DeepSec 2018 Talk: A Tour of Office 365, Azure & SharePoint, through the Eyes of a Bug Hunter – Dr.-Ing Ashar Javed

Sanna/ October 5, 2018/ Conference, Security

Cross-Site Scripting (XSS) outbreak has started almost twenty years ago and since then it has been infecting web applications at a concerning pace. It is feared that the influx of programs and bug hunters arriving at bug bounty platforms will worsen the situation given more disclosed cases of bug(s) or public citing and viewing. According to #FakeNews Media, the outbreak engulfed One Microsoft Way in Redmond. This is where a contagious tour starts. The tour guide will convoy you through 50 award winning shattered windows in Office 365, Azure and SharePoint. All reported XSS findings spawned great riches and ended up in The Honor Roll or made their way to a simple acknowledgement entry or several CVE-plated thanks. The goal of this walking tour: an intimate look at Microsoft online or cloud services (Office

Read More

DeepSec 2018 Talk: Orchestrating Security Tools with AWS Step Functions – Jules Denardou & Justin Massey

Sanna/ September 17, 2018/ Conference

Increasingly frequent deployments make it impossible for security teams to manually review all of the code before it is released. Jules Denardou and Justin Massey wrote a Terraform-deployed application to solve this problem by tightly integrating into the developer workflow. The plugin-based application has three core components, each represented by at least one Lambda function: a trigger, processing and analysis, and output. The plugins, such as static analysis, dependency checking, github integrations, container security scanning, or secret leak detection can be written in any language supported by AWS Lambda. The underlying technology for this tool is a serverless system utilizing several AWS Services, such as API Gateways, Step Functions and Lambdas. In this talk you’ll not only learn about our tool and how to implement it in your CI/CD pipeline, but also how to

Read More

Meltdown & Spectre – Processors are Critical Infrastructure too

René Pfeiffer/ January 6, 2018/ Discussion, High Entropy

Information security researchers like to talk about and to analyse critical infrastructure. The power grid belongs to this kind of infrastructure, so does the Internet (or networks in general). Basically everything we use has components. Software developers rely on libraries. Usually you don’t want to solve a problem multiple times. Computer systems are built with many components. Even a System on a Chip (SoC) has components, albeit smaller and close to each other. 2018 begins with critical bugs in critical infrastructure of processors. Meltdown and Spectre haunt the majority of our computing infrastructure, be it the Cloud, local systems, servers, telephones, laptops, tablets, and many more. Information security relies on the weakest link. Once your core components have flaws, then the whole platform may be in jeopardy. In 2017 malicious hypervisors in terms of

Read More

Google supports DeepSec 2017

René Pfeiffer/ October 12, 2017/ Conference, Internet

You have probably heard of Google. Well, you will be hearing more from them if you come to DeepSec 2017. They have agreed to support our conference. They will be on site, and you will be able to talk to them. Every year we aim to give you opportunities for a short-cut, for exchanging ideas, and for thinking of ways to improve information security. A big part of this process is fulfilled by vendors and companies offering service in the information security industry. This includes the many good people at CERTs and the countless brave individuals in the respective security team. So we hope you take advantage of Google’s presence at DeepSec. See you in Vienna!

DeepSec 2016 Talk: Malicious Hypervisor Threat – Phase Two: How to Catch the Hypervisor – Mikhail A. Utin

Sanna/ September 22, 2016/ Conference, Security

The blue/red pill analogy has been used a lot when it comes to hypervisor security and virtualisation. While there are reliable ways to determine if your code runs in a hypervisor or not, the underlying problem still persists. How do you know if the platform your code runs on watches every single move, i.e. instruction or data? Given the discussion of backdoors in hardware, this threat is real. Mikhail Utin discussed his findings at DeepSec 2014. He discovered manipulation of the BIOS in certain server systems. The hardware was probably affected, too. Two years later he presents his research covering the detection of malicious hypervisors in parts of your infrastructure where they should not be. Utilizing the definition of vulnerability as “inability to resist a threat” we want to update our consideration of three

Read More

Of Clouds & Cyber: A little Story about Wording in InfoSec

René Pfeiffer/ September 5, 2016/ Discussion, High Entropy

In case you ever received a message about our calls for papers, you may have noticed that we do not like the word cyber. Of course we know that it is used widely. Information security experts are divided if it should be used. Some do it, some reject it, some don’t know what to do about it. We use it mostly in italics or like this: „cyber“. There is a reason why, but first let’s take a look where the word comes from. The Oxford Dictionaries blog mentions the origin in the word cybernetics. This word was used in the 1940 by scientists from the fields of engineering, social sciences, and biology. Cybernetics deals with the study of communication and control systems in living beings and machines. Hence the word is derived from the

Read More

Digital Naval Warfare – European Safe Harbor Decree has been invalidated

René Pfeiffer/ October 8, 2015/ Discussion, High Entropy, Internet, Legal

The global cargo traffic on the Internet needs to revise its routes. The Court of Justice of the European Union has declared the so-called „Safe Harbor“ agreement between the European Commission (EC) and US-American companies as invalid. The agreement was a workaround to export the EU Directive 95/46/EC on the protection of personal data to non-EU countries. The ruling was a result of the ‘Europe v Facebook’ lawsuit by Austrian law student and privacy activist Max Schrems. This means that European companies might violate the EU privacy laws when storing or processing personal data on US-American servers. Among the arguments was that the rights of the European data protection supervision authorities must not be constrained and that due to the NSA PRISM program the protection of personal data according to EU directives is not

Read More

New MJS Article: Trusting Your Cloud Provider – Protecting Private Virtual Machines

René Pfeiffer/ June 17, 2015/ Report, Security

Once you live in the Cloud, you shouldn’t spent your time daydreaming about information security. Don’t cloud the future of your data. The Magdeburger Journal zur Sicherheitsforschung published a new article by Armin Simma (who talked about this topic at DeepSec 2014). The Paper titled »Trusting Your Cloud Provider: Protecting Private Virtual Machines« discusses an integrated solution that allows cloud customers to increase their trust into the cloud provider including cloud insiders. This article proposes an integrated solution that allows cloud customers to increase their trust into the cloud provider including cloud insiders (e.g. administrators). It is based on Mandatory Access Control and Trusted Computing technologies, namely Measured Boot, Attestation and Sealing. It gives customers strong guarantees about the provider’s host system and binds encrypted virtual machines to the previously attested host. This article

Read More

DeepSec 2014 Talk: Cloud-based Data Validation Patterns… We need a new Approach!

Sanna/ October 28, 2014/ Conference, Interview

Data validation threats (e.g. sensitive data, injection attacks) account for the vast majority of security issues in any system, including cloud-based systems. Current methodology in nearly every organisation is to create data validation gates. But when an organisation implements a cloud-based strategy, these security-quality gates may inadvertently become bypassed or suppressed. Everyone relying on these filters should know how they can fail and what it means to your flow of data. Geoffrey Hill has been in the IT industry since 1990, when he developed and sold a C++ application to measure risk in the commodities markets in New York City. He was recently employed by Cigital Inc., a company that specializes in incorporating secure engineering development frameworks into the software development life-cycles of client organizations.  He was leading the software security initiative at a major phone

Read More

DeepSec 2014 Talk: Trusting Your Cloud Provider – Protecting Private Virtual Machines

René Pfeiffer/ September 12, 2014/ Conference

The „Cloud“ technology has been in the news recently. No matter if you use „The Cloud™“ or any other technology for outsourcing data, processes and computing, you probably don’t want to forget about trust issues. Scattering all your documents across the Internet doesn’t require a „Cloud“ provider (you only need to click on that email with the lottery winnings). Outsourcing any part of your information technology sadly requires a trust relationship. How do you solve this problem? Armin Simma of the Vorarlberg University of Applied Sciences has some ideas and will present them at DeepSec 2014. Th presentation shows a combination of technologies on how to make clouds trustworthy. One of the top inhibitors for not moving (virtual machines) to the cloud is security. Cloud customers do not fully trust cloud providers. The problem

Read More

DeepSec 2013 Video: Pivoting In Amazon Clouds

René Pfeiffer/ February 23, 2014/ Conference

The „Cloud“ is a great place. Technically it’s not a part of a organisation’s infrastructure, because it is outsourced. The systems are virtualised, their physical location can change, and all it takes to access them is a management interface. What happens if an attacker gains control? How big is the impact on other systems? At DeepSec 2013 Andrés Riancho showed what attackers can do once they get access to the company Amazon’s root account. There is more to it than a simple login. You have to deal with EC2, SQS, IAM, RDS, meta-data, user-data, Celery, etc. His talk follows a knowledgeable intruder from the first second after identifying a vulnerability in a cloud-deployed Web application through all the steps he takes to reach the root account for the Amazon user. Regardless of how your

Read More

DeepSec 2013 Video: From Misconceptions To Failure – Security And Privacy In The US Cloud Computing FedRAMP Program

René Pfeiffer/ February 18, 2014/ Conference, Security

The „Cloud“ is the Fiddler’s Green of information technology. It’s a perpetual paradise built high above the ground where mortal servers and software dwell. Everyone strives to move there eventually, because once you are in digital paradise, then all your sorrows end. So much for the theory. The reality check tell a different story. This is why we invited Mikhail A. Utin (Rubos, Inc.) to DeepSec 2013. He presented an in-depth analysis of the US government’s FedRAMP programme. „…However, regardless of numerous concerns expressed by information security professionals over CC services, US government developed the FedRAMP program and got funding for moving all federal information systems into a “cloud”. As we identified, all “cloud” misconceptions have successfully made it into FedRAMP documents. What should we expect from such a large scale experiment? What will

Read More

DeepSec 2013 Video: Cracking And Analyzing Apple iCloud Protocols

René Pfeiffer/ January 17, 2014/ Conference

The „Cloud“ has been advertised as the magic bullet of data management. Basically you put all your precious eggs into one giant basket, give it to someone else, and access your data from everywhere – provided you have a decent Internet connection. Since someone else is now watching over your data, you do not always know what protocols and security measures are in place. Few „cloud“ solutions publish what they actually do. Apple’s iCloud system is no different. Vladimir Katalov (ElcomSoft Co. Ltd.) explained in his talk at DeepSec 2013 how the iCloud protocol works and how you can develop your own clients to access your own data in Apple’s „cloud“ infrastructure. His reverse-engineering work is based on publicly available information. Have a look!

DeepSec 2013 Talk: Cracking And Analyzing Apple iCloud Protocols: iCloud Backups, Find My iPhone, Document Storage

René Pfeiffer/ November 3, 2013/ Conference

The „Cloud“ technology is a wonderful construct to hide anything, because the „Cloud“ itself is no technology. Instead it is constructed out of a variety of different protocols, storage systems, applications, virtualisation and more. So „Clouds“ provide a good cover. Ask any fighter pilot. They will also confirm that the „Cloud“ is a great hunting ground. A lot of companies and individuals store their data there. A security flaw, stolen access credentials, compromised servers/clients, or bugs in the implementation can do harm. Information security researchers have long since explored the „Cloud“ infrastructure. The task is difficult for few providers have a fully open infrastructure; some do, some don’t. Plus you don’t know what’s going on between data centres. At DeepSec 2013 Vladimir Katalov will shed some light on the internals of the iCloud. He

Read More

DeepSec 2013 Talk: Pivoting In Amazon Clouds

René Pfeiffer/ October 17, 2013/ Conference, Internet

The „cloud“ infrastructure is a crucial part of information technology. Many companies take advantage of outsourced computing and storage resources. Due to many vendors offering a multitude of services, the term „cloud“ is often ill-defined and misunderstood. This is a problem if your IT security staff needs to inspect and configure your „cloud“ deployment with regards to security. Of course, virtualisation technology can be hardened, too. However the „cloud“ infrastructure brings its own features into the game. This is where things get interesting and where you have to broaden your horizon. Andres Riancho will show you in his talk Pivoting In Amazon Clouds what pitfalls you can expect when deploying code and data in the Amazon Cloud. Classical security tests won’t be enough. The Amazon Elastic Compute Cloud (EC2) is more than just virtual

Read More