0502, 2014

DeepSec 2013 Video: Auditing Virtual Appliances – An Untapped Source Of 0-days

René Pfeiffer/ February 5, 2014/ Conference, Security, Stories

Appliances are being sold and used as security devices. The good thing about these gadgets is an improvement of your security (usually, YMMV as the Usenet folks used to write). The bad thing about inserting an unknown amount of code into your defence system are the yet to be discovered flaws in its logic. In the old days you have to do some reverse engineering in order to find these bugs. Modern technology bring you the Magic of the „Cloud“™ – virtual appliances! Since everything runs under a hypervisor nowadays, your appliances have been turned into binary images which can be moved around and started anywhere you like. At DeepSec 2013 Stefan Viehböck of SEC Consult spoke about the advantages of virtual appliances and their benefit for security analysis. It seems the „Cloud“ has

Read More

1511, 2013

DeepSec 2013 Talk: Supply Chain – The Exposed Flank

René Pfeiffer/ November 15, 2013/ Conference, Security, Stories

Securing your own perimeter is the prime task IT security teams are worried about. However there is Murphy’s Law of Firewalls, too. Given a sufficient amount of time, business requirements will pierce a lot of holes in your firewall and your defences. Once you work with suppliers, you will have to deal with their perimeters as well. Your opponents will go for the weakest link, and if the links on your end are strong, then they go for your suppliers and partners. Dave Lewis of Akamai Technologies will talk about this problem in his talk at DeepSec 2013. It’s not your immediate partners you have to think about. There are trading partner networks, code developed by off shore development centres and outsourced help desks. Even if you use security products you can get into

Read More

0611, 2013

DeepSec 2013 Talk: Risk Assessment For External Vendors

René Pfeiffer/ November 6, 2013/ Conference, Security, Stories

No man is an island. If this is true for every single one of us, then it is also true for companies. Modern enterprises have business to business (B2B) relations. They are at the centre of a network of suppliers and other vendors. Information flows between the players since they need to exchange data. What do you do if you deal with confidential or regulated data which mustn’t flow freely? How do you assess the risks? How do you determine what security measures work best? How do you deal with the situation of not enforcing security because every player runs its own policies? Luciano Ferrari has prepared a presentation for you and talks about his experience. The first issue is physical proximity. Once you are linked with business entities several thousands of miles away

Read More

0511, 2013

DeepSec 2013 Talk: Trusted Friend Attack – Guardian Angels Strike

René Pfeiffer/ November 5, 2013/ Conference, Security, Stories

Have you ever forgotten a password? It’s a safe bet to assume a yes. Sometimes we forget things. When it comes to logins there is usually a procedure to restore access and change the forgotten password to a known new one. This Forgot Your Password functionality is built into many applications. The mechanism is to rely on other ways to restore trust. There is a risk that unauthorised persons gain access to an account by exploiting the process. Ashar Javed has explored the password recovery function of 50 popular social networking sites. In his talk at DeepSec 2013 he will present the findings of his survey. The attack vector is called Trusted Friend Attack, because once you forgot your credentials you have to rely on trusted friends to recover them. Apart from automatic systems

Read More

3110, 2013

DeepSec 2013 Talk: Easy Ways To Bypass Anti-Virus Systems

René Pfeiffer/ October 31, 2013/ Conference, Security, Stories

The Joys of Detecting Malicious Software Malicious software is all around us. It permeates the Internet by riding on data transmissions. Once you communicate, you risk getting in touch with malware (another name for malicious software). This is why every single one of us, be it individual, company or organisation, runs anti-virus software. The idea is to have specialised software detect malware, so all the bad things are kept out of your network and away from your end-points. So much for the theory. In practice any self-respecting attacker can evade anti-virus filters by a variety of means, depending on their skills and resources. Security researchers know about this fact. Stuxnet and Flame were a proof for sceptics (and a failure of the whole anti-virus industry). How can this be? Well, Attila Marosi (GovCERT Hungary)

Read More

2110, 2013

DeepSec 2013 Workshop: Hands On Exploit Development (Part 2)

René Pfeiffer/ October 21, 2013/ Conference, Stories

Unless you buy ready-made exploits or do security research (you know, the tedious task of testing systems and code, findings bugs and assessing their impact) you may wonder where they come from. To show you how to exploit a vulnerability and how to get to an exploit, we have asked Georgia Weidman for an example. She will be conducting the Hands On Exploit Development training. Early in my infosec education I took a class with a lab portion systems with known vulnerabilities. One system that I had difficulty exploiting was a Windows 7 host with HP Power Manager 4.2.6 which is subject to CVE-2009-2685. There is no Metasploit Module for this issue, but I was able to find some public exploit code on Exploit-db. The exploit calls out explicitly that it has been tested

Read More

1910, 2013

DeepSec 2013 Talk: Finux’s Historical Tour Of IDS Evasion, Insertions, and Other Oddities

René Pfeiffer/ October 19, 2013/ Conference, Security, Stories

The SANS Institute offers the article The History and Evolution of Intrusion Detection in its Reading Room. The article was published in 2001. It starts with the phrase „during the past five years…“. We now have 2013. Why is it important to examine the history of a technology which certainly is well established and widely deployed in information security? Well, first of all even to this day many people have a problem with what intrusion detection really is. Detecting an intrusion is not the same as intrusion detection. Secondly not everything marketed as intrusion detection system really detects intrusions. How can this be? The answer can be found by attending Arron „Finux“ Finnon‘s Historical Tour Of IDS Evasion, Insertions, and Other Oddities at DeepSec 2013. He will address the history of intrusion detection along the lines

