DeepSec 2012 Talk: The Vienna Programme – A Global Strategy for Cyber Security

René Pfeiffer/ October 5, 2012/ Conference

In case you ever felt frustrated by the countless ways digital systems can fail, you should consider listening to Stefan Schumacher‘s talk about a global strategy for cyber security. It’s not about silver bullets or throwing rings into volcanoes, it’s meant as a roadmap leading to an improved security level in our digital landscape. Information technology and therefore IT security play a bigger role in everyday life than 20 years ago. However, even as IT security becomes more and more important, we are still discussing the same old problems: rootkits, viruses and even buffer overflows. Unfortunately, IT security still revolves around the same problems as it did 20-30 years ago. Instead of fighting the same battles again and again we have to take a look at the strategic level to coordinate efforts. This

Read More

DeepSec 2012 Workshop: Social Engineering Testing for IT Security Professionals

René Pfeiffer/ October 2, 2012/ Conference, Training

Social engineering has been big in the news yet again this year. In September, security researchers discovered an attack against Germany’s chipTAN banking system, in which bank customers were tricked into approving fraudulent transfers from their own accounts. In August, tech journalist Mat Honan had his digital life erased, as hackers social engineered Apple and Amazon call centres. In May it was reported that Czech thieves stole a 10-tonne bridge. When challenged by police during a routine check, they showed forged documents saying they were working on a new bicycle path. In January, a fraudster obtained Microsoft co-founder Paul Allen’s credit card details by social engineering workers in Citibank call centres. In December, Wells Fargo were tricked into wiring $2.1 million to a bogus bank account in Hong Kong following a series of fraudulent

Read More

DeepSec 2012 Workshop: The Exploit Laboratory – Advanced Edition

René Pfeiffer/ September 30, 2012/ Conference

Offensive security is a term often used in combination with defence, attack (obviously), understanding how systems fail and the ever popular „cyberwar“. Exploiting operating systems and applications is the best way to illustrate security weaknesses (it doesn’t matter if your opponents or pentesters illustrate this, you have a problem either way, and you should know about it). So where do exploits come from? Well, you can buy them, you can download them somewhere, or you can develop them. This is where The Exploit Laboratory comes in. Saumil Shah will teach you how exploits work – even on modern operating systems! Exploit Development is one of the hottest topics in offensive security these days. The Exploit Laboratory, in its sixth year, brings advanced topics in exploit development to Vienna this year. Arm yourself with skills

Read More

A Word about Conference Conduct

René Pfeiffer/ August 7, 2012/ Administrivia, Conference, Discussion

You have probably been to conferences, and might even have seen hackers in the wild attending events. When it comes to events where IT security is discussed, everyone needs a friendly atmosphere so you can trust the people you meet. The DeepSec conference aims to be a place where these criteria are met. We want you to be able to talk to anyone about anything. Judging from the feedback we got, this goal was met. We’d like to introduce a statement published on our web site to emphasise our mission. It’s a policy to express our intention to provide a friendly and safe environment for everyone talking at and attending DeepSec events (the policy covers all DeepSec activities). Before any of you jump to conclusions, let me explain why we added the policy as

Read More

All Your Clouds are to Belong to Whom?

René Pfeiffer/ August 5, 2012/ Discussion, Security

There are probably fewer than 5 persons on this planet who know what cloud computing really means. The figure might be exaggerated, but while enterprises, consultants and vendors try to figure out the best cloud for their business model, the attackers already take advantage of cloud infrastructure. Let’s disregard climate dependencies and extraordinary political environments for a moment (if you say yes to cloud computing, then you have this already taken into account and under control, right?). Let’s focus on the security implications for the moment. There’s an example of a string of unintended consequences caused by a successful social engineering attack. The target was a „cloud account“ linked to storage and three personal devices (a phone, a tablet and a laptop). The attacker gained access by means of tech support and bypassing security

Read More

Data Loss Prevention

René Pfeiffer/ May 14, 2012/ Discussion, Security

None of us likes to lose data. Usually data loss is tied to defects of storage media. You can counter physical data loss by having sufficient and recent copies of your data. This is where the logical data loss kicks in – unauthorised copies. Espionage thrives on these copies, and since information can be sold, so does crime. Establishing and implementing a proper data loss prevention strategy requires coordinated effort across all branches of information security. First you need to define some classifications for all your data. Public, private and confidential is common. Then you must find all places where your data is stored. You noticed the small word „all“. Yes, that’s right, all places and every single bit of your data. If you start getting sloppy at this stage, your defence against

Read More

Security in the Light of Emergency Situations

René Pfeiffer/ May 5, 2012/ High Entropy, Security

Let’s assume you have put proper security measures into place and you have spiced them up with proper policies so that everyone always knows what to do in certain situations. So far, so good. Now let’s combine this solid security framework with something out of the ordinary. Catastrophic storage failures are a very good example. Imagine your shared storage array goes AWOL (including the disk images of your precious virtualised servers). In this case your operating status has gone from „all green“ to „full red alert“. Your staff can’t restart the storage array, so you have to rely on experts in the field of data rescue. Due to the critical nature of the data you yank out the disks, label them and send your storage components by messenger to a laboratory. Since time is

Read More

Disinfect your Information Environment

René Pfeiffer/ March 7, 2012/ High Entropy, Security, Stories

Since information technology relies heavily on analogies (as do a lot of other „cyber“ things), we have a question for you. What do an intercepted phone call, infectious diseases and nuclear waste spilling into the environment have in common? Faulty containment. The Naked Security blog explains in an article how Anonymous was able to record the FBI phone call whose audio file was published in January 2012. Apparently „an Irish Garda police officer who was invited to attend the conference call about ongoing hacking investigations forwarded the message to a personal email account“. This personal e-mail account was compromised, and the information about the conference call was used to participate and to record the audio stream. This teaches a couple of lessons. Conference calls can be attended by having the correct string of characters (i.e.

Read More

Getting your Perception right – Security and Collaboration

René Pfeiffer/ January 29, 2012/ Discussion, Security

If all security-related events were not connected and could be analysed with a closed system in mind, getting security measures right would be much easier. Technicians will probably yawn at this fact, but networks connect a lot of different stuff (think „series of tubes“ and many points between them). In turn this means that you can use this for your own advantage and talk to others on the network, too! This surprising conclusion is often forgotten despite the use of the term „Internet community“ and developers working together on intrusion detection signatures, malware analysis and other projects. Stefan Schumacher talked about cooperative efforts to establish an international cyber defence strategy at DeepSec 2011. Securing infrastructure and implementing a proper defence in depth doesn’t rely on technical solutions alone. You need to establish procedures for

Read More

Interaction between Security and Hierarchies

René Pfeiffer/ January 22, 2012/ Security

You all know hierarchies. You use them, you work within them and you are probably part of one. This is also true for IT staffers or even freelancers dealing with security issues. Usually there is a team/project leader, a CEO, a CIO and all kinds of specialists from other departments (if the company or organisation is bigger). While the „chain of command“ may not be important during daily routine, it is tremendously critical when incidents happen or when the infrastructure is prepared against compromise. More often than not security-aware admins and developers experience the „override by pointy haired boss“ effect. Checks and balances are great, the budget might confirm this, but once you deviate from routine there’s the nasty blame game. That’s when hierarchies turn to bite you in the back. Time spent on

Read More

Defending against the Hype of Advanced Persistent Threat (APT)

René Pfeiffer/ October 31, 2011/ Security

Many articles like to mention Advanced Persistent Threat (APT), point out that 0-day attacks are extremely dangerous, and that anyone and your neighbour might already be compromised, but not know about it. So APT casts a long shadow even when not having arrived yet. This is exactly why we used the word „hype“ in the title. If you are not feeling very well and you look up symptoms in popular search engines, then you suddenly end up with lots of diseases that might fit. Doing this won’t change anything, you still have the symptoms and you still have no idea what’s going on. Reading information on security breaches alone won’t get you anywhere (currently you can find some news on the RSA hack online). Exchanging ideas and hearing about stories is fine,

Read More

Talk (U21): Solving Social Engineering Attacks

René Pfeiffer/ September 1, 2011/ Conference

You’ve heard about social engineering. You know your weakest links. You have the task of defending your network against intruders. You know how to do this with your web applications, networks, clients and servers. All these things have neat classifications of attacks, best practice lists and lots of other resources. What about social engineering? How do you keep the wrong people out and your critical information in? How do you classify the attacks? Toby Foster of the University of York, student of Computer Science and intern at First Defence Information Security, tries to address this problem by talking about modelling, categorising and solving the attacks: „There are many definitions of social engineering; almost every book or website on the subject has a different definition. Probably the only consistent point is that it relies

Read More