DeepSec 2019 Training: IoT/Embedded Development – Attack and Defense Lior Yaari

Every developer makes mistakes. If you are unlucky, these mistakes result in a security vulnerability, an almost untraceable bug for the normal developer. Going around the world, helping developers to find and understand the vulnerabilities they’ve accidentally created, we learned that unlike bugs, vulnerabilities are invisible to the eye, mind and UT. No one teaches developers how an attacker thinks, what computers security mechanisms are capable of (and what not), and how to avoid creating possible security mistakes endangering your customers.

In this course we will teach you the basics of Embedded Devices security from the beginning: How vulnerabilities are created and how an attacker approaches a new device. From the internals, – physical manipulations, buffer overflows, memory corruptions, timing attacks, all the way to the solution: How to avoid common mistakes and even the uncommon ones. We will learn both how to detect such mistakes, and how to prevent them.

Don’t expect to learn the secure development basics you can find on Google. Meeting with dozens of developers we mapped development patterns and misconceptions that led to security issues, and hope to help you understand not just about the technical mistakes (“check the buffer size before coping”) but to develop a thinking pattern that will help you to detect the next security flaw, use it or close it. Each lab day will consist of lectures and hands on hacking exercises , vulnerability mitigation exercises, along with tips on how to avoid and detect security flaws.

We asked Lior a few more questions about his training.


Please tell us the top 5 facts about your training.

  1. I believe that for real and deep understanding of a subject you need to practice it – so every lesson I teach comes with hands on exercises.
  2. All materials are based on real stories and vulnerabilities I encountered during my work as an embedded security researcher. Join if you wish to hear the stories as well.
  3. This is the 5th training workshop I built, but the first commercial one. All past workshops are used by the military cyber training, and the oldest one of them is 5 years old and still rocking.
  4. I can talk about embedded security for a month, this training contains the top most important subjects I think people should begin with.
  5. Anyone interested in security can join! The workshop is built so that it would be interesting and beneficial for both new comers and experienced engineers. Lab materials differ so that each participant faces challenges that are relevant to him.


How did you come up with it? Was there something like an initial spark that set your mind on creating this training?

As part of my line of work as a security researcher I perform “code security assessments” in which I met with developers from all around the world: India, Singapore, France, Germany, Romania and more. I was reviewing their source code, looking for vulnerabilities. Obviously I found many vulnerabilities, but that was not the interesting part of the job. What fascinated me most was the reaction of people discovering their system is not safe as they thought – grave sadness, uncontrollable laughter and most importantly a great spark of interest. Everyone I met was eager to learn more about security and to become a better developer, security manager, VP R&D, better for the next round.

Right before I would go the managers would ask me: “Lior, How can we teach everyone here to avoid those mistakes? To write safer code?” I did not have an answer, but now I do. Understanding the need for secure development training both for developers and researchers is what made me start my own business that offers end to end solutions – we find vulnerabilities, help you fix them, and teach you to avoid them.


Why do you think this is an important topic?

IoT and embedded devices is the fastest and biggest growing market of the technological industry, and their security standard is terrible. Vulnerability research for embedded devices is equivalent to Windows research in the 90’s.

If we don’t want our fridges, vehicles, medical devices and smart homes to be hacked – embedded security should concern us. I think every developer those days needs to understand the importance of security, and how to implement it in his code and that every researcher needs to understand the opportunities they face.


Is there something you want everybody to know – some good advice for our readers maybe?

Security is complicated. It is impossible to teach in two days, or even in two months. But a little is better than nothing, and every organization needs to think of security when planning its’ goals. So my advice would be – always plan for security. Otherwise you will regret it when things will go south.


A prediction for the future – what do you think will be the next innovations or future downfalls when it comes to your field of expertise / the topic of your training in particular?

There are plenty of great IoT and embedded startups, with some of whom I work closely. The biggest gap in IoT and embedded security is knowledge, but it could be partially closed by other means: means that would prevent a developer from creating a vulnerability, before the product is out. Some of these technologies are out: static code analyzers or library control tools. And some are on their way: Automated fuzzing, firmware analyzers and more. Sadly, these solutions have a major downfall – they are f***ing expensive. IoT giants might use them, but the little startups would struggle. And the results? A growing cyber threat, and a growing market for solutions.


Who Should Attend

  • Embedded/IoT engineers and developers who wish to understand security and avoid security coding mistakes
  • Web/Network security experts who with to get the basics of low level security
  • Everyone who is interested in embedded/IoT vulnerabilities, from the basics to advanced subjects.


Who Not Should Attend

  • Experienced low level vulnerability researchers
  • IoT advertisers


Prerequisite Knowledge

  • Knowledge in C/C++ and Python is recommended. If you miss one of them, it is OK. The workbook will guide you.
  • Basic knowledge in Linux command line


Hardware/Software Requirements

  • Laptop with 4GB+ RAM. Preferably with Windows OS
  • Installing the software pack that will be supplied a few days before the training.



Day 1:

Morning: Introduction to Cyber Security:
– What are vulnerabilities
– Famous attacks
– How a vulnerability is created
– Vulnerabilities types and classification
– The mind of an attacker

Noon: Memory Corruption Vulnerabilities
– Complied programs memory layout
– Buffer overflows + Lab
– Format string attacks + Lab
– Integer overflows + Lab
– Command Injections
– Summary – how to find and avoid

Day 2:

Morning: Cryptographic Security Mechanisms and How To Use Them
– Hashes
– Encryption
– Signatures
– Common usage mistakes
– Summary – how to find and avoid

Noon: Embedded Devices Attacks
– TOCTOU attacks + Lab
– SPI intrusion
– Memory swaps
– Gliching + Lab
– Summary – how to find and avoid
– Final exercise – finding and fixing vulnerabilities in large code


Lior is an expert in embedded security research. After more than six years as a technological officer in the Israeli military, he joined the cyber security industry as a vulnerability researcher for autonomous vehicles. More than 40 vulnerabilities later he decided to share his knowledge in order to help the world avoid the next security breach. His consulting company, Imperium Security, aims to teach every developer to secure his own code. Lior has been rated one of the top lecturers of Israeli military technological trainings for the past 5 years, every year.

About Imperium Security: Imperium is a consulting company that helps embedded devices companies globally to secure their products. The company performs security assessments – finding vulnerabilities in source codes, security design consulting, and secure development training’s for developers.

DeepSec 2019 Training: Analysing Intrusions with Suricata – Peter Manev & Eric Leblond

Defending your network starts with understanding your traffic. More than just an IDS/IPS, Suricata can provide the visibility to solve incidents quickly and more accurately by enabling context before, during, and after an alert. In this course, attendees will learn the skills required to identify, respond and protect against threats in their network day to day as well as to identify new threats through structured data aggregation and analysis. Hands-on labs consisting of real-world malware and network traffic will reinforce the course’s concepts while utilizing the latest Suricata features. Come and see what you’ve been missing in your network and unlock the full potential of network security, detection, and response with Threat Hunting with Suricata at the DeepSec 2019 training.

In this course, students will learn through a combination of lecture and approximately 15 hands-on labs (depending on workshop duration):

  • Identify key strategies for network security architecture and visibility
  • Learn the fundamentals of rule writing and rule comprehension
  • Understand how to manage rule sources and create effective rulesets
  • Develop methods for establishing network baselines
  • Recognize traffic anomalies
  • Use Suricata to capture network traffic and replay PCAPS
  • Utilize log aggregation and shipping services to build a complete picture
  • Perform traffic analysis and create visualizations with Kibana
  • Develop a custom network sensor with Suricata and ELK
  • Analyze suspicious traffic to determine maliciousness
  • Learn how to pivot off of key attack indicators using threat intelligence
  • Analyze true positive and false positive alerts
  • Leveraging rules specifically for threat hunting
  • Deploying honey tokens

We asked Peter and Eric a few more questions about their training.


Please tell us the top 5 facts about your talk.

  1. Attendees will analyze the major phases of malware operations, performing deep technical analysis and come away with experience for detecting and hunting for threat actors. This will form the basis of an effective threat hunting program, or provide ideas to help increase the efficiency of existing programs.
  2. Attendees will learn how much more Suricata can do outside of generating alerts. Protocol specific logs, file extraction, full packet capture and TLS fingerprinting are some of the primary features the latest version of Suricata offers. In addition, they will see how to build an extensive monitoring and analysis solution with open-source software for a comprehensive security solution.
  3. Students will learn how to formulate proactive threat hunting strategies to help reduce the time from compromise to detection. They will also be able to utilize these strategies to develop effective approaches for proactive threat hunting activities. Network monitoring creates a large amount of data, this course will help attendees be able to pick out key information from all of the noise.
  4. This class offers extensive hands-on experiences that will take Suricata users and developers, and those familiar with similar IDS systems, from the efficient and fast set-up of correct operations to successful threat hunting examples in massive traffic jams with Suricata.
  5. This class also offers a unique opportunity to bring in-depth use cases, questions, challenges, and new ideas directly to the Suricata team.


How did you come up with it? Was there something like an initial spark that set your mind on creating this talk?

Protecting an enterprise network requires constant vigilance, deep technical understanding and effective security programs. With the number of breaches on the rise and the impact they have on not only the business, but also its customers, we felt that we can help the community by training them on how to perform threat hunting and develop effective strategies around it. This, in turn, can help increase an organizations ability to detect and respond to threats, minimizing the time between initial compromise and detection. This course was designed to cover the fundamental aspects of Suricata such as rule comprehension, managing rule sets, validating alerts, working through false positive/negatives and customizing rules to provide more visibility into your traffic. In-depth analysis of network traffic and the development of threat hunting strategies to detect anomalous or malicious activity will be accomplished with tools such as Moloch, Kibana and CyberChef. Hands-on real-world exercises will be used to reinforce the detection techniques and tactics explained throughout the course. Threat intelligence feeds and other online resources will also be explored to learn how to pivot between data sources while performing proactive threat hunting activities. This is an ideal course for security analysts, blue teams and malware researchers to get hands-on diving deep into malicious traffic.


Why do you think this is an important topic?

Closing the gap between when an infection occurs and when it is detected is a key goal of an effective threat hunting program. While many security solutions focus on detecting adversarial activity in real time, skilled threat actors have demonstrated the ability to bypass these security tools. This can leave an organization vulnerable to further compromise and data breaches. Having the right data available during an incident or when performing proactive threat hunting activities is crucial for success. More than just an IDS/IPS, Suricata can provide the visibility to solve incidents quickly and more accurately by enabling context before, during, and after an alert. In this course, attendees will learn the skills required to identify, respond and protect against threats in their network day to day as well as identify new threats through structured data aggregation and analysis.


Is there something you want everybody to know – some good advice for our readers maybe?

Effective threat hunting programs can help provide greater visibility into what is going on in your networks and increase your ability to detect threat actors. This course will focus on utilizing open-source tools such as Suricata, Moloch and Kibana to generate data, perform exhaustive traffic analysis and develop comprehensive threat hunting strategies. The goal is to come away with ideas, strategies and tools to develop, implement and possibly refine a threat hunting program at your organization.


A prediction for the future – what do you think will be the next innovations or future downfalls when it comes to your field of expertise / the topic of your talk in particular?

While adversary tactics change, the use of the network for such activities as command-and-control, lateral movement and data exfiltration remains. This makes monitoring a network a crucial piece of any organizations security and will remain a valuable source for detecting malicious activity. Therefore, network traffic analysis will remain a pillar on which effective security programs are built and learning how to properly defend them critical.


Peter Manev (aka pevma, in some countries also DonPedro / pevman)
Peter has been involved with Suricata IDS/IPS/NSM from its very early days in 2009 as QA lead, currently a Suricata executive council member. Peter has 15 years experience in the IT industry, including enterprise and government level IT security practice. As an adamant admirer and explorer of innovative open source security software he is also one of the creators of SELKS – an open source threat detection security distro. He is also one of the founders of Stamus Networks, a company providing security solutions based on Suricata.



Eric Leblond (aka regit) is an active member of the security and open source communities. He is a Netfilter Core Team member working mainly on communications between kernel and userland. He works on the development of Suricata, the open source IDS/IPS since 2009 and he is currently one of the Suricata core developers. He is also one of the founders of Stamus Networks, a company providing security solutions based on Suricata.

DeepSec 2019 Talk: New Tales of Wireless Input Devices – Matthias Deeg

You can’t do much with computer without input devices. Microphones do not count, yet. This leaves the classic selection of human input. How secure are these devices? Did you ever wonder when typing, moving the mouse pointer, or attaching a presenting tool? Well, your questions will be answered at DeepSec 2019.

Matthias Deeg will hold a talk where new security tales of wireless input devices like mice, keyboards, presenters, and barcode scanners using different 2.4 GHz radio-based communication technologies will be presented that have been collected over the last two years.

Furthermore, SySS IT Security expert Matthias will present answers to unanswered questions of his previous wireless desktop set research and raise the awareness of security issues and practical attacks against vulnerable wireless input devices.


Matthias is interested in information technology – especially IT security – since his early days and has a great interest in seeing whether security assumptions in soft-, firm- or hardware hold true when taking a closer look. Matthias successfully studied computer science at the university of Ulm and holds the following IT security certifications: CISSP, CISA, OSCP, OSCE.

Since 2007 he works as IT security consultant for the IT security company SySS GmbH and is head of R&D.

His research results concerning different IT security topics were presented on different international IT security conferences (Chaos Communication Congress, DeepSec, Hacktivity, ZeroNights, PHDays, Ruxcon,, BSidesVienna). He also published several IT security papers and security advisories.

DeepSec 2019 Talk: Lauschgerät – Gets in the Way of Your Victim’s Traffic and Out of Yours – Adrian Vollmer

The talk will present a new tool for pentesters called „Lauschgerät“. This python script acts as a convenient man-in-the-middle tool to sniff traffic, terminate TLS encryption, host malicious services and bypass 802.1X – provided you have physical access to the victim machine, or at least its network cable.

There are three ways to run it: Either on its own dedicated device like a Raspberry Pi or Banana Pi, in a virtual machine with two physical USB-NICs attached, or on your regular pentest system in its own network namespace. It will look like a completely transparent piece of wire to both victim systems you are getting in the middle of, even if they are using 802.1X because it is implementing the ideas presented in a talk by Alva Lease ‘Skip’ Duckwall IV.

The Lauschgerät operates with three interfaces: Two interfaces going to the victim client and the victim switch respectively, and one management interface which you can connect to and initiate the redirection of traffic, inject your own traffic, start and stop malicious services, and so forth. It comes with a few services included, such as a service that terminates TLS encryption (which will of course cause a certificate warning on the victim’s end) or a service that performs the classic “SSL strip” attack. And more to come!

An optional wireless interface can either be used as another management interface or for intercepting traffic of wireless devices. The management can be done via SSH or via a web application, making sure you can hit the ground running.

Details on its challenges regarding the implementation will be covered in the talk, focusing on the 802.1x bypass and the transparent TLS proxy, including a demo that shows how a man in the middle can modify traffic by flipping images in web pages.

We asked Adrian a few more questions about his talk.

Please tell us the top 5 facts about your talk.

  1. The talk covers details of the development and usage of the Lauschgerät.
  2. The Lauschgerät allows you to easily observe, inject and modify traffic between two network devices
  3. It looks completely transparent to those devices and bypasses 802.1X by default.
  4. It is extensible and supports launching malicious services, for example TLS eraser, which terminates TLS and redirects the unencrypted traffic on a new interface for packet capturing.
  5. It’s free, open source, and written in Python and Bash.

How did you come up with it? Was there something like an initial spark that set your mind on creating this talk?

The need for obtaining a man-in-the-middle position for encrypted connections arises regularly during penetration tests. Wanting to be able to handle differences in various network environments without having to adjust my own workflow led to the idea of creating a convenient “plug and play” solution.

Why do you think this is an important topic?

This has the potential to become a standard part in any pentesters toolbox. When pentesters become more efficient, customers benefit by receiving higher quality reports about the security of their systems. Also, it shows you quite plainly the limits of 802.1X network access control and why it may not be the panacea you might have hoped it is.

Is there something you want everybody to know – some good advice for our readers maybe?

The source code is available at If you are a pentester, I invite you take a look. It was developed with attacks on the client in mind, but attacks on the rest of the network are just as possible. I believe the talk is interesting because it covers all seven layers of the OSI model and how they are important when you want to truly man-in-the-middle a real life connection.

A prediction for the future – what do you think will be the next innovations or future downfalls when it comes to your field of expertise / the topic of your talk in particular?

My hope is that it becomes kind of a Swiss army knife for man-in-the-middle attacks, with the help of the community which can help by creating more modules.


Formerly an astrophysicist focusing on cosmology, Adrian Vollmer has been working as an IT security consultant for the Germany-based pentest company SySS since 2015. His specialty is hacking Windows networks and performing all kinds of man in the middle attacks.

Industrial Espionage and Data Tapping are commonplace in IT – DeepSec Conference provides Training for early Detection, Analysis and Mitigation

(C) Florian Stocker, 2019.The excitement used to be great when organizations, parties, celebrities, companies, or government agencies reported intrusions into their own or outsourced digital infrastructure. Meanwhile, reports of data leaks and compromised systems are almost a part of the weather forecast. Security applications on smartphones or portals offer this information to allow the user to check if they might be affected too. The networked world of everyday life makes it seemingly possible to present attack and defence in the same breath. Affected, attackers, defenders and beneficiaries move closer together. But anyone who has this impression has fallen victim to the looming simplification. Modern information technology has to deal with dangerous situations every day that have far more facets. This requires a good deal of specialist knowledge and experience.

First Responders, Analysis and Detection of Threats

All digital systems and networks now have a defence. The spectrum ranges from the minimum to hedging with great effort. During normal operation, you check the required functions and, if necessary, adjust the security measures if there are new messages. This changes abruptly when an actual breach is discovered. The so-called incident response is fundamentally different from the normal operation. It must be determined which systems, applications and data are affected. What have attackers changed? What evidence is there? Thomas Fischer and Craig Jones will be hosting a training session at this year’s DeepSec, where one can learn and try out the processes of Incident Response. Such situations require a very structured and careful approach. The exercises also teach how to spot vulnerabilities and potential threats in your own infrastructure or organization before they are found by potential attackers. In the two days of training, all aspects of this procedure will be performed. The participants also learn about the necessary tools that are needed in such cases.

Breaches go unnoticed for a long Time

Unfortunately, compromised systems are often not discovered immediately. Skillful opponents avoid being detected in order to benefit from the breach for as long as possible. The time between attack and discovery can range from weeks to many months. You can shorten this period by dealing in detail with the normal operation of your own infrastructure and trying to detect deviations. Peter Manev and Eric Leblond, specialists in network intrusion analysis, teach in a two-day training session how this works. Both have been involved in the development team of Network Intrusion Detection Software Suricata for over 10 years. Through their work, they have deep insight into the processes of network transfers and a great deal of experience in finding anomalies. The training will use real data from historical incidents to directly try out techniques. In addition to learning to deal with the tools for discovery, you also learn how to use bait to make it easier to discover attackers. It also teaches how to better distinguish between false positives and real alarms.

Use existing Data, detect new Attacks

Ways to detect events are often already there. Log data is available in all areas of IT. Systems and applications even generate data that is extremely helpful in defence. Xavier Mertens shows in his workshop how to raise these treasures. It will combine techniques for detecting anomalies on systems (OSSEC in particular) with externally available information to sharpen the image of the situation. These so-called Open Source Intelligence (OSINT) sources provide important data to supplement. Xavier Mertens will teach with examples how to properly integrate this data into your own defence. His workshop is for experienced IT administrators who want to increase the level of their defence efforts.

Guesses are always out of Place

When investigating security incidents, there should be no speculation. All findings must be based on facts that emerge from the analysis of the available data. This is an important point where serious mistakes are often made. Assumptions often sneak in, which solidify during the course of the incident. One then likes to develop a tunnel view and interprets information only one-sidedly. That is to be avoided. According to the General Data Protection Regulation (GDPR, DSGVO), incidents involving data of customers or third parties must of course be reported. This does not contradict the effort to avoid to spread any assumptions, but is necessary for the avoidance of speculation.There are numerous examples in current and past news releases. The data leak in 2017 from Equifax, a US financial services company headquartered in Atlanta, Georgia, is well documented. Without disclosing any details, individuals were asked to enter some part of their social security number on a website. The purpose was to determine if own data has been copied or not. But this hasty measure resulted in much greater uncertainty, which was not sustainably improved by rework and additional explanations. Answers that lead to more questions are not a meaningful explanation. They just might lead to  more media coverage, because the public can then speculate. In a serious context, this approach has no business.The offered training sessions for the DeepSec Conference are intended as an aid to gain experience in dealing with security incidents in a comfortable environment and to be able to design processes for emergencies in a meaningful way.

Programme and Booking

The DeepSec 2019 conference days are on 28 and 29 November. The DeepSec trainings will take place on the two previous days, the 26th and 27th of November.

The venue for the DeepSec event is The Imperial Riding School Vienna – A Renaissance Hotel, Ungargasse 60, 1030 Vienna.

Tickets for the DeepSec conference itself and the trainings can be ordered at any time at


(Original press release was published on 9 September 2019 via

DeepSec 2019 Talk: Once upon a Time in the West – A Story on DNS Attacks – Valentina Palacín, Ruth Esmeralda Barbacil

The Internet is the new frontier for some. So just like in Old West movies, we are going through a land riddled with well-known gunmen: OceanLotus, DNSpionage and OilRig, who roam at ease, while the security cowboys sleep. This presentation will uncover the toolset and techniques used by these gunmen, taking a closer look at their big guns and their behavioral patterns. We will explore the attacks involving DNS that took place during the last decade to examine the latest discovered techniques in order to improve detections to dodge the bullets they are firing in our direction.

We asked Valentina and Ruth a few more questions about their talk at the DeepSec conference. Please note that Valentine and Ruth will also speak the the DeepINTEL conference where you will get more in-depth information not suited for a public event.

Please tell us the top 5 facts about your talk.

  1. DNS was not designed having in mind that some people was going to abuse the protocol in these ways.
  2. This type of attack is carried out by intermediate, expert, advanced and strategic threat actors. There is no need of an spectacular level of expertise to be able to carry out a DNS attack.
  3. The motivations behind this type of attack are changing. We have seen a shift from financially motivated attacks with a wide range of targets, to a more targeted and  sometimes politically or military motivated attack.
  4. DNS queries are a very effective method of data exfiltration and C2 communications.
  5. You can implement different solutions to prevent this type of attack.

How did you come up with it? Was there something like an initial spark that set your mind on creating this talk?

We noticed during our daily work investigations that more and more threat actors were using DNS queries both as C2 communications and preferred exfiltration method.

Why do you think this is an important topic?

DNS queries often go unmonitored. Reviewing DNS queries manually is tedious work that can be really exhausting for any analyst. Nevertheless, nowadays we have better solutions to tackle this type of issue, but it’s still not getting enough attention.

Is there something you want everybody to know – some good advice for our readers maybe?

Always monitor your DNS traffic.

A prediction for the future – what do you think will be the next innovations or future downfalls when it comes to your field of expertise / the topic of your talk in particular?

We believe attacks involving DNS will keep growing, and we hope that our talk and many others that are been given out there, will help to raise awareness of this problem.

Valentina is one of Deloitte’s Threat Intelligence Analysts, and she has specialized in tracking APTs worldwide, using ATT&CK Framework to analyze their tools, tactics and techniques. She is a self-taught developer with a degree in Translation and Interpretation from Universidad de Málaga (UMA), and a Cyber Security Diploma from the Universidad Tecnológica Nacional (UTN).






Ruth is an information systems engineering student from the Universidad Tecnológica Nacional (UTN). She has been working at Deloitte’s Argentina Cyber Threat Intelligence area as the Threat Library Team Leader. She has gained experience related to Tactics, Techniques and Procedures (TTPs) investigation, Advanced Persistent Threats (APTs), Campaigns, Incidents and Tools to help mitigation and defense.

DeepSec Press Release: Internet of Facts and Fear in the Name of IT Security – Bits, Bytes, Security and Geopolitics

(Original press release was published on 29 August 2019 via

Nobody is an island. This statement is attributed to the English writer John Donne. The sentence became known in the 17th century. In the meantime, this has changed as a result of digitization. The modern version of the statement should read: There are no more islands. Increasing networking is reaching more and more areas of everyday life and society. So this year’s DeepSec In-Depth Security Conference wants to look soberly at the Internet of facts and fear from an information security perspective. Systems are currently less isolated and much more complex than the theory of information security technically allows. The DeepSec conference therefore dedicates its two days of conference and two days of training to current technologies and their vulnerabilities. At the same time, at the DeepINTEL seminar conference, the relationship between geopolitics and IT security will be discussed on the basis of real life events.

Internet of Attacks instead of Things

Once you connect a system to the internet, you will feel it immediately. Worthwhile or vulnerable targets are automatically searched for and attacked. Connecting sensors, devices or actuators (known as “Things” in the Internet of Things) to a network is no different. The lectures at this year’s DeepSec conference seek to connect the different aspects of IT security with this background. Mobile devices have been threatened since their very existence. Modern mobile technologies rely on data. It is therefore no surprise that Luca Melette  shows how to attack mobile systems exclusively via the Internet protocol in his presentation. Aleksandr Kolchanov will present how to compromise and mass read certain mobile devices. Lior Yaari shares his experience in the automotive industry. He has analyzed future components of modern cars, components that are not yet on the market, but are already in development. Lior will report on vulnerabilities that may roam our streets in a few years.

Training with Security Experts

Every year DeepSec Conference offers training for security experts to experts of your company. Sharing knowledge is the foundation of every good defense, not just a digital one. Due to the short-lived nature of information technology, one’s own level of knowledge and training is crucial for dealing with attacks and constant networking. The program therefore includes three different workshops dealing with attackers. Xavier Mertens teaches solving threats with open source security, using publicly available sources to communicate with and build internal processes. In addition, case studies provide examples of detecting suspicious patterns. Peter Manev and Eric Leblond show in their workshop how to detect attacks and suspicious processes in the network with the Suricata intrusion detection tool. Suricata is easy to use and offers many features. Since both coaches are part of the development team of Suricata, one learns details directly from the source about the internal processes of the software. In addition, participants will practice creating rules in real network traffic. The training is practice-oriented and is aimed at all who need to do network security. Thomas Fischer and Craig Jones show in their workshop how to deal with security incidents and how to find traces of attackers. Here, too, real cases and real examples are used to demonstrate the handling of the right tools.

Technology is not an Island either

Often, when considering security issues, only the technical point of view is considered. But there are external factors in information technology, as in other areas, that set specific framework conditions. A prominent example is the, since the 1990s, ever-recurring discussion about backdoors in digital systems and communication networks. What started with mobile and email encryption is now continuing with 5G, Messenger and software development. The Australian government passed a law in 2018 that can force tech companies to incorporate backdoors into their products. These predetermined breaking points will also be used by attackers in the future. The mathematics of encryption is relentless when it comes to security. Either you have secure communication or you do not have it. The current trade wars affect the IT world with long lasting impact and set the course for the implementation of new technologies in the next few years. That is why this year’s DeepSec and DeepINTEL will examine the interactions of information security with geopolitical issues. The lectures of both events were chosen from this perspective. Among other things, ways and means of attack, the classification of goals and the conditions for the use of security measures are discussed. We strongly recommend that security officers broaden their horizons in order to incorporate these aspects.

Programs and Booking

The DeepSec 2019 conference takes place on 28 and 29 November,
the DeepSec trainings on the two previous days, the 26th and 27th of November.

The DeepINTEL conference will take place on November 27th.
We will gladly send you the program upon request to
Tickets are available on the website

The venue for DeepSec and DeepINTEL is The Imperial Riding School Vienna – A Renaissance Hotel, Ungargasse 60, 1030 Vienna.

The program of the DeepSec conference is available at

The DeepINTEL program will be provided upon request because DeepINTEL is a non-public conference.Tickets for the DeepSec conference as well as for the DeepINTEL event and DeepSec trainings can be ordered at any time at

DeepSec 2019 Talk: Well, That Escalated Quickly! – A Penetration Tester’s Approach to Windows Privilege Escalation – Khalil Bijjou

Since the early stages of operating systems, users and privileges were separated. Implemented security mechanisms prevent unauthorized access and usage of data and functions. These security mechanisms have been circumvented a number of times, which has led to steady improvements. Nevertheless, attackers find new vulnerabilities and security holes.

Security experts often encounter Mirosoft® Windows endpoints or systems and gain low privileged access. To fully compromise the system, privileges have to be escalated. Windows contains a great number of security concepts and mechanisms. These render privilege escalation attacks difficult. Penetration testers should have a sound knowledge base about Windows components and security mechanisms in order to understand privilege escalation concepts profoundly and to apply them properly.

Khalil’s presentation at DeepSec 2019 imparts knowledge on Windows required to understand privilege escalation attacks. It describes the most relevant privilege escalation methods, techniques and names suitable tools and commands. These methods and techniques have been categorized, included into an attack tree and have been tested and verified in a realistic lab environment. Based upon these results, a systematic and practical approach for security experts on how to escalate privileges was developed.


Khalil Bijjou is a passionate penetration tester and team leader with a big curiosity for technical topics, especially in the field of IT security. He performs security assessments in the field of web, infrastructure and SAP security. Placed 2nd in the German Post IT Security Cup 2015 and carries the Mint award 2016 in the field of Cybersecurity. Publisher of the open-source tool WAFNinja which is used by security experts world-wide.

DeepSec2019 Talk: SD-WAN Secure Communications Design and Vulnerabilities – Denis Kolegov

Hardening communication protocols against network attacks is hard. And yet a lot of products are available on the market that allow you to transport data and messages. Since virtualisation entered the world of technology all things software-definded (SD) have become popular. Denis Kolegov will explain at DeepSec 2019 what the state of affairs in terms of information security is.

The SD-WAN New Hope project targets the security of SD-WAN (software defined wide area network) products. It was started in December 2017, when a customer decided to buy a very secure and well-known SD-WAN product from one of the Top 5 vendors and wanted us to perform threat modelling and a vulnerability assessment. We were doing that for 6 months and found out that the product was awful from a security perspective. It had multiple critical vulnerabilities to RCE, XXE, SQLi, unpatched software, outdated packages, no access control, etc. It seemed that we were investigating an especially vulnerable application for a Capture The Flag (CTF) or security training. We decided to find out whether other SD-WAN products are like this.

It is the end of 2019 and SDx technologies are very popular. They are everywhere. SD-WAN is used as cloud security or network transport platform. Vendors are developing SD-LAN, SD-CORE, SD-VPN, SD-Access and SD-DC products. SD-News write AI-based routing, machine learning, secure network platform unification and state-of-the-art monitoring.At the time of writing, Metro Ethernet Forum (MEF) has unveiled its “Long-Awaited SD-WAN Standard”.

At the moment, we have examined the following products:

  • Versa
  • Citrix SD-WAN
  • Fortinet SD-WAN
  • SilverPeak
  • RiverBed
  • Brain4Net
  • Cisco / Viptela
  • Viprinet

In this talk, we describe most common classes of design flaws and vulnerabilities in SD-WAN secure communication mechanisms and disclose a set of reported and already patched vulnerabilities in popular SD-WAN products. We consider some technical details of secure and insecure designs, weak attestation, zero-touch provisioning vulnerabilities, and none-TLS related padding oracle attacks. We also present the results of SD-WAN large-scale scan for vulnerabilities to common attacks in TLS implementations on the Internet.

SD-WAN New Hop(e) results can be found on this link:


Denis Kolegov is a principal security researcher at BiZone LLC and an associate professor of Computer Security at Tomsk State University. His research focuses on network security, web application security, cryptography engineering, and covert communications. He holds a PhD and an associate professor degree. Denis presented at various international security conferences including Power of Community, Area41, SecurityFest, Zero Nights, Positive Hack Days, InsomniHack and SibeCrypt.

DeepSec2019 Talk: IPFS As a Distributed Alternative to Logs Collection – Fabio Nigi

Logging stuff is easy. You take a piece of information created by the infrastructure, systems, or applications and stash it away. The problems start once you want to use the stored log data for analysis, reference, correlation, or any other more sophisticated approach. At DeepSec 2019 Fabio Nigi will share his experience in dealing with log data. We asked him to explain what you can expect from his presentation.

We want access to as much logs as possible. Historically the approach is to replicate logs to a central location. The cost of storage is the bottleneck on security information and event management (SIEM) solution, hard to be maintained at scale, leading to reduce the amount of information at disposal. The state-of-the-art solutions today focus on to analyze the log on the endpoint. This can optimize the maintenance but add the problem on updating the rules or accessing raw data. Both of the approaches are inefficient and expensive.

What we want from logs collection:

  • Comparability
  • Accessibility
  • Inference and baselines
  • Replication on topics
  • On demand access and drilldown with hashable/forensic history of status
  • Ownership: data need to point 1:1 to endpoint/people

Granting access to all endpoints hosts logs, grant at least the requirements above, with 0 storage cost and low maintenance.

This can be achieved applying the logic of non-centralized web distribution used in IPFS/IPNS protocol to log collection.

What are you going to take away from the Talk?

  • IPFS protocol explanation and features
  • How to modify the FOSS ipfs client, to make it “log friendly” and transparent to the user
  • How to define a private cluster, key management, IPNS (DNS): This will grant encryption on transit and on storage
  • How to define a IPFS gateway to collect the information using classic HTTP API
  • How to integrate the solution via the SIEM solution you have in place: This will grant the possibility to use the playbook already designed

Properties assured by the protocol include:

  • Each log file and all of the blocks within it are given a unique fingerprint called a cryptographic hash.
  • IPFS removes duplicates across the network.
  • Each network node stores only content it is interested in, and some indexing information that helps figure out who is storing what.
  • When looking up files, you’re asking the network to find nodes storing the content behind a unique hash.
  • Every file can be found by human-readable names using a decentralized naming system called IPNS.

Fabio Nigi, head of security operation at Philip Morris Digital, former security investigator at Cisco CSIRT. During and after his engineering degree in Computer Science, Fabio focused on Ethical Hacking, spent 10 years researching, analyzing and solving ICT Governance, Risk, Compliance, Information Security and Privacy issues as SMEs in Enterprise global environments.
His Linkedin Profile can be found here:

DeepSec2019 Talk: Android Malware Adventures – Analyzing Samples and Breaking into C&C – Kürşat Oğuzhan Akıncı & Mert Can Coşkuner

Android malware is evolving every day and is everywhere, even in Google Play Store. Malware developers have found ways to bypass Google’s Bouncer as well as antivirus solutions, and many alternative techniques to operate like Windows malware does. Using benign looking applications working as a dropper is just one of them. This talk is about android malware on Google Play Store targeting Turkey such as Red Alert, Exobot, Anubis, etc.

The presentation held at DeepSec 2019 will cover the following issues:

  1. Techniques to analyze samples: Unencrypted samples are often used to retrieve personal information to sell and do not have obfuscation. Encrypted samples however are used for sophisticated tasks like stealing banking information. They decrypt themselves by getting the key from a twitter account owned by the malware developer and operate by communicating with the Command & Control (C&C) channel. Also,most banking samples are using techniques like screen injection and dependency injection which is mostly used by android application developers.
  2. Bypassing Anti-* Techniques: To be able to dynamically analyze the samples, defeating anti-* techniques are often needed. We will introduce some (known) Frida scripts to be able to defeat common uses of anti-* checks malware.
  3. Extracting IoCs: Extracting twitter accounts as well as C&C from encrypted samples is often critical to perform threat intelligence over samples. Extracting IoCs while assets are still active has been crucial for our research since we are also aiming to takeover C&Cs. We will introduce (known) automatization techniques to extract twitter account, decryption key and C&C address.
  4. Extract stolen information from C&Cs: In order to extract information from C&C, one should act swiftly. The speed of the extraction process is critical since the actors change C&Cs often. We will give a detailed walkthrough about how we approach C&Cs as a target and extract the informations.

The samples and information presented in the talk are the product of our research on many bankbots – such as Anubis, Red Alert and Exobot — as well as other Turkish malware developer actors’ samples. All IoCs in this talk have been shared with the relevant third parties and are now inactive.

We asked Kürşat and Mert Can to answer a few more questions about their talk.

Please tell us the top 5 facts about your talk.

  • Google Play Store is not 100% secure.
  • There are 3.3 billion smartphone users around the world. Making the smartphone market one of the most valuable market for malware developers in terms of personal information and banking information harvesting.
  • Malware developers become more sophisticated every day and analysing TTPs becomes a necessity.
  • C&C is an integral part of mobile malware due to the fact that mobile malware, generally, aims to harvest PI.
  • Mobile malware as a service is evolving which results in malware in Google Play Store deployed in bulk. Fast analysis and infiltration needs automation.

How did you come up with it? Was there something like an initial spark that set your mind on creating this talk?

I (Mert Can) was analysing android malware targeting Turkish users. As a red teamer by nature, Kürşat was asked if we can find and infiltrate it’s C&C to salvage the stolen data and report it to the authorities. Then and there, our research began.

Why do you think this is an important topic?

Except for power users, smartphone users are easy phishing targets i.e. malicious raffle apps and banking apps. Considering that the smartphone has become an integral part of our lives which means that much of our personal data resides on our smartphones, by preventing even one campaign you can protect a lot of personal information.

Is there something you want everybody to know – some good advice for our readers maybe?

Keep your smartphone updated and don’t just trust every app in the Google Play Store.

A prediction for the future – what do you think will be the next innovations or future downfalls when it comes to your field of expertise / the topic of your talk in particular?

As mobile malware is evolving constantly (and anti-virus solutions becoming less functional), mobile malware sandboxes and intelligence platforms will become an important part of the companies who use mobile device management (MDM).

Kürşat Oğuzhan Akıncı is a Penetration Tester at STM Defence and a lecturer at TOBB University of Economics and Technology. He is also a team leader of Blackbox Cyber Security which is Turkey’s first cyber security volunteer group, coordinator and mentor of Turkcell CyberCamp and Turkish Airlines CyberTakeOff. In his free time Kürşat is performing security research through bug bounties in which he has found several vulnerabilities in critical institutions such as the NSA as well as helping Mert Can to break into C&Cs.




Mert Can Coşkuner is a Mobile Malware Analyst at Trendyol. He is drafting mobile malware analysis reports for Trendyol. He is also maintaining a Penetration Testing and Malware Analysis blog at:

DeepSec2019 Talk: Mastering AWS Pentesting and Methodology – Ankit Giri

The Cloud (whatever it really is) is the future (of whomever taking advantage of it). This is how information security experts see the outsourcing technologies based on virtualisation and application containment. Ankit Giri explains at DeepSec 2019 what defenders need to be aware of and how you can test your security controls before your adversaries do this.

(Pen)Testing the Cloud

The intent here is to highlight the fact that pentesting cloud environment comes with legal considerations. AWS (Amazon Web Services) has established a policy that requires a customer to raise a permission request to be able to conduct penetration tests and vulnerability scans to or originating from the AWS environment. We can focus on user-owned entities, identity and access management, user permissions configuration and use of the AWS API integrated into the AWS ecosystem. Some of the examples would be targeting and compromising AWS Identity and Access Management (IAM) keys, establishing access through backdoor functions provisioned through different services, testing S3 bucket configuration and permission flaws and covering tracks by obfuscating CloudTrail logs.

The Question we are trying to answer, or the Problem we are trying to solve

The flaws reported in AWS environment have the highest impact. When we talk about vulnerabilities found in a cloud environment there seems to be not much information available, as there is no specific exploit scenario. These bugs vary drastically from one cloud vendor to another. These flaws are much more complex than they appear to be because one can’t completely rely on the AWS security implementation as a cloud environment works on a shared responsibility model. This can lead organisations to underestimate the risk that they are susceptible to. However, this is what makes the configuration of the AWS platform and the traditional application code or assets in the environment even more crucial from the security standpoint of an organizations point of view.

Takeaway for the Audience from the Talk

There is no standard methodology to pentest AWS environments, as it is dependent on the type and size of infrastructure being tested and the varied services of the AWS. Looking at a configuration/feature, it can be used to perform an action which is not expected. The security audit/assessment which includes these flaws discovered in the AWS environment is a value add for the application owners organization, as these vulnerabilities would not have been detected by any tool, basic pentesting (based only on OWASP Top 10 or WASC Classification), and/or scanner.
The attendees will get an overview of different tools available to aid in pentesting cloud-specific environments, a short demo about a couple of tools, what different aspects are covered by a different set of tools, and how to use all of this as an exhaustive toolset for a comprehensive pentest.

Session Objectives

  • Developing an approach towards pentesting a specific cloud environment
  • Different tools available for pentesting cloud-specific environments, short demo of a couple of tools.
  • Areas to look in an AWS for flaws and misconfigurations, understanding the shared responsibility model.

Looking forward to see you all for Ankit’s presentation!

Speaker, presenter, and a blogger, Ankit has a diverse background in writing informational blogs. A penetration tester by profession with 4+ years of experience. Part time bug bounty hunter. Featured in Hall of fame of EFF,GM,SONY, HTC, Pagerduty, HTC, AT&T,Mobikwik and  multiple other Hall Of Fames. He loves speaking at conferences, has given talks at RSA APAC 2018, BSides Delhi 2017, CSA, Dehradun, Cyber Square Summit, OWASP Jaipur and has been a regular feature at Infosec meetups like Null and OWASP Delhi Chapter. He also leads the show for Peerlyst Delhi-NCR chapter. He has an upcoming talk at RSA US 2019 on Mastering AWS pentesting and methodology.

Deadline for ROOTS 2019 Call for Papers extended

Original source: news for all academics haunted by perpetual deadlines: We have extended the Call for Papers of ROOTS 2019! We will accept late submissions for  the ROOTS review. However you have to submit your proposal until 23 September 2019! We need time to review, so don’t be late.

If you are working on a research project and want to share your efforts so far with us, please consider submitting a project presentation via email. Last year we started to assign free presentation slots for project status presentations and feedback session. Research is a team effort, so getting in touch with colleagues can be very beneficial for your work and the work of others. Let us know what you are working on!

Posted in Conference. No Comments

DeepSec Training: Black Belt Pentesting / Bug Hunting Secrets you’ve always wanted to know

Historical bug. Source: Web and its technologies have become the perfect frontier for security experts for finding bugs and getting a foothold when doing penetration tests. Everything has a web server these days. And everything web server will happily talk to web clients. The components involved are more than just simple HTML and JavaScript. The developer notion of doing things full stack requires security experts to do the same. This is where our DeepSec 2019 training session Black Belt Pentesting / Bug Hunting Millionaire: Mastering Web Attacks with Full-Stack Exploitation by Dawid Czagan comes into play.

Dawid Czagan will show you how modern applications work, how they interact, and how you can analyse their inner workings. He will enable you to efficiently test applications, find bugs, and compile the set of information needed to fix the vulnerabilities. His workshop is targeted at software developers, security researchers, development team leaders, penetration testers, bug hunters, and software quality assurers.

You can register for Dawid’s course online. Please get your ticket as early as possible, because the number of seats is limited.

DeepSec Training: Black Belt Pentesting / Bug Hunting Millionaire – Mastering Web Attacks with Full-Stack Exploitation

Source: applications are gateways for users and attackers alike. Web technology is used to grant access to information, public and sensitive alike. The latest example is the Biostar 2 software, a web-based biometric security smart lock platform application. During a security test the auditors were able to access over 1 million fingerprint records, as well as facial recognition information. How can you defend against leaks like this? Well, you have to understand all layers of the application stack. Modern web applications are complex and it’s all about full-stack nowadays. That’s why you need to dive into full-stack exploitation if you want to master web attacks and maximize your payouts. Say no to classic web application hacking. Join the training session at DeepSec 2019 and take advantage of Dawid Czagan’s unique hands-on exercises and become a full-stack exploitation master.

Dawid is very experienced and will teach you everything you need to know. By booking his class you will also get access to six further online courses preparing you for web attack and defence. After completing this training, you will have learned about:

  • REST API hacking
  • AngularJS-based application hacking
  • DOM-based exploitation
  • Bypassing Content Security Policy
  • Server-side request forgery
  • Browser-dependent exploitation
  • DB truncation attack
  • NoSQL injection
  • Type confusion vulnerability
  • Exploiting race conditions
  • Path-relative stylesheet import vulnerability
  • Reflected file download vulnerability
  • Subdomain takeover

The list is not complete. Modern web technology uses a lot of components, data formats, protocols, and programming languages. Make sure you keep up by registering for Dawid’s training now.