Events

BSides LV 2016: Recap

Hey everyone,

Just a short recap from my side regarding this year’s BSides in Las Vegas, NV. It was my first time there and I pretty much enjoyed it. After entering the venue on the first con day (Tuesday) I was a little bit shocked, as the staff sent me to the “end of the line just around the corner” – the end being many corners and many floors away 😉 Talking to some guys while standing in line, I found that time quickly passed by, and before I finally reached the registration desk, staff members were already handing out the conference badges to the waiting folks. The waiting time was no comparison to last year’s DEF CON, where I (and obviously all the other “humans”, as attendees at DEF CON are called) had to wait nearly _four_ hours to get a badge to enter the con. DEF CON staff already call this the annual “Line Con”. Enough bashing, back to topic 😉

The opening keynote was held by Lorrie Cranor, who spoke first, and Michael Kaiser, who gave the second part. I enjoyed Lorrie’s part, which was about frequent password changes in environments like companies or universities. She talked about studies that revealed that many people who have to change their passwords frequently use patterns when changing them, like shifting letters or incrementing numbers. This behavior mostly provides only a small security benefit or can even decrease security, she said.
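As an added example (my own illustration, not part of the original post or of the studies mentioned in the keynote), here is a check of the kind a password-history policy can run to catch such pattern-based changes: it tries to explain the new password as a simple transformation of the old one. The list of transformation classes (case change, reversal, rotation, digit change, single-character edit) is an assumption chosen for illustration.

```python
import re


def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance between two strings (plain dynamic programming)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, start=1):
        cur = [i]
        for j, cb in enumerate(b, start=1):
            cur.append(min(prev[j] + 1,                 # deletion
                           cur[j - 1] + 1,              # insertion
                           prev[j - 1] + (ca != cb)))   # substitution
        prev = cur
    return prev[-1]


def _strip_digits(s: str) -> str:
    return re.sub(r"\d+", "", s).lower()


def predictable_change(old: str, new: str):
    """Name the transformation that turns ``old`` into ``new``, or return None.

    The transformation classes are an assumption for this example. They are
    checked from most to least specific, so that a rotation such as
    'password1' -> '1password' is not misreported as a digit change.
    """
    if old == new:
        return "unchanged"
    if old.lower() == new.lower():
        return "case change only"
    if new == old[::-1]:
        return "reversed"
    if len(new) == len(old) and new in old + old:
        return "rotation"                      # e.g. 'password1' -> '1password'
    if _strip_digits(old) and _strip_digits(old) == _strip_digits(new):
        return "digits and/or case changed"    # e.g. 'Summer2015' -> 'Summer2016'
    if _edit_distance(old, new) <= 1:
        return "single-character edit"         # e.g. 'password1' -> 'password1!'
    return None


def accept_new_password(old: str, new: str) -> bool:
    """Policy hook: reject a change that is a predictable transformation of the old password."""
    return predictable_change(old, new) is None


if __name__ == "__main__":
    for old, new in [("Summer2015", "Summer2016"), ("password1", "1password"),
                     ("hunter2", "Tr0ub4dor&3")]:
        print(f"{old!r} -> {new!r}: {predictable_change(old, new)}")
```

Such a check only works at change time, when the old password is still available in cleartext to compare against; it cannot be run retroactively against stored hashes.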

Continue reading “BSides LV 2016: Recap”


SIGS DC Day

Today I had the pleasure of giving a keynote at the SIGS DC Day on the need to evaluate Cloud Service Providers in a way that looks behind (or at least tries to look behind) security whitepapers and certification reports. The slides can be found here.

I also particularly enjoyed the following two talks:

Sean O’Tool from Swisscom AG covered the challenges of an infrastructure-to-cloud migration. Even though he only briefly touched on the topic, I enjoyed his description of their firewalling model: seeing that centralized firewall operation (or more precisely, rule design and approval) is limited by the firewall operators’ understanding of the application, they transferred control over firewall rule sets (beyond a basic set of infrastructure/ground rules) to the application teams, using features like OpenStack’s security groups (he also talked about the limitations of those). They compensated for the loss of “centralized enforcement by a security group” with rule reviews, an approach that will become way more relevant (and necessary) in the future.
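The rule review that compensates for handing security groups to the application teams can be partly automated. The following is an added example (my own illustration, not Swisscom’s or OpenStack’s code): it takes a security group in the shape of the Neutron REST API’s security group object (a `security_group_rules` list whose entries carry `direction`, `ethertype`, `protocol`, `port_range_min`/`port_range_max` and `remote_ip_prefix` or `remote_group_id`) and checks the application team’s ingress rules against a hypothetical set of ground rules: management ports only from a management CIDR, only web ports open to arbitrary sources, no blanket allows. The baseline and the sample group are constructed for this example.

```python
import ipaddress

ANY = {"IPv4": ipaddress.ip_network("0.0.0.0/0"),
       "IPv6": ipaddress.ip_network("::/0")}

# Hypothetical ground rules (an assumption for this example, not from the talk).
BASELINE = {
    "mgmt_cidr": ipaddress.ip_network("10.0.250.0/24"),  # jump hosts / management
    "mgmt_ports": {22},          # only reachable from mgmt_cidr
    "public_ports": {80, 443},   # may be opened to arbitrary sources
}


def _port_set(rule):
    """Ports a rule covers as a set, or None when it covers all ports."""
    lo, hi = rule.get("port_range_min"), rule.get("port_range_max")
    if lo is None and hi is None:
        return None
    return set(range(lo, (hi if hi is not None else lo) + 1))


def _from_mgmt(src, baseline):
    mgmt = baseline["mgmt_cidr"]
    return src.version == mgmt.version and src.subnet_of(mgmt)


def review_security_group(sg, baseline=BASELINE):
    """Return (rule_id, message) for each ingress rule that violates the baseline."""
    findings = []
    for rule in sg.get("security_group_rules", []):
        if rule.get("direction") != "ingress":
            continue  # egress is out of scope for this review
        if rule.get("remote_group_id"):
            continue  # group-to-group reference: no CIDR to judge here
        prefix = rule.get("remote_ip_prefix")
        src = ipaddress.ip_network(prefix) if prefix else ANY[rule.get("ethertype", "IPv4")]
        proto = rule.get("protocol")
        ports = _port_set(rule)
        desc = f"{proto or 'any protocol'}, {sorted(ports) if ports else 'all ports'}, from {src}"
        if proto in ("icmp", "ipv6-icmp"):
            # ICMP rules carry type/code in the port fields, so "all ports" is normal here
            if not _from_mgmt(src, baseline):
                findings.append((rule["id"], f"ICMP allowed from outside mgmt_cidr ({desc})"))
        elif proto is None or ports is None:
            findings.append((rule["id"], f"blanket allow ({desc}); narrow to explicit protocol and ports"))
        elif ports & baseline["mgmt_ports"] and not _from_mgmt(src, baseline):
            findings.append((rule["id"], f"management port exposed outside mgmt_cidr ({desc})"))
        elif not _from_mgmt(src, baseline) and not ports <= baseline["public_ports"]:
            findings.append((rule["id"], f"non-public port opened to {src} ({desc})"))
    return findings


def _rule(rid, **fields):
    """Build a rule dict with Neutron's field names; defaults are 'ingress, IPv4, any'."""
    base = {"id": rid, "direction": "ingress", "ethertype": "IPv4", "protocol": None,
            "port_range_min": None, "port_range_max": None, "remote_ip_prefix": None}
    base.update(fields)
    return base


# Constructed sample group of an application team (not a real export).
SAMPLE_SG = {
    "id": "sg-app-web",
    "security_group_rules": [
        _rule("r1", protocol="tcp", port_range_min=443, port_range_max=443, remote_ip_prefix="0.0.0.0/0"),
        _rule("r2", protocol="tcp", port_range_min=22, port_range_max=22, remote_ip_prefix="0.0.0.0/0"),
        _rule("r3", protocol="tcp", port_range_min=8080, port_range_max=8080, remote_ip_prefix="203.0.113.0/24"),
        _rule("r4", remote_ip_prefix="10.0.250.0/24"),  # any protocol, all ports, from mgmt
        _rule("r5", protocol="tcp", port_range_min=22, port_range_max=22, remote_ip_prefix="10.0.250.0/24"),
        _rule("r6", protocol="tcp", port_range_min=5432, port_range_max=5432, remote_group_id="sg-app-db"),
        _rule("r7", direction="egress", remote_ip_prefix="0.0.0.0/0"),
        _rule("r8", protocol="icmp", remote_ip_prefix="0.0.0.0/0"),
        _rule("r9", ethertype="IPv6", protocol="tcp", port_range_min=80, port_range_max=80),
    ],
}


if __name__ == "__main__":
    for rid, msg in review_security_group(SAMPLE_SG):
        print(f"{SAMPLE_SG['id']} {rid}: {msg}")
```

Rules that reference another security group (`remote_group_id`) are deliberately skipped: they express the intended tier-to-tier reachability and carry no CIDR, so they need a different review (does the referenced group really belong to the same application?) rather than a port/source check.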

Marc Holitscher from Microsoft covered their “second line of defense”, which is a strong audit framework for the controls they implement for their Azure/Office cloud environment. The relevant information (which was new to me too) was that they published a lot of audit information just recently. Details are described here.

Cheers,
Matthias


25th USENIX Security Symposium & WOOT Workshop

Last month the annual USENIX Security Symposium with its co-located workshops (WOOT, CSET, FOCI, ASE, and HotSec) was held in Austin, Texas. The program of the conference together with the published papers can be found here and information on the workshops can be found here.

The research topics were quite diverse and included subjects such as low-level attacks, cryptographic attacks, and vehicle attacks. To give you an impression of the research presented at the conference, let us discuss some of the talks in the following:

Continue reading “25th USENIX Security Symposium & WOOT Workshop”


MRMCD16 – diagnosis:critical

This year’s MRMCD16 had a motto that immediately made me submit a talk about medical device security: “diagnosis:critical”. Or to quote the official website:

Security issues in soft- and hardware have a low chance of healing, especially in medical IT.

Despite years of therapy using code reviews and programming guidelines, we still face huge amounts of vulnerable software that probably is in need of palliative treatment.

Security vulnerabilities caused by the invasion of IT into the medical sector are becoming real threats. From insulin pumps and analgesic pumps through to pacemakers, more and more medical devices have been hacked already. This year's motto "mrmcd2016 - diagnosis:critical" sums up the current state of the whole IT sector.

Continue reading “MRMCD16 – diagnosis:critical”


Black Hat 2016 Summary

Just a few days ago I had a blast again at this year’s Black Hat. Some of the talks were really worth listening to, so I wanted to point them out and give a short summary.


USING UNDOCUMENTED CPU BEHAVIOR TO SEE INTO KERNEL MODE AND BREAK KASLR IN THE PROCESS – Anders Fogh & Daniel Gruss

They had the last slot on the last day of Black Hat, which resulted in a rather empty room, but in my opinion it was an awesome talk, and I even had the pleasure of meeting these two guys at our ERNW dinner.


The talk was about a very weirdly documented Intel instruction which does not check for privileges or throw exceptions:

Continue reading “Black Hat 2016 Summary”


Area41 Conference 2016

Last Friday, Brian and I were at the Area41 Security Conference. The conference is an offshoot of the Defcon conference and is more or less a small conference of the Swiss hacker community. It takes place in a “rock music club”, so the speakers present on a stage where usually the rock stars perform, which gives the conference a very special flair and an interesting atmosphere. We were at the conference to present our research on VoLTE technology, including some attack scenarios we have evaluated in the past. More on this later; let’s first talk about the conference itself.
Continue reading “Area41 Conference 2016”
