0504, 2011

BSidesVienna: Call For Papers

René Pfeiffer/ April 5, 2011/ Administrivia, Conference

In the wake of the 23rd annual FIRST conference there will be a B-Sides Vienna event together with the NinjaCon 11, 3rd edition. The B-Sides Vienna will be on June 18th, as will be the NinjaCon 11. The Call For Papers is now open and we ask you to submit your material! At B-Sides Vienna aka NinjaCon 11, we’re looking forward to see a selection of trainings, hands-on workshops, 50-minute presetations and 15-minute lightning talks. As we understand ourselves as an open, international event, the official conference language for all talks, trainings and workshops (as well as submitted abstracts), as always, is English. Topics of interest include (but are in no way limited to) the following: Information technology, network security, web application security, virtualisation and cloud computing, innovative attack strategies, forensics, embedded devices, physical

Read More

1703, 2011

Hacking Transportation Devices – 0wning Cars!

René Pfeiffer/ March 17, 2011/ Security, Stories

Last Summer we published a short article about an experimental study of modern car sensors systems and their security. Researches took a modern car, connected to the internal data bus and tried to do some hacking. They were able to manipulate on-board systems up to controlling the brakes and the engines. The study shows that once you have access to the (internal) network, you can do things that were most probably never anticipated by the designers. Arguably the risks of these kind of attacks is rather low – for now. However if you think about the Internet, software working in networked environments or the plethora of devices that can be connected to computers, then the number of attack vectors increases. This is not breaking news. You can see this trend in the wonderful world

Read More

1603, 2011

Reminder: Mind2Mind Event I/2011 – „Wir werden Sie belauschen!“

René Pfeiffer/ March 16, 2011/ Communication, Veranstaltung

This is a short reminder of our local Mind2Mind event about the technology means of espionage in companies and organisations. The talk will be held by Wolfgang K. Meister of VOXCOM (and will be in German). Mr. Meister will address eavesdropping devices, microphones, attacks on telephone communication (VoIP, ISDN, analogue, 2G/3G), peculiarities of mobile phone networks and attacks on Internet communication, local computer systems and IT infrastructure. He will also discuss countermeasures. Dies ist eine kurze Erinnerung an unseren lokalen Mind2Mind Event „Wir werden Sie belauschen!“, der die Technologie von Spionage und Lauschangriff an Unternehmen und Organisationen beleuchtet. Der am Abend stattfindende Vortrag von Herrn Wolfgang K. Meister der Firma VOXCOM beschäftigt sich mit Wanzen, Mikrofonen, Aufnahme von Körperschall, Funk, Angriffen auf Telefone (VoIP, ISDN, analog, 2G/3G), Eigenheiten von Mobilfunknetzwerken und Attacken auf IKT

Read More

1403, 2011

DeepSec 2011 – Call for Papers out soon

René Pfeiffer/ March 14, 2011/ Administrivia, Conference

We’re currently working on the Call for Papers for DeepSec 2011. The conference will take places from 15 to 18 November 2011, so you might want to save this date and mark it in your calendar. Mobile gadgets, the wonderful world of app stores filled with mal- and software, infrastructure and information war(rez)fare are top on the list of Things To Watch Out For™. We will sum up what we’re after in the CfP published on our new web site.

1203, 2011

Rare Catastrophic Events and Infrastructure

René Pfeiffer/ March 12, 2011/ High Entropy

Most security administrators have to deal with risks and their management. If you read the news, then you will hear about lots of things that can go wrong for a multitude of reasons. A common tactic to get the required budget for securing infrastructure is to collect some horror stories and present them to management. Basically this is a polite form of blackmail. It might work, but there’s already enough fear and uncertainty spread through various media channels and word of mouth (or both). Now if you’re really interested in more stories about the End of your Data Days, why not go for earthquakes and global warming? Asteroids will do fine, too. But seriously, there’s some real thoughts behind this idea. The Internet is not strongly bound by geographical boundaries. The data of most

Read More

1502, 2011

The Antivirus-Virus Conundrum

René Pfeiffer/ February 15, 2011/ Security

Last week the EU’s statistics office published statistical data about the state of anti-virus protection and virus infections. According to the figures nearly a third of Europe’s PCs carry some kind of malware. Although it is difficult to assess the accuracy or methods of studies, this figure is hardly surprising. Anyone who has ever dealt with filtering messages, web content or any other data entering the perimeter of your network knows about the positives and negatives, be them false or true. The problem starts with UBE/UCE (a.k.a. spam) filtering and continues right into the domain of malware. Just as their biological counterparts a computer malware, indiscriminately called virus, changes its shape and flavour. We had a talk from Joan Calvet about the Tripoux project. They analyse malware packers. If you have seen the branch

Read More

0402, 2011

The Networks as Tool and Target at the same time

René Pfeiffer/ February 4, 2011/ Internet, Security

Unless you have been without access to the Internet, mobile network(s) and independent media you’ve probably followed the events in Egypt. The shutdown of the Internet throughout the country was an unprecedented move. It took some people by surprise, but anyone with a decent knowledge of routing protocols knew what was going on. There was no magic involved, just simply BGP packets. The aftermath of the still ongoing demonstrations and the show of force can already be seen. The Internet is gaining relevance when it comes to infrastructure. It’s not as important as telephone networks or the power grid, but sooner or later it probably will (especially since phone and power grid services move to the Internet for messaging/transport purposes). The lack of Internet connectivity was bypassed by telephone lines. Dial-up connections with modems

Read More

0302, 2011

Mind2Mind Event I/2011 – „Wir werden Sie belauschen!“

René Pfeiffer/ February 3, 2011/ Veranstaltung

Wir beginnen im März mit der ersten Mind2Mind Veranstaltung. Es handelt sich dabei um lokale Events in Wien, bei der wir ein bestimmtes Thema mit Bezug auf Sicherheit miteinander und gegeneinander diskutieren möchten. Der erste Mind2Mind Vortrag handelt um alltäglichen Lauschangriff, den viele unterschätzen: Der elektronische Lauschangriff ist nicht nur ein Instrument von Behörden oder Politik. Oder etwa doch? Lassen Sie uns Fiktion und Wirklichkeit mit handfesten Fakten vergleichen. Der Experte Wolfgang K. Meister der Firma VOXCOM möchte Unternehmer, Angestellte und weitere Betroffene über die Situation fernab von Spielfilmen aufklären. Hollywood ist nicht die Realität. Jedoch sind nicht nur ehemalige Finanzminister potentielle Ziele von Abhöraktionen, es kann auch uns betreffen, wenn auch vielleicht nicht direkt. Zwei große Firmen wollen die Machenschaften des jeweils andren auspionieren? Warum nicht über eine Überwachung eines gemeinsamen Nenners? Vielleicht

Read More

1501, 2011

FIRST Conference in Vienna

René Pfeiffer/ January 15, 2011/ Conference

2011 is already in full swing. That’s why we have an announcement for you. The 23rd annual FIRST Conference will take place in Vienna, Austria. We strongly recommend to participate. IT security never sleeps, and neither should you – at least when it comes to getting new ideas and get into touch with others. We will be there, so it would be great to meet you. Make sure you drop us a line, so we know you are around. If you have material for a lightning talk, there’s still time to get a slot. You just have to contact the conference office by e-mail. The address can be found on the conference program web site.

0101, 2011

Welcome to 2011!

René Pfeiffer/ January 1, 2011/ Misc

Welcome to the new year 2011! Hopefully you have arrived safely and in the best of spirits. We wish you a happy new year! And we look forward to see if the forecast with predicted security nightmares for 2011 will turn into reality. There’s definitely a chance.

2712, 2010

27C3 and Misunderstandings about Security

René Pfeiffer/ December 27, 2010/ Conference, Security

We’ve hooked a computer to the video stream of the 27C3 conference. Currently we’re listening to the keynote speech which touches a relevant topic for security issue. Are you happy or are you unhappy? It sounds a bit strange, but usually happy people have nothing to worry about. So in turn it does make sense not to worry people. The examples given in the keynote were electronic voting machines. The process of selecting a government by anonymous voting is a cornerstone of democracies. This is exactly why electronic voting must not happen through black boxes. India has already threatened (and arrested) security researchers who analyse the security of the voting machines used in the country. Electronic voting is only one example. Another one is the publication about the broken chip and PIN design of

Read More

1612, 2010

Conference aftermath, slides and more

René Pfeiffer/ December 16, 2010/ Administrivia

We have been busy dealing with the aftermath of the conference. This has been mainly collecting the presentation materials and preparing the speaker reimbursements. We aim to get as much done as possible in December. So far there haven’t been any nasty suprises or delays. Some of you have asked for the slides of the talks. The speakers gave us more than two thirds of the material yet. We’re still collecting and reminding. We have planned to publish the whole collection (including the archives from DeepSec 2007, 2008 and 2009) in February 2011 along with our new web site. There’s too much cruft in our web tubes to handle this differently. If you really want the documents in advance, let’s say for your long and boring Winter evenings, then drop us a few lines

Read More

2711, 2010

Press Conference – Impressions and Links

René Pfeiffer/ November 27, 2010/ Press

We’ve got some news from yesterday’s press conference with Ivan Ristić (Qualys), Sharon Conheady (First Defence Information Security Ltd.) and Harald Welte (hmw-consulting) followed by a seven interviews with speakers was a great success. The spirit of DeepSec – bringing people (security experts and journalists in this case) together to talk to each other – was felt every second. Here are the first links to coverage in German media: “Unverschlüsselte Internet-Kommunikation ist fahrlässig” Deepsec 2010: Sicherheitskonferenz im Zeichen mobiler Systeme DeepSec: Faktor Mensch als Sicherheitslücke DeepSec 2010: Interview mit Sharon Conheady zum Thema Social Engineering Krieg von der Couch

2611, 2010

DeepSec Photographs – have a look!

René Pfeiffer/ November 26, 2010/ Conference

There are some people running around with digital cameras here at the conference. Check out these impressions: Tienod’s preview Sven’s pictures ChrisJohnRiley @ Flickr If you have some photographs online, drop us a note. All your images are belong to us.

2311, 2010

The workshops have started!

René Pfeiffer/ November 23, 2010/ Administrivia

We’re near the end of the first day of workshops. We got a smooth start and the mood is great. Wi-Fi is up and running, we got a radio uplink with 32 MBit/s in both directions.¹ The GSM guys have their demonstration set-up up and running. We suspect the social engineering goes well (we can’t tell, we only see smiling faces and awfully nice persons in there). Our ISP enabled Marc to set-up the 6to4 tunnel for the IPv6 security/pentesting workshop. Mariano teaches his class how to determine if their (or your) business-critical SAP implementation is secure. If you are a really late booker, we still accept registrations for the conference, either by our online ticketing service or by ¹ When on site, look for ESSIDs DeepSec2010, DeepSec2010a, DeepSec2010g and DeepSec2010N (no encryption, bring

Read More