About René Pfeiffer

System administrator, lecturer, hacker, security consultant, technical writer and DeepSec organisation team member. Has done some particle physics, too. Prefers encrypted messages for the sake of admiring the mathematical algorithms at work.

DeepSec conference focuses on the precarious security situation in the world-wide mobile phone network

René Pfeiffer/ September 7, 2010/ Press

DeepSec 2010 features 33 talks and 8 workshops by international experts Vienna, 31 August 2010. The international security conference DeepSec brings together the world’s elite in network security and hacking in Vienna from 23 to 26 November 2010. This year, the conference focuses on the security of mobile systems and their users, as well as on the next-generation infrastructure. IT and security companies, users, officials, researchers and the hacker community have the opportunity to take part in the conference with 33 talks and 8 workshops scheduled this year. “We are happy to offer for the fourth time so many experts the chance to exchange ideas and experiences on the most important security issues of everyday IT work in our modern days”, says René Pfeiffer, organiser of DeepSec. Live attacks on iPhone through a weak

Read More

Schedule for DeepSec 2010 published

René Pfeiffer/ August 20, 2010/ Schedule

Reviewing the submissions took us a while longer than anticipated. The reason was the high-quality content you submitted. We had to make some tough decisions and could have easily filled three or four days of In-Depth security talks and many more workshops. We hope that the schedule we published yesterday satisfies your interest and gives some CIOs something to think about. We tackle the security of the GSM network (which is failing, as was reported at DeepSec 2009 already). We also show you how to probe the security of GSM networks (there’s a whole two-day workshop if you want to dive into the gory details). Watch out for remote binary planting! Just yesterday Mitja Kolsek reveiled that about 200 Microsoft Windows applications are vulnerable to remote code execution. We deal with SAP security by

Read More

CfP revision is almost done

René Pfeiffer/ August 11, 2010/ Administrivia, Schedule

We’re almost finished with the review of presentations and trainings submitted via the Call for Papers form. Everyone will get a notification during the next couple of days. You really sent us a lot of high-quality content, and we are proud to set the stage for your research results. Some vendors might not be as happy as we, but let’s see what happens. Expect the preliminary schedule soon.

Sneak Preview – your cellphone can be tapped

René Pfeiffer/ August 2, 2010/ Schedule, Security

You probably have a cellphone. Your company might even provide an additional one. Your boss most certainly uses a cellphone. What do you use it for? Do you share details about your private life via phone conversations? Did you ever talk to a business partner about confidential offers? Do you rely on cellphone when it comes to important messages? If so you might be interested in hearing some news about the state of security of mobile networks. Most of them are broken, outdated or both when it comes to security. Details of the security issues have been presented at DeepSec 2009 by Karsten Nohl. During Defcon18 in Las Vegas a security researcher successfully faked several attendees’ cell phones into connecting to his phony GSM base station during a live demonstration that had initially raised

Read More

How to secure Wireless Networks

René Pfeiffer/ July 28, 2010/ Security

You have probably followed the news and heard about AirTight Networks’ demonstration of the WPA2 design flaw. What does this mean for operators of wireless networks? Do you have to care? Do you feel threatened? Is there a way to feel better again? First take a look what the design flaw means and what the attack looks like. Hole 196 means that „an insider can bypass WPA2 private key encryption and authentication to sniff and decrypt data from other authorized users as well as scan their Wi-Fi devices for vulnerabilities, install malware and possibly compromise those Wi-Fi devices”. So an attacker has to be authenticated before she can use the exploit. This does not mean that „WPA2” is compromised entirely (yet). It just means that we (maybe) deal with a design flaw. Attacking „WPA2”

Read More

In-Depth Security Conference DeepSec Tackles Mobile Data Assaults

René Pfeiffer/ July 17, 2010/ Press

Vienna – it’s the 4th time that the international IT security conference DeepSec calls the world’s elite from the sectors Network-Security and Hacking together. From the 23rd until the 26th of November 2010 the conference focuses on mobile security (for users and gadgets alike) and Next Generation Infrastructure. „After the success of DeepSec 2009 we try once again to present exciting and controversial topics.  It’s our aim as a neutral platform to bring Hacker-Community, IT- and Security companies, users, government agencies and researchers together to interact and exchange experience and thoughts in workshops and talks.”, prompts René Pfeiffer – one of DeepSec’s organisers. The call for papers is still going until the 31st of July and young security researchers can register for  special support in this year’s U21 programme (U21 means under 21 years

Read More

Sneak Preview – Workshop about Advanced PHP Security

René Pfeiffer/ July 1, 2010/ Schedule

Our CfP ends on 31 July 2010, so we start publishing information about some of the submissions in advance. We got the confirmation from Laurent Oudot, founder of TEHTRI-Security, concerning the Advanced PHP Hacking training. The workshop will deal with breaking into PHP environments, methods of attackers once they are inside, defense against intruders and real hack simulations. This is a hands-on exercise guided by TEHTRI Security experts. Everyone running, developing or auditing PHP web applications should attend. Knowing how attacks work is the first step of avoiding them. When it comes to web applications, there is no silver bullet. You have to deal with the hosting environment, known about possible vulnerabilities, learn about the tools attackers use and then you can tune your defenses. Code analysis, filters, fuzzing, NIDS and hardening alone are

Read More

Native Code Protection and Security

René Pfeiffer/ June 24, 2010/ Development, Internet

The Mozilla vice president of products announced that Firefox doesn’t need to run native code anymore when it comes to plugins. The idea is called crash protection for it aims to keep the web browser alive when a plugin fails to run correctly. At the same time the magical words about the future being in the hands of (open) web standards and HTML5 are uttered. What does this imply in terms of security? Is there any benefit? The thought of having more reliable web browsers is certainly tempting. It is also true that overloading the browser with plugins increases the „angle of attack” to the point of stalling or most probably catching some malware floating around on the Web. The message seems to be that seperating vulnerable plugins from the browser doesn’t rule out

Read More

Call for Papers – Reminder

René Pfeiffer/ June 19, 2010/ Schedule

Our Call for Papers is still running until 31 July 2010. We already have some very interesting talk and workshop submissions. Two experts cover the black magic of the last mile and network backbones. Clearly this is critical infrastructure and is often neglected when implementing security measures. Few administrators put their firewalls in front of the ISP’s modem. There are attacks against infrastructure. Wireless networks illustrate this problem very well. Strangely when it comes to wired networks people think of them as more secure. True, wired connections cannot be accessed through thin air, but this doesn’t immunise them against threats on the infrastructure level. Routing protocols, administrative interfaces, unpatched firmware, bugs, noisy broadcasts and network design errors can lead to a fertile ground for a compromised network well before your firewall kicks in. So

Read More