2102, 2014

DeepSec 2013 Video: Prism Break – The Value Of Online Identities

René Pfeiffer/ February 21, 2014/ Conference, Internet

Everything you do online creates a stream of data. Given the right infrastructure this data trails can be mined to get a profile of who you are, what you do, what your opinions are and what you like or do not like. Online profiles have become a highly desirable good which can be traded and used for business advantages (by advertising or other means). In turn these profiles have become a target for theft and fraud as well. In the digital world everything of value gets attacked eventually. Time for you to learn more about it. In his talk at DeepSec 2013 Frank Ackermann explained the value of online identities. We recommend his presentation, because it illustrates in an easily comprehensible way the value of online identities in our modern Internet relying society. It

Read More

1902, 2014

DeepSec 2013 Video: Risk Assessment For External Vendors

René Pfeiffer/ February 19, 2014/ Conference

CIOs don’t like words like „third party“ and „external vendor“. Essentially this means „we have to exchange data and possibly code with organisation that handle security differently“. Since all attackers go for the seams between objects, this is where you have to be very careful. The fun really starts once you have to deal with confidential or regulated data. So how do you cope with doing this and still keeping an eye open for risk, compliance, and efficiency? Good question. At DeepSec 2013 Luciano Ferrari (Kimberly-Clark Corporation) addressed these issues in his presentation. He has developed a process that deals with global Risk Assessment and increases the trust in and the security of your data. However: Data security can only be achieved if all units of an organization cooperate – and with a change

Read More

1802, 2014

DeepSec 2013 Video: From Misconceptions To Failure – Security And Privacy In The US Cloud Computing FedRAMP Program

René Pfeiffer/ February 18, 2014/ Conference, Security

The „Cloud“ is the Fiddler’s Green of information technology. It’s a perpetual paradise built high above the ground where mortal servers and software dwell. Everyone strives to move there eventually, because once you are in digital paradise, then all your sorrows end. So much for the theory. The reality check tell a different story. This is why we invited Mikhail A. Utin (Rubos, Inc.) to DeepSec 2013. He presented an in-depth analysis of the US government’s FedRAMP programme. „…However, regardless of numerous concerns expressed by information security professionals over CC services, US government developed the FedRAMP program and got funding for moving all federal information systems into a “cloud”. As we identified, all “cloud” misconceptions have successfully made it into FedRAMP documents. What should we expect from such a large scale experiment? What will

Read More

1702, 2014

DeepSec 2013 Video: Hackanalytics – What’s hot, what’s not

René Pfeiffer/ February 17, 2014/ Conference

Penetration testing is much more than trying a couple of attacks and be done with it. The results matter, and you have to prepare them in a fashion they can be used afterwards. Putting defences to the test is not a matter of „yes, it works“ or „no, it doesn’t“. There are expectations of the customer. Furthermore you will run into situations which might not have been anticipated. Then there is the Art of Communication™. Missing means of communication or misuse of known means is widespread. At his presentation at DeepSec 2013 Alexey Kachalin put reporting and penetration testing into perspective. Listen to his talk and let himexplain you what’s hot and what’s not.

1402, 2014

DeepSec 2013 Video: CSRFT – A Cross Site Request Forgeries Toolkit

René Pfeiffer/ February 14, 2014/ Conference

While Cross Site Request Forgery (CSRF) is an attack that is primarily targeted at the end user, it still affects web sites. Some developers try to avoid it by using secret cookies or restricting clients to HTTP POST requests, but this won’t work. The usual defence is to implement unique tokens in web forms. CSRF is often underestimated, because their presence is more common than anticipated. At DeepSec 2013 Paul Amar introduced his Cross Site Request Forgeries Toolkit (CSRFT). The toolkit helps you to study and prototype CSRF interaction with web servers. Paul’s talk was one of the U21 submissions accepted at DeepSec 2013.

1102, 2014

DeepSec 2013 Video: Bypassing Security Controls With Mobile Devices

René Pfeiffer/ February 11, 2014/ Conference, Security, Stories

Controls blocking the flow of data are an important tool of defence measures. Usually you need to enforce your organisation’s set of permissions. There are even fancy gadgets available to help you cope with data loss in terms of unauthorised access. This only works in controlled environments. Fortunately the modern IT policy allows intruders to bring their own tools in order to circumvent security controls. Bring Your Own Device (BYOD) is all the fashion these days, and it really helps evading defence mechanisms. At DeepSec 2013 Georgia Weidman of Bulb Security LLC talked about what you can do with mobile devices and what you have to address when protecting your data. „…Companies are putting a lot of faith in these security mechanisms to stop the threats to mobile devices. In this talk we put

Read More

0902, 2014

DeepSec 2013 Video: The Boomerang Effect – Using Session Puzzling To Attack Apps From The Backend

René Pfeiffer/ February 9, 2014/ Conference, Security

Attacking fortified positions head on looks good on the silver screen. Real life attackers have no sense for drama and special effects. Battering closed doors will get you nowhere fast. Instead modern adversaries take a good look at open doors and exploit them to get what they want. Security specialists know about the dangers of management interfaces (also known as backends). This is one main focus of denying unauthorised access. Once a backend is exposed, the consequences can be very fatal to your digital assets. At the DeepSec 2013 conference Shay Chen (Hacktics ASC, Ernst & Young) explained how attacks originating from backends look like and what attackers can do once they gained foothold.

0802, 2014

DeepSec 2013 Video: Top 10 Security Mistakes In Software (Development)

René Pfeiffer/ February 8, 2014/ Conference, Security, Stories

Everybody makes mistakes. It’s no surprise that this statement applies to software development, too. When you deal with information security it is easy to play the blame game and say that the application developers must take care to avoid making mistakes. But how does software development work? What are the processes? What can go wrong? Answering these questions will give you an insight into ways to avoid being bitten by bugs. Peter af Geijerstam of Factor 10 talked about security mistakes in software development in his presentation held at the DeepSec 2013 conference. We recommend his presentation for everyone dealing with information security, not just software developers.

0702, 2014

DeepSec 2013 Video: Malware Datamining And Attribution

René Pfeiffer/ February 7, 2014/ Conference, Security

Popular culture totally loves forensics (judging by the number of TV shows revolving around the topic). When it comes to software a detailed analysis can be very insightful. Most malicious software isn’t written from scratch. Some components are being reused, some are slightly modified (to get past the pesky anti-virus filters). This means that (your) malware has distinct features which can be used for attribution and further analysis. In his talk at DeepSec 2013 Michael Boman explained what you do with malicious software in order to extract information about its origins. Use the traces of its authors to attribute malware to a a individual or a group of individuals. It gives you an idea about the threats you are exposed to and is a good supplement to your risk assessment.

0602, 2014

DeepSec 2013 Video: Trusted Friend Attack – (When) Guardian Angels Strike

René Pfeiffer/ February 6, 2014/ Conference, Internet, Security, Stories

We live in a culture where everybody can have thousands of friends. Social media can catapult your online presence into celebrity status. While your circle of true friends may be smaller than your browser might suggest, there is one thing that plays a crucial role when it comes to social interaction: trust. Did you ever forget the password to your second favourite social media site? If so, how did you recover or reset it? Did it work, and were you really the one who triggered the „lost password“ process? In a world where few online contacts can meet each other it is difficult for a social media site to verify that the person requesting a new password is really the individual who holds the account. Facebook has introduced Trusted Friends to facilitate the identity

Read More

0502, 2014

DeepSec 2013 Video: Auditing Virtual Appliances – An Untapped Source Of 0-days

René Pfeiffer/ February 5, 2014/ Conference, Security, Stories

Appliances are being sold and used as security devices. The good thing about these gadgets is an improvement of your security (usually, YMMV as the Usenet folks used to write). The bad thing about inserting an unknown amount of code into your defence system are the yet to be discovered flaws in its logic. In the old days you have to do some reverse engineering in order to find these bugs. Modern technology bring you the Magic of the „Cloud“™ – virtual appliances! Since everything runs under a hypervisor nowadays, your appliances have been turned into binary images which can be moved around and started anywhere you like. At DeepSec 2013 Stefan Viehböck of SEC Consult spoke about the advantages of virtual appliances and their benefit for security analysis. It seems the „Cloud“ has

Read More

0402, 2014

DeepSec 2013 Video: The Economics Of False Positives

René Pfeiffer/ February 4, 2014/ Conference, Discussion, Security

Once you set up alarm systems, you will have to deal with false alarms. This is true for your whole infrastructure, be it digital or otherwise. When it comes to intrusion detection systems (IDS) you will have to deal with false positives. Since you want to be notified of any anomalies, you cannot ignore alarms. Investigating false alarms creates costs and forces you to divert efforts from other tasks of your IT infrastructure. In turn attackers can use false positives against you, if they know how to trigger them and use them in heaps. Where do you draw the line? In his presentation at DeepSec 2013 Gavin ‘Jac0byterebel’ Ewan (of Alba13 Research Labs) introduced an interesting approach to deal with false positives: „…Taking false positive figures from a number of real business entities ranging

Read More

0302, 2014

DeepSec 2013 Video: Uncovering your Trails – Privacy Issues of Bluetooth Devices

René Pfeiffer/ February 3, 2014/ Conference, Security

Devices with Bluetooth capabilities are all around us. We have all gotten used to it. Smartphones, laptops, entertainment electronics, gaming equipment, cars, headsets and many more systems are capable of using Bluetooth. Where security is concerned Bluetooth was subject to hacking and security analysis right from the start. Bluedriving, Bluejacking, cracking PIN codes, and doing more stuff severely strained the security record. Either people have forgotten Bluetooth’s past, ignore it, or have it turned off. At DeepSec 2013 Verónica Valeros and Sebastián García held a presentation which revisits the information Bluetooth devices transmit into their environment. They developed a suite to do Bluedriving more efficiently and shared their findings with the DeepSec audience. If you think Bluetooth is not a problem any more, you should take a look at their talk.

3001, 2014

DeepSec 2013 Video: Effective IDS Testing – The OSNIF’s Top 5

René Pfeiffer/ January 30, 2014/ Conference, Security

Intrusion detection systems can be a valuable defence mechanism – provided you deploy them correctly. While there are some considerations to your deployment process, these devices or software installations require some more thought before you choose a specific implementation. Testing might be a good idea. If you want to detect intruders, then it would be nice if your IDS can do the job. How do you find out? Well, in theory you could use the specifications of the IDS systems as published by the vendors/developers. In practice this information lacks the most important figure: How many intrusions can you detect in a given time frame? True, you have to deal with specific signatures of attacks, so comparing isn’t easy provided you take different sets of rules. Then again some IDS engines have their own

Read More