Project Covert Operations and Zero Days – Controlled Compromise of Infrastructure and Code

René Pfeiffer/ April 21, 2021/ Discussion, High Entropy, Security/ 0 comments

Once you collect information, you will eventually have to decide on when to use which part for what reason. This is the dilemma of intercepting intelligence from an adversary and using it for defence (or offence). Once you act on your the knowledge no one else is supposed to have, then you will also disclose your capabilities. The digital world is full of these scenarios. The most recent case is a disclosure of Google’s Project Zero. The publication covered vulnerabilities dating back to the first half of 2020. As it turned out the discovery comprised 11 powerful weaknesses used to compromise iOS, Android and Microsoft® Windows devices. By publishing these vulnerabilities Project Zero essentially shut down a nine-month digital hacking operation by a Western government. Bugs in software have no labels. They may be

Read More

Murder Board Blog Series: Prequel

Sanna/ April 16, 2021/ Security, Stories/ 0 comments

[This is the first part of a five-part article series describing analogies between the world of IT security and research in other fields. Analogies are often used to deflect and conceal missing arguments. Didactics uses analogies as a powerful tool to explore your own understanding and to help you use your knowledge from other fields. Please use the articles of the Murderboard series (our name for the five-part article) for educating IT-affine people about information security. It’s never bad to have allies who understand what to look for in time of trouble.] It was a warm summer day when I got a call from an acquaintance who wanted to hire me for data protection coaching with one of his clients. Besides crime writing, I also work in data protection, helping self-employed people and small

Read More

Bug Disclosure Policies and the Eternal Discussion about Security ♨

René Pfeiffer/ March 15, 2021/ Discussion, High Entropy, Security/ 0 comments

In theory, there is the evolution from bug over to weakness, vulnerability and finally the exploit. Errors in code and application behaviour are interesting for any serious developer. Security researchers also look for bugs and ways to make code do something it wasn’t designed for. In the absence of critical failures in applications, the process of reporting bugs and getting them fixed everything is smooth and less prone to heated discussions (YMMV, some software projects feature persons with very strong opinions). All of this changes when the code can be remotely exploited. Enter the recent CVEs regarding the Microsoft® Exchange server. CVE-2021-26855 is as bad as it sounds. It is a remote code execution with low complexity requiring no user interaction and no privileges. Disclosure of bugs impacting security has a long history. Knowing

Read More

Management Console Access – Obscurity by Security and vice versa

René Pfeiffer/ February 28, 2021/ Discussion, Security/ 0 comments

Every discussion about security sooner or later connects to the wonderful word obscurity. Mentioning security by obscurity is a guaranteed way of losing sight of the facts. It is vital to actually fix weaknesses and introduce strong separation of systems when implementing security. Furthermore, the leakage of useful information to potential adversaries should be eliminated. That’s the theory. Enter the discussions we have witnessed in real life and in the Internet. A common tactic is to strip information from communication protocols that is not needed for transporting the message. Version numbers, host names, addresses, and other pieces of data are often removed when a server answers requests. Especially web applications send a ton of useful information to clients. You can see the structure of the web space, components used for rendering, server systems involved,

Read More

The Art of testing Code

René Pfeiffer/ February 4, 2021/ Discussion, High Entropy, Security/ 0 comments

The Twitterverse, various blogs, and some news portals published discussions about a bug in libgcrypt. The code contained a loop which could read past the end of a buffer. The error condition was found by using a test suite. Given the C code base of libgcrypt cases like this can often be found by using the static code analysing features of modern compilers. If you read the ticket concerning the particular overrun bug, then you will notice that it contains more than just the error description. The reason for emotional discussion around bugs are the many ways to find them. Modern compilers contain a lot of helpful tools to audit your code. Even if the compiler lacks auditing/testing features, you can resort to other tools such as Valgrind (which turned 20 years of age

Read More

Translated Article: EU Directive for “High-Class Cybersecurity” with Duplicate Keys

