2302, 2014

DeepSec 2013 Video: Pivoting In Amazon Clouds

René Pfeiffer/ February 23, 2014/ Conference

The „Cloud“ is a great place. Technically it’s not a part of a organisation’s infrastructure, because it is outsourced. The systems are virtualised, their physical location can change, and all it takes to access them is a management interface. What happens if an attacker gains control? How big is the impact on other systems? At DeepSec 2013 Andrés Riancho showed what attackers can do once they get access to the company Amazon’s root account. There is more to it than a simple login. You have to deal with EC2, SQS, IAM, RDS, meta-data, user-data, Celery, etc. His talk follows a knowledgeable intruder from the first second after identifying a vulnerability in a cloud-deployed Web application through all the steps he takes to reach the root account for the Amazon user. Regardless of how your

Read More

2202, 2014

DeepSec 2013 Video: Hack The Gibson – Exploiting Supercomputers

René Pfeiffer/ February 22, 2014/ Conference, Security

Hey, you! Yes, you there! Want to get root on thousands of computers at once? We know you do! Who wouldn’t? Then take a good look at supercomputers. They are not a monolithic and mysterious as Wintermute. Modern architecture links thousands of nodes together. Your typical supercomputer of today consists of a monoculture of systems running the same software. If you manage to break into one node, the chances are good that you have access to all nodes. That’s pretty neat. At DeepSec 2013 John Fitzpatrick and Luke Jennings of MWR InfoSecurity talked about their tests with supercomputers. Their presentation covers the research and demonstrates some of the most interesting and significant vulnerabilities they have uncovered so far. They also demonstrated exploits and previously undocumented attack techniques live so you can see how to

Read More

1802, 2014

DeepSec 2013 Video: From Misconceptions To Failure – Security And Privacy In The US Cloud Computing FedRAMP Program

René Pfeiffer/ February 18, 2014/ Conference, Security

The „Cloud“ is the Fiddler’s Green of information technology. It’s a perpetual paradise built high above the ground where mortal servers and software dwell. Everyone strives to move there eventually, because once you are in digital paradise, then all your sorrows end. So much for the theory. The reality check tell a different story. This is why we invited Mikhail A. Utin (Rubos, Inc.) to DeepSec 2013. He presented an in-depth analysis of the US government’s FedRAMP programme. „…However, regardless of numerous concerns expressed by information security professionals over CC services, US government developed the FedRAMP program and got funding for moving all federal information systems into a “cloud”. As we identified, all “cloud” misconceptions have successfully made it into FedRAMP documents. What should we expect from such a large scale experiment? What will

Read More

0201, 2014

Applied Crypto Hardening (ACH) Project

René Pfeiffer/ January 2, 2014/ Communication, Security

DeepSec 2013 featured a talk about the Applied Crypto Hardening (ACH) project. In the wake of the discussion about attacks on cryptography itself and implementations of cryptographic standards almost every aspect of encrypted communication needs to be reviewed. Since system administrators, developers, and other IT staff usually has not the same expertise as crypto experts, the ACH project was formed. Its goal is to compile a reference for the best practice configuration of systems that use cryptographic components. The ACH guide covers SSL/TLS, virtual private network (VPN), algorithms, key sizes, (pseudo) random generators, and more. The advice is targeted at everyone seeking to improve the cryptographic capabilities of software and appliances. Hardening crypto is part of the basic security measures everyone should take care of. It needs to become a habit, just like everything

Read More

1710, 2013

DeepSec 2013 Talk: Pivoting In Amazon Clouds

René Pfeiffer/ October 17, 2013/ Conference, Internet

The „cloud“ infrastructure is a crucial part of information technology. Many companies take advantage of outsourced computing and storage resources. Due to many vendors offering a multitude of services, the term „cloud“ is often ill-defined and misunderstood. This is a problem if your IT security staff needs to inspect and configure your „cloud“ deployment with regards to security. Of course, virtualisation technology can be hardened, too. However the „cloud“ infrastructure brings its own features into the game. This is where things get interesting and where you have to broaden your horizon. Andres Riancho will show you in his talk Pivoting In Amazon Clouds what pitfalls you can expect when deploying code and data in the Amazon Cloud. Classical security tests won’t be enough. The Amazon Elastic Compute Cloud (EC2) is more than just virtual

Read More

1610, 2013

DeepSec 2013 Talk: From Misconceptions To Failure – Security And Privacy In The US Cloud Computing FedRAMP Program

René Pfeiffer/ October 16, 2013/ Conference, Security

The „Cloud“ doesn’t stop when it comes to government data. Once government authorities play with outsourcing a lot more regulations need to be reviewed. Mikhail Utin talks about new results and a continuation of his last presentation at DeepSec conference: Our second presentation at DeepSec on so named “Cloud Computing” (CC) and associated services (CCS) considers practical implementation of the “concept” by US government in its FedRAMP program, which is expected to convert all the government IT services into “cloud” based ones. Our first (DeepSec 2012) presentation considered whether such “concept” is useful to protect privacy and implement such regulation as EU General Data Protection Regulation (GDPR) proposal. In fact, we have shown that CC is a misleading terminology, providing a confusing name to describe well-known IT infrastructure, which is little more than a

Read More

0410, 2013

DeepSec 2013 Workshop: Attacks On GSM Networks

René Pfeiffer/ October 4, 2013/ Conference, Security, Training

Mobile phone networks have penetrated even the most remote areas of the Earth. You can send a tweet from Mount Everest if you like, the cell service is already there. In addition mobile phone networks feature 6 billion subscribers all over the world. Communication by mobile devices has entered the routine of daily life. It’s not all about talking. Smartphone, laptops, tablets and modems access the Internet by mobile phone networks. And as every security specialist knows: If there’s a network, then there are protocols, and these protocols can be attacked. True, it’s not as easy as TCP/IP since mobile phone networks feature sets of more complex protocols. Nevertheless these networks can be accessed, and you cannot block it. This is why you should get in touch with the threats to your organisation. DeepSec

Read More

0310, 2013

DeepSec 2013 Keynote: Geopolitics and the Internet – the Meaning of “Hegemony”

René Pfeiffer/ October 3, 2013/ Conference, Discussion, Internet

Most of us think of the Internet as a place where the world virtually gathers and communicates without boundaries. It is regarded as a „virtual“ space where the confinement by borders of nation states is blurred by digital connectivity. People from all over the globe communicate with each other and form a truly cosmopolitan community. The trouble in paradise starts when countries switch off access to the Internet or prosecute whistle-blowers. Given the ever present notion of „cyber“ war we need to discuss geopolitics. It seems that the USA heavily dominates the Internet and regards it as its territory. Marcus Ranum will address the idea of hegemony and the USA with regards to the Internet in his keynote for the DeepSec 2013 conference: So, the topic is “the meaning of hegemony” – what does

Read More

2309, 2013

DeepSec 2013 Workshop: Secure your Business by Business Continuity Plans

René Pfeiffer/ September 23, 2013/ Conference, Training

Quite a lot of companies stay in business, because they operate continuously and reliably. Few have the luxury to close shop for an extended period of time. If you do, then you are either fabulously successful or in deep trouble. Regardless of what you have in mind for your enterprise you should think of implementing a business continuity plan (BCP) sooner or later. Since designing and implementing a BCP is no piece of cake, we offer you a one day training at DeepSec 2013 where you can get started. The workshop will be conducted by Michel Wolodimiroff, who has over 25 years of experience in dealing with information technology. He will walk you through all bad dreams  of failing infrastructure, data loss, compromised systems, and worse catastrophes you might not even have thought of.

