Supporting BSidesLondon “My Machine is not Learning” 2019

This year’s BSidesLondon is pondering the most important question of machine learning: what is my machine doing and learning? Well, it might be that “My Machine is not Learning” at all. Sounds a lot like the intelligence we all know from living beings. So, armed with this new motto, BSidesLondon is turning 9, and we will support the Rookie Track again. The winner gets a trip to Vienna and free entry to DeepSec 2019. Get going and get started with your presentation! It’s worth it, and we would love to welcome you to Vienna! Ask @5w0rdFish about it.

If you are looking for research topics, please drop us a line. We have some ideas about good questions and things to explore.

See you in London!

Save the Date for DeepINTEL and DeepSec 2019

We did some clean-up and dealt with the administrative issues of past and future events. Finally we can announce the dates for DeepINTEL 2019 and DeepSec 2019. Grab your calendars or log into them:

  • DeepSec 2019 Trainings – 26/27 November 2019
  • DeepSec 2019 Conference – 28/29 November 2019
  • DeepINTEL 2019 – 27 November 2019

The conference hotel is the same as for every DeepSec. We haven’t changed our location. As for the date: yes, we announced at the closing ceremony that we won’t collide with Thanksgiving. We tried hard to avoid this, but given the popularity of Vienna as a conference and event city we had no choice. For 2020 and the following years we will make early reservations in order to avoid the week of Thanksgiving.

The call for papers opens soon, as does our ticket shop. For the latter we have made some changes to the payment options. We will explain them in a separate article. The topical focus of the call for papers will follow current technology, but not trends. Connected systems in production are the focus of attacks, not buzzwords. Unless the buzzwords are connected to the Internet, of course.

So mark the dates in your calendar. Hope to see you in Vienna!

Translated Article: Campaign of the Spy Alliance “Five Eyes” against WhatsApp and Co

Translation of the article “Feldzug der Spionageallianz ‚Five Eyes‘ gegen WhatsApp und Co”, written for fm4 by Erich Moechel.

The current scattered news and reports on “encryption” belong together. The military secret services of the “Five Eyes” conduct a global campaign; in Australia they’ve already reached their first milestone.

Every two years, around the same time, the espionage alliance “Five Eyes” runs a campaign against encryption programs. Unlike in 2016, the new campaign has reached its first goal in a flash. In early December, the Australian Parliament passed a bill obliging Internet companies to break open encrypted communications.

The providers of WhatsApp, Snapchat, and Co are hereby required to build surveillance interfaces into their apps in order to give Australian law enforcement covert access. In a parliamentary coup – without discussion or amendments – the “Assistance and Access Act” created a global precedent. The campaign is orchestrated by the British GCHQ, which had published a programmatic plea for backdoors a few days before the coup took place.

Moderate Proposal for Conference Calls

It was written by Ian Levy, the director of the British National Cyber Security Centre, which belongs to the military intelligence service GCHQ. The essay, published in late November on the prestigious “Lawfare” blog, was very moderately titled “Principles for a More Informed Exceptional Access Debate”. This holds true for the first two thirds of the text, which is about “necessary transparency”, “privacy and security”, and about everything planned for monitoring. To enable these “exceptions”, providers of messaging services such as Apple, Facebook, Snapchat, et al. should be required to install surveillance interfaces in the same way as telecoms providers.

In a chat of two or more people a hidden account should be added secretly – that is the core message of the GCHQ. It refers to the conference-call feature of analogue telephony, which was used for monitoring purposes until the early days of mobile networks, i.e. before there were standardised, dedicated monitoring interfaces. This was done to meet the legal requirements for the monitoring of all networks.

Cloak and Dagger Operation Down Under

Just a few days after these moderate proposals of the GCHQ, the Parliament of Australia passed a law through a covert operation of the two major parties. Because of 171 amendments tabled by the Labor party everyone had prepared for a lengthy debate, but, quite unexpectedly, the Social Democrats withdrew all of their motions last week. This cleared the way, and the “Assistance and Access Act” was passed with a large majority and the vague promise that objections would be considered later on.

The law not only imposes severe penalties on providers that do not cooperate; even consulting a technician is punishable if it serves to circumvent these measures, and the consultant is prosecuted as well. At first the Australian IT industry was caught off guard by this coup, then there was an uproar. They, of course, immediately understood what consequences this overarching law would have for the industry. Whoever operates communication channels would have to build in a “trap-and-trace” capability for covert monitoring by third parties. The Australian market leader Telstra is one of the largest IT players in the South Pacific, with branches in 20 states, from the Philippines to China to Malaysia.

GCHQ Campaign Number Two

Clearly, the GCHQ’s moderate proposals for conference calls lead to serious interventions in the software of the apps themselves. In fact, options have to be built in to manipulate the display of the chat participants. In the service operator’s network, specially secured “conference servers” have to be set up to transfer these “conferences” to the prosecutors in audio, video or text format. Not surprisingly, none of this is mentioned in the GCHQ’s proposals; instead they emphasize that these measures would only apply in “exceptional cases” and that it is not expected that 100 percent of the orders could be executed.

At the same time, the GCHQ has launched a second, intertwined campaign. The GCHQ complains about the prevalence of encrypted communications, which has risen to 95 percent of data traffic. If it is not possible to create new legal frameworks that allow for targeted monitoring of messenger services, then the GCHQ would find itself forced to significantly increase its metadata monitoring on the fibre-optic lines. So the problem is that 95 percent of the traffic is encrypted. How this fits in with the claim that access to encrypted records shall only be required in “exceptional cases” is not explained.

The Purpose of the Moderate Proposal

The same day the moderate proposals of the GCHQ were published, US Attorney General Rod Rosenstein met the press and complained about the increase in encrypted communication. This makes it more and more impossible for police authorities to do their job, said the top US prosecutor. Similar comments were also heard from Canada and New Zealand, so all Five Eyes are represented. Unlike in 2016, this time it is not the prosecutors but the military intelligence services that are in charge, and they are now touchingly concerned with the problems of civilian prosecutors.

The reason: in the UK and the other Five Eyes states, the more complex surveillance measures are carried out by the military secret services on behalf of the prosecutors. That is what these moderate intelligence proposals amount to: something suspiciously similar to the NSA’s notorious PRISM program, in which the US services demanded from the Internet companies access to data that they could not obtain in unencrypted form at the mass tapping points on the optical fibres.

What happens next

In the meantime, further traces of this campaign have been discovered in international standardization committees. The matter requires a certain amount of research, so a follow-up will not be published immediately, but can still be expected in 2018. As for the term “moderate proposal”, it was coined by the Irish satirist Jonathan Swift. In view of the famine in Ireland in 1729, which killed tens of thousands, the satirist proposed, in an essay of the same name (“A Modest Proposal”), to slaughter infants at the age of one year and serve them either boiled, grilled, or as a fricassee.

Posted in Discussion, High Entropy, Security.

ROOTS 2018: Library and Function Identification by Optimized Pattern Matching on Compressed Databases – Maximilian von Tschirschnitz

[Editor’s note: This article belongs to the Reversing and Offensive-oriented Trends Symposium 2018 (ROOTS). It was misplaced, so we publish it today. Maximilian’s talk was recorded and can be watched on Vimeo.]

The goal of library and function identification is to find the original library and function for a given machine-code snippet. These snippets commonly arise from penetration tests attacking a remote executable, from static malware analysis, or from an IP infringement investigation. While there are several tools designed to achieve this task, all of them seem to rely on varied methods of signature-based identification. In this work, the author argues that this approach is not sufficient for many cases and proposes a design and implementation for a multitool called KISS. KISS uses lossless compression and highly optimized pattern matching algorithms to create a very compact but substantial database of library versions. In practice, KISS achieves remarkable compression rates below 30 percent of the original database size while still allowing for extremely fast snippet identification with high success rates.

Finally, the author also argues how this approach improves the security of existing techniques, as the design relies fully on complete function body verification, which prevents analysis-resilient malware from disguising itself as external and trusted library code. This has recently been shown to be a problem for malware analysis with existing identification solutions.

Maximilian von Tschirschnitz is working as a prototype engineer and researcher for the Intel Corporation in Germany. In parallel he is currently studying Informatics at the TU Munich. His current research topics cover IT security and high-precision positioning methods. His further professional interests include theoretical informatics, image feature recognition and computer graphics.

Posted in ROOTS.

Analysing Data Leaks and avoiding early Attribution

Hex dump of compressed Linux 4.20 kernel image.

The new year starts with the same old issues we have been dealing with for years. German politicians, journalists, and other prominent figures were (are) affected by a data leak. A Twitter account started tweeting bits from the leaked data on 1 December 2018 in the fashion of an Advent calendar. The account was closed today. You will find articles describing single parts of what may have happened along with tiny bits of information. Speculation is running high at the moment. So we would like to give you some ideas on how to deal with incomplete information about a security event floating around on the Internet and elsewhere.

Attributing data leaks of this kind is very difficult. Without thoroughly understanding and investigating the situation, proper attribution is next to impossible. Given the method of disclosure, the leak has not been published in full. While the links published on the Twitter account led to a data sharing platform, there is no way of knowing how much data was really copied from where. Analysing where the data came from is only possible with the help of the owners. The type of dumped data varies. There were mobile phone numbers, addresses, internal political party communications, photographs of ID cards, letters, emails, invoices, chat transcripts, and credit card information. This selection points to a communication device such as an email client or a smartphone. Personal communication is often governed by the need to access data while on the move. Again, this is speculation. Given the variety of data owners there are probably more compromised accounts. Which kind of account exactly is guesswork. You would have to see a more complete picture of the data dumped.

The leaked bits of data also do not give a complete picture in terms of chronology. Some data was annotated as having been copied months ago. Leaked data usually gets post-processed into collections. These collections are refined and verified in order to increase the value of the data. Apparently this wasn’t important to whoever put the data online.

It’s always a good idea to go for the agenda. Look at the way the data is leaked, and ask who benefits from this. Just dumping data somewhere is not very smart. Using the data without publishing it has a lot more advantages. Publicity is a sign of the dreaded manipulation of minds – information warfare. Advertising works the same way. Publish something that sticks in people’s thoughts. It works almost all of the time, especially in all kinds of cyber. But again, this is speculation.

If you read about issues like this, there is a simple rule: do not read any articles with a question mark (this “?”) in titles or subtitles. The “?” is usually a sign of speculation. No offence, but you do not get anywhere in an analysis by asking your audience questions. The audience wants to know your facts, not your questions.

Posted in High Entropy.

Merry XSSmas and a successful new mktime() Syscall

Macro-photography of snowflake. Source: https://commons.wikimedia.org/wiki/File:Snowflake_macro_photography_2.jpg

The holidays are coming, next to Winter (hopefully). Thank you all for attending and contributing to DeepSec and DeepINTEL 2018! All slides we got are online. The videos have almost left post-production (except one recording whose audio is being fixed) and are on the way to the content distribution network. The ROOTS videos will be first. You will find all videos in their albums. Make sure you look for collections, too. We will set up a tip jar for our video team again, so if you want to leave a small thank you for the crew, please do so.

We are going to deal with infrastructure and the upkeep of our to-dos. Plus we will spend some time off-line. Or maybe just in local networks to do some well-deserved hacking. The dates for DeepSec and DeepINTEL 2019 are being fixed, and we will publish them probably next week or in the first week of 2019. It’s better to announce things once they are really tightly sealed. Furthermore, we did read your feedback and have planned some improvements for next year. We will let you know about the details. Don’t wait. Off you go! Enjoy the holidays!

Posted in Administrivia, High Entropy.

Encryption, Ghosts, Backdoors, Interception, and Information Security

Source: https://commons.wikimedia.org/wiki/File:Al-kindi_cryptographic.png

While talking about mobile network security we had a little chat about the things to come and to think about. Compromise of communication is a long-time favourite. Hats of all colours need to examine the metadata and data of messages. Communication is still king when it comes to threat analysis and intrusion detection. That’s nothing new. So someone pointed in the direction of a published article. Some of you may have read the article titled Principles for a More Informed Exceptional Access Debate, written by GCHQ’s Ian Levy and Crispin Robinson. They describe GCHQ’s plan for getting into communication channels. Of course, “crypto for the masses” (yes, that’s crypto for cryptography, because you cannot pay for your coffee with it) or “commodity, end-to-end encrypted services” are also mentioned. They explicitly claim that the goal is not to weaken encryption or defeat the end-to-end nature of the service. Instead they propose to take advantage of existing weaknesses in the implementation. This can either be done by using an exploit, or it can be accomplished through the lack of identity verification, for example in (large) groups such as chats. This is not a new idea. Basically this technique was and is being used throughout the ages, with or without the Internet.

Matthew Green has written a comment on these ghost users or ghost devices. The key point is not to be distracted by the amicable style of GCHQ’s proposal. It boils down to changes which will weaken the security of the system, or to using communication infrastructure which is less secure because it either allows backdoors or has no end-to-end encryption. The discussion can be seen as a preparation for adopting legislative measures such as Australia’s Assistance and Access Bill 2018. This bill has drawn a lot of criticism. If One Eye does it, why shouldn’t the remaining Four Eyes? We recommend Matthew’s article to anyone who relies on secure communication.

In case you had no time to follow the news regarding interception of communication – nothing has changed. Either you have a secure system (of which end-to-end encryption is a key component), or you don’t. It doesn’t matter if you rephrase the idea of having escrow keys, backdoors, or strategic weak points in a communication architecture. The principles are the same. The worst-case scenario is that we keep stockpiling extra 0day exploits for legal reasons. That’s not information security, it’s something radically different.

Posted in Discussion, High Entropy.

Need something to read? – First Batch of DeepSec 2018 Presentation Slides online

PDF document symbol.

Do you fear reading the news? Fancy some facts? Well, we have something different for you to read. We have collected presentation slides from DeepSec 2018 and put the first batch online. You can find them in this rather nostalgic directory listing. We have renamed the files with their title and the name of the presenters. They are mostly PDF, but two presentations consist of an HTML slideshow. For your convenience we have created a PDF document containing the link to the original presentation. The directory will be filled with the remaining documents as soon as we get them.

Posted in Administrivia, Conference.

Thank you all for attending and speaking at DeepSec 2018!

Stickers at the DeepSec registration desk, courtesy of Florian Stocker <fs@fx.co.at>.

At the registration desk.

DeepSec 2018 is over. Thank you for attending and presenting at our conference! Without your interest and your contribution there would be no talks, no workshops, and no one else present. We had a great time, and we hope you enjoyed everything. We are now dealing with the administrative backlog, the metric ton of receipts, the post-processing of the video recordings, and lots of other things. Among the tasks is the feedback you gave us. We will try to improve, so the next DeepSec conference will feature some or all of your suggestions.

Dates for DeepSec and DeepINTEL 2019 will be available soon. We will publish this information on Twitter, on our web site, and on our blog.

As for the video recordings, please give us some time. The post-production has to deal with the lighting conditions at the hotel (which will improve for the next conference, promised).

Posted in Conference, Security.

Opening & Keynote – DeepSec 2018 has started

So, right now the opening and the keynote presentation by the magnificent Peter Zinn are taking place. This means that DeepSec 2018 has officially started. Since we do not live stream the talks, we will be away from the blog and mostly from Twitter until the end of the conference. Communication in meatspace has full priority. In case of urgent messages, use the contact information on our web site. We still use telephones, you know.

In case you are at DeepSec and wish to comment on content, discussions, or summarise a presentation, please do. Post it on Twitter and mention us (or use a meaningful hashtag), we will retweet and pick up your thoughts later on the blog.

Enjoy the conference!

Posted in Administrivia, Conference.

Discussing Threat Intelligence in the City of Spies – DeepINTEL 2018 has started

Le cabinet noir ou: les pantins du 19eme siècle; source: https://en.wikipedia.org/wiki/File:Bodleian_Libraries,_Le_cabinet_noir_ou-_les_pantins_du_19eme_si%C3%A8cle.jpg

1815 caricature of the cabinet noir, Bodleian Libraries.

What’s the best place to discuss security and threat intelligence? Well, according to Austrian investigative journalist Emil Bobi there are over 7,000 spies living and working in Vienna. To quote the article: “Austria has been an international spy hub since the late 19th Century, when people from all parts of the Austro-Hungarian empire flocked to the city.” Basically it’s an ancient tradition going back to the 19th century. During DeepINTEL we will discuss modern threats – advanced, persistent, networked, or otherwise. The focus will be on indicators of suspicious behaviour, the human component of information security, the challenges posed by drone technology, and how to protect sources of information.

Posted in Conference, DeepIntel.

ROOTS 2018 Talk: Kernel-Assisted Debugging of Linux Applications – Tobias Holl, Philipp Klocke, Fabian Franzen

On Linux, most—if not all—debuggers use the ptrace debugging API to control their target processes. However, ptrace proves unsatisfactory for many malware analysis and reverse engineering tasks: So-called split-personality malware often adapts its behavior in the presence of a debugger, yet ptrace makes no attempt to hide from a target process. Furthermore, ptrace enforces a strict one-to-many relation meaning that while each tracer can trace many tracees, each tracee can only be controlled by at most one tracer. Simultaneously, the complex API and signal-based communications provide opportunities for erroneous usage.

Previous works have identified the newer uprobes tracing API as a candidate for building a replacement for ptrace, but ultimately rejected it due to lack of practical use and documentation. Building upon uprobes, we introduce plutonium-dbg, a Linux kernel module providing debugging facilities independent of the limitations of ptrace alongside a GDB-compatible interface. Our approach aims to mitigate some of the design flaws of ptrace that make it both hard to use and easy to detect by malicious software.

We show how plutonium-dbg’s design and implementation remove many of the most frequently named issues with ptrace, and that our method improves on traditional ptrace-based debuggers (GDB and LLDB) when evaluated on software samples that attempt to detect the presence of a debugger.
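As an added illustration of the abstract’s point that ptrace makes no attempt to hide from its target (this is example code, not code from the paper or from plutonium-dbg): when a tracer attaches via ptrace, the Linux kernel publishes the tracer’s PID in the TracerPid field of /proc/<pid>/status, which is exactly the artefact split-personality samples inspect and which an analyst can also check in a captured status file. The status texts embedded below are constructed; the live read assumes a Linux procfs.

```c
/* Added example: what a ptrace-based debugger exposes to its target.
 * The kernel fills "TracerPid:" in /proc/<pid>/status with the PID of the
 * attached tracer (0 when untraced). The same parser works on a status
 * file captured from a sandbox run. Sample texts below are constructed. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Parse the TracerPid value out of the text of a /proc/<pid>/status file.
 * Returns the tracer's PID, 0 if the process is untraced, or -1 if the
 * field is missing or malformed. */
long parse_tracer_pid(const char *status_text)
{
    const char *line = status_text;
    while (line && *line) {
        if (strncmp(line, "TracerPid:", 10) == 0) {
            char *end;
            long pid = strtol(line + 10, &end, 10); /* strtol skips the tab */
            if (end == line + 10)
                return -1;                          /* no number after the field name */
            return pid;
        }
        line = strchr(line, '\n');                  /* advance to the next line */
        if (line)
            line++;
    }
    return -1;
}

/* Read the live value for the calling process. Returns -1 if procfs is
 * unavailable, otherwise the tracer PID (0 means no ptrace tracer attached). */
long read_own_tracer_pid(void)
{
    char buf[4096];
    FILE *f = fopen("/proc/self/status", "r");
    if (!f)
        return -1;
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    return parse_tracer_pid(buf);
}

/* Constructed excerpt of a status file from a process stopped under a
 * ptrace-based debugger whose PID is 4242. */
static const char traced_sample[] =
    "Name:\tsample\n"
    "State:\tt (tracing stop)\n"
    "Pid:\t5150\n"
    "PPid:\t4242\n"
    "TracerPid:\t4242\n"
    "Uid:\t1000\t1000\t1000\t1000\n";

/* Constructed excerpt of the same process running without a tracer. */
static const char untraced_sample[] =
    "Name:\tsample\n"
    "State:\tS (sleeping)\n"
    "Pid:\t5150\n"
    "PPid:\t1\n"
    "TracerPid:\t0\n";

int main(void)
{
    printf("traced sample   -> TracerPid %ld\n", parse_tracer_pid(traced_sample));
    printf("untraced sample -> TracerPid %ld\n", parse_tracer_pid(untraced_sample));
    printf("this process    -> TracerPid %ld\n", read_own_tracer_pid());
    return 0;
}
```

Running the binary under GDB or strace shows a non-zero value for the live process, which is the signal a kernel-side approach such as the one described above avoids leaving.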

We asked Tobias, Philipp and Fabian a few more questions about their talk.

Please tell us the top 5 facts about your talk.

  • We implemented a debugger using existing Linux kernel infrastructure
  • Alternative to the ptrace API (the usual debugging interface), which has several design flaws
  • Use of modern kernel features (uprobes, kprobes, etc.)
  • Resists most approaches to detect debuggers
  • Compatible with existing debugger frontends (GDB) and their plugins (pwndbg)

How did you come up with it? Was there something like an initial spark that set your mind on creating this talk?

We encountered a program which ptraced itself, to detect the presence of a debugger. To allow for dynamic analysis, we asked ourselves if we could avoid this well-known mechanism.

Why do you think this is an important topic?

Some malware also uses this trick to avoid analysis by security researchers and analysis tools in general. Thus, we aim for minimal interference with the target process, which also allows for other kinds of debugging. For example, we can investigate so-called Heisenbugs (bugs that occur in production only, not in debugging).

Is there something you want everybody to know – some good advice for our readers maybe?

Ptrace has major drawbacks, the biggest being that every target can be debugged by only one debugger. Others include the destruction of process order, poor performance in accessing memory and a non-intuitive API.

A prediction for the future – what do you think will be the next innovations or future downfalls when it comes to your field of expertise / the topic of your talk in particular?

Our approach removes obvious detection possibilities in what we believe to be an arms race of debugger detection and debugger stealthiness. Therefore we expect malware authors to develop new evasion techniques, which we will counter, as we think our capabilities are not maxed out yet.

Tobias Holl is a computer science student at TUM with a passion for reverse engineering and IT security. By day, he develops high-performance parallel software in C++, with a focus on computer vision and machine learning.

Philipp Klocke is a hacker, nerd and tech-enthusiast. He occasionally plays CTF and pursues a B.Sc. at the Technical University of Munich.

Since 2018 Fabian Franzen has been a PhD student and researcher at the Chair of IT Security of the Technical University of Munich (TUM). When he is not trying to teach his students the foundations of IT security, he is interested in various research topics. More specifically, these are reverse engineering, binary exploitation, Android security and improving systems security by introducing additional features to the Linux kernel.

Posted in Conference, ROOTS.

DeepSec 2018 Talk: Attacks on Mobile Operators – Aleksandr Kolchanov

I’d like to talk about telecom security. My research contains information about the security of mobile operators: classic and new (or very rare) attack vectors and vulnerabilities. This presentation will consist of three main parts:

First, I will share information on the security of mobile operators in general. I’ll tell you a little bit about why it is important (usually, phone numbers are used as a key to social networks, messengers, bank accounts, etc.). So, if an attacker can hack a mobile operator, he can gain access to a large amount of user data and money. Also, in this part, I will tell you about typical SS7 attacks (how to intercept SMS or send fake ones).

During the second part, I will tell you about different vulnerabilities and security issues. All of the problems I will refer to were found in systems of mobile operators from Russia and the Ukraine. I will speak about the classical vulnerabilities I found (XSS, CSRF and HTTPS issues) that allow attackers to gain access to subscriber accounts through a mobile operator’s site or application.
Also, I will talk about authorisation issues (SMS codes, bruteforce, etc.). Then I will tell you about new attack vectors (or very rare ones): attacks via IVR (at call centres), problems in operator services that allow sending SMS from users’ numbers, and problems in operator applications (which allow attackers to intercept calls and SMS). I will also speak about attacks on SIM-card change systems (how I can gain access to information that I can use to change SIM cards and gain access to calls and SMS). Of course, I will show demos and PoCs (images, video or real-time demonstration) of some attacks.

In the final part of the talk I will talk about post-exploitation. The main idea of this part is to show how I can use the vulnerabilities addressed in the second part of my talk to gain access to private data (including SMS content), intercept calls and SMS, send fake SMS, gain access to email, messenger, and social network accounts (using restore via SMS), to steal money from bank accounts (using account restore or SMS banking), and for some other ideas.

We asked Aleksandr a few more questions about his talk.

Please tell us the top 5 facts about your talk.

I think these facts are the most interesting:

  • Mobile operators are interesting targets for hackers. If somebody hacks them, he will be able to easily hack many other services.
  • I will tell you about simple attacks. Any hacker can use these attacks without special equipment and knowledge.
  • I researched mobile operators from Russia and Ukraine and discovered that they are not protected against simple attacks.
  • In some cases, a simple call will be enough for an attacker to hack victims’ accounts. Do you want to know more? Just come and listen.
  • Some simple attacks are effective against IoT devices and devices for children.

How did you come up with it? Was there something like an initial spark that set your mind on creating this talk?

Usually you read about cutting-edge research and attacks (like attacks on modern networks, 5G and LTE), but it is necessary to realize that for most people this research is not very relevant (these attacks require special equipment and knowledge). Of course, these studies are extremely important, and the attacks they examine are dangerous. But I became interested in attacks that do not require special devices or special knowledge. And I realized that these attacks are also dangerous, and, what’s more, almost anyone can carry them out.

Why do you think this is an important topic?

Nowadays mobile operators are not protected enough, so even simple attacks are very effective. I want to draw the attention of the community and mobile operators to this problem to improve the situation.

Is there something you want everybody to know – some good advice for our readers maybe?

If you are interested in the security of the mobile operator that you use, I would advise you to look for information about the available services. Mostly I will talk about the security of IVR systems, personal accounts, SMS and call forwarding.

A prediction for the future – what do you think will be the next innovations or future downfalls when it comes to your field of expertise / the topic of your talk in particular?

I think that in the future hackers will still attack mobile operators and customers. Different services, like email, messengers and social networks, become more and more secure, but mobile operators are not so well protected. Usually it is easier to hack an operator and use an intercepted code to restore an e-mail account than to directly hack the e-mail account.

Aleksandr Kolchanov is an independent security researcher and consultant and a former penetration tester at a bank in Russia. He takes part in different bug bounty programs – PayPal, Facebook, Yahoo, Coinbase, Protonmail, Telegram, etc. – and holds first place in the Privatbank bug bounty program (one of the biggest banks in the Ukraine). Aleksandr also won the “Hack Internet-Bank” competition of PromSvazBank, Russia. He’s interested in uncommon security issues, telecom problems, airline security and social engineering.

(Almost) (Pretty) Final ROOTS 2018 Schedule (last beta version) published!

Science First! rat. © 2017 Florian Stocker

We have rearranged the ROOTS 2018 schedule into its final form. You may have noticed that it is more condensed. We thought it would be easier to connect, to discuss, and to exchange ideas without the stretch over two days. Furthermore, it is easier to have sessions with a specific focus when there is more unallocated time to use. ROOTS 2018 will get its own keynote presentation, too. We are currently sorting out the details.

You may wonder why there are so many empty slots. The reason is simple. ROOTS is an academic workshop. All presentations must be submitted in a formally correct form. Then they are reviewed by the programme committee. The submitted content is graded according to the scientific methods used, the research topic, the evaluation of the results, the conclusion, and so on. After that the members of the committee vote. All submissions which receive a sufficient number of “accepted” votes get, well, accepted. If the submitted research does not get enough supporters among the reviewers, it is declined. There were some pretty interesting submissions among the ones that didn’t make it. So to all of you out there working on really interesting stuff: Please, please do it properly! Life is too short for reading the documentation of sloppy work. Make sure that yours is good. If you have doubts or would like to get some feedback from the world of academic research, do not hesitate to reach out to us. The ROOTS chair is happy to point you in the right direction. Time constraints do not allow for mentorship, but you don’t get anywhere if you don’t ask questions.


DeepINTEL 2018 Talk: Framing HUMINT as an information gathering technique – Ulrike Hugl

NATO defines human intelligence (HUMINT, pronounced “hyoo-mint”) as “a category of intelligence derived from information collected and provided by human sources” (NATO Glossary of terms and definitions, APP-6, 2004). It focuses on different kinds of information, for example data on things related to a human, information about a human’s specific knowledge of a situation, and other issues.

HUMINT is differentiated into several categories, such as clandestine and overt collection.
It is also one of several traditional intelligence collection disciplines, the so-called INTs; examples are SIGINT (signals intelligence), OSINT (open source intelligence), MASINT (measurement and signature intelligence), GEOINT (geospatial intelligence), TECHINT (technical intelligence), SOCMINT (social media intelligence), FININT (financial intelligence, gathered from the analysis of monetary transactions), as well as CYBINT/DNINT (cyber intelligence/digital network intelligence, gathered from cyberspace).

Intelligence services deal with the collection and analysis of traces left everywhere by relevant target groups. For this purpose, HUMINT generally focuses on the gathering of political or military intelligence through secret agents (operations officers), whereby intelligence can be defined as the analysis of reliable and accurate information in the context of military, government and business affairs. As one of the basic HUMINT operations, human source screening is the starting point: it involves the selection of persons who may be sources of meaningful HUMINT (e.g. based on their potential level of cooperation and knowledgeability). Screening is followed by the positive identification of the selected targets (e.g. by biometric data such as fingerprints, iris scans, etc.), and by conducting interviews of diverse types (from pure information seeking to other forms of dialogue). Interviews are an intimate act and often have the dynamics of a psychotherapeutic relationship (the concept of transference and countertransference); insights from argumentation theory are used as well. Either way, different types of human targets will share information involuntarily or voluntarily. An interrogator builds up a relationship with the target person. Such a relationship can be based on fear, trust, friendship, or other emotions; hence, the principles and methods of questioning will vary.

Besides the aspects of HUMINT already mentioned, this presentation will address the Scharff technique as a non-coercive and non-invasive interview approach based on the establishment of an interpersonal connection with the target. Finally, the talk will highlight some snapshots regarding the relevance of HUMINT in the business context.

Professor Ulrike Hugl is a senior scientist and lecturer at the University of Innsbruck (School of Management), Department of Accounting, Auditing and Taxation. She is a member of various scientific committees of international conferences and a reviewer for several journals. Her research mainly focuses on new technologies with an impact on the information security and data protection of organizations, as well as on occupational/corporate crime (especially insider threats) and industrial espionage.
