BSidesLondon 2017 – Sharing is indeed Caring

When airport security meets information security it’s usually BSidesLondon time. It was a great experience. And since DeepSec sponsors the Rookie Track we had a very tough decision to make. It’s really hard to pick a winner. A lot of presentations were excellent, and the presenters made the most out of the 15 minutes. The winner is Thaís for her introduction to malware analysis by using satisfiability modulo theories (SMT). If you get the chance of seeing her presenting somewhere, BSidesLondon logotake a seat and listen to her.

We also like to recommend Colette‘s presentation titled ‘How the f**k do I get in? One woman’s struggle to break into cyber security!’. Despite the title it was not a rant, it was a clear and concise summary of the state of affairs for women in technology. We hope to hear more about this, and we encourage you to ask Colette for a presentation in case you organise an event. We did.

The motto sharing is caring is often abused, and the context in which it is used varies wildly. Chris Kubecka explained in the keynote Freaky Leaks from a Chic Geek what her understanding is. Indeed leaks are all around us. And leaks are here to stay, given that networks, software, and systems are not as airtight as advertising wants us to believe. Plus leaks are also used wildly out of context. She addressed some important issues regarding disclosure and incident reporting (or vulnerability reporting, depending on how many already know about the weakness). It’s amazing what people maintaining and „installing“ industrial controls systems can and will do. Industry 4.0 and Smart Power Plants are anything but smartly designed or implemented. Her presentation was full of examples on how to deal with information about critical weaknesses. Make sure you think about implications before they happen, regardless on which side you are on.

We shared and cared a lot. Thanks to the BSidesLondon crew, all speakers, all trainers, and all the sponsors!

The Future of Entangled Security States – Quantum Computing Conference in Berlin

Quantum computing is a fashionable term these days. Some IT news articles are talking about post-quantum cryptographyTaken from, qbits, and more quantum stuff. If you don’t know how the terms relate to each other, what entangled states in quantum physics are, and what everything has to do with computing, then you will have a hard time figuring out what it means for you and your infrastructure. The relationship to cryptography is yet another matter best explored after you know the basics.

Using quantum effects in computing and cryptography is already done. The best example are some hardware random generators which use properties of, well, the hardware to harvest entropy. And then there is quantum key distribution (QKD). It is a method to ensure secure communication between two or more nodes. Vienna even had a working QKD network named SECOQC which was created in 2008.

So how can you learn more? Our friends at stage a conference about quantum computing on 23 June 2017 in Berlin. The conference is aptly titled Dawn of the Quantum Era. Leading experts will explain about the current state of quantum computing, quantum communication and quantum cryptography.

In one intense conference day, IT decision makers and those, who are interested in the future will learn everything that’s important about the very subject. Where does quantum mechanics stay and what has research so far brought to light? What is the current state of research in the development of quantum computers? What can quantum algorithms and quantum encryption do? And which challenges postquantity encryption has to face? These are just a few of the questions to be answered at the upcoming conference. Participants will also discuss which future technology is more promising: supercomputer or quantum computer.

Amongst others, Speakers include Prof. Dr. Vlatko Vedral from the University of Oxford as well as Tracy Northup from the University of Innsbruck, who holds the current quantum computer speed world record. Silicon Valley will be also represented: Will Zeng comes from the quantum startup Rigetti, in which known Venture capital investor Andreessen Horowitz has invested in recently. Stefan Filipp, one of the leading quantum researchers at IBM will also be present as a speaker.

The conference Dawn of the Quantum Era takes place on the 23rd of June 2017 at the Zoo Palace in Berlin. You can find the final programme on the conference’s website as well as the biographies of all the speakers and short abstracts of their talks. Conference tickets are already available.

Biometrics and Failures in understanding Security – Copy & Paste Iris Scans

Biometrics has an irresistible attraction. Simply by mentioning the fact that you can measure parts (or surfaces) of the body and convert them to numbers a lot of people are impressed out of their mind. Literally. In theory biometric information serves as a second set of data to be used for any purposes. A common purpose is to use it for authentication. Most physical sources of biometric data are easily accessible. Fingers (for fingerprints), eyes (for your iris), limbs (for your veins), voice (for the Cloud), and other examples show this well.Biometrics can be copied Where does the security come into play? Well, it doesn’t.

For starters, passwords can be changed. Biometrics can’t unless you have a transplant. In contrast to passwords biometrics can be faked. The biometric source can be copied. In most cases this is as easy as doing a scan and printing it again. The German Chaos Computer Club has repeatedly demonstrated that copies work extremely well. They used simple iris photographs (for gaining access to a Samsung Galaxy S8) and fingerprint copies (to overcome Apple Touch ID) in the past. Almost any multi-factor authentication beats this security record easily.

Furthermore the biometric check is based on a comparison of digital data sets. Algorithms compensate for variations during the measurement, i.e. the scan phase, of the body part used. Since no two measurements are alike, there is some room for errors. This can be exploited by adversaries. Think of it as trying to manipulate optical character recognition (OCR) by manipulating text and fonts. You can do this for voices, too. Recently a Canadian company was in the news, because they showed recreated voices of Barack Obama and Donald Trump. The source were samples from interviews and speeches.

So please don’t use biometrics as a silver bullet to solve problems which can be solved more efficiently by other technologies. And don’t use sensors designed to work for and in your living-room for critical security. In case you won’t do this, we welcome you or your company as a show case at DeepSec 2017. The presentation title might even contain your name.

Disinformation Warfare – Attribution makes you Wannacry

After the Wannacry malware wreaked havoc in networks, ticket vending machines, companies, and hospitals the clean-up has begun. This also means that the blame game has started. The first round of blame was distributed between Microsoft and the alleged inspiration for the code. The stance on vulnerabilities of security researchers is quite clear. Weaknesses in software, hardware, protocols, or design needs to be documented and published. This is the only way to address the problem and to give the defenders a chance to react. The discussion about how to deal with the process is ongoing and will most likely never come to a conclusion. What about the source of the attack?

Attribution is hard. Knowing who attacked has become increasingly difficult in the analogue world. Take any of the conflicts around the world and have a look. There is no clear picture of who did what exactly for which reason. When it comes to cyber warfare you basically have to deal with lots of disinformation. We have had many talks about the use of the Internet and other networks in digital skirmishes. Routing data via a different set of connections is the core property of the Internet. You cannot trace the trajectory of a projectile. You can only rely on the forensic analysis of the attack (and even this is disputed since forensic software can be manipulated) and on data you see in network interactions. Deception is the basic ingredient of any attack. The glorified open field battles where people run at each other screaming is not what you can expect from real situations.

There are speculations that Wannacry was launched by North Korea. Russia, China, and North Korea are the default origins any analysis starts with (the only exception being Stuxnet for obvious reasons). Most people forget that false flags operations are a common military tactic. There is an easy recipe to fake an attack. Want to look like APT28? No problem. Need a specific origin for your reconnaissance? That’s what the cloud is for! You can also use the vast archive of malicious software as a starting point. The code, contrary to the truth, is out there.

Getting intelligence right is as hard as getting the attribution right. It’s not impossible, but you have to keep this in mind when reading the news about incidents such as Wannacry or others. The last attack didn’t even take advantage of the Internet of Things. Imagine that! We have just seen a glimpse of the future. If you want to prepare yourself for what’s next, you need to get your intelligence right in addition to your security. Why not join us in September for DeepINTEL and think about strategies for the future?

Wannacry, Code Red, and „Cyber“ Warfare

Society and businesses increasingly rely on networked infrastructure. This is not news. Worms that used networks to spread to new hosts in order to infect them is also not news. Code Red did this back in 2001. There is a new worm going around. Its name is Wannacry, and it is allegedly based on published attack code developed by the NSA. The malicious software is delivered by email. After successful installation it infects the host and propagates to other systems by using probes to port 139/TCP, 445/TCP and 3389/TCP. It belongs to the class of ransomware, encrypting files and demanding ransom. Thousands of infected systems are still active. The attack is still ongoing. If you are in doubt if you have compromised systems within your network, we recommend taking a look at how to spot the malware.

The new ingredients of this worm are known vulnerabilities and network capabilities to spread near infected computers. This means that nearby hosts will be infected even if they did not receive the initial email with the malicious document. The patch for the exploited vulnerability is out since 14 March 2017. The code seems to be based on tools published by the Shadow Brokers in August 2016. Since the code has already been changed and uses different payloads, the threat will persist for a while. It’s easy to blame the lack of upgrades, but upgrading can be quite difficult. Containing networked systems, filtering local network traffic (especially taking care of management access protocols), and keeping an eye out for an increase in scans works regardless of the weaknesses exploited.

The deeper problem has to do with how we handle vulnerabilities in software. Bugs need to the disclosed as early as possible. Developers and vendors do need a chance to fix their code. This is especially true for vulnerabilities (where the bug has been applied) and exploits (where the vulnerability has been refined to production status). There is also a connection to malicious software used in law enforcement, military operations, and intelligence organisations. Breaking into networks or computer systems works well if you possess knowledge about exploits no one else has. Wannacry is a good example of how this secret code endangers critical infrastructure. There have been reports that hospitals in the UK were hit by the worm. Back in 2012 fx talked about this very scenario in the keynote presentation (titled We Came In Peace – They Don’t: Hackers vs. CyberWar). The existence of 0-days put everyone at risk. This is why biological warfare does not work – and we are dealing with a virus in the wild attacking networked systems as of now.

At DeepINTEL we will discuss strategic aspects of information security. This includes how to handle threats like Wannacry and how to counter these threats.

DeepSec welcomes SEC Consult as Sponsor for 2017!

Testing products, production code, security measures, or the overall security of infrastructure is hard work. The typical needs in term of information technology for a company or an organisation has become a variety of components that need to be maintained and hardened against attacks. The devil is in the details. In order to find critical weaknesses you need decades of experience, a thorough understanding of the technologies in use, in-depth knowledge of processes that touch information technology, and a decent portion of creativity to come up with ways around obstacles. SEC Consult, our long-time sponsor, has all of this – and more. They publish their findings and offer consulting for anyone needing extra security. Take a look at the House of Keys project, the IoT Inspector, or gaping holes in digital forensics software that allows to manipulate evidence.

SEC Consult is the leading consultant in the field of cyber and cyberspace application security within the German-speaking countries. The company with offices in Europe, Asia and North America specialises in the establishment of Information security management and certification support according to ISO27001, Cyber Defence, DDoS tests, external and internal security tests, secure software (development) and the gradual, sustainable improvement of the level of security. SEC Consult’s customers include leading companies, authorities and organizations from various sectors of the private economy as well as the critical infrastructure.

Experts from SEC Consult will be present throughout the conference. If you want to get in touch for a chat, we encourage you to do so. They can tell you more about their published work, ongoing projects, and will share their view of critical infrastructure and how to protect it. We can also recommend to attend presentations by their researchers. You will learn a lot, and they are willing to share their opinion. Plus they can help you to attend DeepSec 2017 – contact them and ask for a sponsored ticket.

DeepSec welcomes Digital Guardian as Sponsor for 2017

No event can be done with supporters, and so we welcome Digital Guardian as sponsor for the upcoming DeepSec 2017 conference! If you have data in your organisation, then you might be interested in talking to Digital Guardian’s experts, because they know a lot about what data does, where it lives, what endpoints really are, how you protect it, and how you keep exclusive access to it. Since data is code on most computing architectures, there’s a double benefit.

Digital Guardian is a next generation data protection platform purpose built to stop data theft. The Digital Guardian platform performs across the corporate network, traditional endpoints, mobile devices and cloud applications to make it easier to see and stop all threats to sensitive data. For more than 10 years, it has enabled data-rich organizations to protect their most valuable assets with an on premise deployment or an outsourced managed security program (MSP). Digital Guardian’s unique data awareness and transformative endpoint visibility, combined with behavioral threat detection and response, enables you to protect data without slowing the pace of your business.

So if you want to protect your digital assets and still be able to work with them, you should take advantage of the opportunity of meeting the data protection experts at DeepSec 2017. They also have a contingent of sponsored tickets, so go and talk to them to make an appointment.

Call for Papers: 1st Reversing and Offensive-Oriented Trends Symposium (ROOTs) 2017

ROOTs 2017

The first Reversing and Offensive-Oriented Trends Symposium (ROOTs) 2017 opens its call for papers. ROOTs is the first European symposium of its kind. ROOTS aims to provide an industry-friendly academic platform to discuss trends in exploitation, reversing, offensive techniques, and effective protections. Submissions should provide novel attack forms, describe novel reversing techniques or effective deployable defenses. Submissions can also provide a comprehensive overview of the state-of-the-art, and pinpoint promising areas that have not received appropriate attention in the past.

To facilitate interaction with industry, the ROOTs ticket will be valid for all DeepSec conference tracks on both days, including the industry tracks, and the DeepSec conference tickets for the industry track will be valid for ROOTs. The usual rules for academic discounts apply. Please contact the DeepSec staff or our sponsors for discount codes.


Topics of interest include, but are not limited to:

  • New exploitation techniques and methodologies
  • New reverse engineering techniques and methodologies
  • The role of exploitation in the science of security
  • The role of reverse engineering in the science of security
  • New unintended models of programming and execution wherein the program is encoded in data, metadata, descriptors, etc.
  • Formal models of exploitation and formal methods for exploitation
  • Systematization of knowledge in exploitation
  • Systematization of knowledge in reverse engineering
  • Exploitation of trending platforms and architectures: IoT, cloud, SDNs, etc.
  • Reverse engineering of trending platforms and architectures: IoT, cloud, SDNs, etc.
  • Exploitation perspectives on emerging trust models: SGX, blockchains, etc.

PC & Publisher

The Call for Papers is open, and we welcome any kind of submissions. All submitted presentations will be reviewed by the programme committee consisting of the following persons.

Program chair: Sergey Bratus (Dartmouth College)
General chair: Edgar Weippl (TU Wien, SBA Research)
Co-General chair: René Pfeiffer (DeepSec)

Patroklos (argp) Argyroudis (CENSUS S.A.)
Jean-Philippe Aumasson (Kudelski Security, Switzerland)
Hebert Bos (V.U. Amsterdam)
Stephen Checkoway (University of Illinois at Chicago)
Gynvael Coldwind (Google Security Team)
Lucas Davi (University of Duisburg-Essen)
Thomas Dullien (Google Project Zero)
Aurelien Francion (EURECOM)
Mario Heiderich (Cure53)
Vasileios Kemerlis (Brown University)
René Mayrhofer (JKU Linz)
Marion Marschalek (BlackHoodie)
Collin Mulliner (Trifinite)
Marcus Niemietz (RUB)
Alexander Peslyak (Openwall)
Konrad Rieck (TU Braunschweig)
Ahmad-Reza Sadeghi (TU Darmstadt)
Sebastian Schinzel (FH Münster)
Juraj Somorovsky (Hackmanit)
Filippo Valsorda (Cloudflare)
Edgar Weippl (TU Wien, SBA Research)
Fabian Yamaguchi (TU Braunschweig, LeftShift)
Stephano Zanero (University Politecnico di Milano)

Application for inclusion in ACM DL via the International Conference Proceedings Series (ICPS) is pending. See ACM’s details about author’s rights.

The Call for Papers uses the Easychair CfP manager. All submissions must be sent until 5 August 2017. Authors will be notified by 15 September 2017. We need your camera-ready papers until 5 October 2017.

Submission Instructions

Submissions to ROOTS are not limited in page count, but their length should be commensurate with the results; 5-10 pages of two-column PDF using the sigconf template from We encourage submissions of papers based on results previously presented at industry or hacker conferences, so long as the papers themselves have not been presented elsewhere. We also encourage Systematization of Knowledge (SoK) submissions.

If you have further questions, do not hesitate to contact us.

DeepINTEL Update, Science First Campaign, Early Birds, and other News

The Easter break is over. We didn’t sleep (much), and we did not look for Easter eggs in software either. Instead we did a bit of work behind the scenes. DeepSec 2017 will have some more content due to the co-hosted ROOTs workshop. The full call for papers will be ready on 1 May 2017. We will publish the text here on this blog, and email it to interested researchers. In the meantime the DeepSec 2017 Call for Papers is waiting patiently for your submission.

In case you haven’t noticed, the DeepSec and DeepINTEL ticket shops are online. Please book your ticket as early as possible! Every year so far we had some people at our conference who were very sad because their favourite training was not available. If you book early you’ll help us to secure your favourite training. Instant messaging is a lot easier than the instant transport of a trainer halfway across Europe or the globe. We will inform you about the training submissions in advance, so that you can plan your education for the fourth quarter.

The preliminary schedule for DeepINTEL is ready. We will send it to interested parties via email and publish a shorter version on the DeepINTEL web site. Threat intelligence is as important as ever. We have some interesting topics for you.

Looking forward to see you in September and in November in Vienna!

Applied Crypto Hardening Project is looking for Help

Hopefully many of you know the Applied Crypto Hardening (ACH) project, also known as The project was announced at DeepSec 2013. The idea was (and is) to compile hands-on advice for system administrators, dev ops, developers, and others when it comes to selecting the right crypto configuration for an application. The document covers far more protocols than HTTPS. OpenSSH, OpenVPN, IPsec, and more topics are described in the PDF guide. The project is run by volunteers. This is where you come in.

The ACH project needs more volunteers to keep going. New GNU/Linux distributions are around the corner (the apt store never sleeps). Some vendors really do upgrade their code base. Libraries change and bleed less. Algorithms get tested, improved, and re-evaluated. The field of cryptography is moving forward, as it should. So if you have some mathematics skills, know your way around configurations, like to work with text fragments and documents, and would like to help improving the crypto capabilities of the software around you, then there is a way to express yourself. Join the mailing list. Get a Github account or use you existing one. Send pull requests. Help with the reviews.

Just because some vendors and some developers haven’t been fast asleep for the past four years, the effort to promote, test, and deploy solid cryptographic configurations does not happen automagically. It’s not all about OpenSSL cipher strings. It is about all applications that use cryptography. Help with your skills. We do.

Plus you can even submit a talk for the DeepSec 2017 Call for Papers and talk about how you did things cryptographically right. We had some talks about this in the past. Don’t be a pre-quantum crypto couch potato!

SS8 – Replacement for Insecure Signalling System No. 7 (SS7) Protocol revealed

The ageing SS7 protocol has reached it’s end of life. Security experts around the world have criticised vulnerabilities a long time ago. SS7 even facilitated unsolicited surveillance attacks. What’s more, it has its own talks at the annual Chaos Communication Congress – which is a clear sign of fail if there is more than one presentation dealing with inherent design failures. It’s time to put SS7 to rest. Since the 1970s the requirements for signalling have clearly changed. It’s not only about telephones any more.

SS8, its successor, features a brand new design and fixes the many shortcomings of SS7. New technologies such as blockchain, artificial intelligence, crowd routing, social signalling, full “tapping”, and deep state connections are now part of the core functions. Furthermore, SS8 is completely in harmony with Big Data, because it offers a compressed metadata format for long-time storage (thus accommodating requirements of different countries all over the world). It had been secretly tested, and the deployment is planned to start at the end of 2017. The upgrade will be seamless and will be over by Christmas, as usual.

New features of SS8 include

  • zero-knowledge surveillance,
  • in-band cyber defence by cloud algorithms,
  • Big Data API for metadata backup to off-site storage,
  • military-grade end-to-end obfuscation,
  • wire “tapp” proof countermeasure heuristics,
  • signalling transactions secured by a blockchain,
  • multi-peer conversations (bidirectional and listening-only),
  • attocells for PAN or NFC environments,
  • integration with 5G networks, and
  • backported 6G features.

The future of communication is looking bright again. An in-depth security analysis of SS8 will be given at DeepSec 2017 in November. If you regularly use telephones of any kind, then you might be interested in attending.

DeepINTEL / DeepSec News for 2017 and Call for Papers

Changing code, layout or designs have something in common – deadlines. But you cannot rush creativity, and so the new design of the DeepSec web site took some time. The old design has served us well. We basically did not change much and used it since 2007. The new design follows the stickers we use for decoration at our conferences, the book cover of the DeepSec chronicles, and many other details we publish via documents – all thanks to the creative mind of fx. So thanks a lot fx!

The content of our conference has also slightly changed. DeepSec 2017 will feature additional content, because we will introduce a third track filled with presentations from academic research. Given the fact-free discussions of information security and security in general, we would like to (re)introduce the scientific method into infosec. Finding flaws in software, hardware, protocols, devices, and many other parts of modern society requires solid lab work, repeatable experiments, and a sound documentation of the findings. This is why the motto of DeepSec 2017 is “Science First!”.

Many of you are unaware that we are running two Call for Papers in parallel. Both presentations for DeepSec and DeepINTEL can be submitted. The process is slightly different.

  • Please use the web form for all things DeepSec. Use it know, use it before 31 July 2017.
  • Everything suitable for the DeepINTEL conference should be submitted via email to deepsec (at) deepsec (dot) net. Please make use of encryption. We like to decrypt your messages. The Call for Papers for DeepINTEL is up and running. Again be quick, submit your work/thoughts on security intelligence, threat analysis, war stories forensics, or incident response by email.

Looking forward to meet you in person and listen to your presentations.

Submit your Talk – Call for Papers for BSidesLondon

The Call for Papers for BSidesLondon is still running! If you haven’t submitted your talk yet, please do! The deadline is 27 March 2017. Don’t miss it!

The Wonderful World of Cyber is full of stuff to talk about. There is broken software all over the Internet (of Things). 0days await. Infrastructure is ready to be defended or attacked. Let others know about your ideas. If you have never presented at a conference before, then you should consider a submission for the rookie track. You have to start somewhere or somewhen, so why not at BSidesLondon?

Looking forward to listen to your presentation at BSidesLondon!

DeepINTEL 2017 – Modern Strategies for Information Security

Seminar on Digital Defence with Experts.

The news is full of reports covering attacks against networked systems and digital components. Every day there is new media coverage about stolen data, compromised accounts, the impact of malicious software, digital second strikes, cyber attacks between countries and new vulnerabilities in computer systems. All that leads to the impression that in the modern digital world we are almost helplessly vulnerable to attacks. Clever entrepreneurs benefit from the general uncertainty and sell countermeasures in the form of security software or other components, which, according to their praise, once installed will kill off every threat automatically. But the media don’t show the whole picture – hardly any report on “hacker attacks” could be called a realistic depiction of real life events. The consequence? It is not possible to build an effective strategy for your own information security based only on media reports and promises of clever vendors. Digital defence is as individual as fire protection or physical measures against burglaries – there is no standard solutions, no one-size-fits-all. What about the security of your own data? Do you know about the risks that may affect you and about the vulnerabilities of your company?

At DeepINTEL you have the opportunity to strategically reflect upon your digital protection. The seminar provides a platform for security officers and experts from threat analysis to work together on strategies for digital defence. Strategies from which you directly benefit as participants.

Security Intelligence and Knowledge

The current practice of companies when it comes to information security consists of protection by the catalogue of measures and security components from the vendor’s tray of the IT security industry. The ones, who really want to be sure, may additionally take a look at the end-of-the-year review or the trends for the upcoming year. However, this approach is completely out of touch with reality – many companies simply do not know which risks affect their own business. A real threat analysis and a thorough judgement of your opponents is the most important component of a good defence! Yet, it is often sadly lacking. Instead, protective devices are used according to their advertised abilities, often without accurate background knowledge about how and from which attacks one should actually be protected by the acquired safety components. But the necessary information would be easy to access, if you know how to, usually it is already available. Your company’s own operating data and a structured analysis of previous safety-related events are the way to improve your security. The magic word? “Security Intelligence”. The structure of your security measures must be based on facts and built methodically correct. To establish a functioning security infrastructure documented threats, data of your own infrastructure, actual dangers and appropriate indicators for a security incident have to be taken into account.

The DeepINTEL conference provides a platform for security officers and experts from the threat analysis to work together on strategies for digital defence. Security Intelligence is interdisciplinary and requires experience in analysis beyond the pure application of statistics. The flow of data, communication, the right metric, sure indicators for a break-in, the appropriate evaluation, or the correct deconstruction of IT into its individual parts must be carried out by experts. You can find this expertise at DeepINTEL.

Big data without content is no solution

Machine learning or Big Data are often used as buzz words to conceal ones own deficits. But with big words alone you can’t score points when it comes to IT security. You have to examine your own infrastructure and look for meaningful metrics. It is not about plenty, it’s about the right data records. Anyone who blindly analyzes data, misses the relevant threats. Even the best algorithms have to be used correctly. A methodological approach is very important. Perceived threats can not be measured and inevitably lead to security nihilism,a sentiment also easily evoked by reading the latest articles of everyday IT news.

Of course one has to draw attention to existing threats. But never forget that the side of the defence knows best about its own infrastructure and digital treasures. If you don’t use this advantage, you do your opponents an invaluable service.

IT Security with Security Intelligence

What difference does Security Intelligence make for your IT? How do you incorporate its insights and knowledge into your own security system? The customary opinion among many service providers will lead you to coloured product palettes, supposed to do everything for you automatically. But in the real world, apart from the exhibitions and fairs where these solutions are presented, it’s not that easy. First of all, you need a clear picture of your infrastructure and reliable metrics, which provide information about the state of your own security. From this data, a picture emerges, on which the actual security strategy can be built upon. Digital defense is as individual as fire protection or physical measures against burglary. You won’t screw sensors on the walls at random and hope you cover the neuralgic points. You only get meaningful measurements when you focus on the critical points – and know how to find them.

The DeepINTEL conference would like to provide a platform for both experts and users to exchange ideas about methods of security intelligence. Modern information security is interdisciplinary because IT evolved into so much more since the days of mere electronic data processing of the 1960s. Delegation in the form of outsourcing only shifts your problems and makes you blind to threats. At the DeepINTEL, you have the opportunity to strategically reflect upon your digital protection.

The DeepINTEL conference will take place on the 21 & 22 September 2017 at the Imperial Riding School Renaissance Hotel in Vienna, Austria.

Putting the Science into Security – Infosec with Style

The world of information security is full of publications. It’s like being in a maze of twisted little documents, all of them alike. Sometimes these works of art lack structure, deep analysis, or simply reproducibility. Others are perfectly researched, contain (a defence of) arguments, proofs of concept, and solid code or documentation to make a point. Information security is a mixture of different disciplines such as mathematics, physics, computer science, psychology, sociology, linguistics, or history. It’s not about computers and networks alone. There is interaction between components. Protocols are involved. Even the simple act of logging in and staying in an active session requires in some parts to talk to each other. And then there are rituals. Scepticism is widespread in information security. Questioning your environment is the way to go, but you need to do it methodically and with evidence-based reasoning.

There is an emotional component to IT security too. „Everything is broken, everyone’s going to get hacked eventually.“ You hear this statement a lot, mostly from frustrated engineers. Well, we already know that stuff around us is badly designed or broken by design. Levels of brokenness vary depending on where the stuff (i.e. devices / technology) is being used. Important stuff gets more maintenance and security design than, let’s say, your toothbrush. At this point we can veer off and discuss the Internet of Things at length. Unless you methodically lead this discussion based on evidence, please, just don’t discuss it. The Internet of Things won’t go away just because it is broken (so far). We can handle substances too hot to touch or dangerous chemicals (again, no discussion, we can handle this stuff most of the time), so we can surely deal with dangerous bits. We just have to do it properly. This also means to realise that it is sometimes better to say „I don’t know what that means.“ until you have all the facts to decide what you see or hear.

To get the train of thought back on the infosec track, have a look at Hanno Böck‘s presentation titled „In Search of Evidence-Based IT-Security“. Origin of this talk was the work of Google’s Project Zero where the security of anti-virus engines, among other code, was discussed. Confronting the fancy advertising of security products with the fundamentals of theoretical computer science is a good test to see how evidence-based the approach is. Hanno suggests to take a look at the methods used in other fields where things and stuff are also complicated. Randomised controlled trials (RCTs) are an example. While RCTs are not without disadvantages, you don’t even find the most basic scientific methods in information security publications. White papers and documents titled “(field) study” are even worse. The lack of gathering facts and to process them scientifically makes information security research vulnerable to manipulation. Infosec people smile when cyber attacks are in the news or politicians talk about cyber war. That’s great, but the shoddy work found in some/many published „results“ leave too much room for ambiguous discussions. We agree with Hanno: „Applying rigorous science to IT security could provide a way out of the security nihilism that dominates the debate so often these days…And by learning from other fields Evidence-Based IT Security could skip the flaws that rife other fields of science.“

DeepSec 2017 will have a stronger focus on academic research in the field of information security. In case you need help improving the scientific approach in your project, please let us know. We might be able to help, and we know a lot of researchers who can also help. Plus there are already results of fine research online and published. Take a look at them. It is much easier to defend claims against the legal department of a vendor. Facts are your friend. Dealing with them correctly will save your day.