DeepSec 2022 Training: Token Hijacking via PDF File – Dawid Czagan

Sanna/ July 20, 2022/ Training

PDF files are everywhere and they can be used to hack your web application. Imagine that the attacker prepares a malicious PDF file which steals sensitive data from a user. The PDF file is uploaded to the web application, the user reads this PDF file, and finally sensitive data is exfiltrated from the user's browser. It's scary, isn't it? In a free video, Dawid Czagan (your DeepSec instructor) will show you step by step how this attack works and how you can check if your web application is vulnerable to this attack. Watch this free video and get a taste of Dawid Czagan's training "Black Belt Pentesting / Bug Hunting Millionaire: Mastering Web Attacks with Full-Stack Exploitation" (DeepSec 2022; 15-16 November; https://deepsec.net/speaker.html#WSLOT564). Dawid Czagan (@dawidczagan) is an internationally recognized security researcher and trainer. He is
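
The post does not say how the attack or the check works; the video does. The following is an added example, not code from the post or from Dawid Czagan's training, of the check a practitioner would run first: a PDF that the browser renders inline from the application's own origin runs in that origin's context, so user uploads should be served as downloads (Content-Disposition: attachment), with X-Content-Type-Options: nosniff, and ideally from a separate, cookie-less origin. The script audits recorded HTTP responses for an upload endpoint against those rules. The origins, URLs and header sets below are constructed for illustration and are assumptions, not anything the post states.

```python
"""Audit how a web application delivers user-uploaded PDFs.

Added example, not part of the DeepSec post or of the training it advertises.
Assumed rule set (standard hardening for user-controlled content):
  - application/pdf without Content-Disposition: attachment is rendered
    inline by browsers that ship a PDF viewer;
  - inline rendering from the application origin is the dangerous case;
  - X-Content-Type-Options: nosniff should always be present.
All URLs, origins and headers here are constructed sample data.
"""
from dataclasses import dataclass, field
from urllib.parse import urlsplit


@dataclass
class Response:
    """Minimal stand-in for a recorded HTTP response (constructed data)."""
    url: str
    headers: dict = field(default_factory=dict)

    def header(self, name: str) -> str:
        # HTTP header names are case-insensitive; compare accordingly.
        for key, value in self.headers.items():
            if key.lower() == name.lower():
                return value
        return ""


def check_pdf_delivery(resp: Response, app_origin: str) -> list:
    """Return findings for one response; an empty list means it passes."""
    findings = []
    ctype = resp.header("Content-Type").split(";")[0].strip().lower()
    disp = resp.header("Content-Disposition").split(";")[0].strip().lower()
    parts = urlsplit(resp.url)
    origin = f"{parts.scheme}://{parts.netloc}".lower()

    # A PDF is shown inline unless the server forces a download.
    inline = ctype == "application/pdf" and disp != "attachment"
    if inline and origin == app_origin.lower():
        findings.append("HIGH: PDF rendered inline from the application origin")
    elif inline:
        findings.append("INFO: PDF rendered inline, but from a separate origin")
    if "nosniff" not in resp.header("X-Content-Type-Options").lower():
        findings.append("LOW: missing X-Content-Type-Options: nosniff")
    return findings


# Constructed sample responses for a hypothetical upload endpoint.
APP_ORIGIN = "https://app.example"
SAMPLE_RESPONSES = [
    # 1. inline on the app origin, no nosniff: the scenario in the post
    Response("https://app.example/uploads/42.pdf",
             {"Content-Type": "application/pdf"}),
    # 2. hardened: forced download plus nosniff
    Response("https://app.example/uploads/42.pdf",
             {"Content-Type": "application/pdf",
              "Content-Disposition": 'attachment; filename="42.pdf"',
              "X-Content-Type-Options": "nosniff"}),
    # 3. inline, but from a dedicated user-content origin
    Response("https://files.example-usercontent.net/42.pdf",
             {"Content-Type": "application/pdf",
              "X-Content-Type-Options": "nosniff"}),
]


def audit(responses, app_origin=APP_ORIGIN) -> list:
    """Run the check over a list of responses; returns one findings list each."""
    return [check_pdf_delivery(r, app_origin) for r in responses]


if __name__ == "__main__":
    for resp, findings in zip(SAMPLE_RESPONSES, audit(SAMPLE_RESPONSES)):
        print(resp.url, "->", findings or ["OK"])
```

Run it against responses captured from your own upload endpoint (for example exported from a proxy) instead of the constructed samples; the first sample is the configuration this training's attack scenario relies on, the second is the fix.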

Translated Article: New EU Regulation makes securely encrypted Chats illegal

Sanna/ July 13, 2022/ Stories

Neue EU-Regulierung macht sicher verschlüsselte Chats illegal by Erich Moechel for fm4.orf.at [This article has been sitting in our translation queue for a while. We have translated the content, because Erich has monitored the development of the war against encryption for decades and always has deep insights into the processes behind the scenes.] The word "encryption" is hardly mentioned directly in the Commission's draft, which aims to make end-to-end encryption illegal in general. Series, Part 1. The EU Commissioner Ylva Johansson's Regulation on Combating Child Abuse on the Internet, which was presented on Wednesday, caused incredulous amazement in the professional world. "This will be the most sophisticated system of mass surveillance ever set up outside of Russia or China," prominent cryptographer Matthew Green wrote in a first reaction on Twitter. Securely encrypted chats are de

DeepSec 2022 Training: Mobile Security Testing Guide Hands-On (Hybrid edition) – Sven Schleier

Sanna/ July 12, 2022/ Training

This course teaches you how to analyse Android and iOS apps for security vulnerabilities, by going through the different phases of testing, including dynamic testing, static analysis and reverse engineering. Sven will share his experience and many small tips and tricks to attack mobile apps that he collected throughout his career and bug hunting adventures. We asked Sven a few more questions about his training.

Please tell us the top 5 facts about your training.

Learn a holistic and consistent method for testing the security of mobile apps
A full Penetration Test against iOS apps can also be done on a non-jailbroken device!
Learn how to bypass Anti-Frida security controls in a mobile app with… FRIDA!
Focus on hands-on exercises during the training with vulnerable apps built by the trainer
You just need to

DeepSec, DeepINTEL, and ROOTS Call for Papers still open!

René Pfeiffer/ July 8, 2022/ Conference

Did you find some interesting bugs lately? Have you broken something which wasn’t supposed to be broken? Can you hack a nation state just by using a phone call? Do you dream of writing a smartphone app in Malbolge just for fun? If the answer is yes, then you should definitely submit a presentation for DeepSec 2022! We are still looking for your contribution. Share your insights, enlighten our audience. We are also looking for talks for DeepINTEL 2022. We would like to explore the geopolitical side of information security again. Attacks on critical infrastructure, gauging capabilities of adversaries, digital operations in terms of disinformation, and strategic defence of digital infrastructure are the focus of our next security intelligence event. If you work in this field, please get in touch with us. Security research

Press Release: Ransomware Attacks Are No Force Majeure

Sanna/ July 7, 2022/ Press

DeepSec security conference reminds you of basic IT protection and secure system architecture. Malware attacks that encrypt the data of victims seem to have increased recently. In fact, these ransomware attacks are only part of an evolution among the attackers. Attack software moves with the times. An important reason for the increase is the standstill in defense. This year's DeepSec security conference offers exchange with experts and high-quality further training for protecting your own IT.

Basic Misunderstandings

Comparing the reports of incidents involving ransomware attacks, one might conclude that these are inevitable natural events. Of course, that's not the case. If one sticks to the biological analogy of the virus, the result is a favorable combination of prerequisites for a ransomware infestation. In the beginning, there is always a deception in the form of a fake

Preliminary Schedule DeepSec 2022 – Trainings

René Pfeiffer/ June 26, 2022/ Conference, Training

👨‍🎓 👩‍🎓 The "full preliminary" schedule of DeepSec 2022 is due in mid-August. Until then, we have some training options for you. The remaining trainings will be published as soon as we have the confirmation from the trainers. The following courses have been confirmed:

Hacking JavaScript Desktop apps: Master the Future of Attack Vector – The desktop is the entry to organisations and companies. Employees are connected to the resources attackers look for. The training illustrates how modern desktop applications work, how they connect to the outside world, and how you can use them to gain access to the internal networks (or the cloud platforms used by the code).

Mobile Security Testing Guide Hands-On – This course tells you all you need to know about the desktop-to-go versions of applications. Mobile devices are a

Reminder DeepSec and DeepINTEL Call for Papers

René Pfeiffer/ June 14, 2022/ Administrivia, Call for Papers, Conference

We have been radio silent for quite a while. This is not because of the lack of content or ideas. Information security has long attained mainstream status. We all rely on software and hardware all the time. Instead, we were stuck in administrative tasks. We have found a new location for the conference. In addition, we are working behind the scenes on code updates of our web page. The call for papers manager, the functions that create the schedule and render the website have aged. Speaking of the call for papers, it is still open! We are looking for presentations about the current state of security. If you found a bug or a design flaw, let’s hear about it. There are lots of applications out there. There must be something that’s broken. CVE has

Translated Article: EU Control Committee Blocks Regulation on Chat Surveillance

Sanna/ April 4, 2022/ Stories

EU-Kontrollausschuss blockt Verordnung zur Chat-Überwachung by Erich Moechel for fm4.orf.at [We have translated this article, because we have criticised client side scanning and introducing backdoors to circumvent encryption in past articles. Erich Möchel has an update on the current EU initiative to make encryption useless.] A leaked report from the Commission's control committee shows that officials from the Commission's interior department have not presented a legally compliant draft in two years. The publication of the ordinance on the automated monitoring of chats, which was announced at the end of March, has already been postponed again. This ordinance, ostensibly aimed at combating child abuse, is now 18 months behind schedule. A recent leak now shows the reason for this series of postponements. The officials responsible for the Commission's draft could not come up with a text

IT Energy Security – Electric Power makes Cyber go around

René Pfeiffer/ April 1, 2022/ Conference

This is not a typical 1 April posting. We have stopped the habit of writing satirical articles, because the actual news stories are better than any comedy these days. Instead of having a laugh, let's look at the core of information technology – electrical power. Energy prices have been rising for a while now. Russia's invasion of Ukraine has put Europe's supply of fossil fuels into the spotlight, because it is used to force political decisions. Using renewable energy sources could have been sped up twenty years ago. It hasn't. Now the price for electrical power is rising. Information technology relies on electrical power. Computers, servers, networks, smartphones, and display devices can't do without it. The same goes for information security. Adding countermeasures to defend your digital assets and to introduce secure coding requires

Translated Article: Internet Traffic in Russia will be Rerouted

Sanna/ March 17, 2022/ Stories

Der Internetverkehr Russlands wird umgeroutet by Erich Moechel for fm4.orf.at With Lumen and Cogent, the leading transit carrier and the number three are just exiting the Russian market. Apparently, this doesn’t happen voluntarily and, above all, not as quickly as announced. After the media sector and the stock exchange, the western sanctions are now hitting the Russian IT industry with full force. With Cogent and Lumen, two of the top five international Internet carriers are in the process of cutting off their major customers in Russia one after the other. Market leader Rostelecom, all mobile phone companies and the Internet group Yandex are losing their strongest connections to the world. On Friday, the London Internet Exchange announced that Rostelecom traffic would no longer be routed. All of this is a first in the history of

Information Warfare

René Pfeiffer/ March 17, 2022/ Conference

[This is the March update from our DeepSec scuttlebutt mailing list. Subscribers received this article already.] Filling a blog with articles is both hard and very easy these days. In theory, information security is more present in the news than ever. In practice, you will find few articles with in-depth content. A few days ago I had a discussion with a friend about the many web pages with the title scheme “n reasons why something is great” or “k ways to do web application filtering”. We both agreed that the title is a definite warning not to read the article. Also, most articles just give you a brief introduction into a topic and suddenly end after a few paragraphs. The term clickbait comes to mind. A lot of publishing systems use fancy techniques to

Translated Article: CIA Data Mining in SWIFT Financial Data from Europe

Sanna/ March 2, 2022/ Stories

[Editor’s note: This article was translated before the invasion of Russian troops into Ukraine. It features SWIFT, and the discussed data mining methods still apply regardless of the sanctions.] Data-Mining der CIA in SWIFT-Finanzdaten aus Europa by Erich Moechel for fm4.orf.at Massive financial datasets are constantly being delivered from the EU to the US as part of the TFTP treaty against terrorist financing. The CIA receives this data. The fog is slowly clearing around the huge datasets in which the CIA claims to be data mining. The “foreign financial data platforms” from which the CIA “collects large amounts of structured financial data” to stop ISIS terrorist funding are the databases of payment processor SWIFT. Around 11,000 banks from 200 countries process their payment transactions via the SWIFT system, which currently processes around 40 million

To Join or not to Join a Cyberwar – Hacking Back and Hack Attacks

René Pfeiffer/ March 1, 2022/ Conference

The Russian invasion of Ukraine has put the digital sidelines into the spotlight. The world of cyber is part of conflicts, politics, and military operations. This has become very clear if you look for preparations of the current military actions in Ukraine. Information warfare most likely predates the tanks and missiles by years or even decades. This is not the focus of this article. There have been calls to attack networked targets in order to help. Is this a good idea? Let's see. Information warfare is one aspect of the digital domain. Then there are sabotage, disrupting networks, exploiting vulnerabilities, getting access to data, and many more aspects. Joining either side of a conflict is usually a bad idea. Everything starts with the targets. Who runs a system you have decided to attack? It's

Sven Guckes has died

René Pfeiffer/ February 23, 2022/ Conference

Sven Guckes has died. Sven was a constant companion of Free Software events throughout the years. He contributed to Free Software projects in many ways. He ceaselessly connected people by organising meetings in restaurants prior to, during, and after conferences. The command line was his home. He helped improve Vim configurations for countless persons and enabled them to use this editor more efficiently. Sven was session chair at past DeepSec conferences. We mourn his loss, and we fondly remember his contribution to transferring knowledge and experience between everyone he connected. Thanks, Sven! Others have published their thoughts about Sven. You can find the texts by using the following links:

Remember: Be More Like Sven
Sven Juckes passed away
Vim-Versteher und Kommandozeilenerklärer: Sven Guckes ist tot (German)
Vim 9 will be dedicated to Sven Guckes

DeepSec 2022 – Call for Papers is open

René Pfeiffer/ February 22, 2022/ Call for Papers

We have been busy behind the scenes, as always. The call for papers for DeepSec 2022 is open. We accept submissions for presentations and trainings. This also includes ROOTS 2022 and DeepINTEL 2022. The dates are the same as announced at the closing of DeepSec 2021.

DeepSec 2022 Trainings – 15 / 16 November 2022
DeepINTEL 2022 – 16 November 2022
DeepSec 2022 / ROOTS 2022 Conference – 17 / 18 November 2022

We ask all trainers to submit proposals for trainings as early as possible. We will select submitted trainings and publish a preliminary schedule in April. Hope to see you in November!