1511, 2017

ROOTS: Out-Of-Order Execution As A Cross-VM Side Channel And Other Applications – Sophia d’Antoine

Sanna/ November 15, 2017/ Conference, Security

Given the rise in popularity of cloud computing and platform-as-a-service, vulnerabilities, inherent to systems which share hardware resources, will become increasingly attractive targets to malicious software authors. In this talk, Sophia will introduce a novel side channel across virtual machines through the detection of out-of-order execution. She and her colleagues created a simple duplex channel as well as a broadcast channel. She’ll discuss possible adversaries for this channel and proposes further work to make this channel more secure, efficient and applicable in realistic scenarios. In addition, she considers seven possible malicious applications of this channel: theft of encryption keys, program identification, environmental keying, malicious triggers, denial of service attacks, determining VM co-location, malicious data injection, and side channels. We asked Sophia a few questions about her talk. Please tell us the top 5 facts

1511, 2017

DeepSec 2017 Talk: OpenDXL In Active Response Scenarios – Tarmo Randel

Sanna/ November 15, 2017/ Conference

Automating response to cyber security incidents is the trend which is – considering increasing amount of incidents organizations handle and ever-increasing attack surface – already becoming mainstream. In this talk Tarmo explores the options of using OpenDXL in real life situation of mixed environments, legacy solutions and multiple vendors for connecting existing (and future) cyber security system components for coordinated information exchange and orchestrating incident response action. Tarmo is a researcher at NATO Cooperative Cyber Defence Center of Excellence, various research projects and developing for large scale cyber exercises. He’s also a developer at the Estonian eHealth Foundations, “Kickstarting” in-house development team. Tarmo’s creating supporting infrastructure, preparations and execution of plans for taking over selected external vendor development projects. He’s Head of Department at CERT-EE, Running Computer Emergency Response Team, Information security expert at CERT-EE,

1411, 2017

ROOTS: On The (In-)Security Of JavaScript Object Signing and Encryption – Dennis Detering

Sanna/ November 14, 2017/ Security

JavaScript Object Notation (JSON) has evolved to the de-facto standard file format in the web used for application configuration, cross- and same-origin data exchange, as well as in Single Sign-On (SSO) protocols such as OpenID Connect. To protect integrity, authenticity and confidentiality of sensitive data, JavaScript Object Signing and Encryption (JOSE) was created to apply cryptographic mechanisms directly in JSON messages. We investigated the security of JOSE and present different applicable attacks on several popular libraries. We introduce JOSEPH (JavaScript Object Signing and Encryption Pentesting Helper) – our newly developed Burp Suite extension, which automatically performs security analysis on targeted applications. JOSEPH’s automatic vulnerability detection ranges from executing simple signature exclusion or signature faking techniques, which neglect JSON message integrity, up to highly complex cryptographic Bleichenbacher attacks breaking the confidentiality of encrypted JSON messages.

1411, 2017

DeepSec2017 Talk: Building Security Teams – Astera Schneeweisz

Sanna/ November 14, 2017/ Conference

While ‘security is not a team’, you’ll find that most companies growing just beyond 60-80 people start employing a group of people focusing primarily on the topic. But the culture of secure engineering in a company does not only strongly correlate with when you start building a security team – it becomes (and grows as) a matter of how they connect with the rest of your organization, and make security, adversarial thinking, and the care for user safety and privacy part of everyone’s concern. In this talk, Astera will review what the purposes of a security team can be, which challenges you’ll face, how you can make it scale beyond the team’s boundaries; as well as proven good practices of running (fairly operational) engineering teams themselves. Whether your organization already has a security team

1411, 2017

Notes on the ROOTS Schedule and the Conference

René Pfeiffer/ November 14, 2017/ Administrivia, Conference, Discussion

We are all set for the conference on Thursday. We did some last minute changes to the schedule due to some speakers running into issues, but we can confirm almost all presentations.You may have noticed the ROOTS schedule. It’s a bit shorter than DeepSec’s, but both events are not competing. The review for ROOTS is a lot harder, because the presentation is about a scientific publication. This means your submission gets peer-reviewed and voted by the programme committee. We received some content more suitable for, let’s say, standard events. This won’t do, and this is why you see the best submissions of ROOTS published in the schedule. All in all we are very glad to present you high quality presentations from speakers who really know information security. Enjoy! See you at DeepSec!

1411, 2017

DeepSec 2017 Talk: How I Rob Banks – Freakyclown

Sanna/ November 14, 2017/ Conference, High Entropy, Security

You are in for an adventure at DeepSec this year. We have a tour on robbing banks for you: A light-hearted trip through security failures both physical and electronic that have enabled me over the years to circumvent security of most of the worlds largest banks. Through the use of tales from the front line and useful illustrative slides, I will attempted to take you through the lessons to be learned from an ethical hacker with a penchant for breaking into the impossible. Let me take you on a rollercoaster ride of epic fails and grandiose plans and my Jason Bourne like adventures including Lockpicking, Kidnap, Police chases and multi-million pound bank heists. FC is a well-known ethical hacker and social engineer. He has been working in the infosec field for over 20 years

0311, 2017

Screening of “The Maze” at DeepSec 2017

René Pfeiffer/ November 3, 2017/ Administrivia, Conference, High Entropy

We have some news for you. Everyone attending DeepSec 2017 will get a cinematic finish on the last day of the conference. We will be showing The Maze by Friedrich Moser. For all who don’t know Friedrich’s works: He is the director of A Good American which was screened at DeepSec 2015. The Maze is a documentary covering terrorism, counter-terrorism, surveillance, business, and politics. So it’s basically information security in a nutshell. Right after the closing of DeepSec you can enjoy The Maze – with popcorn and hopefully everyone who is attending DeepSec. We have seen the documentary before, and we highly recommend it! The Maze from Friedrich Moser on Vimeo.

3110, 2017

DeepSec 2017 Workshop: Smart Lockpicking – Hands-on Exploiting Contemporary Locks and Access Control Systems – Slawomir Jasek

Sanna/ October 31, 2017/ Conference, Training

You can, quite reasonably, expect smart locks and access control systems to be free from alarming security vulnerabilities – such a common issue for an average IoT device. Well, this training will prove you wrong. After performing multiple hands-on exercises with a dozen of real devices and various technologies, you will never look at the devices the same way. Smart lockpicking is something to scare you, not just on Halloween. We asked Slawomir a few questions about his training: Please tell us the top 5 facts about your workshop. Focused on hands-on, practical exercises with real devices Lots of various topics and technologies covered Regardless if you are a beginner or a skilled pentester, you will learn something new and have a good time Many exercises designed as “homework”, possible to repeat

3010, 2017

The only responsible Encryption is End-to-End Encryption

René Pfeiffer/ October 30, 2017/ High Entropy, Security

Last week the Privacy Week 2017 took place. Seven days full of workshops and presentations about privacy. This also included some security content as well. We provided some background information about the Internet of Things, data everyone of us leaks, and the assessment of backdoors in cryptography and operating systems. It’s amazing to see for how long the Crypto Wars have been raging. The call for backdoors and structural weaknesses in encryption was never silenced. Occasionally the emperor gets new clothes, but this doesn’t change the fact that some groups wish to destroy crypto for all of us. The next battle is fought under the disguise of responsible encryption. Deputy Attorney General Rod J. Rosenstein invented this phrase to come up with a new marketing strategy for backdoors. Once you have backdoors in any

2510, 2017

DeepSec 2017 Talk: BitCracker – BitLocker Meets GPUs – Elena Agostini

Sanna/ October 25, 2017/ Conference

Encryption and ways to break it go hand in hand. When it comes to the digital world, the method of rapidly using different keys may lead to success, provided you have sufficient computing power. The graphics processing units (GPUs) have come a long way from just preparing the bits to be sent to the display device. Nowadays GPUs are used for a lot of computational expensive tasks. At DeepSec 2017 you will hear about keys, encryption, and storage encryption – all with the use of GPUs, but forthe purpose of cracking keys. BitLocker (formerly BitLocker Drive Encryption) is a full-disk encryption feature available in recent Windows OS (Vista, 7, 8.1 and 10). It is designed to protect data by providing encryption for several types of memory units like internal hard disks or external removable

1710, 2017

DeepSec 2017 Talk: Who Hid My Desktop – Deep Dive Into hVNC – Or Safran & Pavel Asinovsky

Sanna/ October 17, 2017/ Conference

Seeing is believing. If you sit in front of your desktop and everything looks as it should look, then you are not in the Matrix, right? Right? Well, maybe. Manipulating the surface to make something to look similar is a technique also used by phishing, spammers, and social engineers. But what if the attacker sitting on your computer does not need to see what you see? Enter hidden virtual network computing where malicious software controls your system, and you don’t know about it. Since the past decade, financial institutions are increasingly faced with the problem of malware stealing hefty amounts of money by performing fraudulent fund transfers from their customers’ online banking accounts. Many vendors attempt to solve this issue by developing sophisticated products for classifying or risk scoring each transaction. Often, identifying legitimate

1710, 2017

DeepSec Talk 2017: Normal Permissions In Android: An Audiovisual Deception – Constantinos Patsakis

Sanna/ October 17, 2017/ Conference, Security

The Marshmallow version was a significant revision for Android. Among the new features that were introduced one of the most significant is, without any doubt, the runtime permission. The permission model was totally redesigned, categorising the permissions into four main categories. The main concept of this categorisation is how much risk a user is exposed to when permissions are granted. Therefore, normal permissions imply the least risk for the user. However, in this case, there are some important issues. Firstly, these permissions are not actually displayed to the user; they are not displayed upon installation and the user needs to dig into several menus to find them for each app. Most importantly though, these permissions cannot be revoked. Unlike permissions categorized as dangerous, where the user can grant or revoke a permission whenever deemed

1610, 2017

DeepSec2017 Workshop: Mobile App Attack – Sneha Rajguru

Sanna/ October 16, 2017/ Conference, Training

The world’s gone mobile. Mobile devices have surpassed the standard computer (i.e. desktop) installation multiple times. In turn this means that you will encounter these devices most definitely when testing or implementing security measures. Usually adversaries do not use the platform itself. They use software to gain entry. This is why mobiles apps are the most preferred way of delivering the attacks today. Understanding the finer details of mobile app attacks is soon becoming an essential skill for penetration testers as well as for the app developers & testers. This is why we have a special training for you at DeepSec 2017. So, if you are an Android or an iOS user, a developer, a security analyst, a mobile pen-tester, or just a mobile security enthusiast the training ‘Mobile App Attack’ is of definite

1210, 2017

Science First! – University of Applied Sciences Upper Austria (FHOOe) supports DeepSec

René Pfeiffer/ October 12, 2017/ Conference, Security

The motto of DeepSec 2017 is „Science first!“. This is expressed by the co-located ROOTS workshop, many speakers from academics, topics fresh from the front lines of research, and a mindset that favours facts over fake content or showmanship. This is why we want to thank the University of Applied Sciences Upper Austria for their continued support of DeepSec! Their motto is Teaching and learning with pleasure – researching with curiosity, which fits nicely into the mindset of most information security researchers. They have a wide range of very interesting research projects. If you are interested in courses or collaboration as a company, let them now. We are happy to support you with your enquiry. Lest you forget: DeepSec offers a steep discount for anyone in academic research – be it student or professor.

1210, 2017

DeepSec 2017 Workshop: Hunting The Adversary – Developing And Using Threat Intelligence – John Bambenek

René Pfeiffer/ October 12, 2017/ Conference, Security Intelligence, Training

The arsenal of components you can use for securing your organisation’s digital assets is vast. The market offers a sheer endless supply of application level gateways (formerly know as „firewalls“), network intrusion detection/prevention systems, anti-virus filters for any kind of platform (almost down to the refrigerator in the office), security tokens, biometrics, strong cryptography (just stay away from the fancy stuff), and all kinds of Big Data applications that can turn shoddy metrics into beautiful forecasts of Things to Come™ (possibly with a Magic Quadrant on top, think cherry). What could possibly go wrong? Well, it seems attackers still compromise systems, copy protected data, and get away with it. Why is that? Easy: You lack threat intelligence. Security often doesn’t „add up“, i.e. you cannot improve your „security performance“ by buying fancy appliances/applications and

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this: