1710, 2011

Talk: Behavioral Security: 10 steps forward 5 steps backward

René Pfeiffer/ October 17, 2011/ Conference

How do you distinguish good from evil? Have you ever asked yourself this question? In order to avoid diving into philosophy let’s translate evil to harmful and good to harmless. What’s your strategy to find out if something is harmful or harmless? When it comes to food maybe you try a small bit and gradually increase the dose. This strategy fails for software since you cannot install a bit of code and install more if everything looks ok. Analysing the behaviour is the next analogy in line. Behavioural analysis is well-known to anthropologists, psychologists and most human resources departments. Does is work for code, too? If you look at your security tools you will probably find tools that use a rule-based approach; then there are signatures and some tools offer to detect/decide based on

1610, 2011

Talk: Extending Scapy by a GSM Air Interface

René Pfeiffer/ October 16, 2011/ Conference

Scapy is the „Swiss Army tool“ among security software. Scapy is a powerful interactive packet manipulation program. It is used for scanning, probing, testing software implementations, tracing network packets, network discovery, injecting frames, and other tasks. So it’s a security power tool useful for a lot of tasks in security research. Wouldn’t it be nice to add some capabilities on layer 3 of the Global System for Mobile Communications (GSM) protocol? This layer covers the UM interface that connects mobile network clients over the air interface to the base stations. Capturing packets on this link alone would be a great benefit to security researchers. Laurent ‘kabel’ Weber of the Ruhr-Universität Bochum will talk about „Extending Scapy by a GSM Air Interface and Validating the Implementation Using Novel Attacks“ at DeepSec 2011. Laurent’s talk describes the enhancement

1410, 2011

Talk: Design and Implementation of a Secure Encryption-Layer for Skype Voice-Calls

René Pfeiffer/ October 14, 2011/ Conference

You probably use communication tools that transport the voice/messaging data over the Internet. We’re not speaking about e-mail, but about recent software of the information age – Skype. Skype is widely used for audio/video chats around the world. Its security is shrouded in proprietary mystery and many urban legends exist. In 2006 Philippe Biondi and Fabrice Desclaux analysed the Skype network and its security in their talk „Silver Needle in the Skype“. Since end users can neither create their own cryptographic keys nor see the ones that are actually used, the network has always the capability of eavesdropping on calls. It is not clear if this capability is used or abused at all, but the risk is present. As with eavesdropping in mobile phone networks the communication partners will be totally oblivious, and neither

1010, 2011

Talk: Identity X.0 – Securing the Insecure

René Pfeiffer/ October 10, 2011/ Conference

Identities are important. You might already know this, but in the times of heavily meshed web applications and users moving between different web sites keeping track of a client’s identity can be difficult. Moreover it’s not just about identities but also about transporting account/user attributes by various protocols and standards between various applications. You might remember Microsoft Wallet/Passport which is now Windows Live ID. OpenID defines an open standard about authenticating an user by using a decentralized architecture. OAuth is another open standard, handling authorization and it is widely used by small and large organizations such as Yahoo! and Twitter. So where’s the security? How resilient are these protocols against attacks? Khash Kiani will address these questions in his presentation titled Identity X.0 – Securing the Insecure. His talk focuses on some of these

0610, 2011

Talk: Armageddon Redux – The Changing Face of the Infocalypse

René Pfeiffer/ October 6, 2011/ Conference, High Entropy

DeepSec has a tradition of holding a „night talk“. This is the last talk on the first day, just before the Speaker’s Dinner. Don’t let the expectation of good Austrian food fool you. Morgan Marquis-Boire will serve you an appetiser which may be hard to digest: Armageddon Redux The talk is a follow-up on Morgan’s Fear, Uncertainty and the Digital Armageddon talk held at DeepSec 2008. During the past years security researchers have been warning about attacks on fundamental infrastructure. The ghosts and dæmons haunting SCADA systems lead to scary scenarios portraying a failing civilisation. At the time, there was significant worry about the danger that digital sabotage posed to the systems that run our everyday lives. Take a look at the recent Tōhoku earthquake and tsunami in Japan and its impact on industrial control

0510, 2011

Talk: Alerting, Reminding, Reminding, Reminding and Releasing Vulnerability

René Pfeiffer/ October 5, 2011/ Conference

Some of you have first-hand experience with the discussions around full disclosure. Enumerating Bugtraq moderated by Aleph One, SecurityFocus and the full-disclosure mailing list is a heavily condensed view of the problem. The term full disclosure actually originates from the problems locksmiths had with weaknesses of locks. The discussion is over a hundred years old and opinion is still divided on the matter, not only among the Internet security community. So if full disclosure and its cryptographic cousin, the Kerckhoffs’s principle, was „discovered“ in the 19th century why are we still arguing about it? Thomas Mackenzie will talk about how to deal with exposing vulnerabilities in his talk at DeepSec 2011. When it comes down to releasing vulnerabilities there are no right or wrong ways to do it. The process of responsible disclosure and

0410, 2011

Talk: Ground BeEF – Cutting, devouring and digesting the legs off a Browser

René Pfeiffer/ October 4, 2011/ Conference

Web browsers have turned into industrial standard software. There’s no office, no company, no network, no client any more that does not use web browsers for at least one task. Any attacker can safely assume that browser software will be present in most target networks. Sadly browser security has not kept up with the spread of web browsing software. Browser security is still one of the trickiest challenges to afford nowadays. A lot of efforts has been spent on mitigating browser exploitation from heap and stack overflows, pointers dereference and other memory corruption bugs. On the other hand there is still an almost unexplored landscape. X-Frame-Options, X-XSS-Protection, Content Security Policy, DOM sandboxing are good starting points to mitigate the XSS plague, but they are still not widely implemented. An explorer willing to look for

0110, 2011

Talk: Patching Vehicle Insecurity

René Pfeiffer/ October 1, 2011/ Conference

The good old car has turned into a high-tech computing device. Researchers of the Freie Universität Berlin have recently tested a car without a driver. Scientists sat in the back seat while the car travelled 80 km in total on roads through Berlin and Brandenburg. An advertisement of a car company proudly touts: The road is not exactly a place of intelligence.…This is why we engineered a car that analyzes real-time information, reads your handwriting, and makes 2,000 decisions every second. With 2,000 decisions per second there’s no way a human can cancel or correct decisions in time. Modern cars heavily rely on self-contained embedded controllers interfacing with an array of sensors. These controllers are connected to diagnostic systems, throttle, transmission, brakes, speedometer, climate and lighting controls, external lights, entertainment systems, navigation subsystem, and

2109, 2011

Talk: Intelligent Bluetooth fuzzing – Why bother?

René Pfeiffer/ September 21, 2011/ Conference, Security

Bluetooth devices and software implementations have been a fruitful playground for security researchers for years. You probably remember the PoC code from the trinifite.group and other bugs dragged out into the open. Riding public transport often led to Bluetooth scanning with tools such as Blooover. But that’s all past and gone. Software has evolved. Developers have learned. Modern quality assurance won’t let this happen again. Sadly this is fiction. Tommi Mäkilä has some stories to share about the state of Bluetooth: „Bluetooth robustness is wretched, no surprise there. Bluetooth test results from plugfests show 80% failure rate, eight out of ten tests end with a crash. It is not pretty, it is sad and frustrating. For a moment, few years back, there seemed to be light at the end of the tunnel: the failures

2009, 2011

Talk: IT Security Compliance Management can be done right

René Pfeiffer/ September 20, 2011/ Conference

Your IT infrastructure needs more than hardware or software. If your IT landscape is big enough you already know that. The question how to tackle compliance management remains. What kind of internal and external controls from regulations and other sources are there? What is IT-Risk and IT-Compliance management? Why and for whom does it matter? How can we handle it and how does compliance aggregation fit into the picture? First of all, you need to know whats in your environment, what assets your organisation consists of. How do you want to protect something if you don’t know it exists? Also make sure you know where it is. Charting the access paths to data is not a trivial task. Then you need to know the risk appetite of your company. How much risk are you

1909, 2011

Talk: Windows Pwn 7 OEM – Owned Every Mobile?

René Pfeiffer/ September 19, 2011/ Conference

Windows Phone is an operating system for mobile phones. Similar to other operating systems it has security features such as sandboxing applications, APIs for exchanging data across applications and isolation of storage built in. It also offer methods for encrypting data on the phone itself. There’s more documentation out in the Internet or directly available at Microsoft’s web site. So, this is good, right? In theory, yes. In practice currently very little public information is available about Windows Phone 7 OS security preventing adequate determination of the risk exposed by WP7 devices. This does not refer to the documentation. It’s all about assessing risks, and risk assessment can’t be done by looking at APIs. Alex Plaskett will talk about WP7 security in-depth. He will address the ever increasing challenges and stages of exploitation an

1809, 2011

Talk: How To Rob An Online Bank And Get Away With It

René Pfeiffer/ September 18, 2011/ Conference

We’ve all heard of – or have even been a victim of – attacks against online banking users where malware on their computers stole their identities and transferred their money to offshore mules’ accounts. While such attacks are still possible and will probably remain a viable threat, they suffer from severe limitations: the loot is limited by the amount of money on victims’ accounts, attacks only work against more gullible people and banks are employing security measures that make identity theft increasingly difficult. From the attacker’s point of view this is very undesirable. These factors create incentive for criminals to focus on online banking servers. Incidentally, that’s where – as famous bank robber Willie Sutton might say – all the money is. Now, Mr. Sutton lived in the times of physical currency and had

1409, 2011

Talk: An online Game Trojan Framework from China Underground Market

René Pfeiffer/ September 14, 2011/ Conference

Malware infecting computers always serves a purpose. Zombies, as infected systems are called, usually connect to a Command & Control channel and receive their orders from the owners of the zombie herd. Malicious software can also be used as a tool for retrieving information. Some of these tools are specialised and look for specific data such as login credentials. At DeepSec 2011 Hermes Li will explain how a trojan horse designed for stealing user information is installed, how it works and give a short introduction into the Chinese underground market. The talk will also discuss parts of the code, DLL injection and the packer encryption. There is a market for most stolen data. When it comes to games there is even real money in data trafficking. In-game goods (items, currencies, …) can be sold,

0709, 2011

Talk: Insight Into the Russian Black Market

René Pfeiffer/ September 7, 2011/ Conference

You have all heard the term cybercrime, and you have heard about all things cybercrime – stolen credentials, data theft, fraud, blackmail and more. You may have heard the there are markets for goods connected to computer crime. You may have heard that there’s a lot of money in it (enough to pay off the national debts of most states including the USA, if you total all reports on damages by cybercrime). As usual the problems lie in connecting the dots. What are the mechanisms behind these black markets? What are the goods? Who pays for them and by which means? Surely you cannot just walk into a chat room, drop your credit card number and part with the digital loot, or can you? What if you end up being a trade object yourself?

0609, 2011

Talk/Workshop: IPv6 Security In-Depth

René Pfeiffer/ September 6, 2011/ Conference

The tale of two protocol suites has been being written for some time now. The IPv4 Internet has run out of fresh addresses. The IPv6 deployment has begun, but it will take some time before IPv4 is completely phased out (if ever). The work on the IPv6 protocol started in the early 1990s with the temporary IP Next Generation Working Group, collecting proposals. In theory IPv6 addresses many shortcomings of IPv4 and consists of a thoroughly well-designed protocol suite with security in mind. In practice you will neither just switch to IPv6 nor skip the step where you consider the security implications. There is no zero conf mechanism when it comes to security. All businesses need to know what the security impact of IPv6 really is. Some networks have already deployed IPv6, others think

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this: