About René Pfeiffer

System administrator, lecturer, hacker, security consultant, technical writer and DeepSec organisation team member. Has done some particle physics, too. Prefers encrypted messages for the sake of admiring the mathematical algorithms at work.

DeepSec 2012 Workshop: Attacks on GSM Networks

René Pfeiffer/ September 20, 2012/ Conference

We are proud to follow the tradition of breaking hardware, software, code, ciphers or protocols. When it comes to mobile phone networks, you can break a lot. The workshop on Attacks on GSM Networks will show you the current state of affairs and some new tricks and developments. The attacks that will be discussed during the training are not theoretical, they are feasible and can be exploited to be used against you. Knowing about the capabilities of your adversaries is absolutely important since virtually no organisation or business runs without the use of mobile networks. What do you have to expect? Well, attendees will spend about half the time re-visiting the key aspects of GSM’s security features and their publicly known weaknesses. During the other half, attention is being paid to the hands-on practical

Read More

DeepSec 2012 Schedule – In-Depth

René Pfeiffer/ September 19, 2012/ Administrivia, Conference

The schedule for DeepSec 2012 has now been online since August. The last two workshop slots have been filled with two superb training by McAfee/Foundstone. There are still some minor blind spots, but Your Favourite Editors work on this. We will start to describe every workshop in-depth with its own blog article, and we will do the same with every presentation. We will try to set every piece of DeepSec 2012’s content into perspective and context. We are really looking forward to the trainings and presentations of DeepSec 2012!

DeepINTEL 2012 Review Articles

René Pfeiffer/ September 16, 2012/ Conference, Security Intelligence

The first DeepINTEL was very successful, and we enjoyed the presentations given and the many discussion that followed. While we will not disclose details or publish the slides of the talks, we would like to point you to reviews others have written. DeepINTEL 2012 by c-APT-ure DeepIntel 2012 – An Intelligent Security Conference DeepINTEL – Day one DeepINTEL – Day two Cybercrime – Who are the offenders? (Slides) Ergebnisse der IT-Sicherheitstagung DEEPINTEL am 3.3.2012 in Fuschl am See (in German) We definitely have some more ideas of how to tackle big data, how to identify and defend (in this order) digital assets, what „Cyberwar“ looks like, how to deal with threats and how to aquire information for analysing who’s after your data. Some of the topics with be described in more detail on our

Read More

Security in Serious Fun

René Pfeiffer/ August 30, 2012/ Discussion, High Entropy, Security

In case you keep track of our tweets, you may have noticed that we approach the topic of security humorously sometimes, and because there is a lot of potential for misunderstanding we’d like to explain why we do this. It’s not all about who scores the best puns. It has a serious background, and it helps to keep a minimum distance to problems you are dealing with. Security has a strong link to the agenda of a person, a group, a company or a nation. Consider a fatal flaw in a major software package. The typical actors connected to this bug are the group/person who found it, the group/person who published it (not necessarily the same as the discoverers), the developers of the software (could be a community or a company or both), the

Read More

DeepSec 2012 Schedule

René Pfeiffer/ August 28, 2012/ Administrivia, Conference

The schedule for DeepSec 2012 is mostly stable (YMMV applies). We are still working on some content and will update the description. So this is the right time for you to take advantage of the early bird rates. We will describe every single workshop and presentation in our blog with an article because we want to give you more information on why we think the content is relevant and why you need to listen to the speaker. We have also contacted other security researchers for comments on the talks and will add their opinion and answer to the articles as well. Hope to see you all at DeepSec 2012!

Take-Away Security Tools Probably Aren’t

René Pfeiffer/ August 27, 2012/ Discussion, Security

You have probably read one of the many reviews of security tools published in the depths of the Internet. A lot of magazines feature articles with the headline „Top n Tools for $TASK“. While reviews are a nice way of being introduced to new things, especially tools and software, you have to be careful when it comes to reviewing the security aspects of code or your new favourite tool. First of all you cannot analyse the security design and possible flaws by reading the FAQ section of the project web site or the user manual. You have to evaluate the code and the components it uses. Don’t be fooled or distracted by encryption for it doesn’t necessarily secure anything. Getting a security design right is very hard, and sprinkling cryptography over serious design flaws

Read More

Wireless (Wi-Fi) Security Interview

René Pfeiffer/ August 20, 2012/ Discussion, Press, Security, Stories

Today we had a visit from an Austrian television crew to answer some short questions about wireless security. It’s too bad that journalists always look for „hackers“ who „hack something“. While we had no idea what they were talking about, we delivered a short summary of wireless security. For most of you this is old news, but for a broad audience in front of TV sets it’s still a mystery. Usually no one really know what the difference between WPA and WPA2 is. In addition you have WEP and WPS, in-depth you have TKIP and AES, too. All of this sounds pretty intimidating. If you add some cinematic scenes, you can imagine the hero (or evil villain) discovering a wireless network, pressing some keys and gaining access mere seconds later. Defences have been breached,

Read More

A Word about Conference Conduct

René Pfeiffer/ August 7, 2012/ Administrivia, Conference, Discussion

You have probably been to conferences, and might even have seen hackers in the wild attending events. When it comes to events where IT security is discussed, everyone needs a friendly atmosphere so you can trust the people you meet. The DeepSec conference aims to be a place where these criteria are met. We want you to be able to talk to anyone about anything. Judging from the feedback we got this goal was met. We’d like to introduce a statement published on our web site to emphasise our mission. It’s a policy to express our intention to provide a friendly and safe environment for everyone talking at and attending DeepSec events (the policy covers all DeepSec activities). Before any of you jump to conclusions, let me explain why we added the policy as

Read More

All Your Clouds are to Belong to Whom?

René Pfeiffer/ August 5, 2012/ Discussion, Security

There are probably less than 5 persons on this planet who know what cloud computing really means. The figure might be exaggerated, but while enterprises, consultants and vendors try to figure out the best cloud for their business model the attackers already take advantage of cloud infrastructure. Let’s disregard climate dependencies and extraordinary political environments for a moment (if you say yes to cloud computing, then you have this already taken into account and under control, right?). Let’s focus on on the security implications for the moment. There’s an example of a string of unintended consequences by a successful social engineering attack. The target was a „cloud account“ linked to storage and three personal devices (a phone, a tablet and a laptop). The attacker gained access by means of tech support and bypassing security

Read More

How to register for DeepINTEL

René Pfeiffer/ July 10, 2012/ Administrivia

The link to the online registration for DeepINTEL tickets has been activated. We’ve added a shiny IFRAME and a direct link on the DeepINTEL site. Since DeepINTEL is a bit different from DeepSec, here are the steps to your ticket. Contact us by sending your name and your affiliation. We start the vetting process and might ask for additional information. You get the code for your ticket. You register, get your ticket and send us your itinerary so we can take care of accommodation and your arrival. That’s about all you need. We already explained that the DeepINTEL event contains information and knowledge exchange which will not be reflected in public. This is why we provide a little exercise in data loss prevention (difficulty level easy ☺). Any presentation materials provided by the speakers

Read More

DeepINTEL 2012 – Preliminary Schedule

René Pfeiffer/ July 3, 2012/ Administrivia, Schedule

This is the preliminary schedule of the first DeepINTEL seminar taking place in September 2012. We have more talks in the pipeline and the final decision won’t be long. Bear in mind that we will receive some additional information for some of the abstracts soon. The registration for DeepINTEL is online, too. If you are interested in attending DeepINTEL, please get in touch with us (you know, the vetting process and such). Please note that all further updates will be published at the main DeepINTEL web site. You will also find the speaker’s biographies there. Preventing and Detecting Mass-Malware and Advanced Threats (Tom “c-APT-ure” Ueltschi) Your organization has firewalls, network IDS/IPS, anti-virus on multiple layers, maybe even HIPS, hardening and patching done and feels pretty safe and secure. But lots of companies and organisations

Read More

A „Cool War“ is not cool

René Pfeiffer/ June 18, 2012/ Discussion, High Entropy

The term „Cyberwar“ carries a dark fascination. Most people think of it as „war lite“. You get all the benefits of a real war, but the casualties are limited to bits, bytes and maybe pixels. No one dies, only the targets get destroyed. This sounds too clean to be true. There is even an article called „Cool War“ that glorifies the concept of digital battles even further. The author suggests that a cool war could prevent a „real“ armed conflict by digital preemptive strikes. The good news is that a preemptive cyber attack on the military command-and-control systems of two countries getting ready to fight a “real war” might give each side pause before going into the fight. In this instance, the hackers mounting such attacks should probably publicize their actions — perhaps even

Read More

Software Development and Security Training

René Pfeiffer/ June 11, 2012/ Security, Training

Prior to every DeepSec conference we offer two-day trainings, and we regularly advertise trainings on secure software development. Attending security-centric workshops is really not meant as a humiliation. Modern (and not so modern) software development deals with a lot of code and dependencies. Even if your code is clean and well-written there’s a chance that something you rely on isn’t. This happens a lot with library functions (think DLLs) and thus can happen in high level programming languages, too. A training focussing on security will sharpen your „spider sense“ and you will be able to detect sections of code that can go wrong more easily. This is also true for reading documentation. Take a look at CVE-2012-2122. In essence you can get access to some MySQL database servers by repeatedly trying to access an

Read More

Collateral Damage in Cyberspace

René Pfeiffer/ June 8, 2012/ High Entropy, Security

„In cyberspace, no one can hear you scream.“ System administrators know this already for a long time, as do security researchers. Everybody is talking about „cyberwar“ these days (elections are coming). No one is talking about the (digital) fallout from „cyberwar“ operations. Unless you solely rely on passive methods, there’s not much that can happen. As soon as you employ „offensive security“, which is just an euphemism for „breaking things“, there will be damage in terms of service disruption, compromised systems, modified/erased data, inserted attack code and possibly more. Attack tools such as Stuxnet, Duqu and now Flame have been discussed for years by security researchers. Especially anti-virus vendors have repeatedly promised to include malware of any origin in their databases. In theory this includes these „cyberweapons“ as well. In real life these weapons

Read More

Securing Walled Gardens

René Pfeiffer/ May 31, 2012/ Discussion, Security

Setting up walled gardens around fancy mobile devices (and probably other computers) is very fashionable among vendors. In theory there is a controlled environment where malicious software is virtually unknown. The vendor can implement a strict quality assurance and can tether any aberrant developers to policies. Since a wall is a fundamental security device the vendor gets the psychological bonus of users feeling protected. So with all security issues solved there is no need to break out of the walled garden, right? How do you explain this tweet about the newly released Absinthe jailbreak then? @chronicdevteam: Some stats since release of #Absinthe – 211,401 jailbroken iPad3’s and 973,086 devices newly jailbroken! If walled gardens are so perfect, why do millions of users want to break out? Paul Ducklin has explored this phenomenon in an

Read More