2009, 2011

Talk: IT Security Compliance Management can be done right

René Pfeiffer/ September 20, 2011/ Conference

Your IT infrastructure needs more than hardware or software. If your IT landscape is big enough you already know that. The question how to tackle compliance management remains. What kind of internal and external controls from regulations and other sources are there? What is IT-Risk and IT-Compliance management? Why and for whom does it matter? How can we handle it and how does compliance aggregation fit into the picture? First of all, you need to know whats in your environment, what assets your organisation consists of. How do you want to protect something if you don’t know it exists? Also make sure you know where it is. Charting the access paths to data is not a trivial task. Then you need to know the risk appetite of your company. How much risk are you

Read More

1909, 2011

Talk: Windows Pwn 7 OEM – Owned Every Mobile?

René Pfeiffer/ September 19, 2011/ Conference

Windows Phone is an operating system for mobile phones. Similar to other operating systems it has security features such as sandboxing applications, APIs for exchanging data across applications and isolation of storage built in. It also offer methods for encrypting data on the phone itself. There’s more documentation out in the Internet or directly available at Microsoft’s web site. So, this is good, right? In theory, yes. In practice currently very little public information is available about Windows Phone 7 OS security preventing adequate determination of the risk exposed by WP7 devices. This does not refer to the documentation. It’s all about assessing risks, and risk assessment can’t be done by looking at APIs. Alex Plaskett will talk about WP7 security in-depth. He will address the ever increasing challenges and stages of exploitation an

Read More

1809, 2011

Talk: How To Rob An Online Bank And Get Away With It

René Pfeiffer/ September 18, 2011/ Conference

We’ve all heard of – or have even been a victim of – attacks against online banking users where malware on their computers stole their identities and transferred their money to offshore mules’ accounts. While such attacks are still possible and will probably remain a viable threat, they suffer from severe limitations: the loot is limited by the amount of money on victims’ accounts, attacks only work against more gullible people and banks are employing security measures that make identity theft increasingly difficult. From the attacker’s point of view this is very undesirable. These factors create incentive for criminals to focus on online banking servers. Incidentally, that’s where – as famous bank robber Willie Sutton might say – all the money is. Now, Mr. Sutton lived in the times of physical currency and had

Read More

1509, 2011

Talk: Reassemble or GTFO! – IDS Evasion Strategies

René Pfeiffer/ September 15, 2011/ Conference

Ever since network intrusion technology was introduced, attackers have tried to evade detection. The tactics for evasion changed over time, but there really was no point in the past when evasion was not discussed. This is especially true for all things HTTP, because web applications transmit a rich set of data between server and client (and vice versa). The aim of evasion is to confuse the sensor and to thwart the inspection process itself. Designers have come up with ways to normalise data by reassembly of packets or rewriting content to establish matching with a baseline in terms of data formatting. Attackers usually supply data to an IDS that will never be factored in at the receiving end (evasion by insertion), or by confusing an IDS’s very process of reconstructing the data stream. The attacks

Read More

1409, 2011

Talk: An online Game Trojan Framework from China Underground Market

René Pfeiffer/ September 14, 2011/ Conference

Malware infecting computers always serves a purpose. Zombies, as infected systems are called, usually connect to a Command & Control channel and receive their orders from the owners of the zombie herd. Malicious software can also be used as a tool for retrieving information. Some of these tools are specialised and look for specific data such as login credentials. At DeepSec 2011 Hermes Li will explain how a trojan horse designed for stealing user information is installed, how it works and give a short introduction into the Chinese underground market. The talk will also discuss parts of the code, DLL injection and the packer encryption. There is a market for most stolen data. When it comes to games there is even real money in data trafficking. In-game goods (items, currencies, …) can be sold,

Read More

1309, 2011

Talk: Do They Deliver – Practical Security and Load Testing of Cloud Service Providers

René Pfeiffer/ September 13, 2011/ Conference

No technology has produced more hot air and confusion than All Things Cloud™. This is not meant to be the introduction for yet another rant. It serves to illustrate what happens when you talk about complex infrastructure and use too much simplification. The Cloud infrastructure is no off-the-shelf gadget you can buy by the dozen, (virtually) connect and put on-line. It may be bigger, it may handle more load that your own infrastructure, and it may be more secure. The problem is how do you do find out? What metric tells you this? How do you compare and evaluate? This is where you might need some new tools. Matthias Luft, a security consultant at ERNW, will address this problem in his talk. …To provide a toolset for measuring potential profits for performing this shift,

Read More

1209, 2011

Workshop: The Art of Exploiting Injection Flaws

René Pfeiffer/ September 12, 2011/ Conference

If you have ever developed a web application you know that attackers try to exploit requests to the web server in order to inject commands sent to a database server. This attack is called SQL injection. It is done by modifying data sent through web forms or parameters that are part of a request to a web server. In theory web developers learn to avoid mistakes leading to SQL injection. In practice not every developer has the skill or the tools to prevent SQL injection due to lack of knowledge. Validating data can be hard if the data is badly defined or if the building blocks of the web application do not offer ways to normalise or sanitise data. Most developers might not even know if the frameworks they are using protects them or

Read More

1009, 2011

Workshop: Attacks on GSM Networks

René Pfeiffer/ September 10, 2011/ Conference

The topic of GSM networks has been discussed at past DeepSec conferences right from the very first event in 2007. Recent years saw a significant increase of research in GSM attacks: The weaknesses of A5/1 encryption have been demonstrated and exploited, several GPRS networks in Europe have been shown to be insecure, and an ever-growing number of Open Source projects in the area of GSM and GPRS are gaining significant attraction. Despite the availability of attack methods, the tools are often hard to use for security professionals due to their limited documentation. The published attacks are often difficult to reimplement when assessing the vulnerability of GSM networks. This is exactly why DeepSec 2011 offers a two-day training on attacking GSM networks. Attendees will spend about half the time re-visiting the key aspects of GSM’s

Read More

0809, 2011

Talk: SMS Fuzzing – SIM Toolkit Attack

René Pfeiffer/ September 8, 2011/ Conference

We’re pretty sure that you own a mobile phone and that you send and receive text messages. Do you feel at risk or somehow threatened? If not, then you might want to reconsider your opinion. Cell phones, no matter if dumb or smart, are always connected to the mobile phone network. This means that they can receive messages and commands from the network. The security of GSM has already been explored in past DeepSec conferences. There’s a chance that you are prone to attacks. Let’s stick to text messages. At DeepSec 2011 we will show how to make a phone send an SMS message without the user’s consent and how to make the phone not to receive any message. The method used works on any phone, no matter if it’s a smartphone or not

Read More

0709, 2011

Talk: Insight Into the Russian Black Market

René Pfeiffer/ September 7, 2011/ Conference

You have all heard the term cybercrime, and you have heard about all things cybercrime – stolen credentials, data theft, fraud, blackmail and more. You may have heard the there are markets for goods connected to computer crime. You may have heard that there’s a lot of money in it (enough to pay off the national debts of most states including the USA, if you total all reports on damages by cybercrime). As usual the problems lie in connecting the dots. What are the mechanisms behind these black markets? What are the goods? Who pays for them and by which means? Surely you cannot just walk into a chat room, drop your credit card number and part with the digital loot, or can you? What if you end up being a trade object yourself?

Read More

0609, 2011

Talk/Workshop: IPv6 Security In-Depth

René Pfeiffer/ September 6, 2011/ Conference

The tale of two protocol suites has been being written for some time now. The IPv4 Internet has run out of fresh addresses. The IPv6 deployment has begun, but it will take some time before IPv4 is completely phased out (if ever). The work on the IPv6 protocol started in the early 1990s with the temporary IP Next Generation Working Group, collecting proposals. In theory IPv6 addresses many shortcomings of IPv4 and consists of a thoroughly well-designed protocol suite with security in mind. In practice you will neither just switch to IPv6 nor skip the step where you consider the security implications. There is no zero conf mechanism when it comes to security. All businesses need to know what the security impact of IPv6 really is. Some networks have already deployed IPv6, others think

Read More

0509, 2011

Talk: The Management of IT Threats. European Digital Agenda’s Weakness

René Pfeiffer/ September 5, 2011/ Conference

In case you haven’t heard about it, there is a digital agenda for the coming decade, developed by the European Commission. Cited from the web site: Europe 2020 is the EU’s growth strategy for the coming decade. In a changing world, we want the EU to become a smart, sustainable and inclusive economy. These three mutually reinforcing priorities should help the EU and the Member States deliver high levels of employment, productivity and social cohesion. Concretely, the Union has set five ambitious objectives – on employment, innovation, education, social inclusion and climate/energy – to be reached by 2020. Each Member State has adopted its own national targets in each of these areas. Concrete actions at EU and national levels underpin the strategy. The strategy includes a strong coordination between public and private institutions, located

Read More

0109, 2011

Talk (U21): Solving Social Engineering Attacks

René Pfeiffer/ September 1, 2011/ Conference

You’ve heard about social engineering. You know your weakest links. You have the task of defending your network against intruders. You know how to do this with your web applications, networks, clients and servers. All these things have neat classifications of attacks, best practice lists and lots of other resources. What about social engineering? How do you keep the wrong people out and your critical information in? How do you classify the attacks? Toby Foster of the University of York, student of Computer Science and intern at First Defence Information Security, tries to address this problem by talking about modelling and categorising and solving the attacks: „There are many definitions of social engineering; almost every book or website on the subject has a different definition. Probably the only consistent point is that it relies

Read More

3108, 2011

Talk: How Terrorists Encrypt

René Pfeiffer/ August 31, 2011/ Conference

Encryption technology has always been regarded as a weapon, due to its uses in wars and espionage. Software used for encryption was banned for export to other countries in the US. The export regulations for strong cryptography were relaxed in 1996. Some countries still consider cryptographic software as a threat. Recently there have been discussions in the USA again about controlling access to encrypted communication channels. The United Arab Emirates, Indonesia, India, and Saudi-Arabia legally attacked the BlackBerry’s strong encryption of the BlackBerry Messenger Service. Encrypted messaging was discussed in UK after the riots in August. Pakistan has banned all encryption and requires users to apply for a permit. Usually the proponents of regulations claim that terrorists and cybercrime are heavy users of strong cryptography. So how do terrorists really encrypt? Are there software

Read More

3108, 2011

Talk/Workshop: SAP Security In-Depth

René Pfeiffer/ August 31, 2011/ Conference

No two SAP deployments are the same. If you run an SAP environment, then you will most certainly use customisations and a multi-tier architecture. You will have tied your SAP deployment to your assets. The typical setup features Development, Quality Assurance and Production (which is the minimal amount of tiers, you may have more). While the development and IT staff mainly interacts with Development and Quality Assurance environments, the organisation’s end-user only connects to the Production systems in order to undertake the required business processes. As soon as security considerations come into play you will probably audit your infrastructure. Since auditors cost money most SAP deployments won’t be scrutinised completely. And then you are in trouble despite passing tests with flying colours. Using short-cuts is the best way to run into trouble. Consider your multi-tier

Read More