DeepSec 2015 Talk: DDoS – Barbarians at the Gate(way) – Dave Lewis

There really is strength in numbers. It’s true for Big Data, high performance computing, cryptography, social media, and flooding the Internet with packets. The latter has been the method of choice for activists, „cyber“ warriors and criminals alike. Network interdiction (as military minds may call it) or Distributed Denial of Service (DDoS) attacks can be hard to counter due to the many sources of the attacking devices. Full pipes are full, no matter what you do. While you can deploy reverse proxies or rely on content distribution networks, the attack still persists. Packets keep coming until the sources are shut down. Flooding someone’s network is not a sophisticated attack. It gets the job done, and it may be complex by nature, but it is not a stealthy exploit sitting in your local network without being noticed. DDoS makes a lot of noise, and it is usually detected right away.

What does a DDoS look like? What happens before, during and after? Are there warning signs such as cloudy skies, light rain, and a steadily increasing wind? Since you can’t recreate DDoS conditions in the lab, it’s best to ask experts who have experience in weathering the storm. Dave Lewis from Akamai will tell you all about DDoS incidents of all sizes at DeepSec 2015:

This talk will look at the patterns of the DDoS attacks that are prevalent in the news headlines. We will take a deep dive into the motivations and rationale behind these attacks; examining the motivations of attackers as they move on from historical page defacement to incentivized DDoS attacks. The tools, methods and data behind these attacks will be unveiled.

Everyone dealing with networked applications should have a look at his talk. As with every attack method, it’s best to look at the tools being used against you before planning your defence. Even organisations relying on (probably outsourced) content distribution networks should learn about what really happens during a DDoS. Your application developers and network-facing sysadmins will benefit as well. Don’t let the barbarians win the battle!

Dave Lewis has almost two decades of industry experience. He has extensive experience in IT operations and management. Currently, Lewis is a Global Security Advocate for Akamai Technologies. He is the founder of the security site Liquidmatrix Security Digest and cohost of the Liquidmatrix podcast. Lewis also serves on the (ISC)2 Board of Directors. He writes a column for CSO Online and Forbes.


Digital Naval Warfare – European Safe Harbor Decree has been invalidated

The global cargo traffic on the Internet needs to revise its routes. The Court of Justice of the European Union has declared the so-called „Safe Harbor“ agreement between the European Commission (EC) and US companies invalid. The agreement was a workaround to extend the EU Directive 95/46/EC on the protection of personal data to non-EU countries. The ruling was the result of the ‘Europe v Facebook’ lawsuit by Austrian law student and privacy activist Max Schrems. This means that European companies might violate EU privacy laws when storing or processing personal data on US servers. Among the arguments was that the rights of the European data protection supervisory authorities must not be constrained, and that due to the NSA PRISM program the protection of personal data according to EU directives is not possible. The court was also aware of the National Security Letter problem, which renders any legal protection ineffective.

Translated into a day at the office, the court ruling means that European companies cannot use resources outsourced to US companies if they want to adhere to European privacy protection laws. This does not come as a surprise. Even without the news items trickling from the Snowden archives, the „Safe Harbor“ agreement has never been more than a list of organisations promising to follow EU Directive 95/46/EC. Without being a law or a treaty, it was basically a shopping list for people interested in outsourcing infrastructure and services. This has changed now, although no one has publicly reacted yet by modifying the outsourced resources and moving them back into regions compatible with privacy law. It seems that despite the best „Cloud“ advertising it is not that easy to move „cloudy“ operations from one place to another when it comes to data protection.

Of course there are other ways. You can always sign an agreement such as standard contractual clauses or binding corporate rules (BCR) to bridge the gap between the legal regimes. Given the potent threats to data privacy and security, such an agreement won’t be any stronger than the old „Safe Harbor“ agreement. The court’s decision raises some pretty fundamental questions about how and where (parts of) your infrastructure should be and where your data should be stored.

Information security needs to address these issues as well. The „Safe Harbor“ agreement was no technical solution. It was a hack, and now it is officially busted. However it was part of the information technology infrastructure of many companies. Thus it needs to be part of the security strategy. DeepSec 2015 has a focus on (industrial) espionage. Learn how to protect your digital assets from third parties – technically and legally.

DeepSec 2015 Talk: Extending a Legacy Platform Providing a Minimalistic, Secure Single-Sign-On-Library – Bernhard Göschlberger & Sebastian Göttfert

Upgrading existing infrastructure and migrating from one architecture to another is often the way to keep your information technology up-to-date. Changing major revisions of software is not for the faint of heart. Many sysadmins have sacrificed a good portion of their life force just to jump to the next version. Sometimes you are simply stuck. Code is not always maintained. Products might be obsolete. Developers might have abandoned the project. However, the application is still in place and keeps on working. When changes hit this kind of environment, you can’t decline the challenge. Meet the legacy systems that will ruin your day. Bernhard Göschlberger and Sebastian Göttfert have given this problem some thought. They will tell you all about it in their presentation at DeepSec 2015.

Well elaborated principles of software engineering foster interoperability between systems and their extensibility. However, a lot of software systems grew and developed over time without incorporating any of those design principles. According to Wikipedia, a legacy system is an old method, technology, computer system, or application program “of, relating to, or being a previous or outdated computer system.”

As we focus on authentication for web applications, we use the term legacy system to refer to web applications with custom user management that cannot be rewritten or replaced for some reason. Despite decades of security research and authentication standards there is still a vast amount of systems with custom authentication solutions and embedded user databases. Such systems are typically hard to integrate with others in a secure manner. When forced to federate identities to other systems, programmers tend to get creative and forget about security principles.

We analysed an existing system of an organisation with approximately 12.000 sensitive user data sets and uncovered severe vulnerabilities in their approach. Those vulnerabilities had been perceived as an acceptable trade-off due to the alleged complexity of a clean solution. Unfortunately, we found that a lot of programmers are convinced that quick and dirty solutions are less complicated. We don’t think so!

Hence, we developed a minimal, secure Single-Sign-On solution and demonstrated the feasibility of implementing both a minimal Identity Provider and a minimal Service Provider with only a few lines of code. We provided a simple blueprint for an Identity Provider and an easy to use Service Provider library. It is now possible to integrate arbitrary web based systems with the organisation’s legacy web application.

Our success story and open source blueprints should inspire others to follow the proposed approach and tailor similar solutions with minimal time effort and low cost.

We recommend this talk for everyone dealing with infrastructure and information technology architecture. We all love it when a plan comes together. More often than not this doesn’t happen. Then you might need the results discussed by Bernhard and Sebastian. Make sure you do not miss this opportunity!

Bernhard Göschlberger studied Software Engineering at the faculty of Informatics, Communication and Media of the University of Applied Sciences Upper Austria (Campus Hagenberg) and Legal and Business Aspects in Technics at the Johannes Kepler University Linz.
He is currently a PhD student in Computer Science at the institute of Telecooperation at the Johannes Kepler University Linz.
Since 2011 he has been working for the Research Studios Austria FG as a researcher in the field of technology enhanced learning.
Sebastian Göttfert studied Business Informatics at the Johannes Kepler University Linz and deepened his knowledge in network technologies at the Oxford Brookes University.
Currently, he is writing his Master’s thesis in Computer Science at the Institute of Telecooperation at the Johannes Kepler University Linz.

DeepSec 2015 Workshop: Practical Firmware Reversing and Exploit Development for AVR-based Embedded Devices – Alexander Bolshev & Boris Ryutin

The Internet of Things (IoT), more commonly known as the Internet of Stuff, is all around us. You don’t have to wait for it any more. Take a peek at the search results from Shodan and you will see that lots of devices are connected to the Internet. Since your refrigerator does not run high performance hardware, it is well worth taking a look at the hardware being used. For connected household devices and their controllers you need low power equipment. Think small, think embedded, not different. This is why we offer the Practical Firmware Reversing and Exploit Development for AVR-based Embedded Devices training to you at DeepSec 2015. Alexander Bolshev and Boris Ryutin will show you how to create exploits for the Internet of Things:

Embedded systems are everywhere. And all of them have a heart – microcontrollers (MCU) with specific firmware. Atmel™ AVR® is one of the most popular MCU platforms in the world. It became famous because of the amateur Arduino platform, however, its real usage goes much further. Today, you can find many devices based on AVR microcontrollers in home automation, automotive applications (in security, safety, powertrain and entertainment modules), industrial systems, RF-systems, and much more. Do you know that USB-based AVRs have been used in the Xbox? Also, many KNX (building automation) gateways have several Atmega128 or Atmega16 inside. Thus, sooner or later you will meet one of these systems in your security projects. You may find many talks about reversing and exploit development for AVR-based devices, however there is still a lack of a full-scale guide that answers the question: “I have an AVR device. I have firmware (?). I have found something that looks like a vulnerability. What should I do now?”. The goal of this workshop is to give an answer to this question.

During this workshop, you will learn the specifics of AVR firmware reversing and exploitation. We will talk about tools and techniques, review the AVR architecture, teach you how to write ROP chains for AVR, and use other methods that force the MCU to do what wasn’t expected by the firmware developers. Post-exploitation topics (like reflashing and altering the bootloader) will also be covered. We will start our journey with simple programs, quickly move on to popular Arduino libraries and finish with a case of real exploitation of an industrial gateway. We will talk about how to use Radare2 and (a bit) IDA Pro in reversing and exploiting AVR firmware. And we will show you how to develop tools that help you with your task.

Here is a short outline of the workshop:

Day 1:

* Introduction

* Part 1: AVR basics
– Harvard Architecture
– AVR features
– AVR assembly
– A word about AVR bootloaders
– Software and hardware tools
– Quick intro to radare2
– Examples & exercises

* Part 2: Pre-exploitation
– First steps
– Acquiring firmware
– Firmware reversing
– Function signatures and various system libs
– Small Real time OSes from security perspective
– Examples & exercises

Day 2:
* Part 3: Exploitation
– Basics
– Types of vulnerabilities
– Building ROP chains for AVR
– Interruption tricks
– Advanced methods
– Examples & exercises

* Part 4: Post-exploitation
– Reading Flash and EEPROM
– Staying persistent
– Examples & exercises

* Conclusion


Every attendee will receive a special kit that contains:

– Atmega128 training board with built-in Wi-Fi
– JTAG programmer
– Arduino board

This training is highly practical and contains various exercises, for example:
– Overflowing the UART to control another UART interface
– Building ROP-chain for controlling i2c transmission
– Reading protected AES key from the bootloader
– ROP-chain with watchdog evasion
– And much more!

To participate you need just a basic understanding of reverse engineering and buffer overflow/memory corruption vulnerabilities. Please bring a laptop with at least 4 GB RAM, 15 GB free hard drive space, two USB ports and VMware, VirtualBox or Parallels installed. You will be supplied with all required software (virtual machine image) and hardware (debuggers and AVR development boards).

Don’t miss this opportunity! Soon you will be surrounded by hardware not based on the trusty x86/x86_64 architecture. Attacking different architectures will become crucial for future penetration testing, security assessment, and even „cyber“ defence. Therefore we highly recommend this workshop for everyone.


Alexander Bolshev is an information security researcher at Digital Security. He holds a Ph.D. in computer security and also works as assistant professor at Saint-Petersburg State Electrotechnical University. His research interests lie in distributed systems, mobile, hardware and industrial protocol security. He is the author of several whitepapers on topics such as heuristic intrusion detection methods, SSRF attacks, OLAP systems and ICS security. He spoke at the following conferences: Black Hat USA/EU/UK, ZeroNights, CONFIdence, S4.
Boris (@dukebarman) graduated from the Baltic State Technical University “Voenmeh”, faculty of rocket and space technology. Currently he is a postgraduate student there, works as a security engineer at ZORSecurity and contributes to the MALWAS post-exploitation framework. Boris is a recurring writer for the ][akep magazine, and a contributor and developer involved in several open-source information security projects. He is a radare2 evangelist and a multiple bug bounty awardee.

DeepSec 2015 Workshop: Crypto Attacks – Juraj Somorovsky & Tibor Jager

Fvcelsiuetwq lcv xlt hsyhv xd kexh yw pdp, tlkli? Well, yes and no. ITEzISqbI1ABITAhITAhLZzQFsQ6JnkhMTMhpNK5F5rF9dctkiExMyEv9Fh1ITMzIaX2VCJpEQc= , and that’s where it often goes wrong. Your cryptographic defence can be attacked just as any other barrier you can come up with. Attackers never sleep, you know. Crypto attacks are often facilitated by a simple psychological bias: Since cryptographic algorithms are so complicated (for me), no one can easily figure out how to break them. That may hold for ASN.1 or Chinese (with apologies to all native speakers, it is meant as a metaphor), but it does not hold for cryptographic algorithms. The fertile growth of CryptoParties all around the globe documents the interest in using cryptography as a means of protecting data, be it in transit or stored locally. Since you use encryption algorithms every day, regardless of whether you know about them or not, it’s time to deal with the knowledge about crypto. Dr. Juraj Somorovsky and Dr. Tibor Jager have prepared a two-day training all about crypto for you:

In the recent years, we saw an increasing deployment of cryptography. Cryptography is currently used in various scenarios, ranging from secure messaging or emails, to web services and JavaScript applications. This also forces many developers to implement new crypto applications and dive into this topic.

In our workshop, we give an overview of the most important cryptographic attacks. To our knowledge, this is the best (and funniest) way to learn proper crypto implementation, and how not to become a target of famous attacks.

The course is dedicated to developers and penetration testers, who are already familiar with basic cryptographic concepts (you should be familiar with modular exponentiation or basic principles behind RSA).

If you can’t decipher the two encrypted snippets in the introduction, then this workshop is for you. You might want to watch the videos of the Stanford Cryptography Course found online. The lecture videos can be found on YouTube, and are freely available. We recommend Juraj’s and Tibor’s workshop to anyone working with and using cryptography – software engineers, sysadmins, project managers, IT architects, and – yes – managers. If you work for a financial institution, we strongly advise taking this training! We have our reasons for the latter recommendation, and we won’t talk about it publicly. At least not for now.
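Since the post dares you to decipher the snippets, here is what a known-plaintext attack on the first one looks like. This is an added example, not part of the original post or of the trainers’ material: it assumes the first snippet is a plain Vigenère cipher (one shift per letter, key cycling over letters only, punctuation left alone) and that its first word is “Cryptography”, and it recovers the key from that crib alone; the key is not stated anywhere on the page. The second, Base64-looking snippet is not touched.

```python
"""Known-plaintext attack on the Vigenere teaser (added example).

Assumption: a plain Vigenere cipher whose plaintext starts with the
twelve-letter crib "Cryptography". The key is recovered from the crib.
"""
import string
from typing import List

ALPHABET = string.ascii_uppercase

# First teaser snippet, copied from the blog post.
CIPHERTEXT = "Fvcelsiuetwq lcv xlt hsyhv xd kexh yw pdp, tlkli?"
# The crib is a guess: a twelve-letter first word in a crypto teaser.
CRIB = "Cryptography"


def vigenere(text: str, key: str, decrypt: bool = False) -> str:
    """Vigenere encrypt/decrypt, keeping case; the key advances on letters only."""
    shifts = [ALPHABET.index(c) for c in key.upper()]
    out, k = [], 0
    for ch in text:
        if ch.isalpha():
            base = ord("A") if ch.isupper() else ord("a")
            s = shifts[k % len(shifts)]
            out.append(chr((ord(ch) - base + (-s if decrypt else s)) % 26 + base))
            k += 1
        else:
            out.append(ch)
    return "".join(out)


def shifts_from_crib(ciphertext: str, crib: str) -> List[int]:
    """Shift applied to each letter, given the crib aligned at the start."""
    letters = [c for c in ciphertext if c.isalpha()]
    return [(ALPHABET.index(c.upper()) - ALPHABET.index(p.upper())) % 26
            for c, p in zip(letters, crib)]


def recover_key(ciphertext: str, crib: str) -> str:
    """Shortest repeating key consistent with every shift the crib reveals.

    The crib has to be longer than the key; otherwise the shortest period
    found is just the crib length and the rest of the message stays garbled.
    """
    shifts = shifts_from_crib(ciphertext, crib)
    period = next(p for p in range(1, len(shifts) + 1)
                  if all(shifts[i] == shifts[i + p] for i in range(len(shifts) - p)))
    return "".join(ALPHABET[s] for s in shifts[:period])


def break_teaser() -> str:
    """Recover the key from the crib and decrypt the whole snippet."""
    return vigenere(CIPHERTEXT, recover_key(CIPHERTEXT, CRIB), decrypt=True)


if __name__ == "__main__":
    print(recover_key(CIPHERTEXT, CRIB))
    print(break_teaser())
```

The key turns out to be shorter than the crib, which is what makes its period visible in the shift pattern; with a crib shorter than the key you would need a second crib or a frequency analysis per key position instead.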

Dr. Juraj Somorovsky finished his PhD in the area of XML Security in 2013. In his thesis „On the Insecurity of XML Security“ he analyzes various cryptographic attacks on Web Services and presents practical countermeasures against these attacks, which were applied in XML Security specifications and in countless frameworks and applications. He presented his work at many scientific and industry conferences, such as Usenix Security and OWASP Germany. Currently, he works as a Postdoc at the Ruhr University Bochum, and as a security specialist for his co-founded company 3curity GmbH.

Dr. Tibor Jager is an academic cryptographer, doing research in applied and theoretical cryptography. His work focuses on practical cryptographic constructions, attacks and countermeasures, and the design and formal analysis of cryptographic protocols. He teaches computer networks and IT-security at Ruhr University Bochum. Together with Juraj Somorovsky, he found and reported flaws in cryptographic standards and libraries, including W3C’s XML Encryption.

DeepSec 2015 Workshop: Practical Incident Handling – Felix Schallock

Things go wrong or break, it’s just a matter of time. Ask your sysadmin about this. Apart from wear and tear, there are information security incidents that tend to ruin your perfect day at the office. What happens next? What do you do when you notice that your infrastructure has been compromised? Where do you start? Who needs to be told? Few employees know the answers to these questions. While you might have policies in place that regulate everything one needs to know, the practice looks wildly different. Apart from having a plan, you need to test whether your plan works. At DeepSec 2015 Felix Schallock will show you what to do when digital lightning strikes. During two days of training you will take a tour of how to address and handle incidents properly.

During the two days we will handle the why, what, who and how of incident handling (IH) including how to avoid common pitfalls. Furthermore we will use a case study to get hands-on with the phases of incident handling. Starting with why we will examine the benefits of having an incident process leading to the how to justify and right-size the efforts necessary to build and run it. The what will provide you information on what is necessary to be set up prior to your incidents. Then we will dive into more details on the phases of Preparation, Identification, Containment, Eradication, Recovery and Lessons Learned (PICERL) and determine how we can thoroughly establish the IH process. A case study will support our hands-on thinking about typical incidents and what/how is necessary to handle them.

We recommend Felix’s workshop to anyone who is convinced that they are prepared for security incidents or has a shiny policy regarding incidents hanging on the office wall. A proper response can save you a lot of headache and (digital) damage. The course is designed for all (IT) ages; managers, coders, sysadmins, pentesters, auditors, quality managers, et al. may attend without parental guidance.

Felix Schallock is a Director at TIBITS Consulting GmbH, a Senior Partner at SEC4YOU Advanced IT-Audit Services GmbH and a SANS mentor for SEC504 and SEC506, providing IT consulting and auditing services. With more than 20 years of experience in IT / IS / IT Auditing and IT Forensics he has handled many incidents and supported others. Felix has the CISA, CISM, CISSP, GCUX, GCIH, GPEN and other certifications.

DeepSec 2015 Talk: Continuous Intrusion – Why CI Tools Are an Attacker’s Best Friend – Nikhil Mittal

In information security pessimism rules. Unfortunately. Extreme Programming might breed extreme problems, too. The short-lived app software cycle is a prime example. If your main goal is to hit the app store as soon and as often as possible, then critical bugs will show up faster than you can spell XcodeGhost. The development infrastructure has some nice features attackers will love and most probably exploit. In his presentation Nikhil Mittal will show you how Continuous Integration (CI) tools can be turned into a Continuous Intrusion.

Continuous Integration (CI) tools are part of build and development processes of a large number of organizations. I have seen a lot of CI tools during my penetration testing engagements. I always noticed the lack of basic security controls on the management consoles of such tools. On a default installation, many CI tools don’t even implement authentication for admin access! Couple this lack of security controls with the ability to execute commands and scripts on many machines (distributed and master-slave/agent build process) and you have the perfect attack surface to pwn an enterprise environment. And CI tools are not only found in internal networks; they are also regularly exposed to the Internet.

This talk takes a look at open source as well as proprietary/commercial CI tools from a hacker’s perspective. We will compare various tools on a common set of mis-configurations and security controls. We will show you how these tools can be compromised, how dangerous even unprivileged access to these tools is, talk about the OS level privileges (both Windows and Linux) and how they could result in a complete compromise of the target network. We will also show you how to defend against such attacks.
The talk will be full of live demonstrations.

If you are a developer or a project manager herding cats, you have to attend Nikhil’s presentation. Even if you do not develop software, you should know what the tools look like and how they can be abused. It’s easier to build a defence once you know what code does and how it “thinks”. Anticipation beats hindsight when it comes to exploits.

Nikhil Mittal is a hacker, infosec researcher, speaker and enthusiast. His areas of interest include penetration testing, attack research, defence strategies and post exploitation research. He has 6+ years of experience in Penetration Testing for his clients, including many global corporate giants. He is also a member of Red teams of selected clients.
He specializes in assessing security risks in secure environments which require novel attack vectors and an “out of the box” approach. He has worked extensively on using Human Interface Devices in Penetration Tests and PowerShell for post exploitation. He is the creator of Kautilya, a toolkit which makes it easy to use Teensy in penetration tests, and Nishang, a post exploitation framework in PowerShell. In his spare time, Nikhil researches new attack methodologies and updates his tools and frameworks. Nikhil has held trainings and boot camps for various corporate clients (in the US, Europe and SE Asia), and at the world’s top information security conferences. He has spoken at conferences like Defcon, BlackHat USA, BlackHat Europe, RSA China, Troopers, DeepSec, PHDays, BlackHat Abu Dhabi, Hackfest, ClubHack, EuSecWest and more. You can visit his blog.

DeepSec 2015 Talk: Visualizing Wi-Fi Packets the Hacker’s Way – Milan Gabor

Silent service was the name many submarine services gave themselves. U-boats have the habit of hiding, usually in large bodies of water. How Not To Be Seen remains the prime directive of attackers throughout the ages. For the submarines this changed with the introduction of ASDIC and SONAR. You know these technologies from the acoustic sound of the ping. In the air one often uses radar instead. What do you use for the defence of your wireless networks? At DeepSec 2015 Milan Gabor will show you his idea of a Wi-Fi radar, so your IT security admins can become air traffic controllers.

Imagine you could see more than the console windows of the aircrack-ng tools provide. Imagine you could have quick dashboards and dive into more details in a short amount of time. And this without writing a single line of code. Come and see how this magic happens.

Today visualizing Wi-Fi traffic is more or less limited to console windows and analysing different logs from the aircrack-ng toolset. There are some commercial tools, but if we want to stay in the Open Source area we need to find better solutions. So we used the ELK stack to gather, hold, index and visualize data and a modified version of the airodump tool for input. With this you can create amazing dashboards, correlate some interesting data and do some deep digging for Wi-Fi packets. It gives hackers and also administrators a quick view into Wi-Fi space and offers a range of new possibilities to get interesting data really fast.
One half of the talk will be dedicated to a presentation of how this can be done, telling you about some issues that we had and our solutions to them, while the rest of the talk will demonstrate the true power of our research.

Sounds neat, eh? Give it a try. You really should, since you very definitely use Wi-Fi network(s) in your organisation. Trust us, we know. So attend Milan’s presentation, and discover the U-boats lying in wait all around you!
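To give an idea of what the “gather, hold, index” part of such a pipeline involves, here is an added example (not Milan’s tool, and not code from the talk) that turns an airodump-ng CSV export into lines for the Elasticsearch bulk API and runs one simple correlation over the result. The capture below is constructed for the example; its two header rows follow the layout of airodump-ng’s CSV export (access points first, a blank line, then stations, with probed ESSIDs appended as extra comma-separated columns). The index name and field names are this example’s own choices.

```python
"""airodump-ng CSV export -> Elasticsearch bulk lines (added example).

The sample capture is constructed; column layout follows the airodump-ng
CSV export. Field names and the index name are this example's choices.
"""
import json
from typing import Dict, List

SAMPLE_CSV = """\
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
00:11:22:33:44:55, 2015-10-01 10:00:00, 2015-10-01 10:05:00,  6,  54, WPA2, CCMP, PSK, -41,      120,        0,   0.  0.  0.  0,   7, LabNet1,
66:77:88:99:AA:BB, 2015-10-01 10:01:00, 2015-10-01 10:04:00, 11,  54, OPN,     ,    , -70,       30,        0,   0.  0.  0.  0,   5, Guest,

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
AA:BB:CC:DD:EE:01, 2015-10-01 10:02:00, 2015-10-01 10:05:00, -55,       42, 00:11:22:33:44:55, LabNet1
AA:BB:CC:DD:EE:02, 2015-10-01 10:03:00, 2015-10-01 10:04:00, -80,        3, (not associated)  , HomeWifi,CoffeeShop
"""


def parse_airodump(text: str) -> Dict[str, List[dict]]:
    """Split the export into its AP and station tables, one dict per row."""
    aps: List[dict] = []
    stations: List[dict] = []
    section = None
    for raw in text.splitlines():
        if not raw.strip():
            continue                      # the blank line separates the tables
        fields = [f.strip() for f in raw.split(",")]
        if fields[0] == "BSSID":
            section = "ap"
            continue
        if fields[0] == "Station MAC":
            section = "station"
            continue
        if section == "ap":
            aps.append({
                "bssid": fields[0], "first_seen": fields[1], "last_seen": fields[2],
                "channel": int(fields[3]), "privacy": fields[5], "cipher": fields[6],
                "auth": fields[7], "power": int(fields[8]), "beacons": int(fields[9]),
                "essid": fields[13],
            })
        elif section == "station":
            # Probed ESSIDs are not quoted, so every column past the 6th is one.
            stations.append({
                "station": fields[0], "first_seen": fields[1], "last_seen": fields[2],
                "power": int(fields[3]), "packets": int(fields[4]),
                "bssid": None if fields[5].startswith("(not associated)") else fields[5],
                "probed": [p for p in fields[6:] if p],
            })
    return {"ap": aps, "station": stations}


def to_bulk(tables: Dict[str, List[dict]], index: str = "wifi") -> str:
    """Body for POST /_bulk: an action line, then the document, per row."""
    lines = []
    for kind, rows in tables.items():
        for row in rows:
            lines.append(json.dumps({"index": {"_index": index}}))
            lines.append(json.dumps(dict(row, kind=kind)))
    return "\n".join(lines) + "\n"


def leaked_probes(tables: Dict[str, List[dict]]) -> Dict[str, List[str]]:
    """Stations probing for ESSIDs that no access point in the capture advertises.

    Those probes leak a client's preferred network list to anyone listening.
    """
    known = {ap["essid"] for ap in tables["ap"]}
    result = {}
    for st in tables["station"]:
        unknown = [e for e in st["probed"] if e not in known]
        if unknown:
            result[st["station"]] = unknown
    return result


if __name__ == "__main__":
    tables = parse_airodump(SAMPLE_CSV)
    print(to_bulk(tables), end="")
    print(leaked_probes(tables))
```

In a live setup the bulk body would be posted to the Elasticsearch `_bulk` endpoint (or handed to Logstash) on every airodump refresh; the correlation shown here is the kind of query that becomes a one-click dashboard panel once the data is indexed.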

Milan Gabor is the Founder and CEO of Viris, a Slovenian company specialized in information security. He is a security professional, pen-tester and researcher. He has presented at various security conferences around the world. He also gives ethical hacking trainings. He is always on the hunt for new and undiscovered things, he really loves and enjoys his job, and he dreams about parachute jumping.

DeepSec 2015 Workshop: Hacking Web Applications – Case Studies of award-winning Bugs in Google, Yahoo!, Mozilla and more – Dawid Czagan

Have you been to the pictures lately? If so, what’s the best way to attack an impenetrable digital fortress? Right, go for the graphical user interface. Or anything exposed to the World Wide Web. The history of web applications is riddled with bugs that enable attackers to do things they are not supposed to. We bet that you have something exposed on the Web and probably don’t even know about it. Don’t worry. Instead attend the DeepSec training session „Hacking Web Applications“ conducted by Dawid Czagan. He will teach you what to look for when examining web applications with a focus on information security.

This hands-on web application hacking training is based on authentic, award-winning security bugs identified in some of the greatest companies (Google, Yahoo!, Mozilla, Twitter, etc.).

You will learn how bug hunters think and how to hunt for security bugs effectively. To be successful in bug hunting, you need to go beyond automated scanners. If you are not afraid of going into detail and doing manual/semi-automated analysis, then this hands-on training is for you.

After completing this training, you will have learned about:
– tools/techniques for effective hacking of web applications
– non-standard XSS, SQLi, CSRF
– RCE via serialization/deserialization
– bypassing password verification
– remote cookie tampering
– tricky user impersonation
– serious information leaks
– browser/environment dependent attacks
– XXE attack
– bypassing authorization
– file upload vulnerabilities
– and more …

You will be handed a VMware image with a specially prepared testing environment to play with the bugs. What’s more, this environment is self-contained and when the training is over, you can take it home (after signing a non-disclosure agreement) to hack again at your own pace.

If you want to know what students from Oracle, Adobe, ESET, and other companies say about this training, visit this page to learn more.

More detailed information about the training can be found in the schedule for DeepSec 2015.

The workshop is definitely very hands-on (and, frankly, rather impressive). Only participants get the VMware image with the testing environment. This image and all its accompanying material is not for public download, so don’t miss the opportunity!

We recommend this training for anyone doing web application development, penetration testing, or working on IT defence. Invest in two days of studies to save your web apps from serious harm.

Dawid Czagan has found security vulnerabilities in Google, Yahoo!, Mozilla, Microsoft, Twitter, BlackBerry and other companies. Due to the severity of many bugs, he received numerous awards for his findings. Dawid is founder and CEO at Silesia Security Lab, which delivers specialized security auditing and training services. He also works as Security Architect at Future Processing. Dawid shares his security bug hunting experience in his hands-on training “Hacking web applications – case studies of award-winning bugs in Google, Yahoo, Mozilla and more”. He delivered security trainings/workshops at Hack In The Box (Amsterdam), CanSecWest (Vancouver), DeepSec (Vienna), Hack In Paris (Paris) and for many private companies. He also spoke at the Security Seminar Series (University of Cambridge) and published over 20 security articles (InfoSec Institute). To find out about the latest in Dawid’s work, you are invited to visit his blog and follow him on Twitter.

DeepSec 2015 Talk: Hacking Cookies in Modern Web Applications and Browsers – a short Interview with Dawid Czagan

You don’t have to be the cookie monster to see cookies all around us. The World Wide Web is full of it. Make sure not to underestimate their impact on information security. Dawid Czagan will tell you why.

1) Please tell us the top 5 facts about your talk.

The following topics will be presented:
– cookie-related vulnerabilities in web applications
– insecure processing of the Secure flag in modern browsers
– bypassing the HttpOnly flag and cookie tampering in Safari
– problem with the Domain attribute in Internet Explorer
– underestimated XSS via cookie
– and more

2) How did you come up with it? Was there something like an initial spark that set your mind on creating this talk?

I noticed that cookie-related problems are underestimated. People claim, for example, that XSS via cookie requires local access to the victim’s machine, but it is not true (a number of remote attacks are possible). Developers tend to forget that multi-factor authentication does not help if cookies are insecurely processed. Quite a few things can go wrong. There are also problems with secure cookie processing in different browsers and RFC 6265 (cookie processing is described in this RFC and modern browsers rely on this document).

3) Why do you think this is an important topic?

Since cookies store sensitive data (session ID, CSRF token, etc.), they are interesting from an attacker’s point of view. As it turns out, quite a few web applications (including sensitive ones like Bitcoin platforms) have cookie-related vulnerabilities that lead, for example, to user impersonation, remote cookie tampering, XSS and more. Moreover, there are problems with the secure processing of cookies in modern browsers. That’s why secure cookie processing (from the perspective of web application and browser) is a subject worth discussing.

4) Is there something you want everybody to know – some good advice for our readers maybe?

If readers want to play at DeepSec 2015 with authentic, award-winning web application bugs (including cookie hacks) identified in some of the greatest companies (Google, Yahoo, Mozilla, Twitter, …), then don’t hesitate and register for my training “Hacking Web Applications – Case Studies of award-winning bugs in Google, Yahoo, Mozilla and more”. More information about the training can be found in the detailed training description.

5) A prediction for the future – What do you think will be the next innovations or future downfalls when it comes to your particular field of expertise / the topic of your talk?

Security engineers/researchers should educate development teams, cooperate with browser vendors and discuss/improve RFC 6265 to make cookie processing more secure.
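The cookie attributes the interview names (Secure, HttpOnly, Domain) and the XSS-via-cookie sink, turned into a small Set-Cookie audit. This is an added example, not Dawid’s code; the header samples are constructed.

```python
"""Audit Set-Cookie headers for the RFC 6265 problems the interview names
(missing Secure and HttpOnly flags, an over-broad Domain attribute) and show
why a cookie value reflected into HTML unescaped is an XSS sink. Added example;
the header samples below are constructed, not taken from any real site."""
import html


def parse_set_cookie(header):
    """Split a Set-Cookie header into (name, value, {attr: value}).
    RFC 6265 section 4.1.1: the cookie-pair comes first, then ';'-separated
    attributes; attribute names are case-insensitive and flags carry no value."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def audit_set_cookie(header):
    """Return the weaknesses found in one Set-Cookie header for a sensitive
    cookie (session ID, CSRF token); an empty list means nothing was flagged."""
    _name, _value, attrs = parse_set_cookie(header)
    findings = []
    if "secure" not in attrs:
        findings.append("no Secure flag: the cookie is also sent over plaintext HTTP")
    if "httponly" not in attrs:
        findings.append("no HttpOnly flag: the cookie is readable by page scripts")
    if "domain" in attrs:
        # RFC 6265 section 4.1.2.3: any Domain attribute turns this into a
        # domain cookie, sent to every host under that domain, not just the issuer.
        findings.append(f"Domain={attrs['domain']}: shared with every subdomain")
    return findings


def cookie_value(cookie_header, name):
    """Pull one cookie out of a request Cookie header such as 'a=1; b=2'."""
    for pair in cookie_header.split(";"):
        key, _, val = pair.strip().partition("=")
        if key == name:
            return val
    return ""


def render_greeting(cookie_header, escape=True):
    """Build HTML from the 'user' cookie. With escape=False this is the
    XSS-via-cookie sink: whoever can set the cookie controls the markup."""
    user = cookie_value(cookie_header, "user")
    return f"<p>Hello, {html.escape(user) if escape else user}</p>"


if __name__ == "__main__":
    print(audit_set_cookie("sid=abc123; Path=/; Domain=.example.com"))
    print(render_greeting("user=<script>alert(1)</script>", escape=False))
```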



DeepSec 2015 Talk: Cryptography Tools, Identity Vectors for „Djihadists“ – Julie Gommes

Some speak of Crypto Wars 2.0. For others the Crypto Wars have never ended. FBI Director James Comey does not get tired of demanding back doors to IT infrastructure and devices (there is no difference between a back door and a front door, mind you). Let’s take a step back and look at the threats. We did this in 2011 with a talk by Duncan Campbell titled How Terrorists Encrypt. The audience at DeepSec 2011 was informed that encryption does not play a major role in major terror plots. What about today? Have terrorists adopted new means of communication? Since the authorities demanding access to protected information do not have statistics readily available, we turned to researchers who might answer this question. Julie Gommes will present the results of studies analysing the communication culture of criminal groups. In order to distinguish criminal acts from religion, we have put some words in quotes („“). We do not wish to whitewash crime by calling it religion. We ask you to bear this in mind when reading Julie’s summary and when attending her presentation.

Cryptography, social networks – today the use of online tools also serves to protect the communications of terrorists and to affirm their membership in terrorist organisations. The Internet is the method of choice for communication: the number of sites calling for a „jihad“ rose from 28 in 1997 to over 5,000 in 2005. The basic use of these sites for the purpose of basic classical communication began in the 2000s. It was replaced by that of social networks, allowing almost instant mass communication.

Studies of the Middle East Media Research Institute (MEMRI) show that Al-Qaeda has used encryption tools for a long time: „Since 2007, Al Qaeda’s use of encryption technology has been based on the platform Mujahideen Secrets, which has incorporated the support for mobile, instant messaging, and Macs.“ Encrypting communications was only done for emails and within the „Mujahideen Secrets“ platform itself.

However, the year 2013 was a turning point in the spread of encryption: instant messaging in February with Pidgin, SMS in September with Twofish encryption, AES encrypted texts on web sites in December. Edward Snowden’s revelations, which began in June 2013, are not the starting point of the „cryptodjihad“ but seem to have acted as an accelerator.

MEMRI’s researchers demonstrated the use of public cryptographic tools stemming from the family of Free Software: Pidgin, an instant messaging tool similar to MSN, allows the terrorist movement Asrar al Dardashan to encrypt their communications with OTR (for Off the Record).

By analyzing the adoption of new tools and the use of Free Software, we see that the focus is on cryptography for mobile tools.

Since everything that looks suspicious is branded as a nefarious cyber weapon (including calc.exe), we believe that everyone should listen to Julie’s talk. The field of information security entered the delicate terrain of politics a long time ago. It’s time to catch up. Start with encryption. While you are at it, don’t forget to follow the Crypto Wars to keep your front doors safe.

A journalist who is coding and speaks to her computer with a command line. Julie Gommes has worked for editorial print, web and radio before becoming a trainer in the drafting of a French newspaper in Laos, teaching journalism in Egypt and gaining Infosec experience during the revolutions in Egypt and Syria. For several years she’s been studying the „jihadist“ movement and the rise of anonymisation and encryption techniques in the Middle East, and she is the author of a book about the revolutions in several of these countries, “There were once revolutions” (Ed. The Seagull, 2012). Julie now works mainly on studying international conflicts on the Internet, teaches security for journalists and participates in some groups in France fighting for Net Neutrality.

DeepSec 2015 Workshop: PowerShell for Penetration Testers – Nikhil Mittal

The platform you are working with (or against) determines the tools you can use. Of course, everyone loves to boot the operating system of choice and hack on familiar grounds. Occasionally you have no choice, and you have to use what’s available. This is especially true for penetration testing. You get to use what you find on the systems of your digital beachhead. And you are well advised to get familiar with the tools you most definitely will find on these systems. This is a reason to look at PowerShell. It is available on the Microsoft® Windows platform, so it’s the way to go. In his workshop at DeepSec 2015 Nikhil Mittal will teach you all you need to know about PowerShell.

PowerShell is the ideal tool for penetration testing of a Windows environment. With its tight integration with the Windows Operating System, its access to components like .Net, WMI, the Windows API, Domain Services, the Registry, the Filesystem, etc., and the trust that countermeasures, the OS and system administrators place in it, it is imperative to learn it, no matter if you are from a red team or a blue team. PowerShell is useful not only in the Post Exploitation phase but in all phases of a Penetration Test. In fact, it is an ideal tool for getting a foothold in a target environment.

There has been a lot of work recently on offensive techniques using PowerShell. Much of the attack research on Windows includes PowerShell usage. This training has been updated to cover (almost) all of the new techniques. The course is a mixture of demonstrations, exercises, hands-on and lecture. If you do red teaming, attend this training to sharpen your skills to attack a Windows Domain and if you do blue teaming, attend this training to understand the techniques of attackers.

We strongly recommend this training for anyone doing penetration testing or looking for tools to test their own defences. Most organisations have Microsoft® Windows systems running somewhere. With Nikhil’s expertise you can turn them into mean scripting machines which will do your bidding. Let the machines rise!


Nikhil Mittal is a hacker, infosec researcher, speaker and enthusiast. His areas of interest include penetration testing, attack research, defence strategies and post exploitation research. He has 6+ years of experience in Penetration Testing for his clients, including many global corporate giants. He is also a member of the Red teams of selected clients.
He specializes in assessing security risks in secure environments which require novel attack vectors and an “out of the box” approach. He has worked extensively on using Human Interface Devices in Penetration Tests and PowerShell for post exploitation. He is the creator of Kautilya, a toolkit which makes it easy to use Teensy in penetration tests, and Nishang, a post exploitation framework in PowerShell. In his spare time, Nikhil researches new attack methodologies and updates his tools and frameworks. Nikhil has held trainings and boot camps for various corporate clients (in the US, Europe and SE Asia), and at the world’s top information security conferences. He has spoken at conferences like Defcon, BlackHat USA, BlackHat Europe, RSA China, Troopers, DeepSec, PHDays, BlackHat Abu Dhabi, Hackfest, ClubHack, EuSecWest and more. You can visit his blog

DeepSec 2015: The Early Bird Gets the Luxury Bed, Swimming Pool and a Royal Breakfast

DeepSec 2015 is drawing nearer and tickets sell like hot cakes!

Just an insider tip for all the smart birds out there: Get a DeepSec ticket for Early Birds and, while you’re at it, book a room at our conference hotel straightaway – before they’re sold out!
We have arranged a very competitive conference rate for you (including breakfast, swimming pool & leisure area). Free Internet will be provided in the conference area. For comparison, direct booking rates are more expensive, and typically don’t include breakfast or free Wi-Fi.

About the Hotel

The Imperial Riding School Renaissance Vienna Hotel is located in a historical building, the former military horse riding school, which was built and used by Emperor Franz Josef I in 1850. Today this exquisite neo-classical hotel features 339 Deluxe Rooms, a Club Lounge, a conference centre, bar, library, pool with adjacent garden, beer and wine pub as well as the Restaurant Borromaus with a large garden area for various Summer/Winter activities. The city centre, as well as opera houses, theatres, and museums are within walking distance of the hotel.

For DeepSec you can reserve a room online very easily. Please send us a short email to about your reservation, so that we can make sure everything is alright.


The Imperial Riding School Vienna – A Renaissance Hotel
Ungargasse 60
Vienna, Vienna 1030 Austria
Phone: +43.1.71175.0
Fax: +43.1.711758143
Toll-free: +43.800.200.288


DeepSec Talk 2015: Cryptographic Enforcement of Segregation of Duty within Work-Flows – Thomas Maus

Encryption is great. Once you have a secret key and an algorithm, you can safeguard your information. The trouble starts when you communicate. You have to share something. And you need to invest trust. This is easy if you have a common agenda. If things diverge, you need something else. In his talk Thomas Maus will explain cryptographic methods that can help you deal with this problem. Meet Alice and Bob, who might not be friends at all.

Workflows with segregation-of-duty requirements or involving multiple parties with non-aligned interests (typically mutually distrustful) pose interesting challenges in often neglected security dimensions. Cryptographic approaches are presented to technically enforce strict auditability, traceability and multi-party-authorized access control and thus, also enable exoneration from allegations.

These ideas are illustrated by challenging examples – constructing various checks and balances for telecommunications data retention, a vividly discussed and widely known issue.

Sometimes it doesn’t hurt not to know everything. In case you are interested in a slightly more complicated crypto reality, we recommend attending Thomas’ presentation. There are more challenges ahead than post-quantum crypto.


Thomas Maus holds a degree in computer science. Since 1993 he has been consulting in the areas of system security, the analysis, tuning and prognosis of system performance, and the management of large, heterogeneous, mission-critical installations. Projects range from the architecture, implementation and operation of large application clusters, through technical project management, organisational and technical trouble-shooting, security assessments, the establishment of security governance processes, and security policies and analysis for trading rooms and the like, to the training of international police special forces in combating cyber-crime.

He started his computing career in 1979, at the age of sixteen, when he won the computing equipment for his school in a state-wide competition. This was soon followed by the team development of comprehensive software for school administration on behalf of the federal state – here a long-lasting affection for questions of system security, performance and architecture started. Around 1984 he fell in love with UNIX systems and IP stacks and embraced the idea of Free Software.

DeepSec 2015 Talk: Legal Responses Against Cyber Incidents – Oscar Serrano

Like it or not, „cyber“ is here to stay. No matter what word you use, the networks have become a battlefield for various military operations. While you won’t be able to secure physical territory by keyboard (you still need boots on the ground for this), you can gain information, thwart hostile communications, and possibly sabotage devices (given the sorry state of the Internet of Stuff). When you deal with actions in this arena, you might want to know what your options are. It’s worth thinking about the legal consequences. When it comes to mundane cyber crime, you usually have laws to deal with incidents. What is the response to a military cyber attack? And what counts as one? In his presentation at DeepSec 2015 Oscar Serrano will introduce you to the legal implications and options.

We will briefly introduce the Tallinn Manual on the International Law Applicable to Cyber Warfare and the different legal frameworks that could be used to respond to cyber-attacks, such as Jus ad Bellum, Jus in Bello, the countermeasures doctrine or International Criminal Law. Later we will propose a taxonomy of possible cyber-attacks, and for each type of attack we will discuss the framework that most likely best fits the effect caused. The conclusion is that, despite much talk in the media about Cyber War and possible national retaliation against cyber incidents, in reality the legal framework that best fits cyber incidents is International Criminal Law. A request for extradition is more likely than the application of UN Chapter 5 in most cases.

Thinking ahead is best done when not dealing with incidents. So attend Oscar’s presentation and learn what you can do when facing a serious attack or being caught in the middle.


Oscar Serrano has worked as a Scientist and consultant for major international organizations such as the Austrian Research Centres, Siemens or Eurojust for the last 15 years. In his role as Senior Scientist in Cyber Defence, he currently advises a major international military organization on Cyber Security policy and Risk Management. He is the author of several research papers and part of the program committee of the ACM Workshop on Information Sharing and Collaborative Security. His research interests include Threat Information Management, Cyber Law and the Detection of Advanced Persistent Threats.