Bypassing CSP via ajax.googleapis.com – Dawid Czagan

Sanna/ July 7, 2020/ Training

Content Security Policy (CSP) is the number one defensive technology in modern web applications. Many developers add ajax.googleapis.com to their CSP definitions because they use libraries from this very popular CDN in their web applications. The problem is that whitelisting this host completely bypasses the CSP, and obviously you don’t want that to happen. Since CSP should be part of any modern application, you had better get to work and brush up your knowledge. In a free video Dawid Czagan (DeepSec Instructor) will show you step-by-step how your CSP can be bypassed by hackers. Watch this free video and get a taste of Dawid Czagan’s Live Online Training “Black Belt Pentesting / Bug Hunting Millionaire: Mastering Web Attacks with Full-Stack Exploitation” (training at DeepSec 2020; 17/18 November)

Exploiting Race Conditions – Dawid Czagan

Sanna/ July 1, 2020/ Training

A race condition attack is one of the most dangerous and underestimated attacks on modern web applications. It’s related to concurrency and multithreading. As a result of this attack an attacker who has $1000 in his bank account can transfer way more than $1000 from his bank account. This is just one example, but it clearly shows how dangerous this attack is. If you develop or use software connected to a network, then this is for you. In a free video Dawid Czagan (DeepSec Instructor) will show you step-by-step how this attack works and tell you how to prevent this attack from happening. Watch this free video and get a taste of Dawid Czagan’s Live Online Training “Black Belt Pentesting / Bug Hunting Millionaire: Mastering Web Attacks with Full-Stack Exploitation” (DeepSec 2020; mind the date


Lectures on Information Security

René Pfeiffer/ July 1, 2020/ Discussion, High Entropy

It’s time for an editorial to end our premature Covid-19 induced Summer break. We (as in the staff behind DeepSec/DeepINTEL) were busy with projects, preparations, following the news about the pandemic, and collecting information for our event(s) in November. Personally, I have been involved in teaching for decades. The past months have shifted the focus heavily towards virtual presence in the form of teleconferences. Keeping hundreds of students busy while explaining how operating systems work and what secure code looks like tends to take up some of your time. Good network connections and decent hardware helped a lot, but there are a couple of problems with conveying content, concepts, and ideas. Let me show you what I mean. Getting good tutorials is hard. The new agile way of computer science is to ditch good documentation


Administrivia Update: Regulations, Ticket Shop, and DeepSec

René Pfeiffer/ May 29, 2020/ Administrivia, Conference

Clear guidelines for events and conferences slowly emerge here in Austria. We have some news on what DeepSec, DeepINTEL, and ROOTS will look like in November. We will compile the set of regulations in a separate document and publish it on our web site. The constraints set by the authorities contain no show-stoppers for the event and the trainings. We will carefully work out a concept which we will use in November for everything that is going on on-site in Vienna. 😷 We have the full support of our conference hotel, and we are confident that we can increase health protection and decrease risks for everyone attending. In addition we found a bug in the ticket shop system. The tickets for DeepINTEL, DeepSec conference / training, and ROOTS can be bought via the


Update and Reminder – DeepSec/DeepINTEL Call for Papers is still open

René Pfeiffer/ May 27, 2020/ Call for Papers, Conference

We have added another training to the schedule. Irene Michlin (IBM) will teach you about threat modelling and how to integrate threats into your software development life cycle. Further details will be published in our blog. Speaking of content – the call for papers for both DeepSec and DeepINTEL is still open. We are looking for your contribution. And then there is the inevitable update on DeepSec and the current pandemic situation. A lot of countries discuss how to proceed in terms of regulations, health protection, and logistics such as travel. We would very much like to link to official information on travel, accommodation, additional procedures during our event, and what DeepSec will look like in November. Sadly we cannot do this yet. The facts are that the Austrian hotels reopen on 29 May 2020.


Administrivia for DeepSec, DeepINTEL, and trainings

René Pfeiffer/ May 13, 2020/ Administrivia, Conference

We cleared some administrative obstacles in the past weeks. The conference hotel has confirmed that DeepSec and DeepINTEL can happen in November. Of course, we cannot look into the future, but technically everything is in place. We still don’t know what the regulations for events will look like, but we definitely plan to have a traditional conference in November. DeepSec and especially DeepINTEL cannot be moved easily into a virtual venue. We rely on face-to-face communication, having groups of people chat in our lounge areas, and random encounters in the foyer. One way or another we are convinced that this can happen. We will let you know about any changes, but we will proceed carefully. In order to improve the way you can learn new things and practice your security skills we made some


Translated Press Release: COVID-19 Apps reveal their Software during the Crisis

Sanna/ May 13, 2020/ Conference, Press, Training

In November, the DeepSec security conference will highlight the software masquerade. People often say, “There’s bound to be an app for that!”. This ready-made phrase is often taken lightly, even outside the IT sector. The current COVID-19 crisis has once again designated computer code as the universal solution to problems that are not strictly related to information technology. Generic digitization seems to be the answer to all our problems. Of course, data processing can help. Provided, however, that one has real, verifiable and carefully collected data. This is where many projects fail.

Magical phones with infinite intelligence

The demand for apps has only increased in recent years. These visions are in no way inferior to the creative ideas of the


Translated Article: Ten EU Countries already rely on decentralized Corona Virus Apps

Sanna/ May 12, 2020/ Security, Stories

Schon zehn EU-Staaten setzen auf dezentrale Coronavirus-Apps by Erich Moechel for fm4.orf.at. Apple and Google also support the privacy-friendly, decentralized protocol DP-3T. Without technical support in the operating systems of these two groups, no app with Bluetooth tracing can deliver useful results. The decision by Austria and Switzerland to use a corona virus app with decentralized data storage (DP-3T) triggered a chain reaction. By Friday, ten EU countries had already left the large-scale “Pan-European Project for Data Protection-Compliant Person Tracing” (PEPP-PT). The centralized data collection of PEPP-PT leaves all possibilities for data mining open; deanonymisation of the data is also among them. Apple and Google, which support the DP-3T standard, are constantly publishing new specifications for the necessary app interfaces in Android and iOS. Without the support of these two companies, whose operating systems


Translated Press Release: Covid-19 Apps show Software Development in Crisis

Sanna/ May 8, 2020/ Conference, Press, Training

In November, the DeepSec security conference will highlight the software masquerade. In everyday language there is the saying “There’s an app for that!”. The phrase is often used as a joke, even outside the IT industry. The current Covid-19 crisis has once again presented computer code as a universal solution to problems that are not exclusively related to information technology. Generic digitization seems to be the answer to all problems. Of course, data processing can help. The prerequisite for this, however, is the existence of real data that has also been collected in a comprehensible and careful manner. This is exactly why many projects fail.

Magical phones with infinite intelligence

The call for apps has been repeated again and again in recent years. The visions are in no way inferior to the creative ideas


Update on DeepSec / DeepINTEL / ROOTS 2020 with regards to Covid-19

René Pfeiffer/ May 2, 2020/ Administrivia, Discussion, High Entropy

Lacking time travel, we have no way to know what will happen in November 2020. That’s not news to us. We closely follow the development of the current Covid-19 crisis, and we constantly evaluate our plans for DeepSec, DeepINTEL, and ROOTS 2020. Given the current state of affairs and the experiments in various countries (including Austria) with lowering the restrictions for business and public life, we believe that our conferences can take place in November. There may still be restrictions in November with regard to travel and protection measures at our venue. We have developed a schedule for keeping you informed. Additionally we have plans for changing the schedule in order to guarantee the minimum level of content required by our call for papers process. Updates regarding the state of our events in


First DeepSec 2020 Trainings confirmed

René Pfeiffer/ May 2, 2020/ Conference

We haven’t been idle in the past weeks. The Austrian government is reducing the lock-down rules to see how normal business and private life can go on. We take this as an opportunity to announce the first three confirmed trainings for DeepSec 2020. The preliminary descriptions can be found on our schedule web site.

Black Belt Pentesting / Bug Hunting Millionaire: Mastering Web Attacks with Full-Stack Exploitation – Dawid Czagan (Silesia Security Lab)

Open Hardware Hacking – Paula de la Hoz Garrido (Telefónica Security Engineering)

Defending Industrial Control Systems – Tobias Zillner & Thomas Brandstetter (Limes Security)

Early Bird tickets are available. Given the unusual start into 2020 we ask you to consider buying Early Bird tickets (especially for the trainings). We are exploring special attendee tickets for remote attendance of the trainings. A


Contact Tracing and the Security of Things

René Pfeiffer/ April 17, 2020/ Call for Papers, Discussion

The spread of Sars-Cov-2 keeps everyone on their toes, given the emotional state after weeks and months of physical distancing (which we recommend; social distancing has been the norm for decades). We closed our office in March and heavily rely on telecommunication. Fortunately we did not need to reinvent the Internet. Many of you have probably done the same. We hope that you manage to stay healthy until things can get back to “normal”. Speaking of communication and normality, there are some aspects of the current situation we would like to point out. Every security conference features presentations shedding light on important tools, libraries, applications, or protocols people rely on. Humans like to communicate. The degree varies, but essentially few can do without talking, writing, hearing, or seeing stuff (i.e. messages). This is even


It’s April Fool’s Day – 7/24 and 365 Days of the Year

René Pfeiffer/ April 1, 2020/ Discussion, High Entropy

The first day of April is typically the time when you hide well-written pieces of misinformation to trick people into believing something that isn’t true. We published our share of April Fool’s Day articles in the past. While this was and still is fun, we believe that it is time to break with this tradition. Hiding something that isn’t true within a stream of informative articles or news items has become a major way of influencing opinion. Good comedy does the same, but the outcome is different. Satirical news is a means to criticise by exaggerating or focussing on an issue. The typical audience of comedy expects this. The distinction between satire and reality has almost disappeared in the past decade. So if you are looking for entertainment there are plenty of other sources


Status Update with regard to the current Sars-Cov-2 / Covid-19 Emergency

René Pfeiffer/ March 16, 2020/ Administrivia

We wrote in an earlier blog article about the current Sars-Cov-2 / Covid-19 emergency. Mathematics and biology didn’t stop, so you (hopefully) live in an area with restrictions regarding crowds and places where people can’t keep a safe distance. We, the organisation team of DeepSec, are in close contact with peers, members of the community, and reliable sources of information regarding countermeasures by the Austrian government. Given the current state of affairs the November dates of our events are still in the far future. This means that nothing has changed for our plans. Our calls for papers are still open. The only change will be no marketing messages and advertising for DeepSec and DeepINTEL. We don’t think that a crisis should be used for one’s own advantage. Please stick to facts and verified sources


Translated Article: Coup de Grâce beat Attackers of the Austrian Federal Ministry for European and International Affairs

Sanna/ March 12, 2020/ Security, Stories

Cyberhusarenstück schlug Angreifer im Außenministerium for fm4 by Erich Moechel [We translated this article because DeepSec actively supports young talents and students. We are looking for organisations and companies that would like to help us in our support. Furthermore, we like to make Erich’s well-researched and well-written articles available to a wider audience.] It was young technicians who fended off the dreaded cyber troop Turla. After a short time they cracked the tricky encryption of the Turla Trojan. The National Security Council, which the NEOS party convened to discuss the cyberattack on the Federal Ministry for European and International Affairs, meets on Friday. NEOS criticise the cumbersome structures in cyber defence and, above all, that it is not ready to work properly. The quick defence against the notorious cyber troop (APT) Turla is rather
