1410, 2014

DeepSec 2014 Workshop: Understanding x86-64 Assembly for Reverse Engineering and Exploits

René Pfeiffer/ October 14, 2014/ Training

Assembly language is still a vital tool for software projects. While you can do a lot much easier with all the high level languages, the most successful exploits still use carefully designed opcodes. It’s basically just bytes that run on your CPU. The trick is to get the code into position, and there are lots of ways to do this. In case you are interested, we can recommend the training at DeepSec held by Xeno Kovah, Lead InfoSec Engineer at The MITRE Corporation. Why should you be interested in assembly language? Well, doing reverse engineering and developing exploits is not all you can do with this knowledge. Inspecting code (or data that can be used to transport code in disguise) is part of information security. Everyone accepts a set of data from the outside

Read More

2509, 2014

DeepSec 2014 Workshop: Suricata Intrusion Detection/Prevention Training

René Pfeiffer/ September 25, 2014/ Conference, Internet, Training

Getting to know what’s going on is a primary goal of information security. There is even a name for it: intrusion detection. And there are tools to do this. That’s the easy part. Once you have decided you want intrusion detection or intrusion prevention, the implementation part becomes a lot more difficult. Well, if you need help with this issue, there is a two-day workshop for you at DeepSec 2014 – the Suricata Training Event. Suricata is a high performance Network Intrusion Detection System (IDS), Intrusion Prevention System (IPS) and Network Security Monitoring engine. It can serve pretty much all your needs. It’s Open Source (so it cannot be bought and removed from the market) and owned by a very active community. Suricata is managed by the non-profit foundation; the Open Information Security Foundation

Read More

0509, 2014

EuroTrashSecurity Podcast – Microtrash37 : DeepSec 2014 Content

René Pfeiffer/ September 5, 2014/ Conference

Microtrash37 of the EuroTrashSecurity podcast is out! We had a little talk with Chris about the schedule of DeepSec 2014 and what to expect. It’s a teaser for the blog articles about the talks and the trainings to come. We will describe more details on the blog, but you get a good overview what to expect from the audio. We also got some inside information on the upcoming BSidesVienna 0x7DE. We will definitely attend and so should you! The BSidesVienna has some cool surprises for you. Don’t miss out on the chance to get together. The Call for Papers is still open! If you have something to share, please consider submitting a talk.

2708, 2014

Preliminary Schedule of DeepSec 2014 published

René Pfeiffer/ August 27, 2014/ Administrivia, Conference

After weeks of hard work we have now the preliminary schedule of DeepSec 2014 online! We received over hundred submissions, and we had to navigate through a lot of publications, abstracts and references. We hope that you like the mixture of topics. We especially hope that you will find the offered trainings interesting. We still wait for content and corrections, so bear with us while the schedule takes its final form. Contrary to the past years we had a lot more to do in terms of completing information about submitted talks and trainings. We will tell you more about this in the upcoming blog articles (which we will announce on our Twitter account, so you don’t miss anything). Looking forward to see you in Vienna in November!

2610, 2013

DeepSec 2013 Workshop: Effective IDS/IPS Auditing And Testing With Finux

René Pfeiffer/ October 26, 2013/ Conference, Security, Training

A major part of information security is to deal with intrusions. It doesn’t matter if you have to anticipate them, detect them, or desperately wish to avoid them. They are a part of your infosec life. This is why gentle software developers, security researchers, and vendors have created intrusion detection/preventi0n systems. It’s all there for your benefit. The trouble is that once you buy and deploy and IDS/IPS system, its dashboard looks a lot like the one from the space shuttle or a fighter jet. You can do a lot, you can combine a lot more, and you see all kinds of blinking lights when you turn everything on. That’s probably not what you want. But there is help. Arron ‘Finux’ Finnon of Alba13 Research Labs will conduct a training on effective IDS/IPS auditing

Read More

2110, 2013

DeepSec 2013 Workshop: Hands On Exploit Development (Part 2)

René Pfeiffer/ October 21, 2013/ Conference, Stories

Unless you buy ready-made exploits or do security research (you know, the tedious task of testing systems and code, findings bugs and assessing their impact) you may wonder where they come from. To show you how to exploit a vulnerability and how to get to an exploit, we have asked Georgia Weidman for an example. She will be conducting the Hands On Exploit Development training. Early in my infosec education I took a class with a lab portion systems with known vulnerabilities. One system that I had difficulty exploiting was a Windows 7 host with HP Power Manager 4.2.6 which is subject to CVE-2009-2685. There is no Metasploit Module for this issue, but I was able to find some public exploit code on Exploit-db. The exploit calls out explicitly that it has been tested

Read More

2010, 2013

DeepSec 2013 Workshop: Hands On Exploit Development (Part 1)

René Pfeiffer/ October 20, 2013/ Conference, Training

Software bugs evolve, just like their animal counterparts. Lesser bugs impact usability or are simple malfunctions. Once a bug impacts the security it is called a vulnerability. This means that something major is broken and that the internal logic can be manipulated to produce undesirable effects. Vulnerabilities can be exploited to create deterministic effects such as bypassing security checks, elevating privileges or other things. Exploits are the biggest bugs around. They have to work every time (at least with the software version affected by the bug/vulnerability), they need to insert specific code with a given purpose, and they should not compromise the functionality of the software (since you don’t want to be noticed) – So there is software development involved. Georgia Weidman will teach you how to get from a bug via a vulnerability

Read More

1110, 2013

DeepSec 2013 Workshop: Exploiting Web Applications Protected By $WAFs

René Pfeiffer/ October 11, 2013/ Conference, Security, Training

We all use web applications on a daily basis. Search engines, portals, web sites, blogs, information pages and various other content accessible by web browsers accompany us every day. This means that web server are the first exposed systems you will have to protect when deploying web applications. Usually you would add filters to your network that inspect access to the software and block any malicious requests. Packet filters were the tool of choice. Now we have application level firewalls to deal with content and protocols used. In the case of web applications the market has introduced a new kind of device: the web application firewall (WAF). In theory WAFs understand HTTP and know how a web browser talks to a web server. In practice no two web applications are alike, because they may

Read More

0410, 2013

DeepSec 2013 Workshop: Attacks On GSM Networks

René Pfeiffer/ October 4, 2013/ Conference, Security, Training

Mobile phone networks have penetrated even the most remote areas of the Earth. You can send a tweet from Mount Everest if you like, the cell service is already there. In addition mobile phone networks feature 6 billion subscribers all over the world. Communication by mobile devices has entered the routine of daily life. It’s not all about talking. Smartphone, laptops, tablets and modems access the Internet by mobile phone networks. And as every security specialist knows: If there’s a network, then there are protocols, and these protocols can be attacked. True, it’s not as easy as TCP/IP since mobile phone networks feature sets of more complex protocols. Nevertheless these networks can be accessed, and you cannot block it. This is why you should get in touch with the threats to your organisation. DeepSec

Read More

2609, 2013

DeepSec 2013 Workshop: Developing and Using Cybersecurity Threat Intelligence

René Pfeiffer/ September 26, 2013/ Conference, Security Intelligence, Training

The arsenal of components you can use for securing your organisation’s digital assets is vast. The market offers a sheer endless supply of application level gateways (formerly know as „firewalls“), network intrusion detection/prevention systems, anti-virus filters for any kind of platform (almost down to the refrigerator in the office), security tokens, biometrics, strong cryptography (just stay away from the fancy stuff), and all kinds of Big Data applications that can turn shoddy metrics into beautiful forecasts of Things to Come™ (possibly with a Magic Quadrant on top, think cherry). What could possibly go wrong? Well, it seems attackers still compromise systems, copy protected data, and get away with it. Security often doesn’t „add up“, i.e. you cannot improve your „security performance“ by buying fancy appliances/applications and piling them on top of each other. What

Read More

2509, 2013

DeepSec 2013 Workshop: Social Engineering Awareness Training – Win A Free Ticket!

René Pfeiffer/ September 25, 2013/ Conference, Training

“If a tree falls in a forest and no one is around to hear it, does it make a sound?” You probably know this question. It’s a philosophical thought experiment questioning observation and knowledge of reality. There is a similar gedankenexperiment for information security: “If your organisation receives a spear phishing e-mail and no one is around to read it, does it create a security breach?” Communication is essential for everyone these days. If you run a business, you are forced to deal with communication on a daily basis. This didn’t start with the Internet. The telephone was first, and before there were letters and all kinds of ways to relay word from A to B. It’s a good idea to go back in time to avoid being distracted by technology but Trojan Horses

Read More

2309, 2013

DeepSec 2013 Workshop: Secure your Business by Business Continuity Plans

René Pfeiffer/ September 23, 2013/ Conference, Training

Quite a lot of companies stay in business, because they operate continuously and reliably. Few have the luxury to close shop for an extended period of time. If you do, then you are either fabulously successful or in deep trouble. Regardless of what you have in mind for your enterprise you should think of implementing a business continuity plan (BCP) sooner or later. Since designing and implementing a BCP is no piece of cake, we offer you a one day training at DeepSec 2013 where you can get started. The workshop will be conducted by Michel Wolodimiroff, who has over 25 years of experience in dealing with information technology. He will walk you through all bad dreams  of failing infrastructure, data loss, compromised systems, and worse catastrophes you might not even have thought of.

Read More

0211, 2012

DeepSec 2012 Training: SAP Security In-Depth

René Pfeiffer/ November 2, 2012/ Security, Training

Your SAP installation is probably the most critical system in your company’s infrastructure. At the same time the informations accessed and processed by SAP systems origin from many sources. Securing infrastructure with this complexity is not an easy task, and testing your security measures requires a great deal of knowledge and training. In addition your will probably run web services talking to your SAP system – which is quite handy for attackers. In case you are short on knowledge about your own SAP deployment, there’s help. There will be an SAP security workshop at DeepSec 2012! The SAP Security In-Depth training will show you how to find out if your SAP infrastructure is secured. Knowing about segregation of duties and securing roles and profiles is fine in theory, but you have to make sure

Read More

1110, 2012

DeepSec 2012 Workshop: Web Application Penetration Testing

René Pfeiffer/ October 11, 2012/ Conference, Training

If eyes are the window to your soul, then web applications are the gateways to your heart. Of course this is only a figure of speech, but once you take a look at security incidents and the role of web applications, then you get the idea of the analogy. Web applications are everywhere. It’s not always about your favorite intranet application. A lot of devices run web applications, too. And there are portals which really give you access to a whole variety of information and services. Speaking of services, you can have application programming interfaces (APIs), too. APIs usually do not talk to humans, but maybe they can be automated to do Bad Things™. This is where penetration testing comes in. Ari Elias-Bachrach will teach you how to approach web applications in the context

Read More

3009, 2012

DeepSec 2012 Workshop: The Exploit Laboratory – Advanced Edition

René Pfeiffer/ September 30, 2012/ Conference

Offensive security is a term often used in combination with defence, attack (obviously), understanding how systems fail and the ever popular „cyberwar“. Exploiting operating systems and applications is the best way to illustrate security weaknesses (it doesn’t matter if your opponents or pentesters illustrate this, you have a problem either way, and you should know about it). So where do exploits come from? Well, you can buy them, you can download them somewhere, or you can develop them. This is where The Exploit Laboratory comes in. Saumil Shah will teach you how exploits work – even on modern operating systems! Exploit Development is one of the hottest topics in offensive security these days. The Exploit Laboratory, in its sixth year, brings advanced topics in exploit development to Vienna this year. Arm yourself with skills

Read More