1209, 2018

Translated Press Release: Bug Bounty Programs – Vulnerabilities as a worthwhile Investment

René Pfeiffer/ September 12, 2018/ Conference, Press

DeepSec Conference offers trainings for security researchers Vienna (pts010 / 04.09.2018 / 08:30) – This year, in addition to lectures about the failing of security measures, the DeepSec In-Depth Security Conference will offer a workshop for finding vulnerabilities. Unfortunately the testing of software in the context of quality assurance is no longer sufficient in the modern, networked world. The prefix “Smart” does not change anything about existing weaknesses. The training is therefore aimed at professionals, already working in development, and at security experts, to specifically strengthen the development of safer products in industry and companies. Complex Technologies and their Susceptibility to Errors Not only since the birth of the Internet of Things modern products can’t manage without software. If you add networking and the high level of complexity of individual parts, this is a

1109, 2018

Translated Press Release: Intelligence Agencies want to abolish Information Security

René Pfeiffer/ September 11, 2018/ Conference, Press

https://www.pressetext.com/news/deepsec-konferenz-veroeffentlicht-programm-fuer-2018.html DeepSec Conference criticizes the open Attack on secure End-to-End Encryption Vienna (pts014/21.08.2018/09:25) – Ever since security measures have been in existence, there have been discussions about their benefits and their strength. In digital communication, the topic of back doors keeps coming up. In the analog world high quality locks are desired to protect against theft. In the digital world this may now change. The Five Eyes (i.e. the intelligence services of the United States, the United Kingdom, Australia, New Zealand, and Canada) want to force all countries around the world to implement duplicate keys, thus to implement back doors, in their encrypted communication. For this purpose, at the end of August, a meeting of the Five Eyes Ministers of the Interior took place in Australia. This proposal has serious disadvantages for the economy

1009, 2018

DeepSec 2018 Training: Attacking Internet of Things with Software Defined Radio – Johannes Pohl

Sanna/ September 10, 2018/ Conference, Security, Training

In Johannes Pohls training participants will learn how to reverse engineer the wireless communication between Internet of Things (IoT) devices with Software Defined Radios (SDR) using the Universal Radio Hacker (URH). The workshop covers required HF (high frequency) basics such as digital modulations and encodings and shows how to reveal the protocol logic step by step and, finally, how to develop attacks against devices. For demonstration they will investigate and attack a wireless socket and a smart home door lock. During the course of the workshop the communication of the two devices will be analyzed and reverse engineered. In conclusion, attacks on both devices will be developed. By the end of the workshop participants will be able to switch the socket and open the door lock with SDRs. This of course requires knowledge in the

0609, 2018

DeepSec 2018 Talk: Cracking HiTag2 Crypto – Weaponising Academic Attacks for Breaking and Entering – Kevin Sheldrake

Sanna/ September 6, 2018/ Conference, Security

HiTag2 is an Radio-Frequency Identification (RFID) technology operating at 125KHz. It is distinguished from many others in the same field by its use of 2-way communications for authentication and its use of encryption to protect the data transmissions – the majority of RFID technologies at 125KHz feature no authentication or encryption at all. As a result it has been widely used to provide secure building access and has also been used as the technology that implements car immobilisers. In 2012, academic researchers Roel Verdult, Flavio D. Garcia and Josep Balasch published the seminal paper, ‘Gone in 360 Seconds: Hijacking with Hitag2’ that presented three attacks on the encryption system used in HiTag2; in 2016 Garcia et al presented a further attack in ‘Lock It and Still Lose It’. They implemented their attacks on the Proxmark 3 device

0609, 2018

Translated Press Release: DeepSec Conference releases Schedule for 2018

René Pfeiffer/ September 6, 2018/ Conference, Press

Focusing on the Insecurity of Things and infrastructure Vienna (pts014 / 21.08.2018 / 09:25) – This year’s DeepSec In-Depth Security Conference will focus on the topic of Insecurity of Things (IoT) and components of everyday infrastructure. The ever-advancing networking opens up completely new ways for attackers – faster than developers and manufacturers can fix bugs. Instead of using secure design for products and code, machine learning and artificial intelligence are integrated – unfortunately, implemented using convenient statistics and the algorithm of the week from the daily menu of the development kit. The presentations at the DeepSec conference will therefore put the alleged technologies of the future to the test. Mobile networks, the Internet of Things, collaboration platforms in the cloud, customer relationship management systems and the human factor are in the cross-hairs. Smart is

0509, 2018

DeepSec 2018 Talk: Defense Informs Offense Improves Defense – How to Compromise an ICS Network and How to Defend It – Joe Slowik

Sanna/ September 5, 2018/ Conference, Security

Industrial control system (ICS) attacks have an aura of sophistication, high barriers to entry, and significant investment in time and resources. Yet when looking at the situation – especially recent attacks – from a defender’s perspective, nothing could be further from the truth. Initial attack, lateral movement, and entrenchment within an ICS network requires – and probably operates best – via variations of ‘pen tester 101’ actions combined with some knowledge of the environment and living off the land. Only after initial access is achieved and final targets are identified do adversaries need to enhance their knowledge of ICS-specific environments to deliver disruptive (or destructive) impacts resulting in a potentially large pool of adversaries capable of conducting operations. Examining concrete ICS attack examples allows us to explore just what is needed to breach and

0409, 2018

DeepSec 2018 Talk: Can not See the Wood for the Trees – Too Many Security Standards for Automation Industry – Frank Ackermann

Sanna/ September 4, 2018/ Conference, Discussion, Security

“Plant operators and manufacturers are currently faced with many challenges in the field of automation.”, says Frank Ackermann. “Issues such as digitization, Industry 4.0, legal requirements or complex business processes that connect IT and OT are paramount. Related security problems and risks need to be addressed promptly and lastingly. Existing and newly created industry security standards (such as 62443, 61508 and 61511, 27001, …) are designed to help to improve security. But do the different approaches of these standards fit together? Are managers of the companies and manufacturers supported or rather confused by them? The presentation provides an overview of the key security industry standards, discusses the dependency and coverage of the standards, and aims to encourage discussion about if the standards optimize general security in industrial control systems.” We asked Frank a few

0309, 2018

DeepSec 2018 Talk: Who Watches the Watcher? Detecting Hypervisor Introspection from Unprivileged Guests – Tomasz Tuzel

Sanna/ September 3, 2018/ Conference, Development, Security

Over the last decade we have seen a rapid rise in virtualization-based tools in which a hypervisor is used to gain insight into the runtime execution of a system. With these advances in introspection techniques, it is no longer a question of whether a hypervisor can be used to peek inside or even manipulate the VMs it executes. Thus, how can we trust that a hypervisor deployed by a cloud provider will respect the privacy of their customers? While there are hardware-based protection mechanisms with the goal of guaranteeing data privacy even in the presence of such an “introspecting” hypervisor, there are currently no tools that can check whether the hypervisor is introspecting when it shouldn’t. We have developed a software package that analyzes instructions and memory accesses on an unprivileged guest system which

3108, 2018

DeepSec 2018 Talk: Open Source Network Monitoring – Paula de la Hoz Garrido

Sanna/ August 31, 2018/ Conference, Security

“I’d like to offer an introduction into Network System Monitoring using different open tools available in Linux.”, says Paula. “The talk is a technical approach to identify the best sniffing points in a network and how to orchestrate a full analysis of the content to secure the network, as well as showing ideas of collaborative and distributed hacking. Also, for a better performance, the talk includes a brief guide into configuring a Raspberry Pi for creating a simple Network Capture Probe. The main point of the talk is to show how open source tools are a nice option for this kind of security assessment.” We asked Paula a few more questions about her topic of expertise: Please tell us the top 5 facts about your talk. First of all, this talk is not solely

3008, 2018

DeepSec 2018 Talk: Building your Own WAF as a Service and Forgetting about False Positives – Juan Berner

Sanna/ August 30, 2018/ Conference, Internet, Security

When a Web Application Firewall (WAF) is presented as a defensive solution to web application attacks, there is usually a decision to be made: Will this be placed inline (and risk affecting users due to outages or latency) or will it be placed out of band (not affecting users but not protecting them either). In his talk Juan Berner will cover a different approach you can take when deciding how to use any WAF at your disposal, which is to try and get the best of both worlds, making the WAF work in passive mode out of band detecting attacks and in active mode by selectively routing traffic through your WAF to decide if it should block the request or allow it. To achieve this you will have to abstract the WAF around a

2908, 2018

DeepSec 2018 Special Training: Bug Hunting Millionaire – Mastering Web Attacks with Full-Stack Exploitation

René Pfeiffer/ August 29, 2018/ Conference, Security, Training

How do bugs in software get fixed? Well, first of all you have to find them. All code has bugs. Most probably, that is. Usually developers and users of applications find bugs. The history of information security has taught us that now attackers also look for bugs in software. Therefore flaws in code leading to security vulnerabilities have a higher priority for both developers and adversaries. The problem is that software testing finds all kinds of bugs and not always the important ones. Where is the incentive to go and debug software? Well, there is quality assurance, there is full disclosure, and now there are bug bounties. Bug bounties are rewards for bugs in software that have an impact on security. Companies offer these bounties as a means of software quality testing. Bug bounties

2808, 2018

DeepSec 2018 Training: Hunting with OSSEC – Xavier Mertens

Sanna/ August 28, 2018/ Conference, Training

“OSSEC is sometimes described as a low-cost log management solution but it has many interesting features which, when combined with external sources of information, may help in hunting for suspicious activity occurring on your servers and end-points”, says Xavier Mertens, who’s giving a training called “Hunting with OSSEC” at this years DeepSec. “During this training, you will learn the basic of OSSEC and its components, how to deploy it and quickly get results. Then I will demonstrate how to deploy specific rules to catch suspicious activities. From an input point of view, we will see how easy it is to learn new log formats to increase the detection scope and, from an output point of view, how we can generate alerts by interconnecting OSSEC with other tools like MISP, TheHive or an ELK Stack

2708, 2018

DeepSec 2018 Talk: DNS Exfiltration and Out-of-Band Attacks – Nitesh Shilpkar

Sanna/ August 27, 2018/ Conference, Security

“The Domain Name System or DNS is one of the most fundamental parts of the Internet”, says Nitesh Shipkar. “It is crucial for a billion of users daily to help us build presence on the internet using names humans can understand rather than IP addresses. However, DNS comes with security issues organizations should be aware of and take into consideration. Attackers are abusing the DNS to redirect traffic to malicious sites, communicate with command and control (C&C) servers, steal data from organizations and conduct massive attacks that cause harm to organizations. Many organizations are not prepared to mitigate, or even detect, the problems DNS might bring. Due to the criticality of DNS to maintain an Internet presence, access applications, connect to a network or simply send an email, everyone has the potential to be

1708, 2018

DeepSec 2018 Conference “Smart is the new Cyber” – Preliminary Schedule published

René Pfeiffer/ August 17, 2018/ Conference, Schedule, Security

The preliminary schedule for DeepSec 2018 has been published. It took us some time to select and review all submissions. We cracked the 100 submissions mark, thus we are pleased that you made it very difficult for us this year. The number of slots for presentations and workshops has been constant. The number of content being submitted is steadily growing. So we hope we did a good job and that you find a pleasant mixture of topics (as pleasant as information security can get). All speakers have been informed. There may be some changes to the schedule which we will announce on our blog. The abstracts of every presentation and workshop will be discussed in-depth here on the blog as well. We have asked the trainers and speakers some questions. As soon as we

0808, 2018

DeepSec Call for Papers Ended – Review Process – Melting Brains – Hard Facts

René Pfeiffer/ August 8, 2018/ Administrivia, Conference

Year by year it is getting harder to review the growing numbers of submissions. Thanks a lot for your contribution! It’s always a pleasure to read what you sent us. We have started to review as soon as you submit, but given the heat and the sheer number of submissions, it will take a few more days. We only have two days of trainings and two days of conference – which isn’t nearly enough. We will try to come up with a schedule that covers current events, science, and threats of tomorrow. Speaking of science, the Call for Papers for ROOTS 2018 is still running! We like to see more solid research in information security. It’s easy to get headlines or flourish on social media, but information security needs to do its homework. This

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this: