The newest addition to ERNW, ERNW Insight, which now hosts TROOPERS, is launching a new concept this year. Based on the successful TROOPERS Roundtable sessions, ERNW Insight will host a series of events every year covering current and relevant topics in the field of IT Security. While the style of the events may vary, the in-depth knowledge sharing that you have come to know from TROOPERS will not!
Continue reading “IoT Insight Summit November 15, 2016”
Category: Events
Black Hat 2016 Summary Part 2.1
A few months ago I had the opportunity to visit this year’s Black Hat in Las Vegas. Due to a few weeks of vacation following the conference, here are my delayed 2 cents (part 1).
Abusing Bleeding Edge Web Standards For AppSec Glory – Bryant Zadegan & Ryan Lester (Slides)
Bryant and Ryan talked about new web standards which are already implemented in parts of the current browser jungle. Namely, these standards were:
Attacking BaseStations @Defcon24
Hello Guys,
Back from my vacation, I’d like to give you some impressions of Defcon 24 and our talk “Attacking BaseStations”. Defcon itself had a couple of great talks but was a very crowded location. Anyhow, we had a couple of great discussions with the people before and after our talk.
BSides LV 2016: Recap
Hey everyone,
Just a short recap from my side regarding this year’s BSides in Las Vegas, NV. It was my first time there and I pretty much enjoyed it. After entering the venue on the first con day (Tuesday) I was a little bit shocked, as the staff sent me to the “end of the line just around the corner” – the end being many corners and many floors away 😉 Speaking to some guys while standing in line, time quickly passed by and before finally hitting the registration desk, there were already some people from the staff giving away the conference badges to the waiting folks. The waiting time was no comparison to last year’s DEF CON, where I (and obviously all the other “humans”, as attendees at DEF CON are called) had to wait nearly _four_ hours to get a badge to enter the con. DEF CON staff already calls this the annual “Line Con”. Enough bashing, back to topic 😉
The opening keynote was held by Lorrie Cranor, who spoke first, and Michael Kaiser, who did the second part. I enjoyed Lorrie’s part, which was about frequent password changes in environments like companies or universities. She talked about studies that revealed that many people who have to change passwords frequently use patterns when changing their passwords, like shifting letters or iterating numbers. This behavior mostly provides only a little security benefit or could otherwise also decrease security, she said.
SIGS DC Day
Today I had the pleasure to give a keynote at the SIGS DC Day on the need to evaluate Cloud Service Providers in a way that looks behind (or at least tries to) security whitepapers and certification reports. The slides can be found here.
I also particularly enjoyed the following two talks:
Sean O’Tool from Swisscom AG covered challenges of an infrastructure-to-cloud migration. Even though he only briefly touched the topic, I enjoyed his description of their firewalling model: Seeing that centralized firewall operation (or more precisely, rule design and approval) is limited/challenged by the understanding of the application, they transferred control over firewall rule sets (beyond a basic set of infrastructure/ground rules) to the application teams (using features like OpenStack’s security groups, where he also talked about limitations of those). They compensated for the loss of “centralized enforcement by a security group” with rule reviews — an approach that will become way more relevant (and necessary) in the future.
Marc Holitscher from Microsoft covered their “second line of defense”, which is a strong audit framework for controls they implement for their Azure/Office cloud environment. The relevant information (which was new for me too) was that they published a lot of audit information just recently. Details are described here.
Cheers,
Matthias
25th USENIX Security Symposium & WOOT Workshop
Last month the annual USENIX Security Symposium with its co-located workshops (WOOT, CSET, FOCI, ASE, and HotSec) was held in Austin, Texas. The program of the conference together with the published papers can be found here and information on the workshops can be found here.
The research topics were quite diverse and included subjects such as low-level attacks, cryptographic attacks, and vehicle attacks. To give you an impression of the research that has been presented at the conference, let us discuss some of the talks in the following:
MRMCD16 – diagnosis:critical
This year’s MRMCD16 had a topic that immediately made me submit a talk about medical device security: “diagnosis:critical”. Or to quote the official website:
Security issues in soft- and hardware have a low chance of healing, especially in medical IT.
Despite years of therapy using code reviews and programming guidelines, we still face huge amounts of vulnerable software that probably is in need of palliative treatment.
Security vulnerabilities caused by the invasion of IT in the medical sector are becoming real threats. From insulin pumps over analgesic pumps through to pacemakers, more and more medical devices have been hacked already. This year's motto "mrmcd2016 - diagnosis:critical" stands summarizing for the current state of the whole IT sector.
Black Hat 2016 Summary
Just a few days ago I had a blast again at this year’s Black Hat. Some of the talks were really worth listening to, so I wanted to point them out and give a short summary.
USING UNDOCUMENTED CPU BEHAVIOR TO SEE INTO KERNEL MODE AND BREAK KASLR IN THE PROCESS – Anders Fogh & Daniel Gruss
They had the last slot on the last day of Black Hat, which resulted in a kind of empty room, but in my opinion it was an awesome talk and I even had the pleasure to meet these two guys at our ERNW dinner.
The talk was about a very weirdly documented Intel instruction which does not check for privileges or throw exceptions:
Not Sure Which Talks to Attend at BHUSA?
Hi,
I won’t be in Vegas for Black Hat this year as there’s a direct conflict with one of my kids’ birthdays, but I thought one or another reader might find it helpful to get some inspiration as for selecting the talks to catch (not least as there’s so many interesting ones). I hence decided to quickly write this post.
REcon 2016 – A Quick Recap
Some of us had the pleasure to visit this year’s REcon in Montreal, Canada. Unfortunately, work caught us just when we arrived back in Germany, so I haven’t had time to sit down and write down a few words so far. However, we think that what we’ve experienced at REcon is worth writing about.