The Grotesqueness of the “Federal Hack” of the German Government Network

[Editor’s note: This article was originally published on the web site of the FM4 radio channel of the Austrian Broadcasting Corporation. We have translated the text in order to make the content accessible to our English-speaking audience. We will follow up on it with an article of our own about attribution, digital warfare, security intelligence, and the DeepINTEL conference.]

A friendly secret service knew more about espionage against the German government network than the German counterintelligence. Three months after the hack was discovered, the attackers are still somewhere in this huge federal network.

By Erich Möchel for fm4.orf.at

One week after the announcement of the attack on the security network of the German Federal Government, details are only leaking out slowly. The first official statement on Friday, claiming that the alleged Russian Trojan suite was already under control, was blatant misinformation and had to be withdrawn afterwards. According to official information, the German Government was tipped off in mid-December by a friendly intelligence service. That a secret service of a third state apparently knew more about espionage Trojans in the German government network than the German counterintelligence is an embarrassment beyond compare. The authorities cannot even say now when this “federal hack” began, although they reportedly already knew about it three months ago. Not least because of this, a news blackout was imposed.

Tips among Friends

The attacked “Informationsverbund Berlin – Bonn” (IVBB) is a huge, historically grown data network under the aegis of the German Interior Ministry, to which the German Bundestag, the Federal Council, the Federal Chancellery, the Federal Ministries and the Federal Court of Audit are connected, as well as “various security authorities” from Berlin, Bonn and other locations. Who, apart from the Federal Office for Information Security, these “various security authorities” might be can be counted on the fingers of one hand, using only three fingers:

The Federal Bureau of Investigation, and the secret services: the Federal Office for the Protection of the Constitution and the BND. The latter must also have been tipped off by the “friendly secret service” that attackers had infiltrated the information network of the German Federal Government. Furthermore, it was said that the invasion of the IVBB was allegedly part of a worldwide attack by supposedly Russian “hackers” against allies of the West, going on since 2017. What’s more: the German authorities had already been informed as early as December 19th.

A Question of Time

So the German authorities had three months to discover the intact parts of the malware and the artifacts of already deleted code, and to stay on the track of the attackers. This led to the actual target, namely the German Foreign Ministry, where a dozen or more contaminated computers were discovered. Assuming that the government’s statement is correct, not much more is known yet, but of course this cannot be verified. As for the duration of the attack, it was said quite early on that the attackers could have penetrated the network as early as the beginning of 2017, and later on that it could have happened even earlier, in 2016.

This has been the case for every comparable attack in the last ten years: each time the attackers had been in the attacked network much longer than initially suspected. And it is even more difficult to get rid of them, which is why such a high-level military cyber attack is also referred to as an “Advanced Persistent Threat” (APT). It is a persistent threat because the malware consists of many small modules. If even one is overlooked by the defenders while cleaning up, the next attack will start soon. From the Equation Group (NSA) to Russian and Chinese cyber troops to the North Korean Lazarus Group, all major players use largely identical methods of attack.

Operational Sequence of a State Attack

First, one scouts the target network looking for points of attack; then, in several places, one smuggles in tiny programs which are completely unremarkable on their own – the NSA calls them “implants” or “beacons”. Their only function is to avoid attracting attention internally for as long as possible, and to react to network scans from the outside with a “sign of life”. As soon as the actual attack starts, further software modules are smuggled in at these marked locations in the target network. All of them are encrypted and only merge into a Trojan suite behind the firewalls. Countering such an attack is a purely Sisyphean task as long as the attackers’ implants are still hidden somewhere in the network, because as soon as a network segment has been cleaned and control regained, the attack starts all over again in another segment.

The Hack of the German Bundestag in 2015

Exactly the same happened in 2015 in the network of the German Bundestag. After the discovery of the attack in early May a weeks-long game of cat and mouse began, until, after three months, the Federal Office for Information Security (BSI) threw in the towel. It was decided to exchange all the hardware, which involved a total of 20,000 PCs. Whether they also thought of changing the routers, switches, printers or firewalls is not known. A few kilobytes of space on any device and a network connection are sufficient for the implant to continue its work – namely by doing nothing, apart from sending a short ping to a command and control server somewhere on the Internet at a programmed time. Finding something like this in a huge network that was originally made up of mainframe computers and Windows 95 PCs and grew wild in all directions for two decades is hardly feasible. Here everything is cross-linked, and the German Bundestag is just one segment of the network. So it is quite possible that some implants of the unknown attackers survived the great clean-up of the Bundestag in 2015 unscathed.
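The two passages above describe implants that do nothing except send a short, regularly timed “sign of life” to a server on the Internet. As an added example (not part of the original article), the following detector looks for exactly that pattern in connection records: small, nearly equally spaced flows from one internal host to one external address. The log format, addresses and thresholds are constructed for the demonstration.

```python
"""Flag fixed-interval "sign of life" connections in constructed flow logs."""
import re
from collections import defaultdict
from datetime import datetime, timezone
from statistics import mean, pstdev

# Constructed sample flow records (not from any real network): one internal
# host contacts an external address roughly every 3600 s with a tiny payload,
# while ordinary browsing from another host is irregular and bulky.
SAMPLE_FLOWS = """\
2018-03-01T08:00:00Z src=10.0.3.17 dst=203.0.113.5 dport=443 bytes=312
2018-03-01T08:04:13Z src=10.0.3.22 dst=198.51.100.8 dport=443 bytes=51200
2018-03-01T09:00:01Z src=10.0.3.17 dst=203.0.113.5 dport=443 bytes=312
2018-03-01T09:31:40Z src=10.0.3.22 dst=198.51.100.8 dport=443 bytes=9800
2018-03-01T10:00:00Z src=10.0.3.17 dst=203.0.113.5 dport=443 bytes=310
2018-03-01T10:02:59Z src=10.0.3.22 dst=198.51.100.8 dport=80 bytes=120400
2018-03-01T10:03:05Z src=10.0.3.22 dst=198.51.100.8 dport=80 bytes=3300
2018-03-01T11:00:02Z src=10.0.3.17 dst=203.0.113.5 dport=443 bytes=312
2018-03-01T12:00:00Z src=10.0.3.17 dst=203.0.113.5 dport=443 bytes=312
2018-03-01T13:00:01Z src=10.0.3.17 dst=203.0.113.5 dport=443 bytes=312
"""

# Matches the constructed one-line-per-flow format used above.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) bytes=(?P<bytes>\d+)$"
)


def parse_flows(text):
    """Yield (timestamp, src, dst, dport, bytes) tuples from the log text."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip anything that does not match the constructed format
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        yield ts.replace(tzinfo=timezone.utc), m["src"], m["dst"], int(m["dport"]), int(m["bytes"])


def find_beacons(text, min_hits=5, max_cv=0.05, max_bytes=1024):
    """Return {(src, dst): mean_gap_seconds} for host pairs whose connections
    are both small and nearly equally spaced.

    min_hits:  minimum number of connections before a pair is examined.
    max_cv:    maximum coefficient of variation (stdev / mean) of the gaps;
               human-driven traffic has a far larger spread than a timer.
    max_bytes: mean payload above this is treated as real traffic, not a ping.
    """
    by_pair = defaultdict(list)
    for ts, src, dst, _dport, nbytes in parse_flows(text):
        by_pair[(src, dst)].append((ts, nbytes))

    beacons = {}
    for pair, events in by_pair.items():
        if len(events) < min_hits:
            continue
        events.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]
        avg_gap = mean(gaps)
        if avg_gap <= 0:
            continue
        cv = pstdev(gaps) / avg_gap
        avg_bytes = mean(n for _, n in events)
        if cv <= max_cv and avg_bytes <= max_bytes:
            beacons[pair] = round(avg_gap, 1)
    return beacons


if __name__ == "__main__":
    for (src, dst), gap in find_beacons(SAMPLE_FLOWS).items():
        print(f"possible beacon: {src} -> {dst} every ~{gap} s")
```

On the sample data only the hourly 10.0.3.17 -> 203.0.113.5 pair is reported; the thresholds are starting points and need tuning against a network’s own baseline (scheduled jobs and NTP clients also beacon).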

Open Questions

From the first day on it was rumoured again that “the Russians” were responsible, first supposedly APT 28 (“Fancy Bear”), and then there was talk of APT 29 (“Cozy Bear”). This is not unlikely, because just a handful of nation states could pull off something like that. The infamous APT 28, to which the attacks during the US election campaign were attributed, has already been blamed for the hack of the Bundestag in 2015. This cyber unit is the counterpart of the CIA coders; its task is operational and often includes psychological operations, i.e. influencing the public and politics.

APT 29, on the other hand, is comparable to the NSA Equation Group, involving the best programmers and therefore the most sophisticated software with the best camouflage. Of course, one does not want to squander these in propaganda operations – this is all about espionage at the highest level.

Regarding the question of who tipped off the German BND, there are three possible answers: either the British GCHQ or the NSA – but the French intelligence service cannot be ruled out either.

Support for BSidesLondon’s Rookie Track

We are proud to support the Rookie Track at BSidesLondon in 2018 again. This means that one of us will be present at the Rookie Track and that the winner will get to attend DeepSec in November. It’s hard to get a start, so we like to help the rookies with that. We also like to encourage everyone to share ideas, thoughts, code, and insights either at the Rookie Track or on the main stage. If you have never presented before, get a mentor and work on your presentation. Don’t be afraid. We like to hear your thoughts on infosec and related topics.

The same is true for our U21 presentation slot. We encourage young researchers to submit a presentation to DeepSec. We also offer mentoring and help you to get your content on stage. You just have to submit. ☻

Change of Ticket System for DeepSec and DeepINTEL

We have made some changes behind the scenes, as always when preparing the new events for the year. This time we decided to change the ticket shop for both DeepINTEL and DeepSec. The reason for the new shop is its focus on privacy and security. Most shops are part of a social media network or collect too much information (it can be both, depending on the interaction and the platform). It doesn’t matter if the collected information is being protected by privacy procedures or not. Our intent was to streamline the process. For you this means that you can buy your tickets as easily as before. We still have vouchers, too. Ask our sponsors. Furthermore, the payment is done directly to us, so we can manage your visit to DeepSec and DeepINTEL more efficiently. Also, the new shop offers some more payment methods.

In case you need anything, have special requests, or need support with buying tickets via the ticket shops, then please let us know. Keep in mind that we still offer different rates. The earlier you book, the less money you spend!

DeepSec 2018 calls for Trainings and Content – Focus Mobility

The DeepSec 2018 Call for Papers is open. The focus for this year is mobility. Mobile networks and mobile devices have established themselves firmly in our society. And mobility doesn’t end here. Transport is transforming into new technologies by incorporating access to data networks (yes, that’s the “Cloud”), the power grid (think electric vehicles), drones, new propulsion systems, artificially intelligent (sometimes even both!) personal assistants and algorithms (mathematics has become mainstream). The ever-growing number of dependencies between components is a fertile breeding ground for cascading errors that impact more than your new car or your latest order from your favourite online shop. Information security must become as mobile as home deliveries of goods and electric power. And it must become common. Infosec isn’t optional any more. Since bug logos have captured the minds of news readers, the message of information security should do this, too. Sadly the products we use and rely on don’t seem to catch up.

We are looking for content to address this aspect of our modern society. Mobility is the red line to guide you, but of course we are interested in anything that you are researching. We have become much more interconnected since the days of the first DeepSec conference. Let’s have a look at the consequences. There are many perfect tens out there, especially when you connect All teh Things.

We start early, because we want to get your submissions for trainings first! Since DeepSec is in the last week of November, we like to inform potential trainees as early as possible in order to facilitate the booking of tickets. Please send us your ideas! Don’t waste time!

Secret Router Security Discussion in Germany

Routers are the main component when it comes to connecting sites, homes, and businesses. They often “just” take care of the access to the Internet. The firewall comes after this access device. The German Telekom suffered an attack on their routers in 2016. The German Federal Office for Information Security now tries to create a policy for securing these critical systems. In theory this should add a set of documents on how to securely operate a router for last-mile access. Information security basically runs on checklists and policies. The trouble starts with the firmware. In Germany there is a discussion about using alternative devices as access components, enabling customers and organisations to use products of their own choice. Since firmware is the worst code on this planet, changing models and code is a good idea. The Association of German Cable Operators (ANGA) strictly opposes changes of software on modems. The working group discussing the new policy has held meetings in Bonn, but it’s complicated. Furthermore, participants discuss the topic under a non-disclosure agreement.

Security and secrecy don’t play well together. In this case there is the question of supporting customer-operated software on access devices, but this can be solved. All companies already use software tailored to their needs. Few applications or devices are used off-the-shelf. A lot of IT departments bring devices and other components into a given state by applying patches and changes to the configuration. Surely the access to the Internet must not remain a mystery. Protocols are documented, the technology is not based on a need-to-know basis. Why not address this weak link by giving sysadmins the tools to take care of the network boundary? Especially in times of home offices and interconnected (business) applications this link must be taken into account when designing security.

Golem.de has an article describing the process in depth (and in German).

Save the Dates for DeepSec 2018 and DeepINTEL 2018

While everyone was busy with the holidays, Meltdown and Spectre, we did some updates behind the scenes. DeepSec 2018 will be held from 27 to 30 November 2018. We tried not to collide with Thanksgiving, so that you can come to Vienna after being with your family. As always, the first two days will be the trainings, followed by two days of conference. DeepINTEL 2018 will be on 17 / 18 September 2018. We have a topical focus for both events and will present each of them in a separate article. There are still some details to work out. Wordsmithing and administrivia are the equivalent of dependencies and patches in software development – necessary, but they take time. It’s worth it, you will see for yourself.

We have a special message for anyone who intends to conduct a training at DeepSec 2018: Please let us know as soon as possible! This year’s DeepSec is later than usual, and we try to inform interested parties, companies, and individuals in time about the topics. So if you have something in your mind, if you work on cutting edge content and want to share, let us know. The Call for Papers manager is the easiest way, but of course you can drop us an email as well.

In addition the videos of DeepSec 2017 have been published on Vimeo. Since the video platform abolished its tip jar for donations, we will free the videos in June for everyone. All attendees and speakers enjoy them already. The slides from the presentations are online as well. Plus we have published In Depth Security Vol. II: Proceedings of the DeepSec Conferences for you to read on your mobile device or in print. Volume I is available, too. Volume III is on its way.

Meltdown & Spectre – Processors are Critical Infrastructure too

Information security researchers like to talk about and to analyse critical infrastructure. The power grid belongs to this kind of infrastructure, and so does the Internet (or networks in general). Basically everything we use has components. Software developers rely on libraries. Usually you don’t want to solve a problem multiple times. Computer systems are built from many components. Even a System on a Chip (SoC) has components, albeit smaller and close to each other. 2018 begins with critical bugs in the critical infrastructure of processors. Meltdown and Spectre haunt the majority of our computing infrastructure, be it the Cloud, local systems, servers, telephones, laptops, tablets, and many more. Information security relies on the weakest link. Once your core components have flaws, the whole platform may be in jeopardy. In 2017, bugs/backdoors in the Intel® Management Engine, which in effect acts as a malicious hypervisor, came to light (AMD™ has a similar technology). Coreboot is one way to replace the attack surface of your BIOS/UEFI firmware. These approaches can’t do much once the processor is affected.

Hindsight doesn’t help, but bugs in the processor core or its microcode have happened before. There is the famous FDIV bug, F00F, and other CPU bugs have been around for decades. The reason is sometimes the security-performance trade-off, it may be due to an architectural design error, or just simple oversight. Debugging is hard, hence hardware. If you are lucky, you run a platform that is not vulnerable. The Raspberry Pi ARM core is not affected by Meltdown or Spectre. So if you run on Raspberry Pis, then you are fine. Building a cloud platform is tricky (we tried to install OpenStack on a number of Raspberry Pis; it almost worked, but 1 GB memory is barely enough for the controller node).

We haven’t even mentioned embedded devices and the notorious Internet of Things (IoT). The history of bugs is huge. Back in 2014 there was an article on how hard/impossible it is to fix this ecosystem. The recent DeepSec conference featured a talk about the Mirai botnet and possible successors. There is not much you can do about it unless you can change the design. Once upon a time there were approaches to have reduced instruction sets on processors. Inspecting all the feature sets of modern CPUs looks like a higher level language. Of course we want our code to run as fast as possible. Who wants to wait? However there are designs that take security into account, and when it comes to critical infrastructure we will have the patience. Otherwise we will have to say goodbye to the idea of a secure platform.

Let’s see how many bugs in hardware 2018 brings. If you find some, please let us know and submit a presentation. Submissions for trainings are welcome as well. The Call for Papers for DeepSec 2018 and DeepINTEL 2018 open soon.


DeepSec 2017 Presentation Slides

While the videos are on their way to the rendering farm, the presentation slides for DeepSec 2017 can already be downloaded. We put them online as soon as we get the final version from our speakers. If you do some guessing URL-wise you can also find the presentations of past conferences at the very same spot. Since we collect the final slides after the conference and not ask speakers to put USB sticks into their computers during the conference, the download repository will fill in time. Unfortunately we cannot speed up this process. So bear with us, we are as curious as you (especially since some of us never get the see any presentation at DeepSec because there is too much to do).

As for the videos, all speakers and attendees will also get a direct link with early access to the content within the next few days. You don’t have to reload our blog or Twitter feed. 😉


DeepSec 2017 thanks you and DeepSec 2018 is almost ready

We caught up on sleep and are right in the middle of post-processing DeepSec 2017. Thanks to you all for attending, presenting, sending feedback, and being part of a great event. The slides will be online soon. The videos are being converted. We will upload them as bandwidth permits. All speakers and attendees will get a code to access them early.

Thanks for your feedback as well! We listen, and we have some plans to address the issues you reported. 2018 will see a lot of improvements.

We will announce the dates for DeepSec and DeepINTEL 2018 soon. The events will stay in November and September. We just need to coordinate with the venue and will let you know as soon as possible. The Calls for Papers open early in 2018, as does the new ticket shop system.

Looking forward to see you (again) in 2018!


DeepSec2017 U21 Talk: Lessons Learned: How To (Not) Design Your Own Protocol – Nicolai Davidsson

“One of the first lessons of cryptography is “don’t roll your own crypto” but we were bold enough to ignore it”, says Nicolai. “Single Sign-On is so 2016 which is why we’d like to introduce its replacement, Forever Alone Sign-On – FASO. This talk will discuss one of the ugliest SSO solutions you’ll ever see, its updated, slightly less ugly, iteration, and, ultimately, FASO.

We’ll discuss the use cases, questionable decisions made during the planning process, the actual self-rolled, totally vulnerable, cryptography, and the even worse code architecture.

In all seriousness: The talk reflects on the design process of an SSO protocol and its first two iterations, going from a semi-functional workaround to an experimental OAuth-and-the-like alternative utilizing pre-shared keys, symmetric cryptography and implicit authentication.”

 

Nicolai is a security researcher at zyantific and a graduate student at Ruhr University Bochum where he’s also an avid member of the FluxFingers CTF team. He likes burgers, buffer overflows and bad crypto.


ROOTS: Out-Of-Order Execution As A Cross-VM Side Channel And Other Applications – Sophia d’Antoine

Given the rise in popularity of cloud computing and platform-as-a-service, vulnerabilities inherent to systems which share hardware resources will become increasingly attractive targets to malicious software authors. In this talk, Sophia will introduce a novel side channel across virtual machines through the detection of out-of-order execution. She and her colleagues created a simple duplex channel as well as a broadcast channel. She’ll discuss possible adversaries for this channel and propose further work to make this channel more secure, efficient and applicable in realistic scenarios. In addition, she considers seven possible malicious applications of this channel: theft of encryption keys, program identification, environmental keying, malicious triggers, denial of service attacks, determining VM co-location, malicious data injection, and side channels.

We asked Sophia a few questions about her talk.

Please tell us the top 5 facts about your talk.

  • We introduce a novel side channel across the Pipeline using Out-of-Order execution to alter and leak co-located process state.
  • We abstract out hardware side channels and apply a model to all shared hardware elements both in virtualized environments (the cloud) and on a standard computer.
  • This talk also explains some fundamental dynamic resource allocations used in the cloud that cause resource contentions.
  • From here, we theorize that optimizations are the root cause of many side channels both in the hardware and software layers.
  • We discuss several new optimizations in the x86 and ARMv8-A spec which could possibly lead to useful side channels.

How did you come up with it? Was there something like an initial spark that set your mind on creating this talk?

Messing around with threads in university, I started to see a recordable pattern of erroneous results depending on other applications running in the background. Digging deeper into it I started learning about Out-of-Order execution, how by using it I could force a thread to receive incorrect results and how to deterministically leak system information.

Why do you think this is an important topic?

  • Shared resources in untrusted environments are becoming increasingly common. This leads to virtual allocations of physical resources and dynamic changes to resource distribution. These dynamic changes are the result of one process and may affect another process outside of its security boundary.
  • New hardware optimizations are also being introduced.

Is there something you want everybody to know – some good advice for our readers maybe?

Nope!

A prediction for the future – what do you think will be the next innovations or future downfalls when it comes to your field of expertise / the topic of your talk in particular?

In the future we’ll see more hardware solutions to software side channels. Case in point, recently ARM released extensions to the architecture for the purpose of mitigating cryptographic side channels in the multiply function. It is called Data Independent Timing and forces the upper bound execution time for all instructions (example: multiplications) when a specific flag is set. This means that 1×1 will take the same time as 2546483×245303. I think we will see more solutions like this to other security problems – not just side channels.

The implementation of these solutions may not be perfect however, and either may not completely solve the problem or introduce new vulnerabilities. For instance, this ARM constant time instruction flag does not enforce constant time loads and stores, depending on the memory being accessed. This could possibly be abused to bypass the solution.

 

Sophia d’Antoine is a senior security researcher at Trail of Bits in NYC and a graduate of Rensselaer Polytechnic Institute. She is a regular speaker at security conferences around the world, including RECon, HITB, and CanSecWest. Her present work includes techniques for automated software exploitation and software obfuscation using program analysis. She spends too much time playing CTF and going to noise concerts.

 


DeepSec 2017 Talk: OpenDXL In Active Response Scenarios – Tarmo Randel

Automating response to cyber security incidents is a trend which – considering the increasing number of incidents organizations handle and the ever-increasing attack surface – is already becoming mainstream. In this talk Tarmo explores the options of using OpenDXL in real-life situations of mixed environments, legacy solutions and multiple vendors, for connecting existing (and future) cyber security system components for coordinated information exchange and orchestrating incident response actions.

Tarmo is a researcher at the NATO Cooperative Cyber Defence Centre of Excellence, working on various research projects and developing for large-scale cyber exercises. He is also a developer at the Estonian eHealth Foundation, “kickstarting” the in-house development team: creating supporting infrastructure and preparing and executing plans for taking over selected external vendor development projects. He is Head of Department at CERT-EE, running the Computer Emergency Response Team, and an information security expert at CERT-EE, creating new tools and implementing existing ones to understand what is going on in networks. There, Tarmo detects and mitigates cyberattacks, analyses malware, plans and executes public awareness campaigns, and supports the building of a trusted information security community network.

He is also a system administrator at Tele2 and Trigger Software, converting legacy systems to modern, expandable high-availability systems, coding in PHP and C, looking for and eliminating performance bottlenecks, and supporting development infrastructure.

 


ROOTS: On The (In-)Security Of JavaScript Object Signing and Encryption – Dennis Detering

JavaScript Object Notation (JSON) has evolved into the de facto standard file format in the web, used for application configuration, cross- and same-origin data exchange, as well as in Single Sign-On (SSO) protocols such as OpenID Connect. To protect integrity, authenticity and confidentiality of sensitive data, JavaScript Object Signing and Encryption (JOSE) was created to apply cryptographic mechanisms directly in JSON messages. We investigated the security of JOSE and present different applicable attacks on several popular libraries. We introduce JOSEPH (JavaScript Object Signing and Encryption Pentesting Helper) – our newly developed Burp Suite extension, which automatically performs security analysis on targeted applications. JOSEPH’s automatic vulnerability detection ranges from executing simple signature exclusion or signature faking techniques, which neglect JSON message integrity, up to highly complex cryptographic Bleichenbacher attacks breaking the confidentiality of encrypted JSON messages. We found severe vulnerabilities in six popular JOSE libraries. We responsibly disclosed all weaknesses to the developers and helped them to provide fixes.
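The “signature exclusion” and “signature faking” techniques the abstract mentions both rely on the verifier trusting the algorithm named in the token header. As an added example (not code from the talk, from JOSEPH, or from any of the libraries studied), the verifier below fixes the expected algorithm on the verifying side and refuses `"alg": "none"` and empty signatures before any cryptography runs; it uses only the Python standard library, the key and payloads are constructed for the demo, and the `strip_signature` helper exists purely as a negative test case for the verifier.

```python
"""Verify a compact JWS (RFC 7515) with HS256, refusing header-driven
algorithm choice. Added example using only the standard library."""
import base64
import hashlib
import hmac
import json

# Constructed demo key; a real deployment loads this from a secret store.
DEMO_KEY = b"constructed-demo-key-not-a-real-secret"
COMPACT = (",", ":")  # compact JSON separators, as JOSE libraries emit


def b64url_encode(data: bytes) -> str:
    """Base64url without padding, as required by RFC 7515."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Restore padding before decoding; raises ValueError on bad input."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(payload: dict, key: bytes) -> str:
    """Produce header.payload.signature with HMAC-SHA256."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=COMPACT).encode())
    body = b64url_encode(json.dumps(payload, separators=COMPACT).encode())
    sig = hmac.new(key, f"{header}.{body}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url_encode(sig)}"


def verify_hs256(token: str, key: bytes):
    """Return (True, payload) or (False, reason).

    The accepted algorithm is a property of the verifier, never read from the
    token, so 'alg': 'none' and any substituted algorithm are rejected up front.
    """
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed: expected three segments"
    header_b64, body_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
    except ValueError:
        return False, "malformed header"
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return False, f"rejected alg {header.get('alg') if isinstance(header, dict) else None!r}; verifier only accepts HS256"
    if not sig_b64:
        return False, "empty signature"
    try:
        provided = b64url_decode(sig_b64)
    except ValueError:
        return False, "malformed signature"
    expected = hmac.new(key, f"{header_b64}.{body_b64}".encode("ascii"), hashlib.sha256).digest()
    # Constant-time comparison: a plain == would leak how many bytes matched.
    if not hmac.compare_digest(expected, provided):
        return False, "signature mismatch"
    try:
        return True, json.loads(b64url_decode(body_b64))
    except ValueError:
        return False, "malformed payload"


def strip_signature(token: str) -> str:
    """Negative test fixture: the signature-exclusion form of a token
    (header claims alg none, signature segment emptied). A correct verifier
    must reject it regardless of the payload."""
    _header, body, _sig = token.split(".")
    header = b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}, separators=COMPACT).encode())
    return f"{header}.{body}."


if __name__ == "__main__":
    good = sign_hs256({"sub": "alice", "admin": False}, DEMO_KEY)
    print(verify_hs256(good, DEMO_KEY))
    print(verify_hs256(strip_signature(good), DEMO_KEY))
```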

We asked Dennis a few questions about his topic of choice.

Please tell us the top 5 facts about your talk.

  • In our talk we present our research on the new JavaScript Object Signing and Encryption (JOSE) standards, which were created to apply cryptographic mechanisms directly in JSON messages to protect integrity, authenticity and confidentiality of sensitive data.
  • We investigated the applicability of known attacks ranging from simple signature exclusion or signature faking techniques, which neglect JSON message integrity, up to highly complex cryptographic Bleichenbacher attacks breaking the confidentiality of encrypted JSON messages.
  • We found severe vulnerabilities in six popular JOSE libraries. We responsibly disclosed all weaknesses to the developers and helped them to provide fixes.
  • We introduce JOSEPH (JavaScript Object Signing and Encryption Pentesting Helper) – our newly developed open source Burp Suite extension, which performs (semi-)automatic security checks on targeted applications and aids in manual manipulation and inspection.

How did you come up with it? Was there something like an initial spark that set your mind on creating this talk?

This talk summarizes the results of our research, which was conducted as a Master’s thesis at the Ruhr University in Bochum in cooperation with the CSPi GmbH. The Extensible Markup Language (XML) already enjoys great popularity and allows for cryptographic mechanisms by applying the XML Signature and XML Encryption standards. XML implementations already suffered from several practically applicable attacks and we wanted to check whether JOSE implementations are more secure.

Why do you think this is an important topic?

JavaScript Object Notation (JSON) has evolved to the de-facto standard file format in the web and is used for application configuration, cross- and same-origin data exchange, as well as Single Sign-On (SSO) protocols such as OpenID Connect. Thus, JOSE implementations are used for sensitive processes and data, such as authentication mechanisms, password resets, confidential storage and sensitive data transfer. If those implementations contain weaknesses that allow for any bypass, this probably results in a compromise of user accounts, personal data or full systems.

Is there something you want everybody to know – some good advice for our readers maybe?

Usually, it’s not a good idea to implement your own cryptography. Most weaknesses in the field of cryptography result from implementation issues and missing knowledge of known and possible attacks. Especially companies should invest a lot more in security analyses and audits.

A prediction for the future – what do you think will be the next innovations or future downfalls when it comes to your field of expertise / the topic of your talk in particular?

There exist more known attacks against cryptographic systems and possible pitfalls. Such attacks are, for example, adaptive chosen-ciphertext attacks on the CBC mode and invalid curve attacks. With respect to future work, the analysis of such attacks on JOSE is considered essential. Furthermore, the usage of JOSE in complex systems like JSON-based web services and protocols like OpenID Connect should be in the scope of further research. Similar to the security analysis of XML-based services, an in-depth evaluation could lead to the discovery of completely new attacks. Additionally, JOSE’s advantages of being simple, self-contained and designed for usage in space-constrained environments open future use-cases in the field of the Internet of Things and Industry 4.0.

 

Dennis has a Master’s degree in IT security from the Ruhr-University Bochum and works as a penetration tester at the CSPi GmbH in Cologne. He has an avid interest in web, network and industrial security and loves to research and hunt for bugs.

Posted in Security. Comments Off on ROOTS: On The (In-)Security Of JavaScript Object Signing and Encryption – Dennis Detering

DeepSec2017 Talk: Building Security Teams – Astera Schneeweisz

While ‘security is not a team’, you’ll find that most companies growing just beyond 60-80 people start employing a group of people focusing primarily on the topic. But the culture of secure engineering in a company does not only strongly correlate with when you start building a security team – it becomes (and grows as) a matter of how they connect with the rest of your organization, and make security, adversarial thinking, and the care for user safety and privacy part of everyone’s concern. In this talk, Astera will review what the purposes of a security team can be, which challenges you’ll face, how you can make it scale beyond the team’s boundaries; as well as proven good practices of running (fairly operational) engineering teams themselves. Whether your organization already has a security team or is currently distributing security demands across areas, you’ll be able to take away how to build (out) a dedicated security team and make your engineers (and, spoiler alert, other teams!) happy, healthy, and sustainable for the years to come.

Please tell us the top 5 facts about your talk.

At a certain organizational size, you might (very likely) need a dedicated security team – but you shall never think of security as a team. You’ll need to consider the boundaries of responsibility for that team, or you won’t be able to scale. The way to get your products and users more secure is through making security part of your company’s (engineering) culture. You want your teams across the org to work together, because they care about a common cause, and be happy doing so. There’s nothing magical-unicorn-y around security, and we should actively make people stop thinking that security engineers are more special than other people.

How did you come up with it? Was there something like an initial spark that set your mind on creating this talk?

I often receive the same questions again and again from people (think VP of engineering more than security lead) working at other organizations, not about vulnerabilities or tools or some sort of snakeoil they might have heard of, but about how we managed to get our teams to work together as they do, and deliver the results they do. I figured I’d put the common questions (minus everything about compliance) into one handy talk.

Why do you think this is an important topic?

Because people >> technology, and we should talk more about how we meet what’s expected of us today with the teams we get to build.

Is there something you want everybody to know – some good advice for our readers maybe?

If I wanted attendees to at least remember one single thing from my talk, it would be: Hire people with empathy, not 0days.

A prediction for the future – what do you think will be the next innovations or future downfalls when it comes to particularly your field of expertise / the topic of your talk?

I’m afraid I don’t have an answer to that 😉

Astera has always been fascinated with machines and how to make them do her own bidding, working in defensive security for the past decade. More recently, she’s grown to love and prioritize the challenge of working with real humans in her life, and exciting others about this frontier. She works as the Director of Security at SoundCloud’s Berlin headquarters, overseeing the Security, User Auth, Anti-Abuse, and Corporate IT teams.

Posted in Conference. Comments Off on DeepSec2017 Talk: Building Security Teams – Astera Schneeweisz

Notes on the ROOTS Schedule and the Conference

We are all set for the conference on Thursday. We did some last-minute changes to the schedule due to some speakers running into issues, but we can confirm almost all presentations. You may have noticed the ROOTS schedule. It’s a bit shorter than DeepSec’s, but the two events are not competing. The review for ROOTS is a lot harder, because each presentation is about a scientific publication. This means your submission gets peer-reviewed and voted on by the programme committee. We received some content more suitable for, let’s say, standard events. This won’t do, and this is why you see only the best submissions of ROOTS published in the schedule.

All in all we are very glad to present you high quality presentations from speakers who really know information security. Enjoy!

See you at DeepSec!

Posted in Administrivia Conference Discussion. Comments Off on Notes on the ROOTS Schedule and the Conference