2007, 2021

Secure Communication as an endangered Species

René Pfeiffer/ July 20, 2021/ Conference

Communication is a vital part of modern life and business processes around the world. The rise of the Internet has put sending and receiving information at the centre of most activities. Anyone who has access to personal messages can use them to a significant advantage. Messengers live on billions of smartphones around the world. A compromised telephone opens the door to a treasure trove of highly valuable data. Welcome to the world of information warfare! Repeatedly we issued press articles covering broken secure communication and backdoors to devices. The most recent publications cover the initiative of the German government for mandatory security vulnerabilities in digital infrastructure. Information security cannot distinguish between the purpose of how technology is used. Especially the integrity of computer systems is either preserved or destroyed. There is no middle ground.

Read More

0807, 2021

2021 – The Year of the Supply Chain

René Pfeiffer/ July 8, 2021/ Conference

Logistics and supplies are the fuel that keeps modern society rolling. The COVID-19 pandemic has shown that delivery of goods, medical supplies, and work place administration is a part of our daily lives. The container ship Ever Given blocking the Suez Canal serves as an illustration of how important these lifelines are. Even the digital world is based on supply chains. The computer you use receives updates regularly. Chances are high that you even have some data in online platforms (a.k.a. The Cloud™) somewhere. Thinking in terms of information security, these dependencies are a natural target for attackers. Swedish supermarket customers currently suffer from a digital attack on the US-American company Kaseya. The company develops software for managing IT infrastructure. The REvil malware hit them and disabled clients using the VSA remote managing software

Read More

0607, 2021

Reminder: DeepSec and DeepINTEL 2021 Call for Papers is still open!

René Pfeiffer/ July 6, 2021/ Conference

The year 2021 features some milestone anniversaries. Some of these anniversaries are tragedies. Others are milestones for change. A lot of them affect the world of information security. Technologies come and go, because more often than not we find better solutions. Implementations mature. Some don’t. So let’s take the anniversary of the RSA SecureID faux pas and combine it with the deleted tweet suggesting to replace TCP/IP with Something Based On Blockchain™. In order to grow and develop better applications, we should strife to improve how we approach the challenges of information security. Here is how we will do this. Read on. The DeepSec and DeepINTEL 2021 call for papers are still open. If you have in-depth content or have some observations to share, please submit your ideas! DeepSec is a 100% blockchain-free zone,

Read More

2106, 2021

Communiqué de Presse: Les Environnements de Bureau Modernes : Une Faille dans la Sécurité – La Conférence DeepSec propose des Formations et des Tests pour des Applications Sécurisées

Sanna/ June 21, 2021/ Conference, Press

Qu’est-ce qu’une application bureautique moderne a en commun avec un oléoduc en panne ? L’environnement de bureau qui a conduit à la catastrophe. Les interfaces utilisateur graphiques pour l’exploitation des ordinateurs remontent à des recherches menées dans les années 1960 et 1970. À l’époque, on réfléchissait à la manière dont les ordinateurs pourraient aider au mieux les gens. À partir des années 1990, le bureau est devenu un champ de bataille pour la domination du marché. Cela n’a pas changé, mais on retrouve désormais également des aspects liés à la sécurité. Après tout, l’environnement de bureau est souvent la première étape que les pirates informatiques franchissent pour accéder aux trésors numériques d’une entreprise. La conférence annuelle DeepSec propose aux professionnels de la sécurité et aux développeurs un cours intensif de deux jours consacré à la

Read More

1806, 2021

Deadline for Scholarship Program extended until 31 July 2021

René Pfeiffer/ June 18, 2021/ Conference

Being curious is the first step of answering a question. DeepSec has a long history of pushing the results of research on a public stage. Information security is a branch of computer science. Therefore, the scientific approach is the best way to tackle digital security. Past conferences have featured presentations about the work of dedicated groups of curious people. Now it’s your turn to get some extra support for your project. We have extended the deadline for the DeepSec scholarship program until the end of July 2021. We felt that having some extra time is never a bad idea. So if you have an idea for a research project, please let us know. Drop us an email or a message in a bottle.

1806, 2021

Press Release: Germany Stipulates Security Gaps by Law – DeepSec Conference Warns: Legal Anchoring of the State Trojans Destroys the Security of the Infrastructure.

