DeepSec 2014 Talk: Build Yourself a Risk Assessment Tool

Sanna/ October 29, 2014/ Conference, Interview

„The only advice I might give to everyone who is responsible for information security is that it is never about a tool or a methodology“, says Vlado Luknar. The never-ending quest for the “best” tool or methodology is a futile exercise. In the end it is you, the security specialist, who adds the most value to a risk assessment (RA) / threat modelling process for your company, claims Vlado Luknar (Orange Slovensko a.s. / France Telecom Orange Group).  In his talk at DeepSec Mr. Luknar will demonstrate that it is quite easy to capture your overall security knowledge in a home-made, free-of-charge tool.  But first, let’s ask Mr. Luknar a couple of questions: 1) Mr. Luknar, please tell us the top 5 facts about your talk! There is no problem with understanding existing RA

Read More

DeepSec 2014 Talk: Cloud-based Data Validation Patterns… We need a new Approach!

Sanna/ October 28, 2014/ Conference, Interview

Data validation threats (e.g. sensitive data, injection attacks) account for the vast majority of security issues in any system, including cloud-based systems. Current methodology in nearly every organisation is to create data validation gates. But when an organisation implements a cloud-based strategy, these security-quality gates may inadvertently become bypassed or suppressed. Everyone relying on these filters should know how they can fail and what it means to your flow of data. Geoffrey Hill has been in the IT industry since 1990, when he developed and sold a C++ application to measure risk in the commodities markets in New York City. He was recently employed by Cigital Inc., a company that specializes in incorporating secure engineering development frameworks into the software development life-cycles of client organizations.  He was leading the software security initiative at a major phone

Read More

DeepSec 2014 Talk: Safer Six – IPv6 Security in a Nutshell

René Pfeiffer/ October 20, 2014/ Conference, Internet, Interview

The Internet Protocol Version 6 (IPv6) is the successor to the currently main IP Version 4 (IPv4). IPv6 was designed to address the need for more addresses and for a better routing of packets in a world filled with billions of networks and addresses alike. Once you decide to develop a new protocol, you have the chance to avoid all the mistakes of the past. You can even design security features from the start. That’s the theory. In practice IPv6 has had its fair share of security problems. There has been a lot of research, several vulnerabilities have been discussed at various security conferences. DeepSec 2014 features a presentation called Safer Six – IPv6 Security in a Nutshell held by Johanna Ullrich of SBA Research, a research centre for information security based in Vienna.

Read More

DeepSec 2014 Workshop: Hacking Web Applications – Case Studies of Award-Winning Bugs

René Pfeiffer/ October 14, 2014/ Conference, Training

The World Wide Web has spread vastly since the 1990s. Web technology has developed a lot of methods, and the modern web site of today has little in common with the early static HTML shop windows. The Web can do more. A lot of applications can be accessed by web browsers, because it is easier in terms of having a client available on most platforms. Of course, sometimes things go wrong, bugs bite, and you might find your web application and its data exposed to the wrong hands. This is where you and your trainer Dawid Czagan come in. We offer you a Web Application Hacking training at DeepSec 2014. Have you ever thought of hacking web applications for fun and profit? How about playing with authentic, award-winning bugs identified in some of the

Read More

DeepSec 2014 Workshop: Understanding x86-64 Assembly for Reverse Engineering and Exploits

René Pfeiffer/ October 14, 2014/ Training

Assembly language is still a vital tool for software projects. While you can do a lot much easier with all the high level languages, the most successful exploits still use carefully designed opcodes. It’s basically just bytes that run on your CPU. The trick is to get the code into position, and there are lots of ways to do this. In case you are interested, we can recommend the training at DeepSec held by Xeno Kovah, Lead InfoSec Engineer at The MITRE Corporation. Why should you be interested in assembly language? Well, doing reverse engineering and developing exploits is not all you can do with this knowledge. Inspecting code (or data that can be used to transport code in disguise) is part of information security. Everyone accepts a set of data from the outside

Read More

RandomPic XSA-108

Mika/ October 2, 2014/ High Entropy, RandomPic

What a couple of Infosec people thought about XSA-108. Apparently some were a little bit disappointed that XSA-108 affects “only” HVM. Sorry, not another catastrophy, not another heartbleed, Shellshock or something in this class. Only a vulnerability which potentially allows access to other VMs. Anyway, time for an update! (Idea shamelessly stolen from aloria)