DeepSec 2015 Workshop: Practical Firmware Reversing and Exploit Development for AVR-based Embedded Devices – Alexander Bolshev & Boris Ryutin

Sanna/ October 7, 2015/ Conference, Training

The Internet of Things (IoT), more common known as the Internet of Stuff, is all around us. You don’t have to wait for it any more. Take a peek at the search results from Shodan and you will see that lots of devices are connected to the Internet. Since your refrigerator does not run high performance hardware, it is well worth to take a look at the hardware being used. For connected household devices and their controllers you need low power equipment. Think small, think embedded, not different. This is why we offer the Practical Firmware Reversing and Exploit Development for AVR-based Embedded Devices training to you at DeepSec 2015. Alexander Bolshev and Boris Ryutin will show you how to create exploits for the Internet of Things: Embedded systems are everywhere. And all of

Read More

DeepSec 2015 Workshop: Crypto Attacks – Juraj Somorovsky & Tibor Jager

Sanna/ October 5, 2015/ Conference, Training

Fvcelsiuetwq lcv xlt hsyhv xd kexh yw pdp, tlkli? Well, yes and no. ITEzISqbI1ABITAhITAhLZzQFsQ6JnkhMTMhpNK5F5rF9dctkiExMyEv9Fh1ITMzIaX2VCJpEQc= , and that’s where it often goes wrong. Your cryptographic defence can be attacked just as any other barrier you can come up with. Attackers never sleep, you know. Crypto attacks are often facilitated by a simple psychological bias: Since cryptographic algorithms are so complicated (for me), no one can easily figure out how to break them. But this may be true for ASN.1 or Chinese (with apologies to all native speakers, it is meant as a metaphor). The fertile growth of CrypoParties all around the globe documents the interest in using cryptography as a means of protecting data, be it in transit or stored locally. Since you use encryption algorithms every day, regardless if you know about them or

Read More

DeepSec 2015 Workshop: Practical Incident Handling – Felix Schallock

Sanna/ October 4, 2015/ Conference, Security, Training

Things go wrong or break, it’s just a matter of time. Ask your sysadmin about this. Apart from wear and tear, there are information security incidents that tend to ruin your perfect day at the office. What happens next? What do you do when noticing that your infrastructure has been compromised? Where do you start? Who needs to be told? Few employees know the answers to these questions. While you might have policies in place that regulate everything one needs to know, the practice looks wildly different. Apart from having a plan, you need to test if your plan works. At DeepSec 2015 Felix Schallock will show you what to do when digital lightning strikes. During two days of training you will take a tour on how to address and handle incidents properly. During

Read More

DeepSec 2015 Workshop: PowerShell for Penetration Testers – Nikhil Mittal

Sanna/ September 29, 2015/ Conference, Security, Training

The platform you are working with (or against) determines the tools you can use. Of course, everyone loves to boot the operating system of choice and hack on familiar grounds. Occasionally you have no choice, and you have to use what’s available. This is especially true for penetration testing. You get to use what you find on the systems of your digital beachhead. And you are well advised to get familiar with the tools you most definitely will find on these systems. This is a reason to look at the PowerShell. It is available on the Microsoft® Windows platform, so it’s the way to go. In his workshop at DeepSec 2015 Nikhil Mittal will teach you all you need to know about the PowerShell. PowerShell is the ideal tool for penetration testing of a

Read More

DeepSec 2014 Workshop: Hacking Web Applications – Case Studies of Award-Winning Bugs

René Pfeiffer/ October 14, 2014/ Conference, Training

The World Wide Web has spread vastly since the 1990s. Web technology has developed a lot of methods, and the modern web site of today has little in common with the early static HTML shop windows. The Web can do more. A lot of applications can be accessed by web browsers, because it is easier in terms of having a client available on most platforms. Of course, sometimes things go wrong, bugs bite, and you might find your web application and its data exposed to the wrong hands. This is where you and your trainer Dawid Czagan come in. We offer you a Web Application Hacking training at DeepSec 2014. Have you ever thought of hacking web applications for fun and profit? How about playing with authentic, award-winning bugs identified in some of the

Read More

DeepSec 2014 Workshop: Understanding x86-64 Assembly for Reverse Engineering and Exploits

René Pfeiffer/ October 14, 2014/ Training

Assembly language is still a vital tool for software projects. While you can do a lot much easier with all the high level languages, the most successful exploits still use carefully designed opcodes. It’s basically just bytes that run on your CPU. The trick is to get the code into position, and there are lots of ways to do this. In case you are interested, we can recommend the training at DeepSec held by Xeno Kovah, Lead InfoSec Engineer at The MITRE Corporation. Why should you be interested in assembly language? Well, doing reverse engineering and developing exploits is not all you can do with this knowledge. Inspecting code (or data that can be used to transport code in disguise) is part of information security. Everyone accepts a set of data from the outside

Read More

DeepSec 2014 Workshop: Suricata Intrusion Detection/Prevention Training

René Pfeiffer/ September 25, 2014/ Conference, Internet, Training

Getting to know what’s going on is a primary goal of information security. There is even a name for it: intrusion detection. And there are tools to do this. That’s the easy part. Once you have decided you want intrusion detection or intrusion prevention, the implementation part becomes a lot more difficult. Well, if you need help with this issue, there is a two-day workshop for you at DeepSec 2014 – the Suricata Training Event. Suricata is a high performance Network Intrusion Detection System (IDS), Intrusion Prevention System (IPS) and Network Security Monitoring engine. It can serve pretty much all your needs. It’s Open Source (so it cannot be bought and removed from the market) and owned by a very active community. Suricata is managed by the non-profit foundation; the Open Information Security Foundation

Read More

DeepSec 2013 Workshop: Effective IDS/IPS Auditing And Testing With Finux

René Pfeiffer/ October 26, 2013/ Conference, Security, Training

A major part of information security is to deal with intrusions. It doesn’t matter if you have to anticipate them, detect them, or desperately wish to avoid them. They are a part of your infosec life. This is why gentle software developers, security researchers, and vendors have created intrusion detection/preventi0n systems. It’s all there for your benefit. The trouble is that once you buy and deploy and IDS/IPS system, its dashboard looks a lot like the one from the space shuttle or a fighter jet. You can do a lot, you can combine a lot more, and you see all kinds of blinking lights when you turn everything on. That’s probably not what you want. But there is help. Arron ‘Finux’ Finnon of Alba13 Research Labs will conduct a training on effective IDS/IPS auditing

Read More

DeepSec 2013 Workshop: Hands On Exploit Development (Part 1)

René Pfeiffer/ October 20, 2013/ Conference, Training

Software bugs evolve, just like their animal counterparts. Lesser bugs impact usability or are simple malfunctions. Once a bug impacts the security it is called a vulnerability. This means that something major is broken and that the internal logic can be manipulated to produce undesirable effects. Vulnerabilities can be exploited to create deterministic effects such as bypassing security checks, elevating privileges or other things. Exploits are the biggest bugs around. They have to work every time (at least with the software version affected by the bug/vulnerability), they need to insert specific code with a given purpose, and they should not compromise the functionality of the software (since you don’t want to be noticed) – So there is software development involved. Georgia Weidman will teach you how to get from a bug via a vulnerability

Read More

DeepSec 2013 Workshop: Exploiting Web Applications Protected By $WAFs

René Pfeiffer/ October 11, 2013/ Conference, Security, Training

We all use web applications on a daily basis. Search engines, portals, web sites, blogs, information pages and various other content accessible by web browsers accompany us every day. This means that web server are the first exposed systems you will have to protect when deploying web applications. Usually you would add filters to your network that inspect access to the software and block any malicious requests. Packet filters were the tool of choice. Now we have application level firewalls to deal with content and protocols used. In the case of web applications the market has introduced a new kind of device: the web application firewall (WAF). In theory WAFs understand HTTP and know how a web browser talks to a web server. In practice no two web applications are alike, because they may

Read More

DeepSec 2013 Workshop: Attacks On GSM Networks

René Pfeiffer/ October 4, 2013/ Conference, Security, Training

Mobile phone networks have penetrated even the most remote areas of the Earth. You can send a tweet from Mount Everest if you like, the cell service is already there. In addition mobile phone networks feature 6 billion subscribers all over the world. Communication by mobile devices has entered the routine of daily life. It’s not all about talking. Smartphone, laptops, tablets and modems access the Internet by mobile phone networks. And as every security specialist knows: If there’s a network, then there are protocols, and these protocols can be attacked. True, it’s not as easy as TCP/IP since mobile phone networks feature sets of more complex protocols. Nevertheless these networks can be accessed, and you cannot block it. This is why you should get in touch with the threats to your organisation. DeepSec

Read More

DeepSec 2013 Workshop: Developing and Using Cybersecurity Threat Intelligence

René Pfeiffer/ September 26, 2013/ Conference, Security Intelligence, Training

The arsenal of components you can use for securing your organisation’s digital assets is vast. The market offers a sheer endless supply of application level gateways (formerly know as „firewalls“), network intrusion detection/prevention systems, anti-virus filters for any kind of platform (almost down to the refrigerator in the office), security tokens, biometrics, strong cryptography (just stay away from the fancy stuff), and all kinds of Big Data applications that can turn shoddy metrics into beautiful forecasts of Things to Come™ (possibly with a Magic Quadrant on top, think cherry). What could possibly go wrong? Well, it seems attackers still compromise systems, copy protected data, and get away with it. Security often doesn’t „add up“, i.e. you cannot improve your „security performance“ by buying fancy appliances/applications and piling them on top of each other. What

Read More

Workshops at DeepSec 2013 – One/Two Days and Dates

René Pfeiffer/ September 25, 2013/ Administrivia, Conference, Training

In case you are interested in attending a training at DeepSec 2013: We have changed the standard two day format for two of the nine workshops. The „Social Engineering Awareness Training“ and the „Secure Your Business By Business Continuity Plans“ workshops are the only courses that will be held for one day. The dates are: 19 November 2013 for the „Social Engineering Awareness Training“ 20 November 2013 for the „Secure your Business by Business Continuity Plans“ workshop We will add the dates to the ticket categories accordingly.

DeepSec 2013 Workshop: Social Engineering Awareness Training – Win A Free Ticket!

René Pfeiffer/ September 25, 2013/ Conference, Training

“If a tree falls in a forest and no one is around to hear it, does it make a sound?” You probably know this question. It’s a philosophical thought experiment questioning observation and knowledge of reality. There is a similar gedankenexperiment for information security: “If your organisation receives a spear phishing e-mail and no one is around to read it, does it create a security breach?” Communication is essential for everyone these days. If you run a business, you are forced to deal with communication on a daily basis. This didn’t start with the Internet. The telephone was first, and before there were letters and all kinds of ways to relay word from A to B. It’s a good idea to go back in time to avoid being distracted by technology but Trojan Horses

Read More

DeepSec 2013 Workshop: Secure your Business by Business Continuity Plans

René Pfeiffer/ September 23, 2013/ Conference, Training

Quite a lot of companies stay in business, because they operate continuously and reliably. Few have the luxury to close shop for an extended period of time. If you do, then you are either fabulously successful or in deep trouble. Regardless of what you have in mind for your enterprise you should think of implementing a business continuity plan (BCP) sooner or later. Since designing and implementing a BCP is no piece of cake, we offer you a one day training at DeepSec 2013 where you can get started. The workshop will be conducted by Michel Wolodimiroff, who has over 25 years of experience in dealing with information technology. He will walk you through all bad dreams  of failing infrastructure, data loss, compromised systems, and worse catastrophes you might not even have thought of.

Read More