Security

DeepSec2017 U21 Talk: Lessons Learned: How To (Not) Design Your Own Protocol – Nicolai Davidsson

Posted by on November 15, 2017 at 3:15 pm

“One of the first lessons of cryptography is “don’t roll your own crypto” but we were bold enough to ignore it”, says Nicolai. “Single Sign-On is so 2016 which is why we’d like to introduce its replacement, Forever Alone Sign-On – FASO. This talk will discuss one of the ugliest SSO solutions you’ll ever see, […]

ROOTS: Out-Of-Order Execution As A Cross-VM Side Channel And Other Applications – Sophia d’Antoine

Posted by on November 15, 2017 at 11:15 am

Given the rise in popularity of cloud computing and platform-as-a-service, vulnerabilities, inherent to systems which share hardware resources, will become increasingly attractive targets to malicious software authors. In this talk, Sophia will introduce a novel side channel across virtual machines through the detection of out-of-order execution. She and her colleagues created a simple duplex channel […]

ROOTS: On The (In-)Security Of JavaScript Object Signing and Encryption – Dennis Detering

Posted by on November 14, 2017 at 5:45 pm

JavaScript Object Notation (JSON) has evolved to the de-facto standard file format in the web used for application configuration, cross- and same-origin data exchange, as well as in Single Sign-On (SSO) protocols such as OpenID Connect. To protect integrity, authenticity and confidentiality of sensitive data, JavaScript Object Signing and Encryption (JOSE) was created to apply […]

DeepSec 2017 Talk: How I Rob Banks – Freakyclown

Posted by on November 14, 2017 at 11:23 am

You are in for an adventure at DeepSec this year. We have a tour on robbing banks for you: A light-hearted trip through security failures both physical and electronic that have enabled me over the years to circumvent security of most of the worlds largest banks. Through the use of tales from the front line […]

The only responsible Encryption is End-to-End Encryption

Posted by on October 30, 2017 at 5:02 pm

Last week the Privacy Week 2017 took place. Seven days full of workshops and presentations about privacy. This also included some security content as well. We provided some background information about the Internet of Things, data everyone of us leaks, and the assessment of backdoors in cryptography and operating systems. It’s amazing to see for […]

DeepSec Talk 2017: Normal Permissions In Android: An Audiovisual Deception – Constantinos Patsakis

Posted by on October 17, 2017 at 8:01 am

The Marshmallow version was a significant revision for Android. Among the new features that were introduced one of the most significant is, without any doubt, the runtime permission. The permission model was totally redesigned, categorising the permissions into four main categories. The main concept of this categorisation is how much risk a user is exposed […]

Science First! – University of Applied Sciences Upper Austria (FHOOe) supports DeepSec

Posted by on October 12, 2017 at 5:00 pm

The motto of DeepSec 2017 is „Science first!“. This is expressed by the co-located ROOTS workshop, many speakers from academics, topics fresh from the front lines of research, and a mindset that favours facts over fake content or showmanship. This is why we want to thank the University of Applied Sciences Upper Austria for their […]

DeepSec 2017 Talk: BITSInject – Control Your BITS, Get SYSTEM – Dor Azouri

Posted by on October 8, 2017 at 8:30 am

Microsoft has introduced the Background Intelligent Transfer Service (BITS) into Windows 2000 and later versions of the operating system. Windows 7 and Windows Server 2008 R2 feature the version 4.0 of the protocol. BITS is designed to use idle bandwidth in order to transfer data to and from servers. BITS is an obedient servant, and […]

DeepSec 2017 Talk: XFLTReaT: A New Dimension In Tunnelling – Balazs Bucsay

Posted by on October 7, 2017 at 8:05 am

“Our new tool XFLTReaT is an open-source tunnelling framework that handles all the boring stuff and gives users the capability to take care of only the things that matter”, says Balazs. “It provides significant improvements over existing tools. From now on there is no need to write a new tunnel for each and every protocol […]

DeepSec 2017 Talk: Insecurity In Information Technology – Tanya Janca

Posted by on October 6, 2017 at 8:05 am

A lot is expected of software developers these days; they are expected to be experts in everything despite very little training. Throw in the IT security team (often with little-to-no knowledge of how to build software) telling developers what to do and how to do it, and the situation is further strained. This silo-filled, tension-laced […]

DeepSec 2017 Talk: Bypassing Web Application Firewalls – Khalil Bijjou

Posted by on October 5, 2017 at 1:43 pm

Everyone has firewalls or filters. They are now called application-level gateway (ALG) and have lots of features included. Algorithms, signatures, heuristics, protocol checks, verification; you name it. It’s all in there. But does it work? Obfuscation and evading technology has been around since the first filter was created. Anticipating what data might look like is […]

DeepSec 2017 Talk: Next-Gen Mirai Botnet – Balthasar Martin & Fabian Bräunlein

Posted by on September 27, 2017 at 10:17 am

While you were living in a cave, devices took over the world and got connected to the network. This is the state of affairs we live in right now. As long as nothing happens we don’t notice anything about it. The Mirai (未来) botnet changed this all of a sudden. Consumer devices were drafted into […]

44CON revisited: Secure Design in Software is still a new Concept

Posted by on September 20, 2017 at 8:51 am

We have been to 44CON, and we returned with lots of ideas and scary news about the state of security in devices and applications. Given the ever spreading Internet of Things (IoT) you can see why connecting random devices via a network with no second thoughts about design, updates, or quality control is a bad […]

DeepSec 2017 Training: The ARM IoT Exploit Laboratory

Posted by on August 29, 2017 at 5:25 pm

If the Internet of Things (IoT) will ever leave puberty, it has to deal with the real world. This means dealing with lies, fraud, abuse, exploits, overload, bad tempered clients (and servers), and much more. Analysing applications is best done by looking at what’s behind the scenes. IoT devices, their infrastructure, billions of mobile devices, […]

DeepSec 2017 Talk: Malware Analysis: A Machine Learning Approach – Chiheb Chebbi

Posted by on August 26, 2017 at 2:13 pm

Software has a character. It can be beneficial. It can also be malicious. A networked business world and the Internet of connected individuals make life for malicious software, also known as malware, easier. Just like international travel facilitates the spread of diseases and parasites, the networked globe is a big advantage for malware. Researcher can […]