2601, 2017

The Sound of „Cyber“ of Zero Days in the Wild – don’t forget the Facts

René Pfeiffer/ January 26, 2017/ Discussion, High Entropy

The information security world is full of buzzwords. This fact is partly due to the relationship with information technology. No trend goes without the right amount of acronyms and leetspeaktechnobabble. For many decades this was not a problem. A while ago the Internet entered mainstream. Everyone is online. The digital world is highly connected. Terms such as cyber, exploit, (D)DoS, or encryption are used freely in news items. Unfortunately they get mixed up with words from earlier decades leading to cyber war(fare), crypto ransom(ware), dual use, or digital assets. Some phrases are here to stay. So let’s talk about the infamous cyber again. In case you have not seen Zero Days by Alex Gibney, then go and watch it. It is a comprehensive documentary about the Stuxnet malware and elements of modern warfare (i.e.

Read More

2101, 2017

Putting the Context into the Crypto of Secure Messengers

René Pfeiffer/ January 21, 2017/ Communication, Discussion, Internet

Every once in a while the world of encrypted/secure/authenticated messaging hits the wall of usability. In the case for email Pretty Good Privacy (PGP) is an ancient piece of software. These days we have modern tools such as GnuPG, but the concept of creating keys, verifying identities (i.e. determining who is to trust), synchronising trust/keys with communication partners, and handling the software in case something goes wrong is quite a challenge. Plus things might change. People revoke their keys, devices get lost, data gets deleted, people create new keys or even (digital) identities, or do lots of things that is either anticipated by the software developers or not. Communication is not static. There are moving parts involved, especially the communication partners might move a lot. So crypto is hard, we know this. Discussing secure

Read More

2001, 2017

DeepSec Administrivia for 2017, the Year of the Cyber

René Pfeiffer/ January 20, 2017/ Administrivia, Conference

2017 is in full swing, and it didn’t wait long. December was full of „hacking“ news. It seems digital war(e)fare knows no break. We will address some of the issues in a series of blog articles. Also we have uploaded the DeepSec 2016 videos to Vimeo. Attendees and speaker will get access before we publish the videos for everyone. This is our review in case someone doesn’t like a video or needs to adapt the description. The date for DeepSec will be published soon, along with the date. We look to the fourth quarter of the year, as usual. The Call for Papers will be online in February. If you got some ideas, write them to us. We have plenty of topics to address. The most pressing problem was raised at the 33C3. Go

Read More

3011, 2016

Scanning for TR-069 is neither Cyber nor War

René Pfeiffer/ November 30, 2016/ Discussion, High Entropy, Internet

The Deutsche Telekom was in the news. The reason was a major malfunction of routers at the end of the last mile. Or something like that. As always theories and wild assumptions are the first wave. Apparently a modified Mirai botnet tried to gain access to routers in order to install malicious software. The attacks lasted from Sunday to Monday and affected over 900,000 customers. These routers often are the first point of contact when it comes to a leased line. Firewalls and other security equipment usually comes after the first contact with the router. There are even management ports available, provided the ISP has no filters in place. The TR-069 (Technical Report 069) specification is one management interface, and it has its security risks. Now that the dust has settled the Deutsche Telekom

Read More

1711, 2016

Disclosures, Jenkins, Conferences, and the Joys of 0Days

René Pfeiffer/ November 17, 2016/ Conference, Discussion, High Entropy

DeepSec 2016 was great. We have slightly recovered and deal with the aftermath in terms of administrivia. As announced on Twitter, we would like to publish a few thoughts on the remote code execution issue found by Matthias Kaiser. He mentioned the possibility in this presentation titled Java Deserialization Vulnerabilities – The Forgotten Bug Class. First let’s explain some things about how DeepSec runs the Call for Papers, the submissions, and the conference. During the Call for Papers process our speakers send us title, abstract, and mostly an in-depth description of the presentation’s content. This means that we usually know what’s going to happen, except for the things that are actually said and shown during the presentation slot. Since we do not offer any live video streams and publish all presentation slides after we

Read More

1011, 2016

DeepSec 2016 – expect 48 Hours of Failures and Fixes in Information Security

René Pfeiffer/ November 10, 2016/ Conference, Discussion

The conference part of DeepSec 2016 has officially started. During the workshops we already discussed a lot of challenges (to phrase it lightly) for infrastructure and all kinds of software alike. The Internet of Things (IoT) has only delivered major flaws and gigantic Distributed Denial of Service attacks so far. There is even a worm for LEDs these days. And we haven started the conference preparations yet. So we have plenty of reasons to talk about what went wrong, what will go wrong, and what we can do about it. The world of information security is not always about good news. Something has to break, before it can be repaired – usually. Systems administrators know this, for some it’s their daily routine. Nevertheless we hope everyone at DeepSec gets some new insights, fresh ideas,

Read More

0911, 2016

Screening of “A Good American” in Vienna with Bill Binney

René Pfeiffer/ November 9, 2016/ Discussion, High Entropy, Security Intelligence

There will be a screening of the documentary A Good American in Vienna tomorrow. We highly recommend watching this film, even if you are not directly connected to information security. Threat intelligence has far-reaching consequences, and in the case of the world’s biggest intelligence agency it also affects you. A Good American will be shown at 1000, Village Cinema Wien Mitte, and at 1600, Audimax of the Technische Universität Wien (you need to send an email with a RSVP to attend). All of this takes place in the course of a lecture about the topic. Markus Huber and Martin Schmiedecker have kindly organised everything. Bill Binney will be present, too. So you can directly talk to him and ask him questions. We highly recommend not to miss this opportunity.

0911, 2016

DeepSec 2016 Talk: Obfuscated Financial Fraud Android Malware: Detection And Behavior Tracking – Inseung Yang

Sanna/ November 9, 2016/ Conference, Development, Internet, Report, Security

In Korea in particular, hackers have distributed sophisticated and complex financial fraud android malware through various means of distribution, such as SMS phishing, Google play, compromised web servers and home routers (IoT). In some cases, both smartphone and PC users are targeted simultaneously. Inseung Yang and his team collect mobile android malware via an automated analysis system, detect obfuscations and malicious packer apps. In his presentation Inseung Yang will describe trends of malicious android apps and obfuscated mobile malware in Korea. He’ll explain the policy methods for Korean mobile banking and the attack methods used by hackers, f.ex. the stealing of certifications, fake banking apps that require the  security numbers issued to users when they open their accounts, Automatic Response Service(ARS) phishing attacks in conjunction with Call Forwarding, and the requesting of the One Time Password(OTP) number. But

Read More

0811, 2016

DeepSec 2016 Keynote: Security in my Rear-View Mirror – Marcus J. Ranum

Sanna/ November 8, 2016/ Conference, Discussion, Security, Stories

Everything that’s old is new again, and if you work in security long enough, you’ll see the same ideas re-invented and marketed as the new new thing. Or, you see solutions in search of a problem, dusted off and re-marketed in a new niche. At this year’s DeepSec conference the keynote will be given by Marcus Ranum, who set up the first email server for whitehouse.gov. He will reflect upon over 30 years of IT security and make a few wild guesses for where this all may wind up. Spoiler alert: Security will not be a “solved” problem. Marcus answered a few questions beforehand: Please tell us the Top 5 facts about your talk. I’ll be talking about how the security market evolves from here. I’ll be talking about the relationship between security and management It’s going to be depressing. I have

Read More

0811, 2016

DeepSec 2016 Talk: Systematic Fuzzing and Testing of TLS Libraries – Juraj Somorovsky

Sanna/ November 8, 2016/ Conference, Development, Security

In his talk Juraj Somorovsky presents TLS-Attacker, a novel framework for evaluating the security of TLS libraries. Using a simple interface, TLS-Attacker allows security engineers to create custom TLS message flows and arbitrarily modify TLS message contents in order to test the behavior of their TLS libraries. Based on TLS-Attacker, he and his team first developed a two-stage TLS fuzzing approach. This approach automatically searches for cryptographic failures and boundary violation vulnerabilities. It allowed him to find unusual padding oracle vulnerabilities and overflows/overreads in widely used TLS libraries, including OpenSSL, Botan, and MatrixSSL. Juraj’s findings encouraged the use of comprehensive test suites for the evaluation of TLS libraries, including positive as well as negative tests. He and his team used TLS-Attacker to create such a test suite framework, which finds further problems in TLS libraries. TLS-Attacker is an open source tool, and is currently being deployed for internal

Read More

0411, 2016

DeepSec2016 Talk: Smart Sheriff, Dumb Idea: The Wild West of Government Assisted Parenting – Abraham Aranguren & Fabian Fäßler

Sanna/ November 4, 2016/ Conference, Legal, Security, Stories

Would you want to let your kids discover the darker corners of the Internet without protection? Wouldn’t it be handy to know what they do online, to be alerted when they search for dangerous keywords and to be able to control what websites they can visit and even when they play games? Worry no longer, the South Korean government got you covered. Simply install the “Smart Sheriff” app on your and your kids’ phones. Smart Sheriff is the first parental-control mobile app that has been made a legally required, obligatory install in an entire country! Yay, monitoring! Well, something shady yet mandatory like this cannot come about without an external pentest. And even better, one that wasn’t solicited by the maintainer but initiated by the OTF and CitizenLab and executed by the Cure53 team!

Read More

0311, 2016

DeepSec 2016: Social Engineering remains the most dangerous Threat to Companies – DeepSec offers a Workshop on the Defence of social Manipulation as part of IT

Sanna/ November 3, 2016/ Conference, Press, Schedule, Training

If you follow the news on information security, you see superlative after superlative. Millions of passwords were stolen. Hundreds of thousands of cameras suddenly became tools for blackmail. Countless data got copied unauthorized. Often, after a few paragraphs, your read about technical solutions that should put a stop to these burglaries. Therefore one forgets that nowadays hermetically locked doors can be easily opened just by a telephone call or an e-mail message. According to a publication of the British Federation of Small Businesses, almost 50% of attacks are social engineering attacks, which means attacks through social manipulation.Thus, investments in technical defense measures remain completely ineffective. Mere security awareness does not help anymore In the past approaches to defend against attacks on the weak spot human being have focused on awareness trainings. But in our

Read More

0311, 2016

IT-SeCX 2016: Talk about Relationship between Software Development and IT Security

René Pfeiffer/ November 3, 2016/ Discussion, Veranstaltung

The IT-SeCX 2016 event takes place on 4 November at the St. Pölten University of Applied Sciences LLC. It’s a night of security talks, held by various speakers from the industry, academic world, and other institutions. We will give a presentation exploring the relationship between the fine art of software development and the dark art of information security. We all know about bugs, glitches, error conditions, and flat failures of software design. There are links between the development cycle and the work of information security experts (or sysadmins who always have to deal with things that break). If you deal with any of these professions mentioned, you should drop by and attend the talk. IT-Security Community Exchange 2016, 4 November 2016, at 1915 – Wechselwirkungen zwischen Softwareentwicklung und IT Security FH St. Pölten Matthias

Read More

0311, 2016

DeepSec2016 Talk: Of Mice and Keyboards: On the Security of Modern Wireless Desktop Sets – Gerhard Klostermeier

Sanna/ November 3, 2016/ Conference, Internet, Security

Wireless desktop sets have become more popular and more widespread in the last couple of years. From an attacker’s perspective, these radio-based devices represent an attractive target both allowing to take control of a computer system and to gain knowledge of sensitive data like passwords. Wireless transmissions offer attackers a big advantage: you don’t have to be around to attack something or someone. Plus the victims often don’t know what it happening. At DeepSec 2016 Gerhard Klostermeier will present the results of research on the matter of wireless mouse/keyboard attacks. Furthermore you he will demonstrate ways in which modern wireless desktop sets of several manufacturers can be attacked by practically exploiting different security vulnerabilities. We recommend this talk to anyone still using old-fashioned input devices for creating content. Gerhard is interested in all things

Read More