Screening of “The Maze” at DeepSec 2017

We have some news for you. Everyone attending DeepSec 2017 will get a cinematic finish on the last day of the conference. We will be showing The Maze by Friedrich Moser. For all who don’t know Friedrich’s works: He is the director of A Good American which was screened at DeepSec 2015. The Maze is a documentary covering terrorism, counter-terrorism, surveillance, business, and politics. So it’s basically information security in a nutshell. Right after the closing of DeepSec you can enjoy The Maze – with popcorn and hopefully everyone who is attending DeepSec. We have seen the documentary before, and we highly recommend it!

The Maze from Friedrich Moser on Vimeo.

DeepSec 2017 Workshop: Smart Lockpicking – Hands-on Exploiting Contemporary Locks and Access Control Systems – Slawomir Jasek

You can, quite reasonably, expect smart locks and access control systems to be free from the alarming security vulnerabilities that are so common in the average IoT device. Well, this training will prove you wrong. After performing multiple hands-on exercises with a dozen real devices and various technologies, you will never look at these devices the same way again. Smart lockpicking is something to scare you, and not just on Halloween.
We asked Slawomir a few questions about his training:

Please tell us the top 5 facts about your workshop.

  • Focused on hands-on, practical exercises with real devices
  • Lots of various topics and technologies covered
  • Regardless of whether you are a beginner or a skilled pentester, you will learn something new and have a good time
  • Many exercises designed as “homework”, possible to repeat later at home
  • Includes a hardware pack (about 100€ value) for each student, consisting of a Raspberry Pi, an NFC board, and a Bluetooth Low Energy sniffer. The hardware will allow you to crack and clone NFC cards, and to sniff and analyse Bluetooth Low Energy connections


How did you come up with it? Was there something like an initial spark that set your mind on creating this Workshop?

I wanted to focus on devices everyone can encounter, yet common sense is that we can trust their security. Practical exercises debunking your „comfort zone“, performed hands-on yourself, are in my opinion one of the best ways to effectively learn a given topic. Also, once you master assessment of the ones supposed to be most secure, other IoT devices will seem to you an even bigger „jar of bugs“.

So, smart locks, electronic safety and access control systems were the natural choice here. Vendors’ claims on their security rendered them even more attractive for the task. And it soon turned out that in so many cases „the king is naked“. A significant number of such devices have serious security flaws that can be exploited even by an intruder without advanced skills, and as a result cause serious loss.

Why do you think this is an important topic?

I think a quick scroll through the recent headlines will do as a sufficient answer. Of course the media often overestimate the real risk, but you just can’t ignore the fact anymore that smart devices are increasingly surrounding us, and their security level is usually still far from acceptable.

I am very enthusiastic about new technologies, but on the other hand I think before entrusting our lives to them, we should first understand and mitigate the associated risks.

Is there something you want everybody to know – some good advice for our readers maybe?

Did I mention the free Raspberry and other goodies – for NFC card cloning and BLE sniffing already?

A prediction for the future – what do you think will be the next innovations or future downfalls when it comes to particularly your field of expertise / the topic of your training?

The digital revolution will not stop. And unless you hide in a cave, you will encounter the new smart devices responsible for your safety. Don’t let them catch you by surprise.

Slawomir is an IT security consultant with over 10 years of experience. He has participated in many assessments of system and application security for leading financial companies and public institutions around the world, including a few dozen e-banking systems. He has also developed secure embedded systems certified for use by national agencies. Slawomir has an MSc in automation & robotics and loves to hack various devices, gadgets, home automation and industrial systems. Besides his current research (BLE, HCE), he focuses on consulting on secure solutions for various software and hardware projects. Speaker at Black Hat USA (new Bluetooth Smart man-in-the-middle proxy tool), AppSec EU (insecurity of proprietary network protocols), HITB (HCE contactless payments), Confidence (IoT), Devoxx and other conferences for developers (SDLC, mobile application security). Trainer at DeepSec, AppSec EU, Hack In Paris, Hack In The Box, Confidence.


The only responsible Encryption is End-to-End Encryption

Last week Privacy Week 2017 took place: seven days full of workshops and presentations about privacy, with some security content as well. We provided background information about the Internet of Things, the data every one of us leaks, and the assessment of backdoors in cryptography and operating systems. It is amazing to see for how long the Crypto Wars have been raging. The call for backdoors and structural weaknesses in encryption has never been silenced. Occasionally the emperor gets new clothes, but this does not change the fact that some groups wish to destroy crypto for all of us. The next battle is fought under the disguise of responsible encryption. Deputy Attorney General Rod J. Rosenstein invented this phrase as a new marketing strategy for backdoors.

Once you have backdoors in any technology, it ceases to be secure. Technology companies, academics, and information security researchers have all worked to improve hardware and software we use on a daily basis. Even governments rely on secure applications and protocols. It is technically impossible to have security in anything that is backdoored. It is really that simple. The discussion has been raging since the ill-advised Clipper Chip, basically ever since strong encryption was available for businesses and private persons in the world of IT.

Kurt Opsahl wrote an analysis which we highly recommend. In case you hear someone mumbling about responsible encryption, please make sure that you explain to this someone that strong crypto is the correct answer. Anyone not believing this should attend DeepSec. We love to discuss and analyse all different approaches. Warning: The discussion will probably get really short.

Update: Dear journalists, please refrain from using the terms responsible encryption and going dark as actual technologies of information technology. Always use quotes („“ or “”) to mark these terms as vague. It makes the job of the security researchers much easier. Thank you!

DeepSec 2017 Talk: BitCracker – BitLocker Meets GPUs – Elena Agostini

Encryption and ways to break it go hand in hand. In the digital world, trying many keys in rapid succession may lead to success, provided you have sufficient computing power. Graphics processing units (GPUs) have come a long way from just preparing the bits to be sent to the display device. Nowadays GPUs are used for a lot of computationally expensive tasks. At DeepSec 2017 you will hear about keys, encryption, and storage encryption – all with the use of GPUs, but for the purpose of cracking keys.

BitLocker (formerly BitLocker Drive Encryption) is a full-disk encryption feature available in recent Windows OS (Vista, 7, 8.1 and 10). It is designed to protect data by providing encryption for several types of memory units like internal hard disks or external removable memory devices (BitLocker To Go feature), offering a number of different authentication methods, like Trusted Platform Module, Smart Key, Recovery Key, password, and the like.

During this talk Elena will describe how the password authentication method works and the algorithms used during the decryption procedure; she’ll give an insight into the complex architecture of BitLocker’s keys, analyzing BDE format and metadata structures of an encrypted volume.

Finally, Elena will present BitCracker, the first open source password cracking tool for memory units encrypted with BitLocker using the password authentication method. It performs a dictionary attack on GPUs to find the right password. BitCracker processes up to 1400 passwords per second (about 2.9 billion SHA-256 computations per second) on an NVIDIA Tesla P100 GPU.

BitCracker has been integrated into John the Ripper as its OpenCL BitLocker format; a standalone CUDA implementation is also available.
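The figures above are explained by what a single guess costs. The following Python is an added example, not BitCracker’s own code: it implements BitLocker’s password-protector key derivation as publicly documented (and as the open source libbde and dislocker implement it). The UTF-16LE password is hashed twice with SHA-256, then run through 2^20 chained SHA-256 rounds over an 88-byte block containing the previous digest, the password hash, a 16-byte salt from the volume metadata and a counter. Each 88-byte block needs two SHA-256 compressions, so 1400 guesses/s × 2^20 rounds × 2 ≈ 2.9 × 10^9 SHA-256 blocks/s, which is how the two numbers on the page relate. In a real crack the derived key is tried against the encrypted Volume Master Key (AES-256-CCM with a MAC check); that needs the volume’s metadata, so here a comparison against a key derived from a known password stands in for it, and the salt is constructed for the demonstration.

```python
"""BitLocker password-protector key derivation: the cost centre of a crack.

Added example, not BitCracker's code. Follows the documented derivation the
open-source libbde and dislocker implement. The final AES-256-CCM check of the
VMK blob is stood in for by a key comparison (CONSTRUCTED, see below).
"""
import hashlib
import struct

ITERATIONS = 0x100000   # 2**20 chained rounds, fixed by the BitLocker format
SALT_LEN = 16


def password_hash(password):
    """SHA-256(SHA-256(password as UTF-16LE, no BOM, no terminator))."""
    first = hashlib.sha256(password.encode("utf-16-le")).digest()
    return hashlib.sha256(first).digest()


def chain_block(last, initial, salt, count):
    """The 88-byte block hashed in every round:
    last_sha256[32] || initial_sha256[32] || salt[16] || count (uint64 LE)."""
    return last + initial + salt + struct.pack("<Q", count)


def stretch_key(initial, salt, iterations=ITERATIONS):
    """Chained SHA-256: each round hashes the previous digest, the password
    hash, the salt and a running counter that starts at 0."""
    if len(initial) != 32 or len(salt) != SALT_LEN:
        raise ValueError("initial hash must be 32 bytes and salt 16 bytes")
    last = bytes(32)
    for count in range(iterations):
        last = hashlib.sha256(chain_block(last, initial, salt, count)).digest()
    return last


def derive_vmk_key(password, salt, iterations=ITERATIONS):
    """32-byte key that unwraps the VMK for a password protector."""
    return stretch_key(password_hash(password), salt, iterations)


def sha256_blocks_per_guess(iterations=ITERATIONS):
    """SHA-256 compression-function calls per password guess. 88 bytes plus
    9 bytes of SHA-256 padding exceed one 64-byte block, so every round costs
    two compressions; the two initial hashes cost about one block each."""
    return 2 * iterations + 2


def dictionary_attack(candidates, salt, target_key, iterations=ITERATIONS):
    """Return the candidate whose derived key matches target_key, else None.
    CONSTRUCTED check: a real cracker would AES-CCM-decrypt the VMK blob with
    each derived key and test the MAC instead of comparing keys."""
    for candidate in candidates:
        if derive_vmk_key(candidate, salt, iterations) == target_key:
            return candidate
    return None


if __name__ == "__main__":
    salt = bytes(range(16))                      # CONSTRUCTED, not from a volume
    target = derive_vmk_key("Passw0rd!", salt)   # stands in for a captured protector
    print("found:", dictionary_attack(["123456", "letmein", "Passw0rd!"], salt, target))
    print("SHA-256 blocks per guess:", sha256_blocks_per_guess())
```

Each full derivation takes on the order of a second in pure Python, which is the whole point: the 2^20-round chain, not AES, is what a GPU cracker has to parallelise, and the salt makes precomputed tables useless across volumes.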

Elena Agostini received her PhD in Computer Science from the University of Rome “La Sapienza” in collaboration with the National Research Council of Italy. The main topics of her research are GPUs used both for cryptanalysis or communications and wireless network protocols.

Massimo Bernaschi is the second author of the talk Elena is going to present at DeepSec. He spent 10 years with IBM working in High Performance Computing. Currently he is with the National Research Council of Italy (CNR) as Chief Technology Officer of the Institute for Computing Applications. He is also an adjunct professor of Computer Science at “Sapienza” University in Rome.

DeepSec 2017 Talk: Who Hid My Desktop – Deep Dive Into hVNC – Or Safran & Pavel Asinovsky

Seeing is believing. If you sit in front of your desktop and everything looks as it should, then you are not in the Matrix, right? Right? Well, maybe. Manipulating the surface so that something looks like what you expect is a technique also used by phishers, spammers, and social engineers. But what if the attacker sitting on your computer does not need to see what you see? Enter hidden virtual network computing (hVNC), where malicious software controls your system without you noticing anything.

For the past decade, financial institutions have increasingly faced malware that steals hefty amounts of money by performing fraudulent fund transfers from their customers’ online banking accounts. Many vendors attempt to solve this problem with sophisticated products that classify or risk-score each transaction. Often, identifying the legitimate account holder comes down to detecting whether the transaction is made from the legitimate user’s machine or from an untrusted endpoint.

Going back 10 years, and still today, some checks are based on the IP address and geolocation of the machine performing the transaction, compared with the user’s typical whereabouts. To defeat this check, malware authors simply turned the user’s machine into a proxy, making the transaction appear to originate from the victim’s own IP address.

Device identification became increasingly sophisticated over the years, adding many parameters of the user’s environment to fingerprint trusted devices. But cybercrime is an arms race, and malware developers did not fall behind. To sidestep device fingerprinting altogether, they devised their own circumvention technique: hidden VNC (Virtual Network Computing), which lets them commit the fraudulent transaction from the user’s own machine without ever being noticed.

In this lecture, Or and Pavel will talk about hVNC in general, but also present and demo the specific case of Gozi’s proprietary hVNC tool, which they reversed and broke in their lab. Gozi is one of the most advanced financial crime tools. It is operated by a cyber gang and sees constant innovation and upgrades.

In their talk at DeepSec 2017, Pavel and Or will elaborate on the following subjects:

  • What VNC is, and its inherently legitimate uses
  • What hVNC is, and why it is used in crime
  • Which financial malware families use hVNC
  • Some of hVNC’s dirty tricks, shown and explained
  • The reversing of Gozi ISFB’s hVNC module (architecture and structure)
  • Live demo [1/2] – executing the hVNC module and presenting a live session
  • Live demo [2/2] – seeing the actual fraudster session (the hidden part) – script and demo
  • Detection and mitigation advice for the audience

This session is best suited for stakeholders who work in the anti-fraud departments of their organizations, malware researchers, analysts, and cybercrime investigators. The session requires basic understanding of what banking Trojans are, but does not require specific technical knowledge beyond an information security background.

Pavel Asinovsky has been a malware researcher at IBM Trusteer for more than two years. Prior to that, Pavel worked as a malware researcher for F5 Networks and as a malware analyst at RSA-EMC. Pavel has wide experience in, and a strong interest in, malware analysis.

Or Safran has been a malware researcher at IBM Trusteer for three years and holds a Bachelor of Science degree in Computer Software Engineering. Or has keen interest in hardware and software reverse engineering.

DeepSec 2017 Talk: Normal Permissions In Android: An Audiovisual Deception – Constantinos Patsakis

The Marshmallow release (Android 6.0) was a significant revision of Android. Among the new features introduced, one of the most significant is, without any doubt, runtime permissions. The permission model was totally redesigned, categorising permissions into four main protection levels according to how much risk a user is exposed to when the permission is granted. Normal permissions therefore imply the least risk for the user. However, there are some important issues with them. Firstly, these permissions are not actually displayed to the user: they are not shown upon installation, and the user has to dig through several menus to find them for each app. Most importantly, these permissions cannot be revoked. Unlike permissions categorised as dangerous, which the user can grant or revoke whenever deemed necessary, normal permissions are granted automatically and cannot be revoked unless the user uninstalls the app that uses them.

The research question that arises from this change is whether apps that request only normal permissions are benign. Note that an app requesting only normal permissions will never trigger any alert that requires action from the user, so the user is more likely to install it and not worry about it. Furthermore, since these permissions are granted automatically, any malicious action that can be performed with them can be ported to any installed app, as it will not require any user interaction.

In his talk at DeepSec 2017 Constantinos Patsakis will show several attacks that can be launched by such applications ranging from overlays and tapjacking to recording audio without requesting any permission categorised as dangerous.
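To make the distinction above concrete, here is an added triage script (not code from the talk or from the Android project) that reads a decoded AndroidManifest.xml, as produced by apktool, and answers the question the talk raises for a given app: will the user ever be asked anything at all? Permissions at the “dangerous” level are prompted for (at runtime when the app targets API 23 or later, in the install-time list before that); “normal” permissions are granted silently at install and stay granted until the app is uninstalled; “special” ones such as SYSTEM_ALERT_WINDOW are toggled in Settings rather than prompted. The three tables are a small subset copied from the Android permission documentation and are assumptions of this example; the authoritative list for a device comes from `adb shell pm list permissions -g -d` and should be used to refresh them. The two manifests and the `com.example.*` package and permission names are constructed for the demonstration.

```python
"""Permission triage for an Android app: will the user ever see a prompt?

Added example, not code from the talk or from Android. Input is a decoded
AndroidManifest.xml (apktool output). Tables are a SUBSET of the platform's
protection levels (assumption); refresh them from `adb shell pm list
permissions -g -d` for the device under test.
"""
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
RUNTIME_PERMISSION_API = 23   # Android 6.0 (Marshmallow)

# Prompted for: runtime dialog (targetSdk >= 23) or install-time list.
DANGEROUS = {
    "android.permission.READ_CONTACTS", "android.permission.WRITE_CONTACTS",
    "android.permission.CAMERA", "android.permission.RECORD_AUDIO",
    "android.permission.ACCESS_FINE_LOCATION", "android.permission.ACCESS_COARSE_LOCATION",
    "android.permission.READ_SMS", "android.permission.SEND_SMS",
    "android.permission.READ_PHONE_STATE", "android.permission.CALL_PHONE",
    "android.permission.READ_EXTERNAL_STORAGE", "android.permission.WRITE_EXTERNAL_STORAGE",
    "android.permission.READ_CALENDAR", "android.permission.BODY_SENSORS",
}
# Granted silently at install, not shown, not revocable without uninstall.
NORMAL = {
    "android.permission.INTERNET", "android.permission.ACCESS_NETWORK_STATE",
    "android.permission.ACCESS_WIFI_STATE", "android.permission.CHANGE_WIFI_STATE",
    "android.permission.BLUETOOTH", "android.permission.BLUETOOTH_ADMIN",
    "android.permission.VIBRATE", "android.permission.WAKE_LOCK",
    "android.permission.RECEIVE_BOOT_COMPLETED", "android.permission.SET_WALLPAPER",
    "android.permission.MODIFY_AUDIO_SETTINGS", "android.permission.NFC",
    "android.permission.KILL_BACKGROUND_PROCESSES", "android.permission.REORDER_TASKS",
    "android.permission.EXPAND_STATUS_BAR",
}
# "Special access": a Settings toggle, never a permission dialog.
SPECIAL = {"android.permission.SYSTEM_ALERT_WINDOW", "android.permission.WRITE_SETTINGS"}


def parse_manifest(manifest_xml):
    """Return (targetSdkVersion or None, list of declared permission names)."""
    root = ET.fromstring(manifest_xml)
    target_sdk = None
    uses_sdk = root.find("uses-sdk")
    if uses_sdk is not None and uses_sdk.get(ANDROID + "targetSdkVersion"):
        target_sdk = int(uses_sdk.get(ANDROID + "targetSdkVersion"))
    names = [el.get(ANDROID + "name") for el in root.iter("uses-permission")]
    return target_sdk, [n for n in names if n]


def triage(manifest_xml):
    """Classify declared permissions and decide whether any prompt exists."""
    target_sdk, perms = parse_manifest(manifest_xml)
    known = DANGEROUS | NORMAL | SPECIAL
    report = {
        "target_sdk": target_sdk,
        "dangerous": sorted(p for p in perms if p in DANGEROUS),
        "normal": sorted(p for p in perms if p in NORMAL),
        "special": sorted(p for p in perms if p in SPECIAL),
        "unknown": sorted(p for p in perms if p not in known),   # look these up
    }
    # No dangerous permission means no dialog and no install-time list: the
    # app installs silently and keeps everything until it is uninstalled.
    # Unknown names are treated conservatively (not silent until classified).
    report["silent_install"] = not report["dangerous"] and not report["unknown"]
    # Runtime dialogs exist only for apps targeting API 23 or later.
    report["runtime_prompts"] = bool(report["dangerous"]) and (
        target_sdk is not None and target_sdk >= RUNTIME_PERMISSION_API)
    return report


# CONSTRUCTED manifests for the demonstration, not taken from real apps.
SILENT_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.wallpaper">
  <uses-sdk android:minSdkVersion="19" android:targetSdkVersion="25"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.SET_WALLPAPER"/>
  <uses-permission android:name="android.permission.MODIFY_AUDIO_SETTINGS"/>
  <application android:label="Wallpapers"/>
</manifest>"""

PROMPTING_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.recorder">
  <uses-sdk android:minSdkVersion="19" android:targetSdkVersion="25"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="com.example.vendor.permission.SYNC"/>
  <application android:label="Recorder"/>
</manifest>"""

if __name__ == "__main__":
    for name, manifest in (("wallpaper", SILENT_MANIFEST), ("recorder", PROMPTING_MANIFEST)):
        print(name, triage(manifest))
```

An app that comes out with `silent_install` true is exactly the case the talk is about: nothing in the permission model will ever put a dialog in front of the user, so whatever such an app can do has to be judged by reviewing its code and behaviour, not its permission list.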

Update: Google has issued an update for some of the issues presented in this talk. The patch is only for „premium“ users as described in this security bulletin for the Pixel/Nexus models.

Assistant Professor Constantinos Patsakis holds a B.Sc. in Mathematics from the University of Athens, Greece and a M.Sc. in Information Security from Royal Holloway, University of London. He obtained his PhD in Cryptography and Malware from the Department of Informatics of University of Piraeus. His main areas of research include cryptography, security, privacy, data anonymization and data mining.

He has authored more than 70 publications in peer reviewed international conferences and journals and he has been teaching computer science courses in European universities for more than a decade. Dr Patsakis has been working in the industry as a freelance developer and security consultant. He has participated in several national (Greek, Spanish, Catalan and Irish) and European R&D projects. Additionally, he has worked as researcher at the UNESCO Chair in Data Privacy at the Rovira i Virgili University (URV) of Tarragona, Catalonia, Spain and as a research fellow at Trinity College, Dublin Ireland. Currently, he is Assistant Professor at University of Piraeus and adjunct researcher of Athena Research and Innovation Center.

DeepSec 2017 Workshop: Mobile App Attack – Sneha Rajguru

The world’s gone mobile. Mobile devices far outnumber the classic computer (i.e. desktop) installation, which means you will definitely encounter these devices when testing or implementing security measures. Adversaries usually do not attack the platform itself; they use software to gain entry. This is why mobile apps are the preferred way of delivering attacks today. Understanding the finer details of mobile app attacks is fast becoming an essential skill for penetration testers as well as for app developers and testers. This is why we have a special training for you at DeepSec 2017.

So, if you are an Android or iOS user, a developer, a security analyst, a mobile pen-tester, or just a mobile security enthusiast, the training ‘Mobile App Attack’ is of definite interest to you. The course gives attendees an in-depth technical explanation of some of the most notorious mobile (Android and iOS) vulnerabilities and ways to verify and exploit them, covers various Android and iOS application analysis techniques and the platforms’ built-in security schemes, and teaches how to bypass those security models on both platforms.

With live demos using realistic vulnerable Android and iOS apps intentionally crafted by the trainer, Sneha Rajguru, attendees will look into some of the common ways malicious apps bypass security mechanisms or misuse the permissions they are given.

Apart from that, trainees will get a brief understanding of what is special about the security of the latest Android 8 and iOS 10 releases and their related flaws. The course outline is as follows:

  • ARM basics and Android native code.
  • Reverse engineer Dex code for security analysis.
  • Jailbreaking/rooting of the device and also various techniques to detect jailbreak / root access.
  • Runtime analysis of the apps by active debugging.

Modifying parts of the code – be it particular functions or classes – and detecting such modifications: you will learn how to find and compute the checksum an app uses to verify its own code. The objective of this section is to reverse engineer an application, obtain its executable binaries, modify those binaries accordingly, and re-sign the application.

Runtime modification of code – the objective is to learn how programs can be changed or modified at runtime. You will learn how to perform introspection and override the default behaviour of methods during runtime, and then how to identify whether methods have been changed. For iOS you can make use of tools such as Cycript, Snoop-it, etc.

By the end of the training, CTF challenges written by the trainer and based on the course content will be launched, and attendees will use the skills learnt in the workshop to solve them. The workshop itself will begin with a quick overview of the architecture, file system, permissions and security model of both the iOS and Android platforms.

We recommend this training for anyone shepherding mobile devices or penetration testing environments where these devices get you an advantage.

Sneha works as a Security Consultant with Payatu Software Labs LLP. Her areas of interest lie in web application and mobile application security and fuzzing. She has discovered various flaws in open source applications such as PDFLite, Jobberbase, Lucidchart and more. She has spoken and given training at GNUnify, FUDCon, DefCamp, DEF CON, BSidesLV, AppSec USA and Nullcon. She is also the chapter lead for null – Pune.

Science First! – University of Applied Sciences Upper Austria (FHOOe) supports DeepSec

The motto of DeepSec 2017 is „Science first!“. This is expressed by the co-located ROOTS workshop, many speakers from academia, topics fresh from the front lines of research, and a mindset that favours facts over fake content or showmanship. This is why we want to thank the University of Applied Sciences Upper Austria for their continued support of DeepSec! Their motto is Teaching and learning with pleasure – researching with curiosity, which fits nicely with the mindset of most information security researchers. They have a wide range of very interesting research projects. If you are interested in courses or in collaboration as a company, let them know. We are happy to support you with your enquiry.

Lest you forget: DeepSec offers a steep discount for anyone in academic research – be it student or professor. Contact us for your ticket code in order to enjoy the full spectrum of DeepSec with a discount!

DeepSec 2017 Workshop: Hunting The Adversary – Developing And Using Threat Intelligence – John Bambenek

The arsenal of components you can use for securing your organisation’s digital assets is vast. The market offers a seemingly endless supply of application level gateways (formerly known as „firewalls“), network intrusion detection/prevention systems, anti-virus filters for any kind of platform (almost down to the refrigerator in the office), security tokens, biometrics, strong cryptography (just stay away from the fancy stuff), and all kinds of Big Data applications that can turn shoddy metrics into beautiful forecasts of Things to Come™ (possibly with a Magic Quadrant on top, think cherry). What could possibly go wrong? Well, it seems attackers still compromise systems, copy protected data, and get away with it. Why is that? Easy: You lack threat intelligence.

Security often doesn’t „add up“, i.e. you cannot improve your „security performance“ by buying fancy appliances/applications and piling them on top of each other. What you get is a heap of solutions solving very different problems. Your enemies of the day have patience, use superb reconnaissance, and employ sophisticated tools against you. Stealth is the key. Not being detected pays off. Before you panic and close shop, there may be a way to improve your defence – intelligence. John Bambenek (Bambenek Consulting / SANS Internet Storm Center) will conduct a training at DeepSec 2017 titled „Developing and Using Cybersecurity Threat Intelligence“.

There is a lot of theoretical talk about how you can boost your „security intelligence“. That’s great, but you cannot boost your defences by just thinking about the implementation of, well, stuff. Getting to know what the capabilities of your adversaries are and using all your options to detect and disclose their activities is the most crucial step. During the course of the two-day training you will learn which tools you can use to gain insight into the attacker’s mode(s) of operation, and – most important of all – how to integrate these capabilities into your existing infrastructure. Not everything you have done so far was in vain. The training will be a mixture of lecture and hands-on exercises. Mr Bambenek will show you that your chances of not getting hacked or to ward off an attack aren’t as bad as you might think.

The workshop is intended for everyone having digital assets and needs to defend them. If you have read this blog article, then there’s a high probability that you have sufficient digital assets to protect and a reason to attend the training.

Google supports DeepSec 2017

You have probably heard of Google. Well, you will be hearing more from them if you come to DeepSec 2017. They have agreed to support our conference. They will be on site, and you will be able to talk to them. Every year we aim to give you opportunities for a short-cut, for exchanging ideas, and for thinking of ways to improve information security. A big part of this process is fulfilled by vendors and companies offering services in the information security industry. This includes the many good people at CERTs and the countless brave individuals in the respective security teams.

So we hope you take advantage of Google’s presence at DeepSec. See you in Vienna!

DeepSec 2017 Workshop: SAP CTF Pentest: From Outside To Company Salaries Tampering – Yvan Genuer

The SAP business suite is widespread among enterprises. It is the heart of the operation, at least in terms of business logic, administration, accounting, and many other cornerstones of big companies. SAP itself was founded in 1972. Its software has now grown up and lives with the Internet and cloud platforms next door. Due to the SAP software being a platform itself, it is quite unwieldy for hackers to handle. If you believe this, then we recommend the SAP CTF Pentest training at DeepSec 2017! Yvan Genuer has something to show to you:

SAP is boring, too big or too complicated? What about learning SAP security during a fun CTF workshop? We provide a pre-configured attacker VM with all the tools required for the workshop activities. Attendees learn how to work against different SAP system targets with different configuration issues in a ‘realistic’ environment. Few slides, lots of practice – that is the leitmotiv of this guided SAP pentest workshop.

SAP is no longer an unknown black box for the security community, and SAP products appear more and more often in audit requests. This training focuses on SAP NetWeaver. Because we cannot seriously cover all SAP software in two days, we decided to work on the most frequent vulnerabilities we encountered during our pentests. We provide different SAP systems with different configuration issues in a ‘realistic’ environment, as well as a pre-configured attacker VM with all the tools required for the training activities. SAP knowledge is not required.

Prerequisites:
General knowledge of pentesting. SAP knowledge is NOT required.

Target audience:
Pentesters or security professionals. Anyone interested in learning about SAP security.

Material to bring by attendees:
A laptop capable of running a virtual machine, with 10 GB of free disk space and 1 GB of RAM for the VM.

The course will teach you SAP NetWeaver and the SAP platform from the inside out and vice versa: technical components such as SAProuter, their interactions, the basics of SAP security, the attack surface, risks, the SAP GUI, and much more. If you do penetration testing in an enterprise environment, you cannot do without this knowledge!

Update: Unfortunately the trainer has cancelled the training. We will try to offer SAP related workshops for DeepSec 2018. However you can hack and pen-test enterprise systems/platforms with the knowledge of other trainings and the conference presentations as well.
Yvan has nearly 15 years of experience with SAP. Starting out as an SAP Basis administrator for various well-known French companies, he has focused on SAP security for the past five years and is now head of SAP assessment and pentesting in the Devoteam security team. Although a very discreet person, he has received official acknowledgements from SAP AG for vulnerabilities he reported. Furthermore, he is a longtime member of the GreHack conference organisation committee and has conducted an SAP pentest workshop at Clusir 2017, as well as a full training at Hack In Paris 2017.

DeepSec 2017 Talk: How To Hide Your Browser 0-days: Free Offense And Defense Tips Included – Zoltan Balazs

There is a famous thought experiment described in the book A Treatise Concerning the Principles of Human Knowledge. It deals with the possibility of unperceived existence; for example does a falling tree in the forest make a sound when no one is around to hear it? Given the many reports and mentions about zero-day exploits, the question might be rephrased. Does a zero-day exploit cause any effects when no one is able to detect its presence? Before we completely get lost in philosophy, the question has a real background. Zoltan Balazs wants to address the issue of zero-days in his DeepSec 2017 presentation. The idea seems somewhat contrary to intuition – protecting exploits from being disclosed.

Zero-day exploits targeting browsers are usually very short-lived. These zero-days are actively gathered and analyzed by security researchers. One example is the case of Ahmed Mansoor, who was targeted by an iOS 0-day exploit. The Citizen Lab analyzed the 0-day exploit, and Apple patched the vulnerability within days. Whoever targeted Mansoor lost a precious 0-day exploit worth hundreds of thousands of dollars.

In my research, I propose a solution for law enforcement, 0-day brokers, and advanced attackers to protect their browser exploits. The key step is to establish key agreement between the exploit server and the victim browser. After a shared key is set up, attackers can encrypt the real exploit with AES. It is recommended to encrypt both the code to trigger the exploit and the shellcode. This idea was first published by me, and quickly adopted by exploit kit developers in-the-wild.

We recommend attending this talk, because it definitely opens a whole lot of questions for discussion, technical and philosophical.

Zoltan (@zh4ck) is the Chief Technology Officer at MRG Effitas, a company focusing on AV testing. Before MRG Effitas, he had worked as an IT Security expert in the financial industry for 5 years and as a senior IT security consultant at one of the Big Four companies for 2 years. His main expertise areas are penetration testing, malware analysis, computer forensics and security monitoring. He released the Zombie Browser Tool that has POC malicious browser extensions for Firefox, Chrome and Safari. He is also the developer of the Hardware Firewall Bypass Kernel Driver (HWFWBypass) and the Sandbox tester tool to test Malware Analysis Sandboxes. He has been invited to give presentations worldwide at information security conferences including DEF CON, Hacker Halted USA, Botconf, AusCERT, Nullcon, Hackcon, Shakacon, OHM, Hacktivity and Ethical Hacking. Zoltan passed OSCE recently, and he is very proud of it.
DeepSec 2017 Talk: BITSInject – Control Your BITS, Get SYSTEM – Dor Azouri

Microsoft introduced the Background Intelligent Transfer Service (BITS) with Windows XP; it has been part of every later Windows release, and a version was also made available for Windows 2000. Windows 7 and Windows Server 2008 R2 feature version 4.0. BITS is designed to use idle bandwidth to transfer data to and from servers. BITS is an obedient servant, and it may be abused into doing transfers on behalf of others. Dor Azouri will present his findings regarding BITS at DeepSec 2017.

Windows’ BITS service is a middleman for your download jobs. You start a BITS job, and from that point on, BITS is responsible for the download. But what if we tell you that BITS is a careless middleman?

Current Windows software comes packaged with a mix of old and new features and components. New, shiny features and capabilities are added, with none of the old components needing to give up their place. That’s why the Windows software landscape resembles a modern state-of-the-art office, with one or two pieces of refurbished furniture. One of these refurbished pieces of furniture is the BITS service. BITS has been with us since Windows XP and has since evolved through 5 major versions; the most recent release was in 2012. BITS transfers files over HTTP asynchronously in the background. Its most widespread use is downloading Windows updates from Microsoft servers, and many other programs use it for downloading their updates as well. In his talk, Dor presents a new method and tool, called BITSInject, that allows a local administrator to take complete control of the BITS job queue through an undocumented interface, and eventually run arbitrary programs as the LocalSystem account within session 0.

Microsoft Windows administrators, take a look at Dor’s talk! Unprivileged users should also attend to elevate their status.

Dor is a security professional with 6+ years of unique experience in network security, malware research and infosec data analysis. Currently he is doing security research at SafeBreach.

DeepSec 2017 Talk: XFLTReaT: A New Dimension In Tunnelling – Balazs Bucsay

“Our new tool XFLTReaT is an open-source tunnelling framework that handles all the boring stuff and gives users the capability to take care of only the things that matter”, says Balazs. “It provides significant improvements over existing tools. From now on there is no need to write a new tunnel for each and every protocol or to deal with interfaces and routing. Any protocol can be converted to a module, which works in a plug-and-play fashion; authentication and encryption can be configured and customised on all traffic, and it is also worth mentioning that the framework was designed to be easy to configure, use and develop.”

We asked Balazs Bucsay a couple more questions about his talk:

Please tell us the top 5 facts about your talk.

  1. Tunnelling is not new at all, but this framework is and it unites all the techniques into one.
  2. The talk includes some low-level information as well, but it can be easily understood because it will start with the basics and build upon that.
  3. Live demos will be presented and it will be revealed how easy it is to use the framework and to create working tunnels by selecting the appropriate protocol.
  4. I will give recommendations for both red and blue teams. Both teams can use the tool to discover and exploit vulnerabilities and misconfigurations on the network. The blue teams can try to detect the hidden data flow, red teams can tunnel connections and exfiltrate data with the framework.
  5. This framework is awesome.

How did you come up with it? Was there something like an initial spark that set your mind on creating this talk?

I was in this situation so many times before, where I needed unfiltered Internet access on a (filtered) network or just a reliable channel to exfiltrate data as a proof for the client. Unfortunately there were no proper solutions for this, or different tools had to be used. I got bored with this situation and started to play with the thought that there might be a way this could be modelled and coded into a framework. As of now, my original idea seems to be working and the same basic approach works with all the protocols: a module can be created just for tunnelling and all the other stuff is handled by the framework.

Why do you think this is an important topic?

I rather think that this part of IT security had to be fixed. If you take a look at the conferences, talks, research etc., they always try to find new things, new ways to bypass protections or to exploit vulnerabilities, but not many people try to improve existing topics. I do not always agree with that approach. I think it is more important to create stable baselines and do research with those rather than creating useless Proof of Concepts. Tunnelling is certainly not a new thing, but have you ever tried to do tunnelling over several protocols? Or use a transport protocol which is not a typical one? I can tell you, it was a pain, and I think I helped on this; now it is a bit easier than it was, and this is what matters to me.

Is there something you want everybody to know – some good advice for our readers maybe?

Do not come to my talk. Just kiddin’. I am Hungarian, I can be bribed with beers, club mate and/or good chats. Come and see me, have your questions and hopefully your answers, join the development, make requests and create issues on GitHub.

A prediction for the future – what do you think will be the next innovations or future downfalls when it comes to particularly your field of expertise / the topic of your talk?

The world gets more and more digitalised, there will be more breaches all around. We already got used to it and I do not think this will change in a good way. The only thing that we can do is that we try to take care of our own little sweepings to make sure we are not the ones who get breached.


Balazs Bucsay (@xoreipeip) is a Senior Security Consultant at NCC Group in the United Kingdom who does research and penetration testing for various companies. He has presented at many conferences around the world including Honolulu, Atlanta, London, Oslo, Moscow, and Vienna on multiple advanced topics relating to the Linux kernel, NFC and Windows security. Moreover he has multiple certifications (OSCE, OSCP, OSWP, GIAC GPEN) related to penetration testing, exploit writing and other low-level topics; and has degrees in Mathematics and Computer Science. Balazs thinks that sharing knowledge is one of the most important things in life, so he always shares his experience and knowledge with his colleagues and friends. Because of his passion for technology, he starts his second shift in the evenings, right after work, to do further research.

DeepSec 2017 Talk: Insecurity In Information Technology – Tanya Janca

A lot is expected of software developers these days; they are expected to be experts in everything despite very little training. Throw in the IT security team (often with little-to-no knowledge of how to build software) telling developers what to do and how to do it, and the situation is further strained. This silo-filled, tension-laced situation, coupled with short deadlines and mounting pressure from management, often leads to stress, anxiety and less-than-ideal reactions from developers and security people alike.

In this talk Tanya Janca will explain how people’s personal insecurities can be brought out by leadership decisions in the way we manage our application security programs, and how this can lead to real-life vulnerabilities in software and other IT products. This is not a soft talk about “feelings”; it is a talk about creating programs, governance and policies that ensure security throughout the entire SDLC.

No more laying blame and pointing fingers; it’s time to put our egos aside and focus on building high-quality software that is secure. The cause and effect of insecurities and other behavioural influencers will be presented, along with several detailed and specific solutions that can be implemented at your own place of work, immediately. No more ambiguity or uncertainty from now on, only crystal clear expectations.

We asked Tanya a few questions about her topic of interest.

Please tell us the top 5 facts about your talk.

The way many companies run their security and development programs causes serious friction between the two teams. This “friction” can cause job insecurity. When people feel job insecurity they act out in predictably negative ways. Those ways of acting out negatively often result in insecure software. We must fix this problem.

How did you come up with it? Was there something like an initial spark that set your mind on creating this talk?

I have seen similar behaviour in the different places that I have worked. As I started speaking at conferences and meeting many, many people in InfoSec, it turned out that it’s happening all over, not just in the places I have worked. It’s systemic. And I love fixing problems, so I decided I would create this talk in hopes that I can help.

Why do you think this is an important topic?

I’m passionate about application security. I was a developer for a long time, and dealing with the security team was unpleasant at times. We are not going to have secure software any time soon if we don’t fix the system issues. I feel this issue is systemic.

Approximately 27% of security incidents are caused by insecure software. That’s quite a bit. This issue should be important to everyone.

Is there something you want everybody to know – some good advice for our readers maybe?

We need to stop blaming each other and pointing fingers when things happen and instead focus on how to ensure we fix issues so that we are more secure in the future. We need to take responsibility and do better, and put our egos aside. It’s time to get to work.

A prediction for the future – what do you think will be the next innovations or future downfalls when it comes to your field of expertise / the topic of your talk in particular?

I predict that there are going to be quite a few new jobs in the application security field, until we start figuring out how to make creating secure software a lot easier. Right now it’s very difficult. It has to get easier.

Tanya Janca is an application security evangelist, technical advisor, web application penetration tester and vulnerability assessor, trainer, public speaker, ethical hacker, OWASP DevSlop Project Leader, Chapter Leader of OWASP Ottawa, Effective Altruist and has been developing software since the late 90s. She has worn many hats and done many things, including: Web App PenTesting, Technical Training, Custom Apps, Ethical Hacking, COTS, Incident Response, Enterprise Architect, Project and People Management, and even Tech Support. She can currently be found helping the Government of Canada secure their web applications.