1311, 2012

DeepSec 2012 Showcase: Cuteforce Analyzer

René Pfeiffer/ November 13, 2012/ Discussion, Security

The University of Applied Sciences Upper Austria will be showing the Cuteforce Analyzer at DeepSec 2012. This beast is a massively parallel computing cluster for cryptographic applications. The goals of this project was to develop a cluster framework and to evaluate suitable hardware. The cluster itself utilises two different types of co-processors, namely the well-known graphics processing units (GPUs) also used in super-computing, and field-programmable gate arrays (FPGAs). Both types of processors have their strength and weaknesses, both depending on the algorithm being executed on the hardware. The cluster framework connects both hardware platforms, and assigns computing tasks according to the advantages of the co-processor. Thus you get to use all the advantages; in addition the framework software makes sure that you can use the different hardware processors as a whole. The research team

Read More

0811, 2012

DeepSec 2012 Talk: Pentesting iOS Apps – Runtime Analysis and Manipulation

René Pfeiffer/ November 8, 2012/ Conference, Security

Since one of the focus topics of DeepSec 2012 deals with mobile computing and devices, we asked Andreas Kurtz to elaborate on his presentation about pentesting iOS apps: „Apple’s iPhone and iPad are quite trendy consumer devices, and have become increasingly popular even in enterprises nowadays. Apps, downloaded from the AppStore or developed in-house, are supposed to completely change and optimize the way of work. Suddenly, managers have access to business intelligence information, data warehouses and financial charts on their mobile devices: Apps are used as front ends to executive information systems and, thus, are carrying around loads of sensitive data. At a first glance it seems, that there’s nothing new on it. Indeed, it is quite common to remotely access critical business data. However, the popularity of mobile devices, combined with the sensitive

Read More

0511, 2012

Alien Technology in our Datacenters

Mika/ November 5, 2012/ High Entropy, Security, Stories

Sometimes when I watch administrators at work, especially when I start to ask questions, I get an uneasy feeling: “this is not right”. As it turns out many of the people who maintain, manage and configure IT or communication equipment don’t understand the technology they are using. At least not in depth. Mostly they have a rough idea what it’s all about but cannot explain in detail how it works and cannot predict what will happen if a few changes are made to the setup. Although I couldn’t put my finger on it I had a familiar feeling, something like a déjà-vu. Just recently when I browsed through my bookshelves it suddenly became clear: I reached for a science fiction classic, “Gateway” by Frederic Pohl which describes an alien race, the “Heechee”, which have

Read More

0511, 2012

Talk about Data Loss Prevention

René Pfeiffer/ November 5, 2012/ Security

We will be presenting a talk about data loss prevention (DLP) on 9 November 2012 at the IT-Security Community Xchange 2012 (IT-SecX 2012) in St. Pölten, Lower Austria. DLP is a good example for measuring the security of your IT infrastructure. Keeping data in is as important as keeping attackers out these days. The tricky part is to know what data you have and where it lives. We will discuss how to approach DLP in terms of preparation, planning and implementation. In case you are in Austria you can meet us at the IT-SecX 2012. The event is organised by the University of Applied Sciences St. Pölten.

0211, 2012

DeepSec 2012 Training: SAP Security In-Depth

René Pfeiffer/ November 2, 2012/ Security, Training

Your SAP installation is probably the most critical system in your company’s infrastructure. At the same time the informations accessed and processed by SAP systems origin from many sources. Securing infrastructure with this complexity is not an easy task, and testing your security measures requires a great deal of knowledge and training. In addition your will probably run web services talking to your SAP system – which is quite handy for attackers. In case you are short on knowledge about your own SAP deployment, there’s help. There will be an SAP security workshop at DeepSec 2012! The SAP Security In-Depth training will show you how to find out if your SAP infrastructure is secured. Knowing about segregation of duties and securing roles and profiles is fine in theory, but you have to make sure

Read More

3110, 2012

Zombies at the Hospital

René Pfeiffer/ October 31, 2012/ High Entropy, Security

It’s 31 October, so we have to talk about these zombies. You know them from the horror films. Dead, evil, and always hungry for brains (the latter also being true for any self-respecting HR department). Security researchers know a different kind of zombie. A zombie computer is a machine or device infected by a computer virus. It is considered compromised and contains additional features such as information retrieval, remote access or anything else you can put into code. Usually this is undesirable and fought with anti-virus software or (even better) strict security procedures. Now let’s combine the two types of zombies and add a spiffy virus outbreak into the mix. To go even further cinematic we use a hospital as the stage. Too unrealistic? On the contrary, hospitals do have a virus and zombie

Read More

2010, 2012

Groundhog Day (Not a Film Review)

Mika/ October 20, 2012/ High Entropy, Security

Recently there was a re-run of the movie “Groundhog Day” on German TV and after a while I felt a familiar feeling: Our security efforts are a lot like the story. The protagonist is caught in something like a time-loop until he gets everything right. A previously cynical, disrespecting, arrogant and selfish news reporter wakes up every morning to the same scene: The alarm clock switches to 6:00 in the morning, the radio plays “I got you babe” and the same day repeats over and over again. During the first iterations he doesn’t change his behavior, being quite a discomforting guy until he realizes that slight changes can make a big difference. He is only relieved from this situation after he gets everything right: Being nice to his former school schoolmate, changing the tires

Read More

2709, 2012

DeepSec 2012 Talk: Breaking SAP Portal

René Pfeiffer/ September 27, 2012/ Conference, Security

SAP products are very widespread in the corporate world. A lot of enterprises run SAP software for a whole variety of purposes. Since enterprises feature many levels of interconnection, there is also a great deal of exposing going on. Usually you do this by means of using portals. The term „portal“ is a trigger for penetration testers, because portals are the gateways to curiosity – and probably compromises. This may give an attacker access to systems that store all informations about your company and process all critical business transactions. You now have compelling reasons to attend DeepSec 2012 for we have a collection of SAP security talks and a workshop for you. Alexander Polyakov talks about how to attack SAP Portal. It is usually connected to the Internet. In turn the Internet is connected

Read More

3008, 2012

Security in Serious Fun

René Pfeiffer/ August 30, 2012/ Discussion, High Entropy, Security

In case you keep track of our tweets, you may have noticed that we approach the topic of security humorously sometimes, and because there is a lot of potential for misunderstanding we’d like to explain why we do this. It’s not all about who scores the best puns. It has a serious background, and it helps to keep a minimum distance to problems you are dealing with. Security has a strong link to the agenda of a person, a group, a company or a nation. Consider a fatal flaw in a major software package. The typical actors connected to this bug are the group/person who found it, the group/person who published it (not necessarily the same as the discoverers), the developers of the software (could be a community or a company or both), the

Read More

2708, 2012

Take-Away Security Tools Probably Aren’t

René Pfeiffer/ August 27, 2012/ Discussion, Security

You have probably read one of the many reviews of security tools published in the depths of the Internet. A lot of magazines feature articles with the headline „Top n Tools for $TASK“. While reviews are a nice way of being introduced to new things, especially tools and software, you have to be careful when it comes to reviewing the security aspects of code or your new favourite tool. First of all you cannot analyse the security design and possible flaws by reading the FAQ section of the project web site or the user manual. You have to evaluate the code and the components it uses. Don’t be fooled or distracted by encryption for it doesn’t necessarily secure anything. Getting a security design right is very hard, and sprinkling cryptography over serious design flaws

Read More

2008, 2012

Wireless (Wi-Fi) Security Interview

René Pfeiffer/ August 20, 2012/ Discussion, Press, Security, Stories

Today we had a visit from an Austrian television crew to answer some short questions about wireless security. It’s too bad that journalists always look for „hackers“ who „hack something“. While we had no idea what they were talking about, we delivered a short summary of wireless security. For most of you this is old news, but for a broad audience in front of TV sets it’s still a mystery. Usually no one really know what the difference between WPA and WPA2 is. In addition you have WEP and WPS, in-depth you have TKIP and AES, too. All of this sounds pretty intimidating. If you add some cinematic scenes, you can imagine the hero (or evil villain) discovering a wireless network, pressing some keys and gaining access mere seconds later. Defences have been breached,

Read More

0508, 2012

All Your Clouds are to Belong to Whom?

René Pfeiffer/ August 5, 2012/ Discussion, Security

There are probably less than 5 persons on this planet who know what cloud computing really means. The figure might be exaggerated, but while enterprises, consultants and vendors try to figure out the best cloud for their business model the attackers already take advantage of cloud infrastructure. Let’s disregard climate dependencies and extraordinary political environments for a moment (if you say yes to cloud computing, then you have this already taken into account and under control, right?). Let’s focus on on the security implications for the moment. There’s an example of a string of unintended consequences by a successful social engineering attack. The target was a „cloud account“ linked to storage and three personal devices (a phone, a tablet and a laptop). The attacker gained access by means of tech support and bypassing security

Read More

1106, 2012

Software Development and Security Training

René Pfeiffer/ June 11, 2012/ Security, Training

Prior to every DeepSec conference we offer two-day trainings, and we regularly advertise trainings on secure software development. Attending security-centric workshops is really not meant as a humiliation. Modern (and not so modern) software development deals with a lot of code and dependencies. Even if your code is clean and well-written there’s a chance that something you rely on isn’t. This happens a lot with library functions (think DLLs) and thus can happen in high level programming languages, too. A training focussing on security will sharpen your „spider sense“ and you will be able to detect sections of code that can go wrong more easily. This is also true for reading documentation. Take a look at CVE-2012-2122. In essence you can get access to some MySQL database servers by repeatedly trying to access an

Read More

0806, 2012

Collateral Damage in Cyberspace

René Pfeiffer/ June 8, 2012/ High Entropy, Security

„In cyberspace, no one can hear you scream.“ System administrators know this already for a long time, as do security researchers. Everybody is talking about „cyberwar“ these days (elections are coming). No one is talking about the (digital) fallout from „cyberwar“ operations. Unless you solely rely on passive methods, there’s not much that can happen. As soon as you employ „offensive security“, which is just an euphemism for „breaking things“, there will be damage in terms of service disruption, compromised systems, modified/erased data, inserted attack code and possibly more. Attack tools such as Stuxnet, Duqu and now Flame have been discussed for years by security researchers. Especially anti-virus vendors have repeatedly promised to include malware of any origin in their databases. In theory this includes these „cyberweapons“ as well. In real life these weapons

Read More

3105, 2012

Securing Walled Gardens

René Pfeiffer/ May 31, 2012/ Discussion, Security

Setting up walled gardens around fancy mobile devices (and probably other computers) is very fashionable among vendors. In theory there is a controlled environment where malicious software is virtually unknown. The vendor can implement a strict quality assurance and can tether any aberrant developers to policies. Since a wall is a fundamental security device the vendor gets the psychological bonus of users feeling protected. So with all security issues solved there is no need to break out of the walled garden, right? How do you explain this tweet about the newly released Absinthe jailbreak then? @chronicdevteam: Some stats since release of #Absinthe – 211,401 jailbroken iPad3’s and 973,086 devices newly jailbroken! If walled gardens are so perfect, why do millions of users want to break out? Paul Ducklin has explored this phenomenon in an

Read More