Events

Troopers 2012 – First round of talks selected

We’re delighted to provide the first announcement of talks of next year’s Troopers edition. Looks like it’s going to be a great event again  😉

Here we go:

==================

Andreas Wiegenstein: Real SAP Backdoors

Abstract: In the past year the number of lecture sessions with traumatizing headlines about hacking SAP systems has dramatically risen. Their content, however, is usually the same. Insecure implementations of algorithms, side effects in commands, flawed business logic and designs that brilliantly miss the point of security. In essence, security defects built into the SAP framework by mistake.

This session, however, demonstrates several security defects in SAP NetWeaver that do not appear to have been created by mistake. In order to make a point, I will first discuss with the audience what exactly defines a backdoor. Then I will demonstrate several zero day security defects discovered by me & my team and finally discuss with the audience if these defects qualify as backdoors. All security defects shown are highly critical and have never been publically discussed before. They enable attackers to remotely execute arbitrary ABAP commands and arbitrary OS commands. In essence, full control over SAP NetWeaver Application Server ABAP.

Bio: Andreas Wiegenstein has been working as a professional SAP security consultant for 9 years. He performed countless SAP code audits and has been researching security defects specific to SAP / ABAP applications. He leads the CodeProfiler Research Labs at Virtual Forge, a team focusing on SAP/ABAP specific vulnerabilities and countermeasures. At the CodeProfiler Labs, he works on ABAP security guidelines, ABAP security trainings, an ABAP security scanner as well as white papers and publications.

Andreas has trained large companies and defense organizations on ABAP security and has spoken at SAP TechEd on several occasions as well as at security conferences such as BlackHat, HITB, Troopers and RSA. He is co-author of the first  book on ABAP security (SAP Press 2009). He is also a founding member of BIZEC.org, the Business Security community.

 

==================

Mike Ossmann: Welcome to Bluetooth Smart

Abstract: Bluetooth Smart, formerly known as Bluetooth Low Energy, is an entirely new wireless protocol that is not backward compatible with “classic” Bluetooth.  With consumer devices emerging in early 2012, this is the perfect time to review Bluetooth Smart and how it works.  Packet captures from actual devices will be dissected, and particular attention will be given to the new security procedures specified for Bluetooth Smart. Depending on what devices are commercially available by the time of the conference, I may or may not have a live demo prepared with actual consumer devices.  At the very least, I will be able to do a demo using development boards as targets.

Bio: Michael Ossmann is a wireless security researcher who makes hardware for hackers.  He founded Great Scott Gadgets in an effort to put exciting, new tools into the hands of innovative people.

Previous work includes:

ShmooCon 2011: Project Ubertooth: Building a Better Bluetooth Adapter

ToorCon 2010: Real Men Carry Pink Pagers (with Travis Goodspeed)

ShmooCon 2010: Bluetooth Keyboards: Who Owns Your Keystrokes?

ShmooCon 2009: Building an All-Channel Bluetooth Monitor (with Dominic  Spill)

Black Hat USA 2008: Software Radio and the Future of Wireless Security

 

==================

Daniel Mende & Enno Rey: Protecting Voice-over-IP in 2012

Abstract: We’ve recently conducted a number of pentests in (mostly large) VoIP environments. While the fraction of “traditional VoIP attacks” (re-direct/sniff VoIP traffic, reconstruct VoIP calls) has decreased over time, we’ve been able to severely compromise pretty much every environment due to implementation flaws on the infrastructure or “supporting systems” level. Based on a number of warstories, in this talk we will lay out what went wrong in the respective cases and how to protect from the (types of) attacks we performed. Some demos will add spice to the talk. Furthermore a number of previously undisclosed severe vulnerabilities in the crypto architecture of a major vendor’s VoIP solution will be presented.

Bios: Daniel and Enno are long time network geeks who love to explore network devices & protocols and to break flawed ones.

 

==================

Graeme Neilson: DISCQO: “Discourse on Implications for Security and Cryptography from Quantum Oddness”

Abstract: Quantum computing is a fascinating, emerging technology with a potentially huge impact on security. This talk introduces the principles of quantum computing and the current state of the art. This is followed by a discussion on the uses of quantum based computer systems within security, the potential implications for cryptography, now and in the future, and the possibility of hacking current quantum based cryptography systems.

What is quantum computing?

What is quantum key exchange?

Can quantum key exchange be hacked?

Will a quantum computer be able to decrypt all my encrypted data?

Do I need a quantum computer?

Do quantum computers even exist?

What are the implications of quantum computing on my current cryptography?

 

Bio: Graeme Neilson is NOT a quantum physicist or any other kind of physicist…not in this universe anyway…

Still, he does think it’s probable that he can help illuminate the subject of quantum computing for other non-physicists in IT. With over 14 years of experience in IT security Graeme currently works as a security researcher / consultant for Aura Information Security with specialisations in cryptography, reverse engineering and networking. Based out of New Zealand he is a regular speaker at international conferences including Blackhat, H2HC, CanSecWest, DayCon and Troopers.

 

==================

Pete Herzog: Securing Robot Mosquitoes with Laser Beams for Eyes in the Enterprise

Abstract: One day employees start bringing robot mosquitoes into the office. They have robot mosquitoes at home and just they’re so damn useful for checking mail, making appointments, singing naptime songs, and spying over the neighbor’s fence. So why wouldn’t they? Your security policy doesn’t expressly forbid robot mosquitoes with laser beams for eyes or anything like it so here they are: riding the internal WiFi, carrying who knows what diseases and parasites from public, cyber ponds, melting the plastic plants, boiling the water cooler, and causing all sorts of other disruptions. Before you can ban them though you see that the CEO starts to bring his robot mosquito with laser beams for eyes in too. And he wants you not only support it but to make sure it doesn’t get hacked. Sounds familiar, right?

There will always be new technologies. Many of those new technologies pose new risks, perhaps even risks we hadn’t considered as risky to us before. So someone has to secure those new technologies. But how do we secure something we know so little about? Well, there’s a methodology for that. This talk will cover how to test new technologies, how to create the right policy for them, and how to control them, including robot mosquitoes with laser beams for eyes.

Bio: Pete Herzog is the Managing Director of the security research organization ISECOM and the creator of the OSSTMM.

 

==================

Chema Alonso: Excel (and Office apps) Kills the Citrix (or Terminal Services) Star

Abstract: Microsoft Office (and Excel) are common applications in big companies and in a big amount of cases they are published through Terminal Services or Citrix. However, securing that environment against malicious users is very complicated. In this talk you’ll see a lot of demos hacking Citrix and Terminal Services using Excel… and maybe you’ll be scared after having seen this session.

Bio: Chema Alonso is a Security Consultant with Informatica64, a Madrid-based security firm. Chema holds respective Computer Science and System Engineering degrees from Rey Juan Carlos University and Universidad Politecnica de Madrid. During his more than six years as a security professional, he has consistently been recognized as a Microsoft Most Valuable Professional (MVP). Chema is a frequent speaker at industry events (Microsoft Technet / Security Tour, AseguraIT) and has been invited to present at information security conferences worldwide including BlackHat Briefings, Defcon, ShmooCon, HackCON, Ekoparty and RootedCon. He is a frequent contributor on several technical magazines in Spain, where he is involved with state-of-the-art attack and defense mechanisms, web security, general ethical hacking techniques and FOCA, the meta-data extraction tool which he co-authors.

Twitter: @chemaalonso

blog: http://www.elladodelmal.com

 

==================

Rene Graf & Enno Rey: BYOD – Does it work?

Abstract: In many organizations “Bring Your Own Device” (BYOD) approaches are either subject to intensive discussion or are already practiced (with or without “proper governance”). Usually two security controls are of particular interest in BYOD scenarios, that are container solutions and acceptable use policies (AUPs).

The speakers have contributed to BYOD “implementations” in several environments and – based on actual case studies – are going to discuss three main aspects in their talk:

– What’s the role of the supply chain of a device, in BYOD settings? Is it possible to securely process – e.g. by means of a container solution – sensitive data on a device that was acquired on ebay or that the VIP using it received “as a present during an industry fair in an emerging market country”?

– What level of security is actually provided by container solutions? Do they sufficiently secure data (incl. temporary data) and which user behavior might be required for this?

– When are good AUPs needed and which elements should be included in those?

The goal of the talk is to enable the audience to realistically assess the security approaches and risks in BYOD scenarios.

Bios: Rene Graf leads the “Mobile Security” team at ERNW and has performed a number of BYOD projects including pentests of container solutions and forensic analyses of devices used by CxOs. Enno Rey leads the “Risk and Security Management” team at ERNW and has undertaken the risk assessments in several BYOD projects and written the accompanying AUPs.

 

==================

More talks to follow next week, so stay tuned 😉

See you @Troopers, have a great sunday everybody

 

Enno

Continue reading
Events, Misc

“What’s so special about Troopers?”

This week I stayed some days in Zurich, to give a workshop and to meet both clients and fellow researchers (kudos again to C. for the awesome office tour @Google). In the course of one of those dinners somehow Troopers was mentioned and a guy asked: “I’ve heard of the conference. What’s so special about it?”

Funnily enough I didn’t even have to respond myself as a 2011 attendee coincidentally present at the table jumped in and started praising the event (“best con ever. great spirit, great talks”). Obviously this gave me a big grin… but it reminded as well me that some of you might ask themselves the very same question.

In my opening remarks of the 2011 edition I tried to describe the Troopers approach and spirit. You can find it here. As for the speakers’ perspective I’d like to point you to this blogpost that Chema (Alonso) wrote before the 2010 edition. It pretty much summarizes how we take care of “our rock stars”…

Btw: the CfP will be open in some days. As in the previous years, there are only few slots left (as most are already assigned to hand-selected speakers).

See you there in 2012, have a great weekend

Enno

Continue reading
Events

A Sneak Peek into TROOPERS12

TROOPERS11 Speaker badgesHere we go again: TROOPERS12 is scheduled for March 19th – 23rd 2012 in Heidelberg, Germany.

Those who attended TROOPERS before know for what we are up to. For all newcomers I’ll quickly outline what’s going to happen:

TROOPERS is your premium IT security event in Europe. Think of your usual IT educational event without annoying sales pitching and outdated topics. Now add a superb conference location, an elite line-up of international researchers and practitioners as well as an organizing team not dedicated to make a living doing this, but to celebrate our craftsmanship together with like-minded people.

Sounds good? Let’s see what we have planned for you:

Monday & Tuesday

We start with a great selection of workshops. You’ll have a bigger choice than ever before:

One-day workshops on Monday:

  • Advanced IPv6 Security
  • Android Security
  • CloudSec
  • ISECOM Workshop (to be announced shortly) 

One-day workshops on Tuesday:

  • Advanced Email Security
  • iOS Security
  • ISECOM’s “Smarter, Safer, Better” security awareness training
Special event on Tuesday:

We call it the “TelcoSec Day” – A workshop that assembles researchers and practitioners in the telecommunications operator security space. Invitation only. Please drop us an email, if you think you should be part of it.

Two-day boot camp on Monday and Tuesday:

Chema playing Minesweeper

  • Hacking 101 – Your personal preparation for PacketWars (and beyond…)

Wednesday & Thursday

These are the main conference days. Expect more than 20 international researchers coming in to present on their latest discoveries – ready to share their experience with you. In order to serve you with the latest and greatest we won’t announce a final agenda yet. Topics of already confirmed talks include:

  • Web Application Firewalls
  • iCloud
  • SAP Hacking
  • Quantum Cryptography
  • Bioinformatics

Friday

Orange TROOPERS flagWe’ll finish up with a bunch of roundtable sessions. This is the perfect place to recap the week’s happenings and look ahead on upcoming developments.

Something is missing right?

TROOPERS conference is more than a yearly get-together of some IT guys. This event is for enthusiasts, idealists and doers of all nationalities, age groups and sexes. Our common denominator is the passion for what we do and the strong belief that we will succeed in the daily battle of IT security. Professionals from various backgrounds are longing for an environment where their thoughts, work and experience is appreciated and amplified.

TROOPERS11 electronic badgeTherefore we spare no efforts to do just that. To name just a few highlights of your complimentary supporting program:

  • Shared dinner in the Old Town
  • PacketWars hacking contest
  • 10k Morning run to keep you going
  • [TOP SECRET] Competition

Registration

Registration is open now. Head over to the sign up page and make yourself familiar with all the deals we offer. Please contact us, if you need any assistance or guidance on your selection.

We’re looking forward to meet you soon,
Florian & the TROOPERS/ERNW crew

Continue reading
Events

Packetwars, Sun & Skills

During the last days, some of our guys (including me) had some great days in Dayton. Rene, Christopher, Hendrik, Sergej, and me flew in to give workshops and presentations at Day-Con as well as to compete in the infamous PacketWars game. While Day-Con is a one day event, the two days before the conference comprised workshops on secure iOS integration (given by Rene) and IPv6 security (given by Christopher). Since the overall topic of the conference was trust, Rene gave a keynote on broken trust which was based exemplary trust analysis, development of a trust metric, and different trust factors. Those trust factors were also used in my talk about evaluation methodologies for cloud service providers (regular followers will recognize some of the content of both talks from different posts 😉 ). There were also talks from Sergey Bratus, Graeme Neilson and Angus Blitter. While Sergey proposed a sound (not to say academic 😉 ) definition on the classification of vulnerabilities and their connection to turing complete input languages, Angus gave an introduction to PowerLine technologies and laid out, that these technologies still suffer from naive assumptions about trusted networks (he also refered to this). The day after the conference, the ERNW Allstars had to defend their championship title in PacketWars. Since the first battle was scheduled for 10AM, we had quite some time to tan in the sunny 30°C weather, recover from the conference and prepare the expected victory celebration (some of you might remember some “Champagne tradition” from Troopers). In face of this motivation, we rushed through the 3 battles and were able to score first place second year in a row. At this point, kudos to the two other participating teams who gave us a tough battle, especially during the reversing challenges.

 

Have a great week, Matthias

Continue reading
Events

HITB Aftermath

Hi,
didn’t find the time so far to post a short blog about HITB Amsterdam so far… but here we go.

Unfortunately I couldn’t arrive in AMS earlier than Thursday evening so I missed the first day (and – from what I heard – some great talks). However we went out for dinner that night with the likes of Andreas (Wiegenstein), Jim (Geovedi), Raoul (Chiesa), Travis (Goodspeed), Claudio (Criscione) and some more guys and I had some quite good conversations, both on technical matters and on Intra-European cultural differences ;-). Btw: thanks again to Martijn for taking care of the restaurant.

On Friday I listened to Travis’ talk on “Building a Promiscuous nRF24L01+ Packet Sniffer” (cool & scary stuff) and a part of this talk on iPhone data protection (well delivered as well). In the afternoon Daniel and I gave an updated version of the “Attacking 3G and 4G Telecommunication Networks ” presentation (the HITB version can be found here). Overall I can say that HITB was an excellently organized event with a great speaker line-up (not sure if we contributed to that one ;-)) and some innovative ideas (inviting a bunch of local hacker spaces among those). Dhillon is a fabulous host and I already regard HITB as one of the major European security events (next to Troopers, of course ;-)).
Have a great weekend everybody

Enno

Continue reading
Events

TROOPERS11 – Slides available

TROOPERS11 slides are available now! Please find them here: http://www.troopers.de/troopers11/downloads/

TROOPERS11 was a blast! We received great feedback from all attendees and speakers. This really pushes ourselves towards the next goals and an even better security conference in 2012.

