The fully virtual DeepSec conference was very different from the usual configuration and setting. While we learned a lot over the years, there is one constant: What’s the difference between hardware and software? Well, hardware can be kicked. There is always one converter, one computer, one network devices, one USB device, or something else that doesn’t quite fit into the ensemble. Then there are the many desktop oddities and multimedia formats. So we had to do some damage control during the first day of streaming (having damage control teams and replacement parts ready is not just for ships). Networking did its own magic by introducing delays between the speaker’s feed and the live stream. Fortunately the stream connections held, and we had no losses in terms of connectivity. Mission control at the office used
The past four days were quite busy for the DeepSec Organisation Team. We had to prepare the realspace implementation of our mission control in our office. We had to fight some gremlins in hardware and software, but we managed to create the stream feeds. We hope you enjoyed the presentations! The streams were recorded, and we will start with the post-processing. Due to the dual-track – and the ROOTS event – one always has to decide which presentation to watch. In our long-time tradition attendees and speakers will get to watch the videos first (for quality assurance), and then we will release the whole DeepSec 2020 collection. We recommend your favourite lounge, drink, and company for watching the recordings later. A very big thanks go to everyone contributing content, being part of the events,
The stream link for the DeepSec 2020 Right Pirouette track has changed. Somehow the cloud ate our old link (end event). No recordings were lost, just the link to the streaming platform. We apologies for this change, but there is not much we can investigate. The password is the same. For a complete list: DeepSec 2020 Right Pirouette track – https://vimeo.com/481384818 DeepSec 2020 Left Pirouette track – https://vimeo.com/event/475468 The closing presentation will be after the last presentation in the Right Pirouette (as always when on-site at the conference hotel).
DeepSec 2020 Talk: Old Pareto had a Chart: How to achieve 80% of Threat Modelling Benefits with 20% of the Efforts – Irene Michlin
The earlier in the lifecycle you pay attention to security, the better are the outcomes. Threat modelling is one of the best techniques for improving the security of your software. It is a structured method for identifying weaknesses on design level. However, it is often perceived by the organisations as too expensive to introduce, or too slow to fit modern lifecycles, be it Agile, Lean, or DevOps. This talk will show how to fit threat modelling in fast-paced software development, without requiring every developer to become an expert. The outcomes should be immediately applicable, hopefully empowering you to try it at work the day after the conference. We asked Irene a few more questions about his talk. Please tell us the top 5 facts about your talk. Based on my experience introducing threat modeling
We have verified the DeepSec schedule and did some changes. The layout looks a bit shifted. The reason is a time-shift between the two DeepSec main tracks Left Pirouette and Right Pirouette (named after the rooms in our long-time conference hotel). Since we have set up our mission control in our office and lack the space to have two session chairs use the stage and the camera feed simultaneously the two tracks need to be time-shifted. The presentations in the Left Pirouette start 20 minutes later than the presentations in the Right Pirouette. We tried hard to avoid this, but the current configuration requires adding this feature to the schedule. The two tracks overlap any way, so if you are interested in either talk, then you have to make up your mind with or
Technology is evolving. This is especially true for computer science and the related information technology branch. When everything is outdated after a couple of months, the wind of change turns into a storm. It also affects the way we work, processes which enable us to get work done, and changes perspectives how we see the world, code, and its applications. Dev, DevOps, and DevSecOps is a good example how these changes look like at the top of the iceberg. Subjectively information security is always a few steps behind the bleeding edge. The word „bleeding“ is a good indication of why this is the case. However, security professionals cannot turn back time and ignore the way the world works. New technology will always get pushed into all areas of our lives until its creators realise
Like every year, DeepSec and DeepINTEL get to the bottom of the current state of information security. So far, 2020 has shown that surprises and critical events are always to be expected. Information security still knows no break. On the contrary: weak points in software, hardware, legislature and infrastructure are a permanent threat to digital information. So that those affected still have better chances against constant attacks, the DeepSec and DeepINTEL conferences will take place this year completely digitally via the Internet. Security can only be achieved through joint efforts. Therefore, this November, as every year, there will be an exchange between experts, users, software developers, administrators and those responsible! Solving problems instead of postponing them Hardly any other area is constantly inventing new terms like information technology. Unfortunately, misunderstandings and obscuring their meaning
Effective end-to-end encryption is a critical component in everyday and business life. Over 300 years ago, cryptanalysis, i.e. the method for decrypting secret codes, had its heyday in Europe. In so-called black chambers or black cabinets (also known as cabinet noir) in post offices all letters from certain people were secretly opened, viewed, copied and closed again. The letters intercepted in this way were then delivered. The purpose was to find dangerous or harmful news for the regents of the time. The most active and efficient chamber in Europe was the Secret Cabinet Chancellery in Vienna. This early form of wiretapping was only ended in the 19th century. And this scenario of the imperial and royal courts is now facing all European companies and individuals. End-to-end encryption is to be provided with back doors
Auf den Terroranschlag folgt EU-Verschlüsselungsverbot by Erich Moechel for fm4.ORF.at In the EU Council of Ministers, a resolution was made ready within five days, obliging platform operators such as WhatsApp, Signal and Co to create master keys for monitoring E2E-encrypted chats and messages. The terrorist attack in Vienna is used in the EU Council of Ministers to enforce a ban on secure encryption for services such as WhatsApp, Signal and many others in a fast track procedure. This emerges from an internal document dated November 6th from the German Presidency to the delegations of the member states in the Council, which ORF.at has received. This should now be understood as the “further steps against terrorism” that French President Emmanuel Macron wants to discuss with Federal Chancellor Sebastian Kurz (ÖVP) in a video conference at
We wish to express our deepest condolences and sympathies to the families of the victims and wish a speedy recovery to the injured of last nights attacks in Vienna. Our thoughts are with them and the many women and men protecting the everyday life in the city. Vienna is one of the safest cities in Europe. Since 2007 the DeepSec team enjoys bringing you all to this wonderful city. We will continue to do this. Information security is a team effort and so is creating safe places for everyone. Don’t give the extremists the stage. Ignore them and care about the ones deserving your attention. Stay safe, stay healthy!
DeepSec 2020 Talk: TaintSpot: Practical Taint Analysis and Exploit Generation for Java – Dr. – Ing. Mohammadreza Ashouri
“In this talk I will introduce a scalable and practical security analysis and automatic exploit generation approach, which is called TaintSpot. It works based on an optimized hybrid taint analysis technique that combines static and dynamic vulnerability analysis. TaintSpot generates concrete exploits based on concolic testing for programs written for the Java Virtual Machine (JVM) ecosystem.TaintSpot is specially designed for operating on large-scale proprietary executable binaries with multiple external dependencies. TaintSpot is under development system; for now, it targets JVM binaries, but I plan to extend it to android applications.” We asked Mohammadreza a few more questions about his talk. Please tell us the top 5 facts about your talk. Static and dynamic taint analysis have various advantages and disadvantages; I consider consolidating the best of these techniques to improve the effectiveness and scalability
On 31 October 2020 at 1730 the Austrian government held a press release to announce new COVID-19 regulations. Since this press release was only the political message and the actual legally binding regulation is still not published we cannot give you an update yet. We don’t know when the regulation will be published. Given these circumstances we cannot give you any more details, but we are working on it. We hope to have more details on Tuesday/Wednesday. We assure you that we have contingency plans, because we expected this situation a few months ago.
Today begins the „darker half“ of the year. The harvesting season has ended. The year ends as well (depending on how you count the days and mark the start of the year). People celebrate Samhain, Halloween, or other festive days. In information security there is always a harvest season, and there is no darker half of the year. 2020 is no exception despite the extraordinary situation given the SARS-CoV-2 outbreak. So how do you decide what exceptions look like? What is a trick? What’s the difference between a trick and a threat? If you supervise any kind of digital infrastructure or set of systems, then these questions are very important. Metrics is a hot topic – an euphemism for a dirty word – in computer science. It is used in other fields as well.
DeepSec2020 Talk: What’s Up Doc? – Self Learning Sandboxes to Defeat Modern Malwares Using RSA: Rapid Static Analysis – Shyam Sundar Ramaswami
“Catch me if you can!” is the right phrase to describe today’s malware genre. Malwares have become more stealthy, deadly and authors have become more wiser too. What if sandboxes started performing rapid static analysis on malware files and passed on the metadata to spin a sandbox environment based on malware attributes and the malware does not evade? Well, the talk deals with about how to do RSA (Rapid Static Analysis, i coined it), pass on the attributes and how we defeat modern malwares by dynamically spinning sandboxes. RSA embedded in “H.E.L.E.N” and “Dummy” and how we extracted the real IOC from Ryuk forms the rest of the talk and story! The talk also covers how these key “attributes” that are extracted are used for ML, how we build bipartite graphs, build instruction based
DeepSec 2020 Talk: “I Told You So!” – Musings About A Blameless Security Culture – Tim Berghoff, Hauke Gierow
The concept of a blameless culture is familiar to agile software development teams the world over. Going blameless has lots of merits, yet in many organizations and management teams true blamelessness is far from being the norm. This is especially true for the security sector, where the thinking is perhaps even more linear than elsewhere in an organization. This way of thinking is not necessarily bad, but not always helpful. On the other hand, sugarcoating any shortcoming will not help things along either. In truth, the security industry is still facing a lot of work when it comes to dealing with people. This talk will address and explore some of the fundamental problems of corporate security culture and why it keeps companies from moving forward. We asked Tim and Hauke a few more questions