2101, 2017

Putting the Context into the Crypto of Secure Messengers

René Pfeiffer/ January 21, 2017/ Communication, Discussion, Internet

Every once in a while the world of encrypted/secure/authenticated messaging hits the wall of usability. In the case for email Pretty Good Privacy (PGP) is an ancient piece of software. These days we have modern tools such as GnuPG, but the concept of creating keys, verifying identities (i.e. determining who is to trust), synchronising trust/keys with communication partners, and handling the software in case something goes wrong is quite a challenge. Plus things might change. People revoke their keys, devices get lost, data gets deleted, people create new keys or even (digital) identities, or do lots of things that is either anticipated by the software developers or not. Communication is not static. There are moving parts involved, especially the communication partners might move a lot. So crypto is hard, we know this. Discussing secure

Read More

1011, 2016

DeepSec 2016 – expect 48 Hours of Failures and Fixes in Information Security

René Pfeiffer/ November 10, 2016/ Conference, Discussion

The conference part of DeepSec 2016 has officially started. During the workshops we already discussed a lot of challenges (to phrase it lightly) for infrastructure and all kinds of software alike. The Internet of Things (IoT) has only delivered major flaws and gigantic Distributed Denial of Service attacks so far. There is even a worm for LEDs these days. And we haven started the conference preparations yet. So we have plenty of reasons to talk about what went wrong, what will go wrong, and what we can do about it. The world of information security is not always about good news. Something has to break, before it can be repaired – usually. Systems administrators know this, for some it’s their daily routine. Nevertheless we hope everyone at DeepSec gets some new insights, fresh ideas,

Read More

0911, 2016

Screening of “A Good American” in Vienna with Bill Binney

René Pfeiffer/ November 9, 2016/ Discussion, High Entropy, Security Intelligence

There will be a screening of the documentary A Good American in Vienna tomorrow. We highly recommend watching this film, even if you are not directly connected to information security. Threat intelligence has far-reaching consequences, and in the case of the world’s biggest intelligence agency it also affects you. A Good American will be shown at 1000, Village Cinema Wien Mitte, and at 1600, Audimax of the Technische Universität Wien (you need to send an email with a RSVP to attend). All of this takes place in the course of a lecture about the topic. Markus Huber and Martin Schmiedecker have kindly organised everything. Bill Binney will be present, too. So you can directly talk to him and ask him questions. We highly recommend not to miss this opportunity.

0811, 2016

DeepSec 2016 Keynote: Security in my Rear-View Mirror – Marcus J. Ranum

Sanna/ November 8, 2016/ Conference, Discussion, Security, Stories

Everything that’s old is new again, and if you work in security long enough, you’ll see the same ideas re-invented and marketed as the new new thing. Or, you see solutions in search of a problem, dusted off and re-marketed in a new niche. At this year’s DeepSec conference the keynote will be given by Marcus Ranum, who set up the first email server for whitehouse.gov. He will reflect upon over 30 years of IT security and make a few wild guesses for where this all may wind up. Spoiler alert: Security will not be a “solved” problem. Marcus answered a few questions beforehand: Please tell us the Top 5 facts about your talk. I’ll be talking about how the security market evolves from here. I’ll be talking about the relationship between security and management It’s going to be depressing. I have

Read More

0509, 2016

Of Clouds & Cyber: A little Story about Wording in InfoSec

René Pfeiffer/ September 5, 2016/ Discussion, High Entropy

In case you ever received a message about our calls for papers, you may have noticed that we do not like the word cyber. Of course we know that it is used widely. Information security experts are divided if it should be used. Some do it, some reject it, some don’t know what to do about it. We use it mostly in italics or like this: „cyber“. There is a reason why, but first let’s take a look where the word comes from. The Oxford Dictionaries blog mentions the origin in the word cybernetics. This word was used in the 1940 by scientists from the fields of engineering, social sciences, and biology. Cybernetics deals with the study of communication and control systems in living beings and machines. Hence the word is derived from the

Read More

3108, 2016

Information Warfare: “Breaking News” considered harmful

René Pfeiffer/ August 31, 2016/ Discussion, High Entropy

Eight years ago the stocks of UAL took a dive. Apparently a six year old news article resurfaced via Google. Googlebot, which is used to index news sites, confused one of the most popular web articles of The Sun-Sentinel with breaking news. The story contained the words United Airlines Files for Bankruptcy. Unfortunately a software error turned the date of the original story from 10 December 2002 to 6 September 2008. And so this little piece of misinformation due to the time travel caused a lot of havoc with UAL’s stock price. A little misunderstanding. Fortunately it was not a cyber attack, because the word was used rarely back then. Breaking news can break things, hence the name. It happens with data leaks, password leaks/breaches (depending on which side you are), incomplete reports, social

Read More

2108, 2016

Transforming Secure Coding into Secure Design

René Pfeiffer/ August 21, 2016/ Discussion, High Entropy, Security

Secure Coding is the way to go when you develop applications for the real world. Rename errors and bugs into failures. Turn #fail to #win. Instant karma. In addition there are lots of best practices, checklists, and documents around that will tell you what to anticipate. However the design of an application precedes the code itself. Given the scope and purpose of your product implementing security at the coding stage might be too late. Let us consider an example. The Internet of Things (IoT) is all around us, especially in the information security news sections. While connecting devices to make one’s life easier isn’t a bad idea (just think about writing this article on a networked device and you reading it! Cool, eh?), the connecting parts and the security design should be sound. Smart

Read More

2107, 2016

A Perspective on Code and Components – assert(), don’t assume()

René Pfeiffer/ July 21, 2016/ Development, Discussion, High Entropy

Have you ever looked closely at the tools you use on a daily basis? Taking things apart and putting them back together is an integral part of understanding the universe. Scientists do it all of the time (well, at least some do, there are things that can’t be put together easily once taken apart). So lets focus on components and how they interact. ASN.1 and libraries that deal with it are popular components. Few people get a kick out of ASN.1, so they use code that does it. It’s just an example for parts that handle data being sent to and received from other systems. We live in a networked world, so communication is a crucial part of modern software. So to use business lingo: Most software works by delegating tasks to third-party code.

Read More

2107, 2016

Intelligence on the Silver Screen: A Good American Kickstarter Campaign

René Pfeiffer/ July 21, 2016/ Discussion, High Entropy, Security Intelligence

Surveillance has a bad reputation. No one likes to be watched. Yet infosec researchers, sysadmins, and developers talk a lot about log files. We need to watch stuff for various reasons. You got your mail logs, diagnostic messages, performance metrics, network addresses, and more painstakingly sorted by timestamps and maybe geolocation. Log data is part of information technology. It gets interesting once you store, process and mine this data. Some people like to collect it all and do all kinds of Big Data stuff with it. Others filter out the relevant bits of information and work with that. Opinion is divided, results may vary. Enter A Good American, the documentary which was screened in Vienna during the DeepSec 2015 conference. It has been shown all over the world. The film itself is fully funded,

Read More

0104, 2016

FBI, NSA, DoD and CDC join forces to combat Cyber Pathogens

René Pfeiffer/ April 1, 2016/ Discussion, High Entropy

The world economy is threatened by a new strain of microorganisms. These so-called cyber pathogens spread via networks and the touch of digital devices. They can also lie dormant for days and months, only to spring to life when the victim’s immune system is at its weakest point. It is widely believed that cyber pathogens can infect the population of a whole country and wipe it completely off the grid of the Earth. Current antidotes can only treat the symptoms. The best way to get rid off the pathogens is to resort to physical means and destroy every surface it can cling to. Amputation of infected tissue also works. Unless security researchers will find a suitable vaccination soon, every single one of us is at risk. The cyber pathogen threat is the reason for

Read More

1503, 2016

Reminder: DeepINTEL 2016 – Call for Papers – Beat Big Data and Full Take with Brains

René Pfeiffer/ March 15, 2016/ Call for Papers, Conference, Security Intelligence

We already published a Call for Papers for the upcoming DeepINTEL 2016. Here are some thoughts to get your creativity going. Standard solutions and off-the-shelf products to solve your security needs are remains from the 1990s. Everything else has gone smart, and that’s how you have to address security problems in the future. NSA director Admiral Michael Rogers told the audience of the RSA Conference 2016 that the NSA cannot counter the digital attacks it faces on its own. GCHQ, the NSA’s British counterpart, has publicly stated that the £860m budget to counter digital adversaries is not sufficient to defend Britain’s digital assets. Modern digital defence needs a sound foundation of data to base decisions on. You can neither combat a forest fire or an infectious disease by blindly throwing money at it. You

Read More

1103, 2016

“A Good American” opens next Week in Austrian Theatres

René Pfeiffer/ March 11, 2016/ Administrivia, Discussion, High Entropy, Security, Security Intelligence

For everyone attending DeepSec 2015 we organised a private screening of the film “A Good American”. Everyone else now gets the chance to see this film in theatres beginning on 18 March 2016. Next week there will be the premiere in Vienna, Linz, and Innsbruck here in Austria. Bill Binney will be present himself, and he will answer questions from the audience. We highly recommend “A Good American” to everyone dealing with information security, regardless of the level. Full take and Big Data is not always the answer to your security challenges. Every gadget around is turning smart, and so should you. We hope to see you at the premiere here in Vienna next week!

1802, 2016

DeepSec Video: Not so Smart – On Smart TV Apps

René Pfeiffer/ February 18, 2016/ Conference, Security

„Smart“ follows the footsteps of „cyber“. Everything is smart nowadays. The problem is that using smart in this context just means a combination of „Turing complete“ and „connected to the Internet“. That’s it. This is a pretty low barrier for calling something „smart“. t DeepSec 2015 Markus Niemietz held a presentation about the state of affairs concerning SmartTVs where security is concerned: One of the main characteristics of Smart TVs are apps. Apps extend the Smart TVs menu with various functionalities, ranging from usage of social networks or payed streaming services, to buying articles on Ebay. These actions demand usage of critical data like authentication tokens and passwords, and thus raise the question of new attack scenarios and the general security of Smart TV apps. We investigate attack models for Smart TVs and their

Read More

1102, 2016

DeepSec Video: Agile Security – The Good, The Bad, and mostly the Ugly

René Pfeiffer/ February 11, 2016/ Conference, Security

How do you manage your technical and operational security? Do you follow a model? If so, what’s the flavour? Do you borrow concepts from software development? In case you do or you plan to do, then Daniel Liber might have some ideas for you. At DeepSec 2015 he held a presentation about Agile and a possible relation to information security. Buzzwords about Agile are flying around in overwhelming speed, talks about Scrum, Kanban, XP and other methodologies and practices are thoroughly discussed while security is still left as a ‘high level’ talk, or, sometimes, as understanding how to adapt from traditional development methodologies. Some best practices will leave you scratching your head, unsure what was the original intention and without understanding how to implement security in Agile, effectively. This talk will help security engineers,

Read More

2801, 2016

DeepSec Video: Cyber Cyber Cyber Warfare: Mistakes from the MoDs

René Pfeiffer/ January 28, 2016/ Conference, Internet, Security

The  word cyber has entered the information security circus a couple of years ago. It should have been long gone according to its creator William Gibson. Meanwhile everything has developed into something being cyber – CSI, war, politics, security, homes, cars, telephones, and more. Inventing new words helps to distract. Distraction is what Raoul Chiesa has seen in the last five years, while training various military units in different countries. He held a presentation at DeepSec 2015 about his experiences. While we don’t use the word cyber when talking about (information) security, others sadly do. So think of Information Warfare or Information Offensive Operations when hearing cyber and don’t let yourself be distracted by the fog of war.