1410, 2016

Smart Homes are the battlefield of the future – DeepSec Conference examines the Internet of Things

Sanna/ October 14, 2016/ Conference, Internet, Press, Security, Veranstaltung

The Internet of Things is knocking at your door. Many businesses and private individuals have already admitted IoT to their offices and homes, unfortunately often without knowing what they’ve let themselves in for. A naive belief in progress opens all gates, doors and windows to attackers. This is a serious matter. Therefore, DeepSec Conference will focus on this topic on the occasion of its 10th anniversary. The program includes lectures and workshops about the components of smart devices, smart houses and smart networks. Not all products come with a solid security concept. How to test if your devices function properly? What consequences has the total conversion to “smart”? How to proceed correctly to select appropriate systems? Hacked by your fridge Spectacular burglaries have always been the best material for screenplays. We know the scene

Read More

1210, 2016

DeepSec 2016 Workshop: Fundamentals of Routing and Switching from a Blue and Red Team Perspective – Paul Coggin

Sanna/ October 12, 2016/ Security, Training

Penetrating networks has never been easier. Given the network topology of most companies and organisations, security has been reduced to flat networks. There is an outside and an inside. If you are lucky there is an extra network for exposed services. Few departments have retained the skills to properly harden network equipment – and we haven’t even talked about the Internet of Things (IoT) catastrophe where anything is connected by all means necessary. Time to update your knowledge. Luckily we have just the right training for you! In Paul Coggins’ intense 2 day class, students will learn the fundamentals of routing and switching from a blue and red team perspective. Using hands-on labs they will receive practical experience with routing and switching technologies with a detailed discussion on how to attack and defend the network

Read More

2107, 2016

Intelligence on the Silver Screen: A Good American Kickstarter Campaign

René Pfeiffer/ July 21, 2016/ Discussion, High Entropy, Security Intelligence

Surveillance has a bad reputation. No one likes to be watched. Yet infosec researchers, sysadmins, and developers talk a lot about log files. We need to watch stuff for various reasons. You got your mail logs, diagnostic messages, performance metrics, network addresses, and more painstakingly sorted by timestamps and maybe geolocation. Log data is part of information technology. It gets interesting once you store, process and mine this data. Some people like to collect it all and do all kinds of Big Data stuff with it. Others filter out the relevant bits of information and work with that. Opinion is divided, results may vary. Enter A Good American, the documentary which was screened in Vienna during the DeepSec 2015 conference. It has been shown all over the world. The film itself is fully funded,

Read More

1407, 2016

The Internet of Threats revisited

René Pfeiffer/ July 14, 2016/ Communication, High Entropy, Internet

Everyone is talking about the Internet of Things. Connecting household applications (yes, applications, appliances is so 1990s) to a network hasn’t been more fun than now. Also measuring things is great. Today most sensors are deployed to generate endless streams of data because we can, not because there is a need for it. And I haven’t even talked about the information security aspect yet. Let’s take a step back into 1995/1996. Those were the days of the first browser wars. Jamie Zawinski has a quote of the Law of Software Envelopment on his web site. Every program attempts to expand until it can read mail. Those programs which cannot so expand are replaced by ones which can. The proof of concept was undertaken by creating the Netscape Mail and News client. Processing email once

Read More

0203, 2016

DeepSec Video: Remote Browser-Based Fingerprinting of Local Network Devices

René Pfeiffer/ March 2, 2016/ Conference, Internet, Security

Reconnaissance is first, then comes the attack. This is why fingerprinting devices is the first step. Manfred Kaiser (Josef Ressel Zentrum) explained at DeepSec 2015 how this can be done by the local web browser(s) in the locally connected network segment. Manfred discusses remote device fingerprinting techniques for SOHO routers and other network-connected devices offering a browser-based configuration interface. While consumer network devices provided to customers by their ISPs are typically based on very few different hardware platforms, they are equipped with highly customized firmwares and thus contain different vulnerabilities. The knowledge of a specific device’s vulnerabilities is vital to the success of a remote attack. In a live demo Manfred shows how a remote attacker can exploit the feature-richness of modern web technologies (HTML5, WebRTC, JavaScript, CSS) to perform device discovery and fine-grained

Read More

2302, 2016

DeepSec Video: DDoS – Barbarians at the Gate(way)

René Pfeiffer/ February 23, 2016/ Conference, Internet, Stories

Unfortunately the Internet doesn’t follow the rules of economic theory. Unlimited growth is a myth best kept for feeding your unicorns. Of course, the Internet has grown, but the mathematics and physics behind network flows stay the same. If your pipe is full, then you are going nowhere. This is why Distributed Denial of Service (DDoS) attacks still work. You can counter or evade these attacks, but they can happen. We invited Dave Lewis of Akamai to DeepSec 2015 to hear his view on the current state of affairs where DDoS is concerned. For the record: DDoS is not hacking and no hacking attack. Spread your „cyber“ somewhere else.

0511, 2015

Debugging Information Security: Self Defence for Entrepreneurs

Sanna/ November 5, 2015/ Conference, High Entropy, Internet, Security, Security Intelligence

In our economy data leaks are a constant companion. That’s the impression one gets when reading the news. Customer portals, online shops, digital communications, plans of products, personnel data, and more can be found in department stores throughout the shadow economy. Blind faith in global networks has indeed suffered in recent years, but companies and individuals still have a partially carefree attitude when it comes to the imminent risk their data is exposed to. “Who cares about our data?”, is often said. This year’s DeepSec IT Security Conference has some very specific answers to this question. Duncan Campbell and James Bamford open IT Security Conference in Vienna Duncan Campbell is a freelance British journalist, author, and television producer. Since 1975 he has specialized in intelligence and security services, defence, policing and civil liberty rights.

Read More

0302, 2015

Internet Protocol version 6 (IPv6) and its Security

René Pfeiffer/ February 3, 2015/ Internet, Security

Internet Protocol version 6 (IPv6) is not new. Its history goes back to 1992 when several proposals for expanding the address scheme of the Internet were discussed (then know by the name of IP Next Generation or IPng). A lot has happened since RFC 1883 has been published in 1996. Due to the deployment of IPv6 we see now implications for information security. Several vulnerabilities in the protocol suite have already been discussed. DeepSec 2014 features a whole training session and three presentations about the future protocol of the Internet. First Johanna Ullrich talked about a publication called IPv6 Security: Attacks and Countermeasures in a Nutshell. The paper gives you a very good view on the state of affairs regarding security and privacy weaknesses. It is strongly recommended for anyone dealing with the deployment

Read More

0909, 2014

DeepSec 2014 Talk: MLD Considered Harmful – Breaking Another IPv6 Subprotocol

René Pfeiffer/ September 9, 2014/ Conference, Internet

In case you haven’t noticed, the Internet is getting crowded. Next to having billions of people online, their devices are starting to follow. Information security experts can’t wait to see this happen. The future relies on the Internet Protocol Version 6 (IPv6). IPv6 features a lot of improvements over IPv4. Since you cannot get complex stuff right at the first time, IPv6 brings some security implications with it. Past and present conferences have talked about this. DeepSec 2014 is no exception. Enno Rey of ERNW will talk about Multicast Listener Discovery (MLD) in his presentation. The presentation is the first time that the results of an ongoing research of MLD are published. MLD is a protocol belonging to the IPv6 family, and sadly it features insecurities. MLD (Multicast Listener Discovery), and its successor, MLDv2,

Read More

2202, 2014

DeepSec 2013 Video: Hack The Gibson – Exploiting Supercomputers

René Pfeiffer/ February 22, 2014/ Conference, Security

Hey, you! Yes, you there! Want to get root on thousands of computers at once? We know you do! Who wouldn’t? Then take a good look at supercomputers. They are not a monolithic and mysterious as Wintermute. Modern architecture links thousands of nodes together. Your typical supercomputer of today consists of a monoculture of systems running the same software. If you manage to break into one node, the chances are good that you have access to all nodes. That’s pretty neat. At DeepSec 2013 John Fitzpatrick and Luke Jennings of MWR InfoSecurity talked about their tests with supercomputers. Their presentation covers the research and demonstrates some of the most interesting and significant vulnerabilities they have uncovered so far. They also demonstrated exploits and previously undocumented attack techniques live so you can see how to

Read More

2102, 2014

DeepSec 2013 Video: Prism Break – The Value Of Online Identities

René Pfeiffer/ February 21, 2014/ Conference, Internet

Everything you do online creates a stream of data. Given the right infrastructure this data trails can be mined to get a profile of who you are, what you do, what your opinions are and what you like or do not like. Online profiles have become a highly desirable good which can be traded and used for business advantages (by advertising or other means). In turn these profiles have become a target for theft and fraud as well. In the digital world everything of value gets attacked eventually. Time for you to learn more about it. In his talk at DeepSec 2013 Frank Ackermann explained the value of online identities. We recommend his presentation, because it illustrates in an easily comprehensible way the value of online identities in our modern Internet relying society. It

Read More

0902, 2014

DeepSec 2013 Video: The Boomerang Effect – Using Session Puzzling To Attack Apps From The Backend

René Pfeiffer/ February 9, 2014/ Conference, Security

Attacking fortified positions head on looks good on the silver screen. Real life attackers have no sense for drama and special effects. Battering closed doors will get you nowhere fast. Instead modern adversaries take a good look at open doors and exploit them to get what they want. Security specialists know about the dangers of management interfaces (also known as backends). This is one main focus of denying unauthorised access. Once a backend is exposed, the consequences can be very fatal to your digital assets. At the DeepSec 2013 conference Shay Chen (Hacktics ASC, Ernst & Young) explained how attacks originating from backends look like and what attackers can do once they gained foothold.

2701, 2014

DeepSec 2013 Video: Finux’s Historical Tour Of IDS Evasion, Insertions, and Other Oddities

René Pfeiffer/ January 27, 2014/ Conference, Security

Ever since intrusion detection systems were put into operation, attackers have found ways to evade discovery. So what can you expect from the wonderful tools that are designed to detect intrusions? If you are looking for metrics which can easily compared and have a connection to your typical production environment, then you are mistaken. There is no such thing as a magical box, ready to be installed to solve all your intrusion problems. Arron ‘Finux’ Finnon of Alba13 Labs held a presentation at DeepSec 2013 about this topic. He illustrated the evasion techniques used and discussed the history of IDS/IPS systems. If you follow the talk closely, you will understand why detection systems like IDS/IPS can work, but why they’re set to fail all at the same time.

1011, 2013

DeepSec 2013 Talk (U21): The Dark Side of the Internet

René Pfeiffer/ November 10, 2013/ Conference, Internet

You may have heard of background radiation. It’s the kind of ionizing radiation you are exposed when wandering around on this planet. The sources are radioactive isotopes in the air, the soil, our food, and the water. In addition there is cosmic radiation from outer space. So even without artificial radiation sources you will have a natural background radiation. The Internet has a similar phenomenon. The pendant of the fundamental particle in Nature is the packet. Internet traffic consists of data packets going from their source to a target address. Imagine a part of the Internet which isn’t used at all. Its address space isn’t advertised anywhere. It holds no services and no active hosts. This place is called Darknet. In theory there will be no packets. In practice there are. A student from

Read More

1510, 2013

DeepSec 2013 Talk: The Economics Of False Positives

René Pfeiffer/ October 15, 2013/ Conference

Ever since networks got attacked the victims have thought of ways to detect and prevent attacks. Packet filters were the first idea. Closing a port meant to worry less about applications listening on them. So the trouble of protecting moved to the services that were still exposed. Filtering got more complex, protocols were inspected, signatures were introduced, intrusion detection systems were born. Great – but the attacks didn’t disappear. Instead you got alerts, a lot of them. Some were caused by real attacks, some were false alerts. Enter false positives. Setting off false alarms is a tried and true military tactic. After a couple of false alarms the sentries will probably be less alert. Translated to information security this means that alerts (and log files) will be ignored after a couple of false alerts.

Read More