About René Pfeiffer

System administrator, lecturer, hacker, security consultant, technical writer and DeepSec organisation team member. Has done some particle physics, too. Prefers encrypted messages for the sake of admiring the mathematical algorithms at work.

0806, 2012

Collateral Damage in Cyberspace

René Pfeiffer/ June 8, 2012/ High Entropy, Security

„In cyberspace, no one can hear you scream.“ System administrators know this already for a long time, as do security researchers. Everybody is talking about „cyberwar“ these days (elections are coming). No one is talking about the (digital) fallout from „cyberwar“ operations. Unless you solely rely on passive methods, there’s not much that can happen. As soon as you employ „offensive security“, which is just an euphemism for „breaking things“, there will be damage in terms of service disruption, compromised systems, modified/erased data, inserted attack code and possibly more. Attack tools such as Stuxnet, Duqu and now Flame have been discussed for years by security researchers. Especially anti-virus vendors have repeatedly promised to include malware of any origin in their databases. In theory this includes these „cyberweapons“ as well. In real life these weapons

Read More

3105, 2012

Securing Walled Gardens

René Pfeiffer/ May 31, 2012/ Discussion, Security

Setting up walled gardens around fancy mobile devices (and probably other computers) is very fashionable among vendors. In theory there is a controlled environment where malicious software is virtually unknown. The vendor can implement a strict quality assurance and can tether any aberrant developers to policies. Since a wall is a fundamental security device the vendor gets the psychological bonus of users feeling protected. So with all security issues solved there is no need to break out of the walled garden, right? How do you explain this tweet about the newly released Absinthe jailbreak then? @chronicdevteam: Some stats since release of #Absinthe – 211,401 jailbroken iPad3’s and 973,086 devices newly jailbroken! If walled gardens are so perfect, why do millions of users want to break out? Paul Ducklin has explored this phenomenon in an

Read More

2505, 2012

Bring Your Own Spy – BYOD gone wrong

René Pfeiffer/ May 25, 2012/ Discussion, High Entropy, Security

It is reasonably safe to assume that anyone doing business has meetings from time to time. Meeting people and talking to them (or listening) is part of many company’s culture. What do you bring for your meeting? A computer? Maybe. Paper and pencils? Old school but why not. Your cell phone? Most probably! Unfortunately this also means that you might invite some spies to the conference. We have already bashed described talked about the BYOD conundrum challenge. Combining the BYOD approach with information security is hard bordering on the impossible. There are some strategies out there for securing your device(s) (in this case from Software Advice, but others have check lists, too). You can also use the Might of Security Policies™ against the threat (we all know that all users follow any written policy

Read More

2305, 2012

Coding Skills and Security Competence

René Pfeiffer/ May 23, 2012/ Discussion, Security

Occasionally we get questions regarding the technical level of presentations at DeepSec. Some are worried about talks at DeepSec being too „in-depth“ for their level of knowledge. You are either a coder turned security researcher hacking bits and bytes, or you are someone dealing with hierarchies and the organisational aspects of information security. It seems there is no middle ground. Well, there should be and here’s why. Information security covers a very broad spectrum of components and technologies. You can start at the physical level and work your way up, just like the OSI model of networking. The OSI layers end where the human interaction starts, and while the network engineers and software developers go to rest, security administrators still have problems to address (they always have „issues“, their psychotherapists will confirm). In other

Read More

1505, 2012

Cloud Security Promises out of thin Air

René Pfeiffer/ May 15, 2012/ Discussion, Security

The „Cloud“ is a wonderful link between the BYOD disaster, data loss and broken security promises. Yet users of all kinds are lured into the web interfaces with eye candy. The German IT magazine Golem.de has published an article about the cloud security study of the Fraunhofer Institute for Secure Information Technology SIT. Researchers have put Dropbox, Cloudme, Crashplan, Mozy, Teamdrive, Ubuntu One and Wuala under scrutiny. The results should be a wake-up call for businesses who blissfully shove all kinds of data out into the thin air of the „Cloud“. The quintessence of the study is that none of the listed „Cloud“ services can provide a basic security or even sensible encryption technology. Some registration forms do not verify the e-mail addresses entered. Some platforms do not use SSL/TLS. Some use their own

Read More

1405, 2012

Data Loss Prevention

René Pfeiffer/ May 14, 2012/ Discussion, Security

None of us likes to lose data. Usually data loss is tied to defects of storage media. You can counter physical data loss by having sufficient and recent copies of your data. This is where the logical data loss kicks in – unauthorised copies. Espionage thrives on these copies, and since information can be sold so does crime. Establishing a proper data loss prevention strategy and implementing it, requires a combination throughout all branches of information security. First you need to define some classifications for all your data. Public, private and confidential is common. Then you must find all places where your data is stored. You noticed the small word „all“. Yes, that’s right, all places and every single bit of your data. If you start getting sloppy at this stage, your defence against

Read More

0705, 2012

BYOD Madness

René Pfeiffer/ May 7, 2012/ Discussion, Security

When it comes to computing we all like convenience, just like in other areas of personal or business life. It’s nice to use familiar tools. Provisioning is much easier for your IT department if your users bring their own hardware. So, let’s sprinkle this idyllic setting with some security in terms of malware protection, data loss prevention and policies. This is a recipe for a lot of fun and sleepless nights at the same time. The laisser-faire bring your own device (BYOD) approach is all the fashion these days. Since your users really like to do serious business on electronics and software designed for entertainment, why not combine both ends of the spectrum and create a worse starting point than with using either one technology. While being able to view, edit and create confidential

Read More

0605, 2012

Unlearn to Hack?

René Pfeiffer/ May 6, 2012/ Discussion, High Entropy, Security

Security is heavily influenced by the inner workings of the (human) mind. We all know about social engineering and tricks used by con men. The game of smoke and mirrors now hits the „uncontrolled spread of hacking tools“. We have already pointed out that the European Union is preparing a proposal for „banning“ „hacking tools“. There is now a case on-line where a print magazine was allegedly removed from the shelves of Barnes & Noble. Apparently the cover story was too dangerous, because it announced how to „teach you to break into networks, exploit services running remotely, beat encryption techniques, crack passwords, and more.“ The real dark side of this story is that these skills are discussed at most self-respecting security conferences. These skills are even part of a very basic job description in

Read More

0505, 2012

Security in the Light of Emergency Situations

René Pfeiffer/ May 5, 2012/ High Entropy, Security

Let’s assume you have put proper security measures into place and you have spiced them up with proper policies so that everyone always knows what to do in certain situations. So far, so good. Now let’s combine this solid security framework with something out of the ordinary. Catastrophic storage failures are a very good example. Imagine your shared storage array goes AWOL (including the disk images of your precious virtualised servers). In this case your operating status has gone from „all green“ to „full red alert“. Your staff can’t restart the storage array, so you have to rely on experts in the field of data rescue. Due to the critical nature of the data you yank out the disks, label them and send your storage components by messenger to a laboratory. Since time is

Read More

2504, 2012

What is a Hacker Tool and how do you ban it?

René Pfeiffer/ April 25, 2012/ Discussion, Internet, Stories

What exactly is a hacker tool? The answer to this question depends on who you ask. To McGyver it would probably everything, to a hacker it would be any suitable tool and to a politician it would be anything that cannot be easily understood. The English Wikipedia has no entry on hacker tool. So what is it and why should we care? Care comes first. We have to care because the European Union is working on banning hacking tools. This is no news for some parts of Europe. Germany has tried to address the nebulous hacking tools issue in 2007. The law has drawn a lot of critic from security researchers. Some even moved their research abroad to avoid operating in a grey area of the law. There’s an open letter to the German

Read More

1704, 2012

Let’s talk about War

René Pfeiffer/ April 17, 2012/ Discussion, High Entropy, Stories

Extreme situations, entropy eruptions and unforeseen problems caused by complex interactions between a plethora of components are prime story material. You can use it in (science) fiction, you can use for breaking news, you can use it for scaring your children, you can use it for advertising and you can use it when talking about information security. Maybe this is why talking about „cyberwar“ is all the fashion these days. Let’s follow the trend and introduce the issue with style: No boom today. Boom tomorrow. There’s always a boom tomorrow. What? Look, somebody’s got to have some damn perspective around here! Boom. Sooner or later. BOOM! — Lt. Cmdr. Susan Ivanova, Babylon 5 This statement from a fictional character pretty much sums up the issue (plus it contains exactly the required amount of sources

Read More

1504, 2012

Pattern, Matching and IT Folklore

René Pfeiffer/ April 15, 2012/ Discussion, High Entropy, Security

Every once in a while there is a lively discussion about the efficiency of pattern-based security measures. Usually you see these discussions in the wake of security software tests. Mostly it concerns intrusion detection, malware filter or spam filter tools. As soon as you are trying to implement filters or detection, you will need some criteria to base decisions on. It doesn’t matter if you apply whitelisting, blacklisting or a mixture of both. Even if you add some intricate algorithms ranging from good ideas to artificial intelligence you still need to base the decision on something. Patterns and signatures is still the way to go. So why do these discussion about „all methods using patterns/signatures are snake oil“ stem from? Let’s take another pattern-based defence mechanism as an example – our immune systems. It

Read More

0304, 2012

Simple Questions, Security Design, Details and Assumptions

René Pfeiffer/ April 3, 2012/ Security, Stories

A few days ago we received a call from a journalist who was researching for an article about a system about parking place management. Motorists have a hard time finding a place to park in busy urban areas. This is why Austrian researchers thought of fitting street lamps with cameras that monitor parking areas. The cameras report the images to a system that identifies free parking sites and reports available spots to drivers by means of their satnav. The journalist wanted to know how safe this is and if there might be a threat to privacy. The answer is not that easy. In this context it typically resolves to the style of Radio Yerevan and starts with „In principle yes, but …“. In our case it depends on the details of the implementation. Brevity

Read More

0204, 2012

DeepSec 365 Conference Track and Disinformation

René Pfeiffer/ April 2, 2012/ Misc, Stories

We admit. We could not resist. Bazinga! Writing articles to be published on 1 April is fun, and you probably should not read any news on this day (or blog articles or anything, don’t even talk to people until 2 April). If you consider the disinformation practised on All Fools’ Day and connect it to security the fun stops. You rely on information and its accuracy to counter threats. So in turn disinformation can be regarded as a hacker tool. Social engineering people probably know this already. Since our CfPs for DeepINTEL and DeepSec 2012 are open: If you explore disinformation as a hacker tool and can show its impact on the security routine of potential targets/defenders, why not turn your findings into a presentation and send it to us? We want to know

Read More

0104, 2012

DeepSec Announces DeepSec 365 Conference Track

René Pfeiffer/ April 1, 2012/ Administrivia, Conference, High Entropy

IT security has grown into a cornerstone of our modern society. We rely on data integrity, availability, and we do not wish our personal or business data to be mirrored on pastebin.com or other web sites. 2011 has been full of high-profile security-related incidents. 2012 will most certainly continue in this fashion. This cannot go on forever. Therefore we decided to address the lack of IT security conferences and boost their number considerably. Starting with 1 January 2013 we start the DeepSec 365 Conference Track – 365 DeepSec security conferences in 2013, one every day! We are currently finalising the deal with our conference venue. Even the tourism industry has acknowledged that there really is nothing besides hosting IT security events. Forget skiing, spas, clubbing, museums, sightseeing and all that, you want to see

Read More