DeepSec 2019 Talk: Saving Private Brian – Michael Burke

This talk will be given as the story of Brian, an aid worker operating in a hostile third country. When he was stopped going in at the border, he had his iPhone taken from him and returned 15 minutes later. Now he can’t be sure whether any malware was implanted on his device: malware that could compromise him, his organisation and anyone who co-operates with him. He needs his phone to do his work, but should he stop using it instead? Are all his contacts already compromised? Should he warn them, and should he use his phone to do so? And will he and his phone be tracked to any in-person meetings?

iOS malware is rare, advanced and difficult to detect when deployed. I will talk through the above scenario on the basis of the threats that exist, how iOS malware is implanted, what its capabilities are and how it can be detected simply and quickly in future. This will increase the safety and security of the workers we rely on to make the world a better place.

We asked Michael a few more questions about his talk.

Please tell us the top 5 facts about your talk.

It’s a growing (but niche) threat; this is a way to detect it that takes no technical skill on the part of the user; zero day exploits for iOS can sell for ~$1 million; it’s the first time I’ve given it; I’ll make it interesting!

How did you come up with it? Was there something like an initial spark that set your mind on creating this talk?

I came up with it reading about how sophisticated iOS zero days were being used against NGO workers, dissidents, journalists and other critical roles in our society. I thought that I could devise a new and easy method of detecting something that is very hard and normally involves digital forensic labs.

Why do you think this is an important topic?

Lawful and measured iOS malware implants by governments can be a valuable tool to fight crime and terrorism. There are times however that people’s lives may be put at risk from malware implanted on iPhones/iPads by rogue governments, organisations or individuals. I want to help people who are targeted by those bad actors go about their business with safety and security.

Is there something you want everybody to know – some good advice for our readers maybe?

Depending on what you are working on in security you may be more likely to be targeted by this type of attack – rare as they are – and just to be aware of that possibility and to take reasonable steps to prevent it (I’m sure as an industry professional you already update your phone soon after every OS release).

A prediction for the future – what do you think will be the next innovations or future downfalls when it comes to your field of expertise / the topic of your talk in particular?

I’m hoping that Checkm8/Checkra1n is released and stable by the time of my talk – it will make jailbreaking for iOS forensics much more interesting! I foresee more talks ahead…

I am Ireland’s most active digital forensic investigator working on a wide variety of cases for Grant Thornton but specialise in MacOS and iOS forensics.
I am an external expert for the EU in cybersecurity funding decisions.
I have lectured at third level, spoken at conferences and briefed the Irish national cybercrime unit on my research in digital forensics.
I hold Masters degrees in both Forensic Computing and International Security Studies.
I am a former member of the Irish national police service as well as a reformed member of the start-up world.

DeepSec 2019 Talk: Lost in (DevOps) Space – Practical Approach for “Lightway” Threat Modeling as a Code – Vitaly Davidoff

Threat Modeling is a main method to identify potential security weaknesses, and is an important part of any secure design. Threat Modeling provides a model to analyze how to best protect your assets, prevent attacks, harden your systems, and efficiently prioritize security investment. Regardless of programming language, Threat Modeling provides a far greater return than most other security techniques in the software development life cycle (SDLC) process. Therefore, Threat Modeling should be an early priority in the application design process. Unfortunately, it is common knowledge that building a full threat model is always heavily resource intensive, requires a full team of expensive security professionals, takes up far too much time, and is not scalable. This talk will describe modern Threat Modeling methodology and practices that can be fully incorporated into your existing agile process. We will discuss how to architect a robust Threat Modeling framework to be part of a Secure SDLC approach.

We asked Vitaly a few more questions about his talk.

Please tell us the top 5 facts about your talk.

Threat Modeling is a very important process, but not aligned with the Agile development process and DevOps paradigm. Security specialists do not scale enough and don’t have time to run Threat Modeling exercises for every new feature or change in design – as a result, in some cases we just skip Threat Modeling or do it partially. I’ll provide a practical solution to adopt this process into the software development life cycle. I’ll show you how we can use Threat Modeling outputs to automate security activities in the CI/CD pipeline.

How did you come up with it? Was there something like an initial spark that set your mind on creating this talk?

I wanted to share my experience running Threat Modeling exercises in global companies. I’ve learned that even security experts have a problem with building a mature Threat Modeling process and aligning it with current development strategies.

Why do you think this is an important topic?

Threat Modeling is the only way to identify potential threats and abuse-cases in design and define countermeasures. If we don’t have this process in place we lean on “intuitive” security. In this case we open a door for potential breaches and as a result, financial penalties and reputation loss.

Is there something you want everybody to know – some good advice for our readers maybe?

Threat Modeling process automation is a practical approach. I believe in “If it works for us – why can’t it work for you?” – This process is very important, but only a part of a full Threat Modeling process! Feature based questionnaires or diagrams will provide a first level for understanding the criticality and will be used as a base for an efficiently prioritized security investment in your project.

A prediction for the future – what do you think will be the next innovations or future downfalls when it comes to your field of expertise / the topic of your talk in particular?

I think we’ll see Risk Based Security Lifecycle Management systems/frameworks. At least two big vendors are working on this approach these days and I hope to see a holistic solution very soon (maybe next year … )


I have about 15+ years’ experience as a developer and more than 7 years in the application security field. Applications Products Security Expert at Citi Bank Innovations Lab TLV Israel. In this position I am responsible for providing Application Security solutions for many products, including analyzing security risks in multidisciplinary systems according to the customer system characterization, defining required security controls to handle identified security threats, performing code and design reviews, threat modelling and many other activities.

Certifications: CISSP, CSSLP

DeepSec 2019 Talk: Setting up an Opensource Threat Detection Program – Lance Buttars

Through the use of event detection monitoring and do-it-yourself monitoring techniques on a Linux Apache PHP MySQL stack, I will demonstrate how you can create different alarms and reporting surfaces that alert you when your application is being attacked. This case study will demonstrate the use of hacking tools as a defense strategy in a corporate network and will cover the story of the detection of insider threats from the internal application point of view. The entire presentation is a hands-on lab that can be used after the presentation as a guide for attendees to set up a Threat Detection program.
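The abstract talks about alarms that fire when the application is being attacked and about detecting insider activity from the application's own point of view. The following is an added illustration (not code from the talk or from Lance) of the simplest such alarm on a LAMP stack: scanning the Apache access log for hits on decoy URLs that no legitimate page links to, and for a canary value planted in a decoy database row. The log lines, the decoy paths and the canary token are all constructed for this example.

```python
import re
from datetime import datetime

# Constructed Apache combined-log lines (not real traffic). Only the first
# request is ordinary use; the other two should each raise an alert.
SAMPLE_LOG = """\
10.0.0.5 - alice [10/Nov/2019:13:55:36 +0100] "GET /index.php HTTP/1.1" 200 2326 "-" "Mozilla/5.0"
10.0.0.5 - alice [10/Nov/2019:13:56:01 +0100] "GET /backup/customers.sql HTTP/1.1" 404 153 "-" "Mozilla/5.0"
10.0.0.9 - - [10/Nov/2019:13:57:12 +0100] "GET /export.php?token=CANARY-7f3a HTTP/1.1" 200 5120 "-" "curl/7.64.0"
"""

# Decoy URLs that nothing in the real application links to (hypothetical names).
# The resource does not have to exist: a 404 on a decoy path is still a hit.
HONEYPOT_PATHS = {"/backup/customers.sql", "/admin-old/", "/.git/config"}

# Marker planted in a decoy database row (hypothetical value). If it shows up in a
# request, someone has read the decoy data and is acting on it.
CANARY_TOKENS = {"CANARY-7f3a"}

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+'
)


def parse_line(line: str):
    """Parse one combined-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    rec["path"] = rec["target"].split("?", 1)[0]   # strip the query string
    return rec


def detect(log_text: str) -> list:
    """Run the two decoy rules over a block of log text and return the alerts in order."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        base = {"ip": rec["ip"], "user": rec["user"],
                "target": rec["target"], "ts": rec["ts"].isoformat()}
        if rec["path"] in HONEYPOT_PATHS:
            alerts.append({"rule": "honeypot_path", **base})
        for token in CANARY_TOKENS:
            if token in rec["target"]:
                alerts.append({"rule": "canary_token", "token": token, **base})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Both rules are deliberately free of thresholds: a decoy path or a canary value has no legitimate reason to appear in traffic at all, so a single hit is enough to page someone, and the authenticated user name in the log line is what turns a generic alert into an insider lead.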

We asked Lance a few more questions about his talk.

Please tell us the top 5 facts about your talk.

  • The talk covers ways of discovering insider threats.
  • It’s a starting point for understanding how honey pots work.
  • It’s a great way to go beyond standard threat detection.
  • It’s meant for IT personnel who have zero to no budget.
  • It’s designed to be a hands-on lab.

How did you come up with it? Was there something like an initial spark that set your mind on creating this talk?

I came up with this talk because I wanted to see what I could do using open source tools and techniques when it came to threat detection inside a production environment. My goal was to create a framework for detecting insider threats that would alert me when the system became compromised, or data was leaving my environment.

Why do you think this is an important topic?

I think this topic is essential because a lot of IT shops have limited funding and resources, and the talk guides you through setting up simple, easy to use threat detection techniques to help jump-start a threat detection program.

Is there something you want everybody to know – some good advice for our readers, maybe?

The presentation will be made available after the talk and should provide a type of guide for doing the techniques I will discuss at the presentation.

A prediction for the future – what do you think will be the next innovations or future downfalls when it comes to your field of expertise / the topic of your talk in particular?

I imagine that threat detection will become more standard, and hopefully, more open source tools will be created to help address the need for better threat detection beyond standard IDS / WAF.


Lance works as a software engineer in the payment industry developing software that transfers money between banking systems. He is a founding member of 801 Labs, a hackerspace located in Salt Lake City, and is an active member of his local Defcon group DC801. Lance has a BS in Computer Science and a Master’s Degree in Cybersecurity and Info Assurance.

DeepSec 2019 Talk: Oh! Auth: Implementation Pitfalls of OAuth 2.0 & the Auth Providers Who Have Fell in It – Samit Anwer

Since the beginning of distributed personal computer networks, one of the toughest problems has been to provide a seamless and secure SSO experience between unrelated servers/services. OAuth is an open protocol to allow secure authorization in a standard method from web, mobile and desktop applications. The OAuth 2.0 authorization framework enables third-party applications to obtain discretionary access to a web service. Built on top of OAuth 2, OpenID Connect is a helpful “identity layer” that provides developers with a framework to build functional and secure authentication systems. OpenID Connect can perform identity authorization and provide basic profile information for different clients, from web and mobile apps to JavaScript clients.

In this race of providing OAuth/OpenID Connect based access to assets, authorization service providers have been forced to release half-baked solutions in the wild, because of which relying parties and users face a myriad of issues ranging from authorization code compromise (unauthorized resource access) to account takeovers.

The key to adding authorization or Single Sign-On (SSO) measures to your app is to ensure you are balancing security with usability. Developers likely make trade-offs when making decisions about specific implementation – and there are a lot of decisions to make. Developers still want to double down on security to avoid flaws in 2.0, paying attention to things like session management, encryption/obfuscation of stored data and IDs, and securing the source code of an app.

In this work we will discuss common malpractices that relying party devs perform when implementing OAuth/OpenID based relying party solutions. However, not all is in the hands of relying party developers; the authorization service providers have a big role to play as well.

There are mainly 4 entities involved in a typical OAuth setup: relying party/client, user/resource owner, resource provider, and authorization server. In this work, we discuss the goof-ups that each of these entities can introduce with special focus on vulnerabilities that the authorization server can introduce.

The highlight: We present our case study on OAuth authorization providers and detail the issues we found in their solutions. This includes a vulnerability in Microsoft’s authorization server: as can be seen in the PoC video, the auth code can be replayed to generate fresh access tokens and id tokens. Moreover, the code verifier is not being validated, which can lead to a compromise of the access/id tokens on native apps which use Microsoft’s identity provider.
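The two defects named above, a replayable authorization code and an unchecked PKCE code verifier, are both failures of the token endpoint. The following added example (written for this page, not the speaker's code and not Microsoft's implementation) is a minimal in-memory authorization server showing the checks that close both gaps: the S256 challenge/verifier comparison from RFC 7636, single-use codes with revocation of already-issued tokens on replay as RFC 6749 section 4.1.2 requires, plus the expiry and client/redirect binding that belong next to them. The client name and redirect URI are placeholders.

```python
import base64
import hashlib
import hmac
import secrets
import time


def s256_challenge(code_verifier: str) -> str:
    """RFC 7636: code_challenge = BASE64URL(SHA256(ASCII(code_verifier))), unpadded."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def _error(code: str, description: str) -> dict:
    # Shape of an RFC 6749 token-endpoint error response body.
    return {"error": code, "error_description": description}


class AuthorizationServer:
    """Toy authorization server: authorization endpoint + token endpoint, in memory."""

    def __init__(self, code_lifetime_s: int = 600):
        self._codes = {}    # authorization code -> record
        self._tokens = {}   # access token -> authorization code it was minted from
        self.code_lifetime_s = code_lifetime_s

    def authorize(self, client_id: str, redirect_uri: str,
                  code_challenge: str, code_challenge_method: str = "S256") -> str:
        """Authorization endpoint: bind the client's PKCE challenge to a fresh code."""
        if code_challenge_method != "S256":
            raise ValueError("only S256 is accepted; 'plain' hands an interceptor the verifier")
        code = secrets.token_urlsafe(32)
        self._codes[code] = {"client_id": client_id, "redirect_uri": redirect_uri,
                             "challenge": code_challenge, "issued": time.time(),
                             "used": False}
        return code

    def token(self, code: str, client_id: str, redirect_uri: str, code_verifier: str) -> dict:
        """Token endpoint: every check below must pass before any token is minted."""
        rec = self._codes.get(code)
        if rec is None:
            return _error("invalid_grant", "unknown authorization code")
        if rec["used"]:
            # Replay: deny, and revoke tokens already minted from this code (RFC 6749 4.1.2).
            for tok, src in list(self._tokens.items()):
                if src == code:
                    del self._tokens[tok]
            return _error("invalid_grant", "code already redeemed; derived tokens revoked")
        if time.time() - rec["issued"] > self.code_lifetime_s:
            return _error("invalid_grant", "authorization code expired")
        if rec["client_id"] != client_id or rec["redirect_uri"] != redirect_uri:
            return _error("invalid_grant", "client_id or redirect_uri mismatch")
        if not 43 <= len(code_verifier) <= 128:
            return _error("invalid_request", "code_verifier length outside RFC 7636 range")
        # Constant-time compare of the recomputed challenge against the stored one.
        if not hmac.compare_digest(s256_challenge(code_verifier), rec["challenge"]):
            return _error("invalid_grant", "code_verifier does not match code_challenge")
        rec["used"] = True
        access_token = secrets.token_urlsafe(32)
        self._tokens[access_token] = code
        return {"access_token": access_token, "token_type": "Bearer", "expires_in": 3600}

    def is_valid_token(self, access_token: str) -> bool:
        return access_token in self._tokens


def demo() -> dict:
    """Legitimate exchange, then a replay of the same code, then a wrong verifier."""
    srv = AuthorizationServer()
    client, cb = "native-app", "com.example.app://callback"   # hypothetical client
    verifier = secrets.token_urlsafe(48)                        # 64 chars, inside 43..128
    code = srv.authorize(client, cb, s256_challenge(verifier))
    first = srv.token(code, client, cb, verifier)
    replay = srv.token(code, client, cb, verifier)              # same code again
    code2 = srv.authorize(client, cb, s256_challenge(verifier))
    wrong = srv.token(code2, client, cb, "x" * 43)              # verifier of an interceptor
    return {"first_ok": "access_token" in first,
            "replay_error": replay.get("error"),
            "first_token_still_valid": srv.is_valid_token(first.get("access_token", "")),
            "wrong_verifier_error": wrong.get("error")}


if __name__ == "__main__":
    print(demo())
```

The order of the checks matters: the replay test runs before the verifier test so that a second redemption is refused and its earlier tokens revoked even when the replaying party also holds the correct verifier, which is exactly the situation a leaked code plus leaked verifier on a native app produces.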

We asked Samit a few more questions about his talk.

Please tell us the top 5 facts about your talk.

  1. OAuth is an open standard for token based delegated access. It is widely used across platforms and is customizable to a great extent. In this talk we will learn what OAuth is and what it brings to the table. We will go over various grants OAuth offers and identify which one to use when.
  2. The talk also focuses on the security aspects of the protocol and highlights common implementation mistakes made by Client app/relying party and authorization server devs.
  3. In the talk I will be discussing some attacks on OAuth as a result of these mistakes and their mitigation as well.
  4. The talk will cover a demo of a vulnerability I found in Microsoft’s Identity server which results in the attacker gaining access to the victim’s resources for as long as s/he likes.
  5. The talk also covers some best practices to reduce damage if access tokens/auth codes leak in order to facilitate defence in depth.

How did you come up with it? Was there something like an initial spark that set your mind on creating this talk?

The spark was a vulnerability I found with Microsoft’s Identity Provider, which had a faulty PKCE implementation because of which the attacker could get lifelong access to a victim’s resources.

Why do you think this is an important topic?

OAuth is widely used by all platforms including web, desktop and native apps. Its security is a common concern for devs of auth servers, relying parties and end users. This makes it a very suitable and interesting topic to discuss.

Is there something you want everybody to know – some good advice for our readers maybe?

The talk will provide a good overview of OAuth from the need of it to various attacks observed in the wild. For anyone looking to implement or adopt OAuth this is definitely a must attend.

A prediction for the future – what do you think will be the next innovations or future downfalls when it comes to your field of expertise / the topic of your talk in particular?

A lot of work is happening with regards to doubling up on security for OAuth by weaving more layers into the basic OAuth mechanism. Token binding, PKCE and Claimed HTTPS scheme URI redirections are some examples. In the future I would expect some innovative attacks coming forth to counter these defenses.

Samit Anwer is a Web and Mobile Application security researcher. He joined Citrix as Security Engineer soon after completing his Master’s degree from IIIT Delhi in Mobile and Ubiquitous Computing in 2015. He is actively involved with vulnerability research in Web/Mobile apps and has responsibly disclosed several security vulnerabilities with Google Cloud Print API, XSS filter evasion on IE 11/MS Edge, code execution on Microsoft Windows 10, Microsoft’s OAuth 2.0 implementation and buffer overflows on MS Edge/IE 11.

He is an active member of the Null Bangalore Chapter, IEEE community and has spoken on various security topics at the following venues: DEFCON China, Beijing (2018), BlackHat Asia, Singapore (2018), AppSec USA, Orlando (2017), CodeBlue, Tokyo (2017), c0c0n X, Kerala (2017) and Null meets (2015, 2016, 2017, 2018).

His technical interests lie in using static program analysis techniques to mitigate security and performance issues on mobile/web apps, breaking web/mobile apps, and researching on cutting edge authentication and authorization mechanisms.

DeepSec 2019 Talk: Still Secure. We Empower What We Harden Because We Can Conceal – Yury Chemerkin

The launch of Windows 10 has brought many controversial discussions around the privacy factor of collecting and transmitting user data to Microsoft and its partners. But Microsoft was not the first, Apple did it many years ago and there was no public research on how much data were leaked out from MacOS. There is a statement in the Privacy Policy written by Apple: “Your device will keep track of places you have recently been, as well as how often and when you visited them, in order to learn places that are significant to you, to provide you with personalized services, such as predictive traffic routing, and to build better Photos Memories… ‘Everything’ stores in iCloud service”.

Both cases are the same, designed in the same manner and driven by a similar idea to simplify device usage. It went even further with iOS and Android OS. Eventually, Microsoft and Apple have boldly described their OS as “the most secure OS ever.”

This research is based on three things: data leaks, hardening, and forensics.

Combining data leaks and hardening gives a data set with a goal and a vision of how to protect a system and make your use cases transparent. Forensics gives us excellent knowledge about valuable device security settings. Empowering the hardening with these anti-forensics techniques, in terms of ‘anti-forensics hardening’ of a system, makes it transparent what, when and why the whole device or its parts can or cannot be accessed. To be entirely sure that all insecure gaps are closed and to verify how secure your system is, there is the option to rely on penetration testing additionally. Furthermore, we will talk about which insecure services are used to receive tracking data from your system, and which of them can be blocked without breaking the system and user use cases.


This talk will systematically review:

  • Pentesting to fix gaps in security & privacy: what tools to use, why you should perform pentesting, and how to read and use a security report.
  • Content filtering: mapping rogue sites, analytics and tracking services into granular activities to leverage privacy risks.
  • Easy exploitation & post-exploitation: limits of AV solutions, the risk of one vs. many browsers, add-ons & firewalls.
  • Host & on-host network activity monitoring: disassembling features of big enterprise solutions into lightweight tools and bringing them to home users and small companies.
  • Data protection: the security & privacy features hidden across different OS editions and builds, plus overlapping features & dependencies.
  • On the way to dedicated and centrally manageable solutions: pentesting of dedicated solutions, automating security, whitelisting (native vs. vendor vs. third-party tools).
  • Profiling and use cases: the future of forensically protected OS & devices.

We asked Yury a few more questions about his talk.

Please tell us the top 5 facts about your talk.

  • The way how data is transferred directly strongly indicates the way how it is stored on servers
  • Dedicated (self-hosted) solutions prevent a data leakage if you don’t forget to harden your security
  • Forensic solutions give us excellent knowledge about valuable device security settings.
  • Forensic solutions have a hidden love for leaked data sets (with credentials, travel routes, etc.)
  • A real experiment with forensic solutions reveals many unexpected things, especially when it fails to break your security

How did you come up with it? Was there something like an initial spark that set your mind on creating this talk?

Experience in any field is like money-making in your life. At the beginning of a secure life, you have to use cheaper solutions to learn about their substantial background. Doing research gives you knowledge of why this feature is here, why this protection technique works or doesn’t work, and whether there is a correlation between them. Growing up, you tend to add one solution to another to increase your security level and reduce risk until you finish with almost all of them on your servers. Somewhere here, you continue to use cloud solutions, but you’re focused on reducing non-protected data sets and risk levels. Continuing to research, you consider your risk level from a time viewpoint: each activity is bound to a time-frame when it actively and passively exists. If everything is supposed to be secure, then daily use cases have a reduced risk level whatever you’re doing.

Why do you think this is an important topic?

This topic is aimed to show several things:

  • how to read security bulletins (patch notes, etc.) and release notes of breaking tools
  • how to shift the focus from daily software to forensic ones
  • whether it makes sense to stay in the cloud or it is better to move on to self-hosted solutions
  • the difference between tools that bring security and tools that break security in the most real field: forensics vs. security

Is there something you want everybody to know – some good advice for our readers, maybe?

Many articles claim that forensic solutions are perfect in extracting your data and breaking into a system. Even though they are highly effective solutions, they fail when you’re ‘out of the box’ and have uncommon solutions or popular software & hardware that haven’t been supported for many years by forensic solutions.

A prediction for the future – what do you think will be the next innovations or future downfalls when it comes to your field of expertise / the topic of your talk in particular?

I expect a lack of support for many applications and software solutions everyone uses daily, and a little shift to several self-hosted solutions, which have become a bit popular. Also, the biggest issue in security now and in the future are services that cannot be limited in the amount of data they store, like goods sellers, travel, and any healthy-ish and sport-ish apps; securing these data sets will be a new challenge.


Yury Chemerkin has ten years of experience in information security. He is a multi-skilled security expert on security & compliance and mainly focused on privacy and leakage showdown. Key activity fields are EMM and Mobile Computing, IAM, Cloud Computing, Forensics & Compliance. He’s published many papers on mobile and cloud security, and speaks regularly at conferences such as CyberCrimeForum, DefCamp, HackerHalted, NullCon, OWASP, CONFidence, Hacktivity, Hackfest, DeepSec Intelligence, HackMiami, NotaCon, BalcCon, Intelligence Sec, InfoSec NetSysAdmins, RootCon, PHDays, etc.

DeepSec 2019 Talk: Chinese Police and CloudPets – Abraham Aranguren

[In our Call for Papers we mentioned that DeepSec and specifically DeepINTEL will have a connection to geopolitics. Well, the following description of a presentation at DeepSec gives you an idea of what we meant.]

This talk is a summary of three different security audits with an interesting background:

First, CloudPets, their epic track record, what we found and what happened afterwards.
Next, two mobile apps by Chinese Police: “BXAQ” and “IJOP”, both related to surveillance of ethnic minorities, but in different ways. Stay tuned.

Part 1: CloudPets

Wouldn’t it be cool, for a parent far from home, to be able to record a voice message with their phone and make the sound come out of a soft toy that children can hug? That’s the idea of CloudPets. Children can even respond directly from the soft toy and communicate with their parents. What could possibly go wrong? Let your imagination go wild and you will still fall short 🙂

Database dumps, blackmailing, ransoms, millions of people affected, our findings and other intrigues, not to be missed!

Part 2: Chinese Police

This part talks about two mobile surveillance apps that Chinese authorities employ to spy on the Muslim minorities of China’s Xinjiang region, the applications: “IJOP” and “BXAQ”. These audits were sponsored by Human Rights Watch (HRW) and the Open Technology Fund (OTF). The Chinese government faced international criticism when the results of these audits became public.

While the audits focused on evidence gathering of the surveillance activities, which will be covered in this talk, we will also discuss some interesting vulnerabilities that we found along the way and which were not the focus of the audit itself. Also, for those interested in learning about mobile security we will talk about the challenges faced with these apps and how we overcame them.

This talk will be an interesting learning experience as it combines technical security vulnerabilities with political and commercial background implications.


After 13 years in ITsec and 20 in IT Abraham is now the CEO of 7ASecurity, a company specializing in penetration testing of web/mobile apps, infrastructure, code reviews and training. Former senior penetration tester / team lead at Cure53 and Version 1. Creator of “Practical Web Defense” – a hands-on eLearn security attack / defense course, OWASP OWTF project leader of an OWASP flagship project, major degree and diploma in Computer Science, some certs: CISSP, OSCP, GWEB, OSWP, CPTS, CEH, MCSE:Security, MCSA:Security, Security+. As a shell scripting fan trained by unix dinosaurs, Abraham wears a proud manly beard. He writes on Twitter as @7asecurity @7a_ @owtfp or Some presentations, pentest reports and recordings can be found at

Scheduled Maintenance for Web Site and Blog

Today there will be an interruption of power supply and network connectivity. The systems affected are our web site and our blog. While the downtime is scheduled and part of our maintenance, the reason for the downtime was not. It has to do with rain, pipes, and queues. To quote Marcus Ranum:

As security or firewall administrators, we’ve got basically the same concerns [as plumbers]: the size of the pipe, the contents of the pipe, making sure the correct traffic is in the correct pipes, and keeping the pipes from splitting and leaking all over the place. Of course, like plumbers, when the pipes do leak, we’re the ones responsible for cleaning up the mess, and we’re the ones who come up smelling awful.

Rain, gravitation, the size of pipes, and sediments came to visit our office a few months ago. Today we will put some serious firewalling in place in order to be on the safe side when it comes to our computing equipment. 🌧 🔌 😎

We’ll be right back after the break.

DeepSec 2019 Talk: Comparing GnuPG With Signal is like Comparing Apples with Smart Light Bulbs – Hans Freitag

GnuPG is not designed to be used only in E-Mail, it plays an important role in securing all sorts of mission critical data. In this talk I will show you applications of GnuPG that are not E-Mail or Instant Messaging.

We asked Hans a few more questions about his talk.

Please tell us the top 5 facts about your talk.

  • GnuPG is free software that can be used to encrypt and sign data.
  • Signal is not free software but may be used to communicate with others.
  • You can’t compare apples with pears.
  • In German the term glowing pear is used for light bulb.
  • My Key ID is: 1553A52AE25725279D8A499175E880E6DC59190F

How did you come up with it? Was there something like an initial spark that set your mind on creating this talk?

I browsed the news and came across an article saying “We found a bug in an E-Mail program accidentally displaying unencrypted data as encrypted data and therefore you should ditch the use of GnuPG immediately and use Signal instead!” Spoiler Alert: It does not work!

Why do you think this is an important topic?

GnuPG is the tool on which almost all open source software relies when delivering software to customers. It is embedded in almost any open software and even usable from Android phones.

Is there something you want everybody to know – some good advice for our readers maybe?

Be nice to each other. Protect private data. Respect others.

A prediction for the future – what do you think will be the next innovations or future downfalls when it comes to your field of expertise / the topic of your talk in particular?

The next innovation might be a better user interface with sane defaults for GnuPG keys. Also getting GnuPG support for user keys and smart cards into the OS at installation level is important.

I would love to see GnuPG available in company infrastructure. I believe this would boost usage a lot, as it means that confidential data can be stored end to end encrypted and signed on the servers with the push of a button.

Born in Celle, Germany in 1980.
Found out about Open Source around 1997.
Attended the first Chaos Communication Congress in 1999.
Self employed as consultant and developer since 2001.
CEO/CTO and owner of Conesphere GmbH since 2017.

DeepSec 2019 Training: Threat Hunting with OSSEC – Xavier Mertens

OSSEC is sometimes described as a low-cost log management solution but it has many interesting features which, when combined with external sources of information, may help in hunting for suspicious activity occurring on your servers and end-points.

During this training, you will learn the basics of OSSEC and its components, how to deploy it and quickly get results. The second part will focus on the deployment of specific rules to catch suspicious activities. From an input point of view, we will see how easy it is to learn new log formats to increase the detection scope and, from an output point of view, how we can generate alerts by interconnecting OSSEC with other tools like MISP, TheHive or an ELK Stack / Splunk / … and add more contextual content with OSINT feeds.

We asked Xavier a few more questions about his talk.

Please tell us the top 5 facts about your training.

  1. It’s critical for organizations to be aware of what’s happening on their networks.
  2. The idea is to use information present on the Internet to increase the detection rates.
  3. Security controls can be implemented with free tools.
  4. The training has many labs and students will practice.
  5. The goal is to open the students’ eyes and make them have ideas to implement on their side.

How did you come up with it? Was there something like an initial spark that set your mind on creating this training?

I’ve been a big fan of OSSEC for years and already blogged a lot about it. I participated in the project (f.ex. I wrote the initial GeoIP support).
And, of course, I’m using it daily to monitor my infrastructure. Many (small) organizations do not have resources to implement, or seem afraid to deploy, solutions like OSSEC. I think it was time to wrap up all this content and provide it as a training.

Why do you think this is an important topic?

Despite the fact that we deploy more and more security controls at our network boundaries, we still see compromised hosts, data leaks, etc. Keeping an eye on events is key to detect all suspicious activity as soon as possible.

Is there something you want everybody to know – some good advice for our readers maybe?

Sharing and integration of tools are a key point. Each of them has interesting data that can be reused by other tools to improve detection capabilities. The training could be interesting for Blue Team people or system/security engineers. Investing in tools like OSSEC will also raise your overall protection and, in case of an incident, you will already have some data to analyze.

A prediction for the future – what do you think will be the next innovations or future downfalls when it comes to your field of expertise / the topic of your training in particular?

The problem with many organizations today: the business is running so fast that they can’t keep control of what’s deployed in their infrastructure. They lose the knowledge of what’s important. This is a key requirement to better protect yourself. With tools like OSSEC, you can at least collect information from your hosts and granularly implement controls to detect / block bad guys at an early stage.


Xavier Mertens is a freelance cyber security consultant based in Belgium. His daily job focuses on protecting his customers’ assets by applying “defensive” security (incident handling, forensics, log management, SIEM, security visualisation, OSINT) but also “offensive” security (pentesting). However, his preferred domain is playing on the Blue Team side. Besides his daily job, Xavier is also a security blogger, a SANS Internet Storm Center handler and co-organizer of the BruCON security conference.

DeepSec 2019 Training: Pentesting Industrial Control Systems – Arnaud Soullie

In this intense two day training at DeepSec, you will learn everything you need to start pentesting Industrial Control Networks [also called Industrial Control Systems (ICS)].

We will cover the basics to help you understand the most common ICS vulnerabilities. We will then spend some time learning about and exploiting Windows & Active Directory weaknesses, as most ICS are controlled by Windows systems. And we will cover the most common ICS protocols (Modbus, S7, Profinet, Ethernet/IP, DNP3, OPC…), analyze packet captures and learn how to use these protocols to talk to Programmable Logic Controllers (PLCs). You will learn how to program a PLC, to better understand how to exploit them.

The training will end with an afternoon dedicated to a challenging hands-on exercise: the first Capture The Flag (CTF) in which you capture a real flag! Using your newly acquired skills, you will try to compromise a Windows Active Directory, then pivot to an ICS setup to take control of a model train and robotic arms.

We asked Arnaud a few more questions about his training.


Please tell us the top 5 facts about your training.

  • Industrial Control systems are everywhere
  • They are mostly insecure…
  • …and it is not really getting better…
  • You need to understand these specific systems if you want to hack into ICS
  • Understanding how to hack things is a great way to understand how to secure them

How did you come up with it? Was there something like an initial spark that set your mind on creating this training?

There are very few ICS security trainings at the moment, and they are mostly focused on defense and threat hunting. I strongly believe that it is valuable to have a pragmatic vision of offence to be better at defence, that is why I created this pentesting ICS training!

I also wanted people to work on realistic scenarios, that’s why the training ends with a half-day dedicated to a Capture-the-Flag using real ICS devices.

Why do you think this is an important topic?

We do not realize it, but Industrial Control Systems are everywhere, from your built-in heating system to nuclear power plants. Almost all critical infrastructures, vital for the countries, rely somehow on ICS.

The security level of these networks and components is still very low, despite awareness slowly rising over the past few years, so we need your help to assess and secure it!

Is there something you want everybody to know – some good advice for our readers maybe?

Please do not succumb to the hype. Start with the basics, build a security culture with people from operations. This new appliance is probably not gonna save you 😉

A prediction for the future – what do you think will be the next innovations or future downfalls when it comes to your field of expertise / the topic of your training in particular?

All industries already perform extensive risk management, let’s help them include cybersecurity threats and I’m sure the security level will improve.

Arnaud Soullié (@arnaudsoullie) is a manager at Wavestone. For 9 years, he has been performing security audits and pentests on all types of targets. He specializes in Industrial Control Systems and Active Directory security. He has spoken at numerous security conferences on ICS topics: BlackHat Europe, BruCon, 4SICS, BSides Las Vegas, DEFCON…
He is also the creator of the DYODE project, an open-source data diode aimed at ICS.

Threats and Solutions for Supply Chain Attacks in IT – DeepSec conference sheds light on the concatenated logistics of information technology.

On the web you can find videos of very sophisticated constructions of many dominoes. If you knock over one domino, a whole cascade of breathtaking actions follows. The domino effect in your own IT infrastructure is much less entertaining. Even there, everything usually begins harmlessly with a small action – reading a message, forwarding a document, accessing a web server or receiving a short message from a supposed employee. It becomes particularly exciting when the dominoes are your own suppliers and business partners. This year’s DeepSec Security Conference offers rich content to analyze the interwoven situation of today’s companies and organizations.

In networks you need to trust

In theory, there is always an outside and an inside: doors, network filters, access controls, and so on. Data management knows this approach. In all IT architectures, therefore, a division always takes place, which ultimately also maps the security zones. Outside often means untrustworthy. Once data, persons or activities have passed a series of security checks, they are considered trustworthy. This status often remains unchanged because no further, or at least fewer, checks are performed afterwards. Trust spreads. If you combine these elements through business relationships, you build your own street of dominoes. The more complex the processes, the more stones are on the table. A mix of service providers and outsourcing multiplies the danger. Attackers now only have to pick the right domino to collapse the whole set-up.

In the past 12 months, several attacks on suppliers affected the European aviation group Airbus. The group was attacked via smaller companies, apparently exploiting the relationship of trust. Security measures are not equal or the same in every company simply because of the different budgets in organizations. But size can also be deceiving, because the mere presence of data on a cloud platform doesn’t say anything about security. Business life is thus dominated by domino chains, at least from the point of view of information security.

Overview beats size of an organization

No hasty conclusions about supply chains and their importance for security should be drawn now, even if conclusions based on incomplete knowledge are currently fashionable. The size of a company or its budget for security is no guarantee against incidents. Of course, attackers always try to take the most efficient route to reach their destination. With smaller companies, there are many more ways to push the button. The best countermeasure is to clarify your own dependencies and to have a very good eye on them. As mentioned at the beginning, it is not possible to work without trust. Nevertheless, one should start with as few unaudited assumptions as possible when it comes to internal and external trust relationships.

This is why November’s DeepSec IT Security Conference offers a range of training sessions and lectures to help you better understand your own dominoes. The two-day trainings specifically teach how to deal with threats. In his training, Xavier Mertens demonstrates how to recognize threats by analyzing freely available data, how to isolate them and how to come up with results. In the technical training of Davy Douhine and Guillaume Lopes, mobile devices, and in Dawid Czagan’s training, modern web applications are disassembled into their logical components from the point of view of information security. Both technologies are part of all domino chains in all sectors of the economy.

Lior Yaari’s device development training for the Internet of Things (IoT) is about pitfalls in product development and testing of IoT components. Arnaud Soullié teaches about weaknesses of Industrial Control Systems, which can be found in industrial plants throughout Europe and around the world. Peter Manev and Eric Leblond provide their expertise in network intrusion analysis in their training. Both are renowned experts who have been analyzing and detecting traces of attacks and anomalies in data transfers for more than 10 years.

And last but not least, Thomas Fischer and Craig Jones offer their practical experience in dealing with the most important steps in an emergency when a group of attackers has already set foot in your own infrastructure – or that of your supplier. Their training is focused on measures of information gathering, the finding of weak points in your own infrastructure, the course of the break-in and the detection of its traces.

Courage for technical understanding is essential

IT security, like information technology itself, struggles with the complexity of the hardware and software used. When collecting the necessary experience and learning the necessary knowledge, the underlying technical relationships are unfortunately often omitted. However, these are an important tool to be able to correctly assess the technologies used in your own company and among your partners. Today, you may not know exactly why a plane flies and how a car drives, but an examination of the respective topics inevitably requires knowledge of the technology. For this reason, the DeepSec conference has been titled In-Depth Security Conference since its founding, because security is always about details, never superficialities. The DeepSec conference attaches great importance to the expertise of trainers and lecturers, and it also supports research and teaching in order to provide new insights to the business community. Take the opportunity and don’t be a domino.

Programs and booking

The DeepSec 2019 conference takes place on 28 and 29 November. The DeepSec trainings will take place on the two previous days, the 26th and 27th of November.

The venue of the DeepSec event is The Imperial Riding School Vienna – A Renaissance Hotel, Ungargasse 60, 1030 Vienna.

Tickets for the DeepSec conference itself and the trainings can be ordered at any time at

DeepSec 2019 Training: Mobile Hacking – Davy Douhine and Guillaume Lopes

Guillaume Lopes and Davy Douhine, senior pentesters, will share many techniques, tips and tricks with pentesters, bug bounty researchers or just the curious in a 100% “hands-on” training.

Their goal is to introduce tools (Adb, Apktool, Jadx, Androguard, Cycript, Drozer, Frida, Hopper, Needle, MobSF, etc.) and techniques to help you work faster and more efficiently in the mobile ecosystem. This is exactly the training that you would have liked to have before wasting your precious time trying and failing while testing.

Two days based mainly on practical exercises:
– Day 1: Android Hacking
– Day 2: iOS Hacking

Main topics of the training are based on the fresh OWASP MSTG (Mobile Security Testing Guide):
– Review the codebase of a mobile app (aka static analysis)
– Run the app on a rooted device (to check data security issues)
– Inspect the app via instrumentation and manipulate the runtime (aka runtime analysis)
– MiTM all the network communications (aka inspect the traffic)

A VM will be provided to the attendees with the pre-installed tools to cover most of the labs.

We asked Davy and Guillaume a few more questions about their training.

Please tell us the top 5 facts about your training.

1. It’s a hands-on training! Less talk and more exercises.
2. The goal is to learn techniques that you can apply in real use cases.
3. There is content for 3 days so attendees will have exercises to do later if they want to go deeper
4. We’ll provide a VM set up with essential tools to assess the security of Android and iOS mobile apps
5. iOS exercises are based on the famous Corellium virtualization solution

How did you come up with it? Was there something like an initial spark that set your mind on creating this talk / course?

We started to introduce mobile hacking training as a chapter of our Advanced Pentesting workshop given at DeepSec last year. Then we made a full training focused on this subject and gave it privately and at Hack In Paris in 2019.

Why do you think this is an important topic?

Mobile Security Testing is quite a recent subject in the very broad security testing field, and the increase in mobile usage will accelerate the need for security testers, but also for makers, to shift towards this subject. Mobile risks are slightly different from traditional IT risks, and a mobile ecosystem implies a completely different set of tools and techniques to be correctly tested.

Is there something you want everybody to know – some good advice for our readers maybe?

Unfortunately during the last years testers and makers had to struggle to find fresh and usable information. As a result, when dealing with mobile pentests, testers often focus on an extremely narrow spectrum of what could be really tested: they launched BurpSuite or ZAP (hoping that the app they assessed didn’t use certificate pinning) and analyzed the network communications and the distant API. But there’s also hope: one year ago the OWASP foundation disclosed the first official version of the OWASP Mobile Security Testing Guide. Clearly a game changer, this guide, released together with the Mobile AppSec Verification Standard and a checklist, has instantly become a reference by giving -for free- a step by step cookbook to help people check each important corner in mobile apps.

A prediction for the future – what do you think will be the next innovations or future downfalls when it comes to your field of expertise / the topic of your training in particular?

Bad guys evolve and the threats don’t spare mobiles. White hats and developers should also be aware of the right ways to secure apps and assess them: this workshop’s aim is to train attendees to assess iOS and Android application security level on their own.


Davy Douhine (@ddouhine), founder of RandoriSec, an infosec company, has been working in the information security field for almost fifteen years. He mainly works for financial, banking and defense key accounts, doing pentests and holding trainings to help them improve their security. He enjoys climbing rocks in Fontainebleau or in the Bourgogne vineyards and practices Brazilian jiu-jitsu.

Guillaume Lopes (@Guillaume_Lopes) is a pentester with 10 years of experience in different fields (Active Directory, Windows, Linux, Web applications, Wifi, Android). Currently working as a Senior Penetration Tester at RandoriSec he is also a member of the Checkmarx Application Security Research Team. He likes to play CTF (Hackthebox, Insomni’hack, Nuit du Hack, BSides Lisbon, etc.) and gives a hand to the Tipi’hack team.

The Internet of Facts and Fear in IT Security – The DeepSec and DeepINTEL conferences unveil their programmes – bits, bytes, security and geopolitics

« No man is an island ». This quotation is from the English writer John Donne. While the sentence became famous in the 17th century, it takes on a whole new meaning in the digital age. The modern version would rather be: there are no islands left. More and more areas of everyday life and society are connected. This year, the DeepSec and DeepINTEL security conferences therefore want to take a sober look at the Internet of Facts and at fear from the angle of information security. Today, systems are less isolated and far more complex than is reasonable from a security point of view. DeepSec therefore devotes two days of talks and trainings to new technologies and their vulnerabilities. In parallel, the DeepINTEL seminar will discuss the relationship between geopolitics and IT security using examples of incidents.

The Internet of Attacks replaces the Internet of Things

You notice it as soon as you connect a system to the Internet. Interesting or vulnerable targets are attacked immediately. The same happens when sensors, devices or actuators (the “things” of the Internet of Things) are connected to a network. This year, the DeepSec talks will try to connect different aspects of IT security in this context. Mobile devices have always been under threat. Today’s wireless technologies are built on data. No wonder, then, that Luca Melette explains attacks on mobile systems exclusively by way of the Internet Protocol. Aleksandr Kolchanov will show how certain mobile devices can be compromised and read out en masse. Lior Yaari will share his experience in the automotive field. He has analysed components of future cars that are not yet on the market but are already in development. Lior will report on the weak points of technologies we may encounter on our roads in a few years’ time.

Training with security experts

Every year, the DeepSec conference offers continuing education by security experts for the experts in your company. The exchange of knowledge is the basis of every good defence, and not only in the digital world. Because of the short lifespan of information technology, everyone’s level of knowledge and continuing education are decisive in coping with attacks and constant connectivity. The programme therefore offers three different workshops showing how to deal with attacks. Xavier Mertens will explain the dangers of Open Source Security. He will use sources accessible to everyone to explain how to deal with them and how to set up internal processes. He will give examples, based on case studies, of how to detect suspicious patterns.

In their workshop, Peter Manev and Eric Leblond will show how to detect attacks and suspicious processes in a network with the Suricata intrusion detection software. Suricata is easy to set up and offers a wealth of features. The two trainers are also Suricata developers and give first-hand details of the software’s internal workings. Participants will also try their hand at writing rules for real network traffic. The training favours a hands-on approach and is aimed at everyone working in network security.

In their workshop, Thomas Fischer and Craig Jones show how to handle security incidents and find the traces left by hackers. Here too, the training is based on real cases and real examples of the use of the right tools.

Technology is not an island either

Often only the technical point of view is taken into account when examining security problems. In information technology, as in other fields, external factors determine certain conditions. The debate about backdoors in digital systems and communication networks, recurring since the 1990s, is a striking example. What began with the encryption of mobile networks and e-mail now continues with 5G, instant messaging and software development. In 2018, the Australian government passed a law that can force technology companies to build backdoors into their products. These predetermined weak points will also be used by hackers.

The mathematics of encryption is unforgiving when it comes to security. Either communication is secure or it is not. The current trade conflicts affect the IT world just as much and set the course for the deployment of new technologies in the years to come. This year’s DeepSec and DeepINTEL therefore explore the interactions between information security and geopolitical aspects. The presentations of both conferences have been chosen to deepen this subject. Among other things, means of attack, the classification of targets and the conditions for the use of security measures will be discussed. We recommend that everyone responsible for security deepen their knowledge in these areas.

Programme and booking

The DeepSec 2019 conference takes place on 28 and 29 November. The DeepSec trainings take place on the two previous days, 26 and 27 November.

The DeepINTEL conference takes place on 27 November. To receive the programme, send a request to Tickets are available at

DeepSec and DeepINTEL take place at The Imperial Riding School Renaissance Vienna – A Renaissance Hotel, Ungargasse 60, 1030 Vienna.

The DeepSec conference programme can be viewed at The DeepINTEL programme can only be made available on request, as it is a private conference.

You can order your tickets for the DeepSec conference, DeepINTEL and the DeepSec trainings at

DeepSec 2019 Talk: What’s Wrong with WebSocket APIs? Unveiling Vulnerabilities in WebSocket APIs – Mikhail Egorov

The WebSocket protocol is many times more efficient than HTTP. In recent years we can observe that developers tend to implement functionality in the form of WebSocket APIs instead of traditional REST APIs, which use HTTP. Modern technologies and frameworks simplify the building of efficient WebSocket APIs; examples are GraphQL subscriptions and the WebSocket APIs supported in Amazon API Gateway.

WebSockets APIs have a different security model compared to REST APIs, resulting in unique attack vectors. Nevertheless, developers rarely take them into account.

WebSockets in browsers do not use the same-origin policy (SOP) concept; their security model is based on an origin check. Out of the box, WebSockets provide no authentication and authorization mechanisms. The WebSocket protocol is stateful and has two main phases: a handshake phase and a data transfer phase. Most of the time, authentication and authorization logic is implemented in the handshake phase, while the subsequent data transfer phase has no such mechanisms. Usually, this leads to severe security issues.

We will talk about CSRF issues, authorization bypass and IDOR issues, found in real web applications and disclosed through Bug Bounty programs.
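The two phases described above, as an added example that is not code from the talk or from the original post: a strict Origin check beside the weak prefix match it should replace, cookie-based authentication performed only at the handshake, and a per-message ownership check during data transfer (the missing check behind the IDOR class the abstract mentions). The allowed origin, session cookies and document store are constructed in memory so the code runs offline, and all function names are this example’s own.

```javascript
// Added example: model of a WebSocket server's handshake and data phases.
// Everything below (origins, sessions, documents) is constructed test data.
const ALLOWED_ORIGINS = new Set(["https://app.example.test"]);

// Constructed session table: cookie value -> authenticated user id.
const SESSIONS = new Map([["sess-alice", "alice"], ["sess-bob", "bob"]]);

// Constructed resource store: document id -> { owner, body }.
const DOCS = new Map([
  ["doc-1", { owner: "alice", body: "alice's notes" }],
  ["doc-2", { owner: "bob", body: "bob's notes" }],
]);

// Returns the value of one cookie from a raw Cookie header, or null.
function cookieValue(cookieHeader, name) {
  for (const part of (cookieHeader || "").split(";")) {
    const [k, ...v] = part.trim().split("=");
    if (k === name) return v.join("=");
  }
  return null;
}

// Weak origin check: a prefix match. Any origin that merely begins with the
// allowed string passes, including hosts under an unrelated domain.
function weakOriginAllowed(origin) {
  return typeof origin === "string" && origin.startsWith("https://app.example.test");
}

// Strict origin check: parse the header and compare scheme://host[:port]
// exactly. A missing, malformed or "null" Origin is rejected.
function originAllowed(origin) {
  if (typeof origin !== "string") return false;
  let url;
  try { url = new URL(origin); } catch { return false; }
  return ALLOWED_ORIGINS.has(url.origin);
}

// Handshake phase: the only point where the browser's Origin header and
// cookies are visible, so both the CSWSH defence and authentication live here.
// Returns the session to attach to the connection, or null to refuse the
// upgrade (HTTP 403).
function handshake(headers) {
  if (!originAllowed(headers.origin)) return null;
  const user = SESSIONS.get(cookieValue(headers.cookie, "sid"));
  if (!user) return null;
  return { user };
}

// Data transfer phase: frames carry no headers, so the handshake session is
// the only identity. Every message is still authorized against the object it
// references; trusting the client-supplied id alone would be an IDOR.
function handleMessage(session, frame) {
  let msg;
  try { msg = JSON.parse(frame); } catch { return { error: "bad_json" }; }
  if (msg.action !== "getDoc" || typeof msg.id !== "string") {
    return { error: "unsupported" };
  }
  const doc = DOCS.get(msg.id);
  if (!doc || doc.owner !== session.user) return { error: "forbidden" };
  return { id: msg.id, body: doc.body };
}

// Drives one simulated client through both phases and returns the handshake
// status plus the reply to each frame it sent.
function simulateClient(headers, frames) {
  const session = handshake(headers);
  if (!session) return { status: 403, replies: [] };
  return { status: 101, replies: frames.map((f) => handleMessage(session, f)) };
}
```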

We asked Mikhail a few more questions about his talk.

Please tell us the top 5 facts about your talk.

  • WebSocket is a super efficient protocol for communication.
  • Over the years we observe increasing usage of WebSocket API and protocols based on WebSockets instead of traditional REST API and HTTP.
  • The security model of WebSocket API is different from REST API and quite often misunderstood by developers.
  • Security researchers and bug hunters should give more attention to WebSocket protocol and its applications.
  • I’ll talk about CSWSH, authentication and authorization logic bypass, and IDOR vulnerabilities I’ve found in real web applications.


How did you come up with it? Was there something like an initial spark that set your mind on creating this talk?

I’m a full-time bug hunter. And I observe WebSocket APIs participating in Bug Bounty programs. In my talk I want to share my unique experience and some ideas regarding how to test the security of WebSocket APIs.


Why do you think this is an important topic?

WebSocket API becomes more and more widespread. All major browsers support WebSocket protocol. Major cloud providers (AWS, Google, Azure) added support for WebScokets on their platforms recently as well. Protocols such as wamp and stomp built on top of WebSocket protocol are quite popular. At the same time there are “grey” areas related to WebSockets protocol security that are not well-understood by developers like the origin-based model, authentication and authorization, or the reverse proxying of WebSocket connections.

Is there something you want everybody to know – some good advice for our readers maybe?

My talk will be interesting in particular to pentesters, bug hunters, application security experts and developers. I created a WebSocket challenge on You can come and try to hack it. There will be more challenges soon. During the talk I’ll explain the intended solutions.


A prediction for the future – what do you think will be the next innovations or future downfalls when it comes to your field of expertise / the topic of your talk in particular?

I hope to see more great research and unique vulnerabilities related to WebSocket security in the future.


Here you can find CTF challenges related to Mikhail’s talk:

Good luck!


Whitehat, security researcher, bug hunter, conference speaker. Active on Bugcrowd and H1 platforms. Researching security of clouds, web and mobile applications. Acknowledged by Microsoft, Adobe, RedHat, SAP, AT&T, Atlassian, Uber, Netflix, Tesla, General Motors, Western Union, Sophos, Netgear, etc. for reported vulnerabilities. Gave technical talks at LevelUp, Troopers, Hack In The Box, Hacktivity, ZeroNights, PHDays, and HighLoad conference.

DeepSec 2019 Talk: “The Daily Malware Grind” – Looking Beyond the Cybers – Tim Berghoff, Hauke Gierow

Given the noise generated around all the “sexy” and no doubt interesting topics like 0days, APT, and nation state-sponsored threat actors it is easy to miss what is really going on out there, in the world of Joe Average. Actual telemetry data paints a picture that is in many respects different from what happens in a lot of the news coverage. Much of the malware out there, including some that is attributed to some sort of APT, is nowhere near anything that might be considered “sophisticated”. In this talk we will shine a light on different aspects of the realities of home users as well as companies, and offer some interesting data about the malware that actually does the most damage, while precious few get all the press.

We asked Tim and Hauke a few more questions about their talk.


Please tell us the top 5 facts about your talk.

We will take a look at what happens beyond the media frenzy. This should allow us a glimpse into the real daily grind of the malware industry. There will be some over- and maybe rather underwhelming revelations. We will break down some of the internal workings of the malware industry and defuse a couple of myths that are still being propagated in the public.


How did you come up with it? Was there something like an initial spark that set your mind on creating this talk?

Following our talk after DeepSec 2018 “How not to get the Cybers”, we were wondering what we could do to dive deeper into the topic of media coverage versus actual events. In early 2019, we received some new telemetry data about types of malware that were woefully underreported in the public. This gave us the idea of looking into the topic further and continue last year’s talk by expanding on who is getting all the press compared to what is going on in the background.


Why do you think this is an important topic?

There is a general tendency to always pay attention to “latest and loudest”. While this may be a valid approach in some cases, it tends to distract from the fact that stories go on even after they have faded from mainstream headlines. We want to change this.


Is there something you want everybody to know – some good advice for our readers maybe?

To correct your own misconceptions about users. Some try really hard to install malware.


A prediction for the future – what do you think will be the next innovations or future downfalls when it comes to your field of expertise / the topic of your talk in particular?

George Santayana once said “Those who cannot remember the past are doomed to repeat it”. This quote, while close to 60 years old, is now more current than ever, especially in the infosec community. As many tend to focus on what is in front of them – as they should – they easily forget what lies behind them. And more often than not, past news that seemed long forgotten comes back to haunt us.


Tim is a Security Evangelist at G DATA Software AG and frequently speaks about security at conferences and gatherings. He previously consulted companies and the public sector on IT security questions.

Hauke is a spokesperson for G DATA Software AG. Before, he worked as a journalist with as well as Head of Internet Freedom Desk at Reporters Without Borders Germany and a China Think Tank in Berlin.