Building

Some Notes on Types of Security Controls & the Way they’re Implemented in Enterprise Environments

Welcome back, Dear Reader,

in this post I’d like to share some reflections on the (potentially inefficient) way some security controls can be observed to be deployed in complex organisations, and on what this may mean for the future of those controls.

In general the space of security controls can be categorized according to different schemes, such as:

  • By fundamental principle (preventive, detective, reactive, corrective, deterrent, compensating etc. security controls; see for example this overview or this one, or some illustration here).
  • By “state of matter” (e.g. components, implementation, operations; again, for some supplemental information look at this one).
  • By type of admission: whitelisting vs. blacklisting (some general discussion here, the respective Schneier-Ranum Face-Off to be found here, and this is only Bruce’s half, but with a number of comments).
  • By the overall architecture of the implementation: centralized vs. distributed.

For today’s topic I’ll just focus on the latter two and will introduce them briefly.
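To make the admission-type distinction concrete, here is an added example (not code from the original post): the same upload filter written once as a blacklist and once as a whitelist, run over a handful of constructed file names. The extension lists and the sample names are assumptions chosen for illustration; the point they show is that a blacklist admits by default and therefore needs to know every variant an attacker might use, while a whitelist denies by default and only needs to know what the application actually requires.

```python
import os

# Constructed example: an upload filter implemented once as a blacklist
# ("deny what we know is bad") and once as a whitelist ("allow what we need").

# Blacklist: every entry is an extension the defender has heard of (assumed list).
DENIED_EXTENSIONS = {"exe", "php", "js", "bat", "sh"}

# Whitelist: every entry is an extension the application actually needs (assumed list).
ALLOWED_EXTENSIONS = {"png", "jpg", "pdf"}


def _extension(filename: str) -> str:
    """Final extension of *filename* without the dot, lower-cased.

    A leading dot is part of the name, so ".htaccess" has no extension."""
    _, ext = os.path.splitext(os.path.basename(filename))
    return ext[1:].lower()


def blacklist_admits(filename: str) -> bool:
    """Admit unless the extension is on the deny list (default: admit)."""
    return _extension(filename) not in DENIED_EXTENSIONS


def whitelist_admits(filename: str) -> bool:
    """Admit only if the extension is on the allow list (default: deny)."""
    return _extension(filename) in ALLOWED_EXTENSIONS


def divergences(filenames):
    """Return the names the two controls judge differently.

    With the lists above every divergence is something the blacklist admits
    and the whitelist refuses: the blacklist is only as good as its author's
    knowledge of attacker variants, the whitelist needs none."""
    return [f for f in filenames if blacklist_admits(f) != whitelist_admits(f)]


# Constructed upload names; the last three are variants a blacklist author
# may not have thought of (alternative PHP handler extensions, and a web
# server configuration file that carries no extension at all).
SAMPLE_UPLOADS = [
    "report.pdf",
    "photo.JPG",
    "shell.php",
    "shell.phtml",
    "shell.php5",
    ".htaccess",
]

if __name__ == "__main__":
    for name in SAMPLE_UPLOADS:
        print(f"{name:14} blacklist={blacklist_admits(name)!s:5} whitelist={whitelist_admits(name)}")
    print("divergent:", divergences(SAMPLE_UPLOADS))
```

Running the block lists the three names on which the two controls disagree; each one passes the blacklist and fails the whitelist, which is the whole argument for whitelisting in one line of output.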

Misc

Ganz Gallien? (All of Gaul?)

“Nein! Ein von unbeugsamen Galliern bevölkertes Dorf hört nicht auf, dem Eindringling Widerstand zu leisten.” (“No! One small village of indomitable Gauls still holds out against the invaders.”)

This is a famous quote pretty much every German kid used to know. Not sure if this still applies though; my three haven’t touched Asterix comics so far. Anyhow, you might ask why I cite this.

Simple answer: see this recent article from the Guardian on a Utah-based ISP “resisting some pressure”. That’s the spirit…

Have a great Sunday everybody,

Enno

Breaking

Reverse Engineering Tools Part 1: BinDiff

When teaching courses on topics like Reverse Engineering or Malware Analysis we always emphasize the need to minimize unneeded work. Because reversing an unknown binary is a time-consuming and complex process, tools that simplify the RE process are invaluable when working under time pressure. In this blog post series I will present multiple tools and techniques that can help to reverse an unknown binary. Please note that these articles do not contain cutting-edge research but are rather aimed at newcomers. However, I hope to also provide some useful and interesting information for more experienced practitioners.
Building

EMET v4.0 with New Certificate Trust Feature Released

Microsoft has released EMET v4.0 with a new (security) feature that helps protect against fraudulently issued website certificates, e.g. after a compromise of a root certification authority (do you remember Comodo, DigiNotar, DigiCert, Turktrust et al. ;-)?).

EMET’s “certificate trust” feature defines a trust chain between the domain name of a website (and its associated website certificate) and a root CA certificate. This is done through so-called “pinning rules”. Here is one of the default pinning rules of EMET 4.0 for the domain name login.live.com:
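As an added illustration of what such a pinning rule does when a TLS chain is evaluated (this is example code written for this page, not EMET’s implementation or its actual rule data), the following block models a rule as a host name bound to the SHA-1 thumbprint(s) of the root CA certificate(s) allowed to terminate its chain, plus an expiry date, and checks a presented chain against it. The rule shape, the certificate bytes and the expiry date are assumptions constructed for the example; the thumbprints are computed from placeholder bytes, not taken from the real Microsoft roots. What to do on a mismatch (alert, log, block) is policy and is left to the caller.

```python
import hashlib
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class PinningRule:
    """One pinning rule (assumed shape): a host name bound to the root CA
    certificate(s) allowed at the top of its chain, plus an expiry date.
    Thumbprints are SHA-1 over the DER-encoded root certificate, upper-case
    hex, i.e. the usual Windows 'certificate thumbprint'."""
    domain: str
    root_thumbprints: frozenset
    expires: date


def thumbprint(der_cert: bytes) -> str:
    """SHA-1 thumbprint of a DER-encoded certificate, as shown in certmgr."""
    return hashlib.sha1(der_cert).hexdigest().upper()


def check_chain(rules, hostname, chain, today):
    """Evaluate the chain presented for *hostname* against the pinning rules.

    *chain* is the list of DER certificates as received, leaf first, root
    last.  Only the root is compared: a leaf that validates perfectly but was
    issued under a different trusted root (the DigiNotar case) is exactly
    what a pin is meant to catch."""
    rule = rules.get(hostname.lower())
    if rule is None:
        return "no-rule"          # host not pinned, ordinary validation applies
    if today > rule.expires:
        return "rule-expired"     # stale rule: report it, do not judge the chain
    if not chain:
        return "no-chain"
    if thumbprint(chain[-1]) in rule.root_thumbprints:
        return "pinned-ok"
    return "mismatch"             # chain ends in a root the rule does not allow


# Constructed placeholder certificates; real ones would be DER bytes.  The
# thumbprints in the rule below are derived from these placeholders, not from
# the Microsoft root certificates EMET actually pins login.live.com to.
PINNED_ROOT = b"constructed: placeholder for a root CA pinned for login.live.com"
ROGUE_ROOT = b"constructed: placeholder for some other publicly trusted root CA"
LEAF = b"constructed: placeholder leaf certificate for login.live.com"

RULES = {
    "login.live.com": PinningRule(
        domain="login.live.com",
        root_thumbprints=frozenset({thumbprint(PINNED_ROOT)}),
        expires=date(2014, 12, 31),   # assumed expiry for the example
    )
}

# Assumed evaluation dates, one inside and one past the rule's validity.
EXAMPLE_DAY = date(2013, 6, 1)
AFTER_EXPIRY = date(2015, 1, 1)

if __name__ == "__main__":
    print(check_chain(RULES, "login.live.com", [LEAF, PINNED_ROOT], EXAMPLE_DAY))
    print(check_chain(RULES, "LOGIN.live.com", [LEAF, ROGUE_ROOT], EXAMPLE_DAY))
```

The second call is the interesting one: the leaf is the same, the host name matches, and the rogue root would be accepted by normal chain validation if it is in the trust store, yet the pin reports a mismatch because the chain does not end in the root the rule names.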

Events

TROOPERS14 Registration Open + TROOPERS13 Photos Online

Dear blog followers, TROOPERS speakers & attendees,
we hope you’re doing fine! Today we have a couple of great things to share with you:

TROOPERS14
Let’s start with a date: get your calendar and mark March 17th – 21st, 2014. Those are your TROOPERS14 holidays. One week full of high-end education, workshops, talks, reconnecting with friends, action, delicious food and the odd party. You know the drill; more details further down.

Breaking

Slides & Scripts from Antonios Atlasis’ “Advanced Attack Techniques against IPv6 Networks” Workshop

After his great presentations on IPv6 extension headers and the security problems related to fragmentation, we had invited Antonios Atlasis to Heidelberg to give this workshop at ERNW. It was a great experience with many fruitful discussions between him/us and the participants (mostly security practitioners from very large organizations planning to have their Internet edge IPv6-enabled within the next 6-12 months). Antonios has thankfully decided to make his slides and scripts available for those interested in further research on these topics (it should be noted that the scripts have not been tested thoroughly, and he’s happy to receive feedback of any kind at antoniosDOTatlasisDOTgmailDOTcom). Today Marc (Heuse) gives his workshop on pentesting in the IPv6 age. Hopefully such events help to move things in the right direction in the IPv6 security space…

Best

Enno

Events

Impressions from the Google I/O Con

From the 15th to the 17th of May, the sixth Google I/O conference took place in San Francisco, California, and I was one of the lucky guys attending. More than 5,500 people, primarily web, mobile, and enterprise developers, attended this annual event. Many presentations included announcements of new and exciting technologies and APIs, as well as two new devices.

During the first minutes of the keynote some of Google’s managers announced that over 900 million Android devices have been activated by now and that 48 billion apps have been installed, which demonstrates that this market is still growing strongly. As the majority of the audience were (app) developers, these numbers were received with considerable enthusiasm.

Some of the presentations announced new services as well as new features and designs for existing services, such as:

  • Google Play Music All Access, which makes it possible to stream music legally for a monthly fee (comparable to Spotify).
  • Underwater Street View, where Google tries to capture all coral reefs worldwide in order to enable virtual diving.
  • The new user interface and features of Google+, which make it easier to use the social network while providing more functionality (e.g. automated sorting and quality assessment of uploaded holiday pictures).
  • Google Maps, which now provides smarter localization features for users’ target locations as well as clouds hovering over the world in real time.
  • “Sign in with G+”, an OAuth 2.0-based single sign-on that can be used in place of a site’s own web authentication mechanism.

Of course, quite some talks dealt with the privacy-critical project Google Glass, which had been introduced at last year’s I/O. From a technical point of view Google Glass is an interesting project, not only because of its new “in-eye projection” technology; the voice interface also makes the device easy to control. By saying “OK Glass, take a picture” the user’s current view is captured and uploaded directly, to Google servers of course. The integrated navigation system is another interesting feature: it enables augmented navigation by displaying semi-transparent arrows directly in the user’s field of view. However, there is the other side of the coin: privacy. All data captured by the device is processed on Google’s servers. The fact that one of the responsible Google managers, asked how Google handles the captured and GPS data, answered “in the same way as Google handles all the other data that is collected by our other services” is not reassuring. Rather, it suggests that, considering lawful interception as it exists in almost all countries (and in particular in the USA), Google Glass can turn into a surveillance instrument par excellence. This does not only affect owners of Google Glass but also everyone facing a person wearing Google’s new toy. There is a tiny LED that shines while the device is recording video, but it can easily be covered (e.g. with a sticker), and it is questionable whether the visibility of this LED is in appropriate proportion to the resolution of the integrated camera. In other words, it is possible to be filmed and photographed while walking in the streets without even noticing it. Since Glass is not publicly available so far, we have some time left to think about how to deal with this…

All in all Google I/O was a very impressive and informative event. In a way I felt as amazed as a child when I saw all these crazy Android figures hanging around and found myself surrounded by remotely controlled zeppelins flying through the building.

Have a good weekend
Kevin

P.S.: All talks can be reviewed here.