We’re happy that everybody got home safely with new ideas and inspirations in mind. On a side note: The awesome TROOPERS badge caused trouble for some of you with the airport security 😉 I really hope everybody could find a way to take it back home. It will hopefully find its way to an adequate place right next to your old memorabilia (cup of the first won soccer match, your college degree or photos from your first ballet show). Regard it as the proof of your latest achievement and tell everybody proud and loud: WE ARE TROOPERS.

Best regards,
Florian

PS: Videos and photos are coming soon. Stay tuned.

Continue reading
Events

Troopers 2011 – First round of speakers selected

We’re delighted to announce the first speakers of next year’s Troopers edition. Looks like it’s going to be a great event again ;-).
Here we go:

==================

Ravishankar Borgaonkar & Kevin Redon: Femtocell: Femtostep to the Holy Grail  (Attacks & Research Track)

Abstract: Femtocells are now being rolled out across the world to enhance third generation (3G) coverage and to provide assurance of always best connectivity in the 3G telecommunication networks. It acts as an access point that securely connect standard mobile handset to the mobile network operator’s core network using an existing wired broadband connection.

In this talk, we will evaluate security mechanisms used in femtocells and discuss practical & potential misuse scenarios of the same. In particular, our talk will cover:

# Femtocell and Telecom business model
# Security architecture of the femtocell
# Location verification techniques and how to beat them for free roaming calls
# Hacking of the device
 -r00ting
 -accessing confidential information stored on the device
 -installing malicious applications on the device
 -accessing mobile network operator’s infrastructural elements
# Possible countermeasures
# Demo

Bios: Ravi received his joint master degree in Security and mobile computing from Royal Institute of Technology (KTH) and from Helsinki University of Technology (TKK). After finishing his master degree, he works as a researcher in the the Security in Telecommunications department at Deutsche Telekom Laboratories (T-labs) and is pursuing his PhD studies. His research themes are related to data security challenges in new telecommunication technologies. His research interest includes Wireless networking security (in particular, security in 2G/3G networks), M2M security, and malware & botnet analysis.
Kevin received bachelor of Computing from Napier University Edinburgh, Scotland. He is now finishing his Master degree in Computing with specialization in Communication Systems at the Technical University of Berlin. This is also where he joined the Security in Telecommunication work group in cooperation with the Deutsche Telekom Laboratories (T-labs). His research interest includes network security, in particular telecommunication network as GSM/UMTS, peer to peer networks, and smart cards.
==================

Mariano Nuñez Di Croce: Your crown jewels online – Attacks to SAP Web Applications  (Defense & Management Track)

Abstract: “SAP platforms are only accessible internally”. You may have heard that several times. While that was true in many organizations more than a decade ago, the current situation is completely different: driven by modern business requirements, SAP systems are getting more and more connected to the Internet. This scenario drastically increases the universe of possible attackers, as remote malicious parties can try to compromise the organization’s SAP platform in order to perform espionage, sabotage and fraud attacks.
SAP provides different Web interfaces, such as the Enterprise Portal, the Internet Communication Manager (ICM) and the Internet Transaction Server (ITS). These components feature their own security models and technical infrastructures, which may be prone to specific security vulnerabilities. If exploited, your business crown jewels can end up in the hands of cyber criminals.
Through many live demos, this talk will explain how remote attackers may compromise the security of different SAP Web components and what you can do to avoid it. In particular, an authentication-bypass vulnerability affecting “hardened” SAP Enterprise Portal implementations will be detailed.

Bio: Mariano Nuñez Di Croce is the Director of Research and Development at Onapsis. Mariano has a long experience as a Senior Security Consultant, mainly involved in security assessments and vulnerability research. He has discovered critical vulnerabilities in SAP, Microsoft, Oracle and IBM applications.
Mariano leads the SAP Security Team at Onapsis, where he works hardening and assessing the security of critical SAP implementations in world-wide organizations. He is the author and developer of the first open-source SAP & ERP Penetration Testing Frameworks and has discovered more than 50 vulnerabilities in SAP applications. Mariano is also the lead author of the “SAP Security In-Depth” publication and founding member of BIZEC, the Business Security community.
Mariano has been invited to hold presentations and trainings in many international security conferences such as BlackHat USA/EU, HITB Dubai/EU, DeepSec, Sec-T, Hack.lu, Ekoparty and Seacure.it as well as to host private trainings for Fortune-100 companies and defense contractors. He has also been interviewed and quoted in mainstream media such as Reuters, IDG, NY Times, PCWorld and others.
==================

Friedwart Kuhn & Michael Thumann: Integration of the New German ID Card (nPA) in Enterprise Environments – Prospects, Costs & Threats    (Defense & Management Track)

Abstract: The talk will cover the new nPA and related software like the AusweisApp with a special focus on possible use cases in the enterprise (“have the government run your corporate PKI” ;-)). Besides outlining prerequisites for an integration of the nPA within an organization, it will also answer questions about legal aspects that have to be considered and threats and risks that must be controlled and mitigated. Furthermore we will give a short overview about our own security research of the AusweisApp.

Bios: Friedwart Kuhn is a senior security consultant, head of the ERNW PKI team and co-owner of ERNW. He is a frequent speaker at conferences and has published a number of whitepapers and articles. Besides the daily consulting and assessment work, Windows enterprise security and aspects of technical and organizational PKI related topics are areas of special interest for him. In his (sparse) free time Friedwart likes to play music and loves literature.
Michael Thumann is Chief Security Officer and head of the ERNW “Research” and “Pen-Test” teams. He has published security advisories regarding topics like ‘Cracking IKE Preshared Keys’ and buffer overflows in web servers/VPN software/VoIP software. Michael enjoys sharing his self-written security tools (e.g. ‘tomas—a Cisco Password Cracker’, ikeprobe—IKE PSK Vulnerability Scanner’ or ‘dnsdigger—a dns information gathering tool’) and his experience with the community. Next to numerous articles and papers he wrote the first German Pen-Test Book that has become a recommended reading at German universities. In addition to his daily pentesting tasks he is a regular conference speaker and has also contributed exploit code to the Metasploit Framework. With more than 10 years of experience in computer security Michael’s main interest is to uncover vulnerabilities and security design flaws from the network to the application level.

 
==================

Chema Alonso: I FOCA a .mil domain (Attacks & Research Track)

Abstract: FOCA is a tool to help you in the fingerprinting phase among a pentesting work. This tool helps you to find lost data, hidden information in public documents, fingerprinting servers, workstations, etc.
This talk will provide an extensive demo as a good example of the results which can be obtained using FOCA. The target domain? You’ll see in Troopers…

Chema is a Computer Engineer by the Rey Juan Carlos University and System Engineer by the Politecnica University of Madrid. He has been working as security consultant in the last ten years and had been awarded as Microsoft Most Valuable Professional since 2005 to present time. He is a frequent speaker at security conferences and is currently working on his PhD thesis about Blind Techniques.
==================

Graeme Neilson: Tales from the Crypt0 (Defense & Management Track)

Abstract: Does the thought of SSL, HTTPS and S/MIME make you squeamish? Does PKI make you want to scream? Does encrypting data at rest make you want to bury yourself alive?
Cryptography is an important part of most web applications these days, and developers and admins need to understand how, why and when to employ the best and appropriate techniques to secure their servers, applications, data and the livelihoods of their users. Join Graeme Neilson (Aura Software Security) for a series of scary stories of real-world crypto failures and to learn how to do it the right way (with lots of code samples).

Bio: Graeme Neilson is lead security researcher at Aura Software Security based in Wellington, New Zealand. Originally from Scotland he has 10 years of
security experience. Graeme specialises in secure networks, network infrastructure, reverse engineering and cryptanalysis. Graeme is a regular presenter at international security conferences and has spoken at conferences in Australia, Europe and the US including Black Hat.
==================

More talks to follow soon. See you in Heidelberg next year,

thanks

Enno

Continue reading
Events

Back from Day-Con

… which was, as in the years before, an awesome event. Great talks, great people, great fun.
Bruce Potter gave a keynote which did exactly what a good keynote should do: make the audience think and entertain it at the same time.
[Those readers familiar with ERNW’s security model will certainly notice that we do not necessarily agree with everything he said. We still think that – in particular in times where infosec resources are scarce anyway – putting your bets on prevention provides a better cost/[security] benefit ratio than going for extensive detection capabilities.
Fix the doors first, then think about installing a CCTV.
Still, human nature tends to exchange “good security with low visibility” for “poor security with potentially good visibility” quite easily… as can be noted every day in many environments.]

Sergey provided an excellent & insightful piece on security in times of very large numbers of embedded devices (like smart meters).
And, last but not least: football is coming home. The “ERNW Troopers” team consisting of Rene Graf and Michael “Bob the Builder” Schaefer managed to win the event’s PacketWars contest. Congrats! Great job, guys.

have a great weekend everybody,

Enno

For the record: Graeme’s and my presentation on Supply Chain Security can be found here.

Continue reading
Events

Some recent presentations

Just a short notice today on some recent presentations from our team. As some of you might know we regularly give talks at conferences. This not only encompasses highly sophisticated security events like Black Hat or Troopers. Additionally – on our mission for a safer world – we try to spread the (security) word at various industry events that are usually focused on some aspect of the large and ramified IT world, not necessarily equipped with a strong focus on information security.
A number of such events took place in the last few weeks and here’s some links on presentations given there. While not being as technically deep as the average Black Hat or Troopers attendee might expect, we still hope that one or another valued reader finds them useful (pls note that some parts are in German).

This one is a talk given by myself on “Compliance in the Cloud” in the course of the “Azure Day” of BASTA which is one of the largest and most important developer events here in Germany. The presentation discusses what to keep in mind if compliance with some “regulatory frameworks” is strived for when going to “the [public] cloud”.

Here‘s a piece on virtualization security, namely the architectural changes on basic security principles induced by (server) virtualization. It was provided at the “IIR Admin Tech Talk 2010” and, again, I myself was the speaker.

Rene Graf, who’s a member of the “Architecture and Risk Team” at ERNW and a long-time large-environment security guy, gave this overview talk on “Industrial Firewalls” at the LANline TechForum “Industrial Ethernet” which took place in Stuttgart.

Last but not least, Matthias Luft (being another member of the same team and pursuing his academic career in parallel) delivered this talk on DLP at ISSE in Berlin, together with Thorsten Holz.

Have a great day everybody,

Enno

Btw: our next stop will be at fabulous Day-Con. If any of our readers from the US – very appropriately – is worried about missing it, pls shoot me an email. Given our long term friendship with Angus we might be able to provide you a ticket.

Continue reading
Events

ERNW at NinjaCon (fka PlumberCon)

Yesterday we made our way to Vienna to participate and contribute to NinjaCon (formerly known as PlumberCon, before Nintendo Inc. claimed their rights ;)).

After our arrival Oliver held a five hour workshop on Penetration Testing and did the finishing touches on his slides about ‘Attacking Cisco Enterprise WLANs‘, which he will deliver later today together with Daniel. And last but not least Daniel will be the Packet Master of PacketWars™ Vienna taking place in the evening.

As sponsor of this young and vibrant conference we’re proud to share our equipment and know-how to support the networks on site.

Talking about young and vibrant: Last week we held one of our beloved internal workshops at ERNW to discuss the latest in ITSec and teamwork – but also to chat with colleagues or listen to a rant on $some-broken-technology of Enno. When having dinner on Tuesday we went crazy on planning for TROOPERS11. I don’t like it too much to talk about ‘good energy in the room’, but there was something really enthusiastic and insanely creative about it – and whatever it was, we gonna use it to make it even more enjoyable, educating and unforgettable than this year.

As we’re progressing at Vienna I’m going to update this blog post. So stay tuned!
Cheers, Florian & the team

UPDATE: NinjaCon is over. Besides the usual small hiccups at such an event it was a really great conference for all of us. Excellent speakers, an exciting location and the overall perfect atmosphere to interact, chat and learn really made the deal here. Big applause to the host @astera and her team!

Continue reading