Breaking News: DeepSec preliminary Schedule available, some Reviews still continue, all Hardware & Software is still not completely safe to use

René Pfeiffer/ August 20, 2021/ Conference, Schedule/ 0 comments

We confess. Our review cycle was interrupted by a week of holiday. Our team takes turns before the fourth wave breaks. We will keep watching the regulations for travel and our conference hotel. This being said, the schedule for DeepSec 2021 is ready and is published on our web site. 🥳 The contributions from our speakers and trainers look very promising. We tried to select the submissions according to a mix of technical details, academic research, ways to improve your defence, and details of attack techniques which might be deployed against your organisation. The trainings cover a wide range of topics from attacks on modern desktops app, fallacies of mobile networks, penetration testing of industrial control systems, breaking single sign-on systems, and dealing with threats and defence. We hope to offer you in-depth knowledge

Read More

Murder Board Blog Series: Chapter 4 – Trojan Horses or: State Hacking

Sanna/ May 17, 2021/ Internet, Security, Stories/ 1 comments

Feeding Pigeons in the Park—Espionage Knowledge is power. Knowing nothing makes one envious when looking at the model of modern information societies. The natural application of networks that transport information is espionage. So the Internet early made acquaintance with it. The aspect of smuggling messages in and out of an area is obvious. It also involves breaking through security measures to gain access to protected information. Whereby large parts of our own information are much less protected than we would like or even be aware of. The e-mails mentioned above are always in plain text and therefore are visible to everyone. An unknown number of third parties read them on the way from sender to recipient and assess this information. And all the information we have in accounts on US platforms (photos, more or

Read More

Murder Board Blog Series: Chapter 3 – Serial Hackers: Organized Crime or Grand Theft Data

Sanna/ May 7, 2021/ Internet, Security, Stories/ 1 comments

Motivations and Motifs of the “Cosa Data” Elevate data to a valuable commodity and it gets automatically traded, hoarded, stolen and counterfeited. We can use digital processes both legally and illegally, just like the economy in the physical world. However, cyber crime is about much more than data. Accounts with certain privileges also represent value because they act as a multiplier. For example, a simple e-mail account with stored contacts (address book or even the contact data in existing e-mails). This has several properties at once: Identity, trust and an archive of messages. The archive can be searched directly for valuable data. The identity can be used for fraud with the help of the trust of the contacts to get further access to more accounts and data. Motivation is—on balance—always something like a benefit

Read More

Murder Blog Series: Chapter 2 – Investigations

Sanna/ April 30, 2021/ Stories/ 2 comments

Letters as Windows to the World When young people discover the world, they are often happy to receive mail. Who doesn’t like it when others think of you? Once the love letters from the crush have undergone the metamorphosis into heartless letters with windows, we realize: Money rules their content, just like in this story. Leon has a habit. When walking back from the mailbox, he likes to feel the meaning of the contents of letters with his fingers. Here, it’s the letter from the credit card bill. And it has grown to several meaty millimeters. Leon hopes for a change in the terms and conditions. However, after opening it, it turns out that, unfortunately; it is a list of payments. He can barely remember the individual items. There are just too many—and most

Read More

Murder Board Blog Series: Prequel

Sanna/ April 16, 2021/ Security, Stories/ 3 comments

[This is the first part of a five-part article series describing analogies between the world of IT security and research in other fields. Analogies are often used to deflect and conceal missing arguments. Didactics uses analogies as a powerful tool to explore your own understanding and to help you use your knowledge from other fields. Please use the articles of the Murderboard series (our name for the five-part article) for educating IT-affine people about information security. It’s never bad to have allies who understand what to look for in time of trouble.] It was a warm summer day when I got a call from an acquaintance who wanted to hire me for data protection coaching with one of his clients. Besides crime writing, I also work in data protection, helping self-employed people and small

Read More

Secure Operation of IT Systems requires Skills, no Shortcuts

René Pfeiffer/ March 19, 2021/ Discussion, High Entropy

The recent vulnerability in the Microsoft® Exchange server application has sparked many discussions. One of the topics is connected to the skills of IT departments responsible for patching systems in time. How can n weeks or months pass until upgrades are rolled out and in place? Well, the answer is easy. Some upgrades do not work flawlessly. In anticipation of problems during the change, IT departments need a copy of the live system and time to test the updates. This takes time, even if you have the budget to run additional copies of your systems. Furthermore, sometimes upgrades go wrong. Theoretically, these changes should just eliminate security problems and enable the application to work as before. IT departments bitten by the “this should not have happened but it did anyway” situation will hesitate to

Read More

Bug Disclosure Policies and the Eternal Discussion about Security ♨

René Pfeiffer/ March 15, 2021/ Discussion, High Entropy, Security

In theory, there is the evolution from bug over to weakness, vulnerability and finally the exploit. Errors in code and application behaviour are interesting for any serious developer. Security researchers also look for bugs and ways to make code do something it wasn’t designed for. In the absence of critical failures in applications, the process of reporting bugs and getting them fixed everything is smooth and less prone to heated discussions (YMMV, some software projects feature persons with very strong opinions). All of this changes when the code can be remotely exploited. Enter the recent CVEs regarding the Microsoft® Exchange server. CVE-2021-26855 is as bad as it sounds. It is a remote code execution with low complexity requiring no user interaction and no privileges. Disclosure of bugs impacting security has a long history. Knowing

Read More

DeepSec 2021 – Call for Papers is open

René Pfeiffer/ March 1, 2021/ Call for Papers, Conference

DeepSec 2021 is looking for your ideas, solutions, incident reports, insights, and expertise. The call for papers is open. You can submit your contribution via our call for papers manager online. If you have questions or want to submit additional material, please use the online form and send an email to us. DeepSec has always presented a mix of attack and defence presentations. The motto for 2021 connects both approaches. Studying how adversaries work, what tools they employ, how they plan their attack, and what they do once they get access is vital to your defence. IT infrastructure has grown over the years. Defence has a lot to take care of. If you have any ideas how to help the defenders, please let us know. Topics covering attacks should always contain some advice on

Read More

The Art of testing Code

René Pfeiffer/ February 4, 2021/ Discussion, High Entropy, Security

The Twitterverse, various blogs, and some news portals published discussions about a bug in libgcrypt. The code contained a loop which could read past the end of a buffer. The error condition was found by using a test suite. Given the C code base of libgcrypt cases like this can often be found by using the static code analysing features of modern compilers. If you read the ticket concerning the particular overrun bug, then you will notice that it contains more than just the error description. The reason for emotional discussion around bugs are the many ways to find them. Modern compilers contain a lot of helpful tools to audit your code. Even if the compiler lacks auditing/testing features, you can resort to other tools such as Valgrind (which turned 20 years of age

Read More

DeepSec 2020 Talk: Security of Home Automation Systems – A Status Quo Analysis For Austrian Households – Edith Huber, Albert Treytl

Sanna/ September 28, 2020/ Conference

Home Automation System (HAS) are a growing market, which is very diverse ranging  from consumer electronics like TVs, mobile phones and gaming consoles via WLAN connected sensors, power plugs or lightbulbs to building automation devices for HVAC systems or access solutions. Beside “classical” network technologies IoT technologies gain increasing spread and importance. This paper presents results of a representative survey analysing the security awareness and perception as well as susceptibility to cybercrime of HAS users in Austria. The aim of this survey is to investigate the spread of the device types, cybercrime attacks and security risks. These results are compared with technical vulnerabilities of such devices to identify relevant security risks and countermeasures. Additionally, a concept to protect sensor values directly in the analogue circuit is presented as an outlook to ongoing research. We asked Edith and Albert a few more questions about their talk.   Please tell us the top facts about your talk. The most common HAS are Smart TV, voice assistants and surveillance cameras, but many other applications are on the rise. Respondents of the survey say

Read More

DeepSec 2020 Talk: Efficient Post-quantum Digital Signature – Maksim Iavich (DeepSec Scholar 2020)

Sanna/ September 25, 2020/ Conference

Active work is being done to create and develop quantum computers. Traditional digital signature systems, which are used in practice, are vulnerable to quantum computers attacks. The security of these systems is based on the problem of factoring large numbers and calculating discrete logarithms. Scientists are working on the development of alternatives to RSA, which are protected from attacks by quantum computer. One of the alternatives are hash based digital signature schemes. Merkle digital signature scheme is the very promising alternative to the classical digital signature schemes. It must be emphasized, that the scheme has efficiency problems and can not be used in practice. Major improvements of the scheme lead to security vulnerabilities. I will show that Merkle uses hash functions many times. I will offer the improved implementation of the hash function. I

Read More

DeepSec 2020 Online Training: Mobile Security Testing Guide Hands-On – Sven Schleier & Ryan Teoh

Sanna/ September 3, 2020/ Conference, Training

This online course teaches you how to analyse Android and iOS apps for security vulnerabilities, by going through the different phases of testing, including dynamic testing, static analysis and reverse engineering. Sven and Ryan will share their experience and many small tips and tricks to attack mobile apps. We asked Sven and Ryan a few more questions about their training. Please tell us the top 5 facts about your training. Learn a holistic methodology for testing the security of mobile apps A full Penetration Test against iOS apps can also be done on non-jailbroken devices! Learn how to bypass Anti-Frida security controls in a mobile app with Frida Focus on hands-on exercises during the training with vulnerable apps build by the trainers You just need to have a laptop (no Android or iOS devices

Read More

DeepSec 2020 Talk: Security Model Of Endpoint Devices – Martin Kacer

Sanna/ September 1, 2020/ Conference

Have you ever asked these questions? You are using the latest mobile and using your laptop with the latest and patched OS, running antivirus: Do you need to worry about security? Isn’t there still something broken in the entire security and permission model? Why can the desktop application, that is not an internet browser, access and communicate by using any IP address? Why can the application access your whole filesystem and collect the files from there? Why can an android app with internet permission communicate using any arbitrary IP, even a private one? Why can the app communicate by using different domains? Isn’t the app market ecosystem creating a friendly environment for botnets? This talk will shed some light on these issues and propose some mitigation strategy. We have asked Martin a few more

Read More

Press Release: Intensive Courses for crisis-proof Digitisation taking place in Vienna

Sanna/ August 28, 2020/ Conference, Press

DeepSec security conference focuses thematically in depth on critical dangers for IT. As is well known, the digital world never sleeps. The last few months have shown that society and the economy are more dependent than ever on globally networked technology. The worldwide spread of SARS-CoV-2 has given telecommunications an enormous boost. The home office, already known before, teleconferencing systems and internet applications had to stand in for physical meetings and enable the exchange of information. As the use of these technologies increased sharply, security problems were of course discovered. Zoom is a prominent example. However, only the tip of the iceberg was analysed. Many vulnerabilities are still waiting to be discovered around the world. Anyone who demands more digitisation is actually talking about information security. Precisely for this reason, the DeepSec Security Conference

Read More