Products, Vendors, Security, and Bias

René Pfeiffer/ July 4, 2013/ Discussion, Mission Statement, Security

The DeepSec conference is meant to be a neutral event where security related topics can be discussed without bias. Periodically we have discussions with companies about this issue. Our web site states that DeepSec is a non-product, non-vendor-biased conference event. In short this simply means that the topics discussed at DeepSec are all about facts not ads. We are looking for honest talks about security: If something breaks, tell us about it. If you can repair it, tell us about it. If you discovered something, tell us about it. That’s our goal. The DeepSec conference is not a trade fair – but it’s a place to mention what you have researched or what you have created. We are all about information security and want everyone to talk about it. We invite everyone to share results of

Read More

How to defend against “Cyber” Espionage

René Pfeiffer/ June 6, 2013/ Discussion, Security

When it comes to defence and protection, don’t forget how your organisation treats data. The mindset plays an important role. This can be illustrated by a simple correlation. Organizations which take the protection of data privacy seriously have an edge when it comes to implementing IT security measures. We talked about this relation in an interview with ORF journalist Erich Moechel (article is in German, Google translation). The findings are not surprising. Auditors and penetration testers can tell if your IT staff takes the role of protecting digital assets seriously. The correlation is easily explained : Once you establish data protection guidelines, you also create a motivation to implement defensive procedures and measures against intrusion. Directly linking operational aspects to a reason makes sure that everyone understands why defence is important. Bear in mind

Read More

DeepSec 2012 Talk: The Interim Years of Cyberspace – Security in a Domain of Warfare

René Pfeiffer/ October 6, 2012/ Conference

In case you haven’t heard about it yet, officially that is, welcome to the fifth domain! As with space and other environments, the networked world has been discovered by various forces and groups for their advantage. The past years have shown that whatever happens in Cyberspace, doesn’t always stay in Cyberspace. It’s not always about the DDoS attacks, which have been blown out of proportion, but it’s about malicious software, reconnaissance, information extraction and other aspects which are less spectacular (watching less television helps to restore the perspective to normal). We’d like to set your perspective right and recommend listening to Robert M. Lee’s presentation about the Interim Years of Cyberspace. His talk focuses on the bigger picture in an effort to add a different view to the discussions taking place at DeepSec. The

Read More

DeepSec 2012 Talk: SAP Slapping

René Pfeiffer/ September 30, 2012/ Conference

DeepSec 2012 covers SAP in-depth, and we decided also to include a presentation on how to test/pen-test SAP installation. Dave Hartley will give you an overview about how to approach SAP, show you what you can do, and probably achieve complete compromise of insecure and misconfigured SAP environments by pressing buttons. ☺ SAP systems can incorporate many different modules ERP, ECC, CRM, PLM, SCM, SR, … that are installed on multiple operating systems (UNIX, HP-UX, Linux and Windows etc.) which in turn rely on many different back end databases (DB2, Sybase ASE, Oracle, MS SQL, MaxDB and Informix). There are also many different versions/application stacks (SAP Netweaver 7.1 ABAP AS, 7.2 ABAP/Java AS, 7.3 ABAP/Java AS, …). Basically SAP systems often consist of very complex architectures and employ a myriad of integration choices in order to

Read More

DeepSec 2012 Talk: AMF Testing Made Easy

René Pfeiffer/ September 28, 2012/ Conference

Protocols are fun. When it comes to security, protocols are both loved and loathed. Security researchers have fun breaking them. Developers have a hard time designing them (this is why short-cuts will be taken and weaknesses are introduced). Penetration testers are sent to discover broken protocols and to exploit them. Attackers usually know some bits about protocols, too. This is where you come in. Regardless on which side you are on, you need to know, too. It’s not always about security, though. Typical software deployment or development requires testing, too. Luca Carettoni has good news for you either way. Despite the popularity of Flex and the AMF binary protocol, testing AMF-based applications is still a manual and time-consuming activity. This research aimed at improving the current state of art, introducing a new testing approach

Read More

DeepSec 2012 Talk: Breaking SAP Portal

René Pfeiffer/ September 27, 2012/ Conference, Security

SAP products are very widespread in the corporate world. A lot of enterprises run SAP software for a whole variety of purposes. Since enterprises feature many levels of interconnection, there is also a great deal of exposing going on. Usually you do this by means of using portals. The term „portal“ is a trigger for penetration testers, because portals are the gateways to curiosity – and probably compromises. This may give an attacker access to systems that store all informations about your company and process all critical business transactions. You now have compelling reasons to attend DeepSec 2012 for we have a collection of SAP security talks and a workshop for you. Alexander Polyakov talks about how to attack SAP Portal. It is usually connected to the Internet. In turn the Internet is connected

Read More

DeepSec 2012 Training: Penetration Testing with Metasploit

René Pfeiffer/ September 25, 2012/ Training

Metasploit is one of the major tools used by security researchers and security administrators when it comes to testing security or verifying the operation of intrusion detection/prevention systems. It is also used by penetration testers when trying to circumvent defences and to insert payloads into compromised systems. Everyone dealing with the implementation of security measures is well advised to learn how Metasploit works, how it can be extended and how it can be used to its full potential. Point and click is a nice theory, but when it comes to information security you probably want to know what you are really doing. We therefore invite you to take a look at this workshop held at DeepSec 2012: In the Penetration Testing with Metasploit training you will learn hands on skills that come in to

Read More

Security in Serious Fun

René Pfeiffer/ August 30, 2012/ Discussion, High Entropy, Security

In case you keep track of our tweets, you may have noticed that we approach the topic of security humorously sometimes, and because there is a lot of potential for misunderstanding we’d like to explain why we do this. It’s not all about who scores the best puns. It has a serious background, and it helps to keep a minimum distance to problems you are dealing with. Security has a strong link to the agenda of a person, a group, a company or a nation. Consider a fatal flaw in a major software package. The typical actors connected to this bug are the group/person who found it, the group/person who published it (not necessarily the same as the discoverers), the developers of the software (could be a community or a company or both), the

Read More

Collateral Damage in Cyberspace

René Pfeiffer/ June 8, 2012/ High Entropy, Security

„In cyberspace, no one can hear you scream.“ System administrators know this already for a long time, as do security researchers. Everybody is talking about „cyberwar“ these days (elections are coming). No one is talking about the (digital) fallout from „cyberwar“ operations. Unless you solely rely on passive methods, there’s not much that can happen. As soon as you employ „offensive security“, which is just an euphemism for „breaking things“, there will be damage in terms of service disruption, compromised systems, modified/erased data, inserted attack code and possibly more. Attack tools such as Stuxnet, Duqu and now Flame have been discussed for years by security researchers. Especially anti-virus vendors have repeatedly promised to include malware of any origin in their databases. In theory this includes these „cyberweapons“ as well. In real life these weapons

Read More

Cloud Security Promises out of thin Air

René Pfeiffer/ May 15, 2012/ Discussion, Security

The „Cloud“ is a wonderful link between the BYOD disaster, data loss and broken security promises. Yet users of all kinds are lured into the web interfaces with eye candy. The German IT magazine Golem.de has published an article about the cloud security study of the Fraunhofer Institute for Secure Information Technology SIT. Researchers have put Dropbox, Cloudme, Crashplan, Mozy, Teamdrive, Ubuntu One and Wuala under scrutiny. The results should be a wake-up call for businesses who blissfully shove all kinds of data out into the thin air of the „Cloud“. The quintessence of the study is that none of the listed „Cloud“ services can provide a basic security or even sensible encryption technology. Some registration forms do not verify the e-mail addresses entered. Some platforms do not use SSL/TLS. Some use their own

Read More

Data Loss Prevention

René Pfeiffer/ May 14, 2012/ Discussion, Security

None of us likes to lose data. Usually data loss is tied to defects of storage media. You can counter physical data loss by having sufficient and recent copies of your data. This is where the logical data loss kicks in – unauthorised copies. Espionage thrives on these copies, and since information can be sold so does crime. Establishing a proper data loss prevention strategy and implementing it, requires a combination throughout all branches of information security. First you need to define some classifications for all your data. Public, private and confidential is common. Then you must find all places where your data is stored. You noticed the small word „all“. Yes, that’s right, all places and every single bit of your data. If you start getting sloppy at this stage, your defence against

Read More

What is a Hacker Tool and how do you ban it?

René Pfeiffer/ April 25, 2012/ Discussion, Internet, Stories

What exactly is a hacker tool? The answer to this question depends on who you ask. To McGyver it would probably everything, to a hacker it would be any suitable tool and to a politician it would be anything that cannot be easily understood. The English Wikipedia has no entry on hacker tool. So what is it and why should we care? Care comes first. We have to care because the European Union is working on banning hacking tools. This is no news for some parts of Europe. Germany has tried to address the nebulous hacking tools issue in 2007. The law has drawn a lot of critic from security researchers. Some even moved their research abroad to avoid operating in a grey area of the law. There’s an open letter to the German

Read More

DeepSec 365 Conference Track and Disinformation

René Pfeiffer/ April 2, 2012/ Misc, Stories

We admit. We could not resist. Bazinga! Writing articles to be published on 1 April is fun, and you probably should not read any news on this day (or blog articles or anything, don’t even talk to people until 2 April). If you consider the disinformation practised on All Fools’ Day and connect it to security the fun stops. You rely on information and its accuracy to counter threats. So in turn disinformation can be regarded as a hacker tool. Social engineering people probably know this already. Since our CfPs for DeepINTEL and DeepSec 2012 are open: If you explore disinformation as a hacker tool and can show its impact on the security routine of potential targets/defenders, why not turn your findings into a presentation and send it to us? We want to know

Read More

Articles about DeepSec 2011

René Pfeiffer/ November 22, 2011/ Conference, Press

We have some more articles for you. Apparently the talks of our speakers raised a few eyebrows. Most of the articles are in German. Dradio: Das sichere Auto ist ein Mythos Interview with Mariann Unterluggauer about impressions from DeepSec 2011 and the myth of automobile security. Dradio: Nur scheinbare Datensicherheit This is a second article published on the Deutschlandfunk web site features Duncan’s talk and bugs in security software. Ö1: Können Hacker Autos fernsteuern? „Can hackers remotely control cars?“ Well, given the current design and lack of security they probably will do so in time for DeepSec 2012. Ö1: Make Cyberpeace, not Cyberwar. Ein Bericht von der DeepSec The topic of cyber warfare is still hot. Wie Terroristen verschlüsseln – Digitale Spuren kaum verwischt The Neuer Zürcher Zeitung (NZZ) has a comment about Duncan’s

Read More

Conference Network Survival Guide for DeepSec 2011

René Pfeiffer/ November 8, 2011/ Administrivia

For all of you who frequently visits „hacking hot spots“ this should be familiar. For all others who blindly trust the Net it should be a wake-up call. Here’s a short and probably incomplete check-list in case you are preparing for DeepSec 2011 or any other event with a public Internet access (the CCC has a more complete list on their event web site). Secure your operating system (vendor and type doesn’t matter). Backup your data. Do run a firewall or a similar filter on your device (vendor and type doesn’t matter). The hostile network starts right at your antenna or Ethernet jack (again regardless of vendor and layer 1 technology). Try to use a VPN tunnel to a trusted network (such as your company or home network). Tunnel all traffic through your VPN

Read More