2408, 2018

DeepSec and Tor Tickets – Update

René Pfeiffer/ August 24, 2018/ High Entropy, Internet

We wrote about the German Tor operator relay organisation Zwiebelfreunde e.V. a while ago. They were raided on 20 June 2018 by the German police in five different locations. The police was investigating a German left-wing blog and was trying to find the author of articles published there. As many of you know, Tor exit relay operators are the last hop in a chain of communication channels, so the origin of the operator’s servers can be seen. However Tor exit relays bear to relation to the real origin of the transmission. This is the essence of the Tor anonymity network. Zwiebelfreunde e.V. is a non-profit organisation that runs Tor nodes for anyone donating money (realised by the Torservers.net project). Their nodes have a combined bandwidth of 5000 Mbit/s. They know what they are doing,

1808, 2017

Mythbusting: Anti-Virus Research considered dangerous

Sanna/ August 18, 2017/ High Entropy, Internet, Security Intelligence, Stories

Everyone doing research in information security or doing any work in this field takes some risks. Since most of the „cyber stuff“ is black magic to others not working in this context, there are a lot of problems and severe misunderstandings. The Crypto Wars still haven’t been decided in favour of mathematics. Real people prefer end-to-end encryption over insecure communication all of the time. Proposals of severely damaging information security for all of us by using sanctioned malicious software are still being debated in parliaments. Backdoors, covert or otherwise, are no line of any defence, as many military strategists will readily tell you. Marcus Hutchins was in the news recently, because of claims that he developed a strand of malware tied to attacks on financial institutions. While you can debate all you want about

1602, 2016

DeepSec Video: Legal Responses Against Cyber Incidents

René Pfeiffer/ February 16, 2016/ Conference, Legal

Despite current efforts to adapt existing legal instruments to regulate hostile activities in cyber space, there is uncertainty about the legal situation of actors affected by these actions. Part of this uncertainty is due to the fact that the cyber domain is technically complex; there is a strong need for collaboration between technical and legal subject matter experts, collaboration which is difficult to achieve. This talk summarizes the current legal status of Cyber Attacks. It defines a taxonomy of possible cyber-incidents, and analyses the predictable consequences of each type of cyber-incident with the purpose of mapping cyber-incidents to different legal frameworks. Oscar Serrano held a presentation at DeepSec 2015 about legal issues with digital attacks.

2001, 2016

DeepSec Video: A Death in Athens – The inherent Vulnerability of “Lawful Intercept” Programs

René Pfeiffer/ January 20, 2016/ Conference, Discussion

In politics it is en vogue to create new words by connecting them. The words „cyber“ and „lawful“ come to mind. You can add „crime“ and „intercept(ion)“, and then you got something. Actually you can combine both of the latter words with the first two. Either combination makes sense if you take a look at the Athens Affair. More than ten years ago the lawful interception modules of Vodaphone Greece were used to eavesdrop on the Greek government. Kostas Tsalikidis (Κώστας Τσαλικίδης) , Vodaphone’s network planning manager, was found dead in his apartment. At DeepSec 2015 James Bamford talked about what the Athens Affair really was and shed light on the many uses of the lawful intercept systems which are mandatory for most telecommunications equipment. We don’t know how many Athens Affairs are still

0611, 2015

Endangered Species: Full Disclosure in Information Security

Sanna/ November 6, 2015/ Discussion, High Entropy, Legal, Security

History, fictive or real, is full of situations where doubts meet claims. Nearly every invention, every product will be eyed critically, analysed, and tested. There are even whole magazines fully dedicated to this sport, be it for example, consumer protection, reviews of computer games or the car of the year. When it comes to testing the sector of information security is particularly sensitive. Depending on the hard- or software concerned, testing is not only about comfort or in search of a particularly good storyline, but about incidents, which can cause real damage in the real world. How should one deal with the knowledge of a design flaw affecting the security of a system? Locks In 1851 the American lock-smith Alfred Charles Hobbs visited the Great Exhibition in London. He was the first to pick

1909, 2015

DeepSec 2015 Talk: Legal Responses Against Cyber Incidents – Oscar Serrano

Sanna/ September 19, 2015/ Conference, Security

Like it or not, „cyber“ is here to stay. No matter what word you use, the networks have become a battlefield for various military operations. While you won’t be able to secure physical territory by keyboard (you still need boots on the ground for this), you can gain information, thwart hostile communications, and possibly sabotage devices (given the sorry state of the Internet of Stuff). When you deal with actions in this arena, you might want to know what your options are. It’s worth to think about legal consequences. When it comes to mundane cyber crime, you usually have laws to deal with incidents. What is the response to a military cyber attack? And what counts as one? In his presentation at DeepSec 2015 Oscar Serrano will introduce you to the legal implications and

2504, 2012

What is a Hacker Tool and how do you ban it?

René Pfeiffer/ April 25, 2012/ Discussion, Internet, Stories

What exactly is a hacker tool? The answer to this question depends on who you ask. To McGyver it would probably everything, to a hacker it would be any suitable tool and to a politician it would be anything that cannot be easily understood. The English Wikipedia has no entry on hacker tool. So what is it and why should we care? Care comes first. We have to care because the European Union is working on banning hacking tools. This is no news for some parts of Europe. Germany has tried to address the nebulous hacking tools issue in 2007. The law has drawn a lot of critic from security researchers. Some even moved their research abroad to avoid operating in a grey area of the law. There’s an open letter to the German

1801, 2012

DeepSec.net is on Strike!

René Pfeiffer/ January 18, 2012/ Administrivia, Internet

You have probably heard of the Stop Online Piracy Act (SOPA) and its chilling effects on the Internet and all its users. „The originally proposed bill would allow the U.S. Department of Justice, as well as copyright holders,to seek court orders against websites accused of enabling or facilitating copyright infringement. “ (quote taken from the Wikipedia article) SOPA is a major security risk for it advocates to change the DNS zones for specific domains. Blocking would be done by DNS, so the bill compromises the Internet’s infrastructure. Speaking from the view of security researchers we would like to quote the white paper written by Steve Crocker and Dan Kaminsky: From an operational standpoint, a resolution failure from a nameserver subject to a court order and from a hacked nameserver would be indistinguishable. Users running

0311, 2011

Talk: Laws, Compliance and real Life

René Pfeiffer/ November 3, 2011/ Conference

If you believe that computer security is all about having the right tools and an expert staff, then you are mistaken. Never forget why you have computers in the first place – because of your business. Mikhail Utin will shed light on the corporate side of security by talking about laws, compliance and real life (full title of his talk is US experience – laws, compliance and real life – when everything seems right but does not work). While information security can be improved in a number of ways, one powerful approach is continually overlooked by security researchers. This approach constitutes a collective effort by masses of computer users, where each individual has a very limited understanding of information security and is frequently forced to improve security by various laws and regulations. Pressure coming from

3110, 2011

Lessons in Trust and Malicious Code from the Staatstrojaner

René Pfeiffer/ October 31, 2011/ Security

Since it is Halloween we will beat an undead horse in our blog today. Zombies are all the fashion both in literature and on your computer. The question is: Are all zombies alike? Are there good and bad zombies, or only bad ones? How can you distinguish between good and evil intentions if all you got is a compromised system? It all boils down to trust, and the zombie in question is (again) the German Federal Trojan („Staatstrojaner“). The German magazine Telepolis published an article that compares the statement of Jörg Ziercke, the head of the German Federal Criminal Police Office (Bundeskriminalamt or BKA), to the words of Rudyard Kipling’s python Kaa. The basis for this analogue are Mr. Ziercke’s claims stem from leaked notes of his speech in the commission of the German

2410, 2011

Dissection of Malware and Legality

René Pfeiffer/ October 24, 2011/ Discussion, Security

You have probably seen the articles about the 0zapftis (a.k.a. the German Federal Trojan) malware used by the German police for investigation. There’s a lot going on in Germany and the German parliament, so we’d like to point out the issue of dissecting governmental malware and its relation to common sense and the law. The politician Patrick Sensburg accused the Chaos Computer Club to have thwarted investigations and thus the punishment of potential perpetrators. This violates German law (§ 258 Strafvereitelung, to be exact, description is in German). So is it legal to analyse malicious software or is it illegal? Mr. Sensburg has already answered three questions regarding his statements in parliament. He clarified his message. He criticises that the code had been published on the Internet instead of contacting the appropriate government agencies.

3108, 2011

Talk: How Terrorists Encrypt

René Pfeiffer/ August 31, 2011/ Conference

Encryption technology has always been regarded as a weapon, due to its uses in wars and espionage. Software used for encryption was banned for export to other countries in the US. The export regulations for strong cryptography were relaxed in 1996. Some countries still consider cryptographic software as a threat. Recently there have been discussions in the USA again about controlling access to encrypted communication channels. The United Arab Emirates, Indonesia, India, and Saudi-Arabia legally attacked the BlackBerry’s strong encryption of the BlackBerry Messenger Service. Encrypted messaging was discussed in UK after the riots in August. Pakistan has banned all encryption and requires users to apply for a permit. Usually the proponents of regulations claim that terrorists and cybercrime are heavy users of strong cryptography. So how do terrorists really encrypt? Are there software