DeepINTEL - Preliminary Schedule

SexyDefense – maximizing the Home-Field Advantage

Iftach Ian Amit

Offensive talks are easy, I know. But the goal of offensive security at the end of the day is to make us better defenders. And that’s hard. Usually after the pen-testers/auditors (or worst – red team) leaves, there’s a whole lot of mess of vulnerabilities, exposures, threats, risks and wounded egos. Now comes the money time – can you fix this so your security posture will actually be better the next time these guys come around?
This talk focuses mainly on what should be done (note – not what should be bought – you probably have most of what you need already in place and you just don’t know it yet). Methodically, defensively, decisively. Just like the red-team can play ball cross-court, so should you!

Ian Amit is an IOActive Director of Services with over a decade of experience in both hands-on and strategic roles, working fluently in all manner of security-related fields: business, industry, technical, and research. Currently positioned to represent IOActive in the EMEA, Ian brings our customers the benefit of his proven leadership, innovative management style, and established expert media presence while overseeing engagements for technical, financial, and government clients. He speaks publicly on security topics that include the technical and strategic, as well as marketing, strategy, and policies, working at the highest levels of corporate and multi-national engagements.
A skilled researcher, Mr. Amit also has deep technical knowledge around programming, operating systems (particularly Unix and Win32), applications (including most network server applications), databases, and networking/infrastructures. He founded the Tel-Aviv DefCon chapter (DC9723) and also was a founding member of the Penetration Testing Execution Standard (PTES).

Better Breach Disclosure = Better Risk Management

Andrew Barratt

The focus is to enable open discussion about what sort of information should be shared in relation to security breaches, how this could be shared and to solicit ideas from the community about how this could work in proactive for the information security industry. Many other industries are capable of sharing incident data, insurance companies can easily see how many car accidents there are every year and all the stats that relate to the root cause. The healthcare industry is capable of giving a n% chance of obtaining cancer, or certain deformities or other illnesses. This is all possible because professionals in those sectors are capable of sharing information that relates to the cause of the issue in the first instance.
The presenter will share personal experiences in relation to RISK in general and aim to show that the information security industry can work together to collate this data and extrapolate sensible values and likelihood data for risk management purposes.

Facebook and You

Jonathan Deutsch

In order to understand why the social media has has become an actual threat to the corporate landscape, we must first understand how an attacker operates when he sets out to attack an organization. In order to have a complete attack scenario, an attacker must gain some actionable intelligence on the organization. The information that he seeks can be split into two main categories:

  • Technical Intel (TecInt) – the organizational surface attack. When launching an attack, the attacker needs to have a proper understanding of what sort of implementation he is attacking.
  • Attack Group – closed social targets – if we were to analyze what are the main methods of launching a successful and stealthy attack on large scale organization, we see that one of the major ways is via the usage of spear phishing. This method includes sending out targeted personal e-mails crafted and fitted for an exact recipient, with the usage of customized vulnerabilities that were attained from the TecInt phase.
Understanding the attack target is a critical element of any successful attack. As mentioned earlier, an attacker must map out the connections of related entities on the social networks, which differ from organization to organization.
In our talk we will discuss the potential damage of the over expose that social networks pose to users, and how this data can be of use to an attacker. Our tool helps the audience understand the unbearable simple way that our data is exposed to external powers, and how easy they could be turned against us. The topic of social networks has been discussed over and over, yet users have yet to have seen working tools that actually demonstrate visually the problem at hand.

Johnny Deutsch is a manager in the Advisory Services practice of Ernst & Young LLP. Johnny leads the cyber warfare and crime section at Ernst & Young's Hacktics Advanced Security Center (HASC) based in Tel Aviv, Israel. This cutting-edge security team is dedicated to conducting attack and penetration assessments for EY clients. In this role Johnny is in charge of developing new methodologies and performs cyber vulnerability assessments for HASC clients. Johnny has over 10 years of experience in the field of IT systems and security specializing in large scale VoIP systems, data networking and intelligence gathering. Prior to Johnny`s employment at HASC, he was a consultant at the Israeli Ministry of Defense and managed large scale projects in the field of IRM (Information Rights Management) and NAC (Network Access Control) systems. Prior to the MoD, Johnny was employed by an American sub contractor for the American Department of Defense and managed projects in the field of cellular communication and its integration of VoIP based PBXs. Prior to the DoD, Johnny served in the Israeli Defense Force as a military intelligence officer for 6 years in numerous officer roles in the cyber domain. Johnny is an active reserve duty officer in the Israeli army at the rank of Lieutenant.

Tuning to a different Key - Introducing Weaknesses into Security Devices

Arron "finux" Finnon

When security devices such as NIDS/NIPS (Network Intrusion Detection/Prevention Systems) are developing their rules/signatures, exploit PoC's tend to be used to develop and test those rules. Sometimes there is lots of PoC code around for a single exploit. Not too much of leap of faith to suggest that those people developing those rules will stick to what they know, and obtain those PoC from the favourite place. What happens if an exploit from one PoC is very subtlety different from other ALL the other PoC's available? What happens if this subtly different PoC is more popular than the rest? What happens if the PoC is not a clear baseline of the threat? What happens if you introduce a "quirk" in to your NIDS analysis?
This talk looks at the situation where the choice of PoC for NIDS/NIPS signature could have massive and wide ranging implications. In lack of a better term, what happens if a security rule writer inadvertently codes a very subtle quirk into the rules. This can lead to a situation where the same exploit using a different PoC might well be sufficiently different from the rule writers sample as to evade detection. The reality of this is in play in the real world, and security devices have been tuned to a slightly different key. I intend to show an example of how security devices have been developed using a unclean sample and how an exploit's original PoC can pass NIDS detection.
The aim of the talk is to raise awareness into carefully verifying an exploit prior to developing rules, a practice that is clearly not happening.

Cybercrime – Who are the offenders?

Dr. Edith Huber (Danube University Krems)

During the past years typologies of crime and offenders have changed enormously as well as rapidly. State-of-the-art techniques increasingly find their way into criminal investigations. New types of criminal phenomena tend to substitute the well-known types of crime. Common crimes range from the classical online fraud to cyber terrorism. Online crime has come to be a million dollar business.
Within the frame of this paper three aspects will be examined by reference to a meta survey based on the whole german spekaing area. As first step the penologic options fighting online crime will be considered. Then the different types of crime will be illustrated as well as the consequences of their exposure. The objective is to depict offender profiles as precisely as possible.

Edith Huber obtained her doctorate with distinction at the Faculty of Social Sciences at the University of Vienna. For over 10 years she has been very active in the field of security research. In addition to the KIRAS-Prize for the best national security research project and the Dr. Maria-Schaumayer-Prize she looks back on numerous projects and publications. Her key activities are: offender profiling, security research, cyberstalking, stalking, global change.

Wargames in the Fifth Domain

Karin ‘kyrah’ Kosina

Ms Kosina presents a critical look at the cyberwar debate (the result of her master thesis). “The United States is fighting a cyber-war today, and we are losing”, Mike McConnell, former US Director of National Intelligence, has claimed. Well, sir, I don’t think so. The term “cyberwar” is way over-used in the media. But if you look at the cyber incidents that we have seen from the perspective of the law of armed conflict, none of them qualifies as an act of war. Rather than focusing on military cyber defense (and offense), we need to work on a better civilian response to the (very real) IT security threats we are facing. The militarisation of the debate does nothing to address the actual problems, and creates a whole range of new problems instead.

Defending the crown jewels - Incident Response against APTs

Avi Kravitz

The game has changed. Less and less it is the opportunistic attackers that present the greatest risk. Determined adversaries target organizations with trained, high-skilled specialists, often with large financial budget and linked, opaque mafia-like structures. Incidents with targeted Advanced Persistent Threats (APTs) are difficult to handle in numerous ways. First, the goal of an APT is to stay as clandestine as possible on its victim’s environment until the adversary’s mission is fulfilled. Second, the combination of different attack methodologies is often highly sophisticated, combining various techniques to cover their tracks and infect multiple important and strategic gateways in the company network infrastructure. Generally the full spectrum of intrusion technologies is utilized and will bypass firewalls, antivirus software and all other traditional security mechanisms that are in place. Next, most of the affected organizations only recognize such breaches after months or years, mostly followed by a huge impact on their business. Once a breach is identified, affected organizations need to quickly identify existing threats and loopholes into the network and adapt according to the attacker’s changing plans. Through our Incident Response dealing with APTs we are always using the following approach as immediate steps:

  1. Get the attacker out of your network and close their original entry points
  2. Identify and close new entry points
  3. Hardening of critical systems
  4. Implement strategic changes
Experience has shown that adversaries will continue to pursue their individual objectives regardless of the implemented countermeasures, so it is indispensable and vital to change our mindset and way of thinking about intrusions and reevaluate our security priorities to identify future APT attacks in a timely manner.

Avi Kravitz is working as a senior security consultant for SEC Consult, the leading international company for information and application security. After years of thorough technical and information security related academic background (technical college, bachelor in IT-Security and master in Information Security on the University of Applied Science St. Pölten) he started his career as technical security consultant with focus on penetration testing back in 2009 after working as IT-Security expert for several years. Within the following years he switched his focus on incident response and security management related topics leading his customers through all remediation phases after an identified security breach.

Massive Storage

Richard Perlotto (Shadowserver Foundation)

Shadowserver has been collecting data in ever growing quantities over the last seven years. We have seen the growth of megabytes to terabytes of security related data and now are faced with having to store and analyze petabytes of data. This talk will lead you through the history of the different storage and growth methods we have suffered through up until today. We will review what is the most current for us and where we see storage going to in the future. We will offer specific technology suggestions and rules of thumb on deployment of that technology. Learn from our mistakes on what it took to plan to handle and plan for Petabytes of data and still get value and reports out of the data.

Richard Perlotto is one of three directors running the Shadowserver Foundation, an all volunteer watchdog group of security professionals that gather, track, and report on malware, botnet activity, and electronic fraud.
Mr. Perlotto runs the technology and operational side of the organization with a focus on streamlining the processes and information gathering techniques.
Personal: Richard Perlotto is an Information Security Adviser for Cisco Systems providing assistance and guidance on Information, Internet Risks and Threats to Cisco and their Customers. Previously he ran Security Operations worldwide for all of Cisco for almost four years. He is a 14-year Cisco veteran.

Bringing the Cyber-Peace - Introducing the Global Cyber Defence Initiative

Stefan Schumacher (President of the Magdeburg Institute for Security Research)

Cyber-war, cyber-crime and cyber-security are hot topics nowadays and discussed even in mainstream media. As information technology spreads and emerges into new fields - from smart meter and intelligent homes, intelligent cars and supervisory control and data acquisition system - IT security becomes more and more a vitally important part of our society.
Since discussing Carl von Clausewitz and "cyber war" does not resolve security problems itself, I introduced and discussed the concept for a cyber peace at last year's DeepSec conference.
To resolve security problems and getting things done, we founded the Global Cyber Defence Initiative - an interdisciplinary network of security experts (researchers, consultants, trainers, hacker…) and other organisations (corporations, chambers of commerce, scientific institutes…) who are interested in solving security problems.
Besides setting up the GCDI as a cluster of competence, we also work on a doctrine (including strategy and tactics) to resolve some of the IT security problems. Those include:

  • getting more interdisciplinary research and work in IT security, esp. psychological and pedagogical
  • setting up security awareness campaigns and evaluating their succes
  • creating a didactics of security including methods and tools to teach security
  • professionalising the field of IT security, e.g. with new job trainings and degree programmes
  • eliminate the buffer overflow - buffer overflows are easy to prevent, yet they still exist
  • making Operating Systems more resiliant against malware
  • raise security awareness among end users and developers of industrial systems
  • find methods to counter spear phishing
  • make cryptography usable, making computer more usable in general
  • stopping governments to undermine security with data retention, computer surveillance and other BS
  • finally: make security sexy :-)

Stefan Schumacher is president of the Magdeburger Institut für Sicherheitsforschung (Magdeburg Institute for Security Research) and co-editor of the institute's journal on security research. He has been a hacker for almost 20 years and even a NetBSD developer for some time. He studied educational science and psychology and researches information and organisational security with a focus on cyber war/cyber peace, security awareness and social engineering.

Preventing and Detecting Mass-Malware and Advanced Threats

Tom “c-APT-ure” Ueltschi

Your organization has firewalls, network IDS/IPS, anti-virus on multiple layers, maybe even HIPS, hardening and patching done and feels pretty safe and secure. But lots of companies and organisations who got breached had all that too. So maybe that’s not enough for today’s threats any more? This speech should give you lots of new intelligence resources to know who are the different threat actors, what are their motivations and techniques, what vulnerabilities are exploited by what threat actors, and some (maybe more or less unconventional) methods for prevention or detection of these threats. Most resources used are freely available, some need free registration and some are from personal work experience.

Tom Ueltschi received his Bachelors and Masters of Science in Computer Science and Engineering from University of Texas at Arlington. After about 6 years working in Software development he switched to IT Security five years ago. Hunting for and analyzing new malware is part of his job and hobby as well. He's an (in-)frequent blogger about APT resources and malware/botnet research ( and believes in sharing threat and malware intelligence using Twitter (@c_APT_ure), Storify, CIF feeds and IOCs.

Intelligence Gathering in a Changing Strategical Framework

Günter K. Weiße

Based upon the recent decision made by the Government of the United States of America to shift their main political and military interests from Europe to the Pacific and the increasing significance of the Peoples Republic of China and their military and economical influence in this region,Europe must reconsider its military and economic vulnerabilities in light of multi – threats , posed by International Terrorism,International Organized Crime and Cyber Operations against Critical Infrastructures , military and other conflicts in the vicinity of Europa and their possible implications. Therefore,the gathering of Intelligence will be an imperative aspect of the future architecture of Intelligence and Security Agencies among the European States in times of shrinking military and civilian budgets.

  • Present threats to Europe
  • The actual status of Intelligence gathering within the States of the European Union
  • Future developments of Intelligence structures and capabilities among selected States

After a career in the German Armed Forces in his capacity as an Intelligence Specialist with the German Air Force Signals Intelligence and postings to the Supreme Headquarters Allied Powers Europe -SHAPE,Reaction Forces Air Staff- RFAS ,Federal Armed Forces Intelligence Office- FAFIO and its successor, he served in the German Ministry of Defence and the German Embassy at Vienna. After his retirement, he joined the staff of the “Sicherheitsmelder” a net-based information periodical of the Boorberg-Verlag Stuttgart,Germany .He is ordinary member of the Gesprächskreis Nachrichtendienste Deutschlands (GKND,Berlin, International Intelligence History Association (IHHA),Austrian Center for Intelligence,Propaganda and Security Studies (ACIPSS), Graz & Armed Forces Communications & Electronic Association (AFCEA). He is the author of:

  • Geheime Funkaufklärung in Deutschland 1945-1989, Stuttgart, 2005 (Secret Communications Intelligence in Germany)
  • Informationskrieg + Cyberwar, Stuttgart, 2007
  • Geheime Nachrichtendienste und Funkaufklärung im Zweiten Weltkrieg-Deutsche und alliierte Agentenfunkdienste in Europa 1939-1954, Graz, 2009 (Secret Intelligence Services and Communications Intelligence in the Second World War - German and Allied clandestine Communications Services in Europe 1939-1945)
  • Totale Überwachung – Staat,Wirtschaft und Geheimdienste im Informationskrieg des 21.Jahrhunderts, Graz, 2011 (Total Surveillance – States,Business and Secret Intelligence Services in the Information War of the Century)
Presently he is preparing “NATO Intelligence at the Supreme Headquarters Allied Powers Europe 1985 - 1989”.

Stop the Bleeding - a Call to Action

Adrian Wiesmann

To exchange information, security professionals can choose from many options. They can either work with a commercial organisation, join conferences to meet and learn to know their colleagues or subscribe to one of the many security mailing lists which exist out there.
Many of these options leave a lot to be desired:

  • Often commercial entities are involved, although there is no direct need for them. We pay them for data which already is out there. For example, organisations like the Shadowserver foundation give such data away for free.
  • Invitation only private mailing lists grow over time and it is unclear how many unwanted recepients are reading along. Although registered members need to vouch for newcomers, the world keeps turning, even angels fall.
This talk is a call to action. An invitation to talk about this problem. How can we build up trust? How can we as security professionals discuss cases, share intelligence and do so in strict confidence? Let's find out.