Events

LEET’13

I have the pleasure to visit this year’s USENIX Security Symposium in Washington, DC. Besides the nice venue close to the national mall, there are also several co-located workshops. Every night I will try and provide a summary of those presentations I regard as most interesting. However, I hope to manage to keep up with it as there are a lot of interesting events, people to meet, and still some projects to keep up with. The short summaries below are from the 6th USENIX Workshop on Large-Scale Exploits and Emergent Threats.

Continue reading “LEET’13”

Continue reading
Events

IPv6 Hackers Meeting @ IETF 87 in Berlin / Slides

That meeting was actually a great event. Once more, big thanks! to Fernando for organizing it and to EANTC for providing the logistics.
A couple of unordered notes to follow:

a) The slides of our contribution can be found here. Again, pls note that this is work in progress and we’re happy to receive any kind of feedback.
[given Fernando explicitly mentioned Troopers, we’ve allowed ourselves to put some reference to it into this version of the slide deck…]

b) the scripts Stefan currently puts together will be released here once they’ve undergone more testing ;-).

c) Sander Steffann mentioned that Juniper SRX models do have IPv6 support for management protocols. According to this link this seems somewhat correct.

d) we had that discussion about (which) ASA inspects work with IPv6.
Here‘s a link providing some info for 8.4 software releases, this is the respective one for 9.0.

e) I was really impressed by the work performed by these guys and I think that ft6 (“Firewalltester for IPv6”) is a great contribution to the IPv6 security (testing) space.
And, of course, Marc’s latest additions to THC-IPV6 shouldn’t go unnoticed ;-). And I learned he can not only code, but cook as well.

===

Eric Vyncke commented “To be repeated”. We fully second that ;-).

thanks

Enno

Continue reading
Events

IPv6 Hackers Meeting @ IETF 87, Berlin

Next to IETF 87 going on in Berlin in a few days there will be an informal meeting of the “IPv6 Hackers” on Tuesday. We really look forward to personally meet a number of people who we (so far) only know from the associated mailing list or similar machine-enhanced exchange. We hope to contribute as well. Based on the stuff of this workshop from the IPv6 Security Summit at Troopers13 we might give a short project presentation along the lines of “Some Notes on Testing the Real-World IPv6 Capabilities of Commercial Security Products”, providing an overview of some testing done on commercial gear, together with a discussion of testing approaches, tools and key aspects.

I currently discuss this potential input with the guy who gratefully organized the meeting. In any case I encourage everybody interested in IPv6 security to show up there (you don’t have to be registered to IETF 87) as there’s not much that can substitute meeting in person to discuss how to make the IPv6 world a safer place.

best

Enno

Continue reading
Events

TROOPERS14 Registration Open + TROOPERS13 Photos Online

Dear blog followers, TROOPERS speakers & attendees,
we hope you’re doing fine! Today we have a couple of great things to share with you:

TROOPERS14
Let’s start with a date. Get your calendar and mark March 17th – 21st 2014. It’s your TROOPERS14 holidays. One week full of high-end education, workshops, talks, reconnecting with friends, action, delicious food and one or the other party. You know the drill – more details further down.

Continue reading “TROOPERS14 Registration Open + TROOPERS13 Photos Online”

Continue reading
Events

Impressions from the Google I/O Con

moscone
From 15th – 17th of May, the sixth Google I/O conference took place in San Francisco, California and I was one of the lucky guys attending. More then 5500 people, primarily web, mobile, and enterprise developers, attended this annual event. A lot of presentations included announcements of new and exciting technologies, APIs as well as of two new devices.

During the first minutes of the keynote some of Google’s managers announced that by now over 900 million Android devices are activated and that 48 billion apps are installed, which demonstrates that this market is still heavily growing. As the major part of the audience were (app-) developers, these numbers were received quite greatfully and euphoric.


Some of the presentations announced new services as well as new features and designs for existing services like:

  • Google Play Music All Access, which makes it possible to stream music legally for a monthly fee (comparable to spotify).
  • Underwater Streetview, where Google tries to capture all coral reefs worldwide in order to enable virtual diving.
  • The new user interface and features of Google+, which make it easier to use the social network while providing more functionalities (e.g. automated sorting and quality assurance of uploaded holiday pictures).
  • Google Maps, which now provides more intelligent localization features for target locations of users as well as clouds hovering over the world in realtime.
  • “Sign in with G+” which is a OAuth2 based Single Sign-On that can be used to replace all kind of web authentication mechanisms.

Of course, quite some talks dealt with the privacy critic project Google Glass, that had been introduced at last years I/O. From a technical point of view Google Glass is an interesting project not only due to its new “in-eye-projection” technology. Also the voice interface allows to easily control the device. By saying “OK Glass, take a picture” the user’s actual view is captured and directly uploaded – of course to Google servers. In addition, the integrated navigation system is an interesting feature which enables augmented navigation by means of semitransparent arrows being displayed directly in the users’ field of view. However, there is the other side of the coin: privacy. All data that is captured by the device is processed by Google’s servers. The fact, that one of the responsible Google managers answered the question, in which way Google handles the captured and GPS data, with “in the same way as Google handles all the other data that is collected by our other services”, does not calm at that point. It rather states that when considering Lawful Interception as it exists in almost all countries (and in particular in the USA), Google Glass can turn into a surveillance instrument par excellence. Of course this does not only imply an impact for owners of Google Glass but also for all other people being faced by people wearing Googles new toy. In fact, there is a tiny LED shining while the device is taking a video. However, this can easily be manipulated (e.g. with a sticker) and it is questionable if visibility of this LED is in appropriate proportion to the resolution of the integrated camera. In other words, it is possible to be filmed and photographed while walking in the streets without even being able to notice it. Since Glass is not publicly available so far we have some time left to think about how to deal with this…

fancy_io

All in all Google I/O was a very impressive and informative event. In some kind I felt amazed like a child when I saw all these crazy Android figures hanging around and being surrounded by remotely controlled zeppelins flying through the building.

Have a good weekend
Kevin

P.S.: All talks can be reviewd here.

Continue reading
Events

Summary of Talks Held at HITB 2013 – Day 2

This is a short summary of some selected talks from the second day of this year’s Hack in the Box conference in Amsterdam.

 
Rethinking the Front Lines by Bob Lord

Bob Lord is currently the Director of Information Security at Twitter. He has worked at numerous companies in the area of security and software engineering.

In his keynote for the second day of HITB13AMS he tackled a topic that has raised a lot of discussions in the past months. His talk was a summary of what twitter does internally to ensure the security of the company and a plea to implement so called security awareness trainings for employees in a sustainable way. Continue reading “Summary of Talks Held at HITB 2013 – Day 2”

Continue reading
Events

Summary of Talks Held at HITB 2013 – Day 1

This is a short summary of some selected talks from the first day of this year’s Hack in the Box conference in Amsterdam.

 
Abusing Twitter’s API and OAuth Implementation by Nicolas Seriot

Nicolas Seriot (https://twitter.com/nst021) is an iOS Cocoa developer with an interest in privacy and security. He is currently a mobile applications developer and project manager in Switzerland. Nicolas focused his talk on the extraction of consumer tokens that are needed for OAuth to authenticate a consumer to a service provider. These tokens can then be used by rogue applications to gain access to a victims twitter account. Continue reading “Summary of Talks Held at HITB 2013 – Day 1”

Continue reading