2101, 2016

DeepSec Video: A Case Study on the Security of Application Whitelisting

René Pfeiffer/ January 21, 2016/ Conference, Discussion, Security

Application whitelisting is a method where you create a baseline selection of software on a system. You then freeze the state, and after this point any code not being part of your original „white list“ is considered dangerous and blocked from execution. In theory this should prevent the execution of malware and therefore protect against the pesky advanced persistent threat (APT) attacks everyone is talking about. What does this mean for your daily business? René Freingruber of SEC Consult talked about a case study at DeepSec 2015. This should save you some time and pain. Theory is not always the same when deployed in the field. René’s presentation even contains vendor names, so you can talk to the sales executive of your favourite brand of security products. This presentation is also a prime example

Read More

2001, 2016

DeepSec Video: A Death in Athens – The inherent Vulnerability of “Lawful Intercept” Programs

René Pfeiffer/ January 20, 2016/ Conference, Discussion

In politics it is en vogue to create new words by connecting them. The words „cyber“ and „lawful“ come to mind. You can add „crime“ and „intercept(ion)“, and then you got something. Actually you can combine both of the latter words with the first two. Either combination makes sense if you take a look at the Athens Affair. More than ten years ago the lawful interception modules of Vodaphone Greece were used to eavesdrop on the Greek government. Kostas Tsalikidis (Κώστας Τσαλικίδης) , Vodaphone’s network planning manager, was found dead in his apartment. At DeepSec 2015 James Bamford talked about what the Athens Affair really was and shed light on the many uses of the lawful intercept systems which are mandatory for most telecommunications equipment. We don’t know how many Athens Affairs are still

Read More

2001, 2016

DeepSec 2015 Videos are being published!

René Pfeiffer/ January 20, 2016/ Administrivia, Conference

As you may have noticed, we have sorted out the problems with the DeepSec 2015 recordings. Handling heavy multimedia files isn’t for the faint of heart – especially if one forgets to turn off the Twitter notifications while uploading broken video files. We have fixed this. Apparently the new uploader code took us (and our browser settings) by surprise. Now everything is whitelisted sorted out. The show can go on! We will accompany most videos with a short blog posting to put the content into perspective. Due to many publications in December it’s good to connect the dots. The Big Picture beats Big Data every time.

2001, 2016

Here be Dragons – SIGINT won’t go away in 2016 (or later)

René Pfeiffer/ January 20, 2016/ Conference

The new year is a couple of weeks old. Not much has changed from the perspective of information security. The word „cyber“ is still alive and kicking (just as the „cloud“ is, despite Safe Harbour not being safe any more). Crypto is being used as a scapegoat for major intelligence failures – again and again. Blaming mathematics is really easy, because few understand how cryptography protects the infrastructures all around us. Big Data and collecting intel is still going strong. In fact Signals Intelligence (SIGINT) is now part of our society; some say it’s even a part of our culture. Want to know what SIGINT in big scale looks like? Well, Duncan Campbell explained the SIGINT monster in depth at the DeepSec conference in 2015. Have a look at the video recording. 2016 promises

Read More

0302, 2015

Internet Protocol version 6 (IPv6) and its Security

René Pfeiffer/ February 3, 2015/ Internet, Security

Internet Protocol version 6 (IPv6) is not new. Its history goes back to 1992 when several proposals for expanding the address scheme of the Internet were discussed (then know by the name of IP Next Generation or IPng). A lot has happened since RFC 1883 has been published in 1996. Due to the deployment of IPv6 we see now implications for information security. Several vulnerabilities in the protocol suite have already been discussed. DeepSec 2014 features a whole training session and three presentations about the future protocol of the Internet. First Johanna Ullrich talked about a publication called IPv6 Security: Attacks and Countermeasures in a Nutshell. The paper gives you a very good view on the state of affairs regarding security and privacy weaknesses. It is strongly recommended for anyone dealing with the deployment

Read More

0202, 2015

Encrypted Messaging, Secure by Design – RedPhone and TextSecure for iOS

René Pfeiffer/ February 2, 2015/ Communication, Security

Encrypted communication is periodically in the news. A few weeks ago politicians asked companies and individuals all over the world to break the design of all secure communication. Demanding less security in an age where digital threats are increasing is a tremendously bad idea. Cryptographic algorithms are a basic component of information security. Encryption is used to protect data while being transported or stored on devices. Strong authentication is a part of this as well. If you don’t know who or what talks to you, then you are easy prey for frauds. Should you be interested in ways to improve the security of your messaging and phone calls, we recommend watching the presentation of Dr. Christine Corbett Moran. She is the lead developer of the iOS team at Open WhisperSystems. She talks about bringing

Read More

1912, 2014

DeepSec 2014 Video – “The Measured CSO”

René Pfeiffer/ December 19, 2014/ Discussion, Schedule, Stories

The first recording of DeepSec 2014 has finished post-processing. Just in time for the holidays we have the keynote presentation by Alex Hutton ready for you. Despite its title “The Measured CSO” the content is of interest for anyone dealing with information security. Alex raises questions and gives you lots of answers to think about. Don’t stay in the same place. Keep moving. Keep thinking.

0305, 2014

BSidesLondon 2014 Rookie Track Videos

René Pfeiffer/ May 3, 2014/ Conference

We are back from the BSidesLondon 2014, and we had a great time. It was good to meet everyone to get some new ideas and to work on old ideas too. The Rookie Track was a success. We had a hard time deciding which talk was best. We managed to find a winner which will be invited to attend DeepSec 2014. Congratulations to Georgi Boiko! The Rookie Track recordings will be published online depending on the choice of the speaker. Some are already online. Here is a list of talks you can already watch. More are being published in the coming weeks (we will update this list). A Look at Modern Warfare by @kaitlyn4495 The Joy of Passwords by Joseph Gwynne-Jones RFID Hacking – An Introduction by @d3sre Run-time tools to aid application security

Read More

2702, 2014

DeepSec 2013 Video: Static Data Leak Prevention In SAP – The Next Generation Of DLP

René Pfeiffer/ February 27, 2014/ Conference, Stories

Leaks are problems you don’t want in your infrastructure. While this is clear for water pipes, it is not so clear for digital data. Copying is a part of the process, and copying data is what your systems do all day. A leak comes into existence when someone without access privileges gets hold of data. The industry has coined the term data leak/loss prevention (DLP) for products trying to stop intruders from ex-filtrating your precious files. Just like other defence mechanisms DLP systems cannot be bought and switched on. You have to know where your data lives, which software you use, what data formats need to be protected, and so on. We invited Andreas Wiegenstein to talk about data loss prevention in SAP systems. His presentation was held at the DeepSec 2013 conference and

Read More

2602, 2014

DeepSec 2013 Video: Using Memory, Filesystems And Runtime To App Pen iOS And Android

René Pfeiffer/ February 26, 2014/ Conference

Your iOS or Android smartphone can do a lot. „There’s an app for that!“ is also true for information security. So what can you do? We have seen smartphones used as an attack platform for penetration testing. You can use them for wardriving, and, of course, for running malicious software (next to „normal“ software which can do a lot too). At DeepSec 2013 Andre Gironda unlocked some of the mysteries of the iDevice and Android-device memory intrinsics, filesystem/process sandboxes, and the OO runtime by walking through the techniques, including common obfuscations. His talk is recommended to anyone interested in the capabilities of modern smartphones.

2502, 2014

DeepSec 2013 Video: Europe In The Carna Botnet

René Pfeiffer/ February 25, 2014/ Conference, Security

Botnets serve a variety of purposes. Usually they are used to send unsolicited e-mail messages (a.k.a. spam), attack targets by sending crafted data packets, or to perform similar activities. The Carna Botnet was created by an anonymous researcher to scan the IPv4 Internet. The creator called the botnet the Internet Census of 2012. The nodes of the botnet consist of virtually unsecured IPv4 devices – modems and other network equipment. Point of entry where mostly Telnet management interfaces exposed to the Internet. Analysing the devices that were part of the Carna Botnet is well worth the effort. This is why we invited Parth Shukla (Australian Computer Emergency Response Team, AusCERT) to present his findings about the Carna Botnet at DeepSec 2013. „A complete list of compromised devices that formed part of the Carna Botnet

Read More

2402, 2014

DeepSec 2013 Video: Future Banking And Financial Attacks

René Pfeiffer/ February 24, 2014/ Conference, Security

Predicting the future is very hard when it comes to information technology. However in terms of security analysis it is vital to keep your head up and try to anticipate what attackers might try next. You have to be as creative as your adversaries when designing a good defence. This is why we invited Konstantinos Karagiannis (BT) to DeepSec 2013.  Konstantinos has specialized in hacking banking and financial applications for nearly a decade. Join him for a look at the most recent attacks that are surfacing, along with coming threats that financial organizations will likely have to contend with soon.

2302, 2014

DeepSec 2013 Video: Pivoting In Amazon Clouds

René Pfeiffer/ February 23, 2014/ Conference

The „Cloud“ is a great place. Technically it’s not a part of a organisation’s infrastructure, because it is outsourced. The systems are virtualised, their physical location can change, and all it takes to access them is a management interface. What happens if an attacker gains control? How big is the impact on other systems? At DeepSec 2013 Andrés Riancho showed what attackers can do once they get access to the company Amazon’s root account. There is more to it than a simple login. You have to deal with EC2, SQS, IAM, RDS, meta-data, user-data, Celery, etc. His talk follows a knowledgeable intruder from the first second after identifying a vulnerability in a cloud-deployed Web application through all the steps he takes to reach the root account for the Amazon user. Regardless of how your

Read More

2102, 2014

DeepSec 2013 Video: Prism Break – The Value Of Online Identities

René Pfeiffer/ February 21, 2014/ Conference, Internet

Everything you do online creates a stream of data. Given the right infrastructure this data trails can be mined to get a profile of who you are, what you do, what your opinions are and what you like or do not like. Online profiles have become a highly desirable good which can be traded and used for business advantages (by advertising or other means). In turn these profiles have become a target for theft and fraud as well. In the digital world everything of value gets attacked eventually. Time for you to learn more about it. In his talk at DeepSec 2013 Frank Ackermann explained the value of online identities. We recommend his presentation, because it illustrates in an easily comprehensible way the value of online identities in our modern Internet relying society. It

Read More

1902, 2014

DeepSec 2013 Video: Risk Assessment For External Vendors

René Pfeiffer/ February 19, 2014/ Conference

CIOs don’t like words like „third party“ and „external vendor“. Essentially this means „we have to exchange data and possibly code with organisation that handle security differently“. Since all attackers go for the seams between objects, this is where you have to be very careful. The fun really starts once you have to deal with confidential or regulated data. So how do you cope with doing this and still keeping an eye open for risk, compliance, and efficiency? Good question. At DeepSec 2013 Luciano Ferrari (Kimberly-Clark Corporation) addressed these issues in his presentation. He has developed a process that deals with global Risk Assessment and increases the trust in and the security of your data. However: Data security can only be achieved if all units of an organization cooperate – and with a change

Read More