0909, 2014

DeepSec 2014 Talk: MLD Considered Harmful – Breaking Another IPv6 Subprotocol

René Pfeiffer/ September 9, 2014/ Conference, Internet

In case you haven’t noticed, the Internet is getting crowded. Next to having billions of people online, their devices are starting to follow. Information security experts can’t wait to see this happen. The future relies on the Internet Protocol Version 6 (IPv6). IPv6 features a lot of improvements over IPv4. Since you cannot get complex stuff right at the first time, IPv6 brings some security implications with it. Past and present conferences have talked about this. DeepSec 2014 is no exception. Enno Rey of ERNW will talk about Multicast Listener Discovery (MLD) in his presentation. The presentation is the first time that the results of an ongoing research of MLD are published. MLD is a protocol belonging to the IPv6 family, and sadly it features insecurities. MLD (Multicast Listener Discovery), and its successor, MLDv2,

Read More

0809, 2014

DeepSec 2014 Keynote: The Measured CSO

René Pfeiffer/ September 8, 2014/ Conference

It’s good if your organisation has someone to take on information security. However it’s bad if you are the person in this position. Few are lucky enough to actually deal with improving information security. And some are caught in compliance fighting an uphill struggle against regulations and audits that have nothing to do with the threats to your business. The management of Information Security has become over-regulated and to some degree, over-focused on compliance to policy/regulation, architectural decisions, network access, and vulnerability management. As a result, many CISOs struggle to define success in terms that match the goals of their business, and struggle to make their risk management efforts relevant to senior executives. How do you achieve that? Alex Hutton will tell you in his keynote talk at DeepSec 2014. His goal is for

Read More

0509, 2014

EuroTrashSecurity Podcast – Microtrash37 : DeepSec 2014 Content

René Pfeiffer/ September 5, 2014/ Conference

Microtrash37 of the EuroTrashSecurity podcast is out! We had a little talk with Chris about the schedule of DeepSec 2014 and what to expect. It’s a teaser for the blog articles about the talks and the trainings to come. We will describe more details on the blog, but you get a good overview what to expect from the audio. We also got some inside information on the upcoming BSidesVienna 0x7DE. We will definitely attend and so should you! The BSidesVienna has some cool surprises for you. Don’t miss out on the chance to get together. The Call for Papers is still open! If you have something to share, please consider submitting a talk.

2708, 2014

Preliminary Schedule of DeepSec 2014 published

René Pfeiffer/ August 27, 2014/ Administrivia, Conference

After weeks of hard work we have now the preliminary schedule of DeepSec 2014 online! We received over hundred submissions, and we had to navigate through a lot of publications, abstracts and references. We hope that you like the mixture of topics. We especially hope that you will find the offered trainings interesting. We still wait for content and corrections, so bear with us while the schedule takes its final form. Contrary to the past years we had a lot more to do in terms of completing information about submitted talks and trainings. We will tell you more about this in the upcoming blog articles (which we will announce on our Twitter account, so you don’t miss anything). Looking forward to see you in Vienna in November!

0305, 2014

BSidesLondon 2014 Rookie Track Videos

René Pfeiffer/ May 3, 2014/ Conference

We are back from the BSidesLondon 2014, and we had a great time. It was good to meet everyone to get some new ideas and to work on old ideas too. The Rookie Track was a success. We had a hard time deciding which talk was best. We managed to find a winner which will be invited to attend DeepSec 2014. Congratulations to Georgi Boiko! The Rookie Track recordings will be published online depending on the choice of the speaker. Some are already online. Here is a list of talks you can already watch. More are being published in the coming weeks (we will update this list). A Look at Modern Warfare by @kaitlyn4495 The Joy of Passwords by Joseph Gwynne-Jones RFID Hacking – An Introduction by @d3sre Run-time tools to aid application security

Read More

3103, 2014

Talk about Cryptography and the NSA’s Capabilities

René Pfeiffer/ March 31, 2014/ Discussion, Security, Veranstaltung

The published documents about the NSA’s capabilities have led to a review of cryptographic tools. Mastering SSL/TLS by itself can be tricky. This is especially true if you have to deal with clients that do not take advantage of the latest TLS protocols. System administrators and developers are well advised to keep an eye on the capabilities of libraries and the algorithms available for securing network communication. We recommend to have a look at the publication of the Applied Crypto Hardening project in case you wish to review your crypto deployment. The standardisation of cryptographic methods has been criticised as well. Apart from the flawed Dual Elliptic Curve Deterministic Random Bit Generator (Dual_EC_DRBG) there is a lot of discussion going on where the practices of standardisation are being questioned. Given the design problem in

Read More

2702, 2014

DeepSec 2013 Video: Static Data Leak Prevention In SAP – The Next Generation Of DLP

René Pfeiffer/ February 27, 2014/ Conference, Stories

Leaks are problems you don’t want in your infrastructure. While this is clear for water pipes, it is not so clear for digital data. Copying is a part of the process, and copying data is what your systems do all day. A leak comes into existence when someone without access privileges gets hold of data. The industry has coined the term data leak/loss prevention (DLP) for products trying to stop intruders from ex-filtrating your precious files. Just like other defence mechanisms DLP systems cannot be bought and switched on. You have to know where your data lives, which software you use, what data formats need to be protected, and so on. We invited Andreas Wiegenstein to talk about data loss prevention in SAP systems. His presentation was held at the DeepSec 2013 conference and

Read More

2602, 2014

DeepSec 2013 Video: Using Memory, Filesystems And Runtime To App Pen iOS And Android

René Pfeiffer/ February 26, 2014/ Conference

Your iOS or Android smartphone can do a lot. „There’s an app for that!“ is also true for information security. So what can you do? We have seen smartphones used as an attack platform for penetration testing. You can use them for wardriving, and, of course, for running malicious software (next to „normal“ software which can do a lot too). At DeepSec 2013 Andre Gironda unlocked some of the mysteries of the iDevice and Android-device memory intrinsics, filesystem/process sandboxes, and the OO runtime by walking through the techniques, including common obfuscations. His talk is recommended to anyone interested in the capabilities of modern smartphones.

2502, 2014

DeepSec 2013 Video: Europe In The Carna Botnet

René Pfeiffer/ February 25, 2014/ Conference, Security

Botnets serve a variety of purposes. Usually they are used to send unsolicited e-mail messages (a.k.a. spam), attack targets by sending crafted data packets, or to perform similar activities. The Carna Botnet was created by an anonymous researcher to scan the IPv4 Internet. The creator called the botnet the Internet Census of 2012. The nodes of the botnet consist of virtually unsecured IPv4 devices – modems and other network equipment. Point of entry where mostly Telnet management interfaces exposed to the Internet. Analysing the devices that were part of the Carna Botnet is well worth the effort. This is why we invited Parth Shukla (Australian Computer Emergency Response Team, AusCERT) to present his findings about the Carna Botnet at DeepSec 2013. „A complete list of compromised devices that formed part of the Carna Botnet

Read More

2402, 2014

DeepSec 2013 Video: Future Banking And Financial Attacks

René Pfeiffer/ February 24, 2014/ Conference, Security

Predicting the future is very hard when it comes to information technology. However in terms of security analysis it is vital to keep your head up and try to anticipate what attackers might try next. You have to be as creative as your adversaries when designing a good defence. This is why we invited Konstantinos Karagiannis (BT) to DeepSec 2013.  Konstantinos has specialized in hacking banking and financial applications for nearly a decade. Join him for a look at the most recent attacks that are surfacing, along with coming threats that financial organizations will likely have to contend with soon.

2302, 2014

DeepSec 2013 Video: Pivoting In Amazon Clouds

René Pfeiffer/ February 23, 2014/ Conference

The „Cloud“ is a great place. Technically it’s not a part of a organisation’s infrastructure, because it is outsourced. The systems are virtualised, their physical location can change, and all it takes to access them is a management interface. What happens if an attacker gains control? How big is the impact on other systems? At DeepSec 2013 Andrés Riancho showed what attackers can do once they get access to the company Amazon’s root account. There is more to it than a simple login. You have to deal with EC2, SQS, IAM, RDS, meta-data, user-data, Celery, etc. His talk follows a knowledgeable intruder from the first second after identifying a vulnerability in a cloud-deployed Web application through all the steps he takes to reach the root account for the Amazon user. Regardless of how your

Read More

2202, 2014

DeepSec 2013 Video: Hack The Gibson – Exploiting Supercomputers

René Pfeiffer/ February 22, 2014/ Conference, Security

Hey, you! Yes, you there! Want to get root on thousands of computers at once? We know you do! Who wouldn’t? Then take a good look at supercomputers. They are not a monolithic and mysterious as Wintermute. Modern architecture links thousands of nodes together. Your typical supercomputer of today consists of a monoculture of systems running the same software. If you manage to break into one node, the chances are good that you have access to all nodes. That’s pretty neat. At DeepSec 2013 John Fitzpatrick and Luke Jennings of MWR InfoSecurity talked about their tests with supercomputers. Their presentation covers the research and demonstrates some of the most interesting and significant vulnerabilities they have uncovered so far. They also demonstrated exploits and previously undocumented attack techniques live so you can see how to

Read More

2102, 2014

DeepSec 2013 Video: Prism Break – The Value Of Online Identities

René Pfeiffer/ February 21, 2014/ Conference, Internet

Everything you do online creates a stream of data. Given the right infrastructure this data trails can be mined to get a profile of who you are, what you do, what your opinions are and what you like or do not like. Online profiles have become a highly desirable good which can be traded and used for business advantages (by advertising or other means). In turn these profiles have become a target for theft and fraud as well. In the digital world everything of value gets attacked eventually. Time for you to learn more about it. In his talk at DeepSec 2013 Frank Ackermann explained the value of online identities. We recommend his presentation, because it illustrates in an easily comprehensible way the value of online identities in our modern Internet relying society. It

Read More

1902, 2014

DeepSec 2013 Video: Risk Assessment For External Vendors

René Pfeiffer/ February 19, 2014/ Conference

CIOs don’t like words like „third party“ and „external vendor“. Essentially this means „we have to exchange data and possibly code with organisation that handle security differently“. Since all attackers go for the seams between objects, this is where you have to be very careful. The fun really starts once you have to deal with confidential or regulated data. So how do you cope with doing this and still keeping an eye open for risk, compliance, and efficiency? Good question. At DeepSec 2013 Luciano Ferrari (Kimberly-Clark Corporation) addressed these issues in his presentation. He has developed a process that deals with global Risk Assessment and increases the trust in and the security of your data. However: Data security can only be achieved if all units of an organization cooperate – and with a change

Read More

1802, 2014

DeepSec 2013 Video: From Misconceptions To Failure – Security And Privacy In The US Cloud Computing FedRAMP Program

René Pfeiffer/ February 18, 2014/ Conference, Security

The „Cloud“ is the Fiddler’s Green of information technology. It’s a perpetual paradise built high above the ground where mortal servers and software dwell. Everyone strives to move there eventually, because once you are in digital paradise, then all your sorrows end. So much for the theory. The reality check tell a different story. This is why we invited Mikhail A. Utin (Rubos, Inc.) to DeepSec 2013. He presented an in-depth analysis of the US government’s FedRAMP programme. „…However, regardless of numerous concerns expressed by information security professionals over CC services, US government developed the FedRAMP program and got funding for moving all federal information systems into a “cloud”. As we identified, all “cloud” misconceptions have successfully made it into FedRAMP documents. What should we expect from such a large scale experiment? What will

Read More