3108, 2016

Information Warfare: “Breaking News” considered harmful

René Pfeiffer/ August 31, 2016/ Discussion, High Entropy

Eight years ago the stocks of UAL took a dive. Apparently a six year old news article resurfaced via Google. Googlebot, which is used to index news sites, confused one of the most popular web articles of The Sun-Sentinel with breaking news. The story contained the words United Airlines Files for Bankruptcy. Unfortunately a software error turned the date of the original story from 10 December 2002 to 6 September 2008. And so this little piece of misinformation due to the time travel caused a lot of havoc with UAL’s stock price. A little misunderstanding. Fortunately it was not a cyber attack, because the word was used rarely back then. Breaking news can break things, hence the name. It happens with data leaks, password leaks/breaches (depending on which side you are), incomplete reports, social

Read More

2108, 2016

Transforming Secure Coding into Secure Design

René Pfeiffer/ August 21, 2016/ Discussion, High Entropy, Security

Secure Coding is the way to go when you develop applications for the real world. Rename errors and bugs into failures. Turn #fail to #win. Instant karma. In addition there are lots of best practices, checklists, and documents around that will tell you what to anticipate. However the design of an application precedes the code itself. Given the scope and purpose of your product implementing security at the coding stage might be too late. Let us consider an example. The Internet of Things (IoT) is all around us, especially in the information security news sections. While connecting devices to make one’s life easier isn’t a bad idea (just think about writing this article on a networked device and you reading it! Cool, eh?), the connecting parts and the security design should be sound. Smart

Read More

2008, 2016

Preliminary Schedule of DeepSec 2016 – almost done

René Pfeiffer/ August 20, 2016/ Administrivia, Call for Papers, Conference, Schedule

We got over 100 submissions for DeepSec 2016! This is a new record. Consider that we have only room for about 40% of the content. While you may be impatient to hear about the trainings and the talks, please bear with us. We are in the final round of reviews and will have the preliminary schedule ready the day after tomorrow. You will be able to enjoy reading the announcement during your morning coffee break. Promised. To give you a little sneak preview, here are the main topics we will be addressing with the content: cryptography, Internet of Things (IoT), social engineering, threat hunting, the current state of affairs in information security, networking stuff (both wired and wireless), penetration testing, exploit automation, attacking web applications, iOS exploits, physical security, world domination a.k.a. „cyber“ threats,

Read More

0608, 2016

DeepSec 2016 – Thank you for all your submissions!

René Pfeiffer/ August 6, 2016/ Conference, Security

The DeepSec Call for Papers closed on 31 July 2016. We are currently reviewing the content. Thank you very much for your participation! The talks and workshops look awesome. We have a hard time deciding what will be part of the schedule and what has to be postponed. For everyone who has missed the deadline, you can  still submit your talk or training. However we will consider all the others first. Prepare for a fantastic DeepSec 2016!

3007, 2016

OpenPGP.conf is calling for Content

René Pfeiffer/ July 30, 2016/ Call for Papers, Conference, Security

If you don’t know what PGP means (or GPG), you should consult your favourite search engine. While it has a bad reputation for its usability, it is a lot more useful than the rumours might suggest (please attend your local CryptoParty chapter for more details). This is why the German Unix Users Group organises an OpenPGP.conf event. It takes place on 8/9 September 2016 in Cologne, Germany. The Call for Papers is still running, so  be quick and submit. The international conference, initiated by Werner Koch, maintainer of the free OpenPGP implementation Gnu Privacy Guard (GnuPG), and organized by the German Unix Users Group Association introduces the subject of confidential and untampered with communication including, but not limited to security aware users, IT managers and architects responsible for security objectives, software developers who plan to

Read More

2107, 2016

A Perspective on Code and Components – assert(), don’t assume()

René Pfeiffer/ July 21, 2016/ Development, Discussion, High Entropy

Have you ever looked closely at the tools you use on a daily basis? Taking things apart and putting them back together is an integral part of understanding the universe. Scientists do it all of the time (well, at least some do, there are things that can’t be put together easily once taken apart). So lets focus on components and how they interact. ASN.1 and libraries that deal with it are popular components. Few people get a kick out of ASN.1, so they use code that does it. It’s just an example for parts that handle data being sent to and received from other systems. We live in a networked world, so communication is a crucial part of modern software. So to use business lingo: Most software works by delegating tasks to third-party code.

