Ruhr's IT security conference

Since 2016, RuhrSec has been the annual English-speaking non-profit IT security conference with cutting-edge security talks by renowned experts. The conference is hosted at the Ruhr University Bochum in Germany, directly in the heart of Bochum near the river Ruhr. RuhrSec provides academic and industry talks, the typical university feeling, and a highly recommended social event.

Get the latest RuhrSec news on Twitter or by subscribing to our newsletter!
Please consider that we offer free child care for RuhrSec 2020 attendees.

In 2020, all profits from the conference ticket income will be donated to a local non-profit organization again. Do you want to recommend one? Contact us!

Call for Presentations

The call for presentations is closed now.
Thank you to all the participants! We received a record number of submissions this year.
The program committee will start to evaluate all submissions now and inform the participants soon.
The program committee of RuhrSec 2020 consists of:

  • Cornelius Aschermann, Tim Blazytko, Thorsten Eisenhofer, Dennis Felsch, Martin Grothe, Sebastian Lauer, Vladislav Mladenov, Dominik Noß, Paul Rösler, and Moritz Schlögel (Ruhr University Bochum)
  • Christian Mainka, Karsten Meyer zu Selhausen, Marcus Niemietz, and Juraj Somorovsky (Hackmanit)

Program

Trainings (Mercure Hotel Bochum City): Tuesday–Wednesday, 05.-06.05.20

Advanced Client-Side Web Security, Marcus Niemietz (Hackmanit)
ChameleonMini and NFC Security, Kasper & Oswald GmbH (KAOS)
Kubernetes Security, Thomas Fricke (Endocode)

08:00 – 09:00 Registration and Biscuits/Coffee
09:00 – 13:00 Training
13:00 – 14:00 Tuesday/Wednesday: Lunch
14:00 – 18:00 Training
19:30 – 22:30 Only on Wednesday: Speakers' Dinner

Conference (Ruhr University Bochum): Thursday, 07.05.20

08:00 – 09:00 Registration and Biscuits/Coffee
09:00 – 09:15 Opening, Marcus Niemietz
09:15 – 10:00 Keynote: TBA, Prof. Tim Güneysu
10:00 – 10:30 Coffee Break
10:30 – 11:15 TBA, TBA
11:15 – 12:00 TBA, TBA
12:00 – 13:30 Lunch
13:30 – 14:15 TBA, TBA
14:15 – 15:00 TBA, TBA
15:00 – 15:45 Coffee Break
15:45 – 16:30 TBA, TBA
16:30 – 17:15 TBA, TBA
17:15 – Open End Social Event (incl. Dinner)

Conference (Ruhr University Bochum): Friday, 08.05.20

08:45 – 09:15 Biscuits/Coffee
09:15 – 10:00 Keynote: TBA, TBA
10:00 – 10:30 Coffee Break
10:30 – 11:15 TBA, TBA
11:15 – 12:00 TBA, TBA
12:00 – 13:30 Lunch
13:30 – 14:15 TBA, TBA
14:15 – 15:00 TBA, TBA
15:00 – 15:30 Coffee Break
15:30 – 16:15 TBA, TBA
16:15 – 17:00 TBA, TBA
17:00 – 17:15 Closing

Talks & Trainings

Advanced Client-Side Web Security

Training by Marcus Niemietz (Hackmanit)

Training. Advanced Client-Side Web Security

Abstract. In the training for client-side web security, we use real-life examples to teach you how an attacker finds and exploits client-side security vulnerabilities in modern web applications. By going far beyond the usual scope, this training will give you in-depth knowledge of topics such as cross-site scripting and UI redressing. The goal of this intensive training is to enable you to conduct smaller audits and penetration tests within the field of client-side web security on your own. In addition, you will be able to understand and evaluate common attacks and to continually secure your web application with regard to these topics.

Course Outline.

  • Short Introduction: HTTP, HTML, CSS, XML and DOM
  • Same-Origin Policy & Cross-Origin Resource Sharing
  • Social Engineering
  • Information Disclosure
  • Logical Flaws
  • Cross-Site Request Forgery
  • Cross-Site Scripting
    • Non-persistent XSS
    • Persistent XSS
    • DOM-based XSS
    • Self-XSS
    • Mutation-based XSS
    • Scriptless Attacks
  • Session Hijacking and Session Fixation
  • UI Redressing and Clickjacking
  • DOM Clobbering
  • Secure Coding
    • Content Security Policy
    • Pentesting Tools
    • Security Requirements

What to bring? Laptop, VirtualBox

Prerequisites. The course is designed for people who wish to familiarize themselves with web hacking. It is helpful if you have knowledge of web languages, such as HTML.

Who Should Attend? Web developers, heads of web development departments, and, inter alia, information security officers.

What to expect? The training will address the following questions, among others:

  • How do attackers proceed when looking for client-side vulnerabilities in a web application? Which tools and procedures are used?
  • How well is my web application protected against client-side attacks?
  • How can I harden my web application against these attacks?
  • Which measures are necessary to prevent future attacks against my web application?

What not to expect? One-size-fits-all solutions, because the right solution depends entirely on your use case and threat model.

About the trainer. For over a decade, Dr.-Ing. Marcus Niemietz has been working as a penetration tester and web security trainer. As a co-founder of Hackmanit, he has been responsible for web security since 2014. In addition, he is actively researching at the Ruhr University Bochum to prevent both UI redressing and cross-site scripting attacks. He is a regular speaker at numerous international IT security conferences, including USENIX Security, Black Hat, and Microsoft's renowned hacker conference BlueHat. Marcus Niemietz is the publishing author of a book in the field of web security.

ChameleonMini and NFC Security

Training by Kasper & Oswald GmbH (KAOS)

Training. ChameleonMini and NFC Security

Abstract. The hands-on training course about RFID (Radio Frequency Identification) in general and NFC (Near Field Communication) in particular covers the basics of RFID (e.g., working principle, classification, use cases, transponder types) and summarizes attacks on commercial NFC systems (e.g., key recovery, side-channel attacks). During the course, our NFC tool ChameleonMini is introduced and its usage for practical security analyses of NFC access control systems is trained, e.g., reading and emulating (cloning) contactless cards, sniffing, cracking keys with card-only or reader-only attacks, and logging and interpreting the communication. Successful participants obtain a ChameleonMini RevG and a participation certificate.
What is ChameleonMini?!
https://github.com/emsec/ChameleonMini/wiki, https://shop.kasper.it/chameleonmini/

Note: This training requires a minimum number of 5 participants.

Course Outline.

  • Basics of RFID and related Security Threats
  • Tools for NFC Security (ChameleonMini, libnfc)
  • Details about ISO14443 / ISO15693 / NFC
  • Security Vulnerabilities in Commercial NFC Systems
    • Mifare Ultralight
    • Mifare Classic
    • Mifare DESfire

What to bring? Laptop

Prerequisites. More information will be added soon.

Who Should Attend? More information will be added soon.

What to expect? More information will be added soon.

What not to expect? More information will be added soon.

About the trainers. Kasper & Oswald GmbH (KAOS) are the inventors of the versatile NFC Tool ChameleonMini and have many years of experience with NFC Security.

Kubernetes Security

Training by Thomas Fricke (Endocode)

Training. Kubernetes Security

Abstract. Hidden under the hood of Kubernetes are a lot of security features. From the Linux namespaces used in containers to the network, there are a lot of configurations with many bells and whistles supporting or totally annulling the security of a cluster. Some of them are obvious, some are byzantine and cause bizarre and unexpected side effects in combination with the flaws of the Linux kernel.
The workshop gives a general, comprehensive overview of the security of the container ecosystem. The two-day course introduces the most important topics of Kubernetes Security. It is intended to raise awareness of the security features that are built in or missing. The training shows which problems are obvious and need to be addressed first in daily security work.

Course Outline.
Day One:

  • Recap
    • Introduction: Top findings - what is really running in production
    • Containers: The Linux Heritage
      • Namespaces
      • Containers are just apps sorted in namespaces
      • Capabilities
      • Understanding the basic privileges of applications
      • SecComp, AppArmor, SELinux
      • Advanced security
      • Containers or hypervisor
      • Use both on bare metal
      • Spectre and Meltdown
      • The missing kernel feature
    • Pods: The Fundamental Concept
      • Creating and updating applications
      • Container pattern, designing containers for security
      • Checks, quotas, and limits
      • Basic necessities
      • Least privileges: Necessary and dangerous settings
      • Port 80 and beyond port 1024
    • Services: Connecting Applications to the Internet
      • Exposing services
      • Ports, hostports and external load balancers
      • Avoiding privileged ports
      • Remapping ports multiple times
      • Pitfalls in definitions
    • Ingress: Integrating Services into a Site
      • Defining a complex website
      • Multiple services under one site
      • Managing keys and secrets with ingress
      • Secrets for certs
      • Complexity and pitfalls of ingress
      • How many ingresses should you use
      • Let's Encrypt
      • How to automate certs completely
  • Container Patterns for Security
    • Container Pattern Introduction: Definition and examples
    • Sidecars: Protecting insecure applications from sidecars
    • Proxies: Controlling the traffic of an application
  • Images: Docker and Beyond
    • Building images securely: Alternatives to Docker - containerd and cri-o
    • Running your own registries: Internal vs. public registries
    • Limits of metadata: Not every vulnerability is packaged
    • Images from scratch: Minimize the image footprints and make them undebuggable
    • Best practices: Secure, but wait, where is the cert team?

Day Two:

  • AdmissionControllers: Check Everything
    • Definition: Concept and most important examples
    • PodSecurity
      • Basics
      • Role-Based Access Control (RBAC)
    • Clear project and role structure: Avoid confusing yourselves with complex rules
    • Worst practice examples: The internet ruins your installation
      • Helm: stable != secure
      • Helm 2: Don't use, move to Helm v3 (trivial exploit, cloudbombs reloaded)
    • OpenPolicyAgent: Policies for security
  • Scripting: Simplest Way of Analyzing Clusters
    • Templates: Templates with go and JsonPath templates
    • Checking clusters with scripts: Checking for images, security contexts, roles, -bindings, etc.
    • How many scripts: Alternatives
  • Network Security: Control Every Connection in the Cluster
    • Network Policies
      • Network Implementations: The Container Network Interface (CNI)
      • Implementations: Cilium, Calico
      • Examples
      • Testing Network Policies: Netcat for testing
      • Limits: Liquid services
    • Service Meshes
      • Definition
      • Distributed firewalls
      • Envoy
      • Implementations: Linkerd, Istio
    • Istio
      • Installation: Default installation
      • Use case: Trust nothing! Really?
      • Implementation: Inside the proxy
      • Scripting against Istio: initContainers
      • Sidecars vs. the Container Network Interface: Privileges in userspace vs. central management
  • Misc
    • Audit Logs: Cluster auditing with Stackdriver, Elasticsearch, and Splunk
    • Disc encryption: Securing data at rest
    • Kubernetes in critical infrastructure: Resilience and encryption of connections
    • Linux without the GNU stuff: Kernel and kubelet only
    • Latest developments
    • Your topics: Bring your own observations, questions, and proposals

There might be minor changes to the topics according to the latest developments in Kubernetes and its security.

What to bring? Laptop with your preferred operating system or access to a non-production Kubernetes cluster; some examples can be harmful. If using your laptop, RAM of at least 16GB is more important than CPU power.
Please preinstall the latest versions of Minikube, Kubectl, Helm, and Docker. A Linux-based Laptop is a plus, but not necessary.

Prerequisites. Good Linux knowledge, basic knowledge of Kubernetes. A good preparation is the book
Kubernetes: Up and Running: Dive into the Future of Infrastructure, 2nd edition by Kelsey Hightower, Brendan Burns, Joe Beda.
A full read is not necessary.

Who Should Attend? Developers, system and security engineers, and architects who work with Kubernetes microservices, especially if Kubernetes is to be used in security-critical environments.

What to expect? An introduction to the most relevant topics. There will be some selective deep dives, but generally, the examples are on a scripting level. We might find exploits, but this cannot be guaranteed, nor is it intended. At the end, the participants should be able to judge typical Kubernetes setups and rate their security settings.

What not to expect? Full coverage of every aspect of Kubernetes security is not possible within two days. Sophisticated exploits, in which several minor glitches are chained, are possible but have not been disclosed to date. They are not part of this workshop. Kubernetes code security, cluster resilience, and side-channel attacks like Spectre, Meltdown, and related ones are mentioned, but not covered.

About the trainers. Thomas Fricke is a partner, member of the advisory board, and former CTO of Endocode. He is a cloud architect focussing on system automation and DevOps, now SecDevOps, and is a cloud, database, and software architect. He conducts audits and gives workshops and trainings on Kubernetes, with a focus on container and network security.


Prof. Tim Güneysu

(Ruhr University Bochum) – Keynote

Talk. More information will be added soon.

Abstract. More information will be added soon.

Biography. More information will be added soon.

Aurore Fass

(CISPA Helmholtz Center for Information Security) – Talk

Talk. HideNoSeek: Camouflaging Malicious JavaScript in Benign ASTs

Abstract. Given the popularity of the Web platform, attackers abuse JavaScript to mount different attacks on their victims. Due to the plethora of such malicious scripts, detection systems rely on static analysis to quickly process JavaScript inputs, sending only suspicious scripts to dynamic components. For an accurate detection of previously unseen JavaScript files, static approaches combine an abstraction of the source code at a lexical or syntactic level (based on the Abstract Syntax Tree (AST)) with machine learning algorithms.

In this talk, we present HideNoSeek, a novel and generic camouflage attack, which evades the entire class of detectors based on syntactic and lexical features, without needing any information about the system it is trying to evade. Our attack consists of automatically rewriting the ASTs of malicious JavaScript files into existing benign ones, while keeping the initial malicious semantics. In particular, HideNoSeek uses malicious seeds and searches for similarities at the AST level between the seeds and traditional benign scripts. Specifically, it replaces benign sub-ASTs by identical malicious ones and adjusts the benign data dependencies (without changing the AST), so that the malicious semantics is kept after execution.

In practice, we leveraged 23 malicious seeds to generate 91,020 malicious scripts, which perfectly reproduce ASTs of Alexa top 10k web pages. Overall and by construction, a standard trained classifier has 99.98% false negatives on such crafted inputs, while a classifier trained on such samples has over 88.74% false positives, rendering the targeted static detectors unreliable. Similar to Android malware in repackaged applications, HideNoSeek could automatically alter benign JavaScript libraries and present them as an improved version of the original ones, for malicious purposes. In particular, such a modification of jQuery 1.12.4 would affect over 30% of the websites.

Biography. Aurore Fass is a third-year Ph.D. student at the CISPA Helmholtz Center for Information Security (Germany), jointly supervised by Michael Backes and Ben Stock. Her areas of interest include static malware analysis and detection (with special focus on JavaScript code), machine learning, and adversarial attacks. She presented her research work at several academic and non-academic venues like CCS, ACSAC, DIMVA, MADWeb, and Blackhoodie.

Twitter: @AuroreFass

Lars Hermerschmidt

(AXA Konzern AG) – Talk

Talk. LangSec – The View on Software Security from the Tower of Babel

Abstract. This talk gives an introduction to Language-theoretic Security (LangSec) for pragmatists. Fundamental results from LangSec are applied to real world security problems and give a clear direction on how to (not) solve these problems. The talk does not require you to have knowledge in theoretical computer science in order to take away results you can apply in daily security life.
LangSec regards the Internet insecurity epidemic, which started with the discovery of buffer overflows, as a consequence of ad hoc programming of input handling code. To overcome this ongoing crisis, LangSec postulates creating trustworthy software, i.e. (un)parsers, that take untrusted input and treat it by means of formal language theory.

Biography. Lars Hermerschmidt is Security Champion guide elder at AXA Konzern AG and strives to integrate Security into DevOps. In LangSec, he researches unparsers to solve injection vulnerabilities for arbitrary languages. In addition, he worked in the field of security architecture modeling languages and developed an approach to perform automated threat modeling. He has been working in the field of Software Security since 2009 and has been running his own server since 2000, lately with Ansible and Docker.

Twitter: @bob5ec

Chloé Messdaghi

(Point3 Security) – Talk

Talk. The Hacker Hippocampus: Meet your brain on games

Abstract. Always on the edge of your seat when it comes to new exploits and tricks. From bug bounties, CTFs, live hacking events, simulations, and interactive educational modules, they have been proven to stimulate and enforce new tools and knowledge to become stronger red teamers, blue teamers, and purple teamers. But how did gamification come into play and in infosec? And how does our brain process gamification and threats as hackers? This gamified/interactive talk shares the history of gamification in infosec, how our brains are stimulated by them, and how it’s transforming lives.

Biography. Chloé Messdaghi is the VP of Strategy at Point3 Security. She is a security researcher advocate who supports safe harbor and strongly believes that information security is a humanitarian issue. Besides her passion to keep people safe and empowered online & offline, she is driven to change the statistics of women in InfoSec. She is the President and cofounder of Women of Security (WoSEC) and heads the SF Bay Area chapter. As well, she created WomenHackerz, a global online community that provides support and resources for hundreds of women hackers at all levels.

Twitter: @chloemessdaghi

Sebastian Roth

(CISPA Helmholtz Center for Information Security) – Talk

Talk. Restricting the scripts, you're to blame, you give CSP a bad name

Abstract. In a current research project, we investigated the longitudinal evolution of the Content Security Policy header over the course of the last seven years. Throughout this analysis of the 10,000 highly ranked sites, we conducted case studies that illustrate the struggle of Web sites that try to deploy a CSP in a secure fashion and examples of sites that give up on CSP. In addition to that, we shed light on the other security capabilities of CSP, especially regarding framing control and TLS enforcement.

The CSP can be used to enforce that resources are only loaded via TLS-secured connections. This can be achieved by either forbidding the loading of HTTP resources by specifying the block-all-mixed-content directive in CSP or by using the upgrade-insecure-requests directive. This directive forces the automatic rewriting of all HTTP URLs to HTTPS upon page loading. This is useful to gracefully implement a transition from HTTP to HTTPS while preventing warnings and breakage due to the use of mixed content. Based on an analysis of live Web sites, we show that most sites could deploy upgrade-insecure-requests right now to avoid any mixed content without errors.

In the case of framing control, we found that within the Top 10K sites, 3,253 made use of XFO, whereas only 409 used frame-ancestors. Due to the inconsistencies of the XFO header, the protection of the 3,253 sites might be weaker in comparison to the protection offered by the frame-ancestors Web sites. The ALLOW-FROM mode of XFO is not supported in some of the major browsers (including Google Chrome). Thus, an operator that uses this mode would not secure all users of this browser, because unsupported headers will be ignored. In addition to that, the SAMEORIGIN mode of XFO is in some cases susceptible to so-called Double Framing attacks. This is caused by the fact that the XFO standard does not define whether the top-most frame, the parent frame, or even all frame ancestors (like the CSP directive) have to be hosted within the same origin.

Due to these inconsistencies, we sent notifications to 2,700 Web sites that suffer from this problem. By investigating the responses, we were able to get valuable information regarding the roadblocks of CSP deployment in the wild. While most of the Web developers were aware of the protection that CSP can offer, they are massively intimidated by the complexity of CSP's content restriction. Due to this complexity or because of the unawareness of the additional capabilities of CSP, they do not consider framing control or TLS enforcement as legitimate use cases of the CSP.

In this talk, we want to raise awareness regarding issues of some of the widely used security headers as well as to present and explain the more secure CSP alternatives for them. Furthermore, we want to involve the audience in discussing their “horror stories” and roadblocks for CSP deployment with us, such that we can build better tools and improve informational material regarding the CSP.

Biography. Sebastian Roth is a first-year PhD student in the Information Security and Cryptography Group at the CISPA Helmholtz Center for Information Security, where he is supervised by Michael Backes. His research interest is focused on client-side Web Security as well as Usable Security for developers. Thus, his work is done in collaboration with the Secure Web Applications Group headed by Ben Stock. Currently, he is specifically looking into the prevalence and the usage of security headers present in Web applications.

Twitter: @s3br0th

Ben Stock

(CISPA Helmholtz Center for Information Security) – Talk

Talk. Restricting the scripts, you're to blame, you give CSP a bad name

Biography. Ben Stock is a tenure-track faculty member at the newly founded CISPA-Helmholtz Center for Information Security. In his PhD, Ben focussed on the detection and mitigation of Client-Side Cross-Site Scripting. During his PhD, he worked closely with SAP Research and interned with Microsoft Research. After his PhD, he joined CISPA as a postdoc, focussing on both Web Security as well as Usable Security research. He currently heads the Secure Web Applications Group at CISPA and is a regular speaker at academic and non-academic venues like CCS, USENIX Security, NDSS, Blackhat, and OWASP AppSec.

