Talk: Data Exfiltration – not just for Hollywood

René Pfeiffer/ June 18, 2011/ Security

Iftach Ian Amit discusses infiltration of networks and exfiltration of data. Imagine you have completed the infiltration, data targeting and acquisition phase. You have secured the data you were looking for. Now what? How do you get „your“ data out of highly secured environments? You need to avoid data loss protection (DLP) tools, avoid IPS/IDS, avoid updating your payload frequently, and design a control channel that can handle disconnected operation. The data itself needs to be protected from filters or pattern matching sensors. SSL/TLS comes to mind, but some infrastructures terminate SSL at proxies and inspect content. End-to-end encryption is a better method if combined with content obfuscation (there are pattern matches for GPG/PGP and other ways, too). Transport needs to use a covert or back channel. This can be a talk page of


Talk: Attack UPnP – The Useful plug and pwn protocols

René Pfeiffer/ June 18, 2011/ Security

Most firewall admins are quite allergic to Universal Plug and Play (UPnP). This is why it is usually turned off. Arron „Finux“ Finnon explains what UPnP can do. Its intended use is to facilitate data transmissions of UPnP-capable devices, meaning that these devices and software can use UPnP to poke holes into NAT devices and firewalls. Enabling UPnP on a spare router with a free Wi-Fi network enables you to learn a lot about your neighbours. You can do device enumeration and identify requesting devices. And this is just the beginning. UPnP solved their security problems by not implying any security. It’s a bit like Bonjour, a bit like mDNS, a bit like this and that. From the security point of view it’s a nightmare. There’s no authentication and no authorisation. UPnP will happily do


Talk: Hacking Digital Measuring Devices

René Pfeiffer/ June 18, 2011/ Security

We just listened to the talk by Franz Lehner about „Hacking Digital Measuring Devices“. Smart meters are ubiquitous. A lot of measuring devices have turned digital and are composed of a small CPU with some memory and connections to sensors or data outlets. Calibration is always involved when you measure something. Having access to the calibration mode/commands of a smart meter can change your bills, supply false readings to operators and can even be ramped up to be a security risk. Think vapour/liquid pressure, temperature, speed, humidity, power, etc. Usually you rely on the output of sensors, right? Smart meters are something to watch very closely. Again there’s a link to cars (which use smart meters for measuring the speed and other parameters), then there’s a link to the power grid, and there a


Is your car on the Internet?

René Pfeiffer/ June 14, 2011/ Security, Stories

We published some press releases in the past that dealt with networked subsystems in cars. Security researchers connected to the Controller-Area Network (CAN) and tried to inject commands (which worked scarily well). We claimed that automobile manufacturers were way behind in security compared to everyone who has to secure systems in the Internet. The claim was half-part fact and half-part conjecture. Now it’s time to correct our claim. Cars can now leak information and push it to the Internet: Electric cars manufactured by Nissan surreptitiously leak detailed information about a driver’s location, speed and destination to websites accessed through the vehicle’s built in RSS reader, a security blogger has found. … “All of these lovely values are being provided to any third party RSS provider you configure: CNN, Fox News, Weather Channel, it doesn’t


Thoughts about Threats by „Virtual Bombs“

René Pfeiffer/ May 22, 2011/ Security

The German Federal Minister of the Interior, Hans-Peter Friedrich, has warned „that it is only a question of time until criminal gangs and terrorists have virtual bombs at their disposal“. While the term „virtual bomb“ is very vague by itself, the minister mentioned „malware“ as well. This is no surprise for security researchers. Malicious software has already been used for attacking companies. The infrastructure of whole countries has been attacked as well. Logic bombs have been used in the past, but they have never been used to wage warfare. They have been used for revenge by disgruntled employees or for blackmailing someone (as the ransomware malware also does). Tools like this are used for very specific purposes (such as espionage or targeted destruction), but never for an all-out assault. Even a (D)DoS often has


Mobile Security and authTokens

René Pfeiffer/ May 17, 2011/ Security

Recently we mentioned the topic of mobile security in this blog since it keeps being addressed by security researchers. Now there’s something that combines networking, defective by design and mobile security. German security researchers from the University of Ulm have explored a flaw in Google’s ClientLogin protocol. The initial idea stems from Dan Wallach, who took a closer look at the transmissions of an Android smartphone. The authentication token is sent via unencrypted HTTP which means it can be seen by attackers on the same network. Since the token is your key to online services and is probably used by apps dealing with your calendar, contacts or private pictures, an attacker has full access to this data (or any other data an app deals with via the network). Reading, manipulating or


Have an app and share your data!

René Pfeiffer/ May 11, 2011/ Security

Apps are all the fashion. You can download them, and you can add them to web sites (such as your blog) including your favourite social network. Facebook introduced applications back in 2007. If you want to tie an application to your account, the code needs to have proper credentials in order to connect an action with your profile. This is why most apps ask you to log in before they start to work. The idea is to convert your login and password into a token that can be used to grant access, either for a limited time or indefinitely. Symantec’s Nishant Doshi reports that Facebook had a bug in its application framework exposing user access tokens to third parties. This basically means that you can do all the app can do (and possibly more)


Talks held at the Linuxwochen Wien

René Pfeiffer/ May 8, 2011/ Security, Veranstaltung

MiKa and I held three talks at the Linuxwochen Wien 2011. The scheduled talks were „VoIP Security“ and „The Wind Chill Factor of Security“. The third talk was a review of the trust models used with X.509 certificates and issued by certificate authorities. The review was a drop-in replacement talk for a speaker who did not show up. Since the talks were held in German, I’d like to present a short summary in our blog. VoIP has become a well-established technology in companies during the past years. Periodically we assess the security of VoIP protocols and implementations. The talk we gave was a review of the state-of-the-art focussing on SIP signalling and audio/video codecs. We discussed the basics, the SIP Digest Authentication Leak found by Sandro Gauci, SIP probes, the troubles of SIP gateway


Data Leaks Reviewed

René Pfeiffer/ April 28, 2011/ Internet, Security

Often single incidents don’t attract much attention, but the combination does. We’re getting used to lost laptops, USB sticks, CDs/DVDs/HDs and gadgets containing data. There’s even a project trying to keep track of data loss incidents world-wide, it’s called DataLossDB. Compromised web sites are also quite common. Only figures raise eyebrows, so this week’s favourite news item is Sony and the PS3 network. Someone created unauthorised backups of database tables containing (encrypted) credit card information, user names, passwords, birth dates and home addresses of PlayStation Network users. We still don’t know the nature of the security breach, however the impact is substantial both in terms of number of stolen records and very probably financial damage. There’s been not much talk about the passwords and their data format, but we all know that few people


Hacking Transportation Devices – 0wning Cars!

René Pfeiffer/ March 17, 2011/ Security, Stories

Last Summer we published a short article about an experimental study of modern car sensor systems and their security. Researchers took a modern car, connected to the internal data bus and tried to do some hacking. They were able to manipulate on-board systems up to controlling the brakes and the engines. The study shows that once you have access to the (internal) network, you can do things that were most probably never anticipated by the designers. Arguably the risk of this kind of attack is rather low – for now. However if you think about the Internet, software working in networked environments or the plethora of devices that can be connected to computers, then the number of attack vectors increases. This is not breaking news. You can see this trend in the wonderful world


The Antivirus-Virus Conundrum

René Pfeiffer/ February 15, 2011/ Security

Last week the EU’s statistics office published statistical data about the state of anti-virus protection and virus infections. According to the figures nearly a third of Europe’s PCs carry some kind of malware. Although it is difficult to assess the accuracy or methods of studies, this figure is hardly surprising. Anyone who has ever dealt with filtering messages, web content or any other data entering the perimeter of your network knows about the positives and negatives, be they false or true. The problem starts with UBE/UCE (a.k.a. spam) filtering and continues right into the domain of malware. Just like its biological counterparts, computer malware, indiscriminately called virus, changes its shape and flavour. We had a talk from Joan Calvet about the Tripoux project. They analyse malware packers. If you have seen the branch


The Networks as Tool and Target at the same time

René Pfeiffer/ February 4, 2011/ Internet, Security

Unless you have been without access to the Internet, mobile network(s) and independent media you’ve probably followed the events in Egypt. The shutdown of the Internet throughout the country was an unprecedented move. It took some people by surprise, but anyone with a decent knowledge of routing protocols knew what was going on. There was no magic involved, just simply BGP packets. The aftermath of the still ongoing demonstrations and the show of force can already be seen. The Internet is gaining relevance when it comes to infrastructure. It’s not as important as telephone networks or the power grid, but sooner or later it probably will be (especially since phone and power grid services move to the Internet for messaging/transport purposes). The lack of Internet connectivity was bypassed by telephone lines. Dial-up connections with modems


27C3 and Misunderstandings about Security

René Pfeiffer/ December 27, 2010/ Conference, Security

We’ve hooked a computer to the video stream of the 27C3 conference. Currently we’re listening to the keynote speech which touches a topic relevant for security issues. Are you happy or are you unhappy? It sounds a bit strange, but usually happy people have nothing to worry about. So in turn it does make sense not to worry people. The examples given in the keynote were electronic voting machines. The process of selecting a government by anonymous voting is a cornerstone of democracies. This is exactly why electronic voting must not happen through black boxes. India has already threatened (and arrested) security researchers who analyse the security of the voting machines used in the country. Electronic voting is only one example. Another one is the publication about the broken chip and PIN design of


Vacation 2.0 and its Disadvantages

René Pfeiffer/ September 14, 2010/ Security

Imagine you are the CEO of a small company. You have some days off. You relax, buy a newspaper and have a coffee. After browsing through the news and financial section you stumble upon a full-page advertisement of your own company. The text reads: Dear world, our office is completely deserted. No one’s working at the moment. The rooms are completely unattended. No one will pick up the phone. Only the security guards will walk by and superficially check the door handles. Although the doors are tightly locked and the windows are (probably) closed, you can be sure that no one will enter the office space until INSERT_DATE. So if you want to try picking our locks and rearranging the furniture, feel free. You can take what you want. The coffee machine is plugged
