DeepSec 2019 Talk: Chinese Police and CloudPets – Abraham Aranguren

[In our Call for Papers we mentioned that DeepSec and specifically DeepINTEL will have a connection to geopolitics. Well, the following description of a presentation at DeepSec gives you an idea of what we meant.]

This talk is a summary of three different security audits with an interesting background:

First, CloudPets, their epic track record, what we found and what happened afterwards.
Next, two mobile apps by Chinese Police: “BXAQ” and “IJOP”, both related to surveillance of ethnic minorities, but in different ways. Stay tuned.

Part 1: CloudPets

Wouldn’t it be cool, for a parent far from home, to be able to record a voice message with their phone and make the sound come out of a soft toy that children can hug? That’s the idea of CloudPets. Children can even respond directly from the soft toy and communicate with their parents. What could possibly go wrong? Let your imagination go wild and you will still fall short 🙂

Database dumps, blackmailing, ransoms, millions of people affected, our findings and other intrigues, not to be missed!

Part 2: Chinese Police

This part talks about two mobile surveillance apps that Chinese authorities employ to spy on the Muslim minorities of China’s Xinjiang region, the applications: “IJOP” and “BXAQ”. These audits were sponsored by Human Rights Watch (HRW) and the Open Technology Fund (OTF). The Chinese government faced international criticism when the results of these audits became public.

While the audits focused on evidence gathering of the surveillance activities, which will be covered in this talk, we will also discuss some interesting vulnerabilities that we found along the way and which were not the focus of the audit itself. Also, for those interested in learning about mobile security we will talk about the challenges faced with these apps and how we overcame them.

This talk will be an interesting learning experience as it combines technical security vulnerabilities with political and commercial background implications.


After 13 years in Itsec and 20 in IT Abraham is now the CEO of 7ASecurity, a company specializing in penetration testing of web/mobile apps, infrastructure, code reviews and training. Former senior penetration tester / team lead at Cure53 and Version 1. Creator of “Practical Web Defense” – a hands-on eLearn security attack / defense course, OWASP OWTF project leader of an OWASP flagship project, major degree and diploma in Computer Science, some certs: CISSP, OSCP, GWEB, OSWP, CPTS, CEH, MCSE:Security, MCSA:Security, Security+. As a shell scripting fan trained by unix dinosaurs, Abraham wears a proud manly beard. He writes on Twitter as @7asecurity @7a_ @owtfp or Some presentations, pentest reports and recordings can be found at

Scheduled Maintenance for Web Site and Blog

Today there will be an interruption of power supply and network connectivity. The systems affected are our web site and our blog. While the downtime is scheduled and part of our maintenance, the reason for the downtime was not. It has to do with rain, pipes, and queues. To quote Marcus Ranum:

As security or firewall administrators, we’ve got basically the same concerns [as plumbers]: the size of the pipe, the contents of the pipe, making sure the correct traffic is in the correct pipes, and keeping the pipes from splitting and leaking all over the place. Of course, like plumbers, when the pipes do leak, we’re the ones responsible for cleaning up the mess, and we’re the ones who come up smelling awful.

Rain, gravitation, the size of pipes, and sediments came to visit our office a few months ago. Today we will put some serious firewalling in place in order to be on the safe side when it comes to our computing equipment. 🌧 🔌 😎

We’ll be right back after the break.

DeepSec 2019 Talk: Comparing GnuPG With Signal is like Comparing Apples with Smart Light Bulbs – Hans Freitag

GnuPG is not designed to be used only in E-Mail, it plays an important role in securing all sorts of mission critical data. In this talk I will show you applications of GnuPG that are not E-Mail or Instant Messaging.

We asked Hans a few more questions about his talk.

Please tell us the top 5 facts about your talk.

  • GnuPG is free software that can be used to encrypt and sign data.
  • Signal is not a free software but may be used to communicate with others.
  • You can’t compare apples with pears.
  • In German the term glowing pear is used for light bulb.
  • My Key ID is: 1553A52AE25725279D8A499175E880E6DC59190F

How did you come up with it? Was there something like an initial spark that set your mind on creating this talk?

I browsed the news and came across an article saying “We found a bug in an E-Mail program accidentally displaying unencrypted data as encrypted data and therefore you should ditch the use of GnuPG immediately and use Signal instead!” Spoiler Alert: It does not work!

Why do you think this is an important topic?

GnuPG is the tool on which almost all open source software relies when delivering software to customers. It is embedded in almost any open software and even usable from Android phones.

Is there something you want everybody to know – some good advice for our readers maybe?

Be nice to each other. Protect private data. Respect others.

A prediction for the future – what do you think will be the next innovations or future downfalls when it comes to your field of expertise / the topic of your talk in particular?

The next innovation might be a better user interface with sane defaults for GnuPG keys. Also getting GnuPG support for user keys and smart cards into the OS at installation level is important.

I would love to see GnuPG available in company infrastructure. I believe this would boost usage a lot, as it means that confidential data can be stored end to end encrypted and signed on the servers with the push of a button.

Born in Celle, Germany in 1980.
Found out about Open Source around 1997.
Attended the first Chaos Communication Congress in 1999.
Self employed as consultant and developer since 2001.
CEO/CTO and owner of Conesphere GmbH since 2017.

DeepSec 2019 Training: Threat Hunting with OSSEC – Xavier Mertens

OSSEC is sometimes described as a low-cost log management solution but it has many interesting features which, when combined with external sources of information, may help in hunting for suspicious activity occurring on your servers and end-points.

During this training, you will learn the basics of OSSEC and its components, how to deploy it and quickly get results. The second part will focus on the deployment of specific rules to catch suspicious activities. From an input point of view, we will see how easy it is to learn new log formats to increase the detection scope and, from an output point of view, how we can generate alerts by interconnecting OSSEC with other tools like MISP, TheHive or an ELK Stack / Splunk and add more contextual content with OSINT feeds.

We asked Xavier a few more questions about his talk.

Please tell us the top 5 facts about your training.

  1. It’s critical for organizations to be aware of what’s happening on their networks.
  2. The idea is to use information present on the Internet to increase the detection rates.
  3. Security controls can be implemented with free tools.
  4. The training has many labs and students will practice.
  5. The goal is to open the students’ eyes and make them have ideas to implement on their side.

How did you come up with it? Was there something like an initial spark that set your mind on creating this training?

I’ve been a big fan of OSSEC for years and have already blogged a lot about it. I participated in the project (e.g. I wrote the initial GeoIP support). And, of course, I’m using it daily to monitor my infrastructure. Many (small) organizations do not have resources to implement or seem afraid to deploy solutions like OSSEC. I think it was time to wrap up all this content and provide it as a training.

Why do you think this is an important topic?

Despite the fact that we deploy more and more security controls at our network boundaries, we still see compromised hosts, data leaks, etc. Keeping an eye on events is key to detect all suspicious activity as soon as possible.

Is there something you want everybody to know – some good advice for our readers maybe?

Sharing and integration of tools are a key point. Each of them has interesting data that can be reused by other tools to improve detection capabilities. The training could be interesting for Blue Team people or system/security engineers. Investing in tools like OSSEC will also raise your overall protection and, in case of an incident, you will already have some data to analyze.

A prediction for the future – what do you think will be the next innovations or future downfalls when it comes to your field of expertise / the topic of your training in particular?

The problem with many organizations today: the business is running so fast that they can’t keep control of what’s deployed in their infrastructure. They lose the knowledge of what’s important. This is a key requirement to better protect yourself. With tools like OSSEC, you can at least collect information from your hosts and granularly implement controls to detect / block bad guys at an early stage.


Xavier Mertens is a freelance cyber security consultant based in Belgium. His daily job focuses on protecting his customers’ assets by applying “defensive” security (incident handling, forensics, log management, SIEM, security visualisation, OSINT) but also “offensive” security (pentesting). However, his preferred domain is playing on the Blue Team side. Besides his daily job, Xavier is also a security blogger, a SANS Internet Storm Center handler and co-organizer of the BruCON security conference.

DeepSec 2019 Training: Pentesting Industrial Control Systems – Arnaud Soullie

In this intense two day training at DeepSec, you will learn everything you need to start pentesting Industrial Control Networks [also called Industrial Control Systems (ICS)].

We will cover the basics to help you understand what the most common ICS vulnerabilities are. We will then spend some time learning and exploiting Windows & Active Directory weaknesses, as most ICS are controlled by Windows systems. And we will cover the most common ICS protocols (Modbus, S7, Profinet, Ethernet/IP, DNP3, OPC), analyze packet captures and learn how to use these protocols to talk to Programmable Logic Controllers (PLCs). You will learn how to program a PLC, to better understand how to exploit them.

The training will end with an afternoon dedicated to a challenging hands-on exercise: The first [Capture The Flag] CTF in which you capture a real flag! Using your newly acquired skills, you will try to compromise a Windows Active Directory, pivot to an ICS setup to take control of a model train and robotic arms.

We asked Arnaud a few more questions about his training.


Please tell us the top 5 facts about your training.

  • Industrial Control systems are everywhere
  • They are mostly insecure
  • and it is not really getting better
  • You need to understand these specific systems if you want to hack into ICS
  • Understanding how to hack things is a great way to understand how to secure them

How did you come up with it? Was there something like an initial spark that set your mind on creating this training?

There are very few ICS security trainings at the moment, and they are mostly focused on defense and threat hunting. I strongly believe that it is valuable to have a pragmatic vision of offence to be better at defence, that is why I created this pentesting ICS training!

I also wanted people to work on realistic scenarios, that’s why the training ends with a half-day dedicated to a Capture-the-Flag using real ICS devices.

Why do you think this is an important topic?

We do not realize it, but Industrial Control Systems are everywhere, from your built-in heating system to nuclear power plants. Almost all critical infrastructures, vital for the countries, rely somehow on ICS.

The security level of these networks and components is still very low, despite awareness slowly rising over the past few years, so we need your help to assess and secure it!

Is there something you want everybody to know – some good advice for our readers maybe?

Please do not succumb to the hype. Start with the basics, build a security culture with people from operations. This new appliance is probably not gonna save you 😉

A prediction for the future – what do you think will be the next innovations or future downfalls when it comes to your field of expertise / the topic of your training in particular?

All industries already perform extensive risk management, let’s help them include cybersecurity threats and I’m sure the security level will improve.

Arnaud Soullié (@arnaudsoullie) is a manager at Wavestone. For 9 years, he has been performing security audits and pentests on all types of targets. He specializes in Industrial Control Systems and Active Directory security. He has spoken at numerous security conferences on ICS topics: BlackHat Europe, BruCon, 4SICS, BSides Las Vegas, DEFCON.

He is also the creator of the DYODE project, an open-source data diode aimed at ICS.

Threats and Solutions for Supply Chain Attacks in IT – DeepSec conference sheds light on the concatenated logistics of information technology.

On the web you can find videos of very sophisticated constructions of many dominoes. If you knock over one domino, a whole cascade of breathtaking actions follows. The domino effect in your own IT infrastructure is much less entertaining. Even there, everything usually begins harmlessly with a small action – reading a message, forwarding a document, accessing a web server or receiving a short message from a supposed employee. It becomes particularly exciting when the dominoes are your own suppliers and business partners. This year’s DeepSec Security Conference offers rich content to analyze the interwoven situation of today’s companies and organizations.

In networks you need to trust

In theory, there is always an outside and an inside. Doors, network filters, access. Data management knows this approach. In all IT architectures, therefore, a division always takes place, which ultimately also maps the security zones. Outside often means untrustworthy. Once data, persons or activities have completed a series of security checks, they are considered trustworthy. This condition often remains unchanged because no further or at least fewer tests are performed. Trust is spreading. If you combine these elements through business relationships, you build your own personal street of dominoes. The more complex the processes, the more stones are on the table. A mix of service providers and outsourcing exponentiates the danger. Attackers now only have to pick the right domino to collapse the whole set up.

In the past 12 months, several attacks on suppliers affected the European aviation group Airbus. The group was attacked via smaller companies, apparently exploiting the relationship of trust. Security measures are not equal or the same in every company simply because of the different budgets in organizations. But size can also be deceiving, because the mere presence of data on a cloud platform doesn’t say anything about security. Business life is thus dominated by domino chains, at least from the point of view of information security.

Overview beats size of an organization

No hasty conclusions about supply chains and their importance for security should be drawn now, even if conclusions based on incomplete knowledge are currently fashionable. The size of a company or its budget for security is no guarantee against incidents. Of course, attackers always try to take the most efficient route to reach their destination. With smaller companies, there are many more ways to push the button. The best countermeasure is to clarify your own dependencies and to have a very good eye on them. As mentioned at the beginning, it is not possible to work without trust. Nevertheless, one should start with as few unaudited assumptions as possible when it comes to internal and external trust relationships.

This is why November’s DeepSec IT Security Conference offers a range of training sessions and lectures to help you to better understand your own dominoes. The two-day trainings specifically teach dealing with threats. In his training, Xavier Mertens demonstrates how to recognize threats by analyzing freely available data, to isolate them and to come up with results. In the technical training by Davy Douhine and Guillaume Lopes, mobile devices are disassembled into their logical components from the point of view of information security; in Dawid Czagan’s training, the same is done with modern web applications. Both technologies are part of all domino chains in all sectors of the economy.

Lior Yaari’s device development training for the Internet of Things (IoT) is about pitfalls in product development and testing of IoT components. Arnaud Soullié teaches about weaknesses of Industrial Control Systems, which can be found in industrial plants throughout Europe and around the world. Peter Manev and Eric Leblond provide their expertise in the field of intrusion analysis in networks in their training. Both are renowned experts who have been analyzing and detecting traces of attacks and anomalies in data transfers for more than 10 years.

And last but not least, Thomas Fischer and Craig Jones offer their practical experience in dealing with the most important steps in an emergency when a group of attackers has already set foot in your own infrastructure – or that of your supplier. Their training is focused on measures of information gathering, the finding of weak points in your own infrastructure, the course of the break-in and the detection of its traces.

Courage for technical understanding is essential

IT security, like information technology itself, struggles with the complexity of the hardware and software used. When collecting the necessary experience and learning the necessary knowledge, unfortunately, technical relationships are often omitted. However, these are an important tool to be able to correctly assess the technologies used in your own company and among your partners. Today, you may not know exactly why a plane flies and how a car drives, but an examination of the respective topics inevitably requires knowledge of the technology. For this reason, the DeepSec conference has been titled In-Depth Security Conference since its founding, because security is always about details, never superficialities. The DeepSec conference attaches great importance to the expertise of trainers and lecturers, and it also supports research and teaching in order to provide new insights to the business community. Take the opportunity and don’t be a domino.

Programs and booking

The DeepSec 2019 conference takes place on 28 and 29 November. The DeepSec trainings will take place on the two previous days, the 26th and 27th of November.

The venue of the DeepSec event is The Imperial Riding School Vienna – A Renaissance Hotel, Ungargasse 60, 1030 Vienna.

Tickets for the DeepSec conference itself and the trainings can be ordered at any time at

DeepSec 2019 Training: Mobile Hacking – Davy Douhine and Guillaume Lopes

Guillaume Lopes and Davy Douhine, senior pentesters, will share many techniques, tips and tricks with pentesters, bug bounty researchers or just the curious in a 100% “hands-on” training.

Their goal is to introduce tools (Adb, Apktool, Jadx, Androguard, Cycript, Drozer, Frida, Hopper, Needle, MobSF, etc.) and techniques to help you to work faster and in a more efficient way in the mobile ecosystem. This is exactly the training that you would have liked to have before wasting your precious time trying and failing while testing.

Two days based mainly on practical exercises:
– Day 1: Android Hacking
– Day 2: iOS Hacking

Main topics of the training are based on the fresh OWASP MSTG (Mobile Security Testing Guide):
– Review the codebase of a mobile app (aka static analysis)
– Run the app on a rooted device (to check data security issues)
– Inspect the app via instrumentation and manipulate the runtime (aka runtime analysis)
– MiTM all the network communications (aka inspect the traffic)

A VM will be provided to the attendees with the pre-installed tools to cover most of the labs.

We asked Davy and Guillaume a few more questions about their training.

Please tell us the top 5 facts about your training.

1. It’s a hands-on training! Less talk and more exercises.
2. The goal is to learn techniques that you can apply in real use cases.
3. There is content for 3 days so attendees will have exercises to do later if they want to go deeper.
4. We’ll provide a VM set up with essential tools to assess the security of Android and iOS mobile apps.
5. iOS exercises are based on the famous Corellium virtualization solution.

How did you come up with it? Was there something like an initial spark that set your mind on creating this talk / course?

We started to introduce mobile hacking training as a chapter of our Advanced Pentesting workshop given at DeepSec last year. Then we’ve made a full training focused on this subject and gave it privately and at Hack In Paris in 2019.

Why do you think this is an important topic?

Mobile Security Testing is a quite recent subject in the very broad security testing field and the increase of the mobile usage will accelerate the need for the security testers but also the makers to shift towards this subject. Mobile risks are slightly different from traditional IT risks and a mobile ecosystem implies a completely different set of tools and techniques to be correctly tested.

Is there something you want everybody to know – some good advice for our readers maybe?

Unfortunately during the last years testers and makers had to struggle to find fresh and usable information. As a result, when dealing with mobile pentests, testers often focus on an extremely narrow spectrum of what could be really tested: they launched BurpSuite or ZAP (hoping that the app they assessed didn’t use certificate pinning) and analyzed the network communications and the distant API. But there’s also hope: one year ago the OWASP foundation disclosed the first official version of the OWASP Mobile Security Testing Guide. Clearly a game changer, this guide, released together with the Mobile AppSec Verification Standard and a checklist, has instantly become a reference by giving -for free- a step by step cookbook to help people check each important corner in mobile apps.

A prediction for the future – what do you think will be the next innovations or future downfalls when it comes to your field of expertise / the topic of your training in particular?

Bad guys evolve and the threats don’t spare mobiles. White hats and developers should also be aware of the right ways to secure apps and assess them: this workshop’s aim is to train attendees to assess iOS and Android application security level on their own.


Davy Douhine (@ddouhine), founder of RandoriSec, an infosec company, has been working in the information security field for almost fifteen years. He mainly works for financial, banks and defense key accounts doing pentests and holding trainings to help them to improve their security. He enjoys climbing rocks in Fontainebleau or in the Bourgogne vineyards and practices Brazilian jiu-jitsu.





Guillaume Lopes (@Guillaume_Lopes) is a pentester with 10 years of experience in different fields (Active Directory, Windows, Linux, Web applications, Wifi, Android). Currently working as a Senior Penetration Tester at RandoriSec he is also a member of the Checkmarx Application Security Research Team. He likes to play CTF (Hackthebox, Insomni’hack, Nuit du Hack, BSides Lisbon, etc.) and gives a hand to the Tipi’hack team.

The Internet of Facts and Fear in IT Security – The DeepSec and DeepINTEL conferences unveil their programmes – bits, bytes, security and geopolitics

“No man is an island.” This quotation is from the English writer John Donne. While the phrase became famous in the 17th century, it takes on an entirely different meaning in the digital age. The modern version would rather be: there are no islands left. More and more areas of everyday life and society are connected. This year, the DeepSec and DeepINTEL security conferences therefore want to take a sober look at the Internet of facts and at fear from the perspective of information security. At present, systems are less isolated and far more complex than is reasonable from a security point of view. DeepSec is therefore devoted to new technologies and their vulnerabilities over two days of talks and trainings. In parallel, the DeepINTEL seminar will discuss the relationship between geopolitics and IT security using examples of incidents.

The Internet of Attacks replaces the Internet of Things

You notice it as soon as you connect a system to the Internet. Interesting or vulnerable targets are attacked immediately. And the same is true when sensors, devices or actuators (the “things” of the Internet of Things) are connected to a network. This year, the DeepSec talks will try to establish a link between different aspects of IT security in this context. Mobile devices have always been under threat. Today’s wireless technologies are based on data. No wonder, then, that Luca Melette explains attacks on mobile systems exclusively by way of the Internet Protocol. Aleksandr Kolchanov will show how to compromise and read out certain mobile devices en masse. Lior Yaari will share his experience in the field of automotive engineering. He has analysed components of future cars that are not yet on the market but already in development. Lior will report on the weak points of technologies that we may encounter on our roads in a few years.

Training with security experts

Every year, the DeepSec conference offers continuing education by security experts for the experts in your company. The exchange of knowledge is the basis of any good defence, and not only in the digital world. Because of the short lifespan of information technology, each person’s level of knowledge and continuing education are decisive for coping with attacks and constant connectivity. The programme therefore offers three different workshops showing how to handle attacks. Xavier Mertens will explain the dangers of Open Source Security. He will use publicly accessible sources to explain how to deal with them and how to set up internal processes. He will give examples that make it possible to detect suspicious patterns with the help of case studies.

In their workshop, Peter Manev and Eric Leblond will show how to detect attacks and suspicious processes in a network with the Suricata intrusion detection software. Suricata is easy to set up and offers a great many features. Both trainers are also Suricata developers and provide first-hand details on the software’s internal workings. Participants will also try their hand at creating rules for real network traffic. The training favours a practical approach and is aimed at everyone who works in network security.

In their workshop, Thomas Fischer and Craig Jones show how to handle security incidents and find the traces left by hackers. Here too, the training is based on real cases and real examples of using the right tools.

Technology is not an island either

Often, only the technical point of view is considered when security problems are examined. In information technology, as in other fields, external factors determine certain conditions. The debate on backdoors in digital systems and communication networks, recurring since the 1990s, is a striking example. What began with the encryption of mobile networks and e-mail now continues with 5G, instant messaging and software development. In 2018, the Australian government passed a law that can force technology companies to build backdoors into their products. These predetermined weak points will also be used by hackers.

The mathematics of encryption is unforgiving when it comes to security. Either the communication is secure or it is not. Current trade conflicts affect the IT world just as much and lay the groundwork for the introduction of new technologies in the years to come. Consequently, this year’s DeepSec and DeepINTEL explore the interactions between information security and geopolitical aspects. The presentations at both conferences were chosen to explore this subject in depth. Means of attack, the classification of targets and the conditions for using security measures will be among the topics addressed. We recommend that everyone responsible for security deepen their knowledge in these areas.

Programme and booking

The DeepSec 2019 conference will take place on 28 and 29 November. The DeepSec trainings will take place on the two preceding days, 26 and 27 November.

The DeepINTEL conference will take place on 27 November. To receive the programme, send a request to Tickets are available at

DeepSec and DeepINTEL will take place at the hotel Imperial Riding School Renaissance Vienna – A Renaissance Hotel, Ungargasse 60, 1030 Vienna.

The DeepSec conference programme can be viewed at The DeepINTEL programme can only be made available on request, as it is a private conference.

You can order your tickets for the DeepSec conference, DeepINTEL and the DeepSec trainings at

DeepSec 2019 Talk: What’s Wrong with WebSocket APIs? Unveiling Vulnerabilities in WebSocket APIs – Mikhail Egorov

The WebSocket protocol is many times more efficient than HTTP. In recent years we can observe that developers tend to implement functionality in the form of WebSocket APIs instead of traditional REST APIs that use HTTP. Modern technologies and frameworks simplify the building of efficient WebSocket APIs. We can name GraphQL subscriptions or WebSocket APIs supported in Amazon API Gateway.

WebSocket APIs have a different security model compared to REST APIs, resulting in unique attack vectors. Nevertheless, developers rarely take them into account.

WebSockets in browsers do not use the same-origin policy (SOP) concept; their security model is based on an origin check. Out-of-the-box WebSockets provide no authentication and authorization mechanisms. The WebSocket protocol is stateful and has two main phases: a handshake and a data transfer phase. Most of the time authentication and authorization logic is implemented in the handshake phase, while the subsequent data transfer doesn’t have such mechanisms. Usually, this leads to severe security issues.

We will talk about CSRF issues, authorization bypass and IDOR issues, found in real web applications and disclosed through Bug Bounty programs.
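
The two phases described in the abstract can be checked on the server side as follows. This is an added example, not code from the talk or from any real application: it contrasts a handshake that trusts the session cookie alone with one that also enforces an exact-match Origin allowlist, and it re-checks the session and object ownership on every message. The host names, the `sid` cookie, the session store and the room ids are all constructed assumptions.

```javascript
// Added example (not from the talk). Hosts, cookie name, session ids and
// room ids are constructed for illustration.
const ALLOWED_ORIGINS = new Set(['https://app.example.test']);

// Constructed session store: session id -> user, expiry time, owned rooms.
const SESSIONS = new Map([
  ['sess-alice', { user: 'alice', expires: 2000, rooms: new Set(['room-1']) }],
]);

// Parse a raw HTTP upgrade request; header names are lower-cased.
function parseUpgrade(raw) {
  const [requestLine, ...lines] = raw.split('\r\n');
  const [method, target] = requestLine.split(' ');
  const headers = Object.create(null);
  for (const line of lines) {
    const idx = line.indexOf(':');
    if (idx > 0) headers[line.slice(0, idx).trim().toLowerCase()] = line.slice(idx + 1).trim();
  }
  return { method, target, headers };
}

function cookieValue(cookieHeader, name) {
  for (const part of (cookieHeader || '').split(';')) {
    const [key, ...rest] = part.trim().split('=');
    if (key === name) return rest.join('=');
  }
  return null;
}

function liveSession(sid, now) {
  const session = SESSIONS.get(sid);
  return session && session.expires > now ? session : null;
}

// Weak handshake: trusts the cookie alone. Browsers attach cookies to
// cross-site WebSocket handshakes, and SOP does not block the connection.
function weakHandshake(raw, now) {
  const { headers } = parseUpgrade(raw);
  const sid = cookieValue(headers.cookie, 'sid');
  return liveSession(sid, now) ? { ok: true, sid } : { ok: false, reason: 'no session' };
}

// Hardened handshake: exact-match Origin allowlist before the session lookup.
// Origin protects browser users; non-browser clients can set any Origin, so
// the session check and the per-message checks below are still required.
function strictHandshake(raw, now) {
  const { method, headers } = parseUpgrade(raw);
  if (method !== 'GET' || (headers.upgrade || '').toLowerCase() !== 'websocket') {
    return { ok: false, reason: 'not a websocket upgrade' };
  }
  if (!ALLOWED_ORIGINS.has(headers.origin)) {
    return { ok: false, reason: 'origin not allowed' };
  }
  const sid = cookieValue(headers.cookie, 'sid');
  return liveSession(sid, now) ? { ok: true, sid } : { ok: false, reason: 'no session' };
}

// Data transfer phase: re-validate the session and check that the referenced
// object belongs to the caller on every message, not only at handshake time.
function authorizeMessage(sid, rawMessage, now) {
  const session = liveSession(sid, now);
  if (!session) return { ok: false, reason: 'session expired' };
  let msg;
  try {
    msg = JSON.parse(rawMessage);
  } catch (err) {
    return { ok: false, reason: 'malformed' };
  }
  if (!msg || msg.action !== 'read' || typeof msg.room !== 'string') {
    return { ok: false, reason: 'unsupported' };
  }
  if (!session.rooms.has(msg.room)) return { ok: false, reason: 'not owner' };
  return { ok: true, user: session.user, room: msg.room };
}

// Constructed handshake as a browser would send it from a page at `origin`.
function upgradeRequest(origin) {
  return [
    'GET /ws HTTP/1.1',
    'Host: app.example.test',
    'Upgrade: websocket',
    'Connection: Upgrade',
    `Origin: ${origin}`,
    'Cookie: sid=sess-alice',
    'Sec-WebSocket-Version: 13',
    '', '',
  ].join('\r\n');
}

const crossSite = upgradeRequest('https://other.example.test');
console.log('weak  :', weakHandshake(crossSite, 1000));
console.log('strict:', strictHandshake(crossSite, 1000));
console.log('msg   :', authorizeMessage('sess-alice', '{"action":"read","room":"room-2"}', 1000));
```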

We asked Mikhail a few more questions about his talk.

Please tell us the top 5 facts about your talk.

  • WebSocket is a super efficient protocol for communication.
  • Over the years we observe increasing usage of WebSocket API and protocols based on WebSockets instead of traditional REST API and HTTP.
  • The security model of WebSocket API is different from REST API and quite often misunderstood by developers.
  • Security researchers and bug hunters should give more attention to WebSocket protocol and its applications.
  • I’ll talk about CSWSH, authentication and authorization logic bypass, and IDOR vulnerabilities I’ve found in real web applications.


How did you come up with it? Was there something like an initial spark that set your mind on creating this talk?

I’m a full-time bug hunter, and I observe WebSocket API participating in Bug Bounty programs. In my talk I want to share my unique experience and some ideas regarding how to test the security of WebSocket API.


Why do you think this is an important topic?

WebSocket API becomes more and more widespread. All major browsers support WebSocket protocol. Major cloud providers (AWS, Google, Azure) added support for WebSockets on their platforms recently as well. Protocols such as WAMP and STOMP built on top of WebSocket protocol are quite popular. At the same time there are “grey” areas related to WebSockets protocol security that are not well-understood by developers, like the origin-based model, authentication and authorization, or the reverse proxying of WebSocket connections.

Is there something you want everybody to know – some good advice for our readers maybe?

My talk will be interesting in particular to pentesters, bug hunters, application security experts and developers. I created WebSocket challenge on You can come and try to hack it. There will be more challenges soon. During the talk I’ll explain the intended solutions.


A prediction for the future – what do you think will be the next innovations or future downfalls when it comes to your field of expertise / the topic of your talk in particular?

I hope to see more great research and unique vulnerabilities related to WebSocket security in the future.


Here you can find CTF challenges related to Mikhail’s talk:

Good luck!


Whitehat, security researcher, bug hunter, conference speaker. Active on Bugcrowd and H1 platforms. Researching security of clouds, web and mobile applications. Acknowledged by Microsoft, Adobe, RedHat, SAP, AT&T, Atlassian, Uber, Netflix, Tesla, General Motors, Western Union, Sophos, Netgear, etc. for reported vulnerabilities. Gave technical talks at LevelUp, Troopers, Hack In The Box, Hacktivity, ZeroNights, PHDays, and HighLoad conference.

DeepSec 2019 Talk: “The Daily Malware Grind” – Looking Beyond the Cybers – Tim Berghoff, Hauke Gierow

Given the noise generated around all the “sexy” and no doubt interesting topics like 0days, APT, and nation state-sponsored threat actors it is easy to miss what is really going on out there, in the world of Joe Average. Actual telemetry data paints a picture that is in many respects different from what happens in a lot of the news coverage. Much of the malware out there, including some that is attributed to some sort of APT, is nowhere near anything that might be considered “sophisticated”. In this talk we will shine a light on different aspects of the realities of home users as well as companies, and offer some interesting data about the malware that actually does the most damage, while precious few get all the press.

We asked Tim and Hauke a few more questions about their talk.


Please tell us the top 5 facts about your talk.

We will take a look at what happens beyond the media frenzy. This should allow us a glimpse into the real daily grind of the malware industry. There will be some over- and maybe rather underwhelming revelations. We will break down some of the internal workings of the malware industry and defuse a couple of myths that are still being propagated in the public.


How did you come up with it? Was there something like an initial spark that set your mind on creating this talk?

Following our talk after DeepSec 2018 “How not to get the Cybers”, we were wondering what we could do to dive deeper into the topic of media coverage versus actual events. In early 2019, we received some new telemetry data about types of malware that were woefully underreported in the public. This gave us the idea of looking into the topic further and continue last year’s talk by expanding on who is getting all the press compared to what is going on in the background.


Why do you think this is an important topic?

There is a general tendency to always pay attention to “latest and loudest”. While this may be a valid approach in some cases, it tends to distract from the fact that stories go on even after they have faded from mainstream headlines. We want to change this.


Is there something you want everybody to know – some good advice for our readers maybe?

To correct one’s own misconceptions about users. Some really try to install malware really hard.


A prediction for the future – what do you think will be the next innovations or future downfalls when it comes to your field of expertise / the topic of your talk in particular?

George Santayana once said “Those who cannot remember the past are doomed to repeat it”. This quote, while close to 60 years old, is now more current than ever, especially in the infosec community. As many tend to focus on what is in front of them – as they should – they easily forget what lies behind them. And more often than not, past news that seemed long forgotten comes back to haunt us.


Tim is a Security Evangelist at G DATA Software AG and frequently speaks about security at conferences and gatherings. He previously consulted companies and the public sector on IT-security questions.








Hauke is a spokesperson for G DATA Software AG. Before, he worked as a journalist with as well as Head of Internet Freedom Desk at Reporters Without Borders Germany and a China Think Tank in Berlin.

DeepSec Scholar Program – Call for Applications

DeepSec has a past of supporting research projects and the researchers themselves. For 2019 and the years to come we have teamed up with partners to foster research in information security. We already support the BSidesLondon Rookie Track, support the Reversing and Offensive-oriented Trends Symposium (ROOTS), publish the DeepSec Chronicles, and support individuals in their research. Now we want to go one step further.

Purpose: To encourage research by young professionals and academics on new and emerging cyber security issues, information security, new ways to use technology, defence, offence, and weaknesses in hardware/software/designs.

Suggested Topics: Vulnerabilities in mobile devices, vulnerabilities in IoT, advances in polymorphic code, software attacks on hardware wallets, side channel attacks, hacking industrial control systems and smart cities, quantum and post quantum computing, penetration testing – defining what it means and standardization, and related topics. Let your creativity run free.

Application Requirements:

  • Submit a proposal with a unique cybersecurity related topic in paragraph or outline form
  • CV / Resume
  • One paragraph on how your research will advance or contribute to the research and understanding of your topic and your own professional interests
  • Confirmed availability to attend and speak at the DeepSec Conference in November; talk slots are 45 minutes + 5 minutes of Q&A so plan accordingly
  • Applications must be received by 31 January 2020 to

Scholar Benefits:

  • Work will be published in DeepSec Journal “In Depth Security: Proceedings of the DeepSec Conferences”; Published works for this section of the journal are expected to be more raw, cutting edge research ideas, as a precursor to a future peer reviewed work. The published work will be guided by the Scholar Mentors but not subject to full peer review.
  • Opportunity to present at DeepSec Conference
  • Six months of mentorship and assistance in research from DeepSec Scholar Mentors
  • Full admission ticket including lodging for DeepSec Conference held in Vienna, Austria
  • EURO 5.000 for travel and research costs. Half paid 31 July, second half paid week of DeepSec Conference
  • Mentors will work with Scholars on a defined timeline for mentoring sessions, research drafts, any in-person meetings or discussions, and final paper submission dates


René Pfeiffer

  • Background in physics, system administration, and software/infrastructure design
  • Working in the field for over 20 years
  • Teaches secure design, secure coding, and information security

Jim Swiatko

  • More than ten years in cybersecurity with a focus on data protection
  • Has worked in both consulting and executive roles
  • Licensed attorney with experience in writing, reviewing and negotiating highly technical contracts related to software and hardware as well as international legal review of varied laws affecting data transfer and privacy

** Currently accepting interest from seasoned professionals for a third Mentor position

ROOTS 2019 Invited Talk: Please, Bias Me! – Pauline Bourmeau

Anyone doing research, audits, code reviews, or development will most probably use her or his brain. Have you ever considered what can influence your decisions and thinking processes? We asked Pauline Bourmeau to explain and to share her thoughts on this matter.

Cognitive bias influences our decisions and affects many parts of our daily life. We will explore how it affects our security responses, and how we can identify it and be more effective. From Red-team to Forensic experts to incident responders, we see what we expect to encounter in our field, based on our range of past experiences. Adversary tactics make gold out of these loopholes in our predictable thinking.

This talk aims to invite the audience to step back from our daily routine and challenges us to understand what cognitive bias is. We will show how our thinking process may lead us to make mistakes that change the reality we perceive and create illusions.

The goal is to provide a guide of tricks to use to learn to be more careful; fact checking our decision processes and creating space for training these skills without disrupting your team work.


Working as a Threat analyst at a small French business, Cookie has spent a long time fixing languages and bikes with very little money and great ingenuity, squatting university benches and corrupting teachers for beers. She runs with friends the Parisian DEF CON Group DC11331.

DeepSec 2019 Workshop: Attacks on the Diffie-Hellman Protocol – Denis Kolegov & Innokentii Sennovskii

This workshop is a hands-on task-based study of the Diffie-Hellman protocol and its modern extensions focusing on vulnerabilities and attacks. It is not a full day training, but it will be held during the conference. Everyone interested in applied cryptography and attacks connected to these topics should attend. Seats are limited!

Some of the topics that will be highlighted:

  • Diffie-Hellman key exchange
  • Elliptic-curve Diffie-Hellman
  • Variants of Diffie-Hellman protocol: Ephemeral, static, anonymous, authenticated Diffie-Hellman
  • X3DH, Noise and SIGMA protocols
  • Forward secrecy and post-compromise security
  • Small-subgroup attack
  • Pollard’s rho and lambda algorithms
  • Invalid curve attack
  • Curve twist attack
  • Protocol attacks (MitM, replay, KCI, UKS)

  • Small subgroup attack against multiplicative group DH
  • Invalid curve attack against ECDH
  • Twist attack
  • KCI attack

Key Takeaways

  • Learn about Diffie-Hellman key exchange
  • Learn about applying Diffie-Hellman in modern protocols
  • Hands-on experience in implementation of the classic attacks

Target Audience
Anyone who has a strong interest in cryptography and prefers a “learning by doing” approach. The workshop is suitable for software developers, penetration testers, reverse engineers, quality assurance engineers and students. No specific background or explicit knowledge of group theory or number theory is required. Attendees should be familiar with Python or Golang. Some experience with programming or hacking is recommended.

Skill Level

What Students Should Bring
A laptop prepared with Python 3, Sage, Docker and Golang 1.12.



Innokentii Sennovskii has 5 years of information security experience primarily in the fields of reverse engineering and system programming. He is a senior computer forensics specialist at BiZone LLC and a visiting lecturer at Harbour.Space University for Technology and Design (Barcelona, Spain). His primary interests lie in the fields of cryptography, reverse engineering, and exploitation. He discovered a vulnerability in Intel CPUs (Meltdown Variant 3a, CVE-2018-3640). Innokentii is a part of LCBC CTF team; before joining BiZone, he won first place as part of this team in CTFZone competition. This year he won Insomnihack CTF as a part of the LCBC team. He was also placed second in PHDays VI car hacking competition as well as the latest PHDays’ HackBattle competition.


Denis Kolegov is a principal security researcher at BiZone LLC and an associate professor of Computer Security at Tomsk State University. His research focuses on network security, web application security, cryptography engineering, and covert communications. He holds a PhD and an associate professor degree. Denis presented at various international security conferences including Power of Community, Area41, SecurityFest, Zero Nights, Positive Hack Days, InsomniHack, and SibeCrypt.

DeepSec 2019 Talk: What Has Data Science Got To Do With It? – Thordis Thorsteins

In this talk I want to shed some light on data science’s place within security. You can expect to learn how to see through common data science jargon that’s used in the industry, as well as to get a high level understanding of what’s happening behind the scenes when data science is successfully applied to solve complex security problems.

The talk is aimed at anyone who’s been curious or had questions about the rise of things like “machine learning” or “big data” in the context of security. No prior data science knowledge is required.

We asked Thordis a few more questions about her talk which will be held at DeepSec 2019.


Please tell us the top 5 facts about your talk.

  1. It will give an insight into the exciting (and sometimes terrifying) world of data science and into its applications in cyber security. After this talk buzz words such as “machine learning” will sound a lot less cryptic.
  2. It will provide the audience with practical tools to decode statements that rely on data science jargon. Think “Our cutting edge AI solution will solve [insert your favourite security problem here]”.
  3. It is based on a shorter talk that I presented at BSides London earlier this year.
  4. No previous data science knowledge is required from attendees.
  5. It might include a live demonstration of how easy creating a model can be and that this is not where the true value lies.


How did you come up with it? Was there something like an initial spark that set your mind on creating this talk?

Terms like “artificial intelligence” and “data driven” are used casually with all sorts of meanings. In many cases the objective seems to be to impress while giving little to nothing away. This can be quite deceiving but there are simple techniques that anyone can apply to see through it. The idea of this talk came about as I wanted to make such techniques available to the security audience.


Why do you think this is an important topic?

Because ML, AI etc. are powerful tools, but are only useful when applied correctly and are by no means magical solutions that will solve any given problem (like coverage often makes them sound like they are). It’s important to be able to see through claims that rely heavily on these without further explanations (not just for data scientists) – both in security and more generally in a world where data science plays an increasingly large role.


Is there something you want everybody to know – some good advice for our readers maybe?

Data science is more accessible than you might think. You don’t need to be a data scientist to grasp the key concepts that matter for people that work in a field where data science is applied widely. Don’t tell too many people though – us data scientists still like to feel special.


A prediction for the future – what do you think will be the next innovations or future downfalls when it comes to your field of expertise / the topic of your talk in particular?

Defining a problem correctly and well enough so that a model can be developed to solve the problem is currently a complex part of the overall process. I think that in the future machines will become better at suggesting meaningful problems (meaningful being the key part here) that we could solve given the data we have access to. This could prove very useful when it comes to tackling big problems of the world. Complex problems often require innovative thinking and a machine that has a lot more memory than a person does is well equipped to look into a wide range of ideas before coming up with an ideal suggestion.


A background from mathematics and an interest in computer science led me into a field that sits nicely in the intersection of the two – data science. Before applying data science to security I worked in risk management, but a year and a half ago I joined Panaseer where I work with the rest of the team to derive useful insights for customers from their security data.

DeepSec 2019 Talk: Techniques and Tools for Becoming an Intelligence Operator – Robert Sell

In this talk at DeepSec 2019, Robert will introduce the various operations that Trace Labs has performed to help illustrate Open-Source Intelligence (OSINT) techniques used in finding details on real human subjects. Trace Labs is a non-profit organization that crowdsources open source intelligence to help law enforcement find missing persons. Trace Labs is non-theoretical and its members are conducting OSINT on real people. Robert lifts the curtain on successful OSINT techniques that can be used to pull up important information on individuals. Many of the slides show specific tools and techniques that can immediately be used to improve your OSINT results.

The talk starts with a brief introduction to Trace Labs and its mission of helping law enforcement through crowdsourced open source intelligence. It then moves into a technical discussion on how to set up and operate. The presentation includes real world examples of subjects that the Trace Labs team searched for. It will also go over the tools and techniques used to find valuable details on subjects. Various tools are recommended and shown as a base, but the techniques are most important, as new and better tools are continually being introduced. Robert will also show various techniques that were used by subjects to evade being detected. Robert will wrap up the talk with the ethical questions around using these techniques so attendees can consider this as they proceed. The talk is for anyone interested in OSINT. It will provide value to everyone, from seasoned intelligence operators to people who just want to OSINT their potential date or tenant.

We asked Robert a few more questions about his talk.


Please tell us the top 5 facts about your talk.

  • Fact One: My talk is the result of monitoring hundreds of people conducting OSINT during the Trace Labs operations.
  • Fact Two: Most people conducting OSINT Operations make the same mistakes.
  • Fact Three: OpSec remains to be an important but often overlooked factor in OSINT Operations.
  • Fact Four: Beginners often get wrapped up in a linear approach to the answer whereas experts follow the path wherever it takes them to collect all sorts of information to eventually achieve actionable intelligence.
  • Fact Five: Results are important. As OSINT Operators, we often get carried away with adventure and forget we must deliver a concise report containing actionable intelligence.


How did you come up with it? Was there something like an initial spark that set your mind on creating this talk?

As the president of Trace Labs (a non profit organization that conducts crowd sourcing to find real missing persons), I see a lot of OSINT operations. Based on this volume, I am in a unique position to report my findings on what I see happening. I felt a need to report this to help our industry.

Why do you think this is an important topic?

OSINT is the first step to all operations. The first thing we want to do is find out more about our target. Conducting efficient and effective OSINT is vital for all InfoSec professionals.

Is there something you want everybody to know – some good advice for our readers maybe?

We are often in a competitive environment. It might be a job interview, a project proposal or maybe just trying to stand out in your company. The advantage often goes to those who are best informed. OSINT can be used to aid anyone wanting to have an advantage in these situations. However, knowing how to be an effective OSINT Operator is important to prevent wasting time.


A prediction for the future – what do you think will be the next innovations or future downfalls when it comes to your field of expertise / the topic of your talk in particular?

The intelligence industry is moving from espionage to the garage. Now we want to know everything about everyone. I predict this trend will continue to become a huge market. It will quickly go commercial allowing me to buy whatever information I want on anyone and receive this in real time via augmented reality. For example, I will be able to look at you and pull up all your information as I speak to you. This will allow us to make faster decisions and likely lead to automated decisions. We talk about AI as though it will be a singular creation but I predict it will rather be a blend of technologies that is born from our drive to know more.



Robert is the founder and president of the Trace Labs Organization which organizes crowdsourced OSINT for locating missing persons. Robert defines Trace Labs as the catalyst which will change the industry and how we solve problems at a larger scale. Robert is also Senior IT Manager in the aerospace industry. He works at an international level and spends most of his time managing information security teams. While these teams focus on traditional risk mitigation, most of Robert’s focus is on finding better ways of securing the business. Robert has spent an increasing amount of time building defenses against social engineering. He has spoken about the rising social risk at numerous events and on different security podcasts.
In 2017 and 2018 he competed at the Social Engineering Village Capture the Flag contest. He was placed third in this contest (both years) and since then has been teaching organizations how to defend against social attacks and how to reduce their OSINT footprint. In 2018 he actually managed a CTF while participating in a CTF at Defcon Vegas.
Robert is also a ten year volunteer with Search & Rescue in British Columbia, Canada. In his SAR capacity, Robert is a Team Leader, Trainer, Marine Rescue Technician, Swift Water Technician and Tracker.