Deepsec

Tuesday, November 19, 2013

A conference "centered on the concepts of secrets, failures and visions".

I recently visited DeepSec 2013 and wanted to highlight some of the more interesting talks that I saw. The event was hosted in Vienna and was centered on the concepts of secrets, failures and visions. The talks were spread over two days and covered a diverse range of interesting topics within cyber security. Unfortunately, having two sets of talks running in parallel meant I couldn't see them all, but I nevertheless got to see some of the great work that is currently being undertaken in the industry.

Andres Riancho presented on how he exploited weaknesses in the Amazon cloud in order to pivot through their backend systems. By exploiting known issues within the open source software used by Amazon, Andres managed to take control of key elements of Amazon’s local cloud infrastructure. His talk guided us through the steps he took to achieve his goal and concluded by providing a tool that performed the entire process automatically. He gave a really interesting presentation leaving plenty for us to tinker with on our own! More information on his work can be found at the following URLs:

http://andresriancho.github.io/nimbostratus/
http://andresriancho.github.io/nimbostratus/pivoting-in-amazon-clouds.pdf
https://github.com/andresriancho/nimbostratus-target

Konstantinos Karagiannis talked about 'Future Banking and Financial Attacks'. He identified a relaxed security model in applications used within sensitive financial systems. One of the primary reasons for their insecurity and fragility was a requirement for extremely high performance; the computers are even placed physically closer together to reduce latency across the wire. This requirement unfortunately creates resistance to implementing extra security controls that could impact performance. Konstantinos went on to predict that in the next decade, quantum computers will severely impact the integrity of the world's encryption. The performance of quantum computers will allow encrypted messages to be decrypted in a feasible amount of time, requiring the implementation of sufficient protections at a hardware level. His points highlighted the importance of thinking ahead of current paradigms and being prepared for the challenges that we will face in our technologically immersed future.

Karin Kosina argued that the term 'cyber war' does not refer to war at all and that the term has been used in the media as hyperbole. Her primary argument was that the definition of war does not encompass cyber-attacks, which are often undertaken by non-state actors and do not cause direct harm to human beings. Her arguments were interesting and highlight the media's current view of cyber-attacks. Only the future will tell if definitions need to be revised or whether advanced software, such as Stuxnet, will evolve into more sinister weapons. Karin's website contains her detailed thesis on the subject: http://kyrah.net/.

Parth Shukla from AusCERT presented his analysis of a dataset containing information regarding the compromised devices that were used to conduct the internet census in 2012. The botnet used to conduct the scan was named ‘Carna’ and there were a number of interesting statistics that came out of the talk. Carna exploited default and insecure configurations in around 1.3 million devices worldwide to effectively scan the internet. 420,000 of these devices were used to perform the scan in under 3 hours! The analysed data can be used to see how susceptible different demographics are to being compromised. China, interestingly, accounted for 56% of all compromised devices worldwide. Shukla’s work can be found at the following URLs:

http://bit.ly/census-thesis
https://docs.google.com/file/d/0BxMgdZPXsSLBaGs1Skl0aXFPSkU/edit

Chris John Riley gave a brilliant talk on breaking 'secure' containers on Android. He used the backup functionality and Android's debugging interface to brute-force PINs and break into password storage applications, compromising their data. His blog post details his research into the subject:

http://blog.c22.cc/2013/09/05/a-sneak-peak-into-android-secure-containers-2/

Paul Amar, a student, was given a chance to present his work on building a framework to deliver Cross-Site Request Forgery (CSRF) attacks efficiently. His project has promising applications in offensive security testing through its ability to automate multiple actions on behalf of an unsuspecting user from a single click. I especially appreciated his use of NodeJS in building the framework, although I feel there are still a few more people who require convincing of its superiority as a scripting language. His work can be found at https://github.com/PaulSec/csrft_deepsec_2013.

The event was perfectly rounded off with a party hosted by the awesome people at Metalab. Their hacker space evoked a substantial amount of envy, especially seeing their two 3D printers! More information on all the cool stuff they're up to can be found at their website: https://metalab.at/wiki/English. A truly creative space tucked away in Vienna's already captivating streets; I would encourage anyone to check it out if given the chance. A big thanks to the event's organisers for putting on another great cyber security conference; I'm still unsure what the cloud is though.
