BSidesLondon – Mentors wanted!

Meme "How To Draw an Owl"You may have heard of the BSides London Rookie Track. It’s the track with the 15 minutes presentation slots where people who have never presented at a security conference before can give it a try. Take me word for it, preparing these 15 minutes is hard work. Even if you had your share of presentations you still have to put some thought into the structure, the material, and the way you want to make your point(s). It’s easier for veterans. It’s hell for rookies. Even with a moderately cleaned pile of information the first drafts of your presentation take ages. In addition you probably make all the mistakes we all made before. This is where the mentors come in. Mentors are experts in their field and have presented before. And mentors we want!

Why mentors? Well, Niels Bohr put it nicely: „An expert is a man who has made all the mistakes which can be made, in a narrow field.“ Rookies need some guidance to get on track. While you have experience, they are still gaining it. So if you have some time to spare and want to help someone, rush to the registration site and get involved! Don’t worry! It’s called BSides London Mentor Application 2020, not BSides London Mental Application 2020. You are safe.

Rookie Track Registration BSidesLondon – don’t miss the deadlines!

Photograph of presentation at DeepSec 2018, © 2018 Joanna Pianka, has opened the Rookie Track registration. Submit your project ideas. Get a chance to present at an information security event. Let mentors guide you to the stage. We are pretty sure that you have something to share with us.

This won’t be the last reminder. Deadlines are closer than you think, quite similar to objects in the rear view mirror. We enjoyed many Rookie presentations at BSidesLondon, and your content is valuable to the audience. The fact that seats get scarce very quickly is a good indicator that your contribution should be submitted to the Rookie Track registration before the call for presentation closes.

The best two rookies will get the opportunity to travel to Vienna in November and attend DeepSec 2020. The first rookie can relax and enjoy our conference. The second place requires a bit more work, because we offer to present your content in a full presentation slot (that’s 45 minutes). As for the Rookie Track we also offer support and guidance. Don’t be intimidated! Everything has to start somewhere. So grab your calendar, mark the deadline, and submit to the Rookie Track registration!

DeepSec 2020 Scholar Program – Call for Applications

ACOD LogoDeepSec 2020 wants to support your project. We have teamed up with partners to foster research in information security. We already support the BSidesLondon Rookie Track, support the Reversing and Offensive-oriented Trends Symposium (ROOTS), publish the DeepSec Chronicles, and support individuals in their research. Now we want to go one step further.

Purpose: To encourage research by young professionals and academics on new and emerging cyber security issues, information security, new ways to use technology, defence, offence, and weaknesses in hardware/software/designs.

Suggested Topics: Vulnerabilities in mobile devices, vulnerabilities in the Internet of Things (IoT), advances in polymorphic code, software attacks on hardware wallets, side channel attacks, hacking industrial control systems and smart cities, quantum and post quantum computing, penetration testing – defining what it means and standardization, and related topics. Let your creativity run free.

Application Requirements:

  • Submit a proposal with a unique cybersecurity related topic in paragraph or outline form
  • CV / Resume
  • One paragraph on how your research will advance or contribute to the research and understanding of your topic and your own professional interests
  • Confirmed availability to attend and speak at the DeepSec Conference in November; talk slots are 45 minutes + 5 minutes of Q&A so plan accordingly
  • Applications must be received by 31 January 2020 to

Scholar Benefits:

  • Work will be published in DeepSec Journal “In Depth Security: Proceedings of the DeepSec Conferences”; Published works for this section of the journal are expected to be more raw, cutting edge research ideas, as a precursor to a future peer reviewed work. The published work will be guided by the Scholar Mentors but not subject to full peer review.
  • Opportunity to present at DeepSec Conference
  • Six months of mentorship and assistance in research from DeepSec Scholar Mentors
  • Full admission ticket including lodging for DeepSec Conference held in Vienna, Austria
  • EURO 5.000 for travel and research costs. Half paid 31 July, second half paid week of DeepSec Conference
  • Mentors will work with Scholars on a defined time-line for mentorship sessions, research drafts any in person meetings or discussions and final paper submission dates

We will follow-up the call for applications here in this blog with introductions of your potential mentors.

Secure Design – Combining Information Security with Software Development

Amateurs' rocket bursts, taken from security researchers usually see software fail. Sometimes they try to make software fail on purpose. The result is a bug description, also called vulnerability report in case the bug has a security impact. The the best case scenario this information reaches the software developers who in turn fix the problem. Then the cycle continues. This process is fun for the first iterations. After a while it gets boring. Even a while after that you ask yourself why integer overflow, injection attacks, and basic cross-anything is still an issue. Some bug classes are well over 40 years old. Polio is far older, and yet we got rid of it (mostly). What’s different in the field of software creation?

The answers are simple, endless, and change depending on the current trend. Just as computing changed from the first mainframes to personal computing and back again the methods in software development have their mix of temporary fashion and solid implementation choices. Additionally you have more programming languages now than decades before – the agony of choice. Who wants to Rust before you go Go? Of course, we are wiser now and have invented skills such as secure coding. The problems seem to stay the same (take a look at the yearly top n CVE entries).

If you take a look behind the scenes of some software projects and unveil the core design of the application, sometimes the reason for security defects become more obvious. Software projects have a history. Code usually was for to solve a set of problems or perform certain tasks. The early design choices follow the production code. Mistakes in the design can lead to implementations that will never be more secure or suffer from vulnerability classes for all eternity. Getting the design right is critical. The credo of „ship early, ship often“ or „ra(p|b)id prototyping“ can lead to the point where working code is favoured over a sound design that doesn’t tip over easily. Secure Design is a nice thing to have. Where do you find it? This is where the soon-to-be-announced DeepSec 2020 Call for Papers comes in. We would like to take a stab at software development. If you teach/develop/test/implement secure design or secure coding, then we want to hear about it. Presentations are welcome. In case you have a training in mind, please drop us an email.

DeepSec Support for BSidesLondon Rookie Track 2020

Union Jack with Brexit, © 2020 Florian Stocker, will support the BSidesLondon 2020 Rookie Track again. Talents need our support, and information security research knows no borders and no perimeter (ask the pentesters!). So we would like to keep up the tradition of lending a hand, hopefully beyond 2020. The best rookies will get the chance to attend DeepSec and to hold a presentation there. If you want to be one of the rookies, then head to the Rookie Track CFP 2020. Submit your idea! Present your project!

In case you have a lot of experience and want to share this treasure with others, consider becoming a mentor for the rookies. The BSidesLondon Mentor Application 2020 is open. Presenting must be practised. However practice without proper training is quite difficult. This is where the mentors come in. To quote from the mentor application form: As a Mentor, you will be there to help the a Rookie take their initial idea from concept into a full 15 minute presentation. You are not there to write it for them but to help with things like presentation style (not 100 words per page at 8pt comic sans) and general support in things like how to practice before hand and what to do when they get on stage.

Mentorship is very rewarding, because you get to work with people who bring their own perspective into the play. Nothing is more dangerous for an open mind than stewing in your own grease. Being a mentor will give you an edge to fight the daily routine. It’s not just for boosting the rookie’s confidence.

In case you want to present, both the normal Call for Papers and the Rookie Track CFP are open. Looking forward to see you in London!

DeepSec, DeepINTEL, and ROOTS in 2020

The CERN datacenter with World Wide Web and Mail servers.We took some time off to deal with the administrative side of running the DeepSec conference. Additionally some of us were engaged in project work. 2020 started early this time. There is a lot to do behind the scenes, especially in times where reading the news doesn’t help you to navigate the rest of the year. We also finished the travel plans for the year, so we will have some information where and when to connect to DeepSec.

The most important information for you: There will be a DeepSec & DeepINTEL conference in 2020. There will also be a Reversing and Offensive-oriented Trends Symposium (ROOTS) again in 2020. The call for papers are in preparation and will open in two weeks. The dates are as follows:

  • DeepSec Trainings 17/18 November 2020
  • DeepINTEL Conference 18 November 2020
  • DeepSec Conference 19/20 November 2020
  • Reversing and Offensive-oriented Trends Symposium (ROOTS) 19/20 November 2020

We picked an earlier week not to clash with Thanksgiving again. This will also be the case for 2021, so you can enjoy your family dinner without having to think about information security (at least it won’t be our fault).

As for the calls for papers and our ongoing support of researchers: There will be a Call for Applications for our DeepSec Scholar Program. If you have an idea for a research project or an interesting approach for a topic related to information security, then let us know. Applicants will be supported financially, get an opportunity to speak at DeepSec, and will be included in the “In Depth Security: Proceedings of the DeepSec Conferences” journal.

You can send us your submissions for the DeepSec training sessions right away by email, if you like. We intend to publish the trainings slots as early as possible to give our company attendees some room to manoeuvre. Unfortunately getting the green light to attend a training takes some weeks or months for some of us.

Save the date: DeepINTEL / DeepSec 2020 – 17 to 20 November

Hex dump from /boot/vmlinuz-5.4.3We fixed the dates for DeepINTEL and DeepSec 2020. As promised there will be no collision with Thanksgiving. DeepINTEL 2020 will be on 18 November 2020. The DeepSec trainings will be on 17/18 November 2020. The DeepSec conference will be on 19/20 November 2020.

The Calls for Papers will open in February 2020.

Have a rest and enjoy the holidays! We are looking forward to see you in Vienna (again)!

DeepSec 2019 Keynote: Computer Security is simple, the World is not – Raphaël Vinot and Quinn Norton

Information security is too often seen as a highly technical field in computer science, and one where the more technical someone is, the more right they are likely to be. But security is part of systems of life, that not only include computers and phones, but systems of living, cultures, history, politics, and interpersonal relationships. Technical knowledge is important in those systems, but on its own, it accomplishes very little — as the sorry state of the computer security in the world demonstrates. Knowing how computers work doesn’t gives us an empirical knowledge of what people do with their devices, what their job is, what context they live in, what their adversaries want from them, what their capabilities or resources are.
In this talk we will explain why listening is the most important part of practical security, and how to listen effectively and efficiently.
We will touch on practical examples from our own life experience, from helping journalists, activists, and lawyers, to students, sex workers, and survivors of partner abuse. We will explain why in the end, information security may have more in common with anthropology — investigation and analysis of practices in the real world — than it does with math and software.

We asked Raphaël and Quinn a few more questions about their talk.

Please tell us the top 5 facts about your talk.

  • More technology will not necessarily solve the problems caused by technology.
  • Information security is part of a wider culture and not an end in itself.
  • Investigating your user’s needs is the important, and understanding their context is the whole game.
  • This means good security involves anthropology.
  • Diversity of approach and background (and especially the lack of) is a limiting factor in the effectiveness of a security culture

How did you come up with it? Was there something like an initial spark that set your mind on creating this talk?

Both of us have worked with activists and journalists in kinetic and dangerous situations, relying on terrible technology security and security practices. Security punditry was telling them what to do, but that advice was almost never relevant. Over the years we’ve watched people jailed and driven from their homes, unable to get help from a security community that doesn’t know how to listen.

On a wider scale, we keep hearing the same stories of data leaks, system compromise, and terrible operational security that weren’t sophisticated and didn’t have to happen, if we saw the human element as part of security and not a detriment to it.

Why do you think this is an important topic?

Humans are infinitely creative. Forcing people to use specific tools or techniques will never improve security. That’s why we need a responsive security community and digital literacy education instead of more access control barriers.

Is there something you want everybody to know – some good advice for our readers maybe?

Listen to your users. Earn their trust. Meet their needs. Nothing else will keep you safe.

A prediction for the future – what do you think will be the next innovations or future downfalls when it comes to your field of expertise / the topic of your talk in particular?

Less people running from one fire to the next, more communication between user and administrative communities and spreading digital literacy.


Quinn Norton is a writer who likes to hang out in the dead end alleys and rough neighborhood of the Internet, where bad things can happen to defenseless little packets. They are also places were new freedoms and poetries are born, and run riot over the network. She started studying hackers in 1995, after a wasted youth of Usenet and BBSing. These days, Quinn is a journalist, published in Wired, The Atlantic, Maximum PC, and more. She covers science, technology, copyright law, robotics, body modification, and medicine, but no matter how many times she tries to leave, she always comes back to hackers.



Raphaël Vinot is a security researcher at the Computer Incident Response Center Luxembourg (CIRCL) since 2012. Raphaël wants to increase the IT consciousness of the human beings populating the internet in order to make it safer for everyone. His day job is a mixture of forensic and malware analysis with a lot of Python on top of it to glue all the pieces together. He loves sharing and thinks everyone should contribute to open source projects.

Tags: , , , , , , ,
Posted in Conference. Comments Off on DeepSec 2019 Keynote: Computer Security is simple, the World is not – Raphaël Vinot and Quinn Norton

DeepSec 2019 Talk: How To Create a Botnet of GSM Devices – Aleksandr Kolchanov

There are different types of GSM-devices: from GSM-alarms for homes and cars to industrial controllers, remote-controlled electric sockets and smartwatches for kids. Also, often they are vulnerable, so GSM-devices are interesting targets for hackers and pranksters. But it is easier to hack a device than to find these devices (usually, you should make a call, send SMS with a command to the phone number of this device, so it is necessary for an attacker to know or find this number).

During this talk, I will give a short overview of types of devices and common vulnerabilities, then I will tell about different methods, which can be used to find the phone number of the device. Also, I will show some funny ideas, which allows hackers to create small (or huge, who knows?) botnet of GSM-alarms and smart homes controllers.


Aleksandr Kolchanov is an independent security researcher and consultant. Ex penetration tester of a bank in Russia. He takes part in different bug bounty programs (PayPal, Facebook, Yahoo, Coinbase, Protonmail, Yandex, Privatbank). Aleksandr is interested in uncommon security issues, telecom problems, privacy, and social engineering.

Tags: , , , ,
Posted in Conference. Comments Off on DeepSec 2019 Talk: How To Create a Botnet of GSM Devices – Aleksandr Kolchanov

DeepSec 2019 Press Release: High-quality Randomness protects Companies

The ‘bugs’ of the’ 90s are still alive – hidden in IoT devices, integrated systems and industrial controls. Modern information security can’t manage without mathematics. It is less about statistics in the form of operational data or risk analysis. It’s about cryptography, which is constantly used in everyday life. It uses elements that build on high-quality random numbers to protect information from attacks. This year’s DeepSec Security Conference addresses key aspects of product implementation – data protection during transport and storage.

Protecting the Digital Transformation

Whether “intelligent” bulbs and illuminants, heating or building controls, tv-sets, industrial plants or entire production lines – the digital transformation covers all areas of our lives and leads to changes.

On the one hand, digitization opens up opportunities such as the optimization of processes, the more efficient use of own and external resources, the networking of value chains or digital maintenance.

At the same time, however, there are risks that should not be underestimated. Ensuring data security and authenticity as well as compliance with required security standards present many companies with major challenges. Cryptography and the associated protection of cryptographic keys play a fundamental role – who owns the keys is in control.

At this year’s DeepSec Security Conference in Vienna, experts from sematicon AG are ready to show the risks and dangers of current implementations. In addition, they will use practical examples to prove that there are suitable and simple solutions and tools for all areas of this new technology in order to drastically increase security through the use of strong cryptography. Such implementations don’t have to pass up on usability or maintainability. As a side effect, properly implemented solutions even increase speed and save power, which is of great interest for decentralized, battery or solar powered systems.

Why you should leave IT Security to Chance

Since Edward Snowden’s reports on the pervasiveness of communications surveillance, the use of encryption on the Internet has greatly increased. Hardly a well-known website still does without it. Encryption is also indispensable today for systems beyond the desktop, from intelligent sensors to large industrial plants. These keys must be generated randomly, so they can not be easily guessed. High quality random numbers are necessary. Randomness is not a “function” of a software solution, but uses special physical effects to ensure a high quality of the random numbers. If they could be guessed or comprehended the calculation of the key is not far away. The generation of the keys worth protecting is based on the principle of qualitative randomness – also known as entropy. If you need a lot of keys or you want to increase their quality, you are looking for suitable sources such as hardware security modules, also known as hardware security modules (HSMs).

At this year’s DeepSec Security Conference in Vienna, in cooperation with the Munich-based company sematicon AG, it will be shown that there are suitable solutions for all areas of technology, and that the fear of using it in one’s own company is unfounded.

Side Channel Attacks – or how to extract Crypto Keys from protected Hardware

During the DeepSec conference sematicon AG will show, among other things, how easy it is to gain access to entire company networks with Microsoft® Windows on-board tools and an incorrectly configured PKI, or how to extract cryptographic keys from supposedly protected IoT or embedded devices and thus can manipulate the firmware. In this way simple household appliances such as incandescent lamps become a gateway for hackers. It will also briefly be discussed how secrets of industrial equipment can be obtained if security has not been properly implemented from the beginning. These are by no means specially prepared systems, but rather classical implementations as they are found in the economy. It is not about “live hacking”, but about the technical expertise of crypto experts who have been working in the industry for many years and have a wealth of experience. This demonstration is intended for anyone who needs to install secure data transmission in their own infrastructure, no matter at what level.

Cryptography made easily accessible

Despite the thematic part of higher mathematics, the DeepSec Conference and the sematicon AG are concerned to communicate the importance of the methods and technologies used for practical use to a broad professional audience. The demonstrations and lectures are aimed not only at technicians, but also at project managers, managers and designers of products. All levels should be integrated as information security is an interdisciplinary undertaking. Fear of the matter is therefore completely unfounded. The lectures and events during the conference offer several ways to get started and to further training through exchange with experts. Take advantage of this opportunity.

Schedule and Booking

The DeepSec 2019 conference takes place on 28 and 29 November. The two-day DeepSec trainings will take place on the two preceding days, 26th and 27th November.

The venue for the DeepSec event is The Imperial Riding School Vienna – A Renaissance Hotel, Ungargasse 60, 1030 Vienna.

Tickets for the DeepSec conference itself and the trainings can be ordered at any time at

Tags: , , , , , ,
Posted in Conference Training. Comments Off on DeepSec 2019 Press Release: High-quality Randomness protects Companies

DeepSec 2019 Talk: Abusing Google Play Billing for Fun and Unlimited Credits! – Guillaume Lopes

In 2017, the estimated global in-app purchase revenue was projected to exceed $37 billion. Just in the Google Play Store, for 2018, more than 200 000 apps are offering in-app purchases. However, the Google Play Billing API is vulnerable by design and allows an attacker to bypass the payment process. I analyzed several android games and found that it’s possible to bypass the payment process. This presentation will show real vulnerable applications (Fruit Ninja, Doodle Jump, etc.).

We asked Guillaume a few more questions about his talk.

Please tell us the top 5 facts about your talk.

  • The vulnerability presented is really easy to exploit
  • Client side issues are not dead in 2019!
  • It seems nobody cares about losing money in the game industry…
  • Very few vendors fixed their implementation
  • Real vulnerable applications will be presented during the talk 🙂

How did you come up with it? Was there something like an initial spark that set your mind on creating this talk?

At BSides Lisbon, in 2017, I was following a talk from Jérémy Matos about abusing an Android In-app Billing feature thanks to a misunderstood integration. In his talk, he presented an Android app (PandaPop if I remember correctly) having a misconfiguration on the Play Billing implementation. It was possible to bypass the payment by using specific test keywords, normally reserved when developing the application. From this point on I started digging on how the Google Play billing API was working and found that in fact many Android apps implement The Google Play Billing in an unsecure way.

Why do you think this is an important topic?

First, because payment transactions are important. If an attacker can easily bypass payments in order to obtain the product, it is basically game over for your app. Then, it shows that access control performed on the client side can not be trusted and should be prevented.

Is there something you want everybody to know – some good advice for our readers maybe?

Don’t trust the client! If your security relies on control implemented on the client side, it’s going to be breached at some point.

A prediction for the future – what do you think will be the next innovations or future downfalls when it comes to your field of expertise / the topic of your talk in particular?

I hope Google is going to review the Google Play Billing API in order to prevent people implementing security protections locally.


Guillaume Lopes is a pentester with 10 years of experience in different fields (Active Directory, Windows, Linux, Web applications, Wifi, Android). Currently he’s working as a Senior Penetration Tester at RandoriSec and also as a member of the Checkmarx Application Security Research Team. He also likes to play CTF (Hackthebox, Insomni’hack, Nuit du Hack, BSides Lisbon, etc.) and gives a hand to the Tipi’hack team.

Tags: , , , ,
Posted in Conference Security. Comments Off on DeepSec 2019 Talk: Abusing Google Play Billing for Fun and Unlimited Credits! – Guillaume Lopes

ROOTS 2019 Talk: Shallow Security: on the Creation of Adversarial Variants to Evade ML-Based Malware Detectors – Fabricio Ceschin

The use of Machine Learning (ML) techniques for malware detection has been a trend in the last two decades. More recently, researchers started to investigate adversarial approaches to bypass these ML-based malware detectors. Adversarial attacks became so popular that a large Internet company (ENDGAME Inc.) has launched a public challenge to encourage researchers to bypass their (three) ML-based static malware detectors. Our research group teamed to participate in this challenge in August/2019 and accomplishing the bypass of all 150 tests proposed by the company. To do so, we implemented an automatic exploitation method which moves the original malware binary sections to resources and includes new chunks of data to it to create adversarial samples that not only bypassed their ML detectors, but also real AV engines as well (with a lower detection rate than the original samples). In this talk, we detail our methodological approach to overcome the challenge and report our findings. With these results, we expect to contribute to the community and provide better understanding on ML-based detectors weaknesses. We also pinpoint future research directions toward the development of more robust malware detectors against adversarial machine learning.

Fabrício Ceschin is a Ph.D. student and master’s degree in informatics at Federal University of Parana, Brazil (UFPR). Currently interested in machine learning and deep learning applied to security. Supported student by the program Google LARA (Latin America Research Awards) 2017.


Tags: , , , , ,
Posted in ROOTS. Comments Off on ROOTS 2019 Talk: Shallow Security: on the Creation of Adversarial Variants to Evade ML-Based Malware Detectors – Fabricio Ceschin

ROOTS 2019 Talk: RevEngE is a dish served cold: Debug-Oriented Malware Decompilation and Reassembly – Marcus Botacin

Malware analysis is a key process for knowledge gain on infections and cyber security overall improvement. Analysis tools have been evolving from complete static analyzers to partial code decompilers. Malware decompilation allows for code inspection at higher abstraction levels, facilitating incident response procedures. However, the decompilation procedure has many challenges, such as opaque constructions, irreversible mappings, semantic gap bridging, among others.

In this talk, we propose a new approach that leverages the human analyst expertise to overcome decompilation challenges.

We name this approach “DoD—debug-oriented decompilation”, in which the analyst is able to reverse engineer the malware sample on his own and to instruct the decompiler to translate selected code portions (e.g., decision branches, fingerprinting functions, payloads etc.) into high level code. With DoD, the analyst might group all decompiled pieces into new code to be analyzed by other tools, or to develop a novel malware sample from previous pieces of code and thus exercise a Proof-of-Concept (PoC). To validate our approach, we propose RevEngE, the Reverse Engineering Engine for malware decompilation and reassembly, a set of GDB extensions that intercept and introspect into executed functions to build an Intermediate Representation (IR) in real-time, enabling any-time de-compilation. We evaluate RevEngE with x86 ELF binaries collected from VirusShare, and show that a new malware sample created from the decompilation of independent functions of five known malware samples is considered “clean” by all VirusTotal’s AVs.

Marcus is a Computer Engineer (UNICAMP, Brazil), Master in Computer Science (UNICAMP, Brazil) and CS PhD Student (UFPR,Brazil). His research interests are reverse engineering, malware analysis and systems security.


Tags: , , , ,
Posted in ROOTS. Comments Off on ROOTS 2019 Talk: RevEngE is a dish served cold: Debug-Oriented Malware Decompilation and Reassembly – Marcus Botacin

DeepSec2019 Training: Incident Response Detection and Investigation with Open Source Tools – Thomas Fischer & Craig Jones

Defences focus on what you know! But what happens when the attackers gain access to your network by exploiting endpoints, software or even you people. Under the assumption that you have been breached, how do you work backwards to gain knowledge of what happened? How can you find those adversaries in your infrastructure? IR detection and response relies on a structured process of identifying observables and collecting evidence. One aspect of this is the practice of proactively seeking out evil in your infrastructure, finding needles in haystacks that link to other needles and unveiling how an organization was compromised and possibly even answering the “why?”. This is commonly referred to as Threat Hunting. In this hands-on training participants will learn about the basic building blocks for an IR detection and investigation programme. The training will introduce the basics so that a participant will be able to take this knowledge and build up a programme in their own organisation. Using tools like ELK or HELK, Grr, Sysmon, and osquery, we will explore how to deploy and use these tools as basic free options to build the foundations of the threat hunting programme. The labs will look at how Mitre ATT&CK and things like sigma rules are used to help identify indicators of attack. With interactive labs on a simulated corporate infrastructure of both Windows and Linux client, we’ll explore the capabilities provided by these tools to hunt for common techniques used by Malware and threat actors.  Participants will walk away with a basic understanding of threat hunting and the tools needed to develop a hunting practice in their own organisation through the following agenda:

  • Intro to threat hunting

  • Threat hunting and the IR process

  • Understanding the requirements

  • Backend Tools

  • Detection/Reporting tools like Mitre ATT&CK and Sigma

  • Endpoint tools: osquery and sysmon

  • Hands on exercise will be spread across the 2 days

Participant Requirements

  • Working knowledge of Windows (no OSQuery experience required);

  • Working knowledge of the Linux shell (no OSQuery experience required);

  • Basic SQL,

  • Laptop with a SSH client

We asked Thomas and Craig a few more questions about their training.

Please tell us the top 5 facts about your training.

The training will provide the participant a forum to learn:

  • Some basic foundations of incident response versus threat hunting setting the picture for the days activities
  • Basics of what is key to building an incident response and threat hunting programme
  • Understanding of the importance of TTPs, IOCs and frameworks like ATT&CK
  • The open source tools that available for gathering data to start the hunting process
  • Deep dive into tools including osquery to gather and find threats

How did you come up with it? Was there something like an initial spark that set your mind on creating this training?

The original thought process started with both Thomas’ and Craig’s personal desire to learn about opensource tools that were becoming more common in the incident response field and to get more hands on experience. Both Thomas and Craig work in the field of incident response and regularly have to see what tools are available to improve workflows. The focus was on tools being promoted by organisations like SANS as well as tools developed by large companies like OSQuery.

Why do you think this is an important topic?

There is an increasing presence of sophisticated attacks in the wild from either criminal organisations or state actors. More and more attacks are hitting organisations and they need to be able to deal with this. Multiple reports have highlighted that over 60% of victims may not detect intrusion from 90 days to months and attackers can remain undetected for as many as 99 days if not more. So organisations need to find the right tools that fit their environment to be able to deal with intrusions and reduce the time to detect and how long organisations dwell in the infrastructure.

Is there something you want everybody to know – some good advice for our readers maybe?

There are many tools out there including some very expensive commercial ones. Press and marketing reference EDR as the way forward, this training takes a slightly different approach and looks at opensource tools or simple solutions that can help you improve your incident response posture.

A prediction for the future – what do you think will be the next innovations or future downfalls when it comes to your field of expertise the topic of your training in particular?

As the level of attacks get more frequent and more complex, we are going to see a drive towards more and more automation. If you can leverage automated response for the known-knowns, you will be able to drive faster containment. At the same time allowing your SOC analysts, responders and threat hunters to concentrate on the more dangerous and advanced attacks. An important part of that strategy will be the endpoint whether the user’s computer or a server in your data centre or a cloud solution.

Having a clear picture of the organisation’s assets is going to be a big priority. Solutions that allow you to discover all of the organisation’s assets including those that are not managed will become an important part of the ability for InfoSec teams to respond.

Thomas has over 30 years of experience in the IT industry ranging from software development to infrastructure & network operations and architecture to settle in information security. He has an extensive security background covering roles from incident responder to security architect at fortune 500 companies, vendors and consulting organisations. He is currently security advocate and threat researcher focused on advising companies on understanding their data protection activities against malicious parties not just for external threats but also compliance instigated.

Thomas is also an active participant in the InfoSec community not only as a member but also as director of Security BSides London, ISSA UK chapter board member and speaker at events like SANS DFIR EMEA, DeepSec, Shmoocon, and various BSides events.


Craig Jones is Senior Manager of Security Engineering in Sophos, responsible for detection engineering, IR and security infrastructure.​@albanwr​​​

Tags: , , , , , ,
Posted in Conference. Comments Off on DeepSec2019 Training: Incident Response Detection and Investigation with Open Source Tools – Thomas Fischer & Craig Jones

DeepSec 2019 Talk: Demystifying Hardware Security Modules – How to Protect Keys in Hardware – Michael Walser

[Editorial note: Cryptography is one of our favourite topics. This is why we invited experts from sematicon AG to show some of their skills and help you navigate through the jungle of false promises by vendors, magic bullets, and misuse of the word „crypto“.]

A secure crypto-algorithm is based on the fact that only the key needs to be kept secret, not the algorithm itself. The key is of high value and must be protected. In this talk we will have a look at how to protect keys and why a dedicated hardware is needed to make sure the key is kept secret and always under the control of the owner. Different use cases require different HSMs (Hardware Security Modules). We will have a look at data centres and cloud HSMs as well as at desktops and embedded solutions like industrial equipment or IoT-Devices.

Afterwards you can visit us at our booth to see market leading HSMs in action and you will have the possibility to discuss features and functions with long-term crypto experts.

We asked Michael a few more questions about his talk.

Please tell us the top 5 facts about your talk.

  • Isolate keys and secrets from users
  • always isolate keys from applications and firmware
  • operate with keys only in isolated environments
  • take care about standards
  • encryption is not an universal problem-solver

How did you come up with it? Was there something like an initial spark that set your mind on creating this talk?

After more than a decade in the IT-Security Business with strong focus on cryptography it is still an unpleasant truth, that most people do not care about crypto-keys at all. Everybody knows that encryption is important but it is curious that the job seems to be done when the data is encrypted. Crypto-Keys are most of the time stored in software represented by a key file that can be easily copied and lost. These keys are copied every day in backups and are distributed all over the infrastructure.
The reason is simple: they must be available to access the encrypted data for work.

Why do you think this is an important topic?

The biggest breaches in the last years did not happened because something was “hacked”. The reality is that something was “lost” most probably the key to the data. It is if you have the best alarm-system and somebody just steals the key to open the front door. It is important that people start thinking about the fact that the key  represents the value of the data and there is a need for strong protection.

Is there something you want everybody to know – some good advice for our readers maybe?

There are solutions to answer the question about how to protect keys and keep them available. It does not matter where: Cloud, IT, IoT or Industrial Systems. There are many types of hardware security modules to use. It just depends on the use case you will have. It is not a rocket science but a question of the right tools available.

A prediction for the future – what do you think will be the next innovations or future downfalls when it comes to your field of expertise / the topic of your talk in particular?

Crypto is very much complex when it comes to practical use cases. This is the reason why there are so many easy-to-use tools (including HSMs) do exist for the IT-Industry. But what about industrial systems and IoT-solutions? We do our best to provide the same toolset also for embedded and industrial systems. I really hope, that making things easier will bring more people and engineers on track with strong authentication and cryptography.

Michael Walser is a member of the executive board and CTO of the Munich based security company sematicon AG. In this function, he is responsible for the company’s technical business strategy and advises customers how to securely implement the digital transformation in industry and IT.
After graduating in electrical engineering, he was working as a consultant and advisor on successful IT security and digital payment projects – always focusing on cryptography – for many years. He supported many customers worldwide and was also responsible for the projects’ implementation.

sematicon AG is a Munich-based company specialised in IT security and cryptography. We support our customers in mastering digital transformation successfully and securely in their operations. With a focus on IT, industry and electrical engineering, we offer highly specialised security solutions, which have been developed on the basis of industrial and IoT requirements. For example, our solution for secure and isolated remote access to industrial plants and systems has been declared to be innovative by our customers. Furthermore, we support and advise you in the planning and implementation processes of your security concepts. In our in-house training centre – the sematicon academy – we aim at qualifying employees in all relevant IT security areas. Thus, we offer comprehensive security services for the industrial and electronics sectors from a single source.


Tags: , , , , , , ,
Posted in Conference. Comments Off on DeepSec 2019 Talk: Demystifying Hardware Security Modules – How to Protect Keys in Hardware – Michael Walser