Author Archive

Bypassing CSP via ajax.googleapis.com – Dawid Czagan

July 7, 2020

Content Security Policy (CSP) is the number one defensive technology in modern web applications. Many developers add ajax.googleapis.com to their CSP definitions because they use libraries from this very popular CDN in their web applications. The problem is that allowlisting this host completely bypasses the CSP, which is obviously not what you want. Since CSP should be […]
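Why a single allowlisted host undoes the policy, as an added example that is not part of Dawid Czagan's post: ajax.googleapis.com serves JSONP-style endpoints and the AngularJS library, both of which let an attacker run code of their choosing from an origin the policy already trusts, so a policy such as script-src 'self' ajax.googleapis.com gives an injected payload a route around the CSP. The Python auditor below parses a policy header, reports host allowlists that contain such hosts together with the usual weak keywords, and contrasts the weak policy with a nonce-based one using 'strict-dynamic' that needs no CDN host at all. The function names, the BYPASSABLE_HOSTS set and the two sample policies are assumptions made for this example.

```python
"""Added example (not from the original post): a small script-src auditor that
flags CSP allowlists weakened by hosts such as ajax.googleapis.com."""
import re

# Hosts that serve JSONP-style endpoints or frameworks such as AngularJS, which
# let an attacker execute attacker-chosen code from an allowlisted origin.
# ajax.googleapis.com is the host the post names; the set is an assumption for
# this example and a starting point for your own review, not a full catalogue.
BYPASSABLE_HOSTS = {"ajax.googleapis.com"}

SCHEME_OR_WILDCARD = {"*", "http:", "https:", "data:", "blob:"}
NONCE_OR_HASH_RE = re.compile(r"^'(nonce-[A-Za-z0-9+/=_-]+|sha(256|384|512)-[A-Za-z0-9+/=]+)'$")


def parse_csp(header: str) -> dict:
    """Split a Content-Security-Policy header into {directive: [sources]}.
    As in the spec, a repeated directive name is ignored after its first use."""
    directives = {}
    for part in header.split(";"):
        tokens = part.split()
        if not tokens:
            continue
        name, *values = tokens
        directives.setdefault(name.lower(), values)
    return directives


def host_of(source: str) -> str:
    """Reduce 'https://cdn.example.com:443/libs/' to 'cdn.example.com'."""
    no_scheme = re.sub(r"^[a-z][a-z0-9+.-]*://", "", source.lower())
    return no_scheme.split("/")[0].split(":")[0]


def audit_script_src(header: str) -> list:
    """Return a list of findings for the policy's effective script-src."""
    directives = parse_csp(header)
    sources = directives.get("script-src", directives.get("default-src"))
    if sources is None:
        return ["no script-src or default-src: scripts may load from anywhere"]
    findings = []
    lowered = [s.lower() for s in sources]
    has_nonce_or_hash = any(NONCE_OR_HASH_RE.match(s) for s in sources)
    strict_dynamic = "'strict-dynamic'" in lowered
    # Browsers ignore 'unsafe-inline' once a nonce or hash is present, so it is
    # only a finding when it actually takes effect.
    if "'unsafe-inline'" in lowered and not has_nonce_or_hash:
        findings.append("'unsafe-inline' without a nonce or hash: any injected <script> runs")
    if "'unsafe-eval'" in lowered:
        findings.append("'unsafe-eval' lets injected strings reach eval()/Function()")
    for src in sources:
        s = src.lower()
        if s.startswith("'"):
            continue  # keyword, nonce or hash, not a host source
        if strict_dynamic:
            # With 'strict-dynamic' the browser ignores host and scheme sources
            # for scripts, so an allowlist entry cannot widen the policy.
            continue
        if s in SCHEME_OR_WILDCARD:
            findings.append(f"{src}: scheme or wildcard source, any origin may serve scripts")
            continue
        host = host_of(src)
        if host in BYPASSABLE_HOSTS:
            findings.append(f"{src}: host serves JSONP/AngularJS, allowlisting it bypasses the CSP")
        elif host.startswith("*."):
            findings.append(f"{src}: wildcard subdomain, one weak subdomain defeats the policy")
    return findings


# Constructed sample policies: the pattern the post warns about, and a
# per-request nonce policy that needs no host allowlist for the CDN.
WEAK_POLICY = "default-src 'self'; script-src 'self' https://ajax.googleapis.com"
HARDENED_POLICY = ("script-src 'nonce-R4nd0mP3rR3qu3st' 'strict-dynamic'; "
                   "object-src 'none'; base-uri 'none'")

if __name__ == "__main__":
    for label, policy in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(label, audit_script_src(policy) or ["no findings"])
```

With the hardened policy every <script> tag the server emits carries the request's nonce, and scripts those trusted scripts load (the CDN library included) are allowed by 'strict-dynamic' without naming their host, so there is nothing in the allowlist for an attacker to reuse.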

Posted in Training

Exploiting Race Conditions – Dawid Czagan

July 1, 2020

A race condition attack is one of the most dangerous and underestimated attacks on modern web applications. It is related to concurrency and multithreading. As a result of this attack, an attacker who has $1000 in his bank account can transfer far more than $1000 out of it. This is just one example, but it […]
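The bank transfer the post mentions, as an added example that is not code from the post: two simultaneous requests both pass the "balance is sufficient" check before either one debits the account, so an account holding 1000 pays out 2000. A threading.Barrier stands in for the timing an attacker gets by firing many requests at once; the Bank and Account classes, the gate parameter and the amounts are constructed for the demonstration. The second variant keeps the check and the update in one critical section, which is what a single conditional UPDATE ... WHERE balance >= amount does in SQL.

```python
"""Added example (not from the original post): a check-then-act transfer raced
by concurrent requests, next to a version whose check and update are atomic."""
import threading
from dataclasses import dataclass


@dataclass
class Account:
    balance: int


class Bank:
    def __init__(self):
        # Models the database's write serialisation: each write is atomic on
        # its own, which does not make "check, then write" atomic.
        self._write_lock = threading.Lock()

    def transfer_vulnerable(self, src, dst, amount, gate=None):
        # Step 1: the balance check runs outside the critical section.
        if src.balance < amount:
            return False
        # Every request that passed the check can sit here together. The
        # optional gate (a threading.Barrier, an assumption for the demo) makes
        # the window deterministic; in production it is scheduler luck that an
        # attacker buys by sending the requests simultaneously.
        if gate is not None:
            gate.wait()
        # Step 2: the update is serialised but no longer guarded by the check.
        with self._write_lock:
            src.balance -= amount
            dst.balance += amount
        return True

    def transfer_safe(self, src, dst, amount, gate=None):
        # Requests still arrive together (the gate sits before the lock), but
        # check and update now form one atomic step. In SQL this is
        #   UPDATE accounts SET balance = balance - ? WHERE id = ? AND balance >= ?
        # followed by inspecting the affected-row count.
        if gate is not None:
            gate.wait()
        with self._write_lock:
            if src.balance < amount:
                return False
            src.balance -= amount
            dst.balance += amount
        return True


def run_race(transfer, requests=2, balance=1000, amount=1000):
    """Fire `requests` identical transfers at once and return
    (source balance afterwards, number of transfers that succeeded)."""
    bank = Bank()
    src, dst = Account(balance), Account(0)
    gate = threading.Barrier(requests)
    results = []

    def worker():
        results.append(transfer(bank, src, dst, amount, gate))

    threads = [threading.Thread(target=worker) for _ in range(requests)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return src.balance, sum(results)


if __name__ == "__main__":
    print("vulnerable:", run_race(Bank.transfer_vulnerable))  # (-1000, 2)
    print("safe:      ", run_race(Bank.transfer_safe))        # (0, 1)
```

Note that wrapping only the write in a lock (or a transaction) is not enough; the lock has to cover the decision as well, otherwise every request that reached the decision first still gets its payout.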

Posted in Training

Translated Press Release: COVID-19 Apps Expose their Software during the Crisis

May 13, 2020

In November, the DeepSec security conference will highlight the software masquerade. People often say, "There's bound to be an app for that!". This stock phrase is often taken lightly, even outside the IT sector. The current COVID-19 crisis has once again singled out the […]

Posted in Conference, Press, Training

Translated Article: Ten EU Countries already rely on decentralized Corona Virus Apps

May 12, 2020

Schon zehn EU-Staaten setzen auf dezentrale Coronavirus-Apps by Erich Moechel for fm4.orf.at. Apple and Google also support the privacy-friendly, decentralized protocol DP-3T. Without technical support in the operating systems of these two companies, no app with Bluetooth tracing can deliver useful results. The decision by Austria and Switzerland to use a corona virus app with […]

Posted in Security, Stories

Translated Press Release: Covid-19 Apps show Software Development in Crisis

May 8, 2020

In November, the DeepSec security conference will highlight the software masquerade. In everyday language there is the saying "There's an app for that!". The phrase is often used as a joke, even outside the IT industry. The current Covid-19 crisis has once again presented computer code as a universal solution to problems that are not […]

Posted in Conference, Press, Training

Translated Article: Coup de grâce beat Attackers of the Austrian Federal Ministry for European and International Affairs

March 12, 2020

Cyberhusarenstück schlug Angreifer im Außenministerium for fm4 by Erich Moechel [We translated this article because DeepSec actively supports young talents and students. We are looking for organisations and companies that would like to help us with this support. Furthermore, we would like to make Erich's well-researched and well-written articles available to a wider audience.] It was […]

Posted in Security, Stories

DeepSec 2019 Keynote: Computer Security is simple, the World is not – Raphaël Vinot and Quinn Norton

November 27, 2019

Information security is too often seen as a highly technical field in computer science, one where the more technical someone is, the more right they are likely to be. But security is part of the systems of life, which include not only computers and phones but also ways of living, cultures, history, politics and interpersonal relationships. […]

Posted in Conference

DeepSec 2019 Talk: How To Create a Botnet of GSM Devices – Aleksandr Kolchanov

November 26, 2019

There are different types of GSM devices, from GSM alarms for homes and cars to industrial controllers, remote-controlled electric sockets and smartwatches for kids. They are also often vulnerable, so GSM devices are interesting targets for hackers and pranksters. But it is easier to hack a device than to find these devices (usually you have to make a call, […]

Posted in Conference

DeepSec 2019 Press Release: High-quality Randomness protects Companies

November 25, 2019

The 'bugs' of the '90s are still alive, hidden in IoT devices, embedded systems and industrial controls. Modern information security can't manage without mathematics. It is less about statistics in the form of operational data or risk analysis. It's about cryptography, which is constantly used in everyday life. It uses elements that build on […]

Posted in Conference, Training

DeepSec 2019 Talk: Abusing Google Play Billing for Fun and Unlimited Credits! – Guillaume Lopes

November 22, 2019

In 2017, global in-app purchase revenue was projected to exceed $37 billion. In the Google Play Store alone, more than 200,000 apps offered in-app purchases in 2018. However, the Google Play Billing API is vulnerable by design and allows an attacker to bypass the payment process. I analyzed several Android games […]

Posted in Conference, Security

ROOTS 2019 Talk: Shallow Security: on the Creation of Adversarial Variants to Evade ML-Based Malware Detectors – Fabricio Ceschin

November 22, 2019

The use of Machine Learning (ML) techniques for malware detection has been a trend in the last two decades. More recently, researchers started to investigate adversarial approaches to bypass these ML-based malware detectors. Adversarial attacks became so popular that a large Internet company (ENDGAME Inc.) has launched a public challenge to encourage researchers to bypass […]

Posted in ROOTS

ROOTS 2019 Talk: RevEngE is a dish served cold: Debug-Oriented Malware Decompilation and Reassembly – Marcus Botacin

November 21, 2019

Malware analysis is a key process for gaining knowledge about infections and for improving cyber security overall. Analysis tools have evolved from purely static analyzers to partial code decompilers. Malware decompilation allows code inspection at higher abstraction levels, facilitating incident response procedures. However, the decompilation procedure has many challenges, such as opaque constructs, irreversible […]

Posted in ROOTS

DeepSec 2019 Training: Incident Response Detection and Investigation with Open Source Tools – Thomas Fischer & Craig Jones

November 20, 2019

Defences focus on what you know! But what happens when attackers gain access to your network by exploiting endpoints, software or even your people? Under the assumption that you have been breached, how do you work backwards to learn what happened? How can you find those adversaries in your infrastructure? IR detection […]

Posted in Conference

DeepSec 2019 Talk: Demystifying Hardware Security Modules – How to Protect Keys in Hardware – Michael Walser

November 20, 2019

[Editorial note: Cryptography is one of our favourite topics. This is why we invited experts from sematicon AG to show some of their skills and help you navigate through the jungle of false promises by vendors, magic bullets, and misuse of the word „crypto“.] A secure crypto-algorithm is based on the fact that only the […]

Posted in Conference

ROOTS 2019 Talk: Automatic Modulation Parameter Detection In Practice – Johannes Pohl

November 19, 2019

Internet of Things (IoT) devices have to be small and energy efficient, so resources for security mechanisms tend to be limited. Due to the lack of open-source or license-free standards, device manufacturers often use proprietary protocols. Software Defined Radios (SDR) provide a generic way to investigate wireless protocols because they operate on […]

Posted in ROOTS