DeepSec Talk 2015: Cryptographic Enforcement of Segregation of Duty within Work-Flows – Thomas Maus

Sanna/ September 20, 2015/ Conference

Encryption is great. Once you have a secret key and an algorithm, you can safeguard your information. The trouble starts when you communicate. You have to share something. And you need to invest trust. This is easy if you have a common agenda. If things diverge, you need something else. In his talk, Thomas Maus will explain cryptographic methods that can help you deal with this problem. Meet Alice and Bob, who might not be friends at all. Workflows with segregation-of-duty requirements or involving multiple parties with non-aligned interests (typically mutually distrustful) pose interesting challenges in often neglected security dimensions. Cryptographic approaches are presented to technically enforce strict auditability, traceability and multi-party-authorized access control and thus, also enable exoneration from allegations. These ideas are illustrated by challenging examples – constructing various checks and balances for telecommunications data retention, a vividly discussed

DeepSec 2015 Talk: Legal Responses Against Cyber Incidents – Oscar Serrano

Sanna/ September 19, 2015/ Conference, Security

Like it or not, „cyber“ is here to stay. No matter what word you use, the networks have become a battlefield for various military operations. While you won’t be able to secure physical territory by keyboard (you still need boots on the ground for this), you can gain information, thwart hostile communications, and possibly sabotage devices (given the sorry state of the Internet of Stuff). When you deal with actions in this arena, you might want to know what your options are. It’s worth thinking about legal consequences. When it comes to mundane cyber crime, you usually have laws to deal with incidents. What is the response to a military cyber attack? And what counts as one? In his presentation at DeepSec 2015 Oscar Serrano will introduce you to the legal implications and

DeepSec 2015 Talk: Revisiting SOHO Router Attacks – Jose Antonio Rodriguez Garcia and Ivan Sanz de Castro

Sanna/ September 18, 2015/ Conference, Internet, Security

Have you seen Jon Schiefer’s film Algorithm? If you haven’t, then you should catch up. The protagonist of the story gains access by using the good old small office / home office (SOHO) infrastructure. The attack is pretty realistic, and it shows that SOHO networks can expose all devices connected to them, either briefly or permanently. Combined with the Bring Your Own Device (BYOD) hype, SOHO networks are guaranteed to contain devices used for business purposes. We haven’t even talked about the security of entertainment equipment or the Internet of Stuff (IoT). Like it or not, SOHO areas are part of your perimeter once you allow people to work from home or to bring work home. Be brave and enter the wonderful world of consumer devices used to protect enterprise networks. José Antonio Rodríguez

DeepSec 2015 Talk: Building a Better Honeypot Network – Josh Pyorre (OpenDNS)

Sanna/ September 17, 2015/ Conference, Internet, Security

Most defenders only learn what attackers can do after recovering from a successful attack. Evaluating forensic evidence can tell you a lot. While this is still useful, wouldn’t it be better to learn from your adversaries without risking your production systems or sensitive data? There is a way. Use some bait and watch. Honeypots to the rescue! Josh Pyorre will tell you in his presentation how this works. Honeypots and honeypot networks can assist security researchers in understanding different attacker techniques across a variety of systems. This information can be used to better protect our systems and networks, but it takes a lot of work to sift through the data. Installing a network of honeypots to provide useful information should be an easy task, but there just isn’t much to tie everything together in

DeepSec 2015 Talk: illusoryTLS – Nobody But Us. Impersonate, Tamper and Exploit (secYOUre)

Sanna/ September 11, 2015/ Conference, Internet, Security

Transport Layer Security is a cornerstone of modern infrastructure. The „Cloud“ is full of it (at least it should be). For most people it is the magic bullet to solve security problems. Well, it is helpful, but only until you try to dive into the implementation on servers, clients, certificate vendors, or Certificate Authorities. Alfonso De Gregorio has done this. He will present his findings at DeepSec 2015 in his presentation aptly titled „illusoryTLS: Nobody But Us. Impersonate, Tamper and Exploit“. Learn how to embed an elliptic-curve asymmetric backdoor into an RSA modulus using Elligator. Find out how the entire TLS security may turn out to be fictional, if a single CA certificate with a secretly embedded backdoor enters the certificate store of relying parties. Discover how some entities might have practically explored cryptographic backdoors for intelligence purposes regardless of

DeepSec 2015 Talk: “Yes, Now YOU Can Patch That Vulnerability Too!” A short Interview with Mitja Kolsek

Sanna/ September 10, 2015/ Discussion, Interview, Security

Patching software is a crucial task when it comes to fixing security vulnerabilities. While this totally works, usually you have to wait until the vendors or the developers provide you either an upgrade or a patch. What do you do in the meantime? Reducing the exposure of the software helps, but sometimes you have no choice. Public interfaces are public. There’s help. Do it yourself! Mitja Kolsek will tell you more. Please tell us the top 5 facts about your talk. We want to shake the security world by introducing a simple twist and essentially reinventing software patching. Attackers’ main advantage comes from software vulnerabilities (often very old and long-patched ones), which are a critical ingredient of most breaches into corporate and government networks. Unfortunately, most software vendors are lacking economical motivation for providing patches, let alone pro-actively

Social Engineering: Cold Call Warning (EHS, EHM)

René Pfeiffer/ September 8, 2015/ Administrivia, Odd

While we have a workshop on social engineering for you at DeepSec 2015, we do not do any trainings or exercises before the DeepSec event starts. A speaker alerted us that he got a cold call from a company offering cheap rates for accommodation. In case you have received any call from Exhibition Housing Management (EHM) and Exhibitors Housing Services (EHS), you can safely hang up. Both organisations have been used for scams in the past. Apparently they are alive and kicking. We thank EHS/EHM for providing exercise material and contact data for use during the conference.

DeepSec 2015 Talk: Deactivating Endpoint Protection Software in an Unauthorized Manner

René Pfeiffer/ September 7, 2015/ Conference, Security

Your infrastructure is full of endpoints. Did you know that? You even have endpoints if you use your employees’ devices (BYOD!) or the „Cloud“ (YMMV!). Can’t escape them. Since the bad girls and guys know this, they will attack these weak points first. How are your endpoints (a.k.a. clients in the old days) protected? In case you use software to protect these vulnerable systems, then you should attend Matthias Deeg’s talk. He will show you the art of Deactivating Endpoint Protection Software in an Unauthorized Manner: Endpoint protection software such as anti-virus or firewall software often has password protection in order to restrict access to a management console for changing settings or deactivating protection features to authorized users only. Sometimes the protection can only be deactivated temporarily for a few minutes, sometimes it

DeepSec 2015 Schedule is almost stable & BSidesVienna CfP Deadline

René Pfeiffer/ September 7, 2015/ Administrivia, Conference

The schedule of DeepSec 2015 is almost done. We’re still reviewing submissions and talking to authors. We are confident that we can call the schedule stable soon. Until this happens, we will describe the presentations and trainings in a little more detail here. Take a good look, but don’t wait too long before booking a ticket. The workshops can only accommodate a limited number of attendees. Don’t miss the opportunity! We would also like to point out that the Call for Papers for the BSidesVienna event is ending on 15th September 2015! If you have interesting content, please submit!

The Enemy Within: Industrial Espionage and Your Network at DeepSec 2015

Sanna/ September 3, 2015/ Conference, High Entropy, Security

Networking is vital to acquire jobs in the business world, manage projects, and develop products. It all started with the World Wide Web, now we also interact via various clouds and social media platforms with our staff, clients, and customers. Data gets outsourced to third parties, and business letters are airily sent by Instant Messenger (due to the lack of messenger ravens, sadly). But the thoughtless embrace of networks invites threats, previously known only from the silver screen – spies. And, unfortunately, in today’s digital environment, it is no longer enough to just close the door to protect yourself from prying eyes. There is much more to be considered. We’re here to help. DeepSec does not want to leave your company out in the cold: Attend our next conference which takes place in Vienna on

Last Reminder – the DeepSec 2015 Call for Papers closes today!

René Pfeiffer/ July 30, 2015/ Call for Papers, Conference

Take advantage of our Call for Papers! We can’t believe that all the devices, networks, services, and shiny things around us are completely secure. Once something has Wi-Fi, a SIM card, memory, or a processor there is bound to be an accident. It’s not just hunting rifles, jeeps, currencies, experts, and airplanes that can be hacked. There is more. Tell us! Don’t let the IT crowd of today repeat the mistakes of our ancestors. Submit a two-day training and help to save some souls! We are especially interested in secure application development, intrusion detection/prevention, penetration testing, crypto & secure communication, mobile devices, the Internet of Things, security intelligence, wireless hacking (Wi-Fi, mobile networks, …), forensics, and your workshop that really knocks the socks off our attendees! Drop your training submission into our CfP manager!

New MJS Article: Why Anti-Virus Software Fails

René Pfeiffer/ July 30, 2015/ Security

What is your first impulse when you see a fence? Well, we can’t speak for you, but we like to look for weak spots, holes, and ways to climb it. The same is true for filters of all kinds. Let’s see what one can do to bypass them. Anti-virus software is a good example. At DeepSec 2014 Daniel Sauder explained how malware filters/detectors fail. Daniel was kind enough to provide an article for the special edition „In Depth Security – Proceedings of the DeepSec Conferences“: „Based on my work about antivirus evasion techniques, I started using antivirus evasion techniques for testing the effectivity of antivirus engines. I researched the internal functionality of antivirus products, especially the implementation of heuristics by sandboxing and emulation and succeeded in evasion of these. A result of my research are

Security of Things – Dead Horses just get beaten with the Internet

René Pfeiffer/ July 27, 2015/ High Entropy, Internet, Security

What do NoSQL databases and cars have in common? You can find and freely access them by using the trusty Internet. Wired magazine has published a story about a remotely controlled Jeep Cherokee. Charlie Miller and Chris Valasek have found a way to use the properties of UConnect™ combined with (design) flaws to take full control of the vehicle. The threat is real since the car was attacked remotely by using a network connection. UConnect™ was formerly known as MyGIG™, and systems have been available since 2007. It’s basically your entertainment system on steroids with added telemetry, internal commands, and network capabilities. Hacking cars by attacking the entertainment system was already discussed at DeepSec 2011. This is the next level, because cars now have their own IP addresses (and no firewall apparently). NoSQL databases are very

Software Security: The Lost Art of Refactoring

René Pfeiffer/ June 29, 2015/ Development, Discussion, Security

A sysadmin, a software developer, and an infosec researcher almost walked into a bar. Unfortunately they couldn’t agree where to go together. So they died of thirst. Sounds familiar? When it comes to information technology, there is one thing that binds us all together: software. This article was written and published by software. You can read it by using (different) software. This doesn’t automagically create stalwart bands of adventurers fighting dragons (i.e. code vulnerabilities) and doing good deeds (i.e. not selling 0days). However, it is a common ground where one can meet. Since all software has bugs, and we all use software, there’s also a common cause. Unfortunately this is where things go wrong. Code has a life cycle. It usually starts out as a (reasonably) good idea. Without a Big Bang. Then the implementation

I spy with my little Spy, something beginning with „Anti…“

René Pfeiffer/ June 27, 2015/ Discussion, High Entropy, Security

Anti-virus software developers made the news recently. The Intercept published an article describing details of what vendors were targeted and what information might be useful for attackers. Obtaining data, no matter how, has had its place in the news since 2013 when the NSA documents went public. The current case is no surprise. This statement is not meant to downplay the severity of the issue. While technically there is no direct attack to speak of (yet), the news item shows how security measures will be reconnoitred by third parties. Why call it third parties? Because a lot of people dig into the operation of anti-virus protection software. The past two DeepSec conferences featured talks called „Why Antivirus Software fails“ and „Easy Ways To Bypass Anti-Virus Systems“. The Project Zero team at Google found a vulnerability in
