Binary Blob Apocalypse – Firmware + Cryptography = less Security

René Pfeiffer/ November 6, 2018/ High Entropy, Security

A couple of years ago we had a chat with one of our sponsors, Attingo. They are specialised in data recovery from all kinds of media and in all kinds of conditions. Since vendors keep secrets from the rest of the world, the data rescuers do a lot of reverse engineering in order to decode the mysteries of firmware blobs. Guess what they recommend: Don’t trust important tasks to firmware code! It’s the worst software written on this planet. If software gets something wrong, firmware is the best candidate for big SNAFUs. Solid state disks (SSDs) have recently joined the gallery of failures. Carlo Meijer and Bernard van Gastel have published an article titled Self-encrypting deception: weaknesses in the encryption of solid state drives (SSDs). They analysed the implementation of hardware full-disk encryption of

Read More

DeepINTEL / DeepSec News for 2017 and Call for Papers

René Pfeiffer/ March 27, 2017/ Administrivia, Call for Papers, Conference

Changing code, layout or designs have something in common – deadlines. But you cannot rush creativity, and so the new design of the DeepSec web site took some time. The old design has served us well. We basically did not change much and used it since 2007. The new design follows the stickers we use for decoration at our conferences, the book cover of the DeepSec chronicles, and many other details we publish via documents – all thanks to the creative mind of fx. So thanks a lot fx! The content of our conference has also slightly changed. DeepSec 2017 will feature additional content, because we will introduce a third track filled with presentations from academic research. Given the fact-free discussions of information security and security in general, we would like to (re)introduce the scientific

Read More

Putting the Context into the Crypto of Secure Messengers

René Pfeiffer/ January 21, 2017/ Communication, Discussion, Internet

Every once in a while the world of encrypted/secure/authenticated messaging hits the wall of usability. In the case for email Pretty Good Privacy (PGP) is an ancient piece of software. These days we have modern tools such as GnuPG, but the concept of creating keys, verifying identities (i.e. determining who is to trust), synchronising trust/keys with communication partners, and handling the software in case something goes wrong is quite a challenge. Plus things might change. People revoke their keys, devices get lost, data gets deleted, people create new keys or even (digital) identities, or do lots of things that is either anticipated by the software developers or not. Communication is not static. There are moving parts involved, especially the communication partners might move a lot. So crypto is hard, we know this. Discussing secure

Read More

Scanning for TR-069 is neither Cyber nor War

René Pfeiffer/ November 30, 2016/ Discussion, High Entropy, Internet

The Deutsche Telekom was in the news. The reason was a major malfunction of routers at the end of the last mile. Or something like that. As always theories and wild assumptions are the first wave. Apparently a modified Mirai botnet tried to gain access to routers in order to install malicious software. The attacks lasted from Sunday to Monday and affected over 900,000 customers. These routers often are the first point of contact when it comes to a leased line. Firewalls and other security equipment usually comes after the first contact with the router. There are even management ports available, provided the ISP has no filters in place. The TR-069 (Technical Report 069) specification is one management interface, and it has its security risks. Now that the dust has settled the Deutsche Telekom

Read More

Transforming Secure Coding into Secure Design

René Pfeiffer/ August 21, 2016/ Discussion, High Entropy, Security

Secure Coding is the way to go when you develop applications for the real world. Rename errors and bugs into failures. Turn #fail to #win. Instant karma. In addition there are lots of best practices, checklists, and documents around that will tell you what to anticipate. However the design of an application precedes the code itself. Given the scope and purpose of your product implementing security at the coding stage might be too late. Let us consider an example. The Internet of Things (IoT) is all around us, especially in the information security news sections. While connecting devices to make one’s life easier isn’t a bad idea (just think about writing this article on a networked device and you reading it! Cool, eh?), the connecting parts and the security design should be sound. Smart

Read More

DeepSec Video: ZigBee Smart Homes – A Hacker’s Open House

René Pfeiffer/ February 19, 2016/ Conference, Security, Stories

The data protocols of SmartHomes are the FBI’s wet dream. Why? Because they have no security design. Take ZigBee for example. ZigBee is one of the most widespread communication standards used in the Internet of Things and especially in the area of smart homes. If you have for example a smart light bulb at home, the chance is very high that you are actually using ZigBee by yourself. Popular lighting applications such as Philips Hue or Osram Lightify and also popular smart home systems such as SmartThings or Googles OnHub are based on ZigBee. ZigBee provides also security services for key establishment, key transport, frame protection and device management that are based on established cryptographic algorithms. So a ZigBee home automation network with applied security is secure and the smart home communication is protected?

Read More

DeepSec Video: Not so Smart – On Smart TV Apps

René Pfeiffer/ February 18, 2016/ Conference, Security

„Smart“ follows the footsteps of „cyber“. Everything is smart nowadays. The problem is that using smart in this context just means a combination of „Turing complete“ and „connected to the Internet“. That’s it. This is a pretty low barrier for calling something „smart“. t DeepSec 2015 Markus Niemietz held a presentation about the state of affairs concerning SmartTVs where security is concerned: One of the main characteristics of Smart TVs are apps. Apps extend the Smart TVs menu with various functionalities, ranging from usage of social networks or payed streaming services, to buying articles on Ebay. These actions demand usage of critical data like authentication tokens and passwords, and thus raise the question of new attack scenarios and the general security of Smart TV apps. We investigate attack models for Smart TVs and their

Read More

I spy with my little Spy, something beginning with „Anti…“

René Pfeiffer/ June 27, 2015/ Discussion, High Entropy, Security

Anti-virus software developers made the news recently. The Intercept published an article describing details of what vendors were targeted and what information might be useful for attackers. Obtaining data, no matter how, has its place in the news since 2013 when the NSA documents went public. The current case is no surprise. This statement is not meant to downplay the severity of the issue. While technically there is no direct attack to speak of (yet), the news item shows how security measures will be reconnoitred by third parties. Why call it third parties? Because a lot of people dig into the operation of anti-virus protection software. The past two DeepSec conferences featured talks called „Why Antivirus Software fails“ and „Easy Ways To Bypass Anti-Virus Systems“. The Project Zero team at Google found a vulnerability in

Read More

Encryption – A brand new „Feature“ for Cars

René Pfeiffer/ February 2, 2015/ Internet, Security, Stories

At DeepSec 2011 Constantinos Patsakis and Kleanthis Dellios held a presentation titled “Patching Vehicle Insecurities”. They pointed out that the car is starting to resemble more to a computer with mechanical peripherals (incase you haven’t seen their talk,  please do!). This is true for all types, not only the modern cars powered by electricity alone. But there is more. Modern cars are connected to networks (i.e. the Internet or the mobile phone network). This means that your method of transportation is part of the dreaded Internet of Things. Given the design flaws we have seen in talks given at DeepSec, there is no surprise that this is a  breeding ground for major trouble. The Allgemeiner Deutscher Automobil-Club (ADAC), a German motoring association, discovered a lapse in the communication between BMW cars and the servers

Read More

DeepSec 2014 Talk: Build Yourself a Risk Assessment Tool

Sanna/ October 29, 2014/ Conference, Interview

„The only advice I might give to everyone who is responsible for information security is that it is never about a tool or a methodology“, says Vlado Luknar. The never-ending quest for the “best” tool or methodology is a futile exercise. In the end it is you, the security specialist, who adds the most value to a risk assessment (RA) / threat modelling process for your company, claims Vlado Luknar (Orange Slovensko a.s. / France Telecom Orange Group).  In his talk at DeepSec Mr. Luknar will demonstrate that it is quite easy to capture your overall security knowledge in a home-made, free-of-charge tool.  But first, let’s ask Mr. Luknar a couple of questions: 1) Mr. Luknar, please tell us the top 5 facts about your talk! There is no problem with understanding existing RA

Read More

DeepSec 2013 Talk: Trusted Friend Attack – Guardian Angels Strike

René Pfeiffer/ November 5, 2013/ Conference, Security, Stories

Have you ever forgotten a password? It’s a safe bet to assume a yes. Sometimes we forget things. When it comes to logins there is usually a procedure to restore access and change the forgotten password to a known new one. This Forgot Your Password functionality is built into many applications. The mechanism is to rely on other ways to restore trust. There is a risk that unauthorised persons gain access to an account by exploiting the process. Ashar Javed has explored the password recovery function of 50 popular social networking sites. In his talk at DeepSec 2013 he will present the findings of his survey. The attack vector is called Trusted Friend Attack, because once you forgot your credentials you have to rely on trusted friends to recover them. Apart from automatic systems

Read More

High Availability is not Redundancy

Mika/ October 11, 2012/ High Entropy, Odd

This is about the “A” in the CIA triad of security: Confidentiality, Integrity, Availability Just recently I was a witness of an incident where the failure of a perceived redundant system caused an outage of more than 5 hours of the central IT services of a multinational/intercontinental enterprise. Vital services like VoIP calls and conference bridges (which were interrupted with high profile customers) , SAP, e-mail, central file services, CAD, order processing, printing of delivery notes and therefore loading of trucks, processing of EDIFACT-based orders and invoices, etc. were unavailable for most of the 20.000 employees and customers worldwide during this black-out. What happened? Some when in the morning we noticed a lot of commotion in the department (open plan office) and quite soon it was obvious that all network based services were out

Read More

Cloud Security Promises out of thin Air

René Pfeiffer/ May 15, 2012/ Discussion, Security

The „Cloud“ is a wonderful link between the BYOD disaster, data loss and broken security promises. Yet users of all kinds are lured into the web interfaces with eye candy. The German IT magazine Golem.de has published an article about the cloud security study of the Fraunhofer Institute for Secure Information Technology SIT. Researchers have put Dropbox, Cloudme, Crashplan, Mozy, Teamdrive, Ubuntu One and Wuala under scrutiny. The results should be a wake-up call for businesses who blissfully shove all kinds of data out into the thin air of the „Cloud“. The quintessence of the study is that none of the listed „Cloud“ services can provide a basic security or even sensible encryption technology. Some registration forms do not verify the e-mail addresses entered. Some platforms do not use SSL/TLS. Some use their own

Read More

Simple Questions, Security Design, Details and Assumptions

René Pfeiffer/ April 3, 2012/ Security, Stories

A few days ago we received a call from a journalist who was researching for an article about a system about parking place management. Motorists have a hard time finding a place to park in busy urban areas. This is why Austrian researchers thought of fitting street lamps with cameras that monitor parking areas. The cameras report the images to a system that identifies free parking sites and reports available spots to drivers by means of their satnav. The journalist wanted to know how safe this is and if there might be a threat to privacy. The answer is not that easy. In this context it typically resolves to the style of Radio Yerevan and starts with „In principle yes, but …“. In our case it depends on the details of the implementation. Brevity

Read More

Getting your Perception right – Security and Collaboration

René Pfeiffer/ January 29, 2012/ Discussion, Security

If all security-related events were not connected and could be analysed with a closed system in mind, getting security measures right would be much easier. Technicians will probably yawn at this fact, but networks connect a lot of different stuff (think „series of tubes“ and many points between them). In turn this means that you can use this for your own advantage and talk to others on the network, too! This surprising conclusion is often forgotten despite the use of the term „Internet community“ and developers working together on intrusion detection signatures, malware analysis and other projects. Stefan Schumacher talked about cooperative efforts to establish an international cyber defence strategy at DeepSec 2011. Securing infrastructure and implementing a proper defence in depth doesn’t rely on technical solutions alone. You need to establish procedures for

Read More