The first recording of DeepSec 2014 has finished post-processing. Just in time for the holidays we have the keynote presentation by Alex Hutton ready for you. Despite its title “The Measured CSO” the content is of interest for anyone dealing with information security. Alex raises questions and gives you lots of answers to think about. Don’t stay in the same place. Keep moving. Keep thinking.
We would like to thank everyone who attended DeepSec 2014! Thanks go to all our trainers and speakers who contributed with their work to the conference! We hope you enjoyed DeepSec 2014, and we certainly like to welcome you again for DeepSec 2015! You will find the slides of the presentations on our web site. Some slides are being reviewed and corrected. We will update the collection as soon as we get new documents. The video recordings are in post-processing and will be available via our Vimeo channel. We will start publishing the content soon. The pictures our photographer took during the conference are being post-processed too. We will publish a selection on our Flickr site.
DeepSec 2014 is open. Right now we start the two tracks with all the presentations found in our schedule. It was hard to find a selection, because we received a lot of submissions with top quality content. We hope that the talks you attend give you some new perspectives, fresh information, and new ideas how to protect your data better. Every DeepSec has its own motto. For 2014 we settled for a quote from the science-fiction film Starship Troopers. The question Would you like to know more? is found in the news sections portrayed in the film. It captures the need to know about vulnerabilities and how to mitigate their impact on your data and infrastructure. Of course, we want to know more! This is why we gather at conferences and talk to each
The DeepSec 2014 schedule features a presentation about (hidden) hypervisors in server BIOS environments. The research is based on a Russian analysis of a Malicious BIOS Loaded Hypervisor (conducted between 2007 and 2010) and studies published by the University of Michigan in 2005/2006 as well as 2012/2013. The latter publications discuss the capabilities of a Virtual-Machine Based Rootkits and Intelligent Platform Management Interface (IPMI) / Baseboard Management Controller (BMC) vulnerabilities. Out-of-band management is sensitive to attacks when not properly protected. In the case of IPMI and BMC the management components also play a role on the system itself since they can access the server hardware, being capable to control system resources. Combining out-of-band components with a hypervisor offers ways to watch any operating system running on the server hardware. Or worse. It’s definitely something
Given the many colourful vulnerabilities published (with or without logo) and attacks seen in the past 12 months, one wonders if IT Security works at all. Of course, 100% of all statistics are fake, and only looking at the things that went wrong gives a biased impression. So what’s ████ed up with IT Security? Are we on course? Can we improve? Is it still possible to defend the IT infrastructure? Stefan Schumacher, director of the Magdeburger Institut für Sicherheitsforschung (MIS), will tell you what is wrong with information security and what you (or we) can do about it. He writes about his presentation in his own words: Science is awesome. You aren’t doing science in infosec. Why not? Seems to be the overriding message of @0xKaishakunin #AusCERT2014 This was one tweet about my talk
In cooperation with the Magdeburger Institut für Sicherheitsforschung (MIS) we publish selected articles covering topics of past DeepSec conferences. The publication offers an in-depth description which extend the conference presentation and includes a follow-up with updated information. Latest addition is Marco Lancini’s article titled Social Authentication: Vulnerabilities, Mitigations, and Redesign. High-value services have introduced two-factor authentication to prevent adversaries from compromising accounts using stolen credentials. Facebook has recently released a two-factor authentication mechanism, referred to as Social Authentication (SA). We designed and implemented an automated system able to break the SA, to demonstrate the feasibility of carrying out large-scale attacks against social authentication with minimal effort on behalf of an attacker. We then revisited the SA concept and propose reSA, a two-factor authentication scheme that can be easily solved by humans but is robust
The deployment of the new Internet Protocol Version 6 (IPv6) is gathering momentum. A lot of applications now have IPv6 capabilities. This includes security software. Routers and firewall systems were first, now there are also plugins and filters available for intrusion detection software such as Snort. Martin Schütte will present the IPv6 Snort Plugin at DeepSec 2014. We have asked him to give us an overview of what to expect. Please tell us the top 5 facts about your talk! Main research for my talk was done in 2011. I am quite surprised (and a little bit frightened) by how little the field of IPv6 security has developed since then. It is often easier to build attack tools than to defend against them. But to improve IPv6 network security we urgently need more detection
„The only advice I might give to everyone who is responsible for information security is that it is never about a tool or a methodology“, says Vlado Luknar. The never-ending quest for the “best” tool or methodology is a futile exercise. In the end it is you, the security specialist, who adds the most value to a risk assessment (RA) / threat modelling process for your company, claims Vlado Luknar (Orange Slovensko a.s. / France Telecom Orange Group). In his talk at DeepSec Mr. Luknar will demonstrate that it is quite easy to capture your overall security knowledge in a home-made, free-of-charge tool. But first, let’s ask Mr. Luknar a couple of questions: 1) Mr. Luknar, please tell us the top 5 facts about your talk! There is no problem with understanding existing RA
Data validation threats (e.g. sensitive data, injection attacks) account for the vast majority of security issues in any system, including cloud-based systems. Current methodology in nearly every organisation is to create data validation gates. But when an organisation implements a cloud-based strategy, these security-quality gates may inadvertently become bypassed or suppressed. Everyone relying on these filters should know how they can fail and what it means to your flow of data. Geoffrey Hill has been in the IT industry since 1990, when he developed and sold a C++ application to measure risk in the commodities markets in New York City. He was recently employed by Cigital Inc., a company that specializes in incorporating secure engineering development frameworks into the software development life-cycles of client organizations. He was leading the software security initiative at a major phone
The Internet Protocol Version 6 (IPv6) is the successor to the currently main IP Version 4 (IPv4). IPv6 was designed to address the need for more addresses and for a better routing of packets in a world filled with billions of networks and addresses alike. Once you decide to develop a new protocol, you have the chance to avoid all the mistakes of the past. You can even design security features from the start. That’s the theory. In practice IPv6 has had its fair share of security problems. There has been a lot of research, several vulnerabilities have been discussed at various security conferences. DeepSec 2014 features a presentation called Safer Six – IPv6 Security in a Nutshell held by Johanna Ullrich of SBA Research, a research centre for information security based in Vienna.
The World Wide Web has spread vastly since the 1990s. Web technology has developed a lot of methods, and the modern web site of today has little in common with the early static HTML shop windows. The Web can do more. A lot of applications can be accessed by web browsers, because it is easier in terms of having a client available on most platforms. Of course, sometimes things go wrong, bugs bite, and you might find your web application and its data exposed to the wrong hands. This is where you and your trainer Dawid Czagan come in. We offer you a Web Application Hacking training at DeepSec 2014. Have you ever thought of hacking web applications for fun and profit? How about playing with authentic, award-winning bugs identified in some of the
Assembly language is still a vital tool for software projects. While you can do a lot much easier with all the high level languages, the most successful exploits still use carefully designed opcodes. It’s basically just bytes that run on your CPU. The trick is to get the code into position, and there are lots of ways to do this. In case you are interested, we can recommend the training at DeepSec held by Xeno Kovah, Lead InfoSec Engineer at The MITRE Corporation. Why should you be interested in assembly language? Well, doing reverse engineering and developing exploits is not all you can do with this knowledge. Inspecting code (or data that can be used to transport code in disguise) is part of information security. Everyone accepts a set of data from the outside
What a couple of Infosec people thought about XSA-108. Apparently some were a little bit disappointed that XSA-108 affects “only” HVM. Sorry, not another catastrophy, not another heartbleed, Shellshock or something in this class. Only a vulnerability which potentially allows access to other VMs. Anyway, time for an update! (Idea shamelessly stolen from aloria)
Getting to know what’s going on is a primary goal of information security. There is even a name for it: intrusion detection. And there are tools to do this. That’s the easy part. Once you have decided you want intrusion detection or intrusion prevention, the implementation part becomes a lot more difficult. Well, if you need help with this issue, there is a two-day workshop for you at DeepSec 2014 – the Suricata Training Event. Suricata is a high performance Network Intrusion Detection System (IDS), Intrusion Prevention System (IPS) and Network Security Monitoring engine. It can serve pretty much all your needs. It’s Open Source (so it cannot be bought and removed from the market) and owned by a very active community. Suricata is managed by the non-profit foundation; the Open Information Security Foundation
Backdoors are devious. Usually you have to look for them since someone has hidden or „forgotten“ them. Plus backdoors are very fashionable these days. You should definitely get one or more. Software is (very) easy to inspect for any rear entrances. Even if you don’t have access to the source code, you can deconstruct the bytes and eventually look for suspicious parts of the code. When it comes to hardware, things might get complicated. Accessing code stored in hardware can be complex. Besides it isn’t always clear which one of the little black chips holds the real code you are looking for. Since all of our devices we use every days runs on little black chips (the colour doesn’t matter, really), everyone with trust issues should make sure that control of these devices is