3007, 2015

Last Reminder – the DeepSec 2015 Call for Papers closes today!

René Pfeiffer/ July 30, 2015/ Call for Papers, Conference

Take advantage of our Call for Papers! We can’t believe that all the devices, networks, services, and shiny things around us are completely secure. Once it got Wi-Fi, a SIM card, memory, or a processor there is bound to be an accident. It’s not just hunting rifles, jeeps, currencies, experts, and airplanes that can be hacked. There is more. Tell us! Don’t let the IT crowd of today repeat the mistakes of our ancestors. Submit a two-day training and help to save some souls! We are especially interested in secure application development, intrusion detection/prevention, penetration testing, crypto & secure communication, mobiles devices, the Internet of Things, security intelligence, wireless hacking (Wi-Fi, mobile networks, …), forensics, and your workshop that really knocks the socks off our attendees! Drop your training submission into our CfP manager!

Read More

3007, 2015

New MJS Article: Why Anti-Virus Software Fails

René Pfeiffer/ July 30, 2015/ Security

What is your first impulse when you see a fence? Well, we can’t speak for you, but we like to look for weak spots, holes, and ways to climb it. The same is true for filters of all kinds. Let’s see what one can do to bypass them. Anti-virus software is a good example. At DeepSec 2014 Daniel Sauder explained how malware filters/detectors fail. Daniel was kind to provide an article for the special edition „In Depth Security – Proceedings of the DeepSec Conferences“: „Based on my work about antivirus evasion techniques, I started using antivirus evasion techniques for testing the effectivity of antivirus engines. I researched the internal  functionality of antivirus products, especially the implementation of heuristics by sandboxing and emulation and succeeded in evasion of these. A result of my research are

Read More

2707, 2015

Security of Things – Dead Horses just get beaten with the Internet

René Pfeiffer/ July 27, 2015/ High Entropy, Internet, Security

What do NoSQL databases and cars have in common? You can find and freely access them by using the trusty Internet. Wired magazine has published a story about a remotely controlled Jeep Cherokee. Charlie Miller and Chris Valasek have found a way to use the properties of UConnect™ combined with (design) flaws to take full control of the vehicle . The threat is real since the car was attacked remotely by using a network connection. UConnect™ was formerly known as MyGIG™, and systems are available since 2007. It’s basically your entertainment system on steroids with added telemetry, internal commands, and network capabilities. Hacking cars by attacking the entertainment system was already discussed at DeepSec 2011. This is the next level, because cars have now their own IP addresses (and no firewall apparently). NoSQL databases are very

Read More

2906, 2015

Software Security: The Lost Art of Refactoring

René Pfeiffer/ June 29, 2015/ Development, Discussion, Security

A sysadmin, a software developer, and an infosec researcher almost walked into a bar. Unfortunately they couldn’t agree where to go together. So they died of thirst. Sounds familiar? When it comes to information technology, there is one thing that binds us all together: software. This article was written and published by software. You can read it by using (different) software. This doesn’t automagically create stalwart bands of adventurers fighting dragons (i.e. code vulnerabilities) and doing good deeds (i.e. not selling 0days). However it is a common ground where one can meet. Since all software has bugs, and we all use software, there’s also a common cause. Unfortunately this is where things go wrong. Code has a life cycle. It usually starts out as a (reasonably) good idea. Without a Big Bang. Then the implementation

Read More

2706, 2015

I spy with my little Spy, something beginning with „Anti…“

René Pfeiffer/ June 27, 2015/ Discussion, High Entropy, Security

Anti-virus software developers made the news recently. The Intercept published an article describing details of what vendors were targeted and what information might be useful for attackers. Obtaining data, no matter how, has its place in the news since 2013 when the NSA documents went public. The current case is no surprise. This statement is not meant to downplay the severity of the issue. While technically there is no direct attack to speak of (yet), the news item shows how security measures will be reconnoitred by third parties. Why call it third parties? Because a lot of people dig into the operation of anti-virus protection software. The past two DeepSec conferences featured talks called „Why Antivirus Software fails“ and „Easy Ways To Bypass Anti-Virus Systems“. The Project Zero team at Google found a vulnerability in

Read More

2406, 2015

Crypto Article: „Cornerstones of German Encryption Policy“ from 1999 are still in place

Sanna/ June 24, 2015/ Discussion, Security

We have some more translated news for you. In theory it is an article about policies and the process of law-making. In practice it concerns the use of encryption and everyone relying on service providers (mostly connected to the Internet, i.e. „cloud providers“). No matter how cool your start-up is and what its products aim to replace, information security will probably need a backdoor-free and working encryption technology as a core component. This is exactly why you cannot stay focused on the technology alone. Threats may come in the guise of new laws or regulations (think Wassenaar Arrangement). Matthias Monroy has some information about the official stance of the German government regarding the currently raging „crypto wars“. Enjoy! Federal Ministry of the Interior: The “Cornerstones of German encryption policy“ from 1999 still remain Source: netzpolitik.org Author: Matthias

Read More

2106, 2015

Dual Use Equation: Knowledge + Vulnerability = “Cyber” Nuclear Missile

René Pfeiffer/ June 21, 2015/ Discussion, High Entropy, Legal, Odd

We all rely on software every  day, one way or another. The bytes that form the (computer) code all around us are here to stay. Mobile devices connected to networks and networked computing equipment in general is a major part of our lives now. Fortunately not all systems decide between life or death in case there is a failure. The ongoing discussion about „cyber war“, „cyber terrorism“, „cyber weapons of mass destruction“, and „cyber in general“ has reached critical levels – it has entered its way into politics. Recently the Wassenaar Arrangement proposed a regulation on the publication of exploited (previously unknown) vulnerabilities in software/hardware, the so-called „0days“. The US Department of Commerce proposed to apply export controls for 0days and malicious software. While the ban is  only intended for „intrusion software“, it may

Read More

1806, 2015

Surveillance Article: Listening Posts for Wireless Communication

René Pfeiffer/ June 18, 2015/ High Entropy

Modern ways of communication and methods to obtain the transported data have raised eyebrows and interest in the past years. Information security specialists are used to digitally dig into the networked world. Once you take a look at buildings, geographic topology, and photographs of structures your world view expands. Coupled with the knowledge of ham radio operators connecting the dots can give you some new information about structures hiding in plain sight. This is why we have translated an article by Erich Moechel, Austrian journalist who is writing blog articles for the FM4 radio station. Read  this article for yourself and keep our Call for Papers for DeepSec 2015 in mind. If you have ideas how to keep an eye on the environment surrounding your information technology infrastructure let us know. Companies should know

Read More

1706, 2015

New MJS Article: Trusting Your Cloud Provider – Protecting Private Virtual Machines

René Pfeiffer/ June 17, 2015/ Report, Security

Once you live in the Cloud, you shouldn’t spent your time daydreaming about information security. Don’t cloud the future of your data. The Magdeburger Journal zur Sicherheitsforschung published a new article by Armin Simma (who talked about this topic at DeepSec 2014). The Paper titled »Trusting Your Cloud Provider: Protecting Private Virtual Machines« discusses an integrated solution that allows cloud customers to increase their trust into the cloud provider including cloud insiders. This article proposes an integrated solution that allows cloud customers to increase their trust into the cloud provider including cloud insiders (e.g. administrators). It is based on Mandatory Access Control and Trusted Computing technologies, namely Measured Boot, Attestation and Sealing. It gives customers strong guarantees about the provider’s host system and binds encrypted virtual machines to the previously attested host. This article

Read More

1606, 2015

DeepSec Ticket Registration: Early Worm gets to 0wn the Network

René Pfeiffer/ June 16, 2015/ Administrivia, Conference

Did you feed the cat? Did you lock the door? Did you switch off the Internet while on vacation? Did you wrap your wallet in tin foil? Did you buy this ticket to this conference you want to attend in November? How was it called? We have a foolproof way to get over this constant feeling that you forgot something. Go to our registration web site, book a ticket to DeepSec 2015, print it out, and write all the important things you have to remember on the back! Your laundry list of All Teh Important Things™ will last until November 2015. After that you will come up with a new way to help you. Looking forward to see you!

1606, 2015

Crypto Article: EU Economy needs secure Encryption

René Pfeiffer/ June 16, 2015/ Discussion, Security

Given the ongoing demonisation of cryptography we have translated an article for you, written by Erich Moechel, an ORF journalist. The use of encryption stays an important component for information security, regardless which version of the Crypto Wars is currently running. While most of the voices in news articles get the threat model wrong, there are still some sane discussions about the beneficial use of technology. The following article was published on the FM4 web site on 25 January 2015. Have a look and decide for yourself if the Crypto Wars have begun again (provided they came to an end at some point in the past). Maybe you work in this field and like to submit a presentation covering the current state of affairs. Let us know. EU Economy needs secure Encryption The EU technical bodies

Read More

2805, 2015

DeepSec 2015 – „Cyber“ Call for Papers is online!

René Pfeiffer/ May 28, 2015/ Call for Papers

The Call for Papers of DeepSec 2015 is open! We are looking for your presentation and your in-depth training to add to our schedule. There has been a lot of activity in the past six months with regards to information security. Given the cultural and political impact of vulnerable code there are ample topics to talk about and to teach. Cryptography has its place in the limelight since the high impact but with a cute logo. Getting cryptography right has been the problem of developers and academics since decades. Now everyone knows about it. So if you have some research on encryption, authentication, and secure communication in general, send us your thoughts along with your submission. Protecting your infrastructure is harder than ever before. Once upon a time only your servers and classic clients used

Read More

2705, 2015

Prepare yourself for BSidesLondon!

René Pfeiffer/ May 27, 2015/ Conference

The BSidesLondon event is taking place next week. In case you have missed the tweets and don’t surf the web, check out the schedule. The keynote will shed some light on the gap between information security and technology already being used “out there” in the real world. It’s nice to spend months on solid designs and policies, but this doesn’t help you much when your users go shopping in the meantime. Further presentations will tell you all about DarkComet, how to rob a bank, Android malware analysis, Point-of-Sale (POS) devices turning you into a billionaire, elliptic curve cryptography for the fearless, hash algorithm magic, infosec for the masses, and much more. You are really in for a treat. BSidesLondon will feature a rookie track again! Do the rookies a favour and give them a

Read More

1505, 2015

DeepINTEL 2015 – How to deal with (Industrial) Espionage

René Pfeiffer/ May 15, 2015/ Call for Papers, Security Intelligence

The DeepINTEL event in September will have a strong focus on a specific kind of intelligence. We will address the issue of espionage. Given the headlines of the past six months it is clear that companies are subject to spying. There is no need for euphemisms any more. Even with half of the information published on this matter, there is no way to deny it. Since the trading of data is a lucrative business, the issue won’t go away. So if you run a company or an organisation, then you might want to deal with risks and threats before they deal with you. DeepINTEL is focused on security intelligence. Few CISOs and CEOs have a grasp what this really means. It is much more than doing risks analysis or threat assessment. As we have

Read More

1405, 2015

Dates for DeepSec, DeepINTEL and BSidesVienna 2015

René Pfeiffer/ May 14, 2015/ Administrivia

We have been quieter than usual. We did a lot of preparations for the upcoming DeepSec events and were busy with research projects. In case you want to update your calendars, here are the dates to look out for. 17 to 20 November 2015 – DeepSec 2015 21 / 22 September 2015 – DeepINTEL 2015 21 November 2015 – BSidesVienna 2015 (still needs to be confirmed due to location) The Call for Papers for the DeepINTEL is open. Please contact us via (encrypted) email. The Calls for Papers for DeepSec and BSidesVienna will open soon.