Sanna/ June 18, 2021/ Conference, DeepIntel, Press

People on business trips are accustomed to take precautions against untrustworthy Internet access. Employees have been equipped with Virtual Private Network (VPN) technology in order to have secure access to company resources and internal systems. VPNs are also often used to circumvent the insecurity of the so-called last mile, i.e. the connection between your own computer and the actual systems on the Internet. The law, which was passed in the German Bundestag on June 10th, creates opportunities for the use of so-called State Trojans (term literally translated from the German Staatstrojaner, meaning a malicious piece of software provided and used by authorities). This institutionalizes security gaps so that state Trojans can be installed on end systems. The safe home office is a thing of the past. Comprehensive surveillance through digital intrusions The alterations to

Read More

1406, 2021

Communiqué de Presse: Menaces Actuelles sur les Réseaux Mobiles – La Conférence DeepSec sur la Sécurité propose une Formation à L’utilisation des Technologies Mobiles Actuelles

Sanna/ June 14, 2021/ Conference, Press

En 40 ans, la technologie des communications mobiles a connu un véritable essor. La disponibilité, la stabilité et les débits de données ont considérablement augmenté par rapport aux origines des réseaux 1G/2G. En revanche, la recherche sur la sécurité dans ce domaine n’a pas connu un succès comparable. Il existe encore des faiblesses et des lacunes en matière de sécurité de l’information. En 2007, la première conférence DeepSec a exposé les faiblesses du chiffrement A5. La conférence de cette année proposera donc à nouveau un atelier de deux jours sur la sécurité des technologies actuelles de communication mobile. La base de la société de communication De nombreuses commodités de la vie moderne seraient inconcevables sans les réseaux mobiles. L’Internet est presque toujours à notre disposition. La communication est également très facile en dehors des

Read More

0706, 2021

Communiqué de Presse: Attaques « low-tech »: Infrastructures Critiques mal Sécurisées – Les Attaques contre Colonial Pipeline reposaient sur des outils d’accès standard

Sanna/ June 7, 2021/ Conference, Press

En mai, l’entreprise américaine Colonial Pipeline a été victime d’une attaque par ransomware. Après de tels événements, il y a toujours une demande en sécurité accrue et en nouvelles mesures. Pourtant, l’analyse de ces attaques révèle souvent des lacunes dans la sécurité de base. Il n’est souvent pas nécessaire d’utiliser des outils compliqués et sophistiqués pour cibler des infrastructures critiques. Les attaquants aiment utiliser des outils standards, disponibles partout, pour éviter d’être détectés. Ceci est rendu possible par une sécurité de base insuffisante. Un camouflage adapté Pour défendre ses propres systèmes et réseaux, il est nécessaire de connaître en profondeur les particularités de son infrastructure. Les groupes organisés qui ciblent les entreprises recherchent exactement ce qu’utilise la cible avant d’attaquer. Suite à cette phase de planification, ils utilisent seulement des outils que la victime

Read More

1205, 2021

First DeepSec 2021 Trainings published

René Pfeiffer/ May 12, 2021/ Conference, Training

We dug through the submissions and selected trainings for the preliminary schedule. It’s just the trainings, and the intention is to give you some information for planning the rest of the year. We intend the trainings to be on site at the conference hotel. We will also explore ways to offer a virtual training or to attend the course virtually. The topics range from attacking modern desktop applications, in-depth network security (mobile networks and traffic analysis), penetration testing industrial control systems over to how to break and secure single-sign on systems. The entire collection of content aims to educate your IT department and your development team regarding the current state of affairs in companies with employees connected in home office. All technologies and tools are vital parts of the workplace. We included attacking industrial

Read More

1005, 2021

ROOTS 2021 – Call for Papers

René Pfeiffer/ May 10, 2021/ Conference

The Reversing and Offensive-oriented Trends Symposium, an academic workshop, is again co-located with the DeepSec conference in its fifth year. ROOTS solicits contributions that focus on theorems and root shells: In security, two things you absolutely cannot argue with. Security is hard to define. Most often, security is defined by its absence. For scientists, this is particularly unsatisfactory. A lack of definition increases the difficulty to find suitable quantitive and qualitative models. Even though the overall landscape is blurry at best; exploitation, reverse engineering, and offensive techniques have their place. ROOTS aims to explore this territory. The first European symposium of its kind, ROOTS aims to provide an industry-friendly academic platform to discuss trends in exploitation, reversing, offensive techniques, and effective protections. Submissions should provide novel attack forms, describe novel reversing techniques, or effective

Read More

1904, 2021

DeepSec, ROOTS and DeepINTEL Update – Call for Papers open

René Pfeiffer/ April 19, 2021/ Administrivia, Call for Papers, Conference, DeepIntel

Planning events is still challenging. The COVID-19 pandemic celebrated its first birthday. Despite efforts not to have the second birthday of the pandemic, the ever changing regulations and statues updates regarding the infections make preparations for conferences very hard. We know you want to plan as well, therefore we have an update for you. DeepSec, ROOTS, and DeepINTEL will happen on-site here in Vienna. We closely coordinate with our conference hotel. Their staff is eager to reopen. Everything depends on the rate of vaccination and the regulations issued by the European and Austrian authorities. There is not much we can influence. Given our health protection measure we worked out last year, we are well prepared to handle everything short of a total lockdown. We don’t do any forecasts at the moment. The next months

Read More

0804, 2021

Software Architecture, Code, and Information Security

René Pfeiffer/ April 8, 2021/ Conference

Information security is tightly linked with the code running on platforms and decisions made during the software architecture planning phase. One can trace a lot of results in penetration tests to workarounds caused by inadequate tools, bad design choices, trends in software development, legacy applications, and too optimistic testing strategies. Let’s visit some of the accident sites by example. Implementing the basic principles of information security can be hard. The dreaded undefined behaviour or the lack of graceful failures in error conditions happens frequently. A recent presentation about autonomous systems illustrates what we expected from your code – it must be completely self-reliant. Doing n restarts and halting is not the best way of dealing with unexpected situations. Rejecting dangerous states and input is always an option, but sysadmins frequently need to bash applications

Read More

0103, 2021

DeepSec 2021 – Call for Papers is open

René Pfeiffer/ March 1, 2021/ Call for Papers, Conference

DeepSec 2021 is looking for your ideas, solutions, incident reports, insights, and expertise. The call for papers is open. You can submit your contribution via our call for papers manager online. If you have questions or want to submit additional material, please use the online form and send an email to us. DeepSec has always presented a mix of attack and defence presentations. The motto for 2021 connects both approaches. Studying how adversaries work, what tools they employ, how they plan their attack, and what they do once they get access is vital to your defence. IT infrastructure has grown over the years. Defence has a lot to take care of. If you have any ideas how to help the defenders, please let us know. Topics covering attacks should always contain some advice on

Read More

2912, 2020

Translated Article: EU Directive for “High-Class Cybersecurity” with Duplicate Keys

Sanna/ December 29, 2020/ Conference, Security, Stories

EU-Richtlinie für „hochklassige Cybersicherheit“ mit Nachschlüsseln by Erich Moechel for fm4.ORF.at. The key message of the Council of Ministers’ resolution against secure encryption has already arrived in a first draft directive. For this reason here’s a historical outline of the new Crypto Wars since 2014. The resolution of the EU Council of Ministers against secure encryption, which resulted in so much criticism, has already appeared in a first draft directive. A corresponding passage can be found in the new draft directive on “Measures for high-quality cybersecurity in the Union”. The date of December 16 of the document shows that it was already drawn up before the Council resolution was passed (on December 19). Here, too, it is claimed that secure end-to-end encryption remains intact if duplicate keys are generated for third parties. Meanwhile the EU

Read More

2011, 2020

DeepSec 2020 Mission Control – Behind the Scenes

René Pfeiffer/ November 20, 2020/ Administrivia, Conference

The fully virtual DeepSec conference was very different from the usual configuration and setting. While we learned a lot over the years, there is one constant: What’s the difference between hardware and software? Well, hardware can be kicked. There is always one converter, one computer, one network devices, one USB device, or something else that doesn’t quite fit into the ensemble. Then there are the many desktop oddities and multimedia formats. So we had to do some damage control during the first day of streaming (having damage control teams and replacement parts ready is not just for ships). Networking did its own magic by introducing delays between the speaker’s feed and the live stream. Fortunately the stream connections held, and we had no losses in terms of connectivity. Mission control at the office used

Read More