0510, 2011

Talk: Alerting, Reminding, Reminding, Reminding and Releasing Vulnerability

René Pfeiffer/ October 5, 2011/ Conference

Some of you have first-hand experience with the discussions around full disclosure. Enumerating Bugtraq moderated by Aleph One, SecurityFocus and the full-disclosure mailing list is a heavily condensed view of the problem. The term full disclosure actually originates from the problems locksmiths had with weaknesses of locks. The discussion is over a hundred years old and opinion is still divided on the matter, not only among the Internet security community. So if full disclosure and its cryptographic cousin, the Kerckhoffs’s principle, was „discovered“ in the 19th century why are we still arguing about it? Thomas Mackenzie will talk about how to deal with exposing vulnerabilities in his talk at DeepSec 2011. When it comes down to releasing vulnerabilities there are no right or wrong ways to do it. The process of responsible disclosure and

0410, 2011

Talk: Ground BeEF – Cutting, devouring and digesting the legs off a Browser

René Pfeiffer/ October 4, 2011/ Conference

Web browsers have turned into industrial standard software. There’s no office, no company, no network, no client any more that does not use web browsers for at least one task. Any attacker can safely assume that browser software will be present in most target networks. Sadly browser security has not kept up with the spread of web browsing software. Browser security is still one of the trickiest challenges to afford nowadays. A lot of efforts has been spent on mitigating browser exploitation from heap and stack overflows, pointers dereference and other memory corruption bugs. On the other hand there is still an almost unexplored landscape. X-Frame-Options, X-XSS-Protection, Content Security Policy, DOM sandboxing are good starting points to mitigate the XSS plague, but they are still not widely implemented. An explorer willing to look for

0110, 2011

Talk: Patching Vehicle Insecurity

René Pfeiffer/ October 1, 2011/ Conference

The good old car has turned into a high-tech computing device. Researchers of the Freie Universität Berlin have recently tested a car without a driver. Scientists sat in the back seat while the car travelled 80 km in total on roads through Berlin and Brandenburg. An advertisement of a car company proudly touts: The road is not exactly a place of intelligence.…This is why we engineered a car that analyzes real-time information, reads your handwriting, and makes 2,000 decisions every second. With 2,000 decisions per second there’s no way a human can cancel or correct decisions in time. Modern cars heavily rely on self-contained embedded controllers interfacing with an array of sensors. These controllers are connected to diagnostic systems, throttle, transmission, brakes, speedometer, climate and lighting controls, external lights, entertainment systems, navigation subsystem, and

2909, 2011

Talk: Why the Software we use is designed to violate our Privacy

René Pfeiffer/ September 29, 2011/ Conference

Most of us are used to take advantage of the fruits of the Web 2.0. There is web e-mail, online backups, social networking, blogs, media sharing portals (for audio/video), games, instant messaging and more – available for private and corporate users. A lot of sites offer their services for free (meaning without charging anything), thus increasing the number of accounts created. Nevertheless you pay something. You are being mined for information and data. Some of these products collect our data directly. In such cases, the exchange of user data for free services is well known, at least to many savvy users. However, many other products do not collect our private data. Instead, they quietly facilitate and enable data collection by other parties. It all depends on the business model. Of course most portals and

2509, 2011

The BEAST SSL Attack and the postponed Digital Apocalypse

René Pfeiffer/ September 25, 2011/ Security

When it comes to security flaws of SSL/TLS (either in theory or in implementation), then a lot of people get very nervous. The past days have been full of media coverage of the BEAST SSL Attack. Since Juliano Rizzo and Thai Duong have published their results the level of speculation has dropped. Let’s replace panic by analysis of facts. Starting with the name of the BEAST, Browser Exploit Against SSL/TLS Tool, it is clear that a browser and a web site is involved. If you take a look at the description of the attack, you can infer that the impact doesn’t affect all SSL/TLS deployments. The following text is taken from Bruce Schneier’s blog entry on BEAST. The tool is based on a blockwise-adaptive chosen-plaintext attack, a man-in-the-middle approach that injects segments of plain text

2309, 2011

Workshop: Web Hacking – Attacks, Exploits and Defence

René Pfeiffer/ September 23, 2011/ Conference

In 2011 we have seen a lot of articles about „cyber“ attacks in the media. Judging from the media echo it looks as if a lot of servers were suddenly compromised and exploited for intruding into networks. While attacks usually take advantage of weaknesses in software, servers do not develop vulnerabilities over night. Most are on-board by design, by accident or by a series of mistakes. The first line of defence are web applications. Every modern company has a web site or uses web portals. Attackers know this and look for suitable attack vectors. If you want to improve your security, you have to start right at this first line. This is why we recommend the workshop Web Hacking – Attacks, Exploits and Defence by Shreeraj Shah & Vimal Patel of Blueinfy Solutions. As

2209, 2011

Press Release: How Terrorists encrypt, tenuous Security Situations concerning GSM Networks and IPv6 under Attack

René Pfeiffer/ September 22, 2011/ Press

Press release: From the 15th until the 18th of November international IT-security experts and hackers will meet again in Vienna, Austria, to discuss strategic security topics. The schedule is confirmed: At this year’s international IT-security conference DeepSec, the main focus lies on strategic security topics. DeepSec 2011 takes place from the 15th-18th of November, it’ll be the 5th time that world’s elite in network-security and hacking comes together. Encryption techniques used by terrorists, secure use of mobile devices and the security awareness of their users as well as future security-infrastructures are main topics of this year’s DeepSec. “As in the years before we want to present exciting and controversial topics which concern not only experts, but most of us directly or indirectly in 7 workshops and 34 talks.” says René Pfeiffer, organiser of DeepSec.

2109, 2011

Talk: Intelligent Bluetooth fuzzing – Why bother?

René Pfeiffer/ September 21, 2011/ Conference, Security

Bluetooth devices and software implementations have been a fruitful playground for security researchers for years. You probably remember the PoC code from the trinifite.group and other bugs dragged out into the open. Riding public transport often led to Bluetooth scanning with tools such as Blooover. But that’s all past and gone. Software has evolved. Developers have learned. Modern quality assurance won’t let this happen again. Sadly this is fiction. Tommi Mäkilä has some stories to share about the state of Bluetooth: „Bluetooth robustness is wretched, no surprise there. Bluetooth test results from plugfests show 80% failure rate, eight out of ten tests end with a crash. It is not pretty, it is sad and frustrating. For a moment, few years back, there seemed to be light at the end of the tunnel: the failures

2009, 2011

Talk: IT Security Compliance Management can be done right

René Pfeiffer/ September 20, 2011/ Conference

Your IT infrastructure needs more than hardware or software. If your IT landscape is big enough you already know that. The question how to tackle compliance management remains. What kind of internal and external controls from regulations and other sources are there? What is IT-Risk and IT-Compliance management? Why and for whom does it matter? How can we handle it and how does compliance aggregation fit into the picture? First of all, you need to know whats in your environment, what assets your organisation consists of. How do you want to protect something if you don’t know it exists? Also make sure you know where it is. Charting the access paths to data is not a trivial task. Then you need to know the risk appetite of your company. How much risk are you

1909, 2011

Talk: Windows Pwn 7 OEM – Owned Every Mobile?

René Pfeiffer/ September 19, 2011/ Conference

Windows Phone is an operating system for mobile phones. Similar to other operating systems it has security features such as sandboxing applications, APIs for exchanging data across applications and isolation of storage built in. It also offer methods for encrypting data on the phone itself. There’s more documentation out in the Internet or directly available at Microsoft’s web site. So, this is good, right? In theory, yes. In practice currently very little public information is available about Windows Phone 7 OS security preventing adequate determination of the risk exposed by WP7 devices. This does not refer to the documentation. It’s all about assessing risks, and risk assessment can’t be done by looking at APIs. Alex Plaskett will talk about WP7 security in-depth. He will address the ever increasing challenges and stages of exploitation an

1809, 2011

Talk: How To Rob An Online Bank And Get Away With It

René Pfeiffer/ September 18, 2011/ Conference

We’ve all heard of – or have even been a victim of – attacks against online banking users where malware on their computers stole their identities and transferred their money to offshore mules’ accounts. While such attacks are still possible and will probably remain a viable threat, they suffer from severe limitations: the loot is limited by the amount of money on victims’ accounts, attacks only work against more gullible people and banks are employing security measures that make identity theft increasingly difficult. From the attacker’s point of view this is very undesirable. These factors create incentive for criminals to focus on online banking servers. Incidentally, that’s where – as famous bank robber Willie Sutton might say – all the money is. Now, Mr. Sutton lived in the times of physical currency and had

1509, 2011

When Blackholes backfire…

Mika/ September 15, 2011/ Internet, Odd, Stories

According to our current scientific folklore nothing will ever come out of a black hole, no matter or particles, no light, no information. But black holes in networking can backfire from time to time. Of course I’m talking about “black-holing” Internet traffic, a strategy often used on backbones to defend against attacks, specifically flooding, DDoS and the like. Here is a little story about black hole routing that actually happened, the involved ISP and the victim will not be disclosed for hopefully obvious reasons: Black Hole Routing The specific case I want to talk about is not the common black hole routing explained nicely by Jeremy Stretch on Packetlife which drops traffic to a victim of a DDoS attack. Instead I focus on the “advanced” version of this: RFC 5635: Remote Triggered Black Hole

1509, 2011

Talk: Reassemble or GTFO! – IDS Evasion Strategies

René Pfeiffer/ September 15, 2011/ Conference

Ever since network intrusion technology was introduced, attackers have tried to evade detection. The tactics for evasion changed over time, but there really was no point in the past when evasion was not discussed. This is especially true for all things HTTP, because web applications transmit a rich set of data between server and client (and vice versa). The aim of evasion is to confuse the sensor and to thwart the inspection process itself. Designers have come up with ways to normalise data by reassembly of packets or rewriting content to establish matching with a baseline in terms of data formatting. Attackers usually supply data to an IDS that will never be factored in at the receiving end (evasion by insertion), or by confusing an IDS’s very process of reconstructing the data stream. The attacks

1409, 2011

Talk: An online Game Trojan Framework from China Underground Market

René Pfeiffer/ September 14, 2011/ Conference

Malware infecting computers always serves a purpose. Zombies, as infected systems are called, usually connect to a Command & Control channel and receive their orders from the owners of the zombie herd. Malicious software can also be used as a tool for retrieving information. Some of these tools are specialised and look for specific data such as login credentials. At DeepSec 2011 Hermes Li will explain how a trojan horse designed for stealing user information is installed, how it works and give a short introduction into the Chinese underground market. The talk will also discuss parts of the code, DLL injection and the packer encryption. There is a market for most stolen data. When it comes to games there is even real money in data trafficking. In-game goods (items, currencies, …) can be sold,

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this: