2504, 2012

What is a Hacker Tool and how do you ban it?

René Pfeiffer/ April 25, 2012/ Discussion, Internet, Stories

What exactly is a hacker tool? The answer to this question depends on who you ask. To McGyver it would probably everything, to a hacker it would be any suitable tool and to a politician it would be anything that cannot be easily understood. The English Wikipedia has no entry on hacker tool. So what is it and why should we care? Care comes first. We have to care because the European Union is working on banning hacking tools. This is no news for some parts of Europe. Germany has tried to address the nebulous hacking tools issue in 2007. The law has drawn a lot of critic from security researchers. Some even moved their research abroad to avoid operating in a grey area of the law. There’s an open letter to the German

Read More

1504, 2012

Pattern, Matching and IT Folklore

René Pfeiffer/ April 15, 2012/ Discussion, High Entropy, Security

Every once in a while there is a lively discussion about the efficiency of pattern-based security measures. Usually you see these discussions in the wake of security software tests. Mostly it concerns intrusion detection, malware filter or spam filter tools. As soon as you are trying to implement filters or detection, you will need some criteria to base decisions on. It doesn’t matter if you apply whitelisting, blacklisting or a mixture of both. Even if you add some intricate algorithms ranging from good ideas to artificial intelligence you still need to base the decision on something. Patterns and signatures is still the way to go. So why do these discussion about „all methods using patterns/signatures are snake oil“ stem from? Let’s take another pattern-based defence mechanism as an example – our immune systems. It

Read More

1602, 2012

Of CAs, DLP, CSRs, MITM, inspection and compliance

René Pfeiffer/ February 16, 2012/ Discussion, Security

Writing about certificate authorities is slowly turning into beating dead horses. We have seen a couple of security breaches at CAs in the past. We have witnessed security researchers turning to SSL/TLS. Fairly recently researchers have put RSA keys to the test and found common prime factors in thousands of keys. Now we have a discussion about compliance. The Mozilla team has given CAs a stern warning sparked by the issue of a signing certificate by the Trustwave CA to a customer using a data loss prevention (DLP) device. According to a report the signing root certificate was used inside a Hardware Security Module for the purpose of dynamically creating fake certificates in order to inspect encrypted web traffic. While there was an audit at the customer’s site, this incident has sparked a heated

Read More

0112, 2011

Water Plants, Cyberwar, and Scenario Fulfillment

René Pfeiffer/ December 1, 2011/ High Entropy, Security, Stories

While we refuse to add a Cyberwar category to this blog, we want to explore this shady topic with a story. Do you recall the water plant hack a few weeks ago? According to news floating around in the Internet an US-American water plant in Illinois suffered from a security breach together with a failed water pump. Apparently attackers took the pump out by applying a well-tried IT technique called „Have you tried to turn it off and on again?“. So in theory this is a full-scale Cyberwar incident that puts all of our infrastructure at risk – plus you can add the magical acronym SCADA when talking about it, thus lowering the room temperature a few degrees and imposing the well-tried fear and awe effect on your audience. While industrial control systems remain

Read More

2210, 2011

Stealing Digital Assets with Knives

René Pfeiffer/ October 22, 2011/ Discussion, High Entropy

This article on the ElReg® web site caught my attention today. Police forces in England and Wales read the statistics stemming from crime reports more closely. They think to have found a correlation between the increase of robbery and robbery with knives and the demand for smartphones to sell on the black market. The stolen devices could now be in demand for the hardware (probably), the software (doubtful) or the identity information stored on them (what about this, then?). The protection level of personal data and identity information is quite low for most phone owners. Of course, there are „lies, damned lies and statistics“ and you have to be careful to draw conclusions from a quick glance of a news article. Then again correlations is what you are interested in when building your radar.

Read More

1110, 2011

0zapftis revisited – 0ktoberfest for Security Researchers

René Pfeiffer/ October 11, 2011/ High Entropy, Odd

The CCC analysis of the malicious software bought and used by the German government has put our blog schedule and RSS reading habits out of balance. Frankly our necks hurts because we constantly shake our heads since the PDF of the analysis was published. We have talked to journalists who showed interested in the design of the malware. It’s very hard not to go into rant or BOFH mode when talking about the design and the use of the trojan horse. You have to use quite some Zen skills to stay focused and to see what we have here. In fact the whole discovery and the avalanche of questions raining down on German officials marks a turning point for the significance of computer security. Furthermore it is a perfect example of all the problems

