DeepSec 2021 Talk: Firmware Surgery: Cutting, Patching and Instrumenting Firmware for Debugging the Undebuggable – Henrik Ferdinand Nölscher

Sanna/ October 20, 2021/ Conference

Embedded systems can be challenging to analyze. Especially on automotive systems, many things that we take for granted on other software, such as debugging and tracing, do not always work. This is further complicated by watchdogs and peripheral processors that go haywire when strict timing and communication requirements are violated. On some systems, debugging is even impossible because debugging resources such as pins are either used for something else or don’t exist at all! Assuming that code can be dumped, the solution for this can be emulation; however, emulating a rich automotive system can be painful, and many times only a few aspects of the system can be sufficiently modeled. What if there was an in-between? How can we debug, fuzz and tamper with embedded firmware without access to real-time debugging or emulation? In this


DeepSec 2021 Talk: When Ransomware fails – Sreenidhi Ramadurgam

Sanna/ October 19, 2021/ Conference

Ransomware is a piece of code that is written by an attacker to encrypt the victim’s files. Even though it has been around for many years, its popularity has increased since the outbreak of WannaCry, which shook the whole cyber world. When the logic of the ransomware code is observed, we can see a common pattern here. It is similar to how humans interact with the system. That is, to access the files, the code has to access the logical drive first. Here each logical drive is assigned a letter by the operating system. For example, when code has to access the files in the D drive, it has to access the drive ‘D’ first. What if there is a logical drive in the system which doesn’t have any letter assigned to it? Well, now


DeepSec 2021 Talk: Large-scale Security Analysis Of IoT Firmware – Daniel Nussko

Sanna/ October 15, 2021/ Conference

Today, the number of IoT devices in both the private and corporate sectors is steadily increasing. IoT devices like IP cameras, routers, printers, and IP phones have become ubiquitous in our modern homes and enterprises. To evaluate the security of these devices, a security analysis has to be performed for every single device. Since manual analysis of a device and reverse engineering of a firmware image are very time-consuming, this is not practicable for large-scale analysis. To be able to conduct a large-scale study on the security of embedded network devices, an approach was applied that allows a high number of firmware images to be statically analyzed. For data acquisition, a crawler was used to identify and retrieve publicly available firmware images from the Internet. In this way, more than 10,000 individual firmware images


DeepSec 2021 Talk: Post-quantum Encryption System for 5G – Maksim Iavich

Sanna/ October 13, 2021/ Conference

Nowadays, many leading scientists and experts are actively working on the creation of quantum computers. On October 23 2019, Google announced that it had achieved quantum supremacy. This means a great speedup of quantum processors compared to the fastest classical computer. On December 06 2020, scientists in China also announced that they had achieved quantum supremacy. Quantum computers will probably break most cryptosystems that are widely used in practice. A variety of alternatives “resistant to quantum attacks” have been developed. These alternatives are hash-based, code-based, lattice-based and multivariate crypto schemes. However, to date a number of successful attacks have been recorded against the given schemes. It has also been shown that these schemes have efficiency problems. The amount of traffic carried over wireless networks and the number of mobile devices (including IoT) are growing rapidly and


DeepSec 2021 Talk: I Will Hide, You Come And Seek – Discovering The Unknown in Known Malwares using Memory Forensics – Shyam Sundar Ramaswami

Sanna/ September 27, 2021/ Conference

Malware analysis is a key phase to extract IOCs like domains, IPs, mutexes and other signatures. What if malware knows what online sandboxes and tools look for, decides to “showcase only 90%” and hides the rest? Well, memory forensics comes to our rescue. This was tried and tested with a lot of samples during the pandemic phase and aided in extracting a lot of hidden processes, domains, URLs and even IPs. This is what the talk covers:

- Talk about the traditional malware analysis process
- Introduction to memory forensics and why
- Introducing tools like Volatility and Rekall
- Running Orcus RAT, Agent Tesla and Sodinokibi ransomware malware using traditional methods like the Any.run online sandbox and malware runs
- Playing a game by capturing memory of the infected machine by invoking the WMI module and


DeepSec 2021 Talk: Do you have a PlugX? Artem Artemov, Rustam Mirkasymov

Sanna/ September 24, 2021/ Conference

A deep overview of a tool used by Chinese nation-state APTs, based on a real-life incident response case with a big industrial company. The investigation yielded the presence of PlugX in the infrastructure. This presentation gives a full overview of the tool’s functionality, its past versions, and current usage (Thor is a new version of PlugX). We show why it is hard to find and why it’s important for big industrial companies. We also talk about our assumption that all recent big attacks – first Sunburst and then the Exchange exploits (ProxyLogon, related to Hafnium) – are links of one chain. We asked Artem and Rustam a few more questions about their talk. Please tell us the top 5 facts about your talk. It’s about a pro-government APT. The described threat is silent. The threat target is


DeepSec 2021 Talk: Revenge is Best Served over IOT – Chris Kubecka

Sanna/ September 17, 2021/ Conference

Welcome to the new Cold War in the Middle East. In 2012, Iran’s first Shamoon attacks almost crashed every world economy, nearly bringing the world to its knees. Since then, the game of spy vs. spy has intensified digitally, with the pandemic accelerating connectivity. Join Chris on a 2.5-year Iranian espionage campaign attempting to recruit her for the most innocent of jobs: teaching critical infrastructure hacking with a focus on nuclear facilities. A journey of old-school espionage with a cyber twist. Bribery, sockpuppets, recruitment handlers, propaganda, a VVIP luxury trip mixed with a little IoT camera revenge and 2021 police protection. We asked Chris a few more questions about her talk. Please tell us the top 5 facts about your talk. Our skills as ethical hackers are in high demand, especially by sanctioned


DeepSec 2021 Talk: Real-Time Deep Packet Inspection Intrusion Detection System for Software Defined 5G Networks – Dr. Razvan Bocu

Sanna/ September 2, 2021/ Conference

The world of the Internet of Things is apparently becoming fundamental for the envisioned always-connected human society. 5G data networks are expected to dramatically improve on the existing 4G networks’ real-world importance, which makes them particularly necessary for the next generation of IoT device networks. This talk reports the authors’ experience, which was acquired during the implementation of the Vodafone Romania 5G networked services. Consequently, this blog post about our talk describes a machine learning-based real-time intrusion detection system, which has been effectively tested in the context of a 5G data network. The system is based on the creation of software-defined networks, and it uses artificial intelligence-based models for the deep inspection of the transferred data packets. It is able to detect unknown intrusions through the usage of machine learning-based software


DeepSec 2021 Talk: Web Cache Tunneling – Justin Ohneiser

Sanna/ August 31, 2021/ Conference

By using cache poisoning to store arbitrary data, we can use public web caches as open ephemeral storage to facilitate anonymous and evasive communication between network clients. We asked Justin a few more questions about his talk. Please tell us the top facts about your talk. Public web caches, when improperly configured, can be used as open ephemeral storage. Combined with a synchronization technique, this ephemeral storage can be used to tunnel arbitrary data between network clients. Tunneling data in this manner requires no listening service, as all endpoints behave as clients to the web cache server, allowing trivial use of anonymizing protocols. The conditions for this technique are present on several extremely popular websites, and the use of this technique by malware could make network detection nearly impossible. How did you come up


DeepSec 2021 Talk: Those Among Us – The Insider Threat facing Organizations – Robert Sell

Sanna/ August 27, 2021/ Conference

Organizations spend a considerable amount of time and money protecting themselves from external threats while practically ignoring the significant threats from within. Cybercrime had an estimated cost of $2 trillion in 2019, with an average cost per data breach of $3.9 million. This global cost is expected to grow to $6 trillion annually by 2021. In 2018, 34% of those data breaches involved internal factors, and this trend continues to grow. This hard-on-the-outside-but-soft-in-the-middle approach by information security departments leaves organizations susceptible to a variety of insider threats that could be avoided. In this talk, I will present the extent of the issue, the types of insider threats to expect and how organizations can mitigate these risks. We asked Robert a few more questions about his talk.


DeepSec 2021 Talk: How to Choose your Best API Protection Tool? Comparison of AI Based API Protection Solutions – Vitaly Davidoff

Sanna/ August 26, 2021/ Conference

As the world becomes more and more connected, application security becomes an important concern, especially in the Internet of Things (IoT), Application Programming Interface (API), and microservices spaces. In addition, proper access management needs to be seriously addressed to ensure company assets are securely distributed and deployed. There are many tools on the market providing AI-based API protection and anomaly detection, but what really works? How do you choose the best solution? During my talk, I will share results from my research reviewing different architecture approaches and AI solutions introduced by different popular tools on the market, from WAFs to workload protection systems. We asked Vitaly a few more questions about his talk. 1) Please tell us the top facts about your talk. This talk is a first try to dive deep


DeepSec 2021 Talk: Hunting for LoLs (a ML Living of the Land Classifier) – Tiberiu Boros, Andrei Cotaie

Sanna/ August 25, 2021/ Conference

Living of the Land is not a brand-new concept. The knowledge and resources have been out there for several years now. Still, LoL is one of the preferred approaches when we are speaking about highly skilled attackers or security professionals. There are two main reasons for this:

- Experts tend not to reinvent the wheel
- Attackers like to keep a low profile/footprint (no random binaries/scripts on the disk)

This talk focuses on detecting attacker activity/Living of the Land commands using machine learning, for both Linux and Windows systems. Most AV vendors do not treat the command itself (from a syntax and vocabulary perspective) as an attack vector. And most log-based alerts are static, have a limited spectrum and are hard to update. Furthermore, classic LoL detection mechanisms are noisy and somewhat


ROOTs 2020: A survey on practical adversarial examples for malware classifiers – Daniel Park

Sanna/ November 18, 2020/ ROOTS

Machine learning-based models have proven to be effective in a variety of problem spaces, especially in malware detection and classification. However, with the discovery of deep learning models’ vulnerability to adversarial perturbations, a new attack has been developed against these models. The first attacks based on adversarial example research focused on generating feature vectors, but more recent research shows it is possible to generate evasive malware samples. In this talk, I will discuss several attacks that have been developed against machine learning-based malware classifiers that leverage adversarial perturbations to develop an adversarial malware example. Adversarial malware examples differ from adversarial examples in the natural image domain in that they must retain the original malicious program logic in addition to evading detection or classification. Adversarial machine learning has become increasingly popular and is


ROOTs 2020: Exploiting Interfaces of Secure Encrypted Virtual Machines – Martin Radev

Sanna/ November 18, 2020/ ROOTS

Cloud computing is a convenient model for processing data remotely. However, users must trust their cloud provider with the confidentiality and integrity of the stored and processed data. To increase the protection of virtual machines, AMD introduced SEV, a hardware feature which aims to protect code and data in a virtual machine. This makes it possible to store and process sensitive data in cloud environments without the need to trust the cloud provider or the underlying software. However, the virtual machine still depends on the hypervisor for performing certain activities, such as the emulation of special CPU instructions or the emulation of devices. Yet most code that runs in virtual machines was not written with an attacker model which considers the hypervisor as malicious. In this work, we introduce a new class of attacks in which


DeepSec 2020 Talk: Old Pareto had a Chart: How to achieve 80% of Threat Modelling Benefits with 20% of the Efforts – Irene Michlin

Sanna/ November 18, 2020/ Conference

The earlier in the lifecycle you pay attention to security, the better the outcomes. Threat modelling is one of the best techniques for improving the security of your software. It is a structured method for identifying weaknesses at the design level. However, it is often perceived by organisations as too expensive to introduce, or too slow to fit modern lifecycles, be it Agile, Lean, or DevOps. This talk will show how to fit threat modelling into fast-paced software development, without requiring every developer to become an expert. The outcomes should be immediately applicable, hopefully empowering you to try it at work the day after the conference. We asked Irene a few more questions about her talk. Please tell us the top 5 facts about your talk. Based on my experience introducing threat modeling
