3110, 2022

We have a Mastodon account – please come and follow us!

René Pfeiffer/ October 31, 2022/ Conference

The swinging moods of billionaires have hit Twitter. 230 million users have switched ownership and now follow the erratic decisions of a single person. „Mars first!”, or something. DeepSec is using Twitter as a channel to link to blog posts and to share information about ongoing events. This will not change for the moment. However, we have created a new Mastodon account to be on the safe side. The account name is already visible on our Twitter profile page. Please follow us, if you want to receive further news without interruption. DeepSec is fond of decentralised communication channels. While this means more effort to filter and selecting sources, it is true to the original character of the Internet. We also maintain our own mailing lists which cover press releases, random scuttlebutt behind the scenes,

2810, 2022

DeepSec 2022 Talk: Fighting Fire with Fire – Detecting DNS-Tunneling with DNS – Artsiom Holub

Sanna/ October 28, 2022/ Conference

DNS tunneling used as a covert-channel method to bypass security policies has ballooned in the landscape of Ransomware attacks in recent years. This can be attributed to CobaltStrike post exploitation tools becoming modus operandi of cybercrime syndicates operating with ransomware. Most of the detections rely on packet inspection, which suffers from scalability performance when an extensive set of sockets should be monitored in real time. Aggregation-based monitoring avoids packet inspection, but has two drawbacks: silent intruders (generating small statistical variations of legitimate traffic) and quick statistical fingerprints generation (to obtain a detection tool really applicable in the field). Our approach uses statistical analysis coupled with behavioral characteristics applied directly in the DNS resolver. This presentation will cover examples of the malicious tools used by threat actors and detections designed to protect from such tools.

2610, 2022

DeepSec 2022 Talk: Attacking Developer Environment Through Drive-by Localhost Attacks – Joseph Beeton

Sanna/ October 26, 2022/ Conference

There is a widespread belief that services that are only bound to localhost are not accessible from the outside world. Developers for convenience sake will run services they are developing configured in a less secure way compared to how they would (hopefully!) do in higher environments. By compromising websites developers use, just injecting JS into adverts served on those sites or just a phishing attack that gets the developer to open a web browser on a compromised page, it is possible to reach out via non pre-flighted http requests to those services bound to localhost, by exploiting common misconfigurations in Spring, or known vulnerabilities found by myself and others. I’ll demonstrate during the talk, it is possible to generate a RCE on the developer’s machine or other services on their private network. As developers

2410, 2022

DeepSec 2022 Online-Onsite Training: Hacking JavaScript Desktop Apps: Master the Future of Attack Vector – Abraham Aranguren

Sanna/ October 24, 2022/ Conference

This course is the culmination of years of experience gained via practical penetration testing of JavaScript Desktop applications as well as countless hours spent doing research. We have structured this course around the OWASP Security Testing Guide, it covers the OWASP Top Ten and specific attack vectors against JavaScript Desktop apps. This course provides participants with actionable skills that can be applied immediately from day 1. Please note our courses are 100% hands-on, we do not lecture students with boring bullet points and theories, instead we give you practical challenges and help you solve them, teaching you how to troubleshoot common issues and get the most out of this training. Training then continues after the course through our frequently updated course material, for which you keep lifetime access, as well as unlimited email support.

1910, 2022

DeepSec 2022 Talk: Ukrainian-Russian Warfare In Cyberspace: Technological And Psychological Aspects – Sergiy Gnatyuk

Sanna/ October 19, 2022/ Conference

On 24th of February, 2022, the life of Ukrainians has changed fundamentally. Russian troops attacked peaceful Ukrainian cities and civilian infrastructure, using all possible means and bridgeheads – land, sea, air and cyberspace. Predictably, given the technological conditions, the cyberspace has become one of the main arenas of combat in this war. Powerful cyber-attacks (more than 1,100 attacks so far) on the state’s critical information infrastructure were accompanied by destructive information and psychological effects and special psychological operations (PSYOP). However, as in other domains, Ukraine persevered in cyberspace, fought back and counterattacked the enemy. At DeepSec up-to-date information on the specifics of cyber-attacks on the technological infrastructures (DoS-attacks, malicious software, unauthorized data collection, etc.) will be presented and analyzed, as well as attacks on the population (mis- and disinformation, deep fakes, etc.). Current initiatives

1810, 2022

DeepSec 2022 Talk: Signature-based Detection Using Network Timing – Josh Pyorre

Sanna/ October 18, 2022/ Conference

Malware often has behaviors that can be used to identify other variants of the same malware families, typically seen in the code structure, IP addresses and domains contacted, or in certain text strings and variable names within the malware. However, it may be possible to identify malware, or anomalous behavior by analyzing the timing in between network transactions. My presentation will explore this idea using network captures of malicious activity amongst potentially normal network traffic, analyzed quickly with Python. We’ll explore this on network data with full visibility into the transactions as well as noisier encrypted traffic, where we’ll attempt to identify unusual activity based only on bandwidth. We asked Josh Pyorre a few more questions about his talk. Please tell us the top 5 facts about your talk. Signatures are the primary method

1710, 2022

DeepSec 2022 Talk: Iran: A Top Tier Threat Actor – Steph Shample

Sanna/ October 17, 2022/ Conference

This presentation, conducted hundreds of times throughout the United States on Wall Street, at various American universities, and throughout the US Defense sector, will go into detail on the evolution of the Iranian cyber program, its current state and most common malware, as well as what geopolitical events and relationships influence Iranian cyber actors. It will also detail why Iran needs to be taken seriously as a digital threat, as they indeed operate at the same level as malicious Russian and Chinese threat actors. We asked Steph Shample a few more questions about her talk. Please tell us the top facts about your talk. Iran continues to quickly gain sophistication in Cyber. Its state sponsored (military and civilian) and cybercriminal operations have worldwide impact and deserve attention. Iran’s relationships with other adversaries like China

1010, 2022

DeepSec 2022 Talk: Working in Warzones in Theory and in Practice – Enno Lenze

Sanna/ October 10, 2022/ Conference

The difference between theory and practice is much smaller in theory than in practice. This also applies to physical and digital security in war zones. While those at home imagine journalists driving certified armored vehicles and using special encrypted devices, in practice, it is often a Toyota Corolla and WhatsApp. Why is that the case? I will try to explain the different aspects and reasoning behind the decisions on digital and physical security based on real-world experiences and examples. We asked Enno Lenze a few more questions about his talk. Please tell us the top 5 facts about your talk. How IT Nerds think you should prepare for a war zone and what it‘s like in reality Threat analysis and the question if you need a bulletproof vest What to pack when going to

0710, 2022

DeepSec 2022 Talk: Protecting Your Web Application/API With CrowdSec – Klaus Agnoletti

Sanna/ October 7, 2022/ Conference

Protecting your web applications and APIs are more important than ever. Especially these days where one can deploy their application in the cloud, where everything but the application itself is a standardized application constantly updated for you by continuous patch processes, it is more evident than ever that the biggest risk is present in the code you produce yourself and expose to the internet. But what are the risks? And how to mitigate them? And is it true that APIs don’t need to be secured as much as your website? All competent security professionals know that there’s no such thing as a silver bullet, so obviously creating an AppSec program is inevitable to achieve a sufficient security posture. But how do we handle the remaining risks? CrowdSec is a FOSS security tool that can

0510, 2022

DeepSec Talk 2022: Anticipating Damage Control: Communicating About Cybersecurity Within And Outside Organizations – Prof. Matthieu J. Guitton

Sanna/ October 5, 2022/ Conference

Although cybersecurity aims at protecting individuals and organizations from the threats emerging from the massive use of and dependency upon digitalized spaces, the efforts of cybersecurity experts unfortunately do not always succeed in doing so. Therefore, integrated cybersecurity strategies of large organizations should minimally include a plan for damage control. Damage control strategies are typically handled by public relations experts and tend to follow a classical narrative, combining a mix of both apologizing and reassuring discourses. However, in an age of communication technologies, efficient narrative strategies have to be multi-layered. Indeed, while damage control is typically conceptualized as taking place after the occurrence of a damage causing event, it should also include an anticipatory component, both dealing with communication planning and pre-event communication. Furthermore, a damage control narrative can not exclusively focus on a

0410, 2022

DeepSec 2022 Talk: Malware And Exfiltration : A Telegram Story – Godwin Attigah

Sanna/ October 4, 2022/ Conference

Exfiltration and command and control are essential parts of the adversary’s kill chain. One of the primary goals of a malicious adversary is to exfiltrate data from an environment undetected and uninterrupted. As a result, several attackers have opted for third-party services typically sanctioned for most enterprises. The accepted status of such applications coupled with an established developer ecosystem makes services such as Slack and Telegram suitable for their exfiltration and command-and-control tool of choice. We have observed the usage of Telegram in different malicious activities including but not limited to ransomware, phishing, remote access trojans and stealers. We will discuss active samples found in the wild with a particular emphasis on stealers. Stealers are a class of malware that is primarily interested in gathering information on a host. Recent examples of Telegram in

2809, 2022

DeepSec Talk 2022: Automatic Recovery Of Cyber Physical Systems Applications Against Known Attacks – Dr M Taimoor Khan

Sanna/ September 28, 2022/ Conference

Recovering a software application against an arbitrary attack is an intractable problem because of inadequate information available about compromised components of the application. Therefore, to this end, we have developed a method and supporting tools that can automatically detect and recover the execution of a cyber-physical system application against known attacks. The method can detect and recover the application against cyber, physical, and cyber-physical attacks. However, based on the availability of adequate information about the compromised components, the method supports three different recovery strategies, e.g., “full recovery” – recovers the last secure state of the application, “partial recovery” – recovers a specific state of the application and “no recovery” – recovers application by a user-provided action. Specifically, the method is based on program verification that allows the specifying of various attacks and their recovery

2609, 2022

DeepSec Talk 2022: We Are Sorry That Your Mouse Is Admin – Windows Privilege Escalation Through The Razer Co-installer – Oliver Schwarz

Sanna/ September 26, 2022/ Conference

Device-specific co-installers have repeatedly allowed for Windows privilege escalation. Through Windows’ plug’n’play concept, attackers don’t need to rely on any pre-installed software on the victim client. All they need is a peripheral device associated with the vulnerable driver – or simpler, a hacking device that simply impersonates such device. In this talk, I’ll will report on his responsible-disclosure journey for a DLL hijacking in the Razer Synapse service for gaming devices. The journey starts with me trying to fake a vulnerability and suddenly realizing that the vulnerability is actually real. It continues with a support team that apologized to me for my escalated privileges. You will also learn about a number of fixing attempts and insights about Windows’ access control that helped to circumvent these attempts. The final twist: we recently discovered that the

1609, 2022

Scuttlebutt – Musings about the Energy Cost of Information Security

René Pfeiffer/ September 16, 2022/ Conference, Discussion, High Entropy, Scuttlebutt

[Of course, this is the August 2022 article from the DeepSec Scuttlebutt mailing list. We publish the postings one month later on our blog. For timely scuttlebutt, please subscribe to the mailing list.] Dear readers, the Summer is burning Europe and other parts of the world. The climate is changing and poses the biggest challenge to all aspects of our society. And this is without other man-made catastrophes, such as war, lack of raw materials, logistics, health protection, and many more trouble spots. DeepSec is about information security, so I will stick to the digital parts of the story. There are already too much “experts” on social media. No need to add more. Have you ever wondered what amount of energy is used for digital security measures? Have you ever tried an estimate? I

1609, 2022

DeepSec 2022 Talk: Wireless Keystroke Injection As An Attack Vector During Physical Assessments – Simonovi Sergei

Sanna/ September 16, 2022/ Conference

A lot of wireless input devices are vulnerable to keystroke injection due to the lack of security mechanisms, which makes it a perfect attack vector. During the attack, an attacker can send any text string to the victim machine acting as a remote keyboard, which can lead to quick and stealthy compromise of the system. No antivirus software shall spot the attack, as the keyboard, even remotely, is not malicious by itself and is always trusted. We asked Simonovi Sergei a few more questions about his talk. How did you come up with it? Was there something like an initial spark that set your mind on creating this talk? I came up with the idea of using a wireless keystroke injection during one unfortunate physical engagement, during which my team could not get any

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this: