1809, 2011

Talk: How To Rob An Online Bank And Get Away With It

René Pfeiffer/ September 18, 2011/ Conference

We’ve all heard of – or have even been a victim of – attacks against online banking users where malware on their computers stole their identities and transferred their money to offshore mules’ accounts. While such attacks are still possible and will probably remain a viable threat, they suffer from severe limitations: the loot is limited by the amount of money on victims’ accounts, attacks only work against more gullible people and banks are employing security measures that make identity theft increasingly difficult. From the attacker’s point of view this is very undesirable. These factors create incentive for criminals to focus on online banking servers. Incidentally, that’s where – as famous bank robber Willie Sutton might say – all the money is. Now, Mr. Sutton lived in the times of physical currency and had

Read More

1409, 2011

Talk: An online Game Trojan Framework from China Underground Market

René Pfeiffer/ September 14, 2011/ Conference

Malware infecting computers always serves a purpose. Zombies, as infected systems are called, usually connect to a Command & Control channel and receive their orders from the owners of the zombie herd. Malicious software can also be used as a tool for retrieving information. Some of these tools are specialised and look for specific data such as login credentials. At DeepSec 2011 Hermes Li will explain how a trojan horse designed for stealing user information is installed, how it works and give a short introduction into the Chinese underground market. The talk will also discuss parts of the code, DLL injection and the packer encryption. There is a market for most stolen data. When it comes to games there is even real money in data trafficking. In-game goods (items, currencies, …) can be sold,

Read More

0709, 2011

Talk: Insight Into the Russian Black Market

René Pfeiffer/ September 7, 2011/ Conference

You have all heard the term cybercrime, and you have heard about all things cybercrime – stolen credentials, data theft, fraud, blackmail and more. You may have heard the there are markets for goods connected to computer crime. You may have heard that there’s a lot of money in it (enough to pay off the national debts of most states including the USA, if you total all reports on damages by cybercrime). As usual the problems lie in connecting the dots. What are the mechanisms behind these black markets? What are the goods? Who pays for them and by which means? Surely you cannot just walk into a chat room, drop your credit card number and part with the digital loot, or can you? What if you end up being a trade object yourself?

Read More

0609, 2011

Talk/Workshop: IPv6 Security In-Depth

René Pfeiffer/ September 6, 2011/ Conference

The tale of two protocol suites has been being written for some time now. The IPv4 Internet has run out of fresh addresses. The IPv6 deployment has begun, but it will take some time before IPv4 is completely phased out (if ever). The work on the IPv6 protocol started in the early 1990s with the temporary IP Next Generation Working Group, collecting proposals. In theory IPv6 addresses many shortcomings of IPv4 and consists of a thoroughly well-designed protocol suite with security in mind. In practice you will neither just switch to IPv6 nor skip the step where you consider the security implications. There is no zero conf mechanism when it comes to security. All businesses need to know what the security impact of IPv6 really is. Some networks have already deployed IPv6, others think

Read More

0509, 2011

Talk: The Management of IT Threats. European Digital Agenda’s Weakness

René Pfeiffer/ September 5, 2011/ Conference

In case you haven’t heard about it, there is a digital agenda for the coming decade, developed by the European Commission. Cited from the web site: Europe 2020 is the EU’s growth strategy for the coming decade. In a changing world, we want the EU to become a smart, sustainable and inclusive economy. These three mutually reinforcing priorities should help the EU and the Member States deliver high levels of employment, productivity and social cohesion. Concretely, the Union has set five ambitious objectives – on employment, innovation, education, social inclusion and climate/energy – to be reached by 2020. Each Member State has adopted its own national targets in each of these areas. Concrete actions at EU and national levels underpin the strategy. The strategy includes a strong coordination between public and private institutions, located

Read More

3108, 2011

Talk/Workshop: SAP Security In-Depth

René Pfeiffer/ August 31, 2011/ Conference

No two SAP deployments are the same. If you run an SAP environment, then you will most certainly use customisations and a multi-tier architecture. You will have tied your SAP deployment to your assets. The typical setup features Development, Quality Assurance and Production (which is the minimal amount of tiers, you may have more). While the development and IT staff mainly interacts with Development and Quality Assurance environments, the organisation’s end-user only connects to the Production systems in order to undertake the required business processes. As soon as security considerations come into play you will probably audit your infrastructure. Since auditors cost money most SAP deployments won’t be scrutinised completely. And then you are in trouble despite passing tests with flying colours. Using short-cuts is the best way to run into trouble. Consider your multi-tier

Read More

2308, 2011

DeepSec 2011 Schedule and Description of Talks/Workshops

René Pfeiffer/ August 23, 2011/ Conference

We’ve already published the preliminary schedule for DeepSec 2011. Most of the speakers have already confirmed their presence at the conference, but we are still waiting for e-mail. While preparing the schedule we’ve asked for more descriptions, and we will describe the talks and workshops in slightly more detail in the blog. We know that some of the titles deserve a closer look, especially since we got very interesting topics to talk about. During the next weeks we will dedicate a whole blog article to each and every slot in our schedule. Stay tuned! Please make sure that you don’t miss the early-bird rates. Tickets at reduced prices are still available until mid-September 2011!

0708, 2011

Explaining Security to non-technical Audiences

René Pfeiffer/ August 7, 2011/ Discussion, Report

A few days ago we had the opportunity to present a review of vulnerabilities in mobile phone networks and typical attack vectors to a non-technical audience (we announced the event in a previous blog posting, the event language was German). The background of the attendees was a spectrum of social sciences, political sciences, different technical science (but not information science), governmental agencies (again non-technical) and journalists. We adapted the slides in order to reduce the complexity and the technical details. The reaction was positive, but most of the questions were aimed at how to defend against the risks. Thus our reduction only lasted until the QA section. If you really want to defend yourself, you have to deal with the details. If you don’t dive into the details, you can give superficial answers at

Read More

0107, 2011

Veranstaltung zum Thema Informationstechnologie und Sicherheitspolitik

René Pfeiffer/ July 1, 2011/ Veranstaltung

Zwischen dem 28. und 31. Juli 2011 findet in Berlin die 1. Sicherheitspolitische Aufbauakademie des Bundesverbandes Sicherheitspolitik an Hochschulen statt. Sie trägt den Titel „Informationstechnologie und Sicherheitspolitik – Wird der 3. Weltkrieg im Internet ausgetragen?“. Die DeepSec Konferenz wird bei dieser Veranstaltung mit zwei Vorträgen zum Thema „Angriffe gegen Funknetze – wie verwundbar ist das GSM-Netz?“ und „Ausgewählte Angriffsvektoren — Zombies, Botnetze und dDoS-Attacken“ mitwirken. Wir versuchen damit Auszüge und Zusammenfassungen der vergangenen DeepSec Konferenzen komprimiert und auch für Nichttechniker zu vermitteln. Das volle Programm ist als PDF herunterladbar. Im Rahmen der Veranstaltung sollen die Themen Sicherheitspolitik und Informationstechnologie miteinander verbunden werden. „Cyberwar“ ist in aller Munde und hat schon Eingang in Militärdoktrine gefunden. Es stellen sich daher die Fragen: Was ist „Cyberwar“? Welche Bedrohungen sind relevant? Wie kann eine Auseinandersetzung mit Mitteln der

Read More

1506, 2011

See you at Ninjacon 2011 / BSidesVienna!

René Pfeiffer/ June 15, 2011/ Conference, Security

On June 18th the Ninjacon 2011 and the B Sides Vienna will take place. We will be present, help with the organisation, watch as many talks as possible and blog about it (at least we’ll send some tweets). If you got some time to spare, drop by (make sure you get a ticket first) or come to the party afterwards!

0106, 2011

Registration for DeepSec 2011 is now open!

René Pfeiffer/ June 1, 2011/ Administrivia, Conference

The registration for DeepSec 2011 is now officially open. You can register for the conference, workshops or both. We offer three booking phases: Early Bird, Regular and Last Minute. Please keep in mind that the Early Bird tickets are the cheapest. The longer you wait, the more you have to pay. Since the Call for Papers is still running the workshop slots are empty, but you can buy workshop or conference+workshop tickets now and decide which workshop you want later (when we publish the schedule). If you have any questions, drop us a few lines.

1603, 2011

Reminder: Mind2Mind Event I/2011 – „Wir werden Sie belauschen!“

René Pfeiffer/ March 16, 2011/ Communication, Veranstaltung

This is a short reminder of our local Mind2Mind event about the technology means of espionage in companies and organisations. The talk will be held by Wolfgang K. Meister of VOXCOM (and will be in German). Mr. Meister will address eavesdropping devices, microphones, attacks on telephone communication (VoIP, ISDN, analogue, 2G/3G), peculiarities of mobile phone networks and attacks on Internet communication, local computer systems and IT infrastructure. He will also discuss countermeasures. Dies ist eine kurze Erinnerung an unseren lokalen Mind2Mind Event „Wir werden Sie belauschen!“, der die Technologie von Spionage und Lauschangriff an Unternehmen und Organisationen beleuchtet. Der am Abend stattfindende Vortrag von Herrn Wolfgang K. Meister der Firma VOXCOM beschäftigt sich mit Wanzen, Mikrofonen, Aufnahme von Körperschall, Funk, Angriffen auf Telefone (VoIP, ISDN, analog, 2G/3G), Eigenheiten von Mobilfunknetzwerken und Attacken auf IKT

Read More

0107, 2010

Sneak Preview – Workshop about Advanced PHP Security

René Pfeiffer/ July 1, 2010/ Schedule

Our CfP ends on 31 July 2010, so we start publishing information about some of the submissions in advance. We got the confirmation from Laurent Oudot, founder of TEHTRI-Security, concerning the Advanced PHP Hacking training. The workshop will deal with breaking into PHP environments, methods of attackers once they are inside, defense against intruders and real hack simulations. This is a hands-on exercise guided by TEHTRI Security experts. Everyone running, developing or auditing PHP web applications should attend. Knowing how attacks work is the first step of avoiding them. When it comes to web applications, there is no silver bullet. You have to deal with the hosting environment, known about possible vulnerabilities, learn about the tools attackers use and then you can tune your defenses. Code analysis, filters, fuzzing, NIDS and hardening alone are

Read More