#efail, Crypto, HTML, PDF, and other complex Topics

You probably have noticed the #efail hashtag that came with the claim that the crypto world of PGP/GPG and S/MIME is about to end. Apocalyptic announcements were made. The real news is due for 15 May 2018 (i.e. the publication with all the facts). There was even the advice to stop using encryption until more information is known. The authors of the bug claimed that responsible disclosure was being followed. Well, it seems that this is not the case. Judging from the Internet response, the bug depends on the content of the encrypted message, not on the protocol of the encryption or the encryption tools. Lessons learned so far:

  • It is a bug in some mail user client software.
  • It’s all about the content of the message and how it gets interpreted.
  • Responsible disclosure was not followed.
  • Do not use HTML in emails.
  • Use authenticated encryption.

You may note that these recommendations are heavily on the side of the protocol/data format designers, not on the user’s part or the user interface. It’s hard to point fingers into the right direction, but the vulnerability is all about the content and they way software handles it. That’s not shifting the blame. HTML content (or any active content) in emails have long been the source of heated discussions. There is a reason why a lot of phishing uses HTML. Bashing PGP/GPG or S/MIME for its complex data format is also no excuse. Have you ever taken a look at the PDF standard or the many office document standards? Why is there no recommendation to stop sending documents via emails?

The DeepSec conference in 2017 had the motto „Science first!“. We didn’t go for this slogan because of the first academic ROOTS workshop. We know that information security can do a lot better with a healthy dose of the scientific method. Your work doesn’t count and has no impact, if you can’t base it on solid facts. The claim that „There are currently no reliable fixes for the vulnerability.“ is plain wrong.

So please continue to write encrypted emails to us. We do not read HTML message in conversation.

Reminder: DeepINTEL and DeepSec Call for Papers are still open

We have been a bit radio silent. We have to deal with the General Data Protection Regulation (GDPR), and we are moving our infrastructure across the Internet. The blog is already moved. Further services wait for their transport. The reason is simple maintenance work and hosting our data a bit more privacy-friendly. For example our new ticket portal features privacy by design.

Since the threats to information security don’t have to deal with boring stuff such as privacy and upgrades, we would like to remind you that the call for papers for both DeepINTEL and DeepSec is still open.

Manufacturers integrate Blockchain into Processors to counter Spectre and Meltdown

The Spectre and Meltdown security vulnerabilities gathered a lot of attention in January. Processor manufacturers have rushed to fix the design of the chips and to patch products already in production. The vulnerabilities show that secure design is critical to our modern infrastructure. Computing has become ubiquitous, so has networking. The current fixes change the microcode on the chips. Altering the flow of assembler instructions is bound to have a detrimental impact on performance. There is not much you can do about this – but there is hope. Future generations of processors will have a defence against unknown security vulnerabilities – the blockchain!

The past decade in information security has taught us that a pro-active holistic approach to IT defence is not enough. To counter unknown threats you have to go below 0(day). The blockchain offers a perfect solution to the problem of weaknesses at the processor level. The key is consensus. Since all modern processors have multiple cores, the components act as peers that don’t trust each other. Instructions are regarded as transactions. Every core verifies every transaction by its own ledger containing a history of known good instructions. The consensus protocol between all cores guarantees that instructions are verified and can be trusted. Storage for the ledger is provided by the firmware, ensuring that the ledger cannot leave the system. Hidden storage without a published documentation has been an important key ingredient for secure systems for many decades. It adds another protective layer. Storage can be extended by Cloud services (with military-grade encryption) in case the systems runs longer or is subject to high processor load. You cannot work without being connected to the Internet anyway. Thus any performance impact can be regarded as negligible.

The first blockchain-based processors are expected for November 2018. Since you will have to use the new chipsets as well, the manufacturers have conveniently changed the socket again (one socket specification per manufacturer, so multiply your choices by the number of competitors).

