DeepSec2020 Talk: Faulting Hardware from Software – Daniel Gruss

Sanna/ October 22, 2020/ Conference/ 0 comments

Fault attacks induce incorrect behavior into a system, enabling the compromise of the entire system and the disclosure of confidential data. Traditionally, fault attacks required hardware equipment and local access. In the past five years multiple fault attacks have been discovered that do not require local access, as they can be mounted from software. We will discuss the Rowhammer attack and how it can subvert a system. We then show that a new primitive, Plundervolt, can similarly lead to a system compromise and information disclosure. We asked Daniel a few more questions about his talk. Please tell us the top 5 facts about your talk. Software-based fault attacks, like Rowhammer, enables unprivileged attackers to manipulate hardware Hardware flaws can lead to privilege escalation and a full system compromise Plundervolt is another fault attack we

Read More

DeepSec Press Release: DeepSec and DeepINTEL 2020 as a hybrid conference. IT security in unusual times – events enable virtual access.

Sanna/ October 21, 2020/ Conference, DeepIntel/ 0 comments

There’s nothing like “business as usual” in information security. Vulnerabilities in software, malware, campaigns to attack companies and organizations as well as defending your own infrastructure know no break. In recent months, digital networking has been put to the test as the most important pillar of society and working life. It is often forgotten that not every chic app, every portal and digital trend is trustworthy. For security reasons the annual DeepSec and DeepINTEL conferences will run as a hybrid event. Virtual lectures and face-to-face presentations will be equally accessible to all participants and speakers. Digital protection has never been more important Digitization is quickly pronounced. Software is even faster labelled as secure. Unfortunately, the last few decades of security research have shown that weak points can only be reduced through consistent secure design

Read More

DeepSec2020 talk: Ransomware: Trends, Analysis and Solutions – Josh Pyorre

Sanna/ October 9, 2020/ Conference/ 0 comments

My talk on ransomware will be technical, but also tells the story of how it’s evolved, highlighting specific and interesting infections. I’ll walk through the history of ransomware, its relationship to cryptojacking, and the supporting software made up of malspam and exploit kits. We’ll also address the recent phase of ransomware data extortion. There will be demonstrations of current malware infections as well as unique methods and ideas for detection and hunting. We’ll end with multiple methods of prevention and mitigation, some using paid products, but with the focus primarily on opensource options. Since I work with approximately 15% of the internets DNS traffic in my job, I will be using some of that data to show statistics. Despite that, I’ve done my best to make sure this is not a talk about products from my company, and aim

Read More

Administrivia: DeepSec and DeepINTEL Preparations, Anti-Virus Issues, Schedule, and digital Conference

René Pfeiffer/ October 8, 2020/ Conference/ 0 comments

We have been stuck in administrative tasks for the past weeks. So to break the radio silence: Yes, DeepSec and DeepINTEL will happen. We currently prepare the hybrid configuration for the streams and the virtual platforms to bring speakers to the audience and vice versa. The conference hotel has confirmed that we can conduct the event at the usual location. Claiming that things look good is a bit of an exaggeration. Nevertheless we would like to go forward. Exchanging ideas and discussing current threats has never been more important than now. We hope to give you this opportunity, and we hope that you are able to participate. We have also created a couple of mailing lists for informal news, official press releases/articles, and future Calls for Papers to keep you informed. All lists are

Read More

DeepSec 2020 Talk: Scaling A Bug Bounty Program – Catalin Curelaru

Sanna/ October 8, 2020/ Conference/ 0 comments

Hacking, hackers and bug bounties are really getting constant headlines into the mainstream news. In the past few years we have seen an impressive growth in Bug Bounty Programs and at this point we really need to ask: Is a Bug Bounty Program a new layer to secure applications? Implementing a Bug Bounty Program can be challenging and requires some understanding of the nuances of how to make it successful or not. Actually, running a successful bug bounty program starts far before it is launched officially. What are the prerequisites and why can we consider a bug bounty program as a layer for your Application Security Program? How do you measure if you are successful or not and what are the KPIs? When are you ready to start such a program? Based on the

Read More

DeepSec 2020 Press Release: Digital information security has human weaknesses – DeepINTEL Security Intelligence Conference discusses strategic IT security in Vienna.

Sanna/ October 7, 2020/ DeepIntel/ 0 comments

In the last few decades, everyday professional and private life has been increasingly permeated by modern technologies and networked communication. In addition to many conveniences, this has also created difficult challenges for information security. Therefore more and more complex technical solutions are celebrated at many security conferences. The problem with the problems that are to be solved in this way: The human factor and its weak points, which can do totally without digitization. The DeepINTEL conference therefore deals with the interrelationships and strategic background of information security in order to minimize threats and improve protection in the long term. Errors in the System are part of the Foundation Reports of data leaks and spectacular break-ins appear in the news again and again. Unfortunately, only the results are shown. Of course, the search for clues

Read More

Translated Article: Urgent Warning of Back Doors in Citrix Systems

Sanna/ October 6, 2020/ Stories/ 0 comments

Dringende Warnung vor Hintertüren in Citrix-Systemen by Erich Moechel for fm4.ORF.at An unknown number of these VPN gateways, which protect important networks in Austria such as electronic official traffic, ministries, supermarket chains, etc., are infected with malware. Ransomware blackmailers are now attacking one network after another. After the huge security gap in Citrix dial-up systems (“Shitrix”) at the beginning of the year, the consequences are now coming to light. The German security consultants HiSolutions have recently discovered a number of encryption attacks that were carried out through back doors installed at the time. Large company and authority networks are affected, which, like the electronic file traffic of the Republic (ELAK), were open for weeks over the turn of the year. Almost all of these “VPN gateways” were backed up by software updates much too

Read More

DeepSec 2020 Training: Threat Modelling: The Ultimate “Shift Left” – Irene Michlin & Kreshnik Rexha

Sanna/ October 5, 2020/ Training/ 0 comments

The earlier in the life-cycle you pay attention to security, the better are the outcomes. Threat modelling is one of the best techniques for improving the security of your software. It is a structured method for identifying weaknesses on design level. The participants will learn the technique and gain practical skills through exercises. The curriculum of the training consists of : Threat modelling: introduction and motivation Data Flow Diagrams STRIDE Beyond STRIDE Prioritization Mitigations Integrating threat modelling in SDLC This training targets mainly blue teamers, as well as software developers, QA engineers, and architects; but will be also beneficial for scrum masters and product owners. We asked Irene and Kreshnik a few more questions about their training. Please tell us the top 5 facts about your training.  Lots of hands-on exercises and group work

Read More

DeepSec 2020 Talk: RedTeamOps – Mert Can Coskuner, Caglar Cakici

Sanna/ October 3, 2020/ Conference/ 0 comments

Red team operations involve many skills, the operation requires a lot of monitoring, consolidating and caution. In order to perform red team operations faster and stealthier, without thinking about the infrastructure, every team has its’ own habits and standards. However, there is a problem with those habits and standards: There are tons of tools but no operation management, No aggregation between these tools, When OPSEC fails due to problems above or any other reason, it’s essential to possess the capability of maintaining robust infrastructure which can be recreated if discovered, and more importantly, without any issues upon deployment. In this talk, infrastructure challenges we face as a red teamer will be discussed. Along with challenges, a solution will be proposed based on DevOps practices such as: Design your infrastructure based on the standards and

Read More

DeepSec 2020 Talk: Security of Home Automation Systems – A Status Quo Analysis For Austrian Households – Edith Huber, Albert Treytl

Sanna/ September 28, 2020/ Conference/ 0 comments

Home Automation System (HAS) are a growing market, which is very diverse ranging  from consumer electronics like TVs, mobile phones and gaming consoles via WLAN connected sensors, power plugs or lightbulbs to building automation devices for HVAC systems or access solutions. Beside “classical” network technologies IoT technologies gain increasing spread and importance. This paper presents results of a representative survey analysing the security awareness and perception as well as susceptibility to cybercrime of HAS users in Austria. The aim of this survey is to investigate the spread of the device types, cybercrime attacks and security risks. These results are compared with technical vulnerabilities of such devices to identify relevant security risks and countermeasures. Additionally, a concept to protect sensor values directly in the analogue circuit is presented as an outlook to ongoing research. We asked Edith and Albert a few more questions about their talk.   Please tell us the top facts about your talk. The most common HAS are Smart TV, voice assistants and surveillance cameras, but many other applications are on the rise. Respondents of the survey say

Read More

DeepSec 2020 Talk: Efficient Post-quantum Digital Signature – Maksim Iavich (DeepSec Scholar 2020)

Sanna/ September 25, 2020/ Conference/ 0 comments

Active work is being done to create and develop quantum computers. Traditional digital signature systems, which are used in practice, are vulnerable to quantum computers attacks. The security of these systems is based on the problem of factoring large numbers and calculating discrete logarithms. Scientists are working on the development of alternatives to RSA, which are protected from attacks by quantum computer. One of the alternatives are hash based digital signature schemes. Merkle digital signature scheme is the very promising alternative to the classical digital signature schemes. It must be emphasized, that the scheme has efficiency problems and can not be used in practice. Major improvements of the scheme lead to security vulnerabilities. I will show that Merkle uses hash functions many times. I will offer the improved implementation of the hash function. I

Read More

Administrivia: DeepSec 2020 will turn into a hybrid conference

René Pfeiffer/ September 22, 2020/ Administrivia, Conference/ 0 comments

The current travel warnings and COVID-19 statistics have an impact on the DeepSec 2020 conference. As we expected, travel is the major obstacle. This means that DeepSec 2020, ROOTS, and DeepINTEL will turn into a hybrid event. We will still be on-site at the conference hotel. Presentations will be on-site and available by our conference streaming platform in parallel. Speakers that cannot be in Vienna will stream their presentations. Everything will be live, and everyone attending physically and virtually can participate. Furthermore, we constantly update our COVID-19 health protection in order to keep you and everyone here in Vienna at the conference safe. Two trainings are already virtually (right from the start). We are exploring which trainings can switch to a virtual mode and will update the schedule accordingly. In case you are interested

Read More

DeepSec2020 Press Release: Industrial control systems put to the test. DeepSec conference organizes forum for the protection of Industrial Control Systems (ICS)

Sanna/ September 17, 2020/ Press/ 0 comments

When one talks about digitization, one usually means networked control and measurement systems. The associated technical term Industrial Control Systems (ICS) covers a wide area and extends into Industry 4.0, in which information security plays a very important role. The right design and secure code thus become part of critical infrastructure. This year’s DeepSec security conference offers a forum for the first time – the ICS Village – in which developers and security experts can exchange ideas and experience. The stated goal is to design control systems securely, to implement them robustly, to test them properly, and to protect these systems appropriately. Servant spirits of the infrastructure Control systems and automated process control normally lead an invisible existence. Production lines, building management, lighting control, traffic systems, industrial plants or power supply are indispensable parts

Read More

Administrivia: DeepSec 2020, Virtual Content, Travel Warnings, Trainings

René Pfeiffer/ September 16, 2020/ Conference/ 0 comments

Reading the news can be very frustrating these days. Not that it was ever fun. We are monitoring the current COVID-19 situation in Europe and abroad. Given the questionable start of the Corona Traffic Light system in Austria, we want to offer you some facts. The training Black Belt Pentesting / Bug Hunting Millionaire: Mastering Web Attacks with Full-Stack Exploitation and Mobile Security Testing Guide Hands-On will be virtual. This has been our and the trainer’s decision from the start due to travel regulations. Depending on the travel situation other trainings may switch to a virtual training as well. It depends on the content, and the trainers need to agree. Some of the DeepSec 2020 presentations will be virtual. Again this is due to travel regulations. Most of the presentation will still be on-site

Read More

DeepSec2020 Talk: The Art Of The Breach – Robert Sell

Sanna/ September 16, 2020/ Conference/ 0 comments

The Art of the Breach is designed to be a journey for anyone interested in physical security. Robert takes the audience on a trip from the public sidewalk outside a target organization all the way through to the executive filing cabinet in the President’s office. While many physical security talks focus strictly on the information security aspect of breaching, Robert will combine this with techniques used by first responders to enter a building. While social engineering and lock picking will be discussed, Robert will also outline the third option of forced entry. During this adventure, Robert discusses everything from successful reconnaissance to ensuring an easy exit afterwards. Robert spends time at each step to go over the various options for moving forward. Some of these options are easy and straightforward while others require preparations

Read More