1909, 2015

DeepSec 2015 Talk: Legal Responses Against Cyber Incidents – Oscar Serrano

Sanna/ September 19, 2015/ Conference, Security

Like it or not, „cyber“ is here to stay. No matter what word you use, the networks have become a battlefield for various military operations. While you won’t be able to secure physical territory by keyboard (you still need boots on the ground for this), you can gain information, thwart hostile communications, and possibly sabotage devices (given the sorry state of the Internet of Stuff). When you deal  with actions in this arena, you might want to know what your options are. It’s worth to think about legal consequences. When it comes to mundane cyber crime, you usually have laws to deal with incidents. What is the response to a military cyber attack? And what counts as one? In his presentation at DeepSec 2015 Oscar Serrano will introduce you to the legal implications and

Read More

1809, 2015

DeepSec 2015 Talk: Revisiting SOHO Router Attacks – Jose Antonio Rodriguez Garcia and Ivan Sanz de Castro

Sanna/ September 18, 2015/ Conference, Internet, Security

Have you seen Jon Schiefer’s  film Algorithm? If you haven’t, then you should catch up. The protagonist of the story gain access by using the good old small office / home office (SOHO) infrastructure. The attack is pretty realistic, and it shows that SOHO networks can expose all devices connected to it, either briefly or permanently. Combined with the Bring Your Own Device (BYOD) hype, SOHO networks are guaranteed to contain devices used for business purposes. We haven’t even talked about the security of entertainment equipment or the Internet of Stuff (IoT). Like it or not, SOHO areas are part of your perimeter once you allow people to work from home or to bring work home. Be brave and enter the wonderful world of consumer devices used to protect enterprise networks. José Antonio Rodríguez

Read More

1709, 2015

DeepSec 2015 Talk: Building a Better Honeypot Network – Josh Pyorre (OpenDNS)

Sanna/ September 17, 2015/ Conference, Internet, Security

Most defenders only learn what attackers can do after recovering from a successful attack. Evaluating forensic evidence can tell you a lot. While this is still useful, wouldn’t it be better to learn from your adversaries without risking your production systems or sensitive data? There is a way. Use some bait and watch. Honeypots to the rescue! Josh Pyorre will tell you in his presentation how this works. Honeypots and honeypot networks can assist security researchers in understanding different attacker techniques across a variety of systems. This information can be used to better protect our systems and networks, but it takes a lot of work to sift through the data. Installing a network of honeypots to provide useful information should be an easy task, but there just isn’t much to tie everything together in

Read More

1109, 2015

DeepSec 2015 Talk: illusoryTLS – Nobody But Us. Impersonate,Tamper and Exploit (secYOUre)

Sanna/ September 11, 2015/ Conference, Internet, Security

Transport Layer Security is a cornerstone of modern infrastructure. The „Cloud“ is full of it (at least it should be). For most people it is the magic bullet to solve security problems. Well, it is helpful, but only until you try to dive into the implementation on servers, clients, certificate vendors, or Certificate Authorities. Alfonso De Gregorio has done this. He will present his findings at DeepSec 2015 in his presentation aptly titled „illusoryTLS: Nobody But Us. Impersonate,Tamper and Exploit“. Learn how to embed an elliptic-curve asymmetric backdoor into a RSA modulus using Elligator. Find out how the entire TLS security may turn to be fictional, if a single CA certificate with a secretly embedded backdoor enters the certificate store of relying parties. Discover how some entities might have practically explored cryptographic backdoors for intelligence purposes regardless of

Read More

1009, 2015

DeepSec 2015 Talk: “Yes, Now YOU Can Patch That Vulnerability Too!” A short Interview with Mitja Kolsek

Sanna/ September 10, 2015/ Discussion, Interview, Security

Patching software is a crucial task when it comes to fixing security vulnerabilities. While this totally works, usually you have to wait until the vendors or the developers provide you either an upgrade or a patch. What do you do in the meantime? Reducing the exposure of the software helps, but sometimes you have no choice. Public interfaces are public. There’s help. Do it yourself! Mitja Kolsek will tell you more. Please tell us the top 5 facts about your talk. We want to shake the security world by introducing a simple twist and essentially reinventing software patching. Attackers’ main advantage comes from software vulnerabilities (often very old and long-patched ones), which are a critical ingredient of most breaches into corporate and government networks. Unfortunately, most software vendors are lacking economical motivation for providing patches, let alone pro-actively

Read More

0309, 2015

The Enemy Within: Industrial Espionage and Your Network at DeepSec 2015

Sanna/ September 3, 2015/ Conference, High Entropy, Security

Networking is vital to aquire jobs in the business world, manage projects, and develop products. It all started with the World Wide Web, now we also interact via various clouds and social media platforms with our staff, clients, and customers. Data gets outsourced to third parties, and business letters are airily send by Instant Messenger (due to the lack of messenger ravens, sadly). But the thoughtless embrace of networks invites threats, previously known only from the silver screen – spies. And, unfortunately, in today’s digital environment, it is no longer enough to just close the door to protect yourself from prying eyes. There is much more to be considered. We’re here to help. DeepSec does not want to leave your company out in the cold: Attend our next conference which takes place in Vienna on

Read More

2406, 2015

Crypto Article: „Cornerstones of German Encryption Policy“ from 1999 are still in place

Sanna/ June 24, 2015/ Discussion, Security

We have some more translated news for you. In theory it is an article about policies and the process of law-making. In practice it concerns the use of encryption and everyone relying on service providers (mostly connected to the Internet, i.e. „cloud providers“). No matter how cool your start-up is and what its products aim to replace, information security will probably need a backdoor-free and working encryption technology as a core component. This is exactly why you cannot stay focused on the technology alone. Threats may come in the guise of new laws or regulations (think Wassenaar Arrangement). Matthias Monroy has some information about the official stance of the German government regarding the currently raging „crypto wars“. Enjoy! Federal Ministry of the Interior: The “Cornerstones of German encryption policy“ from 1999 still remain Source: netzpolitik.org Author: Matthias

Read More

2910, 2014

DeepSec 2014 Talk: Build Yourself a Risk Assessment Tool

Sanna/ October 29, 2014/ Conference, Interview

„The only advice I might give to everyone who is responsible for information security is that it is never about a tool or a methodology“, says Vlado Luknar. The never-ending quest for the “best” tool or methodology is a futile exercise. In the end it is you, the security specialist, who adds the most value to a risk assessment (RA) / threat modelling process for your company, claims Vlado Luknar (Orange Slovensko a.s. / France Telecom Orange Group).  In his talk at DeepSec Mr. Luknar will demonstrate that it is quite easy to capture your overall security knowledge in a home-made, free-of-charge tool.  But first, let’s ask Mr. Luknar a couple of questions: 1) Mr. Luknar, please tell us the top 5 facts about your talk! There is no problem with understanding existing RA

Read More

2810, 2014

DeepSec 2014 Talk: Cloud-based Data Validation Patterns… We need a new Approach!

Sanna/ October 28, 2014/ Conference, Interview

Data validation threats (e.g. sensitive data, injection attacks) account for the vast majority of security issues in any system, including cloud-based systems. Current methodology in nearly every organisation is to create data validation gates. But when an organisation implements a cloud-based strategy, these security-quality gates may inadvertently become bypassed or suppressed. Everyone relying on these filters should know how they can fail and what it means to your flow of data. Geoffrey Hill has been in the IT industry since 1990, when he developed and sold a C++ application to measure risk in the commodities markets in New York City. He was recently employed by Cigital Inc., a company that specializes in incorporating secure engineering development frameworks into the software development life-cycles of client organizations.  He was leading the software security initiative at a major phone

Read More

1907, 2013

Reminder: DeepSec – the Book: Call for Papers

Sanna/ July 19, 2013/ Administrivia, Call for Papers

Dear DeepSec speakers, this reminder goes out to you! We will publish a book about past and present DeepSec topics – To make this book a bummer we need your help! The book will be a summary, a factual overview on what’s been going on at our annual event, from 2008 – 2012, a collection of the most compelling talks and captivating topics we’ve featured at our conference so far. We want you to send us the abstracts of the talk you held at DeepSec – and we ask you to open up your topic once again. What’s been going on in the very special field you held your talk about? Have there been some new developments? Is your talk still up to date or does it seem kind of antiquated to you? If

Read More

2506, 2013

DeepSec Proceedings: The Book – Call for Papers Reminder

Sanna/ June 25, 2013/ Administrivia

Dear DeepSec speakers this goes out to you: It’s our pleasure to inform you that we will publish a book as proceedings about past and present DeepSec topics. A summary, a factual overview on what’s been going on at our annual event, from 2008 – 2012, a collection of the most compelling talks and captivating topics we’ve featured at our conference so far. To make this book a bummer we need your help. We want you to send us the abstracts of the talk you held at DeepSec – and we ask you to open up your topic once again. What’s been going on in the very special field you held your talk about? Have there been some new developments? Is your talk still up to date or does it seem kind of antiquated

Read More

2506, 2013

Timeless elegance: DeepSec T-Shirts 2011

Sanna/ June 25, 2013/ Administrivia, High Entropy

Somewhere it’s still 2011. In another dimension it’s probably always Monday. ANYWAY — for those of you who want to wear a garment of timeless elegance we have the very T-Shirt: DeepSec T-Shirt 2011 proudly presented by our favourite model, Mme Cyberduck.     Wow, look at this imprint   – neat, isn’t it? T- Shirt can be ordered either via e-mail Price: 25€ (VAT excluded) + shipping costs Payment: Prepay, either via Paypal or Credit Card or you can get them at our next conference, DeepSec 2013. C u!  

2205, 2013

We proudly present our 2012 DeepSec T-Shirts

Sanna/ May 22, 2013/ Administrivia

Finally! Our 2012 Deep Sec T’s have arrived – Yes, and they rock!     If you want a T-Shirt please write an e-mail to deepsec@deepsec.net including your size and your postal address so we can send it to you! Sizes available: M, L, XL Price: 25€ (VAT excluded) + shipping costs Payment: Prepay, either via Paypal or bank transfer If you have a VAT number please let us know, and we will include it in your invoice. Invoice will be sent with the T-Shirt. P.S.: There will be a 2011 T-Shirt Edition too –  We’ll keep you posted 🙂 Your DeepSec Crew.