2502, 2014

DeepSec 2013 Video: Europe In The Carna Botnet

René Pfeiffer/ February 25, 2014/ Conference, Security

Botnets serve a variety of purposes. Usually they are used to send unsolicited e-mail messages (a.k.a. spam), attack targets by sending crafted data packets, or to perform similar activities. The Carna Botnet was created by an anonymous researcher to scan the IPv4 Internet. The creator called the botnet the Internet Census of 2012. The nodes of the botnet consist of virtually unsecured IPv4 devices – modems and other network equipment. Point of entry where mostly Telnet management interfaces exposed to the Internet. Analysing the devices that were part of the Carna Botnet is well worth the effort. This is why we invited Parth Shukla (Australian Computer Emergency Response Team, AusCERT) to present his findings about the Carna Botnet at DeepSec 2013. „A complete list of compromised devices that formed part of the Carna Botnet

Read More

2402, 2014

DeepSec 2013 Video: Future Banking And Financial Attacks

René Pfeiffer/ February 24, 2014/ Conference, Security

Predicting the future is very hard when it comes to information technology. However in terms of security analysis it is vital to keep your head up and try to anticipate what attackers might try next. You have to be as creative as your adversaries when designing a good defence. This is why we invited Konstantinos Karagiannis (BT) to DeepSec 2013.  Konstantinos has specialized in hacking banking and financial applications for nearly a decade. Join him for a look at the most recent attacks that are surfacing, along with coming threats that financial organizations will likely have to contend with soon.

2302, 2014

DeepSec 2013 Video: Pivoting In Amazon Clouds

René Pfeiffer/ February 23, 2014/ Conference

The „Cloud“ is a great place. Technically it’s not a part of a organisation’s infrastructure, because it is outsourced. The systems are virtualised, their physical location can change, and all it takes to access them is a management interface. What happens if an attacker gains control? How big is the impact on other systems? At DeepSec 2013 Andrés Riancho showed what attackers can do once they get access to the company Amazon’s root account. There is more to it than a simple login. You have to deal with EC2, SQS, IAM, RDS, meta-data, user-data, Celery, etc. His talk follows a knowledgeable intruder from the first second after identifying a vulnerability in a cloud-deployed Web application through all the steps he takes to reach the root account for the Amazon user. Regardless of how your

Read More

2202, 2014

DeepSec 2013 Video: Hack The Gibson – Exploiting Supercomputers

René Pfeiffer/ February 22, 2014/ Conference, Security

Hey, you! Yes, you there! Want to get root on thousands of computers at once? We know you do! Who wouldn’t? Then take a good look at supercomputers. They are not a monolithic and mysterious as Wintermute. Modern architecture links thousands of nodes together. Your typical supercomputer of today consists of a monoculture of systems running the same software. If you manage to break into one node, the chances are good that you have access to all nodes. That’s pretty neat. At DeepSec 2013 John Fitzpatrick and Luke Jennings of MWR InfoSecurity talked about their tests with supercomputers. Their presentation covers the research and demonstrates some of the most interesting and significant vulnerabilities they have uncovered so far. They also demonstrated exploits and previously undocumented attack techniques live so you can see how to

Read More

2102, 2014

DeepSec 2013 Video: Prism Break – The Value Of Online Identities

René Pfeiffer/ February 21, 2014/ Conference, Internet

Everything you do online creates a stream of data. Given the right infrastructure this data trails can be mined to get a profile of who you are, what you do, what your opinions are and what you like or do not like. Online profiles have become a highly desirable good which can be traded and used for business advantages (by advertising or other means). In turn these profiles have become a target for theft and fraud as well. In the digital world everything of value gets attacked eventually. Time for you to learn more about it. In his talk at DeepSec 2013 Frank Ackermann explained the value of online identities. We recommend his presentation, because it illustrates in an easily comprehensible way the value of online identities in our modern Internet relying society. It

Read More

1902, 2014

DeepSec 2013 in Pictures

René Pfeiffer/ February 19, 2014/ Conference, Stories

For those who were not present at the DeepSec 2013 conference (shame on you!) we have compiled a selection of photographs taken at the event. Static imagery cannot give you the full experience, but maybe you want to drop by in 2014! Credits and our big thank you go to our graphic designer and our photographer!

1902, 2014

DeepSec 2013 Video: Risk Assessment For External Vendors

René Pfeiffer/ February 19, 2014/ Conference

CIOs don’t like words like „third party“ and „external vendor“. Essentially this means „we have to exchange data and possibly code with organisation that handle security differently“. Since all attackers go for the seams between objects, this is where you have to be very careful. The fun really starts once you have to deal with confidential or regulated data. So how do you cope with doing this and still keeping an eye open for risk, compliance, and efficiency? Good question. At DeepSec 2013 Luciano Ferrari (Kimberly-Clark Corporation) addressed these issues in his presentation. He has developed a process that deals with global Risk Assessment and increases the trust in and the security of your data. However: Data security can only be achieved if all units of an organization cooperate – and with a change

Read More

1802, 2014

DeepSec 2013 Video: From Misconceptions To Failure – Security And Privacy In The US Cloud Computing FedRAMP Program

René Pfeiffer/ February 18, 2014/ Conference, Security

The „Cloud“ is the Fiddler’s Green of information technology. It’s a perpetual paradise built high above the ground where mortal servers and software dwell. Everyone strives to move there eventually, because once you are in digital paradise, then all your sorrows end. So much for the theory. The reality check tell a different story. This is why we invited Mikhail A. Utin (Rubos, Inc.) to DeepSec 2013. He presented an in-depth analysis of the US government’s FedRAMP programme. „…However, regardless of numerous concerns expressed by information security professionals over CC services, US government developed the FedRAMP program and got funding for moving all federal information systems into a “cloud”. As we identified, all “cloud” misconceptions have successfully made it into FedRAMP documents. What should we expect from such a large scale experiment? What will

Read More

1702, 2014

DeepSec 2013 Video: Hackanalytics – What’s hot, what’s not

René Pfeiffer/ February 17, 2014/ Conference

Penetration testing is much more than trying a couple of attacks and be done with it. The results matter, and you have to prepare them in a fashion they can be used afterwards. Putting defences to the test is not a matter of „yes, it works“ or „no, it doesn’t“. There are expectations of the customer. Furthermore you will run into situations which might not have been anticipated. Then there is the Art of Communication™. Missing means of communication or misuse of known means is widespread. At his presentation at DeepSec 2013 Alexey Kachalin put reporting and penetration testing into perspective. Listen to his talk and let himexplain you what’s hot and what’s not.

1402, 2014

DeepSec 2013 Video: CSRFT – A Cross Site Request Forgeries Toolkit

René Pfeiffer/ February 14, 2014/ Conference

While Cross Site Request Forgery (CSRF) is an attack that is primarily targeted at the end user, it still affects web sites. Some developers try to avoid it by using secret cookies or restricting clients to HTTP POST requests, but this won’t work. The usual defence is to implement unique tokens in web forms. CSRF is often underestimated, because their presence is more common than anticipated. At DeepSec 2013 Paul Amar introduced his Cross Site Request Forgeries Toolkit (CSRFT). The toolkit helps you to study and prototype CSRF interaction with web servers. Paul’s talk was one of the U21 submissions accepted at DeepSec 2013.

1102, 2014

DeepSec 2013 Video: Bypassing Security Controls With Mobile Devices

René Pfeiffer/ February 11, 2014/ Conference, Security, Stories

Controls blocking the flow of data are an important tool of defence measures. Usually you need to enforce your organisation’s set of permissions. There are even fancy gadgets available to help you cope with data loss in terms of unauthorised access. This only works in controlled environments. Fortunately the modern IT policy allows intruders to bring their own tools in order to circumvent security controls. Bring Your Own Device (BYOD) is all the fashion these days, and it really helps evading defence mechanisms. At DeepSec 2013 Georgia Weidman of Bulb Security LLC talked about what you can do with mobile devices and what you have to address when protecting your data. „…Companies are putting a lot of faith in these security mechanisms to stop the threats to mobile devices. In this talk we put

Read More

0902, 2014

DeepSec 2013 Video: The Boomerang Effect – Using Session Puzzling To Attack Apps From The Backend

René Pfeiffer/ February 9, 2014/ Conference, Security

Attacking fortified positions head on looks good on the silver screen. Real life attackers have no sense for drama and special effects. Battering closed doors will get you nowhere fast. Instead modern adversaries take a good look at open doors and exploit them to get what they want. Security specialists know about the dangers of management interfaces (also known as backends). This is one main focus of denying unauthorised access. Once a backend is exposed, the consequences can be very fatal to your digital assets. At the DeepSec 2013 conference Shay Chen (Hacktics ASC, Ernst & Young) explained how attacks originating from backends look like and what attackers can do once they gained foothold.

0802, 2014

DeepSec 2013 Video: Top 10 Security Mistakes In Software (Development)

René Pfeiffer/ February 8, 2014/ Conference, Security, Stories

Everybody makes mistakes. It’s no surprise that this statement applies to software development, too. When you deal with information security it is easy to play the blame game and say that the application developers must take care to avoid making mistakes. But how does software development work? What are the processes? What can go wrong? Answering these questions will give you an insight into ways to avoid being bitten by bugs. Peter af Geijerstam of Factor 10 talked about security mistakes in software development in his presentation held at the DeepSec 2013 conference. We recommend his presentation for everyone dealing with information security, not just software developers.

0702, 2014

DeepSec 2013 Video: Malware Datamining And Attribution

René Pfeiffer/ February 7, 2014/ Conference, Security

Popular culture totally loves forensics (judging by the number of TV shows revolving around the topic). When it comes to software a detailed analysis can be very insightful. Most malicious software isn’t written from scratch. Some components are being reused, some are slightly modified (to get past the pesky anti-virus filters). This means that (your) malware has distinct features which can be used for attribution and further analysis. In his talk at DeepSec 2013 Michael Boman explained what you do with malicious software in order to extract information about its origins. Use the traces of its authors to attribute malware to a a individual or a group of individuals. It gives you an idea about the threats you are exposed to and is a good supplement to your risk assessment.

0602, 2014

DeepSec 2013 Video: Trusted Friend Attack – (When) Guardian Angels Strike

René Pfeiffer/ February 6, 2014/ Conference, Internet, Security, Stories

We live in a culture where everybody can have thousands of friends. Social media can catapult your online presence into celebrity status. While your circle of true friends may be smaller than your browser might suggest, there is one thing that plays a crucial role when it comes to social interaction: trust. Did you ever forget the password to your second favourite social media site? If so, how did you recover or reset it? Did it work, and were you really the one who triggered the „lost password“ process? In a world where few online contacts can meet each other it is difficult for a social media site to verify that the person requesting a new password is really the individual who holds the account. Facebook has introduced Trusted Friends to facilitate the identity

Read More