DeepSec 2018 Talk: Who Watches the Watcher? Detecting Hypervisor Introspection from Unprivileged Guests – Tomasz Tuzel

Over the last decade we have seen a rapid rise in virtualization-based tools in which a hypervisor is used to gain insight into the runtime execution of a system. With these advances in introspection techniques, it is no longer a question of whether a hypervisor can be used to peek inside or even manipulate the VMs it executes. Thus, how can we trust that a hypervisor deployed by a cloud provider will respect the privacy of their customers?

While there are hardware-based protection mechanisms with the goal of guaranteeing data privacy even in the presence of such an “introspecting” hypervisor, there are currently no tools that can check whether the hypervisor is introspecting when it shouldn’t.

We have developed a software package that analyzes instructions and memory accesses on an unprivileged guest system deployed onto a hypervisor, to determine the potential presence (or absence) of introspection. These techniques examine properties of modern x86 systems, such as cache-based memory access timing and privileged instruction benchmarking, to characterise the behaviour of the hypervisor. Moreover, we have developed timing methods such as thread racing to determine whether a hypervisor is monitoring regions of memory or hooking instructions.

Tomasz has been a security researcher for over seven years, having spent the first five at the Department of Defense, followed by Assured Information Security, Inc. He has primarily specialized in low-level security research.

DeepSec 2018 Talk: Open Source Network Monitoring – Paula de la Hoz Garrido

“I’d like to offer an introduction into Network System Monitoring using different open tools available in Linux”, says Paula. “The talk is a technical approach to identify the best sniffing points in a network and how to orchestrate a full analysis of the content to secure the network, as well as showing ideas of collaborative and distributed hacking. Also, for a better performance, the talk includes a brief guide into configuring a Raspberry Pi for creating a simple Network Capture Probe. The main point of the talk is to show how open source tools are a nice option for this kind of security assessment.”

We asked Paula a few more questions about her topic of expertise:

Please tell us the top 5 facts about your talk.

First of all, this talk is not solely technical. I like to give context to every technical fact I throw, and so it’s not just useful, but it makes sense. Second, I really like hardware so there are also some maker tips! Third, the most important fact of my talk, apart from security of course, is open culture. Fourth, hey do you like CTFs? Some of the details told in the talk can be used to solve these puzzles! And, last but not least, I’d like to show how hacking can be collaborative.

How did you come up with it? Was there something like an initial spark that set your mind on creating this talk?

I’m into open culture and I tried to make my way on security, my passion, using open resources. I had the luck to find security jobs where I was allowed to choose my own tools, also I was asked to guide a group of telecommunications students into collaborative network hacking, and it was an amazing experience.

Why do you think this is an important topic?

Because both security and open software are becoming more and more important in the tech industry, and I think it’s important to show how they can both match and at the same time don’t perpetuate the “lone wolf” hacking stereotype.

Is there something you want everybody to know – some good advice for our readers maybe?

Maybe that I would love to hear about their own advice regarding the main topics of the talk, any time! Guess I’m not wise enough to throw an epic sentence. Oh wait yes, may the force be with you?

A prediction for the future – what do you think will be the next innovations or future downfalls when it comes to your field of expertise / the topic of your talk in particular?

I think we are heading towards ubiquitous computing, and that our way of thinking about security needs to update to fit that! Distributed tech requires distributed security, probably not -completely- based on the hardware (as open hardware and low cost resources are becoming more and more important in IoT and related) but based in its network.

Paula de la Hoz Garrido is a 22-year-old computer engineering student. So far, she’s worked as a systems analyst, as a robotics teacher in Switzerland and as an Arduino monitor at a summer camp for girls at the University of Granada.

She has a Columbia University certificate in Investigative Journalism and recently founded a digital rights and privacy awareness association in Spain called “Interferencias”, which already has around 500 members. Paula is into Network security, and is training a group of telecommunications students who passed a CTF test in the kind of security assessment Paula introduces us to in her talk.

DeepSec 2018 Talk: Building your Own WAF as a Service and Forgetting about False Positives – Juan Berner

When a Web Application Firewall (WAF) is presented as a defensive solution to web application attacks, there is usually a decision to be made: Will it be placed inline (and risk affecting users due to outages or latency) or will it be placed out of band (not affecting users, but not protecting them either)? In his talk Juan Berner will cover a different approach you can take when deciding how to use any WAF at your disposal, which is to try and get the best of both worlds: making the WAF work in passive mode out of band, detecting attacks, and in active mode by selectively routing traffic through your WAF to decide whether it should block the request or allow it.

To achieve this you will have to abstract the WAF behind a web service, something developers are used to working with, which can result in delivering security in a targeted and scalable manner. In this network-agnostic setup, a WAF web service can grow horizontally, allowing you to enhance the WAF decisions with your own business knowledge. This means that the decision to block or to route traffic through the WAF will not only depend on the WAF’s verdict but also on data about your application and its context, which can significantly reduce the false positive rate.

In this talk, Juan will go through how such a service can be built with open source examples, what alternatives there are depending on the flexibility of the WAF used, and how this approach can be used to consciously decide on the false positive rate wanted and the desired business risk depending on the attack type. He will also cover the drawbacks of a solution that is not fully inline and speak about possible improvements of this architecture.

We asked Juan a few more questions about his topic of expertise.

Please tell us the top 5 facts about your talk.

  • Web Application Firewalls (WAF) can take advantage of event streaming technologies (such as Kafka) to replicate a network tap to perform out of band analysis.
  • Creating a web service around a WAF means you do not need to limit yourself to a single WAF but can use multiple different types to enhance the detection.
  • A WAF web service also allows you to add business logic to the detection of Web Application Attacks.
  • By using context in relation to Web Application Attacks, the false positive rate can be decided not by just tuning the particular rules but also what context would trigger a response from the WAF service.
  • It’s possible to have a hybrid setup where most traffic will not have the downsides of a WAF (latency on the request analysis) and yet allow blocking of malicious requests by selective routing.
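The design described above, as an added example written for this article rather than code from Juan Berner or his talk: a small Python model of a WAF service that runs a passive, out-of-band inspection over mirrored requests (what an event stream such as Kafka would deliver), keeps a per-client score, and uses business context to decide for each live request whether to serve it directly, detour it through the inline WAF, or block it. The two signature rules, the `Request` and `BusinessContext` fields, the thresholds and all traffic are constructed for the example; a real deployment would call an actual WAF engine where `waf_inspect` stands.

```python
"""Toy WAF-as-a-service decision layer: passive out-of-band scoring plus
business context deciding which live requests take the inline detour.
Added example for this page; rules, fields and traffic are constructed."""
from collections import Counter
from dataclasses import dataclass, field
from enum import Enum
import re


class Verdict(Enum):
    ALLOW = "allow"   # served directly, no WAF latency on the request path
    ROUTE = "route"   # detoured through the inline WAF; its decision is honoured
    BLOCK = "block"


@dataclass
class Request:
    client_ip: str
    path: str
    query: str
    authenticated: bool = False


@dataclass
class BusinessContext:
    """Knowledge the WAF itself does not have (constructed for the example)."""
    sensitive_paths: set = field(default_factory=set)  # always detoured, e.g. login
    search_paths: set = field(default_factory=set)     # free-text search, noisy for SQLi rules
    route_threshold: int = 2                           # passive hits before a client is detoured


# Stand-in for the WAF engine: two signature rules, enough to show the flow.
RULES = {
    "sqli": re.compile(r"(?i)\bunion\b.+\bselect\b|'\s*or\s*'1'\s*=\s*'1"),
    "traversal": re.compile(r"\.\./"),
}


def waf_inspect(req: Request) -> set:
    """Return the names of the rules that fire on path and query string."""
    text = f"{req.path}?{req.query}"
    return {name for name, rx in RULES.items() if rx.search(text)}


class WafService:
    def __init__(self, ctx: BusinessContext):
        self.ctx = ctx
        self.passive_hits = Counter()  # per-client count fed by the out-of-band stream

    def _is_known_false_positive(self, req: Request, hits: set) -> bool:
        # Business context: authenticated users typing into a free-text search box
        # trip SQLi rules constantly; that alone is not worth an alert or a block.
        return req.authenticated and req.path in self.ctx.search_paths and hits == {"sqli"}

    def observe(self, req: Request) -> set:
        """Passive mode: inspect a mirrored request and remember which clients
        keep tripping rules. Never blocks and adds no latency to the user."""
        hits = waf_inspect(req)
        if hits and not self._is_known_false_positive(req, hits):
            self.passive_hits[req.client_ip] += 1
        return hits

    def decide(self, req: Request) -> Verdict:
        """Active mode: pick the path for a live request."""
        needs_waf = (
            req.path in self.ctx.sensitive_paths
            or self.passive_hits[req.client_ip] >= self.ctx.route_threshold
        )
        if not needs_waf:
            return Verdict.ALLOW          # the common case: zero added latency
        hits = waf_inspect(req)           # inline inspection only for the detoured few
        if hits and not self._is_known_false_positive(req, hits):
            return Verdict.BLOCK
        return Verdict.ROUTE


def demo() -> dict:
    """Run constructed traffic through both modes and return the verdicts."""
    svc = WafService(BusinessContext(sensitive_paths={"/login"}, search_paths={"/search"}))
    # Mirrored requests as they would arrive on the out-of-band stream.
    svc.observe(Request("203.0.113.7", "/products", "id=1 UNION SELECT password FROM users"))
    svc.observe(Request("203.0.113.7", "/files", "name=../../config.ini"))
    svc.observe(Request("198.51.100.4", "/search", "q=union all select from catalog", authenticated=True))
    return {
        "noisy_client_blocked": svc.decide(Request("203.0.113.7", "/products", "id=1 UNION SELECT 1")),
        "noisy_client_clean": svc.decide(Request("203.0.113.7", "/products", "id=1")),
        "quiet_client_direct": svc.decide(Request("192.0.2.9", "/products", "id=1 UNION SELECT 1")),
        "sensitive_path_clean": svc.decide(Request("192.0.2.9", "/login", "next=/home")),
        "search_fp_tolerated": svc.decide(Request("198.51.100.4", "/search", "q=x' or '1'='1", authenticated=True)),
        "passive_hits": dict(svc.passive_hits),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

The `quiet_client_direct` case deliberately shows the drawback the talk mentions: a first malicious request from an unknown client on an ordinary path is served without inspection and only surfaces on the passive side. Which paths always detour and how many passive hits a client may accumulate are the knobs that trade latency against coverage.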

How did you come up with it? Was there something like an initial spark that set your mind on creating this talk?

Due to constraints of not being able to implement a commercial WAF, due to the latency it might add and fear of false positives, I came up with a design that would solve both of these problems. This led to finding other benefits, such as the use of business logic and the ability to add multiple types of WAFs and enhancements improving detection.

Why do you think this is an important topic?

I think it’s an important topic due to the problems that affect today’s WAFs. Lack of context awareness and false positives make them less effective and mostly unused in companies that can’t deal with their false positive rate, or, if they decide not to block, would just suffer from alert fatigue. Showing that a false positive rate can be managed and context can enhance WAFs’ analysis would allow them to take advantage of their domain knowledge to improve detection.

Is there something you want everybody to know – some good advice for our readers maybe?

While WAFs get a bad reputation, they are a useful layer of defence for any company that has web applications. I would advise them to consider if this talk could be useful in other contexts, and where we could use known security components and enhance their capabilities with a more service oriented architecture.

A prediction for the future – what do you think will be the next innovations or future downfalls when it comes to your field of expertise / the topic of your talk in particular?

I think that while Runtime Application Self-Protection (RASP) is the natural progression for web application defence, it is still missing context awareness, a drawback similar to our current WAF implementations, which is one of the features I’m introducing in this talk. I would expect that using a similar approach with RASPs will allow them to become more effective and in some cases less intrusive.

Juan Berner is a security researcher with over 8 years of experience in the field, currently working as Security Lead Developer at, as SME for Application Security and Architect for security solutions.

DeepSec 2018 Special Training: Bug Hunting Millionaire – Mastering Web Attacks with Full-Stack Exploitation

The first documented computer bug. Source: US Navy.

How do bugs in software get fixed? Well, first of all you have to find them. All code has bugs. Most probably, that is. Usually developers and users of applications find bugs. The history of information security has taught us that now attackers also look for bugs in software. Therefore flaws in code leading to security vulnerabilities have a higher priority for both developers and adversaries. The problem is that software testing finds all kinds of bugs and not always the important ones. Where is the incentive to go and debug software? Well, there is quality assurance, there is full disclosure, and now there are bug bounties.

Bug bounties are rewards for bugs in software that have an impact on security. Companies offer these bounties as a means of software quality testing. Bug bounties can be claimed by anyone. You just have to make sure that the fault can be reproduced. Documentation is important. This work is very important, because finding vulnerabilities before they can be used for attacks or deployment of malicious software is the best defence. Bad news is good news. HackerOne, a platform for hacker-powered security, has reached the milestone of $20 million in rewards to hackers. Their aim is to get to $100 million by 2020. That’s a lot of motivation. So how do you get the money?

In order to find weaknesses in applications, you have to acquire some skills and work on your mindset. First of all you absolutely have to master web application technology. Everything has a web server or talks to one. Modern web applications are complex, and it’s all about full-stack nowadays. This is the key. It’s not just watching request and response. You have to use and to understand all the layers and components involved. REST APIs, AngularJS, bypassing Content Security Policy, know your browser, NoSQL injection, database truncation attacks, type confusion vulnerabilities, exploiting race conditions, subdomain takeover, server-side request forgery, and more knowledge is required to find security-related bugs. This is way beyond the standard quality assurance. You have to know about software development, information security, and the tools of both worlds.

DeepSec has teamed up with Dawid Czagan (@dawidczagan) to turn you into a Bug Hunter. Dawid is one of the top 10 HackerOne bug hunters. He has found security vulnerabilities in applications from Google, Yahoo, Mozilla, Microsoft®, Twitter, Tesla, BlackBerry, Atlassian, and other companies. Due to the severity of many bugs, he received numerous awards for his findings. Dawid has prepared a two-day training for DeepSec attendees. Instead of spending months with books on your knees and hacking hard, he will guide you through the skills needed to find bugs in modern web applications and make money for your work in bug bounty programs. Only intermediate knowledge of web application security is needed. If you have done some common web application vulnerability research and know how to use debugging/security proxies (such as Burp Suite Proxy or similar), then you have a good start in terms of requirements. The training session will take you to the next level. We invite penetration testers, bug hunters, security researchers, and consultants to participate.

What students will receive: Students will receive a VMware® image with a specially prepared testing environment to play with the bugs. What’s more, this environment is self-contained and when the training is over, students can take it home (after signing a non-disclosure agreement) to hack again at their own pace.

What students should know: To get the most out of this training intermediate knowledge of web application security is needed. Students should be familiar with common web application vulnerabilities and have experience in using a proxy, such as Burp Suite Proxy, or similar, to analyze or modify the traffic.

What students should bring: Students will need a laptop with a 64-bit operating system, at least 4 GB RAM (8 GB or more preferred), 35 GB free hard drive space, USB port (2.0 or 3.0), wireless network adapter, administrative access, the ability to turn off AV/firewall, and VMware® Player/Fusion installed (64-bit version). Prior to the training, make sure there are no problems with running 64-bit VMs (BIOS settings changes may be needed). Please also make sure that you have Internet Explorer 11 installed on your machine or bring an up-and-running VM with Internet Explorer 11 (you can download it from Microsoft®).

DeepSec 2018 Training: Hunting with OSSEC – Xavier Mertens

“OSSEC is sometimes described as a low-cost log management solution, but it has many interesting features which, when combined with external sources of information, may help in hunting for suspicious activity occurring on your servers and end-points”, says Xavier Mertens, who is giving a training called “Hunting with OSSEC” at this year’s DeepSec.

“During this training, you will learn the basics of OSSEC and its components, how to deploy it and quickly get results. Then I will demonstrate how to deploy specific rules to catch suspicious activities. From an input point of view, we will see how easy it is to learn new log formats to increase the detection scope and, from an output point of view, how we can generate alerts by interconnecting OSSEC with other tools like MISP, TheHive or an ELK Stack / Splunk / etc…”

We asked Xavier a few more questions about his course.

Please tell us the top 5 facts about your training.

1. It is mandatory to keep an eye on event logs to catch new threats or suspicious behaviors
2. There is plenty of information available on the Internet that could improve your monitoring process
3. Endpoints are the weakest point of your network, they must be kept under the radar
4. Security controls can be implemented at a low cost
5. Integration / sharing of information is key

How did you come up with it? Was there something like an initial spark that set your mind on creating it?

I’ve been a big fan of OSSEC for years and have already blogged a lot about it. I participated in the project (ex: I wrote the initial GeoIP support). And, of course, I’m using it daily to monitor my infrastructure. Many (small) organizations do not have the resources to implement, or seem afraid to deploy, solutions like OSSEC. I think it was time to wrap up all this content and propose it as a training.

Why do you think this is an important topic?

Despite the fact that we deploy more and more security controls at our network boundaries, we still see compromised hosts, data leaks, etc. Keeping an eye on events is key to detecting all suspicious activity as soon as possible.

Is there something you want everybody to know – some good advice for our readers maybe?

Sharing and integration of tools are a key point. Each of them has interesting data that could be reused by other tools to improve detection capabilities. The training could be interesting for Blue Team people or system/security engineers. Investing in tools like OSSEC will also raise your overall protection and, in case of an incident, you will already have some data to analyze.

A prediction for the future – what do you think will be the next innovations or future downfalls when it comes to your field of expertise / the topic of your training in particular?

We will be more and more flooded with “security data” that must be analyzed. The challenge is really to find the needle in a haystack. The key message is not to ask “if” you’ll face a security incident but “when” you will face one. Be prepared!

Xavier Mertens is a freelance cyber security consultant based in Belgium. His daily job focuses on protecting his customers’ assets by applying “offensive” (pentesting) as well as “defensive” security (incident handling, forensics, log management, SIEM, security visualisation, threat hunting, OSINT). Besides his daily job, Xavier is also a security blogger, a SANS Internet Storm Center Senior Handler, and co-organizer of the BruCON security conference.

DeepSec 2018 Talk: DNS Exfiltration and Out-of-Band Attacks – Nitesh Shilpkar

“The Domain Name System or DNS is one of the most fundamental parts of the Internet”, says Nitesh Shilpkar. “It is crucial for billions of users daily, as it helps us build a presence on the internet using names humans can understand rather than IP addresses. However, DNS comes with security issues organizations should be aware of and take into consideration. Attackers are abusing the DNS to redirect traffic to malicious sites, communicate with command and control (C&C) servers, steal data from organizations and conduct massive attacks that cause harm to organizations. Many organizations are not prepared to mitigate, or even detect, the problems DNS might bring.
Due to the criticality of DNS to maintain an Internet presence, access applications, connect to a network or simply send an email, everyone has the potential to be impacted by DNS vulnerabilities. Since DNS is important for routing traffic, it simply cannot be disabled. Organizations should look for ways to protect their DNS data. We should learn about ways to manage the attack surface DNS offers and also to benefit from the capabilities DNS has to offer.
Security companies and vendors are getting more aware of the fact that DNS is the first line of defence and, since all the traffic is routed through the DNS, it acts as a good resource for analysing any form of malicious traffic or attacks. Most vendors now provide IP address management (IPAM) data for diagnosing the network traffic regarding network and security problems. DNS plays an important role for malware detection based on its logical place in the network architecture. Incident Response teams look to DNS, DHCP and IPAM data for carrying out thorough investigations and improving threat hunting capabilities.
DNS traffic should become one of the main points for network traffic data analysis, which would help organizations improve their detection and analysis capabilities in order to be ready for what may come.”
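As an added example (not part of Nitesh Shilpkar’s talk or material), the following Python script implements the kind of DNS log analysis the quote argues for: it groups resolver queries by zone and scores each zone on unique-name count, leftmost-label length and entropy, and the share of TXT/NULL records, the features that chunked data moving through DNS tends to inflate. The log format, the zone heuristic (last two labels, no public suffix list) and the thresholds are constructed for the example; the sample queries under `tunnel.example.org` carry hex-encoded filler text.

```python
"""Per-zone heuristics over DNS resolver logs to surface exfiltration-like
query patterns. Added example for this page; log format, zone heuristic and
thresholds are constructed, not taken from any product."""
import math
from collections import defaultdict

# Constructed resolver log, one query per line: "<epoch> <client> <qname> <qtype>".
# The labels under tunnel.example.org are hex-encoded filler text standing in
# for chunked data; everything else is ordinary-looking traffic.
SAMPLE_LOG = """\
1535000001 10.0.0.5 www.example.com A
1535000002 10.0.0.5 mail.example.com MX
1535000003 10.0.0.7 cdn.static.example.net A
1535000004 10.0.0.9 636f6e7374727563746564.0000.tunnel.example.org TXT
1535000005 10.0.0.9 2073616d706c652064617461.0001.tunnel.example.org TXT
1535000006 10.0.0.9 206e6f74207265616c.0002.tunnel.example.org TXT
1535000007 10.0.0.9 73656e7369746976652e.0003.tunnel.example.org TXT
1535000008 10.0.0.9 7468697320776f756c64.0004.tunnel.example.org TXT
1535000009 10.0.0.7 api.example.com A
"""


def shannon_entropy(s: str) -> float:
    """Bits per character; random-looking labels score higher than words."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def zone_of(qname: str) -> str:
    """Naive registered-domain guess: last two labels (no public suffix list)."""
    return ".".join(qname.lower().rstrip(".").split(".")[-2:])


def parse_log(text: str) -> list:
    """Parse the constructed log format; malformed lines are skipped, not fatal."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, client, qname, qtype = parts
        records.append({"ts": int(ts), "client": client,
                        "qname": qname.lower().rstrip("."), "qtype": qtype.upper()})
    return records


def analyse(records: list, min_unique: int = 5, label_len: float = 16.0,
            entropy: float = 3.5, txt_ratio: float = 0.5) -> dict:
    """Score every zone; metrics["suspicious"] is set when a zone has many
    distinct names AND long or high-entropy leftmost labels or a TXT/NULL-heavy mix."""
    per_zone = defaultdict(list)
    for r in records:
        per_zone[zone_of(r["qname"])].append(r)
    report = {}
    for zone, recs in per_zone.items():
        unique = {r["qname"] for r in recs}
        leftmost = [r["qname"].split(".")[0] for r in recs]
        mean_len = sum(map(len, leftmost)) / len(leftmost)
        mean_ent = sum(map(shannon_entropy, leftmost)) / len(leftmost)
        txt = sum(r["qtype"] in ("TXT", "NULL") for r in recs) / len(recs)
        suspicious = len(unique) >= min_unique and (
            mean_len >= label_len or mean_ent >= entropy or txt >= txt_ratio)
        report[zone] = {
            "queries": len(recs), "unique_names": len(unique),
            "mean_label_len": round(mean_len, 1), "mean_entropy": round(mean_ent, 2),
            "txt_ratio": round(txt, 2), "clients": sorted({r["client"] for r in recs}),
            "suspicious": suspicious,
        }
    return report


def suspicious_zones(text: str) -> list:
    """Convenience wrapper: zones in a raw log that cross the thresholds."""
    return sorted(z for z, m in analyse(parse_log(text)).items() if m["suspicious"])


if __name__ == "__main__":
    for zone, metrics in analyse(parse_log(SAMPLE_LOG)).items():
        flag = "SUSPICIOUS" if metrics["suspicious"] else "ok"
        print(f"{zone:20} {flag:10} {metrics}")
```

The thresholds are starting points, not tuned values: CDNs and anti-spam services also produce many unique, long labels under one zone, so in practice the report is a hunting lead to combine with DHCP/IPAM data on the client, as the quote suggests, rather than an alert on its own.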

We asked Nitesh a few more questions about his topic of expertise.

Please tell us the top 5 facts about your talk.

1. DNS is quite neglected in terms of security monitoring.
2. My talk is quite to the point.
3. It includes case studies with relevant examples.
4. It helps to shed a much needed light on DNS.
5. It’s my first conference as a speaker.

How did you come up with it? Was there something like an initial spark that set your mind on creating this talk?

I came up with this topic during a pentest, when I could not find much available material on exploiting “out-of-band” attacks.

Why do you think this is an important topic?

This is an important topic because it points out the facts about DNS, the risks associated with DNS, and, most of all, how one can exfiltrate data using DNS.

Is there something you want everybody to know – some good advice for our readers maybe?

I’ll just say, this is my first conference as a speaker and I’ve always wanted to share my knowledge related to security; your presence at this talk would be a great encouragement.

A prediction for the future – what do you think will be the next innovations or future downfalls when it comes to your field of expertise / the topic of your talk in particular?

I think the future of pentesting is much more than just red-teaming. In the future companies will be so security aware that they will go for security assessments anytime just to check their resilience.

Nitesh Shilpkar is a security researcher currently working with PwC Singapore. He has received CVEs for finding bugs in products like Adobe ColdFusion, Adobe Shockwave Player, Apple iCloud and Amazon Kindle. He has been acknowledged by over 40 websites such as Facebook, Google, AT&T etc. He currently holds certifications like OSCE, OSCP, OSWP, CREST-CRT. His interests lie in Exploit Development and Research.

ROOTS 2018 Call for Papers – Deadline extended

Top/Antitop quark event (image).

The ROOTS 2018 deadline for abstract submissions has been extended. The new deadline is 17 September 2018. Authors will be notified by 30 September 2018. We need your camera-ready papers by 13 October 2018. Please spread the word. The Reversing and Offensive-Oriented Trends Symposium 2018 still accepts your research. We are looking forward to the results of your work. Information security is all about well-researched facts and reproducible findings. If you need some more time to prepare your submission, this is the time. Let us know if you need help when submitting.

The first European symposium of its kind, ROOTS aims to provide an industry-friendly academic platform to discuss trends in exploitation, reversing, offensive techniques, and effective protections. Submissions should provide novel attack forms, describe novel reversing techniques, or effective deployable defences. Submissions can also provide a comprehensive overview of the state-of-the-art, and pinpoint promising areas that have not received appropriate attention in the past.

DeepSec and Tor Tickets – Update

Red onion to illustrate Tor (image).

We wrote about the German Tor relay operator organisation Zwiebelfreunde e.V. a while ago. They were raided on 20 June 2018 by the German police at five different locations. The police were investigating a German left-wing blog and were trying to find the author of articles published there. As many of you know, Tor exit relays are the last hop in a chain of communication channels, so the operator’s servers appear as the origin of the traffic. However, Tor exit relays bear no relation to the real origin of the transmission. This is the essence of the Tor anonymity network. Zwiebelfreunde e.V. is a non-profit organisation that runs Tor nodes for anyone donating money (realised by the project). Their nodes have a combined bandwidth of 5000 Mbit/s. They know what they are doing, they know what information security is, and they offer a service for all of us, because law enforcement, journalists, security researchers, and many more use Tor on a daily basis. It turns out that the raids were illegal. A German court confirmed this yesterday. Essentially the police raided witnesses, which is somewhat counter-productive for investigations.

Back in June we introduced Tor tickets for DeepSec. They differ in price, and the difference will be donated to Zwiebelfreunde e.V. for their support of Tor nodes. We do this to thank the Tor community for their work. They are an important part of the information security ecosystem. We had and will have speakers from the Tor community at DeepSec conferences. Despite the decision of the court regarding the raids, we will keep the Tor tickets in the shop to give something back. Of course you can donate them directly, and we encourage you to do so. Help to make the digital world a safer place.

DeepSec 2018 Conference “Smart is the new Cyber” – Preliminary Schedule published

VHF-Funkgerät SE-227 der Schweizer Armee (VHF radio of the Swiss Army, image).

The preliminary schedule for DeepSec 2018 has been published. It took us some time to select and review all submissions. We cracked the 100 submissions mark, so we are pleased that you made it very difficult for us this year. The number of slots for presentations and workshops has been constant, while the amount of content being submitted is steadily growing. We hope we did a good job and that you find a pleasant mixture of topics (as pleasant as information security can get). All speakers have been informed. There may be some changes to the schedule, which we will announce on our blog.

The abstracts of every presentation and workshop will be discussed in-depth here on the blog as well. We have asked the trainers and speakers some questions. As soon as we get the answers, you will find them here. Some will provide an article describing a specific aspect of the topic they are addressing.

The ticket shop is already being used. Now is the time to get early bird tickets and save some money. If you know some full-time students who are interested in information security, please let them know about our discount for academics. Given the rampant misinformation we need all the science we can get. The academic discount is also valid for the trainings. If you are interested in a specific training, please book the tickets as soon as possible! Not all trainers live around the corner, and they need to prepare their travel. Every year we have disappointment, and people need to switch courses. Do yourself a favour and make up your mind as soon as possible.

Looking forward to seeing you all in Vienna in November!

New date, same Location: DeepINTEL 2018 has been moved

Jubilee and Munin, Ravens of the Tower of London. © User:Colin / Wikimedia Commons / CC BY-SA 4.0

DeepINTEL 2018 has been moved in time, not in space. DeepINTEL 2018 will take place on 28 November 2018, the second day of trainings at DeepSec. DeepINTEL will run in parallel, and for one day instead of the original two days. We had to move because of organisational constraints. By moving DeepINTEL we hope to create a better placement for the security intelligence platform. In addition, the DeepINTEL Call for Papers becomes easier, allowing trainers and speakers at DeepSec to contribute specific content to DeepINTEL.

In case you have some content for us: the focus for 2018 is stealthy and persistent attacks. This is the classic espionage attack vector, only with modern means. Ubiquitous networking, complex trust relationships, and the increased flow of information (and code) are the perfect breeding ground for advanced and persistent threats. We would like to discuss past and present threats in this context without the hype. Essentially we would like to focus on (industrial) espionage and the methods of nation state actors. If this sounds interesting and you have something to say on this topic, please let us know as soon as possible.

DeepSec Call for Papers Ended – Review Process – Melting Brains – Hard Facts

Year by year it is getting harder to review the growing numbers of submissions. Thanks a lot for your contribution! It’s always a pleasure to read what you sent us. We have started to review as soon as you submit, but given the heat and the sheer number of submissions, it will take a few more days. We only have two days of trainings and two days of conference – which isn’t nearly enough. We will try to come up with a schedule that covers current events, science, and threats of tomorrow.

A photograph of papyrus (public domain image).

Speaking of science, the Call for Papers for ROOTS 2018 is still running! We like to see more solid research in information security. It’s easy to get headlines or flourish on social media, but information security needs to do its homework. This means you have to get rid of bias, make sure your results can be reproduced, and most importantly be able to defend your claims with facts. Every year we get the same rock star/best logo/much-noise-less-signal discussion. On top of that someone writing about the newest development may get something wrong, and thus everything gets worse very fast. The motto „Science First!“ and the birth of the Reversing and Offensive-oriented Trends Symposium (ROOTS) parallel to the DeepSec conference were meant to combine information with security. Our work is based on observation, careful analysis, well-written documentation, and solid evidence. It doesn’t matter if you believe that something works or doesn’t work. In addition we should be open to analysis and question the wisdom and experience we all use every day. Maybe we missed something – if so, we need to know.

So, we try to keep our heads cool, not easy in the Summer heat, and we will continue to review what you submitted. Please relay the ROOTS CfP to everyone doing research. We’d love to have presentations about the results of research in Vienna in November!

DeepSec 2018 Call for Papers – Deadline today!

Sadly the climate does not extend deadlines. The Call for Papers of DeepSec In-Depth Security Conference 2018 ends today at midnight. Please make sure that you send us your submission in time. All submissions reaching us before the deadline ends have priority over any later submissions! We will leave the submission form online for a while longer in order to compensate for the heatwave currently rolling over Europe.

Don’t forget that the Call for Papers for ROOTS 2018 (the Reversing and Offensive-oriented Trends Symposium) is still open and accepts submissions! Please spread word about ROOTS. We would like to feature „Science first!“ again in 2018.

A big thank you for all who already sent us their content! As always we will have a hard time sorting through everything and selecting the presentations and trainings.

New in the DeepSec Ticket Shop: Tor Tickets for Early Birds and InfoSec Minds

We have a new category in the DeepSec ticket shop. We now have Tor tickets! Why is that? Well, information security relies heavily on the tools of the trade and the knowledge to use them. Tools can be created and used, knowledge can be shared and used. This is not a new insight. The special Tor tickets are a way to help the German non-profit registered association Zwiebelfreunde e.V. to reboot their infrastructure. They run Tor nodes and provide the necessary infrastructure to do this. Members of Zwiebelfreunde have been speakers at DeepSec in the past because they are also active security researchers. The difference between the Tor ticket and the normal ticket price will be given to them to recover the damage to their infrastructure.

Security tools such as Tor are widely used by law enforcement, agencies, security researchers, academics, normal people, businesses, and more. The Tor project maintains a list of typical Tor users. Non-profit organisations keep Tor alive, and the ticket category is our contribution. We use Tor and other security tools daily too. So if you want to contribute you just need the right ticket. We will confirm your contribution and send the price difference to Zwiebelfreunde. Security is a team effort. We hope that some of you give their support as well.

ROOTS and DeepSec 2018 Call for Papers – Reminder and Bugfix

The ROOTS and DeepSec Calls for Papers are still running! We did some bugfixing on the web page, so the deadline for any ROOTS submissions is now 26 August 2018. Please spread the word and submit your research. If you need any assistance feel free to contact us.

The DeepSec Call for Papers closes on 31 July 2018. Now is the time for your submission. We are looking forward to seeing your presentation on stage at DeepSec 2018!

Thoughts on the Information Security Skill Set

As mentioned in an earlier blog article we moved our office infrastructure to a new location. Once you use a space for more than a decade things inevitably pile up. So I had to sort through hardware, software (on optical storage media and floppy disks), lecture notes from a previous life, ancient project documentation, and notes on ideas for a brighter future. Most things were thrown away (i.e. responsibly recycled), some stuff could be saved by enthusiasts (for example the two old Amigas that were sitting in the basement). All of the things we had to move had a purpose once. The main purpose was to get familiar with technology, accumulate knowledge, and understand how things work. This is essentially the hacker mindset, also found among scientists. Given the many presentations at past DeepSec conferences, the workshops, the many hours spent with bad documentation and even worse code, there is a simple question: what do you need to know to work in information security?

I want to give you an example for illustration. During the past weeks I had to write a summary about the state of affairs regarding Transport Layer Security (TLS) for email transport. If you have 20+ years of actual experience as a postmaster, running MTAs and routing email, and you haven’t stopped looking at new protocols or standards, then you know all you need. Nevertheless it took days to get the document done. Written correctly, it featured almost 100 sources for everything mentioned. The introduction alone was the biggest part. You have to understand all the parts involved – Internet protocols such as DNS (which includes DNSSEC and DANE), the SMTP family, SSL/TLS obviously, but also local considerations such as storage and the intermediate end points of the message chain, cryptography (X.509, algorithms and friends), and more stuff I leave out here. After that you can get to the point and describe the current state of affairs. This says a lot about the skills necessary for a „simple“ thing such as email transport. Yet you are right in the middle of information security, because even as a system administrator you are responsible for doing the best you can to protect the content your systems are transporting. End-to-end encryption is still missing from this picture.

Modern society runs on and requires an army of specialists. The days in science when a researcher could know everything in all fields were probably more than 300 years ago (my teachers taught me that Gottfried Wilhelm Leibniz was the last human who could do this. They might have been wrong about this though, it’s hard to measure what people really know and what they don’t). Information security is no different. Security tests and implementations are done in teams. Learning is done in groups. Knowing a single skill set is not enough. Having worked in three different fields for some time (i.e. longer than a year) is a good start. Sysadmins often say: „Rome wasn’t burnt in one day.“ 😈 It’s true. 🙃 People new to information security often don’t know where to start. Well, the fact is that you have to start more than once, and you have to keep going. This is exactly why we have supported the Rookie Track at BSidesLondon for years. You need to be around a group of people who will share their experience and give you insights into what you can do next. Make sure never to start from unfamiliar ground. If you are interested in secure communication, then you have to know about communication in general first (you might even want to forget about digital ways to communicate to get a good start; most things don’t change when being turned digital).

The DeepSec schedule will be published in three weeks. We work hard to give you the diversity you need, topic-wise and human-wise, to get a good start on, and to continue along, your information security path. If you have a knack for teaching, think about submitting a presentation with these thoughts in the back of your mind. If you want to acquire a knack for teaching, please submit too. You have to start somewhere, and in information security you will never start without helping hands.