Cryptographic backdoors are a timely topic often debated as a government matter to legislate on. At the same time, they define a space that some entities might have practically explored for intelligence purposes, regardless of the policy framework. The Web Public Key Infrastructure (PKI) we daily rely on provides an appealing target for attack. The entire X.509 PKI security architecture falls apart if a single CA certificate with a secretly embedded backdoor enters the certificate store of trusting parties. Do we have sufficient assurance that this has not happened already? Alfonso De Gregorio presented at DeepSec 2015 his findings and introduced illusoryTLS. Aptly named illusoryTLS, the entry is an instance of the Young and Yung elliptic curve asymmetric backdoor in the RSA key generation. The backdoor targets a Certification Authority public-key certificate, imported in
Calling for encryption and implementing it may be easy at a first glance. The problem starts when you have to grant access to data including a segregation of duty. Workflows with Segregation-of-Duty requirements or involving multiple parties with non-aligned interests (typically mutually distrustful) pose interesting challenges in often neglected security dimensions. Cryptographic approaches are presented to technically enforce strict auditability, traceability and multi-party-authorized access control and thus, also enable exoneration from allegations. At DeepSec 2015 Thomas Maus held a presentation explaining the problems and possible solutions.
How do you manage your technical and operational security? Do you follow a model? If so, what’s the flavour? Do you borrow concepts from software development? In case you do or you plan to do, then Daniel Liber might have some ideas for you. At DeepSec 2015 he held a presentation about Agile and a possible relation to information security. Buzzwords about Agile are flying around in overwhelming speed, talks about Scrum, Kanban, XP and other methodologies and practices are thoroughly discussed while security is still left as a ‘high level’ talk, or, sometimes, as understanding how to adapt from traditional development methodologies. Some best practices will leave you scratching your head, unsure what was the original intention and without understanding how to implement security in Agile, effectively. This talk will help security engineers,
XML is often the way to go when exchanging information between (business) entities. Since it is older than the widespread adoption of SSL/TLS, there is a special standard called XML Encryption Syntax and Processing. You can use XML encryption to encrypt any kind of data. So far, so good. But In recent years, XML Encryption became a target of several new attacks. These attacks belong to the family of adaptive chosen-ciphertext attacks, and allow an adversary to decrypt symmetric and asymmetric XML ciphertexts, without knowing the secret keys. In order to protect XML Encryption implementations, the World Wide Web Consortium (W3C) published an updated version of the standard. Juraj Somorovsky (Ruhr University Bochum) held a presentation at DeepSec 2015 explaining what these attacks look like. .
Cookies are solid gold when it comes to security. Once you have logged in, your session is the ticket to enter any web application. This is why most web sites use HTTPS these days. The problem is that your browser and the web applications needs to store these bits of information. Enter cookie hacking. A lot has changed since 1994, and Dawid Czagan of Silesia Security Lab held presentation at DeepSec 2015 about what you can and cannot do with cookies in modern web applications and browsers. Learn about user impersonation, remote cookie tampering, XSS and more. .
The Stagefright exploit haunts the Android platform. The vulnerability was published in Summer 2015. It gives attackers a way to infect Android smartphones by using multimedia files such as pictures, text, and videos. This is a perfect vector since most people will look at media instantly. Dr. Aleksandr Yampolskiy gave a presentation at DeepSec 2010 about malicious software hidden in multimedia (the talk was aptly titled Malware goes to the Movies). So what if there are more bugs like this in the Android platform? Enter fuzzing technology. Alexandru Blanda spoke at DeepSec2015 about fuzzing on the Android platform. This approach can be used to uncover different types of vulnerabilities inside multiple core system components of the Android OS. Since these vulnerabilities affect critical components of the Android system, the impact of the results will
Wherever and whenever terrorism, „cyber“, and cryptography (i.e. mathematics) meet, then there is a lot of confusion. The Crypto Wars 2.0 are raging as you read this article. Cryptography is usually the perfect scapegoat for a failure in intelligence. What about the facts? At DeepSec 2015 Julie Gommes talked about results of the studies done by the Middle East Media Research Institute (MEMRI). The Internet is the method of choice for communication: the number of sites calling for a “jihad” rose from 28 in 1997 to over 5,000 in 2005. The basic use of these sites for the purpose of basic classical communication began in the 2000s. It was replaced by that of social networks, allowing almost instant mass communication. Julie’s talk give you an overview about the tools used according to the study.
„It’s a trap!“ is a well-known quote from a very well-known piece of science fiction. In information security you can use bait to attract malicious minds. The bait is called honeypot or honeynet (if you have a lot of honeypots tied together with network protocols). A honeypot allows you to study what your adversaries do with an exposed system. The idea has been around for over a decade. There’s even a guide on how to start. Josh Pyorre has some ideas how you can extend your basic honeypot in order to boost the knowledge gain. At DeepSec 2015 he showed the audience how to process attack-related data, to automate analysis and create actionable intelligence. Why else would you run a honeypot? So go forth and multiply the output of your honeynet!
Sometimes your endpoint is a server (or a couple thereof). Very often your server is a web server. A lot of interesting, dangerous, and odd code resides on web servers these days. In case you have ever security-tested web applications, you know that these beasts are full of surprises. Plus the servers get lots of requests, some trying to figure out where the weaknesses are. This is how web application firewalls (WAF) come into play. Firewalls have come a long way from inspecting layer 3/4 traffic up to all the peculiarities of layer 7 protocols. Once your firewall turns ALG and more, things get complicated. Since security researchers love complexity Ashar Javed has taken a look at WAF systems. Here is his presentation held at DeepSec 2015. He found 50 ways to bypass the
Endpoint security is where it all starts. The client is the target most attackers go after. Once you have access there (let’s say by emailing cute cat videos), you are in. Compromised systems are the daily routine of information security. Even without contact with the outside world, you have to think about what happens next. Thomas Fischer has thought a lot about scenarios concerning the endpoint, and he presented his findings at the DeepSec 2015 conference. To quote from the talk: This presentation will demonstrate that one of the most complete sources of actionable intelligence resides at the end point, and that living as close as possible to Ring 0 makes it possible to see how a malicious process or party is acting and the information being touched. There you go. Have a look!
The word cyber has entered the information security circus a couple of years ago. It should have been long gone according to its creator William Gibson. Meanwhile everything has developed into something being cyber – CSI, war, politics, security, homes, cars, telephones, and more. Inventing new words helps to distract. Distraction is what Raoul Chiesa has seen in the last five years, while training various military units in different countries. He held a presentation at DeepSec 2015 about his experiences. While we don’t use the word cyber when talking about (information) security, others sadly do. So think of Information Warfare or Information Offensive Operations when hearing cyber and don’t let yourself be distracted by the fog of war.
Data protection and information security are often seen as different species. Why? Where is the difference between protection, defence, security, and offence? There are a lot of relations between the terms. Stefan Schumacher (Magdeburger Institut für Sicherheitsforschung) gave a presentation at DeepSec 2015 on how to link privacy with security: „Hesse introduced the first data privacy law in the world in 1970. Since then, the German data privacy laws evolved over time and led to the creations of several tools and methods to protect private data. Though it is aimed at data protection it can be utilized for IT security. This talk introduces the data privacy law and it’s main ideas. This presentation will also show how it can be used to further IT security especially in the SME sector. This mostly refers to
The information technology world is full of fancy words that re-invent well-known and well-understood terms. Everyone is talking about the endpoint these days. Endpoint is the trusty old client in disguise. Plus the end in endpoint doesn’t means that something ends there. From the information security point of view all your troubles actually start there. So the client is the start of all your endpoint problems. Why? Because attacks start at the endpoint, regardless how you call it. At DeepSec 2015 Matthias Deeg held a presentation on how malicious software (a.k.a. malware, the good old virus/trojan horse/worm) can deactivate endpoint protection software (a.k.a. anti-virus software) in order to turn your endpoint into a startpoint. Enjoy!
Isolation is a prime ingredient of information security. The air-gap is the best way to isolate systems. Only wireless communication can transport data across these gaps. Apart from Wi-Fi the signals of mobile radio communication are very common. At DeepSec we have seen a lot of hacking when it comes to mobile phones and their networks. Mordechai Guri and Yisroel Mirsky (both of Ben-Gurion University of the Negev) held a talk about how to overcome the air-gap barrier by means of cellular frequencies. Their presentation addresses the way of exfiltrating data across the air-gap: „Although the feasibility of invading such systems has been demonstrated in recent years, exfiltration of data from air-gapped networks is still a challenging task. In this talk we present GSMem, a malware that can exfiltrate data through an air-gap over
Once you got software, you most probably got yourself some decent bugs. Software vulnerabilities are everywhere. They come with the code. Managing patches and changes is they way of handling these weaknesses. At DeepSec 2015 Mitja Kolsek spoke about a new way of addressing vulnerabilities: „Software vulnerabilities are likely the biggest problem of information security, fuelling a rapidly growing market for “0days”, “1days” and exploits alike. It can be highly intellectually challenging to find a vulnerability and create an exploit for it, and super entertaining to reveal it all to the bug-hungry crowds (preferably along with a logo and a catchy name, courtesy of the marketing department). As a result, there’s been a lot of innovation and progress on the offensive side of information security, and a corresponding defensive industry is thriving providing quasi-solutions