2505, 2017

The Future of Entangled Security States – Quantum Computing Conference in Berlin

René Pfeiffer/ May 25, 2017/ Conference, Security

Quantum computing is a fashionable term these days. Some IT news articles are talking about post-quantum cryptography, qbits, and more quantum stuff. If you don’t know how the terms relate to each other, what entangled states in quantum physics are, and what everything has to do with computing, then you will have a hard time figuring out what it means for you and your infrastructure. The relationship to cryptography is yet another matter best explored after you know the basics. Using quantum effects in computing and cryptography is already done. The best example are some hardware random generators which use properties of, well, the hardware to harvest entropy. And then there is quantum key distribution (QKD). It is a method to ensure secure communication between two or more nodes. Vienna even had a working

Read More

1205, 2017

DeepSec welcomes SEC Consult as Sponsor for 2017!

René Pfeiffer/ May 12, 2017/ Conference, Security

Testing products, production code, security measures, or the overall security of infrastructure is hard work. The typical needs in term of information technology for a company or an organisation has become a variety of components that need to be maintained and hardened against attacks. The devil is in the details. In order to find critical weaknesses you need decades of experience, a thorough understanding of the technologies in use, in-depth knowledge of processes that touch information technology, and a decent portion of creativity to come up with ways around obstacles. SEC Consult, our long-time sponsor, has all of this – and more. They publish their findings and offer consulting for anyone needing extra security. Take a look at the House of Keys project, the IoT Inspector, or gaping holes in digital forensics software that

Read More

1105, 2017

DeepSec welcomes Digital Guardian as Sponsor for 2017

René Pfeiffer/ May 11, 2017/ Conference, Security

No event can be done with supporters, and so we welcome Digital Guardian as sponsor for the upcoming DeepSec 2017 conference! If you have data in your organisation, then you might be interested in talking to Digital Guardian’s experts, because they know a lot about what data does, where it lives, what endpoints really are, how you protect it, and how you keep exclusive access to it. Since data is code on most computing architectures, there’s a double benefit. Digital Guardian is a next generation data protection platform purpose built to stop data theft. The Digital Guardian platform performs across the corporate network, traditional endpoints, mobile devices and cloud applications to make it easier to see and stop all threats to sensitive data. For more than 10 years, it has enabled data-rich organizations to

Read More

0105, 2017

Call for Papers: 1st Reversing and Offensive-Oriented Trends Symposium (ROOTs) 2017

René Pfeiffer/ May 1, 2017/ Call for Papers, Conference

ROOTs 2017 The first Reversing and Offensive-Oriented Trends Symposium (ROOTs) 2017 opens its call for papers. ROOTs is the first European symposium of its kind. ROOTS aims to provide an industry-friendly academic platform to discuss trends in exploitation, reversing, offensive techniques, and effective protections. Submissions should provide novel attack forms, describe novel reversing techniques or effective deployable defenses. Submissions can also provide a comprehensive overview of the state-of-the-art, and pinpoint promising areas that have not received appropriate attention in the past. To facilitate interaction with industry, the ROOTs ticket will be valid for all DeepSec conference tracks on both days, including the industry tracks, and the DeepSec conference tickets for the industry track will be valid for ROOTs. The usual rules for academic discounts apply. Please contact the DeepSec staff or our sponsors for

Read More

2804, 2017

DeepINTEL Update, Science First Campaign, Early Birds, and other News

René Pfeiffer/ April 28, 2017/ Administrivia, Conference

The Easter break is over. We didn’t sleep (much), and we did not look for Easter eggs in software either. Instead we did a bit of work behind the scenes. DeepSec 2017 will have some more content due to the co-hosted ROOTs workshop. The full call for papers will be ready on 1 May 2017. We will publish the text here on this blog, and email it to interested researchers. In the meantime the DeepSec 2017 Call for Papers is waiting patiently for your submission. In case you haven’t noticed, the DeepSec and DeepINTEL ticket shops are online. Please book your ticket as early as possible! Every year so far we had some people at our conference who were very sad because their favourite training was not available. If you book early you’ll help us to secure

Read More

2703, 2017

DeepINTEL / DeepSec News for 2017 and Call for Papers

René Pfeiffer/ March 27, 2017/ Administrivia, Call for Papers, Conference

Changing code, layout or designs have something in common – deadlines. But you cannot rush creativity, and so the new design of the DeepSec web site took some time. The old design has served us well. We basically did not change much and used it since 2007. The new design follows the stickers we use for decoration at our conferences, the book cover of the DeepSec chronicles, and many other details we publish via documents – all thanks to the creative mind of fx. So thanks a lot fx! The content of our conference has also slightly changed. DeepSec 2017 will feature additional content, because we will introduce a third track filled with presentations from academic research. Given the fact-free discussions of information security and security in general, we would like to (re)introduce the scientific

Read More

1303, 2017

DeepINTEL 2017 – Modern Strategies for Information Security

Sanna/ March 13, 2017/ Conference, Security Intelligence, Veranstaltung

Seminar on Digital Defence with Experts. The news is full of reports covering attacks against networked systems and digital components. Every day there is new media coverage about stolen data, compromised accounts, the impact of malicious software, digital second strikes, cyber attacks between countries and new vulnerabilities in computer systems. All that leads to the impression that in the modern digital world we are almost helplessly vulnerable to attacks. Clever entrepreneurs benefit from the general uncertainty and sell countermeasures in the form of security software or other components, which, according to their praise, once installed will kill off every threat automatically. But the media don’t show the whole picture – hardly any report on “hacker attacks” could be called a realistic depiction of real life events. The consequence? It is not possible to build

Read More

2001, 2017

DeepSec Administrivia for 2017, the Year of the Cyber

René Pfeiffer/ January 20, 2017/ Administrivia, Conference

2017 is in full swing, and it didn’t wait long. December was full of „hacking“ news. It seems digital war(e)fare knows no break. We will address some of the issues in a series of blog articles. Also we have uploaded the DeepSec 2016 videos to Vimeo. Attendees and speaker will get access before we publish the videos for everyone. This is our review in case someone doesn’t like a video or needs to adapt the description. The date for DeepSec will be published soon, along with the date. We look to the fourth quarter of the year, as usual. The Call for Papers will be online in February. If you got some ideas, write them to us. We have plenty of topics to address. The most pressing problem was raised at the 33C3. Go

Read More

1711, 2016

Disclosures, Jenkins, Conferences, and the Joys of 0Days

René Pfeiffer/ November 17, 2016/ Conference, Discussion, High Entropy

DeepSec 2016 was great. We have slightly recovered and deal with the aftermath in terms of administrivia. As announced on Twitter, we would like to publish a few thoughts on the remote code execution issue found by Matthias Kaiser. He mentioned the possibility in this presentation titled Java Deserialization Vulnerabilities – The Forgotten Bug Class. First let’s explain some things about how DeepSec runs the Call for Papers, the submissions, and the conference. During the Call for Papers process our speakers send us title, abstract, and mostly an in-depth description of the presentation’s content. This means that we usually know what’s going to happen, except for the things that are actually said and shown during the presentation slot. Since we do not offer any live video streams and publish all presentation slides after we

Read More

1011, 2016

DeepSec 2016 – expect 48 Hours of Failures and Fixes in Information Security

René Pfeiffer/ November 10, 2016/ Conference, Discussion

The conference part of DeepSec 2016 has officially started. During the workshops we already discussed a lot of challenges (to phrase it lightly) for infrastructure and all kinds of software alike. The Internet of Things (IoT) has only delivered major flaws and gigantic Distributed Denial of Service attacks so far. There is even a worm for LEDs these days. And we haven started the conference preparations yet. So we have plenty of reasons to talk about what went wrong, what will go wrong, and what we can do about it. The world of information security is not always about good news. Something has to break, before it can be repaired – usually. Systems administrators know this, for some it’s their daily routine. Nevertheless we hope everyone at DeepSec gets some new insights, fresh ideas,

Read More

0911, 2016

DeepSec 2016 Talk: Obfuscated Financial Fraud Android Malware: Detection And Behavior Tracking – Inseung Yang

Sanna/ November 9, 2016/ Conference, Development, Internet, Report, Security

In Korea in particular, hackers have distributed sophisticated and complex financial fraud android malware through various means of distribution, such as SMS phishing, Google play, compromised web servers and home routers (IoT). In some cases, both smartphone and PC users are targeted simultaneously. Inseung Yang and his team collect mobile android malware via an automated analysis system, detect obfuscations and malicious packer apps. In his presentation Inseung Yang will describe trends of malicious android apps and obfuscated mobile malware in Korea. He’ll explain the policy methods for Korean mobile banking and the attack methods used by hackers, f.ex. the stealing of certifications, fake banking apps that require the  security numbers issued to users when they open their accounts, Automatic Response Service(ARS) phishing attacks in conjunction with Call Forwarding, and the requesting of the One Time Password(OTP) number. But

Read More

0811, 2016

DeepSec 2016 Keynote: Security in my Rear-View Mirror – Marcus J. Ranum

Sanna/ November 8, 2016/ Conference, Discussion, Security, Stories

Everything that’s old is new again, and if you work in security long enough, you’ll see the same ideas re-invented and marketed as the new new thing. Or, you see solutions in search of a problem, dusted off and re-marketed in a new niche. At this year’s DeepSec conference the keynote will be given by Marcus Ranum, who set up the first email server for whitehouse.gov. He will reflect upon over 30 years of IT security and make a few wild guesses for where this all may wind up. Spoiler alert: Security will not be a “solved” problem. Marcus answered a few questions beforehand: Please tell us the Top 5 facts about your talk. I’ll be talking about how the security market evolves from here. I’ll be talking about the relationship between security and management It’s going to be depressing. I have

Read More

0811, 2016

DeepSec 2016 Talk: Systematic Fuzzing and Testing of TLS Libraries – Juraj Somorovsky

Sanna/ November 8, 2016/ Conference, Development, Security

In his talk Juraj Somorovsky presents TLS-Attacker, a novel framework for evaluating the security of TLS libraries. Using a simple interface, TLS-Attacker allows security engineers to create custom TLS message flows and arbitrarily modify TLS message contents in order to test the behavior of their TLS libraries. Based on TLS-Attacker, he and his team first developed a two-stage TLS fuzzing approach. This approach automatically searches for cryptographic failures and boundary violation vulnerabilities. It allowed him to find unusual padding oracle vulnerabilities and overflows/overreads in widely used TLS libraries, including OpenSSL, Botan, and MatrixSSL. Juraj’s findings encouraged the use of comprehensive test suites for the evaluation of TLS libraries, including positive as well as negative tests. He and his team used TLS-Attacker to create such a test suite framework, which finds further problems in TLS libraries. TLS-Attacker is an open source tool, and is currently being deployed for internal

Read More

0411, 2016

DeepSec2016 Talk: Smart Sheriff, Dumb Idea: The Wild West of Government Assisted Parenting – Abraham Aranguren & Fabian Fäßler

Sanna/ November 4, 2016/ Conference, Legal, Security, Stories

Would you want to let your kids discover the darker corners of the Internet without protection? Wouldn’t it be handy to know what they do online, to be alerted when they search for dangerous keywords and to be able to control what websites they can visit and even when they play games? Worry no longer, the South Korean government got you covered. Simply install the “Smart Sheriff” app on your and your kids’ phones. Smart Sheriff is the first parental-control mobile app that has been made a legally required, obligatory install in an entire country! Yay, monitoring! Well, something shady yet mandatory like this cannot come about without an external pentest. And even better, one that wasn’t solicited by the maintainer but initiated by the OTF and CitizenLab and executed by the Cure53 team!

Read More