0409, 2019

DeepSec 2019 Talk: Well, That Escalated Quickly! – A Penetration Tester’s Approach to Windows Privilege Escalation – Khalil Bijjou

Sanna/ September 4, 2019/ Conference, Security

Since the early stages of operating systems, users and privileges were separated. Implemented security mechanisms prevent unauthorized access and usage of data and functions. These security mechanisms have been circumvented a number of times, which has led to steady improvements. Nevertheless, attackers find new vulnerabilities and security holes. Security experts often encounter Mirosoft® Windows endpoints or systems and gain low privileged access. To fully compromise the system, privileges have to be escalated. Windows contains a great number of security concepts and mechanisms. These render privilege escalation attacks difficult. Penetration testers should have a sound knowledge base about Windows components and security mechanisms in order to understand privilege escalation concepts profoundly and to apply them properly. Khalil’s presentation at DeepSec 2019 imparts knowledge on Windows required to understand privilege escalation attacks. It describes the most

3008, 2019

DeepSec2019 Talk: IPFS As a Distributed Alternative to Logs Collection – Fabio Nigi

Sanna/ August 30, 2019/ Conference

Logging stuff is easy. You take a piece of information created by the infrastructure, systems, or applications and stash it away. The problems start once you want to use the stored log data for analysis, reference, correlation, or any other more sophisticated approach. At DeepSec 2019 Fabio Nigi will share his experience in dealing with log data. We asked him to explain what you can expect from his presentation. We want access to as much logs as possible. Historically the approach is to replicate logs to a central location. The cost of storage is the bottleneck on security information and event management (SIEM) solution, hard to be maintained at scale, leading to reduce the amount of information at disposal. The state-of-the-art solutions today focus on to analyze the log on the endpoint. This can

2908, 2019

DeepSec2019 Talk: Android Malware Adventures – Analyzing Samples and Breaking into C&C – Kürşat Oğuzhan Akıncı & Mert Can Coşkuner

Sanna/ August 29, 2019/ Conference, Security

Android malware is evolving every day and is everywhere, even in Google Play Store. Malware developers have found ways to bypass Google’s Bouncer as well as antivirus solutions, and many alternative techniques to operate like Windows malware does. Using benign looking applications working as a dropper is just one of them. This talk is about android malware on Google Play Store targeting Turkey such as Red Alert, Exobot, Anubis, etc. The presentation held at DeepSec 2019 will cover the following issues: Techniques to analyze samples: Unencrypted samples are often used to retrieve personal information to sell and do not have obfuscation. Encrypted samples however are used for sophisticated tasks like stealing banking information. They decrypt themselves by getting the key from a twitter account owned by the malware developer and operate by communicating with

2505, 2019

Use Handshake Data to create TLS Fingerprints

René Pfeiffer/ May 25, 2019/ Discussion, Security

While the whole world busily works on the next round of the Crypto Wars, the smart people work on actual information security. TLS has always been in the focus of inspection. Using on-the-fly generated certificates to look inside is a features of many gadgets and filter applications. Peeking at the data is moot if you control either the server or the client. If you have to break TLS on purpose (hopefully) inside your own network, you probably have to deal with software or system you cannot control. In this case TLS is the least of your security problems. Dealing with a lot of network traffic often uses a metadata approach in order not to process gigantic amounts of data. Enter TLS fingerprinting. The TLS handshake contains a lot of parameters such as version numbers,

1402, 2019

Supporting BSidesLondon “My Machine is not Learning” 2019

René Pfeiffer/ February 14, 2019/ Conference

This year’s BSidesLondon is pondering the most important question of machine learning. What is my machine doing and learning? Well, it might be that “My Machine is not Learning” at all. Sounds a lot like the intelligence we all know from living beings. So, armed with this new motto, BSidesLondon is turning 9, and we will support the Rookie Track again. The winner gets a trip to Vienna and free entry to DeepSec 2019. Get going and get started with your presentation! It’s worth it, and we love to welcome you in Vienna! Ask @5w0rdFish about it. If you are looking for research topics, please drop us a line. We have some ideas about good questions and things to explore. See you in London!

1112, 2018

Need something to read? – First Batch of DeepSec 2018 Presentation Slides online

René Pfeiffer/ December 11, 2018/ Administrivia, Conference

Do you fear reading the news? Fancy some facts? Well, we have something different for you to read. We have collected presentation slides from DeepSec 2018 and put the first batch online. You can find them in this rather nostalgic directory listing. We have renamed the files with their title and the name of the presenters. They are mostly PDF, but two presentations consist of a HTML slideshow. We have created a PDF document containing the link to the original presentation for your convenience. The directory will be filled with the remaining documents as soon as we get them.

2211, 2018

ROOTS 2018 Talk: Kernel-Assisted Debugging of Linux Applications – Tobias Holl, Philipp Klocke, Fabian Franzen

Sanna/ November 22, 2018/ Conference, ROOTS

On Linux, most—if not all—debuggers use the ptrace debugging API to control their target processes. However, ptrace proves unsatisfactory for many malware analysis and reverse engineering tasks: So-called split-personality malware often adapts its behavior in the presence of a debugger, yet ptrace makes no attempt to hide from a target process. Furthermore, ptrace enforces a strict one-to-many relation meaning that while each tracer can trace many tracees, each tracee can only be controlled by at most one tracer. Simultaneously, the complex API and signal-based communications provide opportunities for erroneous usage. Previous works have identified the newer uprobes tracing API as a candidate for building a replacement for ptrace, but ultimately rejected it due to lack of practical use and documentation. Building upon uprobes, we introduce plutonium-dbg, a Linux kernel module providing debugging facilities independent

2111, 2018

DeepSec 2018 Talk: Attacks on Mobile Operators – Aleksandr Kolchanov

Sanna/ November 21, 2018/ Conference, Security

I’d like to talk about telecom security. My research contains information about security of mobile operators: classic and new (or very rare) attack vectors and vulnerabilities. This presentation will consist of three main parts: First, I will share information on the security of mobile operators in general. I’ll tell you a little bit about why it is important (usually, phone numbers are used as a key to social networks, messengers, bank accounts, etc). So, if an attacker can hack a mobile operator, he can gain access to a big amount of user data and money. Also, in this part, I will tell you about typical SS7 attacks (how to intercept SMS or send fake ones). During the second part, I will tell you about different vulnerabilities and security issues. All of the problems I

2011, 2018

DeepINTEL 2018 Talk: Framing HUMINT as an information gathering technique – Ulrike Hugl

Sanna/ November 20, 2018/ DeepIntel, Security Intelligence

NATO defines human intelligence (HUMINT) or hyoo-mint as “a category of intelligence derived from information collected and provided by human sources” (NATO Glossary of terms and definitions, APP-6, 2004) focusing on different kinds of information, for example data on things related to a human, information about a human’s specific knowledge of a situation, and other issues. HUMINT is differentiated into several categories like clandestine and overt collection. And: It is one of several other traditional intelligence collection disciplines, so called INTs; examples are SIGINT (signals intelligence), OSINT (open source intelligence), MASINT (measurements and signatures intelligence), GEOINT (geospatial intelligence), TECHINT (technical intelligence), SOMINT (social media intelligence), FININT (financial intellicence, gathered from analysis of monetary transactions), as well as CYBINT/DNINT (cyber intelligence/digital network intelligence, gathered from cyberspace). Intelligence Services deal with the analysis and collection of

1411, 2018

DeepSec 2018 Talk: RFID Chip Inside the Body: Reflecting the Current State of Usage, Triggers, and Ethical Issues – Ulrike Hugl

Sanna/ November 14, 2018/ Conference

Chipping humans can be seen as one of the most invasive biometric identification technologies. RFID (Radio Frequency Identification) as the key technology in the field of the Internet of Things produces many applications. For example, human implants are used by scientists in the fields of cyborgism, robotics, biomedical engineering and artificial intelligence, by hobbyists for identification reasons to start their computers, cars, for smart home applications or to pay by credit card, by hospitals for the control of human biological functions of patients, but also by companies to tag their employees for security reasons and workplace surveillance. All in all, worldwide human implants are mainly used for security, healthcare, and private (individual) reasons. Beside some positive individual or organizational outcomes, implants may compromise privacy and raise manifold ethical questions. For example, research in the

1311, 2018

ROOTS 2018 Talk: The Swift Language from a Reverse Engineering Perspective – Malte Kraus & Vincent Haupert

Sanna/ November 13, 2018/ Conference, ROOTS

Over the last decade, mobile devices have taken over the consumer market for computer hardware. Almost all these mobile devices run either Android or iOS as their operating systems. In 2014, Apple introduced the Swift programming language as an alternative to Objective C for writing iOS and macOS applications. The rising adoption of this new language has to some extent obsoleted existing techniques for program analysis for these platforms, like method swizzling and “class-dump”. In this paper we discuss features of Swift binaries that help in reverse engineering the functionality of the contained code: We document the memory layout of compound data types and the calling convention used by the Swift compiler, as well as the runtime type information that is used by runtime and debugger when data types are not known statically. This

0911, 2018

ROOTS 2018: How Android’s UI Security is Undermined by Accessibility – Anatoli Kalysch

Sanna/ November 9, 2018/ Conference, ROOTS

Android’s accessibility API was designed to assist users with disabilities, or temporarily preoccupied users unable to interact with a device, e.g., while driving a car. Nowadays, many Android apps rely on the accessibility API for other purposes, including apps like password managers but also malware. From a security perspective, the accessibility API is precarious as it undermines an otherwise strong principle of sandboxing in Android that separates apps. By means of an accessibility service, apps can interact with the UI elements of another app, including reading from its screen and writing to its text fields. As a consequence, design shortcomings in the accessibility API and other UI features such as overlays have grave security implications. This talk will provide a critical perspective on the current state of Android accessibility and selected UI security features.

0811, 2018

DeepINTEL 2018 Talk: Risk Management in Complex Scenarios – Oscar Serrano

Sanna/ November 8, 2018/ Conference, DeepIntel, Security

ICT risk management is a well-stabilized practice and as such is supported by international security standards and guidelines. But, despite advances in the legal and policy areas and the maturation of standardized frameworks for efficient risk management, it has still not become a controlled, systematic process in the cyber security domain of most organizations. One of the problems preventing organizations from having an enterprise approach to cyber security risk management is that these efforts have not been supported by commensurate investment to produce robust, technical implementations of suitable risk management methodologies and supporting systems. Although some tools do exist, such as PILAR, CRAMM, Ebios, Mehari, or Octave, they all implement different risk management methodologies and all of them are implemented to satisfy the need of specific users. None of them is a truly enterprise

0511, 2018

DeepINTEL 2018 Talk: Cyber Threat Intelligence – The Next Era of Cyber Security? – Markus Auer

Sanna/ November 5, 2018/ DeepIntel, Security Intelligence

The DeepINTEL security intelligence conference focuses on threats, indicators of compromise, and strategic counter measures. Information security is more than superficial. This is why we have asked Markus Auer to hold a presentation at DeepINTEL (28 November 2018). He explains his ideas in short: We are tired of adding new products to our ever-growing security structure. Although this has been a common practice for years, it does not bring lasting success. Attacks continue to occur – faster, more comprehensively and with much greater impact and rising costs. Despite all protection levels and measures, the current security approach fails. We want to stop the expansion and purchase of more reactive products that are targeted to the recent attack. Instead, security operations should be improved by aligning existing security technologies and teams and using the information

0211, 2018

DeepSec 2018 Talk: Suricata and XDP, Performance with an S like Security – Eric Leblond

Sanna/ November 2, 2018/ Conference, Security

extended Berkeley Packet Filter (eBPF) and eXtreme Data Path (XDP) technologies are gaining in popularity in the tracing and performance community in Linux for eBPF and among the networking people for XDP. After an introduction to these technologies, this talk proposes to have a look at the usage of the eBPF and XDP technology in the domain of security. A special focus lies on Suricata that uses this technology to enhance its performance and by consequence on the accuracy of its network analysis and detection. We asked Eric a few more questions about his talk. Please tell us the top 5 facts about your talk. Packet loss really matters. A threat detection engine like Suricata is losing 10% of IDS alerts if it misses 3% of traffic. And there are 10% of incomplete file

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this: