About René Pfeiffer

System administrator, lecturer, hacker, security consultant, technical writer and DeepSec organisation team member. Has done some particle physics, too. Prefers encrypted messages for the sake of admiring the mathematical algorithms at work.

2706, 2015

I spy with my little Spy, something beginning with „Anti…“

René Pfeiffer/ June 27, 2015/ Discussion, High Entropy, Security

Anti-virus software developers made the news recently. The Intercept published an article describing details of what vendors were targeted and what information might be useful for attackers. Obtaining data, no matter how, has its place in the news since 2013 when the NSA documents went public. The current case is no surprise. This statement is not meant to downplay the severity of the issue. While technically there is no direct attack to speak of (yet), the news item shows how security measures will be reconnoitred by third parties. Why call it third parties? Because a lot of people dig into the operation of anti-virus protection software. The past two DeepSec conferences featured talks called „Why Antivirus Software fails“ and „Easy Ways To Bypass Anti-Virus Systems“. The Project Zero team at Google found a vulnerability in

Read More

2106, 2015

Dual Use Equation: Knowledge + Vulnerability = “Cyber” Nuclear Missile

René Pfeiffer/ June 21, 2015/ Discussion, High Entropy, Legal, Odd

We all rely on software every  day, one way or another. The bytes that form the (computer) code all around us are here to stay. Mobile devices connected to networks and networked computing equipment in general is a major part of our lives now. Fortunately not all systems decide between life or death in case there is a failure. The ongoing discussion about „cyber war“, „cyber terrorism“, „cyber weapons of mass destruction“, and „cyber in general“ has reached critical levels – it has entered its way into politics. Recently the Wassenaar Arrangement proposed a regulation on the publication of exploited (previously unknown) vulnerabilities in software/hardware, the so-called „0days“. The US Department of Commerce proposed to apply export controls for 0days and malicious software. While the ban is  only intended for „intrusion software“, it may

Read More

1806, 2015

Surveillance Article: Listening Posts for Wireless Communication

René Pfeiffer/ June 18, 2015/ High Entropy

Modern ways of communication and methods to obtain the transported data have raised eyebrows and interest in the past years. Information security specialists are used to digitally dig into the networked world. Once you take a look at buildings, geographic topology, and photographs of structures your world view expands. Coupled with the knowledge of ham radio operators connecting the dots can give you some new information about structures hiding in plain sight. This is why we have translated an article by Erich Moechel, Austrian journalist who is writing blog articles for the FM4 radio station. Read  this article for yourself and keep our Call for Papers for DeepSec 2015 in mind. If you have ideas how to keep an eye on the environment surrounding your information technology infrastructure let us know. Companies should know

Read More

1706, 2015

New MJS Article: Trusting Your Cloud Provider – Protecting Private Virtual Machines

René Pfeiffer/ June 17, 2015/ Report, Security

Once you live in the Cloud, you shouldn’t spent your time daydreaming about information security. Don’t cloud the future of your data. The Magdeburger Journal zur Sicherheitsforschung published a new article by Armin Simma (who talked about this topic at DeepSec 2014). The Paper titled »Trusting Your Cloud Provider: Protecting Private Virtual Machines« discusses an integrated solution that allows cloud customers to increase their trust into the cloud provider including cloud insiders. This article proposes an integrated solution that allows cloud customers to increase their trust into the cloud provider including cloud insiders (e.g. administrators). It is based on Mandatory Access Control and Trusted Computing technologies, namely Measured Boot, Attestation and Sealing. It gives customers strong guarantees about the provider’s host system and binds encrypted virtual machines to the previously attested host. This article

Read More

1606, 2015

DeepSec Ticket Registration: Early Worm gets to 0wn the Network

René Pfeiffer/ June 16, 2015/ Administrivia, Conference

Did you feed the cat? Did you lock the door? Did you switch off the Internet while on vacation? Did you wrap your wallet in tin foil? Did you buy this ticket to this conference you want to attend in November? How was it called? We have a foolproof way to get over this constant feeling that you forgot something. Go to our registration web site, book a ticket to DeepSec 2015, print it out, and write all the important things you have to remember on the back! Your laundry list of All Teh Important Things™ will last until November 2015. After that you will come up with a new way to help you. Looking forward to see you!

1606, 2015

Crypto Article: EU Economy needs secure Encryption

René Pfeiffer/ June 16, 2015/ Discussion, Security

Given the ongoing demonisation of cryptography we have translated an article for you, written by Erich Moechel, an ORF journalist. The use of encryption stays an important component for information security, regardless which version of the Crypto Wars is currently running. While most of the voices in news articles get the threat model wrong, there are still some sane discussions about the beneficial use of technology. The following article was published on the FM4 web site on 25 January 2015. Have a look and decide for yourself if the Crypto Wars have begun again (provided they came to an end at some point in the past). Maybe you work in this field and like to submit a presentation covering the current state of affairs. Let us know. EU Economy needs secure Encryption The EU technical bodies

Read More

2805, 2015

DeepSec 2015 – „Cyber“ Call for Papers is online!

René Pfeiffer/ May 28, 2015/ Call for Papers

The Call for Papers of DeepSec 2015 is open! We are looking for your presentation and your in-depth training to add to our schedule. There has been a lot of activity in the past six months with regards to information security. Given the cultural and political impact of vulnerable code there are ample topics to talk about and to teach. Cryptography has its place in the limelight since the high impact but with a cute logo. Getting cryptography right has been the problem of developers and academics since decades. Now everyone knows about it. So if you have some research on encryption, authentication, and secure communication in general, send us your thoughts along with your submission. Protecting your infrastructure is harder than ever before. Once upon a time only your servers and classic clients used

Read More

2705, 2015

Prepare yourself for BSidesLondon!

René Pfeiffer/ May 27, 2015/ Conference

The BSidesLondon event is taking place next week. In case you have missed the tweets and don’t surf the web, check out the schedule. The keynote will shed some light on the gap between information security and technology already being used “out there” in the real world. It’s nice to spend months on solid designs and policies, but this doesn’t help you much when your users go shopping in the meantime. Further presentations will tell you all about DarkComet, how to rob a bank, Android malware analysis, Point-of-Sale (POS) devices turning you into a billionaire, elliptic curve cryptography for the fearless, hash algorithm magic, infosec for the masses, and much more. You are really in for a treat. BSidesLondon will feature a rookie track again! Do the rookies a favour and give them a

Read More

1505, 2015

DeepINTEL 2015 – How to deal with (Industrial) Espionage

René Pfeiffer/ May 15, 2015/ Call for Papers, Security Intelligence

The DeepINTEL event in September will have a strong focus on a specific kind of intelligence. We will address the issue of espionage. Given the headlines of the past six months it is clear that companies are subject to spying. There is no need for euphemisms any more. Even with half of the information published on this matter, there is no way to deny it. Since the trading of data is a lucrative business, the issue won’t go away. So if you run a company or an organisation, then you might want to deal with risks and threats before they deal with you. DeepINTEL is focused on security intelligence. Few CISOs and CEOs have a grasp what this really means. It is much more than doing risks analysis or threat assessment. As we have

Read More

1405, 2015

Dates for DeepSec, DeepINTEL and BSidesVienna 2015

René Pfeiffer/ May 14, 2015/ Administrivia

We have been quieter than usual. We did a lot of preparations for the upcoming DeepSec events and were busy with research projects. In case you want to update your calendars, here are the dates to look out for. 17 to 20 November 2015 – DeepSec 2015 21 / 22 September 2015 – DeepINTEL 2015 21 November 2015 – BSidesVienna 2015 (still needs to be confirmed due to location) The Call for Papers for the DeepINTEL is open. Please contact us via (encrypted) email. The Calls for Papers for DeepSec and BSidesVienna will open soon.

0302, 2015

Internet Protocol version 6 (IPv6) and its Security

René Pfeiffer/ February 3, 2015/ Internet, Security

Internet Protocol version 6 (IPv6) is not new. Its history goes back to 1992 when several proposals for expanding the address scheme of the Internet were discussed (then know by the name of IP Next Generation or IPng). A lot has happened since RFC 1883 has been published in 1996. Due to the deployment of IPv6 we see now implications for information security. Several vulnerabilities in the protocol suite have already been discussed. DeepSec 2014 features a whole training session and three presentations about the future protocol of the Internet. First Johanna Ullrich talked about a publication called IPv6 Security: Attacks and Countermeasures in a Nutshell. The paper gives you a very good view on the state of affairs regarding security and privacy weaknesses. It is strongly recommended for anyone dealing with the deployment

Read More

0202, 2015

Encrypted Messaging, Secure by Design – RedPhone and TextSecure for iOS

René Pfeiffer/ February 2, 2015/ Communication, Security

Encrypted communication is periodically in the news. A few weeks ago politicians asked companies and individuals all over the world to break the design of all secure communication. Demanding less security in an age where digital threats are increasing is a tremendously bad idea. Cryptographic algorithms are a basic component of information security. Encryption is used to protect data while being transported or stored on devices. Strong authentication is a part of this as well. If you don’t know who or what talks to you, then you are easy prey for frauds. Should you be interested in ways to improve the security of your messaging and phone calls, we recommend watching the presentation of Dr. Christine Corbett Moran. She is the lead developer of the iOS team at Open WhisperSystems. She talks about bringing

Read More

0202, 2015

Encryption – A brand new „Feature“ for Cars

René Pfeiffer/ February 2, 2015/ Internet, Security, Stories

At DeepSec 2011 Constantinos Patsakis and Kleanthis Dellios held a presentation titled “Patching Vehicle Insecurities”. They pointed out that the car is starting to resemble more to a computer with mechanical peripherals (incase you haven’t seen their talk,  please do!). This is true for all types, not only the modern cars powered by electricity alone. But there is more. Modern cars are connected to networks (i.e. the Internet or the mobile phone network). This means that your method of transportation is part of the dreaded Internet of Things. Given the design flaws we have seen in talks given at DeepSec, there is no surprise that this is a  breeding ground for major trouble. The Allgemeiner Deutscher Automobil-Club (ADAC), a German motoring association, discovered a lapse in the communication between BMW cars and the servers

Read More

0102, 2015

Reminder for the DeepINTEL Call for Papers

René Pfeiffer/ February 1, 2015/ Administrivia, Call for Papers

At the opening of DeepSec 2014 we announced the next DeepINTEL to be in Spring 2015. We have now finalised the date. DeepINTEL 2015 will take place on 11 / 12 May 2015, and it will be held in Vienna. The call for papers, already announced at the opening of last year’s DeepSec, is still open. We are looking for your submissions. Since we want to address security intelligence, we like to know everything about threats, risk assessment, metrics that give you an idea what you really see, forensics, and improvements on the way to detect and defend. We are definitely not interested in presentations about the cyber hype. We want to hear about real sabotage, real compromised systems; you know, reality and all that. Please make sure to send your ideas to cfp

Read More

3101, 2015

DeepSec 2015 is coming – save the Date!

René Pfeiffer/ January 31, 2015/ Administrivia, Conference, Mission Statement

We are back from our break. We have been busy behind the scenes. The video recordings of DeepSec 2014 have been fully post-processed. The video files are currently on their way to our Vimeo account. The same goes for the many photographs that were taken by our photographer at the conference. We are preparing a selection to publish some impressions from the event. The dates for DeepSec 2015 and DeepINTEL 2015 have been finalised. DeepSec will be on 17 to 20 November 2015. DeepINTEL will be on 11 and 12 May 2015. The Call for Papers for DeepSec will be open soon. You can send your submissions for DeepINTEL by email to us (use either cfp at deepsec dot net or deepsec at deepsec dot net, the latter has a public key for encrypted

Read More