0309, 2015

The Enemy Within: Industrial Espionage and Your Network at DeepSec 2015

Sanna/ September 3, 2015/ Conference, High Entropy, Security

Networking is vital to aquire jobs in the business world, manage projects, and develop products. It all started with the World Wide Web, now we also interact via various clouds and social media platforms with our staff, clients, and customers. Data gets outsourced to third parties, and business letters are airily send by Instant Messenger (due to the lack of messenger ravens, sadly). But the thoughtless embrace of networks invites threats, previously known only from the silver screen – spies. And, unfortunately, in today’s digital environment, it is no longer enough to just close the door to protect yourself from prying eyes. There is much more to be considered. We’re here to help. DeepSec does not want to leave your company out in the cold: Attend our next conference which takes place in Vienna on

Read More

2707, 2015

Security of Things – Dead Horses just get beaten with the Internet

René Pfeiffer/ July 27, 2015/ High Entropy, Internet, Security

What do NoSQL databases and cars have in common? You can find and freely access them by using the trusty Internet. Wired magazine has published a story about a remotely controlled Jeep Cherokee. Charlie Miller and Chris Valasek have found a way to use the properties of UConnect™ combined with (design) flaws to take full control of the vehicle . The threat is real since the car was attacked remotely by using a network connection. UConnect™ was formerly known as MyGIG™, and systems are available since 2007. It’s basically your entertainment system on steroids with added telemetry, internal commands, and network capabilities. Hacking cars by attacking the entertainment system was already discussed at DeepSec 2011. This is the next level, because cars have now their own IP addresses (and no firewall apparently). NoSQL databases are very

Read More

2706, 2015

I spy with my little Spy, something beginning with „Anti…“

René Pfeiffer/ June 27, 2015/ Discussion, High Entropy, Security

Anti-virus software developers made the news recently. The Intercept published an article describing details of what vendors were targeted and what information might be useful for attackers. Obtaining data, no matter how, has its place in the news since 2013 when the NSA documents went public. The current case is no surprise. This statement is not meant to downplay the severity of the issue. While technically there is no direct attack to speak of (yet), the news item shows how security measures will be reconnoitred by third parties. Why call it third parties? Because a lot of people dig into the operation of anti-virus protection software. The past two DeepSec conferences featured talks called „Why Antivirus Software fails“ and „Easy Ways To Bypass Anti-Virus Systems“. The Project Zero team at Google found a vulnerability in

Read More

2106, 2015

Dual Use Equation: Knowledge + Vulnerability = “Cyber” Nuclear Missile

René Pfeiffer/ June 21, 2015/ Discussion, High Entropy, Legal, Odd

We all rely on software every  day, one way or another. The bytes that form the (computer) code all around us are here to stay. Mobile devices connected to networks and networked computing equipment in general is a major part of our lives now. Fortunately not all systems decide between life or death in case there is a failure. The ongoing discussion about „cyber war“, „cyber terrorism“, „cyber weapons of mass destruction“, and „cyber in general“ has reached critical levels – it has entered its way into politics. Recently the Wassenaar Arrangement proposed a regulation on the publication of exploited (previously unknown) vulnerabilities in software/hardware, the so-called „0days“. The US Department of Commerce proposed to apply export controls for 0days and malicious software. While the ban is  only intended for „intrusion software“, it may

Read More

1806, 2015

Surveillance Article: Listening Posts for Wireless Communication

René Pfeiffer/ June 18, 2015/ High Entropy

Modern ways of communication and methods to obtain the transported data have raised eyebrows and interest in the past years. Information security specialists are used to digitally dig into the networked world. Once you take a look at buildings, geographic topology, and photographs of structures your world view expands. Coupled with the knowledge of ham radio operators connecting the dots can give you some new information about structures hiding in plain sight. This is why we have translated an article by Erich Moechel, Austrian journalist who is writing blog articles for the FM4 radio station. Read  this article for yourself and keep our Call for Papers for DeepSec 2015 in mind. If you have ideas how to keep an eye on the environment surrounding your information technology infrastructure let us know. Companies should know

Read More

2011, 2014

DeepSec 2014 Opening – Would you like to know more?

René Pfeiffer/ November 20, 2014/ Conference, High Entropy

DeepSec 2014 is open. Right now we start the two tracks with all the presentations found in our schedule. It was hard to find a selection, because we received a lot of submissions with top quality content. We hope that the talks you attend give you some new perspectives, fresh information, and new ideas how to protect your data better. Every DeepSec has its own motto. For 2014 we settled for a quote from the science-fiction film Starship Troopers. The question Would you like to know more? is found in the news sections portrayed in the film. It captures the need to know about vulnerabilities and how to mitigate their impact on your data and infrastructure. Of course, we want to know more! This is why we gather at conferences and talk to each

Read More

2011, 2014

BIOS-based Hypervisor Threats

René Pfeiffer/ November 20, 2014/ Discussion, High Entropy, Security

The DeepSec 2014 schedule features a presentation about (hidden) hypervisors in server BIOS environments. The research is based on a Russian analysis of a Malicious BIOS Loaded Hypervisor (conducted between 2007 and 2010) and studies published by the University of Michigan in 2005/2006 as well as 2012/2013. The latter publications discuss the capabilities of a Virtual-Machine Based Rootkits and Intelligent Platform Management Interface (IPMI) / Baseboard Management Controller (BMC) vulnerabilities. Out-of-band management is sensitive to attacks when not properly protected. In the case of IPMI and BMC the management components also play a role on the system itself since they can access the server hardware, being capable to control system resources. Combining out-of-band components with a hypervisor offers ways to watch any operating system running on the server hardware. Or worse. It’s definitely something

Read More

1511, 2014

DeepSec 2014 Talk: Why IT Security Is ████ed Up And What We Can Do About It

René Pfeiffer/ November 15, 2014/ Conference, High Entropy

Given the many colourful vulnerabilities published (with or without logo) and attacks seen in the past 12 months, one wonders if IT Security works at all. Of course, 100% of all statistics are fake, and only looking at the things that went wrong gives a biased impression. So what’s ████ed up with IT Security? Are we on course? Can we improve? Is it still possible to defend the IT infrastructure? Stefan Schumacher, director of the Magdeburger Institut für Sicherheitsforschung (MIS), will tell you what is wrong with information security and what you (or we) can do about it. He writes about his presentation in his own words: Science is awesome. You aren’t doing science in infosec. Why not? Seems to be the overriding message of @0xKaishakunin #AusCERT2014 This was one tweet about my talk

Read More

0210, 2014

RandomPic XSA-108

Mika/ October 2, 2014/ High Entropy, RandomPic

What a couple of Infosec people thought about XSA-108. Apparently some were a little bit disappointed that XSA-108 affects “only” HVM. Sorry, not another catastrophy, not another heartbleed, Shellshock or something in this class. Only a vulnerability which potentially allows access to other VMs. Anyway, time for an update! (Idea shamelessly stolen from aloria)

2409, 2014

DeepSec 2014 Talk: A Myth or Reality – BIOS-based Hypervisor Threat

René Pfeiffer/ September 24, 2014/ Conference, High Entropy

Backdoors are devious. Usually you have to look for them since someone has hidden or „forgotten“ them. Plus backdoors are very fashionable these days. You should definitely get one or more. Software is (very) easy to inspect for any rear entrances. Even if you don’t have access to the source code, you can deconstruct the bytes and eventually look for suspicious parts of the code. When it comes to hardware, things might get complicated. Accessing code stored in hardware can be complex. Besides it isn’t always clear which one of the little black chips holds the real code you are looking for. Since all of our devices we use every days runs on little black chips (the colour doesn’t matter, really), everyone with trust issues should make sure that control of these devices is

Read More

2109, 2014

Back from 44CON – Conference Impressions

René Pfeiffer/ September 21, 2014/ High Entropy, Security, Stories

If you haven’t been at 44CON last week, you missed a lot of good presentations. Plus you haven’t been around great speakers, an excellent crew, “gin o’clock” each day, wonderful audience, and great coffee from ANTIPØDE (where you should go when in London and in desperate need of good coffee). Everyone occasionally using wireless connections (regardless if Wi-Fi or mobile phone networks) should watch the talks on GreedyBTS and the improvements of doing Wi-Fi penetration testing by using fake alternative access points. GreedyBTS is a base transceiver station (BTS) enabling 2G/2.5G attacks by impersonating a BTS. Hacker Fantastic explained the theoretical background and demonstrated what a BTS-in-the-middle can do to Internet traffic of mobile phones. Intercepting and re-routing text messages and voice calls can be done, too. Implementing the detection of fake base stations

Read More

1509, 2013

Crypto Wars by Black Boxes and Standards

René Pfeiffer/ September 15, 2013/ High Entropy, Security

Intelligence services go after cryptography. That’s the news you have probably read in the past weeks. That’s no surprise. They have been doing this for centuries. If your job is to intercept and analyse communication, then cryptography gets in your way (provided the target uses it properly). Intelligence services have been dealing with creating and breaking ciphers since their existence. How do you break cryptography? What can you do to attack encrypted communication? There are multiple ways to obtain messages in clear text. Attack the encrypted data! This is widely known as cryptanalysis. Basically you intercept the encrypted message and try to deduce the plain text. Given sufficient failures in the history of cipher designs, this is pretty hard with most modern ciphers. Algorithms used today are developed and tested to withstand attacks like

Read More

2506, 2013

Timeless elegance: DeepSec T-Shirts 2011

Sanna/ June 25, 2013/ Administrivia, High Entropy

Somewhere it’s still 2011. In another dimension it’s probably always Monday. ANYWAY — for those of you who want to wear a garment of timeless elegance we have the very T-Shirt: DeepSec T-Shirt 2011 proudly presented by our favourite model, Mme Cyberduck.     Wow, look at this imprint   – neat, isn’t it? T- Shirt can be ordered either via e-mail Price: 25€ (VAT excluded) + shipping costs Payment: Prepay, either via Paypal or Credit Card or you can get them at our next conference, DeepSec 2013. C u!  

0203, 2013

Post-Crypto in a Pre-APT World

René Pfeiffer/ March 2, 2013/ High Entropy, Security Intelligence

There was a Cryptographers’ Panel session at the RSA Conference with Adi Shamir of the Weizmann Institute of Science, Ron Rivest of MIT, Dan Boneh of Stanford University, Whitfield Diffie of ICANN and Ari Juels of RSA Labs. You have probably read Adi Shamir’s statement about implementing (IT) security in a „post-crypto“ world. He claimed that cryptography would become less important for defending computer systems and that security experts have to rethink how to protect valuable information in the light of sophisticated Advanced Persistent Threats (APTs). „Highly secured“ Infrastructure has been compromised despite „state of the art” defence mechanisms. So what does rethinking really mean? Do we have to start from scratch? Should we abandon everything we use today and come up with a magic bullet (or a vest more appropriately)? Our first implication

Read More

0511, 2012

Alien Technology in our Datacenters

Mika/ November 5, 2012/ High Entropy, Security, Stories

Sometimes when I watch administrators at work, especially when I start to ask questions, I get an uneasy feeling: “this is not right”. As it turns out many of the people who maintain, manage and configure IT or communication equipment don’t understand the technology they are using. At least not in depth. Mostly they have a rough idea what it’s all about but cannot explain in detail how it works and cannot predict what will happen if a few changes are made to the setup. Although I couldn’t put my finger on it I had a familiar feeling, something like a déjà-vu. Just recently when I browsed through my bookshelves it suddenly became clear: I reached for a science fiction classic, “Gateway” by Frederic Pohl which describes an alien race, the “Heechee”, which have

Read More