DeepSec 2015 Talk: Cryptography Tools, Identity Vectors for „Djihadists“ – Julie Gommes

René Pfeiffer/ September 30, 2015/ Conference, Security, Security Intelligence

Some speak of Crypto Wars 2.0. For others the Crypto Wars have never ended. FBI Directory James Comey does not get tired of demanding back doors to IT infrastructure and devices (there is no difference between back door and front door, mind you). Let’s take a step back and look at the threats. We did this in 2011 with a talk by Duncan Campbell titled How Terrorists Encrypt. The audience at DeepSec 2011 was informed that encryption does not play a major role in major terror plots. What about today? Have terrorists adopted new means of communication? Since the authorities demanding access to protected information do not have statistics readily available, we turned to researchers who might answer this question. Julie Gommes will present the results of studies analysing the communication culture of criminal

Read More

DeepSec 2015 Workshop: PowerShell for Penetration Testers – Nikhil Mittal

Sanna/ September 29, 2015/ Conference, Security, Training

The platform you are working with (or against) determines the tools you can use. Of course, everyone loves to boot the operating system of choice and hack on familiar grounds. Occasionally you have no choice, and you have to use what’s available. This is especially true for penetration testing. You get to use what you find on the systems of your digital beachhead. And you are well advised to get familiar with the tools you most definitely will find on these systems. This is a reason to look at the PowerShell. It is available on the Microsoft® Windows platform, so it’s the way to go. In his workshop at DeepSec 2015 Nikhil Mittal will teach you all you need to know about the PowerShell. PowerShell is the ideal tool for penetration testing of a

Read More

DeepSec 2015: The Early Bird Gets the Luxury Bed, Swimming Pool and a Royal Breakfast

Sanna/ September 28, 2015/ Administrivia, Conference, Veranstaltung

DeepSec 2015 is drawing nearer and tickets sell like hot cakes! Just an insider tip for all the smart birds out there: Get a DeepSec ticket for Early Birds and, while you’re at it book a room at our conference hotel straightaway – before they’re sold out! We have arranged a very competitive conference rate for you (including the breakfast, swimming pool & leisure aerea). Free Internet will be provided in the conference area. For comparison, direct booking rates are more expensive, and typically don’t include breakfast or free Wi-Fi. About the Hotel The Imperial Riding School Renaissance Vienna Hotel is located in a historical building, the former military horse riding school, which was built and used by Emperor Franz Josef I in 1850. Today this exquisite neo-classical hotel features 339 Deluxe Rooms, a Club Lounge, a conference centre, bar, library,

Read More

DeepSec Talk 2015: Cryptographic Enforcement of Segregation of Duty within Work-Flows – Thomas Maus

Sanna/ September 20, 2015/ Conference

Encryption is great. Once you have a secret key and an algorithm, you can safeguard your information. The trouble starts when you communicate. You have to share something. And you need to invest trust. This is easy if you  have a common agenda. If things diverge, you need something else. Thomas Maus will explain in his talk cryptographic methods that can help you dealing with this problem. Meet Alice and Bob, who might not be friends at all. Workflows with segregation-of-duty requirements or involving multiple parties with non-aligned interests (typically mutually distrustful) pose interesting challenges in often neglected security dimensions. Cryptographic approaches are presented to technically enforce strict auditability, traceability and multi-party-authorized access control and thus, also enable exoneration from allegations. These ideas are illustrated by challenging examples – constructing various checks and balances for telecommunications data retention, a vividly discussed

Read More

DeepSec 2015 Talk: Legal Responses Against Cyber Incidents – Oscar Serrano

Sanna/ September 19, 2015/ Conference, Security

Like it or not, „cyber“ is here to stay. No matter what word you use, the networks have become a battlefield for various military operations. While you won’t be able to secure physical territory by keyboard (you still need boots on the ground for this), you can gain information, thwart hostile communications, and possibly sabotage devices (given the sorry state of the Internet of Stuff). When you deal  with actions in this arena, you might want to know what your options are. It’s worth to think about legal consequences. When it comes to mundane cyber crime, you usually have laws to deal with incidents. What is the response to a military cyber attack? And what counts as one? In his presentation at DeepSec 2015 Oscar Serrano will introduce you to the legal implications and

Read More

DeepSec 2015 Talk: Revisiting SOHO Router Attacks – Jose Antonio Rodriguez Garcia and Ivan Sanz de Castro

Sanna/ September 18, 2015/ Conference, Internet, Security

Have you seen Jon Schiefer’s  film Algorithm? If you haven’t, then you should catch up. The protagonist of the story gain access by using the good old small office / home office (SOHO) infrastructure. The attack is pretty realistic, and it shows that SOHO networks can expose all devices connected to it, either briefly or permanently. Combined with the Bring Your Own Device (BYOD) hype, SOHO networks are guaranteed to contain devices used for business purposes. We haven’t even talked about the security of entertainment equipment or the Internet of Stuff (IoT). Like it or not, SOHO areas are part of your perimeter once you allow people to work from home or to bring work home. Be brave and enter the wonderful world of consumer devices used to protect enterprise networks. José Antonio Rodríguez

Read More

DeepSec 2015 Talk: Building a Better Honeypot Network – Josh Pyorre (OpenDNS)

Sanna/ September 17, 2015/ Conference, Internet, Security

Most defenders only learn what attackers can do after recovering from a successful attack. Evaluating forensic evidence can tell you a lot. While this is still useful, wouldn’t it be better to learn from your adversaries without risking your production systems or sensitive data? There is a way. Use some bait and watch. Honeypots to the rescue! Josh Pyorre will tell you in his presentation how this works. Honeypots and honeypot networks can assist security researchers in understanding different attacker techniques across a variety of systems. This information can be used to better protect our systems and networks, but it takes a lot of work to sift through the data. Installing a network of honeypots to provide useful information should be an easy task, but there just isn’t much to tie everything together in

Read More

DeepSec 2015 Talk: illusoryTLS – Nobody But Us. Impersonate,Tamper and Exploit (secYOUre)

Sanna/ September 11, 2015/ Conference, Internet, Security

Transport Layer Security is a cornerstone of modern infrastructure. The „Cloud“ is full of it (at least it should be). For most people it is the magic bullet to solve security problems. Well, it is helpful, but only until you try to dive into the implementation on servers, clients, certificate vendors, or Certificate Authorities. Alfonso De Gregorio has done this. He will present his findings at DeepSec 2015 in his presentation aptly titled „illusoryTLS: Nobody But Us. Impersonate,Tamper and Exploit“. Learn how to embed an elliptic-curve asymmetric backdoor into a RSA modulus using Elligator. Find out how the entire TLS security may turn to be fictional, if a single CA certificate with a secretly embedded backdoor enters the certificate store of relying parties. Discover how some entities might have practically explored cryptographic backdoors for intelligence purposes regardless of

Read More

DeepSec 2015 Talk: “Yes, Now YOU Can Patch That Vulnerability Too!” A short Interview with Mitja Kolsek

Sanna/ September 10, 2015/ Discussion, Interview, Security

Patching software is a crucial task when it comes to fixing security vulnerabilities. While this totally works, usually you have to wait until the vendors or the developers provide you either an upgrade or a patch. What do you do in the meantime? Reducing the exposure of the software helps, but sometimes you have no choice. Public interfaces are public. There’s help. Do it yourself! Mitja Kolsek will tell you more. Please tell us the top 5 facts about your talk. We want to shake the security world by introducing a simple twist and essentially reinventing software patching. Attackers’ main advantage comes from software vulnerabilities (often very old and long-patched ones), which are a critical ingredient of most breaches into corporate and government networks. Unfortunately, most software vendors are lacking economical motivation for providing patches, let alone pro-actively

Read More

Social Engineering: Cold Call Warning (EHS, EHM)

René Pfeiffer/ September 8, 2015/ Administrivia, Odd

While we have a workshop on social engineering for you at DeepSec 2015, we do not do any trainings or exercises before the DeepSec event starts. A speaker alerted us that he got a cold call from a company offering cheap rates for accommodation. In case you have received any call from Exhibition Housing Management (EHM) and Exhibitors Housing Services (EHS), you can safely hang up. Both organisations have been used for scams in the past. Apparently they are alive and kicking. We thank EHS/EHM for providing exercise material and contact data for use during the conference.

DeepSec 2015 Talk: Deactivating Endpoint Protection Software in an Unauthorized Manner

René Pfeiffer/ September 7, 2015/ Conference, Security

Your infrastructure is full of endpoints. Did you know that? You even have endpoints if you use your employees’ devices (BYOD!) or the „Cloud“ (YMMV!). Can’t escape them. Since the bad girls and guys knows this, they will attack these weak points first. How are your endpoints (a.k.a. clients in the old days) protected? In case you use software to protect these vulnerable systems, then you should attend Matthias Deeg’s talk. He will show you the art of Deactivating Endpoint Protection Software in an Unauthorized Manner: Endpoint protection software such as anti-virus or firewall software often have a password protection in order to restrict access to a management console for changing settings or deactivating protection features to authorized users only. Sometimes the protection can only be deactivated temporarily for a few minutes, sometimes it

Read More

DeepSec 2015 Schedule is almost stable & BSidesVienna CfP Deadline

René Pfeiffer/ September 7, 2015/ Administrivia, Conference

The schedule of DeepSec 2015 is almost done. We’re still reviewing submissions and talk to authors. We are confident to call the schedule stable soon. Until this happens, we will describe the presentations and trainings with a little more detail here. Take a good look, but don’t wait too long before booking a ticket. The workshops can only accommodate a limited amount of attendees. Don’t miss the opportunity! We also like to point out that the Call for Papers for the BSidesVienna event is ending on 15th September 2015! If you have interesting content, please submit!

The Enemy Within: Industrial Espionage and Your Network at DeepSec 2015

Sanna/ September 3, 2015/ Conference, High Entropy, Security

Networking is vital to aquire jobs in the business world, manage projects, and develop products. It all started with the World Wide Web, now we also interact via various clouds and social media platforms with our staff, clients, and customers. Data gets outsourced to third parties, and business letters are airily send by Instant Messenger (due to the lack of messenger ravens, sadly). But the thoughtless embrace of networks invites threats, previously known only from the silver screen – spies. And, unfortunately, in today’s digital environment, it is no longer enough to just close the door to protect yourself from prying eyes. There is much more to be considered. We’re here to help. DeepSec does not want to leave your company out in the cold: Attend our next conference which takes place in Vienna on

Read More