1405, 2017

Wannacry, Code Red, and „Cyber“ Warfare

René Pfeiffer/ May 14, 2017/ High Entropy, Security

Society and businesses increasingly rely on networked infrastructure. This is not news. Worms that used networks to spread to new hosts in order to infect them is also not news. Code Red did this back in 2001. There is a new worm going around. Its name is Wannacry, and it is allegedly based on published attack code developed by the NSA. The malicious software is delivered by email. After successful installation it infects the host and propagates to other systems by using probes to port 139/TCP, 445/TCP and 3389/TCP. It belongs to the class of ransomware, encrypting files and demanding ransom. Thousands of infected systems are still active. The attack is still ongoing. If you are in doubt if you have compromised systems within your network, we recommend taking a look at how to

Read More

1205, 2017

DeepSec welcomes SEC Consult as Sponsor for 2017!

René Pfeiffer/ May 12, 2017/ Conference, Security

Testing products, production code, security measures, or the overall security of infrastructure is hard work. The typical needs in term of information technology for a company or an organisation has become a variety of components that need to be maintained and hardened against attacks. The devil is in the details. In order to find critical weaknesses you need decades of experience, a thorough understanding of the technologies in use, in-depth knowledge of processes that touch information technology, and a decent portion of creativity to come up with ways around obstacles. SEC Consult, our long-time sponsor, has all of this – and more. They publish their findings and offer consulting for anyone needing extra security. Take a look at the House of Keys project, the IoT Inspector, or gaping holes in digital forensics software that

Read More

1105, 2017

DeepSec welcomes Digital Guardian as Sponsor for 2017

René Pfeiffer/ May 11, 2017/ Conference, Security

No event can be done with supporters, and so we welcome Digital Guardian as sponsor for the upcoming DeepSec 2017 conference! If you have data in your organisation, then you might be interested in talking to Digital Guardian’s experts, because they know a lot about what data does, where it lives, what endpoints really are, how you protect it, and how you keep exclusive access to it. Since data is code on most computing architectures, there’s a double benefit. Digital Guardian is a next generation data protection platform purpose built to stop data theft. The Digital Guardian platform performs across the corporate network, traditional endpoints, mobile devices and cloud applications to make it easier to see and stop all threats to sensitive data. For more than 10 years, it has enabled data-rich organizations to

Read More

0105, 2017

Call for Papers: 1st Reversing and Offensive-Oriented Trends Symposium (ROOTs) 2017

René Pfeiffer/ May 1, 2017/ Call for Papers, Conference

ROOTs 2017 The first Reversing and Offensive-Oriented Trends Symposium (ROOTs) 2017 opens its call for papers. ROOTs is the first European symposium of its kind. ROOTS aims to provide an industry-friendly academic platform to discuss trends in exploitation, reversing, offensive techniques, and effective protections. Submissions should provide novel attack forms, describe novel reversing techniques or effective deployable defenses. Submissions can also provide a comprehensive overview of the state-of-the-art, and pinpoint promising areas that have not received appropriate attention in the past. To facilitate interaction with industry, the ROOTs ticket will be valid for all DeepSec conference tracks on both days, including the industry tracks, and the DeepSec conference tickets for the industry track will be valid for ROOTs. The usual rules for academic discounts apply. Please contact the DeepSec staff or our sponsors for

Read More

2804, 2017

DeepINTEL Update, Science First Campaign, Early Birds, and other News

René Pfeiffer/ April 28, 2017/ Administrivia, Conference

The Easter break is over. We didn’t sleep (much), and we did not look for Easter eggs in software either. Instead we did a bit of work behind the scenes. DeepSec 2017 will have some more content due to the co-hosted ROOTs workshop. The full call for papers will be ready on 1 May 2017. We will publish the text here on this blog, and email it to interested researchers. In the meantime the DeepSec 2017 Call for Papers is waiting patiently for your submission. In case you haven’t noticed, the DeepSec and DeepINTEL ticket shops are online. Please book your ticket as early as possible! Every year so far we had some people at our conference who were very sad because their favourite training was not available. If you book early you’ll help us to secure

Read More

2504, 2017

Applied Crypto Hardening Project is looking for Help

René Pfeiffer/ April 25, 2017/ High Entropy, Internet

Hopefully many of you know the Applied Crypto Hardening (ACH) project, also known as BetterCrypto.org. The project was announced at DeepSec 2013. The idea was (and is) to compile hands-on advice for system administrators, dev ops, developers, and others when it comes to selecting the right crypto configuration for an application. The BetterCrypto.org document covers far more protocols than HTTPS. OpenSSH, OpenVPN, IPsec, and more topics are described in the PDF guide. The project is run by volunteers. This is where you come in. The ACH project needs more volunteers to keep going. New GNU/Linux distributions are around the corner (the apt store never sleeps). Some vendors really do upgrade their code base. Libraries change and bleed less. Algorithms get tested, improved, and re-evaluated. The field of cryptography is moving forward, as it should.

Read More

0104, 2017

SS8 – Replacement for Insecure Signalling System No. 7 (SS7) Protocol revealed

René Pfeiffer/ April 1, 2017/ High Entropy

The ageing SS7 protocol has reached it’s end of life. Security experts around the world have criticised vulnerabilities a long time ago. SS7 even facilitated unsolicited surveillance attacks. What’s more, it has its own talks at the annual Chaos Communication Congress – which is a clear sign of fail if there is more than one presentation dealing with inherent design failures. It’s time to put SS7 to rest. Since the 1970s the requirements for signalling have clearly changed. It’s not only about telephones any more. SS8, its successor, features a brand new design and fixes the many shortcomings of SS7. New technologies such as blockchain, artificial intelligence, crowd routing, social signalling, full “tapping”, and deep state connections are now part of the core functions. Furthermore, SS8 is completely in harmony with Big Data, because it offers a

Read More

2703, 2017

DeepINTEL / DeepSec News for 2017 and Call for Papers

René Pfeiffer/ March 27, 2017/ Administrivia, Call for Papers, Conference

Changing code, layout or designs have something in common – deadlines. But you cannot rush creativity, and so the new design of the DeepSec web site took some time. The old design has served us well. We basically did not change much and used it since 2007. The new design follows the stickers we use for decoration at our conferences, the book cover of the DeepSec chronicles, and many other details we publish via documents – all thanks to the creative mind of fx. So thanks a lot fx! The content of our conference has also slightly changed. DeepSec 2017 will feature additional content, because we will introduce a third track filled with presentations from academic research. Given the fact-free discussions of information security and security in general, we would like to (re)introduce the scientific

Read More

1403, 2017

Submit your Talk – Call for Papers for BSidesLondon

René Pfeiffer/ March 14, 2017/ Call for Papers

The Call for Papers for BSidesLondon is still running! If you haven’t submitted your talk yet, please do! The deadline is 27 March 2017. Don’t miss it! The Wonderful World of Cyber is full of stuff to talk about. There is broken software all over the Internet (of Things). 0days await. Infrastructure is ready to be defended or attacked. Let others know about your ideas. If you have never presented at a conference before, then you should consider a submission for the rookie track. You have to start somewhere or somewhen, so why not at BSidesLondon? Looking forward to listen to your presentation at BSidesLondon!

1303, 2017

DeepINTEL 2017 – Modern Strategies for Information Security

Sanna/ March 13, 2017/ Conference, Security Intelligence, Veranstaltung

Seminar on Digital Defence with Experts. The news is full of reports covering attacks against networked systems and digital components. Every day there is new media coverage about stolen data, compromised accounts, the impact of malicious software, digital second strikes, cyber attacks between countries and new vulnerabilities in computer systems. All that leads to the impression that in the modern digital world we are almost helplessly vulnerable to attacks. Clever entrepreneurs benefit from the general uncertainty and sell countermeasures in the form of security software or other components, which, according to their praise, once installed will kill off every threat automatically. But the media don’t show the whole picture – hardly any report on “hacker attacks” could be called a realistic depiction of real life events. The consequence? It is not possible to build

Read More

2701, 2017

Putting the Science into Security – Infosec with Style

René Pfeiffer/ January 27, 2017/ Discussion, Security

The world of information security is full of publications. It’s like being in a maze of twisted little documents, all of them alike. Sometimes these works of art lack structure, deep analysis, or simply reproducibility. Others are perfectly researched, contain (a defence of) arguments, proofs of concept, and solid code or documentation to make a point. Information security is a mixture of different disciplines such as mathematics, physics, computer science, psychology, sociology, linguistics, or history. It’s not about computers and networks alone. There is interaction between components. Protocols are involved. Even the simple act of logging in and staying in an active session requires in some parts to talk to each other. And then there are rituals. Scepticism is widespread in information security. Questioning your environment is the way to go, but you need to

Read More

2601, 2017

The Sound of „Cyber“ of Zero Days in the Wild – don’t forget the Facts

René Pfeiffer/ January 26, 2017/ Discussion, High Entropy

The information security world is full of buzzwords. This fact is partly due to the relationship with information technology. No trend goes without the right amount of acronyms and leetspeaktechnobabble. For many decades this was not a problem. A while ago the Internet entered mainstream. Everyone is online. The digital world is highly connected. Terms such as cyber, exploit, (D)DoS, or encryption are used freely in news items. Unfortunately they get mixed up with words from earlier decades leading to cyber war(fare), crypto ransom(ware), dual use, or digital assets. Some phrases are here to stay. So let’s talk about the infamous cyber again. In case you have not seen Zero Days by Alex Gibney, then go and watch it. It is a comprehensive documentary about the Stuxnet malware and elements of modern warfare (i.e.

Read More

2101, 2017

Putting the Context into the Crypto of Secure Messengers

René Pfeiffer/ January 21, 2017/ Communication, Discussion, Internet

Every once in a while the world of encrypted/secure/authenticated messaging hits the wall of usability. In the case for email Pretty Good Privacy (PGP) is an ancient piece of software. These days we have modern tools such as GnuPG, but the concept of creating keys, verifying identities (i.e. determining who is to trust), synchronising trust/keys with communication partners, and handling the software in case something goes wrong is quite a challenge. Plus things might change. People revoke their keys, devices get lost, data gets deleted, people create new keys or even (digital) identities, or do lots of things that is either anticipated by the software developers or not. Communication is not static. There are moving parts involved, especially the communication partners might move a lot. So crypto is hard, we know this. Discussing secure

Read More

2001, 2017

DeepSec Administrivia for 2017, the Year of the Cyber

René Pfeiffer/ January 20, 2017/ Administrivia, Conference

2017 is in full swing, and it didn’t wait long. December was full of „hacking“ news. It seems digital war(e)fare knows no break. We will address some of the issues in a series of blog articles. Also we have uploaded the DeepSec 2016 videos to Vimeo. Attendees and speaker will get access before we publish the videos for everyone. This is our review in case someone doesn’t like a video or needs to adapt the description. The date for DeepSec will be published soon, along with the date. We look to the fourth quarter of the year, as usual. The Call for Papers will be online in February. If you got some ideas, write them to us. We have plenty of topics to address. The most pressing problem was raised at the 33C3. Go

Read More

2312, 2016

Security BSides Events – Give a Present to the Community

René Pfeiffer/ December 23, 2016/ Conference

You most certainly have heard about the security BSides events. If you are not sure what gift to get, why not help out the BSides events a bit? BSides London is looking for help. BSides Ljubljana has started its call for papers. Have a look and give them a hand. Happy Holidays!