2710, 2011

Talk: The Security of non-executable Files

René Pfeiffer/ October 27, 2011/ Conference

Recent security incidents push the imagination of some people to the limits. On today’s menu are U.S. Government satellites (done before albeit with a different vector), insulin pumps, automatic teller machines, smartphones linked to cars, and even vending machines in wilderness resort parks. What’s next? Executing code by the use of postcards or printed newspapers? Exactly! You probably recognise this phrase: „This is a data file, it can never be executed as code.“ It’s nice to think of bits and bytes neatly separated into code and data. In fact some security models encourage this approach. In practice data tells a different story. You have very elaborate document and data formats with thousands of pages of specification. PDF, rich media and office documents are way more complex than you might think. This is why Daniel

Read More

2610, 2011

Talk: FakeAntiVirus – Journey from Trojan to a Persisent Threat

René Pfeiffer/ October 26, 2011/ Conference

You run the latest software defending you against malicious code. You have your best filters deployed. Your firewalls are tight as granite. Your crypto is flawless. Your authentication is watertight. But you’re still being attacked and have probably been compromised. What happened? There’s always the attack vector through social engineering. Combine this with a web site or a dialogue box that warns your staff about a potential security breach and tricks them into installing code manually, most commonly by disguising as Anti Virus software (hence the name FakeAntiVirus). Infection can be done by browser plug-in / add-on (think toolbars or other convenient items) or more complex means. Once the tool is installed, it takes control of your system(s), phones home or does other tasks as told by its new owner. Provided the cover is

Read More

1710, 2011

Talk: Behavioral Security: 10 steps forward 5 steps backward

René Pfeiffer/ October 17, 2011/ Conference

How do you distinguish good from evil? Have you ever asked yourself this question? In order to avoid diving into philosophy let’s translate evil to harmful and good to harmless. What’s your strategy to find out if something is harmful or harmless? When it comes to food maybe you try a small bit and gradually increase the dose. This strategy fails for software since you cannot install a bit of code and install more if everything looks ok. Analysing the behaviour is the next analogy in line. Behavioural analysis is well-known to anthropologists, psychologists and most human resources departments. Does is work for code, too? If you look at your security tools you will probably find tools that use a rule-based approach; then there are signatures and some tools offer to detect/decide based on

Read More

1610, 2011

Talk: Extending Scapy by a GSM Air Interface

René Pfeiffer/ October 16, 2011/ Conference

Scapy is the „Swiss Army tool“ among security software. Scapy is a powerful interactive packet manipulation program. It is used for scanning, probing, testing software implementations, tracing network packets, network discovery, injecting frames, and other tasks. So it’s a security power tool useful for a lot of tasks in security research. Wouldn’t it be nice to add some capabilities on layer 3 of the Global System for Mobile Communications (GSM) protocol? This layer covers the UM interface that connects mobile network clients over the air interface to the base stations. Capturing packets on this link alone would be a great benefit to security researchers. Laurent ‘kabel’ Weber of the Ruhr-Universität Bochum will talk about „Extending Scapy by a GSM Air Interface and Validating the Implementation Using Novel Attacks“ at DeepSec 2011. Laurent’s talk describes the enhancement

Read More

1410, 2011

Talk: Design and Implementation of a Secure Encryption-Layer for Skype Voice-Calls

René Pfeiffer/ October 14, 2011/ Conference

You probably use communication tools that transport the voice/messaging data over the Internet. We’re not speaking about e-mail, but about recent software of the information age – Skype. Skype is widely used for audio/video chats around the world. Its security is shrouded in proprietary mystery and many urban legends exist. In 2006 Philippe Biondi and Fabrice Desclaux analysed the Skype network and its security in their talk „Silver Needle in the Skype“. Since end users can neither create their own cryptographic keys nor see the ones that are actually used, the network has always the capability of eavesdropping on calls. It is not clear if this capability is used or abused at all, but the risk is present. As with eavesdropping in mobile phone networks the communication partners will be totally oblivious, and neither

Read More

1310, 2011

Mobile Phone Calls as Security Risk

René Pfeiffer/ October 13, 2011/ Conference, Security

Do you rely on your mobile phone? Do you frequently call someone or get called? Do you transmit messages or data across mobile phone networks? Maybe you shouldn’t unless you use additional security layers since mobile phone networks must be regarded as a security risk. Karsten Nohl of Security Research Labs has taken a look at Austrian mobile networks. The result is a wake-up call for companies and individuals alike. According to Nohl the local Austrian providers A1/Mobilkom, T-Mobile Österreich und Orange have not updated their networks as other operators in Europe have already. He explained that there is no sign of any additional hardening. The transmissions of mobile phone network clients can be intercepted and decrypted with very little technical effort. The networks still use the A5/1 encryption standard which has been repeatedly

Read More

1210, 2011

Workshop: Social Engineering for IT Security Professionals

René Pfeiffer/ October 12, 2011/ Conference

Social Engineering has been around for a long time and predates the Internet. The method of the Nigerian scams today dates back to the 16th century. It is much more widespread today. Social networking sites supply attackers with a rich source of information. They may even get hold of confidential information without any effort (as the Robin Sage experiment has shown). Directed attacks such as spear-phishing can have a high impact. The use of deception or impersonation to gain unauthorised access to sensitive information or facilities is a persistent threat to your company or organisation, provided you communicate with the outside world. Since computer security is becoming more sophisticated, hackers are combining their technical expertise with social engineering to gain access to sensitive information or valuable resources in your organisation. Social engineering attacks can

Read More

1010, 2011

Talk: Identity X.0 – Securing the Insecure

René Pfeiffer/ October 10, 2011/ Conference

Identities are important. You might already know this, but in the times of heavily meshed web applications and users moving between different web sites keeping track of a client’s identity can be difficult. Moreover it’s not just about identities but also about transporting account/user attributes by various protocols and standards between various applications. You might remember Microsoft Wallet/Passport which is now Windows Live ID. OpenID defines an open standard about authenticating an user by using a decentralized architecture. OAuth is another open standard, handling authorization and it is widely used by small and large organizations such as Yahoo! and Twitter. So where’s the security? How resilient are these protocols against attacks? Khash Kiani will address these questions in his presentation titled Identity X.0 – Securing the Insecure. His talk focuses on some of these

Read More

0710, 2011

Talk: Human Factors Engineering for IT Security

René Pfeiffer/ October 7, 2011/ Conference

Members of IT staff love acronyms such as RTFM, PEBKAC, PICNIC and ID-10T error. These will often be mentioned when human factors are playing a key role. If you dig deeper and analyse typical situations where human errors are involved, then you will have to deal with user interfaces (UIs) and technical documentation. It’s easy to blame operators (it doesn’t matter if you look at end user, power users or IT staff) even if UIs or manuals have failed before the human erred. This is exactly why the talk Human Factors Engineering for IT Security of Peter Wolkerstorfer (Center of Usability Research and Engineering, CURE) will focus on the human factor in the context of operating security tools by UI. The user is often the weakest link in the chain and this fact has to

Read More

0610, 2011

Talk: Armageddon Redux – The Changing Face of the Infocalypse

René Pfeiffer/ October 6, 2011/ Conference, High Entropy

DeepSec has a tradition of holding a „night talk“. This is the last talk on the first day, just before the Speaker’s Dinner. Don’t let the expectation of good Austrian food fool you. Morgan Marquis-Boire will serve you an appetiser which may be hard to digest: Armageddon Redux The talk is a follow-up on Morgan’s Fear, Uncertainty and the Digital Armageddon talk held at DeepSec 2008. During the past years security researchers have been warning about attacks on fundamental infrastructure. The ghosts and dæmons haunting SCADA systems lead to scary scenarios portraying a failing civilisation. At the time, there was significant worry about the danger that digital sabotage posed to the systems that run our everyday lives. Take a look at the recent Tōhoku earthquake and tsunami in Japan and its impact on industrial control

Read More

0510, 2011

Talk: Alerting, Reminding, Reminding, Reminding and Releasing Vulnerability

René Pfeiffer/ October 5, 2011/ Conference

Some of you have first-hand experience with the discussions around full disclosure. Enumerating Bugtraq moderated by Aleph One, SecurityFocus and the full-disclosure mailing list is a heavily condensed view of the problem. The term full disclosure actually originates from the problems locksmiths had with weaknesses of locks. The discussion is over a hundred years old and opinion is still divided on the matter, not only among the Internet security community. So if full disclosure and its cryptographic cousin, the Kerckhoffs’s principle, was „discovered“ in the 19th century why are we still arguing about it? Thomas Mackenzie will talk about how to deal with exposing vulnerabilities in his talk at DeepSec 2011. When it comes down to releasing vulnerabilities there are no right or wrong ways to do it. The process of responsible disclosure and

Read More

0410, 2011

Talk: Ground BeEF – Cutting, devouring and digesting the legs off a Browser

René Pfeiffer/ October 4, 2011/ Conference

Web browsers have turned into industrial standard software. There’s no office, no company, no network, no client any more that does not use web browsers for at least one task. Any attacker can safely assume that browser software will be present in most target networks. Sadly browser security has not kept up with the spread of web browsing software. Browser security is still one of the trickiest challenges to afford nowadays. A lot of efforts has been spent on mitigating browser exploitation from heap and stack overflows, pointers dereference and other memory corruption bugs. On the other hand there is still an almost unexplored landscape. X-Frame-Options, X-XSS-Protection, Content Security Policy, DOM sandboxing are good starting points to mitigate the XSS plague, but they are still not widely implemented. An explorer willing to look for

Read More

0110, 2011

Talk: Patching Vehicle Insecurity

René Pfeiffer/ October 1, 2011/ Conference

The good old car has turned into a high-tech computing device. Researchers of the Freie Universität Berlin have recently tested a car without a driver. Scientists sat in the back seat while the car travelled 80 km in total on roads through Berlin and Brandenburg. An advertisement of a car company proudly touts: The road is not exactly a place of intelligence.…This is why we engineered a car that analyzes real-time information, reads your handwriting, and makes 2,000 decisions every second. With 2,000 decisions per second there’s no way a human can cancel or correct decisions in time. Modern cars heavily rely on self-contained embedded controllers interfacing with an array of sensors. These controllers are connected to diagnostic systems, throttle, transmission, brakes, speedometer, climate and lighting controls, external lights, entertainment systems, navigation subsystem, and

Read More

2909, 2011

Talk: Why the Software we use is designed to violate our Privacy

René Pfeiffer/ September 29, 2011/ Conference

Most of us are used to take advantage of  the fruits of the Web 2.0. There is web e-mail, online backups, social networking, blogs, media sharing portals (for audio/video), games, instant messaging and more – available for private and corporate users. A lot of sites offer their services for free (meaning without charging anything), thus increasing the number of accounts created. Nevertheless you pay something. You are being mined for information and data. Some of these products collect our data directly. In such cases, the exchange of user data for free services is well known, at least to many savvy users. However, many other products do not collect our private data. Instead, they quietly facilitate and enable data collection by other parties. It all depends on the business model. Of course most portals and

Read More

2809, 2011

Workshop: Social Engineering for IT Security Professionals

René Pfeiffer/ September 28, 2011/ Conference

Social Engineering engagements can appear to be easy, especially to someone who already has experience in the Information Security industry.  All InfoSec consultants have experienced situations where they’ve been let into a meeting or to perform an onsite engagement without the correct paperwork or permission, and we’ve all heard the stories of successful Social Engineering assignments.  Combined with frequent news stories on the success of spear phishing and „blagging“ it can seem as though the simplest of attacks will inevitably compromise a target. However selling, scoping, executing and reporting on regular Social Engineering engagements requires a thorough understanding of the processes, techniques and risks involved, as well as the concepts and issues around Social Engineering in general.  With that understanding you can ensure that you have those stories to tell to your peers, and

Read More