Reminder – Call for Papers DeepSec 2011 – deadline approaching

René Pfeiffer/ June 30, 2011/ Administrivia, Conference

In case you have not yet prepared a submission for DeepSec 2011, please consider to do so. The deadline is approaching! We have already received submissions, but we have a hard time believing that everything is secure out there. That can’t be, you know it, and we know it. Submit your in-depths talks and workshops, give our programme committee some work to do, and maybe we can even have some in-depth lulz, who knows. Speaking of security and design flaws, don’t forget the ubiquitous web interfaces. Everyone and everything has a web interface – your bank, your government, your routers, your servers, your average smart meter (measuring electricity/water/gas consumption), your printers, your household appliances, your TV set, your video/audio player and possibly a lot of devices you are unaware of. Of course, feel free

Read More

Some Slides from DeepSec 2009

René Pfeiffer/ June 24, 2011/ Administrivia, Conference

Some of you might already noticed the videos from the DeepSec 2009 conference on Vimeo. Sadly we don’t have all the slides for all talks, but here are some documents from our archive. #TwitterRisks: Bot C&C, Data Loss, Intel Collection & More by Ben Feinstein – Slides Dynamic Binary Instrumentation for Deobfuscation and Unpacking by Daniel Reynaud and Jean-Yves Marion – Slides Windows Secure Kernel Development by Fermin J. Serna – Slides Stoned déjà vu – again by Peter Kleissner – Slides Key Management Death Match? Competing KM Standards Technical Deep Dive by Marc Massar – Slides USB Device Drivers: A Stepping Stone into your Kernel by Moritz Jodeit and Martin Johns – Slides eKimono: Detecting Rootkits inside Virtual Machine by Nguyen Anh Quynh – Slides Ownage 2.0 by Saumil Shah – Slides

Talk: Data Exfiltration – not just for Hollywood

René Pfeiffer/ June 18, 2011/ Security

Iftach Ian Amit discusses infiltration of networks and exfiltration of data. Imagine you have completed the infiltration, data targeting and acquisition phase. You have secured the data you were looking for. Now what? How do you get to „your“ data out of highly secured environments? You need to avoid data loss protection (DLP) tools, avoid IPS/IDS, avoid updating your payload frequently, need to design a control channel that can handle disconnected operation. The data itself needs to be protected from filters or pattern matching sensors. SSL/TLS comes to mind, but some infrastructures terminate SSL at proxies and inspect content. End-to-end encryption is a better method if combined with content obfuscation (there are patter matches for GPG/PGP and other ways, too). Transport needs to use a covert or back channel. This can be a talk page of

Read More

Talk: Attack UPnP – The Useful plug and pwn protocols

René Pfeiffer/ June 18, 2011/ Security

Most firewall admins are quite allergic to Universal Plug and Play (UPnP). This is why it is usually turned off. Arron „Finux“ Finnon explains what UPnP can do. Its intended use is to facilitate data transmissions of UPnP-capable devices, meaning that these devices and software can use UPnP to poke holes into NAT devices and firewalls. Enabling UPnP a spare router with a free Wi-Fi network enables you to learn a lot about your neighbours. You can do device enumerating and identify devices requesting. And this is just the beginning. UPnP solved their security problems by not implying any security It’s a bit like Bonjour, a bit like mDNS, a bit like this and that. From the security point of view it’s a nightmare. There’s no authentication and no authorisation. UPnP will happily do

Read More

Talk: Hacking Digital Measuring Devices

René Pfeiffer/ June 18, 2011/ Security

We just listened to the talk by Franz Lehner about „Hacking Digital Measuring Devices“. Smart meters are ubiquitous. A lot of measuring devices have turned digital and are composed of a small CPU with some memory and connections to sensors or data outlets. Calibration is always involved when you measure something. Having access to the calibration mode/commands of a smart meter can change your bills, supply false readings to operators and can even be ramped up to be a security risk. Think vapour/liquid pressure, temperature, speed, humidity, power, etc. Usually you rely on the output of sensors, right? Smart meters is something to watch very closely. Again there’s a link to cars (which use smart meters for measuring the speed and other parameters), then there’s a link to the power grid, and there a

Read More

Is your car on the Internet?

René Pfeiffer/ June 14, 2011/ Security, Stories

We published some press releases in the past that dealt with networked subsystems in cars. Security researchers connected to the Controller-Area Network (CAN) and tried to inject commands (which worked scarily well). We claimed that automobile manufacturer were way behind in security compared to everyone who has to secure systems in the Internet. The claim was half-part fact and half-part conjecture. Now it’s time to correct our claim. Cars can now leak information and push it to the Internet: Electric cars manufactured by Nissan surreptitiously leak detailed information about a driver’s location, speed and destination to websites accessed through the vehicle’s built in RSS reader, a security blogger has found. … “All of these lovely values are being provided to any third party RSS provider you configure: CNN, Fox News, Weather Channel, it doesn’t

Read More

DeepSec 2011 Focus: Usable Security

René Pfeiffer/ June 13, 2011/ Administrivia, Conference

A few days ago we uploaded the keynote speech held by Matt Watchinski at DeepSec 2009. The title was: „Technology Won’t Save You, Only People Will“ This statement can be turned into the opposite: Technology won’t threaten you, people will. We’re not talking about threats from insiders turned rogue. We are talking about holes in your defence because of  badly configured or mishandled security devices and software. This has nothing to do with being Bastard Operator from Hell and putting the blame on the users or colleagues. A modern company infrastructure has to deal with a lot of  complexity all by itself. Adding security won’t reduce this complexity. Adding badly designed user interfaces (for security devices and options), confusing status/error messages and hardly comprehensible settings will most certainly increase the risk of security incidents.

Read More

Tips for Conference Speakers

René Pfeiffer/ June 5, 2011/ Discussion

We’ve been through four DeepSec conferences already, and MiKa and me have talked in person at other events. Given the feedback we received about past DeepSec speakers, the video recordings and our own experience, we’d like to give everyone who is thinking about submitting a talk some advise. It really doesn’t matter if you are going to speak at DeepSec (though we prefer this option) or anywhere else. If you have something to say, then make sure your message is delivered in an appropriate wrapping. Try to address your audience and make them listen to you. There are ways to do this, and most of them can be practised and learnt. Structure : Most talks have an outline of what the audience can expect. Take some extra time and think about the agenda. If

Read More

Registration for DeepSec 2011 is now open!

René Pfeiffer/ June 1, 2011/ Administrivia, Conference

The registration for DeepSec 2011 is now officially open. You can register for the conference, workshops or both. We offer three booking phases: Early Bird, Regular and Last Minute. Please keep in mind that the Early Bird tickets are the cheapest. The longer you wait, the more you have to pay. Since the Call for Papers is still running the workshop slots are empty, but you can buy workshop or conference+workshop tickets now and decide which workshop you want later (when we publish the schedule). If you have any questions, drop us a few lines.