Infrastructure Update – Privacy Shield, Call for Papers, DNSSEC, ROOTS, and Humidity

René Pfeiffer/ July 11, 2018/ Administrivia, High Entropy

Our blog has been a bit silent in the past weeks, because we had to move some stuff around and rearrange our infrastructure. The old office had a problem with too much water. Leaking is for whistleblowers, not water pipes. Rain is fine if the water can get to the drains. If you take a look at the photograph, imagine the scene with Summer temperatures and a high dose of humidity. Moving infrastructure around is a lot more fun when having APIs, lots of bandwidth, and server minions to take care of the storage. This wasn’t the case with our office infrastructure in meatspace. So we did a bit of a workout. It’s amazing what ancient hardware you can find when sorting through real storage space. Remember AUI Ethernet connectors with matching network interface


DeepSec Web Server is moving today

René Pfeiffer/ June 18, 2018/ Administrivia

We are doing a little relocation of computing infrastructure today. Between 2000 and 2200 CEST we will shift the computing node to a new location. Most content is still being delivered by the reverse proxy, but you may encounter errors for the call for papers manager. For those of you who got a 5xx HTTP status code when submitting a workshop or a talk, we hope that the new infrastructure will solve this problem.

Call for Papers: Reversing and Offensive-Oriented Trends Symposium (ROOTS) 2018

René Pfeiffer/ June 16, 2018/ Call for Papers, Security

ROOTS 2018 The second Reversing and Offensive-Oriented Trends Symposium (ROOTS) 2017 opens its call for papers. ROOTS is the first European symposium of its kind. ROOTS aims to provide an industry-friendly academic platform to discuss trends in exploitation, reversing, offensive techniques, and effective protections. Submissions should provide novel attack forms, describe novel reversing techniques or effective deployable defences. Submissions can also provide a comprehensive overview of the state-of-the-art, and pinpoint promising areas that have not received appropriate attention in the past. To facilitate interaction with industry, the ROOTS ticket will be valid for all DeepSec conference tracks on both days, including the industry tracks, and the DeepSec conference tickets for the industry track will be valid for ROOTS. The usual rules for academic discounts apply. Please contact the DeepSec staff or our sponsors for


BSidesLondon 2018 Rookie Track Follow-Up

René Pfeiffer/ June 8, 2018/ Conference, Discussion, High Entropy

We would like to share some impressions about the BSidesLondon 2018 Rookie Track presentations. It gets harder and harder to tell which one of the talks is the best. And picking a winner is not the right approach. We do this, because we can only invite one person to DeepSec, and because the intention is to have a motivation to work hard on the presentation. From what we have seen, we were quite impressed. The quality has much improved, also thanks to the tireless efforts of the mentors (if you see someone with a mentor badge, please buy them a drink!). Apart from the 15-minute time slot, some talks were hard to distinguish from their bigger cousins in the main tracks. The topics were well-chosen. The mix was great. Every single rookie did


Big Data Analytica – What Attackers might be after

René Pfeiffer/ June 8, 2018/ Discussion, High Entropy, Security Intelligence

A while ago the Cambridge Analytica issue rocked the news and the online discussions about how personal data and profiles should be used. Frankly the surprise of data being abused comes as a surprise. The terms and conditions of most online portals, services, and platforms contain lots of rights – which you give to the owner of the platform. Once something is concentrated, cached, and accessible to digital evaluation, it will be harvested for its content and context. It’s as simple as that. This has always been the case. Penetration testers (best case) select their targets based on this criterion (among others). What has all of this to do with information security? Well, information security, just as the social media platforms, just can’t do without analysing data. The difference is how to protect and


Rookie Track – BSidesLondon 2018

René Pfeiffer/ June 5, 2018/ Conference, Security

We are looking forward to seeing the Rookie Track at BSidesLondon 2018! If you are curious what the rookies have to say, drop by and have a look! Presentations are meant to be heard. Do the newbies a favour and listen to them. They have put a lot of work into their 15-minute talk slot. They deserve an audience. Presenting a topic is hard. You have to understand what you are talking about. Furthermore you need to know a bit extra, because people will ask questions. Richard Feynman once said: If you want to master something, teach it. A great way to learn is to teach. If you have ever conducted a workshop, this will sound familiar. DeepSec sponsors the winner of the rookie track – a ticket to DeepSec 2018 and a


DSGVO / GDPR / RGPD Update – We have Policies and Stuff!

René Pfeiffer/ May 25, 2018/ Administrivia, High Entropy

In information security, policies are like opinions – everyone has one or more. So this is why we did some updating. You can now find our privacy policy on the main DeepSec web site and on our blog. We use few third party services, because most of our infrastructure is hosted on our own systems. When it comes to (tele)communication, payment services, and (sadly) email we have to rely on operators doing this for us. Our email infrastructure will move in the near future (i.e. in 2018). We will announce the change via your local DNS resolver when the time comes. 😊 Bear in mind that we take the agile approach when it comes to developing policies. Publish often, do rolling releases. At least that is how we understand the process. A policy is


#efail, Crypto, HTML, PDF, and other complex Topics

René Pfeiffer/ May 14, 2018/ High Entropy, Security

You probably have noticed the #efail hashtag that came with the claim that the crypto world of PGP/GPG and S/MIME is about to end. Apocalyptic announcements were made. The real news is due for 15 May 2018 (i.e. the publication with all the facts). There was even the advice to stop using encryption until more information is known. The authors of the bug claimed that responsible disclosure was being followed. Well, it seems that this is not the case. Judging from the Internet response, the bug depends on the content of the encrypted message, not on the protocol of the encryption or the encryption tools. Lessons learned so far: It is a bug in some mail user client software. It’s all about the content of the message and how it gets interpreted. Responsible disclosure


Reminder: DeepINTEL and DeepSec Call for Papers are still open

René Pfeiffer/ May 14, 2018/ Call for Papers

We have been a bit radio silent. We have to deal with the General Data Protection Regulation (GDPR), and we are moving our infrastructure across the Internet. The blog is already moved. Further services wait for their transport. The reason is simple maintenance work and hosting our data a bit more privacy-friendly. For example our new ticket portal features privacy by design. Since the threats to information security don’t have to deal with boring stuff such as privacy and upgrades, we would like to remind you that the call for papers for both DeepINTEL and DeepSec is still open.

Manufacturers integrate Blockchain into Processors to counter Spectre and Meltdown

René Pfeiffer/ April 1, 2018/ Discussion, High Entropy

The Spectre and Meltdown security vulnerabilities gathered a lot of attention in January. Processor manufacturers have rushed to fix the design of the chips and to patch products already in production. The vulnerabilities show that secure design is critical to our modern infrastructure. Computing has become ubiquitous, so has networking. The current fixes change the microcode on the chips. Altering the flow of assembler instructions is bound to have a detrimental impact on performance. There is not much you can do about this – but there is hope. Future generations of processors will have a defence against unknown security vulnerabilities – the blockchain! The past decade in information security has taught us that a pro-active holistic approach to IT defence is not enough. To counter unknown threats you have to go below 0(day). The


Metrics, Measurement, and Information Security

René Pfeiffer/ March 28, 2018/ Discussion, High Entropy, Security

Metric is a great word. Depending on how you use it, it changes its meaning. The metric of a network path is quite different from the metric system. When it comes to measuring something, there might be an agreement. Why bother? Because we have heard of the term security metrics being used for something which should better be called security statistics. In mathematics a metric is a function which tells you the distance between each pair of elements in a set. While this does not necessarily have to do something with distance, it is a fitting analogy. It also connects metric to physics. Measuring how far two points are apart gives you usually a distance (either a straight line or a sum of straight lines). In essence measuring something boils down to comparing your object


Advanced and In-Depth Persistent Defence

René Pfeiffer/ March 26, 2018/ Discussion, Security Intelligence

The attribution problem in digital attacks is one of these problems that get solved over and over again. Of course, there are forensics methods, analysis of code samples, false flags, mistakes, and plenty of information to get things wrong. This is nothing new. Covering tracks has been done for thousands of years. Why should the digital world be any different? Attribution policy tactics, APT, is part of the arsenal and thus part of the threats you are facing. It has less impact though, because it is only of interest when your defence is breached – and this means you have something else to worry about. Attribution is not useful for defending against threats. While you can use it to „hack back“, this will most probably not help you at all. The main problem with


Upgrade to HTTP2

René Pfeiffer/ March 23, 2018/ Administrivia

We are busy with a little housekeeping. Among other things we have changed the way you can access our blog. It is now using HTTP2. We also added encryption and redirect all HTTP requests to HTTPS. Search engines should update their caches as soon as they refresh the pages. Hopefully this does not break anything. If so, please let us know. The DeepSec blog has long been using HTTP only. This was due to infrastructure constraints. Since future versions of web browsers will give you a warning when surfing to an HTTP site, we decided to change the blog configuration. You might want to do the same before June 2018. Otherwise you might get some enquiries about the security warning. Next stop: TLS 1.3.

The Grotesqueness of the “Federal Hack” of the German Government Network

Sanna/ March 19, 2018/ High Entropy, Security Intelligence

[Editor’s note: This article was originally published on the web site of the FM4 radio channel of the Austrian Broadcasting Corporation. We have translated the text in order to make the content accessible for our English-speaking audience. We will follow-up on it with an article of our own about attribution, digital warfare, security intelligence, and the DeepINTEL conference.] A friendly secret service knew more about espionage against the German government network than the German counterintelligence. Three months after the hack was discovered, the attackers are still somewhere in this huge federal network. By Erich Moechel for fm4.orf.at One week after the announcement of the attack on the security network of the German Federal Government details only leak slowly. The first official statement on Friday claiming that the alleged Russian Trojan suite was already under


Support for BSidesLondon’s Rookie Track

René Pfeiffer/ February 27, 2018/ Security

We are proud to support the Rookie Track at BSidesLondon in 2018 again. This means that one of us will be present at the Rookie Track and that the winner will get to attend DeepSec in November. It’s hard to get a start, so we like to help the rookies with that. We also like to encourage everyone to share ideas, thoughts, code, and insights either at the Rookie Track or on the main stage. If you have never presented before, get a mentor and work on your presentation. Don’t be afraid. We like to hear your thoughts on infosec and related topics. The same is true for our U21 presentation slot. We encourage young researchers to submit a presentation to DeepSec. We also offer mentoring and help you to get your content on
