BSides København – Meaningful Metrics in Information Security

René Pfeiffer/ November 9, 2024/ Development, Security/ 0 comments

The next BSides København will take place on 9 November 2024. There is one presentation in the schedule about the use of metrics in information security. Computers allow us to create documents, charts, and statistical values easily from any data collection we like. Therefore, the World Wide Web is full of graphs, tables with numbers, predictions, and all kinds of results. The problem is that not everything you can count is a suitable metric tied to real-life observations. Finding a metric is a science on its own. This presentation will give you some examples of how to measure meaningful attributes of computer systems and networks. You will also get to know the term metric more closely. Using proper metrics and assessing customer-provided reports will help you immensely when dealing with information security decisions. The

Read More

Press Release: IT World in AI Mania

Sanna/ February 16, 2023/ Development, Legal, Press, Security

Artificial intelligence (AI) is on everyone’s lips, but its results fall short of all expectations. Wouldn’t it be nice if computers could effortlessly give meaningful results to all kinds of questions from all kinds of unstructured data collections? Periodically, algorithms that do incredible things are celebrated in information technology. At the moment, it is the turn of artificial intelligence algorithms. Search engines are retrofitting AI. But the supposed product is far from real cognitive performance. Many open questions remain. History of Algorithms The first experts to work with algorithms to emulate human thought processes came from the fields of mathematics and philosophy. They wanted to formalise analytical thinking from the subfield of logic and describe it in models. In the 1950s, the algorithms were implemented on the computers that were emerging at the time.

Read More

DeepSec 2021: A lack of software security paralyzes the economy in times of crisis – visit DeepSec 2021 to train your developers

Sanna/ April 20, 2021/ Development, Press, Training

In every crisis, one’s own infrastructure and logistics are put to serious tests. The COVID-19 pandemic illustrates this particularly drastically through the many structural failures in the past 12 months. They try to solve biological problems with smartphones, favor dead-end technologies such as blockchain, discover the lack of network expansion in recent decades and then panic and publish software applications that are only subjected to serious tests after they have been published. All these quick fixes are snapshots of a lack of sustainability. But the economy is dependent on stable solutions based on many years of experience, especially now. In November 2021, the DeepSec conference would like to give support to everyone who works with software through trainings and the transfer of experience from security researchers. Code rules the World The word digitization is

Read More

Press Release: Digitalisation without Information Security has no Future

Sanna/ July 15, 2020/ Conference, Development, Discussion

DeepSec conference warns of unsafe software and insufficient knowledge of professionals. The months in which we had to learn to deal with the effects of various quarantine measures on our everyday lives have decisively emphasized the importance of information technology. Although the Internet has long been an integral part of work and everyday life in many industries, the physical restrictions due to the Covid-19 pandemic could have been significantly more drastic for public authorities, the economy and society without modern telecommunications. Audio, video and chat platforms have prevented things getting worse. The call for more digitalisation, however, lacks the most important ingredient – information security. Published software is safe, isn’t it? In the world of software development, there is an unofficial saying that a product is ready when you can install it. The rest

Read More

DeepSec 2019 Talk: Lost in (DevOps) Space – Practical Approach for “Lightway” Threat Modeling as a Code – Vitaly Davidoff

Sanna/ November 4, 2019/ Conference, Development

Threat Modeling is a main method to identify potential security weaknesses, and is an important part of any secure design. Threat Modeling provides a model to analyze how to best protect your assets, prevent attacks, harden your systems, and efficiently prioritize security investment. Regardless of programming language, Threat Modeling provides a far greater return than most other security techniques in the software development life cycle (SDLC) process. Therefore, Threat Modeling should be an early priority in application design process. Unfortunately, it is common knowledge that building a full threat model is always heavily resource intensive, requires a full team of expensive security professionals, takes up far too much time, and is not scalable. This talk will describe modern Threat Modeling methodology and practices that can be fully incorporated into your existing agile process. We

Read More

DeepSec 2018 Talk: Who Watches the Watcher? Detecting Hypervisor Introspection from Unprivileged Guests – Tomasz Tuzel

Sanna/ September 3, 2018/ Conference, Development, Security

Over the last decade we have seen a rapid rise in virtualization-based tools in which a hypervisor is used to gain insight into the runtime execution of a system. With these advances in introspection techniques, it is no longer a question of whether a hypervisor can be used to peek inside or even manipulate the VMs it executes. Thus, how can we trust that a hypervisor deployed by a cloud provider will respect the privacy of their customers? While there are hardware-based protection mechanisms with the goal of guaranteeing data privacy even in the presence of such an “introspecting” hypervisor, there are currently no tools that can check whether the hypervisor is introspecting when it shouldn’t. We have developed a software package that analyzes instructions and memory accesses on an unprivileged guest system which

Read More

DeepSec2017 U21 Talk: Lessons Learned: How To (Not) Design Your Own Protocol – Nicolai Davidsson

Sanna/ November 15, 2017/ Conference, Development, Security

“One of the first lessons of cryptography is “don’t roll your own crypto” but we were bold enough to ignore it”, says Nicolai. “Single Sign-On is so 2016 which is why we’d like to introduce its replacement, Forever Alone Sign-On – FASO. This talk will discuss one of the ugliest SSO solutions you’ll ever see, its updated, slightly less ugly, iteration, and, ultimately, FASO. We’ll discuss the use cases, questionable decisions made during the planning process, the actual self-rolled, totally vulnerable, cryptography, and the even worse code architecture. In all seriousness: The talk reflects on the design process of a SSO protocol and its first two iterations, going from a semi-functional workaround to an experimental OAuth-and-the-like alternative utilizing pre-shared keys, symmetric cryptography and implicit authentication.”   Nicolai is a security researcher at zyantific and

Read More

DeepSec 2016 Talk: Obfuscated Financial Fraud Android Malware: Detection And Behavior Tracking – Inseung Yang

Sanna/ November 9, 2016/ Conference, Development, Internet, Report, Security

In Korea in particular, hackers have distributed sophisticated and complex financial fraud android malware through various means of distribution, such as SMS phishing, Google play, compromised web servers and home routers (IoT). In some cases, both smartphone and PC users are targeted simultaneously. Inseung Yang and his team collect mobile android malware via an automated analysis system, detect obfuscations and malicious packer apps. In his presentation Inseung Yang will describe trends of malicious android apps and obfuscated mobile malware in Korea. He’ll explain the policy methods for Korean mobile banking and the attack methods used by hackers, f.ex. the stealing of certifications, fake banking apps that require the  security numbers issued to users when they open their accounts, Automatic Response Service(ARS) phishing attacks in conjunction with Call Forwarding, and the requesting of the One Time Password(OTP) number. But

Read More

DeepSec 2016 Talk: Systematic Fuzzing and Testing of TLS Libraries – Juraj Somorovsky

Sanna/ November 8, 2016/ Conference, Development, Security

In his talk Juraj Somorovsky presents TLS-Attacker, a novel framework for evaluating the security of TLS libraries. Using a simple interface, TLS-Attacker allows security engineers to create custom TLS message flows and arbitrarily modify TLS message contents in order to test the behavior of their TLS libraries. Based on TLS-Attacker, he and his team first developed a two-stage TLS fuzzing approach. This approach automatically searches for cryptographic failures and boundary violation vulnerabilities. It allowed him to find unusual padding oracle vulnerabilities and overflows/overreads in widely used TLS libraries, including OpenSSL, Botan, and MatrixSSL. Juraj’s findings encouraged the use of comprehensive test suites for the evaluation of TLS libraries, including positive as well as negative tests. He and his team used TLS-Attacker to create such a test suite framework, which finds further problems in TLS libraries. TLS-Attacker is an open source tool, and is currently being deployed for internal

Read More

DeepSec 2016 Talk: I Thought I Saw a |-|4><0.- Thomas Fischer

Sanna/ October 21, 2016/ Conference, Development, Security

Threat Hunting refers to proactively and iteratively searching through networks or datasets to detect and respond to advanced threats that evade traditional rule- or signature-based security solutions. “But what does this really mean?”, asks Thomas Fischer. “And what real impact does it have on the security team? Can we use threat hunting to provide a process to better detect and understand when you’ve been breached?” More and more security data is being produced and usually aggregated into a central location or body to hopefully take quick and informed decisions on attacks or compromises amongst a mountain of data. When you start to include data gathered from your endpoints the amount of data starts to explode exponentially. This level of data provides us with a large amount of visibility. But is having visibility enough? What

Read More

DeepSec2016: 0patch – Self-healing Security Updates. DeepSec and ACROS Security Introduce a Platform for Micropatches

Sanna/ October 20, 2016/ Conference, Development, Schedule, Security, Training

As soon as a security gap in an computer application is made public the anxious wait begins. Whether it is software for your own network, online applications or apps for your mobile devices, as a user you will quickly become aware of your own vulnerability. The nervousness increases. When will the vendor publish the security update? In the meanwhile is there anything you can do to reduce the risks? Alternatively, how long can you manage without this certain software? To provide answers to these questions is the central point of security management. Some vendors have fixed dates for security updates. However, occasionally unscheduled updates take place, while some vendors wait quite a few years before they release another update. And this is only true for applications that are still in production or come with a support

Read More

DeepSec2016 Talk: AMSI: How Windows 10 Plans To Stop Script Based Attacks and How Good It Does That – Nikhil Mittal

Sanna/ October 20, 2016/ Conference, Development, Security

In his talk Nikhil Mittal will focus on AMSI: In Windows 10, Microsoft introduced the AntiMalware Scan Interface (AMSI), which is designed to target script based attacks and malware. Script based attacks have been lethal for enterprise security and with the advent of PowerShell, such attacks have become increasingly common. AMSI targets malicious scripts written in PowerShell, VBScript, JScript, etc. It drastically improves detection and the blocking rate of malicious scripts. When a piece of code is submitted for execution to the scripting host, AMSI steps in and scans the code for malicious content. What makes AMSI effective is that no matter how obfuscated the code is, it needs to be presented to the script host in clear text and unobfuscated. Moreover, since the code is submitted to AMSI just before execution, it doesn’t

Read More

DeepSec 2016 Talk: TLS 1.3 – Lessons Learned from Implementing and Deploying the Latest Protocol – Nick Sullivan

Sanna/ October 19, 2016/ Conference, Development, Internet, Security

Version 1.3 is the latest Transport Layer Security (TLS) protocol, which allows client/server applications to communicate over the Internet in a way that is designed to prevent eavesdropping, tampering, and message forgery. TLS is the S in HTTPS. TLS was last changed in 2008, and a lot of progress has been made since then. CloudFlare will be the first company to deploy this on a wide scale. In his talk Nick Sullivan will be able to discuss the insights his team gained while implementing and deploying this protocol. Nick will explore differences between TLS 1.3 and previous versions in detail, focusing on the security improvements of the new protocol as well as some of the challenges his team faces around securely implementing new features such as 0-RTT resumption. He’ll also demonstrate an attack on the way some

Read More

DeepSec2016 Talk: Security and Privacy in the Current E-Mobility Charging Infrastructure – Achim Friedland

Sanna/ October 15, 2016/ Conference, Development, Security

The whole information technology strongly depends on electric power. Your servers will turn into expensive door stoppers once the power goes out. The same is true for your mobile devices and the hardware you use to get around. Hence there are efforts to extend the power grid to accommodate the demand of new and emerging technologies. The charging infrastructure requires some security considerations. You cannot simply put a cable into any power socket, throw it our of the windows, and use it for charging unknown devices and vehicles. It’s a bit more complicated. At DeepSec 2016 Achim Friedland will give you an overview on what charging really means. In his talk Achim Friedland focuses on the emerging market of  smart and electric mobility as an interesting area of research and development for both academia and startups.

Read More

DeepSec 2016 Workshop: Do-It-Yourself Patching: Writing Your Own Micropatch – Mitja Kolsek

Sanna/ October 13, 2016/ Conference, Development, Security, Training

The current state of updating software – be it operating systems, applications or appliances – is arguably much better than it was a decade ago, but apparently not nearly good enough to keep even the most critical systems patched in a timely manner – or at all, says Mitja Kolsek. Official vendor updates are cumbersome, costly to apply, even more costly to revert and prone to breaking things as they replace entire chunks of a product. Enterprises are therefore left with extensive and expensive testing of such updates before they dare to apply them in production, which gives attackers an endless supply of “n-day” vulnerabilities with published exploit code. Furthermore, for various entirely rational reasons, many organizations are using products with no security updates such as old Java runtimes, Windows XP, or expensive industry

Read More