0709, 2010

DeepSec conference focuses on the precarious security situation in the world-wide mobile phone network

René Pfeiffer/ September 7, 2010/ Press

DeepSec 2010 features 33 talks and 8 workshops by international experts Vienna, 31 August 2010. The international security conference DeepSec brings together the world’s elite in network security and hacking in Vienna from 23 to 26 November 2010. This year, the conference focuses on the security of mobile systems and their users, as well as on the next-generation infrastructure. IT and security companies, users, officials, researchers and the hacker community have the opportunity to take part in the conference with 33 talks and 8 workshops scheduled this year. “We are happy to offer for the fourth time so many experts the chance to exchange ideas and experiences on the most important security issues of everyday IT work in our modern days”, says René Pfeiffer, organiser of DeepSec. Live attacks on iPhone through a weak

2908, 2010

It’s tiem*) again: NAT66

Mika/ August 29, 2010/ Internet, Security

ITT *) : NAT66 (picture unrelated) In this thread we discuss NAT Maybe the picture is related. We all want to have our communications as safe as possible and we choose appropriate security mechanisms to achieve this goal. We follow “Best Current Practices”, recommendations from security experts and we follow traditions in our own organization. And there is an old tradition, maybe too old to get it out of our heads: NAT will add to security. It will not. Full stop. No Discussion. The topic has been closed long ago and there is no need to microwave it and serve it as a quick midnight-snack just because you feel a little bit hungry, just because you have the feeling there is something missing. We are living on a new diet in the IPv6 world.

2708, 2010

Are Hackers Speeding on the Information Highway?

Mika/ August 27, 2010/ High Entropy

(or “Has our Security Crashed?”) I just came back from a discussion with our national CERT and took some thoughts back home: (TL;DR section at the end) I have the impression, that some of our security mechanisms, which seemed so sturdy and and healthy until recently, are turning soft and weak in our hands. The developments in the last few years were definitely on the fast lane, breaking all speed limits and no data-highway patrol was there to stop them from speeding. The traditional approach to define security mechanisms (let’s call them technical controls) doesn’t really seem right to me any more: Raise the bar to a level, where the remaining risk is acceptable for the next “X” years, assuming that technology advances at a certain rate. (Use a reasonable number of years for

2008, 2010

Schedule for DeepSec 2010 published

René Pfeiffer/ August 20, 2010/ Schedule

Reviewing the submissions took us a while longer than anticipated. The reason was the high-quality content you submitted. We had to make some tough decisions and could have easily filled three or four days of In-Depth security talks and many more workshops. We hope that the schedule we published yesterday satisfies your interest and gives some CIOs something to think about. We tackle the security of the GSM network (which is failing, as was reported at DeepSec 2009 already). We also show you how to probe the security of GSM networks (there’s a whole two-day workshop if you want to dive into the gory details). Watch out for remote binary planting! Just yesterday Mitja Kolsek reveiled that about 200 Microsoft Windows applications are vulnerable to remote code execution. We deal with SAP security by

1108, 2010

CfP revision is almost done

René Pfeiffer/ August 11, 2010/ Administrivia, Schedule

We’re almost finished with the review of presentations and trainings submitted via the Call for Papers form. Everyone will get a notification during the next couple of days. You really sent us a lot of high-quality content, and we are proud to set the stage for your research results. Some vendors might not be as happy as we, but let’s see what happens. Expect the preliminary schedule soon.

0208, 2010

Sneak Preview – your cellphone can be tapped

René Pfeiffer/ August 2, 2010/ Schedule, Security

You probably have a cellphone. Your company might even provide an additional one. Your boss most certainly uses a cellphone. What do you use it for? Do you share details about your private life via phone conversations? Did you ever talk to a business partner about confidential offers? Do you rely on cellphone when it comes to important messages? If so you might be interested in hearing some news about the state of security of mobile networks. Most of them are broken, outdated or both when it comes to security. Details of the security issues have been presented at DeepSec 2009 by Karsten Nohl. During Defcon18 in Las Vegas a security researcher successfully faked several attendees’ cell phones into connecting to his phony GSM base station during a live demonstration that had initially raised

0108, 2010

Hole196 debunked?

Mika/ August 1, 2010/ Security

(Warning: some technical details, not suited for the TL;DR type of audience) “WPA2 vulnerability discovered” was a headline that caught my attention for several reasons: Someone detected a security flaw in 802.11 RSNA (vulgo “WPA2”) that slipped Chuck Norris’ attention for 3 years (replace the name with any respected security researcher). It’s from a Best-of-breed, Award-winning, World-market-leader etc… company. Reminds me of the CfP submission we received from Ligatt Security. But maybe (hopefully) I’m wrong. Virtually all results of the search engine you prefer point to a copy&paste of the press release without any details (as of Jul 28th). Is this just a result of our copy&paste journalism? I have the impression, that nobody verified the possibility in detail. For example JJ from “Security Uncorked” writes (although expressing clear doubt about the impact): “Without

2807, 2010

How to secure Wireless Networks

René Pfeiffer/ July 28, 2010/ Security

You have probably followed the news and heard about AirTight Networks’ demonstration of the WPA2 design flaw. What does this mean for operators of wireless networks? Do you have to care? Do you feel threatened? Is there a way to feel better again? First take a look what the design flaw means and what the attack looks like. Hole 196 means that „an insider can bypass WPA2 private key encryption and authentication to sniff and decrypt data from other authorized users as well as scan their Wi-Fi devices for vulnerabilities, install malware and possibly compromise those Wi-Fi devices”. So an attacker has to be authenticated before she can use the exploit. This does not mean that „WPA2” is compromised entirely (yet). It just means that we (maybe) deal with a design flaw. Attacking „WPA2”

1707, 2010

In-Depth Security Conference DeepSec Tackles Mobile Data Assaults

René Pfeiffer/ July 17, 2010/ Press

Vienna – it’s the 4th time that the international IT security conference DeepSec calls the world’s elite from the sectors Network-Security and Hacking together. From the 23rd until the 26th of November 2010 the conference focuses on mobile security (for users and gadgets alike) and Next Generation Infrastructure. „After the success of DeepSec 2009 we try once again to present exciting and controversial topics. It’s our aim as a neutral platform to bring Hacker-Community, IT- and Security companies, users, government agencies and researchers together to interact and exchange experience and thoughts in workshops and talks.”, prompts René Pfeiffer – one of DeepSec’s organisers. The call for papers is still going until the 31st of July and young security researchers can register for special support in this year’s U21 programme (U21 means under 21 years

0107, 2010

Sneak Preview – Workshop about Advanced PHP Security

René Pfeiffer/ July 1, 2010/ Schedule

Our CfP ends on 31 July 2010, so we start publishing information about some of the submissions in advance. We got the confirmation from Laurent Oudot, founder of TEHTRI-Security, concerning the Advanced PHP Hacking training. The workshop will deal with breaking into PHP environments, methods of attackers once they are inside, defense against intruders and real hack simulations. This is a hands-on exercise guided by TEHTRI Security experts. Everyone running, developing or auditing PHP web applications should attend. Knowing how attacks work is the first step of avoiding them. When it comes to web applications, there is no silver bullet. You have to deal with the hosting environment, known about possible vulnerabilities, learn about the tools attackers use and then you can tune your defenses. Code analysis, filters, fuzzing, NIDS and hardening alone are

2406, 2010

Native Code Protection and Security

René Pfeiffer/ June 24, 2010/ Development, Internet

The Mozilla vice president of products announced that Firefox doesn’t need to run native code anymore when it comes to plugins. The idea is called crash protection for it aims to keep the web browser alive when a plugin fails to run correctly. At the same time the magical words about the future being in the hands of (open) web standards and HTML5 are uttered. What does this imply in terms of security? Is there any benefit? The thought of having more reliable web browsers is certainly tempting. It is also true that overloading the browser with plugins increases the „angle of attack” to the point of stalling or most probably catching some malware floating around on the Web. The message seems to be that seperating vulnerable plugins from the browser doesn’t rule out

1906, 2010

Call for Papers – Reminder

René Pfeiffer/ June 19, 2010/ Schedule

Our Call for Papers is still running until 31 July 2010. We already have some very interesting talk and workshop submissions. Two experts cover the black magic of the last mile and network backbones. Clearly this is critical infrastructure and is often neglected when implementing security measures. Few administrators put their firewalls in front of the ISP’s modem. There are attacks against infrastructure. Wireless networks illustrate this problem very well. Strangely when it comes to wired networks people think of them as more secure. True, wired connections cannot be accessed through thin air, but this doesn’t immunise them against threats on the infrastructure level. Routing protocols, administrative interfaces, unpatched firmware, bugs, noisy broadcasts and network design errors can lead to a fertile ground for a compromised network well before your firewall kicks in. So

0406, 2010

Hello, Internet!

DeepSec Organisation/ June 4, 2010/ Administrivia

The DeepSec organisation team has started their own blog! We try to publish some information around our conference and about all things related to security (or simply everything related to broken things). Stay tuned!

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this: