The Call for Papers of DeepSec 2015 is open! We are looking for your presentation and your in-depth training to add to our schedule. There has been a lot of activity in the past six months with regard to information security. Given the cultural and political impact of vulnerable code, there are ample topics to talk about and to teach.
Cryptography has its place in the limelight since the high impact bug with a cute logo. Getting cryptography right has been the problem of developers and academics for decades. Now everyone knows about it. So if you have some research on encryption, authentication, and secure communication in general, send us your thoughts along with your submission.
Protecting your infrastructure is harder than ever before. Once upon a time only your servers and classic clients used the network. Now your telephone, your refrigerator, air conditioning, the light bulbs in the office, coffee machines, door bells, and many devices have network access too. The Internet of Things (IoT) is slowly taking shape. IoT won’t disappear, so you have to adapt. How does this change your information technology architecture? Share your thoughts on this matter with the DeepSec audience.
Are you afraid of the digital age? Do you fear getting your data stolen? Germany may switch back to the good old typewriters to protect data from high-tech espionage. What do you do? How do you prevent spies from using your network and your systems as a drive-through? Let us know.
Software developers and security researchers have left the Golden Age of Science behind. Involuntarily. Now every bit we do is literally being categorised as “cyber war”. The current debate about the handling of 0days by the Wassenaar Arrangement impacts the IT security industry and academic research. The question is: Will the Internet kill you or will the Internet kill your research? We are used to publishing security vulnerabilities and to talking openly about them. This has changed, and this change is reflected in current policies and laws. We would like to hear your ideas about this matter.
Speaking of policies and laws, we also need to look into this direction. Information security has always been a very interdisciplinary field. Now it reaches far into politics, military, aspects of society, and culture. If you have facts about the interaction between infosec and the rest of our world(s), you should consider presenting at DeepSec in November.
We all put a varying degree of trust in devices, network, software, hardware, and algorithms. Have you ever questioned the way we handle trust in a digital world? Of course you can always go with your gut feeling, but this is probably not what you want when it comes to important decisions. We have entered a research project to take the trust in technology apart and put it back together. In case you have some opinions on this matter that can be turned into a submission for DeepSec 2015, let us know.
When everything fails, you can always use forensics. The pathologist knows what went wrong. Sometimes we have no other means to improve but to learn about what we should have done. The same is true for the digital age. If you are into IT forensics, we would like to hear about what you have seen and what methods work best.
If you have questions, don’t hesitate to get into contact. We are looking forward to receiving your submissions for DeepSec 2015 as soon as possible!
The BSidesLondon event is taking place next week. In case you have missed the tweets and don’t surf the web, check out the schedule. The keynote will shed some light on the gap between information security and technology already being used “out there” in the real world. It’s nice to spend months on solid designs and policies, but this doesn’t help you much when your users go shopping in the meantime.
Further presentations will tell you all about DarkComet, how to rob a bank, Android malware analysis, Point-of-Sale (POS) devices turning you into a billionaire, elliptic curve cryptography for the fearless, hash algorithm magic, infosec for the masses, and much more. You are really in for a treat.
BSidesLondon will feature a rookie track again! Do the rookies a favour and give them a chance. They have worked hard for their talk, don’t let them down. Presenting security issues publicly requires courage, so let’s give them all the support they deserve. We will attend every single rookie talk. Join us!
The DeepINTEL event in September will have a strong focus on a specific kind of intelligence. We will address the issue of espionage. Given the headlines of the past six months it is clear that companies are subject to spying. There is no need for euphemisms any more. Even with half of the information published on this matter, there is no way to deny it. Since the trading of data is a lucrative business, the issue won’t go away. So if you run a company or an organisation, then you might want to deal with risks and threats before they deal with you.
DeepINTEL is focused on security intelligence. Few CISOs and CEOs have a grasp of what this really means. It is much more than doing risk analysis or threat assessment. As we have emphasized time and again, the Big Picture counts. You can counter some threats with a single device or a filtering rule. You cannot easily counter a concerted attack such as espionage. Spying involves many components and steps to retrieve the desired information. It also involves time. In order to detect malicious behaviour over the course of months or even years, you have to apply different techniques. This is where security intelligence enters the stage. You have to create your own tools and processes to get your very own early warning system. The knowledge of your company needs to be part of the analysis. There is no off-the-shelf software which does everything for you. Any vendor claiming to have the solution for your needs in this context is wrong. Of course there are a lot of good tools out there, but first you have to form a clear picture of what your organisation does, where all relevant data sits, and how it flows.
If you are dealing with espionage in your day job or research ways to counter it, please consider the Call for Papers. Encrypted email preferred. DeepINTEL 2015 takes place on 21/22 September 2015.
We have been quieter than usual. We did a lot of preparations for the upcoming DeepSec events and were busy with research projects. In case you want to update your calendars, here are the dates to look out for.
The Call for Papers for the DeepINTEL is open. Please contact us via (encrypted) email.
The Calls for Papers for DeepSec and BSidesVienna will open soon.
Internet Protocol version 6 (IPv6) is not new. Its history goes back to 1992 when several proposals for expanding the address scheme of the Internet were discussed (then known by the name of IP Next Generation or IPng). A lot has happened since RFC 1883 was published in 1996. Due to the deployment of IPv6 we now see implications for information security. Several vulnerabilities in the protocol suite have already been discussed. DeepSec 2014 features a whole training session and three presentations about the future protocol of the Internet.
First Johanna Ullrich talked about a publication called IPv6 Security: Attacks and Countermeasures in a Nutshell. The paper gives you a very good view on the state of affairs regarding security and privacy weaknesses. It is strongly recommended for anyone dealing with the deployment of IPv6-enabled applications and systems.
When it comes to attacks, you probably want to do intrusion detection as well. Once you use new protocols in production environments, you have to make sure that your security infrastructure can cope with them. Martin Schütte introduced his IPv6 plugin for the Snort intrusion detection engine. The plugin contains a preprocessor for neighbour discovery messages and several rule options to evaluate IPv6 specific protocol fields. The code has its own project web site where you can find more information and links to the code itself.
Lastly, a team from ERNW consisting of Enno Rey, Antonios Atlasis & Jayson Salazar presented weaknesses in the Multicast Listener Discovery (MLD) protocol and its successor MLDv2. MLD is used to discover locally connected multicast listeners, similar to IGMP for IPv4. Their work features an overview of the subprotocol, OS fingerprinting on the local link by passively sniffing the wire, amplification of DoS attacks, and potential security issues related to the design of MLD and how they can be exploited by attackers. Since all operating systems come with a variety of IPv6 components enabled, make sure you know what you already have to deal with.
We recommend these talks to anyone connected to the Internet.
Encrypted communication is periodically in the news. A few weeks ago politicians asked companies and individuals all over the world to break the design of all secure communication. Demanding less security in an age where digital threats are increasing is a tremendously bad idea. Cryptographic algorithms are a basic component of information security. Encryption is used to protect data while being transported or stored on devices. Strong authentication is a part of this as well. If you don’t know who or what talks to you, then you are easy prey for frauds.
Should you be interested in ways to improve the security of your messaging and phone calls, we recommend watching the presentation of Dr. Christine Corbett Moran. She is the lead developer of the iOS team at Open Whisper Systems. She talks about bringing the TextSecure and RedPhone applications to the iOS platform. RedPhone can be used for encrypted voice calls. It uses ZRTP for the voice channel, and it displays a shared phrase to identify the integrity of the connection (communication partners can read the phrase to avoid falling victim to manipulation). Calls can be made between two RedPhone applications or to the Signal application on iOS. TextSecure can be used to send and receive SMS, MMS, and instant messages. It uses Curve25519, AES-256, and HMAC-SHA256 as primitives, and it has been audited by a research team from the Ruhr University Bochum.
The presentation held at DeepSec 2014 will tell you how these applications work, and what the current state of porting the code to iOS looks like (both apps have been readily available for the Android platform for years now). In addition you get an inside view on the challenges and rewards of managing an active repository for open source iOS development. We strongly recommend watching the recording. You probably rely on secure communication more than you can imagine.
At DeepSec 2011 Constantinos Patsakis and Kleanthis Dellios held a presentation titled “Patching Vehicle Insecurities”. They pointed out that the car is starting to resemble a computer with mechanical peripherals (in case you haven’t seen their talk, please do!). This is true for all types, not only the modern cars powered by electricity alone. But there is more. Modern cars are connected to networks (i.e. the Internet or the mobile phone network). This means that your method of transportation is part of the dreaded Internet of Things. Given the design flaws we have seen in talks given at DeepSec, it is no surprise that this is a breeding ground for major trouble. The Allgemeiner Deutscher Automobil-Club (ADAC), a German motoring association, discovered a lapse in the communication between BMW cars and the servers responsible for crucial commands such as unlocking the car.
The ADAC team was able to reverse engineer the protocol being used and to manipulate commands. Why? Because the communication did not feature any kind of encryption or authentication. This means that your Connected Car of the future uses the protocol standards of the 1990s Internet. Apparently BMW fixed the security issue by adding HTTPS. The implications are bigger than you might expect. In the case of stolen cars insurance companies might also be interested in what exactly happened to the car and which security vulnerabilities were involved.
Security should be part of the design right from the start. This is especially true for “simple” features like encryption and authentication. If the brakes, the passenger protection, and other aspects are taken seriously, then this must also be true for the communication protocols. There can be no exception.
At the opening of DeepSec 2014 we announced the next DeepINTEL to be in Spring 2015. We have now finalised the date. DeepINTEL 2015 will take place on 11 / 12 May 2015, and it will be held in Vienna. The call for papers, already announced at the opening of last year’s DeepSec, is still open. We are looking for your submissions.
Since we want to address security intelligence, we would like to know everything about threats, risk assessment, metrics that give you an idea what you really see, forensics, and improvements on the way to detect and defend. We are definitely not interested in presentations about the cyber hype. We want to hear about real sabotage, real compromised systems; you know, reality and all that.
Please make sure to send your ideas to cfp at deepsec dot net, or you can use deepsec at deepsec dot net (encrypted emails preferred, please use our key 0xE1170EDE22860969).
We are back from our break. We have been busy behind the scenes. The video recordings of DeepSec 2014 have been fully post-processed. The video files are currently on their way to our Vimeo account. The same goes for the many photographs that were taken by our photographer at the conference. We are preparing a selection to publish some impressions from the event.
The dates for DeepSec 2015 and DeepINTEL 2015 have been finalised. DeepSec will be on 17 to 20 November 2015. DeepINTEL will be on 11 and 12 May 2015. The Call for Papers for DeepSec will be open soon. You can send your submissions for DeepINTEL by email to us (use either cfp at deepsec dot net or deepsec at deepsec dot net; the latter has a public key for encrypted communication). A lot has been broken since November 2014, and we would love to hear about it.
For everyone interested in attending DeepINTEL, please get in contact with us.
The first recording of DeepSec 2014 has finished post-processing. Just in time for the holidays we have the keynote presentation by Alex Hutton ready for you. Despite its title “The Measured CSO” the content is of interest for anyone dealing with information security. Alex raises questions and gives you lots of answers to think about. Don’t stay in the same place. Keep moving. Keep thinking.
We would like to thank everyone who attended DeepSec 2014! Thanks go to all our trainers and speakers who contributed with their work to the conference!
We hope you enjoyed DeepSec 2014, and we would certainly like to welcome you again for DeepSec 2015!
You will find the slides of the presentations on our web site. Some slides are being reviewed and corrected. We will update the collection as soon as we get new documents. The video recordings are in post-processing and will be available via our Vimeo channel. We will start publishing the content soon.
DeepSec 2014 is open. Right now we start the two tracks with all the presentations found in our schedule. It was hard to find a selection, because we received a lot of submissions with top quality content. We hope that the talks you attend give you some new perspectives, fresh information, and new ideas how to protect your data better.
Every DeepSec has its own motto. For 2014 we settled for a quote from the science-fiction film Starship Troopers. The question Would you like to know more? is found in the news sections portrayed in the film. It captures the need to know about vulnerabilities and how to mitigate their impact on your data and infrastructure. Of course, we want to know more! This is why we gather at conferences and talk to each other. We are especially proud to welcome friends and projects that attended DeepSec in the past and return with the results of lively discussions.
Of course, we could also have selected the only good bug is a dead bug for this year’s conference, but we believe this motto should be every day’s motto.
Enjoy DeepSec 2014!
The DeepSec 2014 schedule features a presentation about (hidden) hypervisors in server BIOS environments. The research is based on a Russian analysis of a Malicious BIOS Loaded Hypervisor (conducted between 2007 and 2010) and studies published by the University of Michigan in 2005/2006 as well as 2012/2013. The latter publications discuss the capabilities of Virtual-Machine Based Rootkits and Intelligent Platform Management Interface (IPMI) / Baseboard Management Controller (BMC) vulnerabilities. Out-of-band management is sensitive to attacks when not properly protected. In the case of IPMI and BMC the management components also play a role on the system itself, since they can access the server hardware and are capable of controlling system resources.
Combining out-of-band components with a hypervisor offers ways to watch any operating system running on the server hardware. Or worse. It’s definitely something you can do without. The researcher investigated the published information and found indications of increased execution times of code running on different hardware. The talk will explain the set-up and the hardware being used, and will introduce a test framework enabling researchers to test (server) hardware for anomalies.
The complete research will be published after the talk in a comprehensive article describing the work. We highly recommend attending the presentation.
Given the many colourful vulnerabilities published (with or without logo) and attacks seen in the past 12 months, one wonders if IT Security works at all. Of course, 100% of all statistics are fake, and only looking at the things that went wrong gives a biased impression. So what’s ████ed up with IT Security? Are we on course? Can we improve? Is it still possible to defend the IT infrastructure?
Stefan Schumacher, director of the Magdeburger Institut für Sicherheitsforschung (MIS), will tell you what is wrong with information security and what you (or we) can do about it. He writes about his presentation in his own words:
Science is awesome. You aren’t doing science in infosec. Why not? Seems to be the overriding message of @0xKaishakunin #AusCERT2014
This was one tweet about my talk of security in a post-NSA age at the AusCert conference in Australia this year. It pretty much sums up my opinion about what is currently going on in the IT Security circus.
Why IT security is ████ed up certainly is a strong stance against what is going on in IT security in general and at conferences like DeepSec in particular. However, in the three to four decades that modern IT security has existed, we have come a long way in securing our machines, processes and networks. However, certain fields of IT security are thoroughly ignored in research and practical application.
This has to do with computer science being the primary science behind IT security. Computer science is the child of mathematics as a formal science and engineering sciences. This limits the scientific methods to those used in those fields.
Unfortunately, IT security is more than just mathematics and engineering. Neither social engineering nor human behaviour can be explained with CS methods. Nor can it be combated with them. The same goes for political/policy problems, like intelligence services attacking our human rights in the digital space of living. This is a political problem and we need a political solution for it. So political science also plays a role in IT Security.
When we keep this in mind, we see that current IT security lacks further development in certain fields. So I propose to emancipate IT security research from Computer Science and turn it into a new field of science. We can use the methods and tools of CS, Maths and engineering, but also need the methods, tools and philosophies (!) of humanities and social sciences like psychology and pedagogy.
So let’s go and create a new Science. It will be fun and games until theories of science clash. 😉
In cooperation with the Magdeburger Institut für Sicherheitsforschung (MIS) we publish selected articles covering topics of past DeepSec conferences. Each publication offers an in-depth description which extends the conference presentation and includes a follow-up with updated information. The latest addition is Marco Lancini’s article titled Social Authentication: Vulnerabilities, Mitigations, and Redesign.
High-value services have introduced two-factor authentication to prevent adversaries from compromising accounts using stolen credentials. Facebook has recently released a two-factor authentication mechanism, referred to as Social Authentication (SA). We designed and implemented an automated system able to break the SA, to demonstrate the feasibility of carrying out large-scale attacks against social authentication with minimal effort on behalf of an attacker. We then revisited the SA concept and propose reSA, a two-factor authentication scheme that can be easily solved by humans but is robust against face-recognition software.
The MIS web site has a collection of all published articles. The full articles will be found in the special edition “In Depth Security – Proceedings of the DeepSec Conferences”.