Usually we are under high load after the conference because of the administrative tasks. 2022 was no exception, but the change of location still requires some attention. So this is a much delayed thank you for attending our events and speaking at DeepSec and DeepINTEL 2022! It was great to meet all of you in person. We also enjoyed talking about experiences with IT security, exchanging insights, sharing stories, and gathering inspiration for the next year. While virtual meetings can save time and help a lot, some things are best discussed face to face. The videos are nearly fully post-processed. We will inform our attendees and speakers first. In January 2023, you can enjoy the videos on our Vimeo account. The slides of the presentations can be downloaded from our DeepSec 2022 slide collection.
DeepSec 2022 Talk: Industrial-Security vs. IT-Security – What Can We Learn From Each Other? – Michael Walser
In the age of digitalisation, classic IT and industry are moving ever closer together. Devices are being networked and more and more smart devices are flooding the production hall. However, IT security is often disregarded in the process. Every device in the network can be compromised and requires an adapted strategy. Experience from 30 years of IT security gives the industry an orientation – but does not solve its problems. The challenges are often completely different, and the situation often requires completely different approaches. We try an approach and show experiences from the work with our customers and partners and give food for thought on what an IT security strategy for industry can look like and what both worlds can learn from each other. We asked Michael Walser a few more questions about his
DeepSec 2022 Talk: Cyber Maturity Doesn’t Just Happen. True Tales Of A Cyber Maturity Concept – Uğur Can Atasoy
Having a proper(!) security posture is more challenging than ever. Implementing the bare necessities for usability and security is scalable (literally), but the reality is always full of surprises. Dozens of assets, services, tools, requirements, workforce, risks and threats. How to keep the balance between usability, security and reputation while being honest with yourself? Many enterprises suffer from “keywords” and “trends” and have to pretend to be “proactive” by implementing the “latest” trends and approaches instead of solving the problems on “bits” that need “change”. When you look at enterprise-level security incidents, you can quickly notice that they have the latest tools, technologies and services, implemented the “Zero Trust Security” model, achieved base standards and compliance requirements, and hired the experts. Literally, they are prepared for almost all possible risks and threats, but they
Crisis communication is probably the hardest part of communication to get right – and the most important. Combine this with a successful attack attempt on a company’s network that completely shatters operation and you have all the ingredients for disaster. But especially in situations like this, it is imperative to stay calm and remain in contact with the outside world. In this talk, we will relay best practices for crisis communication and how they specifically apply to IR situations. We will show the best and the worst attempts to manage a crisis – and show that situations like this can reposition a company and build trust rather than loosing it. We asked Hauke Gierow and Paul Gärtner a few more questions about their talk. Please tell us the top 5 facts about your talk.
Complex systems is not a term indicating that you have stopped to understand something. The colloquial phrase „it’s complicated“ is often used as a joke. Complex systems have their own science. Information technology has managed to make our daily life easier. Applications manage vast amount of data, communication protocols transport countless numbers of messages, systems just work, and everything is fine. The problem is that code usually grows and never shrinks. This has implication for software development and for information security. The keynote will take you on a tour through complex systems, complexity, the limits of growth, and how the consequences can be managed in a sane way. The presentation will also try to remind you to ask questions, think twice about selecting appropriate metrics, and how to apply this approach to the tools
DeepSec Press Release: Analysis IT Security – DeepSec conference offers rich education for digital defence
Defending one’s digital infrastructure has never been more important. The fundamental problem of many defensive structures is the lack of an overview. Penetration tests help little if you don’t know exactly how your systems are connected to the rest of the world. This year’s DeepSec security conference offers rich support and content to sustainably increase one’s own security. On board is our supporter, the company NVISO, focusing specially on companies and organisations in critical areas. Security landscape requires collaboration Modern information technology is based on complex and extensive architectures. How do you determine the state of your own security? Many companies are not familiar with the different approaches of testing methods. The term “penetration test” has already entered the minds of many, but what findings and facts are obtained during such tests is often
DNS tunneling used as a covert-channel method to bypass security policies has ballooned in the landscape of Ransomware attacks in recent years. This can be attributed to CobaltStrike post exploitation tools becoming modus operandi of cybercrime syndicates operating with ransomware. Most of the detections rely on packet inspection, which suffers from scalability performance when an extensive set of sockets should be monitored in real time. Aggregation-based monitoring avoids packet inspection, but has two drawbacks: silent intruders (generating small statistical variations of legitimate traffic) and quick statistical fingerprints generation (to obtain a detection tool really applicable in the field). Our approach uses statistical analysis coupled with behavioral characteristics applied directly in the DNS resolver. This presentation will cover examples of the malicious tools used by threat actors and detections designed to protect from such tools.
DeepSec 2022 Talk: Attacking Developer Environment Through Drive-by Localhost Attacks – Joseph Beeton
There is a widespread belief that services that are only bound to localhost are not accessible from the outside world. Developers for convenience sake will run services they are developing configured in a less secure way compared to how they would (hopefully!) do in higher environments. By compromising websites developers use, just injecting JS into adverts served on those sites or just a phishing attack that gets the developer to open a web browser on a compromised page, it is possible to reach out via non pre-flighted http requests to those services bound to localhost, by exploiting common misconfigurations in Spring, or known vulnerabilities found by myself and others. I’ll demonstrate during the talk, it is possible to generate a RCE on the developer’s machine or other services on their private network. As developers
Reminder for your Training @DeepSec 2022: Bypassing Content Security Policy via ajax.googleapis.com – Dawid Czagan
Content Security Policy (CSP) is the number one defensive technology in modern web applications. Many developers add ajax.googleapis.com to CSP definitions, because they use libraries from this very popular CDN in their web applications. The problem is that it completely bypasses the CSP and obviously you don’t want that to happen. In a free video Dawid Czagan (DeepSec instructor) will show you step by step how your CSP can be bypassed by hackers. Watch this free video and feel the taste of Dawid Czagan’s training ”Black Belt Pentesting / Bug Hunting Millionaire: Mastering Web Attacks with Full-Stack Exploitation” (DeepSec 2022; 15-16 November; https://deepsec.net/speaker.html#WSLOT564) Dawid Czagan (@dawidczagan) is an internationally recognized security researcher and trainer. He is listed among the top hackers at HackerOne. Dawid Czagan has found security vulnerabilities in Google, Yahoo, Mozilla, Microsoft, Twitter and other companies.
PDF files are everywhere and they can be used to hack your web application. Imagine that the attacker prepares a malicious PDF file which steals sensitive data from a user. The PDF file is uploaded to the web application, the user reads this PDF file, and finally sensitive data is exfiltrated from the user’s browser. It’s scary, isn’t it? In a free video Dawid Czagan (DeepSec instructor) will show you step by step how this attack works and how you can check if your web application is vulnerable to this attack. Watch this free video and feel the taste of Dawid Czagan’s training ”Black Belt Pentesting / Bug Hunting Millionaire: Mastering Web Attacks with Full-Stack Exploitation” (DeepSec 2022; 15-16 November; https://deepsec.net/speaker.html#WSLOT564) Dawid Czagan (@dawidczagan) is an internationally recognized security researcher and trainer. He is listed
DeepSec 2022 Talk: Ukrainian-Russian Warfare In Cyberspace: Technological And Psychological Aspects – Sergiy Gnatyuk
On 24th of February, 2022, the life of Ukrainians has changed fundamentally. Russian troops attacked peaceful Ukrainian cities and civilian infrastructure, using all possible means and bridgeheads – land, sea, air and cyberspace. Predictably, given the technological conditions, the cyberspace has become one of the main arenas of combat in this war. Powerful cyber-attacks (more than 1,100 attacks so far) on the state’s critical information infrastructure were accompanied by destructive information and psychological effects and special psychological operations (PSYOP). However, as in other domains, Ukraine persevered in cyberspace, fought back and counterattacked the enemy. At DeepSec up-to-date information on the specifics of cyber-attacks on the technological infrastructures (DoS-attacks, malicious software, unauthorized data collection, etc.) will be presented and analyzed, as well as attacks on the population (mis- and disinformation, deep fakes, etc.). Current initiatives
Malware often has behaviors that can be used to identify other variants of the same malware families, typically seen in the code structure, IP addresses and domains contacted, or in certain text strings and variable names within the malware. However, it may be possible to identify malware, or anomalous behavior by analyzing the timing in between network transactions. My presentation will explore this idea using network captures of malicious activity amongst potentially normal network traffic, analyzed quickly with Python. We’ll explore this on network data with full visibility into the transactions as well as noisier encrypted traffic, where we’ll attempt to identify unusual activity based only on bandwidth. We asked Josh Pyorre a few more questions about his talk. Please tell us the top 5 facts about your talk. Signatures are the primary method
This presentation, conducted hundreds of times throughout the United States on Wall Street, at various American universities, and throughout the US Defense sector, will go into detail on the evolution of the Iranian cyber program, its current state and most common malware, as well as what geopolitical events and relationships influence Iranian cyber actors. It will also detail why Iran needs to be taken seriously as a digital threat, as they indeed operate at the same level as malicious Russian and Chinese threat actors. We asked Steph Shample a few more questions about her talk. Please tell us the top facts about your talk. Iran continues to quickly gain sophistication in Cyber. Its state sponsored (military and civilian) and cybercriminal operations have worldwide impact and deserve attention. Iran’s relationships with other adversaries like China
The difference between theory and practice is much smaller in theory than in practice. This also applies to physical and digital security in war zones. While those at home imagine journalists driving certified armored vehicles and using special encrypted devices, in practice, it is often a Toyota Corolla and WhatsApp. Why is that the case? I will try to explain the different aspects and reasoning behind the decisions on digital and physical security based on real-world experiences and examples. We asked Enno Lenze a few more questions about his talk. Please tell us the top 5 facts about your talk. How IT Nerds think you should prepare for a war zone and what it‘s like in reality Threat analysis and the question if you need a bulletproof vest What to pack when going to