2108, 2016

Transforming Secure Coding into Secure Design

René Pfeiffer/ August 21, 2016/ Discussion, High Entropy, Security

Secure Coding is the way to go when you develop applications for the real world. Rename errors and bugs into failures. Turn #fail to #win. Instant karma. In addition there are lots of best practices, checklists, and documents around that will tell you what to anticipate. However the design of an application precedes the code itself. Given the scope and purpose of your product implementing security at the coding stage might be too late. Let us consider an example. The Internet of Things (IoT) is all around us, especially in the information security news sections. While connecting devices to make one’s life easier isn’t a bad idea (just think about writing this article on a networked device and you reading it! Cool, eh?), the connecting parts and the security design should be sound. Smart

2107, 2016

A Perspective on Code and Components – assert(), don’t assume()

René Pfeiffer/ July 21, 2016/ Development, Discussion, High Entropy

Have you ever looked closely at the tools you use on a daily basis? Taking things apart and putting them back together is an integral part of understanding the universe. Scientists do it all of the time (well, at least some do, there are things that can’t be put together easily once taken apart). So lets focus on components and how they interact. ASN.1 and libraries that deal with it are popular components. Few people get a kick out of ASN.1, so they use code that does it. It’s just an example for parts that handle data being sent to and received from other systems. We live in a networked world, so communication is a crucial part of modern software. So to use business lingo: Most software works by delegating tasks to third-party code.

2107, 2016

Intelligence on the Silver Screen: A Good American Kickstarter Campaign

René Pfeiffer/ July 21, 2016/ Discussion, High Entropy, Security Intelligence

Surveillance has a bad reputation. No one likes to be watched. Yet infosec researchers, sysadmins, and developers talk a lot about log files. We need to watch stuff for various reasons. You got your mail logs, diagnostic messages, performance metrics, network addresses, and more painstakingly sorted by timestamps and maybe geolocation. Log data is part of information technology. It gets interesting once you store, process and mine this data. Some people like to collect it all and do all kinds of Big Data stuff with it. Others filter out the relevant bits of information and work with that. Opinion is divided, results may vary. Enter A Good American, the documentary which was screened in Vienna during the DeepSec 2015 conference. It has been shown all over the world. The film itself is fully funded,

1106, 2016

BSidesLND2016 Rookie Track Review

René Pfeiffer/ June 11, 2016/ Discussion, Security, Stories

Sitting through the Rookie Track at BSidesLondon is something we really enjoy. This year the quality of the presentations was amazing. Of course, the rookie’s mentors take a part of the blame for that. Good training gives you always a head start. Nevertheless someone has to stand in front of the crowd and fill the 15 minutes slot with content. All rookies did a good job. It was hard to pick a clear winner. The jury took more than three iterations to find a conclusion. Locard made it, and we welcome him to DeepSec 2016 in November. Honourable mentions go to @Shlibness, @Oxana_Sereda and @callygarr. For you we have some thoughts on the presentations we saw and on the methods being used. Think of your presentation as code. Make it lean and mean. It’s

2005, 2016

BSidesLondon 2016 – Rookie Track Edition

René Pfeiffer/ May 20, 2016/ Conference, Discussion

The Security BSides London 2016 is coming up. Next month you will have the chance to see presentations all around topics in information security. The schedule will be published soon. Gathering from the talks of past events you will not be disappointed. We will be present to watch over the Rookie Track. Young talents in terms of presentation experience will tell you about selected subjects covering security issues on software, administration, policies, hardware, or social interaction. The Rookie Track is unique among InfoSec events. It is a stage where the presenters can tell their ideas to an audience. They are supported by mentors who guide the content and the presenter from idea to the 15 minutes on stage. The Rookie Track was born out of the fact that a lot of people in information

1805, 2016

The Didactic Side of Information Security

René Pfeiffer/ May 18, 2016/ Discussion, High Entropy

Explaining complicated topics with a lot of dependencies is hard. Even the operation of devices such as computers, telephones, or cloud(ed) applications can’t be described in a few sentences. Well, you can, if you use the tried and true lie-to-children method coined by Jack Cohen and Ian Stewart. If you really want to dive into a subject, you need a good start and a tour guide who knows where the terrain gets rough and helps you through it. Information technology and its security is hard to learn. The basics are surprisingly simple. Once you get to the implementation and the actual parts that need to be touched, it gets a lot more complicated. Modern IT combines various technologies, most taken from computer science, others taken from other fields of research. The starting point defines

0104, 2016

FBI, NSA, DoD and CDC join forces to combat Cyber Pathogens

René Pfeiffer/ April 1, 2016/ Discussion, High Entropy

The world economy is threatened by a new strain of microorganisms. These so-called cyber pathogens spread via networks and the touch of digital devices. They can also lie dormant for days and months, only to spring to life when the victim’s immune system is at its weakest point. It is widely believed that cyber pathogens can infect the population of a whole country and wipe it completely off the grid of the Earth. Current antidotes can only treat the symptoms. The best way to get rid off the pathogens is to resort to physical means and destroy every surface it can cling to. Amputation of infected tissue also works. Unless security researchers will find a suitable vaccination soon, every single one of us is at risk. The cyber pathogen threat is the reason for

1103, 2016

“A Good American” opens next Week in Austrian Theatres

René Pfeiffer/ March 11, 2016/ Administrivia, Discussion, High Entropy, Security, Security Intelligence

For everyone attending DeepSec 2015 we organised a private screening of the film “A Good American”. Everyone else now gets the chance to see this film in theatres beginning on 18 March 2016. Next week there will be the premiere in Vienna, Linz, and Innsbruck here in Austria. Bill Binney will be present himself, and he will answer questions from the audience. We highly recommend “A Good American” to everyone dealing with information security, regardless of the level. Full take and Big Data is not always the answer to your security challenges. Every gadget around is turning smart, and so should you. We hope to see you at the premiere here in Vienna next week!

2002, 2016

DeepSec Video: HackingTeam – How They Infected Your Android Device By 0days

René Pfeiffer/ February 20, 2016/ Conference, Discussion, High Entropy, Security

Backdoors are very popular these days. Not only cybercrime likes extra access, governments like it too. There’s even a lucrative market for insecurity. You can buy everything your IT team defends against legally. Hacking Team is/was one of the companies supplying 0days along with intrusive software to take over client systems. Attila Marosi explained at DeepSec 2015 how products of Hacking Team were used to attack and compromise Android clients. There is no need to make a long introduction when speaking about the famous Remote Control System (RCS), the product of the Italian company Hacking Team. The huge amount – 400 GB – of leaked data gives rise to lengthy discussion and is extremely concerning for every part of the professionally, politically or even those superficially interested only. Enjoy Attila’s presentation. Be careful about

0502, 2016

DeepSec Video: Cryptography Tools, Identity Vectors for “Djihadists”

René Pfeiffer/ February 5, 2016/ Conference, Discussion, High Entropy, Internet

Wherever and whenever terrorism, „cyber“, and cryptography (i.e. mathematics) meet, then there is a lot of confusion. The Crypto Wars 2.0 are raging as you read this article. Cryptography is usually the perfect scapegoat for a failure in intelligence. What about the facts? At DeepSec 2015 Julie Gommes talked about results of the studies done by the Middle East Media Research Institute (MEMRI). The Internet is the method of choice for communication: the number of sites calling for a “jihad” rose from 28 in 1997 to over 5,000 in 2005. The basic use of these sites for the purpose of basic classical communication began in the 2000s. It was replaced by that of social networks, allowing almost instant mass communication. Julie’s talk give you an overview about the tools used according to the study.

2701, 2016

DeepSec Video: The German Data Privacy Laws and IT Security

René Pfeiffer/ January 27, 2016/ Conference, Discussion, Legal, Schedule

Data protection and information security are often seen as different species. Why? Where is the difference between protection, defence, security, and offence? There are a lot of relations between the terms. Stefan Schumacher (Magdeburger Institut für Sicherheitsforschung) gave a presentation at DeepSec 2015 on how to link privacy with security: „Hesse introduced the first data privacy law in the world in 1970. Since then, the German data privacy laws evolved over time and led to the creations of several tools and methods to protect private data. Though it is aimed at data protection it can be utilized for IT security. This talk introduces the data privacy law and it’s main ideas. This presentation will also show how it can be used to further IT security especially in the SME sector. This mostly refers to

2101, 2016

DeepSec Video: A Case Study on the Security of Application Whitelisting

René Pfeiffer/ January 21, 2016/ Conference, Discussion, Security

Application whitelisting is a method where you create a baseline selection of software on a system. You then freeze the state, and after this point any code not being part of your original „white list“ is considered dangerous and blocked from execution. In theory this should prevent the execution of malware and therefore protect against the pesky advanced persistent threat (APT) attacks everyone is talking about. What does this mean for your daily business? René Freingruber of SEC Consult talked about a case study at DeepSec 2015. This should save you some time and pain. Theory is not always the same when deployed in the field. René’s presentation even contains vendor names, so you can talk to the sales executive of your favourite brand of security products. This presentation is also a prime example

2001, 2016

DeepSec Video: A Death in Athens – The inherent Vulnerability of “Lawful Intercept” Programs

René Pfeiffer/ January 20, 2016/ Conference, Discussion

In politics it is en vogue to create new words by connecting them. The words „cyber“ and „lawful“ come to mind. You can add „crime“ and „intercept(ion)“, and then you got something. Actually you can combine both of the latter words with the first two. Either combination makes sense if you take a look at the Athens Affair. More than ten years ago the lawful interception modules of Vodaphone Greece were used to eavesdrop on the Greek government. Kostas Tsalikidis (Κώστας Τσαλικίδης) , Vodaphone’s network planning manager, was found dead in his apartment. At DeepSec 2015 James Bamford talked about what the Athens Affair really was and shed light on the many uses of the lawful intercept systems which are mandatory for most telecommunications equipment. We don’t know how many Athens Affairs are still

1811, 2015

Terrorism – No Time for Backdoors

René Pfeiffer/ November 18, 2015/ Communication, Discussion, High Entropy, Security

Every successful project needs proper planning and a good project management. You know this from your business life, probably. Projects can’t be done without tools for communication. We all use these day by day. Email, telephone, collaboration platforms, social media, instant messengers, and more software is readily available. Access to communication tools has spread. Exchanging messages has also evolved a lot since the 1990s. Given the diversity of the Internet, messages are now encrypted (hopefully). It is a very basic defence against any third parties, or Eve, both being unable to eavesdrop on the conversation. Especially when you do business and talk money, encryption is your closest friend. Why else would you meet indoors and control the access of persons to your office space? Why not discuss business internals while riding public transport? Some

0611, 2015

Endangered Species: Full Disclosure in Information Security

Sanna/ November 6, 2015/ Discussion, High Entropy, Legal, Security

History, fictive or real, is full of situations where doubts meet claims. Nearly every invention, every product will be eyed critically, analysed, and tested. There are even whole magazines fully dedicated to this sport, be it for example, consumer protection, reviews of computer games or the car of the year. When it comes to testing the sector of information security is particularly sensitive. Depending on the hard- or software concerned, testing is not only about comfort or in search of a particularly good storyline, but about incidents, which can cause real damage in the real world. How should one deal with the knowledge of a design flaw affecting the security of a system? Locks In 1851 the American lock-smith Alfred Charles Hobbs visited the Great Exhibition in London. He was the first to pick

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this: