DeepSec Video: Have We Penetrated Yet??

René Pfeiffer/ February 25, 2016/ Conference, Security

Testing the defences of a network,  applications, or infrastructure can be tough. Often you spend lots of days, the results not being proportionate to the time spent. How do you assess success when doing penetration testing? How to test, what tools to use, and who should be doing the testing? Johnny Deutsch has some answers for you. He held a presentation at DeepSec 2015 about this topic. We recommend watching this presentation to everyone thinking about requesting a penetration test or, of course, everyone actually doing these tests.

DeepSec Video: Continuous Intrusion – Why CI Tools Are an Attacker’s Best Friends

René Pfeiffer/ February 24, 2016/ Conference, Security

Software development has made tremendous progress in the past decades. Tools to develop and to deploy applications have evolved. The trouble is that these tools often lack security design. Attacking software distribution channels such as update servers, package managers, and ISO downloads have been discussed widely in the past. What about the new kids on the bloc? Continuous Integration (CI) tools provide excellent attack surfaces due to no/poor security controls, the distributed build management capability and the level of access/privileges in an enterprise. At DeepSec 2015 Nikhil Mittal looked at the CI tools from an attacker’s perspective, using them as portals to get a foothold in a target’s network and for lateral movement. He showed how to execute attacks like command and script execution, credentials stealing, and privilege escalation; how to not only compromise the

Read More

DeepSec Video: HORNET – High-speed Onion Routing at the Network Layer

René Pfeiffer/ February 22, 2016/ Conference, Internet, Security

Given that reconnaissance is the first step of a successful attack, anonymity has become more important than ever. The Invisible Internet Project (I2P) and the TOR project are prominent tools to protect against prying eyes (five or more). TOR is widely used. Users of anonymity services will notice that the price for extra protection is less speed in terms of latency and probably bandwidth. Researchers have published a method to attain high-speed network performance, called HORNET. HORNET is designed as a low-latency onion routing system that operates at the network layer thus enabling a wide range of applications. Our system uses only symmetric cryptography for data forwarding yet requires no per-flow state on intermediate nodes. This design enables HORNET nodes to process anonymous traffic at over 93 Gb/s. At DeepSec 2015 Chen Chen explained

Read More

DeepSec Video: HackingTeam – How They Infected Your Android Device By 0days

René Pfeiffer/ February 20, 2016/ Conference, Discussion, High Entropy, Security

Backdoors are very popular these days. Not only cybercrime likes extra access, governments like it too. There’s even a lucrative market for insecurity. You can buy everything your IT team defends against legally. Hacking Team is/was one of the companies supplying 0days along with intrusive software to take over client systems. Attila Marosi explained at DeepSec 2015 how products of Hacking Team were used to attack and compromise Android clients. There is no need to make a long introduction when speaking about the famous Remote Control System (RCS), the product of the Italian company Hacking Team. The huge amount – 400 GB – of leaked data gives rise to lengthy discussion and is extremely concerning for every part of the professionally, politically or even those superficially interested only. Enjoy Attila’s presentation. Be careful about

Read More

DeepSec Video: ZigBee Smart Homes – A Hacker’s Open House

René Pfeiffer/ February 19, 2016/ Conference, Security, Stories

The data protocols of SmartHomes are the FBI’s wet dream. Why? Because they have no security design. Take ZigBee for example. ZigBee is one of the most widespread communication standards used in the Internet of Things and especially in the area of smart homes. If you have for example a smart light bulb at home, the chance is very high that you are actually using ZigBee by yourself. Popular lighting applications such as Philips Hue or Osram Lightify and also popular smart home systems such as SmartThings or Googles OnHub are based on ZigBee. ZigBee provides also security services for key establishment, key transport, frame protection and device management that are based on established cryptographic algorithms. So a ZigBee home automation network with applied security is secure and the smart home communication is protected?

Read More

DeepSec Video: Not so Smart – On Smart TV Apps

René Pfeiffer/ February 18, 2016/ Conference, Security

„Smart“ follows the footsteps of „cyber“. Everything is smart nowadays. The problem is that using smart in this context just means a combination of „Turing complete“ and „connected to the Internet“. That’s it. This is a pretty low barrier for calling something „smart“. t DeepSec 2015 Markus Niemietz held a presentation about the state of affairs concerning SmartTVs where security is concerned: One of the main characteristics of Smart TVs are apps. Apps extend the Smart TVs menu with various functionalities, ranging from usage of social networks or payed streaming services, to buying articles on Ebay. These actions demand usage of critical data like authentication tokens and passwords, and thus raise the question of new attack scenarios and the general security of Smart TV apps. We investigate attack models for Smart TVs and their

Read More

DeepSec Video: illusoryTLS – Nobody But Us. Impersonate,Tamper and Exploit

René Pfeiffer/ February 15, 2016/ Conference, Internet, Security

Cryptographic backdoors are a timely topic often debated as a government matter to legislate on. At the same time, they define a space that some entities might have practically explored for intelligence purposes, regardless of the policy framework. The Web Public Key Infrastructure (PKI) we daily rely on provides an appealing target for attack. The entire X.509 PKI security architecture falls apart if a single CA certificate with a secretly embedded backdoor enters the certificate store of trusting parties. Do we have sufficient assurance that this has not happened already? Alfonso De Gregorio presented at DeepSec 2015 his findings and introduced illusoryTLS. Aptly named illusoryTLS, the entry is an instance of the Young and Yung elliptic curve asymmetric backdoor in the RSA key generation. The backdoor targets a Certification Authority public-key certificate, imported in

Read More

DeepSec Video: Measuring the TOR Network

René Pfeiffer/ February 13, 2016/ Conference, Internet, Security

A lot of people use TOR for protecting themselves and others. Fortunately the TOR network is almost all around us. But what does it do? How can you get access to metrics? TOR is an anonymisation network and by design doesn’t know anything about its users. However, the question about the structure of the user base often arises. Some people are just interested in the size of the network while others want details about the diversity of its users and relays. Furthermore, TOR is used as a circumvention tool. It is interesting to automatically detect censorship events and to see how the number of users changes in those countries. TOR’s measurement team tries to give answer to those (and more) questions. At DeepSec 2015 Jens Kubieziel explained the collection of different data and how

Read More

DeepSec Video: Cryptographic Enforcement of Segregation of Duty within Work-Flows

René Pfeiffer/ February 12, 2016/ Conference, Security

Calling for encryption and implementing it may be easy at a first glance. The problem starts  when you have to grant access to data including a segregation of duty. Workflows with Segregation-of-Duty requirements or involving multiple parties with non-aligned interests (typically mutually distrustful) pose interesting challenges in often neglected security dimensions. Cryptographic approaches are presented to technically enforce strict auditability, traceability and multi-party-authorized access control and thus, also enable exoneration from allegations. At DeepSec 2015 Thomas Maus held a presentation explaining the problems and possible solutions.

DeepSec Video: Agile Security – The Good, The Bad, and mostly the Ugly

René Pfeiffer/ February 11, 2016/ Conference, Security

How do you manage your technical and operational security? Do you follow a model? If so, what’s the flavour? Do you borrow concepts from software development? In case you do or you plan to do, then Daniel Liber might have some ideas for you. At DeepSec 2015 he held a presentation about Agile and a possible relation to information security. Buzzwords about Agile are flying around in overwhelming speed, talks about Scrum, Kanban, XP and other methodologies and practices are thoroughly discussed while security is still left as a ‘high level’ talk, or, sometimes, as understanding how to adapt from traditional development methodologies. Some best practices will leave you scratching your head, unsure what was the original intention and without understanding how to implement security in Agile, effectively. This talk will help security engineers,

Read More

DeepSec Video: How to Break XML Encryption – Automatically

René Pfeiffer/ February 10, 2016/ Conference, Security

XML is often the way to go when exchanging information between (business) entities. Since it is older than the widespread adoption of SSL/TLS, there is a special standard called XML Encryption Syntax and Processing. You can use XML encryption to encrypt any kind of data. So far, so good. But In recent years, XML Encryption became a target of several new attacks. These attacks belong to the family of adaptive chosen-ciphertext attacks, and allow an adversary to decrypt symmetric and asymmetric XML ciphertexts, without knowing the secret keys. In order to protect XML Encryption implementations, the World Wide Web Consortium (W3C) published an updated version of the standard. Juraj Somorovsky (Ruhr University Bochum) held a presentation at DeepSec 2015 explaining what these attacks look like. .

DeepSec Video: Hacking Cookies in Modern Web Applications and Browsers

René Pfeiffer/ February 9, 2016/ Conference, Internet, Security

Cookies are solid gold when it comes to security. Once you have logged in, your session is the ticket to enter any web application. This is why most web sites use HTTPS these days. The problem is that your browser and the web applications needs to store these bits of information. Enter cookie hacking. A lot has changed since 1994,  and Dawid Czagan of Silesia Security Lab held  presentation at DeepSec 2015 about what you can and cannot do with cookies in modern web applications and browsers. Learn about user impersonation, remote cookie tampering, XSS and more. .

DeepSec Video: File Format Fuzzing in Android – Giving a Stagefright to the Android Installer

René Pfeiffer/ February 6, 2016/ Conference, Security

The Stagefright exploit haunts the Android platform. The vulnerability was published in Summer 2015. It gives attackers a way to infect Android smartphones by using multimedia files such as pictures, text, and videos. This is a perfect vector since most people will look at media instantly. Dr. Aleksandr Yampolskiy gave a presentation at DeepSec 2010 about malicious software hidden in multimedia (the talk was aptly titled Malware goes to the Movies). So what if there are more bugs like this in the Android platform? Enter fuzzing technology. Alexandru Blanda spoke at DeepSec2015 about fuzzing on the Android platform. This approach can be used to uncover different types of vulnerabilities inside multiple core system components of the Android OS. Since these vulnerabilities affect critical components of the Android system, the impact of the results will

Read More

DeepSec Video: Chw00t: How To Break Out from Various Chroot Solutions

René Pfeiffer/ February 4, 2016/ Conference, Security

Information security borrows a lot of tools from the analogue world. Keys, locks, bars, doors, walls, or simply jails (to use a combination). Most operating systems support isolation of applications in various levels. You may call it change root (or chroot) or even jails environment. The containment is not perfect, but it helps to separate applications and to have a better control of the access to resources. Breaking out of chroots is possible, and there are various ways to do this. So preparing a tight configuration is the key. At DeepSec 2015 Balazs Bucsay held a presentation about how to create a reasonably “secure” chroot environment or how to breakout from a misconfigured one. If you a considering to use chroots/jails as a way to build compartments, make sure you know what you are

Read More

DeepSec Video: Building a Better Honeypot Network

René Pfeiffer/ February 3, 2016/ Conference, Security

„It’s a trap!“ is a well-known quote from a very well-known piece of science fiction. In information security you can use bait to attract malicious minds. The bait is called honeypot or honeynet (if you have a lot of honeypots tied together with network protocols). A honeypot allows you to study what your adversaries do with an exposed system. The idea has been around for over a decade. There’s even a guide on how to start. Josh Pyorre has some ideas how you can extend your basic honeypot in order to boost the knowledge gain. At DeepSec 2015 he showed the audience how to process attack-related data, to automate analysis and create actionable intelligence. Why else would you run a honeypot? So go forth and multiply the output of your honeynet!