Speakers (preliminary) - DeepSec IDSC 2018 Europe

Attacking Internet of Things with Software Defined Radio

Johannes Pohl (Hochschule Stralsund)

Participants will learn how to reverse engineer the wireless communication between Internet Of Things devices with Software Defined Radios (SDR) using the Universal Radio Hacker (URH). The workshop covers required HF basics such as digital modulations and encodings and shows how to reveal the protocol logic step by step and, finally, develop attacks against devices. For demonstration we will investigate and attack a wireless socket and a smart home door lock.

During the course of the workshop the communication of the two devices will be analyzed and reverse engineered. In conclusion, attacks on both devices will be developed.
By the end of the workshop we'll be able to switch the socket and open the door lock with SDRs.

This of course requires knowledge in the field of modulation, coding and log formats, which will be practically conveyed during the workshop. "Learning by doing" is the motto.
For this to work, the participants need their own computer to operate the software (Universal Radio Hacker) which we use to analyze the signals and bring them back in.

If attendees already own a software defined radio (e.g. HackRF), they can record the signals and attack the devices themselves. If that's not the case, I can make the signals available online so participants can download and import them into the Universal Radio Hacker.

In short:

What do I need?
Must have: laptop / computer
Nice to have: Software Defined Radio (e.g. HackRF)

What awaits me?
- Picking up of raw signals with Software Defined Radios
- Demodulation of raw signals to get Bits
- Decoding of the Bits
- Reverse engineering of the protocol format (where are addresses, sequence numbers etc.)
- Developing of attacks with fuzzing and simulation
We will elaborate this on the basis of two practical examples.

Johannes Pohl studied Computer Science at the University of Applied Sciences Stralsund and received his Master of Science in 2013. Since then he has worked there as a PhD student, conducting research in the area of Location Privacy and Wireless Security. He worked for two years in DevOps research at Boreus Data Center, Germany. Since March 2017 he has worked as a Scientific Co-Worker at the University of Applied Sciences, Stralsund.

Fundamentals of Routing and Switching for Blue and Red Team

Paul Coggin (Financial Institution)

In this intense 2-day class, students will learn the fundamentals of routing and switching from a blue and red team perspective. Using hands-on labs, students will receive practical experience with routing and switching technologies with a detailed discussion on how to attack and defend the network infrastructure. Students will leave the class with a good understanding of how to configure and operate routing and switching protocols as well as how to attack and defend the control, management and data planes in their organization networks.

Requirements: Students will need to bring a computer with Windows and VMware installed. The students should have administrative privileges for installing software and configuring VMs. The Cisco CCNA simulator by Wendell Odom will be used for the majority of the lab scenarios. Additional labs may utilize Mininet VM for SDN and NRL CORE for BGP.

Student software requirements for labs: CCNA Routing and Switching 200-125 Network Simulator, Download Version orderable at http://www.ciscopress.com/ or http://www.amazon.com/.

Paul Coggin is a Cyber Security Research Scientist for a financial institution. His expertise includes tactical, service provider, and ICS/SCADA network infrastructure attacks and defenses, as well as large complex network design and implementation. His experience includes leading network architecture reviews, vulnerability analysis, and penetration testing engagements for critical infrastructure and tactical networks. Paul's experience includes teaching networking, hacking and forensics courses internationally. He has a BS in Math/Computer Science, an MS in Information Assurance and Security and an MS in Computer Information Systems. In addition he holds a number of network and security certifications.

Hunting with OSSEC

Xavier Mertens (Freelance Cyber Security Consultant / SANS ISC)

OSSEC is sometimes described as a low-cost log management solution but it has many interesting features which, when combined with external sources of information, may help in hunting for suspicious activity occurring on your servers and end-points. During this workshop, you will learn the basics of OSSEC and its components, how to deploy it and quickly get results. Then I will demonstrate how to deploy specific rules to catch suspicious activities. From an input point of view, we will see how easy it is to learn new log formats to increase the detection scope and, from an output point of view, how we can generate alerts by interconnecting OSSEC with other tools like MISP, TheHive or an ELK Stack, Splunk, etc.

Xavier Mertens is a freelance cyber security consultant based in Belgium. His daily job focuses on protecting his customers’ assets by applying “offensive” (pentesting) as well as “defensive” security (incident handling, forensics, log management, SIEM, security visualisation, threat hunting, OSINT). Besides his daily job, Xavier is also a security blogger (https://blog.rootshell.be), a SANS Internet Storm Center Senior Handler (https://isc.sans.org) and co-organizer of the BruCON (http://www.brucon.org) security conference.

Malware Analysis Intro

Christian Wojner

With malware featuring crypto-trojans (ransomware), banking-trojans, information- and credential-stealers, bot-nets of various specifications, and, last but not least, industry- or even state-driven cyber espionage, the analysis of this kind of software is becoming more and more important these days. With a naturally strong focus on Microsoft Windows based systems this entertaining first-contact workshop introduces you to one of the most demanding but nonetheless compelling fields in IT-Security. On the basis of an especially designed, exciting scenario blended with various technical detours packed into a 6-stages workshop, students will


  • learn how easy it is to get infected by malicious software,

  • learn to assess what’s possible and what isn’t,

  • gain a comprehensive overview of the various malware categories and their according specifics,

  • learn about the individual phases of malware analysis and according tools including hands-on experience,

  • find out what malware analysts (are able to) do,

  • develop and hence understand typical strategic concepts and tactics in reverse engineering,

  • build a basic understanding of typical activities when dealing with cyber security incidents,

  • develop a realistic perspective regarding possibly upcoming malware incidents regarding their company,

  • learn a lot about the “hidden” gears under the hood of Microsoft Windows and modern operating systems in general and to locate and fill in gaps in their knowledge accordingly,

  • gather/train their abilities to deal with unforeseeable and even chaotic situations in a flexible and constructive manner thinking outside the box,

  • and, last but not least, build a stable foundation and therefore an ideal "trampoline" for next steps and further advancement in malware analysis.



