2102, 2013

DeepSec 2013 – CfP: Covering Secrets, Failures & Visions!

René Pfeiffer/ February 21, 2013/ Conference, Security

DeepSec 2013 – Secrets, Failures & Visions – Call for Papers We are preparing the call for papers for DeepSec 2013, and we are trying to shift your mindset. We could easily come up with a list of trending technologies, gadgets and behaviours that will have an impact on information security. Instead we are looking for presentations and workshops dealing with secrets, failures and visions. This gives us another perspective and hopefully more to think about. Secrets Every person, every group, every enterprise and every government has them. Secrets are the very reason why information security uses encryption, access control, even doors and locks (physical and otherwise). You wouldn’t need all of this if it weren’t for safeguarding the secrets. Failures Sometimes things go wrong. Often not only by malicious action, but also by

Read More

2512, 2012

Call for Papers Security BSides London 2013

René Pfeiffer/ December 25, 2012/ Conference

This is a gentle reminder that the Call for Papers for Security BSides London still runs until January 5th 2013. If you got some extra time during the boring Christmas days or right after New Year’s Eve, then you should submit. Show us how you break or fix something! And if you have never presented before, you should definitely take a look at the Rookie Track. BSides London actively supports speakers with little or no experience on stage. Submit a talk, get a mentor, prepare and tell us what you have found! See you in London!

2012, 2012

DeepSec 2012 Articles and Slides

René Pfeiffer/ December 20, 2012/ Conference, Press

We have collected links to articles covering DeepSec 2012. If we missed one, please let us know. Arron Finnon’s Report on the DeepSEC Conference “Breaking SAP Portal” by Alexander Polyakov DeepSec 2012: Insecurity? It’s just a matter of time (in German) DeepSec 2012: IT-Sicherheitskonferenz in Wien (in German) DeepSec 2012: Services of cyber crime and cyber weapons in the Cloud (in German) DeepSec 2012: Wargames in the Fifth Domain (in German) DeepSec 2012: When I Grow up I want to be a Cyberterrorist (in German) “Malware Analysis on a shoestring budget” commented by Michael Boman The Evolution of e-Money (by Jon Matonis) SAP Slapping (by Dave Hartley) Sicherheitschecks von iPhone-Apps für fast jeden möglich (in German) Übernahme des Hypervisors über ein Gastsystem (in German) The slides of DeepSec 2012 can be found for download

Read More

1112, 2012

Apology – “Bad Things in Good Packages”

René Pfeiffer/ December 11, 2012/ Administrivia, Conference

We’re almost back to daily routine after having a wonderful DeepSec 2012. Given the feedback from speakers and attendees they loved the atmosphere at the conference and at the hotel. We are happy to hear about this and keep an open ear for further comments on your DeepSec experience. However, things can go wrong and they often will. There’s no way around this as every organisation team will confirm. Most of the problems were dealt with by our own damage control teams at the conference. There’s one issue that we wish to discuss openly. We received complaints via Twitter about the slides of the talk „Bad Things in Good Packages – Creative Exploit Delivery“ published by the speaker on Slideshare on 30 November 2012. The complaint was about the offensive portrayal of women. The

Read More

1112, 2012

DeepSec supports Security B-Sides London 2013

René Pfeiffer/ December 11, 2012/ Conference

We are happy to announce that we will support the Security B-Sides London 2013! Specifically we support the BSides London “Rookie Track”, and we offer a ticket for DeepSec 2013 including two nights at the conference hotel in Vienna. There’s also a special arrangement covering a flight to Vienna and back. We believe in new ideas and new perspectives. That’s why we offer special slots at our conference for young security researchers (the U21 category marked in our CfP form). We will be present during the “Rookie Track” talks during BSides London. DeepSec wishes to encourage any kind of security research by supporting curious and talented researchers. Never having presented results in public should be no reason not to share them with all of us. We believe that the idea of having mentors and

Read More

2511, 2012

DeepSec 2012 Talk: When I Grow up I want to be a Cyberterrorist

René Pfeiffer/ November 25, 2012/ Conference

We have asked Mike Kemp to give an overview of what to expect from his talk When I Grow up I want to be a Cyberterrorist: Terrorism is not big. It is not clever. It is definitely not funny (unless it involves pies in the face). It can however (like so much in life), be utterly absurd. To clarify, the reactions to it can be. The UK is the most surveiled place on earth (outside of Disneyland). The United Kingdom has lots of cameras, lots of privately collected and held data, lots of asinine legislation, and lots of panic. The media and political classes have conspired to protect the once freedom loving residents of the UK against themselves (and we are not alone in living the Panopticon dream). Frankly, it’s pissing me off. In

Read More

1511, 2012

Using untrusted Network Environments

René Pfeiffer/ November 15, 2012/ Administrivia, Conference, Security

We mentioned on Twitter that DeepSec 2012 will again feature an open wireless network. This means that there will be no barriers when connecting to the Internet – no passwords, no login, no authentication and no encryption. Some of us are used to operate in untrusted environments, most others aren’t. So the tricky part is giving proper advice for all those who are not familiar with protecting their computing devices and network connections. We don’t know what your skills are, but we try to give some (hopefully) sensible hints. If you are well-versed with IT security and its tools, then you probably already know what you are doing. Nevertheless it’s a good habit to double-check. We caught one of our own sessions chairs with his crypto pants down and found a password – just

Read More

1411, 2012

DeepSec 2012 Talk: A Non-Attribution-Dilemma and its Impact on legal Regulation of Cyberwar

René Pfeiffer/ November 14, 2012/ Conference, Discussion

We asked Michael Niekamp and Florian Grunert to give an outlook on their presentation titled A Non-Attribution-Dilemma and its Impact on Legal Regulation of Cyberwar: A general challenge of cyberwar lies in the field of legal regulation under conditions of non-attribution. The optimistic view emphasizes that our international law and its underlying standards are sufficient (in principle and de facto) to solve all emerging problems. A more sceptical view postulates “the impossibility of global regulation”. Although we lean towards the sceptical view, we’ll provide a different and new line of reasoning for the impossibility of a rational legal regulation by formulating a non-attribution-dilemma. In contrast to some prominent arguments, we do not overestimate the suggestive power of the non-attribution-problem concerning the question of rational “deterrence through a threat of retaliation” (DTR for short), but

Read More

0811, 2012

Conference seats are running low…

Mika/ November 8, 2012/ Conference

Honestly: We have such a big interest this year, which is beyond any expectations that we might need to close our ticket sales one or two weeks before the conference. If the trend continues like past years we will exceed the capacity for the conference rooms and the restaurant.We are negotiating with the hotel and do our best to accommodate everyone who wants to attend. Booking is still open at: https://deepsec.net/register.html We have already exceeded the room contingency at our hotel, The Imperial Riding School (Renaissance Vienna Hotel), which grants an attractive room rate, incl breakfast etc… The rate is EUR115,- per night (single person) inc. all fees and taxes, inc. American breakfast and a cancellation possible until 6 PM on the arrival date. Cheaper offers on travel-booking sites typically don’t include breakfast or

Read More

0811, 2012

DeepSec 2012 Talk: Pentesting iOS Apps – Runtime Analysis and Manipulation

René Pfeiffer/ November 8, 2012/ Conference, Security

Since one of the focus topics of DeepSec 2012 deals with mobile computing and devices, we asked Andreas Kurtz to elaborate on his presentation about pentesting iOS apps: „Apple’s iPhone and iPad are quite trendy consumer devices, and have become increasingly popular even in enterprises nowadays. Apps, downloaded from the AppStore or developed in-house, are supposed to completely change and optimize the way of work. Suddenly, managers have access to business intelligence information, data warehouses and financial charts on their mobile devices: Apps are used as front ends to executive information systems and, thus, are carrying around loads of sensitive data. At a first glance it seems, that there’s nothing new on it. Indeed, it is quite common to remotely access critical business data. However, the popularity of mobile devices, combined with the sensitive

Read More

0211, 2012

DeepSec 2012 Talk: Wargames in the Fifth Domain

René Pfeiffer/ November 2, 2012/ Conference

We asked Karin Kosina to illustrate her talk Wargames in the Fifth Domain: “This is a pre-9/11 moment. The attackers are plotting.” These are the words of U.S. Secretary of Defense Leon Panetta addressing business executives on the dangers of cyberwar two weeks ago in New York. And just in case this did not leave the audience scared enough, Panetta also warned about the possibility of an upcoming “cyber-Pearl Harbor”. A massively destructive cyberwar, it seems, is imminent. Or is it? Is the world really on the brink of cyberwar? Time to panic and hide in our cyber shelters? – Well, I think things are slightly more complicated than that. Before you dismiss me as a peace-loving hippie who views the world through rose-tinted glasses: There is no doubt that our emerging information society

Read More

2410, 2012

DeepSec 2012 Talk: The „WOW Effect“

René Pfeiffer/ October 24, 2012/ Conference

If you have ever been in the position of analysing the remains of a compromised system, then you will probably know that a lot of forensic methods rely on data stored in file systems. Of course, you can always look at individual blocks, too, however sooner or later you will need the logical structure of the data. The question is: Do you rely on the file system to be honest with you? What happens if the file system (with a little help from the OS around it) tricks you into believing false information? The answer is easy. Your investigation will fail. Christian Wojner from CERT.at has a presentation for you which describes the stunning „WOW Effect“ stemming from Microsoft’s WoW64 technology. WoW64 is the abbreviation for Windows 32-bit on Windows 64-bit. It allows 64-bit

Read More

1910, 2012

DeepSec 2012 Keynote: We Came In Peace – They Don’t: Hackers vs. CyberWar

René Pfeiffer/ October 19, 2012/ Conference

„Cyberwar“ is all the fashion these days. Everyone knows about it, everyone has capabilities, everyone has a military doctrine to deal with it. Sceptics make fun of it, politicians use it for election campaigns, security researchers wonder what’s new about it, „experts“ use it to beef up their CV, cybercrime yawns, journalists invent new words, most others are confused or don’t care (probably both). This is why DeepSec 2012 features four talks about this topic, including the keynote by Felix ‘FX’ Lindner. FX explains what you can expect from his presentation: “The issues we are facing concerning the militarization and beginning arms race in the so-called “cyber domain” are not what you might think they are. I would like to highlight two aspects of how we, the civilian hackers, in my opinion handle things

Read More

1510, 2012

DeepSec 2012 Talk: I’m the guy your CSO warned you about

René Pfeiffer/ October 15, 2012/ Conference

Social engineering has a bit of a soft touch. Mostly people think of it as “you can get into trouble by talking to strangers”, remember the “don’t talk to strangers” advice from their parents, dismiss all warnings and will get bitten by social security leaks anyway. You have to talk to people, right? You are aware that attackers will use social engineering to get past the expensive security hardware and software. Being aware is very different from being prepared. This is why we asked an expert of social engineering to give you an example of his skills. Be warned, it won’t get pretty and you won’t leave the presentation with the warm and cosy feeling that everything will be alright. To give you a sneak preview, here’s a digital letter from Gavin Ewan himself:

Read More

1410, 2012

DeepSec 2012 Talk: Passive IPS Reconnaissance and Enumeration – false positive (ab)use

René Pfeiffer/ October 14, 2012/ Conference

Once you have a network, you will have intruders. You may already have been compromised. How do you know? Right, you use proper and hard to fool monitoring tools that will always detect good and evil. If you believe this statement, then you probably never heard of the dreaded false positive, commonly known as false alarm. Sometimes a search pattern triggers, but there is no attack. Getting rid of false positives is difficult. As a side effect security researchers have explored false positives as an attack vector. Arron ‘Finux’ Finnon is presenting a new look at intrusion detection/prevention systems (IDS/IPS) and new uses for false positives. You can use false positives to better understand the security posture from an attacker’s point of view, and more importantly be used to discover security devices such as

Read More