Talk about Cryptography and the NSA’s Capabilities

René Pfeiffer/ March 31, 2014/ Discussion, Security, Event

The published documents about the NSA’s capabilities have led to a review of cryptographic tools. Mastering SSL/TLS by itself can be tricky. This is especially true if you have to deal with clients that do not take advantage of the latest TLS protocols. System administrators and developers are well advised to keep an eye on the capabilities of libraries and the algorithms available for securing network communication. We recommend having a look at the publication of the Applied Crypto Hardening project in case you wish to review your crypto deployment. The standardisation of cryptographic methods has been criticised as well. Apart from the flawed Dual Elliptic Curve Deterministic Random Bit Generator (Dual_EC_DRBG) there is a lot of discussion going on where the practices of standardisation are being questioned. Given the design problem in

DeepSec 2013 Video: The Economics Of False Positives

René Pfeiffer/ February 4, 2014/ Conference, Discussion, Security

Once you set up alarm systems, you will have to deal with false alarms. This is true for your whole infrastructure, be it digital or otherwise. When it comes to intrusion detection systems (IDS) you will have to deal with false positives. Since you want to be notified of any anomalies, you cannot ignore alarms. Investigating false alarms creates costs and forces you to divert efforts from other tasks of your IT infrastructure. In turn attackers can use false positives against you, if they know how to trigger them and use them in heaps. Where do you draw the line? In his presentation at DeepSec 2013 Gavin ‘Jac0byterebel’ Ewan (of Alba13 Research Labs) introduced an interesting approach to deal with false positives: „…Taking false positive figures from a number of real business entities ranging

DeepSec 2013 Keynote: Geopolitics and the Internet – the Meaning of “Hegemony”

René Pfeiffer/ October 3, 2013/ Conference, Discussion, Internet

Most of us think of the Internet as a place where the world virtually gathers and communicates without boundaries. It is regarded as a „virtual“ space where the confinement by borders of nation states is blurred by digital connectivity. People from all over the globe communicate with each other and form a truly cosmopolitan community. The trouble in paradise starts when countries switch off access to the Internet or prosecute whistle-blowers. Given the ever present notion of „cyber“ war we need to discuss geopolitics. It seems that the USA heavily dominates the Internet and regards it as its territory. Marcus Ranum will address the idea of hegemony and the USA with regards to the Internet in his keynote for the DeepSec 2013 conference: So, the topic is “the meaning of hegemony” – what does

Musings about PRISM and the Like, or an Appeal to Reasoning

Mika/ July 17, 2013/ Discussion, Mission Statement, Security Intelligence

Spying and Distrust are not new, Full Stop. We are old enough to have witnessed many large spying programs in “real time”, starting in the 90s and continuing until now. Everybody spies on everybody else, everybody tries to use every resource available to gain any kind of intelligence useful for their very own benefit. Alliances, treaties and promises (or vows if you take it more seriously) only have secondary value when it’s about one’s own advantage. This is true for most aspects of our life, be it private, business or international political affairs. Spouses (sometimes) distrust each other. Business partners (sometimes) negotiate with most detailed contracts to leave as little room as possible to deviate from the expectations, trusting in legal frameworks, lawyers and neutral judges to enforce the expectations. In international affairs (sometimes)

„Cyber Cyber Cyber“ revisited – Information Warfare

René Pfeiffer/ July 5, 2013/ Discussion, Security

So far we haven’t commented on the ongoing season of the Game of Spooks miniseries. We wait for the break after the last episode – provided there is one. However we have written about information warfare and espionage in this blog. Enter secrets. During DeepSec 2012 the concept of „cyber war“ was heavily explored. Eventually it led to the phrase „cyber cyber cyber“ due to the sheer popularity of this very word. „Cyber“ and „war“ hide the fact that information is the prime good that is being accessed or copied and put to a fresh use¹. Take a look at the published articles in the past weeks to see misplaced information at work. A couple of misplaced presentation slides can cause more uproar than a data leak of medical records of a nation –

Products, Vendors, Security, and Bias

René Pfeiffer/ July 4, 2013/ Discussion, Mission Statement, Security

The DeepSec conference is meant to be a neutral event where security related topics can be discussed without bias. Periodically we have discussions with companies about this issue. Our web site states that DeepSec is a non-product, non-vendor-biased conference event. In short this simply means that the topics discussed at DeepSec are all about facts not ads. We are looking for honest talks about security: If something breaks, tell us about it. If you can repair it, tell us about it. If you discovered something, tell us about it. That’s our goal. The DeepSec conference is not a trade fair – but it’s a place to mention what you have researched or what you have created. We are all about information security and want everyone to talk about it. We invite everyone to share results of

Protect your Metadata

René Pfeiffer/ June 9, 2013/ Discussion

In the light of the recent news about the collection of call detail records (CDR) the term metadata has come up. Unfortunately the words cyber, virtual, and meta are used quite often – even as a disguise to hide information when not being used in a technical context. We have heard about all things cyber at the last DeepSec conference. The word virtual is your steady companion when it comes to All Things Cloud™. Now we have a case for meta. Actually metadata is what forensic experts look for – a lot. Metadata usually lives in transaction logs or is part of a data collection. It describes the data it accompanies. Frequently you cannot make sense out of or use the data without the corresponding metadata. A well-stocked library seems like a labyrinth if

How to defend against “Cyber” Espionage

René Pfeiffer/ June 6, 2013/ Discussion, Security

When it comes to defence and protection, don’t forget how your organisation treats data. The mindset plays an important role. This can be illustrated by a simple correlation. Organizations which take the protection of data privacy seriously have an edge when it comes to implementing IT security measures. We talked about this relation in an interview with ORF journalist Erich Moechel (article is in German, Google translation). The findings are not surprising. Auditors and penetration testers can tell if your IT staff takes the role of protecting digital assets seriously. The correlation is easily explained: Once you establish data protection guidelines, you also create a motivation to implement defensive procedures and measures against intrusion. Directly linking operational aspects to a reason makes sure that everyone understands why defence is important. Bear in mind

Support your local CryptoParty

René Pfeiffer/ April 29, 2013/ Communication, Discussion, Training

Since September 2012 there have been CryptoParty events all over the world. The idea is to bring a group together and have each other teach the basics of cryptography and how to use the various tools that enable you to encrypt and protect information. Of course, encryption by itself cannot guarantee security, but it’s a part of the equation. Since cryptography is hard, most tools using it require a certain amount of knowledge to understand what’s going on and how to properly use them. The CryptoParty helps – in theory and most often in practice, too. If a CryptoParty is near you and you have some knowledge to spare, please take part and share what you know with others. DeepSec supports the local CryptoParty events in Austria, too. Finding a CryptoParty can be easily done

BSidesLondon and the Rookie Track

René Pfeiffer/ April 12, 2013/ Conference, Discussion

DeepSec is actively supporting the BSidesLondon conference this month. We are joining the panel of mentors of the rookie track, and we’re looking forward to seeing a lot of interesting talks. In March we talked about our motivation to support the rookie track idea with Finux on the Rookie Track Podcast. DeepSec has been supporting young security researchers for years. Some of them were given an opportunity to speak at past DeepSec conferences in order to present their work. We think that this is a good idea, and here is why: Speaking publicly in front of an audience can be hard. It is even harder if you have never done this before. It gets a lot harder if you talk about IT security, because there’s a chance you found something that probably broke, is

The Risk of faulty Metrics and Statistics

René Pfeiffer/ March 24, 2013/ Discussion, Security

It’s never a bad idea to see what the outside world looks like. If you intend to go for a walk, you will probably consult the weather report in advance. If you plan to invest money (either for fun or for savings), you will most certainly gather information about the risks involved. There are a lot of reports out there about the IT security landscape, too. While there is nothing wrong with reading reports, you must know what you read, how the data was procured and how it was processed. Not everything that talks percentages or numbers has anything to do with statistics. Let’s talk about metrics by using an example. Imagine an Internet service provider introduced a „real-time map of Cyber attacks“. The map would show attacks on their „honeypot“ systems at 90

DeepSec 2012 Talk: A Non-Attribution-Dilemma and its Impact on legal Regulation of Cyberwar

René Pfeiffer/ November 14, 2012/ Conference, Discussion

We asked Michael Niekamp and Florian Grunert to give an outlook on their presentation titled A Non-Attribution-Dilemma and its Impact on Legal Regulation of Cyberwar: A general challenge of cyberwar lies in the field of legal regulation under conditions of non-attribution. The optimistic view emphasizes that our international law and its underlying standards are sufficient (in principle and de facto) to solve all emerging problems. A more sceptical view postulates “the impossibility of global regulation”. Although we lean towards the sceptical view, we’ll provide a different and new line of reasoning for the impossibility of a rational legal regulation by formulating a non-attribution-dilemma. In contrast to some prominent arguments, we do not overestimate the suggestive power of the non-attribution-problem concerning the question of rational “deterrence through a threat of retaliation” (DTR for short), but

DeepSec 2012 Showcase: Cuteforce Analyzer

René Pfeiffer/ November 13, 2012/ Discussion, Security

The University of Applied Sciences Upper Austria will be showing the Cuteforce Analyzer at DeepSec 2012. This beast is a massively parallel computing cluster for cryptographic applications. The goals of this project were to develop a cluster framework and to evaluate suitable hardware. The cluster itself utilises two different types of co-processors, namely the well-known graphics processing units (GPUs) also used in super-computing, and field-programmable gate arrays (FPGAs). Both types of processors have their strengths and weaknesses, both depending on the algorithm being executed on the hardware. The cluster framework connects both hardware platforms, and assigns computing tasks according to the advantages of the co-processor. Thus you get to use all the advantages; in addition the framework software makes sure that you can use the different hardware processors as a whole. The research team

Security in Serious Fun

René Pfeiffer/ August 30, 2012/ Discussion, High Entropy, Security

In case you keep track of our tweets, you may have noticed that we approach the topic of security humorously sometimes, and because there is a lot of potential for misunderstanding we’d like to explain why we do this. It’s not all about who scores the best puns. It has a serious background, and it helps to keep a minimum distance to problems you are dealing with. Security has a strong link to the agenda of a person, a group, a company or a nation. Consider a fatal flaw in a major software package. The typical actors connected to this bug are the group/person who found it, the group/person who published it (not necessarily the same as the discoverers), the developers of the software (could be a community or a company or both), the

Take-Away Security Tools Probably Aren’t

René Pfeiffer/ August 27, 2012/ Discussion, Security

You have probably read one of the many reviews of security tools published in the depths of the Internet. A lot of magazines feature articles with the headline „Top n Tools for $TASK“. While reviews are a nice way of being introduced to new things, especially tools and software, you have to be careful when it comes to reviewing the security aspects of code or your new favourite tool. First of all you cannot analyse the security design and possible flaws by reading the FAQ section of the project web site or the user manual. You have to evaluate the code and the components it uses. Don’t be fooled or distracted by encryption for it doesn’t necessarily secure anything. Getting a security design right is very hard, and sprinkling cryptography over serious design flaws
