0509, 2016

Of Clouds & Cyber: A little Story about Wording in InfoSec

René Pfeiffer/ September 5, 2016/ Discussion, High Entropy

In case you ever received a message about our calls for papers, you may have noticed that we do not like the word cyber. Of course we know that it is used widely. Information security experts are divided if it should be used. Some do it, some reject it, some don’t know what to do about it. We use it mostly in italics or like this: „cyber“. There is a reason why, but first let’s take a look where the word comes from. The Oxford Dictionaries blog mentions the origin in the word cybernetics. This word was used in the 1940 by scientists from the fields of engineering, social sciences, and biology. Cybernetics deals with the study of communication and control systems in living beings and machines. Hence the word is derived from the

Read More

0509, 2016

Deep Sec2016 Talk: DROWN – Breaking TLS using SSLv2 – Nimrod Aviram

Sanna/ September 5, 2016/ Conference, Internet

In the past years encrypted communication has been subject to intense scrutiny by researchers. With the advent of Transport Layer Security (TLS) Internet communication via HTTP became a lot more secure. Its predecessor Secure Sockets Layer (SSL) must not be used any more. The real world has its own ideas. SSLv2 and SSLv3 is still present. Attackers can try to downgrade the TLS session by switching to insecure ciphers. When using the correct configuration, these downgrade attacks cannot happen. The question is: Are all of your devices, applications, and systems correctly configure? If you are not sure, better check again. In order to illustrate how these attacks work, we have invited Nimrod Aviram for DeepSec 2016. He will explain the inner workings of the DROWN attack. We present a novel cross-protocol attack on TLS

Read More

0409, 2016

DeepSec2016 Workshop: Offensive iOS Exploitation – Marco Lancini

Sanna/ September 4, 2016/ Conference, Training

If an iPhone gets exploited in the forest and no one is around to 0wn it, does it worry you? This philosophical question has been answered sufficiently by the latest Pegasus incident. All smartphone should worry you. The iPhone and its operating system is no exception. Actually breaking a smartphone give an attacker a lot of advantages. Chances are that you carry the exploited device with you all the time. At last the Age of Mobility has reached information security! In order to develop exploits you need a healthy dose of software development and a (deep) knowledge of the platform being attacked. For those of you who do a lot of penetratoion testing, security analysis, or plain software quality management, we have a shortcut for you: the iOS exploitation workshop. This is an exercise-driven

Read More

0309, 2016

DeepSec 2016 Workshop: Penetration Testing Humans – Bethany Ward & Cyni Winegard

Sanna/ September 3, 2016/ Conference, Security, Training

Do you know the film where the victim gets an unsuspecting phone call and dies three days later? No? Relax, it happens in the real world, too. The difference is that you get a quite normal phone call at the office and three days later some of your data has been copied. The technical term is leaked, also known as stolen. All your security measures will be untouched. Why break into a firewall or into servers when you get the access credentials by phone? Social engineering is an advanced and very persistent threat. You probably get phone calls and emails every day. You may often interact with people you have never seen or met before. Given the right approach they will make you and your employees believe anything. In turn this technique is very

Read More

0209, 2016

DeepSec 2016 Workshop: Hacking Web Applications – Case Studies of award-winning Bugs in Google, Yahoo!, Mozilla and more – Dawid Czagan

Sanna/ September 2, 2016/ Conference, Internet, Security, Training

Have you been to the pictures lately? If so, what’s the best way to attack an impenetrable digital fortress? Right, go for the graphical user interface! Or anything exposed to the World Wide Web. The history of web applications is riddled with bugs that enable attackers to do things they are not supposed to. We bet that you have something exposed on the Web and even probably don’t know about it. Don’t worry. Instead attend the DeepSec training session „Hacking Web Applications“ conducted by Dawid Czagan. He will teach you about what to look for when examining web applications with a focus on information security. This hands-on web application hacking training is based on authentic, award-winning security bugs identified in some of the greatest companies (Google, Yahoo!, Mozilla, Twitter, etc.). You will learn how bug hunters

Read More

0109, 2016

DeepSec 2016 Schedule explained in a Series of Articles

René Pfeiffer/ September 1, 2016/ Administrivia, Conference, Schedule

We have almost finished the reviews of the submissions for DeepSec 2016. The preliminary schedule is already online. Our staff got quite some impatient requests about what to expect from the conference. Due to the sheer amount of submissions it was very difficult to review the content. We really read what you submit. We ask questions; we discuss the focus of the conference. While we try to suggest a motto when sending out the Call for Papers, we never know what the focus will be. It all depends on the presenters and trainers. Hopefully we found the right balance for all of you. Since the schedule is a short summary we have started to compile material about every talk and workshop. The series of articles will start tomorrow. It is a good way to

Read More

3108, 2016

Buy your ticket for 44CON – and go to prison for free!

René Pfeiffer/ August 31, 2016/ Administrivia, Conference, Security

Forget Winter! 44CON is coming! The conference will be 14 to 16 September 2016 in London. The schedule is online. Take a look! This year’s 44CON also features a Capture The Flag (CTF) contest. It is hosted by the UK Ministry of Justice. Your mission, should you decide to accept it, consists of breaking into a prison! 20 teams have announced to participate. Sounds terrific, if you ask us. We will be there as well. So grab a ticket, cross the Channel, and we’ll meet in the lobby or, better yet, at the registration desk. Spread the word!

3108, 2016

Information Warfare: “Breaking News” considered harmful

René Pfeiffer/ August 31, 2016/ Discussion, High Entropy

Eight years ago the stocks of UAL took a dive. Apparently a six year old news article resurfaced via Google. Googlebot, which is used to index news sites, confused one of the most popular web articles of The Sun-Sentinel with breaking news. The story contained the words United Airlines Files for Bankruptcy. Unfortunately a software error turned the date of the original story from 10 December 2002 to 6 September 2008. And so this little piece of misinformation due to the time travel caused a lot of havoc with UAL’s stock price. A little misunderstanding. Fortunately it was not a cyber attack, because the word was used rarely back then. Breaking news can break things, hence the name. It happens with data leaks, password leaks/breaches (depending on which side you are), incomplete reports, social

Read More

2108, 2016

Transforming Secure Coding into Secure Design

René Pfeiffer/ August 21, 2016/ Discussion, High Entropy, Security

Secure Coding is the way to go when you develop applications for the real world. Rename errors and bugs into failures. Turn #fail to #win. Instant karma. In addition there are lots of best practices, checklists, and documents around that will tell you what to anticipate. However the design of an application precedes the code itself. Given the scope and purpose of your product implementing security at the coding stage might be too late. Let us consider an example. The Internet of Things (IoT) is all around us, especially in the information security news sections. While connecting devices to make one’s life easier isn’t a bad idea (just think about writing this article on a networked device and you reading it! Cool, eh?), the connecting parts and the security design should be sound. Smart

Read More

2008, 2016

Preliminary Schedule of DeepSec 2016 – almost done

René Pfeiffer/ August 20, 2016/ Administrivia, Call for Papers, Conference, Schedule

We got over 100 submissions for DeepSec 2016! This is a new record. Consider that we have only room for about 40% of the content. While you may be impatient to hear about the trainings and the talks, please bear with us. We are in the final round of reviews and will have the preliminary schedule ready the day after tomorrow. You will be able to enjoy reading the announcement during your morning coffee break. Promised. To give you a little sneak preview, here are the main topics we will be addressing with the content: cryptography, Internet of Things (IoT), social engineering, threat hunting, the current state of affairs in information security, networking stuff (both wired and wireless), penetration testing, exploit automation, attacking web applications, iOS exploits, physical security, world domination a.k.a. „cyber“ threats,

Read More

0608, 2016

DeepSec 2016 – Thank you for all your submissions!

René Pfeiffer/ August 6, 2016/ Conference, Security

The DeepSec Call for Papers closed on 31 July 2016. We are currently reviewing the content. Thank you very much for your participation! The talks and workshops look awesome. We have a hard time deciding what will be part of the schedule and what has to be postponed. For everyone who has missed the deadline, you can  still submit your talk or training. However we will consider all the others first. Prepare for a fantastic DeepSec 2016!

3007, 2016

DeepSec 2016 Call for Papers – Reminder – 24h to go!

René Pfeiffer/ July 30, 2016/ Call for Papers, Conference, Security

The Call for Papers for the tenth DeepSec conference officially ends in 24 hours. This is a gentle reminder to submit your presentation or your kick-ass workshop.

3007, 2016

OpenPGP.conf is calling for Content

René Pfeiffer/ July 30, 2016/ Call for Papers, Conference, Security

If you don’t know what PGP means (or GPG), you should consult your favourite search engine. While it has a bad reputation for its usability, it is a lot more useful than the rumours might suggest (please attend your local CryptoParty chapter for more details). This is why the German Unix Users Group organises an OpenPGP.conf event. It takes place on 8/9 September 2016 in Cologne, Germany. The Call for Papers is still running, so  be quick and submit. The international conference, initiated by Werner Koch, maintainer of the free OpenPGP implementation Gnu Privacy Guard (GnuPG), and organized by the German Unix Users Group Association introduces the subject of confidential and untampered with communication including, but not limited to security aware users, IT managers and architects responsible for security objectives, software developers who plan to

Read More

2107, 2016

A Perspective on Code and Components – assert(), don’t assume()

René Pfeiffer/ July 21, 2016/ Development, Discussion, High Entropy

Have you ever looked closely at the tools you use on a daily basis? Taking things apart and putting them back together is an integral part of understanding the universe. Scientists do it all of the time (well, at least some do, there are things that can’t be put together easily once taken apart). So lets focus on components and how they interact. ASN.1 and libraries that deal with it are popular components. Few people get a kick out of ASN.1, so they use code that does it. It’s just an example for parts that handle data being sent to and received from other systems. We live in a networked world, so communication is a crucial part of modern software. So to use business lingo: Most software works by delegating tasks to third-party code.

Read More

2107, 2016

Intelligence on the Silver Screen: A Good American Kickstarter Campaign

René Pfeiffer/ July 21, 2016/ Discussion, High Entropy, Security Intelligence

Surveillance has a bad reputation. No one likes to be watched. Yet infosec researchers, sysadmins, and developers talk a lot about log files. We need to watch stuff for various reasons. You got your mail logs, diagnostic messages, performance metrics, network addresses, and more painstakingly sorted by timestamps and maybe geolocation. Log data is part of information technology. It gets interesting once you store, process and mine this data. Some people like to collect it all and do all kinds of Big Data stuff with it. Others filter out the relevant bits of information and work with that. Opinion is divided, results may vary. Enter A Good American, the documentary which was screened in Vienna during the DeepSec 2015 conference. It has been shown all over the world. The film itself is fully funded,

Read More