Archive for February, 2014

DeepSec 2013 Video: Static Data Leak Prevention In SAP – The Next Generation Of DLP

February 27, 2014

Leaks are problems you don’t want in your infrastructure. While this is clear for water pipes, it is not so clear for digital data. Copying is a part of the process, and copying data is what your systems do all day. A leak comes into existence when someone without access privileges gets hold of data. […]

Posted in Conference, Stories

DeepSec 2013 Video: Using Memory, Filesystems And Runtime To App Pen iOS And Android

February 26, 2014

Your iOS or Android smartphone can do a lot. „There’s an app for that!“ is also true for information security. So what can you do? We have seen smartphones used as an attack platform for penetration testing. You can use them for wardriving, and, of course, for running malicious software (next to „normal“ software which […]

Posted in Conference

DeepSec 2013 Video: Europe In The Carna Botnet

February 25, 2014

Botnets serve a variety of purposes. Usually they are used to send unsolicited e-mail messages (a.k.a. spam), attack targets by sending crafted data packets, or to perform similar activities. The Carna Botnet was created by an anonymous researcher to scan the IPv4 Internet. The creator called the botnet the Internet Census of 2012. The nodes […]

Posted in Conference, Security

DeepSec 2013 Video: Future Banking And Financial Attacks

February 24, 2014

Predicting the future is very hard when it comes to information technology. However, in terms of security analysis it is vital to keep your head up and try to anticipate what attackers might try next. You have to be as creative as your adversaries when designing a good defence. This is why we invited Konstantinos […]

Posted in Conference, Security

DeepSec 2013 Video: Pivoting In Amazon Clouds

February 23, 2014

The „Cloud“ is a great place. Technically it’s not a part of an organisation’s infrastructure, because it is outsourced. The systems are virtualised, their physical location can change, and all it takes to access them is a management interface. What happens if an attacker gains control? How big is the impact on other systems? At […]

Posted in Conference

DeepSec 2013 Video: Hack The Gibson – Exploiting Supercomputers

February 22, 2014

Hey, you! Yes, you there! Want to get root on thousands of computers at once? We know you do! Who wouldn’t? Then take a good look at supercomputers. They are not as monolithic and mysterious as Wintermute. Modern architecture links thousands of nodes together. Your typical supercomputer of today consists of a monoculture of systems […]

Posted in Conference, Security

DeepSec 2013 Video: Prism Break – The Value Of Online Identities

February 21, 2014

Everything you do online creates a stream of data. Given the right infrastructure these data trails can be mined to get a profile of who you are, what you do, what your opinions are and what you like or do not like. Online profiles have become a highly desirable good which can be traded and […]

Posted in Conference, Internet

DeepSec 2013 in Pictures

February 19, 2014

For those who were not present at the DeepSec 2013 conference (shame on you!) we have compiled a selection of photographs taken at the event. Static imagery cannot give you the full experience, but maybe you want to drop by in 2014! Credits and our big thank you go to our graphic designer and our […]

Posted in Conference, Stories

DeepSec 2013 Video: Risk Assessment For External Vendors

February 19, 2014

CIOs don’t like words like „third party“ and „external vendor“. Essentially this means „we have to exchange data and possibly code with organisations that handle security differently“. Since all attackers go for the seams between objects, this is where you have to be very careful. The fun really starts once you have to deal with […]

Posted in Conference

DeepSec 2013 Video: From Misconceptions To Failure – Security And Privacy In The US Cloud Computing FedRAMP Program

February 18, 2014

The „Cloud“ is the Fiddler’s Green of information technology. It’s a perpetual paradise built high above the ground where mortal servers and software dwell. Everyone strives to move there eventually, because once you are in digital paradise, then all your sorrows end. So much for the theory. The reality check tells a different story. This […]

Posted in Conference, Security

DeepSec 2013 Video: Hackanalytics – What’s hot, what’s not

February 17, 2014

Penetration testing is much more than trying a couple of attacks and being done with it. The results matter, and you have to prepare them in a fashion that lets them be used afterwards. Putting defences to the test is not a matter of „yes, it works“ or „no, it doesn’t“. There are expectations of the […]

Posted in Conference

DeepSec 2013 Video: CSRFT – A Cross Site Request Forgeries Toolkit

February 14, 2014

While Cross Site Request Forgery (CSRF) is an attack that is primarily targeted at the end user, it still affects web sites. Some developers try to avoid it by using secret cookies or restricting clients to HTTP POST requests, but this won’t work. The usual defence is to implement unique tokens in web forms. CSRF […]

Posted in Conference

DeepSec 2013 Video: Bypassing Security Controls With Mobile Devices

February 11, 2014

Controls blocking the flow of data are an important tool of defence measures. Usually you need to enforce your organisation’s set of permissions. There are even fancy gadgets available to help you cope with data loss in terms of unauthorised access. This only works in controlled environments. Fortunately the modern IT policy allows intruders to […]

Posted in Conference, Security, Stories

DeepSec 2013 Video: The Boomerang Effect – Using Session Puzzling To Attack Apps From The Backend

February 9, 2014

Attacking fortified positions head on looks good on the silver screen. Real life attackers have no sense for drama and special effects. Battering closed doors will get you nowhere fast. Instead modern adversaries take a good look at open doors and exploit them to get what they want. Security specialists know about the dangers of […]

Posted in Conference, Security

DeepSec 2013 Video: Top 10 Security Mistakes In Software (Development)

February 8, 2014

Everybody makes mistakes. It’s no surprise that this statement applies to software development, too. When you deal with information security it is easy to play the blame game and say that the application developers must take care to avoid making mistakes. But how does software development work? What are the processes? What can go wrong? […]

Posted in Conference, Security, Stories