If you have read this far, then you should already have some doubts on „modern technology“. The big problem with 1 April and satire in general is that reality has caught up. Given the density of buzzwords and hypes in information technology, it’s next to impossible to separate the hard facts from the (marketing) agenda. Information security is no exception. Most events centre around products. They create needs you do not have, and they provide solutions to problems that aren’t yours. Taking a step back and re-evaluating your current and future situation is the key. We have seen a lot of technological cul-de-sac designs when it comes to information security. We still pursue quite some questionable approaches to solving problems we do not have. Blockchain speaks for itself once you analyse what it is about. Your information security defence strategy should not get distracted by fashion trends.

DeepSec and DeepINTEL were created to help you seeing through all the distractions you are exposed to throughout the year. Let’s keep in touch.

Metrics, Measurement, and Information Security

Metric is a great word. Depending how you use it, it changes its meaning. The metric of a network path is quite different from the metric system. When it comes to measuring something, the might be an agreement. Why bother? Because we have heard of the term security metrics being used for something which should better be called security statistics.

In mathematics a metric is a function which tells you the distance between each pair of elements in a set. While this does not necessarily have to do something with distance, it is a fitting analogy. It also connects metric to physics. Measuring how far two points are apart gives you usually a distance (either a straight line or a sum of straight lines). In essence measuring something boils down to comparing your object of interest with a reference. The International System of Units (Système International d’unités) is a good example. The unit, which you are using to express the result of your measurement, has a definition. For example the metre we all (well, almost all of us) are using is defined by the speed of light in vacuum (which is a natural constant). Devices that measure length or distance use this definition. Once you measure something in the real world, it is always a comparison to something else (references are really old). This is true in physics, and it should be true in computer science, too.

Counting is also a form of measurement. Again you use comparisons (your fingers, a herd of cats, collections of stones, visualisations of numbers). Often the number will be bigger than anything you can imagine, but counting is a basic task, so we are used to it. The nice thing about counting is that you can count anything. For example you could count the number of red cars driving past your office, the number of cobblestones on the way to the supermarket, the number of exclamation marks in your Twitter feed, and much more. The problem is that not everything you can count has meaning. Sadly, this is where statistics comes into play. Statistics is really an important branch of mathematics. The methods are as scientific as they can get, and statistical methods work without the real world (which is good, this way they can’t introduce a bias). The problem is the application of these principles. You can calculate a lot, just as you can count a lot. Think Big Data. Plus visualisation gives you pretty pictures – but it doesn’t give you neither context nor meaning. This has to come before you start your analysis. That’s what I meant by the terms security metrics in the beginning. Picking something you can count and extracting meaning from it can be very hard in information security. We are used to being exposed to all kinds of data. Timestamps, word counts, length of (pass)words follow us throughout our digital lives. Context is the key. Ask anyone who deals with intrusion detection/prevention (called data loss prevention these days).

Back to metrics itself. Be careful with metrics being used to derive a statement about security. We all know the endless benchmarks and performance tests for hardware, software, and everything that is a part of a computer (or a network). It gets a lot worse and a lot more crucial in information security. The number of dropped packets does not equal the number of attacks stopped. The security appliance with the highest throughput might have its reasons for beating the competition. It gets worse when incidents happen.

Don’t get caught in the security metrics hype! There is a lot of consulting going on. Databases are being filled. White papers are produced. Cloud(s) cover the sky. Time is wasted. Start with the context. Everything else is bound to fail sooner or later.

If you have some thoughts to share on this matter, please let us know.

Advanced and In-Depth Persistent Defence

Two-dimensional space depicted in three-dimensional spacetime.The attribution problem in digital attacks is one of these problems that get solved over and over again. Of course, there are forensics methods, analysis of code samples, false flags, mistakes, and plenty of information to get things wrong. This is nothing new. Covering tracks is being done for thousands of years. Why should the digital world be any different? Attribution policy tactics, APT, is part of the arsenal and thus part of the threats you are facing. It has less impact though, because it is only of interest when your defence is breached – and this means you have something else to worry about.

Attribution is not useful for defending against threats. While you can use to to „hack back“, this will most probably not help you at all. The main problem with attribution is, that it is not your first priority. The Internet is not the ocean, and your servers aren’t line ships that exchange broadsides. So you should be a lot more worried about intrusion detection and prevention. IDS/IPS have been around for some time. It’s the best place to start for improving your defence. Switch the radar on, tune in to reduce the noise, observe, and learn. Attacks won’t come through walls. Adversaries usually use open doors. Just as in physics, interactions are the key. That’s what you should focus on.

Speaking on interactions: DeepINTEL 2018 will focus on sophisticated threats, how they work, what traces these incidents leave, how defence can match well-prepared attacks, and what you can do in order to not get distracted. The call for papers is still open. Let us hear your thoughts.

Upgrade to HTTP2

We are busy with a little housekeeping. Among other things we have changed the way you can access our blog. It is now using HTTP2. We also added encryption and redirect all HTTP requests to HTTPS. Search engines should update their caches as soon as they refresh the pages. Hopefully this does not break anything. If so, please let us know.

The DeepSec blog has been long using HTTP only. This was due to infrastructure constraints. Since future versions of web browsers will give you a warning when surfing to a HTTP site, we decided to change the blog configuration. You might want to do the same before June 2018. Otherwise you might get some enquiries about the security warning.

Next stop: TLS 1.3.

The Grotesqueness of the “Federal Hack” of the German Government Network

[Editor’s note: This article was originally published on the web site of the FM4 radio channel of the Austrian Broadcasting Corporation. We have translated the text in order to make the content accessible for our English-speaking audience. We will follow-up on it with an article of our own about attribution, digital warfare, security intelligence, and the DeepINTEL conference.]

A friendly secret service knew more about espionage against the German government network than the German counterintelligence. Three months after the hack was discovered, the attackers are still somewhere in this huge federal network.

By Erich Möchel for fm4.orf.at

One week after the announcement of the attack on the security network of the German Federal Government details only leak slowly. The first official statement on Friday claiming that the alleged Russian Trojan suite was already under control was a blatant misinformation and had to be denied afterwards. According to official information, the German Government was tipped off in mid-December by a friendly intelligence service. That a secret service of a third state apparently knew more about espionage Trojans in the German government network than the German counterintelligence is an embarrassment beyond compare. The authorities can not even say now when this “federal hack” began, although they reportedly already knew about it three months ago. Not least because of this, a news blackout was imposed.

Tips among Friends

The attacked “Informationsverbund Berlin – Bonn” (IVBB) “is a huge, historically grown data network under the aegis of the German Interior Ministry, to which the German Bundestag, the Federal Council, the Federal Chancellery, the Federal Ministries and the Federal Court of Audit are connected as well as ” various security authorities ” from Berlin, Bonn and other locations. Who, apart from the the Federal Office for Information Security, these “various security authorities” might be can be counted on the fingers of one hand using only three fingers:

The Federal Bureau of Investigation, the secret services of the Federal Office for the Protection of the Constitution and the BND. The latter must also have been tipped off by the “friendly secret service” that attackers had infiltrated the information network of the German Federal Government. Further it was said that  allegedly the invasion of the IVBB was part of a worldwide attack of supposedly Russian “hackers” against allies of the West, already going on since 2017. What’s more: The German authorities were already informed since December 19th.

A Question of Time

So the German authorities had three months to discover the intact parts of the malware and the artifacts of already deleted code and to stay on track of the attackers. This led to the actual target, namely the German Foreign Ministry, where a dozen or more contaminated computers were discovered. Assuming that the statement of the government is correct not much more is known yet, but of course, this can’t be verified. As for the duration of the attack it was said quite early on that the attackers could have already penetrated the network in early 2017, later on that it could have happened even earlier in 2016.

This has been the case for every comparable attack in the last ten years: each time the attackers were already much longer in the attacked network, as was initially suspected. And it is even more difficult to get rid of them, which is why such a high-level military cyber attack is also referred to as “Advanced Persistent Threat” (APT). It is a permanent threat because the malware consists of many small modules. If even one is overlooked by the defenders while cleaning up, the next attack will start soon. From the Equation Group (NSA) to Russian and Chinese Cyber Troops to the North Korean Lazarus Group, all major players use largely identical methods of attack.

Operational Sequence of a State Attack

First, one scouts the target network looking for points of attack, then, in several places, one smuggles in tiny programs, which are completely unremarkable on their own – the NSA calls them “Implants” or “Beacons”. Their only function is not to attract attention internally for as long as possible, but to react to network scans from the outside with a “sign of life”. As soon as the actual attack starts, further software modules are smuggled in at these marked locations in the target network. All of them are encrypted and just merge into a Trojan suite behind the firewalls. To counter such an attack is a purely Sisyphean task as long as the hidden implants of the attackers are still hidden somewhere in the net, because as soon as a network segment has been cleaned and control regained, the attack starts all over again in another segment.

The Hack of the German Bundestag in 2015

Exactly the same had happened in 2015 in the network of the German Bundestag. After the discovery of the attack in early May a weeks-long game of cat and mouse began, until, after three months, the Federal Office for Security (BSI) threw in the towel. It was decided to exchange all the hardware, which involved a total of 20,000 PCs. If they also thought of changing the routers, switches, printers or firewalls is not known. A few kilobytes of space on any device and a network connection is sufficient for the implant to continue its work – Namely by doing nothing, only sending a short ping to a command / control server somewhere on the Internet at a programmed time. Finding something like this in a huge network that was originally made up of mainframe computers and Windows 95 PCs and grew wild in all directions for two decades, is hardly feasible. Here everything is cross-linked and a segment of the network is the German Bundestag. So it is quite possible that some implants of the unknown attackers have survived the great clean-up of the Bundestag in 2015 unscathed.

Open Questions

From the first day on it was rumoured again that “the Russians” were responsible, first supposedly APT 28 (“Fancy Bear”), and then there was talk of APT 29 (“Cozy Bear”). This is not unlikely, because just a handful of nation states could pull off something like that. The infamous APT 28, to which the attacks during the US election campaign were attributed, has already been blamed for the hack of the Bundestag in 2015. This Cyber unit is the counterpart of the CIA coders, its task is operational and often includes psychological operations, thus influencing the public and politics.

APT 29, on the other hand, is comparable to the NSA Equation Group, involving the best programmers and therefore the most sophisticated software with the best camouflage. Of course, one does not want to squander these in propaganda operations – this is all about espionage at the highest level.

Regarding the question who tipped of the German BND, there are three possible answers: Either the British GCHQ or the NSA – but also the French intelligence service can not be ruled out.

Support for BSidesLondon’s Rookie Track

We are proud to support the Rookie Track at BSidesLondon in 2018 again. This means that one of us will be present at the Rookie Track and that the winner will get to attend DeepSec in November. It’s hard to get a start, so we like to help the rookies with that. We also like to encourage everyone to share ideas, thoughts, code, and insights either at the Rookie Track or on the main stage. If you have never presented before, get a mentor and work on your presentation. Don’t be afraid. We like to hear your thoughts on infosec and related topics.

The same is true for our U21 presentation slot. We encourage young researchers to submit a presentation to DeepSec. We also offer mentoring and help you to get your content on stage. You just have to submit. ☻

Change of Ticket System for DeepSec and DeepINTEL

We have made some changes behind the scenes, as always when preparing the new events for the year. This time we decided to change the ticket shop for both DeepINTEL and DeepSec. The reason for the new shop is its focus on privacy and security. Most shops are part of a social media network or collect too much information (can be both, depends on the interaction and the platform). It doesn’t matter if the collected information is being protected by privacy procedures or not. Our intent was to streamline the process. For you this means that you can buy your tickets as easy as before. We still have vouchers, too. Ask our sponsors. Furthermore the payment is done directly to us, so we can manage your visit to DeepSec and DeepINTEL more efficiently. Also the new shop offers some more payment methods.

In case you need anything, have special requests, or need support with buying tickets via the ticket shops, then please let us know. Keep in mind that we still offer different rates. The earlier you book, the less money you spend!

