DeepSec 2013 Workshop: Exploiting Web Applications Protected By $WAFs

René Pfeiffer/ October 11, 2013/ Conference, Security, Training

We all use web applications on a daily basis. Search engines, portals, web sites, blogs, information pages and various other content accessible by web browsers accompany us every day. This means that web servers are the first exposed systems you will have to protect when deploying web applications. Usually you would add filters to your network that inspect access to the software and block any malicious requests. Packet filters were the tool of choice. Now we have application level firewalls to deal with the content and protocols used. In the case of web applications the market has introduced a new kind of device: the web application firewall (WAF). In theory WAFs understand HTTP and know how a web browser talks to a web server. In practice no two web applications are alike, because they may


DeepSec 2013 Workshop: Attacks On GSM Networks

René Pfeiffer/ October 4, 2013/ Conference, Security, Training

Mobile phone networks have penetrated even the most remote areas of the Earth. You can send a tweet from Mount Everest if you like, the cell service is already there. In addition mobile phone networks have 6 billion subscribers all over the world. Communication by mobile devices has entered the routine of daily life. It’s not all about talking. Smartphones, laptops, tablets and modems access the Internet by mobile phone networks. And as every security specialist knows: If there’s a network, then there are protocols, and these protocols can be attacked. True, it’s not as easy as TCP/IP, since mobile phone networks feature sets of more complex protocols. Nevertheless these networks can be accessed, and you cannot block that. This is why you should get in touch with the threats to your organisation. DeepSec


DeepSec 2013 Workshop: Developing and Using Cybersecurity Threat Intelligence

René Pfeiffer/ September 26, 2013/ Conference, Security Intelligence, Training

The arsenal of components you can use for securing your organisation’s digital assets is vast. The market offers a seemingly endless supply of application level gateways (formerly known as „firewalls“), network intrusion detection/prevention systems, anti-virus filters for any kind of platform (almost down to the refrigerator in the office), security tokens, biometrics, strong cryptography (just stay away from the fancy stuff), and all kinds of Big Data applications that can turn shoddy metrics into beautiful forecasts of Things to Come™ (possibly with a Magic Quadrant on top, think cherry). What could possibly go wrong? Well, it seems attackers still compromise systems, copy protected data, and get away with it. Security often doesn’t „add up“, i.e. you cannot improve your „security performance“ by buying fancy appliances/applications and piling them on top of each other. What


Workshops at DeepSec 2013 – One/Two Days and Dates

René Pfeiffer/ September 25, 2013/ Administrivia, Conference, Training

In case you are interested in attending a training at DeepSec 2013: We have changed the standard two day format for two of the nine workshops. The „Social Engineering Awareness Training“ and the „Secure Your Business By Business Continuity Plans“ workshops are the only courses that will be held for one day. The dates are:

19 November 2013 for the „Social Engineering Awareness Training“
20 November 2013 for the „Secure your Business by Business Continuity Plans“ workshop

We will add the dates to the ticket categories accordingly.

DeepSec 2013 Workshop: Social Engineering Awareness Training – Win A Free Ticket!

René Pfeiffer/ September 25, 2013/ Conference, Training

“If a tree falls in a forest and no one is around to hear it, does it make a sound?” You probably know this question. It’s a philosophical thought experiment questioning observation and knowledge of reality. There is a similar gedankenexperiment for information security: “If your organisation receives a spear phishing e-mail and no one is around to read it, does it create a security breach?” Communication is essential for everyone these days. If you run a business, you are forced to deal with communication on a daily basis. This didn’t start with the Internet. The telephone was first, and before that there were letters and all kinds of ways to relay word from A to B. It’s a good idea to go back in time to avoid being distracted by technology, but Trojan Horses


DeepSec 2013 Workshop: Secure your Business by Business Continuity Plans

René Pfeiffer/ September 23, 2013/ Conference, Training

Quite a lot of companies stay in business because they operate continuously and reliably. Few have the luxury to close shop for an extended period of time. If you do, then you are either fabulously successful or in deep trouble. Regardless of what you have in mind for your enterprise, you should think of implementing a business continuity plan (BCP) sooner or later. Since designing and implementing a BCP is no piece of cake, we offer you a one day training at DeepSec 2013 where you can get started. The workshop will be conducted by Michel Wolodimiroff, who has over 25 years of experience in dealing with information technology. He will walk you through all the bad dreams of failing infrastructure, data loss, compromised systems, and worse catastrophes you might not even have thought of.


Support your local CryptoParty

René Pfeiffer/ April 29, 2013/ Communication, Discussion, Training

Since September 2012 there have been CryptoParty events all over the world. The idea is to bring a group together and have the participants teach each other the basics of cryptography and how to use the various tools that enable you to encrypt and protect information. Of course, encryption by itself cannot guarantee security, but it’s a part of the equation. Since cryptography is hard, most tools using it require a certain amount of knowledge to understand what’s going on and how to use them properly. The CryptoParty helps – in theory and most often in practice, too. If a CryptoParty is near you and you have some knowledge to spare, please take part and share what you know with others. DeepSec supports the local CryptoParty events in Austria, too. Finding a CryptoParty can be easily done


DeepSec 2012 Training: SAP Security In-Depth

René Pfeiffer/ November 2, 2012/ Security, Training

Your SAP installation is probably the most critical system in your company’s infrastructure. At the same time the information accessed and processed by SAP systems originates from many sources. Securing infrastructure of this complexity is not an easy task, and testing your security measures requires a great deal of knowledge and training. In addition you will probably run web services talking to your SAP system – which is quite handy for attackers. In case you are short on knowledge about your own SAP deployment, there’s help. There will be an SAP security workshop at DeepSec 2012! The SAP Security In-Depth training will show you how to find out if your SAP infrastructure is secure. Knowing about segregation of duties and securing roles and profiles is fine in theory, but you have to make sure


DeepSec 2012 Workshop: Web Application Penetration Testing

René Pfeiffer/ October 11, 2012/ Conference, Training

If eyes are the window to your soul, then web applications are the gateways to your heart. Of course this is only a figure of speech, but once you take a look at security incidents and the role of web applications in them, then you get the idea behind the analogy. Web applications are everywhere. It’s not always about your favorite intranet application. A lot of devices run web applications, too. And there are portals which really give you access to a whole variety of information and services. Speaking of services, you can have application programming interfaces (APIs), too. APIs usually do not talk to humans, but maybe they can be automated to do Bad Things™. This is where penetration testing comes in. Ari Elias-Bachrach will teach you how to approach web applications in the context


DeepSec 2012 Workshop: Social Engineering Testing for IT Security Professionals

René Pfeiffer/ October 2, 2012/ Conference, Training

Social engineering has been big in the news yet again this year. In September, security researchers discovered an attack against Germany’s chipTAN banking system, in which bank customers were tricked into approving fraudulent transfers from their own accounts. In August, tech journalist Mat Honan had his digital life erased, as hackers social engineered Apple and Amazon call centres. In May it was reported that Czech thieves stole a 10-tonne bridge. When challenged by police during a routine check, they showed forged documents saying they were working on a new bicycle path. In January, a fraudster obtained Microsoft co-founder Paul Allen’s credit card details by social engineering workers in Citibank call centres. In December, Wells Fargo were tricked into wiring $2.1 million to a bogus bank account in Hong Kong following a series of fraudulent


DeepSec 2012 Training: Penetration Testing with Metasploit

René Pfeiffer/ September 25, 2012/ Training

Metasploit is one of the major tools used by security researchers and security administrators when it comes to testing security or verifying the operation of intrusion detection/prevention systems. It is also used by penetration testers when trying to circumvent defences and to insert payloads into compromised systems. Everyone dealing with the implementation of security measures is well advised to learn how Metasploit works, how it can be extended and how it can be used to its full potential. Point and click is a nice theory, but when it comes to information security you probably want to know what you are really doing. We therefore invite you to take a look at this workshop held at DeepSec 2012: In the Penetration Testing with Metasploit training you will learn hands-on skills that come in to


DeepSec 2012 Workshop: Malware Forensics and Incident Response Education (MFIRE)

René Pfeiffer/ September 24, 2012/ Conference, Training

Malicious software is the major tool for attackers. It is used to deliver the payload so that compromised systems can be exploited and secured for executing further tasks by your adversaries. Getting to know this malicious software and finding traces of the breach is very important for dealing with a security event. Proper incident response must be part of every state-of-the-art defence strategy. This is why we offer the Malware Forensics and Incident Response Education (MFIRE) training at DeepSec 2012. Ismael Valenzuela will be your teacher for this course. The workshop is a proactive weapon to help you normalize your environment after a negative event has occurred. Your opponents have increasingly sophisticated tools and backdoor programs at their disposal to steal your intellectual property and expose sensitive information – all with the ability


DeepSec 2012 Workshop: Strategic Thinking and Assessing Risk

René Pfeiffer/ September 24, 2012/ Conference, Training

We have begun to address the increasing demand for strategic thinking by staging the first DeepINTEL event in 2012. Since we strongly believe in the importance of the „big picture“, we offer a workshop on strategic thinking and assessing risk at DeepSec 2012, too. The training will be conducted by Richard Hanson, who has a broad understanding of security concepts and best practices through both formal education and client experience. He will guide you through the two-day workshop. The training will equip you with the knowledge and tools to be able to think strategically through understanding what is important to a business and assessing its risks. It will teach you techniques to conduct risk assessments and to prioritize the outcomes in a strategic roadmap. It’s not just theory. You will learn how to effectively


Software Development and Security Training

René Pfeiffer/ June 11, 2012/ Security, Training

Prior to every DeepSec conference we offer two-day trainings, and we regularly advertise trainings on secure software development. Attending security-centric workshops is really not meant as a humiliation. Modern (and not so modern) software development deals with a lot of code and dependencies. Even if your code is clean and well-written, there’s a chance that something you rely on isn’t. This happens a lot with library functions (think DLLs) and thus can happen in high level programming languages, too. A training focusing on security will sharpen your „spider sense“ and you will be able to detect sections of code that can go wrong more easily. This is also true for reading documentation. Take a look at CVE-2012-2122. In essence you can get access to some MySQL database servers by repeatedly trying to access an
