About René Pfeiffer

System administrator, lecturer, hacker, security consultant, technical writer and DeepSec organisation team member. Has done some particle physics, too. Prefers encrypted messages for the sake of admiring the mathematical algorithms at work.

1203, 2011

Rare Catastrophic Events and Infrastructure

René Pfeiffer/ March 12, 2011/ High Entropy

Most security administrators have to deal with risks and their management. If you read the news, then you will hear about lots of things that can go wrong for a multitude of reasons. A common tactic to get the required budget for securing infrastructure is to collect some horror stories and present them to management. Basically this is a polite form of blackmail. It might work, but there’s already enough fear and uncertainty spread through various media channels and word of mouth (or both). Now if you’re really interested in more stories about the End of your Data Days, why not go for earthquakes and global warming? Asteroids will do fine, too. But seriously, there’s some real thoughts behind this idea. The Internet is not strongly bound by geographical boundaries. The data of most

Read More

1502, 2011

The Antivirus-Virus Conundrum

René Pfeiffer/ February 15, 2011/ Security

Last week the EU’s statistics office published statistical data about the state of anti-virus protection and virus infections. According to the figures nearly a third of Europe’s PCs carry some kind of malware. Although it is difficult to assess the accuracy or methods of studies, this figure is hardly surprising. Anyone who has ever dealt with filtering messages, web content or any other data entering the perimeter of your network knows about the positives and negatives, be them false or true. The problem starts with UBE/UCE (a.k.a. spam) filtering and continues right into the domain of malware. Just as their biological counterparts a computer malware, indiscriminately called virus, changes its shape and flavour. We had a talk from Joan Calvet about the Tripoux project. They analyse malware packers. If you have seen the branch

Read More

0402, 2011

The Networks as Tool and Target at the same time

René Pfeiffer/ February 4, 2011/ Internet, Security

Unless you have been without access to the Internet, mobile network(s) and independent media you’ve probably followed the events in Egypt. The shutdown of the Internet throughout the country was an unprecedented move. It took some people by surprise, but anyone with a decent knowledge of routing protocols knew what was going on. There was no magic involved, just simply BGP packets. The aftermath of the still ongoing demonstrations and the show of force can already be seen. The Internet is gaining relevance when it comes to infrastructure. It’s not as important as telephone networks or the power grid, but sooner or later it probably will (especially since phone and power grid services move to the Internet for messaging/transport purposes). The lack of Internet connectivity was bypassed by telephone lines. Dial-up connections with modems

Read More

0302, 2011

Mind2Mind Event I/2011 – „Wir werden Sie belauschen!“

René Pfeiffer/ February 3, 2011/ Veranstaltung

Wir beginnen im März mit der ersten Mind2Mind Veranstaltung. Es handelt sich dabei um lokale Events in Wien, bei der wir ein bestimmtes Thema mit Bezug auf Sicherheit miteinander und gegeneinander diskutieren möchten. Der erste Mind2Mind Vortrag handelt um alltäglichen Lauschangriff, den viele unterschätzen: Der elektronische Lauschangriff ist nicht nur ein Instrument von Behörden oder Politik. Oder etwa doch? Lassen Sie uns Fiktion und Wirklichkeit mit handfesten Fakten vergleichen. Der Experte Wolfgang K. Meister der Firma VOXCOM möchte Unternehmer, Angestellte und weitere Betroffene über die Situation fernab von Spielfilmen aufklären. Hollywood ist nicht die Realität. Jedoch sind nicht nur ehemalige Finanzminister potentielle Ziele von Abhöraktionen, es kann auch uns betreffen, wenn auch vielleicht nicht direkt. Zwei große Firmen wollen die Machenschaften des jeweils andren auspionieren? Warum nicht über eine Überwachung eines gemeinsamen Nenners? Vielleicht

Read More

1501, 2011

FIRST Conference in Vienna

René Pfeiffer/ January 15, 2011/ Conference

2011 is already in full swing. That’s why we have an announcement for you. The 23rd annual FIRST Conference will take place in Vienna, Austria. We strongly recommend to participate. IT security never sleeps, and neither should you – at least when it comes to getting new ideas and get into touch with others. We will be there, so it would be great to meet you. Make sure you drop us a line, so we know you are around. If you have material for a lightning talk, there’s still time to get a slot. You just have to contact the conference office by e-mail. The address can be found on the conference program web site.

0101, 2011

Welcome to 2011!

René Pfeiffer/ January 1, 2011/ Misc

Welcome to the new year 2011! Hopefully you have arrived safely and in the best of spirits. We wish you a happy new year! And we look forward to see if the forecast with predicted security nightmares for 2011 will turn into reality. There’s definitely a chance.

2712, 2010

27C3 and Misunderstandings about Security

René Pfeiffer/ December 27, 2010/ Conference, Security

We’ve hooked a computer to the video stream of the 27C3 conference. Currently we’re listening to the keynote speech which touches a relevant topic for security issue. Are you happy or are you unhappy? It sounds a bit strange, but usually happy people have nothing to worry about. So in turn it does make sense not to worry people. The examples given in the keynote were electronic voting machines. The process of selecting a government by anonymous voting is a cornerstone of democracies. This is exactly why electronic voting must not happen through black boxes. India has already threatened (and arrested) security researchers who analyse the security of the voting machines used in the country. Electronic voting is only one example. Another one is the publication about the broken chip and PIN design of

Read More

1612, 2010

Conference aftermath, slides and more

René Pfeiffer/ December 16, 2010/ Administrivia

We have been busy dealing with the aftermath of the conference. This has been mainly collecting the presentation materials and preparing the speaker reimbursements. We aim to get as much done as possible in December. So far there haven’t been any nasty suprises or delays. Some of you have asked for the slides of the talks. The speakers gave us more than two thirds of the material yet. We’re still collecting and reminding. We have planned to publish the whole collection (including the archives from DeepSec 2007, 2008 and 2009) in February 2011 along with our new web site. There’s too much cruft in our web tubes to handle this differently. If you really want the documents in advance, let’s say for your long and boring Winter evenings, then drop us a few lines

Read More

2711, 2010

Press Conference – Impressions and Links

René Pfeiffer/ November 27, 2010/ Press

We’ve got some news from yesterday’s press conference with Ivan Ristić (Qualys), Sharon Conheady (First Defence Information Security Ltd.) and Harald Welte (hmw-consulting) followed by a seven interviews with speakers was a great success. The spirit of DeepSec – bringing people (security experts and journalists in this case) together to talk to each other – was felt every second. Here are the first links to coverage in German media: “Unverschlüsselte Internet-Kommunikation ist fahrlässig” Deepsec 2010: Sicherheitskonferenz im Zeichen mobiler Systeme DeepSec: Faktor Mensch als Sicherheitslücke DeepSec 2010: Interview mit Sharon Conheady zum Thema Social Engineering Krieg von der Couch

2611, 2010

DeepSec Photographs – have a look!

René Pfeiffer/ November 26, 2010/ Conference

There are some people running around with digital cameras here at the conference. Check out these impressions: Tienod’s preview Sven’s pictures ChrisJohnRiley @ Flickr If you have some photographs online, drop us a note. All your images are belong to us.

2311, 2010

The workshops have started!

René Pfeiffer/ November 23, 2010/ Administrivia

We’re near the end of the first day of workshops. We got a smooth start and the mood is great. Wi-Fi is up and running, we got a radio uplink with 32 MBit/s in both directions.¹ The GSM guys have their demonstration set-up up and running. We suspect the social engineering goes well (we can’t tell, we only see smiling faces and awfully nice persons in there). Our ISP enabled Marc to set-up the 6to4 tunnel for the IPv6 security/pentesting workshop. Mariano teaches his class how to determine if their (or your) business-critical SAP implementation is secure. If you are a really late booker, we still accept registrations for the conference, either by our online ticketing service or by ¹ When on site, look for ESSIDs DeepSec2010, DeepSec2010a, DeepSec2010g and DeepSec2010N (no encryption, bring

Read More

2011, 2010

DeepSec: Mobile Radio Networks as Targets for Virtual Warfare

René Pfeiffer/ November 20, 2010/ Press

Vienna – The times when a mobile phone was used solely to make calls are long gone, now it’s all about making pictures and surfing the Internet. The groundbreaking success of the iPhone is just one example for the fact that mobile phones have long since outgrown their original use. Youths and adults use them every day  to get information about recent news, the weather or navigation for a future trip with the car. Having the new all-purpose information device by the hand has become a habit. But what happens if criminals or assassins attack the mobile phone network? Cyber War: Public Life in the Crosshairs “The GSM radio network is used by more than 200 countries and holds many spectacular flaws which we want to illustrate.”, explains René Pfeiffer, organiser of the international

Read More

1911, 2010

Schedule is stable

René Pfeiffer/ November 19, 2010/ Schedule

The schedule of DeepSec 2010 has been declared stable¹. Unfortunately three speakers had to cancel their presence because of unforeseen reasons. We have managed to fill the slots, so that we have a full schedule and lots of issues to think about. The schedule on the web will now be frozen for print. Any further changes will always be reflected on our web site. We’re looking forward to see you all! ¹ We thought it would be a good idea since declaring code stable is common in software development. ☺

1711, 2010

DeepSec: Vacance 2.0 – Risque accru de cambriolage lié aux annonces de départ en vacance sur les réseaux sociaux.

René Pfeiffer/ November 17, 2010/ Press

La conférence sur la sécurité informatique met en garde contre les risques liés aux notifications de départ. Au début des vacances de la Toussaint, beaucoup d’allemands ont parlé de leur projet de voyage sur internet , sans se rendre compte du danger d’une telle annonce. Les risques s’accentuent encore avec l’arrivée du nouveau service de localisation «facebook lieux». Les utilisateurs y indiquent, au moyen de leurs portables, le lieu où ils sont afin de tenir leurs contacts au courant. «Au moment des vacances, beaucoup d’entre eux se laissent aller à poster sur un blog, sur twitter ou Facebook. Révéler son lieu de vacance, par exemple sur Facebook Lieux, augmente d’autant les risques d’effraction chez soi» explique René Pfeiffer, organisateur de la conférence DeepSec qui aura lieu du 23 au 26 novembre 2010 à Vienne.

Read More

1511, 2010

A Brief History of GSM A5/2 and 2G/3G Security

René Pfeiffer/ November 15, 2010/ Stories

MiKa and me shared some knowledge about the design flaws and the state of security in 2G/3G networks. The idea was to present an overview. Those networks have been shrouded in NDAs for too long. It is good to see that this is changing. Given the fact that millions of people use this technology on a daily basis, there should have been more publications and a deeper analysis many years ago. GSM features four A5 encryption algorithms. They are called A5/0, A5/1, A5/2 and A5/3. A5/0 is basically plaintext, because no encryption is used. A5/1 is the original A5 algorithm used in Europe. A5/2 is a weaker encryption algorithm created for export (the weakness is a design feature). A5/3 is a strong encryption algorithm created as part of the 3rd Generation Partnership Project. The

Read More