DeepSec 2013 Talk: Easy Ways To Bypass Anti-Virus Systems

René Pfeiffer/ October 31, 2013/ Conference, Security, Stories

The Joys of Detecting Malicious Software Malicious software is all around us. It permeates the Internet by riding on data transmissions. Once you communicate, you risk getting in touch with malware (another name for malicious software). This is why every single one of us, be it individual, company or organisation, runs anti-virus software. The idea is to have specialised software detect malware, so all the bad things are kept out of your network and away from your end-points. So much for the theory. In practice any self-respecting attacker can evade anti-virus filters by a variety of means, depending on their skills and resources. Security researchers know about this fact. Stuxnet and Flame were a proof for sceptics (and a failure of the whole anti-virus industry). How can this be? Well, Attila Marosi (GovCERT Hungary)

Read More

DeepSec 2013 Talk: Uncovering your Trails – Privacy issues of Bluetooth Devices

René Pfeiffer/ October 30, 2013/ Conference, Security

Bluetooth has been around for a while. Hackers and security researchers (such as and others) immediately investigated the weaknesses of protocol and implementations – The specifications have evolved, but so has the proliferation of Bluetooth-capable devices. Smartphones, dumb phones, computers, bulletin boards, media players, tablets, game consoles, headsets, and many more support Bluetooth wireless communication. Even though bugs of the past were fixed, the widespread capabilities of devices allow for a lot of creative use by adversaries. At DeepSec 2013 Verónica Valeros and Garcia Sebastian will give you an update about Bluetooth hacking and your exposure to attackers. When we think about our own privacy, we usually think of our private data, passwords, personal stuff, web pages we have accessed or phone calls we have made. Information about our behaviour in real life (where

Read More

DeepSec 2013 Workshop: Effective IDS/IPS Auditing And Testing With Finux

René Pfeiffer/ October 26, 2013/ Conference, Security, Training

A major part of information security is to deal with intrusions. It doesn’t matter if you have to anticipate them, detect them, or desperately wish to avoid them. They are a part of your infosec life. This is why gentle software developers, security researchers, and vendors have created intrusion detection/preventi0n systems. It’s all there for your benefit. The trouble is that once you buy and deploy and IDS/IPS system, its dashboard looks a lot like the one from the space shuttle or a fighter jet. You can do a lot, you can combine a lot more, and you see all kinds of blinking lights when you turn everything on. That’s probably not what you want. But there is help. Arron ‘Finux’ Finnon of Alba13 Research Labs will conduct a training on effective IDS/IPS auditing

Read More

DeepSec 2013 Talk: Hacking Medical Devices

René Pfeiffer/ October 25, 2013/ Conference, Security

Modern information technology has already entered the field of medical technology. Few hospitals can operate without power and network connectivity. This is why information security has followed the deployment of hardware and software. Next to the infrastructure present there exists a multitude of communication protocols that increase the attack surface. Hospitals and other medical facilities have to address this issue. News of compromised systems are bad for the administration and the patients. Securing systems enters a new dimension once you consider equipment such as medical pumps, diagnostic systems and anaesthesia machines which directly interact with the patient. Tampering with the dosage of the medication can result in very serious consequences, regardless if on purpose or by accident. Dick Cheney had the wireless capabilities of his pacemaker disabled in 2007 for fears of attacks against his

Read More

DeepSec 2013 Talk: Psychology of Security – a Research Programme

René Pfeiffer/ October 23, 2013/ Conference

Have you ever considered the impact of the human mind on information security? Since our brain also deals with information,it should be an integral part of defence. Let’s take a look at psychology:  At DeepSec 2013 Stefan Schumacher will give you an introduction into the psychology of security and why we need to improve scientific research in this particular field. Most research about security is done in Computer Science, Electrical Engineering and Mathematics and is about technology, algorithms and computability. However, all security issues can be traced back to human behaviour. Be it Social Engineering, the choice of weak passwords, users leaving the password on a note-it attached to the TFT, admins using MD5 as a password hash or developers ignoring testing regulations. Humans are making decisions, not computers. Therefore, security is defined by

Read More

DeepSec 2013 Workshop: Hands On Exploit Development (Part 2)

René Pfeiffer/ October 21, 2013/ Conference, Stories

Unless you buy ready-made exploits or do security research (you know, the tedious task of testing systems and code, findings bugs and assessing their impact) you may wonder where they come from. To show you how to exploit a vulnerability and how to get to an exploit, we have asked Georgia Weidman for an example. She will be conducting the Hands On Exploit Development training. Early in my infosec education I took a class with a lab portion systems with known vulnerabilities. One system that I had difficulty exploiting was a Windows 7 host with HP Power Manager 4.2.6 which is subject to CVE-2009-2685. There is no Metasploit Module for this issue, but I was able to find some public exploit code on Exploit-db. The exploit calls out explicitly that it has been tested

Read More

DeepSec 2013 Workshop: Hands On Exploit Development (Part 1)

René Pfeiffer/ October 20, 2013/ Conference, Training

Software bugs evolve, just like their animal counterparts. Lesser bugs impact usability or are simple malfunctions. Once a bug impacts the security it is called a vulnerability. This means that something major is broken and that the internal logic can be manipulated to produce undesirable effects. Vulnerabilities can be exploited to create deterministic effects such as bypassing security checks, elevating privileges or other things. Exploits are the biggest bugs around. They have to work every time (at least with the software version affected by the bug/vulnerability), they need to insert specific code with a given purpose, and they should not compromise the functionality of the software (since you don’t want to be noticed) – So there is software development involved. Georgia Weidman will teach you how to get from a bug via a vulnerability

Read More

DeepSec 2013 Talk: Finux’s Historical Tour Of IDS Evasion, Insertions, and Other Oddities

René Pfeiffer/ October 19, 2013/ Conference, Security, Stories

The SANS Institute offers the article The History and Evolution of Intrusion Detection in its Reading Room. The article was published in 2001. It starts with the phrase „during the past five years…“. We now have 2013. Why is it important to examine the history of a technology which certainly is well established and widely deployed in information security? Well, first of all even to this day many people have a problem with what intrusion detection really is. Detecting an intrusion is not the same as intrusion detection. Secondly not everything marketed as intrusion detection system really detects intrusions. How can this be? The answer can be found by attending Arron „Finux“ Finnon‘s Historical Tour Of IDS Evasion, Insertions, and Other Oddities at DeepSec 2013. He will address the history of intrusion detection along the lines

Read More

DeepSec 2013 Talk: Pivoting In Amazon Clouds

René Pfeiffer/ October 17, 2013/ Conference, Internet

The „cloud“ infrastructure is a crucial part of information technology. Many companies take advantage of outsourced computing and storage resources. Due to many vendors offering a multitude of services, the term „cloud“ is often ill-defined and misunderstood. This is a problem if your IT security staff needs to inspect and configure your „cloud“ deployment with regards to security. Of course, virtualisation technology can be hardened, too. However the „cloud“ infrastructure brings its own features into the game. This is where things get interesting and where you have to broaden your horizon. Andres Riancho will show you in his talk Pivoting In Amazon Clouds what pitfalls you can expect when deploying code and data in the Amazon Cloud. Classical security tests won’t be enough. The Amazon Elastic Compute Cloud (EC2) is more than just virtual

Read More

DeepSec 2013 Talk: From Misconceptions To Failure – Security And Privacy In The US Cloud Computing FedRAMP Program

René Pfeiffer/ October 16, 2013/ Conference, Security

The „Cloud“ doesn’t stop when it comes to government data. Once government authorities play with outsourcing a lot more regulations need to be reviewed. Mikhail Utin talks about new results and a continuation of his last presentation at DeepSec conference: Our second presentation at DeepSec on so named “Cloud Computing” (CC) and associated services (CCS) considers practical implementation of the “concept” by US government in its FedRAMP program, which is expected to convert all the government IT services into “cloud” based ones. Our first (DeepSec 2012) presentation considered whether such “concept” is useful to protect privacy and implement such regulation as EU General Data Protection Regulation (GDPR) proposal. In fact, we have shown that CC is a misleading terminology, providing a confusing name to describe well-known IT infrastructure, which is little more than a

Read More

DeepSec 2013 Talk: The Economics Of False Positives

René Pfeiffer/ October 15, 2013/ Conference

Ever since networks got attacked the victims have thought of ways to detect and prevent attacks. Packet filters were the first idea. Closing a port meant to worry less about applications listening on them. So the trouble of protecting moved to the services that were still exposed. Filtering got more complex, protocols were inspected, signatures were introduced, intrusion detection systems were born. Great – but the attacks didn’t disappear. Instead you got alerts, a lot of them. Some were caused by real attacks, some were false alerts. Enter false positives. Setting off false alarms is a tried and true military tactic. After a couple of false alarms the sentries will probably be less alert. Translated to information security this means that alerts (and log files) will be ignored after a couple of false alerts.

Read More

DeepSec 2013 Workshop: Exploiting Web Applications Protected By $WAFs

René Pfeiffer/ October 11, 2013/ Conference, Security, Training

We all use web applications on a daily basis. Search engines, portals, web sites, blogs, information pages and various other content accessible by web browsers accompany us every day. This means that web server are the first exposed systems you will have to protect when deploying web applications. Usually you would add filters to your network that inspect access to the software and block any malicious requests. Packet filters were the tool of choice. Now we have application level firewalls to deal with content and protocols used. In the case of web applications the market has introduced a new kind of device: the web application firewall (WAF). In theory WAFs understand HTTP and know how a web browser talks to a web server. In practice no two web applications are alike, because they may

Read More

Changes to the DeepSec 2013 Schedule – two new Talks

René Pfeiffer/ October 10, 2013/ Administrivia, Conference

We had to change the schedule for the DeepSec 2013 conference slightly. Unfortunately two talks were cancelled, because the speakers could not confirm their presence. We are sorry to hear that, but every one of us know Real Life Interference™ can bust the best of plans. We have replaced the talk slots with submissions by other speakers. We will hear about Uncovering your trails – Privacy issues of Bluetooth Devices by Verónica Valeros & Garcia Sebastian. Bluetooth capabilities are pretty widespread and can be found in devices all over the world – and your workplace, of course. To quote Sheldon Cooper: „Everything is better with Bluetooth.“ And so is attacking devices and leaking information about users and devices. The second talk is pending a description and will be announced in short on our Twitter

Read More

DeepSec 2013 Talk: The Boomerang Effect – Using Session Puzzling To Attack Apps From The Backend

René Pfeiffer/ October 10, 2013/ Conference, Security

In past centuries attackers used battering rams to break down doors and siege artillery to blast holes into solid fortification walls. These were very tedious undertakings, so using alternate routes – possibly back-doors – were always highly regarded. Nowadays wonderful World of „Cyber“™ is no exception. The modern web-obsessed infrastructure has seen web browsers in local networks being compromised to access web-based back-end systems (through DNS rebinding attacks for example). Management consoles are a prime target, because once you gain access you probably can make the most out of elevated privileges. What about turning the back-end around and attack applications by it? Shay Chen has explored this attack vector and will present details in his talk at DeepSec 2013. Applications security mechanisms, secure software development processes, web application firewalls – collections of countermeasures that turn hacking

Read More

DeepSec 2013 Workshop: Attacks On GSM Networks

René Pfeiffer/ October 4, 2013/ Conference, Security, Training

Mobile phone networks have penetrated even the most remote areas of the Earth. You can send a tweet from Mount Everest if you like, the cell service is already there. In addition mobile phone networks feature 6 billion subscribers all over the world. Communication by mobile devices has entered the routine of daily life. It’s not all about talking. Smartphone, laptops, tablets and modems access the Internet by mobile phone networks. And as every security specialist knows: If there’s a network, then there are protocols, and these protocols can be attacked. True, it’s not as easy as TCP/IP since mobile phone networks feature sets of more complex protocols. Nevertheless these networks can be accessed, and you cannot block it. This is why you should get in touch with the threats to your organisation. DeepSec

Read More