[ISN] DeepSec 2013 – Call for Papers

Forwarded from: DeepSec Conference

DeepSec 2013 “Seven Seas” – Call for Papers

Dear Researchers, Hackers, Developers, dear Members of the IT-Security Community:

This is our call for papers for DeepSec 2013, the seventh DeepSec In-Depth Security Conference. Our annual event will take place from November 19th to 22nd at the Imperial Riding School Renaissance Hotel in Vienna. It consists of two days of workshops followed by a two-day conference. Our speakers and trainers traditionally come from the security community, companies, hacker spaces, journalism and academic organisations, talking about different topics and aspects of IT-Security: current threats and vulnerabilities, social engineering and psychological aspects as well as security management and philosophy.

Content

For DeepSec 2013 we’re not looking for talks about the latest trending technologies, gadgets and behaviours, no, DeepSec 2013 is all about secrets, failures and visions! We are looking for talks that will enable us to see things from another perspective and hopefully give us a lot to think about. We still talk about technology, exploits, bugs, vulnerabilities, defence (hopefully in-depth), software, hardware, infrastructure, procedures and everything. We just think it’s important to put your findings into perspective with the real world – which in turn consists of secrets, failures and visions on a daily basis.

Secrets

Every person, every group, every enterprise and every government has them. Secrets are the very reason why information security uses encryption, access control, even doors and locks (physical and otherwise). You wouldn’t need all of this if it wasn’t for safeguarding these secrets. How do you protect your secrets? And are secrets still secret once they escape?

Failures

Sometimes things go wrong. Often not only by malicious action, but by bad design or bad implementation. Human error contributes as well to major and minor catastrophes. All it takes is a missed state (or states or bugs or anything) during quality assurance or changes to an already “perfect” system to start the chain reaction. Failures are always an option. So how do you deal with failures? How do you detect them? Do you dare to talk about them? And what do you (not) learn from them?

Visions

In an ideal world nothing stays bad forever. While sometimes it can get worse, there are lots of ideas for improvement. That’s what upgrades and changes in behaviour are for (learning helps too). If you have ideas how to improve the current state of affairs, then visions are for you. We want to hear them!

You can put all hot topics of IT security into either one of these categories. Really good lessons touch all three.

Categories – You can submit content for three categories:
– Talks for the conference (45 minute slots)
– Two day workshops
– U21 (a special category for young security researchers)

https://deepsec.net/cfp.html

Talks

Talks should be up-to-date, of high quality and preferably exclusive. We’re looking for the vanguard and lateral thinkers – no rock stars, no marketing, no panic creating, no 2nd hand opinions – we want you to introduce us to new ideas and we do like a bit of controversy: we’re keen on unconventional thoughts that challenge the mainstream.

Speaker privileges:
– Free entrance to the conference
– Hotel accommodation for three nights (single/double room)
– Travel expenses (please have your ticket up to EUR 800,- approved)
– Invitation to our famous Speaker’s Dinner with traditional Austrian food

Workshops

Again: it’s quality that counts. We’re looking for novel, challenging lectures for a sophisticated audience with a very high level of technical understanding, deeply involved with security management, implementation, operation and research. There’s no need to keep it simple but we would like you to be precise. Don’t try to cover too much ground, focus! Two days may sound like a lot but it isn’t.

Trainer privileges:
– Free entrance to the conference
– Invitation to our famous Speaker’s Dinner with traditional Austrian food
– 50% of the net profit of your class

U21

DeepSec will sponsor young security researchers by providing an opportunity to attend the conference for free. In order to take advantage of this offer you have to submit a description of your own security research project. Please don’t copy & paste, be creative! Be original! There’s no need to be shy: Viennese people may look grumpy, but they don’t bite and we’re really looking forward to introducing some brand new faces to the IT security community. If you get accepted your work will be an exhibit during the breaks at the conference; optionally you can do a lightning talk about your work (roughly 5 minutes). The offer is intended for everyone with a maximum age of 21 (or slightly more, depending on your social engineering skills).

U21 privileges:
– A 5 minute lightning talk at the conference
– Free entrance to the conference
– Invitation to the Speaker’s Dinner, but no alcohol without age check 😉
– We help you with your travel expenses to Vienna, but cannot cover the full speakers’ allowance; if in doubt talk to us, we can work something out.

Formal Requirements

All CfP submissions must go through the form on our web site: https://deepsec.net/cfp.html

Please make sure that you read http://blog.deepsec.net/?p=294 before submitting your ideas. Practice is never a bad thing. 🙂

We will support anyone who has questions, needs clarification or whatever comes to mind; just contact us for additional questions: cfp (at) deepsec.net

We invite you to send us your submissions for talks and trainings and we’re looking forward to it! Keep secrets, failures and visions in mind!

Yours truly, the DeepSec Organisation Team.

______________________________________________
Visit the InfoSec News Security Bookstore
Best Selling Security Books and More!
http://www.shopinfosecnews.org





[ISN] Will New Hires Impede Future Security?

http://www.bankinfosecurity.com/interviews/will-new-hires-impede-future-security-i-1883

By Eric Chabrow
Bank Info Security
April 16, 2013

The rush to find qualified IT security professionals to meet current cyber-threats could jeopardize IT systems’ security in the not-too-distant future, say two leading IT security experts, Eugene Spafford and Ron Ross.

Spafford, a Purdue University computer science professor, and Ross, a leading IT security and information risk management expert at the National Institute of Standards and Technology, presented differing views, at times, on the role cloud computing performs in helping mitigate information risk in the first of a two-part interview [see Can Moving Data to Cloud Reduce Risk?]. Here, in part two, both experts generally agree about the threat posed to organizations in recruiting IT security personnel for existing challenges – including securing the cloud – because the new hires might not be prepared to address future cyber-threats.

Are the U.S. federal government and others being too short-sighted in the way they recruit IT security personnel today? Perhaps, Spafford suggests in the discussion with Ross, moderated by Information Security Media Group. By attempting to “shorten the pipeline” to find qualified IT security personnel, the types of people being hired might not have the wherewithal to meet future cybersecurity needs.

[Check out InfoSec Jobs @ http://jobs.infosecnews.org/ -WK]

[…]



[ISN] Three simple steps to determine risk tolerance

http://www.csoonline.com/article/731833/three-simple-steps-to-determine-risk-tolerance-

By Craig Shumard
CSO
April 16, 2013

For CISOs, in addition to deciding what policies, processes, or technology an organization should have in place, an even more significant challenge is successfully negotiating disputed risk issues. But the process for determining risk tolerance is fraught with organizational politics, and it goes without saying that each organization’s circumstances need a customized fit. When determining a process, the most important aspects to take into account include: how an organization decides on risk tolerance, security risk assumption decision-making, and who has the authority to assume security risks.

How to determine risk tolerance within your organization

Every organization has a risk tolerance model, ranging from a formal documented process to an undocumented process, or more often than not something in between. To solve the problem, first you need to determine where on this spectrum your organization lies.

Found in organizations with mature enterprise risk management (ERM) processes, a formal documented risk tolerance and assumption process clearly defines the risk assumption authority level and specifies who can assume and sign off on the risks. This process establishes a “governance procedure” and is often based on quantifying the risks and exposures. Even in these organizations, however, the ERM processes often do not adequately simplify the resolution of contested security issues.

[…]



[ISN] Oracle slaps critical patch on insecure Java

http://www.theregister.co.uk/2013/04/17/oracle_java_security_update/

By Jack Clark in San Francisco
The Register
17th April 2013

Oracle has issued a critical update patch for Java as the database giant works to shore up confidence in the widely used code.

The security update fixes 42 security flaws, 19 of which merit a 10 (most severe) rating according to the CVSS metric the company uses to evaluate the software. Along with this, Oracle has also sought to give users more information about the Java apps that want to execute code within the browser.

The patch comes at a time when many security pros are questioning the value of Java, with many seeing its presence in users’ browsers as a liability rather than a benefit.

Of the 42 security flaws patched by Oracle in April, 39 of them “may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password,” Oracle wrote in the patch notes.

[…]



[ISN] Hackers Attack N.Korean Websites Again

http://english.chosun.com/site/data/html_dir/2013/04/17/2013041700511.html

The Chosun Ilbo
April 17, 2013

International hackers’ collective Anonymous has broken into North Korean propaganda website Uriminzokkiri again and released the personal information of about 100 more subscribers on Tuesday. The hackers earlier released the personal information of thousands of subscribers to the website.

The group said it had hacked five North Korean propaganda websites on nation founder Kim Il-sung’s 101st birthday Monday. Others are minjok.com, jajusasang.com and paekdu-hanna.com.

The information disclosed this time includes subscribers’ self-written profiles. The last batch contained only names and e-mail addresses, and many ostensible subscribers claimed their personal information had been stolen.

“If anybody subscribes to a pro-Communist group and posts an article in praise of North Korea, they may have acted to benefit the enemy,” a spokesman for the National Police Agency said. “They have to be charged with violating the National Security Law.”

