL Call for Papers is still open

We have added another training to the schedule. Irene Michlin (IBM) will teach you about threat modelling and how to integrate threats into your software development life cycle. Further details will be published in our blog. Speaking of content – the call for papers for both DeepSec and DeepINTEL is still open. We are looking for your contribution.

And then there is the inevitable update on DeepSec and the current pandemic situation. A lot of countries are discussing how to proceed in terms of regulations, health protection, and logistics such as travel. We would very much like to link to official information on travel, accommodation, additional procedures during our event, and what DeepSec will look like in November. Sadly we cannot do this yet. The facts are that Austrian hotels reopen on 29 May 2020. Restaurants already opened two weeks ago. Travel restrictions are still in place and are currently under negotiation. Given that DeepSec and DeepINTEL are international events, we rely on you being here in Vienna. The chances are very good that this will happen. This is not idle talk. We used the past two months to develop ways to handle the extra measures and procedures. The reality is that not everything can be solved by technology. This has always been the case in information security. Few other areas of interest and research have to deal with ever changing environments and threats. Just as in infosec, we handle the organisation of DeepSec step by step, ask a lot of questions, and proceed carefully.

Of course we will have further updates on what DeepSec and DeepINTEL will look like as soon as we have source material from the authorities. In the meantime consider submitting your content. The calls for papers are open until 31 July 2020.

Administrivia for DeepSec, DeepINTEL, and trainings

Jorolemon curbside mailbox with red semaphore flag. File source: //commons.wikimedia.org/wiki/File:IceStorm08.jpg

We cleared some administrative obstacles in the past weeks. The conference hotel has confirmed that DeepSec and DeepINTEL can happen in November. Of course, we cannot look into the future, but technically everything is in place. We still don’t know what the regulations for events will look like, but we definitely plan to have a traditional conference in November. DeepSec and especially DeepINTEL cannot be moved easily into a virtual venue. We rely on face-to-face communication, having groups of people chat in our lounge areas, and random encounters in the foyer. One way or another we are convinced that this can happen. We will let you know about any changes, but we will proceed carefully.

In order to improve the way you can learn new things and practice your security skills, we made some changes to the trainings. The call for trainings is still running. Some slots are already published. We decide on the remaining slots in May. Since not everyone wants to or can travel in November, we will ask all trainers whether the sessions can take place in a virtual form. This can be a mixed class with some people attending on site and some being present via the Internet. It can also be a fully virtual training session. We will provide some of the infrastructure needed (such as audio/video equipment at the training sessions). The schedule will hold all information on how you can participate.

The first confirmed fully virtual training will be Dawid Czagan’s Black Belt Pentesting / Bug Hunting Millionaire: Mastering Web Attacks with Full-Stack Exploitation session. Participation details will be provided to everyone attending after registration. This also means that Dawid’s workshop will be unaffected by any travel regulations, so bug hunting is a safe bet for you. 😉 As for the conference, we will keep you updated in case something changes.

Stay healthy, stay sane, and be cautious!

Translated Press Release: COVID-19 Apps Reveal Their Software in the Crisis

In November, the DeepSec security conference will highlight the software masquerade.

People often say, “there must be an app for that!” This stock phrase is often taken lightly, even outside the IT sector. The current COVID-19 crisis has once again cast computer code as the universal solution to problems that are not strictly related to information technology. Generic digitization seems to be the answer to all our problems. Of course, data processing can help. Provided, however, that one has real, verifiable and carefully collected data. This is where many projects fail.

Magic phones with infinite intelligence

The demand for apps has only grown in recent years. These visions are in no way inferior to the creative ideas of film and series scripts. The software built into our small mobile phones is supposed to solve the most complex tasks and deliver results that once took years of work, all with a simple swipe of the fingers. In reality, most applications only scratch the surface. A small detail is readily forgotten: without an Internet connection to gigantic server farms and databases, invisible on the touchscreen, what use is the code? Apps merely push reality out of sight. If the smartphone does not heat up and the battery lasts a very long time, then the magic is happening elsewhere. The intelligence on the device amounts to almost nothing, owing to a lack of available computing power.

It is about the complexity of building the infrastructure behind the app one actually sees. Without interaction with their big siblings in the data centres, the applications on our phones shrink quickly. In this scenario, data is not only the crude oil but also the fuel of digitization. The engine, however, does not work the way one thinks. End users are the source of the digital gold. They are not at the wheel, but down at the extraction level.

Flawed security design

Modern code does not come from nowhere. When developing applications, one either builds on existing code or creates one’s own libraries. Even with a mixed approach, at least a few months pass before a tested design is reached. When the pressure is high, software development readily takes shortcuts. To make matters worse, the design starts with the questions of the problem to be solved and focuses on features from the outset. The implementation of secure code and secure design is often left aside. This kind of development is seen very often in the field of smart home devices.

A frequently advanced argument is the controlled publication of apps on the manufacturers’ app stores. Naturally, apps are subjected to tests there, but a checklist completed in under a minute can hardly uncover all the security flaws and design defects. Given the number of programs available on the virtual stores, some things will inevitably slip through the net. Searching for flaws and threats takes much longer. Security experts are often asked whether a particular product is secure. And an immediate answer is expected. This is not realistic and only works in the scenarios mentioned earlier.

Software masquerade

In digitization, promises and reality rarely coincide. In recent weeks there has been much talk, in particular, of the Austrian coronavirus tracing app. The debates mostly concerned data protection and the security of the app. Stepping back and questioning the quality of the data this app is supposed to collect changes the picture completely. Ross Anderson, a British computer scientist at the University of Cambridge, analysed the accuracy of the smartphone platform in an article entitled “Contact Tracing in the Real World” (published on the Light Blue Touchpaper blog of the computer science department). He concludes that developing an app ties up more resources than the benefits such an app could bring. Bruce Schneier, an American expert in cryptography and computer security, discusses on his blog the effects of false positives and false negatives of a coronavirus app. This consideration alone already disqualifies the app for use in the real world. And that is without even taking security and data protection into account. Schneier’s article “Me on COVID-19 Contact Tracing Apps” is available online.

Moreover, a smartphone is probably an unsuitable tool in the case of contagious diseases. Since GPS is too imprecise, attempts are made to use Bluetooth to measure presence and distance. Devices often use Bluetooth LE (Low Energy) to extend battery life. But measuring signal strength with Bluetooth LE is at best suited to a passable resolution when people are separated by massive structures, reinforced concrete for example. Materials such as wood, plaster or thin stone are permeable to the measurement. On top of that, there are reflections that distort direction and range. According to the chip manufacturers’ data sheets, the actual received power can be 100 times lower or higher than the expected power. Furthermore, Bluetooth LE is a single-antenna system. This means that the direction of the signal cannot be established. Several antennas are needed for that. People also hold their smartphones in different ways, which adds yet more imprecision. The localisation errors are already so numerous in the laboratory that this technology is ruled out from the start. Scenarios involving public transport, shops or restaurants have not even been considered, let alone traffic in the street or in narrow stairwells (where Bluetooth LE signals can be picked up behind every door). The key fobs already mentioned officially should not bring any significant improvement to the situation either. Physics is merciless on this point.

It is now very clear. Software no longer serves only to solve problems. It is readily used to disguise open questions and to simulate a solution. This is a genuine masquerade found at several levels of contemporary society. The task of security experts is to see through this masquerade. At the start of the year, the theme “Masquerade” was therefore chosen for the DeepSec In-Depth Security conference in November – even before Sars-Cov-2 spread. In information security it is always a matter of looking behind the scenes. Code must be deconstructed and analysed. Software architecture must be questioned. Design flaws must be identified.

Disillusioned digitization as a site for improvement

The arguments and approaches presented here are not intended to pile on digitization. The declared aim of the DeepSec conference is to bring together the people in charge of different aspects of modern information technology and to encourage them to exchange ideas. The proposed coronavirus tracing app projects are only one example. Security experts regularly point out that a solid (secure) design is indispensable for applications. It would therefore be wise to consult the specialists before heading into a dead end.

If the approach that drives it is thought through precisely, digitization can only be positive. Any trip to the cinema illustrates this easily: a film with a bad script does not improve if it is projected in high definition or in 3D. All one sees is a big-budget fiasco – and it is the same for software development. Despite its theme, the DeepSec conference does not want to become a masquerade, but rather to give everyone the chance to exchange ideas with specialists. It is about lifting the mask and examining what really lies behind a technology. To this end, we will also offer trainings that deliver, over two days, a concentrate of knowledge to handle and apply. The first training sessions are already open for online booking.

Seize this opportunity to prevent your product from failing before it goes to market. We wish to make clear that this sentence is aimed particularly at decision-makers outside the market who want to digitize companies and citizens at other levels. Writing and continually repeating the word digitization is not enough.

Programme and booking

The DeepSec 2020 conference will take place on 19 and 20 November. The DeepSec trainings will take place on the two preceding days, 17 and 18 November.

The DeepSec event will take place at the Imperial Riding School Renaissance Vienna – A Renaissance Hotel, Ungargasse 60, 1030 Vienna.

You can order your tickets for the DeepSec conference and the DeepSec trainings at https://deepsec.net/register.html.

Sources of the cited articles by Ross Anderson and Bruce Schneier:

https://www.lightbluetouchpaper.org/2020/04/12/contact-tracing-in-the-real-world/

https://www.schneier.com/blog/archives/2020/05/me_on_covad-19_.html


Translated Article: Ten EU Countries already rely on decentralized Corona Virus Apps

Schon zehn EU-Staaten setzen auf dezentrale Coronavirus-Apps by Erich Moechel for fm4.orf.at

Apple and Google also support the privacy-friendly, decentralized protocol DP-3T. Without technical support in the operating systems of these two groups, no app with Bluetooth tracing can deliver useful results.

The decision by Austria and Switzerland to use a corona virus app with decentralized data storage (DP-3T) triggered a chain reaction. By Friday, ten EU countries had already left the large-scale “Pan-European Project for Data Protection-Compliant Person Tracing” (PEPP-PT). The centralized data collection of PEPP-PT leaves all possibilities for data mining open, a deanonymisation of the data is also included.

Apple and Google, which support the DP-3T standard, are constantly publishing new specifications for the necessary app interfaces in Android and iOS. Without the support of these two companies, whose operating systems control the global smartphone market, not a single corona virus app can deliver useful results through Bluetooth tracing.

The current status in Europe

Already when the third country, after Austria and Switzerland, announced the switch to DP-3T, the alarm bells should have rung for the competing PEPP-PT project. Because this country was Estonia, which is seen in the EU as a digitized model country. As a result, things started to happen: the Netherlands announced that it would discard its already developed apps and start from scratch with DP-3T.

With Italy and, after fierce internal discussions, Germany, two EU heavyweights joined the ranks. Ireland turned around on Friday, and now there are already ten EU countries that have rejected their original big data plans and are now opting for a solution that actually complies with data protection regulations. Of the other European countries, only France and England are currently aggressively advocating the centralized approach.

Clarification on terms

Because the technical issues and terms have been mixed up in the media recently, here is a little clarification. DP-3T does not become a corona virus app; rather, it is the generic term for the protocols used for Bluetooth tracing and for communication with an external server. Google and Apple also do not code a corona virus app; rather, they install interfaces (APIs) in Android and iOS onto which the apps can dock.

In addition, additional functions are set up in both operating systems so that the apps can run in the background but still send out Bluetooth beacons. For security reasons (danger of stalking), such hidden functions for apps have so far been blocked by Apple at the operating system level. Google released the first additional functions for Android on Friday, which can also be used by all docked apps.

Bluetooth problems that only Google can solve

The most important function, namely the successful exchange of Bluetooth IDs, on which all concepts are based, has so far been the only criterion for possible close contact with an infected person. Of course this is not yet an exact measurement of the distance between two smartphones, but at best a rough estimate. Google has therefore introduced the received signal strength and the duration of contact of the smartphones as additional criteria, which makes the assessment somewhat more precise.

The telephones must have been in constant contact via Bluetooth for at least five minutes, which also helps to further reduce false hits. The spread of microwave radio in the range of 2.4 GHz – Bluetooth – depends largely on environmental factors. If there are smooth, reflective surfaces, the range can occasionally increase enormously due to reflections. If the smartphone is held to the ear for phone calls, the Bluetooth range also increases. Another factor is the positioning of the Bluetooth antenna, which is embedded in the housing, because these spiral or quad antennas have a significant directional effect.

Using the example of a train journey

Here is an example from everyday life. A half-hour train journey in a sparsely populated open-top wagon can produce completely different results. Anyone who spends most of the time on the phone, possibly even standing, will end up collecting the Bluetooth identifiers of almost all smartphones in the wagon, although only one or two people actually came into critical proximity.

If the smartphone stays in your jacket pocket, that’s not just far fewer contacts, but, what’s more, the Bluetooth IDs of the two people who were in critical proximity could be missing. If these people have keychains or other metallic objects in their jacket pocket next to their smartphone, this can block Bluetooth contacts.

Preliminary conclusion and a mystery

It won’t stop with these ten countries, that’s pretty clear now. Any centralized solution, perhaps combined with obligations and coercive measures, will fail in two ways. First, technically on the smartphone operating systems, since Google and Apple have now decided on a decentralized solution. The second factor is smartphone owners, who will not entrust information about their health and their private tracks to any technical solution, who will run big data analyses on it and who may have it carried out by private companies.

It still remains a mystery why a prototypical “data octopus” like Google is working for a solution in which there is practically no metadata for the corporations to gain. The reason for this can only be hinted at at this point in time, it has to do with corporate interests and strategies that are far above the daily business of collecting data. The outbreak of the corona virus has turned many things upside down, in this case the corporations were suddenly given a trump card against the EU Commission.
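The exposure criteria the translated article above describes (exchange of rotating Bluetooth identifiers, received signal strength as a proximity proxy, and at least five minutes of contact) worked through on a constructed scan log, including the train-journey cases. This is an added example, not code from the article, from DP-3T or from Google or Apple; the RSSI threshold, the permitted scan gap and the sample records are assumptions made for illustration.

```python
"""Added example (not from the article and not DP-3T's own code): a toy
exposure check over constructed Bluetooth sightings, applying the three
criteria the article names: exchange of rotating Bluetooth IDs, received
signal strength as a proximity proxy, and at least five minutes of
contact.  The RSSI threshold, the allowed scan gap and the sample
records are assumptions made for illustration.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

RSSI_CLOSE_DBM = -70        # assumed: readings at or above this count as close range
MIN_CONTACT_SECONDS = 300   # five minutes, the minimum named in the article
SCAN_GAP_SECONDS = 60       # assumed: a longer silence ends a contact episode


@dataclass(frozen=True)
class Sighting:
    peer_id: str   # rotating identifier broadcast by the other phone
    ts: int        # seconds since the start of the scan log
    rssi: int      # received signal strength in dBm


def longest_close_run(sightings: Iterable[Sighting]) -> int:
    """Longest episode, in seconds, during which the peer was seen at close
    range without a silence longer than SCAN_GAP_SECONDS."""
    close = sorted(s.ts for s in sightings if s.rssi >= RSSI_CLOSE_DBM)
    if not close:
        return 0
    best = 0
    run_start = prev = close[0]
    for ts in close[1:]:
        if ts - prev > SCAN_GAP_SECONDS:
            best = max(best, prev - run_start)
            run_start = ts
        prev = ts
    return max(best, prev - run_start)


def evaluate_exposure(sightings: Iterable[Sighting],
                      infected_ids: Iterable[str]) -> Dict[str, Tuple[int, bool]]:
    """For every identifier on the published list of infected IDs, return the
    longest close-contact episode and whether it reaches the five-minute bar.
    Only the locally stored sightings are consulted: the user's own contact
    history never leaves the phone, which is the decentralised property at stake."""
    by_peer: Dict[str, List[Sighting]] = {}
    for s in sightings:
        by_peer.setdefault(s.peer_id, []).append(s)
    verdict: Dict[str, Tuple[int, bool]] = {}
    for pid in infected_ids:
        duration = longest_close_run(by_peer.get(pid, []))
        verdict[pid] = (duration, duration >= MIN_CONTACT_SECONDS)
    return verdict


def sample_sightings() -> List[Sighting]:
    """Constructed scan log for the train-journey scenario, one scan every 30 s."""
    rows: List[Sighting] = []
    # A: close range for ten minutes -> meets the threshold
    rows += [Sighting("A", t, -60) for t in range(0, 601, 30)]
    # B: seen for ten minutes but weak (far away, or a phone in a pocket)
    rows += [Sighting("B", t, -85) for t in range(0, 601, 30)]
    # C: close range, but only for two minutes
    rows += [Sighting("C", t, -62) for t in range(0, 121, 30)]
    # D: close for four minutes, five minutes of silence, close for four more
    rows += [Sighting("D", t, -58) for t in range(0, 241, 30)]
    rows += [Sighting("D", t, -58) for t in range(540, 781, 30)]
    return rows


if __name__ == "__main__":
    for pid, (secs, flagged) in evaluate_exposure(sample_sightings(), "ABCDE").items():
        print(f"{pid}: {secs:4d} s close contact -> {'EXPOSURE' if flagged else 'no exposure'}")
```

Peer B shows why signal strength is needed on top of the ID exchange (ten minutes of sightings, none of them close), and peer D shows the continuity requirement: two four-minute episodes with a gap between them do not add up to five minutes. Whether they should is a policy decision, which is why the gap is a single named parameter here.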

Translated Press Release: Covid-19 Apps show Software Development in Crisis

In November, the DeepSec security conference will highlight the software masquerade.

In everyday language there is the saying “There’s an app for that!”. The phrase is often used as a joke, even outside the IT industry. The current Covid-19 crisis has once again cast computer code as a universal solution to problems that are not exclusively related to information technology. Generic digitization seems to be the answer to all problems. Of course, data processing can help. The prerequisite for this, however, is the existence of real data that has also been collected in a comprehensible and careful manner. This is exactly where many projects fail.

Magical phones with infinite Intelligence

The call for apps has been repeated again and again in recent years. The visions are in no way inferior to the creative ideas in scripts for feature films and series. Software that runs on small portable phones is said to solve the most complex tasks and, with a simple swipe of your fingers, deliver results that could only be achieved through years of work in the past. In fact, most applications only scratch the surface. One tiny detail is often forgotten: What does the code do without an Internet connection to huge server farms and databases that you can’t even see on the touchscreen? Apps merely shift the facts out of sight. If the smartphone stays cool and the battery lasts a long time, the magic actually happens somewhere else. Almost nothing on the end device is smart, due to the lack of available performance.

It’s about the complexity of building an infrastructure behind the actual app you see. Without interaction with the big siblings in data centers, the applications on the phone in your hand are reduced very quickly. In this scenario, data is not just crude oil, it is also the fuel of digitization. However, the engine does not work the way you think. End users are the source of digital gold. They are not at the wheel, but deep in the borehole.

Lack of Security Design

Modern code does not come from nowhere. When developing applications, you either have to build on existing code or create libraries yourself. Even with a mixed construction, months pass at the very least before a reasonably tested design is reached. When there is a lot of pressure on completion, software development likes to take shortcuts. To make matters worse, the design begins with the questions of the problem to be solved and focuses on features right from the start. The implementation of secure code and secure design is usually left behind. Such developments are very common in the field of smart home devices.

A frequently used argument is the controlled publication of applications via the manufacturers’ app stores. Of course, tests run there, but a checklist that runs in less than a minute can hardly detect every security weakness, let alone design errors. In view of the large number of programs available in the virtual stores, something will inevitably slip through inconspicuously. Finding gaps and threats is much more time consuming. Security experts are often asked whether a certain product is safe. An immediate response is expected. This is not realistic and only works in the movie scripts mentioned at the beginning.

Software as a Masquerade

Promise and reality are rarely close to each other in digitization. There has been a lot of discussion about the Austrian Corona Tracing app in the past few weeks. It was primarily about privacy and app security concerns. If you go back several steps and question the quality of the data that this app is supposed to collect, the result shows a completely different picture. Ross Anderson, a British computer scientist at the University of Cambridge, analyzed the accuracy of the smartphone platform in an article entitled “Contact Tracing in the Real World” (published in the Light Blue Touchpaper blog of the computer science institute). His conclusion: The development of an app ties up more resources than the benefits of such an application can justify. Bruce Schneier, an American expert in cryptography and computer security, writes on his blog about the effects of false positives and false negatives from a Corona app. Looking at this aspect alone disqualifies the app for use in the real world. Security and data protection have not even been considered in this analysis. Schneier’s article “Me on COVID-19 Contact Tracing Apps” can be read online.

Furthermore, a smartphone is an unsuitable platform for dealing with infectious diseases. Since GPS is too imprecise, one tries to use Bluetooth for the measurement of presence and distance. Bluetooth LE (Low Energy) is often used on the devices to extend the battery life. However, the measurement of the signal strength with Bluetooth LE is only suitable for a passable resolution if people are separated by massive structures, such as reinforced concrete. Materials such as wood, plaster or thin stone are permeable to the measurement. In addition, you have to contend with reflections that distort direction and range. According to data sheets from the chip manufacturers, the reception power fluctuates in some cases by a factor of 100. Furthermore, Bluetooth LE is designed as a system with a single antenna. This means that the direction of the signal cannot actually be determined. This requires several antennas. On top of that, people like to hold their smartphone in different positions, which adds another source of imprecision. Even in the laboratory the localization errors are so high that this technology is ruled out. Scenarios such as local public transport, shops or restaurants were not considered at all, let alone walking on the street or in narrow stairwells (where Bluetooth LE signals can be measured behind every door). The key rings already mentioned publicly should not improve the situation significantly either. Physics is very ruthless here.
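To make the factor-of-100 figure above concrete, here is how such a swing in received power propagates into the distance an app would infer from a single reading. This is an added worked example, not part of the press release; it assumes a log-distance path-loss model with exponent n (n = 2 is free space), a calibrated RSSI of -60 dBm at one metre, and a swing of +/-20 dB, which is a power 100 times higher or lower than expected. None of those numbers come from the page.

```python
"""Added example (not from the press release): how the received-power
variation the text cites propagates into a distance estimate.

Assumptions (not on the page): a log-distance path-loss model with
exponent n, a calibrated RSSI of -60 dBm at one metre, and a swing of
+/-20 dB, i.e. received power 100 times higher or lower than expected.
"""
import math


def power_ratio_to_db(ratio):
    """Convert a linear power ratio to decibels (100x -> 20 dB)."""
    return 10.0 * math.log10(ratio)


def rssi_at(distance_m, rssi_1m=-60.0, n=2.0):
    """Expected RSSI at a given distance under the log-distance model."""
    return rssi_1m - 10.0 * n * math.log10(distance_m)


def distance_from_rssi(rssi, rssi_1m=-60.0, n=2.0):
    """Invert the model: the distance an app would infer from one reading."""
    return 10.0 ** ((rssi_1m - rssi) / (10.0 * n))


def distance_bounds(true_distance_m, swing_db=20.0, rssi_1m=-60.0, n=2.0):
    """Range of distances an app may infer when the reading is off by up to
    swing_db in either direction (reflections, antenna orientation, a body
    or a key ring in between)."""
    nominal = rssi_at(true_distance_m, rssi_1m, n)
    nearest = distance_from_rssi(nominal + swing_db, rssi_1m, n)   # stronger than expected
    farthest = distance_from_rssi(nominal - swing_db, rssi_1m, n)  # weaker than expected
    return nearest, farthest


def distinguishable(d1_m, d2_m, swing_db=20.0, n=2.0):
    """True if the inferred-distance ranges for the two true distances do
    not overlap, i.e. a single reading could tell them apart."""
    a = distance_bounds(d1_m, swing_db, n=n)
    b = distance_bounds(d2_m, swing_db, n=n)
    return a[1] < b[0] or b[1] < a[0]


if __name__ == "__main__":
    print(f"100x power = {power_ratio_to_db(100):.0f} dB")
    for d in (1.0, 2.0, 10.0):
        lo, hi = distance_bounds(d)
        print(f"true {d:5.1f} m -> inferred between {lo:6.2f} m and {hi:6.2f} m")
    print("2 m vs 10 m separable with 20 dB swing:", distinguishable(2.0, 10.0))
    print("2 m vs 10 m separable with  3 dB swing:", distinguishable(2.0, 10.0, swing_db=3.0))
```

With n = 2, a 20 dB swing turns a true distance of 2 m into anything between 0.2 m and 20 m, so a single reading cannot separate a person at 2 m from one at 10 m; only with a (hypothetical) 3 dB swing do the two ranges stop overlapping. Averaging many readings over the minutes of contact narrows the spread, but does nothing about the direction, which the single antenna cannot resolve.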

This excursion makes one thing clear: Unfortunately, software is no longer only used to solve problems. It is often used to mask open questions and to fake solutions. This is a masquerade that we find in many areas of modern society. The task of security experts is to see through this masquerade. “Masquerade” was therefore chosen as the motto for the DeepSec In-Depth Security Conference taking place in November, before Sars-Cov-2 had spread. Information security is always about a look behind the scenes. Code needs to be de-constructed and analysed. Software architecture has to be questioned. Weaknesses in design have to be identified.

Disenchanted Digitization as a Blueprint for Improvement

The arguments and approaches given here are not a blueprint for driving up the price of digitization. The declared aim of the DeepSec conference is to bring people who are entrusted with various aspects of modern information technology to one table and to get them to exchange ideas. The approaches mentioned for a corona tracing app are just a striking example. Security experts regularly warn that a solid – secure – design is essential for applications. One is therefore well advised to consult the experts before talking oneself into a dead end.

Digitization can only bring progress if the underlying approach is carefully thought out. Every trip to the cinema can easily illustrate this: No film with a bad script gets better if you show it to the audience in high resolution or even 3D. You then unfortunately only see an expensively produced fiasco – as sometimes in software development. Despite its motto, the DeepSec conference therefore does not want to offer a masquerade, but rather to give all participants the opportunity to exchange ideas with experts. It is about looking behind the mask and evaluating what is really behind a technology. For this purpose, trainings are also offered that deliver highly concentrated, usable hands-on knowledge in two days. The first training units are already online and can be booked.

Take the opportunity before your product fails before it even reaches the market. It should be noted that this sentence applies particularly to decision-makers outside the market who want to digitize companies and citizens at another level. Writing down the word digitization and constantly repeating it is not enough by itself.

Programs and Booking

The DeepSec 2020 conference days are November 19th and 20th.

The DeepSec trainings take place on the previous two days, November 17th and 18th.

DeepSec is located at the hotel The Imperial Riding School Vienna – A Renaissance Hotel, Ungargasse 60, 1030 Vienna.

You can order tickets for the DeepSec conference itself and the training sessions at any time under the link https://deepsec.net/register.html.

Sources of the quoted articles by Ross Anderson and Bruce Schneier:

https://www.lightbluetouchpaper.org/2020/04/12/contact-tracing-in-the-real-world/

https://www.schneier.com/blog/archives/2020/05/me_on_covad-19_.html

Update on DeepSec / DeepINTEL / ROOTS 2020 with regards to Covid-19

Bio reactor, source: https://commons.wikimedia.org/wiki/File:Bioreaktor_quer2.jpg

Lacking time travel, we have no way to know what will happen in November 2020. That’s not news to us. We closely follow the development of the current Covid-19 crisis, and we constantly evaluate our plans for DeepSec, DeepINTEL, and ROOTS 2020. Given the current state of affairs and the experiments in various countries (including Austria) with lowering the restrictions for business and public life, we believe that our conferences can take place in November. There may still be restrictions in November with regard to travel and protection measures at our venue. We have developed a schedule for keeping you informed. Additionally we have plans for changing the schedule in order to guarantee the minimum level of content required by our call for papers process. Updates regarding the state of our events in November will be published on our blog on a monthly basis.

Most of our content does not work via remote access, teleconferencing, or video/audio streams. Nevertheless we plan to create infrastructure for relaying content and conducting video/audio conferencing via the Internet. We intend to offer teleconferencing methods to our trainers, so that trainings can be done with a mixture of on-site and remote attendees. If and to what extent a training can make use of the additional infrastructure is decided by our trainers.

Our monthly reminder: The calls for papers are open! If you have submissions of content and presentations, please submit as early as possible. The submission form will stay open at least until 31 July 2020.

First DeepSec 2020 Trainings confirmed

Tawakkol Karman's megaphone at the Nobel Museum, source: https://commons.wikimedia.org/wiki/File:Tawakkol_Karman%27s_megaphone_at_the_Nobel_Museum_(51980).jpg

We haven’t been idle in the past weeks. The Austrian government is reducing the lock-down rules to see how normal business and private life can go on. We take this as an opportunity to announce the first three confirmed trainings for DeepSec 2020. The preliminary descriptions can be found on our schedule web site.

Early Bird tickets are available. Given the unusual start into 2020 we ask you to consider buying Early Bird tickets (especially for the trainings). We are exploring special attendee tickets for remote attendance of the trainings. A more detailed description of the content of the trainings will follow in separate articles.

Contact Tracing and the Security of Things

Image: Logo of the Bell Telephone Company between 1889 and 1900, source: https://commons.wikimedia.org/wiki/File:Bell_System_hires_1889_logo.PNG

The spread of Sars-Cov-2 keeps everyone on their toes, as does the emotional state after weeks and months of physical distancing (which we recommend; social distancing has been the norm for decades). We closed our office in March and rely heavily on telecommunication. Fortunately we did not need to reinvent the Internet. Many of you have probably done the same. We hope that you manage to stay healthy until things get back to “normal”. Speaking of communication and normality, there are some aspects of the current situation we would like to point out.

Every security conference features presentations shedding light on important tools, libraries, applications, or protocols people rely on. Humans like to communicate. The degree varies, but essentially few can do without talking, writing, hearing, or seeing stuff (i.e. messages). This is even more true for companies, governments, health care, the military, and other organisations. The spread of Covid-19 has sparked a massive interest in all things tele, remote, and networked. Suddenly meetings need to be virtual. Applications and infrastructure for audio/video conferences and screen sharing existed before. There is a long list of companies offering services in this area. Then there is WebRTC (Web Real-Time Communication), an open standard for real-time communication in the browser that defines a set of application programming interfaces (APIs). Additionally we have a plethora of messengers, communication systems for gamers, and web platforms integrating their share of communication. Not surprisingly the rush on all of these solutions has sparked interest in their security. A few months ago we were fairly confident that a private meeting wouldn't leave the room. Now the room is gone. What does this mean?

First of all it means that not every platform kept its promises. Getting end-to-end encryption right for a group chat is hard. Doing the same for real-time audio and video is even harder. Signalling is the next problem. How do you connect all participants? How do you make sure that only the right people are “in the room”? There are answers to these problems, but a fair share of the conferencing applications suffer from bad security design, badly maintained code, or other issues.

Secondly, the Crypto Wars are back to haunt us. The Signal developers pointed out the dangers of the US EARN IT bill. Secure communication is under attack by laws that make protection impossible. The EARN IT bill is not the only example. China, Russia, Turkey, and Australia have passed laws banning or undermining end-to-end encryption. The UK has similar laws. It's not a good idea to turn back the clock on secure communication.

Lastly, there is talk about contact tracing to get things back to “normal” faster. Of course, “There's an app for that!” Ross Anderson thinks differently, so we recommend his article on how this works in the real world.

Well, time for the good news. The calls for papers for DeepSec 2020 and DeepINTEL 2020 are still open! If you have some time and quiet to think about your research or your ongoing projects, let us know! We already have some submissions. The current reviews look good, so we might publish the first trainings for November next week! We are looking forward to hearing from you! Stay healthy!

It’s April Fool’s Day – 7/24 and 365 Days of the Year

Image: Illustration of conventional comedy and tragedy theatrical masks. Source: https://commons.wikimedia.org/wiki/File:Comedy_and_tragedy_masks_without_background.svg

The first day of April is typically the time when you hide well-written pieces of misinformation to trick people into believing something that isn't true. We published our share of April Fool's Day articles in the past. While this was and still is fun, we believe that it is time to break with this tradition. Hiding something that isn't true within a stream of informative articles or news items has become a major way of influencing opinion. Good comedy does the same, but the outcome is different. Satirical news is a means of criticism by exaggerating or focussing on an issue. The typical audience of comedy expects this. The distinction between satire and reality has almost disappeared in the past decade. So if you are looking for entertainment there are plenty of other sources which probably work a lot better.

The other motivation is the discussion about facts and figures we had in the past weeks. Unless you have been living in a cave for the past months (which might not be a bad idea after all) you have probably heard of Sars-Cov-2 and the Covid-19 disease. The current countermeasures put society and the economy under great strain. Lacking other things to do, people put a lot of effort into analysing the numbers of infected persons, cured persons, patient deaths, and other widely available data. Even if you know the source of the data you are working with, you still need to figure out how the measurement was done. Just because the units match does not mean you have data sets that can be compared. You can still do a qualitative analysis, but you cannot predict the future with it. The Internet is full of epidemiological models with varying degrees of relation to reality. Doing scientific research is hard. Getting scientifically sound results under severe time constraints is even harder. While most businesses run fine without academic research, the decisions in their area are often less critical than in health care (or climate research, to mention a wildly unpopular topic). Companies running critical infrastructure are excluded to some extent. However, history and event logs are full of decisions which might have been better informed if time travel were real.

So to give you some kind of summary: Yes, we still like humour, and we still actively support (information security) researchers trying to point out critical flaws in code and design. No, we don't want to say that things are difficult. They are, but that's how we wanted it. We just skip making fun of stuff only because the calendar says so. Our calendar says that the call for papers is still open, so please consider submitting your research results for DeepINTEL and DeepSec.

The most important point is our reference to proper (data) science. Measurements only have meaning if you know how the data was obtained, what the error rates are, and how big your sample sizes were. No system administrator will consider your request if you claim that once upon a time the latency between two points in the network was 623 milliseconds and the packet loss was about 23%, without saying when, how often, and how you measured. Keep this in mind when you read articles drawing highly complex conclusions from a couple of highly doubtful (or error prone) figures. That's great for gaining followers. Reality just doesn't work this way.

Status Update with regard to the current Sars-Cov-2 / Covid-19 Emergency

We wrote in an earlier blog article about the current Sars-Cov-2 / Covid-19 emergency. Mathematics and biology didn't stop, so you (hopefully) live in an area with restrictions regarding crowds and places where people can't keep a safe distance. We, the organisation team of DeepSec, are in close contact with peers, members of the community, and reliable sources of information regarding countermeasures by the Austrian government.

Given the current state of affairs the November dates of our events are still far in the future. This means that nothing has changed for our plans. Our calls for papers are still open. The only change is that there will be no marketing messages and advertising for DeepSec and DeepINTEL for the time being. We don't think that a crisis should be used for one's own advantage. Please stick to facts and verified sources – regardless of what message you want to publish or which information you would like to relay. Disinformation will cost lives, now and in the future. All event and conference organisers have to follow regulations, so everything that happens to current or future events depends on the regulations and the state of your health (and your national health care system).

Please stay healthy, stay sane, and we hope to see all of you as soon as possible!

Translated Article: Coup de grace beat Attackers of the Austrian Federal Ministry for European and International Affairs

Cyberhusarenstück schlug Angreifer im Außenministerium for fm4 by Erich Moechel

[We translated this article, because DeepSec actively supports young talents and students. We are looking for organisations and companies that would like to help us with this support. Furthermore, we would like to make Erich's well-researched and well-written articles available to a wider audience.]

It was young technicians who fended off the dreaded cyber troop Turla. After a short time they cracked the tricky encryption of the Turla Trojan.

The National Security Council, which the NEOS party convened to discuss the cyberattack on the Federal Ministry for European and International Affairs, meets on Friday. NEOS criticise the cumbersome structures in cyber defence and, above all, that it is not ready to work properly. The quick defence against the notorious cyber troop (APT) Turla is not exactly due to solid defence structures in Austria.

In this first cyber attack on Austria, the defence relied on improvisation and technical skill. A diverse team of technicians from three ministries had this super-class APT under control after only 10 days. This emerges from new information available to ORF.at. The deciding factor was the coup de grace by young technicians of the Federal Ministry of the Interior who are more hackers than police officers.

Attackers’ Encryption hacked

A very young “Blue Team” from the battered BVT (Office for the Protection of the Constitution and Counter-Terrorism), of all places, managed to break the encryption of the data traffic between the Turla Trojan on the Federal Ministry for European and International Affairs network and the command and control servers on the Internet just two days after the intrusion was discovered. This is an astonishing achievement, because the Turla Group is known for constantly changing the algorithms used for encryption and for doing so in an extremely tricky way.

The first challenge was to recognise which encryption method was being used. This allowed the defenders to read the data traffic between the elements of the malware and identify all new modules of the malware that were being downloaded. The match turned after a few days, because from then on the attackers were on the defensive. The Turla team did try to download another rootkit, but was unable to activate it.

What the Federal Ministry of the Interior does (not) say

Such upper-class attacks are only partially automated, so “Red Team” and “Blue Team” actually faced each other directly in the Federal Ministry for European and International Affairs. All of this took place around the turn of the year or in the first week of the new year. Subsequently, the Federal Ministry of the Interior was asked for more information about this technical team of the BVT. “We ask for your understanding that, for operational reasons, no further details about the personnel and investigations will be disclosed,” was the answer, of course, because the news embargo on technical information is still in effect.

However, it also said: “With regard to your request, we may inform you that the staff employed in the BVT's cyber security area are generally not recruited from within the police force, but from universities or universities of applied sciences as well as in competitions like the ‘Cyber Security Challenge’.” According to information available to ORF.at, the majority of these BVT technicians had even completed the Cyber Security Challenge of the Bundesheer, BKA and Cybersecurity Austria, and among the army technicians who joined them were graduates of this competition as well.

Where did the Defenders come from?

This international talent competition, which Austrian teams have won several times, has been around for ten years. Every year the participants are around twenty years old, mostly from HTLs (Höhere Technische Lehranstalt) and comparable schools or at the beginning of a technical degree. This means that the BVT security technicians and all other graduates were mostly under thirty. The matches of this challenge are all of the type “Capture the Flag” or “Blue Team” (defenders) versus “Red Team” (attackers), which is particularly popular with hackers. At the Ministry of Foreign Affairs more or less the same match has been going on, but for real.

The Federal Ministry for European and International Affairs’ network was scanned thoroughly in the five weeks after the Turla group was temporarily neutralized. Artifacts and other traces of Turla were apparently only found on the mail servers, because the attackers had not yet tried to penetrate the internal network of the Ministry of Foreign Affairs. In order to ensure that no further hacked email accounts had been overlooked, the decision was made to reset all passwords in the entire mail system of the Federal Ministry for European and International Affairs. In addition to all embassies, this network also connects all other diplomatic institutions of the Republic.

Strategic Conclusions

One of the most dangerous cyber troops worldwide was neutralized in record time, and much faster than in Germany in 2017. The Austrian cyber strategy has worked perfectly.

It would be a fine thing if this had been the case.

In fact, the Republic was extremely lucky. As shown in the first two parts, a few very favourable circumstances came together from the rapid discovery onwards. As a result, the Turla group was unable to display its dreaded penetrating power. And it was the gentlemen from Turla who battled the defenders with updates for weeks, but are known for not destroying anything on purpose.

The attack tied up a large part of all available state cyber defences and hit a large, but only one, network. If the clients behind the attack had actually wanted to frighten the Republic for some reason, they would not have sent Turla. In 2015, APT 28 alias Fancy Bear had contaminated the IT of the German Bundestag to such an extent that in the end 20,000 PCs had to be replaced.

While the attack on the Ministry of Foreign Affairs was ongoing, ELAK, the nationwide system for electronic file processing, and more than 300 other large networks in Austria were open for weeks due to a fatal security vulnerability. A single, nicely packaged encryption Trojan would have been enough to paralyse the offices and authorities connected to ELAK in one fell swoop. If attackers had wanted it, half the Republic's IT would have been on fire.

War Dialing Video Conference Systems

Image: IBM PCMCIA modem, source: https://commons.wikimedia.org/wiki/File:IBM_PCMCIA_Data-Fax_Modem_V.34_FRU_42H4326-8920.jpg

Do you remember the Golden Age of Wardialing? The idea back then was to dial phone numbers one after the other and see whether a computer system answers. This method still works, because you can wardial any system with a suitable addressing scheme. VoIP wardialing is a lot easier since you do not need a modem. You just need to send signalling messages. Video conferencing systems are no exception. They have to do signalling, too. Furthermore, participants of a meeting need to join and leave. For joining there must be a process that authenticates participants. Usually you get a conference identification number and maybe a PIN code. Other systems require an account, so that you have to log in first. Finding conference rooms gets really easy if all you need is a URL.

The Bavarian Ministry of the Interior uses a conference system that addresses rooms by URL. The scheme for finding a conference or a room is very easy to figure out. It uses https://video.top.url/path/roomnumber where path is a combination of a few letters and roomnumber consists of six digits. This gives you the address space of the virtual conference rooms: at most a million room numbers per path. Physical rooms have their counterpart in the addressing scheme, and the system is configured to provide permanent discussion slots. The problem was that authentication was missing (the system now requires a PIN). The German IT magazine c't discovered that it was easy to join existing conferences (article is in German) and to listen in without being invited.
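
Such a sweep leaves a very recognisable trace in the web server log of the conference system: one client walking through room numbers one after the other. As an added example (not code from the original post, from c't, or from the ministry's system), here is a small Python detector run over a constructed access log. The host, the path prefix conf, the room numbers and the client addresses are assumptions; the join URL shape /path/roomnumber with six digits is the one described above. The detector flags any client that touches more than a handful of distinct rooms within a short window, tells a sequential sweep from scattered probing, and puts a number on how long a sweep of the whole room space takes at a given request rate.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Added example, not code from the original post. It assumes an access log in
# the common/combined web server format and join URLs of the shape
# /<path>/<six digit room number> as described in the post. The path prefix
# "conf", the room numbers and the client addresses below are constructed.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})'
)
REQ_RE = re.compile(r'^GET /(?P<path>[A-Za-z]+)/(?P<room>\d{6})(?:[/?\s]|$)')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (ip, timestamp, room, status) for a room-join request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    req = REQ_RE.match(m.group("req"))
    if not req:
        return None
    ts = datetime.strptime(m.group("ts"), TS_FMT)
    return m.group("ip"), ts, int(req.group("room")), int(m.group("status"))


def detect_wardialing(lines, max_rooms=5, window=timedelta(minutes=10)):
    """Flag clients that touch more than max_rooms distinct rooms inside window.

    Returns {ip: sorted list of all rooms that client requested} for flagged clients.
    Distinct rooms are counted rather than 404s, because a system with permanent
    rooms answers most numbers with 200 and a dialler is after exactly those.
    """
    events = defaultdict(list)  # ip -> [(timestamp, room)]
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            ip, ts, room, _status = parsed
            events[ip].append((ts, room))

    flagged = {}
    for ip, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # advance the window start until the span fits inside `window`
            while evs[end][0] - evs[start][0] > window:
                start += 1
            rooms_in_window = {room for _, room in evs[start:end + 1]}
            if len(rooms_in_window) > max_rooms:
                flagged[ip] = sorted({room for _, room in evs})
                break
    return flagged


def is_sequential(rooms):
    """True if the rooms walk the number space one by one, the classic dialler pattern."""
    return len(rooms) > 2 and all(b - a == 1 for a, b in zip(rooms, rooms[1:]))


def hours_to_sweep(requests_per_second, digits=6):
    """Time needed to try every room number once at a given request rate."""
    return 10 ** digits / requests_per_second / 3600


# Constructed sample log: one client walks rooms 100001..100006 within seconds,
# a second client joins a single room and fetches a static asset.
SAMPLE_LOG = """\
203.0.113.7 - - [20/Mar/2020:09:00:01 +0100] "GET /conf/100001 HTTP/1.1" 200 512
203.0.113.7 - - [20/Mar/2020:09:00:02 +0100] "GET /conf/100002 HTTP/1.1" 404 0
203.0.113.7 - - [20/Mar/2020:09:00:03 +0100] "GET /conf/100003 HTTP/1.1" 404 0
203.0.113.7 - - [20/Mar/2020:09:00:04 +0100] "GET /conf/100004 HTTP/1.1" 200 512
203.0.113.7 - - [20/Mar/2020:09:00:05 +0100] "GET /conf/100005 HTTP/1.1" 404 0
203.0.113.7 - - [20/Mar/2020:09:00:06 +0100] "GET /conf/100006 HTTP/1.1" 200 512
198.51.100.23 - - [20/Mar/2020:09:05:10 +0100] "GET /conf/100001 HTTP/1.1" 200 512
198.51.100.23 - - [20/Mar/2020:09:05:11 +0100] "GET /static/app.js HTTP/1.1" 200 8844
""".splitlines()

if __name__ == "__main__":
    for ip, rooms in detect_wardialing(SAMPLE_LOG).items():
        kind = "sequential sweep" if is_sequential(rooms) else "scattered probing"
        print(f"{ip}: {len(rooms)} rooms, {kind}: {rooms[0]}..{rooms[-1]}")
    print(f"full sweep of a six digit space at 10 req/s: {hours_to_sweep(10):.1f} h")
```

The threshold is deliberately low: a legitimate participant joins one or two rooms per day, a dialler touches dozens per minute, and with a million numbers per path a sweep at ten requests per second is done in a bit more than a day. Detection only tells you who looked; the fix is the one the ministry applied afterwards, a PIN (or an account) in front of every room.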

Due to the current coronavirus outbreak many of us have to rely on remote conferencing systems and similar ways of communication. Even without wardialing or missing authentication, PINs and conference codes are sensitive data. Some systems allow the same participant credentials to join multiple times. Members of Anonymous used the credentials of a conference call to “intercept” a discussion between the Federal Bureau of Investigation (FBI) and Scotland Yard. So please be careful when sharing call appointments. Make sure you use a trusted communication channel. In turn, verify your call peers. Having video helps, but sometimes video is not what it seems. Please also be very careful when receiving links to conference calls. You might be lured into a fake call by a phishing campaign.

When? Where? What? Introducing https://deepsec.events/

Image: Observer in special relativity, source: https://commons.wikimedia.org/wiki/File:Observer_in_special_relativity.svg

Reading the calendar gets difficult given the many places people – including us – post dates. Furthermore, we have a habit of not detecting typos and of not putting our dates in proper variables and rendering them to the web consistently. So we created a little jump page called DeepSec Events. On this web site you will find the most important facts about everything DeepSec. Our graphic designer went a bit overboard, but we hope the design is pleasing to your eyes.

Complexity of Dependencies in Multidimensional Systems – Corona Virus

Image: Illustration created at the Centers for Disease Control and Prevention (CDC). Source: https://en.wikipedia.org/wiki/File:2019-nCoV-CDC-23312_without_background.png

This blog is often silent. Our policy is to publish only if there is real information to send out. DeepSec is all about facts. We don't do speculation. Sometimes it is hard to idly watch “news” being published, revised, withdrawn, altered, commented on, and even deleted. We, to the best of our abilities, try not to publish something which doesn't hold. But we read and watch a lot of articles, opinion pieces, and other sources. For the rare cases where we need to publish our opinion we have created the High Entropy category in this blog. This category is all about the things we like to discuss. This time it's about biology, containment, and IT security defence. Let's have a look at the current coronavirus.

We are in touch with various partners in different countries. You may have noticed that we plan the DeepSec 2020 and DeepINTEL 2020 events in November. The planning phase usually starts after our break in December. Given our policy you won't notice much of it yet, because we publish when we have something to say. The facts are that DeepSec and DeepINTEL will take place on 17/18/19/20 November 2020 as scheduled. Our call for papers is open. You can buy tickets in our ticket shops (one for every event) or by requesting an offer and receiving an invoice for your purchase order. That's the plan. The current events around the spread of SARS-CoV-2 are out of our hands. We can't do much about the measures individual governments put into place. We can't say whether the long chain of dependencies our conferences rely on gets interrupted – and there are a lot of ifs to check until November. Don't forget: the influenza viruses no one talks about are dangerous too. If you are prepared for influenza viruses, then you are also prepared for SARS-CoV-2.

Sticking to the facts is actually the bright side. We created all the facts necessary to plan and to announce DeepSec and DeepINTEL 2020. Since 2007 no DeepSec conference has ever been cancelled. We had close shaves with the Lehman Brothers Holdings Inc. crash (which will repeat sooner or later, because nothing has changed structurally in our economy), the eruption of Eyjafjallajökull (we could also talk about future eruptions of other volcanoes which are overdue), and with some efforts by unnamed third parties to make life hard for smaller IT security events (no conspiracy here, just a collision of plans, apparently). Bear in mind that the global and local economy is not designed to handle failures well. In the context of IT security this is a weakness, but the systems are too big to fix.

So we will keep you updated. However keep your sanity, don’t panic, and stick to the facts. There are a lot of far worse threats out there. Chemistry, biology, and physics will keep trying to make our lives miserable. That’s part of a blue team‘s daily grind.