Like the Force wireless data/infrastructure packets are all around us. Both have a light and a dark side. It all depends on your intentions. Lacking the midi-chlorians we have to rely on other sources to get a picture of the wireless forces in and around the (network) perimeter. At DeepSec 2015 Milan Gabor held a presentation about visualisation of wi-fi packets: Today visualizing Wi-Fi traffic is more or less limited to console windows and analyze different logs from an aircrack-ng toolset. There are some commercial tools, but if we want to stay in the Open/Free Source Code (FOSS) area we need to find better solutions. So we used ELK stack to gather, hold, index and visualize data and a modified version of an airodump tool for input. With this you can create amazing dashboards,
Unfortunately the Internet doesn’t follow the rules of economic theory. Unlimited growth is a myth best kept for feeding your unicorns. Of course, the Internet has grown, but the mathematics and physics behind network flows stay the same. If your pipe is full, then you are going nowhere. This is why Distributed Denial of Service (DDoS) attacks still work. You can counter or evade these attacks, but they can happen. We invited Dave Lewis of Akamai to DeepSec 2015 to hear his view on the current state of affairs where DDoS is concerned. For the record: DDoS is not hacking and no hacking attack. Spread your „cyber“ somewhere else.
The data protocols of SmartHomes are the FBI’s wet dream. Why? Because they have no security design. Take ZigBee for example. ZigBee is one of the most widespread communication standards used in the Internet of Things and especially in the area of smart homes. If you have for example a smart light bulb at home, the chance is very high that you are actually using ZigBee by yourself. Popular lighting applications such as Philips Hue or Osram Lightify and also popular smart home systems such as SmartThings or Googles OnHub are based on ZigBee. ZigBee provides also security services for key establishment, key transport, frame protection and device management that are based on established cryptographic algorithms. So a ZigBee home automation network with applied security is secure and the smart home communication is protected?
Even if you are not running a mainframe you probably have some old applications which you still need and whose code you cannot lift into the present (technology-wise). This is something you need to address. Despite decades of security research and authentication standards there’s still a vast amount of systems with custom solutions and embedded user databases. Such systems are typically hard to securely integrate with others. We analysed an existing system of an organisation with approximately 12.000 sensitive user data sets and uncovered severe vulnerabilities in their approach. We developed a minimal, secure Single-Sign-On-Solution and demonstrated the feasibility of implementing both a minimal Identity Provider and a minimal Service Provider with only a few lines of code. We provided a simple blueprint for an Identity Provider and an easy to use Service Provider
At DeepSec 2011 Constantinos Patsakis and Kleanthis Dellios held a presentation titled “Patching Vehicle Insecurities”. They pointed out that the car is starting to resemble more to a computer with mechanical peripherals (incase you haven’t seen their talk, please do!). This is true for all types, not only the modern cars powered by electricity alone. But there is more. Modern cars are connected to networks (i.e. the Internet or the mobile phone network). This means that your method of transportation is part of the dreaded Internet of Things. Given the design flaws we have seen in talks given at DeepSec, there is no surprise that this is a breeding ground for major trouble. The Allgemeiner Deutscher Automobil-Club (ADAC), a German motoring association, discovered a lapse in the communication between BMW cars and the servers
The first recording of DeepSec 2014 has finished post-processing. Just in time for the holidays we have the keynote presentation by Alex Hutton ready for you. Despite its title “The Measured CSO” the content is of interest for anyone dealing with information security. Alex raises questions and gives you lots of answers to think about. Don’t stay in the same place. Keep moving. Keep thinking.
If you haven’t been at 44CON last week, you missed a lot of good presentations. Plus you haven’t been around great speakers, an excellent crew, “gin o’clock” each day, wonderful audience, and great coffee from ANTIPØDE (where you should go when in London and in desperate need of good coffee). Everyone occasionally using wireless connections (regardless if Wi-Fi or mobile phone networks) should watch the talks on GreedyBTS and the improvements of doing Wi-Fi penetration testing by using fake alternative access points. GreedyBTS is a base transceiver station (BTS) enabling 2G/2.5G attacks by impersonating a BTS. Hacker Fantastic explained the theoretical background and demonstrated what a BTS-in-the-middle can do to Internet traffic of mobile phones. Intercepting and re-routing text messages and voice calls can be done, too. Implementing the detection of fake base stations
Although I’m new in the Bitcoin world I had a quite promising start. Earlier this month I was able to visit the Bitcoin Conference in Amsterdam and had some very good conversations with core developers from the Bitcoin Foundation and to my honor also the chance to talk to Gavin Andreesen, long-time lead developer and now chief scientist of the Bitcoin Foundation. At DeepSec our first contact with Bitcoin was in 2012 when John Matonis, now Executive Director and Board Member of the Bitcoin Foundation, talked about the evolution of e-Money. But since then we hadn’t intense contact. Tomorrow I will visit the Bitcoin Expo in Vienna and hope to meet new people in the community and discuss the latest trends and developments. The fascinating thing about Bitcoin and the global block-chain is the
Leaks are problems you don’t want in your infrastructure. While this is clear for water pipes, it is not so clear for digital data. Copying is a part of the process, and copying data is what your systems do all day. A leak comes into existence when someone without access privileges gets hold of data. The industry has coined the term data leak/loss prevention (DLP) for products trying to stop intruders from ex-filtrating your precious files. Just like other defence mechanisms DLP systems cannot be bought and switched on. You have to know where your data lives, which software you use, what data formats need to be protected, and so on. We invited Andreas Wiegenstein to talk about data loss prevention in SAP systems. His presentation was held at the DeepSec 2013 conference and
For those who were not present at the DeepSec 2013 conference (shame on you!) we have compiled a selection of photographs taken at the event. Static imagery cannot give you the full experience, but maybe you want to drop by in 2014! Credits and our big thank you go to our graphic designer and our photographer!
Controls blocking the flow of data are an important tool of defence measures. Usually you need to enforce your organisation’s set of permissions. There are even fancy gadgets available to help you cope with data loss in terms of unauthorised access. This only works in controlled environments. Fortunately the modern IT policy allows intruders to bring their own tools in order to circumvent security controls. Bring Your Own Device (BYOD) is all the fashion these days, and it really helps evading defence mechanisms. At DeepSec 2013 Georgia Weidman of Bulb Security LLC talked about what you can do with mobile devices and what you have to address when protecting your data. „…Companies are putting a lot of faith in these security mechanisms to stop the threats to mobile devices. In this talk we put
Everybody makes mistakes. It’s no surprise that this statement applies to software development, too. When you deal with information security it is easy to play the blame game and say that the application developers must take care to avoid making mistakes. But how does software development work? What are the processes? What can go wrong? Answering these questions will give you an insight into ways to avoid being bitten by bugs. Peter af Geijerstam of Factor 10 talked about security mistakes in software development in his presentation held at the DeepSec 2013 conference. We recommend his presentation for everyone dealing with information security, not just software developers.
We live in a culture where everybody can have thousands of friends. Social media can catapult your online presence into celebrity status. While your circle of true friends may be smaller than your browser might suggest, there is one thing that plays a crucial role when it comes to social interaction: trust. Did you ever forget the password to your second favourite social media site? If so, how did you recover or reset it? Did it work, and were you really the one who triggered the „lost password“ process? In a world where few online contacts can meet each other it is difficult for a social media site to verify that the person requesting a new password is really the individual who holds the account. Facebook has introduced Trusted Friends to facilitate the identity
Appliances are being sold and used as security devices. The good thing about these gadgets is an improvement of your security (usually, YMMV as the Usenet folks used to write). The bad thing about inserting an unknown amount of code into your defence system are the yet to be discovered flaws in its logic. In the old days you have to do some reverse engineering in order to find these bugs. Modern technology bring you the Magic of the „Cloud“™ – virtual appliances! Since everything runs under a hypervisor nowadays, your appliances have been turned into binary images which can be moved around and started anywhere you like. At DeepSec 2013 Stefan Viehböck of SEC Consult spoke about the advantages of virtual appliances and their benefit for security analysis. It seems the „Cloud“ has
Securing your own perimeter is the prime task IT security teams are worried about. However there is Murphy’s Law of Firewalls, too. Given a sufficient amount of time, business requirements will pierce a lot of holes in your firewall and your defences. Once you work with suppliers, you will have to deal with their perimeters as well. Your opponents will go for the weakest link, and if the links on your end are strong, then they go for your suppliers and partners. Dave Lewis of Akamai Technologies will talk about this problem in his talk at DeepSec 2013. It’s not your immediate partners you have to think about. There are trading partner networks, code developed by off shore development centres and outsourced help desks. Even if you use security products you can get into