Translated Press Release: Systemic Errors as Vulnerabilities – Backdoors and Trojan Horses

René Pfeiffer/ October 9, 2018/ Conference, Discussion, Press, Security

DeepSec and Privacy Week highlight consequences of backdoors in IT Vienna (pts009/09.10.2018/09:15) – Ever since the first messages were sent, people try to intercept them. Today, our modern communication society writes more small, digital notes than one can read along. Everything is protected with methods of mathematics – encryption is omnipresent on the Internet. The state of security technology is the so-called end-to-end encryption, where only the communication partners have access to the conversation content or messages. Third parties can not read along, regardless of the situation. The introduction of this technology has led to a battle between security researchers, privacy advocates and investigators. Kick down doors with Horses In end-to-end encryption the keys to the messages, as well as the content itself, remain on the terminal devices involved in the conversation. This is

Read More

DeepSec 2018 Talk: Security as a Community Healthcare: Helping Small Non-Profit Organisations Stay Secure – Eva Blum-Dumontet

Sanna/ October 2, 2018/ Conference, Security

This talk will look at the way Privacy International has relied on its experience from working with a network of small NGOs across the Global South to shape its approach to security and develop Thornsec, an automated way to deploy, test, and audit internal and external services for an organisation. Privacy International works with a network of over twenty organisations located in Latin America, Africa, Asia and the Middle-East. Together we research and document threats and abuses to privacy from governments and corporations and advocate for better privacy protection both from a technological and a legal standpoint. Being at the forefront of the fight against surveillance means that the partners of privacy International are sometimes exposed to oppressive political regimes. They experience a wide range of threats from office burglary, physical surveillance by intelligence

Read More

DeepSec 2018 Talk: IoD – Internet of Dildos, a Long Way to a Vibrant Future – Werner Schober

René Pfeiffer/ September 26, 2018/ Conference, Internet, Security

The Internet of Things has grown. Interconnected devices have now their own search engine. Besides power plants, air conditioning systems, smart (or not so smart) TV sets, refrigerators, and other devices there are a lot smaller and more personal things connected to the Internet. Your smartphone includes a lot of personal conversations, most probably pictures, sound recordings, and a treasure trove of data for profiling. Let’s get more personal. Let’s talk about teledildonics. Teledildonics is the art and technology of remote sex. Call it cybersex (apologies to William Gibson), cyberdildonics (again, sorry, Mr Gibson), or whatever you like. It’s been around for a long time, think decades. The term was used in 1975 by Ted Nelson in his book Computer Lib/Dream Machines. It even has its own conference, called Arse Elektronika (which was first

Read More

Whatever happened to CipherSaber?

René Pfeiffer/ September 11, 2018/ High Entropy

Some of you still know how a modem sounds. Back in the days of 14400 baud strong encryption was rare. Compression was king. Every bit counted. And you had to protect yourself. This is where CipherSaber comes into play. Given the exclusive use of strong cryptographic algorithms by government authorities, the CipherSaber algorithm was meant to be easy enough to be memorised, and yet strong enough to protect messages from being intercepted in clear. It is based on the RC4 algorithm. According to the designer CipherSaber can be implemented in a few lines of code. Basically you have crypto to go which cannot be erased from the minds of the public, because it is readily available. That’s where the name came from. It is modelled after the light sabers found in the Star Wars

Read More

DeepSec 2018 Talk: Who Watches the Watcher? Detecting Hypervisor Introspection from Unprivileged Guests – Tomasz Tuzel

Sanna/ September 3, 2018/ Conference, Development, Security

Over the last decade we have seen a rapid rise in virtualization-based tools in which a hypervisor is used to gain insight into the runtime execution of a system. With these advances in introspection techniques, it is no longer a question of whether a hypervisor can be used to peek inside or even manipulate the VMs it executes. Thus, how can we trust that a hypervisor deployed by a cloud provider will respect the privacy of their customers? While there are hardware-based protection mechanisms with the goal of guaranteeing data privacy even in the presence of such an “introspecting” hypervisor, there are currently no tools that can check whether the hypervisor is introspecting when it shouldn’t. We have developed a software package that analyzes instructions and memory accesses on an unprivileged guest system which

Read More

DeepSec and Tor Tickets – Update

René Pfeiffer/ August 24, 2018/ High Entropy, Internet

We wrote about the German Tor operator relay organisation Zwiebelfreunde e.V. a while ago. They were raided on 20 June 2018 by the German police in five different locations. The police was investigating a German left-wing blog and was trying to find the author of articles published there. As many of you know, Tor exit relay operators are the last hop in a chain of communication channels, so the origin of the operator’s servers can be seen. However Tor exit relays bear to relation to the real origin of the transmission. This is the essence of the Tor anonymity network. Zwiebelfreunde e.V. is a non-profit organisation that runs Tor nodes for anyone donating money (realised by the Torservers.net project). Their nodes have a combined bandwidth of 5000 Mbit/s. They know what they are doing,

Read More

DeepSec Video: The German Data Privacy Laws and IT Security

René Pfeiffer/ January 27, 2016/ Conference, Discussion, Legal, Schedule

Data protection and information security are often seen as different species. Why? Where is the difference between protection, defence, security, and offence? There are a lot of relations between the terms. Stefan Schumacher (Magdeburger Institut für Sicherheitsforschung) gave a presentation at DeepSec 2015 on how to link privacy with security: „Hesse introduced the first data privacy law in the world in 1970. Since then, the German data privacy laws evolved over time and led to the creations of several tools and methods to protect private data. Though it is aimed at data protection it can be utilized for IT security. This talk introduces the data privacy law and it’s main ideas. This presentation will also show how it can be used to further IT security especially in the SME sector. This mostly refers to

