DeepSec 2018 Training: Professional Bug Hunting for Early Bird Millionaires – Sensitive Data Exposure

René Pfeiffer/ September 24, 2018/ Training

DeepSec’s Early Bird Tariff is still valid for today. If you are interested in bug hunting for money, i.e. bug bounties, then you should hurry. Dawid Czagan is conducting a training at DeepSec 2018 where you can learn all you need to get started. If you don’t know what to expect, we recommend one of Dawid’s online courses to get into the mindset. His tutorial on finding sensitive data exposure is available via his web site. In case you are interested, please head over to our ticket shop. Early bird tickets are still available until midnight! 

DeepSec 2014 Talk: Cloud-based Data Validation Patterns… We need a new Approach!

Sanna/ October 28, 2014/ Conference, Interview

Data validation threats (e.g. sensitive data, injection attacks) account for the vast majority of security issues in any system, including cloud-based systems. Current methodology in nearly every organisation is to create data validation gates. But when an organisation implements a cloud-based strategy, these security-quality gates may inadvertently become bypassed or suppressed. Everyone relying on these filters should know how they can fail and what it means to your flow of data. Geoffrey Hill has been in the IT industry since 1990, when he developed and sold a C++ application to measure risk in the commodities markets in New York City. He was recently employed by Cigital Inc., a company that specializes in incorporating secure engineering development frameworks into the software development life-cycles of client organizations.  He was leading the software security initiative at a major phone

Read More

DeepSec 2013 Talk: Static Data Leak Prevention In SAP – The Next Generation Of Data Loss Prevention

René Pfeiffer/ September 20, 2013/ Conference, Security

Once you use information technology you will have to worry about leaks. Applications can leak data when attached to the network (any network!). That’s no breaking news, but it might be bad news for you and your data. Fortunately there are good news, too. There is a talk by Andreas Wiegenstein about ways of data leak/loss prevention (DLP) and a new methodology which might help your organisation: In the age of digital industrial espionage, protecting intellectual property has become a key topic in every company. In the past, companies addressed data leaks by implementing so called content-aware Data Loss/Data Leak Prevention (DLP) software. Such software analyzes data moving through an IT landscape and reports unauthorized transfer of critical data, i.e. transfers beyond the company’s network borders. The key purpose of this methodology is to

Read More

Cloud Security Promises out of thin Air

René Pfeiffer/ May 15, 2012/ Discussion, Security

The „Cloud“ is a wonderful link between the BYOD disaster, data loss and broken security promises. Yet users of all kinds are lured into the web interfaces with eye candy. The German IT magazine Golem.de has published an article about the cloud security study of the Fraunhofer Institute for Secure Information Technology SIT. Researchers have put Dropbox, Cloudme, Crashplan, Mozy, Teamdrive, Ubuntu One and Wuala under scrutiny. The results should be a wake-up call for businesses who blissfully shove all kinds of data out into the thin air of the „Cloud“. The quintessence of the study is that none of the listed „Cloud“ services can provide a basic security or even sensible encryption technology. Some registration forms do not verify the e-mail addresses entered. Some platforms do not use SSL/TLS. Some use their own

Read More

Getting your Perception right – Security and Collaboration

René Pfeiffer/ January 29, 2012/ Discussion, Security

If all security-related events were not connected and could be analysed with a closed system in mind, getting security measures right would be much easier. Technicians will probably yawn at this fact, but networks connect a lot of different stuff (think „series of tubes“ and many points between them). In turn this means that you can use this for your own advantage and talk to others on the network, too! This surprising conclusion is often forgotten despite the use of the term „Internet community“ and developers working together on intrusion detection signatures, malware analysis and other projects. Stefan Schumacher talked about cooperative efforts to establish an international cyber defence strategy at DeepSec 2011. Securing infrastructure and implementing a proper defence in depth doesn’t rely on technical solutions alone. You need to establish procedures for

Read More

Talk: The Security of non-executable Files

René Pfeiffer/ October 27, 2011/ Conference

Recent security incidents push the imagination of some people to the limits. On today’s menu are U.S. Government satellites (done before albeit with a different vector), insulin pumps, automatic teller machines, smartphones linked to cars, and even vending machines in wilderness resort parks. What’s next? Executing code by the use of postcards or printed newspapers? Exactly! You probably recognise this phrase: „This is a data file, it can never be executed as code.“ It’s nice to think of bits and bytes neatly separated into code and data. In fact some security models encourage this approach. In practice data tells a different story. You have very elaborate document and data formats with thousands of pages of specification. PDF, rich media and office documents are way more complex than you might think. This is why Daniel

Read More

Talk: Data Exfiltration – not just for Hollywood

René Pfeiffer/ June 18, 2011/ Security

Iftach Ian Amit discusses infiltration of networks and exfiltration of data. Imagine you have completed the infiltration, data targeting and acquisition phase. You have secured the data you were looking for. Now what? How do you get to „your“ data out of highly secured environments? You need to avoid data loss protection (DLP) tools, avoid IPS/IDS, avoid updating your payload frequently, need to design a control channel that can handle disconnected operation. The data itself needs to be protected from filters or pattern matching sensors. SSL/TLS comes to mind, but some infrastructures terminate SSL at proxies and inspect content. End-to-end encryption is a better method if combined with content obfuscation (there are patter matches for GPG/PGP and other ways, too). Transport needs to use a covert or back channel. This can be a talk page of

Read More