Misc

Sell Your Own Device – A Field Study on Decommissioning of Mobile Devices

On Friday we released our latest technical newsletter with the fancy title “Sell Your Own Device – A Field Study on Decommissioning of Mobile Devices”. It is the result of a field study on decommissioned mobile business devices bought on eBay and about how stored data may be extracted in different ways.

As always we love to share plenty of practical advise: At the end of the newsletter you will find the mitigating controls to securely handle mobile devices at the end of their life cycle process.

Find the newsletter here.
And a digitally signed version here.

Special thanks go to Sergej Schmidt for performing the field study.

Talking about our great team: Meet the whole ERNW crew at TROOPERS12, or even better: Dig deeper into mobile security together with Rene Graf during the mobile security workshop. There are a few slots left.

Enjoy the newsletter & hopefully see you soon in Heidelberg!
Florian

Continue reading
Events

Diving Into Real-World Security Threats to SAP Systems

This is a guest post by the SAP security experts of BIZEC. Enjoy reading:

On March 20th, the first BIZEC workshop will be held at the amazing Troopers conference in Heidelberg, Germany. For those still unfamiliar with BIZEC: the business application security initiative is a non-profit organization focused on security threats affecting ERP systems and business-critical infrastructures.

The main goals of BIZEC are:

  • Raise awareness, demonstrating that ERP security must be analyzed holistically.
  • Analyze current and future threats affecting these systems.
  • Serve as a unique central point of knowledge and reference in this subject.
  • Provide experienced feedback to global organizations, helping them to increase the security of their business-critical information.
  • Organize events with the community to share and exchange information.

The “BIZEC workshop at Troopers 2012” will dive into the security of SAP platforms. Still to this day, a big part of the Auditing and Information Security industries believe that Segregation of Duties (SoD) controls are enough to protect these business-critical systems.
By attending this session, InfoSec professionals and SAP security managers will be able to stop “flying blind” with regards to the security of their SAP systems. They will learn why SoD controls are not enough, which current threats exist that could be exploited by evil hackers, and how to protect their business-critical information from cyber-attacks.

Attendees can expect a high-dose of technical content covering the latest advances in the SAP security field.

The agenda is really exciting, covering hot topics such as:

  • Real-world cyber-threats to SAP systems, by Mariano Nunez Di Croce (Onapsis)
  • Five years of ABAP Code Reviews – A retrospective, by Frederik Weidemann (VirtualForge)
  • SAP Solution Manager from the hackers point of view, by Ralf Kemp (akquinet)

The workshop will be full of live demonstrations of attacks and discussions on possible mitigation techniques. Furthermore, attendees will have the pleasure of enjoying a great introduction by Gary McGraw, CTO of Cigital and pioneer in software security.

If you want to stay ahead of the threats affecting your SAP platforms, you can’t miss this workshop!

The BIZEC team

Comment by the Insinuator: We’ve prolongued the early-bird period until February 10th. We hope that helps to get your favorite event budgeted 😉


Continue reading
Breaking

How Safe is Smart?

Bluetooth Smart Ready LogoAbout two months ago the Bluetooth SIG renamed their latest standard, which was previously known as “Bluetooth v4.0”. When version numbers get higher and higher marketing likes to interfere and try something new. In this case: Bluetooth Smart.

Sounds smart, but is it?

Without getting into too much detail, let me quickly quote Wikipedia to get started:

 “Cost-reduced single-mode chips, which enable highly integrated and compact devices, feature a lightweight Link Layer providing ultra-low power idle mode operation, simple device discovery, and reliable point-to-multipoint data transfer with advanced power-save and secure encrypted connections at the lowest possible cost.”

http://en.wikipedia.org/wiki/Bluetooth#Bluetooth_v4.0 (sounds more like a marketing text than a proper technical specification, but gives you a rough idea what you as an end-user can expect ;)).

So we’re talking about the usual stuff: Lower energy consumption combined with more functionality. Great!

Ubertooth One Description
Ubertooth One - Photo from: ubertooth.sourceforge.net

Sounds smart, but is it safe?

With “Bluetooth Smart Ready” products just coming in it’s too early to tell. But one thing is for sure: 2012 will be the year where every major consumer product (smartphones, heart-rate straps or even simple clocks) will be equipped with it. Oh, and guess what… a new wireless standard doesn’t just come along with a new shiny gadget. Obviously you need an app for that. How about tracking your heart beat? Personally I’m looking forward for the first Bluetooth Smart Ready cardiac pacemaker…

And back to security: Either you trust the Bluetooth committee which states “Bluetooth technology is an industry leader when it comes to wireless data security.”, OR you ask somebody who would tell you the plain truth (given there is one): Michael Ossmann.

Will it blend?

We did the latter and invited Michael to talk at TROOPERS12. He is a wireless security experts who also makes hardware tools to progress with his research. In early 2011 he successfully crowd-funded his latest gadget: Ubertooth One. A very capable Bluetooth monitoring device.

We’re looking forward to mid March where we all meet to discuss things in more depth at TROOPERS12. Until then keep yourself up-to-date and have a look into Michael’s latest blog entry: Bluetooth for Bad Guys

Have a wonderful Christmas time,
Florian

PS: Drop us a comment, when you find some “Bluetooth Smart Ready” labels under your Christmas tree 😉

Continue reading
Events

A Sneak Peek into TROOPERS12

TROOPERS11 Speaker badgesHere we go again: TROOPERS12 is scheduled for March 19th – 23rd 2012 in Heidelberg, Germany.

Those who attended TROOPERS before know for what we are up to. For all newcomers I’ll quickly outline what’s going to happen:

TROOPERS is your premium IT security event in Europe. Think of your usual IT educational event without annoying sales pitching and outdated topics. Now add a superb conference location, an elite line-up of international researchers and practitioners as well as an organizing team not dedicated to make a living doing this, but to celebrate our craftsmanship together with like-minded people.

Sounds good? Let’s see what we have planned for you:

Monday & Tuesday

We start with a great selection of workshops. You’ll have a bigger choice than ever before:

One-day workshops on Monday:

  • Advanced IPv6 Security
  • Android Security
  • CloudSec
  • ISECOM Workshop (to be announced shortly) 

One-day workshops on Tuesday:

  • Advanced Email Security
  • iOS Security
  • ISECOM’s “Smarter, Safer, Better” security awareness training
Special event on Tuesday:

We call it the “TelcoSec Day” – A workshop that assembles researchers and practitioners in the telecommunications operator security space. Invitation only. Please drop us an email, if you think you should be part of it.

Two-day boot camp on Monday and Tuesday:

Chema playing Minesweeper

  • Hacking 101 – Your personal preparation for PacketWars (and beyond…)

Wednesday & Thursday

These are the main conference days. Expect more than 20 international researchers coming in to present on their latest discoveries – ready to share their experience with you. In order to serve you with the latest and greatest we won’t announce a final agenda yet. Topics of already confirmed talks include:

  • Web Application Firewalls
  • iCloud
  • SAP Hacking
  • Quantum Cryptography
  • Bioinformatics

Friday

Orange TROOPERS flagWe’ll finish up with a bunch of roundtable sessions. This is the perfect place to recap the week’s happenings and look ahead on upcoming developments.

Something is missing right?

TROOPERS conference is more than a yearly get-together of some IT guys. This event is for enthusiasts, idealists and doers of all nationalities, age groups and sexes. Our common denominator is the passion for what we do and the strong belief that we will succeed in the daily battle of IT security. Professionals from various backgrounds are longing for an environment where their thoughts, work and experience is appreciated and amplified.

TROOPERS11 electronic badgeTherefore we spare no efforts to do just that. To name just a few highlights of your complimentary supporting program:

  • Shared dinner in the Old Town
  • PacketWars hacking contest
  • 10k Morning run to keep you going
  • [TOP SECRET] Competition

Registration

Registration is open now. Head over to the sign up page and make yourself familiar with all the deals we offer. Please contact us, if you need any assistance or guidance on your selection.

We’re looking forward to meet you soon,
Florian & the TROOPERS/ERNW crew

Continue reading
Events

TROOPERS11 – Slides available

TROOPERS11 slides are available now! Please find them here: http://www.troopers.de/troopers11/downloads/

TROOPERS11 was a blast! We received great feedback from all attendees and speakers. This really pushes ourselves towards the next goals and an even better security conference in 2012.

We’re happy that everybody got home safely with new ideas and inspirations in mind. On a side note: The awesome TROOPERS badge caused trouble for some of you with the airport security 😉 I really hope everybody could find a way to take it back home. It will hopefully find its way to an adequate place right next to your old memorabilia (cup of the first won soccer match, your college degree or photos from your first ballet show). Regard it as the proof of your latest achievement and tell everybody proud and loud: WE ARE TROOPERS.

Best regards,
Florian

PS: Videos and photos are coming soon. Stay tuned.

Continue reading
Breaking

Research on “Application Virtualization” – Results online now

Just wanted to let you know that we sent out ERNW Newsletter 32 end of last week. As we promised it includes the results of  research regarding the question “Is browser virtualization a valid security control in order to mitigate browser based security risks?”.

Simon did a great job with writing the latest newsletter. It’s a 30-page document which should help you to have a basis for well-informed decisions when it comes to the deployment of an application virtualization technology.

Download a signed version of the PDF here, or visit the archive to browse other issues of our highly technical newsletters.

Best wishes,
Florian

Continue reading
Breaking

Try Loki!

Loki is set free!

Everybody who is interested in our newest tool ‘Loki’ is welcomed to head over to ERNW’s tool section and download it. Take this monster for a spin and let us know in the comments how you like it. Loki’s coding father Daniel is more than happy to answer your questions and criticism.

You don’t even know what Loki is?

In short: An advanced security testing tool for layer 3 protocols.

In long: Have a read in the Blackhat2010 presentation slides and mark TROOPERS11 in your calendar to meet the guys behind the research and for sure get a live demo of the capabilities – development is still ongoing, so prepare yourself for even more supported protocols and attack types.

And again: Talking about TROOPERS11… we’ve already selected the first round of speakers. Details to be published soon 🙂

Have a great day!
Florian

Continue reading
Events

ERNW at NinjaCon (fka PlumberCon)

Yesterday we made our way to Vienna to participate and contribute to NinjaCon (formerly known as PlumberCon, before Nintendo Inc. claimed their rights ;)).

After our arrival Oliver held a five hour workshop on Penetration Testing and did the finishing touches on his slides about ‘Attacking Cisco Enterprise WLANs‘, which he will deliver later today together with Daniel. And last but not least Daniel will be the Packet Master of PacketWars™ Vienna taking place in the evening.

As sponsor of this young and vibrant conference we’re proud to share our equipment and know-how to support the networks on site.

Talking about young and vibrant: Last week we held one of our beloved internal workshops at ERNW to discuss the latest in ITSec and teamwork – but also to chat with colleagues or listen to a rant on $some-broken-technology of Enno. When having dinner on Tuesday we went crazy on planning for TROOPERS11. I don’t like it too much to talk about ‘good energy in the room’, but there was something really enthusiastic and insanely creative about it – and whatever it was, we gonna use it to make it even more enjoyable, educating and unforgettable than this year.

As we’re progressing at Vienna I’m going to update this blog post. So stay tuned!
Cheers, Florian & the team

UPDATE: NinjaCon is over. Besides the usual small hiccups at such an event it was a really great conference for all of us. Excellent speakers, an exciting location and the overall perfect atmosphere to interact, chat and learn really made the deal here. Big applause to the host @astera and her team!

Continue reading
Events

TROOPERS10 presentation materials finally online

I’m happy to announce that the presentations and a majority of the videos from TROOPERS10 are finally available to you.

You’ll find the slides at the conference’s website troopers.de, more precisely here. Plenty of videos were uploaded and are now ready for streaming at viddler.com/TROOPERS. Enjoy!

Please excuse the long waiting time – this is a big point on our ‘improvements for upcoming events’ list. Talking about improvements: If you have any suggestions, criticism or even praise for past or upcoming events – let us know in the comment section.

Thanks,
Florian

PS: At the moment I’m doing the finishing touches to some really nice photos from TROOPERS10. To stay up-to-date please subscribe to our RSS feed or if you’re into twitter: Follow @WEareTROOPERS 😉

Continue reading