Press Release: Modern Desktops as a Security Hole – DeepSec Conference offers Trainings and Tests for Secure Applications

Sanna/ June 1, 2021/ Press, Training/ 0 comments

What do a modern office application and a fancy oil pipeline have in common? A desktop that led to disaster. Graphical interfaces for operating computers go back to research in the 1960s and 1970s. At that time people thought about how computers can best support people. By the 1990s at the latest, the desktop became a battleground for market dominance. That has stayed the same, only there are additional security aspects. After all, the desktop is often the first step from an attacker to a company’s digital treasures. The annual DeepSec conference offers security experts and developers a two-day crash course on desktop security. No attack without interaction Many successful attacks on companies or infrastructure depend on cooperation with the victims. Malware is executed using tricks and only then does it compromise the system.

Read More

Press Release: Current Threats in Cellular Networks – DeepSec Security Conference offers Security Training in dealing with Current Cellular Technology

Sanna/ May 26, 2021/ Press, Training/ 0 comments

In the past 40 years, cellular technology has achieved a veritable triumph. Availability, stability and data rates have increased significantly compared to the origins of 1G / 2G networks. The enthusiasm for security research in this area is not quite as enthusiastic. There are still weak points and tradeoffs in information security. At the first DeepSec conference in 2007, the weaknesses of A5 encryption were revealed. This year’s conference therefore again offers a two-day workshop on the security of current cellular technology. Basis of the communication society Many of the conveniences of modern life are inconceivable without cellular networks. The internet is almost always available. Communication is very easy even outside of cities, during leisure activities or when going for a walk, reception is of course required. The evolution of the technological generations up

Read More

Press Release: Low-tech Attacks. Critical Infrastructure poorly secured – Attacks against Colonial Pipeline used Standard Access Tools

Sanna/ May 20, 2021/ Press, Training/ 0 comments

In May, the operator of the US Colonial Pipeline was the victim of a ransomware attack. After such reports, calls for better security and additional measures are always loud. In fact, analyzes of these attacks often reveal deficiencies in basic security. Often it is not even necessary to use complicated and sophisticated tools to attack critical infrastructure. Attackers like to use standard tools that are available everywhere so as not to attract attention. The lack of basic security makes it possible. Custom camouflage When defending your own systems and networks, it is necessary to know exactly what the infrastructure is like. Organized groups that attack companies research exactly what is being used at the target before the attack. According to this planning phase, only tools are used that are plausible to the victim and

Read More

First DeepSec 2021 Trainings published

René Pfeiffer/ May 12, 2021/ Conference, Training/ 0 comments

We dug through the submissions and selected trainings for the preliminary schedule. It’s just the trainings, and the intention is to give you some information for planning the rest of the year. We intend the trainings to be on site at the conference hotel. We will also explore ways to offer a virtual training or to attend the course virtually. The topics range from attacking modern desktop applications, in-depth network security (mobile networks and traffic analysis), penetration testing industrial control systems over to how to break and secure single-sign on systems. The entire collection of content aims to educate your IT department and your development team regarding the current state of affairs in companies with employees connected in home office. All technologies and tools are vital parts of the workplace. We included attacking industrial

Read More

DeepSec 2021: A lack of software security paralyzes the economy in times of crisis – visit DeepSec 2021 to train your developers

Sanna/ April 20, 2021/ Development, Press, Training/ 0 comments

In every crisis, one’s own infrastructure and logistics are put to serious tests. The COVID-19 pandemic illustrates this particularly drastically through the many structural failures in the past 12 months. They try to solve biological problems with smartphones, favor dead-end technologies such as blockchain, discover the lack of network expansion in recent decades and then panic and publish software applications that are only subjected to serious tests after they have been published. All these quick fixes are snapshots of a lack of sustainability. But the economy is dependent on stable solutions based on many years of experience, especially now. In November 2021, the DeepSec conference would like to give support to everyone who works with software through trainings and the transfer of experience from security researchers. Code rules the World The word digitization is

Read More

Call for IoT Trainings: Secure Development for embedded Devices

René Pfeiffer/ March 24, 2021/ Discussion, Training/ 0 comments

The world is much easier to handle without limits. If you have all your frameworks freely available and have the luxury of running your code with a multi-MB (or -GB) runtime environment, then you are in paradise. The world of embedded devices and the Internet of Things looks different. Saving energy is the prime directive. The power supply might be a battery or the connector pin of another device. Multiple cores are rare, memory is even rarer. If you are acquainted with the container and cloud lifestyle, then embedded systems will be a culture shock. Think kilo instead of mega or giga. Small devices run code, too. So this is where security comes into play. What can you do to design your embedded code to be small and secure? Secure design and coding have

Read More

DeepSec 2020 Training: Threat Modelling: The Ultimate “Shift Left” – Irene Michlin & Kreshnik Rexha

Sanna/ October 5, 2020/ Training

The earlier in the life-cycle you pay attention to security, the better are the outcomes. Threat modelling is one of the best techniques for improving the security of your software. It is a structured method for identifying weaknesses on design level. The participants will learn the technique and gain practical skills through exercises. The curriculum of the training consists of : Threat modelling: introduction and motivation Data Flow Diagrams STRIDE Beyond STRIDE Prioritization Mitigations Integrating threat modelling in SDLC This training targets mainly blue teamers, as well as software developers, QA engineers, and architects; but will be also beneficial for scrum masters and product owners. We asked Irene and Kreshnik a few more questions about their training. Please tell us the top 5 facts about your training.  Lots of hands-on exercises and group work

Read More

DeepSec 2020 Training: Open Source Intelligence Gathering on Human Targets – Robert Sell

Sanna/ September 10, 2020/ Training

Robert Sell conducts a two-day training at DeepSec. In his own words: „In this workshop I provide the class with real humans (missing persons) and while they are collaborating on this I provide tools and techniques for them to use to bring them closer to their goal. This is a hands on workshop where students will also have the opportunity to learn from each other. The beginning of the class will consist of a brief intro to OpSec considerations while the end will wrap up with report prep and intel safe guarding.“ We asked Robert a few more questions about his training. Please tell us the top 5 facts about your training. The Intelligence Community has been involved in open source intelligence (OSINT) for more than 50 years. The value of open source information

Read More

DeepSec 2020 Online Training: Mobile Security Testing Guide Hands-On – Sven Schleier & Ryan Teoh

Sanna/ September 3, 2020/ Conference, Training

This online course teaches you how to analyse Android and iOS apps for security vulnerabilities, by going through the different phases of testing, including dynamic testing, static analysis and reverse engineering. Sven and Ryan will share their experience and many small tips and tricks to attack mobile apps. We asked Sven and Ryan a few more questions about their training. Please tell us the top 5 facts about your training. Learn a holistic methodology for testing the security of mobile apps A full Penetration Test against iOS apps can also be done on non-jailbroken devices! Learn how to bypass Anti-Frida security controls in a mobile app with Frida Focus on hands-on exercises during the training with vulnerable apps build by the trainers You just need to have a laptop (no Android or iOS devices

Read More

Token Hijacking via PDF – Dawid Czagan

Sanna/ July 20, 2020/ Training

PDF files are everywhere and they can be used to hack your web application. Imagine that the attacker prepares a malicious PDF file which steals sensitive data from a user. The PDF file is uploaded to the web application, the user reads this PDF file, and finally sensitive data is exfiltrated from the user’s browser. It’s scary, isn’t it? In a free video Dawid Czagan (DeepSec Instructor) will show you-step-by step how this attack works and how you can check if your web application is vulnerable to this attack. Watch this free video and feel the taste of Dawid Czagan’s Live Online Training ”Black Belt Pentesting / Bug Hunting Millionaire: Mastering Web Attacks with Full-Stack Exploitation” (DeepSec 2020; 17/18 November)   Tags:

Bypassing CSP via ajax.googleapis.com – Dawid Czagan

Sanna/ July 7, 2020/ Training

Content Security Policy (CSP) is the number one defensive technology in modern web applications. Many developers add ajax.googleapis.com to CSP definitions, because they use libraries from this very popular CDN in their web applications. The problem is that it completely bypasses the CSP and obviously you don’t want that to happen. Since CSP should be part of any modern application, you better get to work and brush up your knowledge. In a free video Dawid Czagan (DeepSec Instructor) will show you step-by-step how your CSP can be bypassed by hackers. Watch this free video and feel the taste of Dawid Czagan’s Live Online Training ”Black Belt Pentesting / Bug Hunting Millionaire: Mastering Web Attacks with Full-Stack Exploitation” (training at DeepSec 2020; 17/18 November)

Exploiting Race Conditions – Dawid Czagan

Sanna/ July 1, 2020/ Training

A race condition attack is one of the most dangerous and underestimated attacks on modern web applications. It’s related to concurrency and multithreading.  As a result of this attack an attacker, who has $1000 in his bank account, can transfer way more than $1000 from his bank account. This is just one example, but it clearly shows how dangerous this attack is. If you develop or use software connected to a network, then this is for you. In a free video Dawid Czagan (DeepSec Instructor) will show you step-by-step how this attack works and tell you how to prevent this attack from happening. Watch this free video and feel the taste of Dawid Czagan’s Live Online Training ”Black Belt Pentesting / Bug Hunting Millionaire: Mastering Web Attacks with Full-Stack Exploitation” (DeepSec 2020; mind the date

Read More

Communiqué de presse traduit: Les applis COVID-19 dévoilent leur logiciel pendant la crise

Sanna/ May 13, 2020/ Conference, Press, Training

En novembre, la conférence sur la sécurité DeepSec mettra en lumière la mascarade des logiciels. On dit souvent, « il y a forcément une appli pour ça ! ». Cette formule toute faite est souvent prise à la légère, même en dehors du secteur informatique. La crise actuelle du COVID-19 a de nouveau désigné le code informatique comme solution universelle aux problèmes qui ne sont pas strictement liés à la technologie de l’information. La numérisation générique semble être la réponse à tous nos problèmes. Bien sûr, le traitement des données peut aider. À condition toutefois de posséder des données réelles, vérifiables et recueillies soigneusement. C’est là qu’échouent de nombreux projets. Téléphones magiques à l’intelligence infinie La demande d’applis n’a fait qu’augmenter ces dernières années. Ces visions n’ont rien à envier aux idées créatives des

Read More

Translated Press Release: Covid-19 Apps show Software Development in Crisis

Sanna/ May 8, 2020/ Conference, Press, Training

In November, the DeepSec security conference will highlight the software masquerade. In everyday language there is the saying “There’s an app for that!”. The phrase is often used as a joke, even outside the IT industry. The current Covid-19 crisis has once again addressed computer code as a universal solution to problems that are not exclusively related to information technology. Generic digitization seems to be the answer to all problems. Of course, data processing can help. The prerequisite for this, however, is the existence of real data that has also been collected in a comprehensible and careful manner. This is exactly why many projects fail. Magical phones with infinite Intelligence The call for apps has been repeated again and again in recent years. The visions are in no way inferior to the creative ideas

Read More

DeepSec 2019 Press Release: High-quality Randomness protects Companies

Sanna/ November 25, 2019/ Conference, Training

The ‘bugs’ of the’ 90s are still alive – hidden in IoT devices, integrated systems and industrial controls. Modern information security can’t manage without mathematics. It is less about statistics in the form of operational data or risk analysis. It’s about cryptography, which is constantly used in everyday life. It uses elements that build on high-quality random numbers to protect information from attacks. This year’s DeepSec Security Conference addresses key aspects of product implementation – data protection during transport and storage. Protecting the Digital Transformation Whether “intelligent” bulbs and illuminants, heating or building controls, tv-sets, industrial plants or entire production lines – the digital transformation covers all areas of our lives and leads to changes. On the one hand, digitization opens up opportunities such as the optimization of processes, the more efficient use of

Read More