We’ve put some photographs from B Sides Vienna / Ninjacon online. You can view them at our Flickr page. The event was very cool, the security was tight(ly hacked), everyone had a lot of fun. We have not photographed the creative „Kinderhacks“, maybe someone else has some pictures.
Iftach Ian Amit discusses infiltration of networks and exfiltration of data. Imagine you have completed the infiltration, data targeting and acquisition phase. You have secured the data you were looking for. Now what? How do you get to „your“ data out of highly secured environments? You need to avoid data loss protection (DLP) tools, avoid IPS/IDS, avoid updating your payload frequently, need to design a control channel that can handle disconnected operation. The data itself needs to be protected from filters or pattern matching sensors. SSL/TLS comes to mind, but some infrastructures terminate SSL at proxies and inspect content. End-to-end encryption is a better method if combined with content obfuscation (there are patter matches for GPG/PGP and other ways, too). Transport needs to use a covert or back channel. This can be a talk page of
Most firewall admins are quite allergic to Universal Plug and Play (UPnP). This is why it is usually turned off. Arron „Finux“ Finnon explains what UPnP can do. Its intended use is to facilitate data transmissions of UPnP-capable devices, meaning that these devices and software can use UPnP to poke holes into NAT devices and firewalls. Enabling UPnP a spare router with a free Wi-Fi network enables you to learn a lot about your neighbours. You can do device enumerating and identify devices requesting. And this is just the beginning. UPnP solved their security problems by not implying any security It’s a bit like Bonjour, a bit like mDNS, a bit like this and that. From the security point of view it’s a nightmare. There’s no authentication and no authorisation. UPnP will happily do
We just listened to the talk by Franz Lehner about „Hacking Digital Measuring Devices“. Smart meters are ubiquitous. A lot of measuring devices have turned digital and are composed of a small CPU with some memory and connections to sensors or data outlets. Calibration is always involved when you measure something. Having access to the calibration mode/commands of a smart meter can change your bills, supply false readings to operators and can even be ramped up to be a security risk. Think vapour/liquid pressure, temperature, speed, humidity, power, etc. Usually you rely on the output of sensors, right? Smart meters is something to watch very closely. Again there’s a link to cars (which use smart meters for measuring the speed and other parameters), then there’s a link to the power grid, and there a
On June 18th the Ninjacon 2011 and the B Sides Vienna will take place. We will be present, help with the organisation, watch as many talks as possible and blog about it (at least we’ll send some tweets). If you got some time to spare, drop by (make sure you get a ticket first) or come to the party afterwards!
We published some press releases in the past that dealt with networked subsystems in cars. Security researchers connected to the Controller-Area Network (CAN) and tried to inject commands (which worked scarily well). We claimed that automobile manufacturer were way behind in security compared to everyone who has to secure systems in the Internet. The claim was half-part fact and half-part conjecture. Now it’s time to correct our claim. Cars can now leak information and push it to the Internet: Electric cars manufactured by Nissan surreptitiously leak detailed information about a driver’s location, speed and destination to websites accessed through the vehicle’s built in RSS reader, a security blogger has found. … “All of these lovely values are being provided to any third party RSS provider you configure: CNN, Fox News, Weather Channel, it doesn’t
A few days ago we uploaded the keynote speech held by Matt Watchinski at DeepSec 2009. The title was: „Technology Won’t Save You, Only People Will“ This statement can be turned into the opposite: Technology won’t threaten you, people will. We’re not talking about threats from insiders turned rogue. We are talking about holes in your defence because of badly configured or mishandled security devices and software. This has nothing to do with being Bastard Operator from Hell and putting the blame on the users or colleagues. A modern company infrastructure has to deal with a lot of complexity all by itself. Adding security won’t reduce this complexity. Adding badly designed user interfaces (for security devices and options), confusing status/error messages and hardly comprehensible settings will most certainly increase the risk of security incidents.
We’ve been through four DeepSec conferences already, and MiKa and me have talked in person at other events. Given the feedback we received about past DeepSec speakers, the video recordings and our own experience, we’d like to give everyone who is thinking about submitting a talk some advise. It really doesn’t matter if you are going to speak at DeepSec (though we prefer this option) or anywhere else. If you have something to say, then make sure your message is delivered in an appropriate wrapping. Try to address your audience and make them listen to you. There are ways to do this, and most of them can be practised and learnt. Structure : Most talks have an outline of what the audience can expect. Take some extra time and think about the agenda. If
The registration for DeepSec 2011 is now officially open. You can register for the conference, workshops or both. We offer three booking phases: Early Bird, Regular and Last Minute. Please keep in mind that the Early Bird tickets are the cheapest. The longer you wait, the more you have to pay. Since the Call for Papers is still running the workshop slots are empty, but you can buy workshop or conference+workshop tickets now and decide which workshop you want later (when we publish the schedule). If you have any questions, drop us a few lines.
Wir, Chris John Riley und René Pfeiffer, waren bei Radio Netwatcher zu Gast um etwas über Sicherheit, Datenpannen und die zunehmende Präsenz der eigenen Daten im Internet zu reden. Anlaß waren die Ereignisse der letzten Wochen in Sonys Playstation Netzwerk, bei den Auth Tokens der Facebook Apps sowie bei Googles Android Betriebssystem und vieles mehr. Hersteller und Behörden versprechen sehr viel, aber wenn man einige der vergangenen Katastrophen als Vergleich nimmt, dann fragt man sich zu Recht nach der Sicherheit. Wie sicher ist man im Internet? Das hängt davon ab, wie üblich, aber wir haben versucht einige Antworten zu geben (und da wir das Internet täglich benutzen, gibt es vielleicht etwas Hoffnung). Die Sendung ist auf Radio Orange am Freitag um 13:00 Uhr zu hören. Darüber hinaus möchten wir auf die bevorstehende BSidesVienna |
Finally we found some time to sort through the video recording legacy of past DeepSec conferences. We’ve been asked for video material repeatedly since we record all talks held at DeepSec (except those where the speaker does not want to be published on video). Let me explain what the state of our video archive is. All video recordings were done by different teams consisting of video professionals, volunteers from Metalab and students of the St. Pölten University of Applied Sciences. We used different camera equipment, sound feeds due to changes with the audio system on-site and various storage media because of different digital cameras on-site. The videos of DeepSec 2007 are on Google Video since June 2008. We have re-added them to our internal archive, and we noticed that killab66661 has added the videos
Have you lost track of the risks that may or may not impact your security? How good are the facts you base your security decisions on? Does your organisation follow defined procedures in terms of deploying, monitoring or evaluating security measures? Who decides what’s next and what’s being phased out? Is there a way to get more sleep while fencing off risk factors at the same time? It’s very easy to get lost in the details and drown in the various tools of the security trade. Every day something happens. A single 0day can ruin your meticulously designed schedule. It would be nice to get a grip on the dynamics and introduce more stability. CIOs need to address the Big Picture. That’s exactly why we mentioned security management in our CfP. We’d like to
The German Federal Minister of the Interior, Hans-Peter Friedrich, has warned „that it is only a question of time until criminal gangs and terrorists have virtual bombs at their disposal“. While the term „virtual bomb“ is very vague by itself, the minister mentioned „malware“ as well. This is no surprise for security researchers. Malicious software has already been used for attacking companies. The infrastructure of whole countries has been attacked as well. Logic bombs have been used in the past, but they have never been used to wage warfare. They have been used for revenge by disgruntled employees or for blackmailing someone (as the ransomware malware also does). Tools like this are used for very specific purposes (such as espionage or targeted destruction), but never for an all-out assault. Even a (D)DoS often has
Tomorrow we will present a review talk about the state of mobile network security. The talk will be held at the Linuxwochen in Eisenstadt. We will address results discussed in the past DeepSec conferences (including work of Karsten Nohl, Harald Welte, David A. Burgess, Sylvain Munaut, Dieter Spaar, Ralph-Philipp Weinmann and others). If you understand German we recommend listening to Chaosradio Express #179 where Karsten explain to Tim Pritlove the state of GSM security over a period of 130 minutes. Slides of our talk will be available after the Linuxwochen. Update: You can download the slides here. There’s a simple audio recording available as well (MP3 or OGG).
Recently we mentioned the topic of mobile security in this blog since it keeps being addressed by security researchers. Now there’s something that can be combined by networking, defective by design and mobile security. German security researcher from the University of Ulm have explored a flaw in Google’s ClientLogin protocol. The initial idea stems from Dan Wallach, who took a closer look at the transmissions of an Android smartphone. The authentication token is sent via unencrypted HTTP which means it can be seen by attackers on the same network. Since the token is your key to online services and is probably used by apps dealing with your calendar, contacts or private pictures, an attacker has full access to this data (or any other data an app deals with via the network). Reading, manipulating or