Leaks are problems you don’t want in your infrastructure. While this is clear for water pipes, it is not so clear for digital data. Copying is a part of the process, and copying data is what your systems do all day. A leak comes into existence when someone without access privileges gets hold of data. The industry has coined the term data leak/loss prevention (DLP) for products trying to stop intruders from ex-filtrating your precious files. Just like other defence mechanisms DLP systems cannot be bought and switched on. You have to know where your data lives, which software you use, what data formats need to be protected, and so on. We invited Andreas Wiegenstein to talk about data loss prevention in SAP systems. His presentation was held at the DeepSec 2013 conference and
Your iOS or Android smartphone can do a lot. „There’s an app for that!“ is also true for information security. So what can you do? We have seen smartphones used as an attack platform for penetration testing. You can use them for wardriving, and, of course, for running malicious software (next to „normal“ software which can do a lot too). At DeepSec 2013 Andre Gironda unlocked some of the mysteries of the iDevice and Android-device memory intrinsics, filesystem/process sandboxes, and the OO runtime by walking through the techniques, including common obfuscations. His talk is recommended to anyone interested in the capabilities of modern smartphones.
Botnets serve a variety of purposes. Usually they are used to send unsolicited e-mail messages (a.k.a. spam), attack targets by sending crafted data packets, or to perform similar activities. The Carna Botnet was created by an anonymous researcher to scan the IPv4 Internet. The creator called the botnet the Internet Census of 2012. The nodes of the botnet consist of virtually unsecured IPv4 devices – modems and other network equipment. Point of entry where mostly Telnet management interfaces exposed to the Internet. Analysing the devices that were part of the Carna Botnet is well worth the effort. This is why we invited Parth Shukla (Australian Computer Emergency Response Team, AusCERT) to present his findings about the Carna Botnet at DeepSec 2013. „A complete list of compromised devices that formed part of the Carna Botnet
Predicting the future is very hard when it comes to information technology. However in terms of security analysis it is vital to keep your head up and try to anticipate what attackers might try next. You have to be as creative as your adversaries when designing a good defence. This is why we invited Konstantinos Karagiannis (BT) to DeepSec 2013. Konstantinos has specialized in hacking banking and financial applications for nearly a decade. Join him for a look at the most recent attacks that are surfacing, along with coming threats that financial organizations will likely have to contend with soon.
The „Cloud“ is a great place. Technically it’s not a part of a organisation’s infrastructure, because it is outsourced. The systems are virtualised, their physical location can change, and all it takes to access them is a management interface. What happens if an attacker gains control? How big is the impact on other systems? At DeepSec 2013 Andrés Riancho showed what attackers can do once they get access to the company Amazon’s root account. There is more to it than a simple login. You have to deal with EC2, SQS, IAM, RDS, meta-data, user-data, Celery, etc. His talk follows a knowledgeable intruder from the first second after identifying a vulnerability in a cloud-deployed Web application through all the steps he takes to reach the root account for the Amazon user. Regardless of how your
Hey, you! Yes, you there! Want to get root on thousands of computers at once? We know you do! Who wouldn’t? Then take a good look at supercomputers. They are not a monolithic and mysterious as Wintermute. Modern architecture links thousands of nodes together. Your typical supercomputer of today consists of a monoculture of systems running the same software. If you manage to break into one node, the chances are good that you have access to all nodes. That’s pretty neat. At DeepSec 2013 John Fitzpatrick and Luke Jennings of MWR InfoSecurity talked about their tests with supercomputers. Their presentation covers the research and demonstrates some of the most interesting and significant vulnerabilities they have uncovered so far. They also demonstrated exploits and previously undocumented attack techniques live so you can see how to
Everything you do online creates a stream of data. Given the right infrastructure this data trails can be mined to get a profile of who you are, what you do, what your opinions are and what you like or do not like. Online profiles have become a highly desirable good which can be traded and used for business advantages (by advertising or other means). In turn these profiles have become a target for theft and fraud as well. In the digital world everything of value gets attacked eventually. Time for you to learn more about it. In his talk at DeepSec 2013 Frank Ackermann explained the value of online identities. We recommend his presentation, because it illustrates in an easily comprehensible way the value of online identities in our modern Internet relying society. It
For those who were not present at the DeepSec 2013 conference (shame on you!) we have compiled a selection of photographs taken at the event. Static imagery cannot give you the full experience, but maybe you want to drop by in 2014! Credits and our big thank you go to our graphic designer and our photographer!
CIOs don’t like words like „third party“ and „external vendor“. Essentially this means „we have to exchange data and possibly code with organisation that handle security differently“. Since all attackers go for the seams between objects, this is where you have to be very careful. The fun really starts once you have to deal with confidential or regulated data. So how do you cope with doing this and still keeping an eye open for risk, compliance, and efficiency? Good question. At DeepSec 2013 Luciano Ferrari (Kimberly-Clark Corporation) addressed these issues in his presentation. He has developed a process that deals with global Risk Assessment and increases the trust in and the security of your data. However: Data security can only be achieved if all units of an organization cooperate – and with a change
DeepSec 2013 Video: From Misconceptions To Failure – Security And Privacy In The US Cloud Computing FedRAMP Program
The „Cloud“ is the Fiddler’s Green of information technology. It’s a perpetual paradise built high above the ground where mortal servers and software dwell. Everyone strives to move there eventually, because once you are in digital paradise, then all your sorrows end. So much for the theory. The reality check tell a different story. This is why we invited Mikhail A. Utin (Rubos, Inc.) to DeepSec 2013. He presented an in-depth analysis of the US government’s FedRAMP programme. „…However, regardless of numerous concerns expressed by information security professionals over CC services, US government developed the FedRAMP program and got funding for moving all federal information systems into a “cloud”. As we identified, all “cloud” misconceptions have successfully made it into FedRAMP documents. What should we expect from such a large scale experiment? What will
Penetration testing is much more than trying a couple of attacks and be done with it. The results matter, and you have to prepare them in a fashion they can be used afterwards. Putting defences to the test is not a matter of „yes, it works“ or „no, it doesn’t“. There are expectations of the customer. Furthermore you will run into situations which might not have been anticipated. Then there is the Art of Communication™. Missing means of communication or misuse of known means is widespread. At his presentation at DeepSec 2013 Alexey Kachalin put reporting and penetration testing into perspective. Listen to his talk and let himexplain you what’s hot and what’s not.
While Cross Site Request Forgery (CSRF) is an attack that is primarily targeted at the end user, it still affects web sites. Some developers try to avoid it by using secret cookies or restricting clients to HTTP POST requests, but this won’t work. The usual defence is to implement unique tokens in web forms. CSRF is often underestimated, because their presence is more common than anticipated. At DeepSec 2013 Paul Amar introduced his Cross Site Request Forgeries Toolkit (CSRFT). The toolkit helps you to study and prototype CSRF interaction with web servers. Paul’s talk was one of the U21 submissions accepted at DeepSec 2013.
Controls blocking the flow of data are an important tool of defence measures. Usually you need to enforce your organisation’s set of permissions. There are even fancy gadgets available to help you cope with data loss in terms of unauthorised access. This only works in controlled environments. Fortunately the modern IT policy allows intruders to bring their own tools in order to circumvent security controls. Bring Your Own Device (BYOD) is all the fashion these days, and it really helps evading defence mechanisms. At DeepSec 2013 Georgia Weidman of Bulb Security LLC talked about what you can do with mobile devices and what you have to address when protecting your data. „…Companies are putting a lot of faith in these security mechanisms to stop the threats to mobile devices. In this talk we put
Attacking fortified positions head on looks good on the silver screen. Real life attackers have no sense for drama and special effects. Battering closed doors will get you nowhere fast. Instead modern adversaries take a good look at open doors and exploit them to get what they want. Security specialists know about the dangers of management interfaces (also known as backends). This is one main focus of denying unauthorised access. Once a backend is exposed, the consequences can be very fatal to your digital assets. At the DeepSec 2013 conference Shay Chen (Hacktics ASC, Ernst & Young) explained how attacks originating from backends look like and what attackers can do once they gained foothold.
Everybody makes mistakes. It’s no surprise that this statement applies to software development, too. When you deal with information security it is easy to play the blame game and say that the application developers must take care to avoid making mistakes. But how does software development work? What are the processes? What can go wrong? Answering these questions will give you an insight into ways to avoid being bitten by bugs. Peter af Geijerstam of Factor 10 talked about security mistakes in software development in his presentation held at the DeepSec 2013 conference. We recommend his presentation for everyone dealing with information security, not just software developers.