Read More

0409, 2011

Encrypted Communication with DeepSec

René Pfeiffer/ September 4, 2011/ Administrivia

For all of you who do not pay close attention to our contact section on our web site, we offer various way to communicate via encrypted messages. We have published two GPG keys, one for our role account (key 0x22860969)  and one for a person from our organisation team (key 0x6E4037AF). Use PGP/MIME format if possible (ASCII armour is so old school ☺). We have set up an e-mail forwarding service via privacybox.de. You can use a standard web form, a form suited for mobile clients and a form reachable via a TOR hidden service. While we have no idea how privacybox.de handle their own security, it’s a nice service. You can always double- or triple-encrypt if in doubt. When on IRC (channel #deepsec on irc.freenode.net, usually most active prior to and shortly after

Read More

2108, 2011

Cargo Cult Security

René Pfeiffer/ August 21, 2011/ High Entropy, Stories

Here is a fictional story for you that bears no resemblance to any living, dead, or undead persons whatsoever. Imagine someone who is interested in establishing and maintaining a „medium“ to „high“ level of security for his or her business data. This person is a power user and uses hard disk encryption, an encrypted file server, access to internal data by VPN and GPG/PGP for communication. So far, so good. Now for the bad news: untrusted devices without security software may also access internal resources and shiny new workstations run without anti-virus protection or firewalls. Questions regarding potential risks go unnoticed, suggestions to periodically check the security measures also disappear into the vast void of email. What is wrong with this picture? Well, given that all of this is purely fictional, someone you might

Read More

0708, 2011

Explaining Security to non-technical Audiences

René Pfeiffer/ August 7, 2011/ Discussion, Report

A few days ago we had the opportunity to present a review of vulnerabilities in mobile phone networks and typical attack vectors to a non-technical audience (we announced the event in a previous blog posting, the event language was German). The background of the attendees was a spectrum of social sciences, political sciences, different technical science (but not information science), governmental agencies (again non-technical) and journalists. We adapted the slides in order to reduce the complexity and the technical details. The reaction was positive, but most of the questions were aimed at how to defend against the risks. Thus our reduction only lasted until the QA section. If you really want to defend yourself, you have to deal with the details. If you don’t dive into the details, you can give superficial answers at

Read More

0506, 2011

Tips for Conference Speakers

René Pfeiffer/ June 5, 2011/ Discussion

We’ve been through four DeepSec conferences already, and MiKa and me have talked in person at other events. Given the feedback we received about past DeepSec speakers, the video recordings and our own experience, we’d like to give everyone who is thinking about submitting a talk some advise. It really doesn’t matter if you are going to speak at DeepSec (though we prefer this option) or anywhere else. If you have something to say, then make sure your message is delivered in an appropriate wrapping. Try to address your audience and make them listen to you. There are ways to do this, and most of them can be practised and learnt. Structure : Most talks have an outline of what the audience can expect. Take some extra time and think about the agenda. If

Read More

0805, 2011

Talks held at the Linuxwochen Wien

René Pfeiffer/ May 8, 2011/ Security, Veranstaltung

MiKa and me held three talks at the Linuxwochen Wien 2011. The scheduled talks were „VoIP Security“ and „The Wind Chill Factor of Security“. The third talk was a review of the trust models used with X.509 certificates and issued by certificate authorities. The review was a drop-in replacement talk for a speaker who did not show up. Since the talks were held in German, I’d like to present a short summary in our blog. VoIP has become a well-established technology in companies during the past years. Periodically we assess the security of VoIP protocols and implementations. The talk we gave was a review of the state-of-the-art focussing on SIP signalling and audio/video codecs. We discussed the basics, the SIP Digest Authentication Leak found by Sandro Gauci, SIP probes, the troubles of SIP gateway

Read More

1502, 2011

The Antivirus-Virus Conundrum

René Pfeiffer/ February 15, 2011/ Security

Last week the EU’s statistics office published statistical data about the state of anti-virus protection and virus infections. According to the figures nearly a third of Europe’s PCs carry some kind of malware. Although it is difficult to assess the accuracy or methods of studies, this figure is hardly surprising. Anyone who has ever dealt with filtering messages, web content or any other data entering the perimeter of your network knows about the positives and negatives, be them false or true. The problem starts with UBE/UCE (a.k.a. spam) filtering and continues right into the domain of malware. Just as their biological counterparts a computer malware, indiscriminately called virus, changes its shape and flavour. We had a talk from Joan Calvet about the Tripoux project. They analyse malware packers. If you have seen the branch

Read More