DeepSec 2023 Talk: Zero-Touch-Pwn: Abusing Zoom’s Zero Touch Provisioning for Remote Attacks on Desk Phones – Moritz Abrell

Sanna/ September 7, 2023/ Conference

Cloud communication platforms like Zoom have become a fundamental aspect of modern communication and are widely used in daily work. However, in certain scenarios, traditional endpoints such as desk phones or analog gateways are still required. Today, these devices can be integrated with most major cloud communication providers through the use of their provisioning services, which centralize configurations and firmware. This session is about a security analysis of the Zoom “Zero Touch Provisioning” method with certified hardware. It will reveal several vulnerabilities that, when combined, allow an attacker to remotely compromise arbitrary devices, enable massive eavesdropping on conversations or rooms, remote control of devices, or using them as a pivot point to attack the adjacent corporate network. Be curious about the details of hard-coded cryptographic material, improper authentication, lack of immutable root of trust,

Read More

DeepSec 2023 Talk: Automating Incident Response: Exploring the Latest Conversational AI Tools – Hagai Shapira

Sanna/ September 6, 2023/ Conference

As security incidents become increasingly complex, it’s crucial for SOC and incident response teams to focus on actual malicious investigations. However, their ability to do so is often limited by time-consuming human interactions with stakeholders. In this talk, we’ll explore different levels of automation approaches for incident response, culminating in the latest additions of conversational AI tools. These tools enable full investigations with human stakeholders to be performed automatically, with an analyst only as a silent observer/supervisor. We’ll discuss the benefits and limitations of using conversational AI tools in incident response, as well as real-world examples of how these tools have been used effectively. By the end of the talk, attendees will have a better understanding of how to leverage this technology to streamline their incident response processes and improve their overall security posture.

Read More

DeepSec 2023 Talk: Horror Stories from the Automotive Industry – Thomas Sermpinis

Sanna/ September 4, 2023/ Conference

In this talk, we will revisit some of the scariest stories we faced during over 50 penetration testing and security research projects, with a twist. In the ever-emerging industry of automotive, with old and new OEMs trying to get a share of the pie, many things are at stake, with many things getting overlooked, forgotten, or even deliberately covered. We will go through a journey of critical findings in different targets and the constant battle between penetration testers, developers, and mid to upper management. This will help the audience get an understanding of how the industry behaves right now, what they (and what we) are doing wrong, and how the future of automotive security should be shaped, not only for the sake of security but also for the sake of safety and reliability. This

Read More

DeepSec 2023 Talk: The Attacker Mindset: Practical Lessons from the Field – Yossi Sassi

Sanna/ September 1, 2023/ Conference

Occasionally we come across the expression “attacker mindset”, yet without properly understanding what it means in practice. What does it REALLY mean? Is it a different way of thinking? Planning? Improvising? Or execution? Or maybe all of the above? We’ll dive into some practical examples & hands-on demos to understand what this term actually means, from an engagement perspective. We asked Yossi a few more questions about his talk. Please tell us the top 5 facts about your talk. Based on real-world engagements at dozens of customers worldwide, four continents, including Fortune 100 companies. Learn how to “think” like an adversary, not just hear about tools & techniques. Various hands-on demos to demonstrate the session topic. Cool research and code from self exploration. Gain overall insights, whether you are a Red or Blue teamer

Read More

DeepSec 2023 Talk: Nostalgic Memory – Remembering All the Wins and Losses for Protecting Memory Corruption – Shubham Dubey

Sanna/ August 31, 2023/ Conference

Memory corruption, a vulnerability that emerged in the 1980s and gained prominence with the discovery of the first buffer overflow in the fingerd Unix application exploited by the Morris worm in 1988, has since become a significant concern in the field of information security. Its prevalence was further underscored by the influential Phrack edition 49 titled “Smashing the Stack for Fun and Profit” in 1996. Today, memory corruption remains one of the most pressing security challenges, compelling the entire defensive security industry to develop robust countermeasures. This session aims to delve into the progress made by the security industry in mitigating and protecting against different types of memory corruption, as well as the current state of these efforts. During the talk, I will explore various techniques that have been introduced worldwide to safeguard against

Read More

DeepSec 2023 Press Release: Language Models do no cognitive Work –

Sanna/ August 30, 2023/ Conference, Press

The term Artificial intelligence (AI) is in the media, but it consists only of language simulations. If one follows the logic of the products currently offered under the AI label, we could easily remedy the shortage of skilled workers in the information technology sector. Take random people and let them consume tutorials, code examples, training videos and other documents related to the field of application for a few months. After this learning phase, skilled workers would automatically be available. TThe DeepSec conference is asking why there is still a lack of qualified personnel in IT. Algorithmically, the problem already seems to have been solved. Large Language Models (LLMs) and AI The so-called generative AI, which is now on everyone’s lips, is mathematically assigned to the research field of artificial intelligence. GPT, LLaMa, LaMDA or

Read More

DeepSec 2023 Press Release: DeepSec 2023 publishes Programme – This year’s conference focuses on language models and infrastructure

Sanna/ August 30, 2023/ Conference, Press

  Everyone is discussing Artificial Intelligence language models that have vast amounts of learning data. Language models are supposed to revolutionise information technology overnight, but their first applications are actually digital attacks. TThe current state of deep fake detection, social engineering attacks, and security incident response benefits will be highlighted at the DeepSec security conference this year. Of course, there are many more presentations that are indispensable for digital defence. Language models do not think, they forge Attacks through phishing emails and social engineering bypass technical measures through communication. By imitating victims’ language, attackers try to get them to support the attack with their own actions. Artificial persuasion is the speciality of AI language models, as they are designed to simulate conversation. Alexander Hurbean discusses which tools are available for these attacks and how

Read More

DeepSec 2023 Training: Security Intelligence: Practical Social Engineering & Open-source Intelligence for Security Teams – Christina Lekati

Sanna/ August 25, 2023/ Conference, Interview, Training

Social engineering attacks remain at the top of the threat landscape and data breach reports. Reports tend to oversimplify breaches as just phishing attacks, but current research shows it’s more complex. Social engineering attacks have been evolving. Successful phishing emails are usually a result of a larger attack based on research and intelligence that identifies organizational vulnerabilities. But it doesn’t stop there. Weaponized psychology is still a powerful component of social engineering attacks. Security professionals and testers need to know how social engineering works and how to stop attacks. This class aims to provide participants with the necessary knowledge on open-source intelligence and social engineering, to help security teams build better protective measures (proactive & reactive) and to inform their security strategy. It also aims to help penetration testers improve their recommendations and provide

Read More

DeepSec 2023 preliminary Schedule published

René Pfeiffer/ August 25, 2023/ Administrivia, Conference

The schedule for DeepSec 2023’s first version has been published. We are still stuck in reviews, so there will be some more updates in the coming weeks. Especially the third track with technical sessions and presentations will see some updates. Read some more on the technical track in one of our next blog articles. We received a lot of submissions, so we are very grateful for your support and the great ideas you sent us. Because of the limitations of our schedule, the reviewers had a hard time making a selection. The final status of all submissions will be sent to all submitters within the next few days. The following weeks will feature every presentation in more detail with an interview or an article about the content. The mix of topics is definitely the

Read More

AI Content Harvesting without Opt-Out? Goodbye, Zoom!

René Pfeiffer/ August 7, 2023/ Conference

DeepSec has used the Zoom videoconferencing tool since 2020. It was really helpful for the 100% online conferences back then. Apparently, Zoom has changed its terms of service. The new version is completely unacceptable for any conference. This means we are leaving Zoom, and we recommend you do the same. The reason is the ongoing „AI pandemic“. Content is king, but content theft is the emperor these days. If you look at the Zoom terms of services and read chapter 10.4, you see that Zoom likes to use everything you do via the platform for any use the company can think of. There is no opt-out, it seems. We have ended our subscriptions and will delete our account. We will switch to OpenTalk, which is GDPR-compliant and hosted in European data centres. OpenTalk is

Read More

Helpful Hints for writing Presentations

René Pfeiffer/ July 31, 2023/ Call for Papers, Communication, Conference

Today the call for papers for DeepSec 2023 and DeepINTEL 2023 ends. If you have some ideas, please let us know by submitting a proposal. Since we have a lot of experience with reviewing presentation outlines. Before you create a brief description of your mind-blowing talk, please have a look at our suggestions. The title is important! Don’t go overboard with cryptic memes, insider jokes, or movie titles. Not everyone will have the knowledge of understanding what the presentation is about. Your title needs to reflect what you are talking about. You can always use subtitles or a tag line if you really want to mimic film posters. Also keep it short! The 80 letter limit is not only for Usenet veterans. Long titles are hard to memorise. Your title should not replace the

Read More

Training Teaser: Token Hijacking via PDF File – Video Tutorial

René Pfeiffer/ July 4, 2023/ Conference, Security, Training

Tokens make the world go around. Therefore, we want to share with you the next teaser about Dawid Czagan’s training at DeepSec 2023. PDF files are everywhere and they can be used to hack your web application. Imagine that the attacker prepares a malicious PDF file which steals sensitive data from a user. The PDF file is uploaded to the web application, the user reads this PDF file, and finally sensitive data is exfiltrated from the user’s browser. It’s scary, isn’t it? Dawid will show you in a free video step by step how this attack works and how you can check if your web application is vulnerable to this attack. Watch the video and consider joining Dawid Czagan’s training Full-Stack Pentesting Laboratory: 100% Hands-On + Lifetime LAB Access (14-15 November, DeepSec 2023).

DeepSec Scuttlebutt: Tech Monsters from Novels and the Call for Papers Reminder

René Pfeiffer/ July 3, 2023/ Call for Papers, Conference, Stories

[This message was published via our DeepSec Scuttlebutt mailing list. The text was written by a human. This is a repost via our blog and Mastodon. Our Call for Papers for DeepSec 2023 is still running. If you have interesting content, please submit your idea.] Dear readers, the wonderful world of computer science and teaching courses has kept me busy. The scuttlebutt mailing list has the aim of having at least one letter per month. It is now the end of June, and the Summer has begun here in Vienna. The university courses have finished. The grades are ready. More projects are waiting. In information society, it is never a good idea to wait until something happens. A lot of blue teams are busy improving defences, testing configurations, and rehearsing their processes. However, there

Read More

Training Teaser: Token Hijacking via PDF File – Video Tutorial

René Pfeiffer/ June 15, 2023/ Conference, Training

Portable documents are nice. It’s always an advantage to read and process documents on different platforms. The Portable Document Format (PDF) is a common format. Unfortunately, PDF can be abused to attack you. PDF files are everywhere and these files can be used to hack your web application. Imagine that the attacker prepares a malicious PDF file which steals sensitive data from a user. The PDF file is uploaded to the web application, the user reads this PDF file, and finally sensitive data is exfiltrated from the user’s browser. It’s scary, isn’t it? In a free video, Dawid Czagan (DeepSec instructor) will show you step by step how this attack works and how you can check if your web application is vulnerable to this attack. Dawid has prepared a free video for you. Have

Read More

DeepSec 2023 Talk: Deepfake vs AI: How To Detect Deepfakes With Artificial Intelligence – Dr. Nicolas Müller

Sanna/ June 6, 2023/ Conference

Artificial intelligence is developing at a breathtaking pace, already surpassing humans in some areas. But with opportunity comes potential for abuse: generative models are getting better at creating deceptively real deepfakes – audio or video recordings of people that are not real, but entirely digitally created. While the technology can be used legitimately for film and television, it has great potential for abuse. This lecture illustrates this problem using audio deepfakes, i.e. fake voice recordings. The technical background of synthesis will be highlighted, and current research on countermeasures will be presented: Can we use AI to expose deepfakes? Can we learn to recognise deepfakes, and if so, how? We asked Dr. Nicolas Müller a few questions about his talk. Please tell us the top 5 facts about your talk. We will listen to Angela

Read More