Twitter: @kcotsneb

Mathy Vanhoef

(New York University Abu Dhabi) – Talk

Talk. Attacking the Dragonfly handshake of WPA3 and EAP-pwd

Abstract. In this talk, we show that the Dragonfly handshake of WPA3 and EAP-pwd is affected by several design and implementation flaws. Most prominently, we present side-channel leaks that allow an adversary to perform brute-force attacks on the password. Additionally, we present invalid curve attacks against all EAP-pwd and one WPA3 implementation. These implementation-specific attacks enable an adversary to bypass authentication. Finally, we briefly discuss countermeasures that have been incorporated into the Wi-Fi standard.

Biography. Mathy Vanhoef is a postdoctoral researcher at New York University Abu Dhabi. He is most well known for his KRACK attack against WPA2, the RC4 NOMORE attack against RC4, and the Dragonblood attack against WPA3. His research interest is in computer security with a focus on network security, wireless security (e.g. Wi-Fi), network protocols, and applied cryptography. Currently, his research is about analyzing security protocols to automatically discover (logical) implementation vulnerabilities. Apart from research, he is also interested in low-level security, reverse engineering, and binary exploitation.

Twitter: @vanhoefm

Conference location

Trainings

Address: Mercure Hotel Bochum City, Massenbergstraße 19-21, 44787 Bochum

Directions: The trainings will be held at the Mercure Hotel Bochum City. The hotel is located close to the main train station "Bochum Hauptbahnhof" (aka. "Bochum Hbf").


Conference

Address: Veranstaltungszentrum, Ruhr-Universität Bochum, Universitätsstraße 150, 44801 Bochum

Directions: RuhrSec will be held at the Ruhr University Bochum (RUB). The conference location is directly located under the cafeteria/Mensa in our event center ("VZ" or "Veranstaltungszentrum"). You can find parking spaces for your car directly under the conference location (University Center/"Universität Mitte", parking space P9). Otherwise, you can take the subway ("U-Bahn") U35 to the station "Ruhr-Universität". From the station, it is a 5-10 minutes' walk to the conference building.

Flight and Train Information

The closest airport is "Düsseldorf Flughafen" (DUS). From DUS, the shortest and fastest way to get to Bochum is via train. Please take the "Sky Train" from the airport to the train station "Düsseldorf Flughafen". Afterwards, you should take a train to "Bochum Hauptbahnhof" (aka. "Bochum Hbf"). From there, we recommend taking a taxi to the conference center (about 10 euro). Otherwise, you can take the subway ("U-Bahn") U35 to the station "Ruhr-Universität". From the station, it is a 5-10 minutes' walk to the conference building.

Please note:

  • Please pay for the sky train (about 2 euro).
  • To get your train tickets, you can use a ticket machine after the sky train. They allow you to choose English for the UI and you can (often) pay with your credit cards. Please be sure to bring enough cash (euro) with you, because it is possible that the ticket machine does not accept your credit card. The ticket price should be about 2 euro (SkyTrain) and 20 euro (train).
  • Please do not forget to validate your train ticket with one of the stamp machines. Otherwise, it is not valid.

If you want to check when your train will arrive you can use this web page: https://reiseauskunft.bahn.de/bin/query.exe/en

Accommodation

We do not offer any hotel room reservation service. From our experience, it is cheaper to use common hotel booking portals instead of booking the rooms directly at the hotel or with a reservation code.

Directly in the heart of Bochum and near the central station, we recommend two hotels:

Ibis renovated its hotel a few years ago and it is, depending on the view, sufficient to spend a few nights in it. More luxury is offered by the Mercure Hotel, which was a Park Inn hotel in the past. Both hotels are not far away from Bochum's famous "Bermuda Dreieck", with a lot of good bars and German beer.

Child Care

We want to enable everyone interested in attending RuhrSec to be able to attend it. Therefore, we offer professional child care for our attendees at both the training and conference venue - free of cost! The child care will be provided in cooperation with the ProKids family service of the Ruhr University Bochum. It will take place in a room at the training/conference venue to ensure you will be close to your child or children at all times. The child care service will provide toys fitting for the age of the registered children.

If you want to register your child or children for the child care service, please fill in the registration form (German, English) with the information needed for the registration and send it to Linda Schwarzl and Karsten Meyer zu Selhausen by the 3rd of April 2020.
If you have any questions feel free to contact us!

Social Event

TBA

Every participant with a valid conference ticket is invited to be our guest at the social event. Feel free to join us and to talk with other security interested people, including the speakers.

Details

Location: TBA

How to get there: TBA

German way description: TBA

Time: After the first conference day (>=17:00 o'clock)