Workshop: The Art of Exploiting Injection Flaws

René Pfeiffer/ September 12, 2011/ Conference

If you have ever developed a web application you know that attackers try to exploit requests to the web server in order to inject commands sent to a database server. This attack is called SQL injection. It is done by modifying data sent through web forms or parameters that are part of a request to a web server. In theory web developers learn to avoid the mistakes that lead to SQL injection. In practice not every developer has the knowledge, the skill or the tools to prevent SQL injection. Validating data can be hard if the data is badly defined or if the building blocks of the web application do not offer ways to normalise or sanitise data. Most developers might not even know if the frameworks they are using protect them or

Read More

Workshop: Attacks on GSM Networks

René Pfeiffer/ September 10, 2011/ Conference

The topic of GSM networks has been discussed at past DeepSec conferences right from the very first event in 2007. Recent years saw a significant increase of research in GSM attacks: the weaknesses of A5/1 encryption have been demonstrated and exploited, several GPRS networks in Europe have been shown to be insecure, and an ever-growing number of Open Source projects in the area of GSM and GPRS are gaining significant traction. Despite the availability of attack methods, the tools are often hard to use for security professionals due to their limited documentation. The published attacks are often difficult to reimplement when assessing the vulnerability of GSM networks. This is exactly why DeepSec 2011 offers a two-day training on attacking GSM networks. Attendees will spend about half the time revisiting the key aspects of GSM’s

Read More

Talk: SMS Fuzzing – SIM Toolkit Attack

René Pfeiffer/ September 8, 2011/ Conference

We’re pretty sure that you own a mobile phone and that you send and receive text messages. Do you feel at risk or somehow threatened? If not, then you might want to reconsider your opinion. Cell phones, no matter if dumb or smart, are always connected to the mobile phone network. This means that they can receive messages and commands from the network. The security of GSM has already been explored at past DeepSec conferences. There’s a chance that you are prone to attacks. Let’s stick to text messages. At DeepSec 2011 we will show how to make a phone send an SMS message without the user’s consent and how to prevent the phone from receiving any message. The method used works on any phone, no matter if it’s a smartphone or not

Read More

Talk: Insight Into the Russian Black Market

René Pfeiffer/ September 7, 2011/ Conference

You have all heard the term cybercrime, and you have heard about all things cybercrime – stolen credentials, data theft, fraud, blackmail and more. You may have heard that there are markets for goods connected to computer crime. You may have heard that there’s a lot of money in it (enough to pay off the national debts of most states including the USA, if you total all reports on damages by cybercrime). As usual the problems lie in connecting the dots. What are the mechanisms behind these black markets? What are the goods? Who pays for them and by which means? Surely you cannot just walk into a chat room, drop your credit card number and walk away with the digital loot, or can you? What if you end up being a trade object yourself?

Read More

Talk/Workshop: IPv6 Security In-Depth

René Pfeiffer/ September 6, 2011/ Conference

The tale of two protocol suites has been in the writing for some time now. The IPv4 Internet has run out of fresh addresses. The IPv6 deployment has begun, but it will take some time before IPv4 is completely phased out (if ever). The work on the IPv6 protocol started in the early 1990s with the temporary IP Next Generation Working Group, which collected proposals. In theory IPv6 addresses many shortcomings of IPv4 and consists of a thoroughly well-designed protocol suite with security in mind. In practice you will neither just switch to IPv6 nor skip the step where you consider the security implications. There is no zero-conf mechanism when it comes to security. All businesses need to know what the security impact of IPv6 really is. Some networks have already deployed IPv6, others think

Read More

Talk: The Management of IT Threats. European Digital Agenda’s Weakness

René Pfeiffer/ September 5, 2011/ Conference

In case you haven’t heard about it, there is a digital agenda for the coming decade, developed by the European Commission. Quoted from the web site: Europe 2020 is the EU’s growth strategy for the coming decade. In a changing world, we want the EU to become a smart, sustainable and inclusive economy. These three mutually reinforcing priorities should help the EU and the Member States deliver high levels of employment, productivity and social cohesion. Concretely, the Union has set five ambitious objectives – on employment, innovation, education, social inclusion and climate/energy – to be reached by 2020. Each Member State has adopted its own national targets in each of these areas. Concrete actions at EU and national levels underpin the strategy. The strategy includes a strong coordination between public and private institutions, located

Read More

Encrypted Communication with DeepSec

René Pfeiffer/ September 4, 2011/ Administrivia

For all of you who do not pay close attention to the contact section on our web site, we offer various ways to communicate via encrypted messages. We have published two GPG keys, one for our role account (key 0x22860969) and one for a person from our organisation team (key 0x6E4037AF). Use PGP/MIME format if possible (ASCII armour is so old school ☺). We have set up an e-mail forwarding service via privacybox.de. You can use a standard web form, a form suited for mobile clients and a form reachable via a Tor hidden service. While we have no idea how privacybox.de handles their own security, it’s a nice service. You can always double- or triple-encrypt if in doubt. When on IRC (channel #deepsec on irc.freenode.net, usually most active prior to and shortly after

Read More

Talk (U21): Solving Social Engineering Attacks

René Pfeiffer/ September 1, 2011/ Conference

You’ve heard about social engineering. You know your weakest links. You have the task of defending your network against intruders. You know how to do this with your web applications, networks, clients and servers. All these things have neat classifications of attacks, best practice lists and lots of other resources. What about social engineering? How do you keep the wrong people out and your critical information in? How do you classify the attacks? Toby Foster of the University of York, student of Computer Science and intern at First Defence Information Security, tries to address this problem by talking about modelling, categorising and solving the attacks: „There are many definitions of social engineering; almost every book or website on the subject has a different definition. Probably the only consistent point is that it relies

Read More

Talk: How Terrorists Encrypt

René Pfeiffer/ August 31, 2011/ Conference

Encryption technology has always been regarded as a weapon, due to its uses in wars and espionage. In the US, software used for encryption was banned from export to other countries. The export regulations for strong cryptography were relaxed in 1996. Some countries still consider cryptographic software a threat. Recently there have been discussions in the USA again about controlling access to encrypted communication channels. The United Arab Emirates, Indonesia, India and Saudi Arabia have taken legal action against the strong encryption of the BlackBerry Messenger Service. Encrypted messaging was discussed in the UK after the riots in August. Pakistan has banned all encryption and requires users to apply for a permit. Usually the proponents of regulations claim that terrorists and cybercrime are heavy users of strong cryptography. So how do terrorists really encrypt? Are there software

Read More

Talk/Workshop: SAP Security In-Depth

René Pfeiffer/ August 31, 2011/ Conference

No two SAP deployments are the same. If you run an SAP environment, then you will most certainly use customisations and a multi-tier architecture. You will have tied your SAP deployment to your assets. The typical setup features Development, Quality Assurance and Production (which is the minimum number of tiers; you may have more). While the development and IT staff mainly interact with the Development and Quality Assurance environments, the organisation’s end users only connect to the Production systems in order to carry out the required business processes. As soon as security considerations come into play you will probably audit your infrastructure. Since auditors cost money, most SAP deployments won’t be scrutinised completely. And then you are in trouble despite passing tests with flying colours. Using short-cuts is the best way to run into trouble. Consider your multi-tier

Read More

DeepSec 2011 Schedule and Description of Talks/Workshops

René Pfeiffer/ August 23, 2011/ Conference

We’ve already published the preliminary schedule for DeepSec 2011. Most of the speakers have already confirmed their presence at the conference, but we are still waiting for some e-mail replies. While preparing the schedule we’ve asked for more descriptions, and we will describe the talks and workshops in slightly more detail in the blog. We know that some of the titles deserve a closer look, especially since we got very interesting topics to talk about. During the next weeks we will dedicate a whole blog article to each and every slot in our schedule. Stay tuned! Please make sure that you don’t miss the early-bird rates. Tickets at reduced prices are still available until mid-September 2011!

Cargo Cult Security

René Pfeiffer/ August 21, 2011/ High Entropy, Stories

Here is a fictional story for you that bears no resemblance to any living, dead, or undead persons whatsoever. Imagine someone who is interested in establishing and maintaining a „medium“ to „high“ level of security for his or her business data. This person is a power user and uses hard disk encryption, an encrypted file server, access to internal data by VPN and GPG/PGP for communication. So far, so good. Now for the bad news: untrusted devices without security software may also access internal resources and shiny new workstations run without anti-virus protection or firewalls. Questions regarding potential risks go unnoticed, suggestions to periodically check the security measures also disappear into the vast void of email. What is wrong with this picture? Well, given that all of this is purely fictional, someone you might

Read More

Discussion about Data Protection and the Game Industry at GamesCon

René Pfeiffer/ August 20, 2011/ Report, Security

The GamesCon is taking place in Cologne. We were present on the first day in order to participate in a discussion about data protection in online games. Discussion partners were Konstantin Ewald, a lawyer and blogger (Online. Spiele. Recht), and Ulrich Lepper, North Rhine-Westphalia’s Commissioner for Data Protection and Freedom of Information. Online gaming is tied to user accounts and personal data. It is linked with targeted advertising. Since the Sownage series of attacks the issue has arrived in the mainstream media. There is no need to name Sony or any other company as a culprit, or to shift the blame around. Like web applications, the world of online games is complex in itself. Hardening your infrastructure is fine, but this is only a part of the story. There are other components such

Read More

Preliminary Schedule of DeepSec 2011 published

René Pfeiffer/ August 19, 2011/ Administrivia, Conference

Finally we have reviewed all your submissions, and we have published a preliminary schedule on our web site. We have not filled all workshop slots, because some of the workshop submissions are still under review and some submitters have been asked for further material. We wish to express our deepest thanks for your submissions! We received far more than we can possibly squeeze into the conference schedule, most of the material being absolutely new and of high interest. We had a hard time rejecting talks, so don’t be sad if you couldn’t make it this time. So, to everyone whose submission was rejected: we will contact you again. The topics range from encryption, attacking mobile devices, IT compliance management, SAP weaknesses (yes, SAP deployments can be attacked, really), cyber-peace (we’re curious as well), insights

Read More

Explaining Security to non-technical Audiences

René Pfeiffer/ August 7, 2011/ Discussion, Report

A few days ago we had the opportunity to present a review of vulnerabilities in mobile phone networks and typical attack vectors to a non-technical audience (we announced the event in a previous blog posting; the event language was German). The background of the attendees spanned social sciences, political sciences, various technical sciences (but not information science), governmental agencies (again non-technical) and journalists. We adapted the slides in order to reduce the complexity and the technical details. The reaction was positive, but most of the questions were aimed at how to defend against the risks. Thus our reduction only lasted until the Q&A session. If you really want to defend yourself, you have to deal with the details. If you don’t dive into the details, you can give superficial answers at

Read More