Secure Design – Combining Information Security with Software Development

René Pfeiffer/ February 5, 2020/ Discussion, High Entropy

Information security researchers usually see software fail. Sometimes they try to make software fail on purpose. The result is a bug description, also called vulnerability report in case the bug has a security impact. The the best case scenario this information reaches the software developers who in turn fix the problem. Then the cycle continues. This process is fun for the first iterations. After a while it gets boring. Even a while after that you ask yourself why integer overflow, injection attacks, and basic cross-anything is still an issue. Some bug classes are well over 40 years old. Polio is far older, and yet we got rid of it (mostly). What’s different in the field of software creation? The answers are simple, endless, and change depending on the current trend. Just as computing changed

Read More

DeepSec 2019 Talk: Lost in (DevOps) Space – Practical Approach for “Lightway” Threat Modeling as a Code – Vitaly Davidoff

Sanna/ November 4, 2019/ Conference, Development

Threat Modeling is a main method to identify potential security weaknesses, and is an important part of any secure design. Threat Modeling provides a model to analyze how to best protect your assets, prevent attacks, harden your systems, and efficiently prioritize security investment. Regardless of programming language, Threat Modeling provides a far greater return than most other security techniques in the software development life cycle (SDLC) process. Therefore, Threat Modeling should be an early priority in application design process. Unfortunately, it is common knowledge that building a full threat model is always heavily resource intensive, requires a full team of expensive security professionals, takes up far too much time, and is not scalable. This talk will describe modern Threat Modeling methodology and practices that can be fully incorporated into your existing agile process. We

Read More

DeepSec 2019 Talk: What’s Wrong with WebSocket APIs? Unveiling Vulnerabilities in WebSocket APIs – Mikhail Egorov

Sanna/ October 16, 2019/ Conference, Security

WebSocket protocol is many times more efficient than HTTP. In recent years we can observe that developers tend to implement functionality in the form of WebSocket APIs instead of traditional REST APIs, that use HTTP. Modern technologies and frameworks simplify the building of efficient WebSocket APIs. We can name GraphQL subscriptions or Websocket APIs supported in Amazon API Gateway. WebSockets APIs have a different security model compared to REST APIs, resulting in unique attack vectors. Nevertheless, developers rarely take them into account. WebSockets in browsers do not use the same-origin policy (SOP) concept, their security model is based on origin check. Out-of-the-box WebSockets provide no authentication and authorization mechanisms. WebSocket protocol is stateful and has two main phases: A handshake and data transfer phase. Most of the time authentication and authorization logic is implemented

Read More

Binary Blob Apocalypse – Firmware + Cryptography = less Security

René Pfeiffer/ November 6, 2018/ High Entropy, Security

A couple of years ago we had a chat with one of our sponsors, Attingo. They are specialised in data recovery from all kinds of media and in all kinds of conditions. Since vendors keep secrets from the rest of the world, the data rescuers do a lot of reverse engineering in order to decode the mysteries of firmware blobs. Guess what they recommend: Don’t trust important tasks to firmware code! It’s the worst software written on this planet. If software gets something wrong, firmware is the best candidate for big SNAFUs. Solid state disks (SSDs) have recently joined the gallery of failures. Carlo Meijer and Bernard van Gastel have published an article titled Self-encrypting deception: weaknesses in the encryption of solid state drives (SSDs). They analysed the implementation of hardware full-disk encryption of

Read More

DeepSec 2018 Special Training: Bug Hunting Millionaire – Mastering Web Attacks with Full-Stack Exploitation

René Pfeiffer/ August 29, 2018/ Conference, Security, Training

How do bugs in software get fixed? Well, first of all you have to find them. All code has bugs. Most probably, that is. Usually developers and users of applications find bugs. The history of information security has taught us that now attackers also look for bugs in software. Therefore flaws in code leading to security vulnerabilities have a higher priority for both developers and adversaries. The problem is that software testing finds all kinds of bugs and not always the important ones. Where is the incentive to go and debug software? Well, there is quality assurance, there is full disclosure, and now there are bug bounties. Bug bounties are rewards for bugs in software that have an impact on security. Companies offer these bounties as a means of software quality testing. Bug bounties

Read More

Applied Crypto Hardening Project is looking for Help

René Pfeiffer/ April 25, 2017/ High Entropy, Internet

Hopefully many of you know the Applied Crypto Hardening (ACH) project, also known as BetterCrypto.org. The project was announced at DeepSec 2013. The idea was (and is) to compile hands-on advice for system administrators, dev ops, developers, and others when it comes to selecting the right crypto configuration for an application. The BetterCrypto.org document covers far more protocols than HTTPS. OpenSSH, OpenVPN, IPsec, and more topics are described in the PDF guide. The project is run by volunteers. This is where you come in. The ACH project needs more volunteers to keep going. New GNU/Linux distributions are around the corner (the apt store never sleeps). Some vendors really do upgrade their code base. Libraries change and bleed less. Algorithms get tested, improved, and re-evaluated. The field of cryptography is moving forward, as it should.

Read More

DeepSec2016: 0patch – Self-healing Security Updates. DeepSec and ACROS Security Introduce a Platform for Micropatches

Sanna/ October 20, 2016/ Conference, Development, Schedule, Security, Training

As soon as a security gap in an computer application is made public the anxious wait begins. Whether it is software for your own network, online applications or apps for your mobile devices, as a user you will quickly become aware of your own vulnerability. The nervousness increases. When will the vendor publish the security update? In the meanwhile is there anything you can do to reduce the risks? Alternatively, how long can you manage without this certain software? To provide answers to these questions is the central point of security management. Some vendors have fixed dates for security updates. However, occasionally unscheduled updates take place, while some vendors wait quite a few years before they release another update. And this is only true for applications that are still in production or come with a support

Read More

DeepSec2016 Talk: Java Deserialization Vulnerabilities – The Forgotten Bug Class – Matthias Kaiser

Sanna/ October 13, 2016/ Conference, Development, Security

Most programming languages and frameworks have support for serialization of data. It’s quite handy for storing things to disk (or other media) and transporting them around a network for example. The process can be reversed, aptly called deserialization, in order to obtain the original pieces of data. Great. Even though this process sounds simple, there is a lot that can go wrong. First of all data can be manipulated. Subtle modifications can cause havoc when the data is touched. There is a lesser known class of bugs around deserialization and serialization techniques. Matthias Kaiser has some insights to share. Java deserialization vulnerabilities are a bug class of its own. Although several security researchers have published details in the last ten years, still the bug class is fairly unknown. Early 2015 Chris Frohoff and Gabriel

Read More

DeepSec2016 Workshop: Secure Web Development – Marcus Niemietz

Sanna/ September 21, 2016/ Development, Security, Training

The World Wide Web is everywhere. It has become the standard protocol for transferring data, accessing applications, configuring devices, controlling software, or even multimedia streaming. Most software development can’t be done without web applications. Despite the easy concept the technologies used in „HTTP/HTTPS“ have grown in very complex beasts. Few get it right, lots of developers make mistakes and end up at the wrong side of a security presentation at a conference. Fortunately there is help. We offer you a workshop at DeepSec 2016 to make your web software development great again! The “Secure Web Development” training by Marcus Niemietz systematically covers the OWASP Top 10 threats as well as threats, which may be important in the future (e.g. HTML5 and AngularJS attacks). At the end of the training each attendee will be able to create her/his

Read More

Firmware Threats – House of Keys

René Pfeiffer/ September 10, 2016/ Discussion, Security

SEC Consult, our long-term supporter, has updated a report on the use of encryption keys in firmware. These hardcoded cryptographic secrets pose a serious threat to information security. The report features 50 different vendors and has some interesting statistics. The results were coordinated with CERT/CC in order to inform the vendors about the problem. The highlights of the research includes: 40% increase in devices on the web using known private keys for HTTPS server certificates 331 certificates and 553 individual private keys (accessible via Github) some crypto material is used by 500,000 and 280,000 devices on the web as of now The recommendations are crystal clear: Make sure that each device uses random and unique cryptographic material. If operating systems can change account passphrases after initialisation, so can your device. Take care of management

Read More

DeepSec 2016 Talk: CSP Is Dead, Long Live Strict CSP! – Lukas Weichselbaum

Sanna/ September 8, 2016/ Conference

The Content Security Policy (CSP) is an additional layer of security for web applications. It is intended to detect and mitigate certain types of attacks. CSP is deployed by using the HTTP Content-Security-Policy header for publishing a policy. The policy instructs the web client how various resources will be used, where they come from, and the like. Violations of the policy can be reported to an application. Basically you can give the web client important hints what to expect. The reporting helps your intrusion detection process since the web clients usually understand the Web better than IDS modules. Lukas Weichselbaum is working at Google, and he will explain how CSP can be bypassed. In this presentation I’ll highlight the major roadblocks that make CSP deployment difficult. I talk about common mistakes, about how we automatically bypassed

Read More

Transforming Secure Coding into Secure Design

René Pfeiffer/ August 21, 2016/ Discussion, High Entropy, Security

Secure Coding is the way to go when you develop applications for the real world. Rename errors and bugs into failures. Turn #fail to #win. Instant karma. In addition there are lots of best practices, checklists, and documents around that will tell you what to anticipate. However the design of an application precedes the code itself. Given the scope and purpose of your product implementing security at the coding stage might be too late. Let us consider an example. The Internet of Things (IoT) is all around us, especially in the information security news sections. While connecting devices to make one’s life easier isn’t a bad idea (just think about writing this article on a networked device and you reading it! Cool, eh?), the connecting parts and the security design should be sound. Smart

Read More

A Perspective on Code and Components – assert(), don’t assume()

René Pfeiffer/ July 21, 2016/ Development, Discussion, High Entropy

Have you ever looked closely at the tools you use on a daily basis? Taking things apart and putting them back together is an integral part of understanding the universe. Scientists do it all of the time (well, at least some do, there are things that can’t be put together easily once taken apart). So lets focus on components and how they interact. ASN.1 and libraries that deal with it are popular components. Few people get a kick out of ASN.1, so they use code that does it. It’s just an example for parts that handle data being sent to and received from other systems. We live in a networked world, so communication is a crucial part of modern software. So to use business lingo: Most software works by delegating tasks to third-party code.

Read More

DeepSec 2015 Talk: Agile Security – The Good, The Bad, and mostly the Ugly – Daniel Liber

Sanna/ October 14, 2015/ Conference, Security

Particle collisions are a rich source for insights into the inner workings of Nature. Physicists know this. The Large Hadron Collider (LHC) built by the European Organization for Nuclear Research (CERN) demonstrates this to the extreme. You can to the same in information security if you lock developers and security experts into a room. Acceleration can be achieved by asking for the best way for implementing security. Analyse the high energetic trails of heated arguments to gain new insights. This recipe works best with certain models of software development. David Liber will show you the results of the collisions and tell you what you can learn about security with a specific software development methodology. Moving away from Waterfall and traditional development processes towards Agile methodologies has become more and more popular recently. Talking about sprints, looking

Read More

DeepSec 2015 Talk: Continuous Intrusion – Why CI Tools Are an Attacker’s Best Friend – Nikhil Mittal

Sanna/ October 3, 2015/ Conference, Development, Security

In information security pessimism rules. Unfortunately. Extreme Programming might breed extreme problems, too. The short-lived app software cycle is a prime example. If your main goal is to hit the app store as soon and as often as possible, then critical bugs will show up faster than you can spell XCodeGhost. The development infrastructure has some nice features attackers will love and most probably exploit. In his presentation Nikhil Mittal will show you how Continuous Integration (CI) tools can be turned into a Continuous Intrusion. Continuous Integration (CI) tools are part of build and development processes of a large number of organizations. I have seen a lot of CI tools during my penetration testing engagements. I always noticed the lack of basic security controls on the management consoles of such tools. On a default installation, many CI tools

Read More