0510, 2015

DeepSec 2015 Workshop: Crypto Attacks – Juraj Somorovsky & Tibor Jager

Sanna/ October 5, 2015/ Conference, Training

Fvcelsiuetwq lcv xlt hsyhv xd kexh yw pdp, tlkli? Well, yes and no. ITEzISqbI1ABITAhITAhLZzQFsQ6JnkhMTMhpNK5F5rF9dctkiExMyEv9Fh1ITMzIaX2VCJpEQc= , and that’s where it often goes wrong. Your cryptographic defence can be attacked just as any other barrier you can come up with. Attackers never sleep, you know. Crypto attacks are often facilitated by a simple psychological bias: Since cryptographic algorithms are so complicated (for me), no one can easily figure out how to break them. But this may be true for ASN.1 or Chinese (with apologies to all native speakers, it is meant as a metaphor). The fertile growth of CrypoParties all around the globe documents the interest in using cryptography as a means of protecting data, be it in transit or stored locally. Since you use encryption algorithms every day, regardless if you know about them or

0410, 2015

DeepSec 2015 Workshop: Practical Incident Handling – Felix Schallock

Sanna/ October 4, 2015/ Conference, Security, Training

Things go wrong or break, it’s just a matter of time. Ask your sysadmin about this. Apart from wear and tear, there are information security incidents that tend to ruin your perfect day at the office. What happens next? What do you do when noticing that your infrastructure has been compromised? Where do you start? Who needs to be told? Few employees know the answers to these questions. While you might have policies in place that regulate everything one needs to know, the practice looks wildly different. Apart from having a plan, you need to test if your plan works. At DeepSec 2015 Felix Schallock will show you what to do when digital lightning strikes. During two days of training you will take a tour on how to address and handle incidents properly. During

0310, 2015

DeepSec 2015 Talk: Continuous Intrusion – Why CI Tools Are an Attacker’s Best Friend – Nikhil Mittal

Sanna/ October 3, 2015/ Conference, Development, Security

In information security pessimism rules. Unfortunately. Extreme Programming might breed extreme problems, too. The short-lived app software cycle is a prime example. If your main goal is to hit the app store as soon and as often as possible, then critical bugs will show up faster than you can spell XCodeGhost. The development infrastructure has some nice features attackers will love and most probably exploit. In his presentation Nikhil Mittal will show you how Continuous Integration (CI) tools can be turned into a Continuous Intrusion. Continuous Integration (CI) tools are part of build and development processes of a large number of organizations. I have seen a lot of CI tools during my penetration testing engagements. I always noticed the lack of basic security controls on the management consoles of such tools. On a default installation, many CI tools

0210, 2015

DeepSec 2015 Talk: Visualizing Wi-Fi Packets the Hacker’s Way – Milan Gabor

Sanna/ October 2, 2015/ Conference, Internet

Silent service was the name many submarine services gave themselves. U-boats have the habit of hiding, usually in large bodies of water. How Not To Be Seen remains the prime directive of attackers throughout the age. For the submarines this changed with the introduction of ASDIC and SONAR. You know these technologies from the acoustic sounds of the ping. In the air one often uses radar instead. What do you use for the defence of your wireless networks? At DeepSec 2015 Milan Gabor will show you his idea of Wi-Fi radar, so your IT security admins can become air traffic controllers. Imagine you could see more than console windows from aircrack-ng tools provide. Imagine you could have quick dashboards and deep into more details in short amount of time. And this without writing a

0110, 2015

DeepSec2015 Talk: Hacking Cookies in Modern Web Applications and Browsers – a short Interview with Dawid Czagan

Sanna/ October 1, 2015/ Discussion, Interview, Security

You don’t have to be the cookie monster to see cookies all around us. The World Wide Web is full of it. Make sure not to underestimate their impact on information security. Dawid Czagan will tell you why. 1) Please tell us the top 5 facts about your talk. The following topics will be presented: – cookie related vulnerabilities in web applications – insecure processing of secure flag in modern browsers – bypassing HttpOnly flag and cookie tampering in Safari – problem with Domain attribute in Internet Explorer – underestimated XSS via cookie – and more 2) How did you come up with it? Was there something like an initial spark that set your mind on creating this talk? I noticed that cookie related problems are underestimated. People claim, for example, that XSS via cookie requires

3009, 2015

DeepSec 2015 Talk: Cryptography Tools, Identity Vectors for „Djihadists“ – Julie Gommes

René Pfeiffer/ September 30, 2015/ Conference, Security, Security Intelligence

Some speak of Crypto Wars 2.0. For others the Crypto Wars have never ended. FBI Directory James Comey does not get tired of demanding back doors to IT infrastructure and devices (there is no difference between back door and front door, mind you). Let’s take a step back and look at the threats. We did this in 2011 with a talk by Duncan Campbell titled How Terrorists Encrypt. The audience at DeepSec 2011 was informed that encryption does not play a major role in major terror plots. What about today? Have terrorists adopted new means of communication? Since the authorities demanding access to protected information do not have statistics readily available, we turned to researchers who might answer this question. Julie Gommes will present the results of studies analysing the communication culture of criminal

2909, 2015

DeepSec 2015 Workshop: PowerShell for Penetration Testers – Nikhil Mittal

Sanna/ September 29, 2015/ Conference, Security, Training

The platform you are working with (or against) determines the tools you can use. Of course, everyone loves to boot the operating system of choice and hack on familiar grounds. Occasionally you have no choice, and you have to use what’s available. This is especially true for penetration testing. You get to use what you find on the systems of your digital beachhead. And you are well advised to get familiar with the tools you most definitely will find on these systems. This is a reason to look at the PowerShell. It is available on the Microsoft® Windows platform, so it’s the way to go. In his workshop at DeepSec 2015 Nikhil Mittal will teach you all you need to know about the PowerShell. PowerShell is the ideal tool for penetration testing of a

2809, 2015

DeepSec 2015: The Early Bird Gets the Luxury Bed, Swimming Pool and a Royal Breakfast

Sanna/ September 28, 2015/ Administrivia, Conference, Veranstaltung

DeepSec 2015 is drawing nearer and tickets sell like hot cakes! Just an insider tip for all the smart birds out there: Get a DeepSec ticket for Early Birds and, while you’re at it book a room at our conference hotel straightaway – before they’re sold out! We have arranged a very competitive conference rate for you (including the breakfast, swimming pool & leisure aerea). Free Internet will be provided in the conference area. For comparison, direct booking rates are more expensive, and typically don’t include breakfast or free Wi-Fi. About the Hotel The Imperial Riding School Renaissance Vienna Hotel is located in a historical building, the former military horse riding school, which was built and used by Emperor Franz Josef I in 1850. Today this exquisite neo-classical hotel features 339 Deluxe Rooms, a Club Lounge, a conference centre, bar, library,

2009, 2015

DeepSec Talk 2015: Cryptographic Enforcement of Segregation of Duty within Work-Flows – Thomas Maus

Sanna/ September 20, 2015/ Conference

Encryption is great. Once you have a secret key and an algorithm, you can safeguard your information. The trouble starts when you communicate. You have to share something. And you need to invest trust. This is easy if you have a common agenda. If things diverge, you need something else. Thomas Maus will explain in his talk cryptographic methods that can help you dealing with this problem. Meet Alice and Bob, who might not be friends at all. Workflows with segregation-of-duty requirements or involving multiple parties with non-aligned interests (typically mutually distrustful) pose interesting challenges in often neglected security dimensions. Cryptographic approaches are presented to technically enforce strict auditability, traceability and multi-party-authorized access control and thus, also enable exoneration from allegations. These ideas are illustrated by challenging examples – constructing various checks and balances for telecommunications data retention, a vividly discussed

1909, 2015

DeepSec 2015 Talk: Legal Responses Against Cyber Incidents – Oscar Serrano

Sanna/ September 19, 2015/ Conference, Security

Like it or not, „cyber“ is here to stay. No matter what word you use, the networks have become a battlefield for various military operations. While you won’t be able to secure physical territory by keyboard (you still need boots on the ground for this), you can gain information, thwart hostile communications, and possibly sabotage devices (given the sorry state of the Internet of Stuff). When you deal with actions in this arena, you might want to know what your options are. It’s worth to think about legal consequences. When it comes to mundane cyber crime, you usually have laws to deal with incidents. What is the response to a military cyber attack? And what counts as one? In his presentation at DeepSec 2015 Oscar Serrano will introduce you to the legal implications and

1809, 2015

DeepSec 2015 Talk: Revisiting SOHO Router Attacks – Jose Antonio Rodriguez Garcia and Ivan Sanz de Castro

Sanna/ September 18, 2015/ Conference, Internet, Security

Have you seen Jon Schiefer’s film Algorithm? If you haven’t, then you should catch up. The protagonist of the story gain access by using the good old small office / home office (SOHO) infrastructure. The attack is pretty realistic, and it shows that SOHO networks can expose all devices connected to it, either briefly or permanently. Combined with the Bring Your Own Device (BYOD) hype, SOHO networks are guaranteed to contain devices used for business purposes. We haven’t even talked about the security of entertainment equipment or the Internet of Stuff (IoT). Like it or not, SOHO areas are part of your perimeter once you allow people to work from home or to bring work home. Be brave and enter the wonderful world of consumer devices used to protect enterprise networks. José Antonio Rodríguez

1709, 2015

DeepSec 2015 Talk: Building a Better Honeypot Network – Josh Pyorre (OpenDNS)

Sanna/ September 17, 2015/ Conference, Internet, Security

Most defenders only learn what attackers can do after recovering from a successful attack. Evaluating forensic evidence can tell you a lot. While this is still useful, wouldn’t it be better to learn from your adversaries without risking your production systems or sensitive data? There is a way. Use some bait and watch. Honeypots to the rescue! Josh Pyorre will tell you in his presentation how this works. Honeypots and honeypot networks can assist security researchers in understanding different attacker techniques across a variety of systems. This information can be used to better protect our systems and networks, but it takes a lot of work to sift through the data. Installing a network of honeypots to provide useful information should be an easy task, but there just isn’t much to tie everything together in

1109, 2015

DeepSec 2015 Talk: illusoryTLS – Nobody But Us. Impersonate,Tamper and Exploit (secYOUre)

Sanna/ September 11, 2015/ Conference, Internet, Security

Transport Layer Security is a cornerstone of modern infrastructure. The „Cloud“ is full of it (at least it should be). For most people it is the magic bullet to solve security problems. Well, it is helpful, but only until you try to dive into the implementation on servers, clients, certificate vendors, or Certificate Authorities. Alfonso De Gregorio has done this. He will present his findings at DeepSec 2015 in his presentation aptly titled „illusoryTLS: Nobody But Us. Impersonate,Tamper and Exploit“. Learn how to embed an elliptic-curve asymmetric backdoor into a RSA modulus using Elligator. Find out how the entire TLS security may turn to be fictional, if a single CA certificate with a secretly embedded backdoor enters the certificate store of relying parties. Discover how some entities might have practically explored cryptographic backdoors for intelligence purposes regardless of

1009, 2015

DeepSec 2015 Talk: “Yes, Now YOU Can Patch That Vulnerability Too!” A short Interview with Mitja Kolsek

Sanna/ September 10, 2015/ Discussion, Interview, Security

Patching software is a crucial task when it comes to fixing security vulnerabilities. While this totally works, usually you have to wait until the vendors or the developers provide you either an upgrade or a patch. What do you do in the meantime? Reducing the exposure of the software helps, but sometimes you have no choice. Public interfaces are public. There’s help. Do it yourself! Mitja Kolsek will tell you more. Please tell us the top 5 facts about your talk. We want to shake the security world by introducing a simple twist and essentially reinventing software patching. Attackers’ main advantage comes from software vulnerabilities (often very old and long-patched ones), which are a critical ingredient of most breaches into corporate and government networks. Unfortunately, most software vendors are lacking economical motivation for providing patches, let alone pro-actively

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this: