War Dialing Video Conference Systems

René Pfeiffer/ March 11, 2020/ Security

Do you remember the Golden Age of Wardialing? The idea back then was to try calling phone numbers and to see if a computer systems answers. This methods still works, because you can wardial any system with a suitable addressing scheme. VoIP wardialing is a lot easier since you do not need a modem. You just need to send signalling messages. Video conferencing systems are no exception. They have to do signalling, too. Furthermore, participants of a meeting need to join and leave. For joining there must be a process that authenticates participants. Usually you get a conference identification number and maybe a PIN code. Other systems require an account, so that you have to log in first. Finding conference rooms gets real easy if you just need an URL. The Bavarian Ministry of

Read More

Translated Article: Campaign of the Spy Alliance “Five Eyes” against WhatsApp and Co

Sanna/ January 8, 2019/ Discussion, High Entropy, Security

Feldzug der Spionageallianz „Five Eyes“ gegen WhatsApp und Co for fm4 by Erich Moechel The current scattered news and reports on “encryption” belong together. The military secret services of the “Five Eyes” conduct a global campaign; in Australia they’ve already reached their first milestone. Every two years, around the same time, a campaign of the espionage alliance “Five Eyes” against encryption programs takes place. Unlike in 2016, the new campaign has reached its first goal in a flash. In early December, a bill was passed in the Australian Parliament obliging Internet companies to break up encrypted communications. The providers of Whatsapp, Snapchat, and Co are hereby required to build surveillance interfaces into their apps to give hidden access to the Australian law enforcement. In a parliamentary coup – without discussion or amendments – the “Assistance

Read More

Translated RadioFM4 Article: Hype about “Chinese Espionage Chips” stems from the Pentagon

Sanna/ October 16, 2018/ Discussion, High Entropy, Press, Security

[Editor’s note: This article was originally published on the web site of the FM4 radio channel of the Austrian Broadcasting Corporation. We have translated the text in order to make the content accessible for our English-speaking audience, because the author raises some important questions.] In the FM4 fact check the sensational report by the business portal Bloomberg about manipulated hardware for cloud computing turns out to be almost completely fact-free. On Friday a long-awaited report from the Pentagon was released warning about electronics manufacturing in China. by Erich Moechel for fm4.orf.at In the US, the “Cyber Security Month” October has begun, related news come thick and fast. The documentary presented on Thursday about a Russian espionage attack that failed miserably was spectacular, but had already taken place in April. England, Holland and Canada have waited

Read More

Wannacry, Code Red, and „Cyber“ Warfare

René Pfeiffer/ May 14, 2017/ High Entropy, Security

Society and businesses increasingly rely on networked infrastructure. This is not news. Worms that used networks to spread to new hosts in order to infect them is also not news. Code Red did this back in 2001. There is a new worm going around. Its name is Wannacry, and it is allegedly based on published attack code developed by the NSA. The malicious software is delivered by email. After successful installation it infects the host and propagates to other systems by using probes to port 139/TCP, 445/TCP and 3389/TCP. It belongs to the class of ransomware, encrypting files and demanding ransom. Thousands of infected systems are still active. The attack is still ongoing. If you are in doubt if you have compromised systems within your network, we recommend taking a look at how to

Read More

DeepSec Video: HackingTeam – How They Infected Your Android Device By 0days

René Pfeiffer/ February 20, 2016/ Conference, Discussion, High Entropy, Security

Backdoors are very popular these days. Not only cybercrime likes extra access, governments like it too. There’s even a lucrative market for insecurity. You can buy everything your IT team defends against legally. Hacking Team is/was one of the companies supplying 0days along with intrusive software to take over client systems. Attila Marosi explained at DeepSec 2015 how products of Hacking Team were used to attack and compromise Android clients. There is no need to make a long introduction when speaking about the famous Remote Control System (RCS), the product of the Italian company Hacking Team. The huge amount – 400 GB – of leaked data gives rise to lengthy discussion and is extremely concerning for every part of the professionally, politically or even those superficially interested only. Enjoy Attila’s presentation. Be careful about

Read More

DeepSec Video: A Death in Athens – The inherent Vulnerability of “Lawful Intercept” Programs

René Pfeiffer/ January 20, 2016/ Conference, Discussion

In politics it is en vogue to create new words by connecting them. The words „cyber“ and „lawful“ come to mind. You can add „crime“ and „intercept(ion)“, and then you got something. Actually you can combine both of the latter words with the first two. Either combination makes sense if you take a look at the Athens Affair. More than ten years ago the lawful interception modules of Vodaphone Greece were used to eavesdrop on the Greek government. Kostas Tsalikidis (Κώστας Τσαλικίδης) , Vodaphone’s network planning manager, was found dead in his apartment. At DeepSec 2015 James Bamford talked about what the Athens Affair really was and shed light on the many uses of the lawful intercept systems which are mandatory for most telecommunications equipment. We don’t know how many Athens Affairs are still

Read More

Debugging Information Security: Self Defence for Entrepreneurs

Sanna/ November 5, 2015/ Conference, High Entropy, Internet, Security, Security Intelligence

In our economy data leaks are a constant companion. That’s the impression one gets when reading the news. Customer portals, online shops, digital communications, plans of products, personnel data, and more can be found in department stores throughout the shadow economy. Blind faith in global networks has indeed suffered in recent years, but companies and individuals still have a partially carefree attitude when it comes to the imminent risk their data is exposed to. “Who cares about our data?”, is often said. This year’s DeepSec IT Security Conference has some very specific answers to this question. Duncan Campbell and James Bamford open IT Security Conference in Vienna Duncan Campbell is a freelance British journalist, author, and television producer. Since 1975 he has specialized in intelligence and security services, defence, policing and civil liberty rights.

Read More

Special Screening of the Documentary “A Good American” during DeepSec 2015

René Pfeiffer/ October 28, 2015/ Conference, Discussion, High Entropy, Security Intelligence

Attendees of DeepSec 2015 will receive a special treat. We have been talking to Friedrich Moser, and he has agreed to show his documentary „A Good American“ on 20 November 2015 exclusively. The private screening will take place in Vienna. It starts at 2100 at the Burg Kino, known for showing „The Third Man“. „A Good American“ explains how to do threat intelligence in a more efficient way, according to the creator of ThinThread: „A codebreaker genius, a revolutionary surveillance program and corruption across the board of NSA. Against this backdrop unfolds the feature documentary A GOOD AMERICAN. The film tells the story of Bill Binney and his program ThinThread and how this perfect alternative to mass surveillance got ditched by NSA for money.“ After the film Friedrich Moser, Duncan Campbell, James Bamford, and

Read More

DeepSec 2015 Keynote: Can Societies manage the SIGINT Monster?

René Pfeiffer/ October 27, 2015/ Conference, Discussion

Gathering data has become very important in the past years. Everyone is talking about intelligence of all shades, few know what it actually means and how you do it properly (we got a workshop for that, if you are interested). Information security needs to anticipate threats and adapt the defences accordingly. The same is true for other areas where security plays an important role, such as national defence. There are also new threats. Surveillance systems expand steadily, and the facts about them were published after 2013. The impact effects all of us, especially companies moving data around and communicating digitally. Although is it difficult to gauge what it means for your daily business, you should not close your eyes and assume that it is somebody else’s problem. We have asked Duncan Campbell to paint

Read More

DeepSec 2015 Talk: A Death in Athens: The inherent Vulnerability of “lawful Intercept” Programs, and Why all Government authorized Backdoors are very dangerous – James Bamford

Sanna/ October 22, 2015/ Conference, Security Intelligence

Some of you might remember the „Athens Affair“. In 2005 Ericsson found backdoors in the lawful interception systems of Vodafone Greece. The software on these modules was altered to successfully wiretap phone numbers without detection. When one of the tapped phones made or received a phone call, the exchange, or switch, sent a duplication of the conversation to one of fourteen anonymous prepaid mobile phones. The incident sparked an investigation, and Vodafone Greece was fined millions of Euros for breaching privacy laws. In February 2015 the Greek authorities issued a warrant for a suspect linked to the NSA. Lawful interception (LI) capabilities are mandatory for telecommunication equipment. In Europe the technical requirements and standards are developed by the European Telecommunications Standards Institute (ETSI); the 3rd Generation Partnership Project (3GPP) maintains the part relevant for

Read More

Digital Naval Warfare – European Safe Harbor Decree has been invalidated

René Pfeiffer/ October 8, 2015/ Discussion, High Entropy, Internet, Legal

The global cargo traffic on the Internet needs to revise its routes. The Court of Justice of the European Union has declared the so-called „Safe Harbor“ agreement between the European Commission (EC) and US-American companies as invalid. The agreement was a workaround to export the EU Directive 95/46/EC on the protection of personal data to non-EU countries. The ruling was a result of the ‘Europe v Facebook’ lawsuit by Austrian law student and privacy activist Max Schrems. This means that European companies might violate the EU privacy laws when storing or processing personal data on US-American servers. Among the arguments was that the rights of the European data protection supervision authorities must not be constrained and that due to the NSA PRISM program the protection of personal data according to EU directives is not

Read More

I spy with my little Spy, something beginning with „Anti…“

René Pfeiffer/ June 27, 2015/ Discussion, High Entropy, Security

Anti-virus software developers made the news recently. The Intercept published an article describing details of what vendors were targeted and what information might be useful for attackers. Obtaining data, no matter how, has its place in the news since 2013 when the NSA documents went public. The current case is no surprise. This statement is not meant to downplay the severity of the issue. While technically there is no direct attack to speak of (yet), the news item shows how security measures will be reconnoitred by third parties. Why call it third parties? Because a lot of people dig into the operation of anti-virus protection software. The past two DeepSec conferences featured talks called „Why Antivirus Software fails“ and „Easy Ways To Bypass Anti-Virus Systems“. The Project Zero team at Google found a vulnerability in

Read More

DeepINTEL 2015 – How to deal with (Industrial) Espionage

René Pfeiffer/ May 15, 2015/ Call for Papers, Security Intelligence

The DeepINTEL event in September will have a strong focus on a specific kind of intelligence. We will address the issue of espionage. Given the headlines of the past six months it is clear that companies are subject to spying. There is no need for euphemisms any more. Even with half of the information published on this matter, there is no way to deny it. Since the trading of data is a lucrative business, the issue won’t go away. So if you run a company or an organisation, then you might want to deal with risks and threats before they deal with you. DeepINTEL is focused on security intelligence. Few CISOs and CEOs have a grasp what this really means. It is much more than doing risks analysis or threat assessment. As we have

Read More

DeepSec 2014 Talk: A Myth or Reality – BIOS-based Hypervisor Threat

René Pfeiffer/ September 24, 2014/ Conference, High Entropy

Backdoors are devious. Usually you have to look for them since someone has hidden or „forgotten“ them. Plus backdoors are very fashionable these days. You should definitely get one or more. Software is (very) easy to inspect for any rear entrances. Even if you don’t have access to the source code, you can deconstruct the bytes and eventually look for suspicious parts of the code. When it comes to hardware, things might get complicated. Accessing code stored in hardware can be complex. Besides it isn’t always clear which one of the little black chips holds the real code you are looking for. Since all of our devices we use every days runs on little black chips (the colour doesn’t matter, really), everyone with trust issues should make sure that control of these devices is

Read More

IT Security without Borders

René Pfeiffer/ May 27, 2014/ Discussion, Internet

U.S. government officials are considering to prevent Chinese nationals from attending hacking and IT security conferences by denying visas. The ideas is „to curb Chinese cyber espionage“. While this initiative has been widely criticised and the measure is very easy to circumvent, it doesn’t come as a surprise. Recent years have shown that hacking has become more and more political. This aspect was already explored in the keynote of DeepSec 2012. So what is the real problem? Espionage, be it „cyber“ or not, revolves around information. This is exactly why we have a problem with the word „cyber“. Methods of transporting information have been around for a long time. Guglielmo Marconi and Heinrich Hertz raised problems for information security long before the Internet did. The only difference is the ease of setting up Internet

Read More