1210, 2012

DeepSec 2012 Talk: Own the Network – Own the Data

René Pfeiffer/ October 12, 2012/ Conference

We all use networks every day. This is obvious when it comes to the Internet, but there are more networks if you use phones and other gadgets. Like it or not, these networks are a part of your infrastructure. Now you know, but attackers (and security people) knew this before. So, what can happen to your data if the network is compromised? The short answer: a lot! The long answer is given by Paul Coggin in his presentation at DeepSec 2012. Paul’s presentation discusses the security issues with the critical network architectures being deployed by service providers and utilities to support next generation network services such as IPTV, 3G/4G, smart grid, and more. There’s a lot happening behind the scenes. Once new products are announced, the stage has already been prepared. Network infrastructure security

Read More

1110, 2012

DeepSec 2012 Workshop: Web Application Penetration Testing

René Pfeiffer/ October 11, 2012/ Conference, Training

If eyes are the window to your soul, then web applications are the gateways to your heart. Of course this is only a figure of speech, but once you take a look at security incidents and the role of web applications, then you get the idea of the analogy. Web applications are everywhere. It’s not always about your favorite intranet application. A lot of devices run web applications, too. And there are portals which really give you access to a whole variety of information and services. Speaking of services, you can have application programming interfaces (APIs), too. APIs usually do not talk to humans, but maybe they can be automated to do Bad Things™. This is where penetration testing comes in. Ari Elias-Bachrach will teach you how to approach web applications in the context

Read More

0610, 2012

DeepSec 2012 Talk: The Interim Years of Cyberspace – Security in a Domain of Warfare

René Pfeiffer/ October 6, 2012/ Conference

In case you haven’t heard about it yet, officially that is, welcome to the fifth domain! As with space and other environments, the networked world has been discovered by various forces and groups for their advantage. The past years have shown that whatever happens in Cyberspace, doesn’t always stay in Cyberspace. It’s not always about the DDoS attacks, which have been blown out of proportion, but it’s about malicious software, reconnaissance, information extraction and other aspects which are less spectacular (watching less television helps to restore the perspective to normal). We’d like to set your perspective right and recommend listening to Robert M. Lee’s presentation about the Interim Years of Cyberspace. His talk focuses on the bigger picture in an effort to add a different view to the discussions taking place at DeepSec. The

Read More

0510, 2012

DeepSec 2012 Talk: Evolution of E-Money

René Pfeiffer/ October 5, 2012/ Conference

The concept of electronic money has been around long before BitCoin entered the stage. The main characteristic is its electronic storage and exchange. This is both convenient and dangerous since digital goods can be stolen by copying data or cracking codes, depending on the design of the e-money system (which often will involve cryptographers). Jon Matonis will give you an overview about both the goals and the scary aspects of the cashless society. While the talk will focus on BitCoin, which is a peer-to-peer crypto-currency, you will get a deeper insight into how electronic currencies work, what challenges existing designs have solved (or haven’t), and which opportunities the use of digital currencies poses in the future. The phenomenon is quite young, but it is popular, even among criminals who already robbed a BitCoin bank.

Read More

0510, 2012

DeepSec 2012 Talk: The Vienna Programme – A Global Strategy for Cyber Security

René Pfeiffer/ October 5, 2012/ Conference

In case you ever felt frustrated by the countless ways digital systems can fail, you should consider listening to Stefan Schumacher‘s talk about a global strategy for cyber security. It’s not about silver bullets or throwing rings into volcanoes, it’s meant as a roadmap leading to an improved security level in our digital landscape. Information technology and therefore IT security play a bigger role in everyday life than 20 years ago. However, even since IT security becomes more and more important, yet we are still discussion the same old problems: rootkits, viruses and even buffer overflows. Unfortunately, IT security  still revolves about the same problems as it did 20-30 years ago. Instead of fighting the same battles again and again we have to take a look at the strategic level to coordinate efforts. This

Read More

0210, 2012

DeepSec 2012 Workshop: Social Engineering Testing for IT Security Professionals

René Pfeiffer/ October 2, 2012/ Conference, Training

Social engineering has been big in the news yet again this year.  In September, security researchers discovered an attack against Germany’s chipTAN banking system, in which bank customers were tricked into approving fraudulent transfers from their own accounts. In August, tech journalist Mat Honan had his digital life erased, as hackers social engineered Apple and Amazon call centres. In May it was reported that Czech thieves stole a 10-tonne bridge.  When challenged by police during a routine check, they showed forged documents saying they were working on a new bicycle path. In January, a fraudster obtained Microsoft co-founder Paul Allen’s credit card details by social engineering workers in Citibank call centres. In December, Wells Fargo were tricked into wiring $2.1 million to a bogus bank account in Hong Kong following a series of fraudulent

Read More

3009, 2012

DeepSec 2012 Workshop: The Exploit Laboratory – Advanced Edition

René Pfeiffer/ September 30, 2012/ Conference

Offensive security is a term often used in combination with defence, attack (obviously), understanding how systems fail and the ever popular „cyberwar“. Exploiting operating systems and applications is the best way to illustrate security weaknesses (it doesn’t matter if your opponents or pentesters illustrate this, you have a problem either way, and you should know about it). So where do exploits come from? Well, you can buy them, you can download them somewhere, or you can develop them. This is where The Exploit Laboratory comes in. Saumil Shah will teach you how exploits work – even on modern operating systems! Exploit Development is one of the hottest topics in offensive security these days. The Exploit Laboratory, in its sixth year, brings advanced topics in exploit development to Vienna this year. Arm yourself with skills

Read More

3009, 2012

DeepSec 2012 Talk: SAP Slapping

René Pfeiffer/ September 30, 2012/ Conference

DeepSec 2012 covers SAP in-depth, and we decided also to include a presentation on how to test/pen-test SAP installation. Dave Hartley will give you an overview about how to approach SAP, show you what you can do, and probably achieve complete compromise of insecure and misconfigured SAP environments by pressing buttons. ☺ SAP systems can incorporate many different modules ERP, ECC, CRM, PLM, SCM, SR, … that are installed on multiple operating systems (UNIX, HP-UX, Linux and Windows etc.) which in turn rely on many different back end databases (DB2, Sybase ASE, Oracle, MS SQL, MaxDB and Informix). There are also many different versions/application stacks (SAP Netweaver 7.1 ABAP AS, 7.2 ABAP/Java AS, 7.3 ABAP/Java AS, …). Basically SAP systems often consist of very complex architectures and employ a myriad of integration choices in order to

Read More

2809, 2012

DeepSec 2012 Talk: AMF Testing Made Easy

René Pfeiffer/ September 28, 2012/ Conference

Protocols are fun. When it comes to security, protocols are both loved and loathed. Security researchers have fun breaking them. Developers have a hard time designing them (this is why short-cuts will be taken and weaknesses are introduced). Penetration testers are sent to discover broken protocols and to exploit them. Attackers usually know some bits about protocols, too. This is where you come in. Regardless on which side you are on, you need to know, too. It’s not always about security, though. Typical software deployment or development requires testing, too. Luca Carettoni has good news for you either way. Despite the popularity of Flex and the AMF binary protocol, testing AMF-based applications is still a manual and time-consuming activity. This research aimed at improving the current state of art, introducing a new testing approach

Read More

2709, 2012

DeepSec 2012 Talk: Breaking SAP Portal

René Pfeiffer/ September 27, 2012/ Conference, Security

SAP products are very widespread in the corporate world. A lot of enterprises run SAP software for a whole variety of purposes. Since enterprises feature many levels of interconnection, there is also a great deal of exposing going on. Usually you do this by means of using portals. The term „portal“ is a trigger for penetration testers, because portals are the gateways to curiosity – and probably compromises. This may give an attacker access to systems that store all informations about your company and process all critical business transactions. You now have compelling reasons to attend DeepSec 2012 for we have a collection of SAP security talks and a workshop for you. Alexander Polyakov talks about how to attack SAP Portal. It is usually connected to the Internet. In turn the Internet is connected

Read More

2409, 2012

DeepSec 2012 Workshop: Malware Forensics and Incident Response Education (MFIRE)

René Pfeiffer/ September 24, 2012/ Conference, Training

Malicious software is the major tool for attackers. It is used to deliver the payload so that compromised systems can be exploited and secured for executing further tasks by your adversaries. Getting to now this malicious software and finding traces of the breach is very important for dealing with a security event. Proper incident response must be part of every state-of-the-art defence strategy. So this is why we offer the Malware Forensics and Incident Response Education (MFIRE) training at DeepSec 2012. Ismael Valenzuela will be your teacher for this course. The workshop is a proactive weapon to help you normalize your environment after a negative event has occurred. Your opponents have increasingly sophisticated tools and backdoor programs at their disposal to steal your intellectual property and expose sensitive information – all with the ability

Read More

2409, 2012

DeepSec 2012 Workshop: Strategic Thinking and Assessing Risk

René Pfeiffer/ September 24, 2012/ Conference, Training

We have begun to address the increasing demand for strategic thinking by staging the first DeepINTEL event in 2012. Since we strongly believe in the importance of the „big picture“, we offer a workshop on strategic thinking and assessing risk at DeepSec 2012, too. The training will be conducted by Richard Hanson, who has a broad understanding of security concepts and best practices through both formal education and client experience. He will guide you through the two-day workshop. The training will equip you with the knowledge and tools to be able to think strategically though understanding what is important to a business and assess its risks. It will teach you techniques to conduct risks assessments and to prioritize the outcomes in a strategic roadmap. It’s not just theory. You will learn how to effectively

Read More

2009, 2012

DeepSec 2012 Workshop: Attacks on GSM Networks

René Pfeiffer/ September 20, 2012/ Conference

We are proud to follow the tradition of breaking hardware, software, code, ciphers or protocols. When it comes to mobile phone networks, you can break a lot. The workshop on Attacks on GSM Networks will show you the current state of affairs and some new tricks and developments. The attacks that will be discussed during the training are not theoretical, they are feasible and can be exploited to be used against you. Knowing about the capabilities of your adversaries is absolutely important since virtually no organisation or business runs without the use of mobile networks. What do you have to expect? Well, attendees will spend about half the time re-visiting the key aspects of GSM’s security features and their publicly known weaknesses. During the other half, attention is being paid to the hands-on practical

Read More

1909, 2012

DeepSec 2012 Schedule – In-Depth

René Pfeiffer/ September 19, 2012/ Administrivia, Conference

The schedule for DeepSec 2012 has now been online since August. The last two workshop slots have been filled with two superb training by McAfee/Foundstone. There are still some minor blind spots, but Your Favourite Editors work on this. We will start to describe every workshop in-depth with its own blog article, and we will do the same with every presentation. We will try to set every piece of DeepSec 2012’s content into perspective and context. We are really looking forward to the trainings and presentations of DeepSec 2012!

1609, 2012

DeepINTEL 2012 Review Articles

René Pfeiffer/ September 16, 2012/ Conference, Security Intelligence

The first DeepINTEL was very successful, and we enjoyed the presentations given and the many discussion that followed. While we will not disclose details or publish the slides of the talks, we would like to point you to reviews others have written. DeepINTEL 2012 by c-APT-ure DeepIntel 2012 – An Intelligent Security Conference DeepINTEL – Day one DeepINTEL – Day two Cybercrime – Who are the offenders? (Slides) Ergebnisse der IT-Sicherheitstagung DEEPINTEL am 3.3.2012 in Fuschl am See (in German) We definitely have some more ideas of how to tackle big data, how to identify and defend (in this order) digital assets, what „Cyberwar“ looks like, how to deal with threats and how to aquire information for analysing who’s after your data. Some of the topics with be described in more detail on our

Read More