Support for BSidesLondon’s Rookie Track

We are proud to support the Rookie Track at BSidesLondon in 2018 again. This means that one of us will be present at the Rookie Track and that the winner will get to attend DeepSec in November. It’s hard to get a start, so we like to help the rookies with that. We also like to encourage everyone to share ideas, thoughts, code, and insights either at the Rookie Track or on the main stage. If you have never presented before, get a mentor and work on your presentation. Don’t be afraid. We like to hear your thoughts on infosec and related topics.

The same is true for our U21 presentation slot. We encourage young researchers to submit a presentation to DeepSec. We also offer mentoring and help you to get your content on stage. You just have to submit. ☻

Change of Ticket System for DeepSec and DeepINTEL

We have made some changes behind the scenes, as always when preparing the new events for the year. This time we decided to change the ticket shop for both DeepINTEL and DeepSec. The reason for the new shop is its focus on privacy and security. Most shops are part of a social media network or collect too much information (it can be both, depending on the interaction and the platform). It doesn’t matter whether the collected information is protected by privacy procedures or not. Our intent was to streamline the process. For you this means that you can buy your tickets as easily as before. We still have vouchers, too. Ask our sponsors. Furthermore, the payment goes directly to us, so we can manage your visit to DeepSec and DeepINTEL more efficiently. The new shop also offers some more payment methods.

In case you need anything, have special requests, or need support with buying tickets via the ticket shops, then please let us know. Keep in mind that we still offer different rates. The earlier you book, the less money you spend!

DeepSec 2018 calls for Trainings and Content – Focus Mobility

The DeepSec 2018 Call for Papers is open. The focus for this year is mobility. Mobile networks and mobile devices have established themselves firmly in our society. And mobility doesn’t end here. Transport is transforming into new technologies by incorporating access to data networks (yes, that’s the „Cloud“), the power grid (think electric vehicles), drones, new propulsion systems, artificial intelligent (sometimes even both!) personal assistants and algorithms (mathematics has become mainstream). The ever growing number of dependencies between components is a fertile breeding ground for cascading errors that impact more than your new car or your latest order from your favourite online shop. Information security must become as mobile as home deliveries of goods and electric power. And it must become common. Infosec isn’t optional any more. Since bug logos have captured the minds of news readers, the message of information security should do this, too. Sadly the products we use and rely on don’t seem to catch up.

We are looking for content to address this aspect of our modern society. Mobility is the red line to guide you, but of course we are interested in anything that you are researching. We have become much more interconnected since the days of the first DeepSec conference. Let’s have a look at the consequences. There are many perfect tens out there, especially when you connect All teh Things.

We start early, because we want to get your submissions for trainings first! Since DeepSec is in the last week of November, we like to inform potential trainees as early as possible in order to facilitate the booking of tickets. Please send us your ideas! Don’t waste time!

Secret Router Security Discussion in Germany

Routers are the main component when it comes to connecting sites, homes, and businesses. They often „just“ take care of the access to the Internet. The firewall comes after this access device. The German Telekom suffered an attack on their routers in 2016. The German Federal Office for Information Security now tries to create a policy for securing these critical systems. In theory this should add a set of documents on how to securely operate a router for last mile access. Information security basically runs on checklists and policies. The trouble starts with the firmware. In Germany there is a discussion about using alternative devices as access components, enabling customers and organisations to use products of their own choice. Since firmware is the worst code on this planet, changing models and code is a good idea. The Association of German Cable Operators (ANGA) strictly opposes changes of software on modems. The working group discussing the new policy has held meetings in Bonn, but it’s complicated. Furthermore, participants discuss the topic under a non-disclosure agreement.

Security and secrecy don’t play well together. In this case there is the question of supporting customer-operated software on access devices, but this can be solved. All companies already use software tailored to their needs. Few applications or devices are used off-the-shelf. A lot of IT departments bring devices and other components into a given state by applying patches and changes to the configuration. Surely the access to the Internet must not remain a mystery. Protocols are documented, the technology is not based on a need-to-know basis. Why not address this weak link by giving sysadmins the tools to take care of the network boundary? Especially in times of home offices and interconnected (business) applications this link must be taken into account when designing security. has an article describing the process in depth (and in German).

Save the Dates for DeepSec 2018 and DeepINTEL 2018

While everyone was busy with the holidays, Meltdown and Spectre, we did some updates behind the scenes. DeepSec 2018 will be held from 27 to 30 November 2018. We tried not to collide with Thanksgiving, so that you can come to Vienna after being with your family. As always, the first two days will be the trainings, followed by two days of conference. DeepINTEL 2018 will be on 17 / 18 September 2018. We have a topical focus for both events and will present each of them in a separate article. There are still some details to work out. Wordsmithing and administrivia are the equivalent of dependencies and patches in software development – necessary, but they take time. It’s worth it, you will see for yourself.

We have a special message for anyone who intends to conduct a training at DeepSec 2018: Please let us know as soon as possible! This year’s DeepSec is later than usual, and we try to inform interested parties, companies, and individuals in time about the topics. So if you have something in your mind, if you work on cutting edge content and want to share, let us know. The Call for Papers manager is the easiest way, but of course you can drop us an email as well.

In addition the videos of DeepSec 2017 have been published on Vimeo. Since the video platform abolished its tip jar for donations, we will free the videos in June for everyone. All attendees and speakers enjoy them already. The slides from the presentations are online as well. Plus we have published In Depth Security Vol. II: Proceedings of the DeepSec Conferences for you to read on your mobile device or in print. Volume I is available, too. Volume III is on its way.

Meltdown & Spectre – Processors are Critical Infrastructure too

Information security researchers like to talk about and to analyse critical infrastructure. The power grid belongs to this kind of infrastructure, and so does the Internet (or networks in general). Basically everything we use has components. Software developers rely on libraries. Usually you don’t want to solve a problem multiple times. Computer systems are built with many components. Even a System on a Chip (SoC) has components, albeit smaller and close to each other. 2018 begins with critical bugs in the critical infrastructure of processors. Meltdown and Spectre haunt the majority of our computing infrastructure, be it the Cloud, local systems, servers, telephones, laptops, tablets, and many more. Information security relies on the weakest link. Once your core components have flaws, the whole platform may be in jeopardy. In 2017 malicious hypervisors, in the form of bugs/backdoors in the Intel® Management Engine (AMD™, for example, has a similar technology), came to light. Coreboot is one way to replace the attack surface of your BIOS/UEFI firmware. These approaches can’t do much once the processor itself is affected.

Hindsight doesn’t help, but bugs in the processor core or its microcode have happened before. There is the famous FDIV bug, F00F, and other CPU bugs have been around for decades. The reason is sometimes the security-performance trade-off, it may be due to an architectural design error, or just simple oversight. Debugging is hard, hence hardware. If you are lucky, you run a platform that is not vulnerable. The Raspberry Pi ARM core is not affected by Meltdown or Spectre. So if you run on Raspberrys, then you are fine. Building a cloud platform is tricky (we tried to install OpenStack on a number of Raspberry Pis; it almost worked, but 1 GB memory is barely enough for the controller node).

We haven’t even mentioned embedded devices and the notorious Internet of Things (IoT). The history of bugs is huge. Back in 2014 there was an article on how hard/impossible it is to fix this ecosystem. The recent DeepSec conference featured a talk about the Mirai botnet and possible successors. There is not much you can do about it unless you can change the design. Once upon a time there were approaches to have reduced instruction sets on processors. Inspecting all the feature sets of modern CPUs looks like a higher level language. Of course we want our code to run as fast as possible. Who wants to wait? However there are designs that take security into account, and when it comes to critical infrastructure we will have the patience. Otherwise we will have to say goodbye to the idea of a secure platform.

Let’s see how many bugs in hardware 2018 brings. If you find some, please let us know and submit a presentation. Submissions for trainings are welcome as well. The Calls for Papers for DeepSec 2018 and DeepINTEL 2018 open soon.

DeepSec 2017 Presentation Slides

While the videos are on their way to the rendering farm, the presentation slides for DeepSec 2017 can already be downloaded. We put them online as soon as we get the final version from our speakers. If you do some guessing URL-wise you can also find the presentations of past conferences at the very same spot. Since we collect the final slides after the conference and do not ask speakers to put USB sticks into their computers during the conference, the download repository will fill in time. Unfortunately we cannot speed up this process. So bear with us, we are as curious as you (especially since some of us never get to see any presentation at DeepSec because there is too much to do).

As for the videos, all speakers and attendees will also get a direct link with early access to the content within the next few days. You don’t have to reload our blog or Twitter feed. 😉

DeepSec 2017 thanks you and DeepSec 2018 is almost ready

We caught up on sleep and are right in the middle of post-processing DeepSec 2017. Thanks to you all for attending, presenting, sending feedback, and being part of a great event. The slides will be online soon. The videos are being converted. We will upload them as bandwidth permits. All speakers and attendees will get a code to access them early.

Thanks for your feedback as well! We listen, and we have some plans to address the issues you reported. 2018 will see a lot of improvements.

We will announce the dates for DeepSec and DeepINTEL 2018 soon. The events will stay in November and September. We just need to coordinate with the venue and will let you know as soon as possible. The Calls for Papers open early in 2018, as does the new ticket shop system.

Looking forward to seeing you (again) in 2018!

DeepSec2017 U21 Talk: Lessons Learned: How To (Not) Design Your Own Protocol – Nicolai Davidsson

“One of the first lessons of cryptography is “don’t roll your own crypto” but we were bold enough to ignore it”, says Nicolai. “Single Sign-On is so 2016 which is why we’d like to introduce its replacement, Forever Alone Sign-On – FASO. This talk will discuss one of the ugliest SSO solutions you’ll ever see, its updated, slightly less ugly, iteration, and, ultimately, FASO.

We’ll discuss the use cases, questionable decisions made during the planning process, the actual self-rolled, totally vulnerable, cryptography, and the even worse code architecture.

In all seriousness: The talk reflects on the design process of a SSO protocol and its first two iterations, going from a semi-functional workaround to an experimental OAuth-and-the-like alternative utilizing pre-shared keys, symmetric cryptography and implicit authentication.”


Nicolai is a security researcher at zyantific and a graduate student at Ruhr University Bochum where he’s also an avid member of the FluxFingers CTF team. He likes burgers, buffer overflows and bad crypto.

ROOTS: Out-Of-Order Execution As A Cross-VM Side Channel And Other Applications – Sophia d’Antoine

Given the rise in popularity of cloud computing and platform-as-a-service, vulnerabilities inherent to systems which share hardware resources will become increasingly attractive targets to malicious software authors. In this talk, Sophia will introduce a novel side channel across virtual machines through the detection of out-of-order execution. She and her colleagues created a simple duplex channel as well as a broadcast channel. She’ll discuss possible adversaries for this channel and propose further work to make this channel more secure, efficient and applicable in realistic scenarios. In addition, she considers seven possible malicious applications of this channel: theft of encryption keys, program identification, environmental keying, malicious triggers, denial of service attacks, determining VM co-location, malicious data injection, and side channels.

We asked Sophia a few questions about her talk.

Please tell us the top 5 facts about your talk.

  • We introduce a novel side channel across the Pipeline using Out-of-Order execution to alter and leak co-located process state.
  • We abstract out hardware side channels and apply a model to all shared hardware elements both in virtualized environments (the cloud) and on a standard computer.
  • This talk also explains some fundamental dynamic resource allocations used in the cloud that cause resource contentions.
  • From here, we theorize that optimizations are the root cause of many side channels both in the hardware and software layers.
  • We discuss several new optimizations in the x86 and ARMv8-A spec which could possibly lead to useful side channels.

How did you come up with it? Was there something like an initial spark that set your mind on creating this talk?

Messing around with threads in university, I started to see a recordable pattern of erroneous results depending on other applications running in the background. Digging deeper into it I started learning about Out-of-Order execution, how by using it I could force a thread to receive incorrect results and how to deterministically leak system information.

Why do you think this is an important topic?

  • Shared resources in untrusted environments are becoming increasingly common. This leads to virtual allocations of physical resources and dynamic changes to resource distribution. These dynamic changes are the result of one process and may affect another process outside of its security boundary.
  • New hardware optimizations are also being introduced.

Is there something you want everybody to know – some good advice for our readers maybe?


A prediction for the future – what do you think will be the next innovations or future downfalls when it comes to your field of expertise / the topic of your talk in particular?

In the future we’ll see more hardware solutions to software side channels. Case in point, recently ARM released extensions to the architecture for the purpose of mitigating cryptographic side channels in the multiply function. It is called Data Independent Timing and forces the upper bound execution time for all instructions (example: multiplications) when a specific flag is set. This means that 1×1 will take the same time as 2546483×245303. I think we will see more solutions like this to other security problems – not just side channels.

The implementation of these solutions may not be perfect however, and either may not completely solve the problem or introduce new vulnerabilities. For instance, this ARM constant time instruction flag does not enforce constant time loads and stores, depending on the memory being accessed. This could possibly be abused to bypass the solution.


Sophia d’Antoine is a senior security researcher at Trail of Bits in NYC and a graduate of Rensselaer Polytechnic Institute. She is a regular speaker at security conferences around the world, including RECon, HITB, and CanSecWest. Her present work includes techniques for automated software exploitation and software obfuscation using program analysis. She spends too much time playing CTF and going to noise concerts.


DeepSec 2017 Talk: OpenDXL In Active Response Scenarios – Tarmo Randel

Automating response to cyber security incidents is the trend which is – considering the increasing amount of incidents organizations handle and the ever-increasing attack surface – already becoming mainstream. In this talk Tarmo explores the options of using OpenDXL in the real-life situation of mixed environments, legacy solutions and multiple vendors for connecting existing (and future) cyber security system components for coordinated information exchange and orchestrating incident response action.

Tarmo is a researcher at the NATO Cooperative Cyber Defence Centre of Excellence, working on various research projects and developing for large scale cyber exercises. He’s also a developer at the Estonian eHealth Foundation, “kickstarting” its in-house development team. Tarmo creates supporting infrastructure and prepares and executes plans for taking over selected external vendor development projects. He has been Head of Department at CERT-EE, running the Computer Emergency Response Team, and an information security expert at CERT-EE, creating new tools and implementing existing ones to understand what is going on in networks. Tarmo detects and mitigates cyberattacks, analyses malware, plans and executes public awareness raising campaigns and supports building a trusted information security community network.

He has also been a system administrator at Tele2 & Trigger Software, converting legacy systems to modern, expandable high availability systems, coding in PHP and C, looking for and eliminating performance bottlenecks, and supporting development infrastructure.


ROOTS: On The (In-)Security Of JavaScript Object Signing and Encryption – Dennis Detering

JavaScript Object Notation (JSON) has evolved to the de-facto standard file format in the web used for application configuration, cross- and same-origin data exchange, as well as in Single Sign-On (SSO) protocols such as OpenID Connect. To protect integrity, authenticity and confidentiality of sensitive data, JavaScript Object Signing and Encryption (JOSE) was created to apply cryptographic mechanisms directly in JSON messages. We investigated the security of JOSE and present different applicable attacks on several popular libraries. We introduce JOSEPH (JavaScript Object Signing and Encryption Pentesting Helper) – our newly developed Burp Suite extension, which automatically performs security analysis on targeted applications. JOSEPH’s automatic vulnerability detection ranges from executing simple signature exclusion or signature faking techniques, which neglect JSON message integrity, up to highly complex cryptographic Bleichenbacher attacks breaking the confidentiality of encrypted JSON messages. We found severe vulnerabilities in six popular JOSE libraries. We responsibly disclosed all weaknesses to the developers and helped them to provide fixes.

We asked Dennis a few questions about his topic of choice.

Please tell us the top 5 facts about your talk.

  • In our talk we present our research on the new JavaScript Object Signing and Encryption (JOSE) standards, which were created to apply cryptographic mechanisms directly in JSON messages to protect integrity, authenticity and confidentiality of sensitive data.
  • We investigated the applicability of known attacks ranging from simple signature exclusion or signature faking techniques, which neglect JSON message integrity, up to highly complex cryptographic Bleichenbacher attacks breaking the confidentiality of encrypted JSON messages.
  • We found severe vulnerabilities in six popular JOSE libraries. We responsibly disclosed all weaknesses to the developers and helped them to provide fixes.
  • We introduce JOSEPH (JavaScript Object Signing and Encryption Pentesting Helper) – our newly developed open source Burp Suite extension, which performs (semi-)automatic security checks on targeted applications and aids in manual manipulation and inspection.
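The first of the attack classes listed above, signature exclusion, works against a verifier that lets the token’s own header choose the algorithm. The following example is added here and is not code from the talk, the JOSEPH extension or any library named above; it uses a constructed HMAC key and constructed claims, and shows a header-driven verifier beside a verifier that pins the algorithm and key on its own side.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo key for this example; not from the page or any deployment.
KEY = b"constructed-demo-secret"


def b64url_encode(data: bytes) -> str:
    """base64url without padding, as used by compact JWS serialization."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _segment(obj: dict) -> str:
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode("utf-8"))


def _mac(header_b64: str, body_b64: str, key: bytes) -> bytes:
    return hmac.new(key, f"{header_b64}.{body_b64}".encode("ascii"), hashlib.sha256).digest()


def sign_hs256(payload: dict, key: bytes) -> str:
    """Issue a compact JWS whose signature is HMAC-SHA256 over header.payload."""
    header = _segment({"alg": "HS256", "typ": "JWT"})
    body = _segment(payload)
    return f"{header}.{body}.{b64url_encode(_mac(header, body, key))}"


def unsigned_variant(payload: dict) -> str:
    """Test input for the verifiers: a token whose header claims 'alg': 'none'
    and whose signature segment is empty. A correct verifier must reject it."""
    return f"{_segment({'alg': 'none', 'typ': 'JWT'})}.{_segment(payload)}."


def verify_naive(token: str, key: bytes):
    """Vulnerable: the algorithm is taken from the token header, so an attacker
    who can rewrite the header also decides whether a signature is checked."""
    header_b64, body_b64, sig_b64 = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") == "none":
        return json.loads(b64url_decode(body_b64))      # no integrity check at all
    if header.get("alg") == "HS256":
        if hmac.compare_digest(_mac(header_b64, body_b64, key), b64url_decode(sig_b64)):
            return json.loads(b64url_decode(body_b64))
    return None


def verify_strict(token: str, key: bytes, expected_alg: str = "HS256"):
    """Hardened: the verifier fixes algorithm and key in advance; the header
    is only checked for agreement, never consulted for a choice.
    Returns the claims on success, None on any failure."""
    parts = token.split(".")
    if len(parts) != 3 or not parts[2]:
        return None                                      # missing signature
    header_b64, body_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
        signature = b64url_decode(sig_b64)
    except ValueError:
        return None                                      # malformed segments
    if not isinstance(header, dict) or header.get("alg") != expected_alg:
        return None                                      # algorithm not the pinned one
    if not hmac.compare_digest(_mac(header_b64, body_b64, key), signature):
        return None
    return json.loads(b64url_decode(body_b64))


if __name__ == "__main__":
    genuine = sign_hs256({"sub": "alice", "admin": False}, KEY)
    tampered = unsigned_variant({"sub": "alice", "admin": True})
    print("naive  accepts unsigned token:", verify_naive(tampered, KEY))
    print("strict accepts unsigned token:", verify_strict(tampered, KEY))
    print("strict accepts genuine token: ", verify_strict(genuine, KEY))
```

The point of `verify_strict` is that algorithm, key and the presence of a signature are all decided by the relying party’s configuration; the same pinning also closes the related key-confusion variant of signature faking, where a header asks an asymmetric verifier to treat its public key as an HMAC secret.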

How did you come up with it? Was there something like an initial spark that set your mind on creating this talk?

This talk summarizes the results of our research, which was conducted as a Master’s thesis at the Ruhr University in Bochum in cooperation with the CSPi GmbH. The Extensible Markup Language (XML) already enjoys great popularity and allows for cryptographic mechanisms by applying the XML Signature and XML Encryption standards. XML implementations already suffered from several practically applicable attacks and we wanted to check whether JOSE implementations are more secure.

Why do you think this is an important topic?

JavaScript Object Notation (JSON) has evolved to the de-facto standard file format in the web and is used for application configuration, cross- and same-origin data exchange, as well as Single Sign-On (SSO) protocols such as OpenID Connect. Thus, JOSE implementations are used for sensitive processes and data, such as authentication mechanisms, password resets, confidential storage and sensitive data transfer. If those implementations contain weaknesses that allow for any bypass, this probably results in a compromise of user accounts, personal data or full systems.

Is there something you want everybody to know – some good advice for our readers maybe?

Usually, it’s not a good idea to implement your own cryptography. Most weaknesses in the field of cryptography result from implementation issues and missing knowledge of known and possible attacks. Especially companies should invest a lot more in security analyses and audits.

A prediction for the future – what do you think will be the next innovations or future downfalls when it comes to your field of expertise / the topic of your talk in particular?

There exist more known attacks against cryptographic systems and possible pitfalls. Such attacks are, for example, adaptive chosen-ciphertext attacks on the CBC mode and invalid curve attacks. With respect to future work, the analysis of such attacks on JOSE is considered essential. Furthermore, the usage of JOSE in complex systems like JSON-based web services and protocols like OpenID Connect should be in the scope of further research. Similar to the security analysis of XML-based services, an in-depth evaluation could lead to the discovery of completely new attacks. Additionally, JOSE’s advantages of being simple, self-contained and designed for usage in space constrained environments open future use-cases in the field of the Internet of Things and Industry 4.0.


Dennis has a Master’s degree of IT security from the Ruhr-University Bochum and works as a penetration tester at the CSPi GmbH in Cologne. He has an avid interest in web, network and industrial security and loves to research and hunt for bugs.

DeepSec2017 Talk: Building Security Teams – Astera Schneeweisz

While ‘security is not a team’, you’ll find that most companies growing just beyond 60-80 people start employing a group of people focusing primarily on the topic. But the culture of secure engineering in a company does not only strongly correlate with when you start building a security team – it becomes (and grows as) a matter of how they connect with the rest of your organization, and make security, adversarial thinking, and the care for user safety and privacy part of everyone’s concern. In this talk, Astera will review what the purposes of a security team can be, which challenges you’ll face, how you can make it scale beyond the team’s boundaries; as well as proven good practices of running (fairly operational) engineering teams themselves. Whether your organization already has a security team or is currently distributing security demands across areas, you’ll be able to take away how to build (out) a dedicated security team and make your engineers (and, spoiler alert, other teams!) happy, healthy, and sustainable for the years to come.

Please tell us the top 5 facts about your talk.

At a certain organizational size, you might (very likely) need a dedicated security team – but you shall never think of security as a team. You’ll need to consider the boundaries of responsibility for that team, or you won’t be able to scale. The way to get your products and users more secure, is through making security part of your company’s (engineering) culture. You want your teams across the org to work together, because they care about a common cause, and be happy doing so. There’s nothing magical-unicorn-y around security, and we should actively make people stop thinking that security engineers are more special than other people.

How did you come up with it? Was there something like an initial spark that set your mind on creating this talk?

I often receive the same questions again and again from people (think VP of engineering more than security lead) working at other organizations, not about vulnerabilities or tools or some sort of snakeoil they might have heard of, but about how we managed to get our teams to work together as they do, and deliver the results they do. I figured I’d put the common questions (minus everything about compliance) into one handy talk.

Why do you think this is an important topic?

Because people >> technology, and we should talk more about how we meet what’s expected of us today with the teams we get to build.

Is there something you want everybody to know – some good advice for our readers maybe?

If I wanted attendees to at least remember one single thing from my talk, it would be: Hire people with empathy, not 0days.

A prediction for the future – what do you think will be the next innovations or future downfalls when it comes to particularly your field of expertise / the topic of your talk?

I’m afraid I don’t have an answer to that 😉

Astera has always been fascinated with machines and how to make them do her own bidding, working in defensive security for the past decade. More recently, she’s grown to love and prioritize the challenge of working with real humans in her life, and exciting others about this frontier. She works as the Director of Security at SoundCloud’s Berlin headquarters, overseeing the Security, User Auth, Anti-Abuse, and Corporate IT teams.


Notes on the ROOTS Schedule and the Conference

We are all set for the conference on Thursday. We did some last minute changes to the schedule due to some speakers running into issues, but we can confirm almost all presentations. You may have noticed the ROOTS schedule. It’s a bit shorter than DeepSec’s, but the two events are not competing. The review for ROOTS is a lot harder, because the presentation is about a scientific publication. This means your submission gets peer-reviewed and voted on by the programme committee. We received some content more suitable for, let’s say, standard events. This won’t do, and this is why you see only the best submissions of ROOTS published in the schedule.

All in all we are very glad to present you high quality presentations from speakers who really know information security. Enjoy!

See you at DeepSec!

DeepSec 2017 Talk: How I Rob Banks – Freakyclown

You are in for an adventure at DeepSec this year. We have a tour on robbing banks for you:

A light-hearted trip through security failures both physical and electronic that have enabled me over the years to circumvent the security of most of the world’s largest banks. Through the use of tales from the front line and useful illustrative slides, I will attempt to take you through the lessons to be learned from an ethical hacker with a penchant for breaking into the impossible. Let me take you on a rollercoaster ride of epic fails and grandiose plans and my Jason Bourne like adventures including Lockpicking, Kidnap, Police chases and multi-million pound bank heists.

FC is a well-known ethical hacker and social engineer. He has been working in the infosec field for over 20 years and excels at circumventing access controls. He has held positions in his career such as Senior Penetration Tester as well as Head of Social Engineering and Physical Assessments for renowned penetration testing companies. As Head of Cyber Research for Raytheon Missile Systems, and having worked closely alongside intelligence agencies, he has cemented both his skillset and knowledge and helped steer governments toward correct courses of action against national threats.

As an ethical hacker and social engineer, FC ‘breaks into’ hundreds of banks, offices and government facilities in the UK and Europe. His work demonstrating weaknesses in physical, personnel and digital controls assists organisations to improve their security. He is motivated by a drive to make individuals, organisations and countries more secure and better-able to defend themselves from malicious attack.

Now Co-Founder and Head of Ethical Hacking at Redacted Firm, he continues to perform valuable research into vulnerabilities. His client list involves major high-street banks in the UK and Europe, FTSE100 companies and multiple government agencies and security forces. FC frequently gives talks at corporate events, security conferences, universities and schools and focuses on teaching people of all ages the art of security in an engaging and impactful way. He co-founded the Surrey and Hampshire Hackspace as well as Defcon 441452. He has co-hosted many podcasts, been featured in the press and regularly writes articles for journals and blogs.