2308, 2021

DeepSec 2021 Training: How to Break and Secure Single Sign-On (OAuth and OpenID Connect) – Karsten Meyer zu Selhausen

Sanna/ August 23, 2021/ Training

Implementing single sign-on has huge benefits in general. It allows to design the registration and login process for users to be as simple as possible, and enables applications to be connected to social networks. Although OAuth and OpenID Connect are established as today’s common standards, serious attacks on them have been discovered within recent years. These attacks exploit the complexity of the underlying standards and implementation flaws, and allow attackers to authenticate themselves as arbitrary users or to access confidential user data. By doing so, attackers can potentially read, manipulate, or delete data of arbitrary users across these applications. Due to the critical role that single sign-on fulfills in applications nowadays, it is important to understand and address pitfalls when using OAuth and OpenID Connect. However, automatic security scanners are not able to properly

Read More

2208, 2021

Scuttlebutt – Summer in the city, reviews, and more security content

René Pfeiffer/ August 22, 2021/ Scuttlebutt

Dear readers, gossip has been a bit rare in the past weeks. This was because of the intense summer heat here in Vienna. The opposite of the chill factor made working in the hot city extremely difficult. Additionally, we tackled dealing with backend archaeology. A part of our internal application for managing the call for papers, the reviews, and the schedule celebrates its 10th birthday. I like code that runs smoothly despite platform updates, but now is the time for some changes. And no, we do not expose the code to the Internet. You can stop looking for it. 😉 We just finished the major part of reviews of the submissions. It always takes a while, given that we start with the final review in August. Contacting people during Summer adds extra round trip

Read More

2008, 2021

Breaking News: DeepSec preliminary Schedule available, some Reviews still continue, all Hardware & Software is still not completely safe to use

René Pfeiffer/ August 20, 2021/ Conference, Schedule

We confess. Our review cycle was interrupted by a week of holiday. Our team takes turns before the fourth wave breaks. We will keep watching the regulations for travel and our conference hotel. This being said, the schedule for DeepSec 2021 is ready and is published on our web site. 🥳 The contributions from our speakers and trainers look very promising. We tried to select the submissions according to a mix of technical details, academic research, ways to improve your defence, and details of attack techniques which might be deployed against your organisation. The trainings cover a wide range of topics from attacks on modern desktops app, fallacies of mobile networks, penetration testing of industrial control systems, breaking single sign-on systems, and dealing with threats and defence. We hope to offer you in-depth knowledge

Read More

0208, 2021

Thanks for your submission! We are working on final reviews.

René Pfeiffer/ August 2, 2021/ Conference

In the past months we kept blogging about various issues in information security and news regarding our event in November. The Summer months are hard on the process of following news with articles. A lot of things happen, and software still has security-relevant bugs. It’s just that fewer people (than usual) care. We care, and therefore we will complete the reviews of your submissions. The preliminary schedule will be published soon. Thanks for taking your time! We appreciate your contributions. You have made the reviews very hard, as every year. 😉 If you still have some ideas, feel free to submit them!

3007, 2021

DeepSec 2021 Press Release: Surveillance as Organized Crime – DeepSec Conference Criticizes Pegasus Spy Software as a legal Vacuum

Sanna/ July 30, 2021/ Conference, DeepIntel, Press

The information published by the Pegasus Project consortium on the systematic abuse of this monitoring software for smartphones clearly shows that rampant surveillance can hardly be distinguished from organized crime. Security experts are increasingly warning against the hoarding of unknown security vulnerabilities by companies that develop espionage products. Information security for society, authorities and the economy are incompatible with the existence of such tools. In addition, they represent a threat to the national security of every country. We can only maintain a real locational advantage for Europe through consistent IT security. Battle for Communication Content Since the first discussions about the availability of strong encryption for private individuals and companies, the security of digital communication has been hotly contested. In the 1990s, the US government wanted to enshrine access to messages and calls from

Read More

2707, 2021

Reminder +++ DeepSec and DeepINTEL 2021 Call for Papers +++ Reminder

René Pfeiffer/ July 27, 2021/ Conference

The call for papers of DeepSec and DeepINTEL 2021 have their first deadline on 31 July 2021. Use the remaining days to send us your idea for your presentation. We are interested in your research, your ideas, and your reports about new threats. If you can’t find the time for writing your submission in the scorching heat, let the Pegasus malware take care of your personal communication for a while. We passed on the opportunity to write about surveillance gone out of control, because we wrote about security failures regularly since 2007. That being said, the Pegasus malware is of course a hot topic for DeepINTEL. High-powered and unchecked surveillance software can do a lot of damage to businesses and national security. Code has a significant impact on society and politics alike. Let’s hear

Read More

2007, 2021

Secure Communication as an endangered Species

René Pfeiffer/ July 20, 2021/ Conference

Communication is a vital part of modern life and business processes around the world. The rise of the Internet has put sending and receiving information at the centre of most activities. Anyone who has access to personal messages can use them to a significant advantage. Messengers live on billions of smartphones around the world. A compromised telephone opens the door to a treasure trove of highly valuable data. Welcome to the world of information warfare! Repeatedly we issued press articles covering broken secure communication and backdoors to devices. The most recent publications cover the initiative of the German government for mandatory security vulnerabilities in digital infrastructure. Information security cannot distinguish between the purpose of how technology is used. Especially the integrity of computer systems is either preserved or destroyed. There is no middle ground.

Read More

1207, 2021

Translated Article: Germany becomes the Federal Trojan Republic

Sanna/ July 12, 2021/ Security, Stories

Deutschland wird zur Bundestrojanerrepublik by Erich Moechel for fm4.ORF.at All 19 secret services now have a license to use malware. IT security vulnerabilities can therefore be kept open, preventive cyber attacks are the best defense – security expert Manuel Atug on the new German “cybersecurity strategy.” Since Friday, the “Law to Adapt the Constitutional Protection Law” has been in force in Germany. All 19 federal and state secret services are now allowed to use Trojan malware. Another law is already in the Federal Council, which authorizes the police authorities to use Trojans even before a criminal offense has occurred. German police and customs authorities have had a legal license to distribute such malware since 2017. At the same time, a new cybersecurity strategy is being worked out which, among other things, stipulates that newly discovered security

Read More

0807, 2021

2021 – The Year of the Supply Chain

René Pfeiffer/ July 8, 2021/ Conference

Logistics and supplies are the fuel that keeps modern society rolling. The COVID-19 pandemic has shown that delivery of goods, medical supplies, and work place administration is a part of our daily lives. The container ship Ever Given blocking the Suez Canal serves as an illustration of how important these lifelines are. Even the digital world is based on supply chains. The computer you use receives updates regularly. Chances are high that you even have some data in online platforms (a.k.a. The Cloud™) somewhere. Thinking in terms of information security, these dependencies are a natural target for attackers. Swedish supermarket customers currently suffer from a digital attack on the US-American company Kaseya. The company develops software for managing IT infrastructure. The REvil malware hit them and disabled clients using the VSA remote managing software

Read More

0607, 2021

Reminder: DeepSec and DeepINTEL 2021 Call for Papers is still open!

René Pfeiffer/ July 6, 2021/ Conference

The year 2021 features some milestone anniversaries. Some of these anniversaries are tragedies. Others are milestones for change. A lot of them affect the world of information security. Technologies come and go, because more often than not we find better solutions. Implementations mature. Some don’t. So let’s take the anniversary of the RSA SecureID faux pas and combine it with the deleted tweet suggesting to replace TCP/IP with Something Based On Blockchain™. In order to grow and develop better applications, we should strife to improve how we approach the challenges of information security. Here is how we will do this. Read on. The DeepSec and DeepINTEL 2021 call for papers are still open. If you have in-depth content or have some observations to share, please submit your ideas! DeepSec is a 100% blockchain-free zone,

Read More

2106, 2021

Communiqué de Presse: Les Environnements de Bureau Modernes : Une Faille dans la Sécurité – La Conférence DeepSec propose des Formations et des Tests pour des Applications Sécurisées

Sanna/ June 21, 2021/ Conference, Press

Qu’est-ce qu’une application bureautique moderne a en commun avec un oléoduc en panne ? L’environnement de bureau qui a conduit à la catastrophe. Les interfaces utilisateur graphiques pour l’exploitation des ordinateurs remontent à des recherches menées dans les années 1960 et 1970. À l’époque, on réfléchissait à la manière dont les ordinateurs pourraient aider au mieux les gens. À partir des années 1990, le bureau est devenu un champ de bataille pour la domination du marché. Cela n’a pas changé, mais on retrouve désormais également des aspects liés à la sécurité. Après tout, l’environnement de bureau est souvent la première étape que les pirates informatiques franchissent pour accéder aux trésors numériques d’une entreprise. La conférence annuelle DeepSec propose aux professionnels de la sécurité et aux développeurs un cours intensif de deux jours consacré à la

Read More

1806, 2021

Deadline for Scholarship Program extended until 31 July 2021

René Pfeiffer/ June 18, 2021/ Conference

Being curious is the first step of answering a question. DeepSec has a long history of pushing the results of research on a public stage. Information security is a branch of computer science. Therefore, the scientific approach is the best way to tackle digital security. Past conferences have featured presentations about the work of dedicated groups of curious people. Now it’s your turn to get some extra support for your project. We have extended the deadline for the DeepSec scholarship program until the end of July 2021. We felt that having some extra time is never a bad idea. So if you have an idea for a research project, please let us know. Drop us an email or a message in a bottle.

1806, 2021

Press Release: Germany Stipulates Security Gaps by Law – DeepSec Conference Warns: Legal Anchoring of the State Trojans Destroys the Security of the Infrastructure.

Sanna/ June 18, 2021/ Conference, DeepIntel, Press

People on business trips are accustomed to take precautions against untrustworthy Internet access. Employees have been equipped with Virtual Private Network (VPN) technology in order to have secure access to company resources and internal systems. VPNs are also often used to circumvent the insecurity of the so-called last mile, i.e. the connection between your own computer and the actual systems on the Internet. The law, which was passed in the German Bundestag on June 10th, creates opportunities for the use of so-called State Trojans (term literally translated from the German Staatstrojaner, meaning a malicious piece of software provided and used by authorities). This institutionalizes security gaps so that state Trojans can be installed on end systems. The safe home office is a thing of the past. Comprehensive surveillance through digital intrusions The alterations to

Read More

1406, 2021

Communiqué de Presse: Menaces Actuelles sur les Réseaux Mobiles – La Conférence DeepSec sur la Sécurité propose une Formation à L’utilisation des Technologies Mobiles Actuelles

Sanna/ June 14, 2021/ Conference, Press

En 40 ans, la technologie des communications mobiles a connu un véritable essor. La disponibilité, la stabilité et les débits de données ont considérablement augmenté par rapport aux origines des réseaux 1G/2G. En revanche, la recherche sur la sécurité dans ce domaine n’a pas connu un succès comparable. Il existe encore des faiblesses et des lacunes en matière de sécurité de l’information. En 2007, la première conférence DeepSec a exposé les faiblesses du chiffrement A5. La conférence de cette année proposera donc à nouveau un atelier de deux jours sur la sécurité des technologies actuelles de communication mobile. La base de la société de communication De nombreuses commodités de la vie moderne seraient inconcevables sans les réseaux mobiles. L’Internet est presque toujours à notre disposition. La communication est également très facile en dehors des

Read More

0706, 2021

Communiqué de Presse: Attaques « low-tech »: Infrastructures Critiques mal Sécurisées – Les Attaques contre Colonial Pipeline reposaient sur des outils d’accès standard

Sanna/ June 7, 2021/ Conference, Press

En mai, l’entreprise américaine Colonial Pipeline a été victime d’une attaque par ransomware. Après de tels événements, il y a toujours une demande en sécurité accrue et en nouvelles mesures. Pourtant, l’analyse de ces attaques révèle souvent des lacunes dans la sécurité de base. Il n’est souvent pas nécessaire d’utiliser des outils compliqués et sophistiqués pour cibler des infrastructures critiques. Les attaquants aiment utiliser des outils standards, disponibles partout, pour éviter d’être détectés. Ceci est rendu possible par une sécurité de base insuffisante. Un camouflage adapté Pour défendre ses propres systèmes et réseaux, il est nécessaire de connaître en profondeur les particularités de son infrastructure. Les groupes organisés qui ciblent les entreprises recherchent exactement ce qu’utilise la cible avant d’attaquer. Suite à cette phase de planification, ils utilisent seulement des outils que la victime

Read More