0511, 2013

DeepSec 2013 Talk: Trusted Friend Attack – Guardian Angels Strike

René Pfeiffer/ November 5, 2013/ Conference, Security, Stories

Have you ever forgotten a password? It’s a safe bet to assume a yes. Sometimes we forget things. When it comes to logins there is usually a procedure to restore access and change the forgotten password to a known new one. This Forgot Your Password functionality is built into many applications. The mechanism is to rely on other ways to restore trust. There is a risk that unauthorised persons gain access to an account by exploiting the process. Ashar Javed has explored the password recovery function of 50 popular social networking sites. In his talk at DeepSec 2013 he will present the findings of his survey. The attack vector is called Trusted Friend Attack, because once you forgot your credentials you have to rely on trusted friends to recover them. Apart from automatic systems

Read More

0411, 2013

DeepSec 2013 Talk: Auditing Virtual Appliances – An Untapped Source Of 0-days

René Pfeiffer/ November 4, 2013/ Conference, Security

System administrators and information security researcher often have to deal with appliances. Almost every organisation and company has a couple of magical black boxes sitting around. Usually they are connected to the network, and they do important stuff (such as filtering things, checking content, and the like). In the old days testing these appliances for their security record was hard. You had to open it, do a lot of tedious reverse engineering in order to understand how it works, and then conduct your tests to do your analysis. Fortunately the future is here, and so is a new form factor: virtual appliances! At DeepSec 2013 Stefan Viehböck of SEC Consult will talk about the advantages of having a virtual appliance to deconstruct. Virtual appliances aren’t very different from their embedded cousins, judged from the

Read More

0311, 2013

DeepSec 2013 Talk: Cracking And Analyzing Apple iCloud Protocols: iCloud Backups, Find My iPhone, Document Storage

René Pfeiffer/ November 3, 2013/ Conference

The „Cloud“ technology is a wonderful construct to hide anything, because the „Cloud“ itself is no technology. Instead it is constructed out of a variety of different protocols, storage systems, applications, virtualisation and more. So „Clouds“ provide a good cover. Ask any fighter pilot. They will also confirm that the „Cloud“ is a great hunting ground. A lot of companies and individuals store their data there. A security flaw, stolen access credentials, compromised servers/clients, or bugs in the implementation can do harm. Information security researchers have long since explored the „Cloud“ infrastructure. The task is difficult for few providers have a fully open infrastructure; some do, some don’t. Plus you don’t know what’s going on between data centres. At DeepSec 2013 Vladimir Katalov will shed some light on the internals of the iCloud. He

Read More

0211, 2013

DeepSec 2013 Talk: Hack The Gibson – Exploiting Supercomputers

René Pfeiffer/ November 2, 2013/ Conference

Compromising and controlling a large number of computers is a big advantage for attackers. The best example are the botnets consisting of hundreds, thousands or millions of systems infected by malicious software. These herds of compromised nodes receive commands from Command & Control (C&C) servers. In a sense this is massive parallel computing, but unfortunately it isn’t used for scientific purposes. Instead these nodes send unsolicited e-mails (a.k.a. spam), perform Distributed Denial of Service (DDoS) attacks, or do other tasks for their masters. The infection process is highly automated. Scripts looks for promising targets, attack them, install the botnet software, and add them to the herd’s network. Great. But what about infecting whole networks of nodes instead of nodes one by one? Modern supercomputers are based on a multi-node architecture. Individual nodes are part

Read More

0111, 2013

DeepSec 2013 Talk: Prism Break – The Value Of Online Identities

René Pfeiffer/ November 1, 2013/ Conference, Internet

We all have identities. We use them on a daily basis in our off-line world. Colleagues greet us at work, because they know who we are. Of course our family members know who we are. When it comes to the digital life-style our identity becomes a lot more complex and diverse. Web shops know what we like and suggest products we do not yet have. Social media sites suggest contacts that might match our interest (as do dating web sites). Frequently used search terms are processed to refine the results our favourite search engine presents us. Customisation and targeting is the key. Everything you do and communicate is processed like ore and the Big Data server farms refine your daily trails through the Internet and produce your online identity – which is a good

Read More