2111, 2018

DeepSec 2018 Talk: Attacks on Mobile Operators – Aleksandr Kolchanov

Sanna/ November 21, 2018/ Conference, Security

I’d like to talk about telecom security. My research contains information about security of mobile operators: classic and new (or very rare) attack vectors and vulnerabilities. This presentation will consist of three main parts: First, I will share information on the security of mobile operators in general. I’ll tell you a little bit about why it is important (usually, phone numbers are used as a key to social networks, messengers, bank accounts, etc). So, if an attacker can hack a mobile operator, he can gain access to a big amount of user data and money. Also, in this part, I will tell you about typical SS7 attacks (how to intercept SMS or send fake ones). During the second part, I will tell you about different vulnerabilities and security issues. All of the problems I

1911, 2018

Special Offer for “Mastering Web Attacks with Full-Stack Exploitation” Training – get 3 for the Price of 1

René Pfeiffer/ November 19, 2018/ Conference

The DeepSec training Bug Hunting Millionaire: Mastering Web Attacks with Full-Stack Exploitation by Dawid Czagan has some seats left. Dawid has agreed to give away free access to two of his online courses for everyone booking tickets until Wednesday, 21 November 2018 (2359 CET). This gives you a perfect preparation for penetration testing, software development, and an edge for any bug bounty programmes out there. You can get a glimpse of the online trainings, well, online of course. Every penetration test and every attempt to defend your own assets can’t do without knowledge of web technologies. Since the Web has evolved from being simple HTML content, you absolutely have to know about all layers modern web applications use. The training will give you the means to understand what’s going on, to find bugs, and

0911, 2018

Last Call for your Web Application Security Training – Break all teh Web and enjoy it!

René Pfeiffer/ November 9, 2018/ Conference, Security

The Internet is full of web applications. Sysadmins used to joke that HTTP is short for Hypertext Tunnelling Protocol, because anything but web content is transported via HTTP these days. It’s the best way to break out of restricted environment, too. So the chances are good that you will need the skills for dealing with all kinds web. Fortunately our training Bug Hunting Millionaire: Mastering Web Attacks with Full-Stack Exploitation conducted by Dawid Czagan has a few seats left. Don’t get distracted by the title. Focus on the phrase full-stack exploitation. It’s not just about sending HTTP requests and seeing what the application does. It’s all about using the full spectrum of components and technologies used for modern web applications. The training is not only suited for information security researchers. The course addresses REST

0211, 2018

DeepSec 2018 Talk: Suricata and XDP, Performance with an S like Security – Eric Leblond

Sanna/ November 2, 2018/ Conference, Security

extended Berkeley Packet Filter (eBPF) and eXtreme Data Path (XDP) technologies are gaining in popularity in the tracing and performance community in Linux for eBPF and among the networking people for XDP. After an introduction to these technologies, this talk proposes to have a look at the usage of the eBPF and XDP technology in the domain of security. A special focus lies on Suricata that uses this technology to enhance its performance and by consequence on the accuracy of its network analysis and detection. We asked Eric a few more questions about his talk. Please tell us the top 5 facts about your talk. Packet loss really matters. A threat detection engine like Suricata is losing 10% of IDS alerts if it misses 3% of traffic. And there are 10% of incomplete file

3110, 2018

DeepSec2018 Talk: Manipulating Human Memory for Fun and Profit – Stefan Schumacher

Sanna/ October 31, 2018/ Conference, Discussion

Manipulating the Human Memory for Fun and Profit, or: Why you’ve never met Bugs Bunny in DisneyLand Hacking is not limited to technical things — like using a coffee machine to cook a soup — but also makes use of social engineering. Social engineering is the (mis)use of human behaviour like fixed action patterns, reciprocity or commitment and consistency. Simple social engineering attacks like phishing mails do not require much preparation, but more complex ones do so. Especially when one wants to set up some kind of advanced persistent threat in the psychological domain. So, besides the psychological fundamentals of social engineering we also did research on human memory, how it works, how it pretty much fails to store what really happened, and how it can be misused for a sinister purpose. The fundamental

2910, 2018

DeepSec 2018 Talk: Drones, the New Threat from the Sky – Dom (D#FU5E) Brack

Sanna/ October 29, 2018/ Conference, Security

I will talk about drones (not military ones). Drone risks and countermeasures. Drones have become an inherent risk not just for critical infrastructure, but also public events (sports, concerts) and privacy. I will speak about the exclusive risk catalogue I have developed for a small highly specialised start-up called DroneGuard. The catalogue contains over 140 detailed drone related risks. From payload of drones (explosives, chemical etc.) to cyber risks like Signal Hacking & Disruption (WiFi, GSM, Bluetooth, RFID, etc.). Since Deepsec is a more technically oriented event I will highlight the risk management frame work, my experience with our personal payload drone and the cyberrisks. This talk will help you if you have to protect critical infrastructure from a physical perspective, or if you have to protect yourself or your company from privacy implications.

1710, 2018

DeepSec 2018 Talk: Security Response Survival Skills – Benjamin Ridgway

Sanna/ October 17, 2018/ Conference, Security

Jarred awake by your ringing phone, bloodshot eyes groggily focus on a clock reading 3:00 AM. A weak “Hello?” barely escapes your lips before a colleague frantically relays the happenings of the evening. As the story unfolds, you start to piece together details leading you to one undeniable fact: Something has gone horribly wrong… Despite the many talks addressing the technical mechanisms of security incident response (from the deep forensic know-how to developing world-class tools) the one aspect of IR that has been consistently overlooked is the human element. Not every incident requires forensic tooling or state of the art intrusion detection systems, yet every incident involves coordinated activity of people with differing personalities, outlooks, and emotional backgrounds. Often these people are scared, angry, or otherwise emotionally impaired. Drawing from years of real-word experience,

0910, 2018

Translated Press Release: Systemic Errors as Vulnerabilities – Backdoors and Trojan Horses

René Pfeiffer/ October 9, 2018/ Conference, Discussion, Press, Security

DeepSec and Privacy Week highlight consequences of backdoors in IT Vienna (pts009/09.10.2018/09:15) – Ever since the first messages were sent, people try to intercept them. Today, our modern communication society writes more small, digital notes than one can read along. Everything is protected with methods of mathematics – encryption is omnipresent on the Internet. The state of security technology is the so-called end-to-end encryption, where only the communication partners have access to the conversation content or messages. Third parties can not read along, regardless of the situation. The introduction of this technology has led to a battle between security researchers, privacy advocates and investigators. Kick down doors with Horses In end-to-end encryption the keys to the messages, as well as the content itself, remain on the terminal devices involved in the conversation. This is

0510, 2018

DeepSec 2018 Talk: Leveraging Endpoints to Boost Incident Response Capabilities – Francisco Galian, Mauro Silva

Sanna/ October 5, 2018/ Conference, Security

The information technology world is full of terms and acronyms. You got servers, nodes, clients, workstations, mobile devices, lots of stuff talking via the network to even more stuff. And then you got security breaches. How do you detect the latter? Well, you look for things out of the ordinary. Error messages, anomalies in behaviour, activity outside the usual time slots as system is being used, and the like. What’s the best place to look? Answer: The systems directly in touch with all the interactions attackers are interested in – endpoints. Most organisations fail to properly detect or even respond to incidents. A factor that significantly contributes to this fact is the lack of visibility on endpoints. That being said, endpoint logging can be very noisy and most organizations don’t have infrastructure to cope

0410, 2018

DeepSec 2018 Talk: Dissecting The Boot Sector: The Hunt for Ransomware in the Boot Process – Raul Alvarez

Sanna/ October 4, 2018/ Conference, Security

Ransomware is as cyber as it gets these days. It’s all over the news, and it is a lucrative business case. Modern malicious software has been put to work for its masters. It is the platform of deployment for a whole variety of additional code. So why is ransomware not the same as any other malicious software? Raul Alvarez will explain this to you at DeepSec 2018: Ransomware slightly differs in their attack vectors, encryption algorithms, and selection of files to encrypt. A common ransomware technique is to encrypt files and hold it for ransom. Petya ransomware does the infection a bit different from the others. Instead of encrypting files, it encrypts the MFT, Master File Table, which contains the metadata and headers for each file in the system. Another trait of this malware

2809, 2018

DeepSec 2018 Training: Malware Analysis Intro – Christian Wojner

Sanna/ September 28, 2018/ Conference, Security, Training

With malware (malicious software) featuring crypto-trojans (ransomware), banking-trojans, information- and credential-stealers, bot-nets of various specifications, and, last but not least, industry- or even state-driven cyber espionage, the analysis of this kind of software ıs becoming more and more important these days. With a naturally strong focus on Microsoft Windows based systems this entertaining first-contact workshop introduces you to one of the most demanding but nonetheless compelling fields in IT-Security. We asked Christian a few more questions about his talk. Please tell us the main facts about your training. This training is for every IT (Security) person who wants/needs to have their first encounter with the stunning field of malware analysis. On the basis of an especially designed, exciting scenario blended with various technical detours packed into a 6-stages workshop, students will… learn how easy

2609, 2018

DeepSec 2018 Talk: IoD – Internet of Dildos, a Long Way to a Vibrant Future – Werner Schober

René Pfeiffer/ September 26, 2018/ Conference, Internet, Security

The Internet of Things has grown. Interconnected devices have now their own search engine. Besides power plants, air conditioning systems, smart (or not so smart) TV sets, refrigerators, and other devices there are a lot smaller and more personal things connected to the Internet. Your smartphone includes a lot of personal conversations, most probably pictures, sound recordings, and a treasure trove of data for profiling. Let’s get more personal. Let’s talk about teledildonics. Teledildonics is the art and technology of remote sex. Call it cybersex (apologies to William Gibson), cyberdildonics (again, sorry, Mr Gibson), or whatever you like. It’s been around for a long time, think decades. The term was used in 1975 by Ted Nelson in his book Computer Lib/Dream Machines. It even has its own conference, called Arse Elektronika (which was first

2409, 2018

DeepSec 2018 Training: Advanced Penetration Testing in the Real World – Davy Douhine & Guillaume Lopes

Sanna/ September 24, 2018/ Conference, Security, Training

Guillaume and Davy, senior pentesters, will share many techniques, tips and tricks with pentesters, red teamers, bug bounty researchers or even defenders during a 2-day 100% “hands-on” workshop. This is the very training you’d like to have instead of wasting your precious time trying and failing while pentesting. The main topics of the training are: Buffer overflow 101: Find and exploit buffer overflows yourself and bypass OS protections. (A lot of pentesters don’t even know how it works. So let’s have a look under the hood); Web exploitation: Manually find and exploit web app vulnerabilities using Burpsuite. (Yes, running WebInspect, AppScan, Acunetix or Netsparker is fine but you can do a lot more by hand); Network exploitation: Manually exploit network related vulnerabilities using Scapy, ettercap and Responder. (Because it works so often when doing

2109, 2018

DeepSec 2018 Talk: Information, Threat Intelligence, and Human Factors – John Bryk

Sanna/ September 21, 2018/ Conference, Security, Security Intelligence

“Across the ICS spectrum, organizations are gathering threat data (information) to protect themselves from incoming cyber intrusions and to maintain a secure operational posture.”, says John. “Organizations are also sharing information; along with the data collected internally, organizations need external information to have a comprehensive view of the threat landscape. Cyber threat information comes from a variety of sources, including sharing communities such as Information Sharing and Analysis Centers (ISACs), open-source, and commercial sources. Immediately actionable information is mainly low-level indicators of compromise, such as known malware hash values or command-and-control IP addresses, where an actionable response can be executed automatically by a system. Threat intelligence refers to more complex cyber threat information that has been subjected to the analysis of existing information. Information such as different Tactics, Techniques, and Procedures (TTPs) used over

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this: