It’s tiem*) again: NAT66

Mika/ August 29, 2010/ Internet, Security

ITT *) : NAT66 (picture unrelated) In this thread we discuss NAT Maybe the picture is related. We all want to have our communications as safe as possible and we choose appropriate security mechanisms to achieve this goal. We follow “Best Current Practices”, recommendations from security experts and we follow traditions in our own organization. And there is an old tradition, maybe too old to get it out of our heads: NAT will add to security. It will not. Full stop. No Discussion. The topic has been closed long ago and there is no need to microwave it and serve it as a quick midnight-snack just because you feel a little bit hungry, just because you have the feeling there is something missing. We are living on a new diet in the IPv6 world.

Read More

Are Hackers Speeding on the Information Highway?

Mika/ August 27, 2010/ High Entropy

(or “Has our Security Crashed?”) I just came back from a discussion with our national CERT and took some thoughts back home: (TL;DR section at the end) I have the impression, that some of our security mechanisms, which seemed so sturdy and and healthy until recently, are turning soft and weak in our hands. The developments in the last few years were definitely on the fast lane, breaking all speed limits and no data-highway patrol was there to stop them from speeding. The traditional approach to define security mechanisms (let’s call them technical controls) doesn’t really seem right to me any more: Raise the bar to a level, where the remaining risk is acceptable for the next “X” years, assuming that technology advances at a certain rate. (Use a reasonable number of years for

Read More

Schedule for DeepSec 2010 published

René Pfeiffer/ August 20, 2010/ Schedule

Reviewing the submissions took us a while longer than anticipated. The reason was the high-quality content you submitted. We had to make some tough decisions and could have easily filled three or four days of In-Depth security talks and many more workshops. We hope that the schedule we published yesterday satisfies your interest and gives some CIOs something to think about. We tackle the security of the GSM network (which is failing, as was reported at DeepSec 2009 already). We also show you how to probe the security of GSM networks (there’s a whole two-day workshop if you want to dive into the gory details). Watch out for remote binary planting! Just yesterday Mitja Kolsek reveiled that about 200 Microsoft Windows applications are vulnerable to remote code execution. We deal with SAP security by

Read More

CfP revision is almost done

René Pfeiffer/ August 11, 2010/ Administrivia, Schedule

We’re almost finished with the review of presentations and trainings submitted via the Call for Papers form. Everyone will get a notification during the next couple of days. You really sent us a lot of high-quality content, and we are proud to set the stage for your research results. Some vendors might not be as happy as we, but let’s see what happens. Expect the preliminary schedule soon.

Sneak Preview – your cellphone can be tapped

René Pfeiffer/ August 2, 2010/ Schedule, Security

You probably have a cellphone. Your company might even provide an additional one. Your boss most certainly uses a cellphone. What do you use it for? Do you share details about your private life via phone conversations? Did you ever talk to a business partner about confidential offers? Do you rely on cellphone when it comes to important messages? If so you might be interested in hearing some news about the state of security of mobile networks. Most of them are broken, outdated or both when it comes to security. Details of the security issues have been presented at DeepSec 2009 by Karsten Nohl. During Defcon18 in Las Vegas a security researcher successfully faked several attendees’ cell phones into connecting to his phony GSM base station during a live demonstration that had initially raised

Read More

Hole196 debunked?

Mika/ August 1, 2010/ Security

(Warning: some technical details, not suited for the TL;DR type of audience) “WPA2 vulnerability discovered” was a headline that caught my attention for several reasons: Someone detected a security flaw in 802.11 RSNA (vulgo “WPA2”) that slipped Chuck Norris’ attention for 3 years (replace the name with any respected security researcher). It’s from a Best-of-breed, Award-winning, World-market-leader etc… company. Reminds me of the CfP submission we received from Ligatt Security. But maybe (hopefully) I’m wrong. Virtually all results of the search engine you prefer point to a copy&paste of the press release without any details (as of Jul 28th). Is this just a result of our copy&paste journalism? I have the impression, that nobody verified the possibility in detail. For example JJ from “Security Uncorked” writes (although expressing clear doubt about the impact): “Without

Read More