Since DeepSec 2011 has ended and we still want to have a chat with you, let’s meet at the party! It takes place at the Metalab, a local hacker space next to the town hall. We have music, we have stuff to drink, we got access to the Intertubes, we got lots of nice people, and even more reasons to have some fun! Don’t miss it!
For all of you who frequently visits „hacking hot spots“ this should be familiar. For all others who blindly trust the Net it should be a wake-up call. Here’s a short and probably incomplete check-list in case you are preparing for DeepSec 2011 or any other event with a public Internet access (the CCC has a more complete list on their event web site). Secure your operating system (vendor and type doesn’t matter). Backup your data. Do run a firewall or a similar filter on your device (vendor and type doesn’t matter). The hostile network starts right at your antenna or Ethernet jack (again regardless of vendor and layer 1 technology). Try to use a VPN tunnel to a trusted network (such as your company or home network). Tunnel all traffic through your VPN
For all of you who do not pay close attention to our contact section on our web site, we offer various way to communicate via encrypted messages. We have published two GPG keys, one for our role account (key 0x22860969) and one for a person from our organisation team (key 0x6E4037AF). Use PGP/MIME format if possible (ASCII armour is so old school ☺). We have set up an e-mail forwarding service via privacybox.de. You can use a standard web form, a form suited for mobile clients and a form reachable via a TOR hidden service. While we have no idea how privacybox.de handle their own security, it’s a nice service. You can always double- or triple-encrypt if in doubt. When on IRC (channel #deepsec on irc.freenode.net, usually most active prior to and shortly after
Finally we have reviewed all your submissions, and we have published a preliminary schedule on our web site. We have not filled all workshop slots, because some of the workshop submissions are still under review and some submitters have been asked for further material. We wish to express our deepest thanks for your submissions! We received much more than we possibly can squeeze into the conference schedule, most of the material being absolutely new and of high interest. We had a hard time rejecting talks, so don’t be sad if you couldn’t make it this time. So, to everyone whose submission was rejected: We will contact you again. The topics range from encryption, attacking mobile devices, IT compliance management, SAP weaknesses (yes, SAP deployments can be attacked, really), cyber-peace (we’re curious as well), insights
We’ve been busy attending the 1. Sicherheitspolitische Aufbauakademie des Bundesverbandes Sicherheitspolitik an Hochschulen in the past days, so we will not comment the submission for DeepSec 2011 immediately. Gathering from the summaries and descriptions so far we are every impressed. DeepSec 2011 will feature some serious talks and new content. Thanks for taking your time and considering to hold a talk at our conference! We will need some time to sort through all submissions and rank them. We may come back to you for questions, but you will get a notice on the state of your submission as soon as possible. Stay tuned! In case you want to submit a talk late, please drop it into our mailbox or use the Call for Papers manager. You will be ranked after the submission that we
Come on, get your submissions in order and send them to us! The past weeks were full of vulnerabilities, exploits in action and illustrated security very well. Let’s recall what we are looking for. Mobile computing and communications (the protocols and the gadgets) IPv6 (again protocols and the gadgets) Security management and IT governance (a.k.a. “The Big Picture”) Cloud computing and virtualisation (a.k.a. infrastructure 2.0) Security intelligence (few have it) Psychological aspect of security (social engineering, usable security, …) Topics that have a high impact on IT security (or your/our life in general) Design flaws (“defective by design”, the bugs are out there…) We’re looking for workshops, talks and submissions from young talents (U21). Updates and reviews are welcome provided they are still a threat (the web never gets boring for example). New uses
In case you have not yet prepared a submission for DeepSec 2011, please consider to do so. The deadline is approaching! We have already received submissions, but we have a hard time believing that everything is secure out there. That can’t be, you know it, and we know it. Submit your in-depths talks and workshops, give our programme committee some work to do, and maybe we can even have some in-depth lulz, who knows. Speaking of security and design flaws, don’t forget the ubiquitous web interfaces. Everyone and everything has a web interface – your bank, your government, your routers, your servers, your average smart meter (measuring electricity/water/gas consumption), your printers, your household appliances, your TV set, your video/audio player and possibly a lot of devices you are unaware of. Of course, feel free
Some of you might already noticed the videos from the DeepSec 2009 conference on Vimeo. Sadly we don’t have all the slides for all talks, but here are some documents from our archive. #TwitterRisks: Bot C&C, Data Loss, Intel Collection & More by Ben Feinstein – Slides Dynamic Binary Instrumentation for Deobfuscation and Unpacking by Daniel Reynaud and Jean-Yves Marion – Slides Windows Secure Kernel Development by Fermin J. Serna – Slides Stoned déjà vu – again by Peter Kleissner – Slides Key Management Death Match? Competing KM Standards Technical Deep Dive by Marc Massar – Slides USB Device Drivers: A Stepping Stone into your Kernel by Moritz Jodeit and Martin Johns – Slides eKimono: Detecting Rootkits inside Virtual Machine by Nguyen Anh Quynh – Slides Ownage 2.0 by Saumil Shah – Slides
A few days ago we uploaded the keynote speech held by Matt Watchinski at DeepSec 2009. The title was: „Technology Won’t Save You, Only People Will“ This statement can be turned into the opposite: Technology won’t threaten you, people will. We’re not talking about threats from insiders turned rogue. We are talking about holes in your defence because of badly configured or mishandled security devices and software. This has nothing to do with being Bastard Operator from Hell and putting the blame on the users or colleagues. A modern company infrastructure has to deal with a lot of complexity all by itself. Adding security won’t reduce this complexity. Adding badly designed user interfaces (for security devices and options), confusing status/error messages and hardly comprehensible settings will most certainly increase the risk of security incidents.
The registration for DeepSec 2011 is now officially open. You can register for the conference, workshops or both. We offer three booking phases: Early Bird, Regular and Last Minute. Please keep in mind that the Early Bird tickets are the cheapest. The longer you wait, the more you have to pay. Since the Call for Papers is still running the workshop slots are empty, but you can buy workshop or conference+workshop tickets now and decide which workshop you want later (when we publish the schedule). If you have any questions, drop us a few lines.
Finally we found some time to sort through the video recording legacy of past DeepSec conferences. We’ve been asked for video material repeatedly since we record all talks held at DeepSec (except those where the speaker does not want to be published on video). Let me explain what the state of our video archive is. All video recordings were done by different teams consisting of video professionals, volunteers from Metalab and students of the St. Pölten University of Applied Sciences. We used different camera equipment, sound feeds due to changes with the audio system on-site and various storage media because of different digital cameras on-site. The videos of DeepSec 2007 are on Google Video since June 2008. We have re-added them to our internal archive, and we noticed that killab66661 has added the videos
Have you lost track of the risks that may or may not impact your security? How good are the facts you base your security decisions on? Does your organisation follow defined procedures in terms of deploying, monitoring or evaluating security measures? Who decides what’s next and what’s being phased out? Is there a way to get more sleep while fencing off risk factors at the same time? It’s very easy to get lost in the details and drown in the various tools of the security trade. Every day something happens. A single 0day can ruin your meticulously designed schedule. It would be nice to get a grip on the dynamics and introduce more stability. CIOs need to address the Big Picture. That’s exactly why we mentioned security management in our CfP. We’d like to
Since 3 February 2011 the IPv4 pool is now officially and fully depleted. „Peak IPv4“ was a long time ago. IANA can no longer hand out any IPv4 address space. Everyone who needs more address space will be force to look to IPv6. What about security? Are there any benefits? Has IPv6 eliminated all the weaknesses known with IPv4? Those who attended DeepSec 2010 already know the answers to these questions. Mark Heuse conducted a workshop and held a talk about IPv6 security. There’s no doubt that IPv6 is coming to town. Due to tunnels some networks even have IPv6 connectivity, some without even knowing. Setting up a tunnel with a router in your local network is easy. The router will announce itself to local nodes which will in turn automatically grab addresses and
For the fifth time the DeepSec In-Depth Security Conference invites security researchers and professionals to submit suggestions for talks and workshops for our conference which will take place in November 2011 in Vienna. Please visit our updated website for more details about the venue, the schedule and information about our past conferences. We’re currently migrating the old content and collect the data from the old server in order to present archives of the past conference web sites. The DeepSec offers a mix of different topics and aspects like current threats and vulnerabilities, social engineering and psychological aspects as well as security management and philosophy. Our speakers and trainers traditionally come from the security community, companies, hacker spaces and academic organisations. We’ve updated the CfP, and you can submit content for three categories: Talks for
In the wake of the 23rd annual FIRST conference there will be a B-Sides Vienna event together with the NinjaCon 11, 3rd edition. The B-Sides Vienna will be on June 18th, as will be the NinjaCon 11. The Call For Papers is now open and we ask you to submit your material! At B-Sides Vienna aka NinjaCon 11, we’re looking forward to see a selection of trainings, hands-on workshops, 50-minute presetations and 15-minute lightning talks. As we understand ourselves as an open, international event, the official conference language for all talks, trainings and workshops (as well as submitted abstracts), as always, is English. Topics of interest include (but are in no way limited to) the following: Information technology, network security, web application security, virtualisation and cloud computing, innovative attack strategies, forensics, embedded devices, physical