Read More

DeepSec 2013 Video: Prism Break – The Value Of Online Identities

René Pfeiffer/ February 21, 2014/ Conference, Internet

Everything you do online creates a stream of data. Given the right infrastructure this data trails can be mined to get a profile of who you are, what you do, what your opinions are and what you like or do not like. Online profiles have become a highly desirable good which can be traded and used for business advantages (by advertising or other means). In turn these profiles have become a target for theft and fraud as well. In the digital world everything of value gets attacked eventually. Time for you to learn more about it. In his talk at DeepSec 2013 Frank Ackermann explained the value of online identities. We recommend his presentation, because it illustrates in an easily comprehensible way the value of online identities in our modern Internet relying society. It

Read More

DeepSec 2013 Talk: Uncovering your Trails – Privacy issues of Bluetooth Devices

René Pfeiffer/ October 30, 2013/ Conference, Security

Bluetooth has been around for a while. Hackers and security researchers (such as trifinite.org and others) immediately investigated the weaknesses of protocol and implementations – The specifications have evolved, but so has the proliferation of Bluetooth-capable devices. Smartphones, dumb phones, computers, bulletin boards, media players, tablets, game consoles, headsets, and many more support Bluetooth wireless communication. Even though bugs of the past were fixed, the widespread capabilities of devices allow for a lot of creative use by adversaries. At DeepSec 2013 Verónica Valeros and Garcia Sebastian will give you an update about Bluetooth hacking and your exposure to attackers. When we think about our own privacy, we usually think of our private data, passwords, personal stuff, web pages we have accessed or phone calls we have made. Information about our behaviour in real life (where

Read More

How to defend against “Cyber” Espionage

René Pfeiffer/ June 6, 2013/ Discussion, Security

When it comes to defence and protection, don’t forget how your organisation treats data. The mindset plays an important role. This can be illustrated by a simple correlation. Organizations which take the protection of data privacy seriously have an edge when it comes to implementing IT security measures. We talked about this relation in an interview with ORF journalist Erich Moechel (article is in German, Google translation). The findings are not surprising. Auditors and penetration testers can tell if your IT staff takes the role of protecting digital assets seriously. The correlation is easily explained : Once you establish data protection guidelines, you also create a motivation to implement defensive procedures and measures against intrusion. Directly linking operational aspects to a reason makes sure that everyone understands why defence is important. Bear in mind

Read More

The Internet: Agora or Boudoir?

Mika/ June 10, 2012/ Discussion, Internet

Some people believe the Internet is like the Agora of ancient Greek cities where everybody meets and everything happens in public and open sight while others regard it is as their boudoir where they can pursue their private business without anyone peeping through the keyhole. The challenge is that the Internet is both and this calls for rules, which will satisfy both expectations. If you didn’t guess it already: I’m talking about telecommunications data retention and the recent act in the European Union which requires service providers to log details about communications on the Internet and retain the data for a minimum of six months. But why do I bring up this topic? Because I believe this discussion affects the security and privacy (also known as confidentiality) of organizations and private persons. The European

Read More

Mobile Phone Calls as Security Risk

René Pfeiffer/ October 13, 2011/ Conference, Security

Do you rely on your mobile phone? Do you frequently call someone or get called? Do you transmit messages or data across mobile phone networks? Maybe you shouldn’t unless you use additional security layers since mobile phone networks must be regarded as a security risk. Karsten Nohl of Security Research Labs has taken a look at Austrian mobile networks. The result is a wake-up call for companies and individuals alike. According to Nohl the local Austrian providers A1/Mobilkom, T-Mobile Österreich und Orange have not updated their networks as other operators in Europe have already. He explained that there is no sign of any additional hardening. The transmissions of mobile phone network clients can be intercepted and decrypted with very little technical effort. The networks still use the A5/1 encryption standard which has been repeatedly

Read More

Talk: Why the Software we use is designed to violate our Privacy

René Pfeiffer/ September 29, 2011/ Conference

Most of us are used to take advantage of  the fruits of the Web 2.0. There is web e-mail, online backups, social networking, blogs, media sharing portals (for audio/video), games, instant messaging and more – available for private and corporate users. A lot of sites offer their services for free (meaning without charging anything), thus increasing the number of accounts created. Nevertheless you pay something. You are being mined for information and data. Some of these products collect our data directly. In such cases, the exchange of user data for free services is well known, at least to many savvy users. However, many other products do not collect our private data. Instead, they quietly facilitate and enable data collection by other parties. It all depends on the business model. Of course most portals and

Read More

Discussion about Data Protection and the Game Industry at GamesCon

René Pfeiffer/ August 20, 2011/ Report, Security

The GamesCon is taking place in Cologne. We were present at the first day in order to participate in a discussion about data protection in online games. Discussion partners were Konstantin Ewald, a lawyer and blogger (Online. Spiele. Recht) and Ulrich Lepper, North Rhine-Westphalia’s Commissioner for Data Protection and Freedom of Information. Online gaming is tied to user accounts and personal data. It is linked with targeted advertising. Since the Sownage series of attacks the issue has arrived in the mainstream media. There is no need to name Sony or any other company as a culprit, or to shift the blame around. Just as web applications, the world of online games is complex by itself. Hardening your infrastructure is fine, but this is only a part of the story. There are other components such

Read More