DeepSec2019 Talk: Mastering AWS Pentesting and Methodology – Ankit Giri

Sanna/ August 28, 2019/ Conference, Legal, Security

The Cloud (whatever it really is) is the future (of whoever takes advantage of it). This is how information security experts see the outsourcing technologies based on virtualisation and application containment. Ankit Giri explains at DeepSec 2019 what defenders need to be aware of and how you can test your security controls before your adversaries do.

(Pen)Testing the Cloud

The intent here is to highlight the fact that pentesting a cloud environment comes with legal considerations. AWS (Amazon Web Services) has established a policy that requires a customer to raise a permission request before conducting penetration tests and vulnerability scans against or originating from the AWS environment. We can focus on user-owned entities, identity and access management, user permissions configuration and use of the AWS API integrated into the AWS ecosystem.

DeepSec2016 Talk: Smart Sheriff, Dumb Idea: The Wild West of Government Assisted Parenting – Abraham Aranguren & Fabian Fäßler

Sanna/ November 4, 2016/ Conference, Legal, Security, Stories

Would you want to let your kids discover the darker corners of the Internet without protection? Wouldn’t it be handy to know what they do online, to be alerted when they search for dangerous keywords and to be able to control what websites they can visit and even when they play games? Worry no longer, the South Korean government got you covered. Simply install the “Smart Sheriff” app on your and your kids’ phones. Smart Sheriff is the first parental-control mobile app that has been made a legally required, obligatory install in an entire country! Yay, monitoring! Well, something shady yet mandatory like this cannot come about without an external pentest. And even better, one that wasn’t solicited by the maintainer but initiated by the OTF and CitizenLab and executed by the Cure53 team!

DeepSec Video: Legal Responses Against Cyber Incidents

René Pfeiffer/ February 16, 2016/ Conference, Legal

Despite current efforts to adapt existing legal instruments to regulate hostile activities in cyber space, there is uncertainty about the legal situation of actors affected by these actions. Part of this uncertainty is due to the fact that the cyber domain is technically complex; there is a strong need for collaboration between technical and legal subject matter experts, collaboration which is difficult to achieve. This talk summarizes the current legal status of Cyber Attacks. It defines a taxonomy of possible cyber-incidents, and analyses the predictable consequences of each type of cyber-incident with the purpose of mapping cyber-incidents to different legal frameworks. Oscar Serrano held a presentation at DeepSec 2015 about legal issues with digital attacks.

DeepSec Video: The German Data Privacy Laws and IT Security

René Pfeiffer/ January 27, 2016/ Conference, Discussion, Legal, Schedule

Data protection and information security are often seen as different species. Why? Where is the difference between protection, defence, security, and offence? There are a lot of relations between the terms. Stefan Schumacher (Magdeburger Institut für Sicherheitsforschung) gave a presentation at DeepSec 2015 on how to link privacy with security: „Hesse introduced the first data privacy law in the world in 1970. Since then, the German data privacy laws evolved over time and led to the creation of several tools and methods to protect private data. Though it is aimed at data protection it can be utilized for IT security. This talk introduces the data privacy law and its main ideas. This presentation will also show how it can be used to further IT security especially in the SME sector. This mostly refers to

Endangered Species: Full Disclosure in Information Security

Sanna/ November 6, 2015/ Discussion, High Entropy, Legal, Security

History, fictive or real, is full of situations where doubts meet claims. Nearly every invention, every product will be eyed critically, analysed, and tested. There are even whole magazines fully dedicated to this sport, be it for example, consumer protection, reviews of computer games or the car of the year. When it comes to testing, the sector of information security is particularly sensitive. Depending on the hard- or software concerned, testing is not only about comfort or in search of a particularly good storyline, but about incidents, which can cause real damage in the real world. How should one deal with the knowledge of a design flaw affecting the security of a system?

Locks

In 1851 the American locksmith Alfred Charles Hobbs visited the Great Exhibition in London. He was the first to pick

Digital Naval Warfare – European Safe Harbor Decree has been invalidated

René Pfeiffer/ October 8, 2015/ Discussion, High Entropy, Internet, Legal

The global cargo traffic on the Internet needs to revise its routes. The Court of Justice of the European Union has declared the so-called „Safe Harbor“ agreement between the European Commission (EC) and US-American companies as invalid. The agreement was a workaround to export the EU Directive 95/46/EC on the protection of personal data to non-EU countries. The ruling was a result of the ‘Europe v Facebook’ lawsuit by Austrian law student and privacy activist Max Schrems. This means that European companies might violate the EU privacy laws when storing or processing personal data on US-American servers. Among the arguments was that the rights of the European data protection supervision authorities must not be constrained and that due to the NSA PRISM program the protection of personal data according to EU directives is not

Dual Use Equation: Knowledge + Vulnerability = “Cyber” Nuclear Missile

René Pfeiffer/ June 21, 2015/ Discussion, High Entropy, Legal, Odd

We all rely on software every day, one way or another. The bytes that form the (computer) code all around us are here to stay. Mobile devices connected to networks and networked computing equipment in general are a major part of our lives now. Fortunately not all systems decide between life or death in case there is a failure. The ongoing discussion about „cyber war“, „cyber terrorism“, „cyber weapons of mass destruction“, and „cyber in general“ has reached critical levels – it has found its way into politics. Recently the Wassenaar Arrangement proposed a regulation on the publication of exploited (previously unknown) vulnerabilities in software/hardware, the so-called „0days“. The US Department of Commerce proposed to apply export controls for 0days and malicious software. While the ban is only intended for „intrusion software“, it may

Accounts receivable and payable

Mika/ April 1, 2013/ Administrivia, Legal

From now on all incoming and outgoing payments for DeepSec and DeepINTEL tickets, sponsor packages, speaker travel reimbursements, hotel, accommodation, catering, support for the community etc. will only be accepted or paid in Bitcoins. As we do not trust electronic money transfers (hey, guys – we conduct a security conference!) the following rules will apply: Tickets will only be sold on-site. We will accept Bitcoins only in cash. Please have the exact amount available as we cannot give change. Bitcoins for speaker travel reimbursements will be sent to the speaker’s home address by registered mail in a neutral envelope. Payments for hotel, accommodation, sponsor packages and other goods and services will be transferred in an inconspicuous suitcase by a courier wearing dark sunglasses. We made this decision because every year we have to