27 April 2016 marked a turning point for a lot of countries as well as a lot businesses worldwide: EU regulation 2016/679 (going by it’s more widely known name General Data Protection Regulation and abbreviated GDPR) was adopted by the European Parliament, the Council as well as the Commission [1]. Especially readers from countries outside of the EU might ask “Why should this be of interest for me?”. Continue reading “GDPR and Pseudonymisation – Easing the Pain of Regulation”
Continue reading17. Gulaschprogrammiernacht
Over one of the recent long weekends I attended the 17th “Gulaschprogrammiernacht”, or “GPN17” for short, in Karlsruhe, the largest CCC Event after the Chaos Communication Congress with roughly a thousand attendees. The name literally translates to “goulash programming night”, which makes about as much sense as the German version. Despite the name it lasted from Thursday to Sunday, had a much wider scope than just coding and offered various other (incl. vegan) dishes besides goulash. As an active member of the CCC community I planned on attending it anyway, but submitted my talk about Automated Binary Analysis in case there was interest. I didn’t anticipate that much interest given that it was a fairly theoretical IT-Security topic at an event that was not focused on IT-Security, but nonetheless the hall was filled with people from various backgrounds like math, formal verification and software optimization. The talk was an improved version of the one I gave at Bsides Ljubljana, incorporating feedback I received and new things I had learned since then. The English slides are available here, the recording of the talk in German can be found here.
Continue reading “17. Gulaschprogrammiernacht”
Continue readingDevOps, Continuous Deployment & Agile Security September 7, 2017
The following post is in German as it is covering an Event with German as the main language.
INSIGHT SUMMIT 2017 präsentiert DevOps, Continuous Deployment & Agile Security
Inspiriert durch die erfolgreichen Round Table Session der TROOPERS freuen wir uns Ihnen heute mit dem AgileSecurity Insight Summit 2017 eine weitere Veranstaltung in einer Reihe zu Trend-Themen im Bereich der IT-Sicherheit vorzustellen.
Die Veranstaltung beginnt am Morgen mit einer Keynote, gefolgt von Fallstudien und Vorträgen durch interne und externe Referenten aus der Industrie. Im Anschluss werden alle Teilnehmer in zwei Gruppen aufgeteilt, die nacheinander an beiden Round-Table Sessions teilnehmen. In den Round-Table Sessions werden unter Expertenmoderation typische Problemstellungen und Lösungsansätze diskutiert. Continue reading “DevOps, Continuous Deployment & Agile Security September 7, 2017”
Continue readingDocker Security & (Sec) DevOps Training July 19-20th
The following post is in German as it is covering a Training with German as the main language.
Professionelles Training im Workshop Character:
Docker, Microservices, Kubernetes, DevOps, Continuous
Integration/Deployment/Delivery (CI/CD), Container – moderne
Entwicklungsprozesse kommen nicht mehr ohne diese Begriffe aus. In diesem Kurs
lernen Sie die Security Grundlagen um diese Dinge zu beherschen.
Docker Security & (Sec) DevOps Training:
Im Training werden unter Anderem die folgenden Fragestellungen behandelt:
- Wie stark/zuverlässig sind die Isolationsmechanismen hinter Docker/Linux/Betriebssystem-Containern?
- Wie beeinflussen Container typische Applikations- und Netzwerk-Landschaften?
- Wie beeinflussen die CI/CD/Microservice Paradigmen traditionelle Entwicklungsprozesse?
- Wie sieht eine typische CI/CD Pipeline aus?
- Was sind potentielle Schnittstellen zwischen „Security“ und diesen Paradigmen?
- Welche zusätzlichen Security-Herausforderungen ergeben sich aus der veränderten Entwicklungslandschaft und neuen Tool-Chains?
Continue reading “Docker Security & (Sec) DevOps Training July 19-20th”
Continue readingActive Directory Security & Secure Operations July 18, 2017
The following post is in German as it is covering an Event with German as the main language.
INSIGHT SUMMIT 2017 präsentiert Active Directory Security & Secure Operations
Inspiriert durch die erfolgreichen Round Table Sessions der TROOPERS freuen wir uns Ihnen heute mit dem Active Directory Insight Summit 2017 eine weitere Veranstaltung in einer Reihe zu Trend-Themen im Bereich der IT-Sicherheit vorzustellen.
Die Veranstaltung beginnt am Morgen mit einer Hinführung zum Thema Active Directory Sicherheit gefolgt von Fallstudien und Vorträgen durch interne und externe Referenten aus Wirtschaft und Industrie. Im Anschluss werden alle Teilnehmer in zwei Gruppen aufgeteilt, die nacheinander an beiden Round Table Sessions teilnehmen (jeder Teilnehmer kann an beiden Sessions teilnehmen). In den Round Table Sessions werden unter Expertenmoderation typische Problemstellungen und Lösungsansätze diskutiert.
Continue reading “Active Directory Security & Secure Operations July 18, 2017”
Continue reading6th No-Spy Conference
Last friday Florian and me attended the 6th No-Spy Conference in Stuttgart, Germany. We gave a talk about surveillance and censorship on modern devices in North Korea and discussed various aspects with the attendees. The atmosphere was very welcoming and we had some nice discussions about various topics which allowed us to better clarify some things. The slides are available here.
Thanks to the organizers for having us!
Continue readingLooking back on RIPE 74
From May 8th to 12th I was able to attend the 74th RIPE meeting in Budapest, Hungary. Being rather new to the networking community, I enjoyed learning a lot of different things, not only from the various interesting talks but also from inspiring conversations with a variety of people from all areas during the beautiful social events.
As it was the first RIPE meeting for me, I was very thankful for the “Newcomer’s Introduction” on Monday morning, containing a RIPE and RIPE NCC 101. It was quite helpful to get into the mindset and understand the structure of the meeting, like the division into different working groups based on the participants’ interests. After familiarizing myself with the concept, I chose to attend several sessions on Address Policy, IPv6, Routing, Open Source, and DNS working groups besides the general plenary sessions. I’ll be reviewing those sessions here. Continue reading “Looking back on RIPE 74”
Continue readingRIPE74 / Why IPv6 Security Is So Hard
I’m on my way back from the RIPE74 meeting in Budapest. It was a great event: quite a few nice technical talks in the plenary, productive working group meetings and some really good hallway discussions.
Big thanks to the RIPE NCC team for the smooth organization and for taking care of us!
Continue reading “RIPE74 / Why IPv6 Security Is So Hard”
Continue readingGit Shell Bypass By Abusing Less (CVE-2017-8386)
The git-shell is a restricted shell maintained by the git developers and is meant to be used as the upstream peer in a git remote session over a ssh tunnel. The basic idea behind this shell is to restrict the allowed commands in a ssh session to the ones required by git which are as follows:
- git-receive-pack
- Receives repository updates from the client.
- git-upload-pack
- Pushes repository updates to the client.
- git-upload-archive
- Pushes a repository archive to the client.
Besides those built-in commands, an administrator can also provide it’s own commands via shell scripts or other executable files. As those are typically completely custom, this post will concentrate on the built-in ones.
Note: This has nothing to do with the also recently fixed vulnerabilities in gitlab [1] [2].
Continue reading “Git Shell Bypass By Abusing Less (CVE-2017-8386)”
Continue readingOne Step Closer – RDNSS (RFC 8106) Support in Windows 10 Creators Update
Good Afternoon,
It is a pleasant surprise for many (us included) that Microsoft implemented support for the RDNSS (RFC 8106) option in Router Advertisements beginning with the Windows 10 Creators Update. Interestingly, I wasn’t able to find any official documents from Microsoft stating this. As we are involved in a lot of IPv6 related projects for our customers, the lack of RDNSS support for Windows and DHCPv6 for Android is a major pain point when implementing IPv6 in mixed client segments, as you need to implement both mechanisms to ensure that all clients do get the relevant network parameters. I won’t beat on the dead horse, but Microsoft’s decision is a huge step in the right direction and one can hope that one day Google finds a “compelling use case” to implement at least stateless DHCPv6 for Android. Continue reading “One Step Closer – RDNSS (RFC 8106) Support in Windows 10 Creators Update”
Continue reading