Simple Questions, Security Design, Details and Assumptions

René Pfeiffer / April 3, 2012 / Security, Stories

A few days ago we received a call from a journalist who was researching an article about a parking space management system. Motorists have a hard time finding a place to park in busy urban areas. This is why Austrian researchers thought of fitting street lamps with cameras that monitor parking areas. The cameras report the images to a system that identifies free parking spaces and reports available spots to drivers by means of their satnav. The journalist wanted to know how safe this is and whether there might be a threat to privacy. The answer is not that easy. In this context it typically resolves to the style of Radio Yerevan and starts with „In principle yes, but …“. In our case it depends on the details of the implementation. Brevity

DeepSec 365 Conference Track and Disinformation

René Pfeiffer / April 2, 2012 / Misc, Stories

We admit. We could not resist. Bazinga! Writing articles to be published on 1 April is fun, and you probably should not read any news on this day (or blog articles or anything, don’t even talk to people until 2 April). If you consider the disinformation practised on All Fools’ Day and connect it to security, the fun stops. You rely on information and its accuracy to counter threats. So in turn disinformation can be regarded as a hacker tool. People working in social engineering probably know this already. Since our CfPs for DeepINTEL and DeepSec 2012 are open: if you explore disinformation as a hacker tool and can show its impact on the security routine of potential targets/defenders, why not turn your findings into a presentation and send it to us? We want to know

DeepSec Announces DeepSec 365 Conference Track

René Pfeiffer / April 1, 2012 / Administrivia, Conference, High Entropy

IT security has grown into a cornerstone of our modern society. We rely on data integrity and availability, and we do not wish our personal or business data to be mirrored on pastebin.com or other web sites. 2011 has been full of high-profile security-related incidents. 2012 will most certainly continue in this fashion. This cannot go on forever. Therefore we decided to address the lack of IT security conferences and boost their number considerably. Starting on 1 January 2013 we launch the DeepSec 365 Conference Track – 365 DeepSec security conferences in 2013, one every day! We are currently finalising the deal with our conference venue. Even the tourism industry has acknowledged that there really is nothing besides hosting IT security events. Forget skiing, spas, clubbing, museums, sightseeing and all that, you want to see

Use Key Content for your Keynotes

René Pfeiffer / March 21, 2012 / Administrivia, Security

There is some discussion about certain keynote talks in the blogosphere and on mailing lists. Apparently there has been too much mentioning of mayhem and company ads lately. We will judge this as soon as we have watched the video recordings of these talks. Until we have done that we’d like to point out that all our keynote presentations go through the same Call for Papers mechanism as the „regular“ talks. This is true for DeepINTEL and DeepSec alike. It has also been true for all past DeepSec conferences. While we don’t mind provocative content, we still like our speakers to present high quality content. Paid content, on the contrary, is not always of high quality. As soon as you enter the realm of sponsored talks you’ll suddenly realise that presentations

It’s the Smart Meters that matter – or is it?

René Pfeiffer / March 18, 2012 / Communication, High Entropy, Security

Wired’s Danger Room has an article about how ubiquitous computing and smart homes are eagerly awaited by the CIA to turn your networked environment into a gigantic spy tool. CIA Director David Petraeus very much likes the „Internet of things“ as an information gathering tool. Security researchers can’t wait either. However, they have a very practical approach by pointing out the missing security design. Smart homes might be very dumb after all, and they might not be a „home“. If your home turns against you and breaches your privacy, it’s not a home any more. Plus the next „digital Pearl Harbor“ (whatever this means) might start in your refrigerator. Who knows? This is a very simplistic view on the „Internet of things“. If things automatically turn into sensors and report useful information once they

Disinfect your Information Environment

René Pfeiffer / March 7, 2012 / High Entropy, Security, Stories

Since information technology relies heavily on analogies (as do a lot of other „cyber“ things), we have a question for you. What do an intercepted phone call, infectious diseases and nuclear waste spilling into the environment have in common? Faulty containment. The Naked Security blog explains in an article how Anonymous was able to record the FBI phone call whose audio file was published in January 2012. Apparently „an Irish Garda police officer who was invited to attend the conference call about ongoing hacking investigations forwarded the message to a personal email account“. This personal e-mail account was compromised, and the information about the conference call was used to participate and to record the audio stream. This teaches a couple of lessons. Conference calls can be attended by having the correct string of characters (i.e.

Security in the Trenches (or how to get dirty and stay clean)

Mika / February 27, 2012 / Security, Stories

Sometimes you have to get dirty, sometimes it’s fun to get dirty. No, it’s not what might come to mind, it’s about the dirty business of information security: you have to break things to see if they are secure enough and to learn about weak points. But what to break? Your own systems? Someone else’s systems? Best is to stay clean when selecting your target for the dirty business (we talked about offensive security recently). The most fun are “Capture the Flag” challenges, also known as war-games, which are frequently offered to the security community to test abilities and learn new stuff. I recently found a CtF challenge that looked quite fun and we started a 2-day session at the Metalab, the Hackerspace in Vienna, with a group of 6 or 7 people with different

About the fine print in Software Patents (Motorola vs. Apple)

Mika / February 24, 2012 / High Entropy, Internet

Recently Motorola sued Apple because of Patent EP0847654 and Apple deactivated the push function for e-mails. Only on mobile platforms. Only for iCloud and MobileMe. Only within the borders of Germany. See http://support.apple.com/kb/TS4208. What happened? While everyone in the blogosphere is ranting about e-mail pushing being patented etc., I dared to search for the original patent text and was a little bit surprised: The patent goes back to 1996. The title is “Multiple Pager Status Synchronisation System and Method”. In my opinion it describes something unrelated to modern e-mail systems. The patent describes a trivial three-message exchange over radio communication to ensure that multiple pagers in a group reflect the same status as to whether a message has already been read. Nothing about e-mail in general can be found. This is the reason for affecting only

Five Million, quick and easy!

Mika / February 19, 2012 / High Entropy, Odd, Security Intelligence

A good friend and former colleague of mine asked me recently whether I could give him a tip on how to make 5M quick and easy. My answer was “Nothing I could think of which doesn’t involve a lot of nasty things and imply a long stay in jail”. But that’s not what I wanted to discuss here, although it’s somehow related: We had a couple of talks at DeepSec which shed a little light on the underground economy, and I also started to take some dives into the “Deepnet” to get acquainted with jargon, topics, trends and so on. Btw: NO, no details on this: not what I have visited, not when or how I registered there, I don’t wanna get doxed (1), these guys can get nasty and we don’t need another

DeepINTEL 2012 – Security Intelligence Call for Papers

René Pfeiffer / February 17, 2012 / Administrivia, Security Intelligence

We already gave some hints on the security intelligence event we are planning for the end of summer. We now have a date and a venue: DeepINTEL will be held on September 3rd and 4th near Salzburg in Austria. This single-track, two-day event mainly addresses critical infrastructure, state organisations (administrative and law enforcement), accredited CERTs, finance organisations, and trusted parties and organisations with a strong relation or partnership to the aforementioned. Due to the sensitive topics and the nature of the participants and speakers we will have a vetting process for participants. We’d like to know our audience, so that we all can talk freely and openly during the event. If you have questions on this, please contact us directly via deepsec@deepsec.net or the contact information given on our web site. Here is

Of CAs, DLP, CSRs, MITM, inspection and compliance

René Pfeiffer / February 16, 2012 / Discussion, Security

Writing about certificate authorities is slowly turning into beating dead horses. We have seen a couple of security breaches at CAs in the past. We have witnessed security researchers turning to SSL/TLS. Fairly recently researchers have put RSA keys to the test and found common prime factors in thousands of keys. Now we have a discussion about compliance. The Mozilla team has given CAs a stern warning, sparked by the issuance of a signing certificate by the Trustwave CA to a customer using a data loss prevention (DLP) device. According to a report the signing root certificate was used inside a Hardware Security Module for the purpose of dynamically creating fake certificates in order to inspect encrypted web traffic. While there was an audit at the customer’s site, this incident has sparked a heated

Thoughts about “Offensive Security Research”

René Pfeiffer / February 11, 2012 / Discussion, Security

Ever since information relevant for security was published, there have been discussions about how to handle this information. Many remember the full/no/responsible disclosure battles that frequently erupt. There is a new term on stage. Its name is „offensive security research“. The word „offensive“ apparently refers to the intent to attack IT systems. „Security“ marks the connection, and „research“ covers anyone who is too curious. This is nothing new, this is just the old discussion about disclosure in camouflage. So there should be nothing to worry about, right? Let’s look at statements from Adobe’s security chief Brad Arkin. At a security analyst summit Mr. Arkin claimed that his goal is not to find and fix every security bug. Instead his strategy is to „drive up the cost of writing exploits“, he explained. According to his keynote

DeepSec 2012 – Call for Papers

René Pfeiffer / February 10, 2012 / Administrivia, Conference

The Finux Tech Weekly episode containing an interview with MiKa and me beats our announcement of the Call for Papers by 4 hours, but here’s the text. Enjoy!

DeepSec 2012 “Sector 6” – Call for Papers

We are looking for talks and trainings for the DeepSec In-Depth Security Conference 2012 (“Sector 6”). We invite researchers, developers, auditors and everyone else dealing with information security to submit their work. We offer slots for talks and workshops, and we encourage everyone working on projects to present their results and findings. Please visit our updated website for more details about the venue, the schedule and information about our past conferences: https://deepsec.net/ The DeepSec offers a mix of different topics and aspects like current threats and vulnerabilities, social engineering and psychological aspects as well as security management and

Getting your Perception right – Security and Collaboration

René Pfeiffer / January 29, 2012 / Discussion, Security

If all security-related events were not connected and could be analysed with a closed system in mind, getting security measures right would be much easier. Technicians will probably yawn at this fact, but networks connect a lot of different stuff (think „series of tubes“ and many points between them). In turn this means that you can use this to your own advantage and talk to others on the network, too! This surprising conclusion is often forgotten despite the use of the term „Internet community“ and developers working together on intrusion detection signatures, malware analysis and other projects. Stefan Schumacher talked about cooperative efforts to establish an international cyber defence strategy at DeepSec 2011. Securing infrastructure and implementing a proper defence in depth doesn’t rely on technical solutions alone. You need to establish procedures for

Interaction between Security and Hierarchies

René Pfeiffer / January 22, 2012 / Security

You all know hierarchies. You use them, you work within them and you are probably part of one. This is also true for IT staffers or even freelancers dealing with security issues. Usually there is a team/project leader, a CEO, a CIO and all kinds of specialists from other departments (if the company or organisation is bigger). While the „chain of command“ may not be important during daily routine, it is tremendously critical when incidents happen or when the infrastructure is being prepared against compromise. More often than not security-aware admins and developers experience the „override by pointy-haired boss“ effect. Checks and balances are great, the budget might confirm this, but once you deviate from routine there’s the nasty blame game. That’s when hierarchies turn around to bite you in the back. Time spent on