0411, 2019

DeepSec 2019 Talk: Lost in (DevOps) Space – Practical Approach for “Lightway” Threat Modeling as a Code – Vitaly Davidoff

Sanna/ November 4, 2019/ Conference, Development

Threat Modeling is a main method to identify potential security weaknesses, and is an important part of any secure design. Threat Modeling provides a model to analyze how to best protect your assets, prevent attacks, harden your systems, and efficiently prioritize security investment. Regardless of programming language, Threat Modeling provides a far greater return than most other security techniques in the software development life cycle (SDLC) process. Therefore, Threat Modeling should be an early priority in application design process. Unfortunately, it is common knowledge that building a full threat model is always heavily resource intensive, requires a full team of expensive security professionals, takes up far too much time, and is not scalable. This talk will describe modern Threat Modeling methodology and practices that can be fully incorporated into your existing agile process. We

0111, 2019

DeepSec 2019 Talk: Setting up an Opensource Threat Detection Program – Lance Buttars

Sanna/ November 1, 2019/ Conference, Security

Through the use of event detection monitoring and do it yourself monitoring techniques on a Linux Apache PHP MySQL stack, I will demonstrate how you can create different alarms and reporting surfaces that alert you when your application is being attacked. This case study will demonstrate the use of hacking tools as a defense strategy in a corporate network and will cover the story of the detection of insider threats from the internal application point of view. The entire presentation is a hands-on lab that can be used after the presentation as a guide for attendees to set up a Threat Detection program. We asked Lance a few more questions about his talk. Please tell us the top 5 facts about your talk. The talk covers ways of discovering insider threats. It’s a starting

3110, 2019

DeepSec 2019 Talk: Oh! Auth: Implementation Pitfalls of OAuth 2.0 & the Auth Providers Who Have Fell in It – Samit Anwer

Sanna/ October 31, 2019/ Conference

Since the beginning of distributed personal computer networks, one of the toughest problems has been to provide a seamless and secure SSO experience between unrelated servers/services. OAuth is an open protocol to allow secure authorization in a standard method from web, mobile and desktop application. The OAuth 2.0 authorization framework enables third-party applications to obtain discretionary access to a web service. Built on top of OAuth 2, OpenID Connect is a helpful “identity layer” that provides developers with a framework to build functional and secure authentication systems. OpenID Connect can perform identity authorization and provide basic profile information for different clients, from web and mobile apps to JavaScript clients. In this race of providing OAuth/Open ID Connect based access to assets, authorization service providers have been forced to release half-baked solutions in the wild

3010, 2019

DeepSec 2019 Talk: Still Secure. We Empower What We Harden Because We Can Conceal – Yury Chemerkin

Sanna/ October 30, 2019/ Conference, Security

The launch of Windows 10 has brought many controversial discussions around the privacy factor of collecting and transmitting user data to Microsoft and its partners. But Microsoft was not the first, Apple did it many years ago and there was no public research on how much data were leaked out from MacOS. There is a statement in the Privacy Policy written by Apple: “Your device will keep track of places you have recently been, as well as how often and when you visited them, in order to learn places that are significant to you, to provide you with personalized services, such as predictive traffic routing, and to build better Photos Memories… ‘Everything’ stores in iCloud service”. Both cases are the same, designed in the same manner and driven by a similar idea to simplify

2910, 2019

DeepSec 2019 Talk: Chinese Police and CloudPets – Abraham Aranguren

Sanna/ October 29, 2019/ Conference, Security

[In our Call for Papers we mentioned that DeepSec and specifically DeepINTEL will have a connection to geopolitics. Well, the following description of a presentation at DeepSec gives you an idea of what we meant.] This talk is a summary of three different security audits with an interesting background: First, CloudPets, their epic track record, what we found and what happened afterwards. Next, two mobile apps by Chinese Police: “BXAQ” and “IJOP”, both related to surveillance of ethnic minorities, but in different ways. Stay tuned. Part 1: CloudPets Wouldn’t it be cool, for a parent far from home, to be able to record a voice message with their phone and make the sound come out of a soft toy that children can hug? That’s the idea of CloudPets. Children can even respond directly from

2810, 2019

DeepSec 2019 Talk: Comparing GnuPG With Signal is like Comparing Apples with Smart Light Bulbs – Hans Freitag

Sanna/ October 28, 2019/ Conference, Security

GnuPG is not designed to be used only in E-Mail, it plays an important role in securing all sorts of mission critical data. In this talk I will show you applications of GnuPG that are not E-Mail or Instant Messaging. We asked Hans a few more questions about his talk. Please tell us the top 5 facts about your talk. GnuPG is free software that can be used to encrypt and sign data. Signal is not a free software but may be used to communicate with others. You can’t compare apples with pears. In German the term glowing pear is used for light bulb. My Key ID is: 1553A52AE25725279D8A499175E880E6DC59190F How did you come up with it? Was there something like an initial spark that set your mind on creating this talk? I browsed the

2510, 2019

Threats and Solutions for Supply Chain Attacks in IT – DeepSec conference sheds light on the concatenated logistics of information technology.

Sanna/ October 25, 2019/ Conference

On the web you can find videos of very sophisticated constructions of many dominoes. If you knock over one domino, a whole cascade of breathtaking actions follows. The domino effect in your own IT infrastructure is much less entertaining. Even there, everything usually begins harmlessly with a small action – reading a message, forwarding a document, accessing a web server or receiving a short message from a supposed employee. It becomes particularly exciting when the dominoes are your own suppliers and business partners. This year’s DeepSec Security Conference offers rich content to analyze the interwoven situation of today’s companies and organizations. In networks you need to trust In theory, there is always an outside and an inside. Doors, network filters, access, …. Data management knows this approach. In all IT architectures, therefore, a division

1710, 2019

L’Internet des faits et la peur dans la sécurité informatique – Les conférences DeepSec et DeepINTEL dévoilent leurs programmes – bits, bytes, sécurité et géopolitique

Sanna/ October 17, 2019/ Conference, DeepIntel

« No man is an island ». Cette citation (« Aucun homme n’est une île ») est de l’écrivain anglais John Donne. Si la phrase est devenue célèbre au XVIIe siècle, elle prend un tout autre sens à l’ère du numérique. La version moderne serait plutôt : il n’y a plus aucune île. De plus en plus de domaines du quotidien et de la société sont connectés. Cette année, les conférences sur la sécurité DeepSec et DeepINTEL souhaitent donc jeter un regard sobre sur l’Internet des faits et sur la peur sous l’angle de la sécurité de l’information. Actuellement, les systèmes sont moins isolés et bien plus complexes que ce qui est raisonnable du point de vue de la sécurité. La DeepSec se consacre donc aux nouvelles technologies et à leurs vulnérabilités au cours de deux journées de conférences

1610, 2019

DeepSec 2019 Talk: What’s Wrong with WebSocket APIs? Unveiling Vulnerabilities in WebSocket APIs – Mikhail Egorov

Sanna/ October 16, 2019/ Conference, Security

WebSocket protocol is many times more efficient than HTTP. In recent years we can observe that developers tend to implement functionality in the form of WebSocket APIs instead of traditional REST APIs, that use HTTP. Modern technologies and frameworks simplify the building of efficient WebSocket APIs. We can name GraphQL subscriptions or Websocket APIs supported in Amazon API Gateway. WebSockets APIs have a different security model compared to REST APIs, resulting in unique attack vectors. Nevertheless, developers rarely take them into account. WebSockets in browsers do not use the same-origin policy (SOP) concept, their security model is based on origin check. Out-of-the-box WebSockets provide no authentication and authorization mechanisms. WebSocket protocol is stateful and has two main phases: A handshake and data transfer phase. Most of the time authentication and authorization logic is implemented

0810, 2019

DeepSec 2019 Talk: “The Daily Malware Grind” – Looking Beyond the Cybers – Tim Berghoff, Hauke Gierow

Sanna/ October 8, 2019/ Conference

Given the noise generated around all the “sexy” and no doubt interesting topics like 0days, APT, and nation state-sponsored threat actors it is easy to miss what is really going on out there, in the world of Joe Average. Actual telemetry data paints a picture that is in many respects different from what happens in a lot of the news coverage. Much of the malware out there, including some that is attributed to some sort of APT, is nowhere near anything that might be considered “sophisticated”. In this talk we will shine a light on different aspects of the realities of home users as well as companies, and offer some interesting data about the malware that actually does the most damage, while precious few get all the press. We asked Tim and Hauke a

0810, 2019

DeepSec Scholar Program – Call for Applications

Jim Swiatko/ October 8, 2019/ Call for Papers, Conference

DeepSec has a past of supporting research projects and the researchers themselves. For 2019 and the years to come we have teamed up with partners to foster research in information security. We already support the BSidesLondon Rookie Track, support the Reversing and Offensive-oriented Trends Symposium (ROOTS), publish the DeepSec Chronicles, and support individuals in their research. Now we want to go one step further. Purpose: To encourage research by young professionals and academics on new and emerging cyber security issues, information security, new ways to use technology, defence, offence, and weaknesses in hardware/software/designs. Suggested Topics: Vulnerabilities in mobile devices, vulnerabilities in IoT, advances in polymorphic code, software attacks on hardware wallets, side channel attacks, hacking industrial control systems and smart cities, quantum and post quantum computing, penetration testing – defining what it means and

0110, 2019

ROOTS 2019 Invited Talk: Please, Bias Me! – Pauline Bourmeau

Sanna/ October 1, 2019/ Conference, ROOTS

Anyone doing research, audits, code reviews, or development will most probably use her or his brain. Have you ever considered what can influence your decisions and thinking processes? We asked Pauline Bourmeau to explain and to share her thoughts on this matter. Cognitive bias influences our decisions and affects many part of our daily life. We will explore how it affects our security responses, and how we can identify it and be more effective. From Red-team to Forensic experts to incident responders, we see what we expect to encounter in our field, based on our range of past experiences. Adversary tactics make gold out of these loopholes in our predictable thinking. This talk aims to invite the audience to step back from our daily routine and challenges us to understand what cognitive bias is.

2709, 2019

DeepSec 2019 Workshop: Attacks on the Diffie-Hellman Protocol – Denis Kolegov & Innokentii Sennovskii

Sanna/ September 27, 2019/ Conference, Security

This workshop is a hands-on task-based study of the Diffie-Hellman protocol and its modern extensions focusing on vulnerabilities and attacks. It is not a full day training, but it will be held during the conference. Everyone interested in applied cryptography and attacks connected to this topics should attend. Seats are limited! Some of the topics that will be highlighted: Diffie-Hellman key exchange Elliptic-curve Diffie-Hellman Variants of Diffie-Hellman protocol: Ephemeral, static, anonymous, authenticated Diffie-Hellman X3DH, Noise and SIGMA protocols Forward secrecy and post-compromise security Small-subgroup attack Pollard’s rho and lambda algorithms Invalid curve attack Curve twist attack Protocol attacks (MitM, replay, KCI, UKS) Labs: Small subgroup attack against multiplicative group DH Invalid curve attack against ECDH Twist attack KCI attack Key Takeaways Learn about Diffie-Hellman key exchange Learn about applying Diffie-Hellman in modern protocols Hands-on

2609, 2019

DeepSec 2019 Talk: What Has Data Science Got To Do With It? – Thordis Thorsteins

Sanna/ September 26, 2019/ Conference, Security

In this talk I want to shed some light on data science’s place within security. You can expect to learn how to see through common data science jargon that’s used in the industry, as well as to get a high level understanding of what’s happening behind the scenes when data science is successfully applied to solve complex security problems. The talk is aimed at anyone who’s been curious or had questions about the rise of things like “machine learning” or “big data” in the context of security. No prior data science knowledge is required. We asked Thordis a few more questions about her talk which will be held at DeepSec 2019. Please tell us the top 5 facts about your talk. It will give an insight into the exciting (and sometimes terrifying) world

2309, 2019

DeepSec 2019 Talk: Techniques and Tools for Becoming an Intelligence Operator – Robert Sell

Sanna/ September 23, 2019/ Conference, Security Intelligence

In this talk at DeepSec 2019, Robert will introduce the various operations that Trace Labs has performed to help illustrate Open-Source Intelligence (OSINT) techniques used in finding details on real human subjects. Trace Labs is a non-profit organization that crowdsources open source intelligence to help law enforcement find missing persons. Trace Labs is non-theoretical and its members are conducting OSINT on real people. Robert lifts the curtain on successful OSINT techniques that can be used to pull up important information on individuals. Many of the slides show specific tools and techniques that can immediately be used to improve your OSINT results. The talk starts with a brief introduction to Trace Labs and its mission of helping law enforcement through a crowdsourced, open source intelligence. It then moves into a technical discussion on how to

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this: