The ROOTS and DeepSec Calls for Papers are still running! We did some bugfixing on the web page, so the deadline for any ROOTS submissions is now 26 August 2018. Please spread the word and submit your research. If you need any assistance feel free to contact us. The DeepSec Call for Papers closes on 31 July 2018. Now is the time for your submission. We are looking forward to see your presentation on stage at DeepSec 2018!
As mentioned in an earlier blog article we moved our office infrastructure to a new location. Once you use a space for more than a decade things inevitably pile up. So I had to sort through hardware, software (on optical storage hardware and floppy disks), lecture notes from a previous life, ancient project documentation, and notes on ideas for a brighter future. Most things were thrown away (i.e. responsibly recycled), some stuff could be saved by enthusiasts (for example the two old Amigas that were sitting in the basement). All of the things we had to move had a purpose once. The main purpose was to get familiar with technology, accumulate knowledge, and understand how things work. This is essentially the hacker mindset, also found among scientists. Given the many presentations at past DeepSec
[Editor’s note: This article was originally published on the web site of the FM4 radio channel of the Austrian Broadcasting Corporation. We have translated the text in order to make the content accessible for our English-speaking audience.] How the BND monitors communication in Austria At the most important connection to the Frankfurt node DE-CIX data streams from Austria are copied in their entirety to lines of the BND. Selected results of their evaluation are returned by the BND to the Austrian Army Intelligence Office in Vienna. by Erich Moechel for fm4.orf.at The reaction of the Austrian government regarding the publication of a list of targets of the German Federal Intelligence Service (BND) in Austria has caused surprise and amusement amongst intelligence experts. The general tenor: Either the Austrian government really has no idea how
Our blog has been a bit silent in the past weeks, because we had to move some stuff around and rearrange our infrastructure. The old office had a problem with too much water. Leaking is for whistleblowers, not water pipes. Rain is fine if the water can get to the drains. If you take a look at the photograph, imagine the scene with Summer temperatures and a high dose of humidity. Moving infrastructure around is a lot more fun when having APIs, lots of bandwidth, and server minions to take care of the storage. This wasn’t the case with our office infrastructure in meatspace. So we did a bit of a workout. It’s amazing what ancient hardware you can find when sorting through real storage space. Remember AUI Ethernet connectors with matching network interface
We are doing a little relocation of computing infrastructure today. Between 2000 and 2200 CEST we will shift the computing node to a new location. Most content is still being delivered by the reverse proxy, but you may encounter errors for the call for papers manager. For those of you who got a 5xx HTTP status code when submitting a workshop or a talk, we hope that the new infrastructure will solve this problem.
ROOTS 2018 The second Reversing and Offensive-Oriented Trends Symposium (ROOTS) 2017 opens its call for papers. ROOTS is the first European symposium of its kind. ROOTS aims to provide an industry-friendly academic platform to discuss trends in exploitation, reversing, offensive techniques, and effective protections. Submissions should provide novel attack forms, describe novel reversing techniques or effective deployable defences. Submissions can also provide a comprehensive overview of the state-of-the-art, and pinpoint promising areas that have not received appropriate attention in the past. To facilitate interaction with industry, the ROOTS ticket will be valid for all DeepSec conference tracks on both days, including the industry tracks, and the DeepSec conference tickets for the industry track will be valid for ROOTS. The usual rules for academic discounts apply. Please contact the DeepSec staff or our sponsors for
We would like to share some impressions about the BSidesLondon 2018 Rookie Track presentations. It gets hard and harder to tell which one of the talks is the best. And picking a winner is not the right approach. We do this, because we can only invite one person to DeepSec, and because the intention is to have a motivation to work hard on the presentation. From what we have seen, we were quite impressed. The quality has much improved, also thanks to the tireless efforts of the mentors (if you see someone with a mentor badge, please buy them a drink!). Apart from the 15 minute time slot some talks were hard to distinguish from their bigger cousins in the main tracks. The topics were well-chosen. The mix was great. Every single rookie did
A while ago the Cambridge Analytica issue rocked the news and the online discussions about how personal data and profiles should be used. Frankly the surprise of data being abused comes as a surprise. The terms and conditions of most online portals, services, and platforms contains lots of rights – which you give to the owner of the platform. Once something is concentrated, cached, and accessible to digital evaluation, it will be harvested for its content and context. It’s as simple as that. This has always been the case. Penetration testers (best case) select their targets based on this criterion (among others). What has all of this to do with information security? Well, information security, just as the social media platforms, just can’t do without analysing data. The difference is how to protect and
We are looking forward to see the Rookie Track at BSidesLondon 2018! If you are curious what the rookie have to say, drop by and have a look! Presentations are meant to be heard. Do the newbies a favour and listen to them. They have put a lot of work into their 15 minute talk slot. They deserve an audience. Presenting a topic is hard. You have to understand what you are talking about. Furthermore you need to know a bit extra, because people will ask questions. Richard Feynman once said: If you want to master something, teach it. A great way to learn is to teach. If you have ever conducted a workshop, this will sound familiar. DeepSec sponsors the winner of the rookie track – a ticket to DeepSec 2018 and a
In information security policies are like opinions – everyone has one or more. So this is why we did some updating. You can now find our privacy policy on the main DeepSec web site and on our blog. We use few third party services, because most of our infrastructure is hosted on our own systems. When it comes to (tele)communication, payment services, and (sadly) email we have to rely on operators doing this for us. Our email infrastructure will move in the near future (i.e. in 2018). We will announce the change via your local DNS resolver when the time comes. 😊 Bear in mind that we take the agile approach when it comes to developing policies. Publish often, do rolling releases. At least that is how we understand the process. A policy is
You probably have noticed the #efail hashtag that came with the claim that the crypto world of PGP/GPG and S/MIME is about to end. Apocalyptic announcements were made. The real news is due for 15 May 2018 (i.e. the publication with all the facts). There was even the advice to stop using encryption until more information is known. The authors of the bug claimed that responsible disclosure was being followed. Well, it seems that this is not the case. Judging from the Internet response, the bug depends on the content of the encrypted message, not on the protocol of the encryption or the encryption tools. Lessons learned so far: It is a bug in some mail user client software. It’s all about the content of the message and how it gets interpreted. Responsible disclosure
We have been a bit radio silent. We have to deal with the General Data Protection Regulation (GDPR), and we are moving our infrastructure across the Internet. The blog is already moved. Further services wait for their transport. The reason is simple maintenance work and hosting our data a bit more privacy-friendly. For example our new ticket portal features privacy by design. Since the threats to information security don’t have to deal with boring stuff such as privacy and upgrades, we would like to remind you that the call for papers for both DeepINTEL and DeepSec is still open.
The Spectre and Meltdown security vulnerabilities gathered a lot of attention in January. Processor manufacturers have rushed to fix the design of the chips and to patch products already in production. The vulnerabilities show that secure design is critical to our modern infrastructure. Computing has become ubiquitous, so has networking. The current fixes change the microcode on the chips. Altering the flow of assembler instructions is bound to have a detrimental impact on performance. There is not much you can do about this – but there is hope. Future generations of processors will have a defence against unknown security vulnerabilities – the blockchain! The past decade in information security has taught us that a pro-active holistic approach to IT defence is not enough. To counter unknown threats you have to go below 0(day). The
Metric is a great word. Depending how you use it, it changes its meaning. The metric of a network path is quite different from the metric system. When it comes to measuring something, the might be an agreement. Why bother? Because we have heard of the term security metrics being used for something which should better be called security statistics. In mathematics a metric is a function which tells you the distance between each pair of elements in a set. While this does not necessarily have to do something with distance, it is a fitting analogy. It also connects metric to physics. Measuring how far two points are apart gives you usually a distance (either a straight line or a sum of straight lines). In essence measuring something boils down to comparing your object
The attribution problem in digital attacks is one of these problems that get solved over and over again. Of course, there are forensics methods, analysis of code samples, false flags, mistakes, and plenty of information to get things wrong. This is nothing new. Covering tracks is being done for thousands of years. Why should the digital world be any different? Attribution policy tactics, APT, is part of the arsenal and thus part of the threats you are facing. It has less impact though, because it is only of interest when your defence is breached – and this means you have something else to worry about. Attribution is not useful for defending against threats. While you can use to to „hack back“, this will most probably not help you at all. The main problem with