Sometimes your endpoint is a server (or a couple thereof). Very often your server is a web server. A lot of interesting, dangerous, and odd code resides on web servers these days. In case you have ever security-tested web applications, you know that these beasts are full of surprises. Plus the servers get lots of requests, some trying to figure out where the weaknesses are. This is how web application firewalls (WAF) come into play. Firewalls have come a long way from inspecting layer 3/4 traffic up to all the peculiarities of layer 7 protocols. Once your firewall turns ALG and more, things get complicated. Since security researchers love complexity Ashar Javed has taken a look at WAF systems. Here is his presentation held at DeepSec 2015. He found 50 ways to bypass the
Endpoint security is where it all starts. The client is the target most attackers go after. Once you have access there (let’s say by emailing cute cat videos), you are in. Compromised systems are the daily routine of information security. Even without contact with the outside world, you have to think about what happens next. Thomas Fischer has thought a lot about scenarios concerning the endpoint, and he presented his findings at the DeepSec 2015 conference. To quote from the talk: This presentation will demonstrate that one of the most complete sources of actionable intelligence resides at the end point, and that living as close as possible to Ring 0 makes it possible to see how a malicious process or party is acting and the information being touched. There you go. Have a look!
The word cyber has entered the information security circus a couple of years ago. It should have been long gone according to its creator William Gibson. Meanwhile everything has developed into something being cyber – CSI, war, politics, security, homes, cars, telephones, and more. Inventing new words helps to distract. Distraction is what Raoul Chiesa has seen in the last five years, while training various military units in different countries. He held a presentation at DeepSec 2015 about his experiences. While we don’t use the word cyber when talking about (information) security, others sadly do. So think of Information Warfare or Information Offensive Operations when hearing cyber and don’t let yourself be distracted by the fog of war.
Data protection and information security are often seen as different species. Why? Where is the difference between protection, defence, security, and offence? There are a lot of relations between the terms. Stefan Schumacher (Magdeburger Institut für Sicherheitsforschung) gave a presentation at DeepSec 2015 on how to link privacy with security: „Hesse introduced the first data privacy law in the world in 1970. Since then, the German data privacy laws evolved over time and led to the creations of several tools and methods to protect private data. Though it is aimed at data protection it can be utilized for IT security. This talk introduces the data privacy law and it’s main ideas. This presentation will also show how it can be used to further IT security especially in the SME sector. This mostly refers to
If you have no money but some time to spare, you should head over to the RuhrSec ticket shop and get yourself some freshly issued Early Bird tickets! Our friends in Bochum have a decent schedule for you. Inevitably the Internet of Things gets broken (again), you hear more about TLS v1.3, caches get a thorough Rowhammer beating, Eve pays a visit to your WebTRC talk, and more security wait for you. RuhSec takes place on 28 and 29 April 2016. The location is the Veranstaltungszentrum, Ruhr-Universität Bochum, Universitätsstraße 150, 44801 Bochum. Google has a map for you as well.
The information technology world is full of fancy words that re-invent well-known and well-understood terms. Everyone is talking about the endpoint these days. Endpoint is the trusty old client in disguise. Plus the end in endpoint doesn’t means that something ends there. From the information security point of view all your troubles actually start there. So the client is the start of all your endpoint problems. Why? Because attacks start at the endpoint, regardless how you call it. At DeepSec 2015 Matthias Deeg held a presentation on how malicious software (a.k.a. malware, the good old virus/trojan horse/worm) can deactivate endpoint protection software (a.k.a. anti-virus software) in order to turn your endpoint into a startpoint. Enjoy!
Isolation is a prime ingredient of information security. The air-gap is the best way to isolate systems. Only wireless communication can transport data across these gaps. Apart from Wi-Fi the signals of mobile radio communication are very common. At DeepSec we have seen a lot of hacking when it comes to mobile phones and their networks. Mordechai Guri and Yisroel Mirsky (both of Ben-Gurion University of the Negev) held a talk about how to overcome the air-gap barrier by means of cellular frequencies. Their presentation addresses the way of exfiltrating data across the air-gap: „Although the feasibility of invading such systems has been demonstrated in recent years, exfiltration of data from air-gapped networks is still a challenging task. In this talk we present GSMem, a malware that can exfiltrate data through an air-gap over
Once you got software, you most probably got yourself some decent bugs. Software vulnerabilities are everywhere. They come with the code. Managing patches and changes is they way of handling these weaknesses. At DeepSec 2015 Mitja Kolsek spoke about a new way of addressing vulnerabilities: „Software vulnerabilities are likely the biggest problem of information security, fuelling a rapidly growing market for “0days”, “1days” and exploits alike. It can be highly intellectually challenging to find a vulnerability and create an exploit for it, and super entertaining to reveal it all to the bug-hungry crowds (preferably along with a logo and a catchy name, courtesy of the marketing department). As a result, there’s been a lot of innovation and progress on the offensive side of information security, and a corresponding defensive industry is thriving providing quasi-solutions
Application whitelisting is a method where you create a baseline selection of software on a system. You then freeze the state, and after this point any code not being part of your original „white list“ is considered dangerous and blocked from execution. In theory this should prevent the execution of malware and therefore protect against the pesky advanced persistent threat (APT) attacks everyone is talking about. What does this mean for your daily business? René Freingruber of SEC Consult talked about a case study at DeepSec 2015. This should save you some time and pain. Theory is not always the same when deployed in the field. René’s presentation even contains vendor names, so you can talk to the sales executive of your favourite brand of security products. This presentation is also a prime example
In politics it is en vogue to create new words by connecting them. The words „cyber“ and „lawful“ come to mind. You can add „crime“ and „intercept(ion)“, and then you got something. Actually you can combine both of the latter words with the first two. Either combination makes sense if you take a look at the Athens Affair. More than ten years ago the lawful interception modules of Vodaphone Greece were used to eavesdrop on the Greek government. Kostas Tsalikidis (Κώστας Τσαλικίδης) , Vodaphone’s network planning manager, was found dead in his apartment. At DeepSec 2015 James Bamford talked about what the Athens Affair really was and shed light on the many uses of the lawful intercept systems which are mandatory for most telecommunications equipment. We don’t know how many Athens Affairs are still
As you may have noticed, we have sorted out the problems with the DeepSec 2015 recordings. Handling heavy multimedia files isn’t for the faint of heart – especially if one forgets to turn off the Twitter notifications while uploading broken video files. We have fixed this. Apparently the new uploader code took us (and our browser settings) by surprise. Now everything is whitelisted sorted out. The show can go on! We will accompany most videos with a short blog posting to put the content into perspective. Due to many publications in December it’s good to connect the dots. The Big Picture beats Big Data every time.
The new year is a couple of weeks old. Not much has changed from the perspective of information security. The word „cyber“ is still alive and kicking (just as the „cloud“ is, despite Safe Harbour not being safe any more). Crypto is being used as a scapegoat for major intelligence failures – again and again. Blaming mathematics is really easy, because few understand how cryptography protects the infrastructures all around us. Big Data and collecting intel is still going strong. In fact Signals Intelligence (SIGINT) is now part of our society; some say it’s even a part of our culture. Want to know what SIGINT in big scale looks like? Well, Duncan Campbell explained the SIGINT monster in depth at the DeepSec conference in 2015. Have a look at the video recording. 2016 promises