1902, 2012

Five Million, quick and easy!

Mika/ February 19, 2012/ High Entropy, Odd, Security Intelligence

A good friend and former colleague of mine asked me recently, whether I could give him a tip how to make 5M quick and easy. My answer was “Nothing I could think of which doesn’t involve a lot of nasty things and imply a long stay in jail”. But that’s not what I wanted to discuss here, although it’s somehow related: We had a couple of talks at the DeepSec which shed a little light on the underground economy and I also started to take some dives into the “Deepnet” to get acquainted with jargon, topics, trends and so on. Btw: NO, no details on this: not what I have visited, not when or how I registered there, I don’t wanna get doxed (1), these guys can get nasty and we don’t need another

Read More

0112, 2011

Water Plants, Cyberwar, and Scenario Fulfillment

René Pfeiffer/ December 1, 2011/ High Entropy, Security, Stories

While we refuse to add a Cyberwar category to this blog, we want to explore this shady topic with a story. Do you recall the water plant hack a few weeks ago? According to news floating around in the Internet an US-American water plant in Illinois suffered from a security breach together with a failed water pump. Apparently attackers took the pump out by applying a well-tried IT technique called „Have you tried to turn it off and on again?“. So in theory this is a full-scale Cyberwar incident that puts all of our infrastructure at risk – plus you can add the magical acronym SCADA when talking about it, thus lowering the room temperature a few degrees and imposing the well-tried fear and awe effect on your audience. While industrial control systems remain

Read More

2210, 2011

Stealing Digital Assets with Knives

René Pfeiffer/ October 22, 2011/ Discussion, High Entropy

This article on the ElReg® web site caught my attention today. Police forces in England and Wales read the statistics stemming from crime reports more closely. They think to have found a correlation between the increase of robbery and robbery with knives and the demand for smartphones to sell on the black market. The stolen devices could now be in demand for the hardware (probably), the software (doubtful) or the identity information stored on them (what about this, then?). The protection level of personal data and identity information is quite low for most phone owners. Of course, there are „lies, damned lies and statistics“ and you have to be careful to draw conclusions from a quick glance of a news article. Then again correlations is what you are interested in when building your radar.

Read More

1110, 2011

0zapftis revisited – 0ktoberfest for Security Researchers

René Pfeiffer/ October 11, 2011/ High Entropy, Odd

The CCC analysis of the malicious software bought and used by the German government has put our blog schedule and RSS reading habits out of balance. Frankly our necks hurts because we constantly shake our heads since the PDF of the analysis was published. We have talked to journalists who showed interested in the design of the malware. It’s very hard not to go into rant or BOFH mode when talking about the design and the use of the trojan horse. You have to use quite some Zen skills to stay focused and to see what we have here. In fact the whole discovery and the avalanche of questions raining down on German officials marks a turning point for the significance of computer security. Furthermore it is a perfect example of all the problems

Read More

0610, 2011

Of Web Apps, Smartphones and Data Leaks

René Pfeiffer/ October 6, 2011/ High Entropy

Just digging through the backlog of the past days. Someone shot me a quick link to a web site showing an administrative interface. I failed to see the significance right away, because the link was sent by chat with an URL obfuscator shortener. I know discovered the corresponding blog post to this issue. Coincidentally I was talking on the phone today about AnonAustria’s latest publications. Apparently they found the addresses of Austrian police staff online. The claim is that the data was sitting on a web server and could be downloaded simply by guessing links. Yesterday the Austrian Chamber of Commerce confirmed a data leak covering more than 6.000 data sets of customers (400 of them complete with bank accounting information). The data leak looks like a web server „glitch“, too. AnonAustria referred to

Read More

0610, 2011

Talk: Armageddon Redux – The Changing Face of the Infocalypse

René Pfeiffer/ October 6, 2011/ Conference, High Entropy

DeepSec has a tradition of holding a „night talk“. This is the last talk on the first day, just before the Speaker’s Dinner. Don’t let the expectation of good Austrian food fool you. Morgan Marquis-Boire will serve you an appetiser which may be hard to digest: Armageddon Redux The talk is a follow-up on Morgan’s Fear, Uncertainty and the Digital Armageddon talk held at DeepSec 2008. During the past years security researchers have been warning about attacks on fundamental infrastructure. The ghosts and dæmons haunting SCADA systems lead to scary scenarios portraying a failing civilisation. At the time, there was significant worry about the danger that digital sabotage posed to the systems that run our everyday lives. Take a look at the recent Tōhoku earthquake and tsunami in Japan and its impact on industrial control

Read More

2108, 2011

Cargo Cult Security

René Pfeiffer/ August 21, 2011/ High Entropy, Stories

Here is a fictional story for you that bears no resemblance to any living, dead, or undead persons whatsoever. Imagine someone who is interested in establishing and maintaining a „medium“ to „high“ level of security for his or her business data. This person is a power user and uses hard disk encryption, an encrypted file server, access to internal data by VPN and GPG/PGP for communication. So far, so good. Now for the bad news: untrusted devices without security software may also access internal resources and shiny new workstations run without anti-virus protection or firewalls. Questions regarding potential risks go unnoticed, suggestions to periodically check the security measures also disappear into the vast void of email. What is wrong with this picture? Well, given that all of this is purely fictional, someone you might

Read More

0707, 2011

SecInt: Radar for Anti-Security Movement

René Pfeiffer/ July 7, 2011/ High Entropy, Press, Security

We have been talking to some journalists in the past weeks. Most questions revolved around the rise in attacks against well-known web sites and their companies (or vice versa). Jeffrey Carr has published a good source for an overview of Anti-Security groups. If you are looking what to put on your radar, his article might be a good start. Security intelligence is gathering importance. Make sure that you don’t drown in tools or gadgets, and that you don’t neglect your strategic view. Quite a lot of people are confused by the many reports of incidents, „lulz“, „LOLs“, scanty slogans when it comes to motivations of attackers, damage reports, panic and media mind disruption (always remember: anonymous ≠ Anonymous). Currently we’re working on material to put the threats into perspective. It’s hard to distinguish the

Read More

1203, 2011

Rare Catastrophic Events and Infrastructure

René Pfeiffer/ March 12, 2011/ High Entropy

Most security administrators have to deal with risks and their management. If you read the news, then you will hear about lots of things that can go wrong for a multitude of reasons. A common tactic to get the required budget for securing infrastructure is to collect some horror stories and present them to management. Basically this is a polite form of blackmail. It might work, but there’s already enough fear and uncertainty spread through various media channels and word of mouth (or both). Now if you’re really interested in more stories about the End of your Data Days, why not go for earthquakes and global warming? Asteroids will do fine, too. But seriously, there’s some real thoughts behind this idea. The Internet is not strongly bound by geographical boundaries. The data of most

Read More

2708, 2010

Are Hackers Speeding on the Information Highway?

Mika/ August 27, 2010/ High Entropy

(or “Has our Security Crashed?”) I just came back from a discussion with our national CERT and took some thoughts back home: (TL;DR section at the end) I have the impression, that some of our security mechanisms, which seemed so sturdy and and healthy until recently, are turning soft and weak in our hands. The developments in the last few years were definitely on the fast lane, breaking all speed limits and no data-highway patrol was there to stop them from speeding. The traditional approach to define security mechanisms (let’s call them technical controls) doesn’t really seem right to me any more: Raise the bar to a level, where the remaining risk is acceptable for the next “X” years, assuming that technology advances at a certain rate. (Use a reasonable number of years for

Read More