DeepSec2018 Talk: Manipulating Human Memory for Fun and Profit – Stefan Schumacher

Sanna/ October 31, 2018/ Conference, Discussion

Manipulating the Human Memory for Fun and Profit, or: Why you’ve never met Bugs Bunny in DisneyLand

Hacking is not limited to technical things — like using a coffee machine to cook a soup — but also makes use of social engineering. Social engineering is the (mis)use of human behaviour like fixed action patterns, reciprocity or commitment and consistency. Simple social engineering attacks like phishing mails do not require much preparation, but more complex ones do, especially when one wants to set up some kind of advanced persistent threat in the psychological domain. So, besides the psychological fundamentals of social engineering we also did research on human memory: how it works, how it pretty much fails to store what really happened, and how it can be misused for a sinister purpose. The fundamental

DeepSec 2017 Talk: Hacking The Brain For Fun And Profit – Stefan Hager

Sanna/ October 2, 2017/ Conference, Discussion

You are what you think. At least we think so. Is this mental model the right way to explore our surroundings and our interconnected world? Well, let’s find out by thinking about it. When we’re talking and thinking about security, we very often have a rather fixed mindset and keep using what we think are proven methods. We tend not to question our decisions and thoughts, and the way our brains work reaffirms our bias and our mediocre choices. In this talk we take a closer look at how we are thinking, and how we can change or expand this as well as our perception, by hacking into our own brains in order to get a clearer picture of what we really want and need. New ways of thinking and creativity can be

Social Engineering: Cold Call Warning (EHS, EHM)

René Pfeiffer/ September 8, 2015/ Administrivia, Odd

While we have a workshop on social engineering for you at DeepSec 2015, we do not do any training or exercises before the DeepSec event starts. A speaker alerted us that he got a cold call from a company offering cheap rates for accommodation. In case you have received any call from Exhibition Housing Management (EHM) or Exhibitors Housing Services (EHS), you can safely hang up. Both organisations have been used for scams in the past. Apparently they are alive and kicking. We thank EHS/EHM for providing exercise material and contact data for use during the conference.

DeepSec 2014 Talk: An innovative and comprehensive Framework for Social Vulnerability Assessment

René Pfeiffer/ September 11, 2014/ Conference

Do you get a lot of email? Do customers and business partners send you documents? Do you talk to people on the phone? Then you might be interested in an assessment of your vulnerability through social interactions. We are proud to host a presentation by Enrico Frumento of CEFRIEL covering this topic. As probably anyone knows nowadays, spear-phishing is the most effective threat, and it is often used as the first step of the most sophisticated attacks. Even JP Morgan Chase’s recent data breach seems to have originated from a single employee (just one was enough!) who was targeted by a contextualised mail. In this new scenario it is hence of paramount importance to consider the human factor in companies’ risk analysis. However, is every company potentially vulnerable to this kind of attack? How

BSidesLondon is near!

René Pfeiffer/ April 25, 2014/ Conference, Discussion

We will attend the BSidesLondon event, and we are looking forward to meeting you there! DeepSec is again sponsoring the rookie track. We believe that information security can only benefit from fresh perspectives and newcomers that take a hard look at “well established” facts. This is why we support young infosec researchers and welcome their contribution. The winner of the BSidesLondon rookie track will be invited to join DeepSec 2014. If you attend BSidesLondon, have a chat with MiKa or me. We are always looking for new talents, ideas to put more research into infosec, and creativity to take apart facts everyone takes for granted. See you in London!

DeepSec 2013 Video: Prism Break – The Value Of Online Identities

René Pfeiffer/ February 21, 2014/ Conference, Internet

Everything you do online creates a stream of data. Given the right infrastructure, these data trails can be mined to get a profile of who you are, what you do, what your opinions are and what you like or do not like. Online profiles have become a highly desirable good which can be traded and used for business advantages (by advertising or other means). In turn these profiles have become a target for theft and fraud as well. In the digital world everything of value gets attacked eventually. Time for you to learn more about it. In his talk at DeepSec 2013 Frank Ackermann explained the value of online identities. We recommend his presentation, because it illustrates in an easily comprehensible way the value of online identities in our modern, Internet-reliant society. It

DeepSec 2013 Video: Trusted Friend Attack – (When) Guardian Angels Strike

René Pfeiffer/ February 6, 2014/ Conference, Internet, Security, Stories

We live in a culture where everybody can have thousands of friends. Social media can catapult your online presence into celebrity status. While your circle of true friends may be smaller than your browser might suggest, there is one thing that plays a crucial role when it comes to social interaction: trust. Did you ever forget the password to your second favourite social media site? If so, how did you recover or reset it? Did it work, and were you really the one who triggered the “lost password” process? In a world where few online contacts can meet each other in person, it is difficult for a social media site to verify that the person requesting a new password is really the individual who holds the account. Facebook has introduced Trusted Friends to facilitate the identity

DeepSec 2013 Talk: Trusted Friend Attack – Guardian Angels Strike

René Pfeiffer/ November 5, 2013/ Conference, Security, Stories

Have you ever forgotten a password? It’s a safe bet to assume a yes. Sometimes we forget things. When it comes to logins there is usually a procedure to restore access and change the forgotten password to a known new one. This Forgot Your Password functionality is built into many applications. The mechanism relies on other ways to restore trust. There is a risk that unauthorised persons gain access to an account by exploiting the process. Ashar Javed has explored the password recovery function of 50 popular social networking sites. In his talk at DeepSec 2013 he will present the findings of his survey. The attack vector is called Trusted Friend Attack, because once you have forgotten your credentials you have to rely on trusted friends to recover them. Apart from automatic systems

DeepSec 2013 Workshop: Social Engineering Awareness Training – Win A Free Ticket!

René Pfeiffer/ September 25, 2013/ Conference, Training

“If a tree falls in a forest and no one is around to hear it, does it make a sound?” You probably know this question. It’s a philosophical thought experiment questioning observation and knowledge of reality. There is a similar Gedankenexperiment for information security: “If your organisation receives a spear phishing e-mail and no one is around to read it, does it create a security breach?” Communication is essential for everyone these days. If you run a business, you are forced to deal with communication on a daily basis. This didn’t start with the Internet. The telephone was first, and before that there were letters and all kinds of ways to relay word from A to B. It’s a good idea to go back in time to avoid being distracted by technology, but Trojan Horses

DeepSec 2012 Talk: I’m the guy your CSO warned you about

René Pfeiffer/ October 15, 2012/ Conference

Social engineering has a bit of a soft touch. Mostly people think of it as “you can get into trouble by talking to strangers”, remember the “don’t talk to strangers” advice from their parents, dismiss all warnings and get bitten by social engineering leaks anyway. You have to talk to people, right? You are aware that attackers will use social engineering to get past the expensive security hardware and software. Being aware is very different from being prepared. This is why we asked an expert in social engineering to give you an example of his skills. Be warned, it won’t be pretty and you won’t leave the presentation with the warm and cosy feeling that everything will be alright. To give you a sneak preview, here’s a digital letter from Gavin Ewan himself:

DeepSec 2012 Workshop: Social Engineering Testing for IT Security Professionals

René Pfeiffer/ October 2, 2012/ Conference, Training

Social engineering has been big in the news yet again this year. In September, security researchers discovered an attack against Germany’s chipTAN banking system, in which bank customers were tricked into approving fraudulent transfers from their own accounts. In August, tech journalist Mat Honan had his digital life erased, as hackers social-engineered Apple and Amazon call centres. In May it was reported that Czech thieves stole a 10-tonne bridge. When challenged by police during a routine check, they showed forged documents saying they were working on a new bicycle path. In January, a fraudster obtained Microsoft co-founder Paul Allen’s credit card details by social-engineering workers in Citibank call centres. In December, Wells Fargo was tricked into wiring $2.1 million to a bogus bank account in Hong Kong following a series of fraudulent

A Word about Conference Conduct

René Pfeiffer/ August 7, 2012/ Administrivia, Conference, Discussion

You have probably been to conferences, and might even have seen hackers in the wild attending events. When it comes to events where IT security is discussed, everyone needs a friendly atmosphere so that you can trust the people you meet. The DeepSec conference aims to be a place where these criteria are met. We want you to be able to talk to anyone about anything. Judging from the feedback we got, this goal was met. We’d like to introduce a statement published on our web site to emphasise our mission. It’s a policy expressing our intention to provide a friendly and safe environment for everyone talking at and attending DeepSec events (the policy covers all DeepSec activities). Before any of you jump to conclusions, let me explain why we added the policy as

The Internet: Agora or Boudoir?

Mika/ June 10, 2012/ Discussion, Internet

Some people believe the Internet is like the Agora of ancient Greek cities, where everybody meets and everything happens in public and open sight, while others regard it as their boudoir, where they can pursue their private business without anyone peeping through the keyhole. The challenge is that the Internet is both, and this calls for rules which satisfy both expectations. If you didn’t guess it already: I’m talking about telecommunications data retention and the recent act in the European Union which requires service providers to log details about communications on the Internet and retain the data for a minimum of six months. But why do I bring up this topic? Because I believe this discussion affects the security and privacy (also known as confidentiality) of organisations and private persons. The European

Workshop: Social Engineering for IT Security Professionals

René Pfeiffer/ October 12, 2011/ Conference

Social engineering has been around for a long time and predates the Internet. The method behind today’s Nigerian scams dates back to the 16th century, and it is much more widespread today. Social networking sites supply attackers with a rich source of information. They may even get hold of confidential information without any effort (as the Robin Sage experiment has shown). Directed attacks such as spear-phishing can have a high impact. The use of deception or impersonation to gain unauthorised access to sensitive information or facilities is a persistent threat to your company or organisation, provided you communicate with the outside world. Since computer security is becoming more sophisticated, hackers are combining their technical expertise with social engineering to gain access to sensitive information or valuable resources in your organisation. Social engineering attacks can