Sanna/ December 29, 2020/ Conference, Security, Stories/ 1 comments

EU-Richtlinie für „hochklassige Cybersicherheit“ mit Nachschlüsseln by Erich Moechel for fm4.ORF.at. The key message of the Council of Ministers’ resolution against secure encryption has already arrived in a first draft directive. For this reason here’s a historical outline of the new Crypto Wars since 2014. The resolution of the EU Council of Ministers against secure encryption, which resulted in so much criticism, has already appeared in a first draft directive. A corresponding passage can be found in the new draft directive on “Measures for high-quality cybersecurity in the Union”. The date of December 16 of the document shows that it was already drawn up before the Council resolution was passed (on December 19). Here, too, it is claimed that secure end-to-end encryption remains intact if duplicate keys are generated for third parties. Meanwhile the EU

Read More

Press Release: Digital Infrastructure should integrate Malware

Sanna/ July 22, 2020/ Conference, Press, Security

The German government wants to force Internet providers to install malicious software and intercept network traffic. Since the 1990s, there has been a constant struggle between authorities and security experts. One side wants to make digital infrastructure, especially data transport and communication, as secure as possible for business and society. The other side constantly strives for back doors to intercept data and correspondence. The fight for access to secure data transmissions, originally titled “Crypto Wars” is entering the next round. The German federal government has created a draft law that is intended to legally force Internet providers and companies with related activities to distribute malware and manipulate network traffic. In future, the installation of apps on smartphones or automatic software updates can compromise computer systems. This destroys the basis of digitalisation – with far-reaching

Read More

Translated Article: EU Council of Ministers discusses Back Doors in Encryption again

Sanna/ July 21, 2020/ Security, Stories

EU-Ministerrat diskutiert wieder Hintertüren in Verschlüsselung by Erich Moechel for fm4.ORF.at Gilles de Kerchove, EU’s anti-terror coordinator, is once again working against secure encryption per se. Since these new demands by law enforcement officials on the EU Council of Ministers are nowhere openly accessible, this confidential Council document is published in full by FM4. The corona virus pandemic has led to a surge in teleworking worldwide. Instead of behind firewalls in secure corporate networks, millions of employees worldwide work from insecure home offices. The only real protection is the end-to-end encryption (E2E) of the data traffic. In the middle of this scenario, the “Five Eyes” secret service alliance is starting the next phase of its global campaign against secure encryption. Again, police law enforcement is used as a vehicle. After the United States, the European protagonist

Read More

Translated Article: US bill against Secure Encryption of Chats

Sanna/ July 17, 2020/ Internet, Security, Stories

US-Gesetzesentwurf gegen sichere Verschlüsselung von Chats by Erich Moechel for fm4.ORF.at A new US law on “Access by law enforcement officers to encrypted data” is intended to force chat providers such as Signal or WhatsApp to incorporate back doors into their security architectures. In the United States, a bill is on its way to the Senate that has stunned the IT industry. The planned law on “Access by law enforcement officers to encrypted data” turns upside down all the rules that have been in force on the WWW for 25 years. Encrypted chats and data backup for a wide audience should therefore only be offered if the provider has duplicate keys. That would be the end of end-to-end encryption (E2E) from Signal, WhatsApp and others. The same applies to hardware manufacturers who have to provide access

Read More

Translated Article: Ten EU Countries already rely on decentralized Corona Virus Apps

Sanna/ May 12, 2020/ Security, Stories

Schon zehn EU-Staaten setzen auf dezentrale Coronavirus-Apps by Erich Moechel for fm4.orf.at Apple and Google also support the privacy-friendly, decentralized protocol DP-3T. Without technical support in the operating systems of these two groups, no app with Bluetooth tracing can deliver useful results. The decision by Austria and Switzerland to use a corona virus app with decentralized data storage (DP-3T) triggered a chain reaction. By Friday, ten EU countries had already left the large-scale “Pan-European Project for Data Protection-Compliant Person Tracing” (PEPP-PT). The centralized data collection of PEPP-PT leaves all possibilities for data mining open, a deanonymisation of the data is also included. Apple and Google, which support the DP-3T standard, are constantly publishing new specifications for the necessary app interfaces in Android and IOS. Without the support of these two companies, whose operating systems

Read More

Translated Article: Coup de grace beat Attackers of the Austrian Federal Ministry for European and International Affairs

Sanna/ March 12, 2020/ Security, Stories

Cyberhusarenstück schlug Angreifer im Außenministerium for fm4 by Erich Moechel [We translated this article, because DeepSec actively supports young talents and students. We are looking for organisation and companies that would like to help us in our support. Furthermore, we like to make Erich’s well-researched and well-written articles available for a wider audience.] It was young Technicians who fended off the dreaded cyber Troop Turla. After a short Time they cracked the tricky Encryption of the Turla Trojan. The National Security Council, which the NEOS party convened to discuss the cyberattack on the Federal Ministry for European and International Affairs, meets on Friday. NEOS criticize the cumbersome structures in cyber defence and, above all, that it is not ready to work properly. The quick defence of the notorious cyber troop (APT) Turla is rather

Read More

War Dialing Video Conference Systems

René Pfeiffer/ March 11, 2020/ Security

Do you remember the Golden Age of Wardialing? The idea back then was to try calling phone numbers and to see if a computer systems answers. This methods still works, because you can wardial any system with a suitable addressing scheme. VoIP wardialing is a lot easier since you do not need a modem. You just need to send signalling messages. Video conferencing systems are no exception. They have to do signalling, too. Furthermore, participants of a meeting need to join and leave. For joining there must be a process that authenticates participants. Usually you get a conference identification number and maybe a PIN code. Other systems require an account, so that you have to log in first. Finding conference rooms gets real easy if you just need an URL. The Bavarian Ministry of

Read More

DeepSec 2019 Talk: Abusing Google Play Billing for Fun and Unlimited Credits! – Guillaume Lopes

Sanna/ November 22, 2019/ Conference, Security

In 2017, the estimated global in-app purchase revenue was projected to exceed $37 billion. Just in the Google Play Store, for 2018, more than 200 000 apps are offering in-app purchases. However, the Google Play Billing API is vulnerable by design and allows an attacker to bypass the payment process. I analyzed several android games and found that it’s possible to bypass the payment process. This presentation will show real vulnerable applications (Fruit Ninja, Doodle Jump, etc.). We asked Guillaume a few more questions about his talk. Please tell us the top 5 facts about your talk. The vulnerability presented is really easy to exploit Client side issues are not dead in 2019! It seems nobody cares about losing money in the game industry… Very few vendors fixed their implementation Real vulnerable applications will

Read More

DeepSec 2019 Talk: S.C.A.R.E. – Static Code Analysis Recognition Evasion – Andreas Wiegenstein

Sanna/ November 11, 2019/ Conference, Security

Andreas Wiegenstein has expert advise for software security: Companies increasingly rely on static code analysis tools in order to scan (their) (custom) code for security risks. But can they really rely on the results? The typical SCA tool is designed to detect security issues in code that were created by accident / lack of skill. But how reliable are these tools, if someone intentionally places bugs in code that are not supposed to be found? This talk explores several nasty concepts how malicious code could be camouflaged in order to avoid detection by SCA algorithms. On a technical level, the following concepts are covered covert data flow deep call stacks circular calls source mining counter-encoding data laundering Based on this, I will provide some code snippets as proof of concept for the audience to

Read More

DeepSec 2019 Talk: Security Analytics and Zero Trust – How Do We Tackle That? – Holger Arends

Sanna/ November 8, 2019/ Conference, Security

For many years we’ve all been in an arms race, fighting daily against new malware varieties and new attack techniques that malicious actors use to fool us and compromise our systems. Many of us rely on state of the art safeguards and have invested tremendous amounts in defending our systems and networks, yet even so, important data is still leaked or important systems are compromised. Firewalls, IDS, IPS or SIEM systems are often unable to prevent or detect attacks. Questions are often raised: “why?” and “how?” is it possible these attacks stay undetected for long periods of time, considering the significant investments into cyber security. And so it seems obvious to say that with the introduction of IoT devices, unmanaged BYOD, combined with legacy systems and end to end encryption, the future will be

Read More