DeepSec 2018 calls for Trainings and Content – Focus Mobility

The DeepSec 2018 Call for Papers is open. The focus for this year is mobility. Mobile networks and mobile devices have established themselves firmly in our society. And mobility doesn’t end here. Transport is transforming into new technologies by incorporating access to data networks (yes, that’s the „Cloud“), the power grid (think electric vehicles), drones, new propulsion systems, artificial intelligent (sometimes even both!) personal assistants and algorithms (mathematics has become mainstream). The ever growing number of dependencies between components are a fertile breeding ground for cascading errors that impact more than your new car or your latest order from your favourite online shop. Information security must become as mobile as home deliveries of goods and electric power. And it must become common. Infosec isn’t optional any more. Since bug logos have captured the minds of news readers, the message of information security should do this, too. Sadly the products we use and rely on don’t seem to catch up.

We are looking for content to address this aspect of our modern society. Mobility is the red line to guide you, but of course we are interested in anything that you are researching. We have become much more interconnected since the days of the first DeepSec conference. Let’s have a look at the consequences. There are many perfect tens out there, especially when you connect All teh Things.

We start early, because we want to get your submissions for trainings first! Since DeepSec is in the last week of November, we like to inform potential trainees as early as possible in order to facilitate the booking of tickets. Please send us your ideas! Don’t waste time!

Secret Router Security Discussion in Germany

Routers are the main component when it comes to connect sites, homes, and businesses. They often „just“ take care of the access to the Internet. The firewall comes after this access device. The German Telekom suffered an attack on their routers on 2016. The German Federal Office for Information Security now tries to create a policy for securing these critical systems. In theory this should add a set of documents on how to securely operate a router for the last mile access. Information security basically runs on checklists and policies. The trouble starts with the firmware. In Germany these is a discussion about using alternative devices as access components, enabling customers and organisations to use products of their own choice. Since firmware is the worst code on this planet, changing models and code is a good idea. The Association of German Cable Operators (ANGA) strictly opposes changes of software on modems. The working group discussion the new policy has held meetings in Bonn, but it’s complicated. Furthermore participants discuss the topic with a non-disclosure agreement.

Security and secrecy don’t play well together. In this case there is the question of supporting customer-operated software on access devices, but this can be solved. All companies already use software tailored to their needs. Few applications or devices are used off-the-shelf. A lot of IT departments bring devices and other components into a given state by applying patches and changes to the configuration. Surely the access to the Internet must not remain a mystery. Protocols are documented, the technology is not based on a need-to-know basis. Why not address this weak link by giving sysadmins the tools to take care of the network boundary? Especially in times of home offices and interconnected (business) applications this link must be taken into account when designing security.

Golem.de has an article describing the process in depth (and in German).

Save the Dates for DeepSec 2018 and DeepINTEL 2018

While everyone was busy with the holidays, Meltdown and Spectre, we did some updates behind the scenes. DeepSec 2018 will be held from 27 to 30 November 2018. We tried not to collide with Thanksgiving, so that you can come to Vienna after being with your family. As always, the first two days will be the trainings followed by two days of conference. DeepINTEL 2018 will be on 17 / 18 September 2018. We have a topical focus for both events and will present each of them in a separate article. There still some details to work out. Wordsmithing and administrivia are the equivalence of dependencies and patches in software development – necessary, but they take time. It’s worth it, you will see for yourself.

We have a special message for anyone who intends to conduct a training at DeepSec 2018: Please let us know as soon as possible! This year’s DeepSec is later than usual, and we try to inform interested parties, companies, and individuals in time about the topics. So if you have something in your mind, if you work on cutting edge content and want to share, let us know. The Call for Papers manager is the easiest way, but of course you can drop us an email as well.

In addition the videos of DeepSec 2017 have been published on Vimeo. Since the video platform abolished its tip jar for donations, we will free the videos in June for everyone. All attendees and speakers enjoy them already. The slides from the presentations are online as well. Plus we have published In Depth Security Vol. II: Proceedings of the DeepSec Conferences for you to read on your mobile device or in print. Volume I is available, too. Volume III is on its way.

Meltdown & Spectre – Processors are Critical Infrastructure too

Information security researchers like to talk about and to analyse critical infrastructure. The power grid belongs to this kind of infrastructure, so does the Internet (or networks in general). Basically everything we use has components. Software developers rely on libraries. Usually you don’t want to solve a problem multiple times. Computer systems are built with many components. Even a System on a Chip (SoC) has components, albeit smaller and close to each other. 2018 begins with critical bugs in critical infrastructure of processors. Meltdown and Spectre haunt the majority of our computing infrastructure, be it the Cloud, local systems, servers, telephones, laptops, tablets, and many more. Information security relies on the weakest link. Once your core components have flaws, then the whole platform may be in jeopardy. In 2017 malicious hypervisors in terms of bugs/backdoors in the Intel® Management Engine (for example, AMD™ has a similar technology) came to light. Coreboot is one way to replace the attack surface of your BIOS/UEFI firmware. These approaches can’t do much once the processor is affected.

Hindsight doesn’t help, but bugs in the processor core or its microcode have been happened before. There is the famous FDIV bug, F00F, and other CPU bugs have been around for decades. The reason is sometimes the security-performance trade-off, it may be due to an architectural design error, or just simple oversight. Debugging is hard, hence hardware. If you are lucky, you run a platform that is not vulnerable. The Raspberry Pi ARM core is not affected by Meltdown or Spectre. So if you run on Raspberrys, then you are fine. Building a cloud platform is tricky (we tried to install OpenStack on a number of Raspberry Pis, it almost worked, but 1 GB memory is barely enough for the controller node).

We haven’t even mentioned embedded devices and the notorious Internet of Things (IoT). The history of bugs is huge. Back in 2014 there was an article on how hard/impossible it is to fix this ecosystem. The recent DeepSec conference featured a talk about the Mirai botnet and possible successors. There is not much you can do about it unless you can change the design. Once upon a time there were approaches to have reduced instruction sets on processors. Inspecting all the feature sets of modern CPUs looks like a higher level language. Of course we want our code to run as fast as possible. Who wants to wait? However there are designs that take security into account, and when it comes to critical infrastructure we will have the patience. Otherwise we will have to say goodbye to the idea of a secure platform.

Let’s see how many bugs in hardware 2018 brings. If you find some, please let us know and submit a presentation. Submissions for trainings are welcome as well. The Call for Papers for DeepSec 2018 and DeepINTEL 2018 open soon.

DeepSec 2017 Presentation Slides

While the videos are on their way to the rendering farm, the presentation slides for DeepSec 2017 can already be downloaded. We put them online as soon as we get the final version from our speakers. If you do some guessing URL-wise you can also find the presentations of past conferences at the very same spot. Since we collect the final slides after the conference and not ask speakers to put USB sticks into their computers during the conference, the download repository will fill in time. Unfortunately we cannot speed up this process. So bear with us, we are as curious as you (especially since some of us never get the see any presentation at DeepSec because there is too much to do).

As for the videos, all speakers and attendees will also get a direct link with early access to the content within the next few days. You don’t have to reload our blog or Twitter feed. 😉

DeepSec 2017 thanks you and DeepSec 2018 is almost ready

We caught up on sleep and are right in the middle of post-processing DeepSec 2017. Thanks to you all for attending, presenting, sending feedback, and being part of a great event. The slides will be online soon. The videos are being converted. We will upload them as bandwidth permits. All speakers and attendees will get a code to access them early.

Thanks for your feedback as well! We listen, and we have some plans to address the issues you reported. 2018 will see a lot of improvements.

We will announce the dates for DeepSec and DeepINTEL 2018 soon. The events will stay in November and September. We just need to coordinate with the venue and will let you know as soon as possible. The Calls for Papers open early in 2018, as does the new ticket shop system.

Looking forward to see you (again) in 2018!

Tags: , ,
Posted in Administrivia Conference Mission Statement. Comments Off on DeepSec 2017 thanks you and DeepSec 2018 is almost ready