DeepSec Video: A Case Study on the Security of Application Whitelisting

René Pfeiffer/ January 21, 2016/ Conference, Discussion, Security

Application whitelisting is a method where you create a baseline selection of software on a system. You then freeze the state, and after this point any code that is not part of your original „white list“ is considered dangerous and blocked from execution. In theory this should prevent the execution of malware and therefore protect against the pesky advanced persistent threat (APT) attacks everyone is talking about. What does this mean for your daily business? René Freingruber of SEC Consult talked about a case study at DeepSec 2015. This should save you some time and pain. Theory does not always hold up when deployed in the field. René’s presentation even contains vendor names, so you can talk to the sales executive of your favourite brand of security products. This presentation is also a prime example

DeepSec Video: A Death in Athens – The inherent Vulnerability of “Lawful Intercept” Programs

René Pfeiffer/ January 20, 2016/ Conference, Discussion

In politics it is en vogue to create new words by connecting them. The words „cyber“ and „lawful“ come to mind. You can add „crime“ and „intercept(ion)“, and then you got something. Actually you can combine both of the latter words with the first two. Either combination makes sense if you take a look at the Athens Affair. More than ten years ago the lawful interception modules of Vodafone Greece were used to eavesdrop on the Greek government. Kostas Tsalikidis (Κώστας Τσαλικίδης), Vodafone’s network planning manager, was found dead in his apartment. At DeepSec 2015 James Bamford talked about what the Athens Affair really was and shed light on the many uses of the lawful intercept systems which are mandatory for most telecommunications equipment. We don’t know how many Athens Affairs are still

DeepSec 2015 Videos are being published!

René Pfeiffer/ January 20, 2016/ Administrivia, Conference

As you may have noticed, we have sorted out the problems with the DeepSec 2015 recordings. Handling heavy multimedia files isn’t for the faint of heart – especially if one forgets to turn off the Twitter notifications while uploading broken video files. We have fixed this. Apparently the new uploader code took us (and our browser settings) by surprise. Now everything is whitelisted sorted out. The show can go on! We will accompany most videos with a short blog posting to put the content into perspective. Due to many publications in December it’s good to connect the dots. The Big Picture beats Big Data every time.

Here be Dragons – SIGINT won’t go away in 2016 (or later)

René Pfeiffer/ January 20, 2016/ Conference

The new year is a couple of weeks old. Not much has changed from the perspective of information security. The word „cyber“ is still alive and kicking (just as the „cloud“ is, despite Safe Harbour not being safe any more). Crypto is being used as a scapegoat for major intelligence failures – again and again. Blaming mathematics is really easy, because few understand how cryptography protects the infrastructures all around us. Big Data and collecting intel is still going strong. In fact Signals Intelligence (SIGINT) is now part of our society; some say it’s even a part of our culture. Want to know what SIGINT on a big scale looks like? Well, Duncan Campbell explained the SIGINT monster in depth at the DeepSec conference in 2015. Have a look at the video recording. 2016 promises

National-Security-in-the-Middle Attack – the Crypto Wars continue

René Pfeiffer/ December 3, 2015/ High Entropy, Internet, Odd

National security has officially reached the SSL/TLS infrastructure – at least in Kazakhstan. The Google cache features an article published by the Kazakhtelecom JSC where the introduction of a so-called national security certificate for Internet users was proudly announced. We show you some parts of the original text for educational purposes, because we have never seen the announcement of a backdoor to communication channels in this glorious manner. From 1 January 2016 pursuant to the Law of the Republic of Kazakhstan «On communication» Committee on Communication, Informatization and Information, Ministry for investments and development of the Republic of Kazakhstan introduces the national security certificate for Internet users. According to the Law telecom operators are obliged to perform traffic pass with using protocols, that support coding using security certificate, except traffic, coded by means of cryptographic information protection

Thanks for attending DeepSec 2015!

René Pfeiffer/ November 20, 2015/ Conference, Misc

DeepSec 2015 is over. We had a fantastic time, great presentations, lots of conversations about the state of information security, and many other issues. You can do a lot more when you are not lost in a big crowd, not being able to connect to speakers, sponsors, and fellow IT security enthusiasts. A big thank you to all our speakers, attendees, trainers, supporters, staff, sponsors, partners, and the IT security community! See all of you in 2016!

Terrorism – No Time for Backdoors

René Pfeiffer/ November 18, 2015/ Communication, Discussion, High Entropy, Security

Every successful project needs proper planning and good project management. You know this from your business life, probably. Projects can’t be done without tools for communication. We all use these day by day. Email, telephone, collaboration platforms, social media, instant messengers, and more software is readily available. Access to communication tools has spread. Exchanging messages has also evolved a lot since the 1990s. Given the diversity of the Internet, messages are now encrypted (hopefully). It is a very basic defence that keeps any third party, or Eve, from eavesdropping on the conversation. Especially when you do business and talk money, encryption is your closest friend. Why else would you meet indoors and control the access of persons to your office space? Why not discuss business internals while riding public transport? Some

Thanks to SEC Consult for sponsoring DeepSec 2015!

René Pfeiffer/ November 9, 2015/ Conference

The Austrian SEC Consult is an international leader in application security services and information security consultancy. SEC Consult’s competence in improving the application security of enterprise applications supports major international banks, government organizations and global software vendors. When it comes to information security, it doesn’t get any more in-depth than that. SEC Consult has supported DeepSec ever since the first conference in 2007. We are very grateful for their contribution, and we appreciate their serious attitude when it comes to finding vulnerabilities or educating IT staff on how to avoid making mistakes. SEC Consult staff will be at the conference. Make sure to drop by their booth and have a chat with them. They don’t avoid questions, and they always listen when you speak your mind. Don’t miss this opportunity!

Endangered Species: Full Disclosure in Information Security

Sanna/ November 6, 2015/ Discussion, High Entropy, Legal, Security

History, fictive or real, is full of situations where doubts meet claims. Nearly every invention, every product will be eyed critically, analysed, and tested. There are even whole magazines fully dedicated to this sport, be it, for example, consumer protection, reviews of computer games or the car of the year. When it comes to testing, the sector of information security is particularly sensitive. Depending on the hard- or software concerned, testing is not only about comfort or in search of a particularly good storyline, but about incidents, which can cause real damage in the real world. How should one deal with the knowledge of a design flaw affecting the security of a system? Locks In 1851 the American locksmith Alfred Charles Hobbs visited the Great Exhibition in London. He was the first to pick

Debugging Information Security: Self Defence for Entrepreneurs

Sanna/ November 5, 2015/ Conference, High Entropy, Internet, Security, Security Intelligence

In our economy data leaks are a constant companion. That’s the impression one gets when reading the news. Customer portals, online shops, digital communications, plans of products, personnel data, and more can be found in department stores throughout the shadow economy. Blind faith in global networks has indeed suffered in recent years, but companies and individuals still have a partially carefree attitude when it comes to the imminent risk their data is exposed to. “Who cares about our data?”, is often said. This year’s DeepSec IT Security Conference has some very specific answers to this question. Duncan Campbell and James Bamford open IT Security Conference in Vienna Duncan Campbell is a freelance British journalist, author, and television producer. Since 1975 he has specialized in intelligence and security services, defence, policing and civil liberty rights.

DeepSec 2015 Talk: Bridging the Air-Gap: Data Exfiltration from Air-Gap Networks – Mordechai Guri & Yisroel Mirsky

Sanna/ November 4, 2015/ Conference, Internet, Security

Air does not conduct electricity, usually. Using air gaps between parts transporting electric power at high voltages is a standard method in electrical engineering. Similar strategies are used in information security. Compartmentalisation can be done by network components, logical/physical separation, solid walls, and space filled with air. The only threats you have to worry about are wireless transmissions. Since mobile phone networks permeate our private and business life, access to wireless networks is everywhere. Unless you live in a cave, literally. Mordechai Guri and Yisroel Mirsky have found a way to use cellular frequencies as a carrier in order to transport data out of an air-gapped environment. They will present their results at DeepSec 2015. Air-gapped networks are isolated, separated both logically and physically from public networks. Although the feasibility of invading such systems

MJS Article: The Compromised Devices of the Carna Botnet by Parth Shukla

René Pfeiffer/ October 29, 2015/ Internet, Report, Security

Last year we talked about publishing the proceedings of past DeepSec conferences with a collection of articles covering presentations held in Vienna. We would like to introduce Parth Shukla, who presented a report of the devices compromised by the Carna Botnet. This article will showcase the latest analysis and the progress of industry collaboration on the problem of Internet-facing devices that have default credential logins through telnet. The Carna Botnet, which was used to perform the first-ever map of the Internet – Internet Census 2012 – highlighted a major information security concern with devices that allow default credential login from the Internet by default. For more information on the Internet Census 2012, please refer to the anonymous researcher’s paper. A complete list of compromised devices that formed part of the Carna Botnet was obtained

Special Screening of the Documentary “A Good American” during DeepSec 2015

René Pfeiffer/ October 28, 2015/ Conference, Discussion, High Entropy, Security Intelligence

Attendees of DeepSec 2015 will receive a special treat. We have been talking to Friedrich Moser, and he has agreed to show his documentary „A Good American“ on 20 November 2015 exclusively. The private screening will take place in Vienna. It starts at 2100 at the Burg Kino, known for showing „The Third Man“. „A Good American“ explains how to do threat intelligence in a more efficient way, according to the creator of ThinThread: „A codebreaker genius, a revolutionary surveillance program and corruption across the board of NSA. Against this backdrop unfolds the feature documentary A GOOD AMERICAN. The film tells the story of Bill Binney and his program ThinThread and how this perfect alternative to mass surveillance got ditched by NSA for money.“ After the film Friedrich Moser, Duncan Campbell, James Bamford, and

DeepSec 2015 Keynote: Can Societies manage the SIGINT Monster?

René Pfeiffer/ October 27, 2015/ Conference, Discussion

Gathering data has become very important in the past years. Everyone is talking about intelligence of all shades, few know what it actually means and how you do it properly (we got a workshop for that, if you are interested). Information security needs to anticipate threats and adapt the defences accordingly. The same is true for other areas where security plays an important role, such as national defence. There are also new threats. Surveillance systems expand steadily, and the facts about them were published after 2013. The impact affects all of us, especially companies moving data around and communicating digitally. Although it is difficult to gauge what it means for your daily business, you should not close your eyes and assume that it is somebody else’s problem. We have asked Duncan Campbell to paint

Thanks to University of Applied Sciences Upper Austria for sponsoring DeepSec 2015!

René Pfeiffer/ October 23, 2015/ Conference

Since information security experts don’t grow on trees, we maintain close relationships with academic partners. The science in computer science has to come from somewhere. So we are very happy to welcome the University of Applied Sciences Upper Austria among the supporters of DeepSec 2015. The University of Applied Sciences Upper Austria is a national leader in its field. They offer internationally recognised, practice-oriented degree programmes at four locations in the heart of Upper Austria. As part of their commitment to developing international links, they maintain contacts with some 200 partner universities around the world. How’s that for an open mind? One of their major focuses is the national economy, and their research and development centres are continually developing cutting-edge products for a wide range of practical applications. This solid combination of theory and
