I spy with my little Spy, something beginning with „Anti…“

René Pfeiffer/ June 27, 2015/ Discussion, High Entropy, Security

Anti-virus software developers made the news recently. The Intercept published an article describing details of what vendors were targeted and what information might be useful for attackers. Obtaining data, no matter how, has its place in the news since 2013 when the NSA documents went public. The current case is no surprise. This statement is not meant to downplay the severity of the issue. While technically there is no direct attack to speak of (yet), the news item shows how security measures will be reconnoitred by third parties. Why call it third parties? Because a lot of people dig into the operation of anti-virus protection software. The past two DeepSec conferences featured talks called „Why Antivirus Software fails“ and „Easy Ways To Bypass Anti-Virus Systems“. The Project Zero team at Google found a vulnerability in

Read More

Crypto Article: „Cornerstones of German Encryption Policy“ from 1999 are still in place

Sanna/ June 24, 2015/ Discussion, Security

We have some more translated news for you. In theory it is an article about policies and the process of law-making. In practice it concerns the use of encryption and everyone relying on service providers (mostly connected to the Internet, i.e. „cloud providers“). No matter how cool your start-up is and what its products aim to replace, information security will probably need a backdoor-free and working encryption technology as a core component. This is exactly why you cannot stay focused on the technology alone. Threats may come in the guise of new laws or regulations (think Wassenaar Arrangement). Matthias Monroy has some information about the official stance of the German government regarding the currently raging „crypto wars“. Enjoy! Federal Ministry of the Interior: The “Cornerstones of German encryption policy“ from 1999 still remain Source: netzpolitik.org Author: Matthias

Read More

New MJS Article: Trusting Your Cloud Provider – Protecting Private Virtual Machines

René Pfeiffer/ June 17, 2015/ Report, Security

Once you live in the Cloud, you shouldn’t spent your time daydreaming about information security. Don’t cloud the future of your data. The Magdeburger Journal zur Sicherheitsforschung published a new article by Armin Simma (who talked about this topic at DeepSec 2014). The Paper titled »Trusting Your Cloud Provider: Protecting Private Virtual Machines« discusses an integrated solution that allows cloud customers to increase their trust into the cloud provider including cloud insiders. This article proposes an integrated solution that allows cloud customers to increase their trust into the cloud provider including cloud insiders (e.g. administrators). It is based on Mandatory Access Control and Trusted Computing technologies, namely Measured Boot, Attestation and Sealing. It gives customers strong guarantees about the provider’s host system and binds encrypted virtual machines to the previously attested host. This article

Read More

Crypto Article: EU Economy needs secure Encryption

René Pfeiffer/ June 16, 2015/ Discussion, Security

Given the ongoing demonisation of cryptography we have translated an article for you, written by Erich Moechel, an ORF journalist. The use of encryption stays an important component for information security, regardless which version of the Crypto Wars is currently running. While most of the voices in news articles get the threat model wrong, there are still some sane discussions about the beneficial use of technology. The following article was published on the FM4 web site on 25 January 2015. Have a look and decide for yourself if the Crypto Wars have begun again (provided they came to an end at some point in the past). Maybe you work in this field and like to submit a presentation covering the current state of affairs. Let us know. EU Economy needs secure Encryption The EU technical bodies

Read More

Internet Protocol version 6 (IPv6) and its Security

René Pfeiffer/ February 3, 2015/ Internet, Security

Internet Protocol version 6 (IPv6) is not new. Its history goes back to 1992 when several proposals for expanding the address scheme of the Internet were discussed (then know by the name of IP Next Generation or IPng). A lot has happened since RFC 1883 has been published in 1996. Due to the deployment of IPv6 we see now implications for information security. Several vulnerabilities in the protocol suite have already been discussed. DeepSec 2014 features a whole training session and three presentations about the future protocol of the Internet. First Johanna Ullrich talked about a publication called IPv6 Security: Attacks and Countermeasures in a Nutshell. The paper gives you a very good view on the state of affairs regarding security and privacy weaknesses. It is strongly recommended for anyone dealing with the deployment

Read More

Encrypted Messaging, Secure by Design – RedPhone and TextSecure for iOS

René Pfeiffer/ February 2, 2015/ Communication, Security

Encrypted communication is periodically in the news. A few weeks ago politicians asked companies and individuals all over the world to break the design of all secure communication. Demanding less security in an age where digital threats are increasing is a tremendously bad idea. Cryptographic algorithms are a basic component of information security. Encryption is used to protect data while being transported or stored on devices. Strong authentication is a part of this as well. If you don’t know who or what talks to you, then you are easy prey for frauds. Should you be interested in ways to improve the security of your messaging and phone calls, we recommend watching the presentation of Dr. Christine Corbett Moran. She is the lead developer of the iOS team at Open WhisperSystems. She talks about bringing

Read More

Encryption – A brand new „Feature“ for Cars

René Pfeiffer/ February 2, 2015/ Internet, Security, Stories

At DeepSec 2011 Constantinos Patsakis and Kleanthis Dellios held a presentation titled “Patching Vehicle Insecurities”. They pointed out that the car is starting to resemble more to a computer with mechanical peripherals (incase you haven’t seen their talk,  please do!). This is true for all types, not only the modern cars powered by electricity alone. But there is more. Modern cars are connected to networks (i.e. the Internet or the mobile phone network). This means that your method of transportation is part of the dreaded Internet of Things. Given the design flaws we have seen in talks given at DeepSec, there is no surprise that this is a  breeding ground for major trouble. The Allgemeiner Deutscher Automobil-Club (ADAC), a German motoring association, discovered a lapse in the communication between BMW cars and the servers

Read More

BIOS-based Hypervisor Threats

René Pfeiffer/ November 20, 2014/ Discussion, High Entropy, Security

The DeepSec 2014 schedule features a presentation about (hidden) hypervisors in server BIOS environments. The research is based on a Russian analysis of a Malicious BIOS Loaded Hypervisor (conducted between 2007 and 2010) and studies published by the University of Michigan in 2005/2006 as well as 2012/2013. The latter publications discuss the capabilities of a Virtual-Machine Based Rootkits and Intelligent Platform Management Interface (IPMI) / Baseboard Management Controller (BMC) vulnerabilities. Out-of-band management is sensitive to attacks when not properly protected. In the case of IPMI and BMC the management components also play a role on the system itself since they can access the server hardware, being capable to control system resources. Combining out-of-band components with a hypervisor offers ways to watch any operating system running on the server hardware. Or worse. It’s definitely something

Read More

New Article for the DeepSec Proceedings Publication

René Pfeiffer/ November 15, 2014/ Conference, Security

In cooperation with the Magdeburger Institut für Sicherheitsforschung (MIS) we publish selected articles covering topics of past DeepSec conferences. The publication offers an in-depth description which extend the conference presentation and includes a follow-up with updated information. Latest addition is Marco Lancini’s article titled Social Authentication: Vulnerabilities, Mitigations, and Redesign. High-value services have introduced two-factor authentication to prevent adversaries from compromising accounts using stolen credentials. Facebook has recently released a two-factor authentication mechanism, referred to as Social Authentication (SA). We designed and implemented an automated system able to break the SA, to demonstrate the feasibility of carrying out large-scale attacks against social authentication with minimal effort on behalf of an attacker. We then revisited the SA concept and propose reSA, a two-factor authentication scheme that can be easily solved by humans but is robust

Read More

Back from 44CON – Conference Impressions

René Pfeiffer/ September 21, 2014/ High Entropy, Security, Stories

If you haven’t been at 44CON last week, you missed a lot of good presentations. Plus you haven’t been around great speakers, an excellent crew, “gin o’clock” each day, wonderful audience, and great coffee from ANTIPØDE (where you should go when in London and in desperate need of good coffee). Everyone occasionally using wireless connections (regardless if Wi-Fi or mobile phone networks) should watch the talks on GreedyBTS and the improvements of doing Wi-Fi penetration testing by using fake alternative access points. GreedyBTS is a base transceiver station (BTS) enabling 2G/2.5G attacks by impersonating a BTS. Hacker Fantastic explained the theoretical background and demonstrated what a BTS-in-the-middle can do to Internet traffic of mobile phones. Intercepting and re-routing text messages and voice calls can be done, too. Implementing the detection of fake base stations

Read More

New Use Cases for Bitcoin

Mika/ May 30, 2014/ Security, Stories

Although I’m new in the Bitcoin world I had a quite promising start. Earlier this month I was able to visit the Bitcoin Conference in Amsterdam and had some very good conversations with core developers from the Bitcoin Foundation and to my honor also the chance to talk to Gavin Andreesen, long-time lead developer and now chief scientist of the Bitcoin Foundation. At DeepSec our first contact with Bitcoin was in 2012 when John Matonis, now Executive Director and Board Member of the Bitcoin Foundation, talked about the evolution of e-Money.  But since then we hadn’t intense contact. Tomorrow I will visit the Bitcoin Expo in Vienna and hope to meet new people in the community and discuss the latest trends and developments. The fascinating thing about Bitcoin and the global block-chain is the

Read More

Talk about Cryptography and the NSA’s Capabilities

René Pfeiffer/ March 31, 2014/ Discussion, Security, Veranstaltung

The published documents about the NSA’s capabilities have led to a review of cryptographic tools. Mastering SSL/TLS by itself can be tricky. This is especially true if you have to deal with clients that do not take advantage of the latest TLS protocols. System administrators and developers are well advised to keep an eye on the capabilities of libraries and the algorithms available for securing network communication. We recommend to have a look at the publication of the Applied Crypto Hardening project in case you wish to review your crypto deployment. The standardisation of cryptographic methods has been criticised as well. Apart from the flawed Dual Elliptic Curve Deterministic Random Bit Generator (Dual_EC_DRBG) there is a lot of discussion going on where the practices of standardisation are being questioned. Given the design problem in

Read More

DeepSec 2013 Video: Europe In The Carna Botnet

René Pfeiffer/ February 25, 2014/ Conference, Security

Botnets serve a variety of purposes. Usually they are used to send unsolicited e-mail messages (a.k.a. spam), attack targets by sending crafted data packets, or to perform similar activities. The Carna Botnet was created by an anonymous researcher to scan the IPv4 Internet. The creator called the botnet the Internet Census of 2012. The nodes of the botnet consist of virtually unsecured IPv4 devices – modems and other network equipment. Point of entry where mostly Telnet management interfaces exposed to the Internet. Analysing the devices that were part of the Carna Botnet is well worth the effort. This is why we invited Parth Shukla (Australian Computer Emergency Response Team, AusCERT) to present his findings about the Carna Botnet at DeepSec 2013. „A complete list of compromised devices that formed part of the Carna Botnet

Read More

DeepSec 2013 Video: Future Banking And Financial Attacks

René Pfeiffer/ February 24, 2014/ Conference, Security

Predicting the future is very hard when it comes to information technology. However in terms of security analysis it is vital to keep your head up and try to anticipate what attackers might try next. You have to be as creative as your adversaries when designing a good defence. This is why we invited Konstantinos Karagiannis (BT) to DeepSec 2013.  Konstantinos has specialized in hacking banking and financial applications for nearly a decade. Join him for a look at the most recent attacks that are surfacing, along with coming threats that financial organizations will likely have to contend with soon.

DeepSec 2013 Video: Hack The Gibson – Exploiting Supercomputers

René Pfeiffer/ February 22, 2014/ Conference, Security

Hey, you! Yes, you there! Want to get root on thousands of computers at once? We know you do! Who wouldn’t? Then take a good look at supercomputers. They are not a monolithic and mysterious as Wintermute. Modern architecture links thousands of nodes together. Your typical supercomputer of today consists of a monoculture of systems running the same software. If you manage to break into one node, the chances are good that you have access to all nodes. That’s pretty neat. At DeepSec 2013 John Fitzpatrick and Luke Jennings of MWR InfoSecurity talked about their tests with supercomputers. Their presentation covers the research and demonstrates some of the most interesting and significant vulnerabilities they have uncovered so far. They also demonstrated exploits and previously undocumented attack techniques live so you can see how to

Read More