Creative Writing is beneficial for Information Security

René Pfeiffer/ June 19, 2024/ Security, Stories/ 0 comments

Do you like a good movie? Do you enjoy a good book? Your favourites most probably began as a piece of writing. There is a surprising overlap between creative writing, writing code, doing mathematics, and enjoying a well-defined information security configuration. Everything meets at the written word. IT documentation has a terrible reputation. Since it is always one or more steps behind the actual configuration, people prefer reading configurations instead. The magic is to keep changes in sync with your documentation. Another ingredient is to write concisely and to create the right structure. While documenting IT infrastructure is not like writing a script for a movie, it requires describing everything in the right order. You need to make sure people can look things up and find systems and controls required for security. An IT

Read More

Online Security is threatened by Politics in the EU

René Pfeiffer/ June 17, 2024/ Communication, Security/ 0 comments

A vote for the EU Chat Control disaster is scheduled again. If the vote passes, then this chat control system will destroy the security of communication platforms for all Internet users, organisation, and companies. Chat control basically disables end-to-end-encryption (E2EE). The proposals have been widely discussed, but it seems that the Belgian presidency decided to rush the topic right before the Summer break. Secure communications platforms such as Signal and Threema warned lawmakers. EuroISPA has published a statement of protest as well. E2EE is a cornerstone of information security. The chat control regulation would only affect citizens and businesses. Criminals will always have a way around this. The proposed mass surveillance is a security risk by itself. Nation state conducting espionage will welcome the weakening of the security posture and use it against the

Read More

Learn Incident Response by playing a Role-Playing Game

René Pfeiffer/ November 6, 2023/ Security

Simulations can be boring. What about combining a thought experiment with a game that brings fun? Enter role-playing games for incident response! Klaus Agnoletti will show you how this works. He will host an incident response role-playing session on the first conference day (16 November 2023) at 1900. The session will take place in the Third Person track. The game is heavily inspired by the (Advanced) Dungeons & Dragons games. You do not need to bring anything except your interest and some curiosity. The session simulates an incident in a fictitious company and players have roles like CMO, CISO, CFO, System architect, etc. The aspects of the incident gameplay are explored broadly and aren’t just limited to the technical parts of an incident. The session lasts about two to three hours, depending on your

Read More

Fight the EU Law for attacking Cryptography

René Pfeiffer/ November 4, 2023/ Security

The Crypto Wars have been one topic that DeepSec keeps addressing in public. The conference and our blog documents countless attempts to weaken algorithms, introduce mandatory back-doors, and compromise of operating systems. The European eIDAS (electronic IDentification, Authentication and trust Services) regulation is a proposal that all web browsers distributed in Europe will be required to trust the certificate authorities and cryptographic keys selected by EU governments. This destructively changes the IT security landscape. To quote from Mozilla’s open letter: These changes radically expand the capability of EU governments to surveil their citizens by ensuring cryptographic keys under government control can be used to intercept encrypted web traffic across the EU. Any EU member state has the ability to designate cryptographic keys for distribution in web browsers and browsers are forbidden from revoking trust

Read More

Global Encryption Day 2023

René Pfeiffer/ October 21, 2023/ Security

Wshpq mu Fknadp Icuvaoshnq Hen. Wreqxoslsr xk spd ne ski fjapfhmf aosgzk sh hmenuqeiasp rdbtumxn. Omvgnts hrggqtvhnm, skivt oswkc ad qs att wjnor, mr wirmvg ldrrdkmcy, rq dkdbwvscag dzmjhqk, rd hvqsdbslsr dx wgbqdsv altf xtzmrehvvxfk cmc rsrvmcy mpenqldxmdf. HgdoRdf lehs pqmf sqdhmiasp ne roheoxfk km ezuryv dx gtxosnjveezc. Yd gzc ryv usmt rgzqh sj ejiudmszwmsck hgzkhmj amiz ftdzjhqk eaysthsglv ers xmpchmf ipelk mp sgdl. Wli umpn eqnmwep plxcbj ax wli Tmvqodzm Fsqbawuhnm nq irrjcrshnm ec esvmpf azbnhsdjw vn bnlpyrxuevhnm chzmrww ugnvr wlei kietqd brqqjfmezshnq mw cgx c fhudq vmvzx. Ks ltrw fi swjgmcdc wshpq, xqlnqqra, ecv mp sgd exxygw. Ipbqxowmsc xeedr sguieik, fqsg nkg ers fiy. Lzjd bsyg nskbd gddvh pfh vdkk hw xs izi ynqkc! Rv ftlxgq xds: Fsrijmdtsd slqi, uarcmbhzo wyehsts, nq tvi icuvaoshnq mr ejsftbsr dpp dx xjd shlh. Hikwpqodqr uipn

Read More

Training Teaser: Token Hijacking via PDF File – Video Tutorial

René Pfeiffer/ July 4, 2023/ Conference, Security, Training

Tokens make the world go around. Therefore, we want to share with you the next teaser about Dawid Czagan’s training at DeepSec 2023. PDF files are everywhere and they can be used to hack your web application. Imagine that the attacker prepares a malicious PDF file which steals sensitive data from a user. The PDF file is uploaded to the web application, the user reads this PDF file, and finally sensitive data is exfiltrated from the user’s browser. It’s scary, isn’t it? Dawid will show you in a free video step by step how this attack works and how you can check if your web application is vulnerable to this attack. Watch the video and consider joining Dawid Czagan’s training Full-Stack Pentesting Laboratory: 100% Hands-On + Lifetime LAB Access (14-15 November, DeepSec 2023).

#DeepSec Press Release: IT Security Has A Deficit In Defence

Sanna/ April 24, 2023/ Press, Security

[DeepSec traditionally leans more on the defence side of things. So we published this article.] Many people are now aware of the importance of information security, but how to operate secure systems is often not obvious. The reason lies in the deficit of real defence measures. This may sound paradoxical, but many products on the market deal with the activities after a successful attack. The prevention of attacks is mostly ignored. This year’s DeepSec conference therefore wants to provide some tuition in digital defence measures. Fire extinguishers instead of fire protection A simple scenario will serve as an illustration. Imagine that a company accumulates flammable material in its offices for historical reasons. Grown procedures lead to the fact that more and more hazardous materials are distributed throughout the premises. There is plenty of space.

Read More

Press Release: IT World in AI Mania

Sanna/ February 16, 2023/ Development, Legal, Press, Security

Artificial intelligence (AI) is on everyone’s lips, but its results fall short of all expectations. Wouldn’t it be nice if computers could effortlessly give meaningful results to all kinds of questions from all kinds of unstructured data collections? Periodically, algorithms that do incredible things are celebrated in information technology. At the moment, it is the turn of artificial intelligence algorithms. Search engines are retrofitting AI. But the supposed product is far from real cognitive performance. Many open questions remain. History of Algorithms The first experts to work with algorithms to emulate human thought processes came from the fields of mathematics and philosophy. They wanted to formalise analytical thinking from the subfield of logic and describe it in models. In the 1950s, the algorithms were implemented on the computers that were emerging at the time.

Read More

Translated Article: Regulation on “Chat Control” Launched in EU Parliament

Sanna/ December 19, 2022/ Security, Stories

Verordnung zur „Chat-Kontrolle“ im EU-Parlament gestartet by Erich Moechel for fm4.ORF.at [We have translated the article from Erich’s column, because end-to-end encryption is a fundamental part of IT security. Erich has researched a lot regarding the concerted attack on secure communication. He provides important background information to understand why the attack on encryption is presented in different countries at the same time.] At the same time as the EU regulation, the British “Online Safety Bill” and a US law on the safety of children online are on their way through the parliaments. A comparison shows astonishing parallels in terms of content and method. On Wednesday, work on the regulation on warrantless searches of social network users’ smartphones and PCs started in the EU Parliament’s Civil Liberties Committee (LIBE). In this first meeting, the timetable for this

Read More

DeepSec 2022 has started – two Days of Presentation about Information Security

René Pfeiffer/ November 17, 2022/ Conference, Security

The DeepSec Conference 2022 has started. We will be busy handling the presentation tracks, the TraceLabs OSINT CTF event, and the ROOTS track. We covered most of the presentations in brief interviews on this blog. There is more to come after the conference has ended. The live streams from the conference are available to registered attendees. The recordings will be published on our video platform after post-precessing. Updates from the event will be posted to our Twitter and Mastodon accounts. In case you want to be part of the conversation, please use the #DeepSec hashtag.

Reminder for virtual Training: Exploiting Race Conditions

René Pfeiffer/ November 15, 2022/ Security, Training

A race condition attack is one of the most dangerous and underestimated attacks on modern web applications. It’s related to concurrency and multi-threading. Because of this attack, an attacker who has $1000 in his bank account can transfer more than $1000 from his bank account. This is just one example, but it clearly shows how dangerous this attack is. In a free video Dawid Czagan (DeepSec instructor) will show you step by step how this attack works and will tell you how to prevent this attack from happening. Watch this free video and feel the taste of Dawid Czagan’s live online training ”Black Belt Pentesting / Bug Hunting Millionaire: Mastering Web Attacks with Full-Stack Exploitation”- Because of our hybrid configuration of DeepSec for trainings and the conference, the Mastering Web Attacks with Full-Stack Exploitation

Read More

DeepSec 2022 Trainings have started

René Pfeiffer/ November 15, 2022/ Security, Training

The DeepSec trainings have started. Today is the first day. The topics cover attacking modern desktop applications, network threat hunting, incident response, creating malicious office documents for offensive tests, and secure code review. The spectrum covers a lot of content, and it will be very helpful for defending the information security landscape. One of our trainings can still be booked. The workshop titled “Web Hacking Expert: Full-Stack Exploitation Mastery” by Dawid Czagan has been postponed to 28/29 November 2022. It will be an online training. You can take part virtually. Bookings are still possible via our ticket shop.

Blockchain, bad data, and bad code

René Pfeiffer/ February 10, 2022/ Scuttlebutt, Security

[The scuttlebutt news are also available via the DeepSec scuttlebutt mailing list. This posting was sent to the list on 11 January 2022.] Dear readers, the pandemic is still not over. 2022 greets us with a new variant of SARS-CoV-2. I hope all of you stay safe and stay healthy. The organisation of DeepSec events continues. The wonderful world of IT has plenty of topics to research and check for security vulnerabilities. There is one issue I would like to describe in some more depth. DeepSec itself and parts of its staff and helpers have strong ties to cryptography. We supported the Crypto Party events in Vienna back in 2012. Back then, Bitcoin (₿) was three years old. It was regarded as a curiosity. For us, crypto still means cryptography. We considered accepting Bitcoin

Read More

DeepSec2021 Talk: QKD-based Security for 5G and Next Generation Networks – Sergiy Gnatyuk, PhD. DSc.

Sanna/ November 16, 2021/ Conference, Security

Modern information and communication technologies (ICT) implementation in all spheres of human activity, as well as the increasing number and power of cyber-attacks on them make the cyber security of the developed digital state vulnerable and weak. Cyber-attacks become targeted (so-called APT-attacks) and attackers carefully prepare them, analyzing the identified vulnerabilities and all possible ways of attack. The security and defense capabilities of the state are considered in an additional fifth domain titled cyberspace (after land, air, water and space). World`s leading states develop strategies to protect cyberspace, create cyber troops, develop and test cyber weapons. A significant number of cyber-attacks today are aimed at critical infrastructures and government organizations. Traditional security methods (in particular, cryptographic algorithms) do not fully protect against all currently known attacks, they are potentially vulnerable to attacks based on

Read More

Hardwear.io Interview: Teardown and feasibility study of IronKey – the most secure USB Flash drive

René Pfeiffer/ October 21, 2021/ Security

Portable storage devices are small and can be easily lost. Using security measures to protect the data on them is therefore a good idea. Vendors offer USB storage devices with built-in encryption capabilities. What happens if you analyse how they work? What are the attack modes on these devices? There will be a presentation at Hardwear.io regarding a specific brand of storage devices. We have asked the author Sergei Skorobogatov about the security properties of IronKey devices. HDD and SSD vendors have provided their devices with secure deletion and encryption features. How do IronKey devices compare to normal storage media? Some HDD and SSD devices do offer encryption and secure deletion, as well as vendors of other USB Flash drives. The fundamental difference is that IronKey devices are certified with FIPS140-2 Level 3. This

Read More