Our wonderful world of technology is full of surprises, bugs, intentional weaknesses, adversaries, defenders, vendors, and users. Some software just got more lines of code instead of a decent audit or refactoring. Everything is turning smart, but no one knows what smart really means. Big Data is all the fashion, Big Knowledge still isn’t. So there is ample opportunity for security research. And we haven’t mentioned recent weaknesses such as Stack Clash or broken hyperthreading yet. Strategy hasn’t evolved much either. Most high profile attacks seem to contain a lot of cyber, originating from Russia, USA, Israel, North Korea, or China. The context matters, as do the agendas of all parties involved. A thorough and careful analysis can shape the digital defence of your future. This is why we like to discuss methods, incidents,
After the Wannacry malware wreaked havoc in networks, ticket vending machines, companies, and hospitals the clean-up has begun. This also means that the blame game has started. The first round of blame was distributed between Microsoft and the alleged inspiration for the code. The stance on vulnerabilities of security researchers is quite clear. Weaknesses in software, hardware, protocols, or design needs to be documented and published. This is the only way to address the problem and to give the defenders a chance to react. The discussion about how to deal with the process is ongoing and will most likely never come to a conclusion. What about the source of the attack? Attribution is hard. Knowing who attacked has become increasingly difficult in the analogue world. Take any of the conflicts around the world and
Seminar on Digital Defence with Experts. The news is full of reports covering attacks against networked systems and digital components. Every day there is new media coverage about stolen data, compromised accounts, the impact of malicious software, digital second strikes, cyber attacks between countries and new vulnerabilities in computer systems. All that leads to the impression that in the modern digital world we are almost helplessly vulnerable to attacks. Clever entrepreneurs benefit from the general uncertainty and sell countermeasures in the form of security software or other components, which, according to their praise, once installed will kill off every threat automatically. But the media don’t show the whole picture – hardly any report on “hacker attacks” could be called a realistic depiction of real life events. The consequence? It is not possible to build
There will be a screening of the documentary A Good American in Vienna tomorrow. We highly recommend watching this film, even if you are not directly connected to information security. Threat intelligence has far-reaching consequences, and in the case of the world’s biggest intelligence agency it also affects you. A Good American will be shown at 1000, Village Cinema Wien Mitte, and at 1600, Audimax of the Technische Universität Wien (you need to send an email with a RSVP to attend). All of this takes place in the course of a lecture about the topic. Markus Huber and Martin Schmiedecker have kindly organised everything. Bill Binney will be present, too. So you can directly talk to him and ask him questions. We highly recommend not to miss this opportunity.
DeepSec 2016 Talk: Assessing the Hacking Capabilities of Institutional and Non-institutional Players – Stefan Schumacher
Cyberwar, Cyberterror and Cybercrime have been buzzwords for several years now. Given the correct context, using cyber has merits. However Cyber-Headlines are full with Cyber-Reports about Cyber-Incidents, Cyber-Hacking and Cyber-Cyber in general. However, that whole discussion does not only suffer from sensationalism of journalists and bloggers, there are also some fundamental problems, says Stefan Schumacher. We are still lacking useful definitions for modern IT security threats and we still have to think about the assessment of capabilities in the IT field.Besides institutional actors like states and their military and intelligence community we also have to assess the capabilities of non-institutional actors like terrorist groups or organised crime. Unlike the assessment of classic military strength (eg. fighting power or Kriegsstärkenachweise), assessing the capabilities and powers of actors in the IT field is much more complicated
Nation state attacks are very popular – in the news and in reality. High gain, low profile, maximum damage. From the point of information security it is always very insightful to study the anatomy of these attacks once they are known. Looking at ways components fail, methods adversaries use for their own advantage, and thinking of possible remedies strengthens your defence. At DeepSec 2016 Gadi Evron will share knowledge about an operation that went after government systems all around the world. Patchwork is a highly successful nation state targeted attack operation, which infected approximately 2,500 high-value targets such as governments, worldwide. It is the first targeted threat captured using a commercial cyber deception platform. In his talk Gadi Evron will share how deception was used to catch the threat actor, and later on secure their second stage malware
DeepSec2016 Talk: Cover Your SaaS: Protecting Your Cloud With Analytics and Machine Learning – Ian Thornton-Trump
Some people call military intelligence an oxymoron. This usually happens when something goes wrong. It might be due to sloppy reconnaissance, operations, or simply bad luck. While it’s always good to have someone or something to blame, things are not so easy in modern „cyberspace“. Improving your security means to have something to base this improvement on. Despite the fact that being lucky is never a bad thing, the selection of your defences and the assessment of the threats you are facing need to be based on something more solid. IT departments have been mining logs and other kind of raw materials that produce metrics for decades. Every once in a while there is a new trend. Now that we can store enormous amounts of data and can access it, we have a lot
Surveillance has a bad reputation. No one likes to be watched. Yet infosec researchers, sysadmins, and developers talk a lot about log files. We need to watch stuff for various reasons. You got your mail logs, diagnostic messages, performance metrics, network addresses, and more painstakingly sorted by timestamps and maybe geolocation. Log data is part of information technology. It gets interesting once you store, process and mine this data. Some people like to collect it all and do all kinds of Big Data stuff with it. Others filter out the relevant bits of information and work with that. Opinion is divided, results may vary. Enter A Good American, the documentary which was screened in Vienna during the DeepSec 2015 conference. It has been shown all over the world. The film itself is fully funded,
Analysing threat intelligence hasn’t been more important. We all know that bad things will happen. That’s not the issue to worry about. You should spend some thoughts on why something happens, what methods are involved, and what your adversaries look like on the inside. Defending your assets is much more than using a fence, some doors, and badges for your employees. We would like to welcome you to DeepINTEL to discuss security intelligence in-depth. The DeepINTEL 2016 has been moved. Save the new date; DeepINTEL will take place on 20/21 September. The location hasn’t changed, and good weather has been ordered. Make sure you order your tickets!
We already published a Call for Papers for the upcoming DeepINTEL 2016. Here are some thoughts to get your creativity going. Standard solutions and off-the-shelf products to solve your security needs are remains from the 1990s. Everything else has gone smart, and that’s how you have to address security problems in the future. NSA director Admiral Michael Rogers told the audience of the RSA Conference 2016 that the NSA cannot counter the digital attacks it faces on its own. GCHQ, the NSA’s British counterpart, has publicly stated that the £860m budget to counter digital adversaries is not sufficient to defend Britain’s digital assets. Modern digital defence needs a sound foundation of data to base decisions on. You can neither combat a forest fire or an infectious disease by blindly throwing money at it. You
For everyone attending DeepSec 2015 we organised a private screening of the film “A Good American”. Everyone else now gets the chance to see this film in theatres beginning on 18 March 2016. Next week there will be the premiere in Vienna, Linz, and Innsbruck here in Austria. Bill Binney will be present himself, and he will answer questions from the audience. We highly recommend “A Good American” to everyone dealing with information security, regardless of the level. Full take and Big Data is not always the answer to your security challenges. Every gadget around is turning smart, and so should you. We hope to see you at the premiere here in Vienna next week!
Information security without intelligence is less than half the fun. That’s why we organise the DeepINTEL 2016 conference. The focus is entirely on the intelligence side of security. Given the events in the recent months it’s about time that you get your focus right and turn your radar on. Flying blind will get you into trouble. The DeepINTEL is a single track / two day event that addresses mainly critical infrastructure, state organizations (administrative and law enforcement), accredited CERTs, finance organizations and trusted parties and organizations with a strong relation or partnership to the aforementioned. Due to the sensitive topics and the nature of the participants and speakers we will have a vetting process for participants. We’d like to know our audience, so that we all can talk freely and openly during the event.
In our economy data leaks are a constant companion. That’s the impression one gets when reading the news. Customer portals, online shops, digital communications, plans of products, personnel data, and more can be found in department stores throughout the shadow economy. Blind faith in global networks has indeed suffered in recent years, but companies and individuals still have a partially carefree attitude when it comes to the imminent risk their data is exposed to. “Who cares about our data?”, is often said. This year’s DeepSec IT Security Conference has some very specific answers to this question. Duncan Campbell and James Bamford open IT Security Conference in Vienna Duncan Campbell is a freelance British journalist, author, and television producer. Since 1975 he has specialized in intelligence and security services, defence, policing and civil liberty rights.
Attendees of DeepSec 2015 will receive a special treat. We have been talking to Friedrich Moser, and he has agreed to show his documentary „A Good American“ on 20 November 2015 exclusively. The private screening will take place in Vienna. It starts at 2100 at the Burg Kino, known for showing „The Third Man“. „A Good American“ explains how to do threat intelligence in a more efficient way, according to the creator of ThinThread: „A codebreaker genius, a revolutionary surveillance program and corruption across the board of NSA. Against this backdrop unfolds the feature documentary A GOOD AMERICAN. The film tells the story of Bill Binney and his program ThinThread and how this perfect alternative to mass surveillance got ditched by NSA for money.“ After the film Friedrich Moser, Duncan Campbell, James Bamford, and
DeepSec 2015 Talk: A Death in Athens: The inherent Vulnerability of “lawful Intercept” Programs, and Why all Government authorized Backdoors are very dangerous – James Bamford
Some of you might remember the „Athens Affair“. In 2005 Ericsson found backdoors in the lawful interception systems of Vodafone Greece. The software on these modules was altered to successfully wiretap phone numbers without detection. When one of the tapped phones made or received a phone call, the exchange, or switch, sent a duplication of the conversation to one of fourteen anonymous prepaid mobile phones. The incident sparked an investigation, and Vodafone Greece was fined millions of Euros for breaching privacy laws. In February 2015 the Greek authorities issued a warrant for a suspect linked to the NSA. Lawful interception (LI) capabilities are mandatory for telecommunication equipment. In Europe the technical requirements and standards are developed by the European Telecommunications Standards Institute (ETSI); the 3rd Generation Partnership Project (3GPP) maintains the part relevant for