2308, 2021

DeepSec 2021 Training: How to Break and Secure Single Sign-On (OAuth and OpenID Connect) – Karsten Meyer zu Selhausen

Sanna/ August 23, 2021/ Training

Implementing single sign-on has huge benefits in general. It allows to design the registration and login process for users to be as simple as possible, and enables applications to be connected to social networks. Although OAuth and OpenID Connect are established as today’s common standards, serious attacks on them have been discovered within recent years. These attacks exploit the complexity of the underlying standards and implementation flaws, and allow attackers to authenticate themselves as arbitrary users or to access confidential user data. By doing so, attackers can potentially read, manipulate, or delete data of arbitrary users across these applications. Due to the critical role that single sign-on fulfills in applications nowadays, it is important to understand and address pitfalls when using OAuth and OpenID Connect. However, automatic security scanners are not able to properly

0106, 2021

Press Release: Modern Desktops as a Security Hole – DeepSec Conference offers Trainings and Tests for Secure Applications

Sanna/ June 1, 2021/ Press, Training

What do a modern office application and a fancy oil pipeline have in common? A desktop that led to disaster. Graphical interfaces for operating computers go back to research in the 1960s and 1970s. At that time people thought about how computers can best support people. By the 1990s at the latest, the desktop became a battleground for market dominance. That has stayed the same, only there are additional security aspects. After all, the desktop is often the first step from an attacker to a company’s digital treasures. The annual DeepSec conference offers security experts and developers a two-day crash course on desktop security. No attack without interaction Many successful attacks on companies or infrastructure depend on cooperation with the victims. Malware is executed using tricks and only then does it compromise the system.

0510, 2020

DeepSec 2020 Training: Threat Modelling: The Ultimate “Shift Left” – Irene Michlin & Kreshnik Rexha

Sanna/ October 5, 2020/ Training

The earlier in the life-cycle you pay attention to security, the better are the outcomes. Threat modelling is one of the best techniques for improving the security of your software. It is a structured method for identifying weaknesses on design level. The participants will learn the technique and gain practical skills through exercises. The curriculum of the training consists of : Threat modelling: introduction and motivation Data Flow Diagrams STRIDE Beyond STRIDE Prioritization Mitigations Integrating threat modelling in SDLC This training targets mainly blue teamers, as well as software developers, QA engineers, and architects; but will be also beneficial for scrum masters and product owners. We asked Irene and Kreshnik a few more questions about their training. Please tell us the top 5 facts about your training. Lots of hands-on exercises and group work

1009, 2020

DeepSec 2020 Training: Open Source Intelligence Gathering on Human Targets – Robert Sell

Sanna/ September 10, 2020/ Training

Robert Sell conducts a two-day training at DeepSec. In his own words: „In this workshop I provide the class with real humans (missing persons) and while they are collaborating on this I provide tools and techniques for them to use to bring them closer to their goal. This is a hands on workshop where students will also have the opportunity to learn from each other. The beginning of the class will consist of a brief intro to OpSec considerations while the end will wrap up with report prep and intel safe guarding.“ We asked Robert a few more questions about his training. Please tell us the top 5 facts about your training. The Intelligence Community has been involved in open source intelligence (OSINT) for more than 50 years. The value of open source information

0909, 2020

Reminder for your Training @ DeepSec 2020: Token Hijacking via PDF – Dawid Czagan

René Pfeiffer/ September 9, 2020/ Conference

PDF files are everywhere. No day goes by without someone having used a PDF document. This is why PDF files are the perfect hacking tool. They can even be used to hack your web application. Imagine that the attacker prepares a malicious PDF file which steals sensitive data from a user. The PDF file is uploaded to the web application, the user reads this PDF file, and finally sensitive data is exfiltrated from the user’s browser. It’s scary, isn’t it? In a free video Dawid Czagan (DeepSec Instructor) will show you-step-by step how this attack works and how you can check if your web application is vulnerable to this attack. Watch this free video and feel the taste of Dawid Czagan’s Live Online Training ”Black Belt Pentesting / Bug Hunting Millionaire: Mastering Web Attacks with

0309, 2020

DeepSec 2020 Online Training: Mobile Security Testing Guide Hands-On – Sven Schleier & Ryan Teoh

Sanna/ September 3, 2020/ Conference, Training

This online course teaches you how to analyse Android and iOS apps for security vulnerabilities, by going through the different phases of testing, including dynamic testing, static analysis and reverse engineering. Sven and Ryan will share their experience and many small tips and tricks to attack mobile apps. We asked Sven and Ryan a few more questions about their training. Please tell us the top 5 facts about your training. Learn a holistic methodology for testing the security of mobile apps A full Penetration Test against iOS apps can also be done on non-jailbroken devices! Learn how to bypass Anti-Frida security controls in a mobile app with Frida Focus on hands-on exercises during the training with vulnerable apps build by the trainers You just need to have a laptop (no Android or iOS devices

2007, 2020

Token Hijacking via PDF – Dawid Czagan

Sanna/ July 20, 2020/ Training

PDF files are everywhere and they can be used to hack your web application. Imagine that the attacker prepares a malicious PDF file which steals sensitive data from a user. The PDF file is uploaded to the web application, the user reads this PDF file, and finally sensitive data is exfiltrated from the user’s browser. It’s scary, isn’t it? In a free video Dawid Czagan (DeepSec Instructor) will show you-step-by step how this attack works and how you can check if your web application is vulnerable to this attack. Watch this free video and feel the taste of Dawid Czagan’s Live Online Training ”Black Belt Pentesting / Bug Hunting Millionaire: Mastering Web Attacks with Full-Stack Exploitation” (DeepSec 2020; 17/18 November) Tags:

0707, 2020

Bypassing CSP via ajax.googleapis.com – Dawid Czagan

Sanna/ July 7, 2020/ Training

Content Security Policy (CSP) is the number one defensive technology in modern web applications. Many developers add ajax.googleapis.com to CSP definitions, because they use libraries from this very popular CDN in their web applications. The problem is that it completely bypasses the CSP and obviously you don’t want that to happen. Since CSP should be part of any modern application, you better get to work and brush up your knowledge. In a free video Dawid Czagan (DeepSec Instructor) will show you step-by-step how your CSP can be bypassed by hackers. Watch this free video and feel the taste of Dawid Czagan’s Live Online Training ”Black Belt Pentesting / Bug Hunting Millionaire: Mastering Web Attacks with Full-Stack Exploitation” (training at DeepSec 2020; 17/18 November)

0205, 2020

First DeepSec 2020 Trainings confirmed

René Pfeiffer/ May 2, 2020/ Conference

We haven’t been idle in the past weeks. The Austrian government is reducing the lock-down rules to see how normal business and private life can go on. We take this as an opportunity to announce the first three confirmed trainings for DeepSec 2020. The preliminary descriptions can be found on our schedule web site. Black Belt Pentesting / Bug Hunting Millionaire: Mastering Web Attacks with Full-Stack Exploitation – Dawid Czagan (Silesia Security Lab) Open Hardware Hacking – Paula de la Hoz Garrido (Telefónica Security Engineering) Defending Industrial Control Systems – Tobias Zillner & Thomas Brandstetter (Limes Security) Early Bird tickets are available. Given the unusual start into 2020 we ask you to consider buying Early Bird tickets (especially for the trainings). We are exploring special attendee tickets for remote attendance of the trainings. A

2511, 2019

DeepSec 2019 Press Release: High-quality Randomness protects Companies

Sanna/ November 25, 2019/ Conference, Training

The ‘bugs’ of the’ 90s are still alive – hidden in IoT devices, integrated systems and industrial controls. Modern information security can’t manage without mathematics. It is less about statistics in the form of operational data or risk analysis. It’s about cryptography, which is constantly used in everyday life. It uses elements that build on high-quality random numbers to protect information from attacks. This year’s DeepSec Security Conference addresses key aspects of product implementation – data protection during transport and storage. Protecting the Digital Transformation Whether “intelligent” bulbs and illuminants, heating or building controls, tv-sets, industrial plants or entire production lines – the digital transformation covers all areas of our lives and leads to changes. On the one hand, digitization opens up opportunities such as the optimization of processes, the more efficient use of

2011, 2019

DeepSec2019 Training: Incident Response Detection and Investigation with Open Source Tools – Thomas Fischer & Craig Jones

Sanna/ November 20, 2019/ Conference

Defences focus on what you know! But what happens when the attackers gain access to your network by exploiting endpoints, software or even you people. Under the assumption that you have been breached, how do you work backwards to gain knowledge of what happened? How can you find those adversaries in your infrastructure? IR detection and response relies on a structured process of identifying observables and collecting evidence. One aspect of this is the practice of proactively seeking out evil in your infrastructure, finding needles in haystacks that link to other needles and unveiling how an organization was compromised and possibly even answering the “why?”. This is commonly referred to as Threat Hunting. In this hands-on training participants will learn about the basic building blocks for an IR detection and investigation programme. The training

2610, 2019

DeepSec 2019 Training: Threat Hunting with OSSEC – Xavier Mertens

Sanna/ October 26, 2019/ Training

OSSEC is sometimes described as a low-cost log management solution but it has many interesting features which, when combined with external sources of information, may help in hunting for suspicious activity occurring on your servers and end-points. During this training, you will learn the basic of OSSEC and its components, how to deploy it and quickly get results. The second part will focus on the deployment of specific rules to catch suspicious activities. From an input point of view, we will see how easy it is to learn new log formats to increase the detection scope and, from an output point of view, how we can generate alerts by interconnecting OSSEC with other tools like MISP, TheHive or an ELK Stack / Splunk / … and add more contextual content with OSINT feeds. We

2510, 2019

DeepSec 2019 Training: Pentesting Industrial Control Systems – Arnaud Soullie

Sanna/ October 25, 2019/ Training

In this intense two day training at DeepSec, you will learn everything you need to start pentesting Industrial Control Networks [also called Industrial Control Systems (ICS)]. We will cover the basics to help you understand what are the most common ICS vulnerabilities. We will then spend some time learning and exploiting Windows & Active Directory weaknesses, as most ICS are controlled by Windows systems. And we will cover the most common ICS protocols (Modbus, S7, Profinet, Ethernet/IP, DNP3, OPC…), analyze packet captures and learn how to use these protocols to talk to Programmable Logic Controllers (PLCs). You will learn how to program a PLC, to better understand how to exploit them. The training will end with an afternoon dedicated to a challenging hands-on exercise: The first [Capture The Flag] CTF in which you capture

2410, 2019

DeepSec 2019 Training: Mobile Hacking – Davy Douhine and Guillaume Lopes

Sanna/ October 24, 2019/ Training

Guillaume Lopes and Davy Douhine, senior pentesters, will share many techniques, tips and tricks with pentesters, bug bounty researchers or just the curious in a 100% “hands-on” training. Their goal is to introduce tools(Adb, Apktool, Jadx, Androguard, Cycript, Drozer, Frida, Hopper, Needle, MobSF, etc.) and techniques to help you to work faster and in a more efficient way in the mobile ecosystem. This is exactly the training that you would have liked to have before wasting your precious time trying and failing while testing. Agenda Two days based mainly on practical exercises: – Day 1: Android Hacking – Day 2: iOS Hacking Main topics of the training are based on the fresh OWASP MSTG (Mobile Security Testing Guide): – Review the codebase of a mobile app (aka static analysis) – Run the app on

1909, 2019

DeepSec 2019 Training: IoT/Embedded Development – Attack and Defense Lior Yaari

Sanna/ September 19, 2019/ Training

Every developer makes mistakes. If you are unlucky, these mistakes result in a security vulnerability, an almost untraceable bug for the normal developer. Going around the world, helping developers to find and understand the vulnerabilities they’ve accidentally created, we learned that unlike bugs, vulnerabilities are invisible to the eye, mind and UT. No one teaches developers how an attacker thinks, what computers security mechanisms are capable of (and what not), and how to avoid creating possible security mistakes endangering your customers. In this course we will teach you the basics of Embedded Devices security from the beginning: How vulnerabilities are created and how an attacker approaches a new device. From the internals, – physical manipulations, buffer overflows, memory corruptions, timing attacks, all the way to the solution: How to avoid common mistakes and even

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this: