April 2016 – Insinuator.net

April 29, 2016 by Dominik Phillips

How ‘security’ black boxes might corrupt your investment

Usually I’m not the kind of guy who talks about such economic topics. Because I’m an engineer / security researcher who is exclusively concerned with understanding technical problems and if possible, solving them accordingly. My whole education is based on this and contains predominantly technical aspects of information security. This sometimes makes it difficult to understand what the market cares about (and why some products are being developed / exist on the market 😉 ). Nevertheless, a current engagement for one of our customers made me stumble upon such a product.

We were involved in a test where a security appliance (a black box 😉 ) played the core role. As you might know, the test procedure generally depends on the security question to be answered. In this case the question to be answered was, whether the black box provides the promised information security benefit. More specifically, we took a look at the environment / infrastructure, the protocols and the systems around it and checked if the black box does its magic. So the black box itself wasn’t in direct focus of the test. We were quite amazed about the blind trust the product received (but what else can one do, but trust the device they have already purchased ;-)? You can analyze it and that is what we did. Continue reading “How ‘security’ black boxes might corrupt your investment”

Events

April 25, 2016 by Wojtek Przibylla

SAP Security @ Troopers16

When it comes to SAP, Troopers has two events that are about Security in SAP Systems in particular. On the first day of the Troopers16 Trainings the BIZEC workshop takes place. The second event is a dedicated SAP track during the conference. Apart from these events there were of course a lot of nice folks to talk to (about SAP) 🙂 This post is a short overview about SAP security @ TROOPERS16.

Continue reading “SAP Security @ Troopers16”

Events

April 15, 2016 by Felix Wilhelm

Infiltrate and Syscan 360

Hi everyone,

I spent the last weeks traveling to Singapore and Miami to present my Xenpwn research about double fetch vulnerabilities in paravirtualized devices at Infiltrate and Syscan360. You can find my slides here. Both conferences had great organization, very technical talks and a cool audience. In the following I want to give a short recap of some of the talks I liked the most:

Continue reading “Infiltrate and Syscan 360”

Events

April 15, 2016 by Niki Vonderwell

Defense & Management Day 2

TROOPERS16 offered many different speakers from around the globe. Below are three different talks from the afternoon of Day 2’s Defense and Management Track. Continue reading “Defense & Management Day 2”

Breaking

April 11, 2016 by Niklaus Schiess

Discover the Unknown: Analyzing an IoT Device

This blog post will give a brief overview about how a simple IoT device can be assessed. It will show a basic methodology, what tools can be used for different tasks and how to solve problems that may arise during analyses. It is aimed at readers that are interested in how such a device can be assessed, those with general interest in reverse engineering or the ones who just want to see how to technically approach an unknown device.

This post will most likely not cover any vulnerabilities per se. However, it outlines weaknesses which affect a wide range of IoT devices so various aspects are applicable to other devices and scenarios.

Continue reading “Discover the Unknown: Analyzing an IoT Device”

Events

April 8, 2016 by Dr. Andreas Dewald

Summary GI Sicherheit

This is a short summary of selected talks (i.e. those that I found the most interesting of those I was able to personally attend) of the GI Sicherheit 2016.

First of all, congratulations to Dr. Fabian Yamaguchi, who received an award (the GI Promotionspreis) for his PhD thesis “Pattern-Based Vulnerability Discovery“!
His work presents an “approach for identifying vulnerabilities which combines techniques from static analysis, machine learning, and graph mining to augment the analyst’s abilities rather than trying to replace her” by identifying and highlighting patterns of potential vulnerabilities in source code.
Continue reading “Summary GI Sicherheit”

Events

April 7, 2016 by Hendrik Schmidt

TSD 2016 – Follow Up

Thanks again for all the great talks and fruitful discussions @TSD 2016! I hope everybody had a safe trip home and enjoyed Troopers as we did. In the meantime I contacted all speakers to talk about publication of their slidesets. Some of them agreed (or already published them on their own) so I’d like to share these with you:
Continue reading “TSD 2016 – Follow Up”

Events

April 7, 2016 by Christoph Klaaßen

Unpatchable – Living with a vulnerable implanted device

TL;DR: Marie Moe talked about security issues of medical devices, especially implantable devices like pacemakers, but not in overwhelming technological depth. She wanted to point out the necessity of intensified security research in the field of medical devices as vendors and medical personnel seem to be lacking necessary awareness of security of devices, interfaces, services, and even data privacy.”Get involved, join the cavalry” was her core message. Continue reading “Unpatchable – Living with a vulnerable implanted device”

Events

April 6, 2016 by Olga Yanushkevich

Security Assessment of Microsoft DirectAccess

A talk about DirectAccess (an IPv6-only VPN solution) was given by our colleague Ali Hardudi during IPv6 summit. Ali has recently finished his master thesis on this topic.
Continue reading “Security Assessment of Microsoft DirectAccess”