About René Pfeiffer

System administrator, lecturer, hacker, security consultant, technical writer and DeepSec organisation team member. Has done some particle physics, too. Prefers encrypted messages for the sake of admiring the mathematical algorithms at work.

DeepSec 2011 Focus: IPv6 and Next Generation Networks

René Pfeiffer/ May 13, 2011/ Administrivia, Conference

Since 3 February 2011 the IPv4 pool is now officially and fully depleted. „Peak IPv4“ was a long time ago. IANA can no longer hand out any IPv4 address space. Everyone who needs more address space will be force to look to IPv6. What about security? Are there any benefits? Has IPv6 eliminated all the weaknesses known with IPv4? Those who attended DeepSec 2010 already know the answers to these questions. Mark Heuse conducted a workshop and held a talk about IPv6 security. There’s no doubt that IPv6 is coming to town. Due to tunnels some networks even have IPv6 connectivity, some without even knowing. Setting up a tunnel with a router in your local network is easy. The router will announce itself to local nodes which will in turn automatically grab addresses and

Read More

Have an app and share your data!

René Pfeiffer/ May 11, 2011/ Security

Apps are all the fashion. You can download them, and you can add them to web sites (such as your blog) including your favourite social network. Facebook has introduced applications back in 2007. If you want to tie an application to your account, the code needs to have proper credentials in order to connect an action with your profile. This is why most apps ask you to login before they start to work. The idea is to convert your login and password into a token that can be used to grant access, either for a limited time or indefinitely. Symantec’s Nishant Doshi reports that Facebook had a bug in its application framework exposing user access tokens to third parties. This basically means that you can do all the app can do (and possibly more)

Read More

Talks held at the Linuxwochen Wien

René Pfeiffer/ May 8, 2011/ Security, Veranstaltung

MiKa and me held three talks at the Linuxwochen Wien 2011. The scheduled talks were „VoIP Security“ and „The Wind Chill Factor of Security“. The third talk was a review of the trust models used with X.509 certificates and issued by certificate authorities. The review was a drop-in replacement talk for a speaker who did not show up. Since the talks were held in German, I’d like to present a short summary in our blog. VoIP has become a well-established technology in companies during the past years. Periodically we assess the security of VoIP protocols and implementations. The talk we gave was a review of the state-of-the-art focussing on SIP signalling and audio/video codecs. We discussed the basics, the SIP Digest Authentication Leak found by Sandro Gauci, SIP probes, the troubles of SIP gateway

Read More

Article about White and Black Hats in Wiener Zeitung

René Pfeiffer/ May 6, 2011/ Press

Christoph Rella, a journalist who has been at past DeepSec conferences made telephone interviews with MiKa and me. He explored the difference between White Hats and Black Hats along with the motivations of hackers. He was interested in getting to know the reasons why the stereotype of the nice IT guy turns criminal. We think the motivations are vastly different, money being among them. Mr. Rella published a summary in an article for the Wiener Zeitung (in German).

Zu Gast bei Taalk.at: Vorratsdatenspeicherung

René Pfeiffer/ May 3, 2011/ Discussion

Michael Kafka war am 29. April 2011 zu Gast bei einer Expertenrunde zum Thema Vorratsdatenspeicherung. Der Hintergrund ist die Speicherung von Verbindungs- und Geodaten bei Kommunikation über Internet, Telefon und andere Netzwerke. Die EU Richtlinie dazu muß in allen Mitgliedsstaaten umgesetzt werden. In Österreich wurde das Gesetz letzte Woche beschlossen und tritt am 1. Januar 2012 in Kraft. Da Netzwerke und Logdaten mit dem Thema Sicherheit verwoben sind, haben wir unsere Expertise in die Diskussion eingebracht. Im Web-Standard wurde ein Artikel publiziert. Die Videoaufzeichung läßt sich über die ichmachpolitik.at Webseite anschauen:

DeepSec 2011 Focus: Mobile Computing and Communications

René Pfeiffer/ May 2, 2011/ Conference

Our Call for Papers announcement mentioned seven topics that we are focussing on. We’d like to explain what these topics are all about in a couple of blog postings since it is not easy to squeeze everything into a few lines. We begin with mobile computing and communication. Mobile computing incorporates mobile computing devices such as smart phones, tablets, cell phones, laptops, netbooks, wrist watches, navigation devices and similar computers. Most of us are now accustomed to frequently use portable computing. We want to know what bugs and security risks we carry around. A lot of users regard these mobile computers as appliance, therefore the thought of upgrading or fixing software on them is less widespread. You don’t do firmware upgrades on your microwave oven or water boiler, do you? Maybe you should. Mobile

Read More

Data Leaks Reviewed

René Pfeiffer/ April 28, 2011/ Internet, Security

Often single incidents don’t attract much attention, but the combination does. We’re getting used to lost laptops, USB sticks, CDs/DVDs/HDs and gadgets containing data. There’s even a project trying to keep track of data loss incidents world-wide, it’s called DataLossDB. Compromised web sites are also quite common. Only figures raise eyebrows, so this week’s favourite news item is Sony and the PS3 network. Someone created unauthorised backups of database tables containing (encrypted) credit card information, user names, passwords, birth dates and home addresses of PlayStation Network users. We still don’t know the nature of the security breach, however the impact is substantial both in terms of number of stolen records and very probably financial damage. There’s been not much talk about the passwords and their data format, but we all know that few people

Read More

DeepSec 2011 – Call for Papers opened!

René Pfeiffer/ April 15, 2011/ Administrivia, Conference

For the fifth time the DeepSec In-Depth Security Conference invites security researchers and professionals to submit suggestions for talks and workshops for our conference which will take place in November 2011 in Vienna. Please visit our updated website for more details about the venue, the schedule and information about our past conferences. We’re currently migrating the old content and collect the data from the old server in order to present archives of the past conference web sites. The DeepSec offers a mix of different topics and aspects like current threats and vulnerabilities, social engineering and psychological aspects as well as security management and philosophy. Our speakers and trainers traditionally come from the security community, companies, hacker spaces and academic organisations. We’ve updated the CfP, and you can submit content for three categories: Talks for

Read More

BSidesVienna: Call For Papers

René Pfeiffer/ April 5, 2011/ Administrivia, Conference

In the wake of the 23rd annual FIRST conference there will be a B-Sides Vienna event together with the NinjaCon 11, 3rd edition. The B-Sides Vienna will be on June 18th, as will be the NinjaCon 11. The Call For Papers is now open and we ask you to submit your material! At B-Sides Vienna aka NinjaCon 11, we’re looking forward to see a selection of trainings, hands-on workshops, 50-minute presetations and 15-minute lightning talks. As we understand ourselves as an open, international event, the official conference language for all talks, trainings and workshops (as well as submitted abstracts), as always, is English. Topics of interest include (but are in no way limited to) the following: Information technology, network security, web application security, virtualisation and cloud computing, innovative attack strategies, forensics, embedded devices, physical

Read More

Hacking Transportation Devices – 0wning Cars!

René Pfeiffer/ March 17, 2011/ Security, Stories

Last Summer we published a short article about an experimental study of modern car sensors systems and their security. Researches took a modern car, connected to the internal data bus and tried to do some hacking. They were able to manipulate on-board systems up to controlling the brakes and the engines. The study shows that once you have access to the (internal) network, you can do things that were most probably never anticipated by the designers. Arguably the risks of these kind of attacks is rather low – for now. However if you think about the Internet, software working in networked environments or the plethora of devices that can be connected to computers, then the number of attack vectors increases. This is not breaking news. You can see this trend in the wonderful world

Read More

Reminder: Mind2Mind Event I/2011 – „Wir werden Sie belauschen!“

René Pfeiffer/ March 16, 2011/ Communication, Veranstaltung

This is a short reminder of our local Mind2Mind event about the technology means of espionage in companies and organisations. The talk will be held by Wolfgang K. Meister of VOXCOM (and will be in German). Mr. Meister will address eavesdropping devices, microphones, attacks on telephone communication (VoIP, ISDN, analogue, 2G/3G), peculiarities of mobile phone networks and attacks on Internet communication, local computer systems and IT infrastructure. He will also discuss countermeasures. Dies ist eine kurze Erinnerung an unseren lokalen Mind2Mind Event „Wir werden Sie belauschen!“, der die Technologie von Spionage und Lauschangriff an Unternehmen und Organisationen beleuchtet. Der am Abend stattfindende Vortrag von Herrn Wolfgang K. Meister der Firma VOXCOM beschäftigt sich mit Wanzen, Mikrofonen, Aufnahme von Körperschall, Funk, Angriffen auf Telefone (VoIP, ISDN, analog, 2G/3G), Eigenheiten von Mobilfunknetzwerken und Attacken auf IKT

Read More

DeepSec 2011 – Call for Papers out soon

René Pfeiffer/ March 14, 2011/ Administrivia, Conference

We’re currently working on the Call for Papers for DeepSec 2011. The conference will take places from 15 to 18 November 2011, so you might want to save this date and mark it in your calendar. Mobile gadgets, the wonderful world of app stores filled with mal- and software, infrastructure and information war(rez)fare are top on the list of Things To Watch Out For™. We will sum up what we’re after in the CfP published on our new web site.

Rare Catastrophic Events and Infrastructure

René Pfeiffer/ March 12, 2011/ High Entropy

Most security administrators have to deal with risks and their management. If you read the news, then you will hear about lots of things that can go wrong for a multitude of reasons. A common tactic to get the required budget for securing infrastructure is to collect some horror stories and present them to management. Basically this is a polite form of blackmail. It might work, but there’s already enough fear and uncertainty spread through various media channels and word of mouth (or both). Now if you’re really interested in more stories about the End of your Data Days, why not go for earthquakes and global warming? Asteroids will do fine, too. But seriously, there’s some real thoughts behind this idea. The Internet is not strongly bound by geographical boundaries. The data of most

Read More

The Antivirus-Virus Conundrum

René Pfeiffer/ February 15, 2011/ Security

Last week the EU’s statistics office published statistical data about the state of anti-virus protection and virus infections. According to the figures nearly a third of Europe’s PCs carry some kind of malware. Although it is difficult to assess the accuracy or methods of studies, this figure is hardly surprising. Anyone who has ever dealt with filtering messages, web content or any other data entering the perimeter of your network knows about the positives and negatives, be them false or true. The problem starts with UBE/UCE (a.k.a. spam) filtering and continues right into the domain of malware. Just as their biological counterparts a computer malware, indiscriminately called virus, changes its shape and flavour. We had a talk from Joan Calvet about the Tripoux project. They analyse malware packers. If you have seen the branch

Read More

The Networks as Tool and Target at the same time

René Pfeiffer/ February 4, 2011/ Internet, Security

Unless you have been without access to the Internet, mobile network(s) and independent media you’ve probably followed the events in Egypt. The shutdown of the Internet throughout the country was an unprecedented move. It took some people by surprise, but anyone with a decent knowledge of routing protocols knew what was going on. There was no magic involved, just simply BGP packets. The aftermath of the still ongoing demonstrations and the show of force can already be seen. The Internet is gaining relevance when it comes to infrastructure. It’s not as important as telephone networks or the power grid, but sooner or later it probably will (especially since phone and power grid services move to the Internet for messaging/transport purposes). The lack of Internet connectivity was bypassed by telephone lines. Dial-up connections with modems

Read More