Preliminary Schedule of DeepSec 2014 published

René Pfeiffer/ August 27, 2014/ Administrivia, Conference

After weeks of hard work the preliminary schedule of DeepSec 2014 is now online! We received over a hundred submissions, and we had to navigate through a lot of publications, abstracts and references. We hope that you like the mixture of topics. We especially hope that you will find the offered trainings interesting. We are still waiting for content and corrections, so bear with us while the schedule takes its final form. Unlike in past years we had a lot more to do in terms of completing information about submitted talks and trainings. We will tell you more about this in the upcoming blog articles (which we will announce on our Twitter account, so you don’t miss anything). Looking forward to seeing you in Vienna in November!

Reviewing all your Submissions for DeepSec 2014

René Pfeiffer/ August 1, 2014/ Administrivia, Conference

The Call for Papers of DeepSec 2014 officially ended yesterday. We are currently reviewing all your submissions and will publish the preliminary schedule in the course of the next two weeks. As always, you did a very good job of finding things to break and to exploit. Choosing what to include in the schedule will be pretty hard! For those who still have bright ideas and no time to submit, please send us your abstracts as soon as possible! We will consider everything submitted so far first, but we will take your proposals into account. You just need to tell us.

Reminder: Call for Papers DeepSec 2014

René Pfeiffer/ July 3, 2014/ Call for Papers, Conference

The Call for Papers of DeepSec 2014 is still open. Since its motto is the power of knowledge, we address everyone having knowledge. Information is the „cyber“ weapon of the 21st century, we have heard. So if you know about the 0day that affects half the Internet, you should definitely think about presenting it at DeepSec 2014. ☻ Seriously, we have chosen this motto because a lot of issues in information security deal with knowledge. If your IT staff knows about the latest threats, the capabilities of the defences, the state of the systems, and how to deal with problems, then you have a distinct advantage. Not knowing is usually the first step towards running into problems. In this tradition we prefer disclosure of security-related knowledge. The dreaded CVE-2014-0160 is a good example. Imagine OpenSSL


Ticket Registration is open

René Pfeiffer/ June 18, 2014/ Administrivia, Conference

The ticket registration for DeepSec 2014 „The Octave“ is open. You can either use the embedded version on the DeepSec web site or go directly to the ticketing site. The tickets are now available for the early bird tariff. Make sure you get your tickets as soon as possible. The later tariffs are more expensive. The current Call for Papers for DeepSec 2014 (and DeepINTEL 2015) is open, and we are looking for talks applying the power of knowledge to information security. Would you like to know more?

New Use Cases for Bitcoin

Mika/ May 30, 2014/ Security, Stories

Although I’m new to the Bitcoin world, I had quite a promising start. Earlier this month I was able to visit the Bitcoin Conference in Amsterdam and had some very good conversations with core developers from the Bitcoin Foundation and, to my honour, also the chance to talk to Gavin Andresen, long-time lead developer and now chief scientist of the Bitcoin Foundation. At DeepSec our first contact with Bitcoin was in 2012 when Jon Matonis, now Executive Director and Board Member of the Bitcoin Foundation, talked about the evolution of e-Money. But since then we haven’t had intense contact. Tomorrow I will visit the Bitcoin Expo in Vienna and hope to meet new people in the community and discuss the latest trends and developments. The fascinating thing about Bitcoin and the global block-chain is the


IT Security without Borders

René Pfeiffer/ May 27, 2014/ Discussion, Internet

U.S. government officials are considering preventing Chinese nationals from attending hacking and IT security conferences by denying visas. The idea is „to curb Chinese cyber espionage“. While this initiative has been widely criticised and the measure is very easy to circumvent, it doesn’t come as a surprise. Recent years have shown that hacking has become more and more political. This aspect was already explored in the keynote of DeepSec 2012. So what is the real problem? Espionage, be it „cyber“ or not, revolves around information. This is exactly why we have a problem with the word „cyber“. Methods of transporting information have been around for a long time. Guglielmo Marconi and Heinrich Hertz raised problems for information security long before the Internet did. The only difference is the ease of setting up Internet


DeepSec 2014 “The Power of Knowledge” – Call for Papers

René Pfeiffer/ May 5, 2014/ Call for Papers

After a couple of months of tinkering behind the scenes we can finally open our Call for Papers for DeepSec 2014! The upcoming DeepSec 2014 will be in November at our well-known conference hotel. We accept submissions as of now, and we are keen to hear your ideas. To give you some thoughts on what we are looking for: DeepSec 2014 is all about the Power of Knowledge! The past years have shown that knowledge is a true „cyber“ weapon. Everyone recalling the endless discussions about full/responsible/no/delayed disclosure of bugs affecting the security of IT systems can relate to the power of knowledge. Others might not be so lucky and grasp what knowledge means only when it is turned into exploits and compromised systems. This is why we want your contribution to DeepSec 2014 centred around knowledge. Let’s


BSidesLondon 2014 Rookie Track Videos

René Pfeiffer/ May 3, 2014/ Conference

We are back from BSidesLondon 2014, and we had a great time. It was good to meet everyone, to get some new ideas and to work on old ideas too. The Rookie Track was a success. We had a hard time deciding which talk was best. We managed to find a winner, who will be invited to attend DeepSec 2014. Congratulations to Georgi Boiko! The Rookie Track recordings will be published online depending on the choice of the speaker. Some are already online. Here is a list of talks you can already watch. More are being published in the coming weeks (we will update this list).

A Look at Modern Warfare by @kaitlyn4495
The Joy of Passwords by Joseph Gwynne-Jones
RFID Hacking – An Introduction by @d3sre
Run-time tools to aid application security


BSidesLondon is near!

René Pfeiffer/ April 25, 2014/ Conference, Discussion

We will attend the BSidesLondon event, and we are looking forward to meeting you there! DeepSec is again sponsoring the rookie track. We believe that information security can only benefit from fresh perspectives and newcomers who take a hard look at “well established” facts. This is why we support young infosec researchers and welcome their contribution. The winner of the BSidesLondon rookie track will be invited to join DeepSec 2014. If you attend BSidesLondon, have a chat with MiKa or me. We are always looking for new talents, ideas to put more research into infosec, and creativity to take apart facts everyone takes for granted. See you in London!

Talk about Cryptography and the NSA’s Capabilities

René Pfeiffer/ March 31, 2014/ Discussion, Security, Veranstaltung

The published documents about the NSA’s capabilities have led to a review of cryptographic tools. Mastering SSL/TLS by itself can be tricky. This is especially true if you have to deal with clients that do not take advantage of the latest TLS protocols. System administrators and developers are well advised to keep an eye on the capabilities of libraries and the algorithms available for securing network communication. We recommend having a look at the publication of the Applied Crypto Hardening project in case you wish to review your crypto deployment. The standardisation of cryptographic methods has been criticised as well. Apart from the flawed Dual Elliptic Curve Deterministic Random Bit Generator (Dual_EC_DRBG) there is a lot of discussion going on in which the practices of standardisation are being questioned. Given the design problem in


DeepSec 2013 Video: Static Data Leak Prevention In SAP – The Next Generation Of DLP

René Pfeiffer/ February 27, 2014/ Conference, Stories

Leaks are problems you don’t want in your infrastructure. While this is clear for water pipes, it is not so clear for digital data. Copying is a part of the process, and copying data is what your systems do all day. A leak comes into existence when someone without access privileges gets hold of data. The industry has coined the term data leak/loss prevention (DLP) for products trying to stop intruders from exfiltrating your precious files. Just like other defence mechanisms, DLP systems cannot simply be bought and switched on. You have to know where your data lives, which software you use, what data formats need to be protected, and so on. We invited Andreas Wiegenstein to talk about data loss prevention in SAP systems. His presentation was held at the DeepSec 2013 conference and


DeepSec 2013 Video: Using Memory, Filesystems And Runtime To App Pen iOS And Android

René Pfeiffer/ February 26, 2014/ Conference

Your iOS or Android smartphone can do a lot. „There’s an app for that!“ is also true for information security. So what can you do? We have seen smartphones used as an attack platform for penetration testing. You can use them for wardriving, and, of course, for running malicious software (next to „normal“ software which can do a lot too). At DeepSec 2013 Andre Gironda unlocked some of the mysteries of the iDevice and Android-device memory intrinsics, filesystem/process sandboxes, and the OO runtime by walking through the techniques, including common obfuscations. His talk is recommended to anyone interested in the capabilities of modern smartphones.

DeepSec 2013 Video: Europe In The Carna Botnet

René Pfeiffer/ February 25, 2014/ Conference, Security

Botnets serve a variety of purposes. Usually they are used to send unsolicited e-mail messages (a.k.a. spam), to attack targets by sending crafted data packets, or to perform similar activities. The Carna Botnet was created by an anonymous researcher to scan the IPv4 Internet. The creator called the botnet the Internet Census of 2012. The nodes of the botnet consist of virtually unsecured IPv4 devices – modems and other network equipment. The points of entry were mostly Telnet management interfaces exposed to the Internet. Analysing the devices that were part of the Carna Botnet is well worth the effort. This is why we invited Parth Shukla (Australian Computer Emergency Response Team, AusCERT) to present his findings about the Carna Botnet at DeepSec 2013. „A complete list of compromised devices that formed part of the Carna Botnet


DeepSec 2013 Video: Future Banking And Financial Attacks

René Pfeiffer/ February 24, 2014/ Conference, Security

Predicting the future is very hard when it comes to information technology. However, in terms of security analysis it is vital to keep your head up and try to anticipate what attackers might try next. You have to be as creative as your adversaries when designing a good defence. This is why we invited Konstantinos Karagiannis (BT) to DeepSec 2013. Konstantinos has specialised in hacking banking and financial applications for nearly a decade. Join him for a look at the most recent attacks that are surfacing, along with coming threats that financial organisations will likely have to contend with soon.

DeepSec 2013 Video: Pivoting In Amazon Clouds

René Pfeiffer/ February 23, 2014/ Conference

The „Cloud“ is a great place. Technically it’s not a part of an organisation’s infrastructure, because it is outsourced. The systems are virtualised, their physical location can change, and all it takes to access them is a management interface. What happens if an attacker gains control? How big is the impact on other systems? At DeepSec 2013 Andrés Riancho showed what attackers can do once they get access to a company’s Amazon root account. There is more to it than a simple login. You have to deal with EC2, SQS, IAM, RDS, meta-data, user-data, Celery, etc. His talk follows a knowledgeable intruder from the first second after identifying a vulnerability in a cloud-deployed Web application through all the steps he takes to reach the root account of the Amazon user. Regardless of how your
