0708, 2011

Explaining Security to non-technical Audiences

René Pfeiffer/ August 7, 2011/ Discussion, Report

A few days ago we had the opportunity to present a review of vulnerabilities in mobile phone networks and typical attack vectors to a non-technical audience (we announced the event in a previous blog posting, the event language was German). The background of the attendees was a spectrum of social sciences, political sciences, different technical science (but not information science), governmental agencies (again non-technical) and journalists. We adapted the slides in order to reduce the complexity and the technical details. The reaction was positive, but most of the questions were aimed at how to defend against the risks. Thus our reduction only lasted until the QA section. If you really want to defend yourself, you have to deal with the details. If you don’t dive into the details, you can give superficial answers at

Read More

3107, 2011

Evaluating your CfP submissions for DeepSec 2010

René Pfeiffer/ July 31, 2011/ Administrivia

We’ve been busy attending the 1. Sicherheitspolitische Aufbauakademie des Bundesverbandes Sicherheitspolitik an Hochschulen in the past days, so we will not comment the submission for DeepSec 2011 immediately. Gathering from the summaries and descriptions so far we are every impressed. DeepSec 2011 will feature some serious talks and new content. Thanks for taking your time and considering to hold a talk at our conference! We will need some time to sort through all submissions and rank them. We may come back to you for questions, but you will get a notice on the state of your submission as soon as possible. Stay tuned! In case you want to submit a talk late, please drop it into our mailbox or use the Call for Papers manager. You will be ranked after the submission that we

Read More

1707, 2011

Last Call for DeepSec 2011 – Reminder – Call for Papers!

René Pfeiffer/ July 17, 2011/ Administrivia, Conference

Come on, get your submissions in order and send them to us! The past weeks were full of vulnerabilities, exploits in action and illustrated security very well. Let’s recall what we are looking for. Mobile computing and communications (the protocols and the gadgets) IPv6 (again protocols and the gadgets) Security management and IT governance (a.k.a. “The Big Picture”) Cloud computing and virtualisation (a.k.a. infrastructure 2.0) Security intelligence (few have it) Psychological aspect of security (social engineering, usable security, …) Topics that have a high impact on IT security (or your/our life in general) Design flaws (“defective by design”, the bugs are out there…) We’re looking for workshops, talks and submissions from young talents (U21). Updates and reviews are welcome provided they are still a threat (the web never gets boring for example). New uses

Read More

1407, 2011

Subverting Femto Cells – Infrastructure at Risk

René Pfeiffer/ July 14, 2011/ Security

The past DeepSec conferences featured talks about mobile telecommunication networks. Security researchers had to turn mobile phones into base stations or create their own from hardware and software. Yesterday The Hacker’s Choice have published a security analysis of Vodafone’s Femto Cells. These cells are small routers used for boosting the 3G signal. They cost about 160£ and can be purchased through the Vodafone store. Reverse engineering turns these little routers into full-blown 3G/UMTC/WCDMA interception devices. You can catch IMSIs and retrieve the secret subscriber information by requesting it from the core network. By using this secret key material you can decrypt intercepted phone calls and data transmissions. The reverse engineering process even produced the root password of the device (it’s ceolyx, but you need to decrypt it; other blogs feature the full plaintext password). This

Read More

0707, 2011

SecInt: Radar for Anti-Security Movement

René Pfeiffer/ July 7, 2011/ High Entropy, Press, Security

We have been talking to some journalists in the past weeks. Most questions revolved around the rise in attacks against well-known web sites and their companies (or vice versa). Jeffrey Carr has published a good source for an overview of Anti-Security groups. If you are looking what to put on your radar, his article might be a good start. Security intelligence is gathering importance. Make sure that you don’t drown in tools or gadgets, and that you don’t neglect your strategic view. Quite a lot of people are confused by the many reports of incidents, „lulz“, „LOLs“, scanty slogans when it comes to motivations of attackers, damage reports, panic and media mind disruption (always remember: anonymous ≠ Anonymous). Currently we’re working on material to put the threats into perspective. It’s hard to distinguish the

Read More

0107, 2011

Veranstaltung zum Thema Informationstechnologie und Sicherheitspolitik

René Pfeiffer/ July 1, 2011/ Veranstaltung

Zwischen dem 28. und 31. Juli 2011 findet in Berlin die 1. Sicherheitspolitische Aufbauakademie des Bundesverbandes Sicherheitspolitik an Hochschulen statt. Sie trägt den Titel „Informationstechnologie und Sicherheitspolitik – Wird der 3. Weltkrieg im Internet ausgetragen?“. Die DeepSec Konferenz wird bei dieser Veranstaltung mit zwei Vorträgen zum Thema „Angriffe gegen Funknetze – wie verwundbar ist das GSM-Netz?“ und „Ausgewählte Angriffsvektoren — Zombies, Botnetze und dDoS-Attacken“ mitwirken. Wir versuchen damit Auszüge und Zusammenfassungen der vergangenen DeepSec Konferenzen komprimiert und auch für Nichttechniker zu vermitteln. Das volle Programm ist als PDF herunterladbar. Im Rahmen der Veranstaltung sollen die Themen Sicherheitspolitik und Informationstechnologie miteinander verbunden werden. „Cyberwar“ ist in aller Munde und hat schon Eingang in Militärdoktrine gefunden. Es stellen sich daher die Fragen: Was ist „Cyberwar“? Welche Bedrohungen sind relevant? Wie kann eine Auseinandersetzung mit Mitteln der

Read More

3006, 2011

Reminder – Call for Papers DeepSec 2011 – deadline approaching

René Pfeiffer/ June 30, 2011/ Administrivia, Conference

In case you have not yet prepared a submission for DeepSec 2011, please consider to do so. The deadline is approaching! We have already received submissions, but we have a hard time believing that everything is secure out there. That can’t be, you know it, and we know it. Submit your in-depths talks and workshops, give our programme committee some work to do, and maybe we can even have some in-depth lulz, who knows. Speaking of security and design flaws, don’t forget the ubiquitous web interfaces. Everyone and everything has a web interface – your bank, your government, your routers, your servers, your average smart meter (measuring electricity/water/gas consumption), your printers, your household appliances, your TV set, your video/audio player and possibly a lot of devices you are unaware of. Of course, feel free

Read More

2406, 2011

Some Slides from DeepSec 2009

René Pfeiffer/ June 24, 2011/ Administrivia, Conference

Some of you might already noticed the videos from the DeepSec 2009 conference on Vimeo. Sadly we don’t have all the slides for all talks, but here are some documents from our archive. #TwitterRisks: Bot C&C, Data Loss, Intel Collection & More by Ben Feinstein – Slides Dynamic Binary Instrumentation for Deobfuscation and Unpacking by Daniel Reynaud and Jean-Yves Marion – Slides Windows Secure Kernel Development by Fermin J. Serna – Slides Stoned déjà vu – again by Peter Kleissner – Slides Key Management Death Match? Competing KM Standards Technical Deep Dive by Marc Massar – Slides USB Device Drivers: A Stepping Stone into your Kernel by Moritz Jodeit and Martin Johns – Slides eKimono: Detecting Rootkits inside Virtual Machine by Nguyen Anh Quynh – Slides Ownage 2.0 by Saumil Shah – Slides

1906, 2011

Photographs from B Sides Vienna / Ninjacon

René Pfeiffer/ June 19, 2011/ Conference, Veranstaltung

We’ve put some photographs from B Sides Vienna / Ninjacon online. You can view them at our Flickr page. The event was very cool, the security was tight(ly hacked), everyone had a lot of fun. We have not photographed the creative „Kinderhacks“, maybe someone else has some pictures.

1806, 2011

Talk: Data Exfiltration – not just for Hollywood

René Pfeiffer/ June 18, 2011/ Security

Iftach Ian Amit discusses infiltration of networks and exfiltration of data. Imagine you have completed the infiltration, data targeting and acquisition phase. You have secured the data you were looking for. Now what? How do you get to „your“ data out of highly secured environments? You need to avoid data loss protection (DLP) tools, avoid IPS/IDS, avoid updating your payload frequently, need to design a control channel that can handle disconnected operation. The data itself needs to be protected from filters or pattern matching sensors. SSL/TLS comes to mind, but some infrastructures terminate SSL at proxies and inspect content. End-to-end encryption is a better method if combined with content obfuscation (there are patter matches for GPG/PGP and other ways, too). Transport needs to use a covert or back channel. This can be a talk page of

Read More

1806, 2011

Talk: Attack UPnP – The Useful plug and pwn protocols

René Pfeiffer/ June 18, 2011/ Security

Most firewall admins are quite allergic to Universal Plug and Play (UPnP). This is why it is usually turned off. Arron „Finux“ Finnon explains what UPnP can do. Its intended use is to facilitate data transmissions of UPnP-capable devices, meaning that these devices and software can use UPnP to poke holes into NAT devices and firewalls. Enabling UPnP a spare router with a free Wi-Fi network enables you to learn a lot about your neighbours. You can do device enumerating and identify devices requesting. And this is just the beginning. UPnP solved their security problems by not implying any security It’s a bit like Bonjour, a bit like mDNS, a bit like this and that. From the security point of view it’s a nightmare. There’s no authentication and no authorisation. UPnP will happily do

Read More

1806, 2011

Talk: Hacking Digital Measuring Devices

René Pfeiffer/ June 18, 2011/ Security

We just listened to the talk by Franz Lehner about „Hacking Digital Measuring Devices“. Smart meters are ubiquitous. A lot of measuring devices have turned digital and are composed of a small CPU with some memory and connections to sensors or data outlets. Calibration is always involved when you measure something. Having access to the calibration mode/commands of a smart meter can change your bills, supply false readings to operators and can even be ramped up to be a security risk. Think vapour/liquid pressure, temperature, speed, humidity, power, etc. Usually you rely on the output of sensors, right? Smart meters is something to watch very closely. Again there’s a link to cars (which use smart meters for measuring the speed and other parameters), then there’s a link to the power grid, and there a

Read More

1506, 2011

See you at Ninjacon 2011 / BSidesVienna!

René Pfeiffer/ June 15, 2011/ Conference, Security

On June 18th the Ninjacon 2011 and the B Sides Vienna will take place. We will be present, help with the organisation, watch as many talks as possible and blog about it (at least we’ll send some tweets). If you got some time to spare, drop by (make sure you get a ticket first) or come to the party afterwards!

1406, 2011

Is your car on the Internet?

René Pfeiffer/ June 14, 2011/ Security, Stories

We published some press releases in the past that dealt with networked subsystems in cars. Security researchers connected to the Controller-Area Network (CAN) and tried to inject commands (which worked scarily well). We claimed that automobile manufacturer were way behind in security compared to everyone who has to secure systems in the Internet. The claim was half-part fact and half-part conjecture. Now it’s time to correct our claim. Cars can now leak information and push it to the Internet: Electric cars manufactured by Nissan surreptitiously leak detailed information about a driver’s location, speed and destination to websites accessed through the vehicle’s built in RSS reader, a security blogger has found. … “All of these lovely values are being provided to any third party RSS provider you configure: CNN, Fox News, Weather Channel, it doesn’t

Read More

1306, 2011

DeepSec 2011 Focus: Usable Security

René Pfeiffer/ June 13, 2011/ Administrivia, Conference

A few days ago we uploaded the keynote speech held by Matt Watchinski at DeepSec 2009. The title was: „Technology Won’t Save You, Only People Will“ This statement can be turned into the opposite: Technology won’t threaten you, people will. We’re not talking about threats from insiders turned rogue. We are talking about holes in your defence because of  badly configured or mishandled security devices and software. This has nothing to do with being Bastard Operator from Hell and putting the blame on the users or colleagues. A modern company infrastructure has to deal with a lot of  complexity all by itself. Adding security won’t reduce this complexity. Adding badly designed user interfaces (for security devices and options), confusing status/error messages and hardly comprehensible settings will most certainly increase the risk of security incidents.

Read More