DeepSec 2015 Talk: Agile Security – The Good, The Bad, and mostly the Ugly – Daniel Liber

Sanna/ October 14, 2015/ Conference, Security

Particle collisions are a rich source for insights into the inner workings of Nature. Physicists know this. The Large Hadron Collider (LHC) built by the European Organization for Nuclear Research (CERN) demonstrates this to the extreme. You can to the same in information security if you lock developers and security experts into a room. Acceleration can be achieved by asking for the best way for implementing security. Analyse the high energetic trails of heated arguments to gain new insights. This recipe works best with certain models of software development. David Liber will show you the results of the collisions and tell you what you can learn about security with a specific software development methodology. Moving away from Waterfall and traditional development processes towards Agile methodologies has become more and more popular recently. Talking about sprints, looking

Read More

DeepSec 2015 Talk: Continuous Intrusion – Why CI Tools Are an Attacker’s Best Friend – Nikhil Mittal

Sanna/ October 3, 2015/ Conference, Development, Security

In information security pessimism rules. Unfortunately. Extreme Programming might breed extreme problems, too. The short-lived app software cycle is a prime example. If your main goal is to hit the app store as soon and as often as possible, then critical bugs will show up faster than you can spell XCodeGhost. The development infrastructure has some nice features attackers will love and most probably exploit. In his presentation Nikhil Mittal will show you how Continuous Integration (CI) tools can be turned into a Continuous Intrusion. Continuous Integration (CI) tools are part of build and development processes of a large number of organizations. I have seen a lot of CI tools during my penetration testing engagements. I always noticed the lack of basic security controls on the management consoles of such tools. On a default installation, many CI tools

Read More

DeepSec2015 Talk: Hacking Cookies in Modern Web Applications and Browsers – a short Interview with Dawid Czagan

Sanna/ October 1, 2015/ Discussion, Interview, Security

You don’t have to be the cookie monster to see cookies all around us. The World Wide Web is full of it. Make sure not to underestimate their impact on information security. Dawid Czagan will tell you why. 1) Please tell us the top 5 facts about your talk. The following topics will be presented: – cookie related vulnerabilities in web applications – insecure processing of secure flag in modern browsers – bypassing HttpOnly flag and cookie tampering in Safari – problem with Domain attribute in Internet Explorer – underestimated XSS via cookie – and more 2) How did you come up with it? Was there something like an initial spark that set your mind on creating this talk? I noticed that cookie related problems are underestimated. People claim, for example, that XSS via cookie requires

Read More

DeepSec 2015 Talk: “Yes, Now YOU Can Patch That Vulnerability Too!” A short Interview with Mitja Kolsek

Sanna/ September 10, 2015/ Discussion, Interview, Security

Patching software is a crucial task when it comes to fixing security vulnerabilities. While this totally works, usually you have to wait until the vendors or the developers provide you either an upgrade or a patch. What do you do in the meantime? Reducing the exposure of the software helps, but sometimes you have no choice. Public interfaces are public. There’s help. Do it yourself! Mitja Kolsek will tell you more. Please tell us the top 5 facts about your talk. We want to shake the security world by introducing a simple twist and essentially reinventing software patching. Attackers’ main advantage comes from software vulnerabilities (often very old and long-patched ones), which are a critical ingredient of most breaches into corporate and government networks. Unfortunately, most software vendors are lacking economical motivation for providing patches, let alone pro-actively

Read More

Software Security: The Lost Art of Refactoring

René Pfeiffer/ June 29, 2015/ Development, Discussion, Security

A sysadmin, a software developer, and an infosec researcher almost walked into a bar. Unfortunately they couldn’t agree where to go together. So they died of thirst. Sounds familiar? When it comes to information technology, there is one thing that binds us all together: software. This article was written and published by software. You can read it by using (different) software. This doesn’t automagically create stalwart bands of adventurers fighting dragons (i.e. code vulnerabilities) and doing good deeds (i.e. not selling 0days). However it is a common ground where one can meet. Since all software has bugs, and we all use software, there’s also a common cause. Unfortunately this is where things go wrong. Code has a life cycle. It usually starts out as a (reasonably) good idea. Without a Big Bang. Then the implementation

Read More

Dual Use Equation: Knowledge + Vulnerability = “Cyber” Nuclear Missile

René Pfeiffer/ June 21, 2015/ Discussion, High Entropy, Legal, Odd

We all rely on software every  day, one way or another. The bytes that form the (computer) code all around us are here to stay. Mobile devices connected to networks and networked computing equipment in general is a major part of our lives now. Fortunately not all systems decide between life or death in case there is a failure. The ongoing discussion about „cyber war“, „cyber terrorism“, „cyber weapons of mass destruction“, and „cyber in general“ has reached critical levels – it has entered its way into politics. Recently the Wassenaar Arrangement proposed a regulation on the publication of exploited (previously unknown) vulnerabilities in software/hardware, the so-called „0days“. The US Department of Commerce proposed to apply export controls for 0days and malicious software. While the ban is  only intended for „intrusion software“, it may

Read More

Encrypted Messaging, Secure by Design – RedPhone and TextSecure for iOS

René Pfeiffer/ February 2, 2015/ Communication, Security

Encrypted communication is periodically in the news. A few weeks ago politicians asked companies and individuals all over the world to break the design of all secure communication. Demanding less security in an age where digital threats are increasing is a tremendously bad idea. Cryptographic algorithms are a basic component of information security. Encryption is used to protect data while being transported or stored on devices. Strong authentication is a part of this as well. If you don’t know who or what talks to you, then you are easy prey for frauds. Should you be interested in ways to improve the security of your messaging and phone calls, we recommend watching the presentation of Dr. Christine Corbett Moran. She is the lead developer of the iOS team at Open WhisperSystems. She talks about bringing

Read More

DeepSec 2013 Video: Top 10 Security Mistakes In Software (Development)

René Pfeiffer/ February 8, 2014/ Conference, Security, Stories

Everybody makes mistakes. It’s no surprise that this statement applies to software development, too. When you deal with information security it is easy to play the blame game and say that the application developers must take care to avoid making mistakes. But how does software development work? What are the processes? What can go wrong? Answering these questions will give you an insight into ways to avoid being bitten by bugs. Peter af Geijerstam of Factor 10 talked about security mistakes in software development in his presentation held at the DeepSec 2013 conference. We recommend his presentation for everyone dealing with information security, not just software developers.

DeepSec 2013 Video: Building The First Android IDS On Network Level

René Pfeiffer/ January 28, 2014/ Conference

Did you know that you can do more than playing Angry Birds on your smartphone? You can get attacked for example. Since your smart phone is Turing complete, you can do what you want. Jaime Sánchez presented the first Android Intrusion Detection System at DeepSec 2013. Mobile malware and threats are clearly on the rise, as attackers experiment with new business models by targeting mobile phones. This is a reason to deploy security software on these devices, too. With the help of custom built signatures, Jaime’s framework can also be used to detect probes or attacks designed for mobile devices, fool and cheat operating system fingerprinting attempts. Have a look!

DeepSec 2013 Video: spin – Static Instrumentation For Binary Reverse-Engineering

René Pfeiffer/ January 15, 2014/ Conference

Reverse engineering is a fundamental tool of information security research. The news coverage of the past year have given black boxes a bad name. David Guillen Fandos introduces methods for binary reverse-engineering in his presentation at DeepSec 2013. Binary instrumentation is used for performance evaluation, CPU emulation, tracing, and profiling. It can also be used for malware and threat analysis. David’s tool called spin is able to characterize and identify security-critical functions by applying conditions. If you are into reverse engineering or simply are curious, take a look at the video from his talk:

DeepSec 2013 Video – Relax Everybody: HTML5 Is Securer Than You Think

René Pfeiffer/ January 14, 2014/ Conference

A lot of tags have been created since the 1980s when the foundation of the modern World Wide Web was born. HTML5 is being deployed on servers around the world. Just like the many 802.11xyz wireless standards it is being used before the stable standard has been released by the W3C. Moving targets attract all kinds of developers and information security enthusiasts. This is why we invited Sebastian Lekies of SAP to hold a presentation about HTML5. He systematically explores security relevant HTML5 APIs and summarises what web developers need to know when designing, implementing and deploying web applications. We will see at DeepSec 2014 if HTML5-based sites will be still featured in talks. ☺

DeepSec 2013 Talk: Building The First Android IDS On Network Level

René Pfeiffer/ November 13, 2013/ Conference, Development, Security

Being popular is not always a good thing and here’s why: As mobile devices grow in popularity, so do the incentives for attackers. Mobile malware and threats are clearly on the rise, as attackers experiment with new business models by targeting mobile phones. The threat to mobile devices, however, is not limited to rogue versions of popular apps and adware. Threat actors are also pouncing on mobile users’ banking transactions. Android continues to be a primary target for malware attacks due to its market share and open source architecture. Nowadays, several behaviour-based malware analysis and detection techniques for mobile threats have been proposed for mobile devices but only about 30 percent of all Android smart phones and tablets have security apps installed. At DeepSec 2013 Jaime Sanchez (@segofensiva) will present AndroIDS, a signature-based intrusion

Read More

DeepSec 2013 Talk: Top 10 Security Mistakes In Software

René Pfeiffer/ September 16, 2013/ Conference, Security

Software Development and information security are tightly tied together. A bug attracts vulnerabilities and bugs and vulnerabilities combined can be turned into exploits to compromise systems. In an ideal world security starts at the design or development stage. While you probably will never be able to completely eliminate bugs in (your) code due to the complexity of modern applications and their dependencies, you still can improve the security record by paying attention. So where do you get started? What are the most common mistakes made during the software development process that leads to security problems in the finished product? Peter af Geijerstam will address the top 10 security mistakes in his talk at DeepSec 2013. Mistakes during software development do not always have to be caught at the quality assurance stage. You can catch

Read More

DeepSec 2012 Talk: The Vienna Programme – A Global Strategy for Cyber Security

René Pfeiffer/ October 5, 2012/ Conference

In case you ever felt frustrated by the countless ways digital systems can fail, you should consider listening to Stefan Schumacher‘s talk about a global strategy for cyber security. It’s not about silver bullets or throwing rings into volcanoes, it’s meant as a roadmap leading to an improved security level in our digital landscape. Information technology and therefore IT security play a bigger role in everyday life than 20 years ago. However, even since IT security becomes more and more important, yet we are still discussion the same old problems: rootkits, viruses and even buffer overflows. Unfortunately, IT security  still revolves about the same problems as it did 20-30 years ago. Instead of fighting the same battles again and again we have to take a look at the strategic level to coordinate efforts. This

Read More

DeepSec 2012 Talk: AMF Testing Made Easy

René Pfeiffer/ September 28, 2012/ Conference

Protocols are fun. When it comes to security, protocols are both loved and loathed. Security researchers have fun breaking them. Developers have a hard time designing them (this is why short-cuts will be taken and weaknesses are introduced). Penetration testers are sent to discover broken protocols and to exploit them. Attackers usually know some bits about protocols, too. This is where you come in. Regardless on which side you are on, you need to know, too. It’s not always about security, though. Typical software deployment or development requires testing, too. Luca Carettoni has good news for you either way. Despite the popularity of Flex and the AMF binary protocol, testing AMF-based applications is still a manual and time-consuming activity. This research aimed at improving the current state of art, introducing a new testing approach

Read More