Cатсн²² (in)sесuяitу / ChrisJohnRiley

Because we're damned if we do, and we're damned if we don't!

DEEPSEC 2011: Quick Roundup

Well it’s been a few days since Deepsec 2011 finished, and I thought it was about time I wrote something about the actual conference.

Day 1

The first day started off with the usual 6am start to get to Vienna in time for registration. I arrived a few minutes late for the keynote, but quickly got into the swing of things. The keynote (How Terrorists Encrypt) was a discussion of how terrorist organisations (mostly Al Qaeda and connected cells) use encryption to communicate. Although you’d expect terrorists to have the basics of OPSEC down to a fine art by now, the presentation read more like a catalogue of failures and basic lack of skills/information. Examples included the BA IT expert Rajib Karim and his refusal to use the Mujahideen Secrets tool (front-end for PGP/GPG?) in favour of a simple alphabetic replacement cipher.

The talk was definitely eye-opening on how badly the terrorists seem to be using encryption in general. However, it does raise the question: are we only catching the stupid ones? Perhaps the better prepared are using encryption and simply staying below the radar!

I wrote a number of blog posts on the other talks from Day 1 :

Day 1 ended with a discussion by Morgan on the changing face of the infocalypse. Definitely worth catching on video once it’s released.

Day 2

The second day of the conference started off with a presentation on Identity X.0, OAuth, OpenID and general security issues surrounding user-centric Identity technologies. An interesting overview of implementation issues.

As with day 1 I wrote a number of blog posts for talks on day 2 :

After lunch I took some time to watch Kizz MyAnthia’s presentation on Bond Tech and had a long chat with him about Mobile Phone hacking and some issues he had getting his “toys” through UK Border Security.

Unfortunately, the second SAP talk of the conference (Rootkits and Trojans on your SAP landscape) met with a slight issue as the presenter’s laptop fell on the floor as the talk began. Although he managed to complete the talk, the demos weren’t possible due to data corruption. This was a pity as the content of the presentation itself was almost 100% the same as a presentation he gave in 2010. The demos would have been the saving grace here I think. Still, that’s life!

The final presentation of the conference was by Tom Mackenzie discussing some of the issues surrounding vulnerability research and coordination with vendors. The presentation touched on some interesting points and posed some open-ended questions, as well as showing some interesting examples of when things work and when they don’t!

Day 2 finished off with a late night party at Metalab… good music, club mate and good company. Oh and I once again lost to Kyrah at table football! One day I will prevail, oh yes, I will 😀

Conclusion

Overall I’d give Deepsec a 7/10 for a solid conference, with friendly people and good presentations. It will definitely be on my recommended list once I get around to writing one 😉

The Good

Nice mix of presentations

Great location / organisation

The Bad

No way to leave feedback for individual speakers

No lightning talks

The Ugly

At least 1 talk based on 12-month-old research / vulnerabilities
