2701, 2014

DeepSec 2013 Video: Finux’s Historical Tour Of IDS Evasion, Insertions, and Other Oddities

René Pfeiffer/ January 27, 2014/ Conference, Security

Ever since intrusion detection systems were put into operation, attackers have found ways to evade discovery. So what can you expect from the wonderful tools that are designed to detect intrusions? If you are looking for metrics which can easily compared and have a connection to your typical production environment, then you are mistaken. There is no such thing as a magical box, ready to be installed to solve all your intrusion problems. Arron ‘Finux’ Finnon of Alba13 Labs held a presentation at DeepSec 2013 about this topic. He illustrated the evasion techniques used and discussed the history of IDS/IPS systems. If you follow the talk closely, you will understand why detection systems like IDS/IPS can work, but why they’re set to fail all at the same time.

1901, 2014

DeepSec 2013 Video: Cracking Open “Secure” Android Containers

René Pfeiffer/ January 19, 2014/ Conference

Cell phones, especially the smart ones, become more and more part of your company’s infrastructure. These devices accumulate software (a.k.a. „apps“), authentication tokens, passwords, and a lot of data worthy of protection. While smartphone systems have their own protection mechanisms, not every one of them might work reliably. Chris John Riley explains in his presentation held at DeepSec 2013 why „secure“ containers on Android phones might not be as secure as advertised. Please make sure that you show this presentation to anyone riding the „BYOD“ train. You might want to rethink what you let your users put on their phones.

1701, 2014

DeepSec 2013 Video: Cracking And Analyzing Apple iCloud Protocols

René Pfeiffer/ January 17, 2014/ Conference

The „Cloud“ has been advertised as the magic bullet of data management. Basically you put all your precious eggs into one giant basket, give it to someone else, and access your data from everywhere – provided you have a decent Internet connection. Since someone else is now watching over your data, you do not always know what protocols and security measures are in place. Few „cloud“ solutions publish what they actually do. Apple’s iCloud system is no different. Vladimir Katalov (ElcomSoft Co. Ltd.) explained in his talk at DeepSec 2013 how the iCloud protocol works and how you can develop your own clients to access your own data in Apple’s „cloud“ infrastructure. His reverse-engineering work is based on publicly available information. Have a look!

1501, 2014

DeepSec 2013 Video: spin – Static Instrumentation For Binary Reverse-Engineering

René Pfeiffer/ January 15, 2014/ Conference

Reverse engineering is a fundamental tool of information security research. The news coverage of the past year have given black boxes a bad name. David Guillen Fandos introduces methods for binary reverse-engineering in his presentation at DeepSec 2013. Binary instrumentation is used for performance evaluation, CPU emulation, tracing, and profiling. It can also be used for malware and threat analysis. David’s tool called spin is able to characterize and identify security-critical functions by applying conditions. If you are into reverse engineering or simply are curious, take a look at the video from his talk:

1401, 2014

DeepSec 2013 Video – Relax Everybody: HTML5 Is Securer Than You Think

René Pfeiffer/ January 14, 2014/ Conference

A lot of tags have been created since the 1980s when the foundation of the modern World Wide Web was born. HTML5 is being deployed on servers around the world. Just like the many 802.11xyz wireless standards it is being used before the stable standard has been released by the W3C. Moving targets attract all kinds of developers and information security enthusiasts. This is why we invited Sebastian Lekies of SAP to hold a presentation about HTML5. He systematically explores security relevant HTML5 APIs and summarises what web developers need to know when designing, implementing and deploying web applications. We will see at DeepSec 2014 if HTML5-based sites will be still featured in talks. ☺

1301, 2014

DeepSec 2013 Video: Psychology of Security – a Research Programme

René Pfeiffer/ January 13, 2014/ Conference

The DeepSec 2013 keynote presentation featured the cultural background of China in order to better understand the news about impending „cyber doom“. The past year has shown that you need a lot more than hands-on information security if you want to make sense of incidents. Next to history and culture there is psychology. In his talk at DeepSec 2013 Stefan Schumacher make a good case for combining psychology and the scientific approach with topics of information security. Watch his talk online!

0201, 2014

Applied Crypto Hardening (ACH) Project

René Pfeiffer/ January 2, 2014/ Communication, Security

DeepSec 2013 featured a talk about the Applied Crypto Hardening (ACH) project. In the wake of the discussion about attacks on cryptography itself and implementations of cryptographic standards almost every aspect of encrypted communication needs to be reviewed. Since system administrators, developers, and other IT staff usually has not the same expertise as crypto experts, the ACH project was formed. Its goal is to compile a reference for the best practice configuration of systems that use cryptographic components. The ACH guide covers SSL/TLS, virtual private network (VPN), algorithms, key sizes, (pseudo) random generators, and more. The advice is targeted at everyone seeking to improve the cryptographic capabilities of software and appliances. Hardening crypto is part of the basic security measures everyone should take care of. It needs to become a habit, just like everything

Read More

3112, 2013

DeepSec wishes you a Happy New Year 2014!

René Pfeiffer/ December 31, 2013/ Misc

The DeepSec team wishes you a Happy New Year 2014! We hope that you will put your ideas for the coming 12 months into reality. We have some New Year’s resolutions as well, and we hope to implement them in the months to come. Supporting rookie security researchers and fostering the scientific approach to, well, research in information security. If you call yourself a researcher, then you should employ scientific methods. It’s simple, and we will explain in ample depth what this is all about. Don’t party too hard! 😉 There’s work to be done.

