Special Screening of the Documentary “A Good American” during DeepSec 2015

René Pfeiffer/ October 28, 2015/ Conference, Discussion, High Entropy, Security Intelligence

Attendees of DeepSec 2015 will receive a special treat. We have been talking to Friedrich Moser, and he has agreed to show his documentary „A Good American“ on 20 November 2015 exclusively. The private screening will take place in Vienna. It starts at 2100 at the Burg Kino, known for showing „The Third Man“. „A Good American“ explains how to do threat intelligence in a more efficient way, according to the creator of ThinThread: „A codebreaker genius, a revolutionary surveillance program and corruption across the board of NSA. Against this backdrop unfolds the feature documentary A GOOD AMERICAN. The film tells the story of Bill Binney and his program ThinThread and how this perfect alternative to mass surveillance got ditched by NSA for money.“ After the film Friedrich Moser, Duncan Campbell, James Bamford, and


DeepSec 2015 Keynote: Can Societies manage the SIGINT Monster?

René Pfeiffer/ October 27, 2015/ Conference, Discussion

Gathering data has become very important in the past years. Everyone is talking about intelligence of all shades, few know what it actually means and how you do it properly (we got a workshop for that, if you are interested). Information security needs to anticipate threats and adapt the defences accordingly. The same is true for other areas where security plays an important role, such as national defence. There are also new threats. Surveillance systems expand steadily, and the facts about them were published after 2013. The impact affects all of us, especially companies moving data around and communicating digitally. Although it is difficult to gauge what it means for your daily business, you should not close your eyes and assume that it is somebody else’s problem. We have asked Duncan Campbell to paint


Defence – Beating the Odds with Knowledge

René Pfeiffer/ October 13, 2015/ Conference, Discussion, Mission Statement, Training

When did you write your last business letter? You probably don’t recall, because you write one all of the time. When did you last use ink and paper to do this? If you can’t remember the answer to this question, don’t bother trying. Digital communication is part of our daily life, not only in the business world. We are very accustomed to communicating in the here and now, up to the point where being offline feels unnatural. In turn this means that we are constantly exposed to networks of all kinds, especially the Internet. Our door is open around the clock. We can’t close it any more, thus openly inviting every kind of threat also using networks. It’s time to seriously think about this. What does it mean? What do we need to


Digital Naval Warfare – European Safe Harbor Decree has been invalidated

René Pfeiffer/ October 8, 2015/ Discussion, High Entropy, Internet, Legal

The global cargo traffic on the Internet needs to revise its routes. The Court of Justice of the European Union has declared the so-called „Safe Harbor“ agreement between the European Commission (EC) and US-American companies as invalid. The agreement was a workaround to export the EU Directive 95/46/EC on the protection of personal data to non-EU countries. The ruling was a result of the ‘Europe v Facebook’ lawsuit by Austrian law student and privacy activist Max Schrems. This means that European companies might violate the EU privacy laws when storing or processing personal data on US-American servers. Among the arguments was that the rights of the European data protection supervision authorities must not be constrained and that due to the NSA PRISM program the protection of personal data according to EU directives is not


DeepSec2015 Talk: Hacking Cookies in Modern Web Applications and Browsers – a short Interview with Dawid Czagan

Sanna/ October 1, 2015/ Discussion, Interview, Security

You don’t have to be the cookie monster to see cookies all around us. The World Wide Web is full of it. Make sure not to underestimate their impact on information security. Dawid Czagan will tell you why. 1) Please tell us the top 5 facts about your talk. The following topics will be presented: – cookie related vulnerabilities in web applications – insecure processing of secure flag in modern browsers – bypassing HttpOnly flag and cookie tampering in Safari – problem with Domain attribute in Internet Explorer – underestimated XSS via cookie – and more 2) How did you come up with it? Was there something like an initial spark that set your mind on creating this talk? I noticed that cookie related problems are underestimated. People claim, for example, that XSS via cookie requires


DeepSec 2015 Talk: “Yes, Now YOU Can Patch That Vulnerability Too!” A short Interview with Mitja Kolsek

Sanna/ September 10, 2015/ Discussion, Interview, Security

Patching software is a crucial task when it comes to fixing security vulnerabilities. While this totally works, usually you have to wait until the vendors or the developers provide you either an upgrade or a patch. What do you do in the meantime? Reducing the exposure of the software helps, but sometimes you have no choice. Public interfaces are public. There’s help. Do it yourself! Mitja Kolsek will tell you more. Please tell us the top 5 facts about your talk. We want to shake the security world by introducing a simple twist and essentially reinventing software patching. Attackers’ main advantage comes from software vulnerabilities (often very old and long-patched ones), which are a critical ingredient of most breaches into corporate and government networks. Unfortunately, most software vendors are lacking economical motivation for providing patches, let alone pro-actively


Software Security: The Lost Art of Refactoring

René Pfeiffer/ June 29, 2015/ Development, Discussion, Security

A sysadmin, a software developer, and an infosec researcher almost walked into a bar. Unfortunately they couldn’t agree where to go together. So they died of thirst. Sounds familiar? When it comes to information technology, there is one thing that binds us all together: software. This article was written and published by software. You can read it by using (different) software. This doesn’t automagically create stalwart bands of adventurers fighting dragons (i.e. code vulnerabilities) and doing good deeds (i.e. not selling 0days). However it is a common ground where one can meet. Since all software has bugs, and we all use software, there’s also a common cause. Unfortunately this is where things go wrong. Code has a life cycle. It usually starts out as a (reasonably) good idea. Without a Big Bang. Then the implementation


I spy with my little Spy, something beginning with „Anti…“

René Pfeiffer/ June 27, 2015/ Discussion, High Entropy, Security

Anti-virus software developers made the news recently. The Intercept published an article describing details of what vendors were targeted and what information might be useful for attackers. Obtaining data, no matter how, has had its place in the news since 2013 when the NSA documents went public. The current case is no surprise. This statement is not meant to downplay the severity of the issue. While technically there is no direct attack to speak of (yet), the news item shows how security measures will be reconnoitred by third parties. Why call it third parties? Because a lot of people dig into the operation of anti-virus protection software. The past two DeepSec conferences featured talks called „Why Antivirus Software fails“ and „Easy Ways To Bypass Anti-Virus Systems“. The Project Zero team at Google found a vulnerability in


Crypto Article: „Cornerstones of German Encryption Policy“ from 1999 are still in place

Sanna/ June 24, 2015/ Discussion, Security

We have some more translated news for you. In theory it is an article about policies and the process of law-making. In practice it concerns the use of encryption and everyone relying on service providers (mostly connected to the Internet, i.e. „cloud providers“). No matter how cool your start-up is and what its products aim to replace, information security will probably need a backdoor-free and working encryption technology as a core component. This is exactly why you cannot stay focused on the technology alone. Threats may come in the guise of new laws or regulations (think Wassenaar Arrangement). Matthias Monroy has some information about the official stance of the German government regarding the currently raging „crypto wars“. Enjoy! Federal Ministry of the Interior: The “Cornerstones of German encryption policy“ from 1999 still remain Source: netzpolitik.org Author: Matthias


Dual Use Equation: Knowledge + Vulnerability = “Cyber” Nuclear Missile

René Pfeiffer/ June 21, 2015/ Discussion, High Entropy, Legal, Odd

We all rely on software every day, one way or another. The bytes that form the (computer) code all around us are here to stay. Mobile devices connected to networks and networked computing equipment in general are a major part of our lives now. Fortunately not all systems decide between life or death in case there is a failure. The ongoing discussion about „cyber war“, „cyber terrorism“, „cyber weapons of mass destruction“, and „cyber in general“ has reached critical levels – it has found its way into politics. Recently the Wassenaar Arrangement proposed a regulation on the publication of exploited (previously unknown) vulnerabilities in software/hardware, the so-called „0days“. The US Department of Commerce proposed to apply export controls for 0days and malicious software. While the ban is only intended for „intrusion software“, it may


Crypto Article: EU Economy needs secure Encryption

René Pfeiffer/ June 16, 2015/ Discussion, Security

Given the ongoing demonisation of cryptography we have translated an article for you, written by Erich Moechel, an ORF journalist. The use of encryption remains an important component of information security, regardless of which version of the Crypto Wars is currently running. While most of the voices in news articles get the threat model wrong, there are still some sane discussions about the beneficial use of technology. The following article was published on the FM4 web site on 25 January 2015. Have a look and decide for yourself if the Crypto Wars have begun again (provided they came to an end at some point in the past). Maybe you work in this field and like to submit a presentation covering the current state of affairs. Let us know. EU Economy needs secure Encryption The EU technical bodies


DeepSec 2014 Video – “The Measured CSO”

René Pfeiffer/ December 19, 2014/ Discussion, Schedule, Stories

The first recording of DeepSec 2014 has finished post-processing. Just in time for the holidays we have the keynote presentation by Alex Hutton ready for you. Despite its title “The Measured CSO” the content is of interest for anyone dealing with information security. Alex raises questions and gives you lots of answers to think about. Don’t stay in the same place. Keep moving. Keep thinking.

BIOS-based Hypervisor Threats

René Pfeiffer/ November 20, 2014/ Discussion, High Entropy, Security

The DeepSec 2014 schedule features a presentation about (hidden) hypervisors in server BIOS environments. The research is based on a Russian analysis of a Malicious BIOS Loaded Hypervisor (conducted between 2007 and 2010) and studies published by the University of Michigan in 2005/2006 as well as 2012/2013. The latter publications discuss the capabilities of Virtual-Machine Based Rootkits and Intelligent Platform Management Interface (IPMI) / Baseboard Management Controller (BMC) vulnerabilities. Out-of-band management is sensitive to attacks when not properly protected. In the case of IPMI and BMC the management components also play a role on the system itself since they can access the server hardware, being capable of controlling system resources. Combining out-of-band components with a hypervisor offers ways to watch any operating system running on the server hardware. Or worse. It’s definitely something


IT Security without Borders

René Pfeiffer/ May 27, 2014/ Discussion, Internet

U.S. government officials are considering preventing Chinese nationals from attending hacking and IT security conferences by denying visas. The idea is „to curb Chinese cyber espionage“. While this initiative has been widely criticised and the measure is very easy to circumvent, it doesn’t come as a surprise. Recent years have shown that hacking has become more and more political. This aspect was already explored in the keynote of DeepSec 2012. So what is the real problem? Espionage, be it „cyber“ or not, revolves around information. This is exactly why we have a problem with the word „cyber“. Methods of transporting information have been around for a long time. Guglielmo Marconi and Heinrich Hertz raised problems for information security long before the Internet did. The only difference is the ease of setting up Internet


BSidesLondon is near!

René Pfeiffer/ April 25, 2014/ Conference, Discussion

We will attend the BSidesLondon event, and we are looking forward to meeting you there! DeepSec is again sponsoring the rookie track. We believe that information security can only benefit from fresh perspectives and newcomers that take a hard look at “well established” facts. This is why we support young infosec researchers and welcome their contribution. The winner of the BSidesLondon rookie track will be invited to join DeepSec 2014. If you attend BSidesLondon, have a chat with MiKa or me. We are always looking for new talents, ideas to put more research into infosec research, and creativity to take apart facts everyone takes for granted. See you in London!