About René Pfeiffer

System administrator, lecturer, hacker, security consultant, technical writer and DeepSec organisation team member. Has done some particle physics, too. Prefers encrypted messages for the sake of admiring the mathematical algorithms at work.

2504, 2017

Applied Crypto Hardening Project is looking for Help

René Pfeiffer/ April 25, 2017/ High Entropy, Internet

Hopefully many of you know the Applied Crypto Hardening (ACH) project, also known as BetterCrypto.org. The project was announced at DeepSec 2013. The idea was (and is) to compile hands-on advice for system administrators, dev ops, developers, and others when it comes to selecting the right crypto configuration for an application. The BetterCrypto.org document covers far more protocols than HTTPS. OpenSSH, OpenVPN, IPsec, and more topics are described in the PDF guide. The project is run by volunteers. This is where you come in. The ACH project needs more volunteers to keep going. New GNU/Linux distributions are around the corner (the apt store never sleeps). Some vendors really do upgrade their code base. Libraries change and bleed less. Algorithms get tested, improved, and re-evaluated. The field of cryptography is moving forward, as it should.

Read More

0104, 2017

SS8 – Replacement for Insecure Signalling System No. 7 (SS7) Protocol revealed

René Pfeiffer/ April 1, 2017/ High Entropy

The ageing SS7 protocol has reached it’s end of life. Security experts around the world have criticised vulnerabilities a long time ago. SS7 even facilitated unsolicited surveillance attacks. What’s more, it has its own talks at the annual Chaos Communication Congress – which is a clear sign of fail if there is more than one presentation dealing with inherent design failures. It’s time to put SS7 to rest. Since the 1970s the requirements for signalling have clearly changed. It’s not only about telephones any more. SS8, its successor, features a brand new design and fixes the many shortcomings of SS7. New technologies such as blockchain, artificial intelligence, crowd routing, social signalling, full “tapping”, and deep state connections are now part of the core functions. Furthermore, SS8 is completely in harmony with Big Data, because it offers a

Read More

2703, 2017

DeepINTEL / DeepSec News for 2017 and Call for Papers

René Pfeiffer/ March 27, 2017/ Administrivia, Call for Papers, Conference

Changing code, layout or designs have something in common – deadlines. But you cannot rush creativity, and so the new design of the DeepSec web site took some time. The old design has served us well. We basically did not change much and used it since 2007. The new design follows the stickers we use for decoration at our conferences, the book cover of the DeepSec chronicles, and many other details we publish via documents – all thanks to the creative mind of fx. So thanks a lot fx! The content of our conference has also slightly changed. DeepSec 2017 will feature additional content, because we will introduce a third track filled with presentations from academic research. Given the fact-free discussions of information security and security in general, we would like to (re)introduce the scientific

Read More

1403, 2017

Submit your Talk – Call for Papers for BSidesLondon

René Pfeiffer/ March 14, 2017/ Call for Papers

The Call for Papers for BSidesLondon is still running! If you haven’t submitted your talk yet, please do! The deadline is 27 March 2017. Don’t miss it! The Wonderful World of Cyber is full of stuff to talk about. There is broken software all over the Internet (of Things). 0days await. Infrastructure is ready to be defended or attacked. Let others know about your ideas. If you have never presented at a conference before, then you should consider a submission for the rookie track. You have to start somewhere or somewhen, so why not at BSidesLondon? Looking forward to listen to your presentation at BSidesLondon!

2701, 2017

Putting the Science into Security – Infosec with Style

René Pfeiffer/ January 27, 2017/ Discussion, Security

The world of information security is full of publications. It’s like being in a maze of twisted little documents, all of them alike. Sometimes these works of art lack structure, deep analysis, or simply reproducibility. Others are perfectly researched, contain (a defence of) arguments, proofs of concept, and solid code or documentation to make a point. Information security is a mixture of different disciplines such as mathematics, physics, computer science, psychology, sociology, linguistics, or history. It’s not about computers and networks alone. There is interaction between components. Protocols are involved. Even the simple act of logging in and staying in an active session requires in some parts to talk to each other. And then there are rituals. Scepticism is widespread in information security. Questioning your environment is the way to go, but you need to

Read More

2601, 2017

The Sound of „Cyber“ of Zero Days in the Wild – don’t forget the Facts

René Pfeiffer/ January 26, 2017/ Discussion, High Entropy

The information security world is full of buzzwords. This fact is partly due to the relationship with information technology. No trend goes without the right amount of acronyms and leetspeaktechnobabble. For many decades this was not a problem. A while ago the Internet entered mainstream. Everyone is online. The digital world is highly connected. Terms such as cyber, exploit, (D)DoS, or encryption are used freely in news items. Unfortunately they get mixed up with words from earlier decades leading to cyber war(fare), crypto ransom(ware), dual use, or digital assets. Some phrases are here to stay. So let’s talk about the infamous cyber again. In case you have not seen Zero Days by Alex Gibney, then go and watch it. It is a comprehensive documentary about the Stuxnet malware and elements of modern warfare (i.e.

Read More

2101, 2017

Putting the Context into the Crypto of Secure Messengers

René Pfeiffer/ January 21, 2017/ Communication, Discussion, Internet

Every once in a while the world of encrypted/secure/authenticated messaging hits the wall of usability. In the case for email Pretty Good Privacy (PGP) is an ancient piece of software. These days we have modern tools such as GnuPG, but the concept of creating keys, verifying identities (i.e. determining who is to trust), synchronising trust/keys with communication partners, and handling the software in case something goes wrong is quite a challenge. Plus things might change. People revoke their keys, devices get lost, data gets deleted, people create new keys or even (digital) identities, or do lots of things that is either anticipated by the software developers or not. Communication is not static. There are moving parts involved, especially the communication partners might move a lot. So crypto is hard, we know this. Discussing secure

Read More

2001, 2017

DeepSec Administrivia for 2017, the Year of the Cyber

René Pfeiffer/ January 20, 2017/ Administrivia, Conference

2017 is in full swing, and it didn’t wait long. December was full of „hacking“ news. It seems digital war(e)fare knows no break. We will address some of the issues in a series of blog articles. Also we have uploaded the DeepSec 2016 videos to Vimeo. Attendees and speaker will get access before we publish the videos for everyone. This is our review in case someone doesn’t like a video or needs to adapt the description. The date for DeepSec will be published soon, along with the date. We look to the fourth quarter of the year, as usual. The Call for Papers will be online in February. If you got some ideas, write them to us. We have plenty of topics to address. The most pressing problem was raised at the 33C3. Go

Read More

3011, 2016

Scanning for TR-069 is neither Cyber nor War

René Pfeiffer/ November 30, 2016/ Discussion, High Entropy, Internet

The Deutsche Telekom was in the news. The reason was a major malfunction of routers at the end of the last mile. Or something like that. As always theories and wild assumptions are the first wave. Apparently a modified Mirai botnet tried to gain access to routers in order to install malicious software. The attacks lasted from Sunday to Monday and affected over 900,000 customers. These routers often are the first point of contact when it comes to a leased line. Firewalls and other security equipment usually comes after the first contact with the router. There are even management ports available, provided the ISP has no filters in place. The TR-069 (Technical Report 069) specification is one management interface, and it has its security risks. Now that the dust has settled the Deutsche Telekom

Read More

1711, 2016

Disclosures, Jenkins, Conferences, and the Joys of 0Days

René Pfeiffer/ November 17, 2016/ Conference, Discussion, High Entropy

DeepSec 2016 was great. We have slightly recovered and deal with the aftermath in terms of administrivia. As announced on Twitter, we would like to publish a few thoughts on the remote code execution issue found by Matthias Kaiser. He mentioned the possibility in this presentation titled Java Deserialization Vulnerabilities – The Forgotten Bug Class. First let’s explain some things about how DeepSec runs the Call for Papers, the submissions, and the conference. During the Call for Papers process our speakers send us title, abstract, and mostly an in-depth description of the presentation’s content. This means that we usually know what’s going to happen, except for the things that are actually said and shown during the presentation slot. Since we do not offer any live video streams and publish all presentation slides after we

Read More

1011, 2016

DeepSec 2016 – expect 48 Hours of Failures and Fixes in Information Security

René Pfeiffer/ November 10, 2016/ Conference, Discussion

The conference part of DeepSec 2016 has officially started. During the workshops we already discussed a lot of challenges (to phrase it lightly) for infrastructure and all kinds of software alike. The Internet of Things (IoT) has only delivered major flaws and gigantic Distributed Denial of Service attacks so far. There is even a worm for LEDs these days. And we haven started the conference preparations yet. So we have plenty of reasons to talk about what went wrong, what will go wrong, and what we can do about it. The world of information security is not always about good news. Something has to break, before it can be repaired – usually. Systems administrators know this, for some it’s their daily routine. Nevertheless we hope everyone at DeepSec gets some new insights, fresh ideas,

Read More

0911, 2016

Screening of “A Good American” in Vienna with Bill Binney

René Pfeiffer/ November 9, 2016/ Discussion, High Entropy, Security Intelligence

There will be a screening of the documentary A Good American in Vienna tomorrow. We highly recommend watching this film, even if you are not directly connected to information security. Threat intelligence has far-reaching consequences, and in the case of the world’s biggest intelligence agency it also affects you. A Good American will be shown at 1000, Village Cinema Wien Mitte, and at 1600, Audimax of the Technische Universität Wien (you need to send an email with a RSVP to attend). All of this takes place in the course of a lecture about the topic. Markus Huber and Martin Schmiedecker have kindly organised everything. Bill Binney will be present, too. So you can directly talk to him and ask him questions. We highly recommend not to miss this opportunity.

0311, 2016

IT-SeCX 2016: Talk about Relationship between Software Development and IT Security

René Pfeiffer/ November 3, 2016/ Discussion, Veranstaltung

The IT-SeCX 2016 event takes place on 4 November at the St. Pölten University of Applied Sciences LLC. It’s a night of security talks, held by various speakers from the industry, academic world, and other institutions. We will give a presentation exploring the relationship between the fine art of software development and the dark art of information security. We all know about bugs, glitches, error conditions, and flat failures of software design. There are links between the development cycle and the work of information security experts (or sysadmins who always have to deal with things that break). If you deal with any of these professions mentioned, you should drop by and attend the talk. IT-Security Community Exchange 2016, 4 November 2016, at 1915 – Wechselwirkungen zwischen Softwareentwicklung und IT Security FH St. Pölten Matthias

Read More

0211, 2016

Why you should attend DeepSec 2016 – Last Call

René Pfeiffer/ November 2, 2016/ Conference

There are many reasons to go to DeepSec this year. It doesn’t matter if you worked on your presentation slides on the way to work, got hacked by a nation state, own a smart device, defused cyber weapons, or simply fight the T-Virus in a hospital. The DeepSec conference is the place to be for exchanging war stories (hey, everyone is at cyber war with someone these days) or talking about ideas to do the next project right. Plus we have to celebrate 10 years of DeepSec conferences! Tickets are still available via our online booking service. In case you have problems booking online, please get in contact with us. We can work something out. Looking forward to see all of you in Vienna next week!