Author Archive

DeepSec2017 U21 Talk: Lessons Learned: How To (Not) Design Your Own Protocol – Nicolai Davidsson

November 15, 2017

“One of the first lessons of cryptography is “don’t roll your own crypto” but we were bold enough to ignore it”, says Nicolai. “Single Sign-On is so 2016 which is why we’d like to introduce its replacement, Forever Alone Sign-On – FASO. This talk will discuss one of the ugliest SSO solutions you’ll ever see, […]

Tags: , , , ,
Posted in Conference, Development, Security No Comments »

ROOTS: Out-Of-Order Execution As A Cross-VM Side Channel And Other Applications – Sophia d’Antoine

November 15, 2017

Given the rise in popularity of cloud computing and platform-as-a-service, vulnerabilities, inherent to systems which share hardware resources, will become increasingly attractive targets to malicious software authors. In this talk, Sophia will introduce a novel side channel across virtual machines through the detection of out-of-order execution. She and her colleagues created a simple duplex channel […]

Tags: , , , ,
Posted in Conference, Security No Comments »

DeepSec 2017 Talk: OpenDXL In Active Response Scenarios – Tarmo Randel

November 15, 2017

Automating response to cyber security incidents is the trend which is – considering increasing amount of incidents organizations handle and ever-increasing attack surface – already becoming mainstream. In this talk Tarmo explores the options of using OpenDXL in real life situation of mixed environments, legacy solutions and multiple vendors for connecting existing (and future) cyber security […]

Tags: , , ,
Posted in Conference No Comments »

ROOTS: On The (In-)Security Of JavaScript Object Signing and Encryption – Dennis Detering

November 14, 2017

JavaScript Object Notation (JSON) has evolved to the de-facto standard file format in the web used for application configuration, cross- and same-origin data exchange, as well as in Single Sign-On (SSO) protocols such as OpenID Connect. To protect integrity, authenticity and confidentiality of sensitive data, JavaScript Object Signing and Encryption (JOSE) was created to apply […]

Tags: , , , , , ,
Posted in Security No Comments »

DeepSec2017 Talk: Building Security Teams – Astera Schneeweisz

November 14, 2017

While ‘security is not a team’, you’ll find that most companies growing just beyond 60-80 people start employing a group of people focusing primarily on the topic. But the culture of secure engineering in a company does not only strongly correlate with when you start building a security team – it becomes (and grows as) […]

Tags: , , , , , ,
Posted in Conference No Comments »

DeepSec 2017 Talk: How I Rob Banks – Freakyclown

November 14, 2017

You are in for an adventure at DeepSec this year. We have a tour on robbing banks for you: A light-hearted trip through security failures both physical and electronic that have enabled me over the years to circumvent security of most of the worlds largest banks. Through the use of tales from the front line […]

Tags: , , , , ,
Posted in Conference, High Entropy, Security No Comments »

DeepSec 2017 Workshop: Smart Lockpicking – Hands-on Exploiting Contemporary Locks and Access Control Systems – Slawomir Jasek

October 31, 2017

You can, quite reasonably, expect smart locks and access control systems to be free from alarming security vulnerabilities – such a common issue for an average IoT device. Well, this training will prove you wrong. After performing multiple hands-on exercises with a dozen of real devices and various technologies, you will never look at the […]

Tags: , , , , , , ,
Posted in Conference, Training No Comments »

DeepSec 2017 Talk: BitCracker – BitLocker Meets GPUs – Elena Agostini

October 25, 2017

Encryption and ways to break it go hand in hand. When it comes to the digital world, the method of rapidly using different keys may lead to success, provided you have sufficient computing power. The graphics processing units (GPUs) have come a long way from just preparing the bits to be sent to the display […]

Tags: , , , , ,
Posted in Conference No Comments »

DeepSec 2017 Talk: Who Hid My Desktop – Deep Dive Into hVNC – Or Safran & Pavel Asinovsky

October 17, 2017

Seeing is believing. If you sit in front of your desktop and everything looks as it should look, then you are not in the Matrix, right? Right? Well, maybe. Manipulating the surface to make something to look similar is a technique also used by phishing, spammers, and social engineers. But what if the attacker sitting […]

Tags: , , , , ,
Posted in Conference No Comments »

DeepSec Talk 2017: Normal Permissions In Android: An Audiovisual Deception – Constantinos Patsakis

October 17, 2017

The Marshmallow version was a significant revision for Android. Among the new features that were introduced one of the most significant is, without any doubt, the runtime permission. The permission model was totally redesigned, categorising the permissions into four main categories. The main concept of this categorisation is how much risk a user is exposed […]

Tags: , , , ,
Posted in Conference, Security No Comments »

DeepSec2017 Workshop: Mobile App Attack – Sneha Rajguru

October 16, 2017

The world’s gone mobile. Mobile devices have surpassed the standard computer (i.e. desktop) installation multiple times. In turn this means that you will encounter these devices most definitely when testing or implementing security measures. Usually adversaries do not use the platform itself. They use software to gain entry. This is why mobiles apps are the […]

Tags: , , , , , , ,
Posted in Conference, Training No Comments »

DeepSec2017 Workshop: SAP CTF Pentest : From Outside To Company Salaries Tampering – Yvan Genuer

October 10, 2017

The SAP business suite is widespread among enterprises. It is the heart of the operation, at least in terms of business logic, administration, accounting, and many other cornerstones of big companies. SAP itself was founded in 1972. Its software has now grown up and lives with the Internet and cloud platforms next door. Due to […]

Tags: , , , , ,
Posted in Conference, Training No Comments »

DeepSec 2017 Talk: How To Hide Your Browser 0-days: Free Offense And Defense Tips Included – Zoltan Balazs

October 9, 2017

There is a famous thought experiment described in the book A Treatise Concerning the Principles of Human Knowledge. It deals with the possibility of unperceived existence; for example does a falling tree in the forest make a sound when no one is around to hear it? Given the many reports and mentions about zero-day exploits, […]

Tags: , , , ,
Posted in Conference No Comments »

DeepSec 2017 Talk: BITSInject – Control Your BITS, Get SYSTEM – Dor Azouri

October 8, 2017

Microsoft has introduced the Background Intelligent Transfer Service (BITS) into Windows 2000 and later versions of the operating system. Windows 7 and Windows Server 2008 R2 feature the version 4.0 of the protocol. BITS is designed to use idle bandwidth in order to transfer data to and from servers. BITS is an obedient servant, and […]

Tags: , , , ,
Posted in Conference, Internet, Security No Comments »

DeepSec 2017 Talk: XFLTReaT: A New Dimension In Tunnelling – Balazs Bucsay

October 7, 2017

“Our new tool XFLTReaT is an open-source tunnelling framework that handles all the boring stuff and gives users the capability to take care of only the things that matter”, says Balazs. “It provides significant improvements over existing tools. From now on there is no need to write a new tunnel for each and every protocol […]

Tags: , , , ,
Posted in Conference, Security No Comments »