DeepSec on Radio Netwatcher on 25 October 2011

René Pfeiffer/ October 22, 2011/ Communication

We did an interview with Radio Netwatcher. You can listen to it on 25 October 2011 at 1800 CEST on radio ORANGE 94.0 (Austria and other countries where the content is syndicated). The interview is in German. It covers the 0zapftis trojan horse, malware in general, security (of course), DeepSec 2011 and the Austrian Big Brother Awards.

Security Intelligence, two different Approaches

Mika/ October 20, 2011/ Internet, Report, Security

We have been monitoring activities around Security Intelligence for a while and have found quite different understandings and approaches. Security Intelligence is one of the newest disciplines in the area of Information Security and the goals seem to be quite vague. Different organizations seem to have totally different understandings of what Security Intelligence should be about. To illustrate this I would like to compare two of the leading IT vendors and what they publish as “Security Intelligence”: Cisco Security Intelligence Operations http://tools.cisco.com/security/center/home.x Cisco lists on the Security Intelligence Portal mainly security advisories, alerts, responses and information about Cisco product updates, signature updates, mitigation bulletins, virus watch and similar topics. To provide this kind of information is in my humble opinion the task of a CERT (Computer Emergency Response Team) or a PSIRT (Product Security Incident Response Team).


Press Release: From Car to „Zombie“ – Data-driven Attacks on Automobiles

DeepSec Organisation/ October 19, 2011/ Press

Data-driven Attacks on Automobiles: Security conference DeepSec broaches the issue of automobile security. Vienna – Hacking attacks on cars sound like something out of a Hollywood blockbuster. However, they’re possible today and pose a real threat for individuals and the automotive industry. The international security conference DeepSec, which takes place between the 15th and 18th of November 2011, chose the security of mobile phones, cars and their users as central topics for this year’s conference. „As in the years before we want to present exciting and controversial topics which concern not only experts, but most of us directly or indirectly in 7 workshops and 34 talks. The liability of modern cars to attacks is one of our topics.” says René Pfeiffer, organiser of DeepSec. “DeepSec acts as neutral platform to connect the hacker-community with IT


Talk: Behavioral Security: 10 steps forward 5 steps backward

René Pfeiffer/ October 17, 2011/ Conference

How do you distinguish good from evil? Have you ever asked yourself this question? In order to avoid diving into philosophy let’s translate evil to harmful and good to harmless. What’s your strategy to find out if something is harmful or harmless? When it comes to food maybe you try a small bit and gradually increase the dose. This strategy fails for software since you cannot install a bit of code and install more if everything looks ok. Analysing the behaviour is the next analogy in line. Behavioural analysis is well-known to anthropologists, psychologists and most human resources departments. Does it work for code, too? If you look at your security tools you will probably find tools that use a rule-based approach; then there are signatures and some tools offer to detect/decide based on


Talk: Extending Scapy by a GSM Air Interface

René Pfeiffer/ October 16, 2011/ Conference

Scapy is the „Swiss Army tool“ among security software. Scapy is a powerful interactive packet manipulation program. It is used for scanning, probing, testing software implementations, tracing network packets, network discovery, injecting frames, and other tasks. So it’s a security power tool useful for a lot of tasks in security research. Wouldn’t it be nice to add some capabilities on layer 3 of the Global System for Mobile Communications (GSM) protocol? This layer covers the UM interface that connects mobile network clients over the air interface to the base stations. Capturing packets on this link alone would be a great benefit to security researchers. Laurent ‘kabel’ Weber of the Ruhr-Universität Bochum will talk about „Extending Scapy by a GSM Air Interface and Validating the Implementation Using Novel Attacks“ at DeepSec 2011. Laurent’s talk describes the enhancement


Talk: Design and Implementation of a Secure Encryption-Layer for Skype Voice-Calls

René Pfeiffer/ October 14, 2011/ Conference

You probably use communication tools that transport the voice/messaging data over the Internet. We’re not speaking about e-mail, but about recent software of the information age – Skype. Skype is widely used for audio/video chats around the world. Its security is shrouded in proprietary mystery and many urban legends exist. In 2006 Philippe Biondi and Fabrice Desclaux analysed the Skype network and its security in their talk „Silver Needle in the Skype“. Since end users can neither create their own cryptographic keys nor see the ones that are actually used, the network always has the capability of eavesdropping on calls. It is not clear if this capability is used or abused at all, but the risk is present. As with eavesdropping in mobile phone networks the communication partners will be totally oblivious, and neither


Mobile Phone Calls as Security Risk

René Pfeiffer/ October 13, 2011/ Conference, Security

Do you rely on your mobile phone? Do you frequently call someone or get called? Do you transmit messages or data across mobile phone networks? Maybe you shouldn’t unless you use additional security layers since mobile phone networks must be regarded as a security risk. Karsten Nohl of Security Research Labs has taken a look at Austrian mobile networks. The result is a wake-up call for companies and individuals alike. According to Nohl the local Austrian providers A1/Mobilkom, T-Mobile Österreich and Orange have not updated their networks as other operators in Europe have already. He explained that there is no sign of any additional hardening. The transmissions of mobile phone network clients can be intercepted and decrypted with very little technical effort. The networks still use the A5/1 encryption standard which has been repeatedly


Workshop: Social Engineering for IT Security Professionals

René Pfeiffer/ October 12, 2011/ Conference

Social Engineering has been around for a long time and predates the Internet. The method of the Nigerian scams today dates back to the 16th century. It is much more widespread today. Social networking sites supply attackers with a rich source of information. They may even get hold of confidential information without any effort (as the Robin Sage experiment has shown). Directed attacks such as spear-phishing can have a high impact. The use of deception or impersonation to gain unauthorised access to sensitive information or facilities is a persistent threat to your company or organisation, provided you communicate with the outside world. Since computer security is becoming more sophisticated, hackers are combining their technical expertise with social engineering to gain access to sensitive information or valuable resources in your organisation. Social engineering attacks can


0zapftis revisited – 0ktoberfest for Security Researchers

René Pfeiffer/ October 11, 2011/ High Entropy, Odd

The CCC analysis of the malicious software bought and used by the German government has put our blog schedule and RSS reading habits out of balance. Frankly our necks hurt because we constantly shake our heads since the PDF of the analysis was published. We have talked to journalists who showed interest in the design of the malware. It’s very hard not to go into rant or BOFH mode when talking about the design and the use of the trojan horse. You have to use quite some Zen skills to stay focused and to see what we have here. In fact the whole discovery and the avalanche of questions raining down on German officials marks a turning point for the significance of computer security. Furthermore it is a perfect example of all the problems


Talk: Identity X.0 – Securing the Insecure

René Pfeiffer/ October 10, 2011/ Conference

Identities are important. You might already know this, but in the times of heavily meshed web applications and users moving between different web sites keeping track of a client’s identity can be difficult. Moreover it’s not just about identities but also about transporting account/user attributes by various protocols and standards between various applications. You might remember Microsoft Wallet/Passport which is now Windows Live ID. OpenID defines an open standard for authenticating a user by using a decentralized architecture. OAuth is another open standard, handling authorization, and it is widely used by small and large organizations such as Yahoo! and Twitter. So where’s the security? How resilient are these protocols against attacks? Khash Kiani will address these questions in his presentation titled Identity X.0 – Securing the Insecure. His talk focuses on some of these


Analysis of Governmental Malware

René Pfeiffer/ October 9, 2011/ Odd, Security, Stories

There is an ongoing discussion about the use of malicious software for criminal investigations. German and Austrian agencies use the term „Online-Durchsuchung“ (online search) or „Quellen-Telekommunikationsüberwachung“ (source telecommunications surveillance) for investigative measures that cover the source of telecommunication messages (which is usually a suspect’s computer or telephone). In context with malicious software used for this purpose the unofficial term „Bundestrojaner“ (federal trojan horse) was coined. On 27 February 2008 the German Federal Constitutional Court ruled that the online search and Internet surveillance rules violate the German constitution and have to be reviewed (you can read the explanation of the Court in German here). Yesterday the Chaos Computer Club (CCC) published a detailed analysis of a „lawful interception malware“. The results have a profound impact on security since the design of the malware allows attackers


Talk: Human Factors Engineering for IT Security

René Pfeiffer/ October 7, 2011/ Conference

Members of IT staff love acronyms such as RTFM, PEBKAC, PICNIC and ID-10T error. These will often be mentioned when human factors are playing a key role. If you dig deeper and analyse typical situations where human errors are involved, then you will have to deal with user interfaces (UIs) and technical documentation. It’s easy to blame operators (it doesn’t matter if you look at end users, power users or IT staff) even if UIs or manuals have failed before the human erred. This is exactly why the talk Human Factors Engineering for IT Security by Peter Wolkerstorfer (Center of Usability Research and Engineering, CURE) will focus on the human factor in the context of operating security tools by UI. The user is often the weakest link in the chain and this fact has to


Of Web Apps, Smartphones and Data Leaks

René Pfeiffer/ October 6, 2011/ High Entropy

Just digging through the backlog of the past days. Someone shot me a quick link to a web site showing an administrative interface. I failed to see the significance right away, because the link was sent by chat with a URL obfuscator shortener. I now discovered the corresponding blog post to this issue. Coincidentally I was talking on the phone today about AnonAustria’s latest publications. Apparently they found the addresses of Austrian police staff online. The claim is that the data was sitting on a web server and could be downloaded simply by guessing links. Yesterday the Austrian Chamber of Commerce confirmed a data leak covering more than 6.000 data sets of customers (400 of them complete with bank accounting information). The data leak looks like a web server „glitch“, too. AnonAustria referred to


Talk: Armageddon Redux – The Changing Face of the Infocalypse

René Pfeiffer/ October 6, 2011/ Conference, High Entropy

DeepSec has a tradition of holding a „night talk“. This is the last talk on the first day, just before the Speaker’s Dinner. Don’t let the expectation of good Austrian food fool you. Morgan Marquis-Boire will serve you an appetiser which may be hard to digest: Armageddon Redux. The talk is a follow-up on Morgan’s Fear, Uncertainty and the Digital Armageddon talk held at DeepSec 2008. During the past years security researchers have been warning about attacks on fundamental infrastructure. The ghosts and dæmons haunting SCADA systems lead to scary scenarios portraying a failing civilisation. At the time, there was significant worry about the danger that digital sabotage posed to the systems that run our everyday lives. Take a look at the recent Tōhoku earthquake and tsunami in Japan and its impact on industrial control


Talk: Alerting, Reminding, Reminding, Reminding and Releasing Vulnerability

René Pfeiffer/ October 5, 2011/ Conference

Some of you have first-hand experience with the discussions around full disclosure. Enumerating Bugtraq moderated by Aleph One, SecurityFocus and the full-disclosure mailing list is a heavily condensed view of the problem. The term full disclosure actually originates from the problems locksmiths had with weaknesses of locks. The discussion is over a hundred years old and opinion is still divided on the matter, not only among the Internet security community. So if full disclosure and its cryptographic cousin, Kerckhoffs’s principle, were „discovered“ in the 19th century, why are we still arguing about it? Thomas Mackenzie will talk about how to deal with exposing vulnerabilities in his talk at DeepSec 2011. When it comes down to releasing vulnerabilities there are no right or wrong ways to do it. The process of responsible disclosure and
