DeepSec 2022 Talk: Protecting Your Web Application/API With CrowdSec – Klaus Agnoletti

Sanna/ October 7, 2022/ Conference

Protecting your web applications and APIs are more important than ever. Especially these days where one can deploy their application in the cloud, where everything but the application itself is a standardized application constantly updated for you by continuous patch processes, it is more evident than ever that the biggest risk is present in the code you produce yourself and expose to the internet. But what are the risks? And how to mitigate them? And is it true that APIs don’t need to be secured as much as your website? All competent security professionals know that there’s no such thing as a silver bullet, so obviously creating an AppSec program is inevitable to achieve a sufficient security posture. But how do we handle the remaining risks? CrowdSec is a FOSS security tool that can

Read More

DeepSec Talk 2022: Anticipating Damage Control: Communicating About Cybersecurity Within And Outside Organizations – Prof. Matthieu J. Guitton

Sanna/ October 5, 2022/ Conference

Although cybersecurity aims at protecting individuals and organizations from the threats emerging from the massive use of and dependency upon digitalized spaces, the efforts of cybersecurity experts unfortunately do not always succeed in doing so. Therefore, integrated cybersecurity strategies of large organizations should minimally include a plan for damage control. Damage control strategies are typically handled by public relations experts and tend to follow a classical narrative, combining a mix of both apologizing and reassuring discourses. However, in an age of communication technologies, efficient narrative strategies have to be multi-layered. Indeed, while damage control is typically conceptualized as taking place after the occurrence of a damage causing event, it should also include an anticipatory component, both dealing with communication planning and pre-event communication. Furthermore, a damage control narrative can not exclusively focus on a

Read More

DeepSec 2022 Talk: Malware And Exfiltration : A Telegram Story – Godwin Attigah

Sanna/ October 4, 2022/ Conference

Exfiltration and command and control are essential parts of the adversary’s kill chain. One of the primary goals of a malicious adversary is to exfiltrate data from an environment undetected and uninterrupted. As a result, several attackers have opted for third-party services typically sanctioned for most enterprises. The accepted status of such applications coupled with an established developer ecosystem makes services such as Slack and Telegram suitable for their exfiltration and command-and-control tool of choice. We have observed the usage of Telegram in different malicious activities including but not limited to ransomware, phishing, remote access trojans and stealers. We will discuss active samples found in the wild with a particular emphasis on stealers. Stealers are a class of malware that is primarily interested in gathering information on a host. Recent examples of Telegram in

Read More

DeepSec Talk 2022: Automatic Recovery Of Cyber Physical Systems Applications Against Known Attacks – Dr M Taimoor Khan

Sanna/ September 28, 2022/ Conference

Recovering a software application against an arbitrary attack is an intractable problem because of inadequate information available about compromised components of the application. Therefore, to this end, we have developed a method and supporting tools that can automatically detect and recover the execution of a cyber-physical system application against known attacks. The method can detect and recover the application against cyber, physical, and cyber-physical attacks. However, based on the availability of adequate information about the compromised components, the method supports three different recovery strategies, e.g., “full recovery” – recovers the last secure state of the application, “partial recovery” – recovers a specific state of the application and “no recovery” – recovers application by a user-provided action. Specifically, the method is based on program verification that allows the specifying of various attacks and their recovery

Read More

DeepSec Talk 2022: We Are Sorry That Your Mouse Is Admin – Windows Privilege Escalation Through The Razer Co-installer – Oliver Schwarz

Sanna/ September 26, 2022/ Conference

Device-specific co-installers have repeatedly allowed for Windows privilege escalation. Through Windows’ plug’n’play concept, attackers don’t need to rely on any pre-installed software on the victim client. All they need is a peripheral device associated with the vulnerable driver – or simpler, a hacking device that simply impersonates such device. In this talk, I’ll will report on his responsible-disclosure journey for a DLL hijacking in the Razer Synapse service for gaming devices. The journey starts with me trying to fake a vulnerability and suddenly realizing that the vulnerability is actually real. It continues with a support team that apologized to me for my escalated privileges. You will also learn about a number of fixing attempts and insights about Windows’ access control that helped to circumvent these attempts. The final twist: we recently discovered that the

Read More

DeepSec 2022 Training: Practical Secure Code Review – Seth Law, Ken Johnson

Sanna/ September 23, 2022/ Training

Ready to take your bug hunting to a deeper level? Ever been tasked with reviewing source code for SQL Injection, XSS, Access Control and other security flaws? Does the idea of reviewing code leave you with heartburn? This course introduces a proven methodology and framework for performing a secure code review, as well as addressing common challenges in modern secure code review. Short circuit your development of a custom secure code review process by gleaning from Seth & Ken’s past adventures in performing hundreds of code reviews and the lessons we’ve learned along the way. We will share a proven methodology to perform security analysis of any source code repository and suss out security flaws, no matter the size of the code base, or the framework, or the language. We asked Seth and Ken

Read More

DeepSec 2022 Talk: Wireless Keystroke Injection As An Attack Vector During Physical Assessments – Simonovi Sergei

Sanna/ September 16, 2022/ Conference

A lot of wireless input devices are vulnerable to keystroke injection due to the lack of security mechanisms, which makes it a perfect attack vector. During the attack, an attacker can send any text string to the victim machine acting as a remote keyboard, which can lead to quick and stealthy compromise of the system. No antivirus software shall spot the attack, as the keyboard, even remotely, is not malicious by itself and is always trusted. We asked Simonovi Sergei a few more questions about his talk. How did you come up with it? Was there something like an initial spark that set your mind on creating this talk? I came up with the idea of using a wireless keystroke injection during one unfortunate physical engagement, during which my team could not get any

Read More

DeepSec 2022 Talk: OPSEC – The Discipline Of The Grey Man – Robert Sell

Sanna/ September 14, 2022/ Conference

During operations, it is not unusual for us to get excited about the target and to prematurely begin before we have adequately prepared. As a result, this can not only spoil an operation but can cause dire life-threatening consequences. This talk goes over why OpSec is so important, failures people often make and how we can greatly improve our operational security during intelligence gathering and operations. While I will cover sock puppets and other techniques in detail, I will also cover physical considerations, habits and other areas where risks can be generated unless the operator is careful and diligent. We asked Robert Sell a few more questions about his talk. Please tell us the top 5 facts about your talk.  I start by providing a better definition of OpSec Then, we look at why

Read More

DeepSec 2022 Training: Deep Dive Into Malicious Office Documents For Offensive Security Professionals – Didier Stevens

Sanna/ September 13, 2022/ Conference

Malicious Office documents have been on the radar for many years now. But do you know how to create and tailor them efficiently to achieve successful red team engagements? This training will first teach you how to analyse MS Office files (both “old” OLE and “new” XML formats) and PDF files, to better understand how to create them and evade detection. MS Office documents that execute code via macros. And we will take a very quick look at PDF too. Didier Stevens will teach you how to use his Python tools to analyse MS Office documents and PDF documents. Then we will move on to the creation of malicious documents, and Didier will teach you how to use his tools for Microsoft Office and PDF creation for offensive security. Several of these tools are

Read More

DeepSec 2022 Talk: Vanquish: Analysis Everywhere with Smartphones – Hiroyuki Kakara

Sanna/ September 9, 2022/ Conference

I couldn’t sleep well until I developed the “Vanquish.” I couldn’t fully enjoy Disneyland until I developed the “Vanquish.” I was always thinking about 2nd and subsequent payloads of malware of my interest. I was always hoping that C2 servers are available until I reached my malware analysis desktop. But the Vanquish changed my life. He tries to collect all the samples that appear in twitter accounts of your interests. He analyzes those samples and tries to get the next stage samples when I am in bed. And I can ask him to analyze malware from your iPhone even while I’m in Disneyland. The core of the Vanquish is the system which crawls specified twitter accounts every specified minute, parses hashes from the tweet bodies or web sites tweeted, downloads the sample from malware

Read More

DeepSec 2022 Talk: Cypher Query Injection – The New “SQL Injection” We Aren’t Aware Of – Noy Pearl

Sanna/ September 8, 2022/ Conference

How often do you hear about injections? Probably a lot. And probably most of them are familiar to you and chances are that you are tired of hearing about another SQL injection that was recently found. Graph Databases (e.g. Neo4j, RedisGraph, Amazon Neptune) which are becoming increasingly popular don’t use SQL, but you can still achieve an injection and even go beyond that. We are going to learn how by manipulating legitimate database functionalities we are able to leverage an injection in Cypher Query to attack the database (DoS), leak sensitive files (RFI) , access protected endpoints (SSRF)  and leverage our attack to perform lateral movement and escalate to other machines as well. We’ll sum up with remediation & mitigation steps and show a ready-to-use open-source playground that was created so you could exploit Graph Databases

Read More

Press Release: Attacks On IT Through Desktop And Mobile Devices

Sanna/ September 7, 2022/ Press

DeepSec conference focuses on everyday devices as a risk for corporate IT. Attacks on the digital infrastructure of companies, authorities and organizations are often staged as a cinema spectacle in the reporting. Unfortunately the opposite is the case. A burglary in digital infrastructure happens without any broken glass or smashed doors. Attackers can only be successful if superficially everything continues as before. They don’t come through the windows or the underground car park, but via everyday applications on the desktop or smartphone. This year’s DeepSec security conference is therefore trying to sharpen the view on everyday life in the office and at the workplace. Two-day training sessions are offered focusing on workplace hazards, as well as two days of lectures to bring you up to speed. War for the desktop and personal devices Few

Read More

DeepSec 2022 Talk: Melting the DNS Iceberg – Taking Over Your Infrastructure Kaminsky Style – Dipl.-Ing. Timo Longin BSc

Sanna/ September 7, 2022/ Conference

What does DNS have in common with an iceberg? Both are hiding invisible dangers! Beneath an iceberg there is… even more ice. However, beneath the DNS there are hiding unexpected vulnerabilities! If you want to resolve a name via DNS, there are multiple open DNS resolvers all across the Internet. A commonly used open DNS resolver is Google’s resolver with the IP address 8.8.8.8. However, not every system is using such an open resolver. Hosting providers, ISPs and the like, are often using resolvers that are not directly accessible from the Internet. These are the so called “closed” resolvers. In my previous research “Forgot password? Taking over user accounts Kaminsky style,” I have unearthed critical vulnerabilities in DNS resolvers of web applications, but I haven’t shared a second thought about the fact that these

Read More

DeepSec 2022 Talk: Identification of the Location in the 5G Network – Giorgi Akhalaia

Sanna/ September 6, 2022/ Conference

Mobile devices can provide the majority of everyday services: like emergency, healthcare, security services. The development of mobile devices itself triggered the 5G network deployment. The new telecom standard will create a new ecosystem with a variety of industries and will exceed the limit of telecom communication. With new standards, functionality, services, products always arise new cyber threats. The operating spectrum in the 5G Network is divided into 3 categories: Low, Middle and High Bands. Actually, the third category, high band, also known as mmWave provides majority benefits of the new standard. This band covers from 6 GHz to 100 GHz operating spectrums. Because of the limitation of this frequency range, devices connected to high-band have to be near to the cell-tower. Otherwise, buildings will interrupt the connection. So, when a user is connected

Read More

DeepSec 2022 Talk: Machine Learning Use in OSINT – Giorgi Iashvili

Sanna/ September 5, 2022/ Conference

Open source intelligence is one of the important aspects of cyber security activities as it relies on the publicly available sources, such as social networks, websites, blogs, etc. This includes data mining and gathering techniques, as well as data extraction and data analysis activities. Open source intelligence is widely used in different fields today. Mainly, this process runs manually and is fully managed by humans. Moving from a manual to automated processes in OSINT is vital, especially that we work with real-world operations. Different components must build a relevant system to provide automated open source-based activities together with training simulations for the Machine Learning. The structure of the ML approach is the following: Requirements: Information used from previous user experience; Collection: Web crawlers or / and scrapers; Processing exploration: Pattern recognition, Detection of the

Read More