2509, 2012

DeepSec 2012 Training: Penetration Testing with Metasploit

René Pfeiffer/ September 25, 2012/ Training

Metasploit is one of the major tools used by security researchers and security administrators when it comes to testing security or verifying the operation of intrusion detection/prevention systems. It is also used by penetration testers when trying to circumvent defences and to insert payloads into compromised systems. Everyone dealing with the implementation of security measures is well advised to learn how Metasploit works, how it can be extended and how it can be used to its full potential. Point and click is a nice theory, but when it comes to information security you probably want to know what you are really doing. We therefore invite you to take a look at this workshop held at DeepSec 2012: In the Penetration Testing with Metasploit training you will learn hands on skills that come in to

Read More

2409, 2012

DeepSec 2012 Workshop: Malware Forensics and Incident Response Education (MFIRE)

René Pfeiffer/ September 24, 2012/ Conference, Training

Malicious software is the major tool for attackers. It is used to deliver the payload so that compromised systems can be exploited and secured for executing further tasks by your adversaries. Getting to now this malicious software and finding traces of the breach is very important for dealing with a security event. Proper incident response must be part of every state-of-the-art defence strategy. So this is why we offer the Malware Forensics and Incident Response Education (MFIRE) training at DeepSec 2012. Ismael Valenzuela will be your teacher for this course. The workshop is a proactive weapon to help you normalize your environment after a negative event has occurred. Your opponents have increasingly sophisticated tools and backdoor programs at their disposal to steal your intellectual property and expose sensitive information – all with the ability

Read More

2409, 2012

DeepSec 2012 Workshop: Strategic Thinking and Assessing Risk

René Pfeiffer/ September 24, 2012/ Conference, Training

We have begun to address the increasing demand for strategic thinking by staging the first DeepINTEL event in 2012. Since we strongly believe in the importance of the „big picture“, we offer a workshop on strategic thinking and assessing risk at DeepSec 2012, too. The training will be conducted by Richard Hanson, who has a broad understanding of security concepts and best practices through both formal education and client experience. He will guide you through the two-day workshop. The training will equip you with the knowledge and tools to be able to think strategically though understanding what is important to a business and assess its risks. It will teach you techniques to conduct risks assessments and to prioritize the outcomes in a strategic roadmap. It’s not just theory. You will learn how to effectively

Read More

2009, 2012

DeepSec 2012 Workshop: Attacks on GSM Networks

René Pfeiffer/ September 20, 2012/ Conference

We are proud to follow the tradition of breaking hardware, software, code, ciphers or protocols. When it comes to mobile phone networks, you can break a lot. The workshop on Attacks on GSM Networks will show you the current state of affairs and some new tricks and developments. The attacks that will be discussed during the training are not theoretical, they are feasible and can be exploited to be used against you. Knowing about the capabilities of your adversaries is absolutely important since virtually no organisation or business runs without the use of mobile networks. What do you have to expect? Well, attendees will spend about half the time re-visiting the key aspects of GSM’s security features and their publicly known weaknesses. During the other half, attention is being paid to the hands-on practical

Read More

1909, 2012

DeepSec 2012 Schedule – In-Depth

René Pfeiffer/ September 19, 2012/ Administrivia, Conference

The schedule for DeepSec 2012 has now been online since August. The last two workshop slots have been filled with two superb training by McAfee/Foundstone. There are still some minor blind spots, but Your Favourite Editors work on this. We will start to describe every workshop in-depth with its own blog article, and we will do the same with every presentation. We will try to set every piece of DeepSec 2012’s content into perspective and context. We are really looking forward to the trainings and presentations of DeepSec 2012!

1106, 2012

Software Development and Security Training

René Pfeiffer/ June 11, 2012/ Security, Training

Prior to every DeepSec conference we offer two-day trainings, and we regularly advertise trainings on secure software development. Attending security-centric workshops is really not meant as a humiliation. Modern (and not so modern) software development deals with a lot of code and dependencies. Even if your code is clean and well-written there’s a chance that something you rely on isn’t. This happens a lot with library functions (think DLLs) and thus can happen in high level programming languages, too. A training focussing on security will sharpen your „spider sense“ and you will be able to detect sections of code that can go wrong more easily. This is also true for reading documentation. Take a look at CVE-2012-2122. In essence you can get access to some MySQL database servers by repeatedly trying to access an

Read More

1210, 2011

Workshop: Social Engineering for IT Security Professionals

René Pfeiffer/ October 12, 2011/ Conference

Social Engineering has been around for a long time and predates the Internet. The method of the Nigerian scams today dates back to the 16th century. It is much more widespread today. Social networking sites supply attackers with a rich source of information. They may even get hold of confidential information without any effort (as the Robin Sage experiment has shown). Directed attacks such as spear-phishing can have a high impact. The use of deception or impersonation to gain unauthorised access to sensitive information or facilities is a persistent threat to your company or organisation, provided you communicate with the outside world. Since computer security is becoming more sophisticated, hackers are combining their technical expertise with social engineering to gain access to sensitive information or valuable resources in your organisation. Social engineering attacks can

Read More

2809, 2011

Workshop: Social Engineering for IT Security Professionals

René Pfeiffer/ September 28, 2011/ Conference

Social Engineering engagements can appear to be easy, especially to someone who already has experience in the Information Security industry.  All InfoSec consultants have experienced situations where they’ve been let into a meeting or to perform an onsite engagement without the correct paperwork or permission, and we’ve all heard the stories of successful Social Engineering assignments.  Combined with frequent news stories on the success of spear phishing and „blagging“ it can seem as though the simplest of attacks will inevitably compromise a target. However selling, scoping, executing and reporting on regular Social Engineering engagements requires a thorough understanding of the processes, techniques and risks involved, as well as the concepts and issues around Social Engineering in general.  With that understanding you can ensure that you have those stories to tell to your peers, and

Read More

2309, 2011

Workshop: Web Hacking – Attacks, Exploits and Defence

René Pfeiffer/ September 23, 2011/ Conference

In 2011 we have seen a lot of articles about „cyber“ attacks in the media. Judging from the media echo it looks as if a lot of servers were suddenly compromised and exploited for intruding into networks. While attacks usually take advantage of weaknesses in software, servers do not develop vulnerabilities over night. Most are on-board by design, by accident or by a series of mistakes. The first line of defence are web applications. Every modern company has a web site or uses web portals. Attackers know this and look for suitable attack vectors. If you want to improve your security, you have to start right at this first line. This is why we recommend the workshop Web Hacking – Attacks, Exploits and Defence by Shreeraj Shah & Vimal Patel of Blueinfy Solutions. As

Read More

1209, 2011

Workshop: The Art of Exploiting Injection Flaws

René Pfeiffer/ September 12, 2011/ Conference

If you have ever developed a web application you know that attackers try to exploit requests to the web server in order to inject commands sent to a database server. This attack is called SQL injection. It is done by modifying data sent through web forms or parameters that are part of a request to a web server. In theory web developers learn to avoid mistakes leading to SQL injection. In practice not every developer has the skill or the tools to prevent SQL injection due to lack of knowledge. Validating data can be hard if the data is badly defined or if the building blocks of the web application do not offer ways to normalise or sanitise data. Most developers might not even know if the frameworks they are using protects them or

Read More

1009, 2011

Workshop: Attacks on GSM Networks

René Pfeiffer/ September 10, 2011/ Conference

The topic of GSM networks has been discussed at past DeepSec conferences right from the very first event in 2007. Recent years saw a significant increase of research in GSM attacks: The weaknesses of A5/1 encryption have been demonstrated and exploited, several GPRS networks in Europe have been shown to be insecure, and an ever-growing number of Open Source projects in the area of GSM and GPRS are gaining significant attraction. Despite the availability of attack methods, the tools are often hard to use for security professionals due to their limited documentation. The published attacks are often difficult to reimplement when assessing the vulnerability of GSM networks. This is exactly why DeepSec 2011 offers a two-day training on attacking GSM networks. Attendees will spend about half the time re-visiting the key aspects of GSM’s

Read More

0609, 2011

Talk/Workshop: IPv6 Security In-Depth

René Pfeiffer/ September 6, 2011/ Conference

The tale of two protocol suites has been being written for some time now. The IPv4 Internet has run out of fresh addresses. The IPv6 deployment has begun, but it will take some time before IPv4 is completely phased out (if ever). The work on the IPv6 protocol started in the early 1990s with the temporary IP Next Generation Working Group, collecting proposals. In theory IPv6 addresses many shortcomings of IPv4 and consists of a thoroughly well-designed protocol suite with security in mind. In practice you will neither just switch to IPv6 nor skip the step where you consider the security implications. There is no zero conf mechanism when it comes to security. All businesses need to know what the security impact of IPv6 really is. Some networks have already deployed IPv6, others think

Read More

2308, 2011

DeepSec 2011 Schedule and Description of Talks/Workshops

René Pfeiffer/ August 23, 2011/ Conference

We’ve already published the preliminary schedule for DeepSec 2011. Most of the speakers have already confirmed their presence at the conference, but we are still waiting for e-mail. While preparing the schedule we’ve asked for more descriptions, and we will describe the talks and workshops in slightly more detail in the blog. We know that some of the titles deserve a closer look, especially since we got very interesting topics to talk about. During the next weeks we will dedicate a whole blog article to each and every slot in our schedule. Stay tuned! Please make sure that you don’t miss the early-bird rates. Tickets at reduced prices are still available until mid-September 2011!

0106, 2011

Registration for DeepSec 2011 is now open!

René Pfeiffer/ June 1, 2011/ Administrivia, Conference

The registration for DeepSec 2011 is now officially open. You can register for the conference, workshops or both. We offer three booking phases: Early Bird, Regular and Last Minute. Please keep in mind that the Early Bird tickets are the cheapest. The longer you wait, the more you have to pay. Since the Call for Papers is still running the workshop slots are empty, but you can buy workshop or conference+workshop tickets now and decide which workshop you want later (when we publish the schedule). If you have any questions, drop us a few lines.

0208, 2010

Sneak Preview – your cellphone can be tapped

René Pfeiffer/ August 2, 2010/ Schedule, Security

You probably have a cellphone. Your company might even provide an additional one. Your boss most certainly uses a cellphone. What do you use it for? Do you share details about your private life via phone conversations? Did you ever talk to a business partner about confidential offers? Do you rely on cellphone when it comes to important messages? If so you might be interested in hearing some news about the state of security of mobile networks. Most of them are broken, outdated or both when it comes to security. Details of the security issues have been presented at DeepSec 2009 by Karsten Nohl. During Defcon18 in Las Vegas a security researcher successfully faked several attendees’ cell phones into connecting to his phony GSM base station during a live demonstration that had initially raised

Read More