About René Pfeiffer

System administrator, lecturer, hacker, security consultant, technical writer and DeepSec organisation team member. Has done some particle physics, too. Prefers encrypted messages for the sake of admiring the mathematical algorithms at work.

1502, 2016

DeepSec Video: illusoryTLS – Nobody But Us. Impersonate,Tamper and Exploit

René Pfeiffer/ February 15, 2016/ Conference, Internet, Security

Cryptographic backdoors are a timely topic often debated as a government matter to legislate on. At the same time, they define a space that some entities might have practically explored for intelligence purposes, regardless of the policy framework. The Web Public Key Infrastructure (PKI) we daily rely on provides an appealing target for attack. The entire X.509 PKI security architecture falls apart if a single CA certificate with a secretly embedded backdoor enters the certificate store of trusting parties. Do we have sufficient assurance that this has not happened already? Alfonso De Gregorio presented at DeepSec 2015 his findings and introduced illusoryTLS. Aptly named illusoryTLS, the entry is an instance of the Young and Yung elliptic curve asymmetric backdoor in the RSA key generation. The backdoor targets a Certification Authority public-key certificate, imported in

Read More

1302, 2016

DeepSec Video: Measuring the TOR Network

René Pfeiffer/ February 13, 2016/ Conference, Internet, Security

A lot of people use TOR for protecting themselves and others. Fortunately the TOR network is almost all around us. But what does it do? How can you get access to metrics? TOR is an anonymisation network and by design doesn’t know anything about its users. However, the question about the structure of the user base often arises. Some people are just interested in the size of the network while others want details about the diversity of its users and relays. Furthermore, TOR is used as a circumvention tool. It is interesting to automatically detect censorship events and to see how the number of users changes in those countries. TOR’s measurement team tries to give answer to those (and more) questions. At DeepSec 2015 Jens Kubieziel explained the collection of different data and how

Read More

1202, 2016

DeepSec Video: Cryptographic Enforcement of Segregation of Duty within Work-Flows

René Pfeiffer/ February 12, 2016/ Conference, Security

Calling for encryption and implementing it may be easy at a first glance. The problem starts  when you have to grant access to data including a segregation of duty. Workflows with Segregation-of-Duty requirements or involving multiple parties with non-aligned interests (typically mutually distrustful) pose interesting challenges in often neglected security dimensions. Cryptographic approaches are presented to technically enforce strict auditability, traceability and multi-party-authorized access control and thus, also enable exoneration from allegations. At DeepSec 2015 Thomas Maus held a presentation explaining the problems and possible solutions.

1102, 2016

DeepSec Video: Agile Security – The Good, The Bad, and mostly the Ugly

René Pfeiffer/ February 11, 2016/ Conference, Security

How do you manage your technical and operational security? Do you follow a model? If so, what’s the flavour? Do you borrow concepts from software development? In case you do or you plan to do, then Daniel Liber might have some ideas for you. At DeepSec 2015 he held a presentation about Agile and a possible relation to information security. Buzzwords about Agile are flying around in overwhelming speed, talks about Scrum, Kanban, XP and other methodologies and practices are thoroughly discussed while security is still left as a ‘high level’ talk, or, sometimes, as understanding how to adapt from traditional development methodologies. Some best practices will leave you scratching your head, unsure what was the original intention and without understanding how to implement security in Agile, effectively. This talk will help security engineers,

Read More

1002, 2016

DeepSec Video: How to Break XML Encryption – Automatically

René Pfeiffer/ February 10, 2016/ Conference, Security

XML is often the way to go when exchanging information between (business) entities. Since it is older than the widespread adoption of SSL/TLS, there is a special standard called XML Encryption Syntax and Processing. You can use XML encryption to encrypt any kind of data. So far, so good. But In recent years, XML Encryption became a target of several new attacks. These attacks belong to the family of adaptive chosen-ciphertext attacks, and allow an adversary to decrypt symmetric and asymmetric XML ciphertexts, without knowing the secret keys. In order to protect XML Encryption implementations, the World Wide Web Consortium (W3C) published an updated version of the standard. Juraj Somorovsky (Ruhr University Bochum) held a presentation at DeepSec 2015 explaining what these attacks look like. .

0902, 2016

DeepSec Video: Hacking Cookies in Modern Web Applications and Browsers

René Pfeiffer/ February 9, 2016/ Conference, Internet, Security

Cookies are solid gold when it comes to security. Once you have logged in, your session is the ticket to enter any web application. This is why most web sites use HTTPS these days. The problem is that your browser and the web applications needs to store these bits of information. Enter cookie hacking. A lot has changed since 1994,  and Dawid Czagan of Silesia Security Lab held  presentation at DeepSec 2015 about what you can and cannot do with cookies in modern web applications and browsers. Learn about user impersonation, remote cookie tampering, XSS and more. .

0602, 2016

DeepSec Video: File Format Fuzzing in Android – Giving a Stagefright to the Android Installer

René Pfeiffer/ February 6, 2016/ Conference, Security

The Stagefright exploit haunts the Android platform. The vulnerability was published in Summer 2015. It gives attackers a way to infect Android smartphones by using multimedia files such as pictures, text, and videos. This is a perfect vector since most people will look at media instantly. Dr. Aleksandr Yampolskiy gave a presentation at DeepSec 2010 about malicious software hidden in multimedia (the talk was aptly titled Malware goes to the Movies). So what if there are more bugs like this in the Android platform? Enter fuzzing technology. Alexandru Blanda spoke at DeepSec2015 about fuzzing on the Android platform. This approach can be used to uncover different types of vulnerabilities inside multiple core system components of the Android OS. Since these vulnerabilities affect critical components of the Android system, the impact of the results will

Read More

0502, 2016

DeepSec Video: Cryptography Tools, Identity Vectors for “Djihadists”

René Pfeiffer/ February 5, 2016/ Conference, Discussion, High Entropy, Internet

Wherever and whenever terrorism, „cyber“, and cryptography (i.e. mathematics) meet, then there is a lot of confusion. The Crypto Wars 2.0 are raging as you read this article. Cryptography is usually the perfect scapegoat for a failure in intelligence. What about the facts? At DeepSec 2015 Julie Gommes talked about results of the studies done by the Middle East Media Research Institute (MEMRI). The Internet is the method of choice for communication: the number of sites calling for a “jihad” rose from 28 in 1997 to over 5,000 in 2005. The basic use of these sites for the purpose of basic classical communication began in the 2000s. It was replaced by that of social networks, allowing almost instant mass communication. Julie’s talk give you an overview about the tools used according to the study.

Read More

0402, 2016

DeepSec Video: Chw00t: How To Break Out from Various Chroot Solutions

René Pfeiffer/ February 4, 2016/ Conference, Security

Information security borrows a lot of tools from the analogue world. Keys, locks, bars, doors, walls, or simply jails (to use a combination). Most operating systems support isolation of applications in various levels. You may call it change root (or chroot) or even jails environment. The containment is not perfect, but it helps to separate applications and to have a better control of the access to resources. Breaking out of chroots is possible, and there are various ways to do this. So preparing a tight configuration is the key. At DeepSec 2015 Balazs Bucsay held a presentation about how to create a reasonably “secure” chroot environment or how to breakout from a misconfigured one. If you a considering to use chroots/jails as a way to build compartments, make sure you know what you are

Read More

0302, 2016

DeepSec Video: Building a Better Honeypot Network

René Pfeiffer/ February 3, 2016/ Conference, Security

„It’s a trap!“ is a well-known quote from a very well-known piece of science fiction. In information security you can use bait to attract malicious minds. The bait is called honeypot or honeynet (if you have a lot of honeypots tied together with network protocols). A honeypot allows you to study what your adversaries do with an exposed system. The idea has been around for over a decade. There’s even a guide on how to start. Josh Pyorre has some ideas how you can extend your basic honeypot in order to boost the knowledge gain. At DeepSec 2015 he showed the audience how to process attack-related data, to automate analysis and create actionable intelligence. Why else would you run a honeypot? So go forth and multiply the output of your honeynet!

