2006, 2017

BSidesLondon 2017 – Sharing is indeed Caring

René Pfeiffer/ June 20, 2017/ Discussion, High Entropy

When airport security meets information security it’s usually BSidesLondon time. It was a great experience. And since DeepSec sponsors the Rookie Track we had a very tough decision to make. It’s really hard to pick a winner. A lot of presentations were excellent, and the presenters made the most out of the 15 minutes. The winner is Thaís for her introduction to malware analysis by using satisfiability modulo theories (SMT). If you get the chance of seeing her presenting somewhere, take a seat and listen to her. We also like to recommend Colette‘s presentation titled ‘How the f**k do I get in? One woman’s struggle to break into cyber security!’. Despite the title it was not a rant, it was a clear and concise summary of the state of affairs for women in technology.

Read More

2505, 2017

The Future of Entangled Security States – Quantum Computing Conference in Berlin

René Pfeiffer/ May 25, 2017/ Conference, Security

Quantum computing is a fashionable term these days. Some IT news articles are talking about post-quantum cryptography, qbits, and more quantum stuff. If you don’t know how the terms relate to each other, what entangled states in quantum physics are, and what everything has to do with computing, then you will have a hard time figuring out what it means for you and your infrastructure. The relationship to cryptography is yet another matter best explored after you know the basics. Using quantum effects in computing and cryptography is already done. The best example are some hardware random generators which use properties of, well, the hardware to harvest entropy. And then there is quantum key distribution (QKD). It is a method to ensure secure communication between two or more nodes. Vienna even had a working

Read More

2305, 2017

Biometrics and Failures in understanding Security – Copy & Paste Iris Scans

René Pfeiffer/ May 23, 2017/ High Entropy, Security

Biometrics has an irresistible attraction. Simply by mentioning the fact that you can measure parts (or surfaces) of the body and convert them to numbers a lot of people are impressed out of their mind. Literally. In theory biometric information serves as a second set of data to be used for any purposes. A common purpose is to use it for authentication. Most physical sources of biometric data are easily accessible. Fingers (for fingerprints), eyes (for your iris), limbs (for your veins), voice (for the Cloud), and other examples show this well. Where does the security come into play? Well, it doesn’t. For starters, passwords can be changed. Biometrics can’t unless you have a transplant. In contrast to passwords biometrics can be faked. The biometric source can be copied. In most cases this is

Read More

1605, 2017

Disinformation Warfare – Attribution makes you Wannacry

René Pfeiffer/ May 16, 2017/ Discussion, High Entropy, Security Intelligence

After the Wannacry malware wreaked havoc in networks, ticket vending machines, companies, and hospitals the clean-up has begun. This also means that the blame game has started. The first round of blame was distributed between Microsoft and the alleged inspiration for the code. The stance on vulnerabilities of security researchers is quite clear. Weaknesses in software, hardware, protocols, or design needs to be documented and published. This is the only way to address the problem and to give the defenders a chance to react. The discussion about how to deal with the process is ongoing and will most likely never come to a conclusion. What about the source of the attack? Attribution is hard. Knowing who attacked has become increasingly difficult in the analogue world. Take any of the conflicts around the world and

Read More

1405, 2017

Wannacry, Code Red, and „Cyber“ Warfare

René Pfeiffer/ May 14, 2017/ High Entropy, Security

Society and businesses increasingly rely on networked infrastructure. This is not news. Worms that used networks to spread to new hosts in order to infect them is also not news. Code Red did this back in 2001. There is a new worm going around. Its name is Wannacry, and it is allegedly based on published attack code developed by the NSA. The malicious software is delivered by email. After successful installation it infects the host and propagates to other systems by using probes to port 139/TCP, 445/TCP and 3389/TCP. It belongs to the class of ransomware, encrypting files and demanding ransom. Thousands of infected systems are still active. The attack is still ongoing. If you are in doubt if you have compromised systems within your network, we recommend taking a look at how to

Read More

1205, 2017

DeepSec welcomes SEC Consult as Sponsor for 2017!

René Pfeiffer/ May 12, 2017/ Conference, Security

Testing products, production code, security measures, or the overall security of infrastructure is hard work. The typical needs in term of information technology for a company or an organisation has become a variety of components that need to be maintained and hardened against attacks. The devil is in the details. In order to find critical weaknesses you need decades of experience, a thorough understanding of the technologies in use, in-depth knowledge of processes that touch information technology, and a decent portion of creativity to come up with ways around obstacles. SEC Consult, our long-time sponsor, has all of this – and more. They publish their findings and offer consulting for anyone needing extra security. Take a look at the House of Keys project, the IoT Inspector, or gaping holes in digital forensics software that

Read More

1105, 2017

DeepSec welcomes Digital Guardian as Sponsor for 2017

René Pfeiffer/ May 11, 2017/ Conference, Security

No event can be done with supporters, and so we welcome Digital Guardian as sponsor for the upcoming DeepSec 2017 conference! If you have data in your organisation, then you might be interested in talking to Digital Guardian’s experts, because they know a lot about what data does, where it lives, what endpoints really are, how you protect it, and how you keep exclusive access to it. Since data is code on most computing architectures, there’s a double benefit. Digital Guardian is a next generation data protection platform purpose built to stop data theft. The Digital Guardian platform performs across the corporate network, traditional endpoints, mobile devices and cloud applications to make it easier to see and stop all threats to sensitive data. For more than 10 years, it has enabled data-rich organizations to

Read More

0105, 2017

Call for Papers: 1st Reversing and Offensive-Oriented Trends Symposium (ROOTs) 2017

René Pfeiffer/ May 1, 2017/ Call for Papers, Conference

ROOTs 2017 The first Reversing and Offensive-Oriented Trends Symposium (ROOTs) 2017 opens its call for papers. ROOTs is the first European symposium of its kind. ROOTS aims to provide an industry-friendly academic platform to discuss trends in exploitation, reversing, offensive techniques, and effective protections. Submissions should provide novel attack forms, describe novel reversing techniques or effective deployable defenses. Submissions can also provide a comprehensive overview of the state-of-the-art, and pinpoint promising areas that have not received appropriate attention in the past. To facilitate interaction with industry, the ROOTs ticket will be valid for all DeepSec conference tracks on both days, including the industry tracks, and the DeepSec conference tickets for the industry track will be valid for ROOTs. The usual rules for academic discounts apply. Please contact the DeepSec staff or our sponsors for

Read More

2804, 2017

DeepINTEL Update, Science First Campaign, Early Birds, and other News

René Pfeiffer/ April 28, 2017/ Administrivia, Conference

The Easter break is over. We didn’t sleep (much), and we did not look for Easter eggs in software either. Instead we did a bit of work behind the scenes. DeepSec 2017 will have some more content due to the co-hosted ROOTs workshop. The full call for papers will be ready on 1 May 2017. We will publish the text here on this blog, and email it to interested researchers. In the meantime the DeepSec 2017 Call for Papers is waiting patiently for your submission. In case you haven’t noticed, the DeepSec and DeepINTEL ticket shops are online. Please book your ticket as early as possible! Every year so far we had some people at our conference who were very sad because their favourite training was not available. If you book early you’ll help us to secure

Read More

2504, 2017

Applied Crypto Hardening Project is looking for Help

René Pfeiffer/ April 25, 2017/ High Entropy, Internet

Hopefully many of you know the Applied Crypto Hardening (ACH) project, also known as BetterCrypto.org. The project was announced at DeepSec 2013. The idea was (and is) to compile hands-on advice for system administrators, dev ops, developers, and others when it comes to selecting the right crypto configuration for an application. The BetterCrypto.org document covers far more protocols than HTTPS. OpenSSH, OpenVPN, IPsec, and more topics are described in the PDF guide. The project is run by volunteers. This is where you come in. The ACH project needs more volunteers to keep going. New GNU/Linux distributions are around the corner (the apt store never sleeps). Some vendors really do upgrade their code base. Libraries change and bleed less. Algorithms get tested, improved, and re-evaluated. The field of cryptography is moving forward, as it should.

Read More

0104, 2017

SS8 – Replacement for Insecure Signalling System No. 7 (SS7) Protocol revealed

René Pfeiffer/ April 1, 2017/ High Entropy

The ageing SS7 protocol has reached it’s end of life. Security experts around the world have criticised vulnerabilities a long time ago. SS7 even facilitated unsolicited surveillance attacks. What’s more, it has its own talks at the annual Chaos Communication Congress – which is a clear sign of fail if there is more than one presentation dealing with inherent design failures. It’s time to put SS7 to rest. Since the 1970s the requirements for signalling have clearly changed. It’s not only about telephones any more. SS8, its successor, features a brand new design and fixes the many shortcomings of SS7. New technologies such as blockchain, artificial intelligence, crowd routing, social signalling, full “tapping”, and deep state connections are now part of the core functions. Furthermore, SS8 is completely in harmony with Big Data, because it offers a

Read More

2703, 2017

DeepINTEL / DeepSec News for 2017 and Call for Papers

René Pfeiffer/ March 27, 2017/ Administrivia, Call for Papers, Conference

Changing code, layout or designs have something in common – deadlines. But you cannot rush creativity, and so the new design of the DeepSec web site took some time. The old design has served us well. We basically did not change much and used it since 2007. The new design follows the stickers we use for decoration at our conferences, the book cover of the DeepSec chronicles, and many other details we publish via documents – all thanks to the creative mind of fx. So thanks a lot fx! The content of our conference has also slightly changed. DeepSec 2017 will feature additional content, because we will introduce a third track filled with presentations from academic research. Given the fact-free discussions of information security and security in general, we would like to (re)introduce the scientific

Read More

1403, 2017

Submit your Talk – Call for Papers for BSidesLondon

René Pfeiffer/ March 14, 2017/ Call for Papers

The Call for Papers for BSidesLondon is still running! If you haven’t submitted your talk yet, please do! The deadline is 27 March 2017. Don’t miss it! The Wonderful World of Cyber is full of stuff to talk about. There is broken software all over the Internet (of Things). 0days await. Infrastructure is ready to be defended or attacked. Let others know about your ideas. If you have never presented at a conference before, then you should consider a submission for the rookie track. You have to start somewhere or somewhen, so why not at BSidesLondon? Looking forward to listen to your presentation at BSidesLondon!

1303, 2017

DeepINTEL 2017 – Modern Strategies for Information Security

Sanna/ March 13, 2017/ Conference, Security Intelligence, Veranstaltung

Seminar on Digital Defence with Experts. The news is full of reports covering attacks against networked systems and digital components. Every day there is new media coverage about stolen data, compromised accounts, the impact of malicious software, digital second strikes, cyber attacks between countries and new vulnerabilities in computer systems. All that leads to the impression that in the modern digital world we are almost helplessly vulnerable to attacks. Clever entrepreneurs benefit from the general uncertainty and sell countermeasures in the form of security software or other components, which, according to their praise, once installed will kill off every threat automatically. But the media don’t show the whole picture – hardly any report on “hacker attacks” could be called a realistic depiction of real life events. The consequence? It is not possible to build

Read More

2701, 2017

Putting the Science into Security – Infosec with Style

René Pfeiffer/ January 27, 2017/ Discussion, Security

The world of information security is full of publications. It’s like being in a maze of twisted little documents, all of them alike. Sometimes these works of art lack structure, deep analysis, or simply reproducibility. Others are perfectly researched, contain (a defence of) arguments, proofs of concept, and solid code or documentation to make a point. Information security is a mixture of different disciplines such as mathematics, physics, computer science, psychology, sociology, linguistics, or history. It’s not about computers and networks alone. There is interaction between components. Protocols are involved. Even the simple act of logging in and staying in an active session requires in some parts to talk to each other. And then there are rituals. Scepticism is widespread in information security. Questioning your environment is the way to go, but you need to

Read More