Your infrastructure is full of endpoints. Did you know that? You even have endpoints if you use your employees’ devices (BYOD!) or the „Cloud“ (YMMV!). Can’t escape them. Since the bad girls and guys knows this, they will attack these weak points first. How are your endpoints (a.k.a. clients in the old days) protected? In case you use software to protect these vulnerable systems, then you should attend Matthias Deeg’s talk. He will show you the art of Deactivating Endpoint Protection Software in an Unauthorized Manner: Endpoint protection software such as anti-virus or firewall software often have a password protection in order to restrict access to a management console for changing settings or deactivating protection features to authorized users only. Sometimes the protection can only be deactivated temporarily for a few minutes, sometimes it
Take advantage of our Call for Papers! We can’t believe that all the devices, networks, services, and shiny things around us are completely secure. Once it got Wi-Fi, a SIM card, memory, or a processor there is bound to be an accident. It’s not just hunting rifles, jeeps, currencies, experts, and airplanes that can be hacked. There is more. Tell us! Don’t let the IT crowd of today repeat the mistakes of our ancestors. Submit a two-day training and help to save some souls! We are especially interested in secure application development, intrusion detection/prevention, penetration testing, crypto & secure communication, mobiles devices, the Internet of Things, security intelligence, wireless hacking (Wi-Fi, mobile networks, …), forensics, and your workshop that really knocks the socks off our attendees! Drop your training submission into our CfP manager!
What is your first impulse when you see a fence? Well, we can’t speak for you, but we like to look for weak spots, holes, and ways to climb it. The same is true for filters of all kinds. Let’s see what one can do to bypass them. Anti-virus software is a good example. At DeepSec 2014 Daniel Sauder explained how malware filters/detectors fail. Daniel was kind to provide an article for the special edition „In Depth Security – Proceedings of the DeepSec Conferences“: „Based on my work about antivirus evasion techniques, I started using antivirus evasion techniques for testing the effectivity of antivirus engines. I researched the internal functionality of antivirus products, especially the implementation of heuristics by sandboxing and emulation and succeeded in evasion of these. A result of my research are
Once you live in the Cloud, you shouldn’t spent your time daydreaming about information security. Don’t cloud the future of your data. The Magdeburger Journal zur Sicherheitsforschung published a new article by Armin Simma (who talked about this topic at DeepSec 2014). The Paper titled »Trusting Your Cloud Provider: Protecting Private Virtual Machines« discusses an integrated solution that allows cloud customers to increase their trust into the cloud provider including cloud insiders. This article proposes an integrated solution that allows cloud customers to increase their trust into the cloud provider including cloud insiders (e.g. administrators). It is based on Mandatory Access Control and Trusted Computing technologies, namely Measured Boot, Attestation and Sealing. It gives customers strong guarantees about the provider’s host system and binds encrypted virtual machines to the previously attested host. This article
Internet Protocol version 6 (IPv6) is not new. Its history goes back to 1992 when several proposals for expanding the address scheme of the Internet were discussed (then know by the name of IP Next Generation or IPng). A lot has happened since RFC 1883 has been published in 1996. Due to the deployment of IPv6 we see now implications for information security. Several vulnerabilities in the protocol suite have already been discussed. DeepSec 2014 features a whole training session and three presentations about the future protocol of the Internet. First Johanna Ullrich talked about a publication called IPv6 Security: Attacks and Countermeasures in a Nutshell. The paper gives you a very good view on the state of affairs regarding security and privacy weaknesses. It is strongly recommended for anyone dealing with the deployment
The DeepSec 2014 schedule features a presentation about (hidden) hypervisors in server BIOS environments. The research is based on a Russian analysis of a Malicious BIOS Loaded Hypervisor (conducted between 2007 and 2010) and studies published by the University of Michigan in 2005/2006 as well as 2012/2013. The latter publications discuss the capabilities of a Virtual-Machine Based Rootkits and Intelligent Platform Management Interface (IPMI) / Baseboard Management Controller (BMC) vulnerabilities. Out-of-band management is sensitive to attacks when not properly protected. In the case of IPMI and BMC the management components also play a role on the system itself since they can access the server hardware, being capable to control system resources. Combining out-of-band components with a hypervisor offers ways to watch any operating system running on the server hardware. Or worse. It’s definitely something
In cooperation with the Magdeburger Institut für Sicherheitsforschung (MIS) we publish selected articles covering topics of past DeepSec conferences. The publication offers an in-depth description which extend the conference presentation and includes a follow-up with updated information. Latest addition is Marco Lancini’s article titled Social Authentication: Vulnerabilities, Mitigations, and Redesign. High-value services have introduced two-factor authentication to prevent adversaries from compromising accounts using stolen credentials. Facebook has recently released a two-factor authentication mechanism, referred to as Social Authentication (SA). We designed and implemented an automated system able to break the SA, to demonstrate the feasibility of carrying out large-scale attacks against social authentication with minimal effort on behalf of an attacker. We then revisited the SA concept and propose reSA, a two-factor authentication scheme that can be easily solved by humans but is robust
Backdoors are devious. Usually you have to look for them since someone has hidden or „forgotten“ them. Plus backdoors are very fashionable these days. You should definitely get one or more. Software is (very) easy to inspect for any rear entrances. Even if you don’t have access to the source code, you can deconstruct the bytes and eventually look for suspicious parts of the code. When it comes to hardware, things might get complicated. Accessing code stored in hardware can be complex. Besides it isn’t always clear which one of the little black chips holds the real code you are looking for. Since all of our devices we use every days runs on little black chips (the colour doesn’t matter, really), everyone with trust issues should make sure that control of these devices is
Do you get a lot of email? Do customers and business partners send you documents? Do you talk to people on the phone? Then you might be interested in an assessment of your vulnerability by social interactions. We are proud to host a presentation by Enrico Frumento of CEFRIEL covering this topic. As anyone probably knows nowadays spear-phishing is probably the most effective threat, and it is often used as a first step of most sophisticated attacks. Even recent JP Morgan Chase’s latest data breach seems to be originated by a single employee (just one was enough!) who was targeted by a contextualized mail. Into this new scenario it is hence of paramount importance to consider the human factor into companies’ risk analysis. However, is any company potentially vulnerable to these kind attacks? How
Botnets serve a variety of purposes. Usually they are used to send unsolicited e-mail messages (a.k.a. spam), attack targets by sending crafted data packets, or to perform similar activities. The Carna Botnet was created by an anonymous researcher to scan the IPv4 Internet. The creator called the botnet the Internet Census of 2012. The nodes of the botnet consist of virtually unsecured IPv4 devices – modems and other network equipment. Point of entry where mostly Telnet management interfaces exposed to the Internet. Analysing the devices that were part of the Carna Botnet is well worth the effort. This is why we invited Parth Shukla (Australian Computer Emergency Response Team, AusCERT) to present his findings about the Carna Botnet at DeepSec 2013. „A complete list of compromised devices that formed part of the Carna Botnet
Hey, you! Yes, you there! Want to get root on thousands of computers at once? We know you do! Who wouldn’t? Then take a good look at supercomputers. They are not a monolithic and mysterious as Wintermute. Modern architecture links thousands of nodes together. Your typical supercomputer of today consists of a monoculture of systems running the same software. If you manage to break into one node, the chances are good that you have access to all nodes. That’s pretty neat. At DeepSec 2013 John Fitzpatrick and Luke Jennings of MWR InfoSecurity talked about their tests with supercomputers. Their presentation covers the research and demonstrates some of the most interesting and significant vulnerabilities they have uncovered so far. They also demonstrated exploits and previously undocumented attack techniques live so you can see how to
Once you set up alarm systems, you will have to deal with false alarms. This is true for your whole infrastructure, be it digital or otherwise. When it comes to intrusion detection systems (IDS) you will have to deal with false positives. Since you want to be notified of any anomalies, you cannot ignore alarms. Investigating false alarms creates costs and forces you to divert efforts from other tasks of your IT infrastructure. In turn attackers can use false positives against you, if they know how to trigger them and use them in heaps. Where do you draw the line? In his presentation at DeepSec 2013 Gavin ‘Jac0byterebel’ Ewan (of Alba13 Research Labs) introduced an interesting approach to deal with false positives: „…Taking false positive figures from a number of real business entities ranging
Modern technology expands into various areas of our lives all by its own. Medical facilities also use networks and networked devices. This makes sense since monitoring vital signs creates data you want to transport to your staff. Regardless of the technology used, once you expose the device to the outside world it needs to be hardened against tampering and abuse. The U.S. Food and Drug Administration (FDA) is aware of this issue and has published a recommendation regarding the security of medical devices. „…manufacturers and health care facilities take steps to assure that appropriate safeguards are in place to reduce the risk of failure due to cyberattack, which could be initiated by the introduction of malware into the medical equipment or unauthorized access to configuration settings in medical devices and hospital networks…” At DeepSec
The DeepSec 2013 keynote presentation featured the cultural background of China in order to better understand the news about impending „cyber doom“. The past year has shown that you need a lot more than hands-on information security if you want to make sense of incidents. Next to history and culture there is psychology. In his talk at DeepSec 2013 Stefan Schumacher make a good case for combining psychology and the scientific approach with topics of information security. Watch his talk online!
Defending one’s own resources against malicious software is daily business for information security professionals. Usually you deploy a range of measures and try to minimise the risk. It may or may not work, depending if you have to fear the mysterious Advanced Persistent Threat (APT). APTs are highly targeted, very stealthy and can greatly impact your security in terms of damage and level of compromise. Their stealth aspect makes them hard to detect and hard to counter. Tom Ueltschi from the Swiss Post has gained experience with these kind of attacks. This is why he will share his insights at DeepSec 2013. His talk is titled My Name Is Hunter, Ponmocup Hunter. Ponmocup is a strain of malicious software which forms its own botnet. It is known by a couple of names, depending on