3101, 2018

Change of Ticket System for DeepSec and DeepINTEL

René Pfeiffer/ January 31, 2018/ Administrivia, Conference

We have made some changes behind the scenes, as always when preparing the new events for the year. This time we decided to change the ticket shop for both DeepINTEL and DeepSec. The reason for the new shop is its focus on privacy and security. Most shops are part of a social media network or collect too much information (can be both, depends on the interaction and the platform). It doesn’t matter if the collected information is being protected by privacy procedures or not. Our intent was to streamline the process. For you this means that you can buy your tickets as easy as before. We still have vouchers, too. Ask our sponsors. Furthermore the payment is done directly to us, so we can manage your visit to DeepSec and DeepINTEL more efficiently. Also

Read More

3101, 2018

DeepSec 2018 calls for Trainings and Content – Focus Mobility

René Pfeiffer/ January 31, 2018/ Call for Papers, Conference, Discussion

The DeepSec 2018 Call for Papers is open. The focus for this year is mobility. Mobile networks and mobile devices have established themselves firmly in our society. And mobility doesn’t end here. Transport is transforming into new technologies by incorporating access to data networks (yes, that’s the „Cloud“), the power grid (think electric vehicles), drones, new propulsion systems, artificial intelligent (sometimes even both!) personal assistants and algorithms (mathematics has become mainstream). The ever growing number of dependencies between components are a fertile breeding ground for cascading errors that impact more than your new car or your latest order from your favourite online shop. Information security must become as mobile as home deliveries of goods and electric power. And it must become common. Infosec isn’t optional any more. Since bug logos have captured the minds

Read More

2601, 2018

Secret Router Security Discussion in Germany

René Pfeiffer/ January 26, 2018/ Internet, Security

Routers are the main component when it comes to connect sites, homes, and businesses. They often „just“ take care of the access to the Internet. The firewall comes after this access device. The German Telekom suffered an attack on their routers on 2016. The German Federal Office for Information Security now tries to create a policy for securing these critical systems. In theory this should add a set of documents on how to securely operate a router for the last mile access. Information security basically runs on checklists and policies. The trouble starts with the firmware. In Germany these is a discussion about using alternative devices as access components, enabling customers and organisations to use products of their own choice. Since firmware is the worst code on this planet, changing models and code is

Read More

2401, 2018

Save the Dates for DeepSec 2018 and DeepINTEL 2018

René Pfeiffer/ January 24, 2018/ Administrivia, Conference

While everyone was busy with the holidays, Meltdown and Spectre, we did some updates behind the scenes. DeepSec 2018 will be held from 27 to 30 November 2018. We tried not to collide with Thanksgiving, so that you can come to Vienna after being with your family. As always, the first two days will be the trainings followed by two days of conference. DeepINTEL 2018 will be on 17 / 18 September 2018. We have a topical focus for both events and will present each of them in a separate article. There still some details to work out. Wordsmithing and administrivia are the equivalence of dependencies and patches in software development – necessary, but they take time. It’s worth it, you will see for yourself. We have a special message for anyone who intends

Read More

0601, 2018

Meltdown & Spectre – Processors are Critical Infrastructure too

René Pfeiffer/ January 6, 2018/ Discussion, High Entropy

Information security researchers like to talk about and to analyse critical infrastructure. The power grid belongs to this kind of infrastructure, so does the Internet (or networks in general). Basically everything we use has components. Software developers rely on libraries. Usually you don’t want to solve a problem multiple times. Computer systems are built with many components. Even a System on a Chip (SoC) has components, albeit smaller and close to each other. 2018 begins with critical bugs in critical infrastructure of processors. Meltdown and Spectre haunt the majority of our computing infrastructure, be it the Cloud, local systems, servers, telephones, laptops, tablets, and many more. Information security relies on the weakest link. Once your core components have flaws, then the whole platform may be in jeopardy. In 2017 malicious hypervisors in terms of

Read More

0112, 2017

DeepSec 2017 Presentation Slides

René Pfeiffer/ December 1, 2017/ Administrivia, Conference

While the videos are on their way to the rendering farm, the presentation slides for DeepSec 2017 can already be downloaded. We put them online as soon as we get the final version from our speakers. If you do some guessing URL-wise you can also find the presentations of past conferences at the very same spot. Since we collect the final slides after the conference and not ask speakers to put USB sticks into their computers during the conference, the download repository will fill in time. Unfortunately we cannot speed up this process. So bear with us, we are as curious as you (especially since some of us never get the see any presentation at DeepSec because there is too much to do). As for the videos, all speakers and attendees will also get

Read More

2211, 2017

DeepSec 2017 thanks you and DeepSec 2018 is almost ready

René Pfeiffer/ November 22, 2017/ Administrivia, Conference, Mission Statement

We caught up on sleep and are right in the middle of post-processing DeepSec 2017. Thanks to you all for attending, presenting, sending feedback, and being part of a great event. The slides will be online soon. The videos are being converted. We will upload them as bandwidth permits. All speakers and attendees will get a code to access them early. Thanks for your feedback as well! We listen, and we have some plans to address the issues you reported. 2018 will see a lot of improvements. We will announce the dates for DeepSec and DeepINTEL 2018 soon. The events will stay in November and September. We just need to coordinate with the venue and will let you know as soon as possible. The Calls for Papers open early in 2018, as does the

Read More

1511, 2017

DeepSec2017 U21 Talk: Lessons Learned: How To (Not) Design Your Own Protocol – Nicolai Davidsson

Sanna/ November 15, 2017/ Conference, Development, Security

“One of the first lessons of cryptography is “don’t roll your own crypto” but we were bold enough to ignore it”, says Nicolai. “Single Sign-On is so 2016 which is why we’d like to introduce its replacement, Forever Alone Sign-On – FASO. This talk will discuss one of the ugliest SSO solutions you’ll ever see, its updated, slightly less ugly, iteration, and, ultimately, FASO. We’ll discuss the use cases, questionable decisions made during the planning process, the actual self-rolled, totally vulnerable, cryptography, and the even worse code architecture. In all seriousness: The talk reflects on the design process of a SSO protocol and its first two iterations, going from a semi-functional workaround to an experimental OAuth-and-the-like alternative utilizing pre-shared keys, symmetric cryptography and implicit authentication.”   Nicolai is a security researcher at zyantific and

Read More

1511, 2017

ROOTS: Out-Of-Order Execution As A Cross-VM Side Channel And Other Applications – Sophia d’Antoine

Sanna/ November 15, 2017/ Conference, Security

Given the rise in popularity of cloud computing and platform-as-a-service, vulnerabilities, inherent to systems which share hardware resources, will become increasingly attractive targets to malicious software authors. In this talk, Sophia will introduce a novel side channel across virtual machines through the detection of out-of-order execution. She and her colleagues created a simple duplex channel as well as a broadcast channel. She’ll discuss possible adversaries for this channel and proposes further work to make this channel more secure, efficient and applicable in realistic scenarios. In addition, she considers seven possible malicious applications of this channel: theft of encryption keys, program identification, environmental keying, malicious triggers, denial of service attacks, determining VM co-location, malicious data injection, and side channels. We asked Sophia a few questions about her talk. Please tell us the top 5 facts

Read More

1511, 2017

DeepSec 2017 Talk: OpenDXL In Active Response Scenarios – Tarmo Randel

Sanna/ November 15, 2017/ Conference

Automating response to cyber security incidents is the trend which is – considering increasing amount of incidents organizations handle and ever-increasing attack surface – already becoming mainstream. In this talk Tarmo explores the options of using OpenDXL in real life situation of mixed environments, legacy solutions and multiple vendors for connecting existing (and future) cyber security system components for coordinated information exchange and orchestrating incident response action. Tarmo is a researcher at NATO Cooperative Cyber Defence Center of Excellence, various research projects and developing for large scale cyber exercises. He’s also a developer at the Estonian eHealth Foundations, “Kickstarting” in-house development team. Tarmo’s creating supporting infrastructure, preparations and execution of plans for taking over selected external vendor development projects. He’s Head of Department at CERT-EE, Running Computer Emergency Response Team, Information security expert at CERT-EE,

Read More

1411, 2017

ROOTS: On The (In-)Security Of JavaScript Object Signing and Encryption – Dennis Detering

Sanna/ November 14, 2017/ Security

JavaScript Object Notation (JSON) has evolved to the de-facto standard file format in the web used for application configuration, cross- and same-origin data exchange, as well as in Single Sign-On (SSO) protocols such as OpenID Connect. To protect integrity, authenticity and confidentiality of sensitive data, JavaScript Object Signing and Encryption (JOSE) was created to apply cryptographic mechanisms directly in JSON messages. We investigated the security of JOSE and present different applicable attacks on several popular libraries. We introduce JOSEPH (JavaScript Object Signing and Encryption Pentesting Helper) – our newly developed Burp Suite extension, which automatically performs security analysis on targeted applications. JOSEPH’s automatic vulnerability detection ranges from executing simple signature exclusion or signature faking techniques, which neglect JSON message integrity, up to highly complex cryptographic Bleichenbacher attacks breaking the confidentiality of encrypted JSON messages.

Read More

1411, 2017

DeepSec2017 Talk: Building Security Teams – Astera Schneeweisz

Sanna/ November 14, 2017/ Conference

While ‘security is not a team’, you’ll find that most companies growing just beyond 60-80 people start employing a group of people focusing primarily on the topic. But the culture of secure engineering in a company does not only strongly correlate with when you start building a security team – it becomes (and grows as) a matter of how they connect with the rest of your organization, and make security, adversarial thinking, and the care for user safety and privacy part of everyone’s concern. In this talk, Astera will review what the purposes of a security team can be, which challenges you’ll face, how you can make it scale beyond the team’s boundaries; as well as proven good practices of running (fairly operational) engineering teams themselves. Whether your organization already has a security team

Read More

1411, 2017

Notes on the ROOTS Schedule and the Conference

René Pfeiffer/ November 14, 2017/ Administrivia, Conference, Discussion

We are all set for the conference on Thursday. We did some last minute changes to the schedule due to some speakers running into issues, but we can confirm almost all presentations.You may have noticed the ROOTS schedule. It’s a bit shorter than DeepSec’s, but both events are not competing. The review for ROOTS is a lot harder, because the presentation is about a scientific publication. This means your submission gets peer-reviewed and voted by the programme committee. We received some content more suitable for, let’s say, standard events. This won’t do, and this is why you see the best submissions of ROOTS published in the schedule. All in all we are very glad to present you high quality presentations from speakers who really know information security. Enjoy! See you at DeepSec!

1411, 2017

DeepSec 2017 Talk: How I Rob Banks – Freakyclown

Sanna/ November 14, 2017/ Conference, High Entropy, Security

You are in for an adventure at DeepSec this year. We have a tour on robbing banks for you: A light-hearted trip through security failures both physical and electronic that have enabled me over the years to circumvent security of most of the worlds largest banks. Through the use of tales from the front line and useful illustrative slides, I will attempted to take you through the lessons to be learned from an ethical hacker with a penchant for breaking into the impossible. Let me take you on a rollercoaster ride of epic fails and grandiose plans and my Jason Bourne like adventures including Lockpicking, Kidnap, Police chases and multi-million pound bank heists. FC is a well-known ethical hacker and social engineer. He has been working in the infosec field for over 20 years

Read More

0311, 2017

Screening of “The Maze” at DeepSec 2017

René Pfeiffer/ November 3, 2017/ Administrivia, Conference, High Entropy

We have some news for you. Everyone attending DeepSec 2017 will get a cinematic finish on the last day of the conference. We will be showing The Maze by Friedrich Moser. For all who don’t know Friedrich’s works: He is the director of A Good American which was screened at DeepSec 2015. The Maze is a documentary covering terrorism, counter-terrorism, surveillance, business, and politics. So it’s basically information security in a nutshell. Right after the closing of DeepSec you can enjoy The Maze – with popcorn and hopefully everyone who is attending DeepSec. We have seen the documentary before, and we highly recommend it! The Maze from Friedrich Moser on Vimeo.