ROOTS 2019 Talk: Automatic Modulation Parameter Detection In Practice – Johannes Pohl

Internet of Things (IoT) devices have to be small and energy efficient so that resources for security mechanisms tend to be limited. Due to the lack of open source or license free standards, device manufacturers often use proprietary protocols. Software Defined Radios (SDR) provide a generic way to investigate wireless protocols because they operate on nearly arbitrary frequencies, but they output sine waves that have to be demodulated. This demodulation process slows down security investigations because it forces researchers to start on the physical layer while the real reverse-engineering is performed on the logical layer.

We contribute an auto-detection system that estimates all demodulation parameters of a wireless signal and, additionally, explicitly returns all these parameters so that they can be fine-tuned afterwards. This allows security researchers to skip the physical layer and work with the bits and bytes instead of sine waves. The contributed system is evaluated with both simulated signals and ten real-world signals captured from various IoT devices with SDRs. Furthermore, we show how parameters can be estimated during recording time and evaluate this technique by attacking an AES secured wireless door lock. Our solution is available as part of the open source software Universal Radio Hacker and follows the ergonomic philosophy of the main application.


Johannes Pohl studied Computer Science at the University of Applied Sciences Stralsund and received his Master of Science in 2013. Since then he works there as a PhD student and conducts research in the area of Location Privacy and Wireless Security. He worked for two years in DevOps research at Boreus Data Center, Germany. Since March 2017 he works as a Scientific Co-Worker at the University of Applied Sciences, Stralsund.

ROOTS 2019 Talk: Harzer Roller: Linker-Based Instrumentation for Enhanced Embedded Security Testing – Katharina Bogad

Due to the rise of the Internet of Things, there are many new chips and platforms available for hobbyists and industry alike to build smart devices. The software development kits (SDKs) for these new platforms usually include closed-source binaries comprising wireless protocol implementations, cryptographic implementations, or other library functions, which are shared among all user code across the platform. Leveraging such a library vulnerability has a high impact on a given platform. However, as these platforms are often shipped ready-to-use, classic debug infrastructure like JTAG is often times not available.

In this paper, we present a method, called Harzer Roller, to enhance embedded firmware security testing on resource-constrained devices. With the Harzer Roller, we hook instrumentation code into function call and return. The hooking not only applies to the user application code but to the SDK used to build firmware as well. While we keep the design of the Harzer Roller’s general architecture independent, we provide an implementation for the ESP8266 Wi-Fi IoT chip based on the xtensa architecture.

We show that the Harzer Roller can be leveraged to trace execution flow through libraries without available source code and to detect stack-based buffer-overflows. Additionally, we showcase how the overflow detection can be used to dump debugging information for later analysis. This enables better usage of a variety of software security testing methods like fuzzing of wireless protocol implementations or proof-of-concept attack development.


There’s nothing much to say about myself, I’ve spent my school years hacking and reverse engineering Pokemon games instead of paying attention in geography, later found out that people actually have hacking competitions where one can capture flags and started participating. Currently I’m pursuing my master’s degree in computer science at TUM and doing what some people apparently call „research“ 😉 as a research assistant at Fraunhofer AISEC.

DeepSec 2019 Talk: 30 CVEs in 30 Days – Eran Shimony

In recent years, the most effective way to discover new vulnerabilities is considered to be fuzzing. We will present a complementary approach to fuzzing. By using this method, which is quite easy, we managed to get over 30 CVEs across multiple major vendors in only one month.

Some things never die. In this session, we’ll show that a huge amount of software is still vulnerable to DLL Hijacking and Symlinks abuse and may allow attackers to escalate their privileges or to DoS a machine. We will show how we generalized these two techniques within an automated testing system called Ichanea, with the aim of finding new vulnerabilities.

Our mindset was – choose software that is prone to be vulnerable: Installers, update programs, and services. These types of software are often privileged. Therefore, they are good candidates for exploitation using symlink or DLL Hijacking attacks. We’re only scratching the surface and we are positive that there are additional attack vectors that could be widely implemented to achieve similar results.

We asked Eran a few more questions about his talk.

Please tell us the top 5 facts about your talk.

  • It is an innovative look into vulnerability searching.
  • Almost anyone with some Windows internals knowledge can do it.
  • Exploit code is straightforward to develop.
  • A lot more than 30 vulnerabilities where discovered, more like 60.
  • There is a blog series in that showcases the research.

How did you come up with it? Was there something like an initial spark that set your mind on creating this talk?

Logical bugs were always an interest of me. So after discovering several vulnerabilities in products with a similar nature, I tried to generalize the issue by creating an automated system.

Why do you think this is an important topic?

Having privilege escalation vulnerabilities often  means an attacker can abuse the domain environment\personal computer as much as he wants since security products are very permissive regarding privileged users.

All the vulnerabilities that were discovered in the research are about escalating your privileges on the Windows platform using security holes in drivers, services, and installers.

Is there something you want everybody to know – some good advice for our readers maybe?

Think before doing every privileged file operation on Windows. There might be a chance it would allow an attacker to escalate her/his privileges. Sometimes getting CVEs and bounty rewards are not that difficult 🙂

A prediction for the future – what do you think will be the next innovations or future downfalls when it comes to your field of expertise / the topic of your talk in particular?

I believe many vulnerabilities similar in nature will pop up soon, hoping it will cause vendors to improve their security standards.

Eran Shimony is a security researcher at CyberArk
Eran has an extensive background in security research, that includes years of experience in malware analysis and vulnerability research on multiple platforms. With a growing interest in logical vulnerabilities he has made lots of disclosures across multiple vendors.

DeepSec 2019 Talk: S.C.A.R.E. – Static Code Analysis Recognition Evasion – Andreas Wiegenstein

Andreas Wiegenstein has expert advise for software security:

Companies increasingly rely on static code analysis tools in order to scan (their) (custom) code for security risks. But can they really rely on the results?

The typical SCA tool is designed to detect security issues in code that were created by accident / lack of skill. But how reliable are these tools, if someone intentionally places bugs in code that are not supposed to be found?

This talk explores several nasty concepts how malicious code could be camouflaged in order to avoid detection by SCA algorithms.

On a technical level, the following concepts are covered

  • covert data flow
  • deep call stacks
  • circular calls
  • source mining
  • counter-encoding
  • data laundering

Based on this, I will provide some code snippets as proof of concept for the audience to test at home.

This talk focuses on general weaknesses of SCA tools. I am not going to point the finger at specific vendors.

We asked Andreas a few more questions about his talk.

Please tell us the top 5 facts about your talk.

  • The talk explains how SCA tools technically work and which compromises vendors have to make.
  • The talk points out general weaknesses in SCA algorithms.
  • The talk does not intend to point the finger at specific vendors.
  • I will show multiple code examples in different languages that trick scanner logic.
  • I will also show how to trick human code reviewers.

How did you come up with it? Was there something like an initial spark that set your mind on creating this talk?

I am engaged in malware research in SAP environments. Since most code in SAP is source code, I came up with the challenge to hide malware from code scanners. Later I expended these techniques to other programming languages.

Why do you think this is an important topic?

Many companies have to deal with vast amounts of source code and limited security budget. They rely on automated code analysis and are therefore vulnerable to SCA evasion techniques.

Is there something you want everybody to know – some good advice for our readers maybe?

If your application security defenses are based on Static Code Analysis alone, you have a problem.

A prediction for the future – what do you think will be the next innovations or future downfalls when it comes to your field of expertise / the topic of your talk in particular?

Next generation malware will be able to trick / bypass code scanners.

Andreas is an experienced SAP security researcher. He discovered a substantial number of zero-days in SAP software and supported development of a market leading ABAP SCA tool. He has spoken at multiple security conferences such as Black Hat, DeepSec, HITB, IT Defense, RSA and Troopers. His current research is focused on malware.

DeepSec 2019 Talk: Security Analytics and Zero Trust – How Do We Tackle That? – Holger Arends

For many years we’ve all been in an arms race, fighting daily against new malware varieties and new attack techniques that malicious actors use to fool us and compromise our systems. Many of us rely on state of the art safeguards and have invested tremendous amounts in defending our systems and networks, yet even so, important data is still leaked or important systems are compromised.

Firewalls, IDS, IPS or SIEM systems are often unable to prevent or detect attacks. Questions are often raised: “why?” and “how?” is it possible these attacks stay undetected for long periods of time, considering the significant investments into cyber security. And so it seems obvious to say that with the introduction of IoT devices, unmanaged BYOD, combined with legacy systems and end to end encryption, the future will be a difficult place to stay safe and secure in.

In late 2017, we asked ourselves the following questions. Is it possible to defend our networks and systems by relying mainly on traffic-related analytics and related prevention? Are we able to achieve knowledge and certainty about endpoints and their associated technologies? Furthermore, does this allow us to distinguish attacks and/or malicious activities from benign activities, even on encrypted channels? We also explored if it was possible for a Telco / Enterprise to integrate such analytics, considering high traffic throughput, into traditional security defences. These questions were and are our motivation to run the project for the last 2 years and we would like to share our insights here at Deepsec 2019.

In our talk, we will brief you about our lessons learned, and discuss

  • Which technologies and practices work well in combination, and where it makes sense to introduce log-less and agent-less security analytics
  • How it looks to combine deep protocol analytics, big data, polyglot persistence and machine learning and what challenges we faced
  • How well the detection and mapping of technologies works on different protocol layers and encrypted sessions
  • What interesting insights we gained about attackers, their tools, tactics and how they utilised infrastructure for their attacks
  • How often a simple handshake reveals the nature of any following data stream
  • What kind of defensive capabilities and safeguard improvements / tunings can be achieved

Finally, we would like to speak about ethics; discussing the potential of DPI and what this means for all of us, ranging from privacy concerns to potential misuse of such technologies against a free society.

Being a lifelong enthusiast for computer security and emerging technologies, Holger started his IT Security career in the German army in 1997. Since then, Holger has continued to strengthen his professional skill set by being involved in many security projects around the globe. While working with industry leaders such as Microsoft, he’s had several years of experience running his own IT Security business. Holger has always been passionate about innovating and developing new security solutions, and this has led him to Telstra where he is the Principal Security Domain Cyber Security expert at the Centre of Excellence, Technology & Innovation. His current role focuses on futuristic and real-world security analytics solutions in the fields of IoT and Cyber Security.

Deconstruction and Analysis of modern IT Threats – DeepINTEL Security Intelligence Conference disenchants Complexity of Security Threats

The modern digital world is constantly threatened. Unfortunately, only a few understand what this actually means. Information security is always presented in distorting stereotypes that have nothing to do with reality. No attack is hammered into a keyboard in minutes. The most dangerous threats can not be detected by watching out for guys in hooded shirts or face masks. Nothing in the digital world can be defused with a simple click. The opposite is the case because domestic and foreign policy have global implications for the digital infrastructure of all organizations. The DeepINTEL Security Intelligence Conference, which takes place every year in Vienna, therefore aims to provide a platform where authorities, businesses, researchers and hackers can productively discuss threats’ characteristics and countermeasures within a closed group.

Striking Examples

Economic espionage is often cited as an example of information threats. Attacks on information systems often have the goal of copying data in order to either deal with them or use them otherwise. Espionage exists at all levels. In May 2019 it became publicly known that one can infect smartphones via WhatsApp calls. Answering the call was not necessary. This vulnerability was exploited by a commercial espionage software produced in Israel. No companies were spied on, but civil rights activists in the Middle East. The software could be unleashed on business executives as well. The customers of the Israeli company are not just located in the Middle East. They are also in western states.

The sticking point is finding vulnerabilities to break or bypass the defence. The knowledge of such gaps is rewarded and traded with a lot of money. The analogy with weapons is obvious, even if there are major technological differences. Malicious code is more related to biological weapons. The attacks by the malicious software Petya and Wannacry in the years 2016 and 2017 underline this thesis, as the exploitation of the vulnerability, which both programs used to penetrate, was most likely developed by the US National Security Agency (NSA). Concrete evidence about the actual escape of the vulnerability is missing. The developed theories range from the action of a whistleblower to perpetrators from Russia. There will be no certainty.

For security officers in companies these speculations play no role. The facts show that the digital world is moving directly in geopolitical areas of tension. It is therefore high time to integrate this fact into internal processes.

Geopolitics has long been Part of corporate Decisions

The economy is often perceived as aloof from politics. This is especially true for digital services. When it comes to streaming, internal document filing, e-mail communication, social media platforms or data filing only a few organizations still have their own infrastructure. Cloudy service providers manage external digital goods. The very popular concept of digital sovereignty loses all meaning when management can no longer say where exactly all company data is located and who manages it. You can not protect anything whose whereabouts you do not know. This applies in particular to prototypes such as the Gaia-X infrastructure proposed by the German Ministry of Economic Affairs. It should provide an alternative to data storage and processing outside the borders of Europe. The core of the matter? Geopolitics has become part of everyday life in the economy. Thus, the software as well as the hardware can becoming entangled in commercial wars – or worse.

The examples illustrate conclusively that business leaders must now finally deal with issues that have hitherto occupied foreign policy and the military. IT security has long since recognized this and created the area of security intelligence. There one deals with the strategic view on threats and the abilities of the opponents against which one must defend oneself. The technical details are armoury but secondary. It is about clarifying the identities, capacities and intentions of opposing organizations that can attack your own data and your own infrastructure. Classic information security provides the tools, but analysts need to piece together the puzzle pieces correctly. This is exactly where the annual Viennese DeepINTEL conference comes in – exchange of insights in a closed group.

Exchange at the living Object

If one wants to talk about real incidents and concrete break-ins, it is advisable to do so in a focused manner within the framework of discussions among experts. The exchange of experience is invaluable and will sustainably improve your defence. The DeepINTEL is such a platform. This year’s focus is on attacks on energy suppliers, infrastructure cut-offs (networks, power), analysis of network traffic to protect autonomous systems, global network intelligence (Internet, Domain Name Service), and the detection of hidden communication channels.

The focus is on the relationships between incidents and the use of certain types of attack. For example, one usually learns from conventional reporting which malicious software has struck. But you learn very little about the actual infection routes, which parts of the infrastructure are affected and what was actually the goal. These details can best be discussed in a closed group with focus on strategy. In the digital world in particular, relationships are often difficult to recognize because the Internet is available globally. The clear classification of perpetrators – whether individuals, organizations or states – is very difficult, if not impossible. Also in these considerations, the DeepINTEL wants to give assistance to all its participants.

The necessary data for a strategic consideration of your own information technology is critical for a meaningful analysis. There are many service providers in the market that combine collected data and and complement it with sensor networks. But nobody can replace your knowledge about your own processes and internal organization. Therefore, the DeepINTEL conference will also discuss the collection, assessment and evaluation of the information already available.

Schedule and Booking

The DeepINTEL Conference will take place on November 27, 2019 in Vienna. We will gladly send you the program upon request to after review. Tickets are available on the website

The venue for DeepSec and DeepINTEL Conference is The Imperial Riding School Vienna – A Renaissance Hotel, Ungargasse 60, 1030 Vienna.

The program of the subsequent DeepSec conference is available at The DeepINTEL program will only be made available upon request because the DeepINTEL is a non-public conference.

Tickets for the DeepSec conference as well as for the DeepINTEL event and DeepSec trainings can be ordered at any time at or via e-mail to

DeepSec 2019 Talk: Saving Private Brian – Michael Burke

This talk will be given as the story of Brian, an aid worker operating in a hostile third country. When he’s stopped going in at the border he had his iPhone taken from him and then returned to him 15 minutes later. Now he can’t be sure if any malware was implanted on his device. Malware that could compromise him, his organisation and anyone who co-operates with him. He needs his phone to do his work but should he stop using it instead? Are all his contacts already compromised? Should he warn them and should he use his phone to do so? And will he and his phone be tracked to any in-person meetings?

iOS malware is rare, advanced and difficult to detect when deployed. I will talk through the above scenario on the basis of the threats that exist, how iOS malware is implanted, what its capabilities are and how it can be detected simply and quickly in future. This will increase the safety and security of the workers we rely on to make the world a better place.

We asked Michael a few more questions about his talk.

Please tell us the top 5 facts about your talk.

It’s a growing (but niche) threat; this is a way to detect it that takes no technical skill on behalf of the user; zero day exploits for iOS can sell for ~$1 million; it’s the first time I’ve given it; I’ll make it interesting!

How did you come up with it? Was there something like an initial spark that set your mind on creating this talk?

I came up with it reading about how sophisticated iOS zero days were being used against NGO workers, dissidents, journalists and other critical roles in our society. I thought that I could devise a new and easy method of detecting something that is very hard and normally involves digital forensic labs

Why do you think this is an important topic?

Lawful and measured iOS malware implants by governments can be a valuable tool to fight crime and terrorism. There are times however that people’s lives may be put at risk from malware implanted on iPhones/iPads by rogue governments, organisations or individuals. I want to help people who are targeted by those bad actors go about their business with safety and security.

Is there something you want everybody to know – some good advice for our readers maybe?

Depending on what you are working in security you may be more likely to be targeted by this type of attack – rare as they are – and just to be aware of that possibility and to take reasonable steps to prevent it (I’m sure as an industry professional you already update your phone soon after every OS release).

A prediction for the future – what do you think will be the next innovations or future downfalls when it comes to your field of expertise / the topic of your talk in particular?

I’m hoping that Checkm8/Checkra1n is released and stable by the time of my talk – it will make jailbreaking for iOS forensics much more interesting! I foresee more talks ahead…

I am Ireland’s most active digital forensic investigator working on a wide variety of cases for Grant Thornton but specialise in MacOS and iOS forensics.
I am an external expert for the EU in cybersecurity funding decisions.
I have lectured at third level, spoken at conferences and briefed the Irish national cybercrime unit on my research in digital forensics.
I hold Masters degrees in both Forensic Computing and International Security Studies.
I am a former member of the Irish national police service as well as a reformed member of the start up world.

DeepSec 2019 Talk: Lost in (DevOps) Space – Practical Approach for “Lightway” Threat Modeling as a Code – Vitaly Davidoff

Threat Modeling is a main method to identify potential security weaknesses, and is an important part of any secure design. Threat Modeling provides a model to analyze how to best protect your assets, prevent attacks, harden your systems, and efficiently prioritize security investment. Regardless of programming language, Threat Modeling provides a far greater return than most other security techniques in the software development life cycle (SDLC) process. Therefore, Threat Modeling should be an early priority in application design process. Unfortunately, it is common knowledge that building a full threat model is always heavily resource intensive, requires a full team of expensive security professionals, takes up far too much time, and is not scalable. This talk will describe modern Threat Modeling methodology and practices that can be fully incorporated into your existing agile process. We will discuss how to architect a robust Threat Modeling framework to be part of an Secure SDLC approach.

We asked Vitaly a few more questions about his talk.

Please tell us the top 5 facts about your talk.

Threat Modeling is a very important process, but not aligned with Agile development process and DevOps paradigm. Security specialists do not scale enough and don’t have time to run Threat Modeling exercises for every new feature or change in design – as a result, in some cases we just skip Threat Modeling or doing it partially. I’ll provide a practical solution to adopt this process into the software development life cycle. I’ll show you how we can use Threat Modeling outputs for automate security activities in the CI/CD pipeline.

How did you come up with it? Was there something like an initial spark that set your mind on creating this talk?

I wanted to share my experience running Threat Modeling exercises in global companies. I’ve learned, that even security experts have a problem with building a mature Threat Modeling process and align it with current development strategies.

Why do you think this is an important topic?

Threat Modeling is the only way to identify potential threats and abuse-cases in design and define countermeasures. If we don’t have this process in place we lean on “intuitive” security. In this case we open a door for potential breaches and as a result, financial penalties and reputation loss.

Is there something you want everybody to know – some good advice for our readers maybe?

Threat Modeling process automation is a practical approach. I believe in “If it works for us – why can’t it work for you? ” – This process is very important, but only a part of a full Threat Modeling process! Feature based questionaries or diagrams will provide a first level for understanding the criticality and will be used as a base for an efficiently prioritized security investment in your project.

A prediction for the future – what do you think will be the next innovations or future downfalls when it comes to your field of expertise / the topic of your talk in particular?

I think, we’ll see Risk Based Security Lifecycle Management systems/frameworks. At least two big vendors working on this approach these days and I hope to see holistic solution very soon (maybe next year … )


I have about 15 + years’ experience as a developer and more than 7 years in the application security field. Applications Products Security Expert at Citi Bank Innovations Lab TLV Israel. In this position I am responsible to provide Application Security solutions for many products, including analyzing security risks in multidisciplinary systems according to the customer system characterization, defining required security controls to handle identified security threats, perform code and design reviews, threat modelling and many other activities.

Certifications: CISSP, CSSLP

DeepSec 2019 Talk: Setting up an Opensource Threat Detection Program – Lance Buttars

Through the use of event detection monitoring and do it yourself monitoring techniques on a Linux Apache PHP MySQL stack, I will demonstrate how you can create different alarms and reporting surfaces that alert you when your application is being attacked. This case study will demonstrate the use of hacking tools as a defense strategy in a corporate network and will cover the story of the detection of insider threats from the internal application point of view. The entire presentation is a hands-on lab that can be used after the presentation as a guide for attendees to set up a Threat Detection program.

We asked Lance a few more questions about his talk.

Please tell us the top 5 facts about your talk.

  • The talk covers ways of discovering insider threats.
  • It’s a starting point for understanding how honey pots work.
  • It’s a great way to go beyond standard threat detection.
  • It’s meant for IT personal who have zero to no budget.
  • It’s designed to be a hands-on lab.

How did you come up with it? Was there something like an initial the spark that set your mind on creating this talk?

I came up with this talk because I wanted to see what I could do using open source tools and techniques when it came to threat detection inside a production environment. My goal was to create a framework for detecting insider threats that would alert me when the system became compromised, or data was leaving my environment.

Why do you think this is an important topic?

I think this topic is essential because a lot of IT shops have limited funding and resources, and the talk guides you through setting up simple, easy to use threat detection techniques to help jump-start a threat detection program.

Is there something you want everybody to know – some good advice for our readers, maybe?

The presentation will be made available after the talk and should provide a type of guide for doing the techniques I will discuss at the presentation.

A prediction for the future – what do you think will be the next innovations or future downfalls when it comes to your field of expertise / the topic of your talk in particular?

I imagine that threat detection will become more standard, and hopefully, more open source tools will be created to help address the need for better threat detection beyond standard IDS / WAF.


Lance works as a software engineer in the payment industry developing software that transfers money between banking systems. He is a founding member of 801 Labs; a hackerspace located in Salt Lake City and is an active member of his local Defcon group DC801. Lance has a BS in Computer Science and a Master’s Degree in Cybersecurity and Info Assurance.

DeepSec 2019 Talk: Oh! Auth: Implementation Pitfalls of OAuth 2.0 & the Auth Providers Who Have Fell in It – Samit Anwer

Since the beginning of distributed personal computer networks, one of the toughest problems has been to provide a seamless and secure SSO experience between unrelated servers/services. OAuth is an open protocol to allow secure authorization in a standard method from web, mobile and desktop application. The OAuth 2.0 authorization framework enables third-party applications to obtain discretionary access to a web service. Built on top of OAuth 2, OpenID Connect is a helpful “identity layer” that provides developers with a framework to build functional and secure authentication systems. OpenID Connect can perform identity authorization and provide basic profile information for different clients, from web and mobile apps to JavaScript clients.

In this race of providing OAuth/Open ID Connect based access to assets, authorization service providers have been forced to release half-baked solutions in the wild because of which relying parties and users face myriad of issues ranging from authorization code compromise (unauthorized resource access) to account takeovers.

The key to adding authorization or Single Sign-On (SSO) measures to your app is to ensure you are balancing security with usability. Developers likely make trade-offs when making decisions about specific implementation – and there are a lot of decisions to make. Developers still want to double down on security to avoid flaws in 2.0, paying attention to things like session management, encryption/obfuscation of stored data and IDs, and securing the source code of an app.

In this work we will discuss common malpractices that relying party devs perform when implementing OAuth/OpenID based relying party solutions. However, all is not in the hands of relying party developers, the authorization service providers have a big role to play as well.

There are mainly 4 entities involved in a typical OAuth setup: relying party/client, user/resource owner, resource provider, and authorization server. In this work, we discuss the goof-ups that each of these entities can introduce with special focus on vulnerabilities that the authorization server can introduce.

The highlight: We present our case study on OAuth authorization providers and detail the issues we found in their solutions. This includes a vulnerability in Microsoft’s authorization server – As can be seen in the PoC video the auth code can be replayed to generate fresh access tokens and id tokens. Moreover, the code verifier is not being validated which can lead to a compromise of the access/id tokens on native apps which use Microsoft’s identity provider –

We asked Samit a few more questions about his talk.

Please tell us the top 5 facts about your talk.

  1. OAuth is an open standard for token based delegated access. It is widely used across platforms and is customizable to a great extent. In this talk we will learn what OAuth is and what it brings to the table. We will go over various grants OAuth offers and identify which one to use when.
  2. The talk also focuses on the security aspects of the protocol and highlights common implementation mistakes made by Client app/relying party and authorization server devs.
  3. In the talk I will be discussing some attacks on OAuth as a result of these mistakes and their mitigation as well.
  4. The talk will cover a demo of a vulnerability I found in Microsoft’s Identity server which results in the attacker gaining access to victim’s resources for as long as s/he likes.
  5. The talk also covers some best practices to reduce damage if access tokens/auth codes leak in order to facilitate defence in depth.

How did you come up with it? Was there something like an initial spark that set your mind on creating this talk?

The spark was a vulnerability I found with Microsoft’s Identity Provider, which had a faulty PKCE implementation because of which the attacker could get life long access to a victim’s resources.

Why do you think this is an important topic?

OAuth is widely used by all platforms including web, desktop and native apps. Its security is a common concern for devs of auth servers, relying parties and end users. This makes it a very suitable and interesting topic to discuss.

Is there something you want everybody to know – some good advice for our readers maybe?

The talk will provide a good overview of OAuth from the need of it to various attacks observed in the wild. For anyone looking to implement or adopt OAuth this is definitely a must attend.

A prediction for the future – what do you think will be the next innovations or future downfalls when it comes to your field of expertise / the topic of your talk in particular?

A lot of work is happening with regards to doubling up on security for OAuth by weaving more layers into the basic OAuth mechanism. Token binding, PKCE and Claimed HTTPS scheme URI redirections are some examples. In the future I would expect some innovative attacks coming forth to counter these defenses.

Samit Anwer is a Web and Mobile Application security researcher. He joined Citrix as Security Engineer soon after completing his Master’s degree from IIIT Delhi in Mobile and Ubiquitous Computing in 2015. He is actively involved with vulnerability research in Web/Mobile apps and has responsibly disclosed several security vulnerabilities with Google Cloud Print API, XSS filter evasion on IE 11/MS Edge, code execution on Microsoft Windows 10, Microsoft’s OAuth 2.0 implementation and buffer overflows on MS Edge/IE 11.

He is an active member of the Null Bangalore Chapter, IEEE community and has spoken on various security topics at the following venues: DEFCON China, Beijing (2018), BlackHat Asia, Singapore (2018), AppSec USA, Orlando (2017), CodeBlue, Tokyo (2017), c0c0n X, Kerala (2017) and Null meets (2015, 2016, 2017, 2018)

His technical interests lie in using static program analysis techniques to mitigate security and performance issues on mobile/web apps, breaking web/mobile apps, and researching on cutting edge authentication and authorization mechanisms.

DeepSec 2019 Talk: Still Secure. We Empower What We Harden Because We Can Conceal – Yury Chemerkin

The launch of Windows 10 has brought many controversial discussions around the privacy factor of collecting and transmitting user data to Microsoft and its partners. But Microsoft was not the first, Apple did it many years ago and there was no public research on how much data were leaked out from MacOS. There is a statement in the Privacy Policy written by Apple: “Your device will keep track of places you have recently been, as well as how often and when you visited them, in order to learn places that are significant to you, to provide you with personalized services, such as predictive traffic routing, and to build better Photos Memories… ‘Everything’ stores in iCloud service”.

Both cases are the same, designed in the same manner and driven by a similar idea to simplify the devices usage. It went even further with iOS and Android OS. Eventually, Microsoft and Apple have boldly described their OS as “the most secure OS ever.”

This research is based on three things: data leaks, hardening, and forensics.

Combining data leaks and hardening gives a data set with a goal and a vision of how to protect a system and make your use cases transparent. Forensics gives us excellent knowledge about valuable device security settings. Empowering the hardening with these anti-forensics techniques in terms of ‘anti-forensics hardening’ of a system makes it transparent what, when and why the whole device or its parts can or can not be accessed. To be entirely sure that all insecure gaps are closed and to verify how secure your system is, there is the option to rely on penetration testing additionally. Further more, we will talk about which insecure services are used to receive tracking data from your system, and which of them can be blocked without breaking the system and user use cases.


This talk will systematically review

  • Pentest to fix gaps of security & privacy. What tools to use and why you should perform pentesting, how to read and use security report.
  • Content Filtering. Mapping rogue sites, analytics and tracking services into granular activities to leverage privacy risks.
  • Easy exploitation & post exploitation. Limits of AV solutions, risk of one vs. many browsers, add-ons & firewalls.
  • Host & On-host network activities monitoring. Disassembling features of big enterprise solutions into lightweight tools and bring it to in-home/small companies.
  • Data Protection. The security & privacy features hidden across different OS editions and builds, plus overlapping features & dependences.
  • On the way to dedicated and centralized manageable solutions. Pentesting of dedicated solutions, automating security, whitelisting (native vs. vendor vs. third-party tools).
  • Profiling and Use cases. The Future of forensically protected OS & devices

We asked Yury a few more questions about his talk.

Please tell us the top 5 facts about your talk.

  • The way how data is transferred directly strongly indicates the way how it is stored on servers
  • Dedicated (self-hosted) solutions prevent a data leakage if you don’t forget to harden your security
  • Forensic solutions give us excellent knowledge about valuable device security settings.
  • Forensic solutions have a hidden love for leaked data sets (with credentials, travel routes, etc.)
  • A real experiment with forensic solutions reveals many unexpected things, especially when it fails to break your security

How did you come up with it? Was there something like an initial spark that set your mind on creating this talk?

Experience in any field is like money-making in your life. At the beginning of a secure life, you have to use cheaper solutions to learn about their substantial background. Doing research gives you a knowledge of why this feature is here, why this protection technique works or doesn’t work, and if there is a correlation between them. Growing up, you tend to add one solution to another to increase your security level and reduce risk until you finish with almost all of them on your servers. Somewhere here, you continue to use cloud solutions, but you’re focused on reducing non-protected data sets and risks levels. Continuing to research you consider your risk level from a time viewpoint: each activity is bound to a time-frame when it actively and passively exists. If everything is supposed to be security, then daily use cases have a reduced risk level whatever you’re doing.

Why do you think this is an important topic?

This topic is aimed to show several things:

  • how to read security bulletins (patch notes, etc.) and release notes of breaking tools
  • how to shift the focus from daily software to forensic ones
  • does it make sense to stay in the cloud or is it better to move on to self-hosted solutions
  • a difference between On tools are bringing security and breaking security into the most real field: forensics vs. security

Is there something you want everybody to know – some good advice for our readers, maybe?

Many articles claim that forensic solutions are perfect in extracting your data and breaking into a system. Even though they are highly effective solutions, they fail when you’re ‘out of the box’ and have uncommon solutions or popular software & hardware that haven’t been supported for many years by forensic solutions.

A prediction for the future – what do you think will be the next innovations or future downfalls when it comes to your field of expertise / the topic of your talk in particular?

I expect a lack of support of many applications and software solutions everyone uses daily; a little shift to several self-hosted solutions, they have become a bit popular. Also, the biggest issue in security now and in the future are services that cannot be limited by the amount data they store like good sellers, travel, and any healthy-ish and sport-ish apps; securing this data sets will be a new challenge.


Yury Chemerkin has ten years of experience in information security. He is a multi-skilled security expert on security & compliance and mainly focused on privacy and leakage showdown. Key activity fields are EMM and Mobile Computing, IAM, Cloud Computing, Forensics & Compliance. He’s published many papers on mobile and cloud security, and speaks regularly at conferences such as CyberCrimeForum, DefCamp, HackerHalted, NullCon, OWASP, CONFidence, Hacktivity, Hackfest, DeepSec Intelligence, HackMiami, NotaCon, BalcCon, Intelligence Sec, InfoSec NetSysAdmins, RootCon, PHDays, etc.

DeepSec 2019 Talk: Chinese Police and CloudPets – Abraham Aranguren

[In our Call for Papers we mentioned that DeepSec and specifically DeepINTEL will have a connection to geopolitics. Well, the following description of a presentation at DeepSec gives you an idea of what we meant.]

This talk is a summary of three different security audits with an interesting background:

First, CloudPets, their epic track record, what we found and what happened afterwards.
Next, two mobile apps by Chinese Police: “BXAQ” and “IJOP”, both related to surveillance of ethnic minorities, but in different ways. Stay tuned.

Part 1: CloudPets

Wouldn’t it be cool, for a parent far from home, to be able to record a voice message with their phone and make the sound come out of a soft toy that children can hug? That’s the idea of CloudPets. Children can even respond directly from the soft toy and communicate with their parents. What could possibly go wrong? Let your imagination go wild and you will still fall short 🙂

Database dumps, blackmailing, ransoms, millions of people affected, our findings and other intrigues, not to be missed!

Part 2: Chinese Police

This part talks about two mobile surveillance apps that Chinese authorities employ to spy on the Muslim minorities of China’s Xinjiang region, the applications: “IJOP” and “BXAQ”. These audits were sponsored by Human Rights Watch (HRW) and the Open Technology Fund (OTF). The Chinese government faced international criticism when the results of these audits became public.

While the audits focused on evidence gathering of the surveillance activities, which will be covered in this talk, we will also discuss some interesting vulnerabilities that we found along the way and which were not the focus of the audit itself. Also, for those interested in learning about mobile security we will talk about the challenges faced with these apps and how we overcame them.

This talk will be an interesting learning experience as it combines technical security vulnerabilities with political and commercial background implications.


After 13 years in Itsec and 20 in IT Abraham is now the CEO of 7ASecurity (, a company specializing in penetration testing of web/mobile apps, infrastructure, code reviews and training. Former senior penetration tester / team lead at Cure53 ( and Version 1 ( Creator of “Practical Web Defense” – a hands-on eLearn security attack / defense course (, OWASP OWTF project leader of an OWASP flagship project (, major degree and diploma in Computer Science, some certs: CISSP, OSCP, GWEB, OSWP, CPTS, CEH, MCSE:Security, MCSA:Security, Security+. As a shell scripting fan trained by unix dinosaurs, Abraham wears a proud manly beard. He writes on Twitter as @7asecurity @7a_ @owtfp or Some presentations, pentest reports and recordings can be found at

Scheduled Maintenance for Web Site and Blog

Rain cloud emojiToday there will be an interruption of power supply and network connectivity. The systems affected are our web site and our blog. While the downtime is scheduled and part of our maintenance, the reason for the downtime was not. It has to do with rain, pipes, and queues. To quote Marcus Ranum:

As security or firewall administrators, we’ve got basically the same concerns [as plumbers]: the size of the pipe, the contents of the pipe, making sure the correct traffic is in the correct pipes, and keeping the pipes from splitting and leaking all over the place. Of course, like plumbers, when the pipes do leak, we’re the ones responsible for cleaning up the mess, and we’re the ones who come up smelling awful.

Rain, gravitation, the size of pipes, and sediments came to visit our office a few months ago. Today we will put some serious firewalling in place in order to be on the safe side when it comes to our computing equipment. 🌧 🔌 😎

We’ll be right back after the break.

DeepSec 2019 Talk: Comparing GnuPG With Signal is like Comparing Apples with Smart Light Bulbs – Hans Freitag

GnuPG is not designed to be used only in E-Mail, it plays an important role in securing all sorts of mission critical data. In this talk I will show you applications of GnuPG that are not E-Mail or Instant Messaging.

We asked Hans a few more questions about his talk.

Please tell us the top 5 facts about your talk.

  • GnuPG is free software that can be used to encrypt and sign data.
  • Signal is not a free software but may be used to communicate with others.
  • You can’t compare apples with pears.
  • In German the term glowing pear is used for light bulb.
  • My Key ID is: 1553A52AE25725279D8A499175E880E6DC59190F

How did you come up with it? Was there something like an initial spark that set your mind on creating this talk?

I browsed the news and came across an article saying “We found a bug in an E-Mail program accidentally displaying unencrypted data as encrypted data and therefore you should ditch the use of GnuPG immediately and use Signal instead!” Spoiler Alert: It does not work!

Why do you think this is an important topic?

GnuPG is the tool on which almost all open source software relies on when delivering software to customers. It is embedded in almost any open Software and even usable from Android phones.

Is there something you want everybody to know – some good advice for our readers maybe?

Be nice to each other. Protect private data. Respect others.

A prediction for the future – what do you think will be the next innovations or future downfalls when it comes to your field of expertise / the topic of your talk in particular?

The next innovation might be a better user interface with sane defaults for GnuPG keys. Also getting GnuPG support for user keys and smart cards into the OS at installation level is important.

I would love to see GnuPG available in company infrastructure. I believe this would boost usage a lot, as it means that confidential data can be stored end to end encrypted and signed on the servers with the push of a button.

Born in Celle, Germany in 1980.
Found out about Open Source around 1997.
Attended the first Chaos Communication Congress in 1999.
Self employed as consultant and developer since 2001.
CEO/CTO and owner of Conesphere GmbH since 2017.

DeepSec 2019 Training: Threat Hunting with OSSEC – Xavier Mertens

OSSEC is sometimes described as a low-cost log management solution but it has many interesting features which, when combined with external sources of information, may help in hunting for suspicious activity occurring on your servers and end-points.

During this training, you will learn the basic of OSSEC and its components, how to deploy it and quickly get results. The second part will focus on the deployment of specific rules to catch suspicious activities. From an input point of view, we will see how easy it is to learn new log formats to increase the detection scope and, from an output point of view, how we can generate alerts by interconnecting OSSEC with other tools like MISP, TheHive or an ELK Stack / Splunk / … and add more contextual content with OSINT feeds.

We asked Xavier a few more questions about his talk.

Please tell us the top 5 facts about your training.

  1. It’s critical for organizations to be aware of what’s happening on their networks.
  2. The idea is to use information present on the Internet to increase the detection rates.
  3. Security controls can be implemented with free tools.
  4. The training has many labs and students will practice.
  5. Thee goal is to open the students’ eyes and make them have ideas to implement on their side.

How did you come up with it? Was there something like an initial spark that set your mind on creating this training?

I’m a big fan of OSSEC for years and already blogged a lot about it. I participated in the project (f.ex: I wrote the initial GeoIP support).
And, of course, I’m using it daily to monitor my infrastructure. Many (small) organizations do not have resources to implement or seem afraid to deploy solutions like OSSEC. I think it was time to wrap-up all this content and provide it as a training.

Why do you think this is an important topic?

Despite the fact that we deploy more and more security controls at our network boundaries, we still see compromised hosts, data leaks, etc. Keeping an eye on events is key to detect all suspicious activity as soon as possible.

Is there something you want everybody to know – some good advice for our readers maybe?

Sharing and integration of tools are a key point. Each of them has interesting data that can be reused by other tools to improve detection capabilities. The training could be interesting for Blue Team people or system/security engineers. Investing in tools like OSSEC will also raise your overall protection and, in case of an incident, you will already have some data to analyze.

A prediction for the future – what do you think will be the next innovations or future downfalls when it comes to your field of expertise / the topic of your training in particular?

The problem with many organizations today: the business is running so fast that they can’t keep control of what’s deployed in their infrastructure. They loose the knowledge of what’s important. This is a key requirement to better protect yourself. With tools like OSSEC, you can at least collect information from your hosts and granularly implement  controls to detect / block bad guys at an early stage.


Xavier Mertens is a freelance cyber security consultant based in Belgium. His daily job focuses on protecting his customers assets by applying “defensive” security (incident handling, forensics, log management, SIEM, security visualisation, OSINT) but also “offensive” security (pentesting). However, his preferred domain is playing on the Blue Team side. Besides his daily job, Xavier is also a security blogger, a SANS Internet Storm Center handler and co-organizer of the BruCON security conference.