We are still dealing with the administrative tasks of DeepSec 2013, and we would like to give a short update on the publication of the slides. We have published all PDFs from the talks on our web server. Some speakers are still refining their documents. We will add them to the collection as soon as we get the files.
There are audio and video recordings as well. Both are in post-production in order to ensure that the content is ok and everything works (we had some troubles with broken media files and storage containers in the past). We will put the audio recordings on our web site, too. The videos will be published on our Vimeo account soon.
So, thank you for attending and speaking at DeepSec 2013! We hope to see you again in 2014!
Good news everyone, there will be a DeepINTEL conference in 2014, and we are looking for presentations!
DeepINTEL 2014 will be held in September at the same location as in 2013. This single track two day event addresses mainly critical infrastructure, state organizations (administrative and law enforcement), accredited CERTs, finance organizations and trusted parties and organizations with a strong relation or partnership to the aforementioned. Due to the sensitive topics and the nature of the participants and speakers we will have a vetting process for participants. We’d like to know our audience, so that we all can talk freely and openly during the event. If you have questions on this, please contact us directly via firstname.lastname@example.org or the contact information given on our web site.
Here is the Call for Papers for DeepINTEL 2014:
We are looking for talks and topics around security intelligence. Security intelligence is any information which enables us to choose better strategies for defending our information infrastructure. Basically it’s background information, information about what/where/why/who/… which is not covered by our traditional security topics like security management, incident handling, vulnerability research, and the like.
Security intelligence draws on several different approaches: algorithmic and statistical analysis, infiltration of adversaries, data correlation, meta analysis and related techniques. All of these topics are welcome. Furthermore, if you use or know about other approaches regarding these topics, you are more than welcome to complete our view!
Do you have in-depth information about the current threat landscape? Can you adapt security strategies based on new/old/re-examined information? Care for a „threat weather forecast“? Do you have ideas on how to gather relevant information and isolate risks to your IT infrastructure? It’s not about tools and gadgets, it’s all about the Big Picture™ and Your Radar™. We invite everyone working in this field to send us submissions for a presentation.
Since the DeepINTEL event will be different from DeepSec 2014, please send your submissions to email@example.com and make sure the subject contains the string „CFP DeepINTEL 2014“. You can also send encrypted messages to us if you think that your suggestion is too sensitive for a public and clear-text mail service (please see our contact section on our web site).
Information about DeepINTEL 2014 for speakers:
This is our first call; more will follow as we want to reflect on your input!
So please send us your suggestions or questions and forward this to anyone who might be interested.
René “Lynx” Pfeiffer and Michael “MiKa” Kafka
Welcome to the DeepSec 2013 In-Depth Security Conference!
The seventh DeepSec has just started. We welcome everyone at the conference venue and everyone else Out There™ connected by networks. If you have a Twitter account, make use of the hashtag #DeepSec. We will have an eye on tweets throughout the conference. So if you have feedback or want to comment on something, feel free to do so!
Enjoy DeepSec 2013!
Unfortunately we had to change our DeepSec 2013 schedule again. We promise that these will be the last changes before the conference starts (or a certain Murphy will get a talk slot). Marcus Ranum couldn’t make it to DeepSec. He apologised, and there really is no way he could have made it. We will invite him for DeepSec 2014, so you will have a good reason to come back next year.
We are grateful for Aaron Kaplan from CERT.at who helps out with a presentation about better cryptography. In essence he talks about applied crypto hardening in order to help everyone deploying cryptography to improve the configuration and to Get Things Right™. We highly encourage you to attend his talk.
For anyone interested in geopolitics: Wim Remes has kindly agreed to hold the keynote which is now titled Cultural Learning Of China To Make Benefit Glorious Profession Of Infosec. Context matters, so does history. Don’t miss Wim’s ideas on this matter!
How do you counter threats emerging from a new trend? Well, standard practice is to buy a new appliance, add-on, or similar magic trick. People do this currently with the trend of Bring Your Own Device (BYOD). Once you say yes to BYOD, you just gave Santa Claus (or your chief financial officer) more options for Christmas presents. There is Mobile Device Management (MDM in short), plus you can do a lot of filtering at the edge of your network(s). Still, mobile devices remain a threat. At DeepSec 2013 Georgia Weidman of Bulb Security LLC will show you how the threats work in real environments.
Testing whether your wonderful BYOD playground works for attackers can be done by taking your MDM’s promises to the limits. Let’s see if your MDM has ever heard of polymorphic code. What about that proxy that stops all outbound traffic unless it’s in the Internet Explorer process authenticated against the internal domain? Why not just send your shell back to an exploited mobile device in the environment and have it pass the shell out via SMS? Creativity will get you almost anywhere, and this is what Georgia’s talk is all about. She will give you a live demonstration of the techniques used. Everything you see will be released as additions to her Smartphone Pentest Framework.
If you bring your own device to the talk, we will add a voucher for some extra sleepless nights – for free!
Securing your own perimeter is the prime task IT security teams are worried about. However there is Murphy’s Law of Firewalls, too. Given a sufficient amount of time, business requirements will pierce a lot of holes in your firewall and your defences. Once you work with suppliers, you will have to deal with their perimeters as well. Your opponents will go for the weakest link, and if the links on your end are strong, then they go for your suppliers and partners. Dave Lewis of Akamai Technologies will talk about this problem in his talk at DeepSec 2013.
It’s not only your immediate partners you have to think about. There are trading partner networks, code developed by offshore development centres and outsourced help desks. Even if you use security products you can get into trouble, as the break-in at RSA Security illustrates (it’s just an example, pick any vendor and think of the scenario). Every person, every company, every device that has access to your enterprise network is a part of the equation. Dave will illustrate the need to address these parts by the use of real world stories. It’s not just theory. You will be confronted with real issues, real cases, and real consequences.
Dave’s talk is of interest for anyone dealing with the defences of modern companies and organisations. You will benefit from failures others have experienced for you. It’s never a bad time to take a step back and question what you already know.
Being popular is not always a good thing and here’s why: As mobile devices grow in popularity, so do the incentives for attackers. Mobile malware and threats are clearly on the rise, as attackers experiment with new business models by targeting mobile phones. The threat to mobile devices, however, is not limited to rogue versions of popular apps and adware. Threat actors are also pouncing on mobile users’ banking transactions. Android continues to be a primary target for malware attacks due to its market share and open source architecture.
Nowadays, several behaviour-based malware analysis and detection techniques for mobile threats have been proposed, but only about 30 percent of all Android smartphones and tablets have security apps installed.
At DeepSec 2013 Jaime Sanchez (@segofensiva) will present AndroIDS, a signature-based intrusion detection system (IDS) and intrusion prevention system (IPS) that protects your mobile phone by examining headers and contents of all packets entering or leaving it. It will raise alerts or will drop packets when it sees suspicious headers or payloads.
This open source network-based intrusion detection/protection system is being presented as a solution that will provide a high return on investment based on visibility, control, and uptime.
It has the ability to perform real-time traffic analysis and packet logging on networks, featuring:
The framework architecture consists of:
The IDS rule language is powerful enough to represent current and future security exploits accurately and very precisely. With the help of custom-built signatures, the framework can also be used to detect all kinds of attacks designed for mobile devices like the USSD exploit, WebKit remote code execution exploits, DoS attacks or the Meterpreter module for Android. The rule engine converts Snort-like rules to an AndroIDS-friendly format. It also has some interesting modules that let users defeat operating system fingerprinting attempts by sending up to 16 TCP, UDP, and ICMP responses to nmap’s probes or changing the TCP header fields to avoid p0f’s detection engine.
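To make the signature-based inspection described above concrete, here is an added example (not AndroIDS code): a parser for a small Snort-like rule subset (alert/drop actions, header fields with "any" wildcards, and the msg/sid/content options) plus a matcher that returns an IDS alert or an IPS drop verdict for each packet. The rules, packet records and payloads are constructed for this example and use documentation address ranges.

```python
"""Minimal Snort-style rule parser and packet matcher. Added illustration; the
rule grammar subset, the packet records and the sample rules are constructed
for this example and are not AndroIDS code."""
import re
from dataclasses import dataclass, field

# action proto src sport -> dst dport (options)
RULE_RE = re.compile(
    r"^(?P<action>alert|drop)\s+(?P<proto>tcp|udp|icmp|ip)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\S+)\s+->\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*"
    r"\((?P<opts>.*)\)\s*$"
)

@dataclass
class Rule:
    action: str
    proto: str
    src: str
    sport: str
    dst: str
    dport: str
    msg: str = ""
    sid: int = 0
    contents: list = field(default_factory=list)  # every content: string must occur in the payload

def parse_rule(text):
    """Parse one Snort-like rule line into a Rule (header fields plus msg/sid/content options)."""
    m = RULE_RE.match(text.strip())
    if not m:
        raise ValueError("unparseable rule: " + text)
    rule = Rule(**{k: m.group(k) for k in ("action", "proto", "src", "sport", "dst", "dport")})
    for opt in m.group("opts").split(";"):
        key, _, value = opt.strip().partition(":")
        value = value.strip().strip('"')
        if key == "msg":
            rule.msg = value
        elif key == "sid":
            rule.sid = int(value)
        elif key == "content":
            rule.contents.append(value.encode())
    return rule

def _field_ok(pattern, value):
    return pattern == "any" or pattern == str(value)

def rule_matches(rule, pkt):
    """Header check (proto, addresses, ports; 'any' is a wildcard) followed by a
    payload check: all content: strings must appear somewhere in the payload."""
    if rule.proto != "ip" and rule.proto != pkt["proto"]:
        return False
    for name in ("src", "sport", "dst", "dport"):
        if not _field_ok(getattr(rule, name), pkt[name]):
            return False
    payload = pkt.get("payload", b"")
    return all(c in payload for c in rule.contents)

def inspect(rules, packets):
    """One verdict per packet: 'pass', or (action, sid) of the first rule that fires.
    'drop' is the IPS behaviour, 'alert' the IDS behaviour."""
    verdicts = []
    for pkt in packets:
        verdict = "pass"
        for rule in rules:
            if rule_matches(rule, pkt):
                verdict = (rule.action, rule.sid)
                break
        verdicts.append(verdict)
    return verdicts

# Constructed rules and packets (documentation address ranges, made-up payloads).
SAMPLE_RULES = [parse_rule(r) for r in (
    'drop udp any any -> any 53 (msg:"constructed C2 domain lookup"; content:"bad-c2.example"; sid:1000001;)',
    'alert tcp any 80 -> any any (msg:"tel: URI in HTTP response"; content:"tel:"; sid:1000002;)',
)]
SAMPLE_PACKETS = [
    {"proto": "udp", "src": "10.0.0.5", "sport": 40001, "dst": "10.0.0.1", "dport": 53,
     "payload": b"\x12\x34\x01\x00bad-c2.example"},
    {"proto": "tcp", "src": "198.51.100.10", "sport": 80, "dst": "10.0.0.5", "dport": 51000,
     "payload": b'HTTP/1.1 200 OK\r\n\r\n<a href="tel:+43...">call</a>'},
    {"proto": "tcp", "src": "198.51.100.10", "sport": 80, "dst": "10.0.0.5", "dport": 51000,
     "payload": b"HTTP/1.1 200 OK\r\n\r\n<p>hello</p>"},
]

if __name__ == "__main__":
    for pkt, verdict in zip(SAMPLE_PACKETS, inspect(SAMPLE_RULES, SAMPLE_PACKETS)):
        print(pkt["proto"], pkt["dport"], "->", verdict)
```

First-match semantics keep the example short; a production engine orders rules by priority and evaluates content matches with offsets and depth, which is where the precision mentioned above comes from.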
Android mobile users should start taking security seriously…and attending this talk at DeepSec 2013 is the first step!
The production of code leaves traces in the final binary. There can be debugging symbols present, which give you a lot of information. Maybe the binary uses some commonly used libraries or functions. A lot of fingerprinting can be done on software. Why is this of interest? Well, there is the attribution problem of attacks and malicious software. Identifying where malware comes from can be crucial for the assessment of risks and the impact of compromised systems. Michael Boman has researched this topic and will present his findings in his talk titled Malware Datamining And Attribution at DeepSec 2013.
Stuxnet and related malware are a prime example where the source of the code is of fundamental interest. Even the more „mundane“ code malware authors use leaves traces in their work which can be used to attribute malware to an individual or a group of individuals. This is a great help when assessing the nature of malicious activity. You might identify the tools used, notice patterns, and determine whether the malware is part of an organised attack, a single incident or something else. It is especially interesting if you can combine the forensic data gathered with evidence found on the computers where the malware was actually produced. Either way it is a good method to gain insight into how attack tools are used, who uses them, and how they are traded (in the case of malware being sold to groups performing the actual attacks).
Don’t turn a blind eye on the binaries that end up on your systems or in your networks. You should always post-process incidents and acquire as much data as you can. Data mining starts small, and when it comes to malicious software it is your personal radar. Follow Michael Boman’s presentation to get ideas how and where to start.
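As an added example of the kind of traces the talk is about (not Michael Boman's tooling), the following extracts debug-symbol paths, embedded URLs and the string set from binaries, pulls the developer account name out of a PDB path, and compares samples by shared strings. The three PE-like blobs are constructed; only their string-bearing parts matter here.

```python
"""Extract attribution traces from binaries: an added illustration of the kind
of artefacts the talk above is about (debug-symbol paths, embedded URLs,
shared strings). The sample blobs are constructed; this is not Michael Boman's
tooling."""
import re

PRINTABLE = re.compile(rb"[\x20-\x7e]{6,}")                    # ASCII runs of 6+ chars, like strings(1)
PDB_PATH = re.compile(r"[A-Za-z]:\\[^\x00\"\n]*?\.pdb", re.I)  # MSVC debug-symbol path left in the PE
URL = re.compile(r"https?://[^\s\"'<>]+")
BUILD_USER = re.compile(r"\\Users\\([^\\]+)\\", re.I)         # developer account name inside a PDB path

def extract_strings(blob):
    return [m.group().decode("ascii") for m in PRINTABLE.finditer(blob)]

def traces(blob):
    """Collect the traces of one binary: symbol paths, URLs and the full string set."""
    strings = extract_strings(blob)
    joined = "\n".join(strings)
    return {
        "pdb_paths": PDB_PATH.findall(joined),
        "urls": URL.findall(joined),
        "strings": set(strings),
    }

def build_user(pdb_path):
    """The account name in C:\\Users\\<name>\\... ties a sample to a build environment."""
    m = BUILD_USER.search(pdb_path)
    return m.group(1) if m else None

def similarity(a, b):
    """Jaccard similarity of the string sets: a crude way to cluster samples by origin."""
    union = a["strings"] | b["strings"]
    return len(a["strings"] & b["strings"]) / len(union) if union else 0.0

# Constructed PE-like blobs: two built by the same developer account, one unrelated.
SAMPLE_A = (b"MZ\x90\x00"
            b"C:\\Users\\dev1\\projects\\loader\\Release\\loader.pdb\x00"
            b"http://update.c2.invalid/gate.php\x00"
            b"Mozilla/5.0 (compatible; MSIE 9.0)\x00"
            b"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\x00")
SAMPLE_B = (b"MZ\x90\x00"
            b"C:\\Users\\dev1\\projects\\stealer\\Release\\stealer.pdb\x00"
            b"http://update.c2.invalid/upload.php\x00"
            b"Mozilla/5.0 (compatible; MSIE 9.0)\x00"
            b"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\x00")
SAMPLE_C = (b"MZ\x90\x00"
            b"C:\\build\\agent\\work\\x64\\Release\\svc.pdb\x00"
            b"https://example.invalid/ping\x00"
            b"Qt 5.12.3 (MSVC 2017)\x00")

if __name__ == "__main__":
    for name, blob in (("A", SAMPLE_A), ("B", SAMPLE_B), ("C", SAMPLE_C)):
        t = traces(blob)
        print(name, t["pdb_paths"], t["urls"], build_user(t["pdb_paths"][0]))
    print("A~B", similarity(traces(SAMPLE_A), traces(SAMPLE_B)))
    print("A~C", similarity(traces(SAMPLE_A), traces(SAMPLE_C)))
```

String overlap is the crudest signal; import tables, compiler and linker versions, and code reuse between samples add to the same picture, which is why post-processing incidents and keeping the binaries pays off.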
Defending one’s own resources against malicious software is daily business for information security professionals. Usually you deploy a range of measures and try to minimise the risk. It may or may not work, depending on whether you have to fear the mysterious Advanced Persistent Threat (APT). APTs are highly targeted, very stealthy and can greatly impact your security in terms of damage and level of compromise. Their stealth aspect makes them hard to detect and hard to counter. Tom Ueltschi from the Swiss Post has gained experience with this kind of attack. This is why he will share his insights at DeepSec 2013. His talk is titled My Name Is Hunter, Ponmocup Hunter.
Ponmocup is a strain of malicious software which forms its own botnet. It is known by a couple of names, depending on the date of discovery. Tom tells the story from a single anti-virus event to the full blown analysis of the Command & Control (C&C) mechanisms along with the underlying botnet. The first chapter begins in 2011 when several host- and network-based indicators of intrusions were found. After several infections within the company were found, countermeasures were implemented. The anti-virus detection names for this particular malware vary greatly and there may be as little as one registry key in common as indicator for all infected hosts. Over time the infection and C&C domains, IP addresses and URL patterns changed to avoid detection. Defence against ongoing attacks involves the sink-holing of communication transmissions, i.e. the blocking of C&C messages. In late 2012 an “anti-sinkholing technique” was introduced in the way the malware uses its C&C domains. Just recently Tom discovered how this technique can be overcome to allow sink-holing of botnet domains again.
The case is a very good example of how malicious activity can be detected and analysed, and how you can derive defensive actions against invading malware. If you are responsible for your organisation’s network defences, you should definitely take a look at his presentation.
If something happens in your network, it’s an established custom to blame it on China. This approach is tried and true among the Chief Information Officers (CIOs) who have some explaining to do. Throw in the inevitable Advanced Persistent Threat (APT) and you are set. No more explanations necessary. Why is that? Well, most people don’t know, which is why Wim Remes of IOActive will give you a thorough overview in his talk titled Cultural Learning Of China To Make Benefit Glorious Profession Of InfoSec.
Geopolitics is a good start. The current debate about the role of China as a nation in international hacking incidents and corporate espionage is framed in an almost exclusively US-centric narrative. Using your adversaries as a scapegoat works well, provided you talk to like-minded people and nations. China, however, is a nation that has been familiar with innovation, economics and societal (im)balances since long before Christopher Columbus accidentally landed in the New World. Wim’s talk will take the audience on a rollercoaster ride across more than 5000 years of history and cultural heritage that will allow you to understand the reality of APT and state-sponsored hacking. When it comes to threats on high levels you absolutely have to understand the background, up to the point of culture and history. Only by doing this can you correctly assess the threat and improve your protection.
We will open the DeepSec 2013 conference with this talk. It combines the topics security intelligence, information security, geopolitics, and risk assessment perfectly. Marcus Ranum will follow with his keynote talk on the second day in order to complement the discussion about the influence of nation states on information security. Do not miss both talks!
You may have heard of background radiation. It’s the kind of ionizing radiation you are exposed to when wandering around on this planet. The sources are radioactive isotopes in the air, the soil, our food, and the water. In addition there is cosmic radiation from outer space. So even without artificial radiation sources you will have a natural background radiation. The Internet has a similar phenomenon. The counterpart of the fundamental particle in Nature is the packet. Internet traffic consists of data packets going from their source to a target address. Imagine a part of the Internet which isn’t used at all. Its address space isn’t advertised anywhere. It holds no services and no active hosts. This place is called Darknet. In theory there will be no packets. In practice there are.
A student from our U21 initiative has explored a Darknet and will present his findings in the talk The Dark Side of the Internet. The idea was to take an unallocated portion of the Internet and to watch it. In a sense it is a network telescope. All you need is to record the packets hitting the address space. Since there are no services, all packets are likely to be probes, attacks or backscatter. The collected samples are very interesting for security researchers of all kinds. They can be linked to active attacks, can serve as an indicator for malicious software running rampant, and they can be analysed to counter their impact.
The U21 talk will focus on the analysis of the information collected using a particular Darknet as well as the set-up used to extract the backscatter. Furthermore you will get to see the results of the project together with statistics, metadata and packet analysis. We recommend this talk to anyone dealing with network security or analysis of malicious activities.
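The sorting of telescope traffic into probes and backscatter described above, as an added example that is not the U21 project's code: every packet arriving in the watched block is unsolicited, so a TCP SYN, a UDP datagram or an ICMP echo request is someone probing the space, while a SYN-ACK, a RST or an ICMP error is a reply to a packet nobody here sent, i.e. backscatter from a spoofed-source flood elsewhere. The watched block 203.0.113.0/24 and the packet records are constructed.

```python
"""Classify packets arriving at a network telescope (a Darknet) into probes and
backscatter and summarise them. Added illustration with constructed packet
records; not the U21 project's code. 203.0.113.0/24 stands in for the
unallocated block being watched."""
import ipaddress
from collections import Counter

DARKNET = ipaddress.ip_network("203.0.113.0/24")

def classify(pkt):
    """Nobody inside the Darknet ever sends anything, so every arrival is unsolicited.
    SYN / UDP / ICMP echo request: someone is probing the space.
    SYN-ACK / RST / ICMP error: a reply to a packet we never sent, i.e. backscatter
    from a flood elsewhere that spoofed one of our addresses as its source."""
    if pkt["proto"] == "tcp":
        flags = set(pkt["flags"])
        if flags == {"S"}:
            return "probe"
        if ("S" in flags and "A" in flags) or "R" in flags:
            return "backscatter"
        return "other"
    if pkt["proto"] == "udp":
        return "probe"
    if pkt["proto"] == "icmp":
        return "probe" if pkt["type"] == 8 else "backscatter"
    return "other"

def summarise(packets):
    """Counts per class, the most probed ports and the sources of backscatter
    (for backscatter the source address is the victim of the spoofed flood)."""
    kinds, probed_ports, backscatter_sources = Counter(), Counter(), Counter()
    for pkt in packets:
        if ipaddress.ip_address(pkt["dst"]) not in DARKNET:
            continue  # the telescope only records packets aimed at the watched block
        kind = classify(pkt)
        kinds[kind] += 1
        if kind == "probe" and pkt["proto"] in ("tcp", "udp"):
            probed_ports[(pkt["proto"], pkt["dport"])] += 1
        elif kind == "backscatter":
            backscatter_sources[pkt["src"]] += 1
    return {
        "kinds": dict(kinds),
        "top_probed_ports": probed_ports.most_common(3),
        "top_backscatter_sources": backscatter_sources.most_common(3),
    }

def tcp(src, dst, dport, flags, sport=0):
    return {"proto": "tcp", "src": src, "dst": dst, "sport": sport, "dport": dport, "flags": flags}

# Constructed capture: a few scans, backscatter from one flooded web server, one stray packet.
SAMPLE = [
    tcp("192.0.2.10", "203.0.113.7", 22, "S"),
    tcp("192.0.2.10", "203.0.113.8", 22, "S"),
    tcp("192.0.2.11", "203.0.113.9", 23, "S"),
    tcp("198.51.100.7", "203.0.113.20", 4411, "SA", sport=80),
    tcp("198.51.100.7", "203.0.113.21", 4412, "SA", sport=80),
    tcp("198.51.100.7", "203.0.113.22", 4413, "R", sport=80),
    {"proto": "udp", "src": "192.0.2.12", "dst": "203.0.113.30", "sport": 5000, "dport": 1900},
    {"proto": "icmp", "src": "192.0.2.13", "dst": "203.0.113.31", "type": 8},
    {"proto": "icmp", "src": "198.51.100.8", "dst": "203.0.113.32", "type": 3},
    tcp("192.0.2.10", "192.0.2.99", 22, "S"),  # not aimed at the Darknet; ignored
]

if __name__ == "__main__":
    print(summarise(SAMPLE))
```

Backscatter is what makes a telescope useful beyond scan statistics: the source addresses of the SYN-ACKs are hosts under a spoofed flood right now, and the rate of arrivals per victim tells you roughly how hard they are being hit.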
Cross Site Request Forgery (CSRF) is a real threat to web users and their sessions. To quote from the OWASP web site: „CSRF is an attack which forces an end user to execute unwanted actions on a web application in which he/she is currently authenticated.“ Combined with social engineering this is a very effective attack tool. Believe it or not, web sites prone to CSRF are very common. If your web developers do not know what „unique web form“ means, you will have to deal with CSRFs eventually. Paul Amar is a student of computer science, and at DeepSec 2013 he will present a framework to study and prototype CSRF interaction with web servers.
The tool presented is the Cross Site Request Forgeries Toolkit (CSRFT). It has been developed in Python and Node.JS. The configuration files are written in JSON. The CSRFT can be used to explore CSRF weaknesses. Paul will give you examples on how to use it, and he will show you that users do not need to be logged into a site in order to take advantage of those vulnerabilities. The real strength of the CSRFT is performing complex exploitation techniques using custom scenarios. There will be specially designed examples for the DeepSec audience.
If you are interested in securing web sites or in penetration testing, then you should attend Paul’s talk. Providing feedback, testing the CSRFT, and writing more examples is a way to contribute to the project. Let Paul know what you think.
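The „unique web form“ mentioned above is the synchronizer token pattern. The following added example (not part of CSRFT) puts a CSRF-prone handler beside its protected version: the site embeds a per-session random token in its own form, and the protected handler refuses any POST that does not carry it. The session store, the handlers and the forged form fields are constructed for this example.

```python
"""Synchronizer-token defence against CSRF, as an added illustration of the
'unique web form' the text refers to. The handlers and session store are
constructed for this example; they are not part of CSRFT."""
import hmac
import re
import secrets

def new_session(user):
    """Constructed session record, created at login: one random token per session."""
    return {"user": user, "csrf_token": secrets.token_urlsafe(32), "balance": 100}

def render_transfer_form(session):
    """The site's own page embeds the token. A page on another origin cannot read
    this HTML (same-origin policy), so it cannot build a submission that carries it."""
    return ('<form method="POST" action="/transfer">'
            f'<input type="hidden" name="csrf_token" value="{session["csrf_token"]}">'
            '<input name="to"><input name="amount"><button>Send</button></form>')

def extract_token(html):
    """What the legitimate browser does implicitly: submit the hidden field from the form."""
    return re.search(r'name="csrf_token" value="([^"]+)"', html).group(1)

def transfer_vulnerable(session, form):
    """The CSRF-prone 'before': any POST that arrives with the session cookie is acted on,
    including one a third-party page made the browser send."""
    session["balance"] -= int(form["amount"])
    return 200

def transfer_protected(session, form):
    """The 'after': the request must carry the token bound to this session.
    Constant-time comparison avoids leaking the token byte by byte through timing."""
    submitted = form.get("csrf_token", "")
    if not hmac.compare_digest(submitted, session["csrf_token"]):
        return 403
    session["balance"] -= int(form["amount"])
    return 200

def demo():
    """Replay both scenarios; returns (vulnerable, protected with forged form, protected with real form)."""
    # Form fields a third-party page can make the victim's browser POST (the cookie goes along automatically).
    forged = {"to": "constructed-attacker-account", "amount": "50"}
    s1 = new_session("alice")
    vulnerable_status = transfer_vulnerable(s1, forged)          # 200: money moved
    s2 = new_session("alice")
    forged_status = transfer_protected(s2, forged)               # 403: no token
    legit = dict(forged, csrf_token=extract_token(render_transfer_form(s2)))
    legit_status = transfer_protected(s2, legit)                 # 200: token from the site's own form
    return vulnerable_status, forged_status, legit_status

if __name__ == "__main__":
    print(demo())
```

Two points the example glosses over: the token has to be tied to the session (a global secret would be readable from any legitimate page and reused), and, to cover the logged-out case the talk mentions, the token must also be issued to anonymous sessions so that login forms are protected as well. SameSite cookies and Origin header checks are complementary defences, not replacements.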
Over the last few years the desire to have information at our fingertips whenever and wherever we want has driven us more and more towards mobile devices. The convenience of having our email, files and access codes available to us on our smartphones or tablets has given rise to a new problem… that of securing our sensitive data on an inherently insecure device. The same form factor that makes smart phones the easy choice for remote access to email and services also makes them easy to lose.
In response, we’ve begun to move security closer to the data, relying on “secure” container applications to keep our private and company data secure. Mobile apps such as LastPass, Dropbox, Evernote, GOOD for Enterprise, and many others all offer differing degrees of security.
In this presentation Chris John Riley of the Raiffeisen Informatik Security Competence Center team will discuss specific design flaws in the security of “secure” Android container applications that promise to keep your data, passwords and even company email safe and sound should the device fall into the wrong hands. Examples of how these simple flaws can be used to disable or bypass security features will show that even if you think your data is secured, physical access still equals game over.
Hey, you! Want to know a secret? Your adversaries are after money. Leaving the „cyber shoot-outs“ of governments aside, no sophisticated attack happens without economic benefit. Attackers don’t care where the money comes from. However, they care for efficiency. They do not compromise web server after web server hoping for some loot which can be turned into profit. Instead they go after the places where people store and move their money. Financial institutions have been battling attacks against their customers and their infrastructure since their services entered the Internet. It’s an arms race, and if you are involved you need to keep up. We are proud to have Konstantinos Karagiannis at DeepSec 2013 talking about the future of banking and financial attacks.
Every attack needs a proper target. When it comes to accounts the user identifications (IDs) are your targets (think of them as the login part). Adversaries will try to collect them during reconnaissance when preparing their move. Since the user ID is part of the account credentials it should be protected in the same way as the password. Surprisingly few organisations go out of their way to protect user IDs. It is a matter of time before they get harvested. This opens two attack vectors. Compromising accounts is the obvious one. The second attack is to lock out users. This works if the application suspends the account after a couple of unsuccessful logins. If you don’t care about gaining access, then you can lock out others, thus staging a (distributed) denial of service attack.
Competition is hard in the financial sector. Combine this with online resources that absolutely need to be online and you have very fertile ground for attacks that push services off the Internet. This can be especially dangerous for time-critical transactions at stock markets. Network-based attacks disrupting transaction time by milliseconds can cost millions of dollars. The motive is there, so the motivation for undertaking attacks will follow.
Attacks do not come from the outside only. Imagine attackers are inside your financial organisation. They could have taken a foothold by using elusive advanced persistent threats (APTs) to get their attack tools in position. Provided your defences do not look in every direction, your adversaries have an unobstructed view on your internal network. They can do a lot more damage then. APT cases have been documented. Right now they are rare and expensive – but if the profits are right, this might change.
Malicious software evolves, just like any other software product. It comes with a warranty. This means that the developers follow the evolution of the defence mechanisms and constantly evade them. In turn attackers don’t need to crack your password or watch your network traffic any more. They can virtually sit right next to you while you use your trusted session. They can record, intercept and manipulate transactions. This is a classical external attack, but it is done from the end-point.
Konstantinos Karagiannis’ presentation is an outlook on the future. Just as your adversaries keep track of your defences, you should follow the capabilities of your adversaries. If attacks would stop as soon as we understood the mechanisms, then securing networks, applications and infrastructure would be a whole lot easier. This is why we absolutely recommend attending this talk.
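The user-ID paragraph above names two problems a login endpoint has to solve at once: not confirming which IDs exist, and not letting a handful of failed attempts against a harvested list turn into a lockout denial of service. The following added example (not from the talk) sketches one way to do both: unknown IDs and wrong passwords get the same answer and run the same password hashing, per-ID failures produce a capped, temporary backoff instead of a permanent lock, and a per-source rate limit cuts off one address hammering many IDs. The user store, salt, limits and addresses are constructed.

```python
"""Login throttling that avoids ID disclosure and lockout DoS. Added illustration with a
constructed user store; limits and timings are example values, not a recommendation."""
import hashlib
import hmac
import time
from collections import defaultdict

# Constructed user store. PBKDF2 with a fixed salt keeps the example short; a real
# store uses a random salt per user.
_SALT = b"constructed-example-salt"
_ITER = 20_000

def _hash(password):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, _ITER)

USERS = {"alice": _hash("correct horse battery")}
_DUMMY_HASH = _hash("dummy")        # verified for unknown IDs so response time does not reveal them

SOURCE_LIMIT = 20                   # attempts per source address per 60 s window
MAX_BACKOFF = 300                   # cap on the per-ID delay in seconds; never a permanent lock

_failures = defaultdict(int)        # consecutive failures per user ID
_last_failure = {}                  # time of the last failure per user ID
_source_attempts = defaultdict(list)

def reset_state():
    _failures.clear()
    _last_failure.clear()
    _source_attempts.clear()

def backoff_seconds(user):
    """No delay for the first failures, then exponential, capped at MAX_BACKOFF."""
    n = _failures[user]
    return 0 if n < 3 else min(MAX_BACKOFF, 2 ** (n - 3))

def authenticate(user, password, source_ip, now=None):
    """Returns ('ok', 0), ('denied', seconds_until_retry) or ('throttled', None).
    'denied' is identical for an unknown ID and for a wrong password."""
    now = time.time() if now is None else now
    # 1. Per-source throttle: one address working through a harvested ID list is cut
    #    off without touching the per-ID state of the accounts it names.
    window = [t for t in _source_attempts[source_ip] if now - t < 60]
    window.append(now)
    _source_attempts[source_ip] = window
    if len(window) > SOURCE_LIMIT:
        return ("throttled", None)
    # 2. Per-ID backoff: temporary and capped, so failures cannot lock the owner out for good.
    remaining = _last_failure.get(user, 0) + backoff_seconds(user) - now
    if remaining > 0:
        return ("denied", remaining)
    # 3. Verify. Unknown IDs run the same PBKDF2 and get the same answer as a wrong password.
    stored = USERS.get(user, _DUMMY_HASH)
    ok = hmac.compare_digest(_hash(password), stored) and user in USERS
    if ok:
        _failures[user] = 0
        return ("ok", 0)
    _failures[user] += 1
    _last_failure[user] = now
    return ("denied", backoff_seconds(user))

if __name__ == "__main__":
    reset_state()
    print(authenticate("nobody", "x", "198.51.100.1", now=1000))
    print(authenticate("alice", "x", "198.51.100.1", now=1001))
    print(authenticate("alice", "correct horse battery", "198.51.100.1", now=1002))
```

The trade-off is explicit: an attacker can still impose a delay of up to MAX_BACKOFF on a known ID, but not an indefinite suspension that needs a help desk to lift, and the per-source limit makes running through a harvested list expensive without affecting the account owners. Equal error messages and equal work for unknown IDs are what keep the ID list from being confirmed through the login form itself.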
No man is an island. If this is true for every single one of us, then it is also true for companies. Modern enterprises have business to business (B2B) relations. They are at the centre of a network of suppliers and other vendors. Information flows between the players since they need to exchange data. What do you do if you deal with confidential or regulated data which mustn’t flow freely? How do you assess the risks? How do you determine what security measures work best? How do you deal with the situation of not enforcing security because every player runs its own policies? Luciano Ferrari has prepared a presentation for you and talks about his experience.
The first issue is physical proximity. Once you are linked with business entities several thousands of miles away (think halfway across the globe), then being on site for a risk assessment is not always an option. While globalisation may help you business-wise, it may create headaches for your information security needs. Considering the amount of data companies are transferring to the cloud and external vendors, the regulations, especially in a globalised world, require proper management to be effective, compliant and efficient in order to protect the data and the company’s reputation. This task is radically different from managing the information security needs of a company with next to no sensitive data exchanges with the outside world.
Non-technical issues will haunt you as well. There is always corporate culture. When facing security problems this culture is often a part of it. You need to be able to rely on cooperation – across boundaries – in order to secure your business processes (which are by themselves another non-technical issue as well).
During the course of his professional career Luciano Ferrari has developed a process that deals with global Risk Assessment and increases the trust in and the security of your data. Make sure to attend his talk, because proper risk assessment will help at any level. You don’t have to be a global player; getting this right at a local level will be a big benefit to your organisation, too.