Press Release: Modern Desktops as a Security Hole – DeepSec Conference offers Trainings and Tests for Secure Applications
What do a modern office application and a fancy oil pipeline have in common? A desktop that led to disaster. Graphical interfaces for operating computers go back to research in the 1960s and 1970s. At that time, the question was how computers could best support people. By the 1990s at the latest, the desktop had become a battleground for market dominance. That has stayed the same, only now there are additional security aspects. After all, the desktop is often an attacker's first step toward a company's digital treasures. The annual DeepSec conference offers security experts and developers a two-day crash course on desktop security.
No attack without interaction
Many successful attacks on companies or infrastructure depend on the cooperation of the victims. Malware is executed using tricks, and only then does it compromise the system. Fake e-mails with manipulated documents or websites are used to persuade the victims. The actual attack then exploits known vulnerabilities, with the help of which the local computer is taken over. In the heyday of the home office, there will always be some easy prey. The desktop is only the surface on which the applications in use are executed. To prepare for these attacks, you need to know the components that do the actual work and that represent the content. Ultimately, the procedure is no different from that for attacks against server systems or networks. The tools are just different.
Server technologies in the desktop
Nowadays, applications should be available on different platforms. During implementation, developers use software libraries that make it easier to adapt to desktops from different manufacturers. Prominent examples of this are JavaScript, HTML and layout components that were originally intended for web servers. The Electron framework uses web technology to implement portable applications for various graphical interfaces. The application then becomes a website with content that is generated locally. This saves developers from having to convert the peculiarities of the respective platform into program code. In terms of security, numerous attacks that can be used on web applications can of course also be carried out on programs on the local desktop. Common applications such as Microsoft® Teams, Skype, Bitwarden, Slack or Discord use Electron, which makes them susceptible to these attacks.
Of course, modern desktop interfaces contain other components that can be used as well. Security researchers have been dealing with this for years.
Two-day security training
In November, the DeepSec conference will again offer trainings on attack and defense. One of the workshops is dedicated exclusively to the properties of the modern desktop. It is not about exploiting unknown vulnerabilities. Rather, one learns from practical examples which security models desktops use, what has to be observed and how the surface can be secured against attacks. In between, one can experience directly from examples the negative impact of a lack of security. The content is suitable for both beginners with basic knowledge and advanced users. The target audience is everyone who has to deal with the topic from a security point of view, as well as developers of desktop applications – especially users of desktops in critical infrastructure.
The knowledge imparted is essential for security tests, development or protection of the desktop through particularly secure configuration. This is to give companies a tool to better protect their own employees. After all, just like server systems, desktops are directly entrusted with the processing of potentially dangerous data. Protection must be able to be depicted on the screen from start to finish.
Lifetime updates
The documents and test systems for the course are made available to participants digitally. Access does not expire after training, but can be used indefinitely. This includes the current course and any subsequent expansion. The trainers Abraham Aranguren and Anirudh Anand also offer access to their many years of experience in dealing with penetration tests in the field of desktops.
The two-day training is designed for face-to-face and virtual lessons. It can therefore take place in any case.
Programs and booking
The DeepSec 2021 conference days are on November 18th and 19th. The DeepSec trainings will take place on the two preceding days, November 16th and 17th. All trainings (with a few exceptions) and lectures are intended as face-to-face events, but depending on future COVID-19 measures, they may take place partially or completely virtually.
The DeepINTEL Security Intelligence Conference will take place on November 17th. Since this is a closed event, we ask for direct inquiries about the program. We provide strong end-to-end encryption for communication: https://deepsec.net/contact.html
You can order tickets for the DeepSec conference and the trainings online at any time at https://deepsec.net/register.html. Sponsor discount codes are available. If you are interested, please contact deepsec@deepsec.net. Please note that we depend on timely ticket orders so that we can plan reliably.