Wireless (Wi-Fi) Security Interview

René Pfeiffer/ August 20, 2012/ Discussion, Press, Security, Stories

Today we had a visit from an Austrian television crew to answer some short questions about wireless security. It’s too bad that journalists always look for „hackers“ who „hack something“. While we had no idea what they were talking about, we delivered a short summary of wireless security. For most of you this is old news, but for a broad audience in front of TV sets it’s still a mystery. Usually no one really knows what the difference between WPA and WPA2 is. On top of that there is WEP (the obsolete predecessor, broken for years) and WPS (a convenience protocol for pairing devices, not an encryption scheme), and underneath WPA/WPA2 you find the ciphers TKIP and AES (CCMP), too. All of this sounds pretty intimidating. If you add some cinematic scenes, you can imagine the hero (or evil villain) discovering a wireless network, pressing some keys and gaining access mere seconds later. Defences have been breached,

A Word about Conference Conduct

René Pfeiffer/ August 7, 2012/ Administrivia, Conference, Discussion

You have probably been to conferences, and might even have seen hackers in the wild attending events. When it comes to events where IT security is discussed, everyone needs a friendly atmosphere so you can trust the people you meet. The DeepSec conference aims to be a place where these criteria are met. We want you to be able to talk to anyone about anything. Judging from the feedback we got, this goal was met. We’d like to introduce a statement published on our web site to emphasise our mission. It’s a policy to express our intention to provide a friendly and safe environment for everyone talking at and attending DeepSec events (the policy covers all DeepSec activities). Before any of you jump to conclusions, let me explain why we added the policy as

All Your Clouds are to Belong to Whom?

René Pfeiffer/ August 5, 2012/ Discussion, Security

There are probably fewer than five people on this planet who know what cloud computing really means. The figure might be exaggerated, but while enterprises, consultants and vendors try to figure out the best cloud for their business model, the attackers already take advantage of cloud infrastructure. Let’s disregard climate dependencies and extraordinary political environments for a moment (if you say yes to cloud computing, then you have this already taken into account and under control, right?). Let’s focus on the security implications for the moment. There’s an example of a string of unintended consequences caused by a successful social engineering attack. The target was a „cloud account“ linked to storage and three personal devices (a phone, a tablet and a laptop). The attacker gained access by means of tech support and bypassing security

How to register for DeepINTEL

René Pfeiffer/ July 10, 2012/ Administrivia

The link to the online registration for DeepINTEL tickets has been activated. We’ve added a shiny IFRAME and a direct link on the DeepINTEL site. Since DeepINTEL is a bit different from DeepSec, here are the steps to your ticket. Contact us by sending your name and your affiliation. We start the vetting process and might ask for additional information. You get the code for your ticket. You register, get your ticket and send us your itinerary so we can take care of accommodation and your arrival. That’s about all you need. We already explained that the DeepINTEL event contains information and knowledge exchange which will not be reflected in public. This is why we provide a little exercise in data loss prevention (difficulty level easy ☺). Any presentation materials provided by the speakers

DeepINTEL 2012 – Preliminary Schedule

René Pfeiffer/ July 3, 2012/ Administrivia, Schedule

This is the preliminary schedule of the first DeepINTEL seminar taking place in September 2012. We have more talks in the pipeline and the final decision won’t take long. Bear in mind that we will receive some additional information for some of the abstracts soon. The registration for DeepINTEL is online, too. If you are interested in attending DeepINTEL, please get in touch with us (you know, the vetting process and such). Please note that all further updates will be published at the main DeepINTEL web site. You will also find the speakers’ biographies there.

Preventing and Detecting Mass-Malware and Advanced Threats (Tom “c-APT-ure” Ueltschi)

Your organization has firewalls, network IDS/IPS, anti-virus on multiple layers, maybe even HIPS, hardening and patching done and feels pretty safe and secure. But lots of companies and organisations

“The early bird gets the worm” or “Can you be faster than FUD?”

Mika/ June 27, 2012/ Conference, Security Intelligence

This is an old saying and like most old sayings it bears some truth: the first one to notice an opportunity does indeed have an advantage. But I don’t want to philosophize about “ancient wisdom” or something of the sort; I want to address a quite up-to-date topic: 0-day prevention, early warning systems, heuristic detection and how fast you have to be to catch worms and 0-day exploits. A lot of security vendors and open source security projects provide a very fast response to emerging threats. New worms and malware are detected quickly after they appear in the wild, and signature patterns are updated a couple of times daily. So you should be safe. Really? How much of your resources would you spend on 0-day prevention, and how effective is it? We have learned from

A „Cool War“ is not cool

René Pfeiffer/ June 18, 2012/ Discussion, High Entropy

The term „Cyberwar“ carries a dark fascination. Most people think of it as „war lite“. You get all the benefits of a real war, but the casualties are limited to bits, bytes and maybe pixels. No one dies, only the targets get destroyed. This sounds too clean to be true. There is even an article called „Cool War“ that glorifies the concept of digital battles even further. The author suggests that a cool war could prevent a „real“ armed conflict by digital preemptive strikes. The good news is that a preemptive cyber attack on the military command-and-control systems of two countries getting ready to fight a “real war” might give each side pause before going into the fight. In this instance, the hackers mounting such attacks should probably publicize their actions — perhaps even

Software Development and Security Training

René Pfeiffer/ June 11, 2012/ Security, Training

Prior to every DeepSec conference we offer two-day trainings, and we regularly advertise trainings on secure software development. Attending security-centric workshops is really not meant as a humiliation. Modern (and not so modern) software development deals with a lot of code and dependencies. Even if your code is clean and well-written, there’s a chance that something you rely on isn’t. This happens a lot with library functions (think DLLs) and thus can happen in high level programming languages, too. A training focussing on security will sharpen your „spider sense“, and you will more easily spot sections of code that can go wrong. This is also true for reading documentation. Take a look at CVE-2012-2122. In essence you can get access to some MySQL database servers by repeatedly trying to access an
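The CVE-2012-2122 pattern, as an added example (not MySQL’s own code and not part of the original post): the affected check_scramble() returned the int result of memcmp() through a return type of my_bool, a typedef for char. The C standard only promises the sign of memcmp’s result, so an optimised libc may return any non-zero int on mismatch; whenever that value was a multiple of 256 the truncation turned „mismatch“ into „match“, and roughly one wrong password in 256 was accepted. The wide_memcmp() below is an assumed stand-in for such an optimised memcmp, and the two hash arrays are constructed test vectors. The fixed variant goes one step beyond the upstream fix by comparing in constant time.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define HASH_LEN 20     /* SHA-1 digest length used by the MySQL scramble */
typedef char my_bool;   /* the narrow return type in the affected sources */

/* Simulated optimised memcmp (assumption for illustration): compares
 * 16-bit big-endian chunks and returns their difference. A real libc is
 * allowed to return any non-zero int on mismatch, multiples of 256 included. */
static int wide_memcmp(const uint8_t *a, const uint8_t *b, size_t n)
{
    for (size_t i = 0; i + 1 < n; i += 2) {
        int wa = (a[i] << 8) | a[i + 1];
        int wb = (b[i] << 8) | b[i + 1];
        if (wa != wb)
            return wa - wb;
    }
    return 0;
}

/* Vulnerable shape (CVE-2012-2122): the int result is returned through a
 * char, silently keeping only its low 8 bits. The caller treats 0 as "match". */
static my_bool check_scramble_vuln(const uint8_t *expected, const uint8_t *got)
{
    return wide_memcmp(expected, got, HASH_LEN);
}

/* Fixed shape: normalise to 0/1 before the narrowing return, and compare
 * in constant time so the loop's timing does not leak which byte differs. */
static my_bool check_scramble_fixed(const uint8_t *expected, const uint8_t *got)
{
    uint8_t diff = 0;
    for (size_t i = 0; i < HASH_LEN; i++)
        diff |= (uint8_t)(expected[i] ^ got[i]);
    return diff != 0;
}

/* Constructed vectors: the stored hash and a wrong one whose first byte
 * differs while the second matches, so the 16-bit difference is -0x0200
 * and its low byte is 0. */
const uint8_t EXPECTED[HASH_LEN] = {
    0x41, 0x42, 0x43, 0x44, 0x45, 0x46, 0x47, 0x48, 0x49, 0x4a,
    0x4b, 0x4c, 0x4d, 0x4e, 0x4f, 0x50, 0x51, 0x52, 0x53, 0x54 };
const uint8_t WRONG[HASH_LEN] = {
    0x43, 0x42, 0x43, 0x44, 0x45, 0x46, 0x47, 0x48, 0x49, 0x4a,
    0x4b, 0x4c, 0x4d, 0x4e, 0x4f, 0x50, 0x51, 0x52, 0x53, 0x54 };

/* 1 if the check lets the client in, 0 if it rejects it. */
int accepts_vuln(const uint8_t *expected, const uint8_t *got)
{
    return check_scramble_vuln(expected, got) == 0;
}

int accepts_fixed(const uint8_t *expected, const uint8_t *got)
{
    return check_scramble_fixed(expected, got) == 0;
}

/* The "keep trying" attack: how many of n random wrong scrambles does a
 * given check accept? rand() with a fixed seed keeps the run repeatable. */
int count_bypasses(unsigned seed, int n,
                   int (*accepts)(const uint8_t *, const uint8_t *))
{
    uint8_t got[HASH_LEN];
    int hits = 0;
    srand(seed);
    for (int k = 0; k < n; k++) {
        for (size_t i = 0; i < HASH_LEN; i++)
            got[i] = (uint8_t)rand();
        if (memcmp(got, EXPECTED, HASH_LEN) != 0 && accepts(EXPECTED, got))
            hits++;
    }
    return hits;
}

int main(void)
{
    printf("crafted wrong hash: vulnerable accepts=%d, fixed accepts=%d\n",
           accepts_vuln(EXPECTED, WRONG), accepts_fixed(EXPECTED, WRONG));
    printf("5000 random wrong hashes: vulnerable lets in %d, fixed lets in %d\n",
           count_bypasses(1, 5000, accepts_vuln),
           count_bypasses(1, 5000, accepts_fixed));
    return 0;
}
```

The lesson for a code review is the narrowing conversion on the return statement: a compiler with warnings enabled flags it, and the documented contract of memcmp() (only the sign is meaningful) is exactly the kind of thing a security-focussed reading of documentation turns up.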

The Internet: Agora or Boudoir?

Mika/ June 10, 2012/ Discussion, Internet

Some people believe the Internet is like the Agora of ancient Greek cities where everybody meets and everything happens in public and open sight, while others regard it as their boudoir where they can pursue their private business without anyone peeping through the keyhole. The challenge is that the Internet is both, and this calls for rules which will satisfy both expectations. If you didn’t guess it already: I’m talking about telecommunications data retention and the recent act in the European Union which requires service providers to log details about communications on the Internet and retain the data for a minimum of six months. But why do I bring up this topic? Because I believe this discussion affects the security and privacy (also known as confidentiality) of organizations and private persons. The European

Collateral Damage in Cyberspace

René Pfeiffer/ June 8, 2012/ High Entropy, Security

„In cyberspace, no one can hear you scream.“ System administrators have known this for a long time, as have security researchers. Everybody is talking about „cyberwar“ these days (elections are coming). No one is talking about the (digital) fallout from „cyberwar“ operations. As long as you rely solely on passive methods, there’s not much that can happen. As soon as you employ „offensive security“, which is just a euphemism for „breaking things“, there will be damage in terms of service disruption, compromised systems, modified/erased data, inserted attack code and possibly more. Attack tools such as Stuxnet, Duqu and now Flame have been discussed for years by security researchers. Anti-virus vendors in particular have repeatedly promised to include malware of any origin in their databases. In theory this includes these „cyberweapons“ as well. In real life these weapons

What to expect from DeepINTEL

Mika/ May 31, 2012/ Conference, Security Intelligence

Preliminary schedule soon (CFP is still open)

DeepINTEL will be a conference about security intelligence on September 3rd and 4th 2012 in the heart of Europe. We have prepared this project for a long time and we were monitoring the security intelligence landscape for quite a while. During the last year we had many chances to discuss different approaches and talk to many people involved in security intelligence, either on the provider, research or customer side. Our vision is now clear and here are some details which might have been covered here and here or which might be new:

Our understanding of security intelligence

We know quite well that security intelligence isn’t defined very clearly. Methods and tools differ as wildly as expectations and goals do. We find almost as many approaches as we

Securing Walled Gardens

René Pfeiffer/ May 31, 2012/ Discussion, Security

Setting up walled gardens around fancy mobile devices (and probably other computers) is very fashionable among vendors. In theory there is a controlled environment where malicious software is virtually unknown. The vendor can implement a strict quality assurance and can tether any aberrant developers to policies. Since a wall is a fundamental security device the vendor gets the psychological bonus of users feeling protected. So with all security issues solved there is no need to break out of the walled garden, right? How do you explain this tweet about the newly released Absinthe jailbreak then? @chronicdevteam: Some stats since release of #Absinthe – 211,401 jailbroken iPad3’s and 973,086 devices newly jailbroken! If walled gardens are so perfect, why do millions of users want to break out? Paul Ducklin has explored this phenomenon in an

Bring Your Own Spy – BYOD gone wrong

René Pfeiffer/ May 25, 2012/ Discussion, High Entropy, Security

It is reasonably safe to assume that anyone doing business has meetings from time to time. Meeting people and talking to them (or listening) is part of many companies’ culture. What do you bring to your meeting? A computer? Maybe. Paper and pencils? Old school, but why not. Your cell phone? Most probably! Unfortunately this also means that you might invite some spies to the conference. We have already talked about (some would say bashed) the BYOD challenge (or conundrum). Combining the BYOD approach with information security is hard, bordering on the impossible. There are some strategies out there for securing your device(s) (in this case from Software Advice, but others have check lists, too). You can also use the Might of Security Policies™ against the threat (we all know that all users follow any written policy

Coding Skills and Security Competence

René Pfeiffer/ May 23, 2012/ Discussion, Security

Occasionally we get questions regarding the technical level of presentations at DeepSec. Some are worried about talks at DeepSec being too „in-depth“ for their level of knowledge. You are either a coder turned security researcher hacking bits and bytes, or you are someone dealing with hierarchies and the organisational aspects of information security. It seems there is no middle ground. Well, there should be and here’s why. Information security covers a very broad spectrum of components and technologies. You can start at the physical level and work your way up, just like the OSI model of networking. The OSI layers end where the human interaction starts, and while the network engineers and software developers go to rest, security administrators still have problems to address (they always have „issues“, their psychotherapists will confirm). In other

Cloud Security Promises out of thin Air

René Pfeiffer/ May 15, 2012/ Discussion, Security

The „Cloud“ is a wonderful link between the BYOD disaster, data loss and broken security promises. Yet users of all kinds are lured into the web interfaces with eye candy. The German IT magazine Golem.de has published an article about the cloud security study of the Fraunhofer Institute for Secure Information Technology SIT. Researchers have put Dropbox, Cloudme, Crashplan, Mozy, Teamdrive, Ubuntu One and Wuala under scrutiny. The results should be a wake-up call for businesses who blissfully shove all kinds of data out into the thin air of the „Cloud“. The quintessence of the study is that none of the listed „Cloud“ services provides basic security, let alone sensible encryption technology. Some registration forms do not verify the e-mail addresses entered. Some platforms do not use SSL/TLS. Some use their own
