1802, 2016

DeepSec Video: Not so Smart – On Smart TV Apps

René Pfeiffer/ February 18, 2016/ Conference, Security

„Smart“ follows the footsteps of „cyber“. Everything is smart nowadays. The problem is that using smart in this context just means a combination of „Turing complete“ and „connected to the Internet“. That’s it. This is a pretty low barrier for calling something „smart“. t DeepSec 2015 Markus Niemietz held a presentation about the state of affairs concerning SmartTVs where security is concerned: One of the main characteristics of Smart TVs are apps. Apps extend the Smart TVs menu with various functionalities, ranging from usage of social networks or payed streaming services, to buying articles on Ebay. These actions demand usage of critical data like authentication tokens and passwords, and thus raise the question of new attack scenarios and the general security of Smart TV apps. We investigate attack models for Smart TVs and their

1702, 2016

DeepSec Video: Extending a Legacy Platform Providing a Minimalistic, Secure Single-Sign-On-Library

René Pfeiffer/ February 17, 2016/ Conference, Stories

Even if you are not running a mainframe you probably have some old applications which you still need and whose code you cannot lift into the present (technology-wise). This is something you need to address. Despite decades of security research and authentication standards there’s still a vast amount of systems with custom solutions and embedded user databases. Such systems are typically hard to securely integrate with others. We analysed an existing system of an organisation with approximately 12.000 sensitive user data sets and uncovered severe vulnerabilities in their approach. We developed a minimal, secure Single-Sign-On-Solution and demonstrated the feasibility of implementing both a minimal Identity Provider and a minimal Service Provider with only a few lines of code. We provided a simple blueprint for an Identity Provider and an easy to use Service Provider

1602, 2016

DeepSec Video: Legal Responses Against Cyber Incidents

René Pfeiffer/ February 16, 2016/ Conference, Legal

Despite current efforts to adapt existing legal instruments to regulate hostile activities in cyber space, there is uncertainty about the legal situation of actors affected by these actions. Part of this uncertainty is due to the fact that the cyber domain is technically complex; there is a strong need for collaboration between technical and legal subject matter experts, collaboration which is difficult to achieve. This talk summarizes the current legal status of Cyber Attacks. It defines a taxonomy of possible cyber-incidents, and analyses the predictable consequences of each type of cyber-incident with the purpose of mapping cyber-incidents to different legal frameworks. Oscar Serrano held a presentation at DeepSec 2015 about legal issues with digital attacks.

1502, 2016

Go dark with us! Submit a presentation to DeepINTEL 2016!

René Pfeiffer/ February 15, 2016/ Call for Papers, Conference, Security Intelligence

Information security without intelligence is less than half the fun. That’s why we organise the DeepINTEL 2016 conference. The focus is entirely on the intelligence side of security. Given the events in the recent months it’s about time that you get your focus right and turn your radar on. Flying blind will get you into trouble. The DeepINTEL is a single track / two day event that addresses mainly critical infrastructure, state organizations (administrative and law enforcement), accredited CERTs, finance organizations and trusted parties and organizations with a strong relation or partnership to the aforementioned. Due to the sensitive topics and the nature of the participants and speakers we will have a vetting process for participants. We’d like to know our audience, so that we all can talk freely and openly during the event.

1502, 2016

DeepSec Video: illusoryTLS – Nobody But Us. Impersonate,Tamper and Exploit

René Pfeiffer/ February 15, 2016/ Conference, Internet, Security

Cryptographic backdoors are a timely topic often debated as a government matter to legislate on. At the same time, they define a space that some entities might have practically explored for intelligence purposes, regardless of the policy framework. The Web Public Key Infrastructure (PKI) we daily rely on provides an appealing target for attack. The entire X.509 PKI security architecture falls apart if a single CA certificate with a secretly embedded backdoor enters the certificate store of trusting parties. Do we have sufficient assurance that this has not happened already? Alfonso De Gregorio presented at DeepSec 2015 his findings and introduced illusoryTLS. Aptly named illusoryTLS, the entry is an instance of the Young and Yung elliptic curve asymmetric backdoor in the RSA key generation. The backdoor targets a Certification Authority public-key certificate, imported in

1302, 2016

DeepSec Video: Measuring the TOR Network

René Pfeiffer/ February 13, 2016/ Conference, Internet, Security

A lot of people use TOR for protecting themselves and others. Fortunately the TOR network is almost all around us. But what does it do? How can you get access to metrics? TOR is an anonymisation network and by design doesn’t know anything about its users. However, the question about the structure of the user base often arises. Some people are just interested in the size of the network while others want details about the diversity of its users and relays. Furthermore, TOR is used as a circumvention tool. It is interesting to automatically detect censorship events and to see how the number of users changes in those countries. TOR’s measurement team tries to give answer to those (and more) questions. At DeepSec 2015 Jens Kubieziel explained the collection of different data and how

1202, 2016

DeepSec Video: Cryptographic Enforcement of Segregation of Duty within Work-Flows

René Pfeiffer/ February 12, 2016/ Conference, Security

Calling for encryption and implementing it may be easy at a first glance. The problem starts when you have to grant access to data including a segregation of duty. Workflows with Segregation-of-Duty requirements or involving multiple parties with non-aligned interests (typically mutually distrustful) pose interesting challenges in often neglected security dimensions. Cryptographic approaches are presented to technically enforce strict auditability, traceability and multi-party-authorized access control and thus, also enable exoneration from allegations. At DeepSec 2015 Thomas Maus held a presentation explaining the problems and possible solutions.

1102, 2016

DeepSec Video: Agile Security – The Good, The Bad, and mostly the Ugly

René Pfeiffer/ February 11, 2016/ Conference, Security

How do you manage your technical and operational security? Do you follow a model? If so, what’s the flavour? Do you borrow concepts from software development? In case you do or you plan to do, then Daniel Liber might have some ideas for you. At DeepSec 2015 he held a presentation about Agile and a possible relation to information security. Buzzwords about Agile are flying around in overwhelming speed, talks about Scrum, Kanban, XP and other methodologies and practices are thoroughly discussed while security is still left as a ‘high level’ talk, or, sometimes, as understanding how to adapt from traditional development methodologies. Some best practices will leave you scratching your head, unsure what was the original intention and without understanding how to implement security in Agile, effectively. This talk will help security engineers,

1002, 2016

DeepSec Video: How to Break XML Encryption – Automatically

René Pfeiffer/ February 10, 2016/ Conference, Security

XML is often the way to go when exchanging information between (business) entities. Since it is older than the widespread adoption of SSL/TLS, there is a special standard called XML Encryption Syntax and Processing. You can use XML encryption to encrypt any kind of data. So far, so good. But In recent years, XML Encryption became a target of several new attacks. These attacks belong to the family of adaptive chosen-ciphertext attacks, and allow an adversary to decrypt symmetric and asymmetric XML ciphertexts, without knowing the secret keys. In order to protect XML Encryption implementations, the World Wide Web Consortium (W3C) published an updated version of the standard. Juraj Somorovsky (Ruhr University Bochum) held a presentation at DeepSec 2015 explaining what these attacks look like. .

0902, 2016

DeepSec Video: Hacking Cookies in Modern Web Applications and Browsers

René Pfeiffer/ February 9, 2016/ Conference, Internet, Security

Cookies are solid gold when it comes to security. Once you have logged in, your session is the ticket to enter any web application. This is why most web sites use HTTPS these days. The problem is that your browser and the web applications needs to store these bits of information. Enter cookie hacking. A lot has changed since 1994, and Dawid Czagan of Silesia Security Lab held presentation at DeepSec 2015 about what you can and cannot do with cookies in modern web applications and browsers. Learn about user impersonation, remote cookie tampering, XSS and more. .

0602, 2016

DeepSec Video: File Format Fuzzing in Android – Giving a Stagefright to the Android Installer

René Pfeiffer/ February 6, 2016/ Conference, Security

The Stagefright exploit haunts the Android platform. The vulnerability was published in Summer 2015. It gives attackers a way to infect Android smartphones by using multimedia files such as pictures, text, and videos. This is a perfect vector since most people will look at media instantly. Dr. Aleksandr Yampolskiy gave a presentation at DeepSec 2010 about malicious software hidden in multimedia (the talk was aptly titled Malware goes to the Movies). So what if there are more bugs like this in the Android platform? Enter fuzzing technology. Alexandru Blanda spoke at DeepSec2015 about fuzzing on the Android platform. This approach can be used to uncover different types of vulnerabilities inside multiple core system components of the Android OS. Since these vulnerabilities affect critical components of the Android system, the impact of the results will

0502, 2016

DeepSec 2015 in Pictures: Very photograph. Many pixel. Wow.

Sanna/ February 5, 2016/ Administrivia, Conference, Pictures

„Documentation, or it did not happen!“ This is probably the unofficial motto of information technologists (and security/audit people around the globe). For your convenience we put some images from DeepSec 2015 online. Have a look! https://www.flickr.com/photos/deepsec/sets/72157661411334744 Thanks to Joanna Pianka for the great pictures!

0502, 2016

DeepSec Video: Cryptography Tools, Identity Vectors for “Djihadists”

René Pfeiffer/ February 5, 2016/ Conference, Discussion, High Entropy, Internet

Wherever and whenever terrorism, „cyber“, and cryptography (i.e. mathematics) meet, then there is a lot of confusion. The Crypto Wars 2.0 are raging as you read this article. Cryptography is usually the perfect scapegoat for a failure in intelligence. What about the facts? At DeepSec 2015 Julie Gommes talked about results of the studies done by the Middle East Media Research Institute (MEMRI). The Internet is the method of choice for communication: the number of sites calling for a “jihad” rose from 28 in 1997 to over 5,000 in 2005. The basic use of these sites for the purpose of basic classical communication began in the 2000s. It was replaced by that of social networks, allowing almost instant mass communication. Julie’s talk give you an overview about the tools used according to the study.

0402, 2016

DeepSec Video: Chw00t: How To Break Out from Various Chroot Solutions

René Pfeiffer/ February 4, 2016/ Conference, Security

Information security borrows a lot of tools from the analogue world. Keys, locks, bars, doors, walls, or simply jails (to use a combination). Most operating systems support isolation of applications in various levels. You may call it change root (or chroot) or even jails environment. The containment is not perfect, but it helps to separate applications and to have a better control of the access to resources. Breaking out of chroots is possible, and there are various ways to do this. So preparing a tight configuration is the key. At DeepSec 2015 Balazs Bucsay held a presentation about how to create a reasonably “secure” chroot environment or how to breakout from a misconfigured one. If you a considering to use chroots/jails as a way to build compartments, make sure you know what you are

0302, 2016

DeepSec Video: Building a Better Honeypot Network

René Pfeiffer/ February 3, 2016/ Conference, Security

„It’s a trap!“ is a well-known quote from a very well-known piece of science fiction. In information security you can use bait to attract malicious minds. The bait is called honeypot or honeynet (if you have a lot of honeypots tied together with network protocols). A honeypot allows you to study what your adversaries do with an exposed system. The idea has been around for over a decade. There’s even a guide on how to start. Josh Pyorre has some ideas how you can extend your basic honeypot in order to boost the knowledge gain. At DeepSec 2015 he showed the audience how to process attack-related data, to automate analysis and create actionable intelligence. Why else would you run a honeypot? So go forth and multiply the output of your honeynet!

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this: