0609, 2022

DeepSec 2022 Talk: Identification of the Location in the 5G Network – Giorgi Akhalaia

Sanna/ September 6, 2022/ Conference

Mobile devices can provide the majority of everyday services: like emergency, healthcare, security services. The development of mobile devices itself triggered the 5G network deployment. The new telecom standard will create a new ecosystem with a variety of industries and will exceed the limit of telecom communication. With new standards, functionality, services, products always arise new cyber threats. The operating spectrum in the 5G Network is divided into 3 categories: Low, Middle and High Bands. Actually, the third category, high band, also known as mmWave provides majority benefits of the new standard. This band covers from 6 GHz to 100 GHz operating spectrums. Because of the limitation of this frequency range, devices connected to high-band have to be near to the cell-tower. Otherwise, buildings will interrupt the connection. So, when a user is connected

0509, 2022

DeepSec 2022 Focus Topics and an almost final Schedule

René Pfeiffer/ September 5, 2022/ Administrivia, Conference

If you are a regular visitor of our conference or our blog, then you probably know about the different phases of our schedule. We are now in the preliminary stage. Reviews are still being done, and we sort out questions to and answer from our speakers. You may have noticed the free slots. These are still under review. Hopefully, we will have everything sorted out in the course of the next weeks. DeepSec has some internal rules for reviewing presentation submissions. We usually do not accept persons of the same organisation, so that one organisation can have one presentation in the programme. This makes the reviews hard, because you always send us top quality material. We could easily conduct two or three conferences instead of one. For 2022, we have accepted multiple speakers from

0509, 2022

DeepSec 2022 Talk: Machine Learning Use in OSINT – Giorgi Iashvili

Sanna/ September 5, 2022/ Conference

Open source intelligence is one of the important aspects of cyber security activities as it relies on the publicly available sources, such as social networks, websites, blogs, etc. This includes data mining and gathering techniques, as well as data extraction and data analysis activities. Open source intelligence is widely used in different fields today. Mainly, this process runs manually and is fully managed by humans. Moving from a manual to automated processes in OSINT is vital, especially that we work with real-world operations. Different components must build a relevant system to provide automated open source-based activities together with training simulations for the Machine Learning. The structure of the ML approach is the following: Requirements: Information used from previous user experience; Collection: Web crawlers or / and scrapers; Processing exploration: Pattern recognition, Detection of the

3108, 2022

DeepSec 2022 Talk: Auditing Closed Source Trusted Applications for Qualcomm Secure Execution Environment (QSEE)- Hector Marco & Fernando Vano

Sanna/ August 31, 2022/ Conference

Smartphones have become essential devices for carrying out many daily activities, including security-sensitive tasks such as authentication and payments. The security of sensitive data in modern mobile devices relies on hardware-enabled Trusted Execution Environments, amongst which ARM TrustZone is one of the most widely used. Qualcomm Secure Execution Environment (QSEE) is one of the most widespread commercial TEE solutions in the smartphone space, used by many devices such as Xiaomi, Motorola and several devices of the Google Nexus and Pixel series. In order to audit the QSEE environment, security researchers have to face distinct challenges. On the one hand, the software components of QSEE (i.e., trusted operating system and trusted applications) are not open sourced and can be quite complex, which requires a considerable extent of reverse engineering efforts to conduct analysis and to

3008, 2022

DeepSec 2022 Talk: End-to-end Health Data Privacy Using Secure 5G Data Channels – Dr. Razvan Bocu

Sanna/ August 30, 2022/ Conference

The integrated collection of personal health data represents a relevant research topic, which is enhanced further by the development of next generation mobile networks that can be used in order to transport the gained medical data. The gathering of personal health data has become recently workable using relevant wearable personal devices. Nevertheless, these devices do not possess sufficient computational power, and do not offer proper local data storage capabilities. This paper presents an integrated personal health metrics data management system, which considers a virtualized symmetric 5G data transportation system. The personal health data is gained using a client application component, which is normally deployed on the user’s mobile device, regardless if it is a smartphone, smartwatch, or another kind of personal mobile device. The collected data is securely transported to the cloud data processing

2908, 2022

DeepSec 2022 Talk: Faking at Level 1 – How Digital Twins Save Your PLCs – Thomas Weber

Sanna/ August 29, 2022/ Conference

Every year, many big and small incidents in industrial environments, like power plants, factories, or food supply, find their way into newspapers. All those affected industries are backed by highly branched and historically grown Operational Technology (OT) networks. A sizeable portion of such incidents would have been avoidable, if network segmentation was done correctly and patches for user devices (not always possible in OT) were installed.Despite such known problems, that also lead to the compromise of traditional IT networks, a bunch of unknown vulnerabilities are unfortunately also present in OT infrastructure. OT in modern factories contains of networked (and smart) devices, especially on level 1, also called the control level, of the Purdue model. Devices, like PLCs, industrial router/switches, data diodes, and more, cannot be easily tested if they are in use by the

2608, 2022

DeepSec 2022 Talk: Post-quantum Verkle Signature Scheme – Maksim Iavich

Sanna/ August 26, 2022/ Conference

We expect mass production of quantum computers in the near future. Quantum computers can easily break cryptographic schemes that are used in practice. Thus, classical encryption systems become vulnerable to attacks using quantum computers. There are research efforts to find encryption schemes that are resistant to attacks using quantum computers. Digital signatures are an important technology in securing the Internet and other IT infrastructures. A digital signature provides the authenticity, integrity, and identification of data. We use digital signatures in identification and authentication protocols. So, these secure digital signature algorithms are crucial in terms of IT security. Today, in practice, digital signature algorithms such as RSA, DSA, ECDSA are used. However, they are not quantum stable, as their safety relies on large composite integers, complex factorization and the computation of discrete logarithms. We asked

2508, 2022

DeepSec 2022 Talk: GitHub Actions Security Landscape – Ronen Slavin

Sanna/ August 25, 2022/ Conference

GitHub Actions, the recent (from 2018) CI/CD addition to the popular source control system, is becoming an increasingly popular DevOps tool mainly due to its rich marketplace and simple integration. As part of our research of the GitHub Actions security landscape, we discovered that in writing a perfectly secure GitHub Actions workflow, several pitfalls could cause severe security consequences. For example, many developers would use event input data to improve their workflow process. However, this data could be controlled by an attacker, and potentially compromise the build process. Unless the developers are proficient in the depths of GitHub best-practices documents, these workflows would have mistakes. Such mistakes are costly – and could cause a potential supply chain risk to the product. During the talk, we’ll walk you through our journey on how we found

2308, 2022

DeepSec 2022 Talk: Hey You! Get Off my Satellite! – Paul Coggin

Sanna/ August 23, 2022/ Conference

There are many components and systems that may be targeted in a space system by adversaries including ground station systems and satellites. In this presentation we will discuss ideas for providing cyber resiliency in zero-gravity. Both theoretical and real-world examples of cybersecurity issues concerning satellite systems will be covered. This presentation will step through attack trees for targeting satellite systems. Recommendations best practices for securing satellite systems will be discussed. In addition, new ideas industry is currently developing for improving the cyber resiliency of space systems will be presented. We asked Paul a few more questions about his talk. Please tell us the top 5 facts about your talk. Examples of real-world satellite hacking events will be covered. Recommended best practices for securing ground systems, and spacecraft will be discussed. Space ground systems are

1508, 2022

DeepSec and DeepINTEL 2022 Schedule – Reviews almost done

René Pfeiffer/ August 15, 2022/ Conference, Training

The yearly review of submissions is the hardest task of the year. Thanks a lot for your contributions. DeepSec would need to be a full week to accommodate all submitted material. Thanks a lot! We are still stuck in the final reviews, so it will take a week or two to fill all the slots. You may have noticed that the schedule on our website is already alive and kicking. There will be some more rearrangements regarding the presentation slots. The DeepINTEL schedule is available on request since DeepINTEL is a TLP:AMBER event. We have some interesting insights into current campaigns and the capabilities of selected adversaries for you. Effective defence needs well-prepared data and reconnaissance. So we highly recommend attending DeepINTEL 2022. Looking forward to see you in Vienna!

0108, 2022

DeepSec and DeepINTEL Schedule is currently in Review – Preliminary Schedule will be published soon

René Pfeiffer/ August 1, 2022/ Conference

Our calls for papers have official closed. We are currently in the final phase of reviewing all your submissions. Thanks for all your efforts to send us your material on time. Our goal is to publish the preliminary schedule within the next two weeks. In case you missed the deadline, we will still accept your submissions. You can use our call for papers manager to send us your proposal. We will review your contribution. We will just start with all earlier submissions first.

0807, 2022

DeepSec, DeepINTEL, and ROOTS Call for Papers still open!

René Pfeiffer/ July 8, 2022/ Conference

Did you find some interesting bugs lately? Have you broken something which wasn’t supposed to be broken? Can you hack a nation state just by using a phone call? Do you dream of writing a smartphone app in Malbolge just for fun? If the answer is yes, then you should definitely submit a presentation for DeepSec 2022! We are still looking for your contribution. Share your insights, enlighten our audience. We are also looking for talks for DeepINTEL 2022. We would like to explore the geopolitical side of information security again. Attacks on critical infrastructure, gauging capabilities of adversaries, digital operations in terms of disinformation, and strategic defence of digital infrastructure are the focus of our next security intelligence event. If you work in this field, please get in touch with us. Security research

2606, 2022

Preliminary Schedule DeepSec 2022 – Trainings

René Pfeiffer/ June 26, 2022/ Conference, Training

👨‍🎓 👩‍🎓 The „full preliminary“ schedule of DeepSec 2022 is due in mid-August. Until then, we have some training options for you. The remaining trainings will be published as soon as we have the confirmation from the trainers. The following courses have been confirmed: Hacking JavaScript Desktop apps: Master the Future of Attack Vector – The desktop is the entry to organisations and companies. Employees are connected to the resources attackers look for. The training illustrates how modern desktop applications work, how they connect to the outside world, and how you can use them to gain access to the internal networks (or the cloud platforms used by the code). Mobile Security Testing Guide Hands-On – This course tells you all you need to know about the desktop-to-go versions of applications. Mobiles devices are a

1406, 2022

Reminder DeepSec and DeepINTEL Call for Papers

René Pfeiffer/ June 14, 2022/ Administrivia, Call for Papers, Conference

We have been radio silent for quite a while. This is not because of the lack of content or ideas. Information security has long attained mainstream status. We all rely on software and hardware all the time. Instead, we were stuck in administrative tasks. We have found a new location for the conference. In addition, we are working behind the scenes on code updates of our web page. The call for papers manager, the functions that create the schedule and render the website have aged. Speaking of the call for papers, it is still open! We are looking for presentations about the current state of security. If you found a bug or a design flaw, let’s hear about it. There are lots of applications out there. There must be something that’s broken. CVE has

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this: