About René Pfeiffer

System administrator, lecturer, hacker, security consultant, technical writer and DeepSec organisation team member. Has done some particle physics, too. Prefers encrypted messages for the sake of admiring the mathematical algorithms at work.

Protect your Metadata

René Pfeiffer/ June 9, 2013/ Discussion

In the light of the recent news about the collection of call detail records (CDR) the term metadata has come up. Unfortunately the words cyber, virtual, and meta are used quite often – even as a disguise to hide information when not being used in a technical context. We have heard about all things cyber at the last DeepSec conference. The word virtual is your steady companion when it comes to All Things Cloud™. Now we have a case for meta. Actually metadata is what forensic experts look for – a lot. Metadata usually lives in transaction logs or is part of a data collection. It describes the data it accompanies. Frequently you cannot make sense out of or use the data without the corresponding metadata. A well-stocked library seems like a labyrinth if


How to defend against “Cyber” Espionage

René Pfeiffer/ June 6, 2013/ Discussion, Security

When it comes to defence and protection, don’t forget how your organisation treats data. The mindset plays an important role. This can be illustrated by a simple correlation. Organizations which take the protection of data privacy seriously have an edge when it comes to implementing IT security measures. We talked about this relation in an interview with ORF journalist Erich Moechel (article is in German, Google translation). The findings are not surprising. Auditors and penetration testers can tell if your IT staff takes the role of protecting digital assets seriously. The correlation is easily explained: Once you establish data protection guidelines, you also create a motivation to implement defensive procedures and measures against intrusion. Directly linking operational aspects to a reason makes sure that everyone understands why defence is important. Bear in mind


Podcast Finux Tech Weekly #25 with DeepSec CfP and U21

René Pfeiffer/ June 5, 2013/ Administrivia, Mission Statement

MiKa and I have been chatting with Finux for his latest recording of the Finux Tech Weekly #25 (mp3/ogg download). We talked about the next DeepSec conference and our special U21 initiative for young security researchers. We like to support young researchers (under the age of 21, hence U21) and enable them to present their works and results in an appropriate manner. Listen to the podcast to hear about our motivations! Oh, and don’t forget, the Call for Papers for DeepSec 2013 is still running! Send us your submissions! We’re looking forward to it 🙂

Call for Articles – DeepSec Proceedings

René Pfeiffer/ May 14, 2013/ Administrivia, Security

While our Call for Papers for DeepSec 2013 and DeepINTEL is still open, we have a Call for Articles for all our past speakers ready. It’s our pleasure to inform you that we will publish a book with proceedings about past and present DeepSec topics. It will be a summary, a factual overview on what’s been going on at our annual event, from 2007 – 2012, a collection of the most compelling talks and captivating topics we’ve featured at our conference so far. To make this book a bummer we need your help. We want you to send us the abstracts of the talk you held at DeepSec – and we ask you to open up your topic once again. What’s been going on in the very special field you held your talk about?


Support your local CryptoParty

René Pfeiffer/ April 29, 2013/ Communication, Discussion, Training

Since September 2012 there have been CryptoParty events all over the world. The idea is to bring a group together and have each other teach the basics of cryptography and how to use the various tools that enable you to encrypt and protect information. Of course, encryption by itself cannot guarantee security, but it’s a part of the equation. Since cryptography is hard, most tools using it require a certain amount of knowledge to understand what’s going on and how to properly use them. The CryptoParty helps – in theory and most often in practice, too. If a CryptoParty is near you and you have some knowledge to spare, please take part and share what you know with others. DeepSec supports the local CryptoParty events in Austria, too. Finding a CryptoParty can be easily done


BSidesLondon and the Rookie Track

René Pfeiffer/ April 12, 2013/ Conference, Discussion

DeepSec is actively supporting the BSidesLondon conference this month. We are joining the panel of mentors of the rookie track, and we’re looking forward to seeing a lot of interesting talks. In March we talked about our motivation to support the rookie track idea with Finux on the Rookie Track Podcast. DeepSec has been supporting young security researchers for years. Some of them were given an opportunity to speak at past DeepSec conferences in order to present their work. We think that this is a good idea, and here is why: Speaking publicly in front of an audience can be hard. It is even harder if you have never done this before. It gets a lot harder if you talk about IT security, because there’s a chance you found something that probably broke, is


DeepSec 2013 “Seven Seas” – Call for Papers! Submit! Now!

René Pfeiffer/ April 11, 2013/ Administrivia

DeepSec 2013 “Seven Seas” – Call for Papers Dear Researchers, Hackers, Developers, dear Members of the IT-Security Community: This is our call for papers for DeepSec 2013, the seventh DeepSec In-Depth Security Conference. Our annual event will take place from November 19th to 22nd at the Imperial Riding School Renaissance Hotel in Vienna. It consists of two days of workshops followed by a two-day conference. Our speakers and trainers traditionally come from the security community, companies, hacker spaces, journalism and academic organisations, talking about different topics and aspects of IT-Security: current threats and vulnerabilities, social engineering and psychological aspects as well as security management and philosophy. Content For DeepSec 2013 we’re not looking for talks about the latest trending technologies, gadgets and behaviours, no, DeepSec 2013 is all about secrets, failures and


The Risk of faulty Metrics and Statistics

René Pfeiffer/ March 24, 2013/ Discussion, Security

It’s never a bad idea to see what the outside world looks like. If you intend to go for a walk, you will probably consult the weather report in advance. If you plan to invest money (either for fun or for savings), you will most certainly gather information about the risks involved. There are a lot of reports out there about the IT security landscape, too. While there is nothing wrong with reading reports, you must know what you read, how the data was procured and how it was processed. Not everything that talks percentages or numbers has anything to do with statistics. Let’s talk about metrics by using an example. Imagine an Internet service provider introduced a „real-time map of Cyber attacks“. The map would show attacks to their „honeypot“ systems at 90


Post-Crypto in a Pre-APT World

René Pfeiffer/ March 2, 2013/ High Entropy, Security Intelligence

There was a Cryptographers’ Panel session at the RSA Conference with Adi Shamir of the Weizmann Institute of Science, Ron Rivest of MIT, Dan Boneh of Stanford University, Whitfield Diffie of ICANN and Ari Juels of RSA Labs. You have probably read Adi Shamir’s statement about implementing (IT) security in a „post-crypto“ world. He claimed that cryptography would become less important for defending computer systems and that security experts have to rethink how to protect valuable information in the light of sophisticated Advanced Persistent Threats (APTs). „Highly secured“ infrastructure has been compromised despite „state of the art“ defence mechanisms. So what does rethinking really mean? Do we have to start from scratch? Should we abandon everything we use today and come up with a magic bullet (or a vest more appropriately)? Our first implication


DeepSec 2013 – CfP: Covering Secrets, Failures & Visions!

René Pfeiffer/ February 21, 2013/ Conference, Security

DeepSec 2013 – Secrets, Failures & Visions – Call for Papers We are preparing the call for papers for DeepSec 2013, and we are trying to shift your mindset. We could easily come up with a list of trending technologies, gadgets and behaviours that will have an impact on information security. Instead we are looking for presentations and workshops dealing with secrets, failures and visions. This gives us another perspective and hopefully more to think about. Secrets Every person, every group, every enterprise and every government has them. Secrets are the very reason why information security uses encryption, access control, even doors and locks (physical and otherwise). You wouldn’t need all of this if it weren’t for safeguarding the secrets. Failures Sometimes things go wrong. Often not only by malicious action, but also by


Call for Papers Security BSides London 2013

René Pfeiffer/ December 25, 2012/ Conference

This is a gentle reminder that the Call for Papers for Security BSides London still runs until January 5th 2013. If you got some extra time during the boring Christmas days or right after New Year’s Eve, then you should submit. Show us how you break or fix something! And if you have never presented before, you should definitely take a look at the Rookie Track. BSides London actively supports speakers with little or no experience on stage. Submit a talk, get a mentor, prepare and tell us what you have found! See you in London!

DeepSec 2012 Articles and Slides

René Pfeiffer/ December 20, 2012/ Conference, Press

We have collected links to articles covering DeepSec 2012. If we missed one, please let us know. Arron Finnon’s Report on the DeepSEC Conference “Breaking SAP Portal” by Alexander Polyakov DeepSec 2012: Insecurity? It’s just a matter of time (in German) DeepSec 2012: IT-Sicherheitskonferenz in Wien (in German) DeepSec 2012: Services of cyber crime and cyber weapons in the Cloud (in German) DeepSec 2012: Wargames in the Fifth Domain (in German) DeepSec 2012: When I Grow up I want to be a Cyberterrorist (in German) “Malware Analysis on a shoestring budget” commented by Michael Boman The Evolution of e-Money (by Jon Matonis) SAP Slapping (by Dave Hartley) Sicherheitschecks von iPhone-Apps für fast jeden möglich (in German) Übernahme des Hypervisors über ein Gastsystem (in German) The slides of DeepSec 2012 can be found for download


DeepINTEL 2013 Call for Papers is open!

René Pfeiffer/ December 13, 2012/ Administrivia, Security Intelligence

During the opening of DeepSec 2012 we announced that there will be a second DeepINTEL seminar taking place in Summer 2013. We have successfully explored topics of security intelligence and strategic security at the past seminar. We wish to continue and ask you to send us submissions for presentations by e-mail. DeepINTEL is a single-track two-day event addressing mainly critical infrastructure, state organizations (administrative and law enforcement), accredited CERTs, finance organizations and trusted parties and organizations with a strong relation or partnership to the aforementioned. Due to the sensitive topics and the nature of the participants and speakers we will have a vetting process for participants. We’d like to know our audience, so that we all can talk freely and openly during the event. In addition there will be no recordings published


Apology – “Bad Things in Good Packages”

René Pfeiffer/ December 11, 2012/ Administrivia, Conference

We’re almost back to daily routine after having a wonderful DeepSec 2012. Judging by the feedback, speakers and attendees loved the atmosphere at the conference and at the hotel. We are happy to hear about this and keep an open ear for further comments on your DeepSec experience. However, things can go wrong and they often will. There’s no way around this as every organisation team will confirm. Most of the problems were dealt with by our own damage control teams at the conference. There’s one issue that we wish to discuss openly. We received complaints via Twitter about the slides of the talk „Bad Things in Good Packages – Creative Exploit Delivery“ published by the speaker on Slideshare on 30 November 2012. The complaint was about the offensive portrayal of women. The


DeepSec supports Security B-Sides London 2013

René Pfeiffer/ December 11, 2012/ Conference

We are happy to announce that we will support the Security B-Sides London 2013! Specifically we support the BSides London “Rookie Track”, and we offer a ticket for DeepSec 2013 including two nights at the conference hotel in Vienna. There’s also a special arrangement covering a flight to Vienna and back. We believe in new ideas and new perspectives. That’s why we offer special slots at our conference for young security researchers (the U21 category marked in our CfP form). We will be present during the “Rookie Track” talks during BSides London. DeepSec wishes to encourage any kind of security research by supporting curious and talented researchers. Never having presented results in public should be no reason not to share them with all of us. We believe that the idea of having mentors and
