„Smart“ follows the footsteps of „cyber“. Everything is smart nowadays. The problem is that using smart in this context just means a combination of „Turing complete“ and „connected to the Internet“. That’s it. This is a pretty low barrier for calling something „smart“. t DeepSec 2015 Markus Niemietz held a presentation about the state of affairs concerning SmartTVs where security is concerned: One of the main characteristics of Smart TVs are apps. Apps extend the Smart TVs menu with various functionalities, ranging from usage of social networks or payed streaming services, to buying articles on Ebay. These actions demand usage of critical data like authentication tokens and passwords, and thus raise the question of new attack scenarios and the general security of Smart TV apps. We investigate attack models for Smart TVs and their
Even if you are not running a mainframe you probably have some old applications which you still need and whose code you cannot lift into the present (technology-wise). This is something you need to address. Despite decades of security research and authentication standards there’s still a vast amount of systems with custom solutions and embedded user databases. Such systems are typically hard to securely integrate with others. We analysed an existing system of an organisation with approximately 12.000 sensitive user data sets and uncovered severe vulnerabilities in their approach. We developed a minimal, secure Single-Sign-On-Solution and demonstrated the feasibility of implementing both a minimal Identity Provider and a minimal Service Provider with only a few lines of code. We provided a simple blueprint for an Identity Provider and an easy to use Service Provider
A lot of people use TOR for protecting themselves and others. Fortunately the TOR network is almost all around us. But what does it do? How can you get access to metrics? TOR is an anonymisation network and by design doesn’t know anything about its users. However, the question about the structure of the user base often arises. Some people are just interested in the size of the network while others want details about the diversity of its users and relays. Furthermore, TOR is used as a circumvention tool. It is interesting to automatically detect censorship events and to see how the number of users changes in those countries. TOR’s measurement team tries to give answer to those (and more) questions. At DeepSec 2015 Jens Kubieziel explained the collection of different data and how
XML is often the way to go when exchanging information between (business) entities. Since it is older than the widespread adoption of SSL/TLS, there is a special standard called XML Encryption Syntax and Processing. You can use XML encryption to encrypt any kind of data. So far, so good. But In recent years, XML Encryption became a target of several new attacks. These attacks belong to the family of adaptive chosen-ciphertext attacks, and allow an adversary to decrypt symmetric and asymmetric XML ciphertexts, without knowing the secret keys. In order to protect XML Encryption implementations, the World Wide Web Consortium (W3C) published an updated version of the standard. Juraj Somorovsky (Ruhr University Bochum) held a presentation at DeepSec 2015 explaining what these attacks look like. .
Wherever and whenever terrorism, „cyber“, and cryptography (i.e. mathematics) meet, then there is a lot of confusion. The Crypto Wars 2.0 are raging as you read this article. Cryptography is usually the perfect scapegoat for a failure in intelligence. What about the facts? At DeepSec 2015 Julie Gommes talked about results of the studies done by the Middle East Media Research Institute (MEMRI). The Internet is the method of choice for communication: the number of sites calling for a “jihad” rose from 28 in 1997 to over 5,000 in 2005. The basic use of these sites for the purpose of basic classical communication began in the 2000s. It was replaced by that of social networks, allowing almost instant mass communication. Julie’s talk give you an overview about the tools used according to the study.
Information security borrows a lot of tools from the analogue world. Keys, locks, bars, doors, walls, or simply jails (to use a combination). Most operating systems support isolation of applications in various levels. You may call it change root (or chroot) or even jails environment. The containment is not perfect, but it helps to separate applications and to have a better control of the access to resources. Breaking out of chroots is possible, and there are various ways to do this. So preparing a tight configuration is the key. At DeepSec 2015 Balazs Bucsay held a presentation about how to create a reasonably “secure” chroot environment or how to breakout from a misconfigured one. If you a considering to use chroots/jails as a way to build compartments, make sure you know what you are
Sometimes your endpoint is a server (or a couple thereof). Very often your server is a web server. A lot of interesting, dangerous, and odd code resides on web servers these days. In case you have ever security-tested web applications, you know that these beasts are full of surprises. Plus the servers get lots of requests, some trying to figure out where the weaknesses are. This is how web application firewalls (WAF) come into play. Firewalls have come a long way from inspecting layer 3/4 traffic up to all the peculiarities of layer 7 protocols. Once your firewall turns ALG and more, things get complicated. Since security researchers love complexity Ashar Javed has taken a look at WAF systems. Here is his presentation held at DeepSec 2015. He found 50 ways to bypass the
If you have no money but some time to spare, you should head over to the RuhrSec ticket shop and get yourself some freshly issued Early Bird tickets! Our friends in Bochum have a decent schedule for you. Inevitably the Internet of Things gets broken (again), you hear more about TLS v1.3, caches get a thorough Rowhammer beating, Eve pays a visit to your WebTRC talk, and more security wait for you. RuhSec takes place on 28 and 29 April 2016. The location is the Veranstaltungszentrum, Ruhr-Universität Bochum, Universitätsstraße 150, 44801 Bochum. Google has a map for you as well.
Application whitelisting is a method where you create a baseline selection of software on a system. You then freeze the state, and after this point any code not being part of your original „white list“ is considered dangerous and blocked from execution. In theory this should prevent the execution of malware and therefore protect against the pesky advanced persistent threat (APT) attacks everyone is talking about. What does this mean for your daily business? René Freingruber of SEC Consult talked about a case study at DeepSec 2015. This should save you some time and pain. Theory is not always the same when deployed in the field. René’s presentation even contains vendor names, so you can talk to the sales executive of your favourite brand of security products. This presentation is also a prime example
History, fictive or real, is full of situations where doubts meet claims. Nearly every invention, every product will be eyed critically, analysed, and tested. There are even whole magazines fully dedicated to this sport, be it for example, consumer protection, reviews of computer games or the car of the year. When it comes to testing the sector of information security is particularly sensitive. Depending on the hard- or software concerned, testing is not only about comfort or in search of a particularly good storyline, but about incidents, which can cause real damage in the real world. How should one deal with the knowledge of a design flaw affecting the security of a system? Locks In 1851 the American lock-smith Alfred Charles Hobbs visited the Great Exhibition in London. He was the first to pick
DeepSec 2015 Talk: Bridging the Air-Gap: Data Exfiltration from Air-Gap Networks – Mordechai Guri & Yisroel Mirsky
Air does not conduct electricity, usually. Using air gaps between parts transporting electric power by high voltages is a standard method in electrical engineering. Similar strategies are used in information security. Compartmentalisation can be done by network components, logical/physical separation, solid walls, and space filled with air. The only threat you have to worry about are wireless transmissions. Since mobile phone networks permeate our private and business life, access to wireless networks is everywhere. Unless you live in a cave, literally. Mordechai Guri and Yisroel Mirsky have found a way to use cellular frequencies as a carrier in order to transport data out of an air-gapped environment. They will present their results at DeepSec 2015. Air-gapped networks are isolated, separated both logically and physically from public networks. Although the feasibility of invading such systems
Last year we talked about publishing the proceedings of past DeepSec conferences with a collection of articles covering presentation held in Vienna. We like to introduce Parth Shukla, who presented a report of the devices compromised by the Carna Botnet. This article will showcase the latest analysis and the progress of industry collaboration on the problem of Internet facing devices that have default credential logins through telnet. The Carna Botnet, which was used to perform the first-ever map of the Internet – Internet Census 2012 – highlighted a major information security concern with devices that allow default credential login from the Internet by default. For more information on the Internet Census 2012, please refer to the anonymous researcher’s paper. A complete list of compromised devices that formed part of the Carna Botnet was obtained
Since information security experts don’t grow on trees, we maintain close relationships to academic partners. The science in computer science has to come from somewhere. So we are very happy to welcome the University of Applied Sciences Upper Austria among the supporters of DeepSec 2015. The University of Applied Sciences Upper Austria is a national leader in its field. They offer internationally recognised, practice-oriented degree programmes at four locations in the heart of Upper Austria. As part of their commitment to developing international links, they maintain contacts with some 200 partner universities around the world. How’s that for an open mind? One of their major focuses is the national economy, and their research and development centres are continually developing cutting edge products for a wide range of practical applications. This solid combination of theory and
DeepSec 2015 Talk: Extending a Legacy Platform Providing a Minimalistic, Secure Single-Sign-On-Library – Bernhard Göschlberger & Sebastian Göttfert
Upgrading existing infrastructure and migrating from one architecture to another is often the way to keep your information technology up-to-date. Changing major revisions of software is not for the faint of heart. Many sysadmins sacrificed a good portion of their life force just to jump to the next version. Sometimes you are simply stuck. Code is not always maintained. Products might be obsolete. Developers might have abandoned the project. However the application is still in place and keeps on working. When changes hit this kind of environment, you can’t decline the challenge. Meet the legacy systems that will ruin your day. Bernhard Göschlberger and Sebastian Göttfert have spent thoughts on this problem. They will tell you all about it in their presentation at DeepSec 2015. Well elaborated principles of software engineering foster interoperability between
Encryption is great. Once you have a secret key and an algorithm, you can safeguard your information. The trouble starts when you communicate. You have to share something. And you need to invest trust. This is easy if you have a common agenda. If things diverge, you need something else. Thomas Maus will explain in his talk cryptographic methods that can help you dealing with this problem. Meet Alice and Bob, who might not be friends at all. Workflows with segregation-of-duty requirements or involving multiple parties with non-aligned interests (typically mutually distrustful) pose interesting challenges in often neglected security dimensions. Cryptographic approaches are presented to technically enforce strict auditability, traceability and multi-party-authorized access control and thus, also enable exoneration from allegations. These ideas are illustrated by challenging examples – constructing various checks and balances for telecommunications data retention, a vividly discussed