Some outright rants from a bunch of infosec practitioners.

TAG | conferences


Today’s focus in our blog series will cover large-scale environments: Cryptography in Cloud environments and Network Automation. Since these topics will only become more important over time stay tuned for our TROOPERS16’s developing agenda to see what new talks will be available (or submit your own talk during our Call for Papers starting in August via our new CFP Submission tool!) (more…)

, , , , , | Post your comment here.



Beyond the Thunderdome:
A Review of TROOPERS15


Here in Heidelberg we are already gearing up for TROOPERS16 (taking place from 14th to 18th March 2016!). While you are preparing for our Call for Papers or waiting eagerly to sign up for your spot in one of our legendary trainings take a look at our newest blog series “Beyond the Thunderdome: A Review of TROOPERS15”. It may offer some inspiration, help you kill time while waiting for next year’s TROOPERS,  or for those that are new to our conference,  give you a taste for what TROOPERS is all about. See you soon at TROOPERS16!

The first of our series is a combination of talks from our Management Track with the focus on Defense topics. Each summary comes complete with video and slides for your viewing pleasure. 😉


, , , , , , | Post your comment here.


5 2015


I attended this really nice conference in Slovenia on April 16th. It was a smaller conference, but very memorable for the people (students, IT sec professionals and managers alike) who attended.
I also had the pleasure to present on How secure am I with EMET? and Evaluating the APT armor and wanted to share the slides with you — feel free to approach me for any kind of feedback or discussion.

I’m looking forward to go to Ljubljana again! 😉


| Post your comment here.



SSL Tidbits at the BASTA.NET

A while a go Dominik and I gave an introductory presentation about SSL at the BASTA.NET conference, a developer-oriented event held in Darmstadt twice a year. At that time there were quite some enthusiastic participants but recently we’ve also gotten some inquiries asking for the relevant materials. Although there’s no recording of the session, we’ve decided to put the slides here for those interested who didn’t make it to the talk.

“Who should have a look at the slides?” you ask, well, if you’ve been wanting to get a sense for what the idea behind SSL is, where it is used, how it is usually leveraged and what problems could arise when poorly employed, you will certainly find the slide-deck interesting. Although the session was meant to slowly get participants up to speed in matters SSL, it’s still likely that more informed folks will still find it interesting, even if just as a refresher about key and certificate formats, PKI 101, SSL stripping, secure cookies, and other topics.

Without further, here’s slide deck.

For the hungry, here are some other interesting resources we suggested to attendees willing to go a bit deeper on the topic after the talk.

OWASP – SSL für Alle
OWASP – Transport Layer Protection Cheat Sheet
Mozilla – Server Side TLS

For those attending to the BASTA.NET next autumm, we’re looking forward to meeting you. But for the time being, that’s going to be pretty much it.

Thanks for reading and let us know what you think.

, | Post your comment here.



Protocol Properties & Attack Vectors

Next week, at DeepSec, we’re going to give a talk about Multicast Listener Discovery (MLD), a component of IPv6 which is realized by means of ICMPv6 messages. There are two versions of MLD (mainly specified in RFC 2710 and RFC 3810 respectively) and while MLD is technically implemented by ICMPv6 exchanges, these specifications describe a whole set of rules and communication formats, hence we can safely talk about “the MLD protocol”.

Now, you might ask: how does one tackle the task of examining the security “of a protocol”?


, , | Post your comment here.



Power of Community 2014

I had the pleasure to participate in this year’s Power of Community and was invited to talk about the insecurity of medical devices. The conference is based in Seoul, Korea and started in 2006. It has a strong technical focus and it is a community driven event. For me it was great to participate as mostly hackers from Asia were there and I got the chance to talk to a lot of nice folks that I wouldn’t be able to meet otherwise. This is especially true for the host, vangelis.


| Post your comment here.

Hello Everybody and greetings from Sao Paulo,

We’re currently enjoying the Brazilian sunshine, waiting for H2H2 11’s closing remarks and decided to give you a few details on the past three days. The conference was opened by a short welcome by our fellow Trooper Rodrigo Rubira Branco and stuffed with loads of great talks. This year’s keynotes came from Daniel J. Bernstein and Halvar Flake and gave yet another insight into the ever changing world of InfoSec. The international lineup also included Travis Goodspeed, Sergej Bratus and Fernando Gont. H2HC was a great chance for us to talk to various Hackers from around the world and share our opinions and knowledge. (more…)

, , | Post your comment here.



North American IPv6 Summit 2014

Hello everyone,

I know I am a bit late with this post, but I was speaking on the North American IPv6 Summit in Denver three weeks ago. The focus of my talk was on Why IPv6 Security is hard – Structural Deficits of IPv6 & Their Implications (slightly modified/updated from the Troopers IPv6 Security Summit).  We consider the NA IPv6 Summit as one of the most important IPv6 events at all and we were happy to contribute to the overall success. The conference was organized for the 7th time by the Rocky Mountain IPv6 Task Force and took place in the Grand Hyatt Denver (37th floor ;-)). Luckily the weather was perfect, and the view of the landscape from the conference rooms was just amazing. I really enjoyed the time in Denver, as the organizer sdid all they could to treat the speaker well J. The talks were of mix of regular research or case-study type talks and some sponsored talks ranging from deployment experience, security and statistics to SDN (Yes, I said it ;)) and the Internet of Things (I said it again ;)). The line-up was nicely put together.


, | Post your comment here.



“Hacking for a B33r” at Ghent

This is a guest post by Antonios Atlasis.

This week I had the pleasure to attend BruCON 2014. While participating at the Brucon 5×5 program, I had also the chance to attend this well-known European Con which is held in the beautiful city of Ghent.


, | Post your comment here.



ERNW @BlackHat US 2014

Last week we had the opportunity and pleasure to present some of our research results at BlackHat US 2014 (besides of meeting a lot of old friends and having a great researchers’ dinner).

Enno and Antonios gave their presentation on IDPS evasion by IPv6 Extension Headers, described here.

The material can be found here: Slides, tools (the main tool used was Chiron, authored by Antonios) & whitepaper.

Ayhan and me presented our results of the security analysis of Cisco’s EnergyWise protocol. The protocol enables network-wide power monitoring and control (ie turning servers off or on, putting phones to standby — basically controlling the power state of all EnergyWise-enabled or PoE devices). The main problem (besides a DoS vulnerability we found in IOS, see official Cisco advisory) is its PSK-based authentication model, which enables an attacker to cause large-scale blackouts in data centers if the deployment is lacking certain controls (for example our good old favorite, segmentation…). There will be a longer blogpost/newsletter on this topic soon.
The material can be found here: Slides & tools



, , | Post your comment here.

Older posts >>


Mail | Twitter | Imprint

©2010-2013 ERNW GmbH
To top