Talk: How Terrorists Encrypt

René Pfeiffer/ August 31, 2011/ Conference

Encryption technology has always been regarded as a weapon, due to its uses in wars and espionage. Software used for encryption was banned for export to other countries in the US. The export regulations for strong cryptography were relaxed in 1996. Some countries still consider cryptographic software as a threat. Recently there have been discussions in the USA again about controlling access to encrypted communication channels. The United Arab Emirates, Indonesia, India, and Saudi-Arabia legally attacked the BlackBerry’s strong encryption of the BlackBerry Messenger Service. Encrypted messaging was discussed in UK after the riots in August. Pakistan has banned all encryption and requires users to apply for a permit. Usually the proponents of regulations claim that terrorists and cybercrime are heavy users of strong cryptography. So how do terrorists really encrypt? Are there software

Read More

Talk/Workshop: SAP Security In-Depth

René Pfeiffer/ August 31, 2011/ Conference

No two SAP deployments are the same. If you run an SAP environment, then you will most certainly use customisations and a multi-tier architecture. You will have tied your SAP deployment to your assets. The typical setup features Development, Quality Assurance and Production (which is the minimal amount of tiers, you may have more). While the development and IT staff mainly interacts with Development and Quality Assurance environments, the organisation’s end-user only connects to the Production systems in order to undertake the required business processes. As soon as security considerations come into play you will probably audit your infrastructure. Since auditors cost money most SAP deployments won’t be scrutinised completely. And then you are in trouble despite passing tests with flying colours. Using short-cuts is the best way to run into trouble. Consider your multi-tier

Read More

DeepSec 2011 Schedule and Description of Talks/Workshops

René Pfeiffer/ August 23, 2011/ Conference

We’ve already published the preliminary schedule for DeepSec 2011. Most of the speakers have already confirmed their presence at the conference, but we are still waiting for e-mail. While preparing the schedule we’ve asked for more descriptions, and we will describe the talks and workshops in slightly more detail in the blog. We know that some of the titles deserve a closer look, especially since we got very interesting topics to talk about. During the next weeks we will dedicate a whole blog article to each and every slot in our schedule. Stay tuned! Please make sure that you don’t miss the early-bird rates. Tickets at reduced prices are still available until mid-September 2011!

Cargo Cult Security

René Pfeiffer/ August 21, 2011/ High Entropy, Stories

Here is a fictional story for you that bear no resemble to any living, dead or undead persons whatsoever. Imagine someone who is interested in establishing and maintaining a „medium“ to „high“ level of security for his or her business data. This person is a power user and uses harddisk encryption, an encrypted file server, access to internal data by VPN and GPG/PGP for communication. So far so good. Now for the bad news: untrusted devices without security software may also access internal resources and shiny new workstations run without anti-virus protection or firewalls. Questions about potential risks are ignored, suggestions to periodically check the security measures vanish into the big e-mail void, too. What is wrong with this picture? Well, given that all of this is purely fictional, some one you might recognise

Read More

Discussion about Data Protection and the Game Industry at GamesCon

René Pfeiffer/ August 20, 2011/ Report, Security

The GamesCon is taking place in Cologne. We were present at the first day in order to participate in a discussion about data protection in online games. Discussion partners were Konstantin Ewald, a lawyer and blogger (Online. Spiele. Recht) and Ulrich Lepper, North Rhine-Westphalia’s Commissioner for Data Protection and Freedom of Information. Online gaming is tied to user accounts and personal data. It is linked with targeted advertising. Since the Sownage series of attacks the issue has arrived in the mainstream media. There is no need to name Sony or any other company as a culprit, or to shift the blame around. Just as web applications, the world of online games is complex by itself. Hardening your infrastructure is fine, but this is only a part of the story. There are other components such

Read More

Preliminary Schedule of DeepSec 2011 published

René Pfeiffer/ August 19, 2011/ Administrivia, Conference

Finally we have reviewed all your submissions, and we have published a preliminary schedule on our web site. We have not filled all workshop slots, because some of the workshop submissions are still under review and some submitters have been asked for further material. We wish to express our deepest thanks for your submissions! We received much more than we possibly can squeeze into the conference schedule, most of the material being absolutely new and of high interest. We had a hard time rejecting talks, so don’t be sad if you couldn’t make it this time. So, to everyone whose submission was rejected: We will contact you again. The topics range from encryption, attacking mobile devices, IT compliance management, SAP weaknesses (yes, SAP deployments can be attacked, really), cyber-peace (we’re curious as well), insights

Read More

Explaining Security to non-technical Audiences

René Pfeiffer/ August 7, 2011/ Discussion, Report

A few days ago we had the opportunity to present a review of vulnerabilities in mobile phone networks and typical attack vectors to a non-technical audience (we announced the event in a previous blog posting, the event language was German). The background of the attendees was a spectrum of social sciences, political sciences, different technical science (but not information science), governmental agencies (again non-technical) and journalists. We adapted the slides in order to reduce the complexity and the technical details. The reaction was positive, but most of the questions were aimed at how to defend against the risks. Thus our reduction only lasted until the QA section. If you really want to defend yourself, you have to deal with the details. If you don’t dive into the details, you can give superficial answers at

Read More