1902, 2012

Five Million, quick and easy!

Mika/ February 19, 2012/ High Entropy, Odd, Security Intelligence

A good friend and former colleague of mine asked me recently, whether I could give him a tip how to make 5M quick and easy. My answer was “Nothing I could think of which doesn’t involve a lot of nasty things and imply a long stay in jail”. But that’s not what I wanted to discuss here, although it’s somehow related: We had a couple of talks at the DeepSec which shed a little light on the underground economy and I also started to take some dives into the “Deepnet” to get acquainted with jargon, topics, trends and so on. Btw: NO, no details on this: not what I have visited, not when or how I registered there, I don’t wanna get doxed (1), these guys can get nasty and we don’t need another

Read More

1702, 2012

DeepINTEL 2012 – Security Intelligence Call for Papers

René Pfeiffer/ February 17, 2012/ Administrivia, Security Intelligence

We already gave some hints on our security intelligence event we are planning for end of Summer. We now have a date and a venue: DeepINTEL will be held on September 3rd and 4th near Salzburg in Austria. This single track two day event addresses mainly critical infrastructure, state organizations (administrative and law enforcement), accredited CERTs, finance organizations and trusted parties and organizations with a strong relation or partnership to the aforementioned. Due to the sensitive topics and the nature of the participants and speakers we will have a vetting process for participants. We’d like to know our audience, so that we all can talk freely and openly during the event. If you have questions on this, please contact us directly via deepsec@deepsec.net or the contact information given on our web site. Here is

Read More

1602, 2012

Of CAs, DLP, CSRs, MITM, inspection and compliance

René Pfeiffer/ February 16, 2012/ Discussion, Security

Writing about certificate authorities is slowly turning into beating dead horses. We have seen a couple of security breaches at CAs in the past. We have witnessed security researchers turning to SSL/TLS. Fairly recently researchers have put RSA keys to the test and found common prime factors in thousands of keys. Now we have a discussion about compliance. The Mozilla team has given CAs a stern warning sparked by the issue of a signing certificate by the Trustwave CA to a customer using a data loss prevention (DLP) device. According to a report the signing root certificate was used inside a Hardware Security Module for the purpose of dynamically creating fake certificates in order to inspect encrypted web traffic. While there was an audit at the customer’s site, this incident has sparked a heated

Read More

1102, 2012

Thoughts about “Offensive Security Research”

René Pfeiffer/ February 11, 2012/ Discussion, Security

Ever since information relevant for security was published, there have been discussions about how to handle this information. Many remember the full/no/responsible disclosure battles that frequently erupt. There is a new term on stage. Its name is „offensive security research“. The word „offensive“ apparently refers to the intent to attack IT systems. „Security“ marks the connection, and „research” covers anyone being too curious. This is nothing new, this is just the old discussion about disclosure in camouflage. So there should be nothing to worry about, right? Let’s look at statements from Adobe’s security chief Brad Arkin. At a security analyst summit Mr. Arkin claimed that his goal is not to find and fix every security bug. Instead his strategy is to „drive up the cost of writing exploits“ he explained. According to his keynote

Read More

1002, 2012

DeepSec 2012 – Call for Papers

René Pfeiffer/ February 10, 2012/ Administrivia, Conference

The Finux Tech Weekly episode containing an interview with MiKa and me beats our announcement of the Call for Papers by 4 hours, but here’s the text. Enjoy! DeepSec 2012 “Sector 6” – Call for Papers We are looking for talks and trainings for the DeepSec In-Depth Security Conference 2012 (“Sector 6”). We invite researchers, developers, auditors and everyone else dealing with information security to submit their work. We offer slots for talks and workshops, and we encourage everyone working on projects to present their results and findings. Please visit our updated website for more details about the venue, the schedule and information about our past conferences: https://deepsec.net/ The DeepSec offers a mix of different topics and aspects like current threats and vulnerabilities, social engineering and psychological aspects as well as security management and

Read More

2901, 2012

Getting your Perception right – Security and Collaboration

René Pfeiffer/ January 29, 2012/ Discussion, Security

If all security-related events were not connected and could be analysed with a closed system in mind, getting security measures right would be much easier. Technicians will probably yawn at this fact, but networks connect a lot of different stuff (think „series of tubes“ and many points between them). In turn this means that you can use this for your own advantage and talk to others on the network, too! This surprising conclusion is often forgotten despite the use of the term „Internet community“ and developers working together on intrusion detection signatures, malware analysis and other projects. Stefan Schumacher talked about cooperative efforts to establish an international cyber defence strategy at DeepSec 2011. Securing infrastructure and implementing a proper defence in depth doesn’t rely on technical solutions alone. You need to establish procedures for

Read More

2201, 2012

Interaction between Security and Hierarchies

René Pfeiffer/ January 22, 2012/ Security

You all know hierarchies. You use them, you work within them and you are probably part of one. This is also true for IT staffers or even freelancers dealing with security issues. Usually there is a team/project leader, a CEO, a CIO and all kinds of specialists from other departments (if the company or organisation is bigger). While the „chain of command“ may not be important during daily routine, it is tremendously critical when incidents happen or when the infrastructure is prepared against compromise. More often than not security-aware admins and developers experience the „override by pointy haired boss“ effect. Checks and balances are great, the budget might confirm this, but once you deviate from routine there’s the nasty blame game. That’s when hierarchies turn to bite you in the back. Time spent on

Read More

2001, 2012

DeepINTEL: Security Intelligence Event in Late Summer 2012

Mika/ January 20, 2012/ Conference, Internet, Security Intelligence

We are currently finalizing our new event in Summer 2012, focusing on Security Intelligence. Security Intelligence is one the newest disciplines in the IT security zoo and not yet fully defined (e.g. there is no Wikipedia article or rich bibliography of works dealing with the topic). We have been monitoring the Security Intelligence scene now for more than 3 years and found many different approaches, ranging from standard security advisories and alerts to deep insight into the current threat landscape. While some organizations (mostly network equipment vendors) seem to view Security Intelligence just as a new buzz-word for marketing others do a more thorough job: Especially software and anti-virus vendors like Microsoft, McAfee, IBM, Symantec and some ISPs like Verizon and AT&T provide valuable intelligence to the community. Also voluntary groups, free-of-charge spin-offs from

Read More

1801, 2012

DeepSec.net is on Strike!

René Pfeiffer/ January 18, 2012/ Administrivia, Internet

You have probably heard of the Stop Online Piracy Act (SOPA) and its chilling effects on the Internet and all its users. „The originally proposed bill would allow the U.S. Department of Justice, as well as copyright holders,to seek court orders against websites accused of enabling or facilitating copyright infringement. “ (quote taken from the Wikipedia article)  SOPA is a major security risk for it advocates to change the DNS zones for specific domains. Blocking would be done by DNS, so the bill compromises the Internet’s infrastructure. Speaking from the view of security researchers we would like to quote the white paper written by Steve Crocker and Dan Kaminsky: From an operational standpoint, a resolution failure from a nameserver subject to a court order and from a hacked nameserver would be indistinguishable. Users running

Read More

0901, 2012

Intelligent Security and DeepSec Events in 2012

René Pfeiffer/ January 9, 2012/ Administrivia

After the Christmas break we are back and continue to plan DeepSec events for 2012. Judging from the news on Twitter and the web there’s ample demand to look behind the scenes and to question „well-established facts“ or myths. We could have skipped vacation and kept on blogging throughout Christmas and New Year’s Eve. There was the Stratfor hack, Anonymous activity, rumours about back doors in operating systems, leaked anti-virus source code and hacking military networks. 2012 starts right where 2011 left off. And we haven’t even watched most of the 28C3 videos! So we will have two major DeepSec events in 2012. There’s the DeepSec 2012 in November (we’re currently fixing the exact date) and there will be a second event in Summer. More details follow in the course of next week when

Read More

0112, 2011

Water Plants, Cyberwar, and Scenario Fulfillment

René Pfeiffer/ December 1, 2011/ High Entropy, Security, Stories

While we refuse to add a Cyberwar category to this blog, we want to explore this shady topic with a story. Do you recall the water plant hack a few weeks ago? According to news floating around in the Internet an US-American water plant in Illinois suffered from a security breach together with a failed water pump. Apparently attackers took the pump out by applying a well-tried IT technique called „Have you tried to turn it off and on again?“. So in theory this is a full-scale Cyberwar incident that puts all of our infrastructure at risk – plus you can add the magical acronym SCADA when talking about it, thus lowering the room temperature a few degrees and imposing the well-tried fear and awe effect on your audience. While industrial control systems remain

Read More

2411, 2011

DeepSec 2011 – Video Interviews

René Pfeiffer/ November 24, 2011/ Press

A video team from Golem, one of Germany’s largest IT news web sites, did some interviews at DeepSec 2011. We already mentioned the interview with Sharon Conheady and Stefan Schumacher. There’s a new video available. It’s an interview with Constantinos Patsakis about the security and the automotive industry. Modern cars rely heavily on computer systems and data buses, but they lack mechanisms to control access to different components by different users. Constantinos and Kleanthis Dellios discussed this problem in their talk at DeepSec 2011 and suggested solutions to this problem. Watch the video and listen to the interview. Video: Interview C. Patsakis Sicherheit in Autos (3:08) Harald Welte, who conducted the „Attacking GSM“ training with Dieter Spaar at DeepSec 2011, gave an interview about the state of security in the GSM network. Video: Interview Harald

Read More

2411, 2011

DeepSec 2011 Conference Network Observations

René Pfeiffer/ November 24, 2011/ Security, Stories

All of you who attended DeepSec 2011 know that we had a Wall of Sheep at the conference. We set it up by copying packets via the Netfilter TEE target from the router to the Wall of Sheep box (note to self: never ever mirror broadcast or multicast packets). We only displayed logins and the number of characters of the password, all data was processed and stored in RAM. The display was only accessible from the conference network. On the first day of the conference we did not announced the Wall, we only encouraged everyone to use secure protocols and not to use services that send sensitive data unprotected. We even set up posters and flyers warning to use the conference network (the reason were other events at the venue taking place in parallel).

Read More

2211, 2011

Articles about DeepSec 2011

René Pfeiffer/ November 22, 2011/ Conference, Press

We have some more articles for you. Apparently the talks of our speakers raised a few eyebrows. Most of the articles are in German. Dradio: Das sichere Auto ist ein Mythos Interview with Mariann Unterluggauer about impressions from DeepSec 2011 and the myth of automobile security. Dradio: Nur scheinbare Datensicherheit This is a second article published on the Deutschlandfunk web site features Duncan’s talk and bugs in security software. Ö1: Können Hacker Autos fernsteuern? „Can hackers remotely control cars?“ Well, given the current design and lack of security they probably will do so in time for DeepSec 2012. Ö1: Make Cyberpeace, not Cyberwar. Ein Bericht von der DeepSec The topic of cyber warfare is still hot. Wie Terroristen verschlüsseln – Digitale Spuren kaum verwischt The Neuer Zürcher Zeitung (NZZ) has a comment about Duncan’s

Read More

1811, 2011

DeepSec 2011 – Post-Con Party at the Metalab

René Pfeiffer/ November 18, 2011/ Administrivia, High Entropy

Since DeepSec 2011 has ended and we still want to have a chat with you, let’s meet at the party! It takes place at the Metalab, a local hacker space next to the town hall. We have music, we have stuff to drink, we got access to the Intertubes, we got lots of nice people, and even more reasons to have some fun! Don’t miss it!