Zombies at the Hospital

René Pfeiffer/ October 31, 2012/ High Entropy, Security

It’s 31 October, so we have to talk about these zombies. You know them from the horror films. Dead, evil, and always hungry for brains (the latter also being true for any self-respecting HR department). Security researchers know a different kind of zombie. A zombie computer is a machine or device infected by a computer virus. It is considered compromised and contains additional features such as information retrieval, remote access or anything else you can put into code. Usually this is undesirable and is fought with anti-virus software or (even better) strict security procedures. Now let’s combine the two types of zombies and add a spiffy virus outbreak into the mix. To be even more cinematic, we use a hospital as the stage. Too unrealistic? On the contrary, hospitals do have a virus and zombie


Groundhog Day (Not a Film Review)

Mika/ October 20, 2012/ High Entropy, Security

Recently there was a re-run of the movie “Groundhog Day” on German TV and after a while I had a familiar feeling: our security efforts are a lot like the story. The protagonist is caught in something like a time loop until he gets everything right. A previously cynical, disrespectful, arrogant and selfish news reporter wakes up every morning to the same scene: the alarm clock switches to 6:00 in the morning, the radio plays “I Got You Babe” and the same day repeats over and over again. During the first iterations he doesn’t change his behavior, being quite a discomforting guy, until he realizes that slight changes can make a big difference. He is only relieved from this situation after he gets everything right: being nice to his former schoolmate, changing the tires


High Availability is not Redundancy

Mika/ October 11, 2012/ High Entropy, Odd

This is about the “A” in the CIA triad of security: Confidentiality, Integrity, Availability. Just recently I witnessed an incident where the failure of a perceived redundant system caused an outage of more than 5 hours of the central IT services of a multinational/intercontinental enterprise. Vital services like VoIP calls and conference bridges (which were interrupted with high-profile customers), SAP, e-mail, central file services, CAD, order processing, printing of delivery notes and therefore loading of trucks, processing of EDIFACT-based orders and invoices, etc. were unavailable for most of the 20,000 employees and customers worldwide during this blackout. What happened? Sometime in the morning we noticed a lot of commotion in the department (open plan office) and quite soon it was obvious that all network-based services were out


Security in Serious Fun

René Pfeiffer/ August 30, 2012/ Discussion, High Entropy, Security

In case you keep track of our tweets, you may have noticed that we sometimes approach the topic of security humorously, and because there is a lot of potential for misunderstanding we’d like to explain why we do this. It’s not all about who scores the best puns. It has a serious background, and it helps to keep a minimum distance from the problems you are dealing with. Security has a strong link to the agenda of a person, a group, a company or a nation. Consider a fatal flaw in a major software package. The typical actors connected to this bug are the group/person who found it, the group/person who published it (not necessarily the same as the discoverers), the developers of the software (could be a community or a company or both), the


A „Cool War“ is not cool

René Pfeiffer/ June 18, 2012/ Discussion, High Entropy

The term „Cyberwar“ carries a dark fascination. Most people think of it as „war lite“. You get all the benefits of a real war, but the casualties are limited to bits, bytes and maybe pixels. No one dies, only the targets get destroyed. This sounds too clean to be true. There is even an article called „Cool War“ that glorifies the concept of digital battles even further. The author suggests that a cool war could prevent a „real“ armed conflict by digital preemptive strikes. The good news is that a preemptive cyber attack on the military command-and-control systems of two countries getting ready to fight a “real war” might give each side pause before going into the fight. In this instance, the hackers mounting such attacks should probably publicize their actions — perhaps even


Collateral Damage in Cyberspace

René Pfeiffer/ June 8, 2012/ High Entropy, Security

„In cyberspace, no one can hear you scream.“ System administrators have known this for a long time, as have security researchers. Everybody is talking about „cyberwar“ these days (elections are coming). No one is talking about the (digital) fallout from „cyberwar“ operations. As long as you rely solely on passive methods, there’s not much that can happen. As soon as you employ „offensive security“, which is just a euphemism for „breaking things“, there will be damage in terms of service disruption, compromised systems, modified/erased data, inserted attack code and possibly more. Attack tools such as Stuxnet, Duqu and now Flame have been discussed for years by security researchers. Anti-virus vendors in particular have repeatedly promised to include malware of any origin in their databases. In theory this includes these „cyberweapons“ as well. In real life these weapons


Bring Your Own Spy – BYOD gone wrong

René Pfeiffer/ May 25, 2012/ Discussion, High Entropy, Security

It is reasonably safe to assume that anyone doing business has meetings from time to time. Meeting people and talking to them (or listening) is part of many companies’ culture. What do you bring to your meeting? A computer? Maybe. Paper and pencils? Old school, but why not. Your cell phone? Most probably! Unfortunately this also means that you might invite some spies to the conference. We have already bashed described talked about the BYOD conundrum challenge. Combining the BYOD approach with information security is hard, bordering on the impossible. There are some strategies out there for securing your device(s) (in this case from Software Advice, but others have checklists, too). You can also use the Might of Security Policies™ against the threat (we all know that all users follow any written policy


Unlearn to Hack?

René Pfeiffer/ May 6, 2012/ Discussion, High Entropy, Security

Security is heavily influenced by the inner workings of the (human) mind. We all know about social engineering and the tricks used by con men. The game of smoke and mirrors now hits the „uncontrolled spread of hacking tools“. We have already pointed out that the European Union is preparing a proposal for „banning“ „hacking tools“. There is now a case online where a print magazine was allegedly removed from the shelves of Barnes & Noble. Apparently the cover story was too dangerous, because it announced how to „teach you to break into networks, exploit services running remotely, beat encryption techniques, crack passwords, and more.“ The real dark side of this story is that these skills are discussed at most self-respecting security conferences. These skills are even part of a very basic job description in


Security in the Light of Emergency Situations

René Pfeiffer/ May 5, 2012/ High Entropy, Security

Let’s assume you have put proper security measures into place and have spiced them up with proper policies, so that everyone always knows what to do in certain situations. So far, so good. Now let’s combine this solid security framework with something out of the ordinary. Catastrophic storage failures are a very good example. Imagine your shared storage array goes AWOL (including the disk images of your precious virtualised servers). In this case your operating status has gone from „all green“ to „full red alert“. Your staff can’t restart the storage array, so you have to rely on experts in the field of data rescue. Due to the critical nature of the data you yank out the disks, label them and send your storage components by messenger to a laboratory. Since time is


Let’s talk about War

René Pfeiffer/ April 17, 2012/ Discussion, High Entropy, Stories

Extreme situations, entropy eruptions and unforeseen problems caused by complex interactions between a plethora of components are prime story material. You can use it in (science) fiction, you can use it for breaking news, you can use it for scaring your children, you can use it for advertising and you can use it when talking about information security. Maybe this is why talking about „cyberwar“ is all the fashion these days. Let’s follow the trend and introduce the issue with style:

No boom today. Boom tomorrow. There’s always a boom tomorrow. What? Look, somebody’s got to have some damn perspective around here! Boom. Sooner or later. BOOM!
— Lt. Cmdr. Susan Ivanova, Babylon 5

This statement from a fictional character pretty much sums up the issue (plus it contains exactly the required amount of sources


Pattern, Matching and IT Folklore

René Pfeiffer/ April 15, 2012/ Discussion, High Entropy, Security

Every once in a while there is a lively discussion about the efficiency of pattern-based security measures. Usually you see these discussions in the wake of security software tests. Mostly it concerns intrusion detection, malware filter or spam filter tools. As soon as you try to implement filters or detection, you will need some criteria to base decisions on. It doesn’t matter if you apply whitelisting, blacklisting or a mixture of both. Even if you add some intricate algorithms ranging from good ideas to artificial intelligence, you still need to base the decision on something. Patterns and signatures are still the way to go. So where do these discussions about „all methods using patterns/signatures are snake oil“ stem from? Let’s take another pattern-based defence mechanism as an example – our immune systems. It


DeepSec Announces DeepSec 365 Conference Track

René Pfeiffer/ April 1, 2012/ Administrivia, Conference, High Entropy

IT security has grown into a cornerstone of our modern society. We rely on data integrity and availability, and we do not wish our personal or business data to be mirrored on pastebin.com or other web sites. 2011 has been full of high-profile security-related incidents. 2012 will most certainly continue in this fashion. This cannot go on forever. Therefore we decided to address the lack of IT security conferences and boost their number considerably. On 1 January 2013 we start the DeepSec 365 Conference Track – 365 DeepSec security conferences in 2013, one every day! We are currently finalising the deal with our conference venue. Even the tourism industry has acknowledged that there really is nothing besides hosting IT security events. Forget skiing, spas, clubbing, museums, sightseeing and all that, you want to see


It’s the Smart Meters that matter – or is it?

René Pfeiffer/ March 18, 2012/ Communication, High Entropy, Security

Wired’s Danger Room has an article about how ubiquitous computing and smart homes are eagerly awaited by the CIA to turn your networked environment into a gigantic spy tool. CIA Director David Petraeus very much likes the „Internet of things” as an information gathering tool. Security researchers can’t wait either. However, they have a very practical approach, pointing out the missing security design. Smart homes might be very dumb after all, and they might not be a „home“. If your home turns against you and breaches your privacy, it’s not a home any more. Plus the next „digital Pearl Harbor“ (whatever this means) might start in your refrigerator. Who knows? This is a very simplistic view of the „Internet of things”. If things automatically turn into sensors and report useful information once they


Disinfect your Information Environment

René Pfeiffer/ March 7, 2012/ High Entropy, Security, Stories

Since information technology relies heavily on analogies (as do a lot of other „cyber“ things), we have a question for you. What do an intercepted phone call, infectious diseases and nuclear waste spilling into the environment have in common? Faulty containment. The Naked Security blog explains in an article how Anonymous was able to record the FBI phone call whose audio file was published in January 2012. Apparently „an Irish Garda police officer who was invited to attend the conference call about ongoing hacking investigations forwarded the message to a personal email account“. This personal e-mail account was compromised, and the information about the conference call was used to participate and to record the audio stream. This teaches a couple of lessons. Conference calls can be attended by having the correct string of characters (i.e.


About the fineprint in Software patents (Motorola vs. Apple)

Mika/ February 24, 2012/ High Entropy, Internet

Recently Motorola sued Apple because of Patent EP0847654 and Apple deactivated the push function for e-mails. Only on mobile platforms. Only for iCloud and MobileMe. Only within the borders of Germany. See http://support.apple.com/kb/TS4208. What happened? While everyone in the blogosphere is ranting about e-mail pushing being patented etc., I dared to search for the original patent text and was a little bit surprised: The patent goes back to 1996. The title is “Multiple Pager Status Synchronisation System and Method”. In my opinion it describes something unrelated to modern e-mail systems. The patent describes a trivial three-message exchange over radio communication to ensure that multiple pagers in a group reflect the same status, i.e. whether a message has already been read. Nothing about e-mail in general can be found. This is the reason for affecting only
