2409, 2014

DeepSec 2014 Talk: A Myth or Reality – BIOS-based Hypervisor Threat

René Pfeiffer/ September 24, 2014/ Conference, High Entropy

Backdoors are devious. Usually you have to look for them since someone has hidden or „forgotten“ them. Plus backdoors are very fashionable these days. You should definitely get one or more. Software is (very) easy to inspect for any rear entrances. Even if you don’t have access to the source code, you can deconstruct the bytes and eventually look for suspicious parts of the code. When it comes to hardware, things might get complicated. Accessing code stored in hardware can be complex. Besides it isn’t always clear which one of the little black chips holds the real code you are looking for. Since all of our devices we use every days runs on little black chips (the colour doesn’t matter, really), everyone with trust issues should make sure that control of these devices is

2705, 2014

IT Security without Borders

René Pfeiffer/ May 27, 2014/ Discussion, Internet

U.S. government officials are considering to prevent Chinese nationals from attending hacking and IT security conferences by denying visas. The ideas is „to curb Chinese cyber espionage“. While this initiative has been widely criticised and the measure is very easy to circumvent, it doesn’t come as a surprise. Recent years have shown that hacking has become more and more political. This aspect was already explored in the keynote of DeepSec 2012. So what is the real problem? Espionage, be it „cyber“ or not, revolves around information. This is exactly why we have a problem with the word „cyber“. Methods of transporting information have been around for a long time. Guglielmo Marconi and Heinrich Hertz raised problems for information security long before the Internet did. The only difference is the ease of setting up Internet

0111, 2013

DeepSec 2013 Talk: Prism Break – The Value Of Online Identities

René Pfeiffer/ November 1, 2013/ Conference, Internet

We all have identities. We use them on a daily basis in our off-line world. Colleagues greet us at work, because they know who we are. Of course our family members know who we are. When it comes to the digital life-style our identity becomes a lot more complex and diverse. Web shops know what we like and suggest products we do not yet have. Social media sites suggest contacts that might match our interest (as do dating web sites). Frequently used search terms are processed to refine the results our favourite search engine presents us. Customisation and targeting is the key. Everything you do and communicate is processed like ore and the Big Data server farms refine your daily trails through the Internet and produce your online identity – which is a good

1509, 2013

Crypto Wars by Black Boxes and Standards

René Pfeiffer/ September 15, 2013/ High Entropy, Security

Intelligence services go after cryptography. That’s the news you have probably read in the past weeks. That’s no surprise. They have been doing this for centuries. If your job is to intercept and analyse communication, then cryptography gets in your way (provided the target uses it properly). Intelligence services have been dealing with creating and breaking ciphers since their existence. How do you break cryptography? What can you do to attack encrypted communication? There are multiple ways to obtain messages in clear text. Attack the encrypted data! This is widely known as cryptanalysis. Basically you intercept the encrypted message and try to deduce the plain text. Given sufficient failures in the history of cipher designs, this is pretty hard with most modern ciphers. Algorithms used today are developed and tested to withstand attacks like

0507, 2013

„Cyber Cyber Cyber“ revisited – Information Warfare

René Pfeiffer/ July 5, 2013/ Discussion, Security

So far we haven’t commented on the ongoing season of the Game of Spooks miniseries. We wait for the break after the last episode – provided there is one. However we have written about information warfare and espionage in this blog. Enter secrets. During DeepSec 2012 the concept of „cyber war“ was heavily explored. Eventually it led to the phrase „cyber cyber cyber“ due to the sheer popularity of this very word. „Cyber“ and „war“ hide the fact that information is the prime good that is being accessed or copied and put to a fresh use¹. Take a look at the published articles in the past weeks to see misplaced information at work. A couple of misplaced presentation slides can cause more uproar than a data leak of medical records of a nation –

1803, 2012

It’s the Smart Meters that matter – or is it?

René Pfeiffer/ March 18, 2012/ Communication, High Entropy, Security

Wired’s Danger Room has an article about how ubiquitous computing and smart homes are eagerly awaited by the CIA to turn your networked environment into a gigantic spy tool. CIA Director David Petraeus very much likes the „Internet of things” as an information gathering tool. Security researchers can’t wait, too. However they have a very practical approach by pointing out the missing security design. Smart homes might be very dumb after all, and they might not be a „home“. If your home turns against you and breaches your privacy, it’s not a home any more. Plus the next „digital Pearl Harbor“ (whatever this means) might start in your refrigerator. Who knows? This is a very simplistic view on the „Internet of things”. If things automatically turn into sensors and report useful information once they

2205, 2011

Thoughts about Threats by „Virtual Bombs“

René Pfeiffer/ May 22, 2011/ Security

The German Federal Minister of the Interior, Hans-Peter Friedrich, has warned „that it is only a question of time until criminal gangs and terrorists have virtual bombs at their disposal“. While the term „virtual bomb“ is very vague by itself, the minister mentioned „malware“ as well. This is no surprise for security researchers. Malicious software has already been used for attacking companies. The infrastructure of whole countries has been attacked as well. Logic bombs have been used in the past, but they have never been used to wage warfare. They have been used for revenge by disgruntled employees or for blackmailing someone (as the ransomware malware also does). Tools like this are used for very specific purposes (such as espionage or targeted destruction), but never for an all-out assault. Even a (D)DoS often has

1603, 2011

Reminder: Mind2Mind Event I/2011 – „Wir werden Sie belauschen!“

René Pfeiffer/ March 16, 2011/ Communication, Veranstaltung

This is a short reminder of our local Mind2Mind event about the technology means of espionage in companies and organisations. The talk will be held by Wolfgang K. Meister of VOXCOM (and will be in German). Mr. Meister will address eavesdropping devices, microphones, attacks on telephone communication (VoIP, ISDN, analogue, 2G/3G), peculiarities of mobile phone networks and attacks on Internet communication, local computer systems and IT infrastructure. He will also discuss countermeasures. Dies ist eine kurze Erinnerung an unseren lokalen Mind2Mind Event „Wir werden Sie belauschen!“, der die Technologie von Spionage und Lauschangriff an Unternehmen und Organisationen beleuchtet. Der am Abend stattfindende Vortrag von Herrn Wolfgang K. Meister der Firma VOXCOM beschäftigt sich mit Wanzen, Mikrofonen, Aufnahme von Körperschall, Funk, Angriffen auf Telefone (VoIP, ISDN, analog, 2G/3G), Eigenheiten von Mobilfunknetzwerken und Attacken auf IKT

0302, 2011

Mind2Mind Event I/2011 – „Wir werden Sie belauschen!“

René Pfeiffer/ February 3, 2011/ Veranstaltung

Wir beginnen im März mit der ersten Mind2Mind Veranstaltung. Es handelt sich dabei um lokale Events in Wien, bei der wir ein bestimmtes Thema mit Bezug auf Sicherheit miteinander und gegeneinander diskutieren möchten. Der erste Mind2Mind Vortrag handelt um alltäglichen Lauschangriff, den viele unterschätzen: Der elektronische Lauschangriff ist nicht nur ein Instrument von Behörden oder Politik. Oder etwa doch? Lassen Sie uns Fiktion und Wirklichkeit mit handfesten Fakten vergleichen. Der Experte Wolfgang K. Meister der Firma VOXCOM möchte Unternehmer, Angestellte und weitere Betroffene über die Situation fernab von Spielfilmen aufklären. Hollywood ist nicht die Realität. Jedoch sind nicht nur ehemalige Finanzminister potentielle Ziele von Abhöraktionen, es kann auch uns betreffen, wenn auch vielleicht nicht direkt. Zwei große Firmen wollen die Machenschaften des jeweils andren auspionieren? Warum nicht über eine Überwachung eines gemeinsamen Nenners? Vielleicht