2012, 2013

DeepSec 2013 Keynote – “Cultural Learning Of China To Make Benefit Glorious Profession Of Infosec”

René Pfeiffer/ December 20, 2013/ Conference

Our video team gave us an early Christmas present, fresh from the rendering farm. The keynote of DeepSec 2013 by Wim Remes is already online. His keynote talk puts information security into a broader context. More often than not blaming China seems to be an easy way to “explain” digital attacks or to silence legitimate questions. Wim explores the cultural side and history in order to improve what we know about the context. Since the Internet is a global network information security experts need to broaden their horizon. For every complex problem there is an answer that is clear, simple, and wrong. Attacks, persistent or not, can become complex, and dealing with the attribution problem is definitely no easy task. We heard about it at past DeepSec conferences. So enjoy Wim’s talk, have some

Read More

1212, 2013

Recordings and Slides from DeepSec 2013

René Pfeiffer/ December 12, 2013/ Administrivia, Conference

We are still dealing with the administrative tasks of DeepSec 2013, and we would like to give a short update on the publication of the slides. We have published all PDFs from the talks on our web server. Some speakers are still refining their documents. We will add them to the collection as soon as we get the files. There are audio and video recordings as well. Both are in post-production in order to ensure that the content is ok and everything works (we had some troubles with broken media files and storage containers in the past). We will put the audio recordings on our web site, too. The videos will be published on our Vimeo account soon. So, thank you for attending and speaking at DeepSec 2013! We hope to see you again

Read More

2111, 2013

DeepINTEL 2014 – 3rd Security Intelligence Conference – Call for Papers is open!

René Pfeiffer/ November 21, 2013/ Administrivia, Call for Papers, Security Intelligence

Good news everyone, there will be a DeepINTEL conference in 2014, and we are looking for presentations! DeepINTEL 2014 will be held in September at the same location as in 2013. This single track two day event addresses mainly critical infrastructure, state organizations (administrative and law enforcement), accredited CERTs, finance organizations and trusted parties and organizations with a strong relation or partnership to the aforementioned. Due to the sensitive topics and the nature of the participants and speakers we will have a vetting process for participants. We’d like to know our audience, so that we all can talk freely and openly during the event. If you have questions on this, please contact us directly via deepsec@deepsec.net or the contact information given on our web site. Here is the Call for Papers for DeepINTEL 2014:

Read More

2111, 2013

The DeepSec 2013 Conference – „Secrets, Failures, and Visions“

René Pfeiffer/ November 21, 2013/ Conference

Welcome to the DeepSec 2013 In-Depth Security Conference! The seventh DeepSec has just started. We welcome everyone at the conference venue and everyone else Out There™ connected by networks. If you have a Twitter account, make use of the hashtag #DeepSec. We will have an eye on tweets throughout the conference. So if you have feedback or want to comment something, feel free to do so! Enjoy DeepSec 2013!

1911, 2013

Last Changes to DeepSec 2013 Schedule

René Pfeiffer/ November 19, 2013/ Administrivia, Conference

Unfortunately we had to change our DeepSec 2013 schedule again. We promise that this will be the last changes before the conference starts (or a certain Murphy will get a talk slot). Marcus Ranum couldn’t make it to DeepSec. He apologised, and there really is no way he could have made it. We will invite him for DeepSec 2014, so you will have a good reason to come back next year. We are grateful for Aaron Kaplan from CERT.at who helps out with a presentation about better cryptography. In essence he talks about applied crypto hardening in order to help everyone deploying cryptography to improve the configuration and to Get Things Right™. We highly encourage you to attend his talk. For anyone interested in geopolitics: Wim Remes has kindly agreed to hold the keynote

Read More

1511, 2013

DeepSec 2013 Talk: Bypassing Security Controls With Mobile Devices

René Pfeiffer/ November 15, 2013/ Conference, Security

How do you counter threats emerging from a new trend? Well, standard practice is to buy a new appliance, add-on, or similar magic trick. People do this currently with the trend of Bring Your Own Device (BYOD). Once you say yes to BYOD, you just gave Santa Claus (or your chief financial officer) more options for Christmas presents. There is Mobile Device Management (MDM in short), plus you can do a lot of filtering at the edge of your network(s). Still mobile devices are a threat. At DeepSec 2013 Georgia Weidman of Bulb Security LLC will show you how the threats work in real environments. Testing if your wonderful BYOD playground works for attackers can be done by taking your MDM’s promises to the limits. Let’s see if your MDM has ever heard of

Read More

1511, 2013

DeepSec 2013 Talk: Supply Chain – The Exposed Flank

René Pfeiffer/ November 15, 2013/ Conference, Security, Stories

Securing your own perimeter is the prime task IT security teams are worried about. However there is Murphy’s Law of Firewalls, too. Given a sufficient amount of time, business requirements will pierce a lot of holes in your firewall and your defences. Once you work with suppliers, you will have to deal with their perimeters as well. Your opponents will go for the weakest link, and if the links on your end are strong, then they go for your suppliers and partners. Dave Lewis of Akamai Technologies will talk about this problem in his talk at DeepSec 2013. It’s not your immediate partners you have to think about. There are trading partner networks, code developed by off shore development centres and outsourced help desks. Even if you use security products you can get into

Read More