Wir, Chris John Riley und René Pfeiffer, waren bei Radio Netwatcher zu Gast um etwas über Sicherheit, Datenpannen und die zunehmende Präsenz der eigenen Daten im Internet zu reden. Anlaß waren die Ereignisse der letzten Wochen in Sonys Playstation Netzwerk, bei den Auth Tokens der Facebook Apps sowie bei Googles Android Betriebssystem und vieles mehr. Hersteller und Behörden versprechen sehr viel, aber wenn man einige der vergangenen Katastrophen als Vergleich nimmt, dann fragt man sich zu Recht nach der Sicherheit. Wie sicher ist man im Internet? Das hängt davon ab, wie üblich, aber wir haben versucht einige Antworten zu geben (und da wir das Internet täglich benutzen, gibt es vielleicht etwas Hoffnung). Die Sendung ist auf Radio Orange am Freitag um 13:00 Uhr zu hören. Darüber hinaus möchten wir auf die bevorstehende BSidesVienna |
Finally we found some time to sort through the video recording legacy of past DeepSec conferences. We’ve been asked for video material repeatedly since we record all talks held at DeepSec (except those where the speaker does not want to be published on video). Let me explain what the state of our video archive is. All video recordings were done by different teams consisting of video professionals, volunteers from Metalab and students of the St. Pölten University of Applied Sciences. We used different camera equipment, sound feeds due to changes with the audio system on-site and various storage media because of different digital cameras on-site. The videos of DeepSec 2007 are on Google Video since June 2008. We have re-added them to our internal archive, and we noticed that killab66661 has added the videos
Have you lost track of the risks that may or may not impact your security? How good are the facts you base your security decisions on? Does your organisation follow defined procedures in terms of deploying, monitoring or evaluating security measures? Who decides what’s next and what’s being phased out? Is there a way to get more sleep while fencing off risk factors at the same time? It’s very easy to get lost in the details and drown in the various tools of the security trade. Every day something happens. A single 0day can ruin your meticulously designed schedule. It would be nice to get a grip on the dynamics and introduce more stability. CIOs need to address the Big Picture. That’s exactly why we mentioned security management in our CfP. We’d like to
The German Federal Minister of the Interior, Hans-Peter Friedrich, has warned „that it is only a question of time until criminal gangs and terrorists have virtual bombs at their disposal“. While the term „virtual bomb“ is very vague by itself, the minister mentioned „malware“ as well. This is no surprise for security researchers. Malicious software has already been used for attacking companies. The infrastructure of whole countries has been attacked as well. Logic bombs have been used in the past, but they have never been used to wage warfare. They have been used for revenge by disgruntled employees or for blackmailing someone (as the ransomware malware also does). Tools like this are used for very specific purposes (such as espionage or targeted destruction), but never for an all-out assault. Even a (D)DoS often has
Tomorrow we will present a review talk about the state of mobile network security. The talk will be held at the Linuxwochen in Eisenstadt. We will address results discussed in the past DeepSec conferences (including work of Karsten Nohl, Harald Welte, David A. Burgess, Sylvain Munaut, Dieter Spaar, Ralph-Philipp Weinmann and others). If you understand German we recommend listening to Chaosradio Express #179 where Karsten explain to Tim Pritlove the state of GSM security over a period of 130 minutes. Slides of our talk will be available after the Linuxwochen. Update: You can download the slides here. There’s a simple audio recording available as well (MP3 or OGG).
Recently we mentioned the topic of mobile security in this blog since it keeps being addressed by security researchers. Now there’s something that can be combined by networking, defective by design and mobile security. German security researcher from the University of Ulm have explored a flaw in Google’s ClientLogin protocol. The initial idea stems from Dan Wallach, who took a closer look at the transmissions of an Android smartphone. The authentication token is sent via unencrypted HTTP which means it can be seen by attackers on the same network. Since the token is your key to online services and is probably used by apps dealing with your calendar, contacts or private pictures, an attacker has full access to this data (or any other data an app deals with via the network). Reading, manipulating or
Since 3 February 2011 the IPv4 pool is now officially and fully depleted. „Peak IPv4“ was a long time ago. IANA can no longer hand out any IPv4 address space. Everyone who needs more address space will be force to look to IPv6. What about security? Are there any benefits? Has IPv6 eliminated all the weaknesses known with IPv4? Those who attended DeepSec 2010 already know the answers to these questions. Mark Heuse conducted a workshop and held a talk about IPv6 security. There’s no doubt that IPv6 is coming to town. Due to tunnels some networks even have IPv6 connectivity, some without even knowing. Setting up a tunnel with a router in your local network is easy. The router will announce itself to local nodes which will in turn automatically grab addresses and
Apps are all the fashion. You can download them, and you can add them to web sites (such as your blog) including your favourite social network. Facebook has introduced applications back in 2007. If you want to tie an application to your account, the code needs to have proper credentials in order to connect an action with your profile. This is why most apps ask you to login before they start to work. The idea is to convert your login and password into a token that can be used to grant access, either for a limited time or indefinitely. Symantec’s Nishant Doshi reports that Facebook had a bug in its application framework exposing user access tokens to third parties. This basically means that you can do all the app can do (and possibly more)
MiKa and me held three talks at the Linuxwochen Wien 2011. The scheduled talks were „VoIP Security“ and „The Wind Chill Factor of Security“. The third talk was a review of the trust models used with X.509 certificates and issued by certificate authorities. The review was a drop-in replacement talk for a speaker who did not show up. Since the talks were held in German, I’d like to present a short summary in our blog. VoIP has become a well-established technology in companies during the past years. Periodically we assess the security of VoIP protocols and implementations. The talk we gave was a review of the state-of-the-art focussing on SIP signalling and audio/video codecs. We discussed the basics, the SIP Digest Authentication Leak found by Sandro Gauci, SIP probes, the troubles of SIP gateway
Christoph Rella, a journalist who has been at past DeepSec conferences made telephone interviews with MiKa and me. He explored the difference between White Hats and Black Hats along with the motivations of hackers. He was interested in getting to know the reasons why the stereotype of the nice IT guy turns criminal. We think the motivations are vastly different, money being among them. Mr. Rella published a summary in an article for the Wiener Zeitung (in German).
Michael Kafka war am 29. April 2011 zu Gast bei einer Expertenrunde zum Thema Vorratsdatenspeicherung. Der Hintergrund ist die Speicherung von Verbindungs- und Geodaten bei Kommunikation über Internet, Telefon und andere Netzwerke. Die EU Richtlinie dazu muß in allen Mitgliedsstaaten umgesetzt werden. In Österreich wurde das Gesetz letzte Woche beschlossen und tritt am 1. Januar 2012 in Kraft. Da Netzwerke und Logdaten mit dem Thema Sicherheit verwoben sind, haben wir unsere Expertise in die Diskussion eingebracht. Im Web-Standard wurde ein Artikel publiziert. Die Videoaufzeichung läßt sich über die ichmachpolitik.at Webseite anschauen:
Our Call for Papers announcement mentioned seven topics that we are focussing on. We’d like to explain what these topics are all about in a couple of blog postings since it is not easy to squeeze everything into a few lines. We begin with mobile computing and communication. Mobile computing incorporates mobile computing devices such as smart phones, tablets, cell phones, laptops, netbooks, wrist watches, navigation devices and similar computers. Most of us are now accustomed to frequently use portable computing. We want to know what bugs and security risks we carry around. A lot of users regard these mobile computers as appliance, therefore the thought of upgrading or fixing software on them is less widespread. You don’t do firmware upgrades on your microwave oven or water boiler, do you? Maybe you should. Mobile