DeepSec 2017 Talk: How I Rob Banks – Freakyclown

Sanna/ November 14, 2017/ Conference, High Entropy, Security

You are in for an adventure at DeepSec this year. We have a tour on robbing banks for you: A light-hearted trip through security failures both physical and electronic that have enabled me over the years to circumvent security of most of the world's largest banks. Through the use of tales from the front line and useful illustrative slides, I will attempt to take you through the lessons to be learned from an ethical hacker with a penchant for breaking into the impossible. Let me take you on a rollercoaster ride of epic fails and grandiose plans and my Jason Bourne-like adventures including Lockpicking, Kidnap, Police chases and multi-million pound bank heists. FC is a well-known ethical hacker and social engineer. He has been working in the infosec field for over 20 years

The only responsible Encryption is End-to-End Encryption

René Pfeiffer/ October 30, 2017/ High Entropy, Security

Last week the Privacy Week 2017 took place. Seven days full of workshops and presentations about privacy. This included some security content as well. We provided some background information about the Internet of Things, data every one of us leaks, and the assessment of backdoors in cryptography and operating systems. It’s amazing to see for how long the Crypto Wars have been raging. The call for backdoors and structural weaknesses in encryption was never silenced. Occasionally the emperor gets new clothes, but this doesn’t change the fact that some groups wish to destroy crypto for all of us. The next battle is fought under the disguise of responsible encryption. Deputy Attorney General Rod J. Rosenstein invented this phrase to come up with a new marketing strategy for backdoors. Once you have backdoors in any

DeepSec Talk 2017: Normal Permissions In Android: An Audiovisual Deception – Constantinos Patsakis

Sanna/ October 17, 2017/ Conference, Security

The Marshmallow version was a significant revision for Android. Among the new features that were introduced one of the most significant is, without any doubt, the runtime permission. The permission model was totally redesigned, categorising the permissions into four main categories. The main concept of this categorisation is how much risk a user is exposed to when permissions are granted. Therefore, normal permissions imply the least risk for the user. However, in this case, there are some important issues. Firstly, these permissions are not actually displayed to the user; they are not displayed upon installation and the user needs to dig into several menus to find them for each app. Most importantly though, these permissions cannot be revoked. Unlike permissions categorized as dangerous, where the user can grant or revoke a permission whenever deemed

Science First! – University of Applied Sciences Upper Austria (FHOOe) supports DeepSec

René Pfeiffer/ October 12, 2017/ Conference, Security

The motto of DeepSec 2017 is „Science first!“. This is expressed by the co-located ROOTS workshop, many speakers from academia, topics fresh from the front lines of research, and a mindset that favours facts over fake content or showmanship. This is why we want to thank the University of Applied Sciences Upper Austria for their continued support of DeepSec! Their motto is Teaching and learning with pleasure – researching with curiosity, which fits nicely into the mindset of most information security researchers. They have a wide range of very interesting research projects. If you are interested in courses or collaboration as a company, let them know. We are happy to support you with your enquiry. Lest you forget: DeepSec offers a steep discount for anyone in academic research – be it student or professor.

DeepSec 2017 Talk: BITSInject – Control Your BITS, Get SYSTEM – Dor Azouri

Sanna/ October 8, 2017/ Conference, Internet, Security

Microsoft introduced the Background Intelligent Transfer Service (BITS) into Windows 2000 and later versions of the operating system. Windows 7 and Windows Server 2008 R2 feature version 4.0 of the protocol. BITS is designed to use idle bandwidth in order to transfer data to and from servers. BITS is an obedient servant, and it may be abused into doing transfers on behalf of others. Dor Azouri will present his findings regarding BITS at DeepSec 2007. Windows’ BITS service is a middleman for your download jobs. You start a BITS job, and from that point on, BITS is responsible for the download. But what if we tell you that BITS is a careless middleman? Current Windows software comes packaged with a mix of old and new features and components. New, shiny features and

DeepSec 2017 Talk: XFLTReaT: A New Dimension In Tunnelling – Balazs Bucsay

Sanna/ October 7, 2017/ Conference, Security

“Our new tool XFLTReaT is an open-source tunnelling framework that handles all the boring stuff and gives users the capability to take care of only the things that matter”, says Balazs. “It provides significant improvements over existing tools. From now on there is no need to write a new tunnel for each and every protocol or to deal with interfaces and routing. Any protocol can be converted to a module, which works in a plug-and-play fashion; authentication and encryption can be configured and customised on all traffic, and it is also worth mentioning that the framework was designed to be easy to configure, use and develop.” We asked Balazs Bucsay a couple more questions about his talk: Please tell us the top 5 facts about your talk. Tunnelling is not new at all, but

DeepSec 2017 Talk: Insecurity In Information Technology – Tanya Janca

Sanna/ October 6, 2017/ Communication, Conference, Security

A lot is expected of software developers these days; they are expected to be experts in everything despite very little training. Throw in the IT security team (often with little-to-no knowledge of how to build software) telling developers what to do and how to do it, and the situation is further strained. This silo-filled, tension-laced situation, coupled with short deadlines and mounting pressure from management, often leads to stress, anxiety and less-than-ideal reactions from developers and security people alike. In this talk Tanya Janca will explain how people’s personal insecurities can be brought out by leadership decisions in the way we manage our application security programs, and how this can lead to real-life vulnerabilities in software and other IT products. This is not a soft talk about “feelings”, this is a talk about creating

DeepSec 2017 Talk: Bypassing Web Application Firewalls – Khalil Bijjou

Sanna/ October 5, 2017/ Conference, Security

Everyone has firewalls or filters. They are now called application-level gateways (ALGs) and have lots of features included. Algorithms, signatures, heuristics, protocol checks, verification; you name it. It’s all in there. But does it work? Obfuscation and evading technology has been around since the first filter was created. Anticipating what data might look like is hard, and some protocols were designed to be as ambivalent as possible, one might think. At DeepSec 2017 Khalil Bijjou will show you what can be done by being evasive on the web. Security experts perform security assessments of web applications in order to identify vulnerabilities that could be exploited by malicious users. Web Application Firewalls add a second layer of protection to web applications in order to mitigate these vulnerabilities. The attempt to bypass Web Application Firewalls is an

DeepSec 2017 Talk: Next-Gen Mirai Botnet – Balthasar Martin & Fabian Bräunlein

Sanna/ September 27, 2017/ Conference, Internet, Security

While you were living in a cave, devices took over the world and got connected to the network. This is the state of affairs we live in right now. As long as nothing happens we don’t notice anything about it. The Mirai (未来) botnet changed this all of a sudden. Consumer devices were drafted into an army of bots. Thanks to the proliferation of networked devices such as cameras, home routers, and others the botnet was very successful. The code was designed to run on embedded devices and is even online for inspection. Let’s take a look at how to improve Mirai. Badly secured embedded devices enabled the largest DDoS attack on critical networks seen to date: The Mirai attacks in 2016 were largely pegged on Internet-exposed telnet with default credentials. While such telnet

44CON revisited: Secure Design in Software is still a new Concept

René Pfeiffer/ September 20, 2017/ High Entropy, Interview, Security

We have been to 44CON, and we returned with lots of ideas and scary news about the state of security in devices and applications. Given the ever spreading Internet of Things (IoT) you can see why connecting random devices via a network with no second thoughts about design, updates, or quality control is a bad idea. Don Bailey illustrated this perfectly in the keynote titled The Internet of Us. His presentation touched all of information security, but IoT played a prominent role. We are really surrounded by the Internet of SIM cards (which, sadly, we cannot call IoS). This opens up a new perspective and demystifies the IoT hype. You should watch Matt Wixey’s talk Hacking invisibly and silently with light and sound as soon as the videos are published. Matt discussed hardware hacking

DeepSec 2017 Training: The ARM IoT Exploit Laboratory

René Pfeiffer/ August 29, 2017/ Conference, Security, Training

If the Internet of Things (IoT) will ever leave puberty, it has to deal with the real world. This means dealing with lies, fraud, abuse, exploits, overload, bad-tempered clients (and servers), and much more. Analysing applications is best done by looking at what’s behind the scenes. IoT devices, their infrastructure, billions of mobile devices, and servers are powered by processors using the Advanced RISC Machine (ARM) architecture. This design is different from the (still?) widespread Intel® x86 or the AMD™ AMD64 architecture. For security researchers dealing with exploits the change of design means that the assembly language and the behaviour of the processor are different. Developing ways to inject and modify code requires knowledge. Now for everyone who has dealt with opcodes, registers and oddities of CPUs, this is nothing new. Grab the

DeepSec 2017 Talk: Malware Analysis: A Machine Learning Approach – Chiheb Chebbi

Sanna/ August 26, 2017/ Conference, Security

Software has a character. It can be beneficial. It can also be malicious. A networked business world and the Internet of connected individuals make life for malicious software, also known as malware, easier. Just like international travel facilitates the spread of diseases and parasites, the networked globe is a big advantage for malware. Researchers can hardly keep up with the numbers of detected viruses, worms, and trojan horses. So why not let machines look for malware on their own? Certainly automation already benefits the hunt for malicious code. Chiheb Chebbi has some ideas that can help. Threats are a growing problem for people and organizations across the globe. With millions of malicious programs in the wild it has become hard to detect zero-day attacks and polymorphic viruses. This is why the need for machine learning-based

DeepSec 2017 Keynote: Social Science First! – Dr. Jessica Barker

Sanna/ August 24, 2017/ Conference, High Entropy, Security

While the schedule is still preliminary, we already have some confirmations from our speakers. We are happy to announce Dr Jessica Barker as the keynote speaker for DeepSec 2017. Information security has a lot to do with interactions. Despite AI (a.k.a. Assisted Intelligence), „smart“ assistants (a.k.a. paper clips on steroids), and a metric ton of gadgets we still have a lot of contact with human beings. Marketing departments and tech people lost in code often forget this. Jessica will give you something to think about which you can’t discuss with Siri, Alexa, the Google AI, or even HAL 9000. Bruce Schneier popularised the concept in 1999: cyber security is about people, process and technology. Yet almost two decades later, the industry still focuses so much more on technology than the other two dimensions of

Decline of the Scientific Method: New (Austrian) “Trojan” Law without Technical Expertise

Sanna/ August 3, 2017/ Discussion, High Entropy, Security

The Crypto Wars are still raging despite everyone relying on secure communication. Everyone means everyone. The good thing is that mathematics still works, even though some people wouldn’t want it to. The latest cryptographic review comes from Amber Rudd, the current UK Home Secretary. She said recently: “Real people often prefer ease of use and a multitude of features to perfect, unbreakable security.” The corollary in turn states that DeepSec conferences aren’t attended by real people. Since we are not yet a purely robot-based event, there is something wrong with this approach to secure communication. The common denominator is simply the lack of technical expertise. There is no surprise there. Ever since the Internet was discovered by the rest of the world (which was in the 1990s, don’t get fooled by web sites who

Unicorns in the Wild – Information Security Skills and how to achieve them

René Pfeiffer/ July 27, 2017/ Discussion, High Entropy, Security

Everyone talks about information security, countering „cyber“ threats, endless feats of hackers gone wrong/wild, and more epic stories. Once you have realised that you are reading the news and not a script for a TV series, you are left with one question: What are information security skills? The next question will probably be: How do you train to be „information secure“? Let’s take a look at possible answers. First of all, yes, you can study information security or security-related topics. Universities, schools, and companies offer lectures, training, exercises, etc. Great. However it may not help you right away. We talked with top quality head hunters from a nameless big corporation. When they look for infosec specialists, they filter for anyone having worked in three different fields related to computer science (applied or otherwise) for
