National-Security-in-the-Middle Attack – the Crypto Wars continue

René Pfeiffer/ December 3, 2015/ High Entropy, Internet, Odd

National security has officially reached the SSL/TLS infrastructure – at least in Kazakhstan. The Google cache features an article published by the Kazakhtelecom JSC where the introduction of a so-called national security certificate for Internet users was proudly announced. We show you some parts of the original text for educational purposes, because we have never seen the announcement of a backdoor to communication channels in this glorious manner. From 1 January 2016 pursuant to the Law of the Republic of Kazakhstan «On communication» Committee on Communication, Informatization and Information, Ministry for investments and development of the Republic of Kazakhstan introduces the national security certificate for Internet users. According to the Law telecom operators are obliged to perform traffic pass with using protocols, that support coding using security certificate, except traffic, coded by means of cryptographic information protection

Read More

Social Engineering: Cold Call Warning (EHS, EHM)

René Pfeiffer/ September 8, 2015/ Administrivia, Odd

While we have a workshop on social engineering for you at DeepSec 2015, we do not do any trainings or exercises before the DeepSec event starts. A speaker alerted us that he got a cold call from a company offering cheap rates for accommodation. In case you have received any call from Exhibition Housing Management (EHM) and Exhibitors Housing Services (EHS), you can safely hang up. Both organisations have been used for scams in the past. Apparently they are alive and kicking. We thank EHS/EHM for providing exercise material and contact data for use during the conference.

Dual Use Equation: Knowledge + Vulnerability = “Cyber” Nuclear Missile

René Pfeiffer/ June 21, 2015/ Discussion, High Entropy, Legal, Odd

We all rely on software every  day, one way or another. The bytes that form the (computer) code all around us are here to stay. Mobile devices connected to networks and networked computing equipment in general is a major part of our lives now. Fortunately not all systems decide between life or death in case there is a failure. The ongoing discussion about „cyber war“, „cyber terrorism“, „cyber weapons of mass destruction“, and „cyber in general“ has reached critical levels – it has entered its way into politics. Recently the Wassenaar Arrangement proposed a regulation on the publication of exploited (previously unknown) vulnerabilities in software/hardware, the so-called „0days“. The US Department of Commerce proposed to apply export controls for 0days and malicious software. While the ban is  only intended for „intrusion software“, it may

Read More

High Availability is not Redundancy

Mika/ October 11, 2012/ High Entropy, Odd

This is about the “A” in the CIA triad of security: Confidentiality, Integrity, Availability Just recently I was a witness of an incident where the failure of a perceived redundant system caused an outage of more than 5 hours of the central IT services of a multinational/intercontinental enterprise. Vital services like VoIP calls and conference bridges (which were interrupted with high profile customers) , SAP, e-mail, central file services, CAD, order processing, printing of delivery notes and therefore loading of trucks, processing of EDIFACT-based orders and invoices, etc. were unavailable for most of the 20.000 employees and customers worldwide during this black-out. What happened? Some when in the morning we noticed a lot of commotion in the department (open plan office) and quite soon it was obvious that all network based services were out

Read More

Five Million, quick and easy!

Mika/ February 19, 2012/ High Entropy, Odd, Security Intelligence

A good friend and former colleague of mine asked me recently, whether I could give him a tip how to make 5M quick and easy. My answer was “Nothing I could think of which doesn’t involve a lot of nasty things and imply a long stay in jail”. But that’s not what I wanted to discuss here, although it’s somehow related: We had a couple of talks at the DeepSec which shed a little light on the underground economy and I also started to take some dives into the “Deepnet” to get acquainted with jargon, topics, trends and so on. Btw: NO, no details on this: not what I have visited, not when or how I registered there, I don’t wanna get doxed (1), these guys can get nasty and we don’t need another

Read More

0zapftis revisited – 0ktoberfest for Security Researchers

René Pfeiffer/ October 11, 2011/ High Entropy, Odd

The CCC analysis of the malicious software bought and used by the German government has put our blog schedule and RSS reading habits out of balance. Frankly our necks hurts because we constantly shake our heads since the PDF of the analysis was published. We have talked to journalists who showed interested in the design of the malware. It’s very hard not to go into rant or BOFH mode when talking about the design and the use of the trojan horse. You have to use quite some Zen skills to stay focused and to see what we have here. In fact the whole discovery and the avalanche of questions raining down on German officials marks a turning point for the significance of computer security. Furthermore it is a perfect example of all the problems

Read More

Analysis of Governmental Malware

René Pfeiffer/ October 9, 2011/ Odd, Security, Stories

There is a ongoing discussion about the use of malicious software for criminal investigations. German and Austrian agencies use the term „Online-Durchsuchung“ (online search) or „Quellen-Telekommunikationsüberwachung“ (source telecommunications surveillance) for investigative measures that cover the source of telecommunication messages (which is usually a suspect’s computer or telephone). In context with malicious software used for this purpose the unofficial term „Bundestrojaner“ (federal trojan horse) was coined. On 27 Februar 2008 the German Federal Constitutional Court ruled that the online search and Internet surveillance rules violate the German constitution and have to be reviewed (you can read the explanation of the Court in German here). Yesterday the Chaos Computer Club (CCC) published a detailed analysis of a „lawful interception malware“. The results have a profound impact on security since the design of the malware allows attackers

Read More

When Blackholes backfire…

Mika/ September 15, 2011/ Internet, Odd, Stories

According to our current scientific folklore nothing will ever come out of a black hole, no matter or particles, no light, no information. But black holes in networking  can backfire from time to time. Of course I’m talking about “black-holing” Internet traffic, a strategy often used on backbones to defend against attacks, specifically flooding, DDoS and the like. Here is a little story about black hole routing that actually happened, the involved ISP and the victim will not be disclosed for hopefully obvious reasons: Black Hole Routing The specific case I want to talk about is not the common black hole routing explained nicely by Jeremy Stretch on Packetlife which drops traffic to a victim of a DDoS attack. Instead I focus on the “advanced” version of this: RFC 5635: Remote Triggered Black Hole

Read More