Science Fictions meets Large Language Models

René Pfeiffer/ May 25, 2024/ Conference/ 0 comments

Given the advertising of the manufacturers using a Large Language Model (LLM) is just like having a conversation with a person. The reality looks different. Google’s AI search has recently recommended to glue pizza together, eats rocks, or jump off the Golden Gate bridge when being depressed. This is clearly bad advice. Apparently these answers are or were part of the learning process. Incidents like this and the hallucinations of LLM algorithms have been discussed already. Science fictions fans will recall conversations with computer or AI simulations where someone tries to trick the machine do override security checks. The Open Worldwide Application Security Project (OWASP) created a list of threats to LLM applications. The target audience are developers, designers, architects, managers, and organizations. Marc Pesce wrote an article about tests with different LLM implementations.

Read More

Ross Anderson has died

René Pfeiffer/ March 30, 2024/ High Entropy, Misc/ 0 comments

We mourn the loss of security researcher Ross Anderson. His contribution to information security and digital privacy was significant. His book Security Engineering is a cornerstone for everyone diving into the complex world of digital security. Ross taught at the University of Cambridge and Edinburgh University. He was a very prolific writer and published insights into the technological aspects of information security. He will be missed.

DeepSec and DeepINTEL 2024 Call for Papers is open

René Pfeiffer/ March 29, 2024/ Call for Papers/ 0 comments

The call for papers is open! DeepSec and DeepINTEL are waiting for your input. We are looking for your talks and trainings. Tell us what you found and tell our trainees how to defend against attacks. Please submit proposals for trainings as early as possible. We try to fill at least half of the trainings slots before the Summer, so interested persons have some more time to plan their attendance. Our main aim for 2024 is to examine the weaknesses of Large Language Models (LLMs) and explore their potential for exploitation. The obvious way is to use the prompt, but there are ways to influence of poison the training data. We have seen publications and nascent source code doing this. The less obvious way of weaponising these algorithms is to spread disinformation. Generated content

Read More

Memory Safety revisited

René Pfeiffer/ March 4, 2024/ Conference/ 0 comments

Memory safety is the most important problem in information security. This is something the White House and the NSA want you to believe. The recommendation is to use a different programming language, and all our problems will magically disappear. The proposal sounds a lot like the typical magical bullet solution, just like one of the many marketing promises of vendors since the 1990s. Attacks on memory buffers is the least of your current problems. Attackers use „living off the land“ attacks which use memory-safe scripting languages. If you look at the CWE statistics, then there are lots and lots of input validation errors that will bring down the security of many applications. Most web applications use questionable frameworks that are neither mature nor well-tested. Access to storage systems (SQL or NoSQL) still feature injections

Read More

Encryption refreshed, Plans for 2024

René Pfeiffer/ February 6, 2024/ Conference/ 0 comments

Computer science is all about automation. Repetitive tasks are best done by machines. This is true for our TLS certificate, but maybe you noticed it expired a few days ago. As always, this was because of an automated task that didn’t do what it was supposed to do. We changed parts of our infrastructure, so a few lines of code were not running on the new hardware. Blame it on ChatGPT, but your browser can trust our certificate again. Last year’s DeepSec conference had a focus on the zoo of artificial intelligence algorithms. The AI revolution has so far only pushed the Large Language Model (LLM) algorithms and a discussion about copyright. The battlefield is real. Researchers from the University of Chicago have published the Glaze and Nightshade algorithms to counter unrestricted harvesting by

Read More

DeepSec wishes a Happy New Year 2024!

René Pfeiffer/ December 31, 2023/ Administrivia, Communication/ 0 comments

We have been radio-silent throughout the December, because post-processing DeepSec and DeepINTEL 2023 took longer than usual. For everyone doing system maintenance, the month of December is also a wonderful opportunity to do some work behind the scenes. Thanks to the security bulletin about SMTP smuggling, there were some additional workarounds that needed attention. There will be another pause until we announce the next call for papers in February 2024. We have not yet decided on the focus. If you have some ideas, let us know. Enjoy the quiet days, and have a good transition into the new year 2024!

Thanks for attending DeepSec and DeepINTEL 2023!

René Pfeiffer/ November 24, 2023/ Administrivia, Conference, DeepIntel

DeepSec 2023 ended a week ago, and it was amazing! We shout out a big thanks to all the speakers and all the attendees that made the conference memorable! Usually there is a period of several days after the conference where you hear nothing from us. We are not hibernating; we are in full post-production mode. Office life has caught up. The video material is currently being prepared for upload. Everyone who attended the conference will get early access to the presentations. Bear with us. We will send a notification once everything is ready. For everyone who missed the closing presentation, here are the dates for our events in 2024. Open your calendar, mark the dates. Also, do not forget to book early! We have a limit because of the conference venue safety regulations.

Read More

DeepSec 2023 Talk and Breakout Session: Let’s Prepare for the Unexpected – Erlend Andreas Gjære

Sanna/ November 15, 2023/ Conference

What happens when a large group of more or less connected individuals need to deal with a cyber incident, together? In this interactive hands-on session, we will try to experience – first-hand – just how challenging it can be to keep information flowing, make the right decisions and protect our assets while dealing with a simulated crisis. We asked Erlend a few more questions about his talk and breakout session. Please tell us the top 5 facts about your talk and workshop. This will be an interactive session, and everyone can join! We are going to prepare for a cyber incident, together People share anonymous inputs via their phones Participants also receive individual updates on their phones There will be a breakout session afterwards for a deep-dive tabletop How did you come up with

Read More

DeepSec 2023 – ENOMEM/EFBIG – Tickets sold out!

René Pfeiffer/ November 8, 2023/ Administrivia, Conference

This is the first time for us. The tickets for attending DeepSec on-site at the conference hotel are exhausted. We have no room to spare. You can only book training tickets (i.e. training without the conference) or tickets for accessing the live streams. Existing orders are still valid and will be processed. We have to take this step, because the space at the conference hotel gets too crowded. Furthermore, we have some limits regarding event security, and contrary to cloud platforms, we cannot sell more capacity than we have. Please consider accessing the live streams if you want to follow the presentations. You will also have the means to comment and ask questions. The stream access will also give you full access to all the recordings once we finished post-processing.

DeepSec 2023 Press Release: Open Source Intelligence Training for Companies – DeepSec Conference offers OSINT Training in IT Security Skills.

Sanna/ November 7, 2023/ Conference

In information security, the focus is often placed on technical solutions and ready-made security products. Successful attacks always start with the reconnaissance of information from freely available sources. This so-called Open Source Intelligence (OSINT) is closely interwoven with social engineering methods, which are an indispensable part of successful attacks. The DeepSec conference offers a two-day intensive training course on this topic. A head start through the right information Reports on data leaks at companies rarely reflect the actual process. Although it is often simplistically mentioned that social engineering was used in a phishing attack, the methods have changed considerably in recent years. The path to a successful phishing message involves many steps and enormous preparation. Any publicly available information is collected and analysed by the attackers. Most companies and organisations have weak points in

Read More

Learn Incident Response by playing a Role-Playing Game

René Pfeiffer/ November 6, 2023/ Security

Simulations can be boring. What about combining a thought experiment with a game that brings fun? Enter role-playing games for incident response! Klaus Agnoletti will show you how this works. He will host an incident response role-playing session on the first conference day (16 November 2023) at 1900. The session will take place in the Third Person track. The game is heavily inspired by the (Advanced) Dungeons & Dragons games. You do not need to bring anything except your interest and some curiosity. The session simulates an incident in a fictitious company and players have roles like CMO, CISO, CFO, System architect, etc. The aspects of the incident gameplay are explored broadly and aren’t just limited to the technical parts of an incident. The session lasts about two to three hours, depending on your

Read More

DeepSec on Air – Live on Radio Orange, 1000 (CEST), 6 November 2023

René Pfeiffer/ November 4, 2023/ Communication, Conference

We do not maintain a podcast or a video streaming channel. It’s hard to keep up with writing texts. On Monday, 6 November 2023, at 1000 (CEST) there will be a live broadcast. We will talk about the upcoming DeepSec and DeepINTEL events, the topics on the DeepSec schedule, and many more aspects. If you can spare an hour of your time, you can listen to us. The conversation will be in German, though. Maybe some stochastic parrot with a filter can produce a transcript later. The show announcement can be found on the Radio Orange web site. For the sake of convenience, here is a quote: 14. bis 17. November findet die DeepSec 2023 statt, am 15. folgt die DeepINTEL, dazwischen treibt der Third-Person-Track sein Wesen. Vier Tage, an denen im Rahmen von

Read More

Fight the EU Law for attacking Cryptography

René Pfeiffer/ November 4, 2023/ Security

The Crypto Wars have been one topic that DeepSec keeps addressing in public. The conference and our blog documents countless attempts to weaken algorithms, introduce mandatory back-doors, and compromise of operating systems. The European eIDAS (electronic IDentification, Authentication and trust Services) regulation is a proposal that all web browsers distributed in Europe will be required to trust the certificate authorities and cryptographic keys selected by EU governments. This destructively changes the IT security landscape. To quote from Mozilla’s open letter: These changes radically expand the capability of EU governments to surveil their citizens by ensuring cryptographic keys under government control can be used to intercept encrypted web traffic across the EU. Any EU member state has the ability to designate cryptographic keys for distribution in web browsers and browsers are forbidden from revoking trust

Read More

DeepSec 2023 Talk: Oil – But at What Cost: Azerbaijan and the EU’s Murky Partnership – Pavle Bozalo

Sanna/ November 3, 2023/ Conference

Since Russia’s invasion of Ukraine, the European Union has rightfully sought to reduce its dependence on Russian oil with the ultimate aim of completely eliminating it. In this quest for trustworthy oil suppliers, Brussels has turned to countries such as Azerbaijan who, although wealthy in oil, have dubious human rights records and who, in many ways, are at the forefront of cyber surveillance and cyberwarfare. This quest has come at a cost, with the EU keeping mum on Azerbaijan’s armed invasion of the Nagorno-Karabakh territories southwards of Armenia – a scenario otherwise eerily similar to Russia’s armed invasion. As it cracks down on spyware within the EU, the European Commission buys Azeri President Aliyev’s oil, apparently unaware of hackers from Baku rolling out spyware and remote access trojans. Not only do Armenian officials find

Read More

Global Encryption Day 2023

René Pfeiffer/ October 21, 2023/ Security

Wshpq mu Fknadp Icuvaoshnq Hen. Wreqxoslsr xk spd ne ski fjapfhmf aosgzk sh hmenuqeiasp rdbtumxn. Omvgnts hrggqtvhnm, skivt oswkc ad qs att wjnor, mr wirmvg ldrrdkmcy, rq dkdbwvscag dzmjhqk, rd hvqsdbslsr dx wgbqdsv altf xtzmrehvvxfk cmc rsrvmcy mpenqldxmdf. HgdoRdf lehs pqmf sqdhmiasp ne roheoxfk km ezuryv dx gtxosnjveezc. Yd gzc ryv usmt rgzqh sj ejiudmszwmsck hgzkhmj amiz ftdzjhqk eaysthsglv ers xmpchmf ipelk mp sgdl. Wli umpn eqnmwep plxcbj ax wli Tmvqodzm Fsqbawuhnm nq irrjcrshnm ec esvmpf azbnhsdjw vn bnlpyrxuevhnm chzmrww ugnvr wlei kietqd brqqjfmezshnq mw cgx c fhudq vmvzx. Ks ltrw fi swjgmcdc wshpq, xqlnqqra, ecv mp sgd exxygw. Ipbqxowmsc xeedr sguieik, fqsg nkg ers fiy. Lzjd bsyg nskbd gddvh pfh vdkk hw xs izi ynqkc! Rv ftlxgq xds: Fsrijmdtsd slqi, uarcmbhzo wyehsts, nq tvi icuvaoshnq mr ejsftbsr dpp dx xjd shlh. Hikwpqodqr uipn

Read More