DeepSec 2019 Talk: Abusing Google Play Billing for Fun and Unlimited Credits! – Guillaume Lopes

Sanna/ November 22, 2019/ Conference, Security

In 2017, the estimated global in-app purchase revenue was projected to exceed $37 billion. Just in the Google Play Store, for 2018, more than 200 000 apps are offering in-app purchases. However, the Google Play Billing API is vulnerable by design and allows an attacker to bypass the payment process. I analyzed several android games and found that it’s possible to bypass the payment process. This presentation will show real vulnerable applications (Fruit Ninja, Doodle Jump, etc.). We asked Guillaume a few more questions about his talk. Please tell us the top 5 facts about your talk. The vulnerability presented is really easy to exploit Client side issues are not dead in 2019! It seems nobody cares about losing money in the game industry… Very few vendors fixed their implementation Real vulnerable applications will

Read More

DeepSec2019 Training: Incident Response Detection and Investigation with Open Source Tools – Thomas Fischer & Craig Jones

Sanna/ November 20, 2019/ Conference

Defences focus on what you know! But what happens when the attackers gain access to your network by exploiting endpoints, software or even you people. Under the assumption that you have been breached, how do you work backwards to gain knowledge of what happened? How can you find those adversaries in your infrastructure? IR detection and response relies on a structured process of identifying observables and collecting evidence. One aspect of this is the practice of proactively seeking out evil in your infrastructure, finding needles in haystacks that link to other needles and unveiling how an organization was compromised and possibly even answering the “why?”. This is commonly referred to as Threat Hunting. In this hands-on training participants will learn about the basic building blocks for an IR detection and investigation programme. The training

Read More

DeepSec 2019 Talk: Demystifying Hardware Security Modules – How to Protect Keys in Hardware – Michael Walser

Sanna/ November 20, 2019/ Conference

[Editorial note: Cryptography is one of our favourite topics. This is why we invited experts from sematicon AG to show some of their skills and help you navigate through the jungle of false promises by vendors, magic bullets, and misuse of the word „crypto“.] A secure crypto-algorithm is based on the fact that only the key needs to be kept secret, not the algorithm itself. The key is of high value and must be protected. In this talk we will have a look at how to protect keys and why a dedicated hardware is needed to make sure the key is kept secret and always under the control of the owner. Different use cases require different HSMs (Hardware Security Modules). We will have a look at data centres and cloud HSMs as well as

Read More

DeepSec 2019 Talk: 30 CVEs in 30 Days – Eran Shimony

Sanna/ November 12, 2019/ Conference

In recent years, the most effective way to discover new vulnerabilities is considered to be fuzzing. We will present a complementary approach to fuzzing. By using this method, which is quite easy, we managed to get over 30 CVEs across multiple major vendors in only one month. Some things never die. In this session, we’ll show that a huge amount of software is still vulnerable to DLL Hijacking and Symlinks abuse and may allow attackers to escalate their privileges or to DoS a machine. We will show how we generalized these two techniques within an automated testing system called Ichanea, with the aim of finding new vulnerabilities. Our mindset was – choose software that is prone to be vulnerable: Installers, update programs, and services. These types of software are often privileged. Therefore, they are

Read More

DeepSec 2019 Talk: S.C.A.R.E. – Static Code Analysis Recognition Evasion – Andreas Wiegenstein

Sanna/ November 11, 2019/ Conference, Security

Andreas Wiegenstein has expert advise for software security: Companies increasingly rely on static code analysis tools in order to scan (their) (custom) code for security risks. But can they really rely on the results? The typical SCA tool is designed to detect security issues in code that were created by accident / lack of skill. But how reliable are these tools, if someone intentionally places bugs in code that are not supposed to be found? This talk explores several nasty concepts how malicious code could be camouflaged in order to avoid detection by SCA algorithms. On a technical level, the following concepts are covered covert data flow deep call stacks circular calls source mining counter-encoding data laundering Based on this, I will provide some code snippets as proof of concept for the audience to

Read More

DeepSec 2019 Talk: Security Analytics and Zero Trust – How Do We Tackle That? – Holger Arends

Sanna/ November 8, 2019/ Conference, Security

For many years we’ve all been in an arms race, fighting daily against new malware varieties and new attack techniques that malicious actors use to fool us and compromise our systems. Many of us rely on state of the art safeguards and have invested tremendous amounts in defending our systems and networks, yet even so, important data is still leaked or important systems are compromised. Firewalls, IDS, IPS or SIEM systems are often unable to prevent or detect attacks. Questions are often raised: “why?” and “how?” is it possible these attacks stay undetected for long periods of time, considering the significant investments into cyber security. And so it seems obvious to say that with the introduction of IoT devices, unmanaged BYOD, combined with legacy systems and end to end encryption, the future will be

Read More

DeepSec 2019 Talk: Saving Private Brian – Michael Burke

Sanna/ November 5, 2019/ Conference

This talk will be given as the story of Brian, an aid worker operating in a hostile third country. When he’s stopped going in at the border he had his iPhone taken from him and then returned to him 15 minutes later. Now he can’t be sure if any malware was implanted on his device. Malware that could compromise him, his organisation and anyone who co-operates with him. He needs his phone to do his work but should he stop using it instead? Are all his contacts already compromised? Should he warn them and should he use his phone to do so? And will he and his phone be tracked to any in-person meetings? iOS malware is rare, advanced and difficult to detect when deployed. I will talk through the above scenario on the

Read More

DeepSec 2019 Talk: Lost in (DevOps) Space – Practical Approach for “Lightway” Threat Modeling as a Code – Vitaly Davidoff

Sanna/ November 4, 2019/ Conference, Development

Threat Modeling is a main method to identify potential security weaknesses, and is an important part of any secure design. Threat Modeling provides a model to analyze how to best protect your assets, prevent attacks, harden your systems, and efficiently prioritize security investment. Regardless of programming language, Threat Modeling provides a far greater return than most other security techniques in the software development life cycle (SDLC) process. Therefore, Threat Modeling should be an early priority in application design process. Unfortunately, it is common knowledge that building a full threat model is always heavily resource intensive, requires a full team of expensive security professionals, takes up far too much time, and is not scalable. This talk will describe modern Threat Modeling methodology and practices that can be fully incorporated into your existing agile process. We

Read More

DeepSec 2019 Talk: Setting up an Opensource Threat Detection Program – Lance Buttars

Sanna/ November 1, 2019/ Conference, Security

Through the use of event detection monitoring and do it yourself monitoring techniques on a Linux Apache PHP MySQL stack, I will demonstrate how you can create different alarms and reporting surfaces that alert you when your application is being attacked. This case study will demonstrate the use of hacking tools as a defense strategy in a corporate network and will cover the story of the detection of insider threats from the internal application point of view. The entire presentation is a hands-on lab that can be used after the presentation as a guide for attendees to set up a Threat Detection program. We asked Lance a few more questions about his talk. Please tell us the top 5 facts about your talk. The talk covers ways of discovering insider threats. It’s a starting

Read More

DeepSec 2019 Talk: Oh! Auth: Implementation Pitfalls of OAuth 2.0 & the Auth Providers Who Have Fell in It – Samit Anwer

Sanna/ October 31, 2019/ Conference

Since the beginning of distributed personal computer networks, one of the toughest problems has been to provide a seamless and secure SSO experience between unrelated servers/services. OAuth is an open protocol to allow secure authorization in a standard method from web, mobile and desktop application. The OAuth 2.0 authorization framework enables third-party applications to obtain discretionary access to a web service. Built on top of OAuth 2, OpenID Connect is a helpful “identity layer” that provides developers with a framework to build functional and secure authentication systems. OpenID Connect can perform identity authorization and provide basic profile information for different clients, from web and mobile apps to JavaScript clients. In this race of providing OAuth/Open ID Connect based access to assets, authorization service providers have been forced to release half-baked solutions in the wild

Read More

DeepSec 2019 Talk: Still Secure. We Empower What We Harden Because We Can Conceal – Yury Chemerkin

Sanna/ October 30, 2019/ Conference, Security

The launch of Windows 10 has brought many controversial discussions around the privacy factor of collecting and transmitting user data to Microsoft and its partners. But Microsoft was not the first, Apple did it many years ago and there was no public research on how much data were leaked out from MacOS. There is a statement in the Privacy Policy written by Apple: “Your device will keep track of places you have recently been, as well as how often and when you visited them, in order to learn places that are significant to you, to provide you with personalized services, such as predictive traffic routing, and to build better Photos Memories… ‘Everything’ stores in iCloud service”. Both cases are the same, designed in the same manner and driven by a similar idea to simplify

Read More

DeepSec 2019 Talk: Chinese Police and CloudPets – Abraham Aranguren

Sanna/ October 29, 2019/ Conference, Security

[In our Call for Papers we mentioned that DeepSec and specifically DeepINTEL will have a connection to geopolitics. Well, the following description of a presentation at DeepSec gives you an idea of what we meant.] This talk is a summary of three different security audits with an interesting background: First, CloudPets, their epic track record, what we found and what happened afterwards. Next, two mobile apps by Chinese Police: “BXAQ” and “IJOP”, both related to surveillance of ethnic minorities, but in different ways. Stay tuned. Part 1: CloudPets Wouldn’t it be cool, for a parent far from home, to be able to record a voice message with their phone and make the sound come out of a soft toy that children can hug? That’s the idea of CloudPets. Children can even respond directly from

Read More

DeepSec 2019 Talk: Comparing GnuPG With Signal is like Comparing Apples with Smart Light Bulbs – Hans Freitag

Sanna/ October 28, 2019/ Conference, Security

GnuPG is not designed to be used only in E-Mail, it plays an important role in securing all sorts of mission critical data. In this talk I will show you applications of GnuPG that are not E-Mail or Instant Messaging. We asked Hans a few more questions about his talk. Please tell us the top 5 facts about your talk. GnuPG is free software that can be used to encrypt and sign data. Signal is not a free software but may be used to communicate with others. You can’t compare apples with pears. In German the term glowing pear is used for light bulb. My Key ID is: 1553A52AE25725279D8A499175E880E6DC59190F How did you come up with it? Was there something like an initial spark that set your mind on creating this talk? I browsed the

Read More

DeepSec 2019 Training: Threat Hunting with OSSEC – Xavier Mertens

Sanna/ October 26, 2019/ Training

OSSEC is sometimes described as a low-cost log management solution but it has many interesting features which, when combined with external sources of information, may help in hunting for suspicious activity occurring on your servers and end-points. During this training, you will learn the basic of OSSEC and its components, how to deploy it and quickly get results. The second part will focus on the deployment of specific rules to catch suspicious activities. From an input point of view, we will see how easy it is to learn new log formats to increase the detection scope and, from an output point of view, how we can generate alerts by interconnecting OSSEC with other tools like MISP, TheHive or an ELK Stack / Splunk / … and add more contextual content with OSINT feeds. We

Read More

DeepSec 2019 Training: Pentesting Industrial Control Systems – Arnaud Soullie

Sanna/ October 25, 2019/ Training

In this intense two day training at DeepSec, you will learn everything you need to start pentesting Industrial Control Networks [also called Industrial Control Systems (ICS)]. We will cover the basics to help you understand what are the most common ICS vulnerabilities. We will then spend some time learning and exploiting Windows & Active Directory weaknesses, as most ICS are controlled by Windows systems. And we will cover the most common ICS protocols (Modbus, S7, Profinet, Ethernet/IP, DNP3, OPC…), analyze packet captures and learn how to use these protocols to talk to Programmable Logic Controllers (PLCs). You will learn how to program a PLC, to better understand how to exploit them. The training will end with an afternoon dedicated to a challenging hands-on exercise: The first [Capture The Flag] CTF in which you capture

Read More