0109, 2021

DeepSec 2021 Training: Mobile Security Testing Guide Hands-On – Sven Schleier

Sanna/ September 1, 2021/ Training

LIVE ONLINE TRAINING [Note: This training will be completely remote. This allows you to better plan your workshop commitments when booking tickets. You can also by a ticket for just attending this training (without access to the conference). In that case please write an e-mail to speaker@deepsec.net] Mobile apps are omnipresent in our lives and we are using more and more apps to support us, ranging from simple to complex daily tasks. Even though modern mobile operating systems like iOS and Android offer great functionalities to secure data storage and communication, these have to be used correctly in order to be effective. Data storage, inter-app communication, proper usage of cryptographic APIs and secure network communication are only some aspects that require careful consideration. The OWASP Mobile Security Testing Guide (MSTG) is a comprehensive manual

Read More

3108, 2021

DeepSec 2021 Talk: Web Cache Tunneling – Justin Ohneiser

Sanna/ August 31, 2021/ Conference

By using cache poisoning to store arbitrary data, we can use public web caches as open ephemeral storage to facilitate anonymous and evasive communication between network clients. We asked Justin a few more questions about his talk. Please tell us the top facts about your talk. Public web caches, when improperly configured, can be used as open ephemeral storage. Combined with a synchronization technique, this ephemeral storage can be used to tunnel arbitrary data between network clients. Tunneling data in this manner requires no listening service, as all endpoints behave as clients to the web cache server, allowing trivial use of anonymizing protocols. The conditions for this technique are present on several extremely popular websites, and the use of this technique by malware could make network detection nearly impossible. How did you come up

Read More

3008, 2021

DeepSec 2021 Training: Mobile Network Operations and Security – David Burgess

Sanna/ August 30, 2021/ Conference

This workshop describes security risks in mobile networks, both in the core network and in the radio network, based on case studies reported in the press. For each case, we will dig into the technical elements of what actually happened. The workshop will be especially useful for IT security people who are responsible for mobile devices but are not yet familiar with mobile network technology. The material will also be useful for anyone who works with individuals who have special security concerns, or who report on telecom security topics. The workshop will start with an overview of cellular technology in general and types of security flaws common to all mobile networks, and then proceed to specific examples for different network segments and technology types. The workshop will include demonstrations of some security failures and

Read More

2708, 2021

DeepSec 2021 Talk: Those Among Us – The Insider Threat facing Organizations – Robert Sell

Sanna/ August 27, 2021/ Conference

Organizations spend a considerable amount of time and money protecting themselves from external threats while practically ignoring the significant threats from within. Cybercrime has an estimated cost of $2 trillion in 2019 with an average cost per data breach of $3.9 million. This global cost is expected to grow to $6 trillion annually by 2021.  In 2018, 34% of those data breaches involved internal factors and this trend continues to grow. This hard on the outside but soft in the middle approach by Information Security departments leaves organizations susceptible to a variety of insider threats that could be avoided. In this talk, I will present the extent of the issue, the types of insider threats to expect and how organizations can mitigate these risks. We asked Robert a few more questions about his talk.

Read More

2608, 2021

DeepSec 2021 Talk: How to Choose your Best API Protection Tool? Comparison of AI Based API Protection Solutions – Vitaly Davidoff

Sanna/ August 26, 2021/ Conference

As the world becomes more and more connected, Application Security becomes an important concern. Especially regarding the Internet of Things (IoT), Application Programming Interface (API), and Microservices spaces. In addition, the proper access management needs to be seriously addressed to ensure company assets are securely distributed and deployed. There are many tools on the market providing AI based API protection and anomaly detection but what really works? How to choose the best solution? During my talk, I will share results from the research of reviewing different architecture approaches and AI solutions introduced by different favorite tools on the market, from WAF to workload protection systems. We asked Vitaly a few more questions about his talk. 1) Please tell us the top facts about your talk. This talk is a first try to dive deep

Read More

2508, 2021

DeepSec 2021 Talk: Hunting for LoLs (a ML Living of the Land Classifier) – Tiberiu Boros, Andrei Cotaie

Sanna/ August 25, 2021/ Conference

Living of the Land is not a brand-new concept. The knowledge and resources have been out there for several years now. Still, LoL is one of the preferred approaches when we are speaking about highly skilled attackers or security professionals. There are two main reasons for this: Experts tend not to reinvent the wheel Attackers like to keep a low profile/footprint (no random binaries/scripts on the disk) This talk focuses on detecting attacker activity/Living of the Land commands using Machine Learning, for both Linux and Windows systems. Most of the AV vendors do not treat the command itself (from a syntax and vocabulary perspective) as an attack vector. And most of the log-based alerts are static, have a limited specter and are hard to update. Furthermore, classic LoL detection mechanisms are noisy and somewhat

Read More

2308, 2021

DeepSec 2021 Training: How to Break and Secure Single Sign-On (OAuth and OpenID Connect) – Karsten Meyer zu Selhausen

Sanna/ August 23, 2021/ Training

Implementing single sign-on has huge benefits in general. It allows to design the registration and login process for users to be as simple as possible, and enables applications to be connected to social networks. Although OAuth and OpenID Connect are established as today’s common standards, serious attacks on them have been discovered within recent years. These attacks exploit the complexity of the underlying standards and implementation flaws, and allow attackers to authenticate themselves as arbitrary users or to access confidential user data. By doing so, attackers can potentially read, manipulate, or delete data of arbitrary users across these applications. Due to the critical role that single sign-on fulfills in applications nowadays, it is important to understand and address pitfalls when using OAuth and OpenID Connect. However, automatic security scanners are not able to properly

Read More

3007, 2021

DeepSec 2021 Press Release: Surveillance as Organized Crime – DeepSec Conference Criticizes Pegasus Spy Software as a legal Vacuum

Sanna/ July 30, 2021/ Conference, DeepIntel, Press

The information published by the Pegasus Project consortium on the systematic abuse of this monitoring software for smartphones clearly shows that rampant surveillance can hardly be distinguished from organized crime. Security experts are increasingly warning against the hoarding of unknown security vulnerabilities by companies that develop espionage products. Information security for society, authorities and the economy are incompatible with the existence of such tools. In addition, they represent a threat to the national security of every country. We can only maintain a real locational advantage for Europe through consistent IT security. Battle for Communication Content Since the first discussions about the availability of strong encryption for private individuals and companies, the security of digital communication has been hotly contested. In the 1990s, the US government wanted to enshrine access to messages and calls from

Read More

1207, 2021

Translated Article: Germany becomes the Federal Trojan Republic

Sanna/ July 12, 2021/ Security, Stories

Deutschland wird zur Bundestrojanerrepublik by Erich Moechel for fm4.ORF.at All 19 secret services now have a license to use malware. IT security vulnerabilities can therefore be kept open, preventive cyber attacks are the best defense – security expert Manuel Atug on the new German “cybersecurity strategy.” Since Friday, the “Law to Adapt the Constitutional Protection Law” has been in force in Germany. All 19 federal and state secret services are now allowed to use Trojan malware. Another law is already in the Federal Council, which authorizes the police authorities to use Trojans even before a criminal offense has occurred. German police and customs authorities have had a legal license to distribute such malware since 2017. At the same time, a new cybersecurity strategy is being worked out which, among other things, stipulates that newly discovered security

Read More

2106, 2021

Communiqué de Presse: Les Environnements de Bureau Modernes : Une Faille dans la Sécurité – La Conférence DeepSec propose des Formations et des Tests pour des Applications Sécurisées

Sanna/ June 21, 2021/ Conference, Press

Qu’est-ce qu’une application bureautique moderne a en commun avec un oléoduc en panne ? L’environnement de bureau qui a conduit à la catastrophe. Les interfaces utilisateur graphiques pour l’exploitation des ordinateurs remontent à des recherches menées dans les années 1960 et 1970. À l’époque, on réfléchissait à la manière dont les ordinateurs pourraient aider au mieux les gens. À partir des années 1990, le bureau est devenu un champ de bataille pour la domination du marché. Cela n’a pas changé, mais on retrouve désormais également des aspects liés à la sécurité. Après tout, l’environnement de bureau est souvent la première étape que les pirates informatiques franchissent pour accéder aux trésors numériques d’une entreprise. La conférence annuelle DeepSec propose aux professionnels de la sécurité et aux développeurs un cours intensif de deux jours consacré à la

Read More

1806, 2021

Press Release: Germany Stipulates Security Gaps by Law – DeepSec Conference Warns: Legal Anchoring of the State Trojans Destroys the Security of the Infrastructure.

