Since DeepSec 2011 has ended and we still want to have a chat with you, let’s meet at the party! It takes place at the Metalab, a local hacker space next to the town hall. We have music, we have stuff to drink, we got access to the Intertubes, we got lots of nice people, and even more reasons to have some fun! Don’t miss it!
The DeepSec 2011 has ended. We enjoyed meeting all of you and hope to have fulfilled our role as a catalyst. We had some great talks, great discussions, and shared thoughts, insights and different views concerning security and insecurity alike. We hope your professional paranoia doesn’t keep you from getting sleep. We will follow the press coverage in our blog and link to articles. Golem has produced video interviews which will be published soon. Our own video team will retreat to the rendering farm and post-process the raw video data. As soon as we have collected all slides from our speakers, we will put them to the archive (and publish the link). We thank all the speakers for the superb material they presented! Without talks there would be no DeepSec at all. We thank
For all of you who frequently visits „hacking hot spots“ this should be familiar. For all others who blindly trust the Net it should be a wake-up call. Here’s a short and probably incomplete check-list in case you are preparing for DeepSec 2011 or any other event with a public Internet access (the CCC has a more complete list on their event web site). Secure your operating system (vendor and type doesn’t matter). Backup your data. Do run a firewall or a similar filter on your device (vendor and type doesn’t matter). The hostile network starts right at your antenna or Ethernet jack (again regardless of vendor and layer 1 technology). Try to use a VPN tunnel to a trusted network (such as your company or home network). Tunnel all traffic through your VPN
Du 15 au 18 novembre 2011, la cinquième édition de la conférence DeepSec réunira les plus grands spécialistes internationaux de la sécurité des réseaux et du piratage autour du thème de la sécurité informatique. Les principaux sujets abordés: techniques de cryptage des cellules terroristes, sécurité des systèmes de communication mobiles et de leurs utilisateurs et enfin, infrastructures de sécurité de la prochaine génération numérique. “Nous avons voulu, cette année encore, aborder des thématiques passionnantes et sujettes à controverse. Les sept workshops et les trente-quatre interventions de la conférence concernent directement ou indirectement une grande partie de la population” explique René Pfeiffer, organisateur du DeepSec. “C’est le cas notamment des tentatives de piratage constatées sur les réseaux GSM. C’est également le cas des problèmes de sécurité rencontrés sur IPv6 (Internet Protocol version 6), un protocole
We did an interview with Radio Netwatcher. You can listen to it on 25 October 2011 at 1800 CEST on radio ORANGE 94.0 (Austria and other countries where the content is syndicated). The interview is in German. It covers the 0zapftis trojan horse, malware in general, security (of course), DeepSec 2011 and the Austrian Big Brother Awards. Wir haben Radio Netwatcher ein Interview gegeben. Man kann es am 25. Oktober 2011 um 1800 (CEST) auf Radio ORANGE 94,0 hören (hier in Österreich und in anderen Ländern, wo der Inhalt auch ausgestrahlt wird). Der Interview wurde in deutscher Sprache gegeben. Es umfaßt den 0zapftis Staatstrojaner, Schadsoftware im Allgemeinen, Sicherheit (natürlich!), die DeepSec 2011 und die österreichischen Big Brother Awards.
Press release: From the 15th until the 18th of November international IT-security experts and hackers will meet again in Vienna, Austria, to discuss strategic security topics. The schedule is confirmed: At this year’s international IT-security conference DeepSec, the main focus lies on strategic security topics. DeepSec 2011 takes place from the 15th-18th of November, it’ll be the 5th time that world’s elite in network-security and hacking comes together. Encryption techniques used by terrorists, secure use of mobile devices and the security awareness of their users as well as future security-infrastructures are main topics of this year’s DeepSec. “As in the years before we want to present exciting and controversial topics which concern not only experts, but most of us directly or indirectly in 7 workshops and 34 talks.” says René Pfeiffer, organiser of DeepSec.
We’ve already published the preliminary schedule for DeepSec 2011. Most of the speakers have already confirmed their presence at the conference, but we are still waiting for e-mail. While preparing the schedule we’ve asked for more descriptions, and we will describe the talks and workshops in slightly more detail in the blog. We know that some of the titles deserve a closer look, especially since we got very interesting topics to talk about. During the next weeks we will dedicate a whole blog article to each and every slot in our schedule. Stay tuned! Please make sure that you don’t miss the early-bird rates. Tickets at reduced prices are still available until mid-September 2011!
Finally we have reviewed all your submissions, and we have published a preliminary schedule on our web site. We have not filled all workshop slots, because some of the workshop submissions are still under review and some submitters have been asked for further material. We wish to express our deepest thanks for your submissions! We received much more than we possibly can squeeze into the conference schedule, most of the material being absolutely new and of high interest. We had a hard time rejecting talks, so don’t be sad if you couldn’t make it this time. So, to everyone whose submission was rejected: We will contact you again. The topics range from encryption, attacking mobile devices, IT compliance management, SAP weaknesses (yes, SAP deployments can be attacked, really), cyber-peace (we’re curious as well), insights
In case you have not yet prepared a submission for DeepSec 2011, please consider to do so. The deadline is approaching! We have already received submissions, but we have a hard time believing that everything is secure out there. That can’t be, you know it, and we know it. Submit your in-depths talks and workshops, give our programme committee some work to do, and maybe we can even have some in-depth lulz, who knows. Speaking of security and design flaws, don’t forget the ubiquitous web interfaces. Everyone and everything has a web interface – your bank, your government, your routers, your servers, your average smart meter (measuring electricity/water/gas consumption), your printers, your household appliances, your TV set, your video/audio player and possibly a lot of devices you are unaware of. Of course, feel free
A few days ago we uploaded the keynote speech held by Matt Watchinski at DeepSec 2009. The title was: „Technology Won’t Save You, Only People Will“ This statement can be turned into the opposite: Technology won’t threaten you, people will. We’re not talking about threats from insiders turned rogue. We are talking about holes in your defence because of badly configured or mishandled security devices and software. This has nothing to do with being Bastard Operator from Hell and putting the blame on the users or colleagues. A modern company infrastructure has to deal with a lot of complexity all by itself. Adding security won’t reduce this complexity. Adding badly designed user interfaces (for security devices and options), confusing status/error messages and hardly comprehensible settings will most certainly increase the risk of security incidents.
The registration for DeepSec 2011 is now officially open. You can register for the conference, workshops or both. We offer three booking phases: Early Bird, Regular and Last Minute. Please keep in mind that the Early Bird tickets are the cheapest. The longer you wait, the more you have to pay. Since the Call for Papers is still running the workshop slots are empty, but you can buy workshop or conference+workshop tickets now and decide which workshop you want later (when we publish the schedule). If you have any questions, drop us a few lines.
Wir, Chris John Riley und René Pfeiffer, waren bei Radio Netwatcher zu Gast um etwas über Sicherheit, Datenpannen und die zunehmende Präsenz der eigenen Daten im Internet zu reden. Anlaß waren die Ereignisse der letzten Wochen in Sonys Playstation Netzwerk, bei den Auth Tokens der Facebook Apps sowie bei Googles Android Betriebssystem und vieles mehr. Hersteller und Behörden versprechen sehr viel, aber wenn man einige der vergangenen Katastrophen als Vergleich nimmt, dann fragt man sich zu Recht nach der Sicherheit. Wie sicher ist man im Internet? Das hängt davon ab, wie üblich, aber wir haben versucht einige Antworten zu geben (und da wir das Internet täglich benutzen, gibt es vielleicht etwas Hoffnung). Die Sendung ist auf Radio Orange am Freitag um 13:00 Uhr zu hören. Darüber hinaus möchten wir auf die bevorstehende BSidesVienna |
Have you lost track of the risks that may or may not impact your security? How good are the facts you base your security decisions on? Does your organisation follow defined procedures in terms of deploying, monitoring or evaluating security measures? Who decides what’s next and what’s being phased out? Is there a way to get more sleep while fencing off risk factors at the same time? It’s very easy to get lost in the details and drown in the various tools of the security trade. Every day something happens. A single 0day can ruin your meticulously designed schedule. It would be nice to get a grip on the dynamics and introduce more stability. CIOs need to address the Big Picture. That’s exactly why we mentioned security management in our CfP. We’d like to
Tomorrow we will present a review talk about the state of mobile network security. The talk will be held at the Linuxwochen in Eisenstadt. We will address results discussed in the past DeepSec conferences (including work of Karsten Nohl, Harald Welte, David A. Burgess, Sylvain Munaut, Dieter Spaar, Ralph-Philipp Weinmann and others). If you understand German we recommend listening to Chaosradio Express #179 where Karsten explain to Tim Pritlove the state of GSM security over a period of 130 minutes. Slides of our talk will be available after the Linuxwochen. Update: You can download the slides here. There’s a simple audio recording available as well (MP3 or OGG).
Recently we mentioned the topic of mobile security in this blog since it keeps being addressed by security researchers. Now there’s something that can be combined by networking, defective by design and mobile security. German security researcher from the University of Ulm have explored a flaw in Google’s ClientLogin protocol. The initial idea stems from Dan Wallach, who took a closer look at the transmissions of an Android smartphone. The authentication token is sent via unencrypted HTTP which means it can be seen by attackers on the same network. Since the token is your key to online services and is probably used by apps dealing with your calendar, contacts or private pictures, an attacker has full access to this data (or any other data an app deals with via the network). Reading, manipulating or