Articles about DeepSec 2011

René Pfeiffer/ November 22, 2011/ Conference, Press

We have some more articles for you. Apparently the talks of our speakers raised a few eyebrows. Most of the articles are in German.

Dradio: Das sichere Auto ist ein Mythos
Interview with Mariann Unterluggauer about impressions from DeepSec 2011 and the myth of automobile security.

Dradio: Nur scheinbare Datensicherheit
This second article, published on the Deutschlandfunk web site, features Duncan’s talk and bugs in security software.

Ö1: Können Hacker Autos fernsteuern?
„Can hackers remotely control cars?“ Well, given the current design and lack of security they probably will do so in time for DeepSec 2012.

Ö1: Make Cyberpeace, not Cyberwar. Ein Bericht von der DeepSec
The topic of cyber warfare is still hot.

Wie Terroristen verschlüsseln – Digitale Spuren kaum verwischt
The Neue Zürcher Zeitung (NZZ) has a comment about Duncan’s

Press Release: From Car to „Zombie“ – Data-driven Attacks on Automobiles

DeepSec Organisation/ October 19, 2011/ Press

Data-driven Attacks on Automobiles

Security conference DeepSec broaches the issue of automobile security

Vienna – Hacking attacks on cars sound like something out of a Hollywood blockbuster. However, they’re possible today and pose a real threat for individuals and the automotive industry. The international security conference DeepSec, which takes place between the 15th and 18th of November 2011, chose the security of mobile phones, cars and their users as central topics for this year’s conference. „As in the years before we want to present exciting and controversial topics which concern not only experts, but most of us directly or indirectly in 7 workshops and 34 talks. The liability of modern cars to attacks is one of our topics.” says René Pfeiffer, organiser of DeepSec. “DeepSec acts as a neutral platform to connect the hacker-community with IT

0zapftis revisited – 0ktoberfest for Security Researchers

René Pfeiffer/ October 11, 2011/ High Entropy, Odd

The CCC analysis of the malicious software bought and used by the German government has put our blog schedule and RSS reading habits out of balance. Frankly, our necks hurt because we have been constantly shaking our heads since the PDF of the analysis was published. We have talked to journalists who showed interest in the design of the malware. It’s very hard not to go into rant or BOFH mode when talking about the design and the use of the trojan horse. You have to use quite some Zen skills to stay focused and to see what we have here. In fact the whole discovery and the avalanche of questions raining down on German officials marks a turning point for the significance of computer security. Furthermore it is a perfect example of all the problems

Talk: Identity X.0 – Securing the Insecure

René Pfeiffer/ October 10, 2011/ Conference

Identities are important. You might already know this, but in times of heavily meshed web applications and users moving between different web sites, keeping track of a client’s identity can be difficult. Moreover it’s not just about identities but also about transporting account/user attributes by various protocols and standards between various applications. You might remember Microsoft Wallet/Passport which is now Windows Live ID. OpenID defines an open standard for authenticating a user by using a decentralized architecture. OAuth is another open standard, handling authorization, and it is widely used by small and large organizations such as Yahoo! and Twitter. So where’s the security? How resilient are these protocols against attacks? Khash Kiani will address these questions in his presentation titled Identity X.0 – Securing the Insecure. His talk focuses on some of these

Talk: Human Factors Engineering for IT Security

René Pfeiffer/ October 7, 2011/ Conference

Members of IT staff love acronyms such as RTFM, PEBKAC, PICNIC and ID-10T error. These will often be mentioned when human factors are playing a key role. If you dig deeper and analyse typical situations where human errors are involved, then you will have to deal with user interfaces (UIs) and technical documentation. It’s easy to blame operators (it doesn’t matter if you look at end users, power users or IT staff) even if UIs or manuals have failed before the human erred. This is exactly why the talk Human Factors Engineering for IT Security by Peter Wolkerstorfer (Center of Usability Research and Engineering, CURE) will focus on the human factor in the context of operating security tools by UI. The user is often the weakest link in the chain and this fact has to

Talk: Why the Software we use is designed to violate our Privacy

René Pfeiffer/ September 29, 2011/ Conference

Most of us are used to taking advantage of the fruits of the Web 2.0. There is web e-mail, online backups, social networking, blogs, media sharing portals (for audio/video), games, instant messaging and more – available for private and corporate users. A lot of sites offer their services for free (meaning without charging anything), thus increasing the number of accounts created. Nevertheless you pay something. You are being mined for information and data. Some of these products collect our data directly. In such cases, the exchange of user data for free services is well known, at least to many savvy users. However, many other products do not collect our private data. Instead, they quietly facilitate and enable data collection by other parties. It all depends on the business model. Of course most portals and

Talk: Windows Pwn 7 OEM – Owned Every Mobile?

René Pfeiffer/ September 19, 2011/ Conference

Windows Phone is an operating system for mobile phones. Similar to other operating systems, it has security features built in, such as sandboxing applications, APIs for exchanging data across applications and isolation of storage. It also offers methods for encrypting data on the phone itself. There’s more documentation out on the Internet or directly available at Microsoft’s web site. So, this is good, right? In theory, yes. In practice, very little public information is currently available about Windows Phone 7 OS security, preventing adequate determination of the risk exposed by WP7 devices. This does not refer to the documentation. It’s all about assessing risks, and risk assessment can’t be done by looking at APIs. Alex Plaskett will talk about WP7 security in-depth. He will address the ever increasing challenges and stages of exploitation an

Talk: Hacking Digital Measuring Devices

René Pfeiffer/ June 18, 2011/ Security

We just listened to the talk by Franz Lehner about „Hacking Digital Measuring Devices“. Smart meters are ubiquitous. A lot of measuring devices have turned digital and are composed of a small CPU with some memory and connections to sensors or data outlets. Calibration is always involved when you measure something. Having access to the calibration mode/commands of a smart meter can change your bills, supply false readings to operators and can even be ramped up to be a security risk. Think vapour/liquid pressure, temperature, speed, humidity, power, etc. Usually you rely on the output of sensors, right? Smart meters are something to watch very closely. Again there’s a link to cars (which use smart meters for measuring the speed and other parameters), then there’s a link to the power grid, and there a

Is your car on the Internet?

René Pfeiffer/ June 14, 2011/ Security, Stories

We published some press releases in the past that dealt with networked subsystems in cars. Security researchers connected to the Controller-Area Network (CAN) and tried to inject commands (which worked scarily well). We claimed that automobile manufacturers were way behind in security compared to everyone who has to secure systems in the Internet. The claim was half-part fact and half-part conjecture. Now it’s time to correct our claim. Cars can now leak information and push it to the Internet: Electric cars manufactured by Nissan surreptitiously leak detailed information about a driver’s location, speed and destination to websites accessed through the vehicle’s built in RSS reader, a security blogger has found. … “All of these lovely values are being provided to any third party RSS provider you configure: CNN, Fox News, Weather Channel, it doesn’t

Hacking Transportation Devices – 0wning Cars!

René Pfeiffer/ March 17, 2011/ Security, Stories

Last summer we published a short article about an experimental study of modern car sensor systems and their security. Researchers took a modern car, connected to the internal data bus and tried to do some hacking. They were able to manipulate on-board systems up to controlling the brakes and the engines. The study shows that once you have access to the (internal) network, you can do things that were most probably never anticipated by the designers. Arguably the risk of these kinds of attacks is rather low – for now. However if you think about the Internet, software working in networked environments or the plethora of devices that can be connected to computers, then the number of attack vectors increases. This is not breaking news. You can see this trend in the wonderful world

27C3 and Misunderstandings about Security

René Pfeiffer/ December 27, 2010/ Conference, Security

We’ve hooked a computer to the video stream of the 27C3 conference. Currently we’re listening to the keynote speech which touches a relevant topic for security issues. Are you happy or are you unhappy? It sounds a bit strange, but usually happy people have nothing to worry about. So in turn it does make sense not to worry people. The examples given in the keynote were electronic voting machines. The process of selecting a government by anonymous voting is a cornerstone of democracies. This is exactly why electronic voting must not happen through black boxes. India has already threatened (and arrested) security researchers who analyse the security of the voting machines used in the country. Electronic voting is only one example. Another one is the publication about the broken chip and PIN design of

A Brief History of GSM A5/2 and 2G/3G Security

René Pfeiffer/ November 15, 2010/ Stories

MiKa and I shared some knowledge about the design flaws and the state of security in 2G/3G networks. The idea was to present an overview. Those networks have been shrouded in NDAs for too long. It is good to see that this is changing. Given the fact that millions of people use this technology on a daily basis, there should have been more publications and a deeper analysis many years ago. GSM features four A5 encryption algorithms. They are called A5/0, A5/1, A5/2 and A5/3. A5/0 is basically plaintext, because no encryption is used. A5/1 is the original A5 algorithm used in Europe. A5/2 is a weaker encryption algorithm created for export (the weakness is a design feature). A5/3 is a strong encryption algorithm created as part of the 3rd Generation Partnership Project. The

Native Code Protection and Security

René Pfeiffer/ June 24, 2010/ Development, Internet

The Mozilla vice president of products announced that Firefox doesn’t need to run native code anymore when it comes to plugins. The idea is called crash protection, for it aims to keep the web browser alive when a plugin fails to run correctly. At the same time the magical words about the future being in the hands of (open) web standards and HTML5 are uttered. What does this imply in terms of security? Is there any benefit? The thought of having more reliable web browsers is certainly tempting. It is also true that overloading the browser with plugins increases the „angle of attack” to the point of stalling or most probably catching some malware floating around on the Web. The message seems to be that separating vulnerable plugins from the browser doesn’t rule out
