0909, 2016

DeepSec 2016 Workshop: Deploying Secure Applications with TLS – Juraj Somorovsky

Sanna/ September 9, 2016/ Security, Training

Cryptography is all around us. It has become something like the background radiation of the networked world. We use it on a daily basis. Since nothing usually comes into existence by mistake, there must be someone responsible for deploying this crypto stuff. You are right. Software developers, mathematicians, engineers, system administrators, and many more people are involved to make encryption happen. The hard part is to get it right. The mathematics involved is hard. A lot can go wrong. This is why we have a workshop for you at DeepSec 2016! Have you (or your manager) ever wondered why your server is getting bad grades from SSL labs? Or are you interested in improving the performance of your TLS server? If you answer one of these question with “yes”, you should consider to take part in the

0409, 2016

DeepSec2016 Workshop: Offensive iOS Exploitation – Marco Lancini

Sanna/ September 4, 2016/ Conference, Training

If an iPhone gets exploited in the forest and no one is around to 0wn it, does it worry you? This philosophical question has been answered sufficiently by the latest Pegasus incident. All smartphone should worry you. The iPhone and its operating system is no exception. Actually breaking a smartphone give an attacker a lot of advantages. Chances are that you carry the exploited device with you all the time. At last the Age of Mobility has reached information security! In order to develop exploits you need a healthy dose of software development and a (deep) knowledge of the platform being attacked. For those of you who do a lot of penetratoion testing, security analysis, or plain software quality management, we have a shortcut for you: the iOS exploitation workshop. This is an exercise-driven

0209, 2016

DeepSec 2016 Workshop: Hacking Web Applications – Case Studies of award-winning Bugs in Google, Yahoo!, Mozilla and more – Dawid Czagan

Sanna/ September 2, 2016/ Conference, Internet, Security, Training

Have you been to the pictures lately? If so, what’s the best way to attack an impenetrable digital fortress? Right, go for the graphical user interface! Or anything exposed to the World Wide Web. The history of web applications is riddled with bugs that enable attackers to do things they are not supposed to. We bet that you have something exposed on the Web and even probably don’t know about it. Don’t worry. Instead attend the DeepSec training session „Hacking Web Applications“ conducted by Dawid Czagan. He will teach you about what to look for when examining web applications with a focus on information security. This hands-on web application hacking training is based on authentic, award-winning security bugs identified in some of the greatest companies (Google, Yahoo!, Mozilla, Twitter, etc.). You will learn how bug hunters

2010, 2015

DeepSec Workshops: Digitale Verteidigung – Wissen ist Macht

René Pfeiffer/ October 20, 2015/ Conference, Internet, Training

Wann haben Sie Ihren letzten Geschäftsbrief geschrieben? Und wann haben Sie das letzte Mal Stift und Papier dazu benutzt? Es macht nichts wenn Sie sich nicht daran erinnern können: Digitale Kommunikation ist Teil unseres Alltagslebens, nicht nur in der Geschäftswelt. Wir haben uns so sehr daran gewöhnt ständig online zu kommunizieren, das offline sein sich schon fast unnatürlich anfühlt. Das heißt natürlich auch, dass wir ständig irgendwelchen Netzwerken ausgeliefert sind, vor allem dem Internet. Unsere Tür steht Tag und Nacht offen. Wir können sie nicht mehr schließen und laden somit offen auch ungebetene Gäste ein, die dieselben Netzwerke nutzen wie wir. Es ist Zeit ernsthaft darüber nachzudenken. Was für Bedrohungen gibt es da draußen? Und wie können wir uns vor Ihnen schützen? Cyber Kriminalität und Datenschutz Alles ist „Cyber“ heutzutage. Kriminalität genauso wie Sicherheitsbestrebungen.

1310, 2015

Defence – Beating the Odds with Knowledge

René Pfeiffer/ October 13, 2015/ Conference, Discussion, Mission Statement, Training

When did you write your last business letter? You probably don’t recall, because you write one all of the time. When did you last use ink and paper to do this? If you can’t remember the answer to this question, don’t bother trying. Digital communication is part of our daily life, not only in the business world. We are very accustomed to communicate in the here and now, up to the point where being offline feels unnatural. In turn this means that we are constantly exposed to networks of all kinds, especially the Internet. Our door is open all around the clock. We can’t close it any more, thus openly inviting every kind of threat also using networks. It’s time to seriously think about this. What does it mean? What do we need to

0710, 2015

DeepSec 2015 Workshop: Practical Firmware Reversing and Exploit Development for AVR-based Embedded Devices – Alexander Bolshev & Boris Ryutin

Sanna/ October 7, 2015/ Conference, Training

The Internet of Things (IoT), more common known as the Internet of Stuff, is all around us. You don’t have to wait for it any more. Take a peek at the search results from Shodan and you will see that lots of devices are connected to the Internet. Since your refrigerator does not run high performance hardware, it is well worth to take a look at the hardware being used. For connected household devices and their controllers you need low power equipment. Think small, think embedded, not different. This is why we offer the Practical Firmware Reversing and Exploit Development for AVR-based Embedded Devices training to you at DeepSec 2015. Alexander Bolshev and Boris Ryutin will show you how to create exploits for the Internet of Things: Embedded systems are everywhere. And all of

0510, 2015

DeepSec 2015 Workshop: Crypto Attacks – Juraj Somorovsky & Tibor Jager

Sanna/ October 5, 2015/ Conference, Training

Fvcelsiuetwq lcv xlt hsyhv xd kexh yw pdp, tlkli? Well, yes and no. ITEzISqbI1ABITAhITAhLZzQFsQ6JnkhMTMhpNK5F5rF9dctkiExMyEv9Fh1ITMzIaX2VCJpEQc= , and that’s where it often goes wrong. Your cryptographic defence can be attacked just as any other barrier you can come up with. Attackers never sleep, you know. Crypto attacks are often facilitated by a simple psychological bias: Since cryptographic algorithms are so complicated (for me), no one can easily figure out how to break them. But this may be true for ASN.1 or Chinese (with apologies to all native speakers, it is meant as a metaphor). The fertile growth of CrypoParties all around the globe documents the interest in using cryptography as a means of protecting data, be it in transit or stored locally. Since you use encryption algorithms every day, regardless if you know about them or

0410, 2015

DeepSec 2015 Workshop: Practical Incident Handling – Felix Schallock

Sanna/ October 4, 2015/ Conference, Security, Training

Things go wrong or break, it’s just a matter of time. Ask your sysadmin about this. Apart from wear and tear, there are information security incidents that tend to ruin your perfect day at the office. What happens next? What do you do when noticing that your infrastructure has been compromised? Where do you start? Who needs to be told? Few employees know the answers to these questions. While you might have policies in place that regulate everything one needs to know, the practice looks wildly different. Apart from having a plan, you need to test if your plan works. At DeepSec 2015 Felix Schallock will show you what to do when digital lightning strikes. During two days of training you will take a tour on how to address and handle incidents properly. During

2909, 2015

DeepSec 2015 Workshop: PowerShell for Penetration Testers – Nikhil Mittal

Sanna/ September 29, 2015/ Conference, Security, Training

The platform you are working with (or against) determines the tools you can use. Of course, everyone loves to boot the operating system of choice and hack on familiar grounds. Occasionally you have no choice, and you have to use what’s available. This is especially true for penetration testing. You get to use what you find on the systems of your digital beachhead. And you are well advised to get familiar with the tools you most definitely will find on these systems. This is a reason to look at the PowerShell. It is available on the Microsoft® Windows platform, so it’s the way to go. In his workshop at DeepSec 2015 Nikhil Mittal will teach you all you need to know about the PowerShell. PowerShell is the ideal tool for penetration testing of a

1410, 2014

DeepSec 2014 Workshop: Hacking Web Applications – Case Studies of Award-Winning Bugs

René Pfeiffer/ October 14, 2014/ Conference, Training

The World Wide Web has spread vastly since the 1990s. Web technology has developed a lot of methods, and the modern web site of today has little in common with the early static HTML shop windows. The Web can do more. A lot of applications can be accessed by web browsers, because it is easier in terms of having a client available on most platforms. Of course, sometimes things go wrong, bugs bite, and you might find your web application and its data exposed to the wrong hands. This is where you and your trainer Dawid Czagan come in. We offer you a Web Application Hacking training at DeepSec 2014. Have you ever thought of hacking web applications for fun and profit? How about playing with authentic, award-winning bugs identified in some of the

1410, 2014

DeepSec 2014 Workshop: Understanding x86-64 Assembly for Reverse Engineering and Exploits

René Pfeiffer/ October 14, 2014/ Training

Assembly language is still a vital tool for software projects. While you can do a lot much easier with all the high level languages, the most successful exploits still use carefully designed opcodes. It’s basically just bytes that run on your CPU. The trick is to get the code into position, and there are lots of ways to do this. In case you are interested, we can recommend the training at DeepSec held by Xeno Kovah, Lead InfoSec Engineer at The MITRE Corporation. Why should you be interested in assembly language? Well, doing reverse engineering and developing exploits is not all you can do with this knowledge. Inspecting code (or data that can be used to transport code in disguise) is part of information security. Everyone accepts a set of data from the outside

2509, 2014

DeepSec 2014 Workshop: Suricata Intrusion Detection/Prevention Training

René Pfeiffer/ September 25, 2014/ Conference, Internet, Training

Getting to know what’s going on is a primary goal of information security. There is even a name for it: intrusion detection. And there are tools to do this. That’s the easy part. Once you have decided you want intrusion detection or intrusion prevention, the implementation part becomes a lot more difficult. Well, if you need help with this issue, there is a two-day workshop for you at DeepSec 2014 – the Suricata Training Event. Suricata is a high performance Network Intrusion Detection System (IDS), Intrusion Prevention System (IPS) and Network Security Monitoring engine. It can serve pretty much all your needs. It’s Open Source (so it cannot be bought and removed from the market) and owned by a very active community. Suricata is managed by the non-profit foundation; the Open Information Security Foundation

2610, 2013

DeepSec 2013 Workshop: Effective IDS/IPS Auditing And Testing With Finux

René Pfeiffer/ October 26, 2013/ Conference, Security, Training

A major part of information security is to deal with intrusions. It doesn’t matter if you have to anticipate them, detect them, or desperately wish to avoid them. They are a part of your infosec life. This is why gentle software developers, security researchers, and vendors have created intrusion detection/preventi0n systems. It’s all there for your benefit. The trouble is that once you buy and deploy and IDS/IPS system, its dashboard looks a lot like the one from the space shuttle or a fighter jet. You can do a lot, you can combine a lot more, and you see all kinds of blinking lights when you turn everything on. That’s probably not what you want. But there is help. Arron ‘Finux’ Finnon of Alba13 Research Labs will conduct a training on effective IDS/IPS auditing

2010, 2013

DeepSec 2013 Workshop: Hands On Exploit Development (Part 1)

René Pfeiffer/ October 20, 2013/ Conference, Training

Software bugs evolve, just like their animal counterparts. Lesser bugs impact usability or are simple malfunctions. Once a bug impacts the security it is called a vulnerability. This means that something major is broken and that the internal logic can be manipulated to produce undesirable effects. Vulnerabilities can be exploited to create deterministic effects such as bypassing security checks, elevating privileges or other things. Exploits are the biggest bugs around. They have to work every time (at least with the software version affected by the bug/vulnerability), they need to insert specific code with a given purpose, and they should not compromise the functionality of the software (since you don’t want to be noticed) – So there is software development involved. Georgia Weidman will teach you how to get from a bug via a vulnerability

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this: