2505, 2012

Bring Your Own Spy – BYOD gone wrong

René Pfeiffer/ May 25, 2012/ Discussion, High Entropy, Security

It is reasonably safe to assume that anyone doing business has meetings from time to time. Meeting people and talking to them (or listening) is part of many company’s culture. What do you bring for your meeting? A computer? Maybe. Paper and pencils? Old school but why not. Your cell phone? Most probably! Unfortunately this also means that you might invite some spies to the conference. We have already bashed described talked about the BYOD conundrum challenge. Combining the BYOD approach with information security is hard bordering on the impossible. There are some strategies out there for securing your device(s) (in this case from Software Advice, but others have check lists, too). You can also use the Might of Security Policies™ against the threat (we all know that all users follow any written policy

Read More

2305, 2012

Coding Skills and Security Competence

René Pfeiffer/ May 23, 2012/ Discussion, Security

Occasionally we get questions regarding the technical level of presentations at DeepSec. Some are worried about talks at DeepSec being too „in-depth“ for their level of knowledge. You are either a coder turned security researcher hacking bits and bytes, or you are someone dealing with hierarchies and the organisational aspects of information security. It seems there is no middle ground. Well, there should be and here’s why. Information security covers a very broad spectrum of components and technologies. You can start at the physical level and work your way up, just like the OSI model of networking. The OSI layers end where the human interaction starts, and while the network engineers and software developers go to rest, security administrators still have problems to address (they always have „issues“, their psychotherapists will confirm). In other

Read More

1505, 2012

Cloud Security Promises out of thin Air

René Pfeiffer/ May 15, 2012/ Discussion, Security

The „Cloud“ is a wonderful link between the BYOD disaster, data loss and broken security promises. Yet users of all kinds are lured into the web interfaces with eye candy. The German IT magazine Golem.de has published an article about the cloud security study of the Fraunhofer Institute for Secure Information Technology SIT. Researchers have put Dropbox, Cloudme, Crashplan, Mozy, Teamdrive, Ubuntu One and Wuala under scrutiny. The results should be a wake-up call for businesses who blissfully shove all kinds of data out into the thin air of the „Cloud“. The quintessence of the study is that none of the listed „Cloud“ services can provide a basic security or even sensible encryption technology. Some registration forms do not verify the e-mail addresses entered. Some platforms do not use SSL/TLS. Some use their own

Read More

1405, 2012

Data Loss Prevention

René Pfeiffer/ May 14, 2012/ Discussion, Security

None of us likes to lose data. Usually data loss is tied to defects of storage media. You can counter physical data loss by having sufficient and recent copies of your data. This is where the logical data loss kicks in – unauthorised copies. Espionage thrives on these copies, and since information can be sold so does crime. Establishing a proper data loss prevention strategy and implementing it, requires a combination throughout all branches of information security. First you need to define some classifications for all your data. Public, private and confidential is common. Then you must find all places where your data is stored. You noticed the small word „all“. Yes, that’s right, all places and every single bit of your data. If you start getting sloppy at this stage, your defence against

Read More

0705, 2012

BYOD Madness

René Pfeiffer/ May 7, 2012/ Discussion, Security

When it comes to computing we all like convenience, just like in other areas of personal or business life. It’s nice to use familiar tools. Provisioning is much easier for your IT department if your users bring their own hardware. So, let’s sprinkle this idyllic setting with some security in terms of malware protection, data loss prevention and policies. This is a recipe for a lot of fun and sleepless nights at the same time. The laisser-faire bring your own device (BYOD) approach is all the fashion these days. Since your users really like to do serious business on electronics and software designed for entertainment, why not combine both ends of the spectrum and create a worse starting point than with using either one technology. While being able to view, edit and create confidential

Read More

0605, 2012

Unlearn to Hack?

René Pfeiffer/ May 6, 2012/ Discussion, High Entropy, Security

Security is heavily influenced by the inner workings of the (human) mind. We all know about social engineering and tricks used by con men. The game of smoke and mirrors now hits the „uncontrolled spread of hacking tools“. We have already pointed out that the European Union is preparing a proposal for „banning“ „hacking tools“. There is now a case on-line where a print magazine was allegedly removed from the shelves of Barnes & Noble. Apparently the cover story was too dangerous, because it announced how to „teach you to break into networks, exploit services running remotely, beat encryption techniques, crack passwords, and more.“ The real dark side of this story is that these skills are discussed at most self-respecting security conferences. These skills are even part of a very basic job description in

Read More

0505, 2012

Security in the Light of Emergency Situations

René Pfeiffer/ May 5, 2012/ High Entropy, Security

Let’s assume you have put proper security measures into place and you have spiced them up with proper policies so that everyone always knows what to do in certain situations. So far, so good. Now let’s combine this solid security framework with something out of the ordinary. Catastrophic storage failures are a very good example. Imagine your shared storage array goes AWOL (including the disk images of your precious virtualised servers). In this case your operating status has gone from „all green“ to „full red alert“. Your staff can’t restart the storage array, so you have to rely on experts in the field of data rescue. Due to the critical nature of the data you yank out the disks, label them and send your storage components by messenger to a laboratory. Since time is

Read More

1504, 2012

Pattern, Matching and IT Folklore

René Pfeiffer/ April 15, 2012/ Discussion, High Entropy, Security

Every once in a while there is a lively discussion about the efficiency of pattern-based security measures. Usually you see these discussions in the wake of security software tests. Mostly it concerns intrusion detection, malware filter or spam filter tools. As soon as you are trying to implement filters or detection, you will need some criteria to base decisions on. It doesn’t matter if you apply whitelisting, blacklisting or a mixture of both. Even if you add some intricate algorithms ranging from good ideas to artificial intelligence you still need to base the decision on something. Patterns and signatures is still the way to go. So why do these discussion about „all methods using patterns/signatures are snake oil“ stem from? Let’s take another pattern-based defence mechanism as an example – our immune systems. It

Read More

0304, 2012

Simple Questions, Security Design, Details and Assumptions

René Pfeiffer/ April 3, 2012/ Security, Stories

A few days ago we received a call from a journalist who was researching for an article about a system about parking place management. Motorists have a hard time finding a place to park in busy urban areas. This is why Austrian researchers thought of fitting street lamps with cameras that monitor parking areas. The cameras report the images to a system that identifies free parking sites and reports available spots to drivers by means of their satnav. The journalist wanted to know how safe this is and if there might be a threat to privacy. The answer is not that easy. In this context it typically resolves to the style of Radio Yerevan and starts with „In principle yes, but …“. In our case it depends on the details of the implementation. Brevity

Read More

2103, 2012

Use Key Content for your Key Notes

René Pfeiffer/ March 21, 2012/ Administrivia, Security

There is some discussion about certain key note talks in the blogosphere and on mailing lists. Apparently there has been too much mentioning of mayhem and company ads lately. We will judge about this as soon as we have watched the video recordings of these talks. Until we have done that we’d like to point out that all our key note presentations go through the same Call for Papers mechanism as the „regular“ talks. This is true for DeepINTEL and DeepSec alike. It has also been true for all past DeepSec conferences. While we don’t mind provocative content, we still like our speakers to present high quality content. Paid content on the contrary is not always of high quality. As soon as you enter the realm of sponsored talks you’ll suddenly realise that presentations

Read More

1803, 2012

It’s the Smart Meters that matter – or is it?

René Pfeiffer/ March 18, 2012/ Communication, High Entropy, Security

Wired’s Danger Room has an article about how ubiquitous computing and smart homes are eagerly awaited by the CIA to turn your networked environment into a gigantic spy tool. CIA Director David Petraeus very much likes the „Internet of things” as an information gathering tool. Security researchers can’t wait, too. However they have a very practical approach by pointing out the missing security design. Smart homes might be very dumb after all, and they might not be a „home“. If your home turns against you and breaches your privacy, it’s not a home any more. Plus the next „digital Pearl Harbor“ (whatever this means) might start in your refrigerator. Who knows? This is a very simplistic view on the „Internet of things”. If things automatically turn into sensors and report useful information once they

Read More

0703, 2012

Disinfect your Information Environment

René Pfeiffer/ March 7, 2012/ High Entropy, Security, Stories

Since information technology relies heavily on analogies (as does lot of other „cyber“ things), we have a question for you. What do an intercepted phone call, infectious diseases and nuclear waste spilling into the environment have in common? Faulty containment. The Naked Security blog explains in an article how Anonymous was able to record the FBI phone call whose audio file was published in January 2012. Apparently „an Irish Garda police officer who was invited to attend the conference call about ongoing hacking investigations forwarded the message to a personal email account“. This personal e-mail account was compromised, and the information about the conference call was used to participate and to record the audio stream. This teaches a couple of lessons. Conference calls can be attended by having the correct string of characters (i.e.

Read More

2702, 2012

Security in the Trenches (or how to get dirty and stay clean)

Mika/ February 27, 2012/ Security, Stories

Sometimes you have to get dirty, sometimes it’s fun to get dirty. No it’s not what might come to mind, it’s about the dirty business of information security: you have to break things to see if they are secure enough and to learn about weak points. But what to break? Your own systems? Someone else’s systems? Best is to stay clean when selecting your target for the dirty business (we talked about offensive security recently). Most fun are “Capture the Flags” challenges, also known as war-games, which are frequently offered to the security community to test abilities and learn new stuff. I recently found a CtF challenge that looked quite fun and we started a 2-day session at the Metalab, the Hackerspace in Vienna with a group of 6 or 7 people with different

Read More

1602, 2012

Of CAs, DLP, CSRs, MITM, inspection and compliance

René Pfeiffer/ February 16, 2012/ Discussion, Security

Writing about certificate authorities is slowly turning into beating dead horses. We have seen a couple of security breaches at CAs in the past. We have witnessed security researchers turning to SSL/TLS. Fairly recently researchers have put RSA keys to the test and found common prime factors in thousands of keys. Now we have a discussion about compliance. The Mozilla team has given CAs a stern warning sparked by the issue of a signing certificate by the Trustwave CA to a customer using a data loss prevention (DLP) device. According to a report the signing root certificate was used inside a Hardware Security Module for the purpose of dynamically creating fake certificates in order to inspect encrypted web traffic. While there was an audit at the customer’s site, this incident has sparked a heated

Read More

1102, 2012

Thoughts about “Offensive Security Research”

René Pfeiffer/ February 11, 2012/ Discussion, Security

Ever since information relevant for security was published, there have been discussions about how to handle this information. Many remember the full/no/responsible disclosure battles that frequently erupt. There is a new term on stage. Its name is „offensive security research“. The word „offensive“ apparently refers to the intent to attack IT systems. „Security“ marks the connection, and „research” covers anyone being too curious. This is nothing new, this is just the old discussion about disclosure in camouflage. So there should be nothing to worry about, right? Let’s look at statements from Adobe’s security chief Brad Arkin. At a security analyst summit Mr. Arkin claimed that his goal is not to find and fix every security bug. Instead his strategy is to „drive up the cost of writing exploits“ he explained. According to his keynote

Read More