1110, 2011

0zapftis revisited – 0ktoberfest for Security Researchers

René Pfeiffer/ October 11, 2011/ High Entropy, Odd

The CCC analysis of the malicious software bought and used by the German government has put our blog schedule and RSS reading habits out of balance. Frankly our necks hurts because we constantly shake our heads since the PDF of the analysis was published. We have talked to journalists who showed interested in the design of the malware. It’s very hard not to go into rant or BOFH mode when talking about the design and the use of the trojan horse. You have to use quite some Zen skills to stay focused and to see what we have here. In fact the whole discovery and the avalanche of questions raining down on German officials marks a turning point for the significance of computer security. Furthermore it is a perfect example of all the problems

1010, 2011

Talk: Identity X.0 – Securing the Insecure

René Pfeiffer/ October 10, 2011/ Conference

Identities are important. You might already know this, but in the times of heavily meshed web applications and users moving between different web sites keeping track of a client’s identity can be difficult. Moreover it’s not just about identities but also about transporting account/user attributes by various protocols and standards between various applications. You might remember Microsoft Wallet/Passport which is now Windows Live ID. OpenID defines an open standard about authenticating an user by using a decentralized architecture. OAuth is another open standard, handling authorization and it is widely used by small and large organizations such as Yahoo! and Twitter. So where’s the security? How resilient are these protocols against attacks? Khash Kiani will address these questions in his presentation titled Identity X.0 – Securing the Insecure. His talk focuses on some of these

0910, 2011

Analysis of Governmental Malware

René Pfeiffer/ October 9, 2011/ Odd, Security, Stories

There is a ongoing discussion about the use of malicious software for criminal investigations. German and Austrian agencies use the term „Online-Durchsuchung“ (online search) or „Quellen-Telekommunikationsüberwachung“ (source telecommunications surveillance) for investigative measures that cover the source of telecommunication messages (which is usually a suspect’s computer or telephone). In context with malicious software used for this purpose the unofficial term „Bundestrojaner“ (federal trojan horse) was coined. On 27 Februar 2008 the German Federal Constitutional Court ruled that the online search and Internet surveillance rules violate the German constitution and have to be reviewed (you can read the explanation of the Court in German here). Yesterday the Chaos Computer Club (CCC) published a detailed analysis of a „lawful interception malware“. The results have a profound impact on security since the design of the malware allows attackers

0710, 2011

Talk: Human Factors Engineering for IT Security

René Pfeiffer/ October 7, 2011/ Conference

Members of IT staff love acronyms such as RTFM, PEBKAC, PICNIC and ID-10T error. These will often be mentioned when human factors are playing a key role. If you dig deeper and analyse typical situations where human errors are involved, then you will have to deal with user interfaces (UIs) and technical documentation. It’s easy to blame operators (it doesn’t matter if you look at end user, power users or IT staff) even if UIs or manuals have failed before the human erred. This is exactly why the talk Human Factors Engineering for IT Security of Peter Wolkerstorfer (Center of Usability Research and Engineering, CURE) will focus on the human factor in the context of operating security tools by UI. The user is often the weakest link in the chain and this fact has to

0610, 2011

Of Web Apps, Smartphones and Data Leaks

René Pfeiffer/ October 6, 2011/ High Entropy

Just digging through the backlog of the past days. Someone shot me a quick link to a web site showing an administrative interface. I failed to see the significance right away, because the link was sent by chat with an URL obfuscator shortener. I know discovered the corresponding blog post to this issue. Coincidentally I was talking on the phone today about AnonAustria’s latest publications. Apparently they found the addresses of Austrian police staff online. The claim is that the data was sitting on a web server and could be downloaded simply by guessing links. Yesterday the Austrian Chamber of Commerce confirmed a data leak covering more than 6.000 data sets of customers (400 of them complete with bank accounting information). The data leak looks like a web server „glitch“, too. AnonAustria referred to

0610, 2011

Talk: Armageddon Redux – The Changing Face of the Infocalypse

René Pfeiffer/ October 6, 2011/ Conference, High Entropy

DeepSec has a tradition of holding a „night talk“. This is the last talk on the first day, just before the Speaker’s Dinner. Don’t let the expectation of good Austrian food fool you. Morgan Marquis-Boire will serve you an appetiser which may be hard to digest: Armageddon Redux The talk is a follow-up on Morgan’s Fear, Uncertainty and the Digital Armageddon talk held at DeepSec 2008. During the past years security researchers have been warning about attacks on fundamental infrastructure. The ghosts and dæmons haunting SCADA systems lead to scary scenarios portraying a failing civilisation. At the time, there was significant worry about the danger that digital sabotage posed to the systems that run our everyday lives. Take a look at the recent Tōhoku earthquake and tsunami in Japan and its impact on industrial control

0510, 2011

Talk: Alerting, Reminding, Reminding, Reminding and Releasing Vulnerability

René Pfeiffer/ October 5, 2011/ Conference

Some of you have first-hand experience with the discussions around full disclosure. Enumerating Bugtraq moderated by Aleph One, SecurityFocus and the full-disclosure mailing list is a heavily condensed view of the problem. The term full disclosure actually originates from the problems locksmiths had with weaknesses of locks. The discussion is over a hundred years old and opinion is still divided on the matter, not only among the Internet security community. So if full disclosure and its cryptographic cousin, the Kerckhoffs’s principle, was „discovered“ in the 19th century why are we still arguing about it? Thomas Mackenzie will talk about how to deal with exposing vulnerabilities in his talk at DeepSec 2011. When it comes down to releasing vulnerabilities there are no right or wrong ways to do it. The process of responsible disclosure and

0410, 2011

Talk: Ground BeEF – Cutting, devouring and digesting the legs off a Browser

René Pfeiffer/ October 4, 2011/ Conference

Web browsers have turned into industrial standard software. There’s no office, no company, no network, no client any more that does not use web browsers for at least one task. Any attacker can safely assume that browser software will be present in most target networks. Sadly browser security has not kept up with the spread of web browsing software. Browser security is still one of the trickiest challenges to afford nowadays. A lot of efforts has been spent on mitigating browser exploitation from heap and stack overflows, pointers dereference and other memory corruption bugs. On the other hand there is still an almost unexplored landscape. X-Frame-Options, X-XSS-Protection, Content Security Policy, DOM sandboxing are good starting points to mitigate the XSS plague, but they are still not widely implemented. An explorer willing to look for

0110, 2011

Talk: Patching Vehicle Insecurity

René Pfeiffer/ October 1, 2011/ Conference

The good old car has turned into a high-tech computing device. Researchers of the Freie Universität Berlin have recently tested a car without a driver. Scientists sat in the back seat while the car travelled 80 km in total on roads through Berlin and Brandenburg. An advertisement of a car company proudly touts: The road is not exactly a place of intelligence.…This is why we engineered a car that analyzes real-time information, reads your handwriting, and makes 2,000 decisions every second. With 2,000 decisions per second there’s no way a human can cancel or correct decisions in time. Modern cars heavily rely on self-contained embedded controllers interfacing with an array of sensors. These controllers are connected to diagnostic systems, throttle, transmission, brakes, speedometer, climate and lighting controls, external lights, entertainment systems, navigation subsystem, and

2909, 2011

Talk: Why the Software we use is designed to violate our Privacy

René Pfeiffer/ September 29, 2011/ Conference

Most of us are used to take advantage of the fruits of the Web 2.0. There is web e-mail, online backups, social networking, blogs, media sharing portals (for audio/video), games, instant messaging and more – available for private and corporate users. A lot of sites offer their services for free (meaning without charging anything), thus increasing the number of accounts created. Nevertheless you pay something. You are being mined for information and data. Some of these products collect our data directly. In such cases, the exchange of user data for free services is well known, at least to many savvy users. However, many other products do not collect our private data. Instead, they quietly facilitate and enable data collection by other parties. It all depends on the business model. Of course most portals and

2509, 2011

The BEAST SSL Attack and the postponed Digital Apocalypse

René Pfeiffer/ September 25, 2011/ Security

When it comes to security flaws of SSL/TLS (either in theory or in implementation), then a lot of people get very nervous. The past days have been full of media coverage of the BEAST SSL Attack. Since Juliano Rizzo and Thai Duong have published their results the level of speculation has dropped. Let’s replace panic by analysis of facts. Starting with the name of the BEAST, Browser Exploit Against SSL/TLS Tool, it is clear that a browser and a web site is involved. If you take a look at the description of the attack, you can infer that the impact doesn’t affect all SSL/TLS deployments. The following text is taken from Bruce Schneier’s blog entry on BEAST. The tool is based on a blockwise-adaptive chosen-plaintext attack, a man-in-the-middle approach that injects segments of plain text

2309, 2011

Workshop: Web Hacking – Attacks, Exploits and Defence

René Pfeiffer/ September 23, 2011/ Conference

In 2011 we have seen a lot of articles about „cyber“ attacks in the media. Judging from the media echo it looks as if a lot of servers were suddenly compromised and exploited for intruding into networks. While attacks usually take advantage of weaknesses in software, servers do not develop vulnerabilities over night. Most are on-board by design, by accident or by a series of mistakes. The first line of defence are web applications. Every modern company has a web site or uses web portals. Attackers know this and look for suitable attack vectors. If you want to improve your security, you have to start right at this first line. This is why we recommend the workshop Web Hacking – Attacks, Exploits and Defence by Shreeraj Shah & Vimal Patel of Blueinfy Solutions. As

2209, 2011

Press Release: How Terrorists encrypt, tenuous Security Situations concerning GSM Networks and IPv6 under Attack

René Pfeiffer/ September 22, 2011/ Press

Press release: From the 15th until the 18th of November international IT-security experts and hackers will meet again in Vienna, Austria, to discuss strategic security topics. The schedule is confirmed: At this year’s international IT-security conference DeepSec, the main focus lies on strategic security topics. DeepSec 2011 takes place from the 15th-18th of November, it’ll be the 5th time that world’s elite in network-security and hacking comes together. Encryption techniques used by terrorists, secure use of mobile devices and the security awareness of their users as well as future security-infrastructures are main topics of this year’s DeepSec. “As in the years before we want to present exciting and controversial topics which concern not only experts, but most of us directly or indirectly in 7 workshops and 34 talks.” says René Pfeiffer, organiser of DeepSec.

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this: