44CON revisited: Secure Design in Software is still a new Concept

René Pfeiffer/ September 20, 2017/ High Entropy, Interview, Security

We have been to 44CON, and we returned with lots of ideas and scary news about the state of security in devices and applications. Given the ever spreading Internet of Things (IoT) you can see why connecting random devices via a network with no second thoughts about design, updates, or quality control is a bad idea. Don Bailey illustrated this perfectly in the keynote titled The Internet of Us. His presentation touched all of information security, but IoT featured a prominent role. We are really surrounded by the Internet of SIM cards (sadly which we cannot call IoS). This opens up a new perspective and demystifies the IoT hype. You should watch Matt Wixey’s talk Hacking invisibly and silently with light and sound as soon as the videos are published. Matt discussed hardware hacking

Read More

Unicorns in the Wild – Information Security Skills and how to achieve them

René Pfeiffer/ July 27, 2017/ Discussion, High Entropy, Security

Everyone talks about information security, countering „cyber“ threats, endless feats of hackers gone wrong/wild, and more epic stories. Once you have realised that you are reading the news and not a script for a TV series, you are left with one question: What are information security skills? The next question will probably be: How do you train to be „information secure“? Let’s take a look at possible answers. First of all, yes, you can study information security or security-related topics. Universities, schools, and companies offer lectures, training, exercises, etc. Great. However it may not help you right away. We talked with top quality head hunters from a nameless big corporation. When they look for infosec specialists, they filter for anyone having worked in three different fields related to computer science (applied or otherwise) for

Read More

Malicious Software explores new Business Models – Politics

René Pfeiffer/ July 19, 2017/ Discussion, Internet, Security

Malicious software has become a major component of criminal business and geopolitics. In addition it is a convenient explanation for anything one does not want to investigate. Since code always come from somewhere you have to ask yourself many more questions when it comes to infected networks and compromised hosts. What is the agenda of the day? Journalist Erich Moechel has written an article about the arms race regarding malicious software. We have translated the original text from German to English. Expect the state of cyber in your network to rise in the course of the next years. Arms race with Malicious Software enters a dangerous Phase The enormous damage done by “Petya” and “WannaCry” can be traced back to a single, reworked tool from the leaked NSA pool of the “Shadow Brokers”. Experts

Read More

Digital Security of the Future: Technology and Algorithms alone are no Substitute for Strategy

René Pfeiffer/ July 14, 2017/ Conference, Security Intelligence

Unfortunately, you can not rely on antivirus programs when it comes to the security of your own business. Antivirus programs do not read newspapers, they do not attend lectures, they don’t protect you from social engineering or know the meaning of Facebook friends or Twitter tweets. False friends, indeed. The continuous monitoring and evaluation of threats is the next step in information security. This aspect has always been an important part of digital defense. Today’s discussion often centers around the term Security Intelligence, which unites different approaches. The DeepINTEL is Austria’s first event, which, since 2012, has been taking up this topic – in all its facets, because modern information security is interdisciplinary. Lectures by experts from various fields of science, defence and industry: At DeepINTEL you have the opportunity to strategically rethink your

Read More

BSidesLondon 2017 – Sharing is indeed Caring

René Pfeiffer/ June 20, 2017/ Discussion, High Entropy

When airport security meets information security it’s usually BSidesLondon time. It was a great experience. And since DeepSec sponsors the Rookie Track we had a very tough decision to make. It’s really hard to pick a winner. A lot of presentations were excellent, and the presenters made the most out of the 15 minutes. The winner is Thaís for her introduction to malware analysis by using satisfiability modulo theories (SMT). If you get the chance of seeing her presenting somewhere, take a seat and listen to her. We also like to recommend Colette‘s presentation titled ‘How the f**k do I get in? One woman’s struggle to break into cyber security!’. Despite the title it was not a rant, it was a clear and concise summary of the state of affairs for women in technology.

Read More

Biometrics and Failures in understanding Security – Copy & Paste Iris Scans

René Pfeiffer/ May 23, 2017/ High Entropy, Security

Biometrics has an irresistible attraction. Simply by mentioning the fact that you can measure parts (or surfaces) of the body and convert them to numbers a lot of people are impressed out of their mind. Literally. In theory biometric information serves as a second set of data to be used for any purposes. A common purpose is to use it for authentication. Most physical sources of biometric data are easily accessible. Fingers (for fingerprints), eyes (for your iris), limbs (for your veins), voice (for the Cloud), and other examples show this well. Where does the security come into play? Well, it doesn’t. For starters, passwords can be changed. Biometrics can’t unless you have a transplant. In contrast to passwords biometrics can be faked. The biometric source can be copied. In most cases this is

Read More

DeepSec welcomes SEC Consult as Sponsor for 2017!

René Pfeiffer/ May 12, 2017/ Conference, Security

Testing products, production code, security measures, or the overall security of infrastructure is hard work. The typical needs in term of information technology for a company or an organisation has become a variety of components that need to be maintained and hardened against attacks. The devil is in the details. In order to find critical weaknesses you need decades of experience, a thorough understanding of the technologies in use, in-depth knowledge of processes that touch information technology, and a decent portion of creativity to come up with ways around obstacles. SEC Consult, our long-time sponsor, has all of this – and more. They publish their findings and offer consulting for anyone needing extra security. Take a look at the House of Keys project, the IoT Inspector, or gaping holes in digital forensics software that

Read More

DeepSec welcomes Digital Guardian as Sponsor for 2017

René Pfeiffer/ May 11, 2017/ Conference, Security

No event can be done with supporters, and so we welcome Digital Guardian as sponsor for the upcoming DeepSec 2017 conference! If you have data in your organisation, then you might be interested in talking to Digital Guardian’s experts, because they know a lot about what data does, where it lives, what endpoints really are, how you protect it, and how you keep exclusive access to it. Since data is code on most computing architectures, there’s a double benefit. Digital Guardian is a next generation data protection platform purpose built to stop data theft. The Digital Guardian platform performs across the corporate network, traditional endpoints, mobile devices and cloud applications to make it easier to see and stop all threats to sensitive data. For more than 10 years, it has enabled data-rich organizations to

Read More

DeepINTEL 2017 – Modern Strategies for Information Security

Sanna/ March 13, 2017/ Conference, Security Intelligence, Veranstaltung

Seminar on Digital Defence with Experts. The news is full of reports covering attacks against networked systems and digital components. Every day there is new media coverage about stolen data, compromised accounts, the impact of malicious software, digital second strikes, cyber attacks between countries and new vulnerabilities in computer systems. All that leads to the impression that in the modern digital world we are almost helplessly vulnerable to attacks. Clever entrepreneurs benefit from the general uncertainty and sell countermeasures in the form of security software or other components, which, according to their praise, once installed will kill off every threat automatically. But the media don’t show the whole picture – hardly any report on “hacker attacks” could be called a realistic depiction of real life events. The consequence? It is not possible to build

Read More

DeepSec2016 Talk: Of Mice and Keyboards: On the Security of Modern Wireless Desktop Sets – Gerhard Klostermeier

Sanna/ November 3, 2016/ Conference, Internet, Security

Wireless desktop sets have become more popular and more widespread in the last couple of years. From an attacker’s perspective, these radio-based devices represent an attractive target both allowing to take control of a computer system and to gain knowledge of sensitive data like passwords. Wireless transmissions offer attackers a big advantage: you don’t have to be around to attack something or someone. Plus the victims often don’t know what it happening. At DeepSec 2016 Gerhard Klostermeier will present the results of research on the matter of wireless mouse/keyboard attacks. Furthermore you he will demonstrate ways in which modern wireless desktop sets of several manufacturers can be attacked by practically exploiting different security vulnerabilities. We recommend this talk to anyone still using old-fashioned input devices for creating content. Gerhard is interested in all things

Read More

DeepSec2016 Talk: AMSI: How Windows 10 Plans To Stop Script Based Attacks and How Good It Does That – Nikhil Mittal

Sanna/ October 20, 2016/ Conference, Development, Security

In his talk Nikhil Mittal will focus on AMSI: In Windows 10, Microsoft introduced the AntiMalware Scan Interface (AMSI), which is designed to target script based attacks and malware. Script based attacks have been lethal for enterprise security and with the advent of PowerShell, such attacks have become increasingly common. AMSI targets malicious scripts written in PowerShell, VBScript, JScript, etc. It drastically improves detection and the blocking rate of malicious scripts. When a piece of code is submitted for execution to the scripting host, AMSI steps in and scans the code for malicious content. What makes AMSI effective is that no matter how obfuscated the code is, it needs to be presented to the script host in clear text and unobfuscated. Moreover, since the code is submitted to AMSI just before execution, it doesn’t

Read More

DeepSec 2016 Workshop: Fundamentals of Routing and Switching from a Blue and Red Team Perspective – Paul Coggin

Sanna/ October 12, 2016/ Security, Training

Penetrating networks has never been easier. Given the network topology of most companies and organisations, security has been reduced to flat networks. There is an outside and an inside. If you are lucky there is an extra network for exposed services. Few departments have retained the skills to properly harden network equipment – and we haven’t even talked about the Internet of Things (IoT) catastrophe where anything is connected by all means necessary. Time to update your knowledge. Luckily we have just the right training for you! In Paul Coggins’ intense 2 day class, students will learn the fundamentals of routing and switching from a blue and red team perspective. Using hands-on labs they will receive practical experience with routing and switching technologies with a detailed discussion on how to attack and defend the network

Read More

DeepSec2016 Talk: Cover Your SaaS: Protecting Your Cloud With Analytics and Machine Learning – Ian Thornton-Trump

Sanna/ September 24, 2016/ Conference, Security, Security Intelligence

Some people call military intelligence an oxymoron. This usually happens when something goes wrong. It might be due to sloppy reconnaissance, operations, or simply bad luck. While it’s always good to have someone or something to blame, things are not so easy in modern „cyberspace“. Improving your security means to have something to base this improvement on. Despite the fact that being lucky is never a bad thing, the selection of your defences and the assessment of the threats you are facing need to be based on something more solid. IT departments have been mining logs and other kind of raw materials that produce metrics for decades. Every once in a while there is a new trend. Now that we can store enormous amounts of data and can access it, we have a lot

Read More

Buy your ticket for 44CON – and go to prison for free!

René Pfeiffer/ August 31, 2016/ Administrivia, Conference, Security

Forget Winter! 44CON is coming! The conference will be 14 to 16 September 2016 in London. The schedule is online. Take a look! This year’s 44CON also features a Capture The Flag (CTF) contest. It is hosted by the UK Ministry of Justice. Your mission, should you decide to accept it, consists of breaking into a prison! 20 teams have announced to participate. Sounds terrific, if you ask us. We will be there as well. So grab a ticket, cross the Channel, and we’ll meet in the lobby or, better yet, at the registration desk. Spread the word!

Preliminary Schedule of DeepSec 2016 – almost done

René Pfeiffer/ August 20, 2016/ Administrivia, Call for Papers, Conference, Schedule

We got over 100 submissions for DeepSec 2016! This is a new record. Consider that we have only room for about 40% of the content. While you may be impatient to hear about the trainings and the talks, please bear with us. We are in the final round of reviews and will have the preliminary schedule ready the day after tomorrow. You will be able to enjoy reading the announcement during your morning coffee break. Promised. To give you a little sneak preview, here are the main topics we will be addressing with the content: cryptography, Internet of Things (IoT), social engineering, threat hunting, the current state of affairs in information security, networking stuff (both wired and wireless), penetration testing, exploit automation, attacking web applications, iOS exploits, physical security, world domination a.k.a. „cyber“ threats,

Read More