Read More

2107, 2016

Intelligence on the Silver Screen: A Good American Kickstarter Campaign

René Pfeiffer/ July 21, 2016/ Discussion, High Entropy, Security Intelligence

Surveillance has a bad reputation. No one likes to be watched. Yet infosec researchers, sysadmins, and developers talk a lot about log files. We need to watch stuff for various reasons. You got your mail logs, diagnostic messages, performance metrics, network addresses, and more painstakingly sorted by timestamps and maybe geolocation. Log data is part of information technology. It gets interesting once you store, process and mine this data. Some people like to collect it all and do all kinds of Big Data stuff with it. Others filter out the relevant bits of information and work with that. Opinion is divided, results may vary. Enter A Good American, the documentary which was screened in Vienna during the DeepSec 2015 conference. It has been shown all over the world. The film itself is fully funded,

Read More

1507, 2016

Call for Papers – DeepSec 2016 – Reminder

René Pfeiffer/ July 15, 2016/ Call for Papers, Conference

The Call for Papers for DeepSec 2016 ends on 31 July 2016. If you have some top content, a new way to break the Internet of Things, a piece of code that lets the director of the FBI sweat (for whatever reasons), then let us know. Basically anything that breaks stuff, melts networks/applications/hardware, or singes the fur off things is a good choice (see isic for the original quote). Despite the Internet of Things not being yours it can be 0wned any way. Have a go and tell us! In case you are inclined to teaching we also host top quality workshops, just before the conference. If you got material to keep a group of nerds, pentesters, and people worried about the state of information security busy, then drop us your abstract. See you

Read More

1407, 2016

The Internet of Threats revisited

René Pfeiffer/ July 14, 2016/ Communication, High Entropy, Internet

Everyone is talking about the Internet of Things. Connecting household applications (yes, applications, appliances is so 1990s) to a network hasn’t been more fun than now. Also measuring things is great. Today most sensors are deployed to generate endless streams of data because we can, not because there is a need for it. And I haven’t even talked about the information security aspect yet. Let’s take a step back into 1995/1996. Those were the days of the first browser wars. Jamie Zawinski has a quote of the Law of Software Envelopment on his web site. Every program attempts to expand until it can read mail. Those programs which cannot so expand are replaced by ones which can. The proof of concept was undertaken by creating the Netscape Mail and News client. Processing email once

Read More

2406, 2016

Early Birds, save the Date! BSidesVienna has opened the Call for Papers!

René Pfeiffer/ June 24, 2016/ Call for Papers, Conference

Grab your calendars, you have to be in Vienna on 12 November 2016! BSidesVienna is accepting your submissions for an awesome community conference. The range of topics is wide, so don’t ask yourself “Is this interesting or not?” – just submit and come to Vienna in November! While you are preparing your submission, you might want to make some extra space in your calendar for DeepSec 2016. The submission we got so far look great. Crypto, the Internet of Stuff (IoT), exploit labs, pentesting training, and more waits for you. Make sure you get the Early Bird prices for your tickets!

1806, 2016

DeepSec welcomes Google as Sponsor for the next Conference

René Pfeiffer/ June 18, 2016/ Administrivia, Conference

We are proud and happy to announce Google as sponsor for DeepSec 2016! Google has been a supporter of DeepSec in the past. While we may not need to introduce Google to you, we would like to point out that they have a very capable security team and that members of their researchers have held presentations at DeepSec conferences. Google staff is often around, so take the advantage and talk to them.

1706, 2016

DeepSec welcomes SEC4YOU as Conference Sponsor!

René Pfeiffer/ June 17, 2016/ Conference

DeepSec would not be possible without the support from sponsors. So we welcome SEC4YOU as sponsor for the next DeepSec 2016! SEC4YOU offers services regarding advanced auditing, penetration testing, and vendor-agnostic IT security consulting. SEC4YOU experts support your team when it comes to test and to implement security measures. Especially when it comes to compliance requirements, you will need assistance to make sure that nothing goes wrong. SEC4YOU’s portfolio covers IT security analysis (dealing with risks and threats to your organisation), auditing, ISO 27001 certification (with or without BSI standards), creation of security policies, risk management, information security management system (ISMS), internal government and revision processes. Their experts are well-versed with clients from internal auditing, accounting/controlling, information technology, data protection, risk/compliance management, and information security. Plus they like hackers! Make sure you have a

Read More

1306, 2016

DeepSec 2015 Slides: Bridging the Air-Gap – Data Exfiltration from Air-Gap Networks! Much Slides! Very Animated! Wow!

Sanna/ June 13, 2016/ Conference, Security

The presentation titled Bridging the Air-Gap – Data Exfiltration from Air-Gap Networks was held at DeepSec 2015. Since the presentation format was not meant to be printed or viewed with generic documents viewers, the slide deck had to be converted. The slides in PDF format can be downloaded from this link: https://drive.google.com/file/d/0B_dwBl7uf6PdRndDa1Rad1dMdFk/view?usp=sharing For an animated version of the slides, use one of these links: http://prezi.com/mrzzjpzgvcr8/?utm_campaign=share&utm_medium=copy or in short http://goo.gl/mpCNWC Mind the gap and enjoy!

1206, 2016

DeepINTEL 2016 – Save the Date for Security Intelligence

René Pfeiffer/ June 12, 2016/ Administrivia, Security Intelligence

Analysing threat intelligence hasn’t been more important. We all know that bad things will happen. That’s not the issue to worry about. You should spend some thoughts on why something happens, what methods are involved, and what your adversaries look like on the inside. Defending your assets is much more than using a fence, some doors, and badges for your employees. We would like to welcome you to DeepINTEL to discuss security intelligence in-depth. The DeepINTEL 2016 has been moved. Save the new date; DeepINTEL will take place on 20/21 September. The location hasn’t changed, and good weather has been ordered. Make sure you order your tickets!