In the light of the recent news about the collection of call detail records (CDR), the term metadata has come up. Unfortunately the words cyber, virtual and meta are used quite often – even as a disguise when they are not used in a technical context. We have heard about all things cyber at the last DeepSec conference. The word virtual is your steady companion when it comes to All Things Cloud™. Now we have a case for meta.
Actually, metadata is what forensic experts look for – a lot. Metadata usually lives in transaction logs or is part of a data collection. It describes the data it accompanies. Frequently you cannot make sense of or use the data without the corresponding metadata. A well-stocked library seems like a labyrinth if you have no access to the library catalogue. Likewise the content of your hard disk(s) makes no sense without file names and directories. Without metadata you have no instructions for figuring out what you are looking at. Databases are structured by means of metadata. Once your metadata is gone, your database records become meaningless. That’s why everyone is so keen on acquiring, storing and analysing metadata.
What can you do with metadata? Well, you can extract groups of people or organisations from communication logs. If you draw the graph of such a log, you see nodes representing communication end-points (usually people) linked by communication (usually messages such as e-mails, tweets, phone calls, …). The graph says a lot more than the log itself. You can clearly see hubs attracting/sending lots of messages. Additionally you see links between hubs and can therefore identify groups. IT security staff regularly use these methods to gain insight into the log files of security systems and applications. In this context it is used for defence. You can very easily use the same filters, transformations and visualisations for other purposes as well. This is the reason why metadata is no less valuable than the data itself. Often it’s the other way around. The conclusion: Protect your metadata!
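To show how little is needed to get from a metadata-only log to hubs and groups, here is an added example (not code from the original post). The call detail records are constructed, the field layout (caller, callee, timestamp, duration) is an assumption, and no content of any call is involved: degree in the graph finds the hubs, connected components find the groups.

```python
"""Build a communication graph from metadata-only records and find hubs and groups.

Added example. The CDR-like lines below are constructed; the field layout
"caller,callee,timestamp,seconds" is an assumption. No call content is needed.
"""
from collections import defaultdict

# Constructed call detail records: caller, callee, timestamp, duration in seconds
SAMPLE_CDR = """\
+43-1-1001,+43-1-2002,2013-06-10T08:01:00,120
+43-1-1001,+43-1-2003,2013-06-10T08:10:00,45
+43-1-2002,+43-1-1001,2013-06-10T08:30:00,300
+43-1-2004,+43-1-1001,2013-06-10T09:00:00,60
+43-1-2003,+43-1-2002,2013-06-10T09:15:00,30
+43-1-3001,+43-1-3002,2013-06-10T10:00:00,600
+43-1-3002,+43-1-3003,2013-06-10T10:20:00,15
+43-1-3001,+43-1-3003,2013-06-10T11:00:00,90
"""


def parse_cdr(text):
    """Yield (caller, callee, seconds) tuples; blank or malformed lines are skipped."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        parts = line.split(",")
        if len(parts) != 4:
            continue
        caller, callee, _timestamp, seconds = parts
        yield caller, callee, int(seconds)


def build_graph(records):
    """Undirected graph: edges[a][b] counts the calls between end-points a and b."""
    edges = defaultdict(lambda: defaultdict(int))
    for caller, callee, _seconds in records:
        edges[caller][callee] += 1
        edges[callee][caller] += 1
    return edges


def hubs(edges, top=3):
    """End-points ranked by degree (number of distinct contacts), highest first."""
    degree = {node: len(peers) for node, peers in edges.items()}
    return sorted(degree.items(), key=lambda kv: (-kv[1], kv[0]))[:top]


def groups(edges):
    """Connected components: end-points linked by some chain of calls."""
    seen, result = set(), []
    for start in sorted(edges):
        if start in seen:
            continue
        component, stack = set(), [start]
        while stack:
            node = stack.pop()
            if node in seen:
                continue
            seen.add(node)
            component.add(node)
            stack.extend(edges[node])
        result.append(frozenset(component))
    return result


def analyse(text):
    """Return the hubs and groups visible in a metadata log."""
    edges = build_graph(parse_cdr(text))
    return {"hubs": hubs(edges), "groups": groups(edges)}


if __name__ == "__main__":
    summary = analyse(SAMPLE_CDR)
    print("hubs:", summary["hubs"])
    for group in summary["groups"]:
        print("group:", sorted(group))
```

On the constructed log the first end-point is the only one with three contacts, and the records fall into two groups that never call each other. Real logs are larger and the degree counts less clean, but the method is the same one a SIEM uses on firewall or mail logs, and it works equally well on anyone else's metadata.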
For other interpretations of metadata see the blog post by Kurt Opsahl. He describes five examples where you can deduce the content of communication just by examining the metadata.
In case your infrastructure is distributed and you do not own or control all the systems your communication flows through, then the task of protecting metadata gets difficult or even impossible. This doesn’t mean that you shouldn’t care; you should. You need to know where and when your organisation leaks information and what the impact is. Some companies leak their entire business relations through their transaction logs. Make sure you know what this means!
When it comes to defence and protection, don’t forget how your organisation treats data. The mindset plays an important role. This can be illustrated by a simple correlation. Organizations which take the protection of data privacy seriously have an edge when it comes to implementing IT security measures. We talked about this relation in an interview with ORF journalist Erich Moechel (article is in German, Google translation).
The findings are not surprising. Auditors and penetration testers can tell if your IT staff takes the role of protecting digital assets seriously. The correlation is easily explained: once you establish data protection guidelines, you also create a motivation to implement defensive procedures and measures against intrusion. Directly linking operational aspects to a reason makes sure that everyone understands why defence is important. Bear in mind that this is more than simply stating “Hey, let’s protect our customers’ data!” Paying lip service to a policy is easily done. Getting the message down to all staff members (and external consultants) doing the actual work is much more difficult.
The key to all learning is motivation. If you want to learn something new, such as understanding new attack vectors and tactics of your adversaries, then you need to be motivated to do so. Simply claiming “I like to learn something!” just for the sake of it, or just because your boss wants you to, won’t do the job, sorry. It might work for a short time, but you are more likely to abandon your efforts in the long run – you need a reason to keep it up, a personal goal that keeps you going.
Value your data and teach all your staff members to do so by explaining how data treachery and thievery can damage your business as well as your personal life (by the way, attending DeepSec is also a good way to get into the mood of exploring new ways to protect your data or attack your defences).
It is essential that you establish a focus on protection before you buy gadgets and hire consultants by the dozen. If you don’t care about your own or your customers’ data, your adversaries probably will.
MiKa and I have been chatting with Finux for his latest recording of the Finux Tech Weekly #25 (mp3/ogg download). We talked about the next DeepSec conference and our special U21 initiative for young security researchers. We want to support young researchers (under the age of 21, hence U21) and enable them to present their work and results in an appropriate manner. Listen to the podcast to hear about our motivations!
Oh, and don’t forget, the Call for Papers for DeepSec 2013 is still running! Send us your submissions!
We’re looking forward to it
Finally! Our 2012 Deep Sec T’s have arrived – Yes, and they rock!
If you want a T-Shirt please write an e-mail to firstname.lastname@example.org including your size and your postal address so we can send it to you!
If you have a VAT number please let us know, and we will include it in your invoice. The invoice will be sent with the T-shirt.
P.S.: There will be a 2011 T-Shirt Edition too – We’ll keep you posted
Your DeepSec Crew.
While our Call for Papers for DeepSec 2013 and DeepINTEL is still open, we have a Call for Articles for all our past speakers ready. It’s our pleasure to inform you that we will publish a book of proceedings about past and present DeepSec topics. It will be a summary, a factual overview of what has been going on at our annual event from 2007 to 2012, a collection of the most compelling talks and captivating topics we’ve featured at our conference so far. To make this book a success we need your help.
We want you to send us the abstracts of the talks you held at DeepSec – and we ask you to open up your topic once again.
Since we choose the talks for DeepSec very carefully we believe every topic is well worth thinking about once again and worth updating.
We need your input in the form of an academic publication: please send us the original content of your talk in the form of an article, including a clearly separated addendum where you write about your current thoughts on your special topic. We also have some formal requirements:
We also plan to publish proceedings for future DeepSec conferences. Title and abstract for your chapter need to be submitted by the end of June at the latest. The manuscript needs to be submitted by the 1st of August, 2013. The editors of the proceedings are René ‘Lynx’ Pfeiffer and Stefan Schumacher. For those who do not know them, here is a short description.
René Pfeiffer is part of the DeepSec conference organisation team and lectures information security at the University of Applied Sciences Technikum Wien. He has a solid background in system administration and researches selected topics of information security such as Security Information and Event Management (SIEM), communication protocols and configuration convergence of distributed systems.
Stefan Schumacher is executive director of the Magdeburger Institut für Sicherheitsforschung (Magdeburg Institute of Security Research) and a regular speaker at DeepSec and various other conferences. His research is focused on psychological phenomena of security, like social engineering, security awareness and the didactics of security.
Since September 2012 there have been CryptoParty events all over the world. The idea is to bring a group together and have the participants teach each other the basics of cryptography and how to use the various tools that enable you to encrypt and protect information. Of course, encryption by itself cannot guarantee security, but it’s a part of the equation. Since cryptography is hard, most tools using it require a certain amount of knowledge to understand what’s going on and how to use them properly. The CryptoParty helps – in theory and most often in practice, too.
If a CryptoParty is near you and you have some knowledge to spare, please take part and share what you know with others. DeepSec supports the local CryptoParty events in Austria, too. Finding a CryptoParty can be easily done by looking up your country in the wiki. The next CryptoParty meetings in Austria can be found at the CryptoParty.at web site.
DeepSec is actively supporting the BSidesLondon conference this month. We are joining the panel of mentors of the rookie track, and we’re looking forward to seeing a lot of interesting talks. In March we talked about our motivation to support the rookie track idea with Finux on the Rookie Track Podcast. DeepSec has been supporting young security researchers for years. Some of them were given an opportunity to speak at past DeepSec conferences in order to present their work. We think that this is a good idea, and here is why:
Speaking publicly in front of an audience can be hard. It is even harder if you have never done this before. It gets a lot harder if you talk about IT security, because there’s a chance you found something that probably broke, is probably a secret, or is generally unpleasant to talk about. Vendors, customers and developers might get angry (with you). All of this doesn’t sound very cheerful. However we strongly believe in making failures public and talking about them openly – and fairly. In order to get potential/future security researchers to participate, we decided to support them. It’s just a matter of sharing knowledge and information. We do this at DeepSec anyway, so why not do it with speakers who are new to the arena? This is exactly why we decided to support BSidesLondon back in November 2012.
So we ask you to focus your attention on the BSidesLondon Rookie Track. Have a look at the schedule. Read the abstracts. The Rookie Track is not just an exercise. Everyone presenting there has worked hard to prepare the content of their talk. The titles and the abstracts look very promising. Please give all the rookies respect for what they have done so far. We will be present throughout the whole Rookie Track and will watch all Rookie talks. One of the Rookie speakers will be invited to DeepSec 2013 (we provide a ticket for the conference and accommodation at the hotel in Vienna).
Since DeepSec 2013 is all about secrets, failures and visions: Our vision for future IT security events includes a lot more support and respect for anyone daring to address IT security issues in public. That’s how community works!
Dear Researchers, Hackers, Developers, dear Members of the IT-Security Community: This is our call for papers for DeepSec 2013, the seventh DeepSec In-Depth Security Conference. Our annual event will take place from November 19th to 22nd at the Imperial Riding School Renaissance Hotel in Vienna. It consists of two days of workshops followed by a two day long conference. Our speakers and trainers traditionally come from the security community, companies, hacker spaces, journalism and academic organisations, talking about different topics and aspects of IT-Security: current threats and vulnerabilities, social engineering and psychological aspects as well as security management and philosophy.
For DeepSec 2013 we’re not looking for talks about the latest trending technologies, gadgets and behaviours, no, DeepSec 2013 is all about secrets, failures and visions! We are looking for talks that will enable us to see things from another perspective and hopefully give us a lot to think about. We still talk about technology, exploits, bugs, vulnerabilities, defence (hopefully in-depth), software, hardware, infrastructure, procedures and everything. We just think it’s important to put your findings into perspective with the real world – which in turn consists of secrets, failures and visions on a daily basis.
Every person, every group, every enterprise and every government has them. Secrets are the very reason why information security uses encryption, access control, even doors and locks (physical and otherwise). You wouldn’t need all of this if it wasn’t for safeguarding these secrets. How do you protect your secrets? And are secrets still secret once they escape?
Sometimes things go wrong. Often not only by malicious action, but by bad design or bad implementation. Human error contributes as well to major and minor catastrophes. All it takes is a missed state (or states or bugs or anything) during quality assurance or changes to an already “perfect” system to start the chain reaction. Failures are always an option. So how do you deal with failures? How do you detect them? Do you dare to talk about them? And what do you (not) learn from them?
In an ideal world nothing stays bad forever. While sometimes it can get worse, there are lots of ideas for improvement. That’s what upgrades and changes in behavior are for (learning helps too). If you have ideas how to improve the current state of affairs, then visions are for you. We want to hear them!
You can put all hot topics of IT security into either one of these categories. Really good lessons touch all three. You can submit content for three formats.
Please submit all your proposals by using our CfP form on our web site.
Talks should be up-to-date, of high quality and preferably exclusive. We’re looking for the vanguard and lateral thinkers – no rock stars, no marketing, no panic creating, no 2nd hand opinions – we want you to introduce us to new ideas and we do like a bit of controversy: We’re keen on unconventional thoughts that challenge the mainstream.
Again: It’s quality that counts. We’re looking for novel, challenging lectures for a sophisticated audience with a very high level of technical understanding, deeply involved with security management, implementation, operation and research. There’s no need to keep it simple but we like you to be precise. Don’t try to cover too much ground, focus! Two days may sound a lot but it isn’t.
DeepSec will sponsor young security researchers by providing an opportunity to attend the conference for free. In order to take advantage of this offer you have to submit a description of your own security research project. Please don’t copy & paste, be creative! Be original! There’s no need to be shy: Viennese people may look grumpy, but they don’t bite and we’re really looking forward to introducing some brand new faces to the IT security community. If you get accepted your work will be an exhibit during the breaks at the conference, optionally you can do a lightning talk about your work (roughly 5 minutes). The offer is intended for everyone with a maximum age of 21 (or slightly more, depending on your social engineering skills).
All CfP submissions must go through the form on our web site. Yes, all.
Please make sure that you read our tips for conference speakers before submitting your ideas. Practice is never a bad thing.
We will support anyone who has questions, needs clarification or whatever comes to your mind, just contact us by e-mail: email@example.com
We invite you to send us your submissions for talks and trainings and we’re looking forward to it! Keep secrets, failures and visions in mind!
the DeepSec Organisation Team.
From now on all incoming and outgoing payments for DeepSec and DeepINTEL tickets, sponsor packages, speaker travel reimbursements, hotel, accommodation, catering, support for the community etc. will only be accepted or paid in Bitcoin.
As we do not trust electronic money transfers (hey, guys – we conduct a security conference!) the following rules will apply:
We made this decision because every year we have to handle many different currencies, have to calculate exchange rates and pay a huge amount of banking fees for international bank transfers. Our international branch in Cayman Islands (DeepIsland intl.) will handle all financial matters.
I hope you all understand our decision and will support us as every year.
This decision was made in Vienna, Austria on March 31st 2013 at 2:30 AM and is irrevocable.
Lynx and MiKa.
It’s never a bad idea to see what the outside world looks like. If you intend to go for a walk, you will probably consult the weather report in advance. If you plan to invest money (either for fun or for savings), you will most certainly gather information about the risks involved. There are a lot of reports out there about the IT security landscape, too. While there is nothing wrong with reading reports, you must know what you read, how the data was procured and how it was processed. Not everything that talks percentages or numbers has anything to do with statistics.
Let’s talk about metrics by using an example. Imagine an Internet service provider introduced a „real-time map of Cyber attacks“. The map would show attacks on their „honeypot“ systems at 90 locations worldwide. Let’s say that the bait hosts record up to 450,000 attacks per day. Furthermore let’s assume the data is published on a web page with real-time updates of counters, date, country of origin, attacked subsystem and target sensor type. What does this give you in terms of risk assessment? Answer: A lot of open questions.
So a half-hearted dashboard with colourful graphs, charts and numbers won’t get you anywhere. Once the metrics and the methods are flawed, all you get is digital manure. Picking meaningful metrics is difficult. You cannot just take anything that can be counted and put it into a database. You have to attach meaning and a link to real threats against real production networks.
Even if you disregard the technical issues and count „incidents“ instead, you may run into trouble. First of all there is the problem of publishing security incidents. There will always be a difference between detected and undetected breaches, and there will always be organisations which won’t disclose all or some of their incidents. Then there is the growth of the Internet. The number of connected systems is rising. It is pretty hard to count all active hosts and their services. We are not even talking about IPv6, where the vast address space makes exhaustive scanning infeasible and special enumeration methods are needed. So if you see reports claiming that the number of attacks is rising, well, the number of connected hosts is rising, too. Even here you have to get the meaning and metrics right.
If you have dealt with meaning, metrics and statistics, are a security researcher and have visions how to assess risks and the state of IT security closer to reality, then you are invited to share your findings with us at the DeepSec conference or the DeepINTEL seminar. In case you know that statistics is a part of mathematics and is a lot more than simply dividing two numbers to get a percentage, we will be very happy! ☺
There was a Cryptographers’ Panel session at the RSA Conference with Adi Shamir of the Weizmann Institute of Science, Ron Rivest of MIT, Dan Boneh of Stanford University, Whitfield Diffie of ICANN and Ari Juels of RSA Labs. You have probably read Adi Shamir’s statement about implementing (IT) security in a „post-crypto“ world. He claimed that cryptography would become less important for defending computer systems and that security experts have to rethink how to protect valuable information in the light of sophisticated Advanced Persistent Threats (APTs). „Highly secured“ Infrastructure has been compromised despite „state of the art” defence mechanisms. So what does rethinking really mean? Do we have to start from scratch? Should we abandon everything we use today and come up with a magic bullet (or a vest more appropriately)?
Our first conclusion is not to abandon cryptography altogether. Speaking of cryptography is a broad generalisation. Encrypting information will always be a part of securing infrastructure and data. Shamir mentioned that once attackers have compromised a system they have access to decrypted information. This is true for any security measure – it doesn’t imply that we should abandon access controls, tokens and passwords just because we might suffer a security breach. There will be breaches sooner or later, but cryptography isn’t at fault here. You can break trust without breaking cryptography. Ask the social engineers.
Speaking of trust, there is a big issue with trust and secure data transport. Past attacks have featured valid certificates issued by certificate authorities. Even certificate authorities themselves have been breached, abused or broken (look up the Comodo, DigiNotar or TurkTrust cases). While there are plenty of certificates left, the term authority has lost some – if not all – of its credibility. If you use a public key infrastructure (PKI) you can either run and secure it yourself (which is a lot of effort, depending on what you use the PKI for), or you can outsource it to trusted certificate authorities. Most infrastructures require a mix of different certificate authorities. You can experience this mix if you install the Certificate Patrol add-on for Firefox and watch certificates and certificate authorities change every time you load web pages using content distribution networks. Even experts have a hard time telling which change is legitimate and which might be a threat. PKI is a nice tool, but you will need additional or alternative methods to anchor and verify trust relationships. There is no way around it.
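To make the "which change is legitimate?" problem concrete, here is an added example of a trust-on-first-use certificate monitor. It is not code from the original post and not Certificate Patrol's logic; the two heuristics (same issuer plus old certificate close to expiry counts as a probable renewal, everything else is flagged for review) and the 30-day window are assumptions of this example, and the observations it replays are constructed.

```python
"""Trust-on-first-use monitor for X.509 certificate changes per host.

Added example. The first certificate seen for a host is recorded; later
changes are classified with two assumed heuristics: a probable renewal keeps
the same issuer and replaces a certificate that is close to expiry, anything
else is flagged for review. Observations below are constructed.
"""
from datetime import datetime, timedelta

# Assumed: renewals normally happen within this window before expiry.
RENEWAL_WINDOW = timedelta(days=30)


class CertMonitor:
    def __init__(self):
        # host -> (issuer, fingerprint, not_after)
        self.known = {}

    def observe(self, host, issuer, fingerprint, not_after, seen_at):
        """Return a verdict for this observation and update the store."""
        previous = self.known.get(host)
        self.known[host] = (issuer, fingerprint, not_after)
        if previous is None:
            return "new-host"
        old_issuer, old_fp, old_not_after = previous
        if old_fp == fingerprint:
            return "unchanged"
        if old_issuer == issuer and old_not_after - seen_at <= RENEWAL_WINDOW:
            return "probable-renewal"
        if old_issuer != issuer:
            return "review: issuer changed from %s to %s" % (old_issuer, issuer)
        days_left = (old_not_after - seen_at).days
        return "review: replaced %d days before expiry" % days_left


def replay(observations):
    """Feed (host, issuer, fingerprint, not_after, seen_at) tuples through one monitor."""
    monitor = CertMonitor()
    return [(host, monitor.observe(host, issuer, fp, not_after, seen))
            for host, issuer, fp, not_after, seen in observations]


# Constructed observations; fingerprints are shortened placeholders.
T = datetime(2013, 4, 1)
OBSERVATIONS = [
    ("mail.example.org", "CA-A", "aa:11", datetime(2013, 4, 20), T),
    ("mail.example.org", "CA-A", "aa:11", datetime(2013, 4, 20), T + timedelta(days=1)),
    # same issuer, old certificate expires in 17 days: looks like a renewal
    ("mail.example.org", "CA-A", "aa:22", datetime(2014, 4, 20), T + timedelta(days=2)),
    ("www.example.org", "CA-A", "bb:11", datetime(2014, 1, 1), T),
    # different issuer while the old certificate is nowhere near expiry
    ("www.example.org", "CA-B", "bb:22", datetime(2014, 1, 1), T + timedelta(days=3)),
    ("cdn.example.org", "CA-A", "cc:11", datetime(2014, 6, 1), T),
    # same issuer, long validity left: the CDN case, flagged although it may be benign
    ("cdn.example.org", "CA-A", "cc:12", datetime(2014, 6, 1), T + timedelta(days=1)),
]

if __name__ == "__main__":
    for host, verdict in replay(OBSERVATIONS):
        print("%-18s %s" % (host, verdict))
```

The last two observations show the limit the text describes: a host behind a content distribution network legitimately presents several certificates, and a monitor that only sees the chain cannot tell that apart from a substituted certificate. The verdict can only say "review"; deciding needs an additional trust anchor (an out-of-band fingerprint, a pinned key, or the site operator telling you what to expect).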
Let’s skip the part about the Bring Your Own Device (BYOD) hype. If you open the flood gates and allow any kind of device into your network, then you are clearly not afraid of APTs.
Adi Shamir talks about secrets, failures and visions. And even if we do not fully agree with his statement, we concur that we need some visions. The motto for DeepSec 2013 is „Secrets, Failures and Visions“. Our Call for Papers is open. Send us your submissions.
We are preparing the call for papers for DeepSec 2013, and we are trying to shift your mindset. We could easily come up with a list of trending technologies, gadgets and behaviours that will have an impact on information security. Instead we are looking for presentations and workshops dealing with secrets, failures and visions. This gives us another perspective and hopefully more to think about.
You can put all hot topics of IT security into either one of these categories. Really good lessons touch all three.
We ask you to send us your submissions for talks and trainings and we’re looking forward to it!
Keep secrets, failures and visions in mind!
(This is the first part of a series which can be regarded as our “Mission Statements”.)
No, this is not what a conference should be like: By some obscure coincidence 32 speakers emerge with a talk in their pockets and hit the stage, one after the other. Rather this is true: We are shaping our DeepSec and DeepINTEL events and those who know us a little bit closer are not surprised. We are searching for topics, we are soliciting submissions and we invite people to our stage whom we find interesting, ground-breaking, promising, surprising or just plain ingenious. Additionally we read our CfP submissions very carefully and often we discuss the submissions with the speakers if we are not fully confident where the talk is heading. We also discuss submissions with close friends in the security community whom we trust to be objective, neutral and knowledgeable about new trends and topics. Both of us have a solid technical background and we are able to separate the wheat from the chaff. E.g. “Hole196” would not have made it onto our stage. And while we are at the topic: we both were mildly amused about the submission from Ligatt Security a few years ago.
The line-up of our speakers is not randomly chosen and not based on fame or reputation alone. We even observe sometimes that superstars of the security circus lack brilliance, novelty and something that we really love: controversy, a little bit of provocation and alternatives to the mainstream. We can fully understand that some people rather stay on the safe side when they address a very large audience. But maybe exactly this is a hindrance to developing better and more efficient strategies to achieve our goal: mitigating and preventing risk at the highest possible level. We believe that in a landscape that changes as quickly as the threat landscape, conservatism is maybe not the best choice. We want the vanguard and lateral thinkers (No! you won’t hear “out of the box thinking” from our mouths!) and being a small conference we can afford not to attract an audience of thousands of people, retreating to the lowest common denominator.
We don’t like exaggeration and creation of panic: “Experts are warning: We are all doomed!”, “Everyone can be attacked, only I can save you”… come on, guys, are you serious?
When selecting talks or workshops from our submissions we strictly make no discrimination or preference based on anything else than the quality, novelty, impact or relevance of that specific submission. Or in other words, we “discriminate” only on the grounds of ability, in contrast to Tom Lehrer’s satiric introduction to his song “It Makes a Fellow Proud to be a Soldier”:
[...] one of the many fine things one has to admit is the way that the army has carried the American democratic ideal to its logical conclusion in the sense that not only do they prohibit discrimination on the grounds of race, creed, and color, but also on the grounds of ability.
We are very proud to receive every year more than double the number of submissions we have slots for, and it also gives us a lot of headaches which submissions to choose. Often we prefer to invite a newcomer to the stage if the content is more promising than the “safe choice” of well established truths, which are repeated all over the place.
That’s how we see our events. Again this year we will carefully choose the conference talks and workshops. DeepINTEL, which takes place for the second time, will move to the south of Austria into a rustic resort in the middle of the Alps close to the Slovenian border, and DeepSec will stay at our traditional venue, the Imperial Riding School in the centre of Vienna. The Call for Papers will be open soon for both events.
This is a gentle reminder that the Call for Papers for Security BSides London still runs until January 5th 2013. If you got some extra time during the boring Christmas days or right after New Year’s Eve, then you should submit. Show us how you break or fix something!
And if you have never presented before, you should definitely take a look at the Rookie Track. BSides London actively supports speakers with little or no experience on stage. Submit a talk, get a mentor, prepare and tell us what you have found!
See you in London!
We have collected links to articles covering DeepSec 2012. If we missed one, please let us know.