Welcome to the DeepSec 2013 In-Depth Security Conference! The seventh DeepSec has just started. We welcome everyone at the conference venue and everyone else Out There™ connected by networks. If you have a Twitter account, make use of the hashtag #DeepSec. We will have an eye on tweets throughout the conference. So if you have feedback or want to comment something, feel free to do so! Enjoy DeepSec 2013!
Unfortunately we had to change our DeepSec 2013 schedule again. We promise that this will be the last changes before the conference starts (or a certain Murphy will get a talk slot). Marcus Ranum couldn’t make it to DeepSec. He apologised, and there really is no way he could have made it. We will invite him for DeepSec 2014, so you will have a good reason to come back next year. We are grateful for Aaron Kaplan from CERT.at who helps out with a presentation about better cryptography. In essence he talks about applied crypto hardening in order to help everyone deploying cryptography to improve the configuration and to Get Things Right™. We highly encourage you to attend his talk. For anyone interested in geopolitics: Wim Remes has kindly agreed to hold the keynote
How do you counter threats emerging from a new trend? Well, standard practice is to buy a new appliance, add-on, or similar magic trick. People do this currently with the trend of Bring Your Own Device (BYOD). Once you say yes to BYOD, you just gave Santa Claus (or your chief financial officer) more options for Christmas presents. There is Mobile Device Management (MDM in short), plus you can do a lot of filtering at the edge of your network(s). Still mobile devices are a threat. At DeepSec 2013 Georgia Weidman of Bulb Security LLC will show you how the threats work in real environments. Testing if your wonderful BYOD playground works for attackers can be done by taking your MDM’s promises to the limits. Let’s see if your MDM has ever heard of
Securing your own perimeter is the prime task IT security teams are worried about. However there is Murphy’s Law of Firewalls, too. Given a sufficient amount of time, business requirements will pierce a lot of holes in your firewall and your defences. Once you work with suppliers, you will have to deal with their perimeters as well. Your opponents will go for the weakest link, and if the links on your end are strong, then they go for your suppliers and partners. Dave Lewis of Akamai Technologies will talk about this problem in his talk at DeepSec 2013. It’s not your immediate partners you have to think about. There are trading partner networks, code developed by off shore development centres and outsourced help desks. Even if you use security products you can get into
Being popular is not always a good thing and here’s why: As mobile devices grow in popularity, so do the incentives for attackers. Mobile malware and threats are clearly on the rise, as attackers experiment with new business models by targeting mobile phones. The threat to mobile devices, however, is not limited to rogue versions of popular apps and adware. Threat actors are also pouncing on mobile users’ banking transactions. Android continues to be a primary target for malware attacks due to its market share and open source architecture. Nowadays, several behaviour-based malware analysis and detection techniques for mobile threats have been proposed for mobile devices but only about 30 percent of all Android smart phones and tablets have security apps installed. At DeepSec 2013 Jaime Sanchez (@segofensiva) will present AndroIDS, a signature-based intrusion
The production of code leaves traces in the final binary. There can be debugging symbols present, which give you a lot of information. Maybe the binary has some commonly used libraries or functions. A lot of fingerprinting can be done with software. Why is this of interest? Well, there is the attribution problem of attacks and malicious software. Identifying where malware comes from can be crucial for the assessment of risks and the impact of compromised systems. Michael Boman has researched this topic and will present his findings in his talk titled Malware Datamining And Attribution at DeepSec 2013. Stuxnet and related malware is a prime example where the source of the code is of fundamental interest. Even for more „mundane“ code malware authors use leaves traces in their work which can be used
Defending one’s own resources against malicious software is daily business for information security professionals. Usually you deploy a range of measures and try to minimise the risk. It may or may not work, depending if you have to fear the mysterious Advanced Persistent Threat (APT). APTs are highly targeted, very stealthy and can greatly impact your security in terms of damage and level of compromise. Their stealth aspect makes them hard to detect and hard to counter. Tom Ueltschi from the Swiss Post has gained experience with these kind of attacks. This is why he will share his insights at DeepSec 2013. His talk is titled My Name Is Hunter, Ponmocup Hunter. Ponmocup is a strain of malicious software which forms its own botnet. It is known by a couple of names, depending on
If something happens in your network, it’s an established custom to blame it on China. This approach is tried and true among the Chief Information Officers (CIOs) who have some explaining to do. Throw in the inevitable Advanced Persistent Threat (APT) and you are set. No more explanations necessary. Why is that? Well, most people don’t know, therefore Wim Remes of IOactive will give you a thorough overview in his talk titled Cultural Learning Of China To Make Benefit Glorious Profession Of InfoSec. Geopolitics is a good start. The current debate about the role of China as a nation, in international hacking incidents and corporate espionage is framed in an almost exclusively US-centric narrative. Using your adversaries as scapegoat works well, provided you talk to like-minded people and nations. China, however, is a nation
You may have heard of background radiation. It’s the kind of ionizing radiation you are exposed when wandering around on this planet. The sources are radioactive isotopes in the air, the soil, our food, and the water. In addition there is cosmic radiation from outer space. So even without artificial radiation sources you will have a natural background radiation. The Internet has a similar phenomenon. The pendant of the fundamental particle in Nature is the packet. Internet traffic consists of data packets going from their source to a target address. Imagine a part of the Internet which isn’t used at all. Its address space isn’t advertised anywhere. It holds no services and no active hosts. This place is called Darknet. In theory there will be no packets. In practice there are. A student from
Cross Site Request Forgery (CSRF) is a real threat to web users and their sessions. To quote from the OWASP web site: „CSRF is an attack which forces an end user to execute unwanted actions on a web application in which he/she is currently authenticated.“ Combined with social engineering this is a very effective attack tool. Believe it or not, web sites prone to CSRF are very common. If your web developers do not know what „unique web form“ means, you will have to deal with CSRFs eventually. Paul Amar is a student of computer science, and at DeepSec 2013 he will present a framework to study and prototype CSRF interaction with web servers. The tool presented is the Cross Site Request Forgeries Toolkit (CSRFT). It has been developed in Python and Node.JS. The
Over the last few years the desire to have information at our fingertips whenever and wherever we want has driven us more and more towards mobile devices. The convenience of having our email, files and access codes available to us on our smartphones or tablets has given rise to a new problem… that of securing our sensitive data on an inherently insecure device. The same form factor that makes smart phones the easy choice for remote access to email and services also makes them easy to lose. In response, we’ve begun to move security closer to the data, relying on “secure” container applications to keep our private and company data secure. Mobile apps such as LastPass, Dropbox, Evernote, GOOD for Enterprise, and may others all offer differing degrees of security. In this presentation Chris
Hey, you! Want to know a secret? Your adversaries are after money. Taken the „cyber shoot-outs“ of governments aside, no sophisticated attack happens without economical benefits. Attackers don’t care where the money comes from. However they care for efficiency. They do not compromise web server after web server to hope for some loot which can be turned into profit. Instead they go after the places where people store and move their money. Financial institutions have been battling attacks against their customers and their infrastructure since their services entered the Internet. It’s an arms race, and if you are involved you need to keep up. We are proud to have Konstantinos Karagiannis at DeepSec 2013 talking about the future of banking and financial attacks. Advanced User Enumeration and DDoS Every attack needs a proper target.
No man is an island. If this is true for every single one of us, then it is also true for companies. Modern enterprises have business to business (B2B) relations. They are at the centre of a network of suppliers and other vendors. Information flows between the players since they need to exchange data. What do you do if you deal with confidential or regulated data which mustn’t flow freely? How do you assess the risks? How do you determine what security measures work best? How do you deal with the situation of not enforcing security because every player runs its own policies? Luciano Ferrari has prepared a presentation for you and talks about his experience. The first issue is physical proximity. Once you are linked with business entities several thousands of miles away
If you like to attend DeepSec 2013, here’s your last chance. Space is getting crowded and the ticket sale enters the last minute tariff! For everyone interested in booking tickets for the workshops, now is the time! Don’t wait for others to fill your seat. You have been warned. In case you are still deciding, as always DeepSec will feature 0talks with tricks, code, vulnerabilities not seen before in public. Give yourself a premature Christmas treat, enjoy the conference, and leave for home with a dozen of 1337 presents information-wise. Totally beats the stuff Santa and the elves will bring you weeks later. We are looking forward to see you all at DeepSec 2013!
Have you ever forgotten a password? It’s a safe bet to assume a yes. Sometimes we forget things. When it comes to logins there is usually a procedure to restore access and change the forgotten password to a known new one. This Forgot Your Password functionality is built into many applications. The mechanism is to rely on other ways to restore trust. There is a risk that unauthorised persons gain access to an account by exploiting the process. Ashar Javed has explored the password recovery function of 50 popular social networking sites. In his talk at DeepSec 2013 he will present the findings of his survey. The attack vector is called Trusted Friend Attack, because once you forgot your credentials you have to rely on trusted friends to recover them. Apart from automatic systems