1110, 2012

High Availability is not Redundancy

Mika/ October 11, 2012/ High Entropy, Odd

This is about the “A” in the CIA triad of security: Confidentiality, Integrity, Availability Just recently I was a witness of an incident where the failure of a perceived redundant system caused an outage of more than 5 hours of the central IT services of a multinational/intercontinental enterprise. Vital services like VoIP calls and conference bridges (which were interrupted with high profile customers) , SAP, e-mail, central file services, CAD, order processing, printing of delivery notes and therefore loading of trucks, processing of EDIFACT-based orders and invoices, etc. were unavailable for most of the 20.000 employees and customers worldwide during this black-out. What happened? Some when in the morning we noticed a lot of commotion in the department (open plan office) and quite soon it was obvious that all network based services were out

Read More

0610, 2012

DeepSec 2012 Talk: The Interim Years of Cyberspace – Security in a Domain of Warfare

René Pfeiffer/ October 6, 2012/ Conference

In case you haven’t heard about it yet, officially that is, welcome to the fifth domain! As with space and other environments, the networked world has been discovered by various forces and groups for their advantage. The past years have shown that whatever happens in Cyberspace, doesn’t always stay in Cyberspace. It’s not always about the DDoS attacks, which have been blown out of proportion, but it’s about malicious software, reconnaissance, information extraction and other aspects which are less spectacular (watching less television helps to restore the perspective to normal). We’d like to set your perspective right and recommend listening to Robert M. Lee’s presentation about the Interim Years of Cyberspace. His talk focuses on the bigger picture in an effort to add a different view to the discussions taking place at DeepSec. The

Read More

0510, 2012

DeepSec 2012 Talk: Evolution of E-Money

René Pfeiffer/ October 5, 2012/ Conference

The concept of electronic money has been around long before BitCoin entered the stage. The main characteristic is its electronic storage and exchange. This is both convenient and dangerous since digital goods can be stolen by copying data or cracking codes, depending on the design of the e-money system (which often will involve cryptographers). Jon Matonis will give you an overview about both the goals and the scary aspects of the cashless society. While the talk will focus on BitCoin, which is a peer-to-peer crypto-currency, you will get a deeper insight into how electronic currencies work, what challenges existing designs have solved (or haven’t), and which opportunities the use of digital currencies poses in the future. The phenomenon is quite young, but it is popular, even among criminals who already robbed a BitCoin bank.

Read More

0510, 2012

DeepSec 2012 Talk: The Vienna Programme – A Global Strategy for Cyber Security

René Pfeiffer/ October 5, 2012/ Conference

In case you ever felt frustrated by the countless ways digital systems can fail, you should consider listening to Stefan Schumacher‘s talk about a global strategy for cyber security. It’s not about silver bullets or throwing rings into volcanoes, it’s meant as a roadmap leading to an improved security level in our digital landscape. Information technology and therefore IT security play a bigger role in everyday life than 20 years ago. However, even since IT security becomes more and more important, yet we are still discussion the same old problems: rootkits, viruses and even buffer overflows. Unfortunately, IT security  still revolves about the same problems as it did 20-30 years ago. Instead of fighting the same battles again and again we have to take a look at the strategic level to coordinate efforts. This

Read More

0210, 2012

DeepSec 2012 Workshop: Social Engineering Testing for IT Security Professionals

René Pfeiffer/ October 2, 2012/ Conference, Training

Social engineering has been big in the news yet again this year.  In September, security researchers discovered an attack against Germany’s chipTAN banking system, in which bank customers were tricked into approving fraudulent transfers from their own accounts. In August, tech journalist Mat Honan had his digital life erased, as hackers social engineered Apple and Amazon call centres. In May it was reported that Czech thieves stole a 10-tonne bridge.  When challenged by police during a routine check, they showed forged documents saying they were working on a new bicycle path. In January, a fraudster obtained Microsoft co-founder Paul Allen’s credit card details by social engineering workers in Citibank call centres. In December, Wells Fargo were tricked into wiring $2.1 million to a bogus bank account in Hong Kong following a series of fraudulent

Read More

3009, 2012

DeepSec 2012 Workshop: The Exploit Laboratory – Advanced Edition

René Pfeiffer/ September 30, 2012/ Conference

Offensive security is a term often used in combination with defence, attack (obviously), understanding how systems fail and the ever popular „cyberwar“. Exploiting operating systems and applications is the best way to illustrate security weaknesses (it doesn’t matter if your opponents or pentesters illustrate this, you have a problem either way, and you should know about it). So where do exploits come from? Well, you can buy them, you can download them somewhere, or you can develop them. This is where The Exploit Laboratory comes in. Saumil Shah will teach you how exploits work – even on modern operating systems! Exploit Development is one of the hottest topics in offensive security these days. The Exploit Laboratory, in its sixth year, brings advanced topics in exploit development to Vienna this year. Arm yourself with skills

Read More

3009, 2012

DeepSec 2012 Talk: SAP Slapping

René Pfeiffer/ September 30, 2012/ Conference

DeepSec 2012 covers SAP in-depth, and we decided also to include a presentation on how to test/pen-test SAP installation. Dave Hartley will give you an overview about how to approach SAP, show you what you can do, and probably achieve complete compromise of insecure and misconfigured SAP environments by pressing buttons. ☺ SAP systems can incorporate many different modules ERP, ECC, CRM, PLM, SCM, SR, … that are installed on multiple operating systems (UNIX, HP-UX, Linux and Windows etc.) which in turn rely on many different back end databases (DB2, Sybase ASE, Oracle, MS SQL, MaxDB and Informix). There are also many different versions/application stacks (SAP Netweaver 7.1 ABAP AS, 7.2 ABAP/Java AS, 7.3 ABAP/Java AS, …). Basically SAP systems often consist of very complex architectures and employ a myriad of integration choices in order to

Read More

2809, 2012

DeepSec 2012 Talk: AMF Testing Made Easy

René Pfeiffer/ September 28, 2012/ Conference

Protocols are fun. When it comes to security, protocols are both loved and loathed. Security researchers have fun breaking them. Developers have a hard time designing them (this is why short-cuts will be taken and weaknesses are introduced). Penetration testers are sent to discover broken protocols and to exploit them. Attackers usually know some bits about protocols, too. This is where you come in. Regardless on which side you are on, you need to know, too. It’s not always about security, though. Typical software deployment or development requires testing, too. Luca Carettoni has good news for you either way. Despite the popularity of Flex and the AMF binary protocol, testing AMF-based applications is still a manual and time-consuming activity. This research aimed at improving the current state of art, introducing a new testing approach

Read More

2709, 2012

Booking Tickets for DeepSec 2012

René Pfeiffer/ September 27, 2012/ Administrivia

Regulars already know this. We use a ticket shop system for all tickets to DeepSec 2012 that can be booked online for both the conference and the workshops. We received some reports of failed bookings with various payment options, and we already informed the company responsible for the shop system. In case you encounter any errors, please report them to us via e-mail. The most important information is the time and date of your attempt (you know, logs and all that). Once we get this information we will try to figure out what the problem may be. We can also invoice you directly, but you have to tell us. Speaking of tickets, please make sure you book early. This is especially true for the trainings since some workshops are already close to being sold

Read More

2709, 2012

DeepSec 2012 Talk: Breaking SAP Portal

René Pfeiffer/ September 27, 2012/ Conference, Security

SAP products are very widespread in the corporate world. A lot of enterprises run SAP software for a whole variety of purposes. Since enterprises feature many levels of interconnection, there is also a great deal of exposing going on. Usually you do this by means of using portals. The term „portal“ is a trigger for penetration testers, because portals are the gateways to curiosity – and probably compromises. This may give an attacker access to systems that store all informations about your company and process all critical business transactions. You now have compelling reasons to attend DeepSec 2012 for we have a collection of SAP security talks and a workshop for you. Alexander Polyakov talks about how to attack SAP Portal. It is usually connected to the Internet. In turn the Internet is connected

Read More

2509, 2012

DeepSec 2012 Training: Penetration Testing with Metasploit

René Pfeiffer/ September 25, 2012/ Training

Metasploit is one of the major tools used by security researchers and security administrators when it comes to testing security or verifying the operation of intrusion detection/prevention systems. It is also used by penetration testers when trying to circumvent defences and to insert payloads into compromised systems. Everyone dealing with the implementation of security measures is well advised to learn how Metasploit works, how it can be extended and how it can be used to its full potential. Point and click is a nice theory, but when it comes to information security you probably want to know what you are really doing. We therefore invite you to take a look at this workshop held at DeepSec 2012: In the Penetration Testing with Metasploit training you will learn hands on skills that come in to

Read More

2409, 2012

DeepSec 2012 Workshop: Malware Forensics and Incident Response Education (MFIRE)

René Pfeiffer/ September 24, 2012/ Conference, Training

Malicious software is the major tool for attackers. It is used to deliver the payload so that compromised systems can be exploited and secured for executing further tasks by your adversaries. Getting to now this malicious software and finding traces of the breach is very important for dealing with a security event. Proper incident response must be part of every state-of-the-art defence strategy. So this is why we offer the Malware Forensics and Incident Response Education (MFIRE) training at DeepSec 2012. Ismael Valenzuela will be your teacher for this course. The workshop is a proactive weapon to help you normalize your environment after a negative event has occurred. Your opponents have increasingly sophisticated tools and backdoor programs at their disposal to steal your intellectual property and expose sensitive information – all with the ability

Read More

2409, 2012

DeepSec 2012 Workshop: Strategic Thinking and Assessing Risk

René Pfeiffer/ September 24, 2012/ Conference, Training

We have begun to address the increasing demand for strategic thinking by staging the first DeepINTEL event in 2012. Since we strongly believe in the importance of the „big picture“, we offer a workshop on strategic thinking and assessing risk at DeepSec 2012, too. The training will be conducted by Richard Hanson, who has a broad understanding of security concepts and best practices through both formal education and client experience. He will guide you through the two-day workshop. The training will equip you with the knowledge and tools to be able to think strategically though understanding what is important to a business and assess its risks. It will teach you techniques to conduct risks assessments and to prioritize the outcomes in a strategic roadmap. It’s not just theory. You will learn how to effectively

Read More

2009, 2012

DeepSec 2012 Workshop: Attacks on GSM Networks

René Pfeiffer/ September 20, 2012/ Conference

We are proud to follow the tradition of breaking hardware, software, code, ciphers or protocols. When it comes to mobile phone networks, you can break a lot. The workshop on Attacks on GSM Networks will show you the current state of affairs and some new tricks and developments. The attacks that will be discussed during the training are not theoretical, they are feasible and can be exploited to be used against you. Knowing about the capabilities of your adversaries is absolutely important since virtually no organisation or business runs without the use of mobile networks. What do you have to expect? Well, attendees will spend about half the time re-visiting the key aspects of GSM’s security features and their publicly known weaknesses. During the other half, attention is being paid to the hands-on practical

Read More

1909, 2012

DeepSec 2012 Schedule – In-Depth

René Pfeiffer/ September 19, 2012/ Administrivia, Conference

The schedule for DeepSec 2012 has now been online since August. The last two workshop slots have been filled with two superb training by McAfee/Foundstone. There are still some minor blind spots, but Your Favourite Editors work on this. We will start to describe every workshop in-depth with its own blog article, and we will do the same with every presentation. We will try to set every piece of DeepSec 2012’s content into perspective and context. We are really looking forward to the trainings and presentations of DeepSec 2012!