0209, 2020

DeepSec 2020 U21 Talk: Protecting Mobile Devices from Malware Attacks with a Python IDS – Kamila Babayeva, Sebastian Garcia

Sanna/ September 2, 2020/ Conference

[Editorial note: We are proud to publish the articles about the U21 presentation slot for young researchers. The U21 track is a tradition of DeepSec. We aim to support (young) talents and give them a place on the stage to present their ideas and to gain experience.] Technology poses a risk of cyber attacks to all of us, but mobile devices are more at risk because there are no good detection applications for phones, and because they are the target of many novel attacks. We still don’t have a good idea of what our phones are doing in the network. To be better protected, mobile devices need better detection solutions from our community. In this talk I will present the development of Slips, a Python-based, free software IDS using machine learning to detect attacks

0109, 2020

DeepSec 2020 Talk: Security Model Of Endpoint Devices – Martin Kacer

Sanna/ September 1, 2020/ Conference

Have you ever asked these questions? You are using the latest mobile and using your laptop with the latest and patched OS, running antivirus: Do you need to worry about security? Isn’t there still something broken in the entire security and permission model? Why can the desktop application, that is not an internet browser, access and communicate by using any IP address? Why can the application access your whole filesystem and collect the files from there? Why can an android app with internet permission communicate using any arbitrary IP, even a private one? Why can the app communicate by using different domains? Isn’t the app market ecosystem creating a friendly environment for botnets? This talk will shed some light on these issues and propose some mitigation strategy. We have asked Martin a few more

0109, 2020

Administrivia – DeepSec 2020 Schedule, in-depth Articles, and Tickets

René Pfeiffer/ September 1, 2020/ Administrivia, Conference

We have some news. The schedule for DeepSec is getting stable. 🎉 Juggling the presentations slots and keeping in touch with all speakers and trainers is always the most dynamic part of DeepSec events. The current situation puts an extra strain on the preparations. We intend to conduct as much on-site presentations as possible. So far only two trainings and selected talks will be virtual. The main part of the schedule will be physically on-site. Please note our updated counter COVID-19 measures document. We have some more features planned for anyone attending, because we want to keep you busy during the conference. The ticket shop is online and waiting for your orders. We know that most people book late. Usually this is not a problem. Nevertheless we like to ask you to book early

2808, 2020

Press Release: Intensive Courses for crisis-proof Digitisation taking place in Vienna

Sanna/ August 28, 2020/ Conference, Press

DeepSec security conference focuses thematically in depth on critical dangers for IT. As is well known, the digital world never sleeps. The last few months have shown that society and the economy are more dependent than ever on globally networked technology. The worldwide spread of SARS-CoV-2 has given telecommunications an enormous boost. The home office, already known before, teleconferencing systems and internet applications had to stand in for physical meetings and enable the exchange of information. As the use of these technologies increased sharply, security problems were of course discovered. Zoom is a prominent example. However, only the tip of the iceberg was analysed. Many vulnerabilities are still waiting to be discovered around the world. Anyone who demands more digitisation is actually talking about information security. Precisely for this reason, the DeepSec Security Conference

2208, 2020

DeepSec 2020 preliminary Schedule published

René Pfeiffer/ August 22, 2020/ Conference

In Summer time slows down considerably. This has nothing to do with the theory of relativity. It’s just hot, people take some time off, and messaging latency significantly increases. In turn we have to speed up the reviews and come up with a selection. As always, this has been very hard. You sent us very high quality submissions. Thanks for making the selection process hard for us. 😍 The preliminary schedule is where it has always been in the past years. Please note that two trainings will be virtual trainings. All other trainings will be on-site unless we are forced to conduct them virtually as well. With COVID-19 being the Corona elephant in the room for all events all over the world, we created a document to address the health situation. DeepSec and DeepINTEL

2507, 2020

Administrivia: DeepSec Mailing Lists and last Call for our CfPs

René Pfeiffer/ July 25, 2020/ Administrivia, Conference

Summer is always a bad time for getting things done. Usually people are on holiday, sweat, relax, or travel for recreation. Things are different due to the Covid-19 precautions. Unfortunately our Call for Papers ends on 31 July 2020. This means we have to remind you about the deadline. We plan to publish the schedule in mid-August, so we don’t have much choice to ask you again for research results, insights, incidents, weaknesses, helpful hints for defence, and more.. Tell us about your research. Keep our reviewers busy! We have some additional information. We added a mailing list system to our infrastructure. The server is run by our event partners, the Crowes. So you can get news by raven, not only figuratively. The mailing lists we created are a tool to keep you informed.

2207, 2020

Press Release: Digital Infrastructure should integrate Malware

Sanna/ July 22, 2020/ Conference, Press, Security

The German government wants to force Internet providers to install malicious software and intercept network traffic. Since the 1990s, there has been a constant struggle between authorities and security experts. One side wants to make digital infrastructure, especially data transport and communication, as secure as possible for business and society. The other side constantly strives for back doors to intercept data and correspondence. The fight for access to secure data transmissions, originally titled “Crypto Wars” is entering the next round. The German federal government has created a draft law that is intended to legally force Internet providers and companies with related activities to distribute malware and manipulate network traffic. In future, the installation of apps on smartphones or automatic software updates can compromise computer systems. This destroys the basis of digitalisation – with far-reaching

2107, 2020

Translated Article: EU Council of Ministers discusses Back Doors in Encryption again

Sanna/ July 21, 2020/ Security, Stories

EU-Ministerrat diskutiert wieder Hintertüren in Verschlüsselung by Erich Moechel for fm4.ORF.at Gilles de Kerchove, EU’s anti-terror coordinator, is once again working against secure encryption per se. Since these new demands by law enforcement officials on the EU Council of Ministers are nowhere openly accessible, this confidential Council document is published in full by FM4. The corona virus pandemic has led to a surge in teleworking worldwide. Instead of behind firewalls in secure corporate networks, millions of employees worldwide work from insecure home offices. The only real protection is the end-to-end encryption (E2E) of the data traffic. In the middle of this scenario, the “Five Eyes” secret service alliance is starting the next phase of its global campaign against secure encryption. Again, police law enforcement is used as a vehicle. After the United States, the European protagonist

2007, 2020

Token Hijacking via PDF – Dawid Czagan

Sanna/ July 20, 2020/ Training

PDF files are everywhere and they can be used to hack your web application. Imagine that the attacker prepares a malicious PDF file which steals sensitive data from a user. The PDF file is uploaded to the web application, the user reads this PDF file, and finally sensitive data is exfiltrated from the user’s browser. It’s scary, isn’t it? In a free video Dawid Czagan (DeepSec Instructor) will show you-step-by step how this attack works and how you can check if your web application is vulnerable to this attack. Watch this free video and feel the taste of Dawid Czagan’s Live Online Training ”Black Belt Pentesting / Bug Hunting Millionaire: Mastering Web Attacks with Full-Stack Exploitation” (DeepSec 2020; 17/18 November) Tags:

1707, 2020

Translated Article: US bill against Secure Encryption of Chats

Sanna/ July 17, 2020/ Internet, Security, Stories

US-Gesetzesentwurf gegen sichere Verschlüsselung von Chats by Erich Moechel for fm4.ORF.at A new US law on “Access by law enforcement officers to encrypted data” is intended to force chat providers such as Signal or WhatsApp to incorporate back doors into their security architectures. In the United States, a bill is on its way to the Senate that has stunned the IT industry. The planned law on “Access by law enforcement officers to encrypted data” turns upside down all the rules that have been in force on the WWW for 25 years. Encrypted chats and data backup for a wide audience should therefore only be offered if the provider has duplicate keys. That would be the end of end-to-end encryption (E2E) from Signal, WhatsApp and others. The same applies to hardware manufacturers who have to provide access

1507, 2020

Press Release: Digitalisation without Information Security has no Future

Sanna/ July 15, 2020/ Conference, Development, Discussion

DeepSec conference warns of unsafe software and insufficient knowledge of professionals. The months in which we had to learn to deal with the effects of various quarantine measures on our everyday lives have decisively emphasized the importance of information technology. Although the Internet has long been an integral part of work and everyday life in many industries, the physical restrictions due to the Covid-19 pandemic could have been significantly more drastic for public authorities, the economy and society without modern telecommunications. Audio, video and chat platforms have prevented things getting worse. The call for more digitalisation, however, lacks the most important ingredient – information security. Published software is safe, isn’t it? In the world of software development, there is an unofficial saying that a product is ready when you can install it. The rest

0807, 2020

Administrivia: DeepSec/DeepINTEL/ROOTS Speaker Benefits extended to 2021

René Pfeiffer/ July 8, 2020/ Call for Papers, Conference

The Call for Papers of DeepSec, DeepINTEL, and ROOTS have a deadline. DeepSec and DeepINTEL have set he first deadline to 31 July 2020. We will accept submissions after this date, but everyone who submitted before the deadline will be reviewed first. Since all speakers are entitled to benefits which depend on their presence at the conference we decided to extend these offers. If you submit your presentation for the 2020 events and cannot attend, then all benefits such as entry to the conference, travel cost reimbursement, our famous speaker’s dinner, your stay at the hotel, and everything else will stay valid until DeepSec 2021. The only condition is that your content must be presented (either virtually or by proxy). The offer is valid for DeepSec and ROOTS. DeepINTEL is a special case, because

0707, 2020

Bypassing CSP via ajax.googleapis.com – Dawid Czagan

Sanna/ July 7, 2020/ Training

Content Security Policy (CSP) is the number one defensive technology in modern web applications. Many developers add ajax.googleapis.com to CSP definitions, because they use libraries from this very popular CDN in their web applications. The problem is that it completely bypasses the CSP and obviously you don’t want that to happen. Since CSP should be part of any modern application, you better get to work and brush up your knowledge. In a free video Dawid Czagan (DeepSec Instructor) will show you step-by-step how your CSP can be bypassed by hackers. Watch this free video and feel the taste of Dawid Czagan’s Live Online Training ”Black Belt Pentesting / Bug Hunting Millionaire: Mastering Web Attacks with Full-Stack Exploitation” (training at DeepSec 2020; 17/18 November)

0107, 2020

Exploiting Race Conditions – Dawid Czagan

Sanna/ July 1, 2020/ Training

A race condition attack is one of the most dangerous and underestimated attacks on modern web applications. It’s related to concurrency and multithreading. As a result of this attack an attacker, who has $1000 in his bank account, can transfer way more than $1000 from his bank account. This is just one example, but it clearly shows how dangerous this attack is. If you develop or use software connected to a network, then this is for you. In a free video Dawid Czagan (DeepSec Instructor) will show you step-by-step how this attack works and tell you how to prevent this attack from happening. Watch this free video and feel the taste of Dawid Czagan’s Live Online Training ”Black Belt Pentesting / Bug Hunting Millionaire: Mastering Web Attacks with Full-Stack Exploitation” (DeepSec 2020; mind the date

0107, 2020

Lectures on Information Security

René Pfeiffer/ July 1, 2020/ Discussion, High Entropy

It’s time for an editorial to end our premature Covid-19 induced Summer break. We (as in the staff behind DeepSec/DeepINTEL) were busy with projects, preparations, following the news about the pandemic, and collecting information for our event(s) in November. Personally I have been involved in teaching for decades. The past months have shifted the focus heavily on virtual presences in the form of teleconferences. Keeping hundreds of students busy while explaining how operating systems work and how secure code looks tends to take up some of your time. Good network connections and decent hardware helped a lot, but there are a couple of problems with conveying content, concepts, and ideas. Let me show you what I mean. Getting good tutorials is hard. The new agile way of computer science is to ditch good documentation

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this: