Murder Blog Series: Chapter 2 – Investigations

Sanna/ April 30, 2021/ Stories/ 0 comments

Letters as Windows to the World When young people discover the world, they are often happy to receive mail. Who doesn’t like it when others think of you? Once the love letters from the crush have undergone the metamorphosis into heartless letters with windows, we realize: Money rules their content, just like in this story. Leon has a habit. When walking back from the mailbox, he likes to feel the meaning of the contents of letters with his fingers. Here, it’s the letter from the credit card bill. And it has grown to several meaty millimeters. Leon hopes for a change in the terms and conditions. However, after opening it, it turns out that, unfortunately; it is a list of payments. He can barely remember the individual items. There are just too many—and most

Read More

DeepSec 2021: A lack of software security paralyzes the economy in times of crisis – visit DeepSec 2021 to train your developers

Sanna/ April 20, 2021/ Development, Press, Training/ 0 comments

In every crisis, one’s own infrastructure and logistics are put to serious tests. The COVID-19 pandemic illustrates this particularly drastically through the many structural failures in the past 12 months. They try to solve biological problems with smartphones, favor dead-end technologies such as blockchain, discover the lack of network expansion in recent decades and then panic and publish software applications that are only subjected to serious tests after they have been published. All these quick fixes are snapshots of a lack of sustainability. But the economy is dependent on stable solutions based on many years of experience, especially now. In November 2021, the DeepSec conference would like to give support to everyone who works with software through trainings and the transfer of experience from security researchers. Code rules the World The word digitization is

Read More

Murder Board Blog Series: Prequel

Sanna/ April 16, 2021/ Security, Stories/ 0 comments

[This is the first part of a five-part article series describing analogies between the world of IT security and research in other fields. Analogies are often used to deflect and conceal missing arguments. Didactics uses analogies as a powerful tool to explore your own understanding and to help you use your knowledge from other fields. Please use the articles of the Murderboard series (our name for the five-part article) for educating IT-affine people about information security. It’s never bad to have allies who understand what to look for in time of trouble.] It was a warm summer day when I got a call from an acquaintance who wanted to hire me for data protection coaching with one of his clients. Besides crime writing, I also work in data protection, helping self-employed people and small

Read More

Translated Article: EU-US Summit Against Secure Encryption

Sanna/ March 31, 2021/ Legal, Stories/ 0 comments

Gipfel EU-USA gegen sichere Verschlüsselung by Erich Moechel for fm4.ORF.at The agenda of the virtual meeting at a high-ranking official level in two weeks features pretty much all data protection-related topics that are currently controversial in Europe. Joe Biden’s appearance before the EU Council of Ministers will be followed by a two-day video conference on April 14th at the top level of officials in the field of justice and homeland security between the EU and the USA. Practically all currently controversial issues around data protection are on the agenda, from cross-border data access for law enforcement officers to joint action against secure encryption. This is also the case with the “fight against child abuse”, which is once again being instrumentalized for these general surveillance projects. Ylyva Johansson, EU Commissioner for Home Affairs and Justice, commissioned a

Read More

Translated Article: Further Wrangling in the Council of Ministers over Competences for Europol

Sanna/ March 30, 2021/ Discussion, High Entropy, Legal, Stories/ 0 comments

Weiter Gerangel im Ministerrat um Kompetenzen für Europol by Erich Moechel for fm4.ORF.at A majority led by Germany and France does not even want to give Europol the power to initiate transnational investigations itself in the event of a major cyber attack. On Monday the EU Council of Ministers decided on an approach for a new cybersecurity strategy. A network of “Security Operation Centers” across Europe will form an early warning system against attacks, and a new “Joint Cyber Unit” will be responsible for crisis management. In addition, they want to promote strong encryption methods together – but with back doors for law enforcement officers. Whether this collection of buzzwords will actually become an EU-wide implemented strategy is very much in question. The ongoing discussions in the Council of Ministers about the planned new powers of

Read More

Translated Article: E-Privacy Regulation allows retained Data and duplicate Keys

Sanna/ March 29, 2021/ Discussion, Internet, Legal, Stories/ 0 comments

E-Privacy-Verordnung erlaubt Vorratsdaten und Nachschlüssel by Erich Moechel for fm4.ORF.at The most important EU regulation for the protection of privacy contains a license for data processing of all kinds without the consent of the user and allows political parties to spread spam mail. For four years the e-privacy regulation has been stuck in the EU Council of Ministers, but under the Portuguese presidency, it was possible to agree on a version for the first time. However, this version of the “Ordinance on the Respect of Privacy and the Protection of Personal Data” has been designed in such a way that Germany’s top data protection officer, Ulrich Kelber, sees “several red lines crossed at the same time”. In addition to the reference to data retention, which was rejected by the EU Court of Justice for the third

Read More

Translated Article: EU Decryption Plans apparently “Done Deal”

Sanna/ December 30, 2020/ Stories/ 0 comments

EU-Entschlüsselungspläne offenbar „beschlossene Sache“ by Erich Moechel for fm4.ORF.at Even without an official mandate from the Council for such a regulation, the Commission has already started to anchor a decryption requirement in other regulation projects. Chronicle of the second Cyberwars from 2014 to today, Part II. You can find part one here. The controversial resolution of the Council of Ministers against secure encryption was anchored in the new draft guidelines for “high-class cyber security” of December 16. Since resolutions are not binding per se, this indicates a “Fait Accompli”, an informally already decided matter. From data retention (until 2006) to the currently adopted regulation against online terrorist propaganda (start in 2016) , all major EU surveillance projects have started in this way. So much more than the public information available so far should have already

Read More

Translated Article: EU Directive for “High-Class Cybersecurity” with Duplicate Keys

Sanna/ December 29, 2020/ Conference, Security, Stories/ 1 comments

EU-Richtlinie für „hochklassige Cybersicherheit“ mit Nachschlüsseln by Erich Moechel for fm4.ORF.at. The key message of the Council of Ministers’ resolution against secure encryption has already arrived in a first draft directive. For this reason here’s a historical outline of the new Crypto Wars since 2014. The resolution of the EU Council of Ministers against secure encryption, which resulted in so much criticism, has already appeared in a first draft directive. A corresponding passage can be found in the new draft directive on “Measures for high-quality cybersecurity in the Union”. The date of December 16 of the document shows that it was already drawn up before the Council resolution was passed (on December 19). Here, too, it is claimed that secure end-to-end encryption remains intact if duplicate keys are generated for third parties. Meanwhile the EU

Read More

ROOTs 2020: A survey on practical adversarial examples for malware classifiers – Daniel Park

Sanna/ November 18, 2020/ ROOTS/ 0 comments

Machine learning based models have proven to be effective in a variety of problem spaces, especially in malware detection and classification. However, with the discovery of deep learning models’ vulnerability to adversarial perturbations, a new attack has been developed against these models. The first attacks based on adversarial example research focused on generating feature vectors, but more recent research shows it is possible to generate evasive malware samples. In this talk, I will discuss several attacks that have been developed against machine learning based malware classifiers that leverage adversarial perturbations to develop an adversarial malware example. Adversarial malware examples differ from adversarial examples in the natural image domain in that they must retain the original malicious program logic in addition to evading detection or classification. Adversarial machine learning has become increasingly popular and is

Read More

ROOTs 2020: Exploiting Interfaces of Secure Encrypted Virtual Machines – Martin Radev

Sanna/ November 18, 2020/ ROOTS/ 0 comments

Cloud computing is a convenient model for processing data remotely. However, users must trust their cloud provider with the confidentiality and integrity of the stored and processed data. To increase the protection of virtual machines, AMD introduced SEV, a hardware feature which aims to protect code and data in a virtual machine. This allows to store and process sensitive data in cloud environments without the need to trust the cloud provider or the underlying software. However, the virtual machine still depends on the hypervisor for performing certain activities, such as the emulation of special CPU instructions, or the emulation of devices. Yet, most code that runs in virtual machines was not written with an attacker model which considers the hypervisor as malicious. In this work, we introduce a new class of attacks in which

Read More

DeepSec 2020 Talk: Old Pareto had a Chart: How to achieve 80% of Threat Modelling Benefits with 20% of the Efforts – Irene Michlin

Sanna/ November 18, 2020/ Conference/ 0 comments

The earlier in the lifecycle you pay attention to security, the better are the outcomes. Threat modelling is one of the best techniques for improving the security of your software. It is a structured method for identifying weaknesses on design level. However, it is often perceived by the organisations as too expensive to introduce, or too slow to fit modern lifecycles, be it Agile, Lean, or DevOps. This talk will show how to fit threat modelling in fast-paced software development, without requiring every developer to become an expert. The outcomes should be immediately applicable, hopefully empowering you to try it at work the day after the conference. We asked Irene a few more questions about his talk. Please tell us the top 5 facts about your talk. Based on my experience introducing threat modeling

Read More

ROOTs 2020: No Need to Teach New Tricks to Old Malware: Winning an Evasion Challenge with XOR-based Adversarial – Fabrício Ceschin

Sanna/ November 12, 2020/ ROOTS/ 0 comments

Adversarial machine learning is so popular nowadays that Machine Learning (ML) based security solutions became the target of many attacks and, as a consequence, they need to adapt to them to be effective. In our talk, we explore attacks in different ML-models used to detect malware, as part of our experience in the Machine Learning Security Evasion Competition (MLSEC) 2020, sponsored by Microsoft and CUJO AI’s Vulnerability Research Lab, in which we managed to finish in first and second positions in the attacker’ and defender challenge, respectively. During the contest’s first edition (2019), participating teams were challenged to bypass three ML models in a white box manner. Our team bypassed all three of them and reported interesting insights about the models’ weaknesses. This year, the challenge evolved into an attack-and-defense model: the teams should either propose

Read More

Press Release: Presenting new Ways in Information Security

Sanna/ November 11, 2020/ Conference/ 0 comments

Like every year, DeepSec and DeepINTEL get to the bottom of the current state of information security. So far, 2020 has shown that surprises and critical events are always to be expected. Information security still knows no break. On the contrary: weak points in software, hardware, legislature and infrastructure are a permanent threat to digital information. So that those affected still have better chances against constant attacks, the DeepSec and DeepINTEL conferences will take place this year completely digitally via the Internet. Security can only be achieved through joint efforts. Therefore, this November, as every year, there will be an exchange between experts, users, software developers, administrators and those responsible! Solving problems instead of postponing them Hardly any other area is constantly inventing new terms like information technology. Unfortunately, misunderstandings and obscuring their meaning

Read More

Press Release: IT Security Sabotage threatens the domestic Economy

Sanna/ November 10, 2020/ Conference, Discussion, Press/ 0 comments

Effective end-to-end encryption is a critical component in everyday and business life. Over 300 years ago, cryptanalysis, i.e. the method for decrypting secret codes, had its heyday in Europe. In so-called black chambers or black cabinets (also known as cabinet noir) in post offices all letters from certain people were secretly opened, viewed, copied and closed again. The letters intercepted in this way were then delivered. The purpose was to find dangerous or harmful news for the regents of the time. The most active and efficient chamber in Europe was the Secret Cabinet Chancellery in Vienna. This early form of wiretapping was only ended in the 19th century. And this scenario of the imperial and royal courts is now facing all European companies and individuals. End-to-end encryption is to be provided with back doors

Read More