Sanna/ June 18, 2021/ Conference, DeepIntel, Press

People on business trips are accustomed to take precautions against untrustworthy Internet access. Employees have been equipped with Virtual Private Network (VPN) technology in order to have secure access to company resources and internal systems. VPNs are also often used to circumvent the insecurity of the so-called last mile, i.e. the connection between your own computer and the actual systems on the Internet. The law, which was passed in the German Bundestag on June 10th, creates opportunities for the use of so-called State Trojans (term literally translated from the German Staatstrojaner, meaning a malicious piece of software provided and used by authorities). This institutionalizes security gaps so that state Trojans can be installed on end systems. The safe home office is a thing of the past. Comprehensive surveillance through digital intrusions The alterations to

Read More

1406, 2021

Communiqué de Presse: Menaces Actuelles sur les Réseaux Mobiles – La Conférence DeepSec sur la Sécurité propose une Formation à L’utilisation des Technologies Mobiles Actuelles

Sanna/ June 14, 2021/ Conference, Press

En 40 ans, la technologie des communications mobiles a connu un véritable essor. La disponibilité, la stabilité et les débits de données ont considérablement augmenté par rapport aux origines des réseaux 1G/2G. En revanche, la recherche sur la sécurité dans ce domaine n’a pas connu un succès comparable. Il existe encore des faiblesses et des lacunes en matière de sécurité de l’information. En 2007, la première conférence DeepSec a exposé les faiblesses du chiffrement A5. La conférence de cette année proposera donc à nouveau un atelier de deux jours sur la sécurité des technologies actuelles de communication mobile. La base de la société de communication De nombreuses commodités de la vie moderne seraient inconcevables sans les réseaux mobiles. L’Internet est presque toujours à notre disposition. La communication est également très facile en dehors des

Read More

0706, 2021

Communiqué de Presse: Attaques « low-tech »: Infrastructures Critiques mal Sécurisées – Les Attaques contre Colonial Pipeline reposaient sur des outils d’accès standard

Sanna/ June 7, 2021/ Conference, Press

En mai, l’entreprise américaine Colonial Pipeline a été victime d’une attaque par ransomware. Après de tels événements, il y a toujours une demande en sécurité accrue et en nouvelles mesures. Pourtant, l’analyse de ces attaques révèle souvent des lacunes dans la sécurité de base. Il n’est souvent pas nécessaire d’utiliser des outils compliqués et sophistiqués pour cibler des infrastructures critiques. Les attaquants aiment utiliser des outils standards, disponibles partout, pour éviter d’être détectés. Ceci est rendu possible par une sécurité de base insuffisante. Un camouflage adapté Pour défendre ses propres systèmes et réseaux, il est nécessaire de connaître en profondeur les particularités de son infrastructure. Les groupes organisés qui ciblent les entreprises recherchent exactement ce qu’utilise la cible avant d’attaquer. Suite à cette phase de planification, ils utilisent seulement des outils que la victime

Read More

0706, 2021

Translated Article: EU-US Negotiations on Cloud Monitoring started

Sanna/ June 7, 2021/ Stories

Verhandlungen EU-USA zur Cloud-Überwachung gestartet by Erich Moechel for fm4.ORF.at The EU has quietly started negotiations on direct data access for European law enforcement officers to data from Whatsapp, YouTube, Zoom and Co with the USA. The next round of negotiations is scheduled for June. The EU Council of Ministers has started negotiations behind the scenes with the USA on “cross-border access to electronic evidence”, according to a Council document classified as “sensitive” that ORF.at has. The first round at diplomatic and official level was held on March 26th. The declared aim of the council is direct access to data in the clouds from WhatsApp, YouTube, or Zoom. The EU directive of the same name on transnational data access within the EU is currently stuck in the trialogue negotiations between the Commission, Council and Parliament. There

Read More

0106, 2021

Press Release: Modern Desktops as a Security Hole – DeepSec Conference offers Trainings and Tests for Secure Applications

Sanna/ June 1, 2021/ Press, Training

What do a modern office application and a fancy oil pipeline have in common? A desktop that led to disaster. Graphical interfaces for operating computers go back to research in the 1960s and 1970s. At that time people thought about how computers can best support people. By the 1990s at the latest, the desktop became a battleground for market dominance. That has stayed the same, only there are additional security aspects. After all, the desktop is often the first step from an attacker to a company’s digital treasures. The annual DeepSec conference offers security experts and developers a two-day crash course on desktop security. No attack without interaction Many successful attacks on companies or infrastructure depend on cooperation with the victims. Malware is executed using tricks and only then does it compromise the system.

Read More