1110, 2013

DeepSec 2013 Workshop: Exploiting Web Applications Protected By $WAFs

René Pfeiffer/ October 11, 2013/ Conference, Security, Training

We all use web applications on a daily basis. Search engines, portals, web sites, blogs, information pages and various other content accessible by web browsers accompany us every day. This means that web server are the first exposed systems you will have to protect when deploying web applications. Usually you would add filters to your network that inspect access to the software and block any malicious requests. Packet filters were the tool of choice. Now we have application level firewalls to deal with content and protocols used. In the case of web applications the market has introduced a new kind of device: the web application firewall (WAF). In theory WAFs understand HTTP and know how a web browser talks to a web server. In practice no two web applications are alike, because they may

1010, 2013

DeepSec 2013 Talk: The Boomerang Effect – Using Session Puzzling To Attack Apps From The Backend

René Pfeiffer/ October 10, 2013/ Conference, Security

In past centuries attackers used battering rams to break down doors and siege artillery to blast holes into solid fortification walls. These were very tedious undertakings, so using alternate routes – possibly back-doors – were always highly regarded. Nowadays wonderful World of „Cyber“™ is no exception. The modern web-obsessed infrastructure has seen web browsers in local networks being compromised to access web-based back-end systems (through DNS rebinding attacks for example). Management consoles are a prime target, because once you gain access you probably can make the most out of elevated privileges. What about turning the back-end around and attack applications by it? Shay Chen has explored this attack vector and will present details in his talk at DeepSec 2013. Applications security mechanisms, secure software development processes, web application firewalls – collections of countermeasures that turn hacking

0410, 2013

DeepSec 2013 Workshop: Attacks On GSM Networks

René Pfeiffer/ October 4, 2013/ Conference, Security, Training

Mobile phone networks have penetrated even the most remote areas of the Earth. You can send a tweet from Mount Everest if you like, the cell service is already there. In addition mobile phone networks feature 6 billion subscribers all over the world. Communication by mobile devices has entered the routine of daily life. It’s not all about talking. Smartphone, laptops, tablets and modems access the Internet by mobile phone networks. And as every security specialist knows: If there’s a network, then there are protocols, and these protocols can be attacked. True, it’s not as easy as TCP/IP since mobile phone networks feature sets of more complex protocols. Nevertheless these networks can be accessed, and you cannot block it. This is why you should get in touch with the threats to your organisation. DeepSec

2109, 2013

DeepSec 2013 Talk: Europe In The Carna Botnet – Telnet’s Threat To The Largest Economy

René Pfeiffer/ September 21, 2013/ Conference, Security

Botnets have been around since 1999. These herds of networked and compromised systems (called zombies) are the tool of the trade for many groups. It’s the zombie outbreak of the information age. The analysis of existing botnets is an important task of security researchers around the globe. The study of the malware involved, the infection process and the inter-node communication of the infected systems is crucial for the dismantling of the botnet. Therefore we are happy to present Parth Shukla’s talk on the Carna botnet. It was created by an anonymous hacker to create a census of the (IPv4) Internet. Parth has been analysing the devices that formed part of the Carna Botnet. The data concerning the devices was provided by the anonymous researcher. He has distributed the relevant data to many CERTs and

2009, 2013

DeepSec 2013 Talk: Static Data Leak Prevention In SAP – The Next Generation Of Data Loss Prevention

René Pfeiffer/ September 20, 2013/ Conference, Security

Once you use information technology you will have to worry about leaks. Applications can leak data when attached to the network (any network!). That’s no breaking news, but it might be bad news for you and your data. Fortunately there are good news, too. There is a talk by Andreas Wiegenstein about ways of data leak/loss prevention (DLP) and a new methodology which might help your organisation: In the age of digital industrial espionage, protecting intellectual property has become a key topic in every company. In the past, companies addressed data leaks by implementing so called content-aware Data Loss/Data Leak Prevention (DLP) software. Such software analyzes data moving through an IT landscape and reports unauthorized transfer of critical data, i.e. transfers beyond the company’s network borders. The key purpose of this methodology is to

1609, 2013

DeepSec 2013 Talk: Top 10 Security Mistakes In Software

René Pfeiffer/ September 16, 2013/ Conference, Security

Software Development and information security are tightly tied together. A bug attracts vulnerabilities and bugs and vulnerabilities combined can be turned into exploits to compromise systems. In an ideal world security starts at the design or development stage. While you probably will never be able to completely eliminate bugs in (your) code due to the complexity of modern applications and their dependencies, you still can improve the security record by paying attention. So where do you get started? What are the most common mistakes made during the software development process that leads to security problems in the finished product? Peter af Geijerstam will address the top 10 security mistakes in his talk at DeepSec 2013. Mistakes during software development do not always have to be caught at the quality assurance stage. You can catch

1509, 2013

Crypto Wars by Black Boxes and Standards

René Pfeiffer/ September 15, 2013/ High Entropy, Security

Intelligence services go after cryptography. That’s the news you have probably read in the past weeks. That’s no surprise. They have been doing this for centuries. If your job is to intercept and analyse communication, then cryptography gets in your way (provided the target uses it properly). Intelligence services have been dealing with creating and breaking ciphers since their existence. How do you break cryptography? What can you do to attack encrypted communication? There are multiple ways to obtain messages in clear text. Attack the encrypted data! This is widely known as cryptanalysis. Basically you intercept the encrypted message and try to deduce the plain text. Given sufficient failures in the history of cipher designs, this is pretty hard with most modern ciphers. Algorithms used today are developed and tested to withstand attacks like

3008, 2013

DeepSec 2013 Talk: Automation in Android & iOS Application Security Review

René Pfeiffer/ August 30, 2013/ Conference, Security

Even if you do not want to follow the Bring Your Own Device (BYOD) hype you might have to deal with mobile operating systems and applications running on them. Once you have a need to deploy a system, you need to know how to review the security. Hemil Shah will explain in his talk how you can deal with this problem. Mobile application hacking and its security is becoming a major concern in today’s world – especially with BYOD and user’s jailbreaking/rooting their devices. In the last few years we have seen a range of new attack vectors and methods of exploitation for these devices. Mobile applications are vulnerable to various sets of different attacks like local storage, user data harvesting, activity spying, unauthorized event injection, UI jacking, tab jacking, traffic redirection, logical attacks,

0507, 2013

„Cyber Cyber Cyber“ revisited – Information Warfare

René Pfeiffer/ July 5, 2013/ Discussion, Security

So far we haven’t commented on the ongoing season of the Game of Spooks miniseries. We wait for the break after the last episode – provided there is one. However we have written about information warfare and espionage in this blog. Enter secrets. During DeepSec 2012 the concept of „cyber war“ was heavily explored. Eventually it led to the phrase „cyber cyber cyber“ due to the sheer popularity of this very word. „Cyber“ and „war“ hide the fact that information is the prime good that is being accessed or copied and put to a fresh use¹. Take a look at the published articles in the past weeks to see misplaced information at work. A couple of misplaced presentation slides can cause more uproar than a data leak of medical records of a nation –

0407, 2013

Products, Vendors, Security, and Bias

René Pfeiffer/ July 4, 2013/ Discussion, Mission Statement, Security

The DeepSec conference is meant to be a neutral event where security related topics can be discussed without bias. Periodically we have discussions with companies about this issue. Our web site states that DeepSec is a non-product, non-vendor-biased conference event. In short this simply means that the topics discussed at DeepSec are all about facts not ads. We are looking for honest talks about security: If something breaks, tell us about it. If you can repair it, tell us about it. If you discovered something, tell us about it. That’s our goal. The DeepSec conference is not a trade fair – but it’s a place to mention what you have researched or what you have created. We are all about information security and want everyone to talk about it. We invite everyone to share results of

0606, 2013

How to defend against “Cyber” Espionage

René Pfeiffer/ June 6, 2013/ Discussion, Security

When it comes to defence and protection, don’t forget how your organisation treats data. The mindset plays an important role. This can be illustrated by a simple correlation. Organizations which take the protection of data privacy seriously have an edge when it comes to implementing IT security measures. We talked about this relation in an interview with ORF journalist Erich Moechel (article is in German, Google translation). The findings are not surprising. Auditors and penetration testers can tell if your IT staff takes the role of protecting digital assets seriously. The correlation is easily explained : Once you establish data protection guidelines, you also create a motivation to implement defensive procedures and measures against intrusion. Directly linking operational aspects to a reason makes sure that everyone understands why defence is important. Bear in mind

1405, 2013

Call for Articles – DeepSec Proceedings

René Pfeiffer/ May 14, 2013/ Administrivia, Security

While our Call for Papers for DeepSec 2013 and DeepINTEL is still open, we have a Call for Articles for all our past speakers ready. It’s our pleasure to inform you that we will publish a book with proceedings about past and present DeepSec topics. It will be a summary, a factual overview on what’s been going on at our annual event, from 2007 – 2012, a collection of the most compelling talks and captivating topics we’ve featured at our conference so far. To make this book a bummer we need your help. We want you to send us the abstracts of the talk you held at DeepSec – and we ask you to open up your topic once again. What’s been going on in the very special field you held your talk about?

2403, 2013

The Risk of faulty Metrics and Statistics

René Pfeiffer/ March 24, 2013/ Discussion, Security

It’s never a bad idea to see what the outside world looks like. If you intend to go for a walk, you will probably consult the weather report in advance. If you plan to invest money (either for fun or for savings), you will most certainly gather information about the risks involved. There are a lot of reports out there about the IT security landscape, too. While there is nothing wrong with reading reports, you must know what you read, how the data was procured and how it was processed. Not everything that talks percentages or numbers has anything to do with statistics. Let’s talk about metrics by using an example. Imagine an Internet service provider introduced a „real-time map of Cyber attacks“. The map would show attacks to their „honeypot“ systems at 90

2102, 2013

DeepSec 2013 – CfP: Covering Secrets, Failures & Visions!

René Pfeiffer/ February 21, 2013/ Conference, Security

DeepSec 2013 – Secrets, Failures & Visions – Call for Papers We are preparing the call for papers for DeepSec 2013, and we are trying to shift your mindset. We could easily come up with a list of trending technologies, gadgets and behaviours that will have an impact on information security. Instead we are looking for presentations and workshops dealing with secrets, failures and visions. This gives us another perspective and hopefully more to think about. Secrets Every person, every group, every enterprise and every government has them. Secrets are the very reason why information security uses encryption, access control, even doors and locks (physical and otherwise). You wouldn’t need all of this if it weren’t for safeguarding the secrets. Failures Sometimes things go wrong. Often not only by malicious action, but also by

1511, 2012

Using untrusted Network Environments

René Pfeiffer/ November 15, 2012/ Administrivia, Conference, Security

We mentioned on Twitter that DeepSec 2012 will again feature an open wireless network. This means that there will be no barriers when connecting to the Internet – no passwords, no login, no authentication and no encryption. Some of us are used to operate in untrusted environments, most others aren’t. So the tricky part is giving proper advice for all those who are not familiar with protecting their computing devices and network connections. We don’t know what your skills are, but we try to give some (hopefully) sensible hints. If you are well-versed with IT security and its tools, then you probably already know what you are doing. Nevertheless it’s a good habit to double-check. We caught one of our own sessions chairs with his crypto pants down and found a password – just

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this: