Lessons in Trust and Malicious Code from the Staatstrojaner

René Pfeiffer/ October 31, 2011/ Security

Since it is Halloween we will beat an undead horse in our blog today. Zombies are all the fashion both in literature and on your computer. The question is: Are all zombies alike? Are there good and bad zombies, or only bad ones? How can you distinguish between good and evil intentions if all you got is a compromised system? It all boils down to trust, and the zombie in question is (again) the German Federal Trojan („Staatstrojaner“). The German magazine Telepolis published an article that compares the statement of Jörg Ziercke, the head of the German Federal Criminal Police Office (Bundeskriminalamt or BKA), to the words of Rudyard Kipling’s python Kaa. The basis for this analogue are Mr. Ziercke’s claims stem from leaked notes of his speech in the commission of the German

Read More

Defending against the Hype of Advanced Persistent Threat (APT)

René Pfeiffer/ October 31, 2011/ Security

Many articles like to mention Advanced Persistent Threat (APT), point out that 0-day attacks are extremely dangerous, and that anyone and your neighbour might already be compromised, but doesn’t know about it. So APT casts a long shadow even when not having arrived yet. This is exactly why we used the word „hype“ in the title. If you are not feeling very well and you look up symptoms in popular search engines, then you suddenly end up with lots of diseases that might fit. Doing this won’t change anything, you still got the symptoms and you still got no idea what’s going on. Reading information on security breaches alone won’t alone won’t get you anywhere (currently you can find some news on the RSA hack online). Exchanging ideas and hearing about stories is fine,

Read More

Talk: Bond Tech – I Want More Than Movie Props

René Pfeiffer/ October 30, 2011/ Conference

I watched „Bolt“ with my daughter yesterday. She’s still young and needed some time to distinguish fiction from reality, just like Bolt himself. If you regularly use (security) tools, then you might get a bit jealous about all these super-science skills and gadgets. This is especially true when it comes to the toys of James Bond. These questions arise: Does your software think it has super-powers, and when do we get these cineastic power tools on steroids just like in the films? Kizz MyAnthia of Halock Security Labs will address both questions in his talk at DeepSec 2011. There’s no doubt about it, you want these super-tools. We all do. So when do we get them? Well, soon or maybe never, but if you deal with information security (or vice versa) you have to

Read More

Talk: The Security of non-executable Files

René Pfeiffer/ October 27, 2011/ Conference

Recent security incidents push the imagination of some people to the limits. On today’s menu are U.S. Government satellites (done before albeit with a different vector), insulin pumps, automatic teller machines, smartphones linked to cars, and even vending machines in wilderness resort parks. What’s next? Executing code by the use of postcards or printed newspapers? Exactly! You probably recognise this phrase: „This is a data file, it can never be executed as code.“ It’s nice to think of bits and bytes neatly separated into code and data. In fact some security models encourage this approach. In practice data tells a different story. You have very elaborate document and data formats with thousands of pages of specification. PDF, rich media and office documents are way more complex than you might think. This is why Daniel

Read More

Talk: FakeAntiVirus – Journey from Trojan to a Persisent Threat

René Pfeiffer/ October 26, 2011/ Conference

You run the latest software defending you against malicious code. You have your best filters deployed. Your firewalls are tight as granite. Your crypto is flawless. Your authentication is watertight. But you’re still being attacked and have probably been compromised. What happened? There’s always the attack vector through social engineering. Combine this with a web site or a dialogue box that warns your staff about a potential security breach and tricks them into installing code manually, most commonly by disguising as Anti Virus software (hence the name FakeAntiVirus). Infection can be done by browser plug-in / add-on (think toolbars or other convenient items) or more complex means. Once the tool is installed, it takes control of your system(s), phones home or does other tasks as told by its new owner. Provided the cover is

Read More

Dissection of Malware and Legality

René Pfeiffer/ October 24, 2011/ Discussion, Security

You have probably seen the articles about the 0zapftis (a.k.a. the German Federal Trojan) malware used by the German police for investigation. There’s a lot going on in Germany and the German parliament, so we’d like to point out the issue of dissecting governmental malware and its relation to common sense and the law. The politician Patrick Sensburg accused the Chaos Computer Club to have thwarted investigations and thus the punishment of potential perpetrators. This violates German law (§ 258 Strafvereitelung, to be exact, description is in German). So is it legal to analyse malicious software or is it illegal? Mr. Sensburg has already answered three questions regarding his statements in parliament. He clarified his message. He criticises that the code had been published on the Internet instead of contacting the appropriate government agencies.

Read More

Stealing Digital Assets with Knives

René Pfeiffer/ October 22, 2011/ Discussion, High Entropy

This article on the ElReg® web site caught my attention today. Police forces in England and Wales read the statistics stemming from crime reports more closely. They think to have found a correlation between the increase of robbery and robbery with knives and the demand for smartphones to sell on the black market. The stolen devices could now be in demand for the hardware (probably), the software (doubtful) or the identity information stored on them (what about this, then?). The protection level of personal data and identity information is quite low for most phone owners. Of course, there are „lies, damned lies and statistics“ and you have to be careful to draw conclusions from a quick glance of a news article. Then again correlations is what you are interested in when building your radar.

Read More

DeepSec auf Radio Netwatcher am 25. Oktober 2011

René Pfeiffer/ October 22, 2011/ Communication

We did an interview with Radio Netwatcher. You can listen to it on 25 October 2011 at 1800 CEST on radio ORANGE 94.0 (Austria and other countries where the content is syndicated). The interview is in German. It covers the 0zapftis trojan horse, malware in general, security (of course), DeepSec 2011 and the Austrian Big Brother Awards. Wir haben Radio Netwatcher ein Interview gegeben. Man kann es am 25. Oktober 2011 um 1800 (CEST) auf Radio ORANGE 94,0 hören (hier in Österreich und in anderen Ländern, wo der Inhalt auch ausgestrahlt wird). Der Interview wurde in deutscher Sprache gegeben. Es umfaßt den 0zapftis Staatstrojaner, Schadsoftware im Allgemeinen, Sicherheit (natürlich!), die DeepSec 2011 und die österreichischen Big Brother Awards.

Security Intelligence, two different Approaches

Mika/ October 20, 2011/ Internet, Report, Security

We are monitoring activities around Security Intelligence since a while and found quite different understandings and approaches. Security Intelligence is one the newest disciplines in the area of Information Security and the goals seems to be quite vague. Different organizations seem to have totally different understandings of what Security Intelligence should be about. To illustrate this I would like to compare two of the leading IT vendors and what they publish as “Security Intelligence”: Cisco Security Intelligence Operations http://tools.cisco.com/security/center/home.x Cisco lists on the Security Intelligence Portal mainly security advisories, alerts, responses and information about Cisco product updates, signature updates, mitigation bulletins virus watch and similar topics. To provide this kind of information is in my humble opinion the task of a CERT (Computer Emergency Response Team) or a PSIRT (Product Security Incident Response Team).

Read More

Press Release: From Car to „Zombie“ – Data-driven Attacks on Automobiles

DeepSec Organisation/ October 19, 2011/ Press

Data-driven Attacks on Automobiles Security conference DeepSec broaches the issue of automobile security  Vienna – Hacking attacks on cars sound like something out of a Hollywood blockbuster. However, they’re possible today and pose a real threat for individuals and the automotive industry. The international security conference DeepSec, which takes place between the 15th and 18th of November 2011 chose the security of mobile phones, cars and their users as central topics for this year’s conference. „As in the years before we want to present exciting and controversial topics which concern not only experts, but most of us directly or indirectly in 7 workshops and 34 talks.The liability of modern cars to attacks is on of our topics.” says René Pfeiffer, organiser of DeepSec. “DeepSec acts as neutral platform to connect the hacker-community with IT

Read More

Talk: Behavioral Security: 10 steps forward 5 steps backward

René Pfeiffer/ October 17, 2011/ Conference

How do you distinguish good from evil? Have you ever asked yourself this question? In order to avoid diving into philosophy let’s translate evil to harmful and good to harmless. What’s your strategy to find out if something is harmful or harmless? When it comes to food maybe you try a small bit and gradually increase the dose. This strategy fails for software since you cannot install a bit of code and install more if everything looks ok. Analysing the behaviour is the next analogy in line. Behavioural analysis is well-known to anthropologists, psychologists and most human resources departments. Does is work for code, too? If you look at your security tools you will probably find tools that use a rule-based approach; then there are signatures and some tools offer to detect/decide based on

Read More

Talk: Extending Scapy by a GSM Air Interface

René Pfeiffer/ October 16, 2011/ Conference

Scapy is the „Swiss Army tool“ among security software. Scapy is a powerful interactive packet manipulation program. It is used for scanning, probing, testing software implementations, tracing network packets, network discovery, injecting frames, and other tasks. So it’s a security power tool useful for a lot of tasks in security research. Wouldn’t it be nice to add some capabilities on layer 3 of the Global System for Mobile Communications (GSM) protocol? This layer covers the UM interface that connects mobile network clients over the air interface to the base stations. Capturing packets on this link alone would be a great benefit to security researchers. Laurent ‘kabel’ Weber of the Ruhr-Universität Bochum will talk about „Extending Scapy by a GSM Air Interface and Validating the Implementation Using Novel Attacks“ at DeepSec 2011. Laurent’s talk describes the enhancement

Read More

Talk: Design and Implementation of a Secure Encryption-Layer for Skype Voice-Calls

René Pfeiffer/ October 14, 2011/ Conference

You probably use communication tools that transport the voice/messaging data over the Internet. We’re not speaking about e-mail, but about recent software of the information age – Skype. Skype is widely used for audio/video chats around the world. Its security is shrouded in proprietary mystery and many urban legends exist. In 2006 Philippe Biondi and Fabrice Desclaux analysed the Skype network and its security in their talk „Silver Needle in the Skype“. Since end users can neither create their own cryptographic keys nor see the ones that are actually used, the network has always the capability of eavesdropping on calls. It is not clear if this capability is used or abused at all, but the risk is present. As with eavesdropping in mobile phone networks the communication partners will be totally oblivious, and neither

Read More

Mobile Phone Calls as Security Risk

René Pfeiffer/ October 13, 2011/ Conference, Security

Do you rely on your mobile phone? Do you frequently call someone or get called? Do you transmit messages or data across mobile phone networks? Maybe you shouldn’t unless you use additional security layers since mobile phone networks must be regarded as a security risk. Karsten Nohl of Security Research Labs has taken a look at Austrian mobile networks. The result is a wake-up call for companies and individuals alike. According to Nohl the local Austrian providers A1/Mobilkom, T-Mobile Österreich und Orange have not updated their networks as other operators in Europe have already. He explained that there is no sign of any additional hardening. The transmissions of mobile phone network clients can be intercepted and decrypted with very little technical effort. The networks still use the A5/1 encryption standard which has been repeatedly

Read More

Workshop: Social Engineering for IT Security Professionals

René Pfeiffer/ October 12, 2011/ Conference

Social Engineering has been around for a long time and predates the Internet. The method of the Nigerian scams today dates back to the 16th century. It is much more widespread today. Social networking sites supply attackers with a rich source of information. They may even get hold of confidential information without any effort (as the Robin Sage experiment has shown). Directed attacks such as spear-phishing can have a high impact. The use of deception or impersonation to gain unauthorised access to sensitive information or facilities is a persistent threat to your company or organisation, provided you communicate with the outside world. Since computer security is becoming more sophisticated, hackers are combining their technical expertise with social engineering to gain access to sensitive information or valuable resources in your organisation. Social engineering attacks can

Read More