Murder Board Blog Series: Chapter 4 – Trojan Horses or: State Hacking

Sanna/ May 17, 2021/ Internet, Security, Stories

Feeding Pigeons in the Park—Espionage Knowledge is power. Knowing nothing makes one envious when looking at the model of modern information societies. The natural application of networks that transport information is espionage. So the Internet early made acquaintance with it. The aspect of smuggling messages in and out of an area is obvious. It also involves breaking through security measures to gain access to protected information. Whereby large parts of our own information are much less protected than we would like or even be aware of. The e-mails mentioned above are always in plain text and therefore are visible to everyone. An unknown number of third parties read them on the way from sender to recipient and assess this information. And all the information we have in accounts on US platforms (photos, more or

Read More

Murder Board Blog Series: Chapter 3 – Serial Hackers: Organized Crime or Grand Theft Data

Sanna/ May 7, 2021/ Internet, Security, Stories

Motivations and Motifs of the “Cosa Data” Elevate data to a valuable commodity and it gets automatically traded, hoarded, stolen and counterfeited. We can use digital processes both legally and illegally, just like the economy in the physical world. However, cyber crime is about much more than data. Accounts with certain privileges also represent value because they act as a multiplier. For example, a simple e-mail account with stored contacts (address book or even the contact data in existing e-mails). This has several properties at once: Identity, trust and an archive of messages. The archive can be searched directly for valuable data. The identity can be used for fraud with the help of the trust of the contacts to get further access to more accounts and data. Motivation is—on balance—always something like a benefit

Read More

Murder Blog Series: Chapter 2 – Investigations

Sanna/ April 30, 2021/ Stories

Letters as Windows to the World When young people discover the world, they are often happy to receive mail. Who doesn’t like it when others think of you? Once the love letters from the crush have undergone the metamorphosis into heartless letters with windows, we realize: Money rules their content, just like in this story. Leon has a habit. When walking back from the mailbox, he likes to feel the meaning of the contents of letters with his fingers. Here, it’s the letter from the credit card bill. And it has grown to several meaty millimeters. Leon hopes for a change in the terms and conditions. However, after opening it, it turns out that, unfortunately; it is a list of payments. He can barely remember the individual items. There are just too many—and most

Read More

Murder Board Blog Series: Prequel

Sanna/ April 16, 2021/ Security, Stories

[This is the first part of a five-part article series describing analogies between the world of IT security and research in other fields. Analogies are often used to deflect and conceal missing arguments. Didactics uses analogies as a powerful tool to explore your own understanding and to help you use your knowledge from other fields. Please use the articles of the Murderboard series (our name for the five-part article) for educating IT-affine people about information security. It’s never bad to have allies who understand what to look for in time of trouble.] It was a warm summer day when I got a call from an acquaintance who wanted to hire me for data protection coaching with one of his clients. Besides crime writing, I also work in data protection, helping self-employed people and small

Read More

Translated Press Release: Systemic Errors as Vulnerabilities – Backdoors and Trojan Horses

René Pfeiffer/ October 9, 2018/ Conference, Discussion, Press, Security

DeepSec and Privacy Week highlight consequences of backdoors in IT Vienna (pts009/09.10.2018/09:15) – Ever since the first messages were sent, people try to intercept them. Today, our modern communication society writes more small, digital notes than one can read along. Everything is protected with methods of mathematics – encryption is omnipresent on the Internet. The state of security technology is the so-called end-to-end encryption, where only the communication partners have access to the conversation content or messages. Third parties can not read along, regardless of the situation. The introduction of this technology has led to a battle between security researchers, privacy advocates and investigators. Kick down doors with Horses In end-to-end encryption the keys to the messages, as well as the content itself, remain on the terminal devices involved in the conversation. This is

Read More

DeepSec 2018 Talk: Security as a Community Healthcare: Helping Small Non-Profit Organisations Stay Secure – Eva Blum-Dumontet

Sanna/ October 2, 2018/ Conference, Security

This talk will look at the way Privacy International has relied on its experience from working with a network of small NGOs across the Global South to shape its approach to security and develop Thornsec, an automated way to deploy, test, and audit internal and external services for an organisation. Privacy International works with a network of over twenty organisations located in Latin America, Africa, Asia and the Middle-East. Together we research and document threats and abuses to privacy from governments and corporations and advocate for better privacy protection both from a technological and a legal standpoint. Being at the forefront of the fight against surveillance means that the partners of privacy International are sometimes exposed to oppressive political regimes. They experience a wide range of threats from office burglary, physical surveillance by intelligence

Read More

DeepSec 2018 Talk: IoD – Internet of Dildos, a Long Way to a Vibrant Future – Werner Schober

René Pfeiffer/ September 26, 2018/ Conference, Internet, Security

The Internet of Things has grown. Interconnected devices have now their own search engine. Besides power plants, air conditioning systems, smart (or not so smart) TV sets, refrigerators, and other devices there are a lot smaller and more personal things connected to the Internet. Your smartphone includes a lot of personal conversations, most probably pictures, sound recordings, and a treasure trove of data for profiling. Let’s get more personal. Let’s talk about teledildonics. Teledildonics is the art and technology of remote sex. Call it cybersex (apologies to William Gibson), cyberdildonics (again, sorry, Mr Gibson), or whatever you like. It’s been around for a long time, think decades. The term was used in 1975 by Ted Nelson in his book Computer Lib/Dream Machines. It even has its own conference, called Arse Elektronika (which was first

Read More

Whatever happened to CipherSaber?

René Pfeiffer/ September 11, 2018/ High Entropy

Some of you still know how a modem sounds. Back in the days of 14400 baud strong encryption was rare. Compression was king. Every bit counted. And you had to protect yourself. This is where CipherSaber comes into play. Given the exclusive use of strong cryptographic algorithms by government authorities, the CipherSaber algorithm was meant to be easy enough to be memorised, and yet strong enough to protect messages from being intercepted in clear. It is based on the RC4 algorithm. According to the designer CipherSaber can be implemented in a few lines of code. Basically you have crypto to go which cannot be erased from the minds of the public, because it is readily available. That’s where the name came from. It is modelled after the light sabers found in the Star Wars

Read More

DeepSec 2018 Talk: Who Watches the Watcher? Detecting Hypervisor Introspection from Unprivileged Guests – Tomasz Tuzel

Sanna/ September 3, 2018/ Conference, Development, Security

Over the last decade we have seen a rapid rise in virtualization-based tools in which a hypervisor is used to gain insight into the runtime execution of a system. With these advances in introspection techniques, it is no longer a question of whether a hypervisor can be used to peek inside or even manipulate the VMs it executes. Thus, how can we trust that a hypervisor deployed by a cloud provider will respect the privacy of their customers? While there are hardware-based protection mechanisms with the goal of guaranteeing data privacy even in the presence of such an “introspecting” hypervisor, there are currently no tools that can check whether the hypervisor is introspecting when it shouldn’t. We have developed a software package that analyzes instructions and memory accesses on an unprivileged guest system which

Read More

DeepSec and Tor Tickets – Update

René Pfeiffer/ August 24, 2018/ High Entropy, Internet

We wrote about the German Tor operator relay organisation Zwiebelfreunde e.V. a while ago. They were raided on 20 June 2018 by the German police in five different locations. The police was investigating a German left-wing blog and was trying to find the author of articles published there. As many of you know, Tor exit relay operators are the last hop in a chain of communication channels, so the origin of the operator’s servers can be seen. However Tor exit relays bear to relation to the real origin of the transmission. This is the essence of the Tor anonymity network. Zwiebelfreunde e.V. is a non-profit organisation that runs Tor nodes for anyone donating money (realised by the Torservers.net project). Their nodes have a combined bandwidth of 5000 Mbit/s. They know what they are doing,

Read More

DeepSec Video: The German Data Privacy Laws and IT Security

René Pfeiffer/ January 27, 2016/ Conference, Discussion, Legal, Schedule

Data protection and information security are often seen as different species. Why? Where is the difference between protection, defence, security, and offence? There are a lot of relations between the terms. Stefan Schumacher (Magdeburger Institut für Sicherheitsforschung) gave a presentation at DeepSec 2015 on how to link privacy with security: „Hesse introduced the first data privacy law in the world in 1970. Since then, the German data privacy laws evolved over time and led to the creations of several tools and methods to protect private data. Though it is aimed at data protection it can be utilized for IT security. This talk introduces the data privacy law and it’s main ideas. This presentation will also show how it can be used to further IT security especially in the SME sector. This mostly refers to

Read More

DeepSec 2013 Video: Prism Break – The Value Of Online Identities

René Pfeiffer/ February 21, 2014/ Conference, Internet

Everything you do online creates a stream of data. Given the right infrastructure this data trails can be mined to get a profile of who you are, what you do, what your opinions are and what you like or do not like. Online profiles have become a highly desirable good which can be traded and used for business advantages (by advertising or other means). In turn these profiles have become a target for theft and fraud as well. In the digital world everything of value gets attacked eventually. Time for you to learn more about it. In his talk at DeepSec 2013 Frank Ackermann explained the value of online identities. We recommend his presentation, because it illustrates in an easily comprehensible way the value of online identities in our modern Internet relying society. It

Read More

DeepSec 2013 Talk: Uncovering your Trails – Privacy issues of Bluetooth Devices

René Pfeiffer/ October 30, 2013/ Conference, Security

Bluetooth has been around for a while. Hackers and security researchers (such as trifinite.org and others) immediately investigated the weaknesses of protocol and implementations – The specifications have evolved, but so has the proliferation of Bluetooth-capable devices. Smartphones, dumb phones, computers, bulletin boards, media players, tablets, game consoles, headsets, and many more support Bluetooth wireless communication. Even though bugs of the past were fixed, the widespread capabilities of devices allow for a lot of creative use by adversaries. At DeepSec 2013 Verónica Valeros and Garcia Sebastian will give you an update about Bluetooth hacking and your exposure to attackers. When we think about our own privacy, we usually think of our private data, passwords, personal stuff, web pages we have accessed or phone calls we have made. Information about our behaviour in real life (where

Read More

How to defend against “Cyber” Espionage

René Pfeiffer/ June 6, 2013/ Discussion, Security

When it comes to defence and protection, don’t forget how your organisation treats data. The mindset plays an important role. This can be illustrated by a simple correlation. Organizations which take the protection of data privacy seriously have an edge when it comes to implementing IT security measures. We talked about this relation in an interview with ORF journalist Erich Moechel (article is in German, Google translation). The findings are not surprising. Auditors and penetration testers can tell if your IT staff takes the role of protecting digital assets seriously. The correlation is easily explained : Once you establish data protection guidelines, you also create a motivation to implement defensive procedures and measures against intrusion. Directly linking operational aspects to a reason makes sure that everyone understands why defence is important. Bear in mind

Read More