0510, 2011

Talk: Alerting, Reminding, Reminding, Reminding and Releasing Vulnerability

René Pfeiffer/ October 5, 2011/ Conference

Some of you have first-hand experience with the discussions around full disclosure. Enumerating Bugtraq moderated by Aleph One, SecurityFocus and the full-disclosure mailing list is a heavily condensed view of the problem. The term full disclosure actually originates from the problems locksmiths had with weaknesses of locks. The discussion is over a hundred years old and opinion is still divided on the matter, not only among the Internet security community. So if full disclosure and its cryptographic cousin, the Kerckhoffs’s principle, was „discovered“ in the 19th century why are we still arguing about it? Thomas Mackenzie will talk about how to deal with exposing vulnerabilities in his talk at DeepSec 2011. When it comes down to releasing vulnerabilities there are no right or wrong ways to do it. The process of responsible disclosure and

Read More

0410, 2011

Talk: Ground BeEF – Cutting, devouring and digesting the legs off a Browser

René Pfeiffer/ October 4, 2011/ Conference

Web browsers have turned into industrial standard software. There’s no office, no company, no network, no client any more that does not use web browsers for at least one task. Any attacker can safely assume that browser software will be present in most target networks. Sadly browser security has not kept up with the spread of web browsing software. Browser security is still one of the trickiest challenges to afford nowadays. A lot of efforts has been spent on mitigating browser exploitation from heap and stack overflows, pointers dereference and other memory corruption bugs. On the other hand there is still an almost unexplored landscape. X-Frame-Options, X-XSS-Protection, Content Security Policy, DOM sandboxing are good starting points to mitigate the XSS plague, but they are still not widely implemented. An explorer willing to look for

Read More

0110, 2011

Talk: Patching Vehicle Insecurity

René Pfeiffer/ October 1, 2011/ Conference

The good old car has turned into a high-tech computing device. Researchers of the Freie Universität Berlin have recently tested a car without a driver. Scientists sat in the back seat while the car travelled 80 km in total on roads through Berlin and Brandenburg. An advertisement of a car company proudly touts: The road is not exactly a place of intelligence.…This is why we engineered a car that analyzes real-time information, reads your handwriting, and makes 2,000 decisions every second. With 2,000 decisions per second there’s no way a human can cancel or correct decisions in time. Modern cars heavily rely on self-contained embedded controllers interfacing with an array of sensors. These controllers are connected to diagnostic systems, throttle, transmission, brakes, speedometer, climate and lighting controls, external lights, entertainment systems, navigation subsystem, and

Read More

2909, 2011

Talk: Why the Software we use is designed to violate our Privacy

René Pfeiffer/ September 29, 2011/ Conference

Most of us are used to take advantage of  the fruits of the Web 2.0. There is web e-mail, online backups, social networking, blogs, media sharing portals (for audio/video), games, instant messaging and more – available for private and corporate users. A lot of sites offer their services for free (meaning without charging anything), thus increasing the number of accounts created. Nevertheless you pay something. You are being mined for information and data. Some of these products collect our data directly. In such cases, the exchange of user data for free services is well known, at least to many savvy users. However, many other products do not collect our private data. Instead, they quietly facilitate and enable data collection by other parties. It all depends on the business model. Of course most portals and

Read More

2809, 2011

Workshop: Social Engineering for IT Security Professionals

René Pfeiffer/ September 28, 2011/ Conference

Social Engineering engagements can appear to be easy, especially to someone who already has experience in the Information Security industry.  All InfoSec consultants have experienced situations where they’ve been let into a meeting or to perform an onsite engagement without the correct paperwork or permission, and we’ve all heard the stories of successful Social Engineering assignments.  Combined with frequent news stories on the success of spear phishing and „blagging“ it can seem as though the simplest of attacks will inevitably compromise a target. However selling, scoping, executing and reporting on regular Social Engineering engagements requires a thorough understanding of the processes, techniques and risks involved, as well as the concepts and issues around Social Engineering in general.  With that understanding you can ensure that you have those stories to tell to your peers, and

Read More

2309, 2011

Workshop: Web Hacking – Attacks, Exploits and Defence

René Pfeiffer/ September 23, 2011/ Conference

In 2011 we have seen a lot of articles about „cyber“ attacks in the media. Judging from the media echo it looks as if a lot of servers were suddenly compromised and exploited for intruding into networks. While attacks usually take advantage of weaknesses in software, servers do not develop vulnerabilities over night. Most are on-board by design, by accident or by a series of mistakes. The first line of defence are web applications. Every modern company has a web site or uses web portals. Attackers know this and look for suitable attack vectors. If you want to improve your security, you have to start right at this first line. This is why we recommend the workshop Web Hacking – Attacks, Exploits and Defence by Shreeraj Shah & Vimal Patel of Blueinfy Solutions. As

Read More

2109, 2011

Talk: Intelligent Bluetooth fuzzing – Why bother?

René Pfeiffer/ September 21, 2011/ Conference, Security

Bluetooth devices and software implementations have been a fruitful playground for security researchers for years. You probably remember the PoC code from the trinifite.group and other bugs dragged out into the open. Riding public transport often led to Bluetooth scanning with tools such as Blooover. But that’s all past and gone. Software has evolved. Developers have learned. Modern quality assurance won’t let this happen again. Sadly this is fiction. Tommi Mäkilä has some stories to share about the state of Bluetooth: „Bluetooth robustness is wretched, no surprise there. Bluetooth test results from plugfests show 80% failure rate, eight out of ten tests end with a crash. It is not pretty, it is sad and frustrating. For a moment, few years back, there seemed to be light at the end of the tunnel: the failures

Read More

2009, 2011

Talk: IT Security Compliance Management can be done right

René Pfeiffer/ September 20, 2011/ Conference

Your IT infrastructure needs more than hardware or software. If your IT landscape is big enough you already know that. The question how to tackle compliance management remains. What kind of internal and external controls from regulations and other sources are there? What is IT-Risk and IT-Compliance management? Why and for whom does it matter? How can we handle it and how does compliance aggregation fit into the picture? First of all, you need to know whats in your environment, what assets your organisation consists of. How do you want to protect something if you don’t know it exists? Also make sure you know where it is. Charting the access paths to data is not a trivial task. Then you need to know the risk appetite of your company. How much risk are you

Read More

1909, 2011

Talk: Windows Pwn 7 OEM – Owned Every Mobile?

René Pfeiffer/ September 19, 2011/ Conference

Windows Phone is an operating system for mobile phones. Similar to other operating systems it has security features such as sandboxing applications, APIs for exchanging data across applications and isolation of storage built in. It also offer methods for encrypting data on the phone itself. There’s more documentation out in the Internet or directly available at Microsoft’s web site. So, this is good, right? In theory, yes. In practice currently very little public information is available about Windows Phone 7 OS security preventing adequate determination of the risk exposed by WP7 devices. This does not refer to the documentation. It’s all about assessing risks, and risk assessment can’t be done by looking at APIs. Alex Plaskett will talk about WP7 security in-depth. He will address the ever increasing challenges and stages of exploitation an

Read More

1809, 2011

Talk: How To Rob An Online Bank And Get Away With It

René Pfeiffer/ September 18, 2011/ Conference

We’ve all heard of – or have even been a victim of – attacks against online banking users where malware on their computers stole their identities and transferred their money to offshore mules’ accounts. While such attacks are still possible and will probably remain a viable threat, they suffer from severe limitations: the loot is limited by the amount of money on victims’ accounts, attacks only work against more gullible people and banks are employing security measures that make identity theft increasingly difficult. From the attacker’s point of view this is very undesirable. These factors create incentive for criminals to focus on online banking servers. Incidentally, that’s where – as famous bank robber Willie Sutton might say – all the money is. Now, Mr. Sutton lived in the times of physical currency and had

Read More

1509, 2011

Talk: Reassemble or GTFO! – IDS Evasion Strategies

René Pfeiffer/ September 15, 2011/ Conference

Ever since network intrusion technology was introduced, attackers have tried to evade detection. The tactics for evasion changed over time, but there really was no point in the past when evasion was not discussed. This is especially true for all things HTTP, because web applications transmit a rich set of data between server and client (and vice versa). The aim of evasion is to confuse the sensor and to thwart the inspection process itself. Designers have come up with ways to normalise data by reassembly of packets or rewriting content to establish matching with a baseline in terms of data formatting. Attackers usually supply data to an IDS that will never be factored in at the receiving end (evasion by insertion), or by confusing an IDS’s very process of reconstructing the data stream. The attacks

Read More

1409, 2011

Talk: An online Game Trojan Framework from China Underground Market

René Pfeiffer/ September 14, 2011/ Conference

Malware infecting computers always serves a purpose. Zombies, as infected systems are called, usually connect to a Command & Control channel and receive their orders from the owners of the zombie herd. Malicious software can also be used as a tool for retrieving information. Some of these tools are specialised and look for specific data such as login credentials. At DeepSec 2011 Hermes Li will explain how a trojan horse designed for stealing user information is installed, how it works and give a short introduction into the Chinese underground market. The talk will also discuss parts of the code, DLL injection and the packer encryption. There is a market for most stolen data. When it comes to games there is even real money in data trafficking. In-game goods (items, currencies, …) can be sold,

Read More

1309, 2011

Talk: Do They Deliver – Practical Security and Load Testing of Cloud Service Providers

René Pfeiffer/ September 13, 2011/ Conference

No technology has produced more hot air and confusion than All Things Cloud™. This is not meant to be the introduction for yet another rant. It serves to illustrate what happens when you talk about complex infrastructure and use too much simplification. The Cloud infrastructure is no off-the-shelf gadget you can buy by the dozen, (virtually) connect and put on-line. It may be bigger, it may handle more load that your own infrastructure, and it may be more secure. The problem is how do you do find out? What metric tells you this? How do you compare and evaluate? This is where you might need some new tools. Matthias Luft, a security consultant at ERNW, will address this problem in his talk. …To provide a toolset for measuring potential profits for performing this shift,

Read More

1209, 2011

Workshop: The Art of Exploiting Injection Flaws

René Pfeiffer/ September 12, 2011/ Conference

If you have ever developed a web application you know that attackers try to exploit requests to the web server in order to inject commands sent to a database server. This attack is called SQL injection. It is done by modifying data sent through web forms or parameters that are part of a request to a web server. In theory web developers learn to avoid mistakes leading to SQL injection. In practice not every developer has the skill or the tools to prevent SQL injection due to lack of knowledge. Validating data can be hard if the data is badly defined or if the building blocks of the web application do not offer ways to normalise or sanitise data. Most developers might not even know if the frameworks they are using protects them or

Read More

1009, 2011

Workshop: Attacks on GSM Networks

René Pfeiffer/ September 10, 2011/ Conference

The topic of GSM networks has been discussed at past DeepSec conferences right from the very first event in 2007. Recent years saw a significant increase of research in GSM attacks: The weaknesses of A5/1 encryption have been demonstrated and exploited, several GPRS networks in Europe have been shown to be insecure, and an ever-growing number of Open Source projects in the area of GSM and GPRS are gaining significant attraction. Despite the availability of attack methods, the tools are often hard to use for security professionals due to their limited documentation. The published attacks are often difficult to reimplement when assessing the vulnerability of GSM networks. This is exactly why DeepSec 2011 offers a two-day training on attacking GSM networks. Attendees will spend about half the time re-visiting the key aspects of GSM’s

Read More