Of CAs, DLP, CSRs, MITM, inspection and compliance

René Pfeiffer/ February 16, 2012/ Discussion, Security

Writing about certificate authorities is slowly turning into beating dead horses. We have seen a couple of security breaches at CAs in the past. We have witnessed security researchers turning to SSL/TLS. Fairly recently researchers have put RSA keys to the test and found common prime factors in thousands of keys. Now we have a discussion about compliance. The Mozilla team has given CAs a stern warning sparked by the issue of a signing certificate by the Trustwave CA to a customer using a data loss prevention (DLP) device. According to a report the signing root certificate was used inside a Hardware Security Module for the purpose of dynamically creating fake certificates in order to inspect encrypted web traffic. While there was an audit at the customer’s site, this incident has sparked a heated

Read More

Thoughts about “Offensive Security Research”

René Pfeiffer/ February 11, 2012/ Discussion, Security

Ever since information relevant for security was published, there have been discussions about how to handle this information. Many remember the full/no/responsible disclosure battles that frequently erupt. There is a new term on stage. Its name is „offensive security research“. The word „offensive“ apparently refers to the intent to attack IT systems. „Security“ marks the connection, and „research” covers anyone being too curious. This is nothing new, this is just the old discussion about disclosure in camouflage. So there should be nothing to worry about, right? Let’s look at statements from Adobe’s security chief Brad Arkin. At a security analyst summit Mr. Arkin claimed that his goal is not to find and fix every security bug. Instead his strategy is to „drive up the cost of writing exploits“ he explained. According to his keynote

Read More

Getting your Perception right – Security and Collaboration

René Pfeiffer/ January 29, 2012/ Discussion, Security

If all security-related events were not connected and could be analysed with a closed system in mind, getting security measures right would be much easier. Technicians will probably yawn at this fact, but networks connect a lot of different stuff (think „series of tubes“ and many points between them). In turn this means that you can use this for your own advantage and talk to others on the network, too! This surprising conclusion is often forgotten despite the use of the term „Internet community“ and developers working together on intrusion detection signatures, malware analysis and other projects. Stefan Schumacher talked about cooperative efforts to establish an international cyber defence strategy at DeepSec 2011. Securing infrastructure and implementing a proper defence in depth doesn’t rely on technical solutions alone. You need to establish procedures for

Read More

Dissection of Malware and Legality

René Pfeiffer/ October 24, 2011/ Discussion, Security

You have probably seen the articles about the 0zapftis (a.k.a. the German Federal Trojan) malware used by the German police for investigation. There’s a lot going on in Germany and the German parliament, so we’d like to point out the issue of dissecting governmental malware and its relation to common sense and the law. The politician Patrick Sensburg accused the Chaos Computer Club to have thwarted investigations and thus the punishment of potential perpetrators. This violates German law (§ 258 Strafvereitelung, to be exact, description is in German). So is it legal to analyse malicious software or is it illegal? Mr. Sensburg has already answered three questions regarding his statements in parliament. He clarified his message. He criticises that the code had been published on the Internet instead of contacting the appropriate government agencies.

Read More

Stealing Digital Assets with Knives

René Pfeiffer/ October 22, 2011/ Discussion, High Entropy

This article on the ElReg® web site caught my attention today. Police forces in England and Wales read the statistics stemming from crime reports more closely. They think to have found a correlation between the increase of robbery and robbery with knives and the demand for smartphones to sell on the black market. The stolen devices could now be in demand for the hardware (probably), the software (doubtful) or the identity information stored on them (what about this, then?). The protection level of personal data and identity information is quite low for most phone owners. Of course, there are „lies, damned lies and statistics“ and you have to be careful to draw conclusions from a quick glance of a news article. Then again correlations is what you are interested in when building your radar.

Read More

Explaining Security to non-technical Audiences

René Pfeiffer/ August 7, 2011/ Discussion, Report

A few days ago we had the opportunity to present a review of vulnerabilities in mobile phone networks and typical attack vectors to a non-technical audience (we announced the event in a previous blog posting, the event language was German). The background of the attendees was a spectrum of social sciences, political sciences, different technical science (but not information science), governmental agencies (again non-technical) and journalists. We adapted the slides in order to reduce the complexity and the technical details. The reaction was positive, but most of the questions were aimed at how to defend against the risks. Thus our reduction only lasted until the QA section. If you really want to defend yourself, you have to deal with the details. If you don’t dive into the details, you can give superficial answers at

Read More

Tips for Conference Speakers

René Pfeiffer/ June 5, 2011/ Discussion

We’ve been through four DeepSec conferences already, and MiKa and me have talked in person at other events. Given the feedback we received about past DeepSec speakers, the video recordings and our own experience, we’d like to give everyone who is thinking about submitting a talk some advise. It really doesn’t matter if you are going to speak at DeepSec (though we prefer this option) or anywhere else. If you have something to say, then make sure your message is delivered in an appropriate wrapping. Try to address your audience and make them listen to you. There are ways to do this, and most of them can be practised and learnt. Structure : Most talks have an outline of what the audience can expect. Take some extra time and think about the agenda. If

Read More

Zu Gast bei Taalk.at: Vorratsdatenspeicherung

René Pfeiffer/ May 3, 2011/ Discussion

Michael Kafka war am 29. April 2011 zu Gast bei einer Expertenrunde zum Thema Vorratsdatenspeicherung. Der Hintergrund ist die Speicherung von Verbindungs- und Geodaten bei Kommunikation über Internet, Telefon und andere Netzwerke. Die EU Richtlinie dazu muß in allen Mitgliedsstaaten umgesetzt werden. In Österreich wurde das Gesetz letzte Woche beschlossen und tritt am 1. Januar 2012 in Kraft. Da Netzwerke und Logdaten mit dem Thema Sicherheit verwoben sind, haben wir unsere Expertise in die Diskussion eingebracht. Im Web-Standard wurde ein Artikel publiziert. Die Videoaufzeichung läßt sich über die ichmachpolitik.at Webseite anschauen: