In Depth Security Vol. II (ebook)



This book contains a broad spectrum of carefully researched articles dealing with IT security: the proceedings of the DeepSec In-Depth Security conference, an annual event well known for bringing together the world's most renowned security professionals from academia, government, industry, and the underground hacking community. In cooperation with the Magdeburger Institut für Sicherheitsforschung (MIS) we publish selected articles covering topics of past DeepSec conferences. The publication offers in-depth descriptions which extend the conference presentations and include a follow-up with updated information. Carefully picked, these proceedings are not purely academic, but papers written by people of practice, international experts from various areas of the IT security zoo. You will find features dealing with IT security strategy, the social domain as well as technical issues, all thoroughly researched and highly contemporary. We want to encourage individuals, organizations and countries to meet and exchange, to improve overall security, understanding and trust. We try to combine hands-on practice with a scientific approach. This book brings it all together.

Number of pages: 420




Citation: Schumacher, S. and Pfeiffer, R. (Editors). (2017). In Depth Security Vol. II: Proceedings of the DeepSec Conferences. Magdeburg: Magdeburger Institut für Sicherheitsforschung

Supplementary material and further information are available at

Table of Contents

Editors Preface

Stefan Schumacher and René Pfeiffer

It’s About the Administrative Costs

Marcus J. Ranum

A Death in Athens – The Inherent Vulnerability of »Lawful Intercept«

James Bamford

Social Engineering – The Most Underestimated APT

Dominique C. Brack

Bypassing McAfee’s Application Whitelisting for Critical Infrastructure Systems

René Freingruber

Extending a Legacy Platform – Providing a Minimalistic, Secure Single-Sign-On-Library

Bernhard Göschlberger and Sebastian Göttfert

Cryptographic Enforcement of Segregation of Duty

Thomas Maus

HVACKer – Bridging the Air-Gap by Manipulating the Environment Temperature

Yisroel Mirsky and Mordechai Guri and Yuval Elovici

Revisiting SOHO Router Attacks

Álvaro Folgado Rueda and José Antonio Rodríguez García and Iván Sanz de Castro

Applicability of Criminal Law and Jus ad Bellum to Cyber-Incidents

Oscar Serrano and Florin-Răzvan Radu and Ele-Marit Eomois

Malicious Hypervisor Threat – Phase Two: How to Catch the Hypervisor

Mikhail Utin

CSP Is Dead, Long Live CSP! –

Lukas Weichselbaum and Michele Spagnuolo and Sebastian Lekies and Artur Janc

BadGPO – Using Group Policy Objects for Persistence and Lateral Movement

Immanuel Willi and Yves Kraft

ZigBee Exploited – The Good, the Bad and the Ugly

Tobias Zillner

How to get Published in this Series

Editors Preface: In-Depth Security

Stefan Schumacher and René Pfeiffer

Information security and technology have not changed much since we published the first collection of articles from presenters and researchers who spoke at past DeepSec conferences. Of course the Internet of Things has grown. We have more connected devices. There are more applications in the app stores. Code has changed. New versions of operating systems have arrived. Social media has more users than before, either active or passive. Yet we have new attacks, new strains of malicious software, data leaks in companies both small and very big, issues with security in protocol design, and not enough eyes and brains to look for vulnerabilities and suggest fixes or at least workarounds.

Information security is an ongoing struggle. This is normal, since everybody learns that the state of security is not static. There are always changes. There are always questions to ask and facts to check. This is not a purely technical domain. Security is an interdisciplinary field of activity. Mathematics, physics, computer science, linguistics, and social sciences such as psychology all contribute to the results. This is and was a strong motivation for us to keep collecting articles for the DeepSec Chronicles. The amount of information we have to process is gigantic. This is also true for any project in research. The DeepSec Chronicles’ aim is to provide you with a condensed version of the findings. This is one of the key attributes of DeepSec’s in-depth security conference. Facts and reproducibility will get you anywhere you want in science. This is also why the informal motto of DeepSec was changed to the slogan Science First! in 2017.

Everyone affected by security vulnerabilities has to get a chance to improve their defences, by patching systems or by avoiding as much damage as possible. A main part of this effort is the publication and exchange of information about bugs and vulnerabilities in systems. How security-related information should be disclosed is a matter of ethics. However, knowledge of the flaws discovered must be accessible to the public. Security can never be achieved by putting a veil over code designed to fail. Vendors, developers, governments, and security researchers have to combine their efforts and must not work against each other.

Furthermore, we want to encourage security researchers to use and stick to science. Sadly, the scientific method is not as widespread in IT security as it is in other disciplines. We would like to improve the current state of affairs. The proceedings you are reading right now are our second small step towards this goal. We intend to follow it up by yet again compiling new proceedings of hot topics in IT security – both in-depth and with the proper amount of research.

The editors wish to thank Susanne Firzinger and Florian Stocker for their help in creating this book. Furthermore, we would like to thank all the helpers who made the DeepSec conferences possible, and we thank our families for their continued support.

Stefan Schumacher

Stefan Schumacher is the president of the Magdeburg Institute for Security Research and editor of the Magdeburg Journal for Security Research in Magdeburg, Germany. He started his hacking career before the fall of the Berlin Wall on an East German KC85/3 home computer with a 1.75 MHz CPU and a Datasette drive.

Ever since, he has liked to explore technical and social systems with a focus on security and how to exploit them. He was a NetBSD developer for some years and has been involved in several other Open Source projects and events. He studied Educational Science and Psychology and does a lot of unique research on the Psychology of Security with a focus on Social Engineering, User Training and the Didactics of Security and Cryptography.

He is currently leading the research project Psychology of Security, where fundamental qualitative and quantitative research about the perception and construction of security is done. He presents the research results regularly at international conferences like AusCert Australia, Chaos Communication Congress, Chaos Communication Camp, DeepSec Vienna, DeepIntel Salzburg, Positive Hack Days Moscow or LinuxDays Luxembourg and in security-related journals and books.

René Pfeiffer

René Pfeiffer is one of the organisers of the annual DeepSec In-Depth Security Conference. He is self-employed in information technology, lectures at the Technikum Wien, and has been involved with cryptography and information security for over 20 years.

Magdeburg and Vienna, October 2017

It’s about the administrative costs

Marcus J. Ranum

Everything that’s old is new again, and if you work in security long enough, you’ll see the same ideas re-invented and marketed as the new new thing. Or, you see solutions in search of a problem, dusted off and re-marketed in a new niche. I’ll talk about some of that, and make a few wild guesses for where this may wind up. Spoiler alert: security will not be a »solved« problem.

Citation: Ranum, M. J. (2017). It is about the administrative costs. In S. Schumacher and R. Pfeiffer (Editors), In Depth Security Vol. II: Proceedings of the DeepSec Conferences (Pages 1–4). Magdeburg: Magdeburger Institut für Sicherheitsforschung

1 It’s about the administrative costs

Computer Security’s problems have mostly been a result of bad system administration. The whole regime of patch/vulnerability management that took over the industry in the early 2000s revolves entirely around the problem of applying fixes to buggy software on endpoint devices. Meanwhile, some interesting things have happened in the last decade; we see the rise of cloud computing, software as a service (SAAS), bring your own device (BYOD), and personal handsets as a substitute for desktops. The common trend-line running through all of those happenings is system administration. More exactly, it is the cost of system administration.

The most successful smartphones in the US run iOS, an operating environment that has been designed to reduce system administration costs to nearly zero. Cloud computing amortizes the cost of professionalized system administration into a one-time expense that is shared across an entire customer-base. SAAS solutions further refine the system administration cost story, removing the cost of software versioning and suite management. Put differently: the main thing that’s nice about Google’s gmail service is certainly not its user interface – it’s that the user pays nothing to set it up and maintain it. One profound side effect of this sea-change toward aggregated system administration is that security is left in a difficult position: its role is being outsourced piece-meal in multiple directions.

Management, for over a decade, has been saying »do more with less« and »process, not people« – along with »use off-the-shelf software« and »we don’t do in-house development.« Those are also implicit critiques of the cost of system administration. While computing has enabled some transformative businesses, those transformations have tended to be server-centric, residing in a data-center. The desktop, with its vulnerabilities, browsers, and malware, remains a time and money-consuming loss-leader. This is nothing new, in fact it’s very old. Systems like MIT’s Project Athena, and Bell Labs’ Plan-9 were designed to make endpoints reliable and disposable, with near-zero incremental system administration cost. That’s why cloud computing and SAAS are the current ultimate »do more with less« – they offer companies the ability to jump in and start doing things right away, and to scale in a manner that is linearly predictable. In-house development, in-house security, and occasional unpredictable desktop security breaches: those are nothing for management but an annoying bottomless downside.

The security world is about to get crushed from all sides. From the top, cloud computing is pulling away enterprise-class responsibility, replacing it with audit and data governance. From the bottom, BYOD and portable devices threaten to obviate the desktop administration problem entirely. BYOD represents a transfer of the burden of system administration onto the user. The remaining crush, from the side, comes from new desktop management paradigms that may finally remove system administration as a headache. Amazingly, Microsoft has not yet reacted effectively to the threat posed by iOS-style devices as desktop replacements, but they will, eventually (typical of Microsoft: probably too late). Surprisingly, there has not yet been a general business-level shift to Apple desktops; however, the new generation entering the workforce may change that. Bear in mind that Apple desktops and iOS devices are popular primarily because of the near-zero system administration load.

Computer security has put itself even more directly in the line of fire through some of its more recent practices. Standards such as PCI, and a focus on penetration testing and audit, amount to increasing the pressure on, and cost of, system administration. While audit regimes are probably the right thing to do, they’re making a bad situation worse and will simply help encourage more SAAS services that remove/hide the additional cost of compliance. Security’s love of compliance (which I admit I share!) amounts to putting out a fire with diesel fuel.

Unfortunately for us, »penetrate and patch«, as enshrined in vulnerability management, remains the primary tool available to security – despite the fact that it hasn’t worked in the last 20 years and isn’t ever likely to. What will work is automation and professionalization of system administration, with security being folded in as a sub-specialty of release management: the audit and governance components of security will remain but will no longer merit a large budget or role. We already see this happening in organizations where processing has moved to cloud or SAAS; security gets to review a service-level agreement to verify that the provider’s paperwork includes the necessary bullet points. There will, of course, be work for security practitioners: analysts at security-as-a-service companies, operations analysts, knowledge-builders who maintain the knowledge bases that automate security recommendations.

Security needs, above all, to focus on its impact on and relationship to management cost, because in the long run we’re going to be judged on system administration’s failures. For the system administrators, professionalizing and automating is the only way out: replace the ongoing burden of administration with a one-time cost to deploy and automate configuration management. When you read about how Google’s system administration practice is so automated that administrators only pull systems from and put them into racks, you’re seeing the future.

A standard complaint of security managers is that »security needs to learn how to talk to the business.« It’s true; the business talks in terms of metrics, and computer security is hopelessly mired in fear, uncertainty, and doubt – quoting nonsense numbers like »80% of security incidents are inside jobs.« If you think about that for a minute you’ll realize that such a metric is useless, and probably incorrect anyway. Security practitioners need to understand metrics, and so do system administrators. Security practitioners should look at network operations center management measurements, or availability measurements from cloud system administrators. If you look at those, you will notice one thing immediately: producing such measurements requires administrative practices that are standardized, centralized, and highly automated. Measurable and predictable computing environments do not look like today’s enterprise, with its mishmash of desktops running a variety of configurations, some users doing local administrative tasks and installing whatever software they like, endlessly chasing the tail of vulnerability management. The security practitioners and system administrators who come out the other side of the 2020s happily employed are going to be the ones who embrace a shift away from the 90’s way of doing things; the desktop revolution is dead – long live the revolution!

2 About the Author

Marcus Ranum has been building security products and businesses since the late 1980s. He has held every job in start-ups from coder and presales support to founder and CEO, has spent thousands of hours speaking and teaching about security, and still wonders if technology will ever get any better. He writes a regular column for SearchSecurity, and blogs at the freethoughtblogs collective as »stderr«. He despises social media and politicians.

A Death in Athens

The Inherent Vulnerability of »Lawful Intercept«

James Bamford

I will discuss the »Athens Affair,« the subject of a recent investigation by me in The Intercept. In 2004, the NSA and CIA worked secretly with the Greek government to subvert Vodafone and other telecom companies in order to conduct widespread eavesdropping during the 2004 Athens Summer Olympics. The NSA agreed, however, to remove the spyware once the games were over. But rather than remove it, they instead secretly turned it on the top members of the Greek government and members of the Greek public, including journalists. When the covert operation was accidentally discovered, however, a Vodafone engineer involved was found dead, either by suicide or murder, and the death was officially connected to the bugging operation. I will show how the operation was pulled off, by recruiting an inside person, then subverting the company’s »lawful intercept« program, and transferring the data back to NSA headquarters at Fort Meade. The episode demonstrates the enormous vulnerability of widespread »lawful intercept« programs, and government backdoors in general, and also how the NSA often uses a »bait and switch« in its operations – promising to help find terrorists, but really spying on the host government and local population instead.

This paper is a transcript of the talk held at DeepSec 2015.

The slides can be found online in Bamford, J. (2016). A Death in Athens: The Inherent Vulnerability of »Lawful Intercept«. Magdeburger Journal zur Sicherheitsforschung, 12, 725–741. Retrieved September 2, 2016, from

Citation: Bamford, J. (2017). A Death in Athens: The Inherent Vulnerability of »Lawful Intercept«. In S. Schumacher and R. Pfeiffer (Editors), In Depth Security Vol. II: Proceedings of the DeepSec Conferences (Pages 5–14). Magdeburg: Magdeburger Institut für Sicherheitsforschung


Thanks very much, it's great being here. I love being in Vienna, it’s a terrific place to do a talk.

I used to come here a lot when I was covering the cold war for ABC News. My job was chasing spies here in Vienna. And one of my most memorable times was being arrested by the Secret Police and then interrogated for two hours.


I was after this guy: Zoltan Szabo. He was one of the most wanted American spies. He was running a big spy ring here in Vienna, he was a former US Army officer and I wanted an interview with him. So it took me about a week to find him, he was hiding out, but I found him and I wanted to follow him around Vienna for about half a day, just to see where he went before I'd approach him for an interview. What I didn’t know was that the Austrian secret police were also following him and they couldn’t understand who I was. So, after about an hour or two, they pulled me over and pulled me out of my car and took me down. They thought I was an assassin from the communist countries, trying to assassinate Szabo, who had defected to the West here to Austria. So, anyway, that was my last experience here in Vienna, so I’m happy to be here not under interrogation and to give my little talk.


One of the reasons that I’m giving this talk here today is I did a piece for the Intercept Magazine a few months ago, basically on this case in Athens, and I’ve always been fascinated by it for years. There was this event in Athens, where this huge bugging operation was discovered. It was an enormous scandal in Athens, it was basically like Watergate in Athens. It was discovered that somehow, someway, somebody was bugging the major actors of the government, the prime minister, his wife, the Mayor of Athens, most of the top officials in Greece. That was back in 2004 during the Olympics there. It became a big scandal, but nobody knew what to do with it, because nobody knew who did the bugging. I mean they did a number of investigations in Greece but they didn’t come up with much evidence. Well, I interviewed Ed Snowden last summer, I spent three days with him in Moscow, hanging out with him when I did the cover story for Wired. So, in addition to interviewing him I also got access to Snowden’s documents, and going through them I saw documents that dealt with the bugging of the Greek government and the bugging of the Greek telecom system, that had never been revealed before. So, I really started to look into it and I found a number of sources in Washington - that’s sort of what I do, I specialize in Intelligence. So I had some top NSA, CIA officials I talked to and one of them told me that yes, it was an NSA bugging operation, not only that, it was a rogue operation: It was an operation that was done without the permission of the CIA Chief of Station in Athens.

Just recently I did a piece on the attack in Paris. It just came out a couple of days ago in Time.

One of the things that the Director of the CIA came out with this week was to basically blame Snowden for the fact that the US failed in its attempt to discover this attempt before it happened. So I wrote a piece basically saying it had nothing to do with Snowden, it was just bad intelligence. The NSA has missed virtually every intelligence or every terrorist incident since the beginning, so it wasn’t really any big surprise.


This is the person that was involved in the Athens affair: Costas Tsalikidis was a really interesting guy, he had his master’s degree in Electrical Engineering, he got that in the UK, he was about to be married, he was happy, he was living a very good life in Athens - And then he was found hanged. He was hanging in his apartment, from the ceiling leading into the bathroom. What had happened was, the day before the CEO of Vodafone, the big wireless company in Greece, discovered malware, a huge piece of malware, and they had it removed. And the next day Costas was found dead. So, obviously this led to questions. How did this happen? What was Costas’s connection? And again, there was no answer because there were no leaks from the US, nothing came out, and again, this was one of the reasons I decided to look into this.


Here’s one of the documents. I’ve been writing about NSA forever - but this is one of the very few times where you can trace an NSA operation from the very beginning to the very end and show exactly how the whole thing worked. So the very first thing is - you know, this should be a wake-up call for the governments in Europe or actually anywhere around the world, South America and other places - is the NSA will come into a country and they’ll say: »Look, you’re going to have the World Cup, or you’re going to have the Olympics, or you’re going to have some big event: You need us, because we can tell you when there’s going to be a terrorist event, because we can search through all the communications, so have us come in, have us bug your whole telecom system and we can help you. You know, we’re here to help you.«

So, that’s what they did, they got the permission from the Greek government to come in and do the bugging and what this document here from the Snowden archive talks about is they’ve been doing this for years. The NSA has been going around to various Olympic venues saying »We’re here to help.« and »Let us come in, bug all your phones and when the event's over we’ll disappear and you’ll never hear from us again.« So that’s pretty much what NSA’s pitch was to the Greek government.


So, that’s the agreement. This was from one of my Intelligence sources: »The Greeks identified terrorist nets, so NSA put these devices in there and they told the Greeks, ›Ok, when it’s done we’ll turn it off.‹«

So, my information is coming from both Snowden documents and also from Senior NSA Officials.


One of the key things, and this is something that’s very rarely discussed, especially by NSA or the CIA, is, when they wanna do this kind of operation, you can do a fair amount remotely, but if you really want to get in there and get a lot of intercept done you really prefer to have an inside person. Somebody in the country, who works for the telecom system. In this case it’s the CIA that actually goes in there and recruits a spy, that’s their job. CIA is Human Intelligence, NSA is technical. So they had a CIA person that went in there and this is what my Intelligence source said. You can just read it on the Slide.


NSA collects the technical side but they need the human aspect so they really need the CIA to do that. So, the CIA comes up with a recruiter. This was the recruiter. He looks like Santa Claus; actually this was one of the few public shots of Basil. Basil was never known until I did the story. I found out who he was and I did a lot of investigation about who he was and where he came from and how he did his work and everything for my article. He was the chief recruiter in Athens for the CIA, recruiting local Greek citizens to spy for the US. He had one picture taken for Facebook and he put this phony beard on, I think it’s glued on or whatever, to hide his face. His family was on either side, so I’ve managed to find that picture, and here’s a picture I got from the Greek government, it was his passport picture. Here’s another picture of him from a visa, and this is a picture I found: His daughter got married in Greece and I managed to find the photos of the wedding. He was trying to hide from the photographer. You can see as soon as he saw the photographer he put his head down, he didn’t want any pictures taken. So, this is the CIA official that was involved in the case. Again, he wasn’t really known until he was exposed in this story here. One of the things that made Basil really useful was his parents were born in Greece, he’s been back and forth to Greece a great deal, he spoke Greek fluently like a native, he knew everything about the culture.


This is Basil as a young kid, over when his father got re-married on one of the Greek islands; we got that from one of his relatives. So, and this was his business card, he was posing - that’s his cover title - as a Secretary of Regional Affairs for the Embassy, in reality he was a CIA covert officer.


So Costas was the perfect inside person, if the CIA wanted to recruit somebody. He was a 39-year-old telecom engineer, he was a network planner, manager, he’d risen up the ranks, he’d been there, I think, a dozen years. So, if someone wants to recruit somebody - that’s Costas, inside the Vodafone facility - he would be the perfect person.


That’s his brother. I interviewed his brother and he said Costas was living a happy life, he was doing very well right up until the time they found his body hanging. Nobody could understand why he would commit suicide, there was no real reason, he was fine financially, about to get married, he had a nice living, but ironically he was found dead the day after the bugging was discovered.


So, once you recruit the inside person, the next thing is to develop the malware to take control of the system, to take control of the network basically, to take control of Vodafone, of all of the cell phones in Greece, that are using the Vodafone system, and that was the biggest system there.

NSA developed a procedure, known as Lawful Intercept. Well, let me back up. Lawful Intercept is a program that goes with most telecom systems. If you’re Vodafone and you’re buying a big system, the company you’re buying it from, in this case Ericsson, will also supply you with a program known as Lawful Intercept: a program that, if the government wants to monitor somebody's phone, a suspect’s phone, legitimate monitoring of criminal activity or whatever, has the technical capability of doing that. It’s called the Lawful Intercept System.

So it comes as a package. Vodafone got it from Ericsson, Costas actually was the person who signed for it. The problem was the Greek government didn’t have any capability for doing eavesdropping. All they had was a very rudimentary alligator clip type of bugging system, they didn’t have any very wide-spread system for eavesdropping, so they never needed the Lawful Intercept Program, so Vodafone never bought it, or they had it, but they never paid for the digital key to turn it on.

It costs tens of thousands of Euros to pay Ericsson to actually turn it on, so they never turned it on. So that was the perfect opportunity for NSA. NSA developed malware. You see the document on this slide here, the one that reads »Top Secret // (S//SI//REL) TO USA, FVEY. Exploiting Foreign Lawful Intercept (LI) Roundtable« - This was the NSA’s program, and this is one of the top secret slides from Snowden. This was the NSA’s basic internal round table about how to turn Lawful Intercept Programs to their use. The way the system worked was the NSA developed this malware that they put into the system that would not activate the – actually let me go to the next slide, I think it will reveal a little bit more -


There are two parts of the Lawful Intercept System. The first one is the Intercept Management System and that basically creates an audit trail. If you’re the Greek government, you wanna come in, you wanna eavesdrop on James Bamford, cause you think he’s a spy, then you turn that over to Vodafone and Vodafone will put my name and my phone number into that first program, the Intercept Management System, the IMS. That will keep a record of the Intercept.

The second part, the RIS, will actually initiate the tapping, that’s actually doing the tap. So the malware that NSA came up with bypassed the first part and secretly turned on the second part, without ever notifying Ericsson that they were turning on the system, without the key or whatever. If anyone looked at it, it would seem that there is no activity, when in reality they are doing a great deal of eavesdropping. That was the way NSA has been using the system in countries around the world, countries who don’t necessarily use the Lawful Intercept Program, or even do. The NSA would come in there and secretly turn that system to their own use.


And this again is from another slide from Snowden, it shows all the different places the NSA used this technique of Lawful Intercept.


That’s one way into the system. The NSA uses a variety, and Duncan (Campbell) did a really excellent job to help me by explaining how these other systems work.

So in addition to eavesdropping, using the system I just mentioned, subverting the Lawful Intercept, they have other ways.

FORNSAT, that is foreign satellite interception – these are all top secret slides from Snowden – the map on the right shows where all these FORNSAT locations are, those are big satellite dishes intercepting satellite communications.

Microwave (F6), that was the system that Duncan mentioned, the Special Collection Service, those little huts on the top of Embassies. What they do is they collect the microwaves passing through the city. So they’re getting all the local communication. And because the embassy is usually along an embassy row or in an embassy area, you’re getting a lot of foreign embassy communications as well as federal or national government communications. So, F6 is the internal code for Special Collection Service.

Special Source Operations, SSO, is the section of the NSA that works with the telecom companies. In other words they would work with AT&T to secretly get AT&T to eavesdrop on US communications, in this case they probably worked with Vodafone to get access.

TAO, Tailored Access Operations - these are the ones who would actually do the malware, they are the ones who would have created it. So all these groups, according to the Snowden documents that I had, people from all these groups were sent to Athens to do this work.


So basically, now you’ve got the agreement of the government, you’ve got the inside person, you’ve got the malware, you’ve got the external intercept operations going, what now was needed was some way to get the information after it’s been collected, after it’s been intercepted basically, in Vodafone. Now as phone calls will come in from the targets, a duplicate will be made of those signals and the duplicate signal will be sent out to an NSA facility. So you need some way to get that signal out and normally, in a normal case they would go out to the law enforcement agency of Greece or whatever, if this was a legitimate wiretap. But since it wasn’t a legitimate wiretap NSA had to find another way to do that. So they came up with a whole bunch of - basically they are called shadow phones, phones that are untraceable. They go round to a lot of places to buy these phones that are untraceable and then the signals get transmitted to these phones.

And once they are transmitted to these phones, the phones then transmit them to another location, which is the NSA’s secret location, where they have the ability to store and analyze the communications. But if anybody did trace them, if anybody did follow the signals, they only would go to these untraceable cell phones and go no further. So this was a very good set-up: You got the agreement of the government, you put them in there, look for terrorists during the Olympics, keep everybody happy, get an inside person there, you get the malware, then you exfiltrate the intercepted communications to these untraceable cell phones and they transmit it to the NSA.


So what happens now? The Olympics are all over. You know they have a closing ceremony, that was supposed to be the end of the operation, the NSA was supposed to take it all out, fly back to Fort Meade and say goodbye to the Greek government and the Greek telecom system. The problem was, according to my confidential source, they never removed it, all they did is they turned it off for a day and then they turned it back on again. But now instead of going after the terrorists, which was the whole raison d'être for the operation in the first place, now they’re secretly turning it on the Greek government, they’re turning it on the prime minister, his wife - I don’t know why, but they did - the Mayor of Athens - that will keep us safe by knowing what the Mayor of Athens is telling us. This is total overreach by the NSA, but this is what they do, this is one, just one little example, you can extend this around the world to other places. I mean it came out that in Germany they have been bugging Angela Merkel and so forth, and so, this is just standard operating procedure on a mission according to a senior NSA source. I asked »You know, is this unusual or what?« And he laughed and said »They never remove it. Are you kidding? Once you got it in there you leave it in there.« So that’s just standard operating procedure for NSA.


Then, everything is going fine, the Olympics are over, the NSA is doing their illegal eavesdropping and then something happened. Somebody made a reboot or some change in the Vodafone system or updated the system, a routine update or whatever, but because of that it screwed up the NSA system. And as a result of that it stopped a number of text messages from going out, so Vodafone began getting complaints from customers that weren’t getting text messages. That set off something like a burglar alarm at Vodafone, you know, all of a sudden the system isn’t working, so they sent all their data to Ericsson for a technical analysis. On March 8th Ericsson sent back the Vodafone report saying »Sorry folks, but you got a huge bug in your system there. 6500 lines of a piece of code of malware. So you got a huge problem, you got a very big bug in your system for some reason.« Then the CEO of Vodafone made a bad mistake, whether he did it on purpose or not nobody can know at this point, but he immediately got rid of that malware. The problem with doing that is - I mean, the good thing is you get the malware out, the bad thing is there’s no way to do a forensic analysis now. You can’t figure out where it came from, you can’t trace it back very well, it’s like destroying the evidence. Anyway, the next day Costas was found dead. Costas’ brother was going to Costas’ apartment and he walked in and saw his brother hanging from the ceiling. A horrible, horrible event.


So then there were a few pieces of technical details that the Greeks could trace back. And they were able to trace the signals, some of the signals being sent to some of the phones, the supposedly untraceable cell phones. And what they did was, they saw the signals all went in the direction of the US Embassy. So you know, there’s a fairly big clue there. But there was no smoking gun. Again, they didn’t have the Snowden documents that I had, they didn’t have the sources I had, that told me these things, all they had were diagrams that told them where the signals were going.


So, after a decade of on-again and off-again investigations - the Greeks, to give them credit, they were really trying to find this out, but you know, how do you find these invisible signals? It’s really, really difficult. One of the things they were able to find though, was that some of the cell phones were bought from a particular cell phone store. They were able to trace them back and find out who purchased them. The owner of the cell phone store actually recognized, when the Greek investigators showed him pictures, Basil’s wife as the person who purchased those shadow phones. Well, there’s a big clue right there. That’s how Basil came into the picture in terms of the Greek investigation. In addition to that they were very sloppy. The CIA, it’s not what you see on television, it’s a very sloppy organization most of the time. They used some of these untraceable cell phones to make calls to Maryland where NSA is, to the Embassy and all that. So they were able to see that these shadow phones, bought by the CIA officer’s wife, were actually being used not only to collect the intercepted signals but then to make phone calls to the Embassy and even to Maryland, even to the place where Basil used to live, near NSA. So this was very sloppy and as a result there’s now an arrest warrant out for Santa Claus. He hasn’t come back to Greece since and that’s really sad for him actually, because he has a house on a little island in Greece, his wife’s actually living in Athens. His wife is ethnically Greek also, and he, according to documents I found, planned to retire in Athens. Well, that’s out of the window right now, unless he wants to spend his retirement in a Greek jail. So the Greeks are after him, he hasn’t surfaced, I found him, his location is in the US of all places, and sent e-mails and phone calls to him and all of his relatives, his wife, his son, his daughter and everybody, but he never got back to me, big surprise.
So he’s disappeared to some place in the US and if he ever goes back to Greece there will be an arrest, there will be a trial, and the trial will be very interesting, because all of this will come out, which is exactly why he will never go back to Greece and why the US won’t send him back.


Anyway Costas’ family is still hoping for answers. Hopefully, maybe there will be some answers sent from the US government, but I really doubt it. And one of the things they did in 2011, they asked some coroners to re-examine some of the documents that the original medical examiners produced. Among the people they asked was a pathologist from the United States, from San Francisco, somebody who has a lot of medical experience in terms of looking into causes of death and so forth. He went to Athens, looked into it all and he thought the whole original examination was very, very sloppy. He didn’t actually think that there was a suicide, he thought, you know, it might be murder. So, I’m not big on conspiracy theories, but there it is, there’s a medical examiner from San Francisco, who did say, that, from looking at the photos and the autopsy report, he didn’t think it was suicide, he thought it could be murder or some external cause.

So what are the possibilities? There are a couple of possibilities here. One is Costas was the inside person and he thinks he’s doing something very patriotic. He’s bugging the system to find terrorists. Because somebody either from Greek Intelligence or Basil posing as what they call a false flag, pretending he’s from the Greek Intelligence, said to him »We’re trying to catch terrorists, so you’re doing something very patriotic here.« And then all of a sudden he discovers they’re not looking for terrorists, they’re bugging the top people of the government. It’d be like me or somebody from the US working for AT&T, just trying to do something honorable, suddenly discovering they’re bugging President Obama, his wife and everybody else from the top members of government.

Can you imagine the scandal? I mean facing your family, the public, everybody after it is discovered that you’re the guy who put the malware in there that caused that?

I mean that would be a good excuse for a suicide.

On the other hand he may not have been the inside person, there are other people who could have been the inside person, and Costas could have been the person who discovered the malware and wanted to report it to the press or the public or expose it somehow, and someone didn’t want him to expose it and explain that Vodafone was bugging all these senior members of government. I mean that would have been a good reason to bump him off. So, these are questions that haven’t been answered, but at least we’ve moved down the road quite a bit to show how it happened, who’s responsible, why it happened and so forth.


Anyway that was my talk, and we have ten minutes left, so if anybody has some questions left I’m happy to take them.

1 About the Speaker

James Bamford is a columnist for Foreign Policy Magazine, a contributor to Wired magazine, a documentary producer for PBS, and a bestselling author. He is widely noted for his writing about the United States intelligence agencies, especially the highly secretive National Security Agency. The New York Times has called him "the nation’s premier journalist on the subject of the National Security Agency." And in a lengthy profile, The New Yorker referred to him as "the NSA’s chief chronicler." His most recent book, The Shadow Factory: The Ultra-Secret NSA From 9/11 to The Eavesdropping on America, became a New York Times bestseller and was named by The Washington Post as one of "The Best Books of the Year." It is the third in a trilogy by Mr. Bamford on the NSA, following The Puzzle Palace (1982) and Body of Secrets (2001), also New York Times bestsellers.

In September 2014 he wrote a cover story for Wired magazine based on his three days in Moscow with fugitive NSA whistleblower Edward Snowden, the longest any journalist has spent with him there. In addition, he has written for the New York Review of Books, New York Times Magazine, The Atlantic, Harpers, Rolling Stone, and many other publications.

In 2006, he won the National Magazine Award for Reporting, the highest honor in the magazine industry, for his writing in Rolling Stone on the war in Iraq. He also writes and produces documentaries for PBS, including The Spy Factory, based on his most recent book, which was nominated for an Academy Award in 2010. His most recent documentary for PBS, Cyber War Threat, aired on October 14, 2015.

Throughout the 1990s, Mr. Bamford served as the Washington Investigative Producer for ABC’s World News Tonight with Peter Jennings, where he won a number of journalism awards for his coverage of national security issues. In 2005, he released A Pretext for War: 9/11, Iraq and The Abuse of America’s Intelligence Agencies, an examination of the intelligence community from the attacks of September 11 to the war in Iraq, which was also a bestseller.

Mr. Bamford holds a Juris Doctor degree; was awarded a Polymer fellowship at Yale Law School; received a postgraduate diploma in International Law from the Institute on International and Comparative Law, Université Panthéon Sorbonne; and taught at the University of California, Berkeley’s Goldman School of Public Policy as a distinguished visiting professor. He has been a member of the defense team in a variety of high profile espionage and whistleblower cases, including the case involving NSA whistleblower Thomas Drake. He currently lives in Washington, DC after four years in London.

Email: [email protected]

Facebook: [email protected]

Twitter: @WashAuthor

Social Engineering - The Most Underestimated APT

Hacking the Human Operating System

Dominique C. Brack

Social Engineering is an accepted APT and is going to stay. Most of the high-value hacking attacks feature components of social engineering. Understanding the methods and approaches used behind the scenes of Social Engineering will help you to make the world a safer place. Or make your attack plans more successful. This article is based on a book I recently wrote about Social Engineering. As a bonus I will present the readers with a free download code for ebook versions (PDF, epub, mobi) of my book for further study.

Citation: Brack, D. C. (2017). Social Engineering - The Most Underestimated APT: Hacking the Human Operating System. In S. Schumacher and R. Pfeiffer (Editors), In Depth Security Vol. II: Proceedings of the DeepSec Conferences (Pages 15–60). Magdeburg: Magdeburger Institut für Sicherheitsforschung

1 Social Engineering

As a senior security professional I work with many clients: international, local, governmental and defence clients in highly sensitive settings (politically or regulatory). For them, I am always going the extra mile or two. Some of my clients experienced highly sophisticated spear phishing attacks and attempts of industrial espionage. To address these types of attacks I started to collect best practices and I have developed additional methods for dealing with Social Engineering in its many facets. Soon I realized that the problem of Social Engineering is systemic and grossly underrated even by security professionals. Social Engineering has progressed and professionalized more than you think. It is disastrously effective. In order to address this issue, to raise awareness and to be able to communicate my findings to all of my clients and other people at the same time, I decided to take action. Together with my business partner in Germany, I wrote a book. »Social Engineering Engagement Framework (SEEF) – FIRST CUT« is available as paperback and ebook. As a supporter of the DeepSec conference you, dear reader, will be given a download code for a free download of the complete ebook and its Social Engineering icons. You will find the download code in the Appendix of this article, at the end of this chapter.

The following article is an excerpt of our book, a summary of its most important parts.

When it comes to Social Engineering the media often refers to people as »the weakest link«. On the contrary, I actually believe that people are the strongest and best link you will ever have to fight Social Engineering. People are flexible when it comes to decision making and they are able to execute tasks based on intuition. Many amazing tasks were only achieved because people are not machines but human beings, who sometimes make irrational decisions. No machine would rescue a cat from a tree or selflessly try to save someone’s life. We need people to stay people and machines to stay machines.

2 Social Engineering Engagement Framework (SEEF)

SEEF has been invented and developed by Dominique C. Brack, aka »D#fu5e«, and Alexander Bahram, aka »4en5icr«. The framework is based on our personal work experience coming from decades of practical application of information-security principles on an international level.

As professionals in the information-security field, we understand the challenges and know what it takes to protect and safeguard corporate assets, because we have helped many of the world’s most dynamic and ambitious companies to develop their information-security posture. We aim to lead the Social Engineering profession by delivering visionary leadership projects like the Social Engineering Engagement Framework (SEEF), setting the benchmark, aiming for the highest ethical and professional standards. Our goal is to improve Social Engineering as a discipline and add transparency and professionalism to it, to produce comparable and reproducible results and reduce risk in the process.

There are many different definitions of Social Engineering, but none of them seemed to fit our purpose. Therefore, we had to create our own definition of Social Engineering as we understand it. We feel this definition matches up perfectly with what we understand as Social Engineering. SEEF defines Social Engineering as follows:

»The elicitation of information from systems, networks or human beings through methods and tools«

In today’s highly complex business structures, more advanced methods for Social Engineering are necessary. Social Engineering is a fairly new discipline that is sometimes complex, relatively unstructured and not yet fully developed.

But it already has become an engineering discipline with precise tools, selected dynamic approaches and execution plans. This makes it so damn hard to define countermeasures against SE attacks on the receiving end. You never really know where you could get hit next. But as with all things, the best strategy of detection and defense (active/passive) is to stick to your own processes, raise awareness and train your staff, employees and especially your senior executives.

SEEF focuses on the human part of Social Engineering, not on the underlying technology supporting Social Engineering.

SEEF addresses different stakeholders. Not all the topics in the framework will appeal to everyone. This is the reason why we defined three stakeholder groups. Every group has its specific field of interest in the framework. Whether you want to become a Social Engineering expert or just get yourself up to date concerning the latest developments and associated risks of Social Engineering, you will find specific content tailored to your needs.

The framework defines three groups of key stakeholders.

Professionals (Ps)

Organizations (Os)

Governments (Gs)

Professionals comprise the group of individuals who have a professional interest in Social Engineering, people in functions or roles requiring Social Engineering knowledge either for active use or for building protection against Social Engineering attacks. Some examples might include the following:

Chief Information Security Officer (CISO)

Risk Managers

Project Managers

Risk & Compliance Officer

Privacy Officer

Organizations comprise the stakeholder group of companies and other professional bodies that take a vested interest in Social Engineering. This could be any of the following:

Private intelligence companies

Big 4 consulting firms

SE companies

International organizations

Information-security companies

Governments include public-sector interests. These are the people who can devise, pass and enforce laws and regulations. The groups included in this stakeholder group could be the following:

Intelligence organizations

Diplomatic relations

Strategic security

2.1 Engagement Management

The Social Engineering engagement management method consists of three individual core processes. The core processes are as follows:

Pre-engagement process group

During-engagement process group

Post-engagement process group