Thoughts on Geopolitics and Information Security

Eurasian Geopolitical map, source: https://commons.wikimedia.org/wiki/File:Eurasiageopolitical.jpgGeopolitics is a rather small word for very complex interactions, strategies, tactics, and the planning (of lack thereof) of events. Reading about topics connected to it is probably familiar to you. Few news articles can do without touching geopolitic aspects. Since politics has less technological content for most people, the connection to information security may not be obvious. Malicious software such as Stuxnet/WannaCry has changed this. Due to the events connected to their outbreak (or attack) the motivations of national agendas on the international stage have created awareness. There is a lot more to explore which is not on the radar of most experts, even in the field of information security.

The current trade wars have a major impact on technology and ultimately information security. When it comes to vendors there is a bias in buyers of security tools. The same is true for infrastructure such as mobile phone network components. It’s not just about Huawei, there are a lot of decisions going on when it comes to the question where the hardware and software your economy is build on should come from. The Edward Snowden publications in 2013 briefly raised public questions. The momentum of the disclosed content has subsided. The gadgets and networked appliances of Silicon Valley and like-minded start-ups have made data collection mainstream. CIOs have a hard time closing the daily data leaks caused by „telemetry“ data and constant monitoring.

Then there are the Crypto Wars. Gaining access to information is a process that has been around for thousands of years. Information gathering is not the exclusive domain of the military. Government, businesses, and individuals want the same. The problem is that the calls for weakening cryptography have never security in mind. The agendas are quite different from securing communication and systems. This is a well-known fact among information security experts.

So why bother? Well, geopolitics has become an important aspect of everyone defending networks, systems, and data. Your adversaries might be connected to issues well beyond the security event might suggest. WannaCry is a prime example. This is why we would like to discuss the interactions between geopolitics and information security at DeepINTEL 2019. If you have some ideas, observations, insights, and information regarding this aspect, please let us know. Send your abstract and your ideas by email to use – and present them at DeepINTEL!

Training Teaser: Black Belt Pentesting a.k.a. Bug Hunting Millionaire – Mastering Web Attacks with Full-Stack Exploitation

Source: https://commons.wikimedia.org/wiki/File:Spiderweb_with_frost.jpgModern web applications consist of far more components than HTML content and a few scripts. In turn properly attacking web applications requires a diverse set of skills. You need to know how the back-end and the front-end works. This includes all of the scripting languages, data storage technologies, user interface peculiarities, frameworks, hosting technologies, and many more layers. DeepSec 2019 will feature a full-stack web exploitation dojo enabling you to understand the security of web applications, how to break them, and how to protect them. The training will be hosted by Dawid Czagan, expert in the field. He will guide you through every technology and attack method relevant to information security of web applications such as:

  • REST API hacking
  • AngularJS-based application hacking
  • DOM-based exploitation
  • Bypassing Content Security Policy (CSP)
  • Server-side request forgery
  • Browser-dependent exploitation
  • Database truncation attack
  • NoSQL injection
  • Type confusion vulnerability
  • Exploiting race conditions
  • Path-relative stylesheet import vulnerability
  • Reflected file download vulnerability
  • Subdomain takeover

The list is not complete. It serves to illustrate the meaning of full-stack. We have come a long way from simple HTML tags and simple script libraries. The use of web technology on mobile devices, all kinds of gadgets, even auto-mobiles have far reaching consequences for the security of these endpoints. Once you know how to use the full-stack to your advantage, then you can reach a lot more systems than a few web sites or clients.

Dawid will host the training at DeepSec 2019. All attendees will get six extra online courses:

  • Start Hacking and Making Money Today at HackerOne
  • Keep Hacking and Making Money at HackerOne
  • Case Studies of Award-Winning XSS Attacks: Part 1
  • Case Studies of Award-Winning XSS Attacks: Part 2
  • Double Your Web Hacking Rewards with Fuzzing
  • How Web Hackers Make Big Money: Remote Code Execution

The course is intended to be used for defence and offence alike. You will get the latest examples covering modern and widespread technology in use. In addition all training materials will be interactive so you can practice on actual deployed web applications.

Translated Article: Reporters Without Borders protest against planned Criminalization of Tor Servers

Reporter ohne Grenzen protestiert gegen geplante Kriminalisierung von Tor-Servern for netzpolitik.org by Markus Reuter

[Note: netzpolitik.org is a German news portal covering the impact of a networked world on society and digital rights. They rely on donations and welcome your support. We translated this article for them, because we both like their work and use Tor on a daily basis.]

Tor Project logo https://commons.wikimedia.org/wiki/File:Tor-logo-2011-flat.svgWith the new IT security law Interior Minister Horst Seehofer wants to criminalize the Tor network. That hurts the freedom of the press and the protection of sources. Opposition and Reporters Without Borders protest sharply against the plan.

With the IT Security Act 2.0 the Federal Ministry of the Interior is planning to criminalize the operation of Tor servers. According to the draft, the person who “offers an internet-based service whose access and accessibility is limited by special technical precautions and whose purpose or activity is geared towards facilitating or encouraging the commission of [certain] illegal acts shall in future be liable to prosecution”. But this definition is very broad and jeopardizes anonymizing infrastructures in general.

“An internet-based service then provides, for example, who operates a node of the Tor network,” says Prof. Dr. Matthias Bäcker, Professor of Public Law and Information Law at the Johannes Gutenberg University Mainz. He criticizes the bill as a dangerously broad regulation whose practical use is doubtful.

It is also important to note that Tor makes socially desirable activities, such as journalism, possible, said Bäcker in a guest article on netzpolitik.org.

Important for journalism

Now Reporters Without Borders is also protesting against the planned criminalization of infrastructures that allow anonymisation. “We defend ourself against the criminalization of our campaign for anonymity on the Internet. Just because we operate Tor nodes, we are not criminal, ” says Christian Mihr, CEO of the Press Freedom Organization.

Reporters Without Borders supports the Tor network with two servers to allow journalists to circumvent censorship.

“In our digital security training sessions, we see daily how important a VPN or the Tor Browser has become for the work of journalists. In the age of increasing surveillance such offers should be strengthened rather than criminalized.”

One third of the traffic goes through Germany

In the case of the Tor network it’s particularly critical that about 30 percent of network traffic is run on German servers and about 1,300 nodes are registered. Thus the anonymization network is heavily dependent on German legislation and could be weakened by the tightening in its entirety.

According to Reporters Without Borders, numerous operators inside the Tor infrastructure are already anxious. In addition, the new law also allows investigation against revelation platforms such as Wikileaks.

Reporters Without Borders, together with the association Zwiebelfreunde, one of the largest operators of anonymisation infrastructures worldwide, has published a statement on the topic. The authors of the opinion recommend rejecting both the plans of the Ministry of the Interior and the Federal Council immediately, especially as the alleged loopholes in penal law would not exist anyway.

Instead, the authors recommend a personal and technical increase in police for effective prosecution, especially in the area of trained IT professionals. To this end, the existing cybercrime law enforcement agencies should also be strengthened.

Heavy attack on press freedom

Katja Kipping, leader of the Left Party, also emphasizes to netzpolitik.org Germany’s important role in the worldwide Tor network: “If Seehofer’s initiative attacks this commitment, this would have serious consequences for the anonymisation network. That, in turn, would be a serious attack on press relations in many regions of the world where journalists lives are in constant danger.”

Besides protecting one’s own life, protecting sources is an essential part of the work of journalists throughout the world. “An attack on the anonymization network is thus an attack on press freedom. That also whistleblowers come under heavy pressure again, must hardly be mentioned at this point.

Green interior and network expert Konstantin von Notz says, “We certainly need to make law enforcement more effective, but criminalizing Tor servers and rejecting anonymity is definitely the wrong way!”

Reminder – Call for Papers DeepSec & DeepINTEL – Send your submissions!

We have been a bit radio silent since BSidesLondon. This is due to the hot weather in Austria, the preparations for the next DeepSec Chronicles book, some interesting features for DeepSec, and of course because of the submissions we received so far. We have a shortlist for the trainings which we will publish in the next few days. The Call for Papers still runs until 31 July 2019. So if you have some idea of how to fix the SKS keyserver infrastructure, know something about nation state hacking, broke a couple of things, have angered software developers by putting their code to the test, or have some general and very specific information to share, then send us your submission!

The focus of DeepINTEL 2019 will be on the geopolitical aspects of information security. This issue came to life after we proposed it due to the ongoing trade wars and the impact of „cyber“ war (i.e. information warfare) entering the mainstream arsenal of nations and organisations alike. If you have something to say, send us your your presentation ideas by email. The collected GPG/PGP keys are online in case you want to write an encrypted email.

Translated Article: EU Prosecutors call for Security Holes in 5G Standards

EU-Strafverfolger fordern Sicherheitslücken in 5G-Standards for fm4 by Erich Moechel

The telecoms are to be forced to align the technical design of their 5G networks with the monitoring needs of the police authorities. In addition, security holes in the 5G protocols are required to enable monitoring by IMSI catchers.

Gilles de Kerchove, EU counter-terrorism coordinator, warns against the planned security standards for the new 5G mobile networks. The reason for this are neither network components of the Chinese manufacturer Huawei, nor technical defects. De Kerchove’s warnings are directed against the planned high degree of network security, according to an internal document of the EU Council of Ministers, available to ORF.at.

These measures to protect against criminals as well as the planned 5G network architecture stand in the way of the installation of backdoors for police and secret services. The telecoms should therefore build their networks in a way that meets the requirements of the prosecutors, demanded de Kerchove. Similarly, the 5G security protocols should also provide vulnerabilities for so-called IMSI catchers.

„Surveillance as a Service“

These demands can be found in a document from the Council of Ministers on the 6th of May, addressed to the usual addressees, namely to working groups of police and security authorities and to the delegations of the Member States. The telecoms could be forced by national legislation “to meet other requirements than those prescribed in the standards,” it says. However, it would be preferable “to implement these requirements already in the standards.”

In fact this means that the required security gaps – including access mechanisms for the prosecutors – should be anchored so deeply in the 5G security standards themselves that all individual security measures of the telecoms would not affect the network’s ability to be monitored. Thus, they require nothing less than “Surveillance as a Service”, ie a separate cloud service of the 5G operator for the prosecutors, which should have priority over the services of the network operator.

“Fragmented” is the new “decentralized”

On the one hand, the problem with encryption in the 5G networks will worsen in the medium term, de Kerchoves’ text continues. The main problem, however, is “5G’s fragmented and virtual architecture,” but especially the “network slicing” technology. What is called “fragmented” from the perspective of the authorities is an element of the decentrally organized 5G cloud called “multi-access edge computing”. To achieve latencies of less than one millisecond, as formalised in the 5G specification, in 5G networks as many functions as possible are outsourced to the peripherals.

The data gets also already processed in the segment in which a smartphone has logged in, and only a part of it ends up at the headquarters of the telecoms. To date all monitoring interfaces from GSM to LTE are installed there. In addition, instead of dealing with a handful of telecoms per member state, one now has to deal with a large number of virtual providers, and then there is the further possibility that parts of these services can be outsourced to other EU countries. De Kerchove’s assumption is quite realistic, as all three mobile operators in Austria are part of multinational corporations. Where the data is actually processed does not matter in a cloud network.

How the 5G Operators should build their Networks

The somewhat less realistic conclusion of de Kerchove: “A basic requirement for 5G providers (…) should be that they can meet the needs of prosecutors, even if they have to involve their partner companies abroad.” Since it might not be possibly to deliver “the normally available metadata” completely – due to the described security measures and the network architecture – they would have to “structure their network in a way that the geographical data is always available”.

Here, telecoms are required to align the architecture of upcoming 5G clouds with law enforcement needs, while operators’ priorities are low latency, security, and data transmission efficiency. And another security measure of the 5G networks is a thorn in the side of the prosecutors, namely the “strict authentication processes”. This refers to the automatic authentication of 5G base stations to smartphones with each login process.

The bad old IMSI catchers

Since the beginning mobile radio protocols have had a security hole by design, which has existed since the introduction of GSM. The base station does not need to identify itself as a legitimate network component to a logging in cell phone. This gap has since been exploited by so-called IMSI catchers, which are nothing more than false base stations that attract smartphones in the vicinity to, for example, disable their encryption. Police authorities use IMSI catchers for shading suspects in order to locate their smartphones on an ongoing basis.

However, IMSI catchers are also the most popular espionage devices, part of the standard inventory of every secret service. During the last ten years, the problem had become endemic, especially around international conferences, so all major manufacturers of mobile equipment released devices for identifying and neutralizing “false base stations”. Against these “IMSI catcher-catchers” this longstanding monitoring method is without chance.

Use Handshake Data to create TLS Fingerprints

https://commons.wikimedia.org/wiki/File:Fingerprint_picture.svgWhile the whole world busily works on the next round of the Crypto Wars, the smart people work on actual information security. TLS has always been in the focus of inspection. Using on-the-fly generated certificates to look inside is a features of many gadgets and filter applications. Peeking at the data is moot if you control either the server or the client. If you have to break TLS on purpose (hopefully) inside your own network, you probably have to deal with software or system you cannot control. In this case TLS is the least of your security problems. Dealing with a lot of network traffic often uses a metadata approach in order not to process gigantic amounts of data. Enter TLS fingerprinting.

The TLS handshake contains a lot of parameters such as version numbers, cipher suites, extensions, elliptic curve options, and their order. Additionally you can look at messages sizes and timestamps. Measuring this data and hashing it makes for a nice identification metric. This technique called TLS fingerprinting. There exist some publications describing implementations and ways to obtain fingerprint data sets from either live traffic or captured data. Examples are JA3/JA3S, TLS Fingerprinting by Lee Brotherston, research by Cisco, or using the fingerprints in applications. There are databases published with known fingerprint values. You can also use the JA3 web site to see the hash your TLS client produces.

The Secure Linux Administration Conference (SLAC) 2019 will feature a presentation about this topic held by René Pfeiffer. In case you attend SLAC, have a look. Otherwise you should play with the implementations. The JA3 GitHub page has a list of them.

Getting ready for BSidesLondon – Support the Rookie Track!

BSidesLondon 2019 logoDeadlines are great. They serve as a great syscall. Everything must be ready and be written to disk. The schedule of BSidesLondon was already stored and forwarded. Have a look! It’s worth it! The titles sound great. We recommend having some IPv6 as a starter (IPv4 is really getting scarce these days). The main dish should have some pieces of cloud platforms, RF hacking, SOCs, and power grid. Emotet, GPUs, and Windows Event Log forensics.

Don’t forget to support the rookies by attending their presentations. They put a lot of effort into the preparation, and they have lots of interesting topics ready for you. The 15 minute slots are great to get an in-depth introduction into the topic. In addition the rookies rely on the feedback of everyone of you, especially the exploit-hardened veterans among you. Show them that you care by showing up!

Eth(er)ical Hacking – Hacker Defined Radio and analysing Signals

Bluetooth signal behind wireless LAN signal. Source: https://en.wikipedia.org/wiki/File:Bluetooth_signal_behind_wireless_lan_signal.png, Source: https://en.wikipedia.org/wiki/File:Bluetooth_signal_behind_wireless_lan_signal.pngThere is a lot going on in the wireless world. 5G is all the fashion, because frequencies are being auctioned. This is only the tip of the iceberg. Wireless protocols have become ubiquitous. The IEEE 802.11 family is one widespread example. Bluetooth, mobile networks, ZigBee, Z-Wave, and other wireless transmissions are widely used. If you go looking for signals, your first stop are usually industrial, scientific and medical (ISM) radio bands. But there is much more. It’s well worth to passively scan what’s all around you.

The equipment is often the main obstacle preventing hacker from doing something. When it comes to radio waves you need a suitable antenna (or a couple thereof) plus the hardware to drive it. Even if you limit yourself to passive operation you still need something to catch, amplify, and convert the signals to something meaningful a computer can use. The cost has dropped in the past years. Conversely the availability has increased. The catch-phrase is software-defined radio (SDR). The technology is present in ordinary devices such as a DVB-T USB dongles or USB-to-VGA converters. Gadgets like the HackRF One also allow for some decent first steps in exploring the wireless world. If you have more money to spend, you can go for more options in terms of hardware capabilities.

Why do this? What’s the deal with wireless stuff anyway? Well, back in the early days of Wi-Fi the war driving folks didn’t ask this question. Going around and peeking at 802.11 installations is still very fruitful when it comes to penetration testing and information security defence. The Internet of Things (IoT) ecosystem heavily relies on wireless transmissions. In addition a lot of protocols don’t take security very serious. If few people bother to buy SDR receivers, why bother? Right? The list of devices has grown in the past years. Nowadays pace makers, remote-controlled vehicles (think drones!), wireless (car) keys, door openers, sensors, mobile phones, payment terminals, and the Global Positioning System (GPS) are just a small selection of wireless targets for both passive detection and active attacks.

If you have content regarding wireless detection of threats, attack vectors, training material, or interesting findings, please consider submitting them to DeepSec or DeepINTEL.

BSidesLondon Rookie Track – Personalities, Stories, Presentations

Logo of BSidesLondon 2019, https://www.securitybsides.org.uk/In past articles we have written about the BSidesLondon Rookie Track. We also spread to call for mentors a while ago. Let’s talk about the people who will present at the Rookie Track and who haven’t spoken at conferences yet. While there exist a lot of helpful advice out there on how to speak, how to prepare, how to structure your presentation, there is one thing that can’t be created from scratch – your personality. It defines a lot of what you will be doing on the stage. It will also be a key component of your talk, so you should spend some time to think about this important factor.

Social media, blogs, and discussions sometimes mention the term infosec rock star. This label carries a lot of different meanings. More often than not it describes the negative effects of seeing a show on stage with less content than anticipated. Presenting a topic to an audience is related to the performance of actors. Courses teaching didactics and how to speak to students are frequently held by acting instructors. There is a reason for that. The human mind has its ways of communicating. While technology has made gigantic leaps, there are still humans sitting at the keyboard, in front of screens, and in the auditorium. Good teachers know about the constraints of how to talk to human beings. BSidesLondon captures this fact in the motto for 2019 – the machines are not learning. But people do learn – provided you know how to communicate adequately. Enter your personality.

Watching presentations and seeing how others do it can be a helpful resource. However you cannot copy everything. You can learn methods, ways of speaking, facts, and how to use illustrations. You will always be confined to your personality though. This is not a disadvantage. The first thing you have to do is to find out what type of personality you are. There are some frameworks to characterise the types, for example the coach, the inventor, the researcher, the storyteller, the counsellor, the teacher, and more classifications. All types have strengths and weaknesses. The most important issue is to know about this. Know your limits, and know what you can really do well.

Once you know your personality, or at least its classification, then you can deal with the second most important part of your presentation – the story. Think of all that you have learned. Do you know what all the facts and skills have in common? Most were taught to you by using a story. Storytelling is what gives the facts you want to deliver the red line that ties everything together. If you act as a guide in a story leading your audience from a gentle introduction to the revelation in the third chapter, then you did a good job.

Ongoing DeepSec Call for Workshops – Trainers welcome!

Science First! rat. © 2017 Florian StockerThe Call for Workshops for the DeepSec conference in November 2019 is still open. If you have something to teach, let us know as soon as possible! We intend to inform potential trainees in the beginning of May about their options. This allows for a better planning and preparation, because we receive early requests for workshop content every year. So if you have something to teach, please let us know! You don’t need to use the Call for Papers manager in case you have content ready in a different format or just want to send us teaser materials.

Topics we are looking for include (applied) cryptography, secure software development & design, helpful in-depth hints for penetration testers, sensible guides for combining machine learning/artificial intelligence with information security, in-depth network knowledge, threat hunting, and strategic information security. Please do not submit hype content or buzzword trainings. DeepSec is all about information that is useful and has a strong connection to the real world. If your work is tied to a research project, then we are especially welcoming your contribution.

Network Security right from the Beginning – Introducing DHCP-over-TLS (DoT)

A generic description of the Request For Comments (RFC), fragement from presentation slide.Every security researcher knows: If you want to secure a system, do it as early as possible. This is why Trusted Computing, Secure Boot, Trusted Execution Technology, and many more technologies were invented – to get the operating system safely off the ground right at boot time. After the booting process additional components have to be initialised. Dependencies are common in this stage. The second most important resource next to the local machine is the network. Most modern programming languages highly rely on network connection to get any work done. Local storage and memory is merely a big cache for temporary data to them. So how do you create a trusted boot process beyond the initial network configuration? The answer is easy. You just combine two highly mature and reliable protocols – Dynamic Host Configuration Protocol (DHCP) and Transport Layer Security (TLS). Everything is done via TLS these days, because encryption is the answer to every single security problem.

DHCP-over-TLS (DoT) clients carry a list of trustworthy certificate authorities (TCAs). These authorities are strictly controlled and adhere to the highest security standards. The DHCP discovery phase itself is not different from the classic protocol. The client will still get an answer from a DoT-enable DHCP server, but the offer packet will include additional DHCP options indicating that a TLS handshake is required. Both client and server then engage in a TLS connection where the DHCP offer packet is repeated (for security reasons, always transmit sensitive data twice), followed by the normal request, acknowledgement, inform, or release packets. DoT servers can opt to deny access to clients without a valid certificate. In turn DoT clients can be fitted with a custom list of certificate authorities to allow configuration of restricted networks.

Overall it is a good compromise between SeND and 802.11X. It is the best of all worlds, so to speak. DoT bound to revolutionise the IoT world, and it will probably come with a free blockchain, too.

Remembering Mike Kemp (@clappymonkey)

https://twitter.com/clappymonkeyThis blog post has no tags, because we cannot come up with any. Mike Kemp, also known as @clappymonkey on Twitter, has died. He spoke at the DeepSec conference back in 2012. We regularly saw him at other events and kept in touch. We have lost a great colleague. It is impossible to express what he was to you, us, and his family and friends. Our sympathies are with all of you who lost him as partner, friend, companion, mentor, and relative. We will miss him dearly.

The fine Art of Mentorship

South Indian Filter Coffee; source: https://commons.wikimedia.org/wiki/File:South_Indian_Filter_Coffee.jpgWe will support the Rookie Track at BSidesLondon in 2019 again. This is a perfect way for rookies to get started on presenting at a conference. However it is much more – the stages before the presentation is held. Preparing for 15 minutes of talk will keep you busy for ten or twenty times the amount you spend presenting. It depends on the research you have to do, the illustrations you have to create, the code samples, the tests, and a lot more things that need to be sorted out. That’s not an easy task. But you do not have to do it alone.

BSidesLondon is looking for rookies and mentors. If you have experience in IT security, being on stage for presentations, research, and preparing materials for workshops and talks, then you should consider applying as mentor for the rookie track. Call for mentors has started on 15 February. Rookies are already working on their topics, so help them present it. They will learn from your experience. You will learn from their questions and their perspective of approaching topics you might know inside out. Questioning yourself won’t give you any new insights. Let others do this, and help them to benefit from your experience.

Since we also have presentations slots for young researcher, let us know if your are interested in being a mentor in general. We are planning to extend our rookie programme for the DeepSec 2019 and beyond. More details will follow.

 

Translated Press Release: IT Security is increasingly dominated by Geopolitics

DeepSec and DeepINTEL conference open call for papers – submission for lectures and trainings are in demand.Anyone who reads the technology part of their favourite magazine can hardly escape the promises of future network technologies. Your own car becomes a smartphone. The talking fridge becomes a therapist. 5G mobile networks promise high-speed fibre optic streaming of data on the speed-limited electric scooter. The second reading reveals the meaning of the letter G in 5G – it stands for geopolitics. As part of the network expansion, there are discussions about hidden killswitches for emergency shutdowns, entire networks and backdoors to eavesdrop on customers. In November, the DeepSec In-Depth Security Conference addresses the technical challenges of the Internet of Things, emerging network technologies, and geopolitical constraints dictated by key events of the last 6 years.

5G as a continuation of the Trade Wars

There are very few mobile network technology providers worldwide. The name Huawei has been mentioned quite often in recent months in the news coverage. The benefits of the offered products or the actual implementations of the new mobile radio standard 5G are seldom discussed. Instead, it is about the charge of secretly built emergency shutdowns that can paralyze the entire mobile network of an operator in one fell swoop. And about accusations of supposedly hidden code that allows remote access and copying of data from the network. Equipped with many allegations without concrete evidence, an exclusion of Chinese telecommunications equipment is currently being discussed in certain Western countries. The worries are justified, nevertheless they are familiar to security researchers. Almost all computers used in Europe and elsewhere seldom come from the countries where they actually do their work. The chips, the firmware and many other hardware and software ingredients are being built elsewhere. Since in the last decades one had systematically refrained from questioning,, let alone understand, the content of the box behind the keyboard or touchscreen, the allegations are driven by imagination.

IT security research can only counter this with facts and solid research. Robert Hannigan, former head of the British intelligence service GCHQ, has confirmed that the National Cyber Security Center (NCSC) has spent many years concerning themselves with components from Chinese supply chains. So far, according to his statement, there has been no evidence of government-mandated covert attacks by Huawei hardware. Since 2010 NCSC has access to the source code of the products with the help of the Huawei Security Evaluation Center (HSEC). The purpose behind this is certification by the NCSC before technology can be used in sensitive areas. Herewith, Robert Hannigan directly contradicts the allegations from the US and the assessment of Gerhard Schindler, the former president of the German Federal Intelligence Service (BND). In addition, critics are ignoring the legal surveillance interfaces already required in Europe, standardized by the European Telecommunications Standards Institute (ETSI). Incidentally, these specifications apply to all providers who want to build networks in Europe.

Intranet instead of Internet

The current news situation therefore illustrates very well what you should pay attention to in information security. Securing your own data has long ceased to be done with individual isolated considerations. Also, the DeepSec conference has a long history of mobile security research, from the first public release of vulnerabilities in the A5/1 encryption algorithm (between phone and cell) to security issues with smartphones. This area is just one example, and has gained immense importance due to the rapid spread of mobile technology. To revisit the discussed Killswitch in networks: The idea to control information networks in a national emergency is not new. President Franklin D. Roosevelt has already implemented this in the Communications Act of 1934. At that time it was about media. In the proposed Protecting Cyberspace as a National Asset Act of 2010, one wanted to do the same for the Internet, with the difference of a shutdown rather than control. The proposed law of 2010 fell without getting votes, because the technical implementation was not clear and still is not. The idea to paralyze communication networks at will with a simple switch  worked well on the movie screen or on TV in the past – unfortunately, now information is streamed via the Internet.The alternative is a strictly national network. The Iranian government is working on an Iranian intranet, spurred on by the protests in 2009. The Chinese firewall is trying to do something similar, albeit through rigorous filters driven by newsrooms. Russia is currently also testing to disconnect from the Internet. The communication networks will still work then, but they plan to separate them from the rest of the world. De facto, this is the low-fat variant of the Killswitches. Both approaches demonstrate how enormously important the Internet has become – it can not be ignored anymore. This is even more true for companies than for countries.

Digital Realism

Realistically, it makes little sense to make the own population and the state first dependent on a network, and then to turn it off again. The longing for local networks proves that. In companies it is no different. Data must be exchanged and communication must take place. Serious information security must therefore investigate how the integrity of the infrastructure and data can be maintained even in adverse circumstances. The most important point is the secure design of applications right from the start. At the past DeepSec conferences there were plenty of lectures and training courses for developers and planners. IT Security has the reputation of being sort of a stumbling block. In fact, the opposite is true. Past security incidents and published documents about organized vulnerabilities such as those revealed by Edward Snowden are and have been essential building blocks for improving security in our everyday lives. The prerequisite for this is, paradoxically, a free exchange between security researchers. A national intranet, bans on cryptographic algorithms, filters on published content or similar restrictions are therefore the most uncertain counterpoint to the necessary security in the digital world.Therefore, the DeepSec conference explicitly does not only want to address security experts. The penetration of digital networks requires the involvement of companies, developers, the hacker community, authorities, users, infrastructure managers, designers and interdisciplinary scientists for a sensible further development of IT security measures. People in advisory capacity are expressly invited to participate in the exchange of experiences and ideas in Vienna in November.

Contributions wanted – Call for Papers

The DeepSec conference plans to focus this year on the link between geopolitics and information security. Therefore, until July 31 2019, we are looking for lectures on technologies that affect both worlds. Specifically, the challenges for industrial and control systems, the Internet of Things, all mobile communication technology (from car to telephone), the use of algorithms and modern data management. We are currently experiencing an accelerated mixing of new and existing methods. Security researchers are in demand who creatively deal with the current possibilities and point out weaknesses. Risks can only be managed if you know them. The program committee is therefore looking forward to as many submissions as possible, which scrutinize trends and so-called future technologies under the digital microscope.The two-day trainings before the DeepSec conference are also part of the call for papers. Trainers who want to share their knowledge are welcome to submit courses. Accepted courses are announced ahead of time to help participants plan their bookings.

Programs and booking

The DeepSec 2019 conference takes place on the 28th and 29th of November.

At the same time, the ROOTS 2019 lectures will be held in a separate room next to the DeepSec conference. The DeepSec trainings will take place on the two preceding days, 26th and 27th of November.

The DeepINTEL conference will take place on November 27th.
Upon request to deepsec@deepsec.net we’ll be glad to send you the program.
Tickets are available on the website https://deepintel.net/.

The venue for DeepSec, DeepINTEL and ROOTS 2019 is The Imperial Riding School Vienna – A Renaissance Hotel, Ungargasse 60, 1030 Vienna.

Submissions can be made at https://deepsec.net/cfp.html. The current program of events will be announced after the submission deadlines.

Tickets for the DeepSec conference as well as ROOTS 2019 and DeepSec trainings can be ordered at any time at https://deepsec.net/register.html.

DeepSec 2019 – Call for Papers – Security Research Results wanted!

An OpenWebRX screenshot of http://sdr.dy.fi 1386 kHz Sitkunai, LithuaniaThe DeepSec 2019 In-Depth Security Conference is calling for presentations and trainings. We are interested in your information security research. Since 2007 DeepSec has aimed to provide in-depth analysis of design flaws, vulnerabilities, bugs, failures, and ways to improve our existing IT ecosystem. We need more high quality reviews of code and concepts we rely on every day. Digital processing power and network connections have become ubiquitous. So the focus of this year’s DeepSec will be on the Internet of Things (IoT), processing/moving data (small and big), infrastructure (critical and convenient), the statistics of data analysis (also called machine learning), real artificial intelligence (not statistics or clever use of Markov chains), and the current state and future of information security research.

Due to past and current geopolitical events affecting information technology and the security thereof the unofficial motto of the DeepSec 2019 Call for Papers will be  “Internet of Facts and Fears”. Disinformation is part of warfare, and the information domain in the digital age has been a battleground for decades. We do not know if peak information war has been reached yet. However we do know that information security research has become a target in itself. A long time ago there was the discussion about full/responsible/no disclosure of security vulnerabilities. We have moved on, but issues of the past, such as the Crypto Wars, have caught up. The upcoming 5G networks raise the same discussions as their predecessors, albeit earlier than the roll-out is scheduled. If you have any input on these issues, please consider submitting your content.

The Reversing and Offensive-oriented Trends Symposium (ROOTS) 2019 will be co-hosted with DeepSec 2019 again. We still believe that sensible information security must be done scientifically. In addition we will provide a platform for research teams to present their ongoing work. Last year Mathias Zeppelzauer gave an overview about the work of the Sonicontrol team. We hope to give more research projects an opportunity to talk about their research goals.

Head to our CfP section and submit your presentation or training!