1010, 2013

Changes to the DeepSec 2013 Schedule – two new Talks

René Pfeiffer/ October 10, 2013/ Administrivia, Conference

We had to change the schedule for the DeepSec 2013 conference slightly. Unfortunately two talks were cancelled, because the speakers could not confirm their presence. We are sorry to hear that, but every one of us know Real Life Interference™ can bust the best of plans. We have replaced the talk slots with submissions by other speakers. We will hear about Uncovering your trails – Privacy issues of Bluetooth Devices by Verónica Valeros & Garcia Sebastian. Bluetooth capabilities are pretty widespread and can be found in devices all over the world – and your workplace, of course. To quote Sheldon Cooper: „Everything is better with Bluetooth.“ And so is attacking devices and leaking information about users and devices. The second talk is pending a description and will be announced in short on our Twitter

1010, 2013

DeepSec 2013 Talk: The Boomerang Effect – Using Session Puzzling To Attack Apps From The Backend

René Pfeiffer/ October 10, 2013/ Conference, Security

In past centuries attackers used battering rams to break down doors and siege artillery to blast holes into solid fortification walls. These were very tedious undertakings, so using alternate routes – possibly back-doors – were always highly regarded. Nowadays wonderful World of „Cyber“™ is no exception. The modern web-obsessed infrastructure has seen web browsers in local networks being compromised to access web-based back-end systems (through DNS rebinding attacks for example). Management consoles are a prime target, because once you gain access you probably can make the most out of elevated privileges. What about turning the back-end around and attack applications by it? Shay Chen has explored this attack vector and will present details in his talk at DeepSec 2013. Applications security mechanisms, secure software development processes, web application firewalls – collections of countermeasures that turn hacking

0310, 2013

DeepSec 2013 Keynote: Geopolitics and the Internet – the Meaning of “Hegemony”

René Pfeiffer/ October 3, 2013/ Conference, Discussion, Internet

Most of us think of the Internet as a place where the world virtually gathers and communicates without boundaries. It is regarded as a „virtual“ space where the confinement by borders of nation states is blurred by digital connectivity. People from all over the globe communicate with each other and form a truly cosmopolitan community. The trouble in paradise starts when countries switch off access to the Internet or prosecute whistle-blowers. Given the ever present notion of „cyber“ war we need to discuss geopolitics. It seems that the USA heavily dominates the Internet and regards it as its territory. Marcus Ranum will address the idea of hegemony and the USA with regards to the Internet in his keynote for the DeepSec 2013 conference: So, the topic is “the meaning of hegemony” – what does

2109, 2013

DeepSec 2013 Talk: Europe In The Carna Botnet – Telnet’s Threat To The Largest Economy

René Pfeiffer/ September 21, 2013/ Conference, Security

Botnets have been around since 1999. These herds of networked and compromised systems (called zombies) are the tool of the trade for many groups. It’s the zombie outbreak of the information age. The analysis of existing botnets is an important task of security researchers around the globe. The study of the malware involved, the infection process and the inter-node communication of the infected systems is crucial for the dismantling of the botnet. Therefore we are happy to present Parth Shukla’s talk on the Carna botnet. It was created by an anonymous hacker to create a census of the (IPv4) Internet. Parth has been analysing the devices that formed part of the Carna Botnet. The data concerning the devices was provided by the anonymous researcher. He has distributed the relevant data to many CERTs and

2009, 2013

DeepSec 2013 Talk: Static Data Leak Prevention In SAP – The Next Generation Of Data Loss Prevention

René Pfeiffer/ September 20, 2013/ Conference, Security

Once you use information technology you will have to worry about leaks. Applications can leak data when attached to the network (any network!). That’s no breaking news, but it might be bad news for you and your data. Fortunately there are good news, too. There is a talk by Andreas Wiegenstein about ways of data leak/loss prevention (DLP) and a new methodology which might help your organisation: In the age of digital industrial espionage, protecting intellectual property has become a key topic in every company. In the past, companies addressed data leaks by implementing so called content-aware Data Loss/Data Leak Prevention (DLP) software. Such software analyzes data moving through an IT landscape and reports unauthorized transfer of critical data, i.e. transfers beyond the company’s network borders. The key purpose of this methodology is to

1609, 2013

DeepSec 2013 Talk: Top 10 Security Mistakes In Software

René Pfeiffer/ September 16, 2013/ Conference, Security

Software Development and information security are tightly tied together. A bug attracts vulnerabilities and bugs and vulnerabilities combined can be turned into exploits to compromise systems. In an ideal world security starts at the design or development stage. While you probably will never be able to completely eliminate bugs in (your) code due to the complexity of modern applications and their dependencies, you still can improve the security record by paying attention. So where do you get started? What are the most common mistakes made during the software development process that leads to security problems in the finished product? Peter af Geijerstam will address the top 10 security mistakes in his talk at DeepSec 2013. Mistakes during software development do not always have to be caught at the quality assurance stage. You can catch

3008, 2013

DeepSec 2013 Talk: Automation in Android & iOS Application Security Review

René Pfeiffer/ August 30, 2013/ Conference, Security

Even if you do not want to follow the Bring Your Own Device (BYOD) hype you might have to deal with mobile operating systems and applications running on them. Once you have a need to deploy a system, you need to know how to review the security. Hemil Shah will explain in his talk how you can deal with this problem. Mobile application hacking and its security is becoming a major concern in today’s world – especially with BYOD and user’s jailbreaking/rooting their devices. In the last few years we have seen a range of new attack vectors and methods of exploitation for these devices. Mobile applications are vulnerable to various sets of different attacks like local storage, user data harvesting, activity spying, unauthorized event injection, UI jacking, tab jacking, traffic redirection, logical attacks,

3008, 2013

DeepINTEL Schedule Update: New Talk – “Advanced Security through Network Intelligence”

René Pfeiffer/ August 30, 2013/ Administrivia, Conference, Security Intelligence

Due to personal reasons one of our DeepINTEL speakers had to unfortunately cancel his appearance. Therefore we present a new talk held by Caroline Krohn. The title is “Advanced Security through Network Intelligence”. „Network Intelligence“ is the sum of findings extracted from people’s activities in the internet. Information related to people can be either, restricted and protected by any kind of encryption, or public and available to everybody. Nowadays, it is almost sufficient to collect data from open sources to put together a precise profile on a person of interest. Transparency does not only occur through own postings on so-called social networks, such as Facebook, Xing, LinkedIn, Twitter. Third party mentions and pictures other people post and tag, etc. also help following people’s activities outside the internet. Even the decision not to appear on

1108, 2013

DeepINTEL 2013 – New Talk: “Hackers NG” – Dealing with the Security Skills Shortage

René Pfeiffer/ August 11, 2013/ Conference, Security Intelligence

Cooling temperatures in Vienna bring new talks to DeepINTEL. We are proud to announce a talk by Colin McLean, lecturer in Computing at the University of Abertay Dundee in Scotland. He discussed the problem of finding hackers with security skills (and who probably do not possess the attributes Mr Hayden sees in his own IT staff). The abstract reads as follows: There is a cyber security skills shortage and it’s becoming a world-wide concern with many stakeholders warning of impending doom. Browsing the Internet shows that this concern is not only expressed from the USA, and the UK, but all over the world. Mark Weatherford of the US Department of Homeland Security has stated “The lack of people with cyber security skills requires urgent attention. The DoHS can’t find enough people to hire.”. The

0508, 2013

DeepINTEL 2013 – New Talk „Mutually Assured Pwnage“

René Pfeiffer/ August 5, 2013/ Conference, Security Intelligence

We have added a new talk to the DeepINTEL 2013 schedule. Karin Kosina will talk about „Mutually Assured Pwnage“ and critically explore what Cold War analogies can and cannot teach us about war in the 5th domain. “Cyberwar” has become a thing (never mind that no-one seems to really know what that thing really is). Along with the militarisation of cyberspace – or “the fifth domain of warfare” – there has been a flurry of attempts to draw analogies to other models of conflict. While this is understandable to a certain extent – What worked in the past may work again in the future, right? And let’s not be so cynical here to speak about hammers and things that look like nails… –, it has in many cases only added to the confusion around an already confused

1112, 2012

Apology – “Bad Things in Good Packages”

René Pfeiffer/ December 11, 2012/ Administrivia, Conference

We’re almost back to daily routine after having a wonderful DeepSec 2012. Given the feedback from speakers and attendees they loved the atmosphere at the conference and at the hotel. We are happy to hear about this and keep an open ear for further comments on your DeepSec experience. However, things can go wrong and they often will. There’s no way around this as every organisation team will confirm. Most of the problems were dealt with by our own damage control teams at the conference. There’s one issue that we wish to discuss openly. We received complaints via Twitter about the slides of the talk „Bad Things in Good Packages – Creative Exploit Delivery“ published by the speaker on Slideshare on 30 November 2012. The complaint was about the offensive portrayal of women. The

2511, 2012

DeepSec 2012 Talk: When I Grow up I want to be a Cyberterrorist

René Pfeiffer/ November 25, 2012/ Conference

We have asked Mike Kemp to give an overview of what to expect from his talk When I Grow up I want to be a Cyberterrorist: Terrorism is not big. It is not clever. It is definitely not funny (unless it involves pies in the face). It can however (like so much in life), be utterly absurd. To clarify, the reactions to it can be. The UK is the most surveiled place on earth (outside of Disneyland). The United Kingdom has lots of cameras, lots of privately collected and held data, lots of asinine legislation, and lots of panic. The media and political classes have conspired to protect the once freedom loving residents of the UK against themselves (and we are not alone in living the Panopticon dream). Frankly, it’s pissing me off. In

0811, 2012

DeepSec 2012 Talk: Pentesting iOS Apps – Runtime Analysis and Manipulation

René Pfeiffer/ November 8, 2012/ Conference, Security

Since one of the focus topics of DeepSec 2012 deals with mobile computing and devices, we asked Andreas Kurtz to elaborate on his presentation about pentesting iOS apps: „Apple’s iPhone and iPad are quite trendy consumer devices, and have become increasingly popular even in enterprises nowadays. Apps, downloaded from the AppStore or developed in-house, are supposed to completely change and optimize the way of work. Suddenly, managers have access to business intelligence information, data warehouses and financial charts on their mobile devices: Apps are used as front ends to executive information systems and, thus, are carrying around loads of sensitive data. At a first glance it seems, that there’s nothing new on it. Indeed, it is quite common to remotely access critical business data. However, the popularity of mobile devices, combined with the sensitive

0511, 2012

Talk about Data Loss Prevention

René Pfeiffer/ November 5, 2012/ Security

We will be presenting a talk about data loss prevention (DLP) on 9 November 2012 at the IT-Security Community Xchange 2012 (IT-SecX 2012) in St. Pölten, Lower Austria. DLP is a good example for measuring the security of your IT infrastructure. Keeping data in is as important as keeping attackers out these days. The tricky part is to know what data you have and where it lives. We will discuss how to approach DLP in terms of preparation, planning and implementation. In case you are in Austria you can meet us at the IT-SecX 2012. The event is organised by the University of Applied Sciences St. Pölten.

0211, 2012

DeepSec 2012 Talk: Wargames in the Fifth Domain

René Pfeiffer/ November 2, 2012/ Conference

We asked Karin Kosina to illustrate her talk Wargames in the Fifth Domain: “This is a pre-9/11 moment. The attackers are plotting.” These are the words of U.S. Secretary of Defense Leon Panetta addressing business executives on the dangers of cyberwar two weeks ago in New York. And just in case this did not leave the audience scared enough, Panetta also warned about the possibility of an upcoming “cyber-Pearl Harbor”. A massively destructive cyberwar, it seems, is imminent. Or is it? Is the world really on the brink of cyberwar? Time to panic and hide in our cyber shelters? – Well, I think things are slightly more complicated than that. Before you dismiss me as a peace-loving hippie who views the world through rose-tinted glasses: There is no doubt that our emerging information society

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this: