DeepSec 2013 Video: From Misconceptions To Failure – Security And Privacy In The US Cloud Computing FedRAMP Program

René Pfeiffer/ February 18, 2014/ Conference, Security

The „Cloud“ is the Fiddler’s Green of information technology. It’s a perpetual paradise built high above the ground where mortal servers and software dwell. Everyone strives to move there eventually, because once you are in digital paradise, all your sorrows end. So much for the theory. The reality check tells a different story. This is why we invited Mikhail A. Utin (Rubos, Inc.) to DeepSec 2013. He presented an in-depth analysis of the US government’s FedRAMP programme. „…However, regardless of numerous concerns expressed by information security professionals over CC services, US government developed the FedRAMP program and got funding for moving all federal information systems into a “cloud”. As we identified, all “cloud” misconceptions have successfully made it into FedRAMP documents. What should we expect from such a large scale experiment? What will

DeepSec 2013 Video: Bypassing Security Controls With Mobile Devices

René Pfeiffer/ February 11, 2014/ Conference, Security, Stories

Controls blocking the flow of data are an important defence measure. Usually you need them to enforce your organisation’s set of permissions. There are even fancy gadgets available to help you cope with data loss caused by unauthorised access. This only works in controlled environments. Fortunately the modern IT policy allows intruders to bring their own tools in order to circumvent security controls. Bring Your Own Device (BYOD) is all the fashion these days, and it really helps evade defence mechanisms. At DeepSec 2013 Georgia Weidman of Bulb Security LLC talked about what you can do with mobile devices and what you have to address when protecting your data. „…Companies are putting a lot of faith in these security mechanisms to stop the threats to mobile devices. In this talk we put

DeepSec 2013 Video: The Boomerang Effect – Using Session Puzzling To Attack Apps From The Backend

René Pfeiffer/ February 9, 2014/ Conference, Security

Attacking fortified positions head on looks good on the silver screen. Real life attackers have no sense for drama and special effects. Battering closed doors will get you nowhere fast. Instead modern adversaries take a good look at open doors and exploit them to get what they want. Security specialists know about the dangers of management interfaces (also known as backends). Denying unauthorised access to them is one main focus of defence. Once a backend is exposed, the consequences can be fatal to your digital assets. At the DeepSec 2013 conference Shay Chen (Hacktics ASC, Ernst & Young) explained what attacks originating from backends look like and what attackers can do once they have gained a foothold.

DeepSec 2013 Video: Top 10 Security Mistakes In Software (Development)

René Pfeiffer/ February 8, 2014/ Conference, Security, Stories

Everybody makes mistakes. It’s no surprise that this statement applies to software development, too. When you deal with information security it is easy to play the blame game and say that the application developers must take care to avoid making mistakes. But how does software development work? What are the processes? What can go wrong? Answering these questions will give you an insight into ways to avoid being bitten by bugs. Peter af Geijerstam of Factor 10 talked about security mistakes in software development in his presentation held at the DeepSec 2013 conference. We recommend his presentation for everyone dealing with information security, not just software developers.

DeepSec 2013 Video: Malware Datamining And Attribution

René Pfeiffer/ February 7, 2014/ Conference, Security

Popular culture totally loves forensics (judging by the number of TV shows revolving around the topic). When it comes to software, a detailed analysis can be very insightful. Most malicious software isn’t written from scratch. Some components are reused, some are slightly modified (to get past the pesky anti-virus filters). This means that (your) malware has distinct features which can be used for attribution and further analysis. In his talk at DeepSec 2013 Michael Boman explained what you do with malicious software in order to extract information about its origins. Use the traces of its authors to attribute malware to an individual or a group of individuals. It gives you an idea about the threats you are exposed to and is a good supplement to your risk assessment.

DeepSec 2013 Video: Trusted Friend Attack – (When) Guardian Angels Strike

René Pfeiffer/ February 6, 2014/ Conference, Internet, Security, Stories

We live in a culture where everybody can have thousands of friends. Social media can catapult your online presence into celebrity status. While your circle of true friends may be smaller than your browser might suggest, there is one thing that plays a crucial role when it comes to social interaction: trust. Did you ever forget the password to your second favourite social media site? If so, how did you recover or reset it? Did it work, and were you really the one who triggered the „lost password“ process? In a world where few online contacts can meet each other it is difficult for a social media site to verify that the person requesting a new password is really the individual who holds the account. Facebook has introduced Trusted Friends to facilitate the identity

DeepSec 2013 Video: Auditing Virtual Appliances – An Untapped Source Of 0-days

René Pfeiffer/ February 5, 2014/ Conference, Security, Stories

Appliances are being sold and used as security devices. The good thing about these gadgets is an improvement of your security (usually, YMMV as the Usenet folks used to write). The bad thing about inserting an unknown amount of code into your defence system is the yet-to-be-discovered flaws in its logic. In the old days you had to do some reverse engineering in order to find these bugs. Modern technology brings you the Magic of the „Cloud“™ – virtual appliances! Since everything runs under a hypervisor nowadays, your appliances have been turned into binary images which can be moved around and started anywhere you like. At DeepSec 2013 Stefan Viehböck of SEC Consult spoke about the advantages of virtual appliances and their benefit for security analysis. It seems the „Cloud“ has

DeepSec 2013 Video: The Economics Of False Positives

René Pfeiffer/ February 4, 2014/ Conference, Discussion, Security

Once you set up alarm systems, you will have to deal with false alarms. This is true for your whole infrastructure, be it digital or otherwise. When it comes to intrusion detection systems (IDS) you will have to deal with false positives. Since you want to be notified of any anomalies, you cannot ignore alarms. Investigating false alarms creates costs and forces you to divert efforts from other tasks of your IT infrastructure. In turn attackers can use false positives against you, if they know how to trigger them and use them in heaps. Where do you draw the line? In his presentation at DeepSec 2013 Gavin ‘Jac0byterebel’ Ewan (of Alba13 Research Labs) introduced an interesting approach to deal with false positives: „…Taking false positive figures from a number of real business entities ranging

DeepSec 2013 Video: Uncovering your Trails – Privacy Issues of Bluetooth Devices

René Pfeiffer/ February 3, 2014/ Conference, Security

Devices with Bluetooth capabilities are all around us. We have all gotten used to it. Smartphones, laptops, entertainment electronics, gaming equipment, cars, headsets and many more systems are capable of using Bluetooth. Where security is concerned, Bluetooth was subject to hacking and security analysis right from the start. Bluedriving, Bluejacking, cracking PIN codes, and more severely strained its security record. Either people have forgotten Bluetooth’s past, ignore it, or have it turned off. At DeepSec 2013 Verónica Valeros and Sebastián García held a presentation which revisits the information Bluetooth devices transmit into their environment. They developed a suite to do Bluedriving more efficiently and shared their findings with the DeepSec audience. If you think Bluetooth is not a problem any more, you should take a look at their talk.

DeepSec 2013 Video: Effective IDS Testing – The OSNIF’s Top 5

René Pfeiffer/ January 30, 2014/ Conference, Security

Intrusion detection systems can be a valuable defence mechanism – provided you deploy them correctly. While there are some considerations to your deployment process, these devices or software installations require some more thought before you choose a specific implementation. Testing might be a good idea. If you want to detect intruders, then it would be nice if your IDS can do the job. How do you find out? Well, in theory you could use the specifications of the IDS systems as published by the vendors/developers. In practice this information lacks the most important figure: How many intrusions can you detect in a given time frame? True, you have to deal with specific signatures of attacks, so comparing isn’t easy if you use different sets of rules. Then again some IDS engines have their own

DeepSec 2013 Video: Hacking Medical Devices

René Pfeiffer/ January 29, 2014/ Conference, Security

Modern technology expands into various areas of our lives all on its own. Medical facilities also use networks and networked devices. This makes sense, since monitoring vital signs creates data you want to transport to your staff. Regardless of the technology used, once you expose the device to the outside world it needs to be hardened against tampering and abuse. The U.S. Food and Drug Administration (FDA) is aware of this issue and has published a recommendation regarding the security of medical devices. „…manufacturers and health care facilities take steps to assure that appropriate safeguards are in place to reduce the risk of failure due to cyberattack, which could be initiated by the introduction of malware into the medical equipment or unauthorized access to configuration settings in medical devices and hospital networks…” At DeepSec

DeepSec 2013 Video: Finux’s Historical Tour Of IDS Evasion, Insertions, and Other Oddities

René Pfeiffer/ January 27, 2014/ Conference, Security

Ever since intrusion detection systems were put into operation, attackers have found ways to evade discovery. So what can you expect from the wonderful tools that are designed to detect intrusions? If you are looking for metrics which can easily be compared and have a connection to your typical production environment, then you are mistaken. There is no such thing as a magical box, ready to be installed to solve all your intrusion problems. Arron ‘Finux’ Finnon of Alba13 Labs held a presentation at DeepSec 2013 about this topic. He illustrated the evasion techniques used and discussed the history of IDS/IPS systems. If you follow the talk closely, you will understand why detection systems like IDS/IPS can work, but also why they’re set to fail at the same time.

Applied Crypto Hardening (ACH) Project

René Pfeiffer/ January 2, 2014/ Communication, Security

DeepSec 2013 featured a talk about the Applied Crypto Hardening (ACH) project. In the wake of the discussion about attacks on cryptography itself and on implementations of cryptographic standards, almost every aspect of encrypted communication needs to be reviewed. Since system administrators, developers, and other IT staff usually do not have the same expertise as crypto experts, the ACH project was formed. Its goal is to compile a reference for the best practice configuration of systems that use cryptographic components. The ACH guide covers SSL/TLS, virtual private networks (VPN), algorithms, key sizes, (pseudo) random generators, and more. The advice is targeted at everyone seeking to improve the cryptographic capabilities of software and appliances. Hardening crypto is part of the basic security measures everyone should take care of. It needs to become a habit, just like everything

DeepSec 2013 Talk: Bypassing Security Controls With Mobile Devices

René Pfeiffer/ November 15, 2013/ Conference, Security

How do you counter threats emerging from a new trend? Well, standard practice is to buy a new appliance, add-on, or similar magic trick. People currently do this with the trend of Bring Your Own Device (BYOD). Once you say yes to BYOD, you have just given Santa Claus (or your chief financial officer) more options for Christmas presents. There is Mobile Device Management (MDM in short), plus you can do a lot of filtering at the edge of your network(s). Still, mobile devices are a threat. At DeepSec 2013 Georgia Weidman of Bulb Security LLC will show you how the threats work in real environments. Testing whether your wonderful BYOD playground works for attackers can be done by taking your MDM’s promises to the limit. Let’s see if your MDM has ever heard of

DeepSec 2013 Talk: Supply Chain – The Exposed Flank

René Pfeiffer/ November 15, 2013/ Conference, Security, Stories

Securing your own perimeter is the prime task IT security teams are worried about. However, there is Murphy’s Law of Firewalls, too. Given a sufficient amount of time, business requirements will pierce a lot of holes in your firewall and your defences. Once you work with suppliers, you will have to deal with their perimeters as well. Your opponents will go for the weakest link, and if the links on your end are strong, then they go for your suppliers and partners. Dave Lewis of Akamai Technologies will talk about this problem in his talk at DeepSec 2013. It’s not only your immediate partners you have to think about. There are trading partner networks, code developed by offshore development centres and outsourced help desks. Even if you use security products you can get into