0202, 2016

DeepSec Video: Advanced SOHO Router Exploitation

René Pfeiffer/ February 2, 2016/ Conference, Internet, Security

Routers are everywhere. They hold the networks together, Internet or not. Most small office/home office (SOHO) infrastructure features routers these days. Given the development cycles and rigorous QA cycles there have to be bugs in the firmware (apart from the vendor supplied backdoors). Lyon Yang (Vantage Point Security) held a presentation about a series of 0-day vulnerabilities that can be used to hack into tens of thousands of SOHO Routers. Even though the corporate „cloud“ might be „super secure“ against „cyber attacks“, the lonely office router most probably isn’t. Weak links sink ships, or something. We recorded the presentation at DeepSec 2015, and you can watch it online. It’s worth learning MIPS and ARM shell code. x86 (and x86_64) is sooooo 1990s. Happy hacking!

3001, 2016

DeepSec Video: 50 Shades of WAF – Exemplified at Barracuda and Sucuri

René Pfeiffer/ January 30, 2016/ Conference, Security

Sometimes your endpoint is a server (or a couple thereof). Very often your server is a web server. A lot of interesting, dangerous, and odd code resides on web servers these days. In case you have ever security-tested web applications, you know that these beasts are full of surprises. Plus the servers get lots of requests, some trying to figure out where the weaknesses are. This is how web application firewalls (WAF) come into play. Firewalls have come a long way from inspecting layer 3/4 traffic up to all the peculiarities of layer 7 protocols. Once your firewall turns ALG and more, things get complicated. Since security researchers love complexity Ashar Javed has taken a look at WAF systems. Here is his presentation held at DeepSec 2015. He found 50 ways to bypass the

Read More

2901, 2016

DeepSec Video: Temet Nosce – Know thy Endpoint Through and Through; Processes to Data

René Pfeiffer/ January 29, 2016/ Conference

Endpoint security is where it all starts. The client is the target most attackers go after. Once you have access there (let’s say by emailing cute cat videos), you are in. Compromised systems are the daily routine of information security. Even without contact  with the outside world, you have to think about what happens next. Thomas Fischer has thought a lot about scenarios concerning the endpoint, and he presented his findings at the DeepSec 2015 conference. To quote from the talk: This presentation will demonstrate that one of the most complete sources of actionable intelligence resides at the end point, and that living as close as possible to Ring 0 makes it possible to see how a malicious process or party is acting and the information being touched. There you go. Have a look!

2801, 2016

DeepSec Video: Cyber Cyber Cyber Warfare: Mistakes from the MoDs

René Pfeiffer/ January 28, 2016/ Conference, Internet, Security

The  word cyber has entered the information security circus a couple of years ago. It should have been long gone according to its creator William Gibson. Meanwhile everything has developed into something being cyber – CSI, war, politics, security, homes, cars, telephones, and more. Inventing new words helps to distract. Distraction is what Raoul Chiesa has seen in the last five years, while training various military units in different countries. He held a presentation at DeepSec 2015 about his experiences. While we don’t use the word cyber when talking about (information) security, others sadly do. So think of Information Warfare or Information Offensive Operations when hearing cyber and don’t let yourself be distracted by the fog of war.

2701, 2016

DeepSec Video: The German Data Privacy Laws and IT Security

René Pfeiffer/ January 27, 2016/ Conference, Discussion, Legal, Schedule

Data protection and information security are often seen as different species. Why? Where is the difference between protection, defence, security, and offence? There are a lot of relations between the terms. Stefan Schumacher (Magdeburger Institut für Sicherheitsforschung) gave a presentation at DeepSec 2015 on how to link privacy with security: „Hesse introduced the first data privacy law in the world in 1970. Since then, the German data privacy laws evolved over time and led to the creations of several tools and methods to protect private data. Though it is aimed at data protection it can be utilized for IT security. This talk introduces the data privacy law and it’s main ideas. This presentation will also show how it can be used to further IT security especially in the SME sector. This mostly refers to

Read More