2901, 2012

Getting your Perception right – Security and Collaboration

René Pfeiffer/ January 29, 2012/ Discussion, Security

If all security-related events were not connected and could be analysed with a closed system in mind, getting security measures right would be much easier. Technicians will probably yawn at this fact, but networks connect a lot of different stuff (think „series of tubes“ and many points between them). In turn this means that you can use this for your own advantage and talk to others on the network, too! This surprising conclusion is often forgotten despite the use of the term „Internet community“ and developers working together on intrusion detection signatures, malware analysis and other projects. Stefan Schumacher talked about cooperative efforts to establish an international cyber defence strategy at DeepSec 2011. Securing infrastructure and implementing a proper defence in depth doesn’t rely on technical solutions alone. You need to establish procedures for

Read More

2201, 2012

Interaction between Security and Hierarchies

René Pfeiffer/ January 22, 2012/ Security

You all know hierarchies. You use them, you work within them and you are probably part of one. This is also true for IT staffers or even freelancers dealing with security issues. Usually there is a team/project leader, a CEO, a CIO and all kinds of specialists from other departments (if the company or organisation is bigger). While the „chain of command“ may not be important during daily routine, it is tremendously critical when incidents happen or when the infrastructure is prepared against compromise. More often than not security-aware admins and developers experience the „override by pointy haired boss“ effect. Checks and balances are great, the budget might confirm this, but once you deviate from routine there’s the nasty blame game. That’s when hierarchies turn to bite you in the back. Time spent on

Read More

0112, 2011

Water Plants, Cyberwar, and Scenario Fulfillment

René Pfeiffer/ December 1, 2011/ High Entropy, Security, Stories

While we refuse to add a Cyberwar category to this blog, we want to explore this shady topic with a story. Do you recall the water plant hack a few weeks ago? According to news floating around in the Internet an US-American water plant in Illinois suffered from a security breach together with a failed water pump. Apparently attackers took the pump out by applying a well-tried IT technique called „Have you tried to turn it off and on again?“. So in theory this is a full-scale Cyberwar incident that puts all of our infrastructure at risk – plus you can add the magical acronym SCADA when talking about it, thus lowering the room temperature a few degrees and imposing the well-tried fear and awe effect on your audience. While industrial control systems remain

Read More

2411, 2011

DeepSec 2011 Conference Network Observations

René Pfeiffer/ November 24, 2011/ Security, Stories

All of you who attended DeepSec 2011 know that we had a Wall of Sheep at the conference. We set it up by copying packets via the Netfilter TEE target from the router to the Wall of Sheep box (note to self: never ever mirror broadcast or multicast packets). We only displayed logins and the number of characters of the password, all data was processed and stored in RAM. The display was only accessible from the conference network. On the first day of the conference we did not announced the Wall, we only encouraged everyone to use secure protocols and not to use services that send sensitive data unprotected. We even set up posters and flyers warning to use the conference network (the reason were other events at the venue taking place in parallel).

Read More

3110, 2011

Lessons in Trust and Malicious Code from the Staatstrojaner

René Pfeiffer/ October 31, 2011/ Security

Since it is Halloween we will beat an undead horse in our blog today. Zombies are all the fashion both in literature and on your computer. The question is: Are all zombies alike? Are there good and bad zombies, or only bad ones? How can you distinguish between good and evil intentions if all you got is a compromised system? It all boils down to trust, and the zombie in question is (again) the German Federal Trojan („Staatstrojaner“). The German magazine Telepolis published an article that compares the statement of Jörg Ziercke, the head of the German Federal Criminal Police Office (Bundeskriminalamt or BKA), to the words of Rudyard Kipling’s python Kaa. The basis for this analogue are Mr. Ziercke’s claims stem from leaked notes of his speech in the commission of the German

Read More

3110, 2011

Defending against the Hype of Advanced Persistent Threat (APT)

René Pfeiffer/ October 31, 2011/ Security

Many articles like to mention Advanced Persistent Threat (APT), point out that 0-day attacks are extremely dangerous, and that anyone and your neighbour might already be compromised, but doesn’t know about it. So APT casts a long shadow even when not having arrived yet. This is exactly why we used the word „hype“ in the title. If you are not feeling very well and you look up symptoms in popular search engines, then you suddenly end up with lots of diseases that might fit. Doing this won’t change anything, you still got the symptoms and you still got no idea what’s going on. Reading information on security breaches alone won’t alone won’t get you anywhere (currently you can find some news on the RSA hack online). Exchanging ideas and hearing about stories is fine,

Read More

2410, 2011

Dissection of Malware and Legality

René Pfeiffer/ October 24, 2011/ Discussion, Security

You have probably seen the articles about the 0zapftis (a.k.a. the German Federal Trojan) malware used by the German police for investigation. There’s a lot going on in Germany and the German parliament, so we’d like to point out the issue of dissecting governmental malware and its relation to common sense and the law. The politician Patrick Sensburg accused the Chaos Computer Club to have thwarted investigations and thus the punishment of potential perpetrators. This violates German law (§ 258 Strafvereitelung, to be exact, description is in German). So is it legal to analyse malicious software or is it illegal? Mr. Sensburg has already answered three questions regarding his statements in parliament. He clarified his message. He criticises that the code had been published on the Internet instead of contacting the appropriate government agencies.

Read More

2010, 2011

Security Intelligence, two different Approaches

Mika/ October 20, 2011/ Internet, Report, Security

We are monitoring activities around Security Intelligence since a while and found quite different understandings and approaches. Security Intelligence is one the newest disciplines in the area of Information Security and the goals seems to be quite vague. Different organizations seem to have totally different understandings of what Security Intelligence should be about. To illustrate this I would like to compare two of the leading IT vendors and what they publish as “Security Intelligence”: Cisco Security Intelligence Operations http://tools.cisco.com/security/center/home.x Cisco lists on the Security Intelligence Portal mainly security advisories, alerts, responses and information about Cisco product updates, signature updates, mitigation bulletins virus watch and similar topics. To provide this kind of information is in my humble opinion the task of a CERT (Computer Emergency Response Team) or a PSIRT (Product Security Incident Response Team).

Read More

1310, 2011

Mobile Phone Calls as Security Risk

René Pfeiffer/ October 13, 2011/ Conference, Security

Do you rely on your mobile phone? Do you frequently call someone or get called? Do you transmit messages or data across mobile phone networks? Maybe you shouldn’t unless you use additional security layers since mobile phone networks must be regarded as a security risk. Karsten Nohl of Security Research Labs has taken a look at Austrian mobile networks. The result is a wake-up call for companies and individuals alike. According to Nohl the local Austrian providers A1/Mobilkom, T-Mobile Österreich und Orange have not updated their networks as other operators in Europe have already. He explained that there is no sign of any additional hardening. The transmissions of mobile phone network clients can be intercepted and decrypted with very little technical effort. The networks still use the A5/1 encryption standard which has been repeatedly

Read More

0910, 2011

Analysis of Governmental Malware

René Pfeiffer/ October 9, 2011/ Odd, Security, Stories

There is a ongoing discussion about the use of malicious software for criminal investigations. German and Austrian agencies use the term „Online-Durchsuchung“ (online search) or „Quellen-Telekommunikationsüberwachung“ (source telecommunications surveillance) for investigative measures that cover the source of telecommunication messages (which is usually a suspect’s computer or telephone). In context with malicious software used for this purpose the unofficial term „Bundestrojaner“ (federal trojan horse) was coined. On 27 Februar 2008 the German Federal Constitutional Court ruled that the online search and Internet surveillance rules violate the German constitution and have to be reviewed (you can read the explanation of the Court in German here). Yesterday the Chaos Computer Club (CCC) published a detailed analysis of a „lawful interception malware“. The results have a profound impact on security since the design of the malware allows attackers

Read More

2509, 2011

The BEAST SSL Attack and the postponed Digital Apocalypse

René Pfeiffer/ September 25, 2011/ Security

When it comes to security flaws of SSL/TLS (either in theory or in implementation), then a lot of people get very nervous. The past days have been full of media coverage of the BEAST SSL Attack. Since Juliano Rizzo and Thai Duong have published their results the level of speculation has dropped. Let’s replace panic by analysis of facts. Starting with the name of the BEAST, Browser Exploit Against SSL/TLS Tool, it is clear that a browser and a web site is involved. If you take a look at the description of the attack, you can infer that the impact doesn’t affect all SSL/TLS deployments. The following text is taken from Bruce Schneier’s blog entry on BEAST. The tool is based on a blockwise-adaptive chosen-plaintext attack, a man-in-the-middle approach that injects segments of plain text

Read More

2109, 2011

Talk: Intelligent Bluetooth fuzzing – Why bother?

René Pfeiffer/ September 21, 2011/ Conference, Security

Bluetooth devices and software implementations have been a fruitful playground for security researchers for years. You probably remember the PoC code from the trinifite.group and other bugs dragged out into the open. Riding public transport often led to Bluetooth scanning with tools such as Blooover. But that’s all past and gone. Software has evolved. Developers have learned. Modern quality assurance won’t let this happen again. Sadly this is fiction. Tommi Mäkilä has some stories to share about the state of Bluetooth: „Bluetooth robustness is wretched, no surprise there. Bluetooth test results from plugfests show 80% failure rate, eight out of ten tests end with a crash. It is not pretty, it is sad and frustrating. For a moment, few years back, there seemed to be light at the end of the tunnel: the failures

Read More

2008, 2011

Discussion about Data Protection and the Game Industry at GamesCon

René Pfeiffer/ August 20, 2011/ Report, Security

The GamesCon is taking place in Cologne. We were present at the first day in order to participate in a discussion about data protection in online games. Discussion partners were Konstantin Ewald, a lawyer and blogger (Online. Spiele. Recht) and Ulrich Lepper, North Rhine-Westphalia’s Commissioner for Data Protection and Freedom of Information. Online gaming is tied to user accounts and personal data. It is linked with targeted advertising. Since the Sownage series of attacks the issue has arrived in the mainstream media. There is no need to name Sony or any other company as a culprit, or to shift the blame around. Just as web applications, the world of online games is complex by itself. Hardening your infrastructure is fine, but this is only a part of the story. There are other components such

Read More

1407, 2011

Subverting Femto Cells – Infrastructure at Risk

René Pfeiffer/ July 14, 2011/ Security

The past DeepSec conferences featured talks about mobile telecommunication networks. Security researchers had to turn mobile phones into base stations or create their own from hardware and software. Yesterday The Hacker’s Choice have published a security analysis of Vodafone’s Femto Cells. These cells are small routers used for boosting the 3G signal. They cost about 160£ and can be purchased through the Vodafone store. Reverse engineering turns these little routers into full-blown 3G/UMTC/WCDMA interception devices. You can catch IMSIs and retrieve the secret subscriber information by requesting it from the core network. By using this secret key material you can decrypt intercepted phone calls and data transmissions. The reverse engineering process even produced the root password of the device (it’s ceolyx, but you need to decrypt it; other blogs feature the full plaintext password). This

Read More

0707, 2011

SecInt: Radar for Anti-Security Movement

René Pfeiffer/ July 7, 2011/ High Entropy, Press, Security

We have been talking to some journalists in the past weeks. Most questions revolved around the rise in attacks against well-known web sites and their companies (or vice versa). Jeffrey Carr has published a good source for an overview of Anti-Security groups. If you are looking what to put on your radar, his article might be a good start. Security intelligence is gathering importance. Make sure that you don’t drown in tools or gadgets, and that you don’t neglect your strategic view. Quite a lot of people are confused by the many reports of incidents, „lulz“, „LOLs“, scanty slogans when it comes to motivations of attackers, damage reports, panic and media mind disruption (always remember: anonymous ≠ Anonymous). Currently we’re working on material to put the threats into perspective. It’s hard to distinguish the

Read More