About René Pfeiffer

System administrator, lecturer, hacker, security consultant, technical writer and DeepSec organisation team member. Has done some particle physics, too. Prefers encrypted messages for the sake of admiring the mathematical algorithms at work.

2021 – The Year of the Supply Chain

René Pfeiffer/ July 8, 2021/ Conference

Logistics and supplies are the fuel that keeps modern society rolling. The COVID-19 pandemic has shown that delivery of goods, medical supplies, and work place administration is a part of our daily lives. The container ship Ever Given blocking the Suez Canal serves as an illustration of how important these lifelines are. Even the digital world is based on supply chains. The computer you use receives updates regularly. Chances are high that you even have some data in online platforms (a.k.a. The Cloud™) somewhere. Thinking in terms of information security, these dependencies are a natural target for attackers. Swedish supermarket customers currently suffer from a digital attack on the US-American company Kaseya. The company develops software for managing IT infrastructure. The REvil malware hit them and disabled clients using the VSA remote managing software

Reminder: DeepSec and DeepINTEL 2021 Call for Papers is still open!

René Pfeiffer/ July 6, 2021/ Conference

The year 2021 features some milestone anniversaries. Some of these anniversaries are tragedies. Others are milestones for change. A lot of them affect the world of information security. Technologies come and go, because more often than not we find better solutions. Implementations mature. Some don’t. So let’s take the anniversary of the RSA SecurID faux pas and combine it with the deleted tweet suggesting to replace TCP/IP with Something Based On Blockchain™. In order to grow and develop better applications, we should strive to improve how we approach the challenges of information security. Here is how we will do this. Read on. The DeepSec and DeepINTEL 2021 calls for papers are still open. If you have in-depth content or have some observations to share, please submit your ideas! DeepSec is a 100% blockchain-free zone,

Deadline for Scholarship Program extended until 31 July 2021

René Pfeiffer/ June 18, 2021/ Conference

Being curious is the first step of answering a question. DeepSec has a long history of pushing the results of research on a public stage. Information security is a branch of computer science. Therefore, the scientific approach is the best way to tackle digital security. Past conferences have featured presentations about the work of dedicated groups of curious people. Now it’s your turn to get some extra support for your project. We have extended the deadline for the DeepSec scholarship program until the end of July 2021. We felt that having some extra time is never a bad idea. So if you have an idea for a research project, please let us know. Drop us an email or a message in a bottle.

First DeepSec 2021 Trainings published

René Pfeiffer/ May 12, 2021/ Conference, Training

We dug through the submissions and selected trainings for the preliminary schedule. It’s just the trainings, and the intention is to give you some information for planning the rest of the year. We intend the trainings to be on site at the conference hotel. We will also explore ways to offer a virtual training or to attend the course virtually. The topics range from attacking modern desktop applications and in-depth network security (mobile networks and traffic analysis) through penetration testing of industrial control systems to how to break and secure single sign-on systems. The entire collection of content aims to educate your IT department and your development team regarding the current state of affairs in companies with employees connected in home office. All technologies and tools are vital parts of the workplace. We included attacking industrial

ROOTS 2021 – Call for Papers

René Pfeiffer/ May 10, 2021/ Conference

The Reversing and Offensive-oriented Trends Symposium, an academic workshop, is again co-located with the DeepSec conference in its fifth year. ROOTS solicits contributions that focus on theorems and root shells: In security, two things you absolutely cannot argue with. Security is hard to define. Most often, security is defined by its absence. For scientists, this is particularly unsatisfactory. A lack of definition increases the difficulty of finding suitable quantitative and qualitative models. Even though the overall landscape is blurry at best, exploitation, reverse engineering, and offensive techniques have their place. ROOTS aims to explore this territory. The first European symposium of its kind, ROOTS aims to provide an industry-friendly academic platform to discuss trends in exploitation, reversing, offensive techniques, and effective protections. Submissions should provide novel attack forms, describe novel reversing techniques, or effective

Export of Blog Articles on Medium

René Pfeiffer/ May 1, 2021/ Administrivia

The Internet was invented for sharing information. Publishing articles and raw data is still the main use case for networks. We use our blog for publishing articles covering topics of information security. It is the primary source of information. Article publications will be announced on our Twitter feed once the text is online. A while ago we started to publish our blog articles on Medium in parallel. The publication pipeline broke when Medium stopped supporting the plugin for our blog application. Re-publishing has since been done manually (hence the backlog on Medium). We occasionally update our Medium channel. Now this channel has a new link. If you prefer to read our articles on Medium, please use https://deepsec.medium.com/. Keep in mind that our blog articles published here will never hide behind a paywall or a

Project Covert Operations and Zero Days – Controlled Compromise of Infrastructure and Code

René Pfeiffer/ April 21, 2021/ Discussion, High Entropy, Security

Once you collect information, you will eventually have to decide on when to use which part for what reason. This is the dilemma of intercepting intelligence from an adversary and using it for defence (or offence). Once you act on the knowledge no one else is supposed to have, then you will also disclose your capabilities. The digital world is full of these scenarios. The most recent case is a disclosure of Google’s Project Zero. The publication covered vulnerabilities dating back to the first half of 2020. As it turned out, the discovery comprised 11 powerful weaknesses used to compromise iOS, Android and Microsoft® Windows devices. By publishing these vulnerabilities Project Zero essentially shut down a nine-month digital hacking operation by a Western government. Bugs in software have no labels. They may be

DeepSec, ROOTS and DeepINTEL Update – Call for Papers open

René Pfeiffer/ April 19, 2021/ Administrivia, Call for Papers, Conference, DeepIntel

Planning events is still challenging. The COVID-19 pandemic celebrated its first birthday. Despite efforts not to have the second birthday of the pandemic, the ever-changing regulations and status updates regarding the infections make preparations for conferences very hard. We know you want to plan as well, therefore we have an update for you. DeepSec, ROOTS, and DeepINTEL will happen on-site here in Vienna. We closely coordinate with our conference hotel. Their staff is eager to reopen. Everything depends on the rate of vaccination and the regulations issued by the European and Austrian authorities. There is not much we can influence. Given the health protection measures we worked out last year, we are well prepared to handle everything short of a total lockdown. We don’t do any forecasts at the moment. The next months

Software Architecture, Code, and Information Security

René Pfeiffer/ April 8, 2021/ Conference

Information security is tightly linked with the code running on platforms and decisions made during the software architecture planning phase. One can trace a lot of results in penetration tests to workarounds caused by inadequate tools, bad design choices, trends in software development, legacy applications, and too optimistic testing strategies. Let’s visit some of the accident sites by example. Implementing the basic principles of information security can be hard. The dreaded undefined behaviour or the lack of graceful failures in error conditions happens frequently. A recent presentation about autonomous systems illustrates what we expected from your code – it must be completely self-reliant. Doing n restarts and halting is not the best way of dealing with unexpected situations. Rejecting dangerous states and input is always an option, but sysadmins frequently need to bash applications

All your Content are belong to Us – how the Crypto Wars continue

René Pfeiffer/ March 31, 2021/ Discussion, High Entropy, Internet, Legal

Encryption is one of our favourite topics. This blog and our events feature discussions, tools, and content regarding cryptography. The first DeepSec conference in 2007 even had a presentation about a practical attack on GSM’s A5/1 algorithm. Subsequent conferences followed up on this, for example, the state of affairs of mobile network security in 2010. We use encryption and high levels of privacy in our own communication. Certain published documents emphasize the importance of using uncompromised and modern encryption algorithms. In the meantime, users have moved to messengers using TCP/IP on top of the mobile network transmissions. This enables full end-to-end encryption and privacy. The problems are still the same as in the 1990s. Enter the continuation of the Crypto Wars. On 23 March the Oberlandesgericht (Higher Regional Court) Rostock in Germany argued that

Call for IoT Trainings: Secure Development for embedded Devices

René Pfeiffer/ March 24, 2021/ Discussion, Training

The world is much easier to handle without limits. If you have all your frameworks freely available and have the luxury of running your code with a multi-MB (or -GB) runtime environment, then you are in paradise. The world of embedded devices and the Internet of Things looks different. Saving energy is the prime directive. The power supply might be a battery or the connector pin of another device. Multiple cores are rare, memory is even rarer. If you are acquainted with the container and cloud lifestyle, then embedded systems will be a culture shock. Think kilo instead of mega or giga. Small devices run code, too. So this is where security comes into play. What can you do to design your embedded code to be small and secure? Secure design and coding have

Secure Operation of IT Systems requires Skills, no Shortcuts

René Pfeiffer/ March 19, 2021/ Discussion, High Entropy

The recent vulnerability in the Microsoft® Exchange server application has sparked many discussions. One of the topics is connected to the skills of IT departments responsible for patching systems in time. How can n weeks or months pass until upgrades are rolled out and in place? Well, the answer is easy. Some upgrades do not work flawlessly. In anticipation of problems during the change, IT departments need a copy of the live system and time to test the updates. This takes time, even if you have the budget to run additional copies of your systems. Furthermore, sometimes upgrades go wrong. Theoretically, these changes should just eliminate security problems and enable the application to work as before. IT departments bitten by the “this should not have happened but it did anyway” situation will hesitate to

Bug Disclosure Policies and the Eternal Discussion about Security ♨

René Pfeiffer/ March 15, 2021/ Discussion, High Entropy, Security

In theory, there is the evolution from bug over to weakness, vulnerability and finally the exploit. Errors in code and application behaviour are interesting for any serious developer. Security researchers also look for bugs and ways to make code do something it wasn’t designed for. In the absence of critical failures in applications, the process of reporting bugs and getting them fixed is smooth and less prone to heated discussions (YMMV, some software projects feature persons with very strong opinions). All of this changes when the code can be remotely exploited. Enter the recent CVEs regarding the Microsoft® Exchange server. CVE-2021-26855 is as bad as it sounds. It is a remote code execution with low complexity requiring no user interaction and no privileges. Disclosure of bugs impacting security has a long history. Knowing

DeepSec 2021 – Call for Papers is open

René Pfeiffer/ March 1, 2021/ Call for Papers, Conference

DeepSec 2021 is looking for your ideas, solutions, incident reports, insights, and expertise. The call for papers is open. You can submit your contribution via our call for papers manager online. If you have questions or want to submit additional material, please use the online form and send an email to us. DeepSec has always presented a mix of attack and defence presentations. The motto for 2021 connects both approaches. Studying how adversaries work, what tools they employ, how they plan their attack, and what they do once they get access is vital to your defence. IT infrastructure has grown over the years. Defence has a lot to take care of. If you have any ideas how to help the defenders, please let us know. Topics covering attacks should always contain some advice on

Management Console Access – Obscurity by Security and vice versa

René Pfeiffer/ February 28, 2021/ Discussion, Security

Every discussion about security sooner or later connects to the wonderful word obscurity. Mentioning security by obscurity is a guaranteed way of losing sight of the facts. It is vital to actually fix weaknesses and introduce strong separation of systems when implementing security. Furthermore, the leakage of useful information to potential adversaries should be eliminated. That’s the theory. Enter the discussions we have witnessed in real life and on the Internet. A common tactic is to strip information from communication protocols that is not needed for transporting the message. Version numbers, host names, addresses, and other pieces of data are often removed when a server answers requests. Especially web applications send a ton of useful information to clients. You can see the structure of the web space, components used for rendering, server systems involved,
