DeepSec 2023 Talk: Zero-Touch-Pwn: Abusing Zoom’s Zero Touch Provisioning for Remote Attacks on Desk Phones – Moritz Abrell

Sanna/ September 7, 2023/ Conference

Cloud communication platforms like Zoom have become a fundamental aspect of modern communication and are widely used in daily work. However, in certain scenarios, traditional endpoints such as desk phones or analog gateways are still required. Today, these devices can be integrated with most major cloud communication providers through the use of their provisioning services, which centralize configurations and firmware. This session is about a security analysis of the Zoom “Zero Touch Provisioning” method with certified hardware. It will reveal several vulnerabilities that, when combined, allow an attacker to remotely compromise arbitrary devices, enable massive eavesdropping on conversations or rooms, remote control of devices, or using them as a pivot point to attack the adjacent corporate network. Be curious about the details of hard-coded cryptographic material, improper authentication, lack of immutable root of trust,

Read More

DeepSec 2023 Talk: Automating Incident Response: Exploring the Latest Conversational AI Tools – Hagai Shapira

Sanna/ September 6, 2023/ Conference

As security incidents become increasingly complex, it’s crucial for SOC and incident response teams to focus on actual malicious investigations. However, their ability to do so is often limited by time-consuming human interactions with stakeholders. In this talk, we’ll explore different levels of automation approaches for incident response, culminating in the latest additions of conversational AI tools. These tools enable full investigations with human stakeholders to be performed automatically, with an analyst only as a silent observer/supervisor. We’ll discuss the benefits and limitations of using conversational AI tools in incident response, as well as real-world examples of how these tools have been used effectively. By the end of the talk, attendees will have a better understanding of how to leverage this technology to streamline their incident response processes and improve their overall security posture.

Read More

DeepSec 2023 Talk: Horror Stories from the Automotive Industry – Thomas Sermpinis

Sanna/ September 4, 2023/ Conference

In this talk, we will revisit some of the scariest stories we faced during over 50 penetration testing and security research projects, with a twist. In the ever-emerging industry of automotive, with old and new OEMs trying to get a share of the pie, many things are at stake, with many things getting overlooked, forgotten, or even deliberately covered. We will go through a journey of critical findings in different targets and the constant battle between penetration testers, developers, and mid to upper management. This will help the audience get an understanding of how the industry behaves right now, what they (and what we) are doing wrong, and how the future of automotive security should be shaped, not only for the sake of security but also for the sake of safety and reliability. This

Read More

DeepSec 2023 Talk: The Attacker Mindset: Practical Lessons from the Field – Yossi Sassi

Sanna/ September 1, 2023/ Conference

Occasionally we come across the expression “attacker mindset”, yet without properly understanding what it means in practice. What does it REALLY mean? Is it a different way of thinking? Planning? Improvising? Or execution? Or maybe all of the above? We’ll dive into some practical examples & hands-on demos to understand what this term actually means, from an engagement perspective. We asked Yossi a few more questions about his talk. Please tell us the top 5 facts about your talk. Based on real-world engagements at dozens of customers worldwide, four continents, including Fortune 100 companies. Learn how to “think” like an adversary, not just hear about tools & techniques. Various hands-on demos to demonstrate the session topic. Cool research and code from self exploration. Gain overall insights, whether you are a Red or Blue teamer

Read More

DeepSec 2023 Talk: Nostalgic Memory – Remembering All the Wins and Losses for Protecting Memory Corruption – Shubham Dubey

Sanna/ August 31, 2023/ Conference

Memory corruption, a vulnerability that emerged in the 1980s and gained prominence with the discovery of the first buffer overflow in the fingerd Unix application exploited by the Morris worm in 1988, has since become a significant concern in the field of information security. Its prevalence was further underscored by the influential Phrack edition 49 titled “Smashing the Stack for Fun and Profit” in 1996. Today, memory corruption remains one of the most pressing security challenges, compelling the entire defensive security industry to develop robust countermeasures. This session aims to delve into the progress made by the security industry in mitigating and protecting against different types of memory corruption, as well as the current state of these efforts. During the talk, I will explore various techniques that have been introduced worldwide to safeguard against

Read More

DeepSec 2023 Press Release: Language Models do no cognitive Work –

Sanna/ August 30, 2023/ Conference, Press

The term Artificial intelligence (AI) is in the media, but it consists only of language simulations. If one follows the logic of the products currently offered under the AI label, we could easily remedy the shortage of skilled workers in the information technology sector. Take random people and let them consume tutorials, code examples, training videos and other documents related to the field of application for a few months. After this learning phase, skilled workers would automatically be available. TThe DeepSec conference is asking why there is still a lack of qualified personnel in IT. Algorithmically, the problem already seems to have been solved. Large Language Models (LLMs) and AI The so-called generative AI, which is now on everyone’s lips, is mathematically assigned to the research field of artificial intelligence. GPT, LLaMa, LaMDA or

Read More

DeepSec 2023 Press Release: DeepSec 2023 publishes Programme – This year’s conference focuses on language models and infrastructure

Sanna/ August 30, 2023/ Conference, Press

  Everyone is discussing Artificial Intelligence language models that have vast amounts of learning data. Language models are supposed to revolutionise information technology overnight, but their first applications are actually digital attacks. TThe current state of deep fake detection, social engineering attacks, and security incident response benefits will be highlighted at the DeepSec security conference this year. Of course, there are many more presentations that are indispensable for digital defence. Language models do not think, they forge Attacks through phishing emails and social engineering bypass technical measures through communication. By imitating victims’ language, attackers try to get them to support the attack with their own actions. Artificial persuasion is the speciality of AI language models, as they are designed to simulate conversation. Alexander Hurbean discusses which tools are available for these attacks and how

Read More

DeepSec 2023 Training: Security Intelligence: Practical Social Engineering & Open-source Intelligence for Security Teams – Christina Lekati

Sanna/ August 25, 2023/ Conference, Interview, Training

Social engineering attacks remain at the top of the threat landscape and data breach reports. Reports tend to oversimplify breaches as just phishing attacks, but current research shows it’s more complex. Social engineering attacks have been evolving. Successful phishing emails are usually a result of a larger attack based on research and intelligence that identifies organizational vulnerabilities. But it doesn’t stop there. Weaponized psychology is still a powerful component of social engineering attacks. Security professionals and testers need to know how social engineering works and how to stop attacks. This class aims to provide participants with the necessary knowledge on open-source intelligence and social engineering, to help security teams build better protective measures (proactive & reactive) and to inform their security strategy. It also aims to help penetration testers improve their recommendations and provide

Read More

DeepSec 2023 preliminary Schedule published

René Pfeiffer/ August 25, 2023/ Administrivia, Conference

The schedule for DeepSec 2023’s first version has been published. We are still stuck in reviews, so there will be some more updates in the coming weeks. Especially the third track with technical sessions and presentations will see some updates. Read some more on the technical track in one of our next blog articles. We received a lot of submissions, so we are very grateful for your support and the great ideas you sent us. Because of the limitations of our schedule, the reviewers had a hard time making a selection. The final status of all submissions will be sent to all submitters within the next few days. The following weeks will feature every presentation in more detail with an interview or an article about the content. The mix of topics is definitely the

Read More

AI Content Harvesting without Opt-Out? Goodbye, Zoom!

René Pfeiffer/ August 7, 2023/ Conference

DeepSec has used the Zoom videoconferencing tool since 2020. It was really helpful for the 100% online conferences back then. Apparently, Zoom has changed its terms of service. The new version is completely unacceptable for any conference. This means we are leaving Zoom, and we recommend you do the same. The reason is the ongoing „AI pandemic“. Content is king, but content theft is the emperor these days. If you look at the Zoom terms of services and read chapter 10.4, you see that Zoom likes to use everything you do via the platform for any use the company can think of. There is no opt-out, it seems. We have ended our subscriptions and will delete our account. We will switch to OpenTalk, which is GDPR-compliant and hosted in European data centres. OpenTalk is

Read More

DeepSec Scuttlebutt: Fun with Fuzzing, LLMs, and Backdoors

René Pfeiffer/ July 31, 2023/ Call for Papers, Scuttlebutt

[This is the blog version of our monthly DeepSec Scuttlebutt musings. You can subscribe to the DeepSec Scuttlebug mailing list, if you want to read the content directly in your email client.] Dear readers, the Summer temperatures are rising. The year 2023 features the highest measured temperatures in measurement history. This is no surprise. The models predicting what we see and feel now have been created in the 1970s by Exxon. So far, the model has been quite accurate. What has this to do with information security? Well, infosec also uses models for attack and defence, too. The principles of information security has stayed the same, despite the various trends. These are the building blocks of our security models. They can be adapted, but the overall principles have little changed from two-hosts-networks to the

Read More

Helpful Hints for writing Presentations

René Pfeiffer/ July 31, 2023/ Call for Papers, Communication, Conference

Today the call for papers for DeepSec 2023 and DeepINTEL 2023 ends. If you have some ideas, please let us know by submitting a proposal. Since we have a lot of experience with reviewing presentation outlines. Before you create a brief description of your mind-blowing talk, please have a look at our suggestions. The title is important! Don’t go overboard with cryptic memes, insider jokes, or movie titles. Not everyone will have the knowledge of understanding what the presentation is about. Your title needs to reflect what you are talking about. You can always use subtitles or a tag line if you really want to mimic film posters. Also keep it short! The 80 letter limit is not only for Usenet veterans. Long titles are hard to memorise. Your title should not replace the

Read More

Reminder – Call for Papers DeepSec and DeepINTEL 2023

René Pfeiffer/ July 7, 2023/ Call for Papers, Communication

The Summer holidays may already be here, but we have something to think about over the weekend. The call for papers for both DeepSec and DeepINTEL 2023 is still open. It ends on 31 July 2023. The focus for DeepSec will be on the use of large language model algorithms (we don’t like the term artificial intelligence, because there are not cognitive functions involved in the current LLMs). How can these toys be used for offensive of defensive purposes? Can you improve existing security measures by adding LLMs? What are the dangers of these LLMs for your own digital assets? Let us know. DeepINTEL is looking for all things security intelligence. The focus is on detecting and analysing attacks. Estimating the capabilities of (y)our adversaries is also of interest. In case you have some

Read More

Training Teaser: Token Hijacking via PDF File – Video Tutorial

René Pfeiffer/ July 4, 2023/ Conference, Security, Training

Tokens make the world go around. Therefore, we want to share with you the next teaser about Dawid Czagan’s training at DeepSec 2023. PDF files are everywhere and they can be used to hack your web application. Imagine that the attacker prepares a malicious PDF file which steals sensitive data from a user. The PDF file is uploaded to the web application, the user reads this PDF file, and finally sensitive data is exfiltrated from the user’s browser. It’s scary, isn’t it? Dawid will show you in a free video step by step how this attack works and how you can check if your web application is vulnerable to this attack. Watch the video and consider joining Dawid Czagan’s training Full-Stack Pentesting Laboratory: 100% Hands-On + Lifetime LAB Access (14-15 November, DeepSec 2023).

DeepSec Scuttlebutt: Tech Monsters from Novels and the Call for Papers Reminder

René Pfeiffer/ July 3, 2023/ Call for Papers, Conference, Stories

[This message was published via our DeepSec Scuttlebutt mailing list. The text was written by a human. This is a repost via our blog and Mastodon. Our Call for Papers for DeepSec 2023 is still running. If you have interesting content, please submit your idea.] Dear readers, the wonderful world of computer science and teaching courses has kept me busy. The scuttlebutt mailing list has the aim of having at least one letter per month. It is now the end of June, and the Summer has begun here in Vienna. The university courses have finished. The grades are ready. More projects are waiting. In information society, it is never a good idea to wait until something happens. A lot of blue teams are busy improving defences, testing configurations, and rehearsing their processes. However, there

Read More