[This message was published via our DeepSec Scuttlebutt mailing list. The text was written by a human. This is a repost via our blog and Mastodon. Our Call for Papers for DeepSec 2023 is still running. If you have interesting content, please submit your idea.] Dear readers, the wonderful world of computer science and teaching courses has kept me busy. The scuttlebutt mailing list has the aim of having at least one letter per month. It is now the end of June, and the Summer has begun here in Vienna. The university courses have finished. The grades are ready. More projects are waiting. In information society, it is never a good idea to wait until something happens. A lot of blue teams are busy improving defences, testing configurations, and rehearsing their processes. However, there
Portable documents are nice. It’s always an advantage to read and process documents on different platforms. The Portable Document Format (PDF) is a common format. Unfortunately, PDF can be abused to attack you. PDF files are everywhere and these files can be used to hack your web application. Imagine that the attacker prepares a malicious PDF file which steals sensitive data from a user. The PDF file is uploaded to the web application, the user reads this PDF file, and finally sensitive data is exfiltrated from the user’s browser. It’s scary, isn’t it? In a free video, Dawid Czagan (DeepSec instructor) will show you step by step how this attack works and how you can check if your web application is vulnerable to this attack. Dawid has prepared a free video for you. Have
We updated our schedule. There are already some workshops for you. In addition, we have a video tutorial for you, provided by our trainer Dawid Czagan. It explains how race conditions work. A race condition attack is one of the most dangerous and underestimated attacks on modern web applications. It’s related to concurrency and multi-threading. Because of this attack, an attacker who has $1000 in his bank account can transfer more than $1000 from his bank account. This is just one example, but it clearly shows how dangerous this attack is. In a free video Dawid Czagan (DeepSec instructor) will show you step by step how this attack works and will tell you how to prevent this attack from happening. You can find the video online. The full two-day training session has much more
A passive stance to IT security doesn’t always work. The same is true for “social” media. The DeepSec Twitter account is scheduled for deletion. We have saved all tweets and will publish them as an archive. Meanwhile you can follow updates from DeepSec and DeepINTEL on Mastodon, our blog, or our LinkedIn company site. No, we won’t join BlueSky until it is out of its pre-gamma prototype phase. So, please join us or subscribe to our mailing list(s).
Hypes and trends are great. You can talk a lot about s specific topic without really understanding the underlying technology. Ever since the AI train has left the station, everyone is talking about it and is trying to solve all kinds of problem with a single algorithmic approach. Large language models (LLMs) are apparently the best invention since division and multiplication. While there is nothing wrong with exploring how technology can be used, the current discussion about the use of AI algorithms has drifted to shamanism. Companies want to feature one of these new algorithms for good luck, promising business models and to save all kinds of effort when dealing with data. Let’s take a step back and review the history of artificial intelligence in computer science. In the 1970s and 1980s expert systems
[This article is part of the monthly publication on our scuttlebutt mailing list. Not all the scuttlebutt messages are published on our blog. You are encouraged to subscribe to our mailing list.] Dear readers, the world of information technology and information security is driven by trends. This is very similar to the fashion industry or other aspects of our society. However, the impact on all of us is much bigger when a trend shifts the attention of the whole IT industry. Let me give you an example from the world of physics. During my time at the university, I read two books with anecdotes from the life of Richard Feynman. In the context of his work at the Manhattan Project, he told the story that someone from the US government asked him about the
There will be no more automatic updates on our Twitter account. The synchronisation between our blog and Twitter has been deactivated. The reason is the erratic course Twitter is on. All social media platform benefit from their users and the content that these platforms receive free of charge. We do not want to contribute to a forum any longer that doesn’t respect the efforts of journalists working on fact-based articles. There are a lot more reasons for stopping to use Twitter as a publication platform. Our motivation was the article titled „Danke für den Fisch!“ (translated “Thanks for the fish!”) by Michael Seemann, a German journalist. The article is in German, so you probably need to translate it. Michael explains some strong points for leaving Twitter. Synchronised content and more news about DeepSec and
The call for papers of DeepSec 2023 and DeepINTEL 2023 is open! You can submit your ideas for presentations and trainings via our CfP manager form. Content for DeepINTEL should be sent to use directly (but you can use the same web form, just mention what you have in mind). This year’s focus will be on the wonderful world of artificial intelligence, machine learning, and related algorithms. The GPT language models have gained notoriety in the media. All the shiny algorithms still lack cognitive skills, but they are decent simulations of communication. Big companies rush to add dumb conversation simulators to their products. What does this mean from the information security perspective? If you have found weaknesses in chat simulators or AI/ML filters, please let us know. It’s your turn to tell HAL 9000
Our traditional Winter break has been a bit longer than anticipated. We are working on the call for papers for DeepSec and DeepINTEL 2023 (14 to 17 November 2023). The location has not changed, so we can focus on the content of the conferences. This is a good time to check if you are on our call for papers mailing list. If you like our regular reminders and updates, please subscribe or tell us what email address we should add. Speaking of communication, the sabotage of Twitter continues. Today the APIs for posting content are limited to paid subscribers. This deliberately stops cross-posting content to Twitter from other sources. It affects updates from our blogs and updates via mobile phones, because we never used the official Twitter app (and will not in the future).
A couple of days ago the Talon app we use for reading and writing on Twitter stopped working. Code that stops working or APIs that turn into bouncers at the nightclub is normal operation in some fields of IT. As for Twitter, it has turned into a personal playground of one person. The platform has nothing to do with the microblogging service it once was. Decisions are made random or with a questionable agenda. It’s time to leave. And no, we are not going to Mars like Ryba Zhfx promised the public over ten years ago. You can find links to our articles on our Mastodon account. We have this blog, and we have our mailing lists. We will try to turn our Twitter postings into an archive and publish it on our servers
Usually we are under high load after the conference because of the administrative tasks. 2022 was no exception, but the change of location still requires some attention. So this is a much delayed thank you for attending our events and speaking at DeepSec and DeepINTEL 2022! It was great to meet all of you in person. We also enjoyed talking about experiences with IT security, exchanging insights, sharing stories, and gathering inspiration for the next year. While virtual meetings can save time and help a lot, some things are best discussed face to face. The videos are nearly fully post-processed. We will inform our attendees and speakers first. In January 2023, you can enjoy the videos on our Vimeo account. The slides of the presentations can be downloaded from our DeepSec 2022 slide collection.
We are a bit late with the summaries from our event. Let’s start with some public information from DeepINTEL 2022. The conference is a closed event where security experts can openly discuss updates on threats, capabilities of potential adversaries, and all kinds of intelligence information related to information security. Steph Shample, an expert from the Middle East Institute (MEI), gave an update on Iran’s capabilities in past and present APT, cybercrime, ransomware, and cryptocurrency. The connections of Iran with China and Russia were discussed, too. Given the invasion of Ukraine, Russia is trying to get support for its digital operations. Mohammed Soliman, also from the Middle East Institute, presented his research on the technology containment strategy by the US administration. The stance regarding 5G serves as a blueprint. It is important to emphasise that
The DeepSec Conference 2022 has started. We will be busy handling the presentation tracks, the TraceLabs OSINT CTF event, and the ROOTS track. We covered most of the presentations in brief interviews on this blog. There is more to come after the conference has ended. The live streams from the conference are available to registered attendees. The recordings will be published on our video platform after post-precessing. Updates from the event will be posted to our Twitter and Mastodon accounts. In case you want to be part of the conversation, please use the #DeepSec hashtag.
We often abuse the term big picture as an analogy for a better perspective on things. With security intelligence, this is true. The DeepINTEL conference covers the strategic aspects of IT security, analyses the capabilities of potential (and actual) adversaries, and helps to bridge the gap between individual experiences of security researchers and targets. DeepINTEL 2022 has started. Topic-wise advanced persistent threats, the current geopolitical situation, psychological warfare with digital means, and techniques of malicious software in attacks are the primary focus. Selected aspects will be published in articles on this blog after the conference, because the DeepINTEL is a TLP:AMBER event.
A race condition attack is one of the most dangerous and underestimated attacks on modern web applications. It’s related to concurrency and multi-threading. Because of this attack, an attacker who has $1000 in his bank account can transfer more than $1000 from his bank account. This is just one example, but it clearly shows how dangerous this attack is. In a free video Dawid Czagan (DeepSec instructor) will show you step by step how this attack works and will tell you how to prevent this attack from happening. Watch this free video and feel the taste of Dawid Czagan’s live online training ”Black Belt Pentesting / Bug Hunting Millionaire: Mastering Web Attacks with Full-Stack Exploitation”- Because of our hybrid configuration of DeepSec for trainings and the conference, the Mastering Web Attacks with Full-Stack Exploitation