DeepSec 2012 Talk: Own the Network – Own the Data

René Pfeiffer/ October 12, 2012/ Conference

We all use networks every day. This is obvious when it comes to the Internet, but there are more networks if you use phones and other gadgets. Like it or not, these networks are a part of your infrastructure. Now you know, but attackers (and security people) knew this before. So, what can happen to your data if the network is compromised? The short answer: a lot! The long answer is given by Paul Coggin in his presentation at DeepSec 2012. Paul’s presentation discusses the security issues with the critical network architectures being deployed by service providers and utilities to support next generation network services such as IPTV, 3G/4G, smart grid, and more. There’s a lot happening behind the scenes. Once new products are announced, the stage has already been prepared. Network infrastructure security

DeepSec 2012 Talk: The Interim Years of Cyberspace – Security in a Domain of Warfare

René Pfeiffer/ October 6, 2012/ Conference

In case you haven’t heard about it yet, officially that is, welcome to the fifth domain! As with space and other environments, the networked world has been discovered by various forces and groups for their advantage. The past years have shown that whatever happens in Cyberspace doesn’t always stay in Cyberspace. It’s not always about the DDoS attacks, which have been blown out of proportion, but it’s about malicious software, reconnaissance, information extraction and other aspects which are less spectacular (watching less television helps to restore the perspective to normal). We’d like to set your perspective right and recommend listening to Robert M. Lee’s presentation about the Interim Years of Cyberspace. His talk focuses on the bigger picture in an effort to add a different view to the discussions taking place at DeepSec. The

DeepSec 2012 Talk: Evolution of E-Money

René Pfeiffer/ October 5, 2012/ Conference

The concept of electronic money was around long before BitCoin entered the stage. The main characteristic is its electronic storage and exchange. This is both convenient and dangerous since digital goods can be stolen by copying data or cracking codes, depending on the design of the e-money system (which often will involve cryptographers). Jon Matonis will give you an overview of both the goals and the scary aspects of the cashless society. While the talk will focus on BitCoin, which is a peer-to-peer crypto-currency, you will get a deeper insight into how electronic currencies work, what challenges existing designs have solved (or haven’t), and which opportunities the use of digital currencies poses in the future. The phenomenon is quite young, but it is popular, even among criminals who have already robbed a BitCoin bank.

DeepSec 2012 Talk: The Vienna Programme – A Global Strategy for Cyber Security

René Pfeiffer/ October 5, 2012/ Conference

In case you ever felt frustrated by the countless ways digital systems can fail, you should consider listening to Stefan Schumacher’s talk about a global strategy for cyber security. It’s not about silver bullets or throwing rings into volcanoes, it’s meant as a roadmap leading to an improved security level in our digital landscape. Information technology and therefore IT security play a bigger role in everyday life than 20 years ago. However, even though IT security is becoming more and more important, we are still discussing the same old problems: rootkits, viruses and even buffer overflows. Unfortunately, IT security still revolves around the same problems as it did 20-30 years ago. Instead of fighting the same battles again and again we have to take a look at the strategic level to coordinate efforts. This

DeepSec 2012 Talk: SAP Slapping

René Pfeiffer/ September 30, 2012/ Conference

DeepSec 2012 covers SAP in-depth, and we also decided to include a presentation on how to test/pen-test SAP installations. Dave Hartley will give you an overview of how to approach SAP, show you what you can do, and probably achieve complete compromise of insecure and misconfigured SAP environments by pressing buttons. ☺ SAP systems can incorporate many different modules (ERP, ECC, CRM, PLM, SCM, SR, …) that are installed on multiple operating systems (UNIX, HP-UX, Linux and Windows etc.) which in turn rely on many different back end databases (DB2, Sybase ASE, Oracle, MS SQL, MaxDB and Informix). There are also many different versions/application stacks (SAP Netweaver 7.1 ABAP AS, 7.2 ABAP/Java AS, 7.3 ABAP/Java AS, …). Basically SAP systems often consist of very complex architectures and employ a myriad of integration choices in order to

DeepSec 2012 Talk: Breaking SAP Portal

René Pfeiffer/ September 27, 2012/ Conference, Security

SAP products are very widespread in the corporate world. A lot of enterprises run SAP software for a whole variety of purposes. Since enterprises feature many levels of interconnection, there is also a great deal of exposing going on. Usually you do this by means of portals. The term “portal” is a trigger for penetration testers, because portals are the gateways to curiosity – and probably compromises. This may give an attacker access to systems that store all information about your company and process all critical business transactions. You now have compelling reasons to attend DeepSec 2012, for we have a collection of SAP security talks and a workshop for you. Alexander Polyakov talks about how to attack SAP Portal. It is usually connected to the Internet. In turn the Internet is connected

DeepSec 2012 Schedule – In-Depth

René Pfeiffer/ September 19, 2012/ Administrivia, Conference

The schedule for DeepSec 2012 has now been online since August. The last two workshop slots have been filled with two superb trainings by McAfee/Foundstone. There are still some minor blind spots, but Your Favourite Editors are working on this. We will start to describe every workshop in-depth with its own blog article, and we will do the same with every presentation. We will try to set every piece of DeepSec 2012’s content into perspective and context. We are really looking forward to the trainings and presentations of DeepSec 2012!

Use Key Content for your Key Notes

René Pfeiffer/ March 21, 2012/ Administrivia, Security

There is some discussion about certain key note talks in the blogosphere and on mailing lists. Apparently there has been too much mentioning of mayhem and company ads lately. We will judge this as soon as we have watched the video recordings of these talks. Until we have done that we’d like to point out that all our key note presentations go through the same Call for Papers mechanism as the “regular” talks. This is true for DeepINTEL and DeepSec alike. It has also been true for all past DeepSec conferences. While we don’t mind provocative content, we still like our speakers to present high quality content. Paid content, on the contrary, is not always of high quality. As soon as you enter the realm of sponsored talks you’ll suddenly realise that presentations

Talk: Advances in IDS and Suricata

René Pfeiffer/ November 11, 2011/ Conference

Intrusion Detection Systems were very much in demand over 10 years ago. The widely known Snort IDS software is a prominent tool. Other vendors have their own implementations and you can readily buy or download thousands of rules distributed in various rule sets. Cranking up the sensitivity will then easily give you more alerts than you will ever be able to process sensibly. This is the mindset that settles in once people hear “IDS” or “IPS”. We don’t think this view is still true. That’s why Victor Julien and Eric Leblond, Open Information Security Foundation, will talk about Advances in IDS and Suricata at DeepSec 2011. You have probably heard of Suricata, the next generation intrusion detection engine. Development of Suricata started in 2008 and it was first released as stable in December 2009. Past DeepSec conferences featured

Talk: On Cyber-Peace – Towards an International Cyber Defense Strategy

René Pfeiffer/ November 4, 2011/ Conference

While the UK is preparing for war we’ll try something completely different at DeepSec 2011. We will talk about peace (“cyber-peace” to be exact). The ill-defined term cyber-war has been haunting media, security communities, politics and the military for a while now. We already had talks about this at past DeepSec conferences. Cybersecurity is currently a big hype even in mainstream media like the Frankfurter Allgemeine Zeitung, The Guardian or The New Yorker. Exploits and Vulnerabilities like Stuxnet or the German Trojan Rootkit for Lawful Interception are discussed in prime time news. Hackers like the Chaos Computer Club offer technical advice to the German Parliament and the highest court, the Federal Constitutional Court. Due to the constant work of security experts, researchers and hackers (including some really cool media fnords and stints), the level of security

Talk: Laws, Compliance and real Life

René Pfeiffer/ November 3, 2011/ Conference

If you believe that computer security is all about having the right tools and an expert staff, then you are mistaken. Never forget why you have computers in the first place – because of your business. Mikhail Utin will shed light on the corporate side of security by talking about laws, compliance and real life (full title of his talk is US experience – laws, compliance and real life – when everything seems right but does not work). While information security can be improved in a number of ways, one powerful approach is continually overlooked by security researchers. This approach constitutes a collective effort by masses of computer users, where each individual has a very limited understanding of information security and is frequently forced to improve security by various laws and regulations. Pressure coming from

Talk: Defeating BlackBerry Malware & Forensic Analysis

René Pfeiffer/ November 2, 2011/ Conference

Mobile phones have caught up on the malware side. Your phone can most probably now be infected by malicious software and be part of a botnet in the worst case. How do you analyse compromised devices? Do you have the right tools at hand? Maybe you don’t need any tools for you won’t find anything. Sheran A. Gunasekera explains in his talk Defeating BlackBerry Malware & Forensic Analysis at DeepSec 2011 how the forensic analysis of malware can be defeated. In recent years, more prominence has been given to BlackBerry malware, either in the wild or of commercially available kinds. Traditionally, signature-based malware scanners have been the way to detect and remove these malicious programs. Most smartphones can be fitted with anti-virus/-malware scanners these days. However Sheran will look at a different

Talk: Bond Tech – I Want More Than Movie Props

René Pfeiffer/ October 30, 2011/ Conference

I watched “Bolt” with my daughter yesterday. She’s still young and needed some time to distinguish fiction from reality, just like Bolt himself. If you regularly use (security) tools, then you might get a bit jealous about all these super-science skills and gadgets. This is especially true when it comes to the toys of James Bond. These questions arise: Does your software think it has super-powers, and when do we get these cinematic power tools on steroids just like in the films? Kizz MyAnthia of Halock Security Labs will address both questions in his talk at DeepSec 2011. There’s no doubt about it, you want these super-tools. We all do. So when do we get them? Well, soon or maybe never, but if you deal with information security (or vice versa) you have to

Talk: The Security of non-executable Files

René Pfeiffer/ October 27, 2011/ Conference

Recent security incidents push the imagination of some people to the limits. On today’s menu are U.S. Government satellites (done before albeit with a different vector), insulin pumps, automatic teller machines, smartphones linked to cars, and even vending machines in wilderness resort parks. What’s next? Executing code by the use of postcards or printed newspapers? Exactly! You probably recognise this phrase: “This is a data file, it can never be executed as code.” It’s nice to think of bits and bytes neatly separated into code and data. In fact some security models encourage this approach. In practice data tells a different story. You have very elaborate document and data formats with thousands of pages of specification. PDF, rich media and office documents are way more complex than you might think. This is why Daniel

Talk: FakeAntiVirus – Journey from Trojan to a Persistent Threat

René Pfeiffer/ October 26, 2011/ Conference

You run the latest software defending you against malicious code. You have your best filters deployed. Your firewalls are tight as granite. Your crypto is flawless. Your authentication is watertight. But you’re still being attacked and have probably been compromised. What happened? There’s always the attack vector through social engineering. Combine this with a web site or a dialogue box that warns your staff about a potential security breach and tricks them into installing code manually, most commonly by disguising it as anti-virus software (hence the name FakeAntiVirus). Infection can be done by browser plug-in / add-on (think toolbars or other convenient items) or more complex means. Once the tool is installed, it takes control of your system(s), phones home or does other tasks as told by its new owner. Provided the cover is
