DeepSec 2020 preliminary Schedule published

René Pfeiffer/ August 22, 2020/ Conference

In Summer, time slows down considerably. This has nothing to do with the theory of relativity. It’s just hot, people take some time off, and messaging latency significantly increases. In turn we have to speed up the reviews and come up with a selection. As always, this has been very hard. You sent us very high quality submissions. Thanks for making the selection process hard for us. 😍 The preliminary schedule is where it has always been in the past years. Please note that two trainings will be virtual trainings. All other trainings will be on-site unless we are forced to conduct them virtually as well. With COVID-19 being the Corona elephant in the room for all events all over the world, we created a document to address the health situation. DeepSec and DeepINTEL


Administrivia: DeepSec Mailing Lists and last Call for our CfPs

René Pfeiffer/ July 25, 2020/ Administrivia, Conference

Summer is always a bad time for getting things done. Usually people are on holiday, sweat, relax, or travel for recreation. Things are different due to the Covid-19 precautions. Unfortunately our Call for Papers ends on 31 July 2020. This means we have to remind you about the deadline. We plan to publish the schedule in mid-August, so we don’t have much choice but to ask you again for research results, insights, incidents, weaknesses, helpful hints for defence, and more. Tell us about your research. Keep our reviewers busy! We have some additional information. We added a mailing list system to our infrastructure. The server is run by our event partners, the Crowes. So you can get news by raven, not only figuratively. The mailing lists we created are a tool to keep you informed.


Press Release: Digital Infrastructure should integrate Malware

Sanna/ July 22, 2020/ Conference, Press, Security

The German government wants to force Internet providers to install malicious software and intercept network traffic. Since the 1990s, there has been a constant struggle between authorities and security experts. One side wants to make digital infrastructure, especially data transport and communication, as secure as possible for business and society. The other side constantly strives for back doors to intercept data and correspondence. The fight for access to secure data transmissions, originally titled “Crypto Wars”, is entering the next round. The German federal government has created a draft law that is intended to legally force Internet providers and companies with related activities to distribute malware and manipulate network traffic. In future, the installation of apps on smartphones or automatic software updates can compromise computer systems. This destroys the basis of digitalisation – with far-reaching


Translated Article: EU Council of Ministers discusses Back Doors in Encryption again

Sanna/ July 21, 2020/ Security, Stories

EU-Ministerrat diskutiert wieder Hintertüren in Verschlüsselung by Erich Moechel for fm4.ORF.at Gilles de Kerchove, EU’s anti-terror coordinator, is once again working against secure encryption per se. Since these new demands by law enforcement officials on the EU Council of Ministers are nowhere openly accessible, this confidential Council document is published in full by FM4. The corona virus pandemic has led to a surge in teleworking worldwide. Instead of behind firewalls in secure corporate networks, millions of employees worldwide work from insecure home offices. The only real protection is the end-to-end encryption (E2E) of the data traffic. In the middle of this scenario, the “Five Eyes” secret service alliance is starting the next phase of its global campaign against secure encryption. Again, police law enforcement is used as a vehicle. After the United States, the European protagonist


Token Hijacking via PDF – Dawid Czagan

Sanna/ July 20, 2020/ Training

PDF files are everywhere and they can be used to hack your web application. Imagine that the attacker prepares a malicious PDF file which steals sensitive data from a user. The PDF file is uploaded to the web application, the user reads this PDF file, and finally sensitive data is exfiltrated from the user’s browser. It’s scary, isn’t it? In a free video Dawid Czagan (DeepSec Instructor) will show you step-by-step how this attack works and how you can check if your web application is vulnerable to this attack. Watch this free video and feel the taste of Dawid Czagan’s Live Online Training “Black Belt Pentesting / Bug Hunting Millionaire: Mastering Web Attacks with Full-Stack Exploitation” (DeepSec 2020; 17/18 November)

Translated Article: US bill against Secure Encryption of Chats

Sanna/ July 17, 2020/ Internet, Security, Stories

US-Gesetzesentwurf gegen sichere Verschlüsselung von Chats by Erich Moechel for fm4.ORF.at A new US law on “Access by law enforcement officers to encrypted data” is intended to force chat providers such as Signal or WhatsApp to incorporate back doors into their security architectures. In the United States, a bill is on its way to the Senate that has stunned the IT industry. The planned law on “Access by law enforcement officers to encrypted data” turns upside down all the rules that have been in force on the WWW for 25 years. Encrypted chats and data backup for a wide audience should therefore only be offered if the provider has duplicate keys. That would be the end of end-to-end encryption (E2E) from Signal, WhatsApp and others. The same applies to hardware manufacturers who have to provide access


Press Release: Digitalisation without Information Security has no Future

Sanna/ July 15, 2020/ Conference, Development, Discussion

DeepSec conference warns of unsafe software and insufficient knowledge of professionals. The months in which we had to learn to deal with the effects of various quarantine measures on our everyday lives have decisively emphasized the importance of information technology. Although the Internet has long been an integral part of work and everyday life in many industries, the physical restrictions due to the Covid-19 pandemic could have been significantly more drastic for public authorities, the economy and society without modern telecommunications. Audio, video and chat platforms have prevented things getting worse. The call for more digitalisation, however, lacks the most important ingredient – information security. Published software is safe, isn’t it? In the world of software development, there is an unofficial saying that a product is ready when you can install it. The rest


Administrivia: DeepSec/DeepINTEL/ROOTS Speaker Benefits extended to 2021

René Pfeiffer/ July 8, 2020/ Call for Papers, Conference

The Calls for Papers of DeepSec, DeepINTEL, and ROOTS have a deadline. DeepSec and DeepINTEL have set the first deadline to 31 July 2020. We will accept submissions after this date, but everyone who submitted before the deadline will be reviewed first. Since all speakers are entitled to benefits which depend on their presence at the conference we decided to extend these offers. If you submit your presentation for the 2020 events and cannot attend, then all benefits such as entry to the conference, travel cost reimbursement, our famous speaker’s dinner, your stay at the hotel, and everything else will stay valid until DeepSec 2021. The only condition is that your content must be presented (either virtually or by proxy). The offer is valid for DeepSec and ROOTS. DeepINTEL is a special case, because


Bypassing CSP via ajax.googleapis.com – Dawid Czagan

Sanna/ July 7, 2020/ Training

Content Security Policy (CSP) is the number one defensive technology in modern web applications. Many developers add ajax.googleapis.com to CSP definitions, because they use libraries from this very popular CDN in their web applications. The problem is that it completely bypasses the CSP and obviously you don’t want that to happen. Since CSP should be part of any modern application, you better get to work and brush up your knowledge. In a free video Dawid Czagan (DeepSec Instructor) will show you step-by-step how your CSP can be bypassed by hackers. Watch this free video and feel the taste of Dawid Czagan’s Live Online Training “Black Belt Pentesting / Bug Hunting Millionaire: Mastering Web Attacks with Full-Stack Exploitation” (training at DeepSec 2020; 17/18 November)

Exploiting Race Conditions – Dawid Czagan

Sanna/ July 1, 2020/ Training

A race condition attack is one of the most dangerous and underestimated attacks on modern web applications. It’s related to concurrency and multithreading. As a result of this attack an attacker, who has $1000 in his bank account, can transfer way more than $1000 from his bank account. This is just one example, but it clearly shows how dangerous this attack is. If you develop or use software connected to a network, then this is for you. In a free video Dawid Czagan (DeepSec Instructor) will show you step-by-step how this attack works and tell you how to prevent this attack from happening. Watch this free video and feel the taste of Dawid Czagan’s Live Online Training “Black Belt Pentesting / Bug Hunting Millionaire: Mastering Web Attacks with Full-Stack Exploitation” (DeepSec 2020; mind the date


Lectures on Information Security

René Pfeiffer/ July 1, 2020/ Discussion, High Entropy

It’s time for an editorial to end our premature Covid-19 induced Summer break. We (as in the staff behind DeepSec/DeepINTEL) were busy with projects, preparations, following the news about the pandemic, and collecting information for our event(s) in November. Personally I have been involved in teaching for decades. The past months have shifted the focus heavily on virtual presences in the form of teleconferences. Keeping hundreds of students busy while explaining how operating systems work and how secure code looks tends to take up some of your time. Good network connections and decent hardware helped a lot, but there are a couple of problems with conveying content, concepts, and ideas. Let me show you what I mean. Getting good tutorials is hard. The new agile way of computer science is to ditch good documentation


Administrivia Update: Regulations, Ticket Shop, and DeepSec

René Pfeiffer/ May 29, 2020/ Administrivia, Conference

Clear guidelines for events and conferences slowly emerge here in Austria. We have some news on what DeepSec, DeepINTEL, and ROOTS will look like in November. We will compile the set of regulations in a separate document and publish it on our web site. The constraints set by the authorities contain no show-stoppers for the event and the trainings. We will carefully work out a concept which we will use in November for everything that is going on on site in Vienna. 😷 We have the full support of our conference hotel, and we are confident that we can increase health protection and decrease risks for everyone attending. In addition we found some bug in the ticket shop system. The tickets for DeepINTEL, DeepSec conference / training, and ROOTS can be bought via the


Update and Reminder – DeepSec/DeepINTEL Call for Papers is still open

René Pfeiffer/ May 27, 2020/ Call for Papers, Conference

We have added another training to the schedule. Irene Michlin (IBM) will teach you about threat modelling and how to integrate threats into your software development life cycle. Further details will be published in our blog. Speaking of content – the calls for papers for both DeepSec and DeepINTEL are still open. We are looking for your contribution. And then there is the inevitable update on DeepSec and the current pandemic situation. A lot of countries discuss how to proceed in terms of regulations, health protection, and logistics such as travel. We would very much like to link to official information on travel, accommodation, additional procedures during our event, and what DeepSec will look like in November. Sadly we cannot do this yet. The facts are that the Austrian hotels open on 29 May 2020 again.


Administrivia for DeepSec, DeepINTEL, and trainings

René Pfeiffer/ May 13, 2020/ Administrivia, Conference

We cleared some administrative obstacles in the past weeks. The conference hotel has confirmed that DeepSec and DeepINTEL can happen in November. Of course, we cannot look into the future, but technically everything is in place. We still don’t know what the regulations for events will look like, but we definitely plan to have a traditional conference in November. DeepSec and especially DeepINTEL cannot be moved easily into a virtual venue. We rely on face-to-face communication, having groups of people chat in our lounge areas, and random encounters in the foyer. One way or another we are convinced that this can happen. We will let you know about any changes, but we will carefully proceed. In order to improve the way you can learn new things and practice your security skills we made some


Translated Press Release: COVID-19 Apps reveal their Software during the Crisis

Sanna/ May 13, 2020/ Conference, Press, Training

In November, the DeepSec security conference will shed light on the software masquerade. People often say, “there’s bound to be an app for that!”. This stock phrase is often taken lightly, even outside the IT sector. The current COVID-19 crisis has once again singled out computer code as the universal solution to problems that are not strictly related to information technology. Generic digitalisation seems to be the answer to all our problems. Of course, data processing can help. Provided, however, that you have real, verifiable and carefully collected data. This is where many projects fail. Magic phones with infinite intelligence The demand for apps has only grown in recent years. These visions are in no way inferior to the creative ideas of