Read More

0511, 2012

Alien Technology in our Datacenters

Mika/ November 5, 2012/ High Entropy, Security, Stories

Sometimes when I watch administrators at work, especially when I start to ask questions, I get an uneasy feeling: “this is not right”. As it turns out many of the people who maintain, manage and configure IT or communication equipment don’t understand the technology they are using. At least not in depth. Mostly they have a rough idea what it’s all about but cannot explain in detail how it works and cannot predict what will happen if a few changes are made to the setup. Although I couldn’t put my finger on it I had a familiar feeling, something like a déjà-vu. Just recently when I browsed through my bookshelves it suddenly became clear: I reached for a science fiction classic, “Gateway” by Frederic Pohl which describes an alien race, the “Heechee”, which have

Read More

2008, 2012

Wireless (Wi-Fi) Security Interview

René Pfeiffer/ August 20, 2012/ Discussion, Press, Security, Stories

Today we had a visit from an Austrian television crew to answer some short questions about wireless security. It’s too bad that journalists always look for „hackers“ who „hack something“. While we had no idea what they were talking about, we delivered a short summary of wireless security. For most of you this is old news, but for a broad audience in front of TV sets it’s still a mystery. Usually no one really know what the difference between WPA and WPA2 is. In addition you have WEP and WPS, in-depth you have TKIP and AES, too. All of this sounds pretty intimidating. If you add some cinematic scenes, you can imagine the hero (or evil villain) discovering a wireless network, pressing some keys and gaining access mere seconds later. Defences have been breached,

Read More

2504, 2012

What is a Hacker Tool and how do you ban it?

René Pfeiffer/ April 25, 2012/ Discussion, Internet, Stories

What exactly is a hacker tool? The answer to this question depends on who you ask. To McGyver it would probably everything, to a hacker it would be any suitable tool and to a politician it would be anything that cannot be easily understood. The English Wikipedia has no entry on hacker tool. So what is it and why should we care? Care comes first. We have to care because the European Union is working on banning hacking tools. This is no news for some parts of Europe. Germany has tried to address the nebulous hacking tools issue in 2007. The law has drawn a lot of critic from security researchers. Some even moved their research abroad to avoid operating in a grey area of the law. There’s an open letter to the German

Read More

1704, 2012

Let’s talk about War

René Pfeiffer/ April 17, 2012/ Discussion, High Entropy, Stories

Extreme situations, entropy eruptions and unforeseen problems caused by complex interactions between a plethora of components are prime story material. You can use it in (science) fiction, you can use for breaking news, you can use it for scaring your children, you can use it for advertising and you can use it when talking about information security. Maybe this is why talking about „cyberwar“ is all the fashion these days. Let’s follow the trend and introduce the issue with style: No boom today. Boom tomorrow. There’s always a boom tomorrow. What? Look, somebody’s got to have some damn perspective around here! Boom. Sooner or later. BOOM! — Lt. Cmdr. Susan Ivanova, Babylon 5 This statement from a fictional character pretty much sums up the issue (plus it contains exactly the required amount of sources

Read More

0304, 2012

Simple Questions, Security Design, Details and Assumptions

René Pfeiffer/ April 3, 2012/ Security, Stories

A few days ago we received a call from a journalist who was researching for an article about a system about parking place management. Motorists have a hard time finding a place to park in busy urban areas. This is why Austrian researchers thought of fitting street lamps with cameras that monitor parking areas. The cameras report the images to a system that identifies free parking sites and reports available spots to drivers by means of their satnav. The journalist wanted to know how safe this is and if there might be a threat to privacy. The answer is not that easy. In this context it typically resolves to the style of Radio Yerevan and starts with „In principle yes, but …“. In our case it depends on the details of the implementation. Brevity

Read More

0204, 2012

DeepSec 365 Conference Track and Disinformation

René Pfeiffer/ April 2, 2012/ Misc, Stories

We admit. We could not resist. Bazinga! Writing articles to be published on 1 April is fun, and you probably should not read any news on this day (or blog articles or anything, don’t even talk to people until 2 April). If you consider the disinformation practised on All Fools’ Day and connect it to security the fun stops. You rely on information and its accuracy to counter threats. So in turn disinformation can be regarded as a hacker tool. Social engineering people probably know this already. Since our CfPs for DeepINTEL and DeepSec 2012 are open: If you explore disinformation as a hacker tool and can show its impact on the security routine of potential targets/defenders, why not turn your findings into a presentation and send it to us? We want to know

Read More

0703, 2012

Disinfect your Information Environment

René Pfeiffer/ March 7, 2012/ High Entropy, Security, Stories

Since information technology relies heavily on analogies (as does lot of other „cyber“ things), we have a question for you. What do an intercepted phone call, infectious diseases and nuclear waste spilling into the environment have in common? Faulty containment. The Naked Security blog explains in an article how Anonymous was able to record the FBI phone call whose audio file was published in January 2012. Apparently „an Irish Garda police officer who was invited to attend the conference call about ongoing hacking investigations forwarded the message to a personal email account“. This personal e-mail account was compromised, and the information about the conference call was used to participate and to record the audio stream. This teaches a couple of lessons. Conference calls can be attended by having the correct string of characters (i.e.

Read More

2702, 2012

Security in the Trenches (or how to get dirty and stay clean)

Mika/ February 27, 2012/ Security, Stories

Sometimes you have to get dirty, sometimes it’s fun to get dirty. No it’s not what might come to mind, it’s about the dirty business of information security: you have to break things to see if they are secure enough and to learn about weak points. But what to break? Your own systems? Someone else’s systems? Best is to stay clean when selecting your target for the dirty business (we talked about offensive security recently). Most fun are “Capture the Flags” challenges, also known as war-games, which are frequently offered to the security community to test abilities and learn new stuff. I recently found a CtF challenge that looked quite fun and we started a 2-day session at the Metalab, the Hackerspace in Vienna with a group of 6 or 7 people with different

Read More