DeepSec 2023 Training: Terraform: Infrastructure as Remote Code Execution – Michael McCabe

Sanna/ October 2, 2023/ Conference/ 0 comments

This workshop will focus on ways to abuse the use of Terraform to elevate privileges, expose data, and gain further footholds in environments from a developer’s perspective. We’ll cover the common uses of Terraform and how a malicious actor could abuse Terraform. This talk will include multiple demos. We asked Michael a few more questions about his training. Please tell us the top 5 facts about your training. It will be very hands-on and great for folks that aren’t familiar with Terraform or have some experience. People will start with basic Terraform implementations in the cloud (AWS) and move up to more complex scenarios. We’ll cover multiple ways to hack via Terraform pipelines. You’ll learn how to use tools to prevent these abuses. You’ll have access to the lab code and can continue working

Read More

DeepSec Training: Improve your Pen-Testing Skills for Mobile Devices

René Pfeiffer/ September 29, 2023/ Conference, Training

Mobile devices are a common tool for businesses and private users. We have become accustomed to carry Internet-enabled devices with us. How do you test if your device is secure? What is the best way to find security weaknesses? Mobile security testing requires different tools and different knowledge of the platform and the applications involved. DeepSec 2023 offers a training to get you started with pen-testing all things mobile. The focus is on Android and iOS apps. Sven Schleier will help you to analyse apps, intercept network traffic, and to identify weaknesses that can be turned into exploits. The course is a deep-dive into mobile technology. It also helps you when you need to bypass SSL pinning, Touch ID, Face ID, or similar barriers. Circumventing anti-jailbreaking technologies are covered, too. The skills are absolutely

Read More

DeepSec 2023 Talk: The Evolution of Linux Binary Exploitation: From Outdated Techniques to Sophisticated Modern Attacks – Ofri Ouzan & Yotam Perkal

Sanna/ September 28, 2023/ Conference

In the ever-evolving realm of cybersecurity, the cat-and-mouse game between attackers and defenders continues to intensify. To safeguard critical systems against malicious exploitation, the hardening of binary files has emerged as a fundamental security measure. However, no security measure remains impervious to threats, and binary hardening techniques face ongoing challenges. This talk aims to shed light on the significance of binary hardening as a countermeasure against growing vulnerabilities. Through a comprehensive examination, we explore both traditional and contemporary binary exploitation techniques, providing real-world insights into modern exploiting methodologies that bypass protective mechanisms implemented through binary hardening. Our research addresses the lack of accurate and complete sources of information on binary hardening, emphasizing the importance of understanding ELF file structure and attacker avoidance strategies. By encouraging vigilance among developers and defenders, we aim to raise

Read More

DeepSec 2023 Talk: Using RPA to Simulate Insider Threats – Andrei Cotaie & Cristian Miron

Sanna/ September 27, 2023/ Conference

In a world where trust is a currency, and information is power, meet Jim, the innocent accountant, with access to many financial secrets. When his dream promotion slips through his fingers, Jim crosses the line from hero to rogue, unleashing a hidden fury fueled by betrayal. Lacking any technical skills but armed with insider knowledge, he becomes the ultimate insider threat. He can steal data without a trace, eluding the watchful eyes of the very firm that underestimated him. As colleagues celebrate their achievements, Jim orchestrates a daring heist of classified information, and security tools can’t detect him. He is the insider threat. Can he be caught as he employs ChatGPT knowledge and just google searches to grab and exfiltrate data from his company? In a thrilling tale of vengeance and deception, witness how

Read More

DeepSec 2023 Talk: RansomAWARE in 2023 – Steph Shample

Sanna/ September 26, 2023/ Conference

Ransomware’s explosion has been sustained for years. As tech changes, so too do the actor TTPs. It’s imperative to explore the 2023 mindset of ransomware actors: they are going after “target rich, cyber poor” industries that will make them money by selling data, exploiting the victims they hit as well as the partners and third party services linked to the victims. While double-, triple-, and quadruple- extortion practices are still around, actors are also adapting/changing their encryption processes to better emulate protective services such as anti-virus and file scanning software to blend in and provide no red flags to technical and cyber practitioners. This allows for a long-term, stealth presence in networks, which facilitates lateral movement to collect as much information as possible. We asked Steph a few more questions about her talk. Please

Read More

DeepSec 2023 Talk: I Just Wanted to Learn the Water Temperature… – Imre Rad

Sanna/ September 25, 2023/ Conference

The story started as a hobby project: I was about to retrieve the current temperature of a non-smart water heater in my apartment. To not void the warranty, I was looking for a non-intrusive solution that purely relies on off-the-shelf smart home gadgets only. Understanding the undocumented APIs of these IoT devices required reverse engineering the corresponding official mobile applications and eavesdropping on the network communication between them and the cloud management services. Researching this uncovered design flaws in the pairing protocol and vulnerabilities in the implementation that allowed attackers to steal victim sessions and to impersonate these devices for a life-time. We asked Imre a few more questions about his talk. Please tell us the top 5 facts about your talk. Recognizing digits on a still picture is far from easy (regardless the

Read More

DeepSec 2023 Talk: I’m Ok, You’re Ok, We’re Ok: Living with AD(H)D in Infosec – Klaus Agnoletti

Sanna/ September 22, 2023/ Conference

[This is a different topic than information security. Klaus’ presentation was included in the DeepSec 2023 schedule, because it deals with the way some of us are dealing with the individual thought processes. The work environment doesn’t fit for everyone.] I was diagnosed with AD(H)D almost three years ago, aged 44. Getting the diagnosis and being able to get proper medicine meant the world to me; suddenly I understood all those symptoms and I could function remarkably better. Better understanding also meant that I got more insight to why it was becoming increasingly harder for me to get and keep a job. So something had to happen. I’ve been an InfoSec professional for almost 20 years but after my diagnosis I moved to community marketing which basically meant doing the spare-time thing I love

Read More

DeepSec 2023 Press Release: Digitalisation Requires More Than Just Technology – DeepSec Conference Combines Digitalisation With IT Security Trainings

Sanna/ September 20, 2023/ Conference, Press

Digitalisation is a great opportunity and has arrived in all areas of society. However, there is more to it than using digital data and computer systems. Processes and ways of working need to be adapted. In addition, information security must be considered throughout, from design to implementation. The DeepSec conference again has extensive training on this topic in its programme. Digitalisation generates opportunities and markets The basic idea of digitalised processes in companies and administration is simplification through the use of IT infrastructure. Data is more easily available. Documents can be searched and found more easily. This also means that more information is available in digital form. The opportunities and markets generated by this are not all legal. In 2022, data from one billion Chinese nationals was copied. In 2018, the Indian government reported

Read More

DeepSec 2023 Talk: WEFF : p2p Communication without Third Party – Nikolaos Tsapakis

Sanna/ September 19, 2023/ Conference

References in public available literature pertaining to a completely serverless connection method between two peers behind routers implementing NAT are scarce. In this talk, we are describing a more generic method for NAT traversal that requires no intermediate server and relies on a multiple port testing method which resembles a brute force attack. We have created a proof of concept for verifying and showing our results. This talk relates to p2p communication without the need for a third party (intermediate server or other) for initiating the communication. We asked Nikolaos a few more questions about his presentation. Please tell us the top 5 facts about your talk. Privacy Decentralized communications Secure communications Easy to implement Fun to use How did you come up with it? Was there something like an initial spark that set

Read More

DeepSec 2023 Talk: Skynet wants your Passwords! The Role of AI in Automating Social Engineering – Alexander Hurbean & Wolfgang Ettlinger

Sanna/ September 18, 2023/ Conference

We techies love solving problems with cool technology, to where we attempt to implement the economy in code. Although important in general, we know that, for example, blockchain, cryptography, and Secure Software Development Life Cycle (SSDLC) are irrelevant when the user enters their credentials on a phishing site. From an attacker’s point of view, though, we see that modern technologies such as artificial intelligence are immensely beneficial to attack one of the weakest links in security – humans. We will explore how modern technologies, for instance DeepFakes, Deep Neural Networks (DNNs), and Transformers, can be misused by bad actors. We will explore some interesting ideas for attacks, discuss their practical feasibility and show implementations of some of these attacks. We will also look at approaches to detect and defend against AI-powered attacks. We asked

Read More

Early Bird Tickets turn into „Last of Us“ – get them while available

René Pfeiffer/ September 15, 2023/ Conference

Grab your early bird tickets quickly before they run out! Our ticket shop will switch to the regular tickets soon (on Tuesday). If you still need out to sort your budget, here is a way to save money. You can also send us your order before the deadline in order to get the early bird tariff. Join DeepSec 2023 in November and improve your odds in beating security incidents. A good defence rests on knowledge and exchange of information. Get in contact with security experts from all over the world! See you in Vienna!

DeepSec 2023 Streaming Tickets available

René Pfeiffer/ September 12, 2023/ Conference

COVID-19 forced us to explore the wonderful world of streaming and to review our video equipment. Since 2020, all DeepSec conferences feature live streams. The processes behind the streams are now mature. This means that you can attend DeepSec virtually. Our ticket shop now has streaming video tickets for you. This ticket allows you to watch the live streams and to get early access to the post-processed presentation videos once we have uploaded them. The live streams also offer you to get into contact with the speakers by asking questions. You just use the chat function and ask what you want to know. Click and join us!

DeepSec 2023 Talk: !CVE: A New Platform for Unacknowledged Cybersecurity !Vulnerabilities – Hector Marco & Samuel Arevalo

Sanna/ September 11, 2023/ Conference

In the ever-evolving cybersecurity landscape, the identification and acknowledgment of vulnerabilities through the Common Vulnerabilities and Exposures (CVE) system plays a crucial role. However, vendor discretion in determining whether a security issue warrants a CVE assignment often results in overlooked vulnerabilities that pose significant risks. This presentation introduces the !CVE initiative, a groundbreaking platform that addresses this critical gap by identifying, tracking, and sharing unacknowledged cybersecurity vulnerabilities. Our presentation begins with an overview of the CVE system and the challenges security researchers face in dealing with unacknowledged vulnerabilities. We discuss real-world examples of security issues ignored by vendors and explore the potential consequences of these hidden threats. We then delve into the !CVE platform, detailing its mission, features, and collaborative approach to empower the security community. Through case studies, we show the value of

Read More

DeepSec 2023 Talk: Introducing CS2BR – Teaching Badgers New Tricks – Moritz Thomas & Patrick Eisenschmidt

Sanna/ September 8, 2023/ Conference

Staying under the radar and remaining undetected is one of our priorities during Red Teaming assessments. After all, we’re simulating real threat actors and want to reach our objectives without raising any suspicion. This becomes a more and more challenging task as new defences are implemented, requiring us to add new tools and techniques to our tool belt. Occasionally, though, there is a new technique that brings a broad set of features and doesn’t leave countless traces. This talk is about one such technique: beacon object files (BOFs)! BOFs aren’t exactly the new hot stuff, as a matter of fact, they’ve been around for more than two years now. In those two years, a de-facto BOF standard has been adapted by many C2 frameworks out there. But what happens when your C2 doesn’t support

Read More

DeepSec 2023 Talk: 1h Talk – LeaveHomeSafe: The Good, the Bad, the Ugly – Abraham Aranguren

Sanna/ September 7, 2023/ Conference

The COVID-19 pandemic has led to the development and deployment of various contact tracing apps worldwide, including the Hong Kong government’s LeaveHomeSafe app. In this talk, we will present the findings of our comprehensive security assessment of LeaveHomeSafe, which uncovered a range of vulnerabilities from minor to critical. We will discuss the overall app design and functionality, the uncovered issues related to data privacy and security, as well as interesting edge-case scenarios. We will delve into the technical details of the vulnerabilities we found, demonstrating the tools and techniques used to identify and exploit them. Our talk will also cover the disclosure process, as well as the subsequent press and official Hong Kong government reactions, which garnered international attention. The talk will break down the good, the bad and the ugly of this security

Read More