Read More

2709, 2012

Booking Tickets for DeepSec 2012

René Pfeiffer/ September 27, 2012/ Administrivia

Regulars already know this. We use a ticket shop system for all tickets to DeepSec 2012 that can be booked online for both the conference and the workshops. We received some reports of failed bookings with various payment options, and we already informed the company responsible for the shop system. In case you encounter any errors, please report them to us via e-mail. The most important information is the time and date of your attempt (you know, logs and all that). Once we get this information we will try to figure out what the problem may be. We can also invoice you directly, but you have to tell us. Speaking of tickets, please make sure you book early. This is especially true for the trainings since some workshops are already close to being sold

Read More

2008, 2012

Wireless (Wi-Fi) Security Interview

René Pfeiffer/ August 20, 2012/ Discussion, Press, Security, Stories

Today we had a visit from an Austrian television crew to answer some short questions about wireless security. It’s too bad that journalists always look for „hackers“ who „hack something“. While we had no idea what they were talking about, we delivered a short summary of wireless security. For most of you this is old news, but for a broad audience in front of TV sets it’s still a mystery. Usually no one really know what the difference between WPA and WPA2 is. In addition you have WEP and WPS, in-depth you have TKIP and AES, too. All of this sounds pretty intimidating. If you add some cinematic scenes, you can imagine the hero (or evil villain) discovering a wireless network, pressing some keys and gaining access mere seconds later. Defences have been breached,

Read More

0508, 2012

All Your Clouds are to Belong to Whom?

René Pfeiffer/ August 5, 2012/ Discussion, Security

There are probably less than 5 persons on this planet who know what cloud computing really means. The figure might be exaggerated, but while enterprises, consultants and vendors try to figure out the best cloud for their business model the attackers already take advantage of cloud infrastructure. Let’s disregard climate dependencies and extraordinary political environments for a moment (if you say yes to cloud computing, then you have this already taken into account and under control, right?). Let’s focus on on the security implications for the moment. There’s an example of a string of unintended consequences by a successful social engineering attack. The target was a „cloud account“ linked to storage and three personal devices (a phone, a tablet and a laptop). The attacker gained access by means of tech support and bypassing security

Read More

1806, 2012

A „Cool War“ is not cool

René Pfeiffer/ June 18, 2012/ Discussion, High Entropy

The term „Cyberwar“ carries a dark fascination. Most people think of it as „war lite“. You get all the benefits of a real war, but the casualties are limited to bits, bytes and maybe pixels. No one dies, only the targets get destroyed. This sounds too clean to be true. There is even an article called „Cool War“ that glorifies the concept of digital battles even further. The author suggests that a cool war could prevent a „real“ armed conflict by digital preemptive strikes. The good news is that a preemptive cyber attack on the military command-and-control systems of two countries getting ready to fight a “real war” might give each side pause before going into the fight. In this instance, the hackers mounting such attacks should probably publicize their actions — perhaps even

Read More

0806, 2012

Collateral Damage in Cyberspace

René Pfeiffer/ June 8, 2012/ High Entropy, Security

„In cyberspace, no one can hear you scream.“ System administrators know this already for a long time, as do security researchers. Everybody is talking about „cyberwar“ these days (elections are coming). No one is talking about the (digital) fallout from „cyberwar“ operations. Unless you solely rely on passive methods, there’s not much that can happen. As soon as you employ „offensive security“, which is just an euphemism for „breaking things“, there will be damage in terms of service disruption, compromised systems, modified/erased data, inserted attack code and possibly more. Attack tools such as Stuxnet, Duqu and now Flame have been discussed for years by security researchers. Especially anti-virus vendors have repeatedly promised to include malware of any origin in their databases. In theory this includes these „cyberweapons“ as well. In real life these weapons

Read More

1505, 2012

Cloud Security Promises out of thin Air

René Pfeiffer/ May 15, 2012/ Discussion, Security

The „Cloud“ is a wonderful link between the BYOD disaster, data loss and broken security promises. Yet users of all kinds are lured into the web interfaces with eye candy. The German IT magazine Golem.de has published an article about the cloud security study of the Fraunhofer Institute for Secure Information Technology SIT. Researchers have put Dropbox, Cloudme, Crashplan, Mozy, Teamdrive, Ubuntu One and Wuala under scrutiny. The results should be a wake-up call for businesses who blissfully shove all kinds of data out into the thin air of the „Cloud“. The quintessence of the study is that none of the listed „Cloud“ services can provide a basic security or even sensible encryption technology. Some registration forms do not verify the e-mail addresses entered. Some platforms do not use SSL/TLS. Some use their own

Read More