DeepSec2017 Workshop: Mobile App Attack – Sneha Rajguru

The world’s gone mobile. Mobile devices outnumber standard (i.e. desktop) computer installations many times over. In turn this means that you will most definitely encounter these devices when testing or implementing security measures. Usually adversaries do not use the platform itself. They use software to gain entry. This is why mobile apps are the most preferred way of delivering attacks today. Understanding the finer details of mobile app attacks is soon becoming an essential skill for penetration testers as well as for app developers and testers. This is why we have a special training for you at DeepSec 2017.

So, if you are an Android or iOS user, a developer, a security analyst, a mobile pen-tester, or just a mobile security enthusiast, the training ‘Mobile App Attack’ is of definite interest to you. The course gives attendees an in-depth technical explanation of some of the most notorious mobile (Android and iOS) vulnerabilities and of ways to verify and exploit them, covers various Android and iOS application analysis techniques and built-in security schemes, and teaches how to bypass those security models on both platforms.

With live demos using real-world vulnerable Android and iOS apps intentionally crafted by the trainer, Sneha Rajguru, attendees will look into some of the common ways malicious apps bypass security mechanisms or misuse the permissions they are granted.

Apart from that, trainees will get a brief understanding of what is special about the latest Android 8 and iOS 10 security and the related flaws. The course outline is as follows:

  • ARM basics and Android native code.
  • Reverse engineer Dex code for security analysis.
  • Jailbreaking/rooting of the device and also various techniques to detect jailbreak / root access.
  • Runtime analysis of the apps by active debugging.

Modifying parts of the code, where a part may be a function or a class; to perform this check and to identify such modifications, you will learn how to locate and compute the checksum of the code. The objective in this section is to learn to reverse engineer an application, extract its executable binaries, modify these binaries as needed, and re-sign the application.
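The integrity check described above, as an added example that is not part of the workshop material: it hashes the code entries of an APK-style archive and compares them against a known-good table, so that a modified `classes.dex` (or native library, or manifest) is reported. The archive is constructed in memory for the example; the list of watched entry suffixes is an assumption.

```python
"""Integrity check of app code: hash the code entries of an APK-style archive.

Added example (not part of the DeepSec workshop material). It builds a minimal
APK-like zip in memory from constructed contents; a real APK has the same
layout (classes.dex, AndroidManifest.xml, lib/...), so the functions apply
unchanged to one read from disk.
"""
import hashlib
import io
import zipfile

# Entries whose modification the check should catch: code and manifest.
# This set is an assumption for the example.
WATCHED_SUFFIXES = (".dex", ".so", "AndroidManifest.xml")


def build_sample_apk(dex_bytes: bytes) -> bytes:
    """Construct a small in-memory archive that mimics an APK (constructed data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest package='com.example.demo'/>")
        zf.writestr("classes.dex", dex_bytes)
        zf.writestr("lib/arm64-v8a/libnative.so", b"\x7fELF constructed stub")
        zf.writestr("res/values/strings.xml", b"<resources/>")
    return buf.getvalue()


def digest_entries(apk_bytes: bytes) -> dict:
    """Return {entry_name: sha256_hex} for every watched entry in the archive."""
    digests = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            if not info.filename.endswith(WATCHED_SUFFIXES):
                continue
            h = hashlib.sha256()
            with zf.open(info) as fh:
                # stream in chunks so large .dex/.so entries do not load whole
                for chunk in iter(lambda: fh.read(1 << 16), b""):
                    h.update(chunk)
            digests[info.filename] = h.hexdigest()
    return digests


def verify(apk_bytes: bytes, expected: dict) -> list:
    """Compare the archive against a known-good digest table.

    Returns the sorted list of watched entries that were modified, removed or
    added; an empty list means the code matches the reference build.
    """
    actual = digest_entries(apk_bytes)
    changed = [name for name in expected if actual.get(name) != expected[name]]
    added = [name for name in actual if name not in expected]
    return sorted(changed + added)


if __name__ == "__main__":
    original = build_sample_apk(b"dex\n035\x00" + b"A" * 64)
    reference = digest_entries(original)          # computed from the trusted build
    tampered = build_sample_apk(b"dex\n035\x00" + b"A" * 63 + b"B")
    print("original ok:", verify(original, reference) == [])
    print("tampered entries:", verify(tampered, reference))
```

The reference table would be produced from the release build and kept outside the app; an attacker who can rewrite the binaries can just as easily rewrite a table stored next to them, which is why the workshop also covers re-signing.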

Runtime modification of code – the objective is to learn how programs can be changed or modified at runtime. You will learn how to perform introspection or override the default behaviour of methods during runtime, and then how to identify whether methods have been changed. For iOS you can make use of tools such as Cycript, snoop-it etc.

By the end of the training, CTF challenges written by the trainer and based on the course content will be launched, where attendees use the skills learnt in the workshop to solve them. The workshop will begin with a quick overview of the architecture, file system, permissions and security model of both the iOS and Android platforms.

We recommend this training for anyone shepherding mobile devices or penetration testing environments where these devices get you an advantage.

Sneha works as a Security Consultant with Payatu Software Labs LLP. Her areas of interest lie in web application and mobile application security and fuzzing. She has discovered various application flaws within open source applications such as PDFLite, Jobberbase, Lucidchart and more. She has spoken and provided training at GNUnify, FUDCon, DefCamp, DefCon, BSidesLV, AppSec USA and Nullcon. She is also the chapter lead for null – Pune.

Science First! – University of Applied Sciences Upper Austria (FHOOe) supports DeepSec

The motto of DeepSec 2017 is „Science first!“. This is expressed by the co-located ROOTS workshop, many speakers from academia, topics fresh from the front lines of research, and a mindset that favours facts over fake content or showmanship. This is why we want to thank the University of Applied Sciences Upper Austria for their continued support of DeepSec! Their motto is Teaching and learning with pleasure – researching with curiosity, which fits nicely into the mindset of most information security researchers. They have a wide range of very interesting research projects. If you are interested in courses or collaboration as a company, let them know. We are happy to support you with your enquiry.

Lest you forget: DeepSec offers a steep discount for anyone in academic research – be it student or professor. Contact us for your ticket code in order to enjoy the full spectrum of DeepSec with a discount!

DeepSec 2017 Workshop: Hunting The Adversary – Developing And Using Threat Intelligence – John Bambenek

The arsenal of components you can use for securing your organisation’s digital assets is vast. The market offers a seemingly endless supply of application level gateways (formerly known as „firewalls“), network intrusion detection/prevention systems, anti-virus filters for any kind of platform (almost down to the refrigerator in the office), security tokens, biometrics, strong cryptography (just stay away from the fancy stuff), and all kinds of Big Data applications that can turn shoddy metrics into beautiful forecasts of Things to Come™ (possibly with a Magic Quadrant on top, think cherry). What could possibly go wrong? Well, it seems attackers still compromise systems, copy protected data, and get away with it. Why is that? Easy: You lack threat intelligence.

Security often doesn’t „add up“, i.e. you cannot improve your „security performance“ by buying fancy appliances/applications and piling them on top of each other. What you get is a heap of solutions solving very different problems. Your enemies of the day have patience, use superb reconnaissance, and employ sophisticated tools against you. Stealth is the key. Not being detected pays off. Before you panic and close shop, there may be a way to improve your defence – intelligence. John Bambenek (Bambenek Consulting / SANS Internet Storm Center) will conduct a training at DeepSec 2017 titled „Developing and Using Cybersecurity Threat Intelligence“.

There is a lot of theoretical talk about how you can boost your „security intelligence“. That’s great, but you cannot boost your defences by just thinking about the implementation of, well, stuff. Getting to know what the capabilities of your adversaries are and using all your options to detect and disclose their activities is the most crucial step. During the course of the two-day training you will learn which tools you can use to gain insight into the attacker’s mode(s) of operation, and – most important of all – how to integrate these capabilities into your existing infrastructure. Not everything you have done so far was in vain. The training will be a mixture of lecture and hands-on exercises. Mr Bambenek will show you that your chances of not getting hacked or to ward off an attack aren’t as bad as you might think.

The workshop is intended for everyone having digital assets and needs to defend them. If you have read this blog article, then there’s a high probability that you have sufficient digital assets to protect and a reason to attend the training.

Google supports DeepSec 2017

You have probably heard of Google. Well, you will be hearing more from them if you come to DeepSec 2017. They have agreed to support our conference. They will be on site, and you will be able to talk to them. Every year we aim to give you opportunities for a short-cut, for exchanging ideas, and for thinking of ways to improve information security. A big part of this process is fulfilled by vendors and companies offering services in the information security industry. This includes the many good people at CERTs and the countless brave individuals in the respective security teams.

So we hope you take advantage of Google’s presence at DeepSec. See you in Vienna!

DeepSec2017 Workshop: SAP CTF Pentest : From Outside To Company Salaries Tampering – Yvan Genuer

The SAP business suite is widespread among enterprises. It is the heart of the operation, at least in terms of business logic, administration, accounting, and many other cornerstones of big companies. SAP itself was founded in 1972. Its software has now grown up and lives with the Internet and cloud platforms next door. Due to the SAP software being a platform itself, it is quite unwieldy for hackers to handle. If you believe this, then we recommend the SAP CTF Pentest training at DeepSec 2017! Yvan Genuer has something to show to you:

SAP is boring, too big or too complicated? What about learning SAP Security during a fun CTF workshop? Additionally we’ll provide you with a pre-configured attacker VM with all tools required to perform workshop activities. Attendees learn how to work against different SAP Systems targets with different configuration issues in a ‘realistic’ environment. Few slides, lots of practice – that’s the leitmotiv of this guided SAP pentest workshop.

SAP is no longer an unknown black box for the security community and SAP products appear more and more often in audit requests. This training is focused on SAP Netweaver. Because we can’t seriously cover all SAP software in two days, we decided to work on the most frequent vulnerabilities we faced during our pentests. We’ll provide different SAP Systems with different configuration issues in a ‘realistic’ environment, and also a pre-configured attacker VM with all tools required to perform training activities. SAP knowledge is not required.

General knowledge of pentesting. SAP knowledge is NOT required.

Target audience:
Pentesters or security professionals. Anyone interested in learning about SAP security.

Material to bring by attendees:
A laptop capable of running a virtual machine, with 10 GB of free disk space and 1 GB of RAM for the VM.

The course will teach you SAP Netweaver and the SAP platform from inside to outside and vice versa. Technical components such as SAProuter, interactions, the basics of SAP security, the attack surface, risks, the SAP Gui, and many more. If you do penetration testing in an enterprise environment, you cannot do without this knowledge!

Update: Unfortunately the trainer has cancelled the training. We will try to offer SAP related workshops for DeepSec 2018. However, you can hack and pen-test enterprise systems/platforms with the knowledge of other trainings and the conference presentations as well.

Yvan has nearly 15 years of experience in SAP. Starting out as a SAP basis administrator for various well-known French companies, for the past 5 years he has focused on SAP Security and is now the head of SAP assessment and pentesting at the Devoteam security team. Although he is a very discreet person, he has received official acknowledgements from SAP AG for vulnerabilities he has reported. Furthermore, he is a longtime member of the Grehack conference organization committee and has conducted a SAP pentest workshop at Clusir 2017, as well as a full training at Hack In Paris 2017.

DeepSec 2017 Talk: How To Hide Your Browser 0-days: Free Offense And Defense Tips Included – Zoltan Balazs

There is a famous thought experiment described in the book A Treatise Concerning the Principles of Human Knowledge. It deals with the possibility of unperceived existence; for example does a falling tree in the forest make a sound when no one is around to hear it? Given the many reports and mentions about zero-day exploits, the question might be rephrased. Does a zero-day exploit cause any effects when no one is able to detect its presence? Before we completely get lost in philosophy, the question has a real background. Zoltan Balazs wants to address the issue of zero-days in his DeepSec 2017 presentation. The idea seems somewhat contrary to intuition – protecting exploits from being disclosed.

Zero-day exploits targeting browsers are usually very short-lived. These zero-days are actively gathered and analyzed by security researchers. One example is when Ahmed Mansoor was targeted by an iOS 0-day exploit. The Citizen Lab analyzed the 0-day exploit, and Apple patched the vulnerability within days. Whoever targeted Mansoor lost a precious 0-day exploit worth hundreds of thousands of dollars.

In my research, I propose a solution for law enforcement, 0-day brokers, and advanced attackers to protect their browser exploits. The key step is to establish key agreement between the exploit server and the victim browser. After a shared key is set up, attackers can encrypt the real exploit with AES. It is recommended to encrypt both the code to trigger the exploit and the shellcode. This idea was first published by me, and quickly adopted by exploit kit developers in-the-wild.

We recommend attending this talk, because it definitely opens a whole lot of questions for discussion, technical and philosophical.

Zoltan (@zh4ck) is the Chief Technology Officer at MRG Effitas, a company focusing on AV testing. Before MRG Effitas, he had worked as an IT Security expert in the financial industry for 5 years and as a senior IT security consultant at one of the Big Four companies for 2 years. His main expertise areas are penetration testing, malware analysis, computer forensics and security monitoring. He released the Zombie Browser Tool that has POC malicious browser extensions for Firefox, Chrome and Safari. He is also the developer of the Hardware Firewall Bypass Kernel Driver (HWFWBypass) and the Sandbox tester tool to test Malware Analysis Sandboxes. He has been invited to give presentations worldwide at information security conferences including DEF CON, Hacker Halted USA, Botconf, AusCERT, Nullcon, Hackcon, Shakacon, OHM, Hacktivity and Ethical Hacking. Zoltan passed OSCE recently, and he is very proud of it.

DeepSec 2017 Talk: BITSInject – Control Your BITS, Get SYSTEM – Dor Azouri

Microsoft introduced the Background Intelligent Transfer Service (BITS) with Windows 2000 and has kept it in later versions of the operating system. Windows 7 and Windows Server 2008 R2 feature version 4.0 of the protocol. BITS is designed to use idle bandwidth in order to transfer data to and from servers. BITS is an obedient servant, and it may be abused into doing transfers on behalf of others. Dor Azouri will present his findings regarding BITS at DeepSec 2017.

Windows’ BITS service is a middleman for your download jobs. You start a BITS job, and from that point on, BITS is responsible for the download. But what if we tell you that BITS is a careless middleman?

Current Windows software comes packaged with a mix of old and new features and components. New, shiny features and capabilities are added, with none of the old components needing to give up their place. That’s why the Windows software landscape resembles a modern state-of-the-art office, with one or two pieces of refurbished furniture. One of these refurbished pieces of furniture is the BITS service. BITS has been with us since Windows XP and has since evolved through 5 major versions; the most recent release was in 2012. BITS facilitates transferring files over HTTP asynchronously in the background. Its most widespread use is to download Windows updates from Microsoft servers. Many other programs use it as well for downloading updates. In his talk, Dor identifies a new method and tool, called BITSInject, that allows a local administrator to completely control the BITS job queue using an undocumented interface, and eventually run arbitrary programs as the LocalSystem account, within session 0.

Microsoft Windows administrators, take a look at Dor’s talk! Unprivileged users should also attend to elevate their status.

Dor is a security professional with 6+ years of unique experience in network security, malware research and infosec data analysis. Currently he is doing security research @SafeBreach.

DeepSec 2017 Talk: XFLTReaT: A New Dimension In Tunnelling – Balazs Bucsay

“Our new tool XFLTReaT is an open-source tunnelling framework that handles all the boring stuff and gives users the capability to take care of only the things that matter”, says Balazs. “It provides significant improvements over existing tools. From now on there is no need to write a new tunnel for each and every protocol or to deal with interfaces and routing. Any protocol can be converted to a module, which works in a plug-and-play fashion; authentication and encryption can be configured and customised on all traffic, and it is also worth mentioning that the framework was designed to be easy to configure, use and develop.”

We asked Balazs Bucsay a couple more questions about his talk:

Please tell us the top 5 facts about your talk.

  1. Tunnelling is not new at all, but this framework is and it unites all the techniques into one.
  2. The talk includes some low level information as well, but it can be easily understood because it will start with the basics and build upon that.
  3. Live demos will be presented and it will be revealed how easy it is to use the framework and to create working tunnels by selecting the appropriate protocol.
  4. I will give recommendations for both red and blue teams. Both teams can use the tool to discover and exploit vulnerabilities and misconfigurations on the network. The blue teams can try to detect the hidden data flow, red teams can tunnel connections and exfiltrate data with the framework.
  5. This framework is awesome.
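Point 4 above mentions blue teams trying to detect the hidden data flow. As an added example, not part of XFLTReaT or the talk, the following detector scores DNS query names from constructed log lines: a tunnel that carries data inside labels produces long, high-entropy labels and many distinct names under one zone. The log format, the thresholds and the treatment of the last two labels as the zone are all assumptions for the example; DNS is taken as one of the carrier protocols the framework can use.

```python
"""Heuristic detector for tunnelled data in DNS query names.

Added example, not part of XFLTReaT or the DeepSec talk. Query names carrying
encoded data show long labels with high character entropy, and many unique
names under a single zone. Thresholds and log format are assumptions.
"""
import math
import re
from collections import defaultdict

# Constructed sample log lines "timestamp client qname"; not real traffic.
SAMPLE_LOG = """\
2017-11-16T10:00:01Z 10.0.0.5 www.example.com
2017-11-16T10:00:02Z 10.0.0.5 mail.example.com
2017-11-16T10:00:03Z 10.0.0.7 a3f9k2l0q8z7b6x1m4n5v2c8j1h0g3d7e9f2.t.tunnel-demo.invalid
2017-11-16T10:00:03Z 10.0.0.7 q9w8e7r6t5y4u3i2o1p0a9s8d7f6g5h4j3k2.t.tunnel-demo.invalid
2017-11-16T10:00:04Z 10.0.0.7 z1x2c3v4b5n6m7a8s9d0f1g2h3j4k5l6q7w8.t.tunnel-demo.invalid
2017-11-16T10:00:04Z 10.0.0.7 e9r8t7y6u5i4o3p2a1s0d9f8g7h6j5k4l3z2.t.tunnel-demo.invalid
2017-11-16T10:00:05Z 10.0.0.5 cdn.example.com
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+)$")


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for an empty string)."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_zone(qname: str) -> str:
    """Approximate the zone as the last two labels (assumption: no public-suffix list)."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:])


def score_qname(qname: str) -> dict:
    """Features of one query name: length of the longest label and its entropy."""
    labels = qname.rstrip(".").split(".")
    longest = max(labels, key=len)
    return {"longest_label": len(longest), "entropy": shannon_entropy(longest)}


def detect_tunnels(log_text: str, min_label=30, min_entropy=3.5, min_unique=3) -> dict:
    """Group suspicious queries by zone; return {zone: unique_suspicious_names}.

    A zone is reported only when at least min_unique distinct names under it
    exceed both the label-length and the entropy threshold, which separates a
    steady stream of encoded payload from the occasional long CDN hostname.
    """
    suspicious = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of crashing the detector
        _ts, _client, qname = m.groups()
        feats = score_qname(qname)
        if feats["longest_label"] >= min_label and feats["entropy"] >= min_entropy:
            suspicious[registered_zone(qname)].add(qname)
    return {zone: len(names) for zone, names in suspicious.items() if len(names) >= min_unique}


if __name__ == "__main__":
    print(detect_tunnels(SAMPLE_LOG))
```

The same two features (label length, entropy) with a per-zone count work as a first pass on any resolver or sensor log; the thresholds have to be tuned against the site's own baseline, since some legitimate services also emit long, random-looking labels.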

How did you come up with it? Was there something like an initial spark that set your mind on creating this talk?

I was in this situation so many times before where I needed unfiltered Internet access on a (filtered) network or just a reliable channel to exfiltrate data as a proof for the client. Unfortunately there were no proper solutions for this, or different tools had to be used. I got bored with this situation and started to play with the thought that there might be a way this could be modelled and coded into a framework. As of now, my original idea seems to be working and the same basic approach works with all the protocols, a module can be created just for tunnelling and all the other stuff is handled by the framework.

Why do you think this is an important topic?

I rather think that this part of IT-Security had to be fixed. If you take a look at the conferences, talks, research etc., they always try to find new things, new ways to bypass protections or to exploit vulnerabilities, but not many people try to improve existing topics. I do not always agree with that approach. I think it is more important to create stable baselines and do research with those rather than creating useless Proof of Concepts. Tunnelling is certainly not a new thing, but have you ever tried to do tunnelling over several protocols? Or use a transport protocol which is not a typical one? I can tell you, it was a pain and I think I helped on this, now it is a bit easier than it was, and this is what matters to me.

Is there something you want everybody to know – some good advice for our readers maybe?

Do not come to my talk. Just kiddin’. I am Hungarian, I can be bribed with beers, club mate and/or good chats. Come and see me, have your questions and hopefully your answers, join the development, make requests and create issues on Github.

A prediction for the future – what do you think will be the next innovations or future downfalls when it comes to particularly your field of expertise / the topic of your talk?

The world gets more and more digitalised, there will be more breaches all around. We already got used to it and I do not think this will change in a good way. The only thing that we can do is that we try to take care of our own little sweepings to make sure we are not the ones who get breached.

Balazs Bucsay (@xoreipeip) is a Senior Security Consultant at NCC Group in the United Kingdom who does research and penetration testing for various companies. He has presented at many conferences around the world including Honolulu, Atlanta, London, Oslo, Moscow, and Vienna on multiple advanced topics relating to the Linux kernel, NFC and Windows security. Moreover he has multiple certifications (OSCE, OSCP, OSWP, GIAC GPEN) related to penetration testing, exploit writing and other low-level topics; and has degrees in Mathematics and Computer Science. Balazs thinks that sharing knowledge is one of the most important things in life, so he always shares his experience and knowledge with his colleagues and friends. Because of his passion for technology, he starts his second shift in the evenings, right after work, to do further research.

DeepSec 2017 Talk: Insecurity In Information Technology – Tanya Janca

A lot is expected of software developers these days; they are expected to be experts in everything despite very little training. Throw in the IT security team (often with little-to-no knowledge of how to build software) telling developers what to do and how to do it, and the situation is further strained. This silo-filled, tension-laced situation, coupled with short deadlines and mounting pressure from management, often leads to stress, anxiety and less-than-ideal reactions from developers and security people alike.

In this talk Tanya Janca will explain how people’s personal insecurities can be brought out by leadership decisions in the way we manage our application security programs, and how this can lead to real-life vulnerabilities in software and other IT products. This is not a soft talk about “feelings”, this is a talk about creating programs, governance and policies that ensure security throughout the entire SDLC.

No more laying blame and pointing fingers, it’s time to put our egos aside and focus on building high-quality software that is secure. The cause and effect of insecurities and other behavioural influencers, as well as several detailed and specific solutions will be presented that can be implemented at your own place of work, immediately. No more ambiguity or uncertainty from now on, only crystal clear expectations.

We asked Tanya a few questions about her topic of interest.

Please tell us the top 5 facts about your talk.

The way many companies run their security and development programs causes serious friction between the two teams. This “friction” can cause job insecurity. When people feel job insecurity they act out in predictably negative ways. Those ways of acting out negatively often result in insecure software. We must fix this problem.

How did you come up with it? Was there something like an initial spark that set your mind on creating this talk?

I have seen similar behaviour in the different places I have worked. As I started speaking at conferences and meeting many, many people in InfoSec, it turned out that it’s happening all over, not just in the places I have worked. It’s systemic. And I love fixing problems, so I decided I would create this talk in hopes that I can help.

Why do you think this is an important topic?

I’m passionate about application security. I was a developer for a long time, and dealing with the security team was unpleasant at times. We are not going to have secure software any time soon if we don’t fix the system issues. I feel this issue is systemic.

Approximately 27% of security incidents are caused by insecure software. That’s quite a bit. This issue should be important to everyone.

Is there something you want everybody to know – some good advice for our readers maybe?

We need to stop blaming each other and pointing fingers when things happen and instead focus on how to ensure we fix issues so that we are more secure in the future. We need to take responsibility and do better, and put our egos aside. It’s time to get to work.

A prediction for the future – what do you think will be the next innovations or future downfalls when it comes to your field of expertise / the topic of your talk in particular?

I predict that there are going to be quite a few new jobs in the application security field, until we start figuring out how to make creating secure software a lot easier. Right now it’s very difficult. It has to get easier.

Tanya Janca is an application security evangelist, technical advisor, web application penetration tester and vulnerability assessor, trainer, public speaker, ethical hacker, OWASP DevSlop Project Leader, Chapter Leader of OWASP Ottawa, Effective Altruist and has been developing software since the late ’90s. She has worn many hats and done many things, including: Web App PenTesting, Technical Training, Custom Apps, Ethical Hacking, COTS, Incident Response, Enterprise Architecture, Project and People Management, and even Tech Support. She can currently be found helping the Government of Canada secure their web applications.

DeepSec 2017 Talk: Bypassing Web Application Firewalls – Khalil Bijjou

Everyone has firewalls or filters. They are now called application-level gateways (ALG) and have lots of features included. Algorithms, signatures, heuristics, protocol checks, verification; you name it. It’s all in there. But does it work? Obfuscation and evasion techniques have been around since the first filter was created. Anticipating what data might look like is hard, and some protocols seem designed to be as ambiguous as possible. At DeepSec 2017 Khalil Bijjou will show you what evasion looks like on the web.

Security experts perform security assessments of web applications in order to identify vulnerabilities that could be exploited by malicious users. Web Application Firewalls add a second layer of protection to web applications in order to mitigate these vulnerabilities.

The attempt to bypass Web Application Firewalls is an important aspect of a security assessment and is necessary to ensure accurate results. This talk describes bypass techniques and offers a systematic approach for security experts on how to bypass Web Application Firewalls based on these techniques.

In order to facilitate this approach, the tool WAFNinja will be introduced. The output of this tool has contributed significantly to finding multiple bypasses; these bypasses have been reported to the respective Web Application Firewall vendors and were fixed.
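The evasion problem the talk addresses comes down to a filter judging a request in a different form than the application eventually sees. As an added example, not code from the talk or from WAFNinja, the snippet below puts a naive signature check next to one that canonicalizes the request first (bounded percent-decoding, `+` to space, whitespace collapsing, lowercasing), and runs both over constructed request fragments that encode the same value in different ways. The signature list and the samples are assumptions for the example.

```python
"""Why a filter must match on canonical input: naive vs. normalised matching.

Added example, not from the DeepSec talk or WAFNinja. The signature set and
the request fragments are constructed; a real engine holds far more rules.
The defensive point: decode and normalise before matching, so that every
encoding of the same request is judged identically.
"""
import re
import urllib.parse

# Constructed, deliberately tiny signature set (assumption for the example).
SIGNATURES = [
    re.compile(r"<script\b", re.IGNORECASE),
    re.compile(r"\bunion\s+select\b", re.IGNORECASE),
]

# Bound repeated decoding so nested encodings cannot make the filter loop forever.
MAX_DECODE_ROUNDS = 3


def naive_matches(raw: str) -> bool:
    """Match signatures against the request exactly as received."""
    return any(sig.search(raw) for sig in SIGNATURES)


def canonicalize(raw: str) -> str:
    """Reduce a request fragment to one canonical form before matching.

    Percent-decodes repeatedly until stable (or the round limit is hit),
    maps '+' to space, collapses runs of whitespace and lowercases.
    """
    s = raw
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = urllib.parse.unquote_plus(s)
        if decoded == s:
            break
        s = decoded
    s = re.sub(r"\s+", " ", s)
    return s.lower()


def hardened_matches(raw: str) -> bool:
    """Match signatures against the canonical form of the request."""
    return any(sig.search(canonicalize(raw)) for sig in SIGNATURES)


# Constructed request fragments: one benign value and encodings of the same marker.
SAMPLES = [
    "q=deepsec+2017",
    "q=<script>",
    "q=%3Cscript%3E",
    "q=%253Cscript%253E",
]


def evaluate(samples=SAMPLES) -> list:
    """Return (sample, naive_verdict, hardened_verdict) for each sample."""
    return [(s, naive_matches(s), hardened_matches(s)) for s in samples]


if __name__ == "__main__":
    for sample, naive, hardened in evaluate():
        print(f"{sample:<24} naive={naive!s:<5} hardened={hardened}")
```

The decode loop is the part worth copying: a single decode pass leaves doubly encoded input untouched, while an unbounded loop is its own denial-of-service risk, so the canonical form is defined as "decode until stable, at most N rounds", and the application behind the filter must decode no further than that.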

We recommend this presentation for anyone dealing with HTTP/HTTPS. Or the web. Or web applications.

Khalil Bijjou is an enthusiastic ethical hacker, bug hunter and penetration tester for the German IT security consulting firm EUROSEC. He performs security assessments for major companies, especially in the field of web, mobile and SAP security. Khalil reached 2nd place in the German Post IT Security Cup 2015 and was a speaker at PHDays, Moscow and DefCamp Bucharest.

DeepSec 2017 Talk: Hacking The Brain For Fun And Profit – Stefan Hager

You are what you think. At least we think so. Is this mental model the right way to explore our surroundings and our interconnected world? Well, let’s find out by thinking about it.

When we’re talking and thinking about security, we very often have a rather fixed mindset and keep using what we think are proven methods. We tend not to question our decisions and thoughts, and the way our brains work reaffirms our bias and our mediocre choices. In this talk we take a closer look at how we are thinking, and how we can change or expand this as well as our perception, by hacking into our own brains in order to get a clearer picture of what we really want and need. New ways of thinking and creativity can be a vital new asset for blue and red teams.

We asked Stefan Hager a few questions about his topic of interest:

Please tell us the top 5 facts about your talk.

  1. Your brain is not telling you the whole truth (and it never will).
  2. Perception can be hacked.
  3. The mind can be treated like a black box system and it’s fun to experiment with it.
  4. New ways of thinking give creativity a boost and can give red and blue teams (everyone, really) an edge in their work.
  5. Reality is what you can get away with.

How did you come up with it? Was there something like an initial spark that set your mind on creating this talk?

The perception of an individual reality as opposed to consensus reality has fascinated me for ages, and for me it is one of the most intriguing subjects. It’s also quite nice that humans are so meta that they can think about how they think; and in my opinion it inevitably broadens one’s mind. My professional background is not in psychology or something similar, but Infosec. Although maybe not obvious at first glance, there are similarities between huge modern networks and their defence mechanisms and the way our perceptions and subconscious interact with the conscious parts of our brains.

Why do you think this is an important topic?

Creative and new ways of doing things are the difference between a mediocre pentest and something that’s more useful to the client, or a run-of-the-mill network setup and a well-defended one. Thinking outside the box is such an overused term, but thinking about the box itself – the way we think – doesn’t come naturally. We tend to take our perceptions for granted and rarely question our daily decisions. I think it’s important to become aware of some of the firewalls and defence mechanisms of our brain and to start fitting them to our personal needs.

Is there something you want everybody to know – some good advice for our readers maybe?

Change yourself by closely observing yourself (without judging yourself) and analyse what happens. Some recursion involved.

Breaking out of behavioural patterns by thinking in new ways can help to overcome a bit of ego, and thus create a bit less misery for oneself and those around us.

A prediction for the future – what do you think will be the next innovations or future downfalls when it comes to particularly your field of expertise / the topic of your talk?

Tricky – I think that human mind-computer interfaces will be very hard to establish without being able to think in uncommon ways. The human mind seems to be able to adapt more easily to new situations than an API, no matter how advanced. Security Awareness and Security Thinking are topics which are going to get even more important in the near future.

Stefan is a member of the Internet Security team at the software company DATEV eG. After starting out as a programmer in the nineties he switched to cybersecurity shortly afterwards. Since 2000 he has been securing networks and computers for various enterprises in Germany and Scotland. His main focus nowadays is threat research, raising security awareness and discussing new ideas concerning threat mitigation. When not trying to do any of the stuff mentioned above, he is either travelling, fiddling around with hardware or trying to beat some hacking challenge. Stefan also writes blog posts (in English and German) on his site

DeepSec 2017 Talk: Essential Infrastructure Interdependencies: Would We Be Prepared For Significant Interruptions? – Herbert Saurugg

How would your day look without electrical power? Given the fact that we rely on information technology every single minute of our lives (well, mostly), this would be a very dark outlook indeed. Knocking out the power grid is a tactic used by the military. They even have special tools for disabling power lines and transformer stations. Progress has enabled network access for power plants and other parts of the grid. It’s not all about hacking stuff. There is a lot more involved when it comes to critical infrastructure, and this is why we have asked Herbert Saurugg, a renowned specialist on this topic, to conduct a presentation at DeepSec 2017.

Cyber Security and Critical Infrastructure Protection (CIP) are major topics almost everywhere. Their priority has also increased during recent years because of rising incidents, even if the focus is still on a sectoral approach and on prevention. And there’s the issue of delayed detection. How to cope with significant infrastructure interruptions if protection efforts fail and possible cascading effects occur is hardly public knowledge, nor do people have the necessary capabilities to deal with them. The shared belief that it won’t happen is still overwhelming. But it could be a Turkey-Illusion. DDoS, IoT-attacks, ransomware, vulnerabilities, unpatchable IT-systems, … the list of current IT-problems and challenges is endless. Every security expert daily fights an unwinnable battle. But what would it mean to our society if infrastructure systems fail on a broad scale? How can we reduce these risks? And how can we make infrastructures more robust and people resilient?

This talk will look at cyber security from a different perspective and open your eyes to a hardly recognised danger to our modern and heavily interconnected world.

Herbert Saurugg was a career officer in the ICT-Security Section of the Austrian Armed Forces until 2012. Since then he has been on leave and is engaged in raising awareness about the increasing systemic risks due to the rising interconnections and dependencies between many Critical Infrastructures, which contribute to extreme events. He is known as an expert on the topic of blackouts: a Europe-wide power-cut and infrastructure collapse. He is also a founding member of the association Cyber Security Austria, which is the mastermind behind the European Cyber Security Challenge. As a result of his systemic reflections he is calling for more efforts to raise awareness and resilience throughout our societies to face major extreme events in the foreseeable future.

DeepSec 2017 Talk: Uncovering And Visualizing Botnet Infrastructure And Behavior – Andrea Scarfo & Josh Pyorre

When you read about information security, you might get the impression that there are lots of nameless threats Out There™. Especially when it comes to networked malicious software, i.e. malware that forms robot armies, the picture gets a lot more vague and foggy. So you need to get some details to sharpen your view. There are ways to do this, and Andrea Scarfo and Josh Pyorre will tell you about them at DeepSec 2017.

How much information about a botnet can one find using a single IP address, domain name or indicator of compromise (IOC)? What kind of behavior can be determined when looking at attacker and victim infrastructure?

In an attempt to discover and analyze the infrastructure behind large-scale malware activity, Andrea and Josh began their research with known indicators from popular botnets, such as Necurs.

This presentation will highlight co-occurring malicious activities observed on the infrastructure of popular botnets. Andrea and Josh will demonstrate practical techniques for analyzing botnet and malware traffic to provide context that can be used in identifying actor and victim infrastructure and to discover additional IOCs. They will also show how political and societal world events may influence specific types of malware activity based on the locations and times of malware events. Finally, Andrea and Josh will demonstrate a visualization framework that can be used to better understand the connections between infrastructure, threats, victims, and malicious actors.

Josh and Andrea are Security Researchers with Cisco Umbrella (formerly OpenDNS).

Andrea began her career in Support and worked as a Sysadmin for 12 years. She has worked with Hewlett Packard and the Town of Danville, California. Security has always been her passion. She began working with OpenDNS as a Security Researcher on the Security Research team in 2015 and spends her days working to make the Internet a safer place by hunting attackers and malware. She presented at B Sides Las Vegas in 2016 and BSides Amsterdam in 2017.

Josh has worked in security for around 14 years. He’s been a threat analyst at NASA, where he was part of the team that built the NASA Security Operations Center. He also helped to build the SOC at Mandiant. His professional interests involve network, computer and data security with a goal of maintaining and improving the security of as many systems and networks as possible. Josh has presented at Defcon, B Sides Austin, Chicago, San Francisco, Los Angeles, Amsterdam and Vienna, Source Boston, Source Seattle, Derbycon, InfoSecurity World Europe, DeepSec Vienna and Qbit Prague. He hosted season 1 of

DeepSec 2017 Talk: Next-Gen Mirai Botnet – Balthasar Martin & Fabian Bräunlein

While you were living in a cave, devices took over the world and got connected to the network. This is the state of affairs we live in right now. As long as nothing happens we don’t notice anything about it. The Mirai (未来) botnet changed this all of a sudden. Consumer devices were drafted into an army of bots. Thanks to the proliferation of networked devices such as cameras, home routers, and others the botnet was very successful. The code was designed to run on embedded devices and is even online for inspection. Let’s take a look at how to improve Mirai.

Badly secured embedded devices enabled the largest DDoS attack on critical networks seen to date: the Mirai attacks in 2016 were largely pegged on Internet-exposed telnet with default credentials. While such telnet accounts are hopefully on their way out, Balthasar and Fabian had a look at the next available hacking options to compromise masses of IoT devices. It turns out that IP cameras can still be compromised remotely in many other ways – even if they are not exposed directly to the internet. In particular, they found issues in communication protocols, control servers and infrastructure design. Balthasar Martin and Fabian Bräunlein will demonstrate a number of these next-gen Mirai vulnerabilities. After seeing what they saw, they say, you will have little doubt that there will always be a bot army of compromised embedded devices.

We asked Balthasar and Fabian a few questions about their topic of interest.

Please tell us the top 5 facts about your talk.

Without disclosing all interesting discoveries, here are four that we are really proud of:

  1. Cloud services expose our devices to the Internet, even if we put them behind a firewall.
  2. Cameras come in many shapes and brands, but most of them use one of few cloud services.
  3. It’s 2017 and people still invent proprietary protocols with big security holes.
  4. We learned two things from Mirai that turn out to be insufficient: “do not expose your device directly to the Internet” and “change any default credentials”.

How did you come up with it? Was there something like an initial spark that set your mind on creating this talk?

The Mirai attacks last year caught our attention. Given that they were based on open telnet with default passwords, we were curious to know what else was hidden behind the complexity of those devices.

Why do you think this is an important topic?

The discrepancy between what is exploited (consumer devices) and who suffers from attacks (big companies, targeted individuals) is interesting to think about. Device owners usually don’t notice that they are being hacked. On the other end, the victims of DDoS attacks don’t control the device’s security. We think public awareness is especially important here.

Is there something you want everybody to know – some good advice for our readers maybe?

You may want to stay away from cloud-connected devices. In the case of cloud IP cameras, even when everything is properly secured, the vendors can still access your camera feeds, as all information is transmitted via their servers without end-to-end encryption.

A prediction for the future – what do you think will be the next innovations or future downfalls when it comes to particularly your field of expertise / the topic of your talk?

Following the current trend, we think there will be device choices with solid security. Hopefully consumers start considering security more and if so, are able to recognize secure choices. Keeping track of current discussions about stricter liability of the manufacturer will be interesting, but globally, there will always be cheaper, less secure options. We need to keep thinking about DDoS mitigations, too.

Balthasar lives in Berlin where he pursues a Master’s in IT-Systems Engineering while working at SRLabs. He is fascinated by a world populated by “smart” devices that turn out to be as smart as a slice of bread. After the DDoS on Brian Krebs, he got curious about additional ways to disturb the global Internet matrix.

Fabian studied IT-Systems Engineering at HPI in Potsdam, but was always more curious about taking such systems apart. He now works as a Security Researcher and Consultant at the Berlin-based hacker collective SRLabs. Fabian’s previous talks include hacking payment systems at 32c3 and travel systems at HEUREKA.

DeepSec 2017 Schedule Update, Review Status, Disputes, and Trainings

The DeepSec 2017 schedule is still preliminary. We are almost done, and we have a small update. Some of you have noticed that the schedule featured a training about mobile security. The outline as shown in the schedule was identical to a different course from a different trainer. We received a complaint, we got the course materials to compare, and it turned out that only the outline of the workshop as shown online was identical, and the original table of contents was not part of the submission we received during the call for papers. The dispute has been settled. The trainer has apologised to the creator of the original table of contents. Nevertheless the trainer has asked to withdraw his submission. This means we will try to replace the slot in the schedule with a similar workshop. Stay tuned.

Please make sure that you do not use any material subject to copyright without permission. The motto of DeepSec 2017 is “Science First!”. This means that we want to foster the scientific method when people present their research and when they teach. Always use proper citations. Always ensure that everything you say and do can be backed up. We have all seen the presentations with images copied from search engine hits, but you have to check the source and the legal issues before using them. This saves you and us a lot of trouble.

Thank you for observing all safety procedures. We are looking forward to seeing you all at DeepSec 2017!