1610, 2019

DeepSec 2019 Talk: What’s Wrong with WebSocket APIs? Unveiling Vulnerabilities in WebSocket APIs – Mikhail Egorov

Sanna/ October 16, 2019/ Conference, Security

WebSocket protocol is many times more efficient than HTTP. In recent years we can observe that developers tend to implement functionality in the form of WebSocket APIs instead of traditional REST APIs, that use HTTP. Modern technologies and frameworks simplify the building of efficient WebSocket APIs. We can name GraphQL subscriptions or Websocket APIs supported in Amazon API Gateway. WebSockets APIs have a different security model compared to REST APIs, resulting in unique attack vectors. Nevertheless, developers rarely take them into account. WebSockets in browsers do not use the same-origin policy (SOP) concept, their security model is based on origin check. Out-of-the-box WebSockets provide no authentication and authorization mechanisms. WebSocket protocol is stateful and has two main phases: A handshake and data transfer phase. Most of the time authentication and authorization logic is implemented

0810, 2019

DeepSec 2019 Talk: “The Daily Malware Grind” – Looking Beyond the Cybers – Tim Berghoff, Hauke Gierow

Sanna/ October 8, 2019/ Conference

Given the noise generated around all the “sexy” and no doubt interesting topics like 0days, APT, and nation state-sponsored threat actors it is easy to miss what is really going on out there, in the world of Joe Average. Actual telemetry data paints a picture that is in many respects different from what happens in a lot of the news coverage. Much of the malware out there, including some that is attributed to some sort of APT, is nowhere near anything that might be considered “sophisticated”. In this talk we will shine a light on different aspects of the realities of home users as well as companies, and offer some interesting data about the malware that actually does the most damage, while precious few get all the press. We asked Tim and Hauke a

2309, 2019

DeepSec 2019 Talk: Techniques and Tools for Becoming an Intelligence Operator – Robert Sell

Sanna/ September 23, 2019/ Conference, Security Intelligence

In this talk at DeepSec 2019, Robert will introduce the various operations that Trace Labs has performed to help illustrate Open-Source Intelligence (OSINT) techniques used in finding details on real human subjects. Trace Labs is a non-profit organization that crowdsources open source intelligence to help law enforcement find missing persons. Trace Labs is non-theoretical and its members are conducting OSINT on real people. Robert lifts the curtain on successful OSINT techniques that can be used to pull up important information on individuals. Many of the slides show specific tools and techniques that can immediately be used to improve your OSINT results. The talk starts with a brief introduction to Trace Labs and its mission of helping law enforcement through a crowdsourced, open source intelligence. It then moves into a technical discussion on how to

2009, 2019

DeepSec 2019 Talk: The Turtle Gone Ninja – Investigation of an Unusual Crypto-Mining Campaign – Ophir Harpaz

Sanna/ September 20, 2019/ Conference, Security

Despite the absence of blockchain and „crypto“ at DeepSec we have some content which covers security incidents connected to both terms. Ophir Harpaz will present her insights into an attack that is used to do „crypto“ mining. She describes what to expect in her own words: At first sight, Nansh0u is yet another attack campaign aiming to mine a marginal crypto-currency named TurtleCoin. However, things get much more interesting once you gain full access to the attacker’s infrastructure. Our investigation revealed a complete picture of how the Nansh0u campaign operates, who the infected victims are and what advanced tools are used in the attacks. Port scanner, brute-force module, remote-code execution tool, verbose log files and tens of different malware payloads – these are only a portion of the attacker’s assets we managed to put

1309, 2019

DeepSec 2019 Talk: New Tales of Wireless Input Devices – Matthias Deeg

Sanna/ September 13, 2019/ Conference

You can’t do much with computer without input devices. Microphones do not count, yet. This leaves the classic selection of human input. How secure are these devices? Did you ever wonder when typing, moving the mouse pointer, or attaching a presenting tool? Well, your questions will be answered at DeepSec 2019. Matthias Deeg will hold a talk where new security tales of wireless input devices like mice, keyboards, presenters, and barcode scanners using different 2.4 GHz radio-based communication technologies will be presented that have been collected over the last two years. Furthermore, SySS IT Security expert Matthias will present answers to unanswered questions of his previous wireless desktop set research and raise the awareness of security issues and practical attacks against vulnerable wireless input devices. Matthias is interested in information technology – especially

1109, 2019

DeepSec 2019 Talk: Lauschgerät – Gets in the Way of Your Victim’s Traffic and Out of Yours – Adrian Vollmer

Sanna/ September 11, 2019/ Conference, Security

The talk will present a new tool for pentesters called „Lauschgerät“. This python script acts as a convenient man-in-the-middle tool to sniff traffic, terminate TLS encryption, host malicious services and bypass 802.1X – provided you have physical access to the victim machine, or at least its network cable. There are three ways to run it: Either on its own dedicated device like a Raspberry Pi or Banana Pi, in a virtual machine with two physical USB-NICs attached, or on your regular pentest system in its own network namespace. It will look like a completely transparent piece of wire to both victim systems you are getting in the middle of, even if they are using 802.1X because it is implementing the ideas presented in a talk by Alva Lease ‘Skip’ Duckwall IV. The Lauschgerät operates

0909, 2019

DeepSec 2019 Talk: Once upon a Time in the West – A Story on DNS Attacks – Valentina Palacín, Ruth Esmeralda Barbacil

Sanna/ September 9, 2019/ Conference

The Internet is the new frontier for some. So just like in Old West movies, we are going through a land riddled with well-known gunmen: OceanLotus, DNSpionage and OilRig, who roam at ease, while the security cowboys sleep. This presentation will uncover the toolset and techniques used by these gunmen, taking a closer look at their big guns and their behavioral patterns. We will explore the attacks involving DNS that took place during the last decade to examine the latest discovered techniques in order to improve detections to dodge the bullets they are firing in our direction. We asked Valentina and Ruth a few more questions about their talk at the DeepSec conference. Please note that Valentine and Ruth will also speak the the DeepINTEL conference where you will get more in-depth information not

0409, 2019

DeepSec 2019 Talk: Well, That Escalated Quickly! – A Penetration Tester’s Approach to Windows Privilege Escalation – Khalil Bijjou

Sanna/ September 4, 2019/ Conference, Security

Since the early stages of operating systems, users and privileges were separated. Implemented security mechanisms prevent unauthorized access and usage of data and functions. These security mechanisms have been circumvented a number of times, which has led to steady improvements. Nevertheless, attackers find new vulnerabilities and security holes. Security experts often encounter Mirosoft® Windows endpoints or systems and gain low privileged access. To fully compromise the system, privileges have to be escalated. Windows contains a great number of security concepts and mechanisms. These render privilege escalation attacks difficult. Penetration testers should have a sound knowledge base about Windows components and security mechanisms in order to understand privilege escalation concepts profoundly and to apply them properly. Khalil’s presentation at DeepSec 2019 imparts knowledge on Windows required to understand privilege escalation attacks. It describes the most

3008, 2019

DeepSec2019 Talk: IPFS As a Distributed Alternative to Logs Collection – Fabio Nigi

Sanna/ August 30, 2019/ Conference

Logging stuff is easy. You take a piece of information created by the infrastructure, systems, or applications and stash it away. The problems start once you want to use the stored log data for analysis, reference, correlation, or any other more sophisticated approach. At DeepSec 2019 Fabio Nigi will share his experience in dealing with log data. We asked him to explain what you can expect from his presentation. We want access to as much logs as possible. Historically the approach is to replicate logs to a central location. The cost of storage is the bottleneck on security information and event management (SIEM) solution, hard to be maintained at scale, leading to reduce the amount of information at disposal. The state-of-the-art solutions today focus on to analyze the log on the endpoint. This can

2908, 2019

DeepSec2019 Talk: Android Malware Adventures – Analyzing Samples and Breaking into C&C – Kürşat Oğuzhan Akıncı & Mert Can Coşkuner

Sanna/ August 29, 2019/ Conference, Security

Android malware is evolving every day and is everywhere, even in Google Play Store. Malware developers have found ways to bypass Google’s Bouncer as well as antivirus solutions, and many alternative techniques to operate like Windows malware does. Using benign looking applications working as a dropper is just one of them. This talk is about android malware on Google Play Store targeting Turkey such as Red Alert, Exobot, Anubis, etc. The presentation held at DeepSec 2019 will cover the following issues: Techniques to analyze samples: Unencrypted samples are often used to retrieve personal information to sell and do not have obfuscation. Encrypted samples however are used for sophisticated tasks like stealing banking information. They decrypt themselves by getting the key from a twitter account owned by the malware developer and operate by communicating with

2505, 2019

Use Handshake Data to create TLS Fingerprints

René Pfeiffer/ May 25, 2019/ Discussion, Security

While the whole world busily works on the next round of the Crypto Wars, the smart people work on actual information security. TLS has always been in the focus of inspection. Using on-the-fly generated certificates to look inside is a features of many gadgets and filter applications. Peeking at the data is moot if you control either the server or the client. If you have to break TLS on purpose (hopefully) inside your own network, you probably have to deal with software or system you cannot control. In this case TLS is the least of your security problems. Dealing with a lot of network traffic often uses a metadata approach in order not to process gigantic amounts of data. Enter TLS fingerprinting. The TLS handshake contains a lot of parameters such as version numbers,

1402, 2019

Supporting BSidesLondon “My Machine is not Learning” 2019

René Pfeiffer/ February 14, 2019/ Conference

This year’s BSidesLondon is pondering the most important question of machine learning. What is my machine doing and learning? Well, it might be that “My Machine is not Learning” at all. Sounds a lot like the intelligence we all know from living beings. So, armed with this new motto, BSidesLondon is turning 9, and we will support the Rookie Track again. The winner gets a trip to Vienna and free entry to DeepSec 2019. Get going and get started with your presentation! It’s worth it, and we love to welcome you in Vienna! Ask @5w0rdFish about it. If you are looking for research topics, please drop us a line. We have some ideas about good questions and things to explore. See you in London!

1112, 2018

Need something to read? – First Batch of DeepSec 2018 Presentation Slides online

René Pfeiffer/ December 11, 2018/ Administrivia, Conference

Do you fear reading the news? Fancy some facts? Well, we have something different for you to read. We have collected presentation slides from DeepSec 2018 and put the first batch online. You can find them in this rather nostalgic directory listing. We have renamed the files with their title and the name of the presenters. They are mostly PDF, but two presentations consist of a HTML slideshow. We have created a PDF document containing the link to the original presentation for your convenience. The directory will be filled with the remaining documents as soon as we get them.

2211, 2018

ROOTS 2018 Talk: Kernel-Assisted Debugging of Linux Applications – Tobias Holl, Philipp Klocke, Fabian Franzen

Sanna/ November 22, 2018/ Conference, ROOTS

On Linux, most—if not all—debuggers use the ptrace debugging API to control their target processes. However, ptrace proves unsatisfactory for many malware analysis and reverse engineering tasks: So-called split-personality malware often adapts its behavior in the presence of a debugger, yet ptrace makes no attempt to hide from a target process. Furthermore, ptrace enforces a strict one-to-many relation meaning that while each tracer can trace many tracees, each tracee can only be controlled by at most one tracer. Simultaneously, the complex API and signal-based communications provide opportunities for erroneous usage. Previous works have identified the newer uprobes tracing API as a candidate for building a replacement for ptrace, but ultimately rejected it due to lack of practical use and documentation. Building upon uprobes, we introduce plutonium-dbg, a Linux kernel module providing debugging facilities independent

2111, 2018

DeepSec 2018 Talk: Attacks on Mobile Operators – Aleksandr Kolchanov

Sanna/ November 21, 2018/ Conference, Security

I’d like to talk about telecom security. My research contains information about security of mobile operators: classic and new (or very rare) attack vectors and vulnerabilities. This presentation will consist of three main parts: First, I will share information on the security of mobile operators in general. I’ll tell you a little bit about why it is important (usually, phone numbers are used as a key to social networks, messengers, bank accounts, etc). So, if an attacker can hack a mobile operator, he can gain access to a big amount of user data and money. Also, in this part, I will tell you about typical SS7 attacks (how to intercept SMS or send fake ones). During the second part, I will tell you about different vulnerabilities and security issues. All of the problems I

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this: