DeepSec 2016 – expect 48 Hours of Failures and Fixes in Information Security

René Pfeiffer/ November 10, 2016/ Conference, Discussion

The conference part of DeepSec 2016 has officially started. During the workshops we already discussed a lot of challenges (to phrase it lightly) for infrastructure and all kinds of software alike. The Internet of Things (IoT) has only delivered major flaws and gigantic Distributed Denial of Service attacks so far. There is even a worm for LEDs these days. And we haven started the conference preparations yet. So we have plenty of reasons to talk about what went wrong, what will go wrong, and what we can do about it. The world of information security is not always about good news. Something has to break, before it can be repaired – usually. Systems administrators know this, for some it’s their daily routine. Nevertheless we hope everyone at DeepSec gets some new insights, fresh ideas,

Read More

DeepSec2016 Talk: Of Mice and Keyboards: On the Security of Modern Wireless Desktop Sets – Gerhard Klostermeier

Sanna/ November 3, 2016/ Conference, Internet, Security

Wireless desktop sets have become more popular and more widespread in the last couple of years. From an attacker’s perspective, these radio-based devices represent an attractive target both allowing to take control of a computer system and to gain knowledge of sensitive data like passwords. Wireless transmissions offer attackers a big advantage: you don’t have to be around to attack something or someone. Plus the victims often don’t know what it happening. At DeepSec 2016 Gerhard Klostermeier will present the results of research on the matter of wireless mouse/keyboard attacks. Furthermore you he will demonstrate ways in which modern wireless desktop sets of several manufacturers can be attacked by practically exploiting different security vulnerabilities. We recommend this talk to anyone still using old-fashioned input devices for creating content. Gerhard is interested in all things

Read More

DeepSec2016 Workshop: Offensive PowerShell for Red and Blue Teams – Nikhil Mittal

Sanna/ October 14, 2016/ Conference, Security, Training

Penetration Tests and Red Team operations for secured environments need altered approaches, says Nikhil Mittal. You cannot afford to touch disks, throw executables and use memory corruption exploits without the risk of being ineffective as a simulated adversary. To enhance offensive tactics and methodologies, PowerShell is the tool of choice. PowerShell has changed the way Windows networks are attacked – it is Microsoft’s shell and scripting language available by default in all modern Windows computers and can interact with .Net, WMI, COM, Windows API, Registry and other computers on a Windows Domain. This makes it imperative for Penetration Testers and Red Teams to learn PowerShell. Nikhil Mittals training is aimed towards attacking Windows networks using PowerShell. It is based on real world penetration tests and Red Team engagements for highly secured environments. We asked Nikhil

Read More

DeepSec2016 Workshop: Secure Web Development – Marcus Niemietz

Sanna/ September 21, 2016/ Development, Security, Training

The World Wide Web is everywhere. It has become the standard protocol for transferring data, accessing applications, configuring devices, controlling software, or even multimedia streaming. Most software development can’t be done without web applications. Despite the easy concept the technologies used in „HTTP/HTTPS“ have grown in very complex beasts. Few get it right, lots of developers make mistakes and end up at the wrong side of a security presentation at a conference. Fortunately there is help. We offer you a workshop at DeepSec 2016 to make your web software development great again! The “Secure Web Development” training by Marcus Niemietz systematically covers the OWASP Top 10 threats as well as threats, which may be important in the future (e.g. HTML5 and AngularJS attacks). At the end of the training each attendee will be able to create her/his

Read More

DeepSec 2016 Workshop: Hacking Web Applications – Case Studies of award-winning Bugs in Google, Yahoo!, Mozilla and more – Dawid Czagan

Sanna/ September 2, 2016/ Conference, Internet, Security, Training

Have you been to the pictures lately? If so, what’s the best way to attack an impenetrable digital fortress? Right, go for the graphical user interface! Or anything exposed to the World Wide Web. The history of web applications is riddled with bugs that enable attackers to do things they are not supposed to. We bet that you have something exposed on the Web and even probably don’t know about it. Don’t worry. Instead attend the DeepSec training session „Hacking Web Applications“ conducted by Dawid Czagan. He will teach you about what to look for when examining web applications with a focus on information security. This hands-on web application hacking training is based on authentic, award-winning security bugs identified in some of the greatest companies (Google, Yahoo!, Mozilla, Twitter, etc.). You will learn how bug hunters

Read More

Buy your ticket for 44CON – and go to prison for free!

René Pfeiffer/ August 31, 2016/ Administrivia, Conference, Security

Forget Winter! 44CON is coming! The conference will be 14 to 16 September 2016 in London. The schedule is online. Take a look! This year’s 44CON also features a Capture The Flag (CTF) contest. It is hosted by the UK Ministry of Justice. Your mission, should you decide to accept it, consists of breaking into a prison! 20 teams have announced to participate. Sounds terrific, if you ask us. We will be there as well. So grab a ticket, cross the Channel, and we’ll meet in the lobby or, better yet, at the registration desk. Spread the word!

DeepSec 2016 – Thank you for all your submissions!

René Pfeiffer/ August 6, 2016/ Conference, Security

The DeepSec Call for Papers closed on 31 July 2016. We are currently reviewing the content. Thank you very much for your participation! The talks and workshops look awesome. We have a hard time deciding what will be part of the schedule and what has to be postponed. For everyone who has missed the deadline, you can  still submit your talk or training. However we will consider all the others first. Prepare for a fantastic DeepSec 2016!

A Perspective on Code and Components – assert(), don’t assume()

René Pfeiffer/ July 21, 2016/ Development, Discussion, High Entropy

Have you ever looked closely at the tools you use on a daily basis? Taking things apart and putting them back together is an integral part of understanding the universe. Scientists do it all of the time (well, at least some do, there are things that can’t be put together easily once taken apart). So lets focus on components and how they interact. ASN.1 and libraries that deal with it are popular components. Few people get a kick out of ASN.1, so they use code that does it. It’s just an example for parts that handle data being sent to and received from other systems. We live in a networked world, so communication is a crucial part of modern software. So to use business lingo: Most software works by delegating tasks to third-party code.

Read More

Early Birds, save the Date! BSidesVienna has opened the Call for Papers!

René Pfeiffer/ June 24, 2016/ Call for Papers, Conference

Grab your calendars, you have to be in Vienna on 12 November 2016! BSidesVienna is accepting your submissions for an awesome community conference. The range of topics is wide, so don’t ask yourself “Is this interesting or not?” – just submit and come to Vienna in November! While you are preparing your submission, you might want to make some extra space in your calendar for DeepSec 2016. The submission we got so far look great. Crypto, the Internet of Stuff (IoT), exploit labs, pentesting training, and more waits for you. Make sure you get the Early Bird prices for your tickets!

BSides London 2016 – Schedule

René Pfeiffer/ June 4, 2016/ Conference, Security

In case you haven’t noticed, the London BSides schedule is up. The Rookie track starts right with the most important part of information security – opsec. Behaviour is on a par with expensive security hardware and your favourite protection software. Wearables, video games, hidden data, malware mythbusting, and more follow next. The main schedule features presentations about the impact of TOR/I2P traffic to your servers (think or best forget about CloudFlare), methods used by options advanced attackers, attacking Low Powered Wide Area Network (LPWAN) devices used for smart / IoT stuff, malicious software, static code analysis, threat analysis, the temptation of containers, and honey pots. There’s ample of content for everyone looking for new ideas. Don’t miss the opportunity!

DeepSec Video: Visualizing Wi-Fi Packets the Hacker’s Way

René Pfeiffer/ March 3, 2016/ Communication, Conference, Security, Stories

Like the Force wireless data/infrastructure packets are all around us. Both have a light and a dark side. It all depends on your intentions. Lacking the midi-chlorians we have to rely on other sources to get a picture of the wireless forces in and around the (network) perimeter. At DeepSec 2015 Milan Gabor held a presentation about visualisation of wi-fi packets: Today visualizing Wi-Fi traffic is more or less limited to console windows and analyze different logs from an aircrack-ng toolset. There are some commercial tools, but if we want to stay in the Open/Free Source Code (FOSS) area we need to find better solutions. So we used ELK stack to gather, hold, index and visualize data and a modified version of an airodump tool for input. With this you can create amazing dashboards,

Read More

DeepSec Video: HackingTeam – How They Infected Your Android Device By 0days

René Pfeiffer/ February 20, 2016/ Conference, Discussion, High Entropy, Security

Backdoors are very popular these days. Not only cybercrime likes extra access, governments like it too. There’s even a lucrative market for insecurity. You can buy everything your IT team defends against legally. Hacking Team is/was one of the companies supplying 0days along with intrusive software to take over client systems. Attila Marosi explained at DeepSec 2015 how products of Hacking Team were used to attack and compromise Android clients. There is no need to make a long introduction when speaking about the famous Remote Control System (RCS), the product of the Italian company Hacking Team. The huge amount – 400 GB – of leaked data gives rise to lengthy discussion and is extremely concerning for every part of the professionally, politically or even those superficially interested only. Enjoy Attila’s presentation. Be careful about

Read More

DeepSec Video: Hacking Cookies in Modern Web Applications and Browsers

René Pfeiffer/ February 9, 2016/ Conference, Internet, Security

Cookies are solid gold when it comes to security. Once you have logged in, your session is the ticket to enter any web application. This is why most web sites use HTTPS these days. The problem is that your browser and the web applications needs to store these bits of information. Enter cookie hacking. A lot has changed since 1994,  and Dawid Czagan of Silesia Security Lab held  presentation at DeepSec 2015 about what you can and cannot do with cookies in modern web applications and browsers. Learn about user impersonation, remote cookie tampering, XSS and more. .

DeepSec Video: File Format Fuzzing in Android – Giving a Stagefright to the Android Installer

René Pfeiffer/ February 6, 2016/ Conference, Security

The Stagefright exploit haunts the Android platform. The vulnerability was published in Summer 2015. It gives attackers a way to infect Android smartphones by using multimedia files such as pictures, text, and videos. This is a perfect vector since most people will look at media instantly. Dr. Aleksandr Yampolskiy gave a presentation at DeepSec 2010 about malicious software hidden in multimedia (the talk was aptly titled Malware goes to the Movies). So what if there are more bugs like this in the Android platform? Enter fuzzing technology. Alexandru Blanda spoke at DeepSec2015 about fuzzing on the Android platform. This approach can be used to uncover different types of vulnerabilities inside multiple core system components of the Android OS. Since these vulnerabilities affect critical components of the Android system, the impact of the results will

Read More