DeepSec Talks
My Talks at DeepSec and DeepIntel
I was a regular speaker at the DeepSec In-Depth Security Conference in Vienna and at DeepIntel from 2008 to 2019. Below is a list of the talks and workshops I gave, including the slides I used and links to video recordings (where available).
All slides can be cloned from my git repo at Codeberg: https://codeberg.org/0xKaishakunin/Publikationen/src/branch/main/Vortr%C3%A4ge/DeepSec
DeepSec 2019: Practical Security Awareness - Lessons Learnt and Best Practices
This talk will show lessons learnt from awareness campaigns I ran in several organisations. The focus lies on the instructional design of staff training: how to motivate staff, enable them to deal with complexity and help them transfer the new knowledge to their jobs. Some practical examples with regard to teaching password rules will be shown.
Stefan Schumacher is the president of the Magdeburg Institute for Security Research and editor of the Magdeburg Journal for Security Research in Magdeburg/Germany. He started his hacking career before the fall of the Berlin Wall, on a small East German computer with 1.75 MHz and a Datasette drive. Ever since, he has liked to explore technical and social systems, with a focus on security and how to exploit them. He was a NetBSD developer for some years and involved in several other Open Source projects and events. He studied Educational Science and Psychology and has done a lot of unique research about the Psychology of Security with a focus on Social Engineering, User Training and Didactics of Security/Cryptography. Currently he is leading the research project Psychology of Security, focusing on fundamental qualitative and quantitative research about the perception and construction of security. He presents the results of his research regularly at international conferences like AusCert Australia, Chaos Communication Congress, Chaos Communication Camp, DeepSec Vienna, DeepIntel Salzburg, Positive Hack Days Moscow or LinuxDays Luxembourg and in security related journals and books.
Slides etc.
DeepSec 2018: Manipulating Human Memory for Fun and Profit
Stefan Schumacher (Magdeburger Institut für Sicherheitsforschung) Human memory is very volatile and not really trustworthy. Judges, interrogators and scientists know that humans often mix up memories or outright create new, false ones. In this talk I will show what we know about how human memory works, which factors lead to a loss of quality of stored memories and how memories can be altered or manipulated for social engineering attacks. Since this is, ethically, a very controversial topic, I will also speak about the ethics behind it. And be advised that I will not talk about NLP (Neuro-Linguistic Programming), as this stuff is unsubstantiated, unscientific esoteric charlatanry.
Slides etc.
- https://codeberg.org/0xKaishakunin/Publikationen/src/branch/main/Vortr%C3%A4ge/gDeepSec/2018-DeepSec-Schumacher-ManipulatingHumanMemory.pdf
- https://www.youtube.com/watch?v=qSS4Hoz7SrI
- https://vimeo.com/ondemand/172824/329295267?autoplay=1
DeepSec 2017: Making Security Awareness Measurable
Stefan Schumacher (Magdeburger Institut für Sicherheitsforschung) Security awareness campaigns aim at educating and training your workforce with regard to IT security. Those trainings take time and can be rather complex, which also makes them expensive. However, we still lack the scientific basis for how to design a successful security awareness campaign and how to evaluate its success, especially when it comes to elaborate social engineering attacks. In this talk I will introduce scientifically sound methods and tools from industrial and organisational psychology and industrial education to measure the success of security awareness campaigns. I will show human factors that enable or limit the success of training campaigns and how to enhance future campaigns based on lessons learned from former campaigns. All while keeping in mind that humans are not the weakest link in a security system, but the only defensive measure we have.
- Why awareness is not enough
- how to use modern didactical methods
- how to use the model of security competent action
- how to design a training programme
- how to train your users sustainably, effectively and efficiently
- how to test and measure your training programme
Slides etc.
DeepSec 2016: Assessing the Hacking Capabilities of Institutional and Non-institutional Players
Cyberwar, Cyberterror and Cybercrime have been buzzwords for several years now. Despite the problem of finding useful definitions for modern IT security threats and all the circlejerking bullshit bingo going on, we have to think about the assessment of capabilities in the IT field.
Besides institutional actors like states and their military and intelligence communities we also have to assess the capabilities of non-institutional actors like terrorist groups or organised crime.
However, unlike the assessment of classic military strength, assessing the capabilities and powers of actors in the IT field is much more complicated and complex. In this talk I will introduce the first tools, methods and statistics to compare hacking capabilities and assess the »cyber fighting power« of different actors.
Slides etc.
DeepSec 2015: The German Data Privacy Laws and IT Security
Hesse introduced the first data privacy law in the world in 1970. Since then, the German data privacy laws have evolved and led to the creation of several tools and methods to protect private data. Though aimed at data protection, they can also be utilised for IT security. This talk introduces the data privacy law and its main ideas. I will also show how it can be used to further IT security, especially in the SME sector. This mostly refers to the identification and description of the processes that work with data and therefore have to be protected.
Slides etc.
- https://codeberg.org/0xKaishakunin/Publikationen/src/branch/main/Vortr%C3%A4ge/gDeepSec/2015-DeepSec-Schumacher-GermanDataPrivacyLaws.pdf
- https://www.youtube.com/watch?v=W2oaAVb5Vec
DeepSec 2015: Social Engineering and Security Awareness (Workshop)
Stefan Schumacher (Magdeburger Institut für Sicherheitsforschung) Social Engineering is a great method for hacking systems. Instead of attacking technical devices, social engineers manipulate people to get what they want. Defending your organisation against social engineering attacks is vital, yet very hard to achieve. This workshop focuses on the psychological fundamentals of social engineering. I will show you how social engineering works, how psychology can be used to manipulate people and how social engineers use these skills to lever out security measures. The second part of the workshop will focus on defence measures against social engineering attacks. I'll teach didactical methods and other skills required to train your users in a successful, scientifically sound and empirically grounded security awareness campaign. Practical knowledge from human factors and organisational development research will top the workshop off.
DeepSec 2014: Why IT Security Is Fucked Up And What We Can Do About It
IT Security is in a miserable state. The problems have been discussed again and again without advancing IT Security.
Discussing the key length of AES is necessary, but not the peak of IT Security, as long as users choose weak passwords, developers implement buffer overflows and vendors deliver faulty banana software.
IT Security research has not adapted well to the challenges of IT security. Instead of focusing on fields like man-machine interaction, the perception of security by users and developers, or political measures like producer's liability, the same simple problems are discussed again and again. This is not surprising, since Computer Science is a trivial science and only successful because it ignores hard problems like human behaviour.
This rant will give an overview about what’s wrong in IT Security and Security Research. I will show you why cryptosystems really fail, what Psychology knows about security and what IT Sec has to do if it ever wants to break the current circle jerk and start generating more security.
Stefan Schumacher is head of the Magdeburger Institut für Sicherheitsforschung (Magdeburg Institute for Security Research) and currently running a research programme about the psychology of security. This includes social engineering, security awareness and qualitative research about the perception of security.
Slides etc.
- https://codeberg.org/0xKaishakunin/Publikationen/src/branch/main/Vortr%C3%A4ge/gDeepSec/2014-DeepSec-Schumacher-WhyITSecurityIsFuckedUp.pdf
- https://www.youtube.com/watch?v=79d0VIIPPls
DeepSec 2013: The Psychology of Security – a Research Programme
IT Security is often considered to be a technical problem. However, IT Security is about decisions made by humans and should therefore be researched with psychological methods. Technical/Engineering methods are not able to solve security problems.
In this talk I will introduce the Institute’s research programme about the Psychology of Security. We are going to research the psychological basics of IT security, including:
- How do people experience IT security?
- How are they motivated?
- How do they learn?
- Why do people tend to make the same mistakes again and again (Buffer Overflow, anyone?)?
- What can we do to prevent security incidents?
- Which curricula should be taught about IT security?
Slides etc.
- https://codeberg.org/0xKaishakunin/Publikationen/src/branch/main/Vortr%C3%A4ge/gDeepSec/2013-DeepSec-Schumacher-PsychologyOfSecurity.pdf
- https://www.youtube.com/watch?v=BMUTt6yLGSM
DeepSec 2011: On Cyber-Peace
Slides etc.
- https://codeberg.org/0xKaishakunin/Publikationen/src/branch/main/Vortr%C3%A4ge/gDeepSec/2011-DeepSec-Schumacher-OnCyberPeace.pdf
- https://www.youtube.com/watch?v=tycUijPOiJ4
DeepIntel 2013: Psychological Profiling for Social Engineering Attacks
Social engineering attacks exploit psychological behaviours and use tricks to make the victim do something for the attacker. The basic principles of these behaviours are extensively researched and well documented, for example by R. Cialdini: Influence: Science and Practice. Social engineering attacks are easier and more successful if you scout the victim and his environment in the run-up and analyse his personality.
Based on this psychological profile, the attack can be better tailored or even custom-made. Therefore, the talk discusses several scientifically sound methods and tools to analyse the personality of the victim. Some possibilities of organisational analysis are also presented, to analyse the victim's immediate environment. Finally, I will show which methods can be used electronically, for example in spear phishing.
Slides etc.
DeepIntel 2012: On Cyber-Peace
DeepSec 2012: The Vienna Programme: A Global Strategy for Cyber Security by the Global Cyber Defence Initiative
Slides etc.
DeepSec 2010: Cyberwar on the Horizon?
Slides etc.
- https://codeberg.org/0xKaishakunin/Publikationen/src/branch/main/Vortr%C3%A4ge/gDeepSec/2010-DeepSec-Schumacher-CyberWarontheHorizon.pdf
- https://www.youtube.com/watch?v=yQP1HlTx6eE
DeepSec 2010: Security Awareness (replacement talk)
DeepSec 2009: The Developmental Psychology of Intrusion Detection Systems
Slides etc.
- https://codeberg.org/0xKaishakunin/Publikationen/src/branch/main/Vortr%C3%A4ge/gDeepSec/2009-DeepSec-Schumacher-DevelopmentalPsychologyOfIntrusionDetectionSystems.pdf
- https://www.youtube.com/watch?v=TULxfN5UNwc
DeepSec 2008: Two Day Workshop: Social Engineering and Security Awareness
Social Engineering is a great method for hacking systems. Instead of attacking technical devices, social engineers manipulate people to get what they want. Defending your organisation against social engineering attacks is vital, yet very hard to achieve. This workshop focuses on the psychological fundamentals of social engineering. I will show you how social engineering works, how psychology can be used to manipulate people and how social engineers use these skills to lever out security measures. The second part of the workshop will focus on defence measures against social engineering attacks. I'll teach didactical methods and other skills required to train your users in a successful, scientifically sound and empirically grounded security awareness campaign. Practical knowledge from human factors and organisational development research will top the workshop off.