0510, 2020

DeepSec 2020 Training: Threat Modelling: The Ultimate “Shift Left” – Irene Michlin & Kreshnik Rexha

Sanna/ October 5, 2020/ Training

The earlier in the life-cycle you pay attention to security, the better are the outcomes. Threat modelling is one of the best techniques for improving the security of your software. It is a structured method for identifying weaknesses on design level. The participants will learn the technique and gain practical skills through exercises. The curriculum of the training consists of : Threat modelling: introduction and motivation Data Flow Diagrams STRIDE Beyond STRIDE Prioritization Mitigations Integrating threat modelling in SDLC This training targets mainly blue teamers, as well as software developers, QA engineers, and architects; but will be also beneficial for scrum masters and product owners. We asked Irene and Kreshnik a few more questions about their training. Please tell us the top 5 facts about your training. Lots of hands-on exercises and group work

0310, 2020

DeepSec 2020 Talk: RedTeamOps – Mert Can Coskuner, Caglar Cakici

Sanna/ October 3, 2020/ Conference

Red team operations involve many skills, the operation requires a lot of monitoring, consolidating and caution. In order to perform red team operations faster and stealthier, without thinking about the infrastructure, every team has its’ own habits and standards. However, there is a problem with those habits and standards: There are tons of tools but no operation management, No aggregation between these tools, When OPSEC fails due to problems above or any other reason, it’s essential to possess the capability of maintaining robust infrastructure which can be recreated if discovered, and more importantly, without any issues upon deployment. In this talk, infrastructure challenges we face as a red teamer will be discussed. Along with challenges, a solution will be proposed based on DevOps practices such as: Design your infrastructure based on the standards and

2809, 2020

DeepSec 2020 Talk: Security of Home Automation Systems – A Status Quo Analysis For Austrian Households – Edith Huber, Albert Treytl

Sanna/ September 28, 2020/ Conference

Home Automation System (HAS) are a growing market, which is very diverse ranging  from consumer electronics like TVs, mobile phones and gaming consoles via WLAN connected sensors, power plugs or lightbulbs to building automation devices for HVAC systems or access solutions. Beside “classical” network technologies IoT technologies gain increasing spread and importance. This paper presents results of a representative survey analysing the security awareness and perception as well as susceptibility to cybercrime of HAS users in Austria. The aim of this survey is to investigate the spread of the device types, cybercrime attacks and security risks. These results are compared with technical vulnerabilities of such devices to identify relevant security risks and countermeasures. Additionally, a concept to protect sensor values directly in the analogue circuit is presented as an outlook to ongoing research. We asked Edith and Albert a few more questions about their talk. Please tell us the top facts about your talk. The most common HAS are Smart TV, voice assistants and surveillance cameras, but many other applications are on the rise. Respondents of the survey say

2509, 2020

DeepSec 2020 Talk: Efficient Post-quantum Digital Signature – Maksim Iavich (DeepSec Scholar 2020)

Sanna/ September 25, 2020/ Conference

Active work is being done to create and develop quantum computers. Traditional digital signature systems, which are used in practice, are vulnerable to quantum computers attacks. The security of these systems is based on the problem of factoring large numbers and calculating discrete logarithms. Scientists are working on the development of alternatives to RSA, which are protected from attacks by quantum computer. One of the alternatives are hash based digital signature schemes. Merkle digital signature scheme is the very promising alternative to the classical digital signature schemes. It must be emphasized, that the scheme has efficiency problems and can not be used in practice. Major improvements of the scheme lead to security vulnerabilities. I will show that Merkle uses hash functions many times. I will offer the improved implementation of the hash function. I

2209, 2020

Administrivia: DeepSec 2020 will turn into a hybrid conference

René Pfeiffer/ September 22, 2020/ Administrivia, Conference

The current travel warnings and COVID-19 statistics have an impact on the DeepSec 2020 conference. As we expected, travel is the major obstacle. This means that DeepSec 2020, ROOTS, and DeepINTEL will turn into a hybrid event. We will still be on-site at the conference hotel. Presentations will be on-site and available by our conference streaming platform in parallel. Speakers that cannot be in Vienna will stream their presentations. Everything will be live, and everyone attending physically and virtually can participate. Furthermore, we constantly update our COVID-19 health protection in order to keep you and everyone here in Vienna at the conference safe. Two trainings are already virtually (right from the start). We are exploring which trainings can switch to a virtual mode and will update the schedule accordingly. In case you are interested

1709, 2020

DeepSec2020 Press Release: Industrial control systems put to the test. DeepSec conference organizes forum for the protection of Industrial Control Systems (ICS)

Sanna/ September 17, 2020/ Press

When one talks about digitization, one usually means networked control and measurement systems. The associated technical term Industrial Control Systems (ICS) covers a wide area and extends into Industry 4.0, in which information security plays a very important role. The right design and secure code thus become part of critical infrastructure. This year’s DeepSec security conference offers a forum for the first time – the ICS Village – in which developers and security experts can exchange ideas and experience. The stated goal is to design control systems securely, to implement them robustly, to test them properly, and to protect these systems appropriately. Servant spirits of the infrastructure Control systems and automated process control normally lead an invisible existence. Production lines, building management, lighting control, traffic systems, industrial plants or power supply are indispensable parts

1609, 2020

Administrivia: DeepSec 2020, Virtual Content, Travel Warnings, Trainings

René Pfeiffer/ September 16, 2020/ Conference

Reading the news can be very frustrating these days. Not that it was ever fun. We are monitoring the current COVID-19 situation in Europe and abroad. Given the questionable start of the Corona Traffic Light system in Austria, we want to offer you some facts. The training Black Belt Pentesting / Bug Hunting Millionaire: Mastering Web Attacks with Full-Stack Exploitation and Mobile Security Testing Guide Hands-On will be virtual. This has been our and the trainer’s decision from the start due to travel regulations. Depending on the travel situation other trainings may switch to a virtual training as well. It depends on the content, and the trainers need to agree. Some of the DeepSec 2020 presentations will be virtual. Again this is due to travel regulations. Most of the presentation will still be on-site

1609, 2020

DeepSec2020 Talk: The Art Of The Breach – Robert Sell

Sanna/ September 16, 2020/ Conference

The Art of the Breach is designed to be a journey for anyone interested in physical security. Robert takes the audience on a trip from the public sidewalk outside a target organization all the way through to the executive filing cabinet in the President’s office. While many physical security talks focus strictly on the information security aspect of breaching, Robert will combine this with techniques used by first responders to enter a building. While social engineering and lock picking will be discussed, Robert will also outline the third option of forced entry. During this adventure, Robert discusses everything from successful reconnaissance to ensuring an easy exit afterwards. Robert spends time at each step to go over the various options for moving forward. Some of these options are easy and straightforward while others require preparations

1509, 2020

Reminder for your Training @ DeepSec 2020: Exploiting Race Conditions – Dawid Czagan

René Pfeiffer/ September 15, 2020/ Conference

A race condition attack is one of the most dangerous and underestimated attacks on modern web applications. It’s related to concurrency and multithreading. As a result of this attack an attacker, who has $1000 in his bank account, can transfer way more than $1000 from his bank account. This is just one example, but it clearly shows how dangerous this attack is. If you develop or use software connected to a network, then this is for you. In a free video Dawid Czagan (DeepSec Instructor) will show you step-by-step how this attack works and tell you how to prevent this attack from happening. Watch this free video and feel the taste of Dawid Czagan’s Live Online Training ”Black Belt Pentesting / Bug Hunting Millionaire: Mastering Web Attacks with Full-Stack Exploitation” (DeepSec 2020; mind the date

1509, 2020

Administrivia: COVID-19 and Schedule Update

René Pfeiffer/ September 15, 2020/ Conference

We have been busy working on the schedule, the preparations for DeepSec/DeepINTEL, and our COVID-19 protection plan. As you may know, Austria has introduced a Corona „traffic light“ system to mark the spread of COVID-19 cases. We have added a section to our COVID-19 countermeasures describing what the traffic light colours mean. Since we rely on our own protection measures based on guidelines by health experts, DeepSec and DeepINTEL can happen unless a total lock-down is in place. The schedule has some updates. We have added two new presentations. Denis Kolegov will dissect IPSec UDP, a custom undocumented VPN protocol. It lacks the cryptographic strength and perfect forward secrecy. The protocol has severe flaws which allows attackers to reconstruct the keys and decrypt the whole network traffic. In addition Paula de la Hoz will

1409, 2020

DeepSec 2020 Talk: Abusing Azure Active Directory: Who Would You Like To Be Today? – Dr. Nestori Syynimaa

Sanna/ September 14, 2020/ Conference

This will be one of the few online talks held at DeepSec. Dr. Nestori Syynimaa covers the wonderful world of Azure AD and third-party code. Azure AD is used by Microsoft Office 365 and over 2900 third-party apps. Although Azure AD is commonly regarded as secure, there are serious vulnerabilities regarding identity federation, pass-through authentication, and seamless single-sign-on. In this session, using AADInternals PowerShell module, I’ll demonstrate the exploitation of these vulnerabilities to create backdoors, impersonate users, and bypass MFA. The purpose of this session is to raise awareness of the importance of the principle of least privilege and the role of on-prem security to cloud security. We asked Dr. Nestori Syynimaa a few more questions about his talk. Please tell us the most important facts about your talk. Azure AD acts as an

1109, 2020

Reminder for your Training @ DeepSec 2020: Bypassing CSP via ajax.googleapis.com – Dawid Czagan

René Pfeiffer/ September 11, 2020/ Conference

Content Security Policy (CSP) is the number one defensive technology in modern web applications. A good CSP offers a lot of possibilities, but it is hard to develop. Mistakes are common, too. Many developers add ajax.googleapis.com to CSP definitions, because they use libraries from this very popular content distributions network (CDN) in their web applications. The problem is that it completely bypasses the CSP and obviously you don’t want that to happen. Since CSP should be part of any modern application, you better get to work and brush up your knowledge. In a free video Dawid Czagan (DeepSec Instructor) will show you step-by-step how your CSP can be bypassed by hackers. Watch this free video and feel the taste of Dawid Czagan’s Live Online Training ”Black Belt Pentesting / Bug Hunting Millionaire: Mastering Web

1009, 2020

DeepSec 2020 Training: Open Source Intelligence Gathering on Human Targets – Robert Sell

Sanna/ September 10, 2020/ Training

Robert Sell conducts a two-day training at DeepSec. In his own words: „In this workshop I provide the class with real humans (missing persons) and while they are collaborating on this I provide tools and techniques for them to use to bring them closer to their goal. This is a hands on workshop where students will also have the opportunity to learn from each other. The beginning of the class will consist of a brief intro to OpSec considerations while the end will wrap up with report prep and intel safe guarding.“ We asked Robert a few more questions about his training. Please tell us the top 5 facts about your training. The Intelligence Community has been involved in open source intelligence (OSINT) for more than 50 years. The value of open source information

0909, 2020

Administrivia: Updated COVID-19 counter measures document

René Pfeiffer/ September 9, 2020/ Conference

In software development and system administration some data sets are periodically updated. This is true for our COVID-19 counter measures document. We updated some sections and whacked our reverse proxy a bit (i.e. reduced the caching limits). We can’t do much about the travel regulations and your company policy, but we gone through great efforts to make your stay at DeepSec and DeepINTEL as safe as possible. 1918 is the new 1984. Stay healthy! Keep yourself air-gapped!

0909, 2020

Reminder for your Training @ DeepSec 2020: Token Hijacking via PDF – Dawid Czagan

René Pfeiffer/ September 9, 2020/ Conference

PDF files are everywhere. No day goes by without someone having used a PDF document. This is why PDF files are the perfect hacking tool. They can even be used to hack your web application. Imagine that the attacker prepares a malicious PDF file which steals sensitive data from a user. The PDF file is uploaded to the web application, the user reads this PDF file, and finally sensitive data is exfiltrated from the user’s browser. It’s scary, isn’t it? In a free video Dawid Czagan (DeepSec Instructor) will show you-step-by step how this attack works and how you can check if your web application is vulnerable to this attack. Watch this free video and feel the taste of Dawid Czagan’s Live Online Training ”Black Belt Pentesting / Bug Hunting Millionaire: Mastering Web Attacks with

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this: