Security in the Trenches (or how to get dirty and stay clean)

Mika/ February 27, 2012/ Security, Stories

Sometimes you have to get dirty, sometimes it’s fun to get dirty. No, it’s not what might come to mind, it’s about the dirty business of information security: you have to break things to see if they are secure enough and to learn about weak points. But what to break? Your own systems? Someone else’s systems? Best is to stay clean when selecting your target for the dirty business (we talked about offensive security recently). Most fun are “Capture the Flag” challenges, also known as war-games, which are frequently offered to the security community to test abilities and learn new stuff. I recently found a CtF challenge that looked quite fun and we started a 2-day session at the Metalab, the Hackerspace in Vienna, with a group of 6 or 7 people with different


About the fineprint in Software patents (Motorola vs. Apple)

Mika/ February 24, 2012/ High Entropy, Internet

Recently Motorola sued Apple because of Patent EP0847654 and Apple deactivated the push function for e-mails. Only on mobile platforms. Only for iCloud and MobileMe. Only within the borders of Germany. See What happened? While everyone in the blogosphere is ranting about e-mail pushing being patented etc. I dared to search for the original patent text and was a little bit surprised: The patent goes back to 1996. The title is “Multiple Pager Status Synchronisation System and Method”. In my opinion it describes something unrelated to modern e-mail systems. The patent describes a trivial three-message exchange over radio communication to ensure that multiple pagers in a group reflect the same status whether a message has already been read. Nothing about e-mail in general can be found. This is the reason for affecting only


Five Million, quick and easy!

Mika/ February 19, 2012/ High Entropy, Odd, Security Intelligence

A good friend and former colleague of mine asked me recently whether I could give him a tip on how to make 5M quick and easy. My answer was “Nothing I could think of which doesn’t involve a lot of nasty things and imply a long stay in jail”. But that’s not what I wanted to discuss here, although it’s somehow related: We had a couple of talks at the DeepSec which shed a little light on the underground economy and I also started to take some dives into the “Deepnet” to get acquainted with jargon, topics, trends and so on. Btw: NO, no details on this: not what I have visited, not when or how I registered there, I don’t wanna get doxed (1), these guys can get nasty and we don’t need another


DeepINTEL 2012 – Security Intelligence Call for Papers

René Pfeiffer/ February 17, 2012/ Administrivia, Security Intelligence

We already gave some hints on our security intelligence event we are planning for end of Summer. We now have a date and a venue: DeepINTEL will be held on September 3rd and 4th near Salzburg in Austria. This single track two day event addresses mainly critical infrastructure, state organizations (administrative and law enforcement), accredited CERTs, finance organizations and trusted parties and organizations with a strong relation or partnership to the aforementioned. Due to the sensitive topics and the nature of the participants and speakers we will have a vetting process for participants. We’d like to know our audience, so that we all can talk freely and openly during the event. If you have questions on this, please contact us directly via or the contact information given on our web site. Here is


Of CAs, DLP, CSRs, MITM, inspection and compliance

René Pfeiffer/ February 16, 2012/ Discussion, Security

Writing about certificate authorities is slowly turning into beating dead horses. We have seen a couple of security breaches at CAs in the past. We have witnessed security researchers turning to SSL/TLS. Fairly recently researchers have put RSA keys to the test and found common prime factors in thousands of keys. Now we have a discussion about compliance. The Mozilla team has given CAs a stern warning sparked by the issuing of a signing certificate by the Trustwave CA to a customer using a data loss prevention (DLP) device. According to a report the signing root certificate was used inside a Hardware Security Module for the purpose of dynamically creating fake certificates in order to inspect encrypted web traffic. While there was an audit at the customer’s site, this incident has sparked a heated


Thoughts about “Offensive Security Research”

René Pfeiffer/ February 11, 2012/ Discussion, Security

Ever since information relevant for security was published, there have been discussions about how to handle this information. Many remember the full/no/responsible disclosure battles that frequently erupt. There is a new term on stage. Its name is “offensive security research”. The word “offensive” apparently refers to the intent to attack IT systems. “Security” marks the connection, and “research” covers anyone being too curious. This is nothing new, this is just the old discussion about disclosure in camouflage. So there should be nothing to worry about, right? Let’s look at statements from Adobe’s security chief Brad Arkin. At a security analyst summit Mr. Arkin claimed that his goal is not to find and fix every security bug. Instead his strategy is to “drive up the cost of writing exploits”, he explained. According to his keynote


DeepSec 2012 – Call for Papers

René Pfeiffer/ February 10, 2012/ Administrivia, Conference

The Finux Tech Weekly episode containing an interview with MiKa and me beats our announcement of the Call for Papers by 4 hours, but here’s the text. Enjoy! DeepSec 2012 “Sector 6” – Call for Papers We are looking for talks and trainings for the DeepSec In-Depth Security Conference 2012 (“Sector 6”). We invite researchers, developers, auditors and everyone else dealing with information security to submit their work. We offer slots for talks and workshops, and we encourage everyone working on projects to present their results and findings. Please visit our updated website for more details about the venue, the schedule and information about our past conferences: The DeepSec offers a mix of different topics and aspects like current threats and vulnerabilities, social engineering and psychological aspects as well as security management and
