Getting ready for BSidesLondon – Support the Rookie Track!

BSidesLondon 2019 logo

Deadlines are great. They serve as a great syscall: everything must be ready and be written to disk. The schedule of BSidesLondon was already stored and forwarded. Have a look! It’s worth it! The titles sound great. We recommend having some IPv6 as a starter (IPv4 is really getting scarce these days). The main dish should have some pieces of cloud platforms, RF hacking, SOCs, power grids, Emotet, GPUs, and Windows Event Log forensics.

Don’t forget to support the rookies by attending their presentations. They put a lot of effort into the preparation, and they have lots of interesting topics ready for you. The 15-minute slots are great for getting an in-depth introduction to a topic. In addition, the rookies rely on the feedback of every one of you, especially the exploit-hardened veterans among you. Show them that you care by showing up!

Eth(er)ical Hacking – Hacker Defined Radio and analysing Signals

Bluetooth signal behind wireless LAN signal. Source: https://en.wikipedia.org/wiki/File:Bluetooth_signal_behind_wireless_lan_signal.png

There is a lot going on in the wireless world. 5G is all the fashion, because frequencies are being auctioned. This is only the tip of the iceberg. Wireless protocols have become ubiquitous. The IEEE 802.11 family is one widespread example. Bluetooth, mobile networks, ZigBee, Z-Wave, and other wireless transmissions are widely used. If you go looking for signals, your first stop is usually the industrial, scientific and medical (ISM) radio bands. But there is much more. It is well worth passively scanning what is all around you.

The equipment is often the main obstacle preventing hackers from doing something. When it comes to radio waves you need a suitable antenna (or a couple thereof) plus the hardware to drive it. Even if you limit yourself to passive operation, you still need something to catch, amplify, and convert the signals into something meaningful a computer can use. The cost has dropped in the past years, and availability has increased. The catch-phrase is software-defined radio (SDR). The technology is present in ordinary devices such as DVB-T USB dongles or USB-to-VGA converters. Gadgets like the HackRF One also allow for some decent first steps in exploring the wireless world. If you have more money to spend, you can go for more options in terms of hardware capabilities.

Why do this? What’s the deal with wireless stuff anyway? Well, back in the early days of Wi-Fi the war driving folks didn’t ask this question. Going around and peeking at 802.11 installations is still very fruitful when it comes to penetration testing and information security defence. The Internet of Things (IoT) ecosystem heavily relies on wireless transmissions. In addition, a lot of protocols don’t take security very seriously. If few people bother to buy SDR receivers, why bother? Right? The list of devices has grown in the past years. Nowadays pacemakers, remote-controlled vehicles (think drones!), wireless (car) keys, door openers, sensors, mobile phones, payment terminals, and the Global Positioning System (GPS) are just a small selection of wireless targets for both passive detection and active attacks.

If you have content regarding wireless detection of threats, attack vectors, training material, or interesting findings, please consider submitting them to DeepSec or DeepINTEL.

BSidesLondon Rookie Track – Personalities, Stories, Presentations

Logo of BSidesLondon 2019, https://www.securitybsides.org.uk/

In past articles we have written about the BSidesLondon Rookie Track. We also spread the call for mentors a while ago. Let’s talk about the people who will present at the Rookie Track and who haven’t spoken at conferences yet. While there exists a lot of helpful advice out there on how to speak, how to prepare, and how to structure your presentation, there is one thing that can’t be created from scratch – your personality. It defines a lot of what you will be doing on the stage. It will also be a key component of your talk, so you should spend some time thinking about this important factor.

Social media, blogs, and discussions sometimes mention the term infosec rock star. This label carries a lot of different meanings. More often than not it describes the negative effects of seeing a show on stage with less content than anticipated. Presenting a topic to an audience is related to the performance of actors. Courses teaching didactics and how to speak to students are frequently held by acting instructors. There is a reason for that. The human mind has its ways of communicating. While technology has made gigantic leaps, there are still humans sitting at the keyboard, in front of screens, and in the auditorium. Good teachers know about the constraints of how to talk to human beings. BSidesLondon captures this fact in the motto for 2019 – the machines are not learning. But people do learn – provided you know how to communicate adequately. Enter your personality.

Watching presentations and seeing how others do it can be a helpful resource. However you cannot copy everything. You can learn methods, ways of speaking, facts, and how to use illustrations. You will always be confined to your personality though. This is not a disadvantage. The first thing you have to do is to find out what type of personality you are. There are some frameworks to characterise the types, for example the coach, the inventor, the researcher, the storyteller, the counsellor, the teacher, and more classifications. All types have strengths and weaknesses. The most important issue is to know about this. Know your limits, and know what you can really do well.

Once you know your personality, or at least its classification, then you can deal with the second most important part of your presentation – the story. Think of all that you have learned. Do you know what all the facts and skills have in common? Most were taught to you by using a story. Storytelling is what gives the facts you want to deliver the common thread that ties everything together. If you act as a guide in a story, leading your audience from a gentle introduction to the revelation in the third chapter, then you did a good job.

Ongoing DeepSec Call for Workshops – Trainers welcome!

Science First! rat. © 2017 Florian Stocker

The Call for Workshops for the DeepSec conference in November 2019 is still open. If you have something to teach, let us know as soon as possible! We intend to inform potential trainees at the beginning of May about their options. This allows for better planning and preparation, because we receive early requests for workshop content every year. So if you have something to teach, please let us know! You don’t need to use the Call for Papers manager in case you have content ready in a different format or just want to send us teaser materials.

Topics we are looking for include (applied) cryptography, secure software development & design, helpful in-depth hints for penetration testers, sensible guides for combining machine learning/artificial intelligence with information security, in-depth network knowledge, threat hunting, and strategic information security. Please do not submit hype content or buzzword trainings. DeepSec is all about information that is useful and has a strong connection to the real world. If your work is tied to a research project, we especially welcome your contribution.

Network Security right from the Beginning – Introducing DHCP-over-TLS (DoT)

A generic description of the Request For Comments (RFC), fragment from presentation slide.

Every security researcher knows: If you want to secure a system, do it as early as possible. This is why Trusted Computing, Secure Boot, Trusted Execution Technology, and many more technologies were invented – to get the operating system safely off the ground right at boot time. After the booting process additional components have to be initialised. Dependencies are common in this stage. The second most important resource next to the local machine is the network. Most modern programming languages rely heavily on network connections to get any work done. Local storage and memory are merely a big cache for temporary data to them. So how do you create a trusted boot process beyond the initial network configuration? The answer is easy. You just combine two highly mature and reliable protocols – Dynamic Host Configuration Protocol (DHCP) and Transport Layer Security (TLS). Everything is done via TLS these days, because encryption is the answer to every single security problem.

DHCP-over-TLS (DoT) clients carry a list of trustworthy certificate authorities (TCAs). These authorities are strictly controlled and adhere to the highest security standards. The DHCP discovery phase itself is no different from the classic protocol. The client will still get an answer from a DoT-enabled DHCP server, but the offer packet will include additional DHCP options indicating that a TLS handshake is required. Both client and server then engage in a TLS connection where the DHCP offer packet is repeated (for security reasons, always transmit sensitive data twice), followed by the normal request, acknowledgement, inform, or release packets. DoT servers can opt to deny access to clients without a valid certificate. In turn DoT clients can be fitted with a custom list of certificate authorities to allow configuration of restricted networks.

Overall it is a good compromise between SeND and 802.1X. It is the best of all worlds, so to speak. DoT is bound to revolutionise the IoT world, and it will probably come with a free blockchain, too.

Remembering Mike Kemp (@clappymonkey)

https://twitter.com/clappymonkey

This blog post has no tags, because we cannot come up with any. Mike Kemp, also known as @clappymonkey on Twitter, has died. He spoke at the DeepSec conference back in 2012. We regularly saw him at other events and kept in touch. We have lost a great colleague. It is impossible to express what he was to you, us, and his family and friends. Our sympathies are with all of you who lost him as partner, friend, companion, mentor, and relative. We will miss him dearly.

The fine Art of Mentorship

South Indian Filter Coffee; source: https://commons.wikimedia.org/wiki/File:South_Indian_Filter_Coffee.jpg

We will support the Rookie Track at BSidesLondon in 2019 again. This is a perfect way for rookies to get started on presenting at a conference. However, it is much more than that – the stages before the presentation is held matter just as much. Preparing for 15 minutes of talk will keep you busy for ten or twenty times the amount of time you spend presenting. It depends on the research you have to do, the illustrations you have to create, the code samples, the tests, and a lot more things that need to be sorted out. That’s not an easy task. But you do not have to do it alone.

BSidesLondon is looking for rookies and mentors. If you have experience in IT security, being on stage for presentations, research, and preparing materials for workshops and talks, then you should consider applying as a mentor for the rookie track. The call for mentors started on 15 February. Rookies are already working on their topics, so help them present them. They will learn from your experience. You will learn from their questions and their perspective of approaching topics you might know inside out. Questioning yourself won’t give you any new insights. Let others do this, and help them to benefit from your experience.

Since we also have presentation slots for young researchers, let us know if you are interested in being a mentor in general. We are planning to extend our rookie programme for DeepSec 2019 and beyond. More details will follow.


Translated Press Release: IT Security is increasingly dominated by Geopolitics

DeepSec and DeepINTEL conference open call for papers – submissions for lectures and trainings are in demand.

Anyone who reads the technology part of their favourite magazine can hardly escape the promises of future network technologies. Your own car becomes a smartphone. The talking fridge becomes a therapist. 5G mobile networks promise high-speed fibre optic streaming of data on the speed-limited electric scooter. The second reading reveals the meaning of the letter G in 5G – it stands for geopolitics. As part of the network expansion, there are discussions about hidden killswitches for emergency shutdowns of entire networks and backdoors to eavesdrop on customers. In November, the DeepSec In-Depth Security Conference addresses the technical challenges of the Internet of Things, emerging network technologies, and geopolitical constraints dictated by key events of the last 6 years.

5G as a continuation of the Trade Wars

There are very few mobile network technology providers worldwide. The name Huawei has been mentioned quite often in recent months in the news coverage. The benefits of the offered products or the actual implementations of the new mobile radio standard 5G are seldom discussed. Instead, it is about the charge of secretly built emergency shutdowns that can paralyze the entire mobile network of an operator in one fell swoop. And about accusations of supposedly hidden code that allows remote access and copying of data from the network. Equipped with many allegations without concrete evidence, an exclusion of Chinese telecommunications equipment is currently being discussed in certain Western countries. The worries are justified; nevertheless they are familiar to security researchers. Almost all computers used in Europe and elsewhere come from countries other than the ones where they actually do their work. The chips, the firmware and many other hardware and software ingredients are being built elsewhere. Since in the last decades one had systematically refrained from questioning, let alone understanding, the content of the box behind the keyboard or touchscreen, the allegations are driven by imagination.

IT security research can only counter this with facts and solid research. Robert Hannigan, former head of the British intelligence service GCHQ, has confirmed that the National Cyber Security Centre (NCSC) has spent many years concerning itself with components from Chinese supply chains. So far, according to his statement, there has been no evidence of government-mandated covert attacks by Huawei hardware. Since 2010 the NCSC has had access to the source code of the products with the help of the Huawei Security Evaluation Centre (HSEC). The purpose behind this is certification by the NCSC before technology can be used in sensitive areas. With this, Robert Hannigan directly contradicts the allegations from the US and the assessment of Gerhard Schindler, the former president of the German Federal Intelligence Service (BND). In addition, critics are ignoring the lawful surveillance interfaces already required in Europe, standardized by the European Telecommunications Standards Institute (ETSI). Incidentally, these specifications apply to all providers who want to build networks in Europe.

Intranet instead of Internet

The current news situation therefore illustrates very well what you should pay attention to in information security. Securing your own data has long ceased to be a matter of individual isolated considerations. Also, the DeepSec conference has a long history of mobile security research, from the first public release of vulnerabilities in the A5/1 encryption algorithm (between phone and cell) to security issues with smartphones. This area is just one example, and it has gained immense importance due to the rapid spread of mobile technology. To revisit the discussed killswitch in networks: The idea of controlling information networks in a national emergency is not new. President Franklin D. Roosevelt already implemented this in the Communications Act of 1934. At that time it was about media. In the proposed Protecting Cyberspace as a National Asset Act of 2010, one wanted to do the same for the Internet, with the difference of a shutdown rather than control. The proposed law of 2010 fell without getting votes, because the technical implementation was not clear and still is not. The idea of paralyzing communication networks at will with a simple switch worked well on the movie screen or on TV in the past – unfortunately, now information is streamed via the Internet.

The alternative is a strictly national network. The Iranian government is working on an Iranian intranet, spurred on by the protests in 2009. The Chinese firewall is trying to do something similar, albeit through rigorous filters driven by newsrooms. Russia is currently also testing disconnecting from the Internet. The communication networks will still work then, but they plan to separate them from the rest of the world. De facto, this is the low-fat variant of the killswitch. Both approaches demonstrate how enormously important the Internet has become – it cannot be ignored anymore. This is even more true for companies than for countries.

Digital Realism

Realistically, it makes little sense to make one’s own population and the state first dependent on a network, and then to turn it off again. The longing for local networks proves that. In companies it is no different. Data must be exchanged and communication must take place. Serious information security must therefore investigate how the integrity of the infrastructure and data can be maintained even in adverse circumstances. The most important point is the secure design of applications right from the start. At the past DeepSec conferences there were plenty of lectures and training courses for developers and planners. IT security has the reputation of being sort of a stumbling block. In fact, the opposite is true. Past security incidents and published documents about organized vulnerabilities such as those revealed by Edward Snowden are and have been essential building blocks for improving security in our everyday lives. The prerequisite for this is, paradoxically, a free exchange between security researchers. A national intranet, bans on cryptographic algorithms, filters on published content or similar restrictions are therefore the most insecure counterpoint to the necessary security in the digital world.

Therefore, the DeepSec conference explicitly does not only want to address security experts. The penetration of digital networks requires the involvement of companies, developers, the hacker community, authorities, users, infrastructure managers, designers and interdisciplinary scientists for a sensible further development of IT security measures. People in an advisory capacity are expressly invited to participate in the exchange of experiences and ideas in Vienna in November.

Contributions wanted – Call for Papers

The DeepSec conference plans to focus this year on the link between geopolitics and information security. Therefore, until July 31 2019, we are looking for lectures on technologies that affect both worlds. Specifically, the challenges for industrial and control systems, the Internet of Things, all mobile communication technology (from car to telephone), the use of algorithms and modern data management. We are currently experiencing an accelerated mixing of new and existing methods. Security researchers are in demand who creatively deal with the current possibilities and point out weaknesses. Risks can only be managed if you know them. The program committee is therefore looking forward to as many submissions as possible which scrutinize trends and so-called future technologies under the digital microscope.

The two-day trainings before the DeepSec conference are also part of the call for papers. Trainers who want to share their knowledge are welcome to submit courses. Accepted courses are announced ahead of time to help participants plan their bookings.

Programs and booking

The DeepSec 2019 conference takes place on the 28th and 29th of November.

At the same time, the ROOTS 2019 lectures will be held in a separate room next to the DeepSec conference. The DeepSec trainings will take place on the two preceding days, 26th and 27th of November.

The DeepINTEL conference will take place on November 27th.
Upon request to deepsec@deepsec.net we’ll be glad to send you the program.
Tickets are available on the website https://deepintel.net/.

The venue for DeepSec, DeepINTEL and ROOTS 2019 is The Imperial Riding School Vienna – A Renaissance Hotel, Ungargasse 60, 1030 Vienna.

Submissions can be made at https://deepsec.net/cfp.html. The current program of events will be announced after the submission deadlines.

Tickets for the DeepSec conference as well as ROOTS 2019 and DeepSec trainings can be ordered at any time at https://deepsec.net/register.html.

DeepSec 2019 – Call for Papers – Security Research Results wanted!

An OpenWebRX screenshot of http://sdr.dy.fi, 1386 kHz Sitkunai, Lithuania

The DeepSec 2019 In-Depth Security Conference is calling for presentations and trainings. We are interested in your information security research. Since 2007 DeepSec has aimed to provide in-depth analysis of design flaws, vulnerabilities, bugs, failures, and ways to improve our existing IT ecosystem. We need more high quality reviews of code and concepts we rely on every day. Digital processing power and network connections have become ubiquitous. So the focus of this year’s DeepSec will be on the Internet of Things (IoT), processing/moving data (small and big), infrastructure (critical and convenient), the statistics of data analysis (also called machine learning), real artificial intelligence (not statistics or clever use of Markov chains), and the current state and future of information security research.

Due to past and current geopolitical events affecting information technology and the security thereof, the unofficial motto of the DeepSec 2019 Call for Papers will be “Internet of Facts and Fears”. Disinformation is part of warfare, and the information domain in the digital age has been a battleground for decades. We do not know if peak information war has been reached yet. However, we do know that information security research has become a target in itself. A long time ago there was the discussion about full/responsible/no disclosure of security vulnerabilities. We have moved on, but issues of the past, such as the Crypto Wars, have caught up. The upcoming 5G networks raise the same discussions as their predecessors, albeit earlier than the roll-out is scheduled. If you have any input on these issues, please consider submitting your content.

The Reversing and Offensive-oriented Trends Symposium (ROOTS) 2019 will be co-hosted with DeepSec 2019 again. We still believe that sensible information security must be done scientifically. In addition, we will provide a platform for research teams to present their ongoing work. Last year Mathias Zeppelzauer gave an overview of the work of the Sonicontrol team. We hope to give more research projects an opportunity to talk about their research goals.

Head to our CfP section and submit your presentation or training!

Supporting BSidesLondon “My Machine is not Learning” 2019

This year’s BSidesLondon is pondering the most important question of machine learning. What is my machine doing and learning? Well, it might be that “My Machine is not Learning” at all. Sounds a lot like the intelligence we all know from living beings. So, armed with this new motto, BSidesLondon is turning 9, and we will support the Rookie Track again. The winner gets a trip to Vienna and free entry to DeepSec 2019. Get going and get started with your presentation! It’s worth it, and we love to welcome you in Vienna! Ask @5w0rdFish about it.

If you are looking for research topics, please drop us a line. We have some ideas about good questions and things to explore.

See you in London!

Save the Date for DeepINTEL and DeepSec 2019

We did some clean-up and dealt with the administrative issues of past and future events. Finally we can announce the dates for DeepINTEL 2019 and DeepSec 2019. Grab your calendars or log into them:

  • DeepSec 2019 Trainings – 26/27 November 2019
  • DeepSec 2019 Conference – 28/29 November 2019
  • DeepINTEL 2019 – 27 November 2019

The conference hotel is the same as for every DeepSec. We haven’t changed our location. As for the date, yes, we announced at the closing ceremony that we wouldn’t collide with Thanksgiving. We tried hard to avoid this, but given the popularity of Vienna as a conference and event city we had no choice. For 2020 and consecutive years we will do early reservations in order to avoid the week of Thanksgiving.

The call for papers opens soon, as does our ticket shop. For the latter we have made some changes to the payment options. We will explain them in a separate article. The topical focus of the call for papers will follow current technology, but not trends. Connected systems in production are the focus of attacks, not buzzwords. Unless they are connected to the Internet, of course.

So mark the dates in your calendar. Hope to see you in Vienna!

Translated Article: Campaign of the Spy Alliance “Five Eyes” against WhatsApp and Co

Original: „Feldzug der Spionageallianz „Five Eyes“ gegen WhatsApp und Co“, published on fm4 by Erich Moechel

The current scattered news and reports on “encryption” belong together. The military secret services of the “Five Eyes” conduct a global campaign; in Australia they’ve already reached their first milestone.

Every two years, around the same time, a campaign of the espionage alliance “Five Eyes” against encryption programs takes place. Unlike in 2016, the new campaign has reached its first goal in a flash. In early December, a bill was passed in the Australian Parliament obliging Internet companies to break up encrypted communications.

The providers of Whatsapp, Snapchat, and Co are hereby required to build surveillance interfaces into their apps to give hidden access to the Australian law enforcement. In a parliamentary coup – without discussion or amendments – the “Assistance and Access Act” created a global precedent. The campaign is orchestrated by the British GCHQ, which had published a programmatic plea for backdoors a few days before the coup took place.

Moderate Proposal for Conference Calls

It was written by Ian Levy, the director of the British National Cyber Security Centre, which belongs to the military intelligence service GCHQ. The essay, which was published in late November on the prestigious “Lawfare” blog, was very moderately titled “Principles for a More Informed Exceptional Access Debate”. This holds true for the first two thirds of the text, which is about “necessary transparency”, “privacy and security”, and about all things planned for monitoring. To enable these “exceptions”, providers of messaging services such as Apple, Facebook, Snapchat, et al. should be required to install surveillance interfaces in the same way as telecoms providers.

In a chat of two or more people a hidden account should be added secretly – that’s the core message of the GCHQ. It refers to conference calls that were used in analog telephony until the early days of mobile networks for monitoring purposes, i.e. before there were standardized, specialized monitoring interfaces. This was done to meet the legal requirements for the monitoring of all networks.

Cloak and Dagger Operation in Down under

Just a few days after these moderate proposals of the GCHQ, a law was passed by the Parliament of Australia through a covert operation of the two major parties. Because of 171 amendments by the Labour party, a lengthy debate had been expected, but, quite unexpectedly, the Social Democrats withdrew all motions last week. This cleared the way, and the “Assistance and Access Act” was passed with a large majority, together with the vague promise that objections would be considered later on.

The law does not only impose severe penalties if a provider doesn’t cooperate; even the consultation of technicians is punishable if it serves to circumvent these measures, and the consultant will also be prosecuted. First the Australian IT industry was caught off guard by this coup, then there was an uproar. They, of course, immediately understood what consequences this overarching law would have on the industry. Whoever operates communication channels would have to incorporate a “trap-and-trace” for the concealed monitoring by third parties. The Australian market leader Telstra is one of the largest IT players in the South Pacific, with branches in 20 states, from the Philippines to China to Malaysia.

GCHQ Campaign Number Two

Clearly, the GCHQ’s moderate proposals for conference calls lead to serious interventions in the software of the apps themselves. In fact, options have to be built in to manipulate the display of the chat participants. In the service operator’s network, specially secured “conference servers” have to be set up to transfer these “conferences” to the prosecutors in audio, video or text format. Not surprisingly, this is not mentioned in the GCHQ’s proposals; instead it is emphasized that these would only apply in “exceptional cases”, and that it is not expected that 100 percent of the orders could be executed.

At the same time, the GCHQ has raised a second, intertwined campaign. The GCHQ complains about the prevalence of encrypted communications, which rose to 95 percent of the data exchange. If it’s not possible to create new legal frameworks that allow for targeted monitoring of messenger services, then the GCHQ would find itself forced to significantly increase its metadata monitoring on the fibre optics. So the problem is that 95 percent of the traffic is encrypted. How this fits in with the claim that access to encrypted records shall only be required in “exceptional cases” is not explained.

The Purpose of the moderate Proposal

The same day the moderate proposals of the GCHQ were published, US Attorney General Rod Rosenstein met the press and complained about the increase of encrypted communication. This would make it more and more impossible for police authorities to do their job, said the top US prosecutor. Similar comments were also received from Canada and New Zealand, so all Five Eyes are represented. Unlike in 2016, this time, not the prosecutors, but the military intelligence services are in charge, which are now touchingly concerned with the issues of civilian prosecutors.

The reason: in the UK and the other Five Eyes states, more complex surveillance measures are carried out by the military secret services on behalf of the prosecutors. That’s the consequence of these moderate intelligence proposals, suspiciously similar to the NSA’s notorious PRISM program, where the US services had demanded access from the Internet companies to data, which they could not get in an unencrypted state at the mass tap points of the optical fibres.

What happens next

In the meantime, further traces of this campaign have been discovered in international standardization committees. The matter requires a certain amount of research, a follow-up therefore will not be published in direct succession, but can be expected to be released still in 2018. As for the term “moderate proposal”, it was coined by the Irish satirist Jonathan Swift. In view of the famine in Ireland in 1729, which killed tens of thousands, the satirist proposed, in an essay of the same name (“A Modest Proposal”), to slaughter infants at the age of one year and serve them either boiled, grilled, or as a fricassee.

ROOTS 2018: Library and Function Identification by Optimized Pattern Matching on Compressed Databases – Maximilian von Tschirschnitz

[Editor’s note: This article belongs to the Reversing and Offensive-oriented Trends Symposium 2018 (ROOTS). It was misplaced, so we publish it today. Maximilian’s talk was recorded and can be watched on Vimeo.]

The goal of library and function identification is to find the original library and function for a given machine-code snippet. Such snippets commonly arise from penetration tests attacking a remote executable, from static malware analysis, or from an IP infringement investigation. While there are several tools designed for this task, all of them seem to rely on some variant of signature-based identification. In this work, the author argues that this approach is not sufficient for many cases and proposes a design and implementation for a multitool called KISS. KISS uses lossless compression and highly optimized pattern matching algorithms to create a very compact but substantial database of library versions. In practice, KISS achieves remarkable compression rates below 30 percent of the original database size while still allowing for extremely fast snippet identification with high success rates.

Finally, the author also argues that this approach improves on the security of existing techniques, because the design relies fully on complete function body verification, which prevents analysis-resilient malware from disguising itself as external and trusted library code. This has recently been shown to be a problem for malware analysis with existing identification solutions.
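To make the last point concrete, here is a small added illustration (written for this article, not code from KISS or from the author) of why signature matching can be fooled by a stub that copies the beginning of a library function, while complete function-body verification is not. It stores constructed function bodies in a zlib-compressed database, then identifies a snippet once by prefix signature and once by comparing the whole body. All byte strings, library names and the stub are constructed for the example; none of it is real library code, and the hash index stands in for KISS’s pattern matching, which is not reproduced here.

```python
"""Added example for this article: signature (prefix) matching versus
complete function-body verification over a compressed function database.
Illustration code, not the KISS implementation; every byte string below
is constructed and none of it is real library code."""
import hashlib
import struct
import zlib

# Constructed x86-64 style prologue: push rbp; mov rbp,rsp; sub rsp,0x20
PROLOGUE = bytes.fromhex("554889e54883ec20")

# Constructed "known" library function bodies, keyed by library/version/function.
LIBRARY_FUNCTIONS = {
    "libcrypto-1.1.1/sha256_init":   PROLOGUE + bytes.fromhex("488d3d00000000e800000000c9c3"),
    "libcrypto-1.1.1/sha256_update": PROLOGUE + bytes.fromhex("4889f7e8000000004889c6e800000000c9c3"),
    "libz-1.2.11/inflate":           PROLOGUE + bytes.fromhex("31c04885ff7405e800000000c9c3"),
}


def build_database(functions):
    """Serialise name/body records and compress them losslessly with zlib."""
    raw = b"".join(
        struct.pack(">HI", len(name.encode()), len(body)) + name.encode() + body
        for name, body in functions.items()
    )
    return zlib.compress(raw, 9)


def load_database(blob):
    """Inverse of build_database: decompress and parse the records back."""
    raw = zlib.decompress(blob)
    functions, off = {}, 0
    while off < len(raw):
        name_len, body_len = struct.unpack_from(">HI", raw, off)
        off += struct.calcsize(">HI")
        name = raw[off:off + name_len].decode()
        off += name_len
        functions[name] = raw[off:off + body_len]
        off += body_len
    return functions


def identify_by_signature(snippet, functions, sig_len=12):
    """Signature-style lookup: only the first sig_len bytes are compared."""
    return sorted(name for name, body in functions.items()
                  if body[:sig_len] == snippet[:sig_len])


def identify_by_full_body(snippet, functions):
    """Complete function-body verification: the whole snippet must equal a stored body."""
    index = {hashlib.sha256(body).digest(): name for name, body in functions.items()}
    return index.get(hashlib.sha256(snippet).digest())


def disguised_stub():
    """Constructed malware stub: copies the first 12 bytes of a library function,
    then diverges (call rel32 followed by int3), i.e. the disguise-as-library
    trick the abstract warns about."""
    return LIBRARY_FUNCTIONS["libcrypto-1.1.1/sha256_init"][:12] + bytes.fromhex("e8ffffffffcc")


if __name__ == "__main__":
    db = load_database(build_database(LIBRARY_FUNCTIONS))
    stub = disguised_stub()
    print("signature match :", identify_by_signature(stub, db))            # misattributed to libcrypto
    print("full-body match :", identify_by_full_body(stub, db))            # None: not library code
    print("prologue only   :", identify_by_signature(stub, db, sig_len=8))  # collides with every function
```

With a 12-byte signature the stub is confidently misattributed to `libcrypto-1.1.1/sha256_init`; with only the 8-byte prologue as signature it matches every function in the database; the full-body comparison rejects it. Real signature schemes add checksums over part of the tail and mask relocatable bytes, which raises the bar but still does not verify the whole body, and an exact-hash index like the one above would break as soon as relocations patch a body, so it is a stand-in for the point, not a replacement for a real matcher.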


Maximilian von Tschirschnitz is working as a prototype engineer and researcher for the Intel Corporation in Germany. In parallel he is studying Informatics at the TU Munich. His current research topics cover IT security and high-precision positioning methods. His further professional interests include theoretical informatics, image feature recognition, and computer graphics.

Analysing Data Leaks and avoiding early Attribution

Hex dump of compressed Linux 4.20 kernel image.

The new year starts with the same old issues we have been dealing with for years. German politicians, journalists, and other prominent figures were (and are) affected by a data leak. A Twitter account started tweeting bits of the leaked data on 1 December 2018 in the fashion of an Advent calendar. The account was closed today. You will find articles describing single parts of what may have happened along with tiny bits of information. Speculation is running high at the moment. So we would like to give you some ideas on how to deal with incomplete information about a security event floating around on the Internet and elsewhere.

Attributing data leaks of this kind is very difficult. Without thoroughly understanding and investigating the situation, proper attribution is next to impossible. Given the method of disclosure, the leak has not been published completely. While the links published on the Twitter account led to a data sharing platform, there is no way of knowing how much data was really copied, or from where. Analysing where the data came from is only possible with the help of the owners. The type of dumped data varies. There were mobile phone numbers, addresses, internal political party communications, photographs of ID cards, letters, emails, invoices, chat transcripts, and credit card information. This selection points to a communication device or application such as an email client or a smartphone. Personal communication is often governed by the need to access data while being mobile. Again, this is speculation. Given the variety of data owners, there are probably more accounts compromised. Which kind of account exactly is guesswork; you would have to see a more complete picture of the data dumped.

The leaked bits of data also do not present a complete picture in terms of chronology. Some items were annotated as having been copied months ago. Leaked data usually gets post-processed into collections. These collections are refined and verified in order to increase the value of the data. Apparently this was not important to whoever put the data online.

It’s always a good idea to go for the agenda. Look at the way the data is leaked, and ask who benefits from this. Just dumping data somewhere is not very smart. Using the data without publishing it has a lot more advantages. Publicity is a sign of the dreaded manipulation of the mind, information warfare. Advertising works the same way: publish something that sticks in your thoughts. It works almost all of the time, especially in all kinds of cyber. But again, this is speculation.

If you read about issues like this, there is a simple rule: do not read any articles with a question mark (this “?”) in their titles or subtitles. The “?” is usually a sign of speculation. No offence, but you do not get anywhere in an analysis by asking your audience questions. The audience wants to know your facts, not your questions.

Merry XSSmas and a successful new mktime() Syscall

Macro-photography of snowflake. Source: https://commons.wikimedia.org/wiki/File:Snowflake_macro_photography_2.jpg

The holidays are coming, next to Winter (hopefully). Thank you all for attending and contributing to DeepSec and DeepINTEL 2018! All slides we got are online. The videos have almost left post-production (except one recording whose audio is being fixed) and are on the way to the content distribution network. The ROOTS videos will be first. You will find all videos in their albums. Make sure you look for collections, too. We will set up a tip jar for our video team again, so if you want to leave a small thank you for the crew, please do so.

We are going to deal with infrastructure and the upkeep of our to-do lists. Plus we will spend some time off-line, or maybe just in local networks to do some well-deserved hacking. The dates for DeepSec and DeepINTEL 2019 are being fixed, and we will publish them probably next week or in the first week of 2019. It is better to announce dates once they are really settled. Furthermore we have read your feedback and have planned some improvements for next year. We will let you know about the details. Don’t wait. Off you go! Enjoy the holidays!