Station 1: Prologue – Who? How? What? Malware categories, adversaries, motives

Station 2: The Lab – Setup, concepts, strategies, pitfalls and common mistakes

Station 3: Initial Incident Handling – The first encounter

Station 4: Sample Extraction – The needle in the haystack

Station 5: Behavioral Analysis – Eavesdropping the OS

Station 6: Code Analysis – Machine code, portable executables, disassemblers, debuggers, strategies



A laptop!!! As this workshop also features hands-on sessions, students are expected to bring a laptop matching the following requirements: During the workshop we will work with virtual machines based on Oracle’s free virtualization software VirtualBox. In this respect, please be sure that the laptop matches the according requirements (https://www.virtualbox.org/wiki/End-user_documentation).


General requirements for your laptop:

  • At least 80 GB free disk space

  • At least 8 GB RAM

  • Activated virtualization support options in BIOS

  • Installed (!!) 7-Zip Tool (http://www.7-zip.org/)

  • Installed (!!) Oracle VirtualBox (https://www.virtualbox.org/)

Christian Wojner is one of the core team members of the national and governmental computer emergency response team (CERT) of Austria (CERT.at/GovCERT Austria). Apart from his classical IT security incident handling and response duties, he particularly specializes in computer forensics with a very strong focus on analysis and reverse engineering of (malicious) software on Microsoft Windows based systems. In this respect, Christian is the author of various technical articles and papers, frequently gives talks specifically focusing on malware analysis, and supports the IT security community with his contributions in terms of forensic software tools, a lot of them as part of forensics software compilations like SANS’ specialized Linux distributions for reverse engineering (REMnux) and computer forensics (SIFT). One of his most popular projects, however, is “ProcDOT”, which gave behaviour-based malware analysis a massive boost in terms of efficiency and simplicity due to its visual approach using animated, interactive behaviour graphs. Besides being featured in many articles, ProcDOT was the 2nd place winner of Russ McRee’s Toolsmith “Tool of the Year Award” in 2013.

Security Risks in Cellular Networks: Phone, RAN, and Core (closed)

David Burgess (YateBTS)

This workshop describes security shortcomings in mobile networks, both in the core network and in the radio network, for GSM, UMTS, and LTE. The purpose of this workshop is to educate the audience on the range of security risks associated with using mobile devices.

The workshop will start with a general overview of cellular technology, the structure and function of mobile networks, and types of security flaws common to all mobile networks, some of which are unavoidable. We will then proceed to specific examples of security failures for different technology types and different services. The workshop will include live demonstrations of some of these security failures. This workshop covers the mobile network and handset baseband only, and does not address Android, iOS, or application-layer security.

David Burgess worked in signals intelligence and radio-location for over 10 years. He is probably best known as the primary author of OpenBTS. For the last 7 years, he has been working on SDR products for the commercial market. For more information on those products, see yatebts.com.

Bug Hunting Millionaire: Mastering Web Attacks with Full-Stack Exploitation

Dawid Czagan (Silesia Security Lab)

Until 2017, HackerOne bug hunters have earned $20 million in bug bounties and they are expected to earn $100 million by the end of 2020. Some of HackerOne's customers include the United States Department of Defense, General Motors, Uber, Twitter, and Yahoo. This clearly shows where the challenges and opportunities lie for you in the upcoming years. What you need is solid technical training by one of the Top 10 HackerOne bug hunters.

Modern web applications are complex and it’s all about full-stack nowadays. That’s why you need to dive into full-stack exploitation if you want to master web attacks and maximize your payouts. Say ‘No’ to classical web application hacking. Join this unique hands-on training and become a full-stack exploitation master.

After completing this training, you will have learned about:

- REST API hacking

- AngularJS-based application hacking

- DOM-based exploitation

- Bypassing Content Security Policy

- Server-side request forgery

- Browser-dependent exploitation

- DB truncation attack

- NoSQL injection

- Type confusion vulnerability

- Exploiting race conditions

- Path-relative stylesheet import vulnerability

- Reflected file download vulnerability

- Subdomain takeover

- and more…


Students will receive a VMware image with a specially prepared testing environment to play with the bugs. What's more, this environment is self-contained and when the training is over, students can take it home (after signing a non-disclosure agreement) to hack again at their own pace.


To get the most out of this training, intermediate knowledge of web application security is needed. Students should be familiar with common web application vulnerabilities and have experience in using a proxy, such as Burp Suite Proxy, or similar, to analyze or modify the traffic.


Students will need a laptop with a 64-bit operating system, at least 4 GB RAM (8 GB preferred), 35 GB free hard drive space, USB port (2.0 or 3.0), wireless network adapter, administrative access, ability to turn off AV/firewall and VMware Player/Fusion installed (64-bit version). Prior to the training, make sure there are no problems with running 64-bit VMs (BIOS settings changes may be needed). Please also make sure that you have Internet Explorer 11 installed on your machine or bring an up-and-running VM with Internet Explorer 11. (You can get it here: https://developer.microsoft.com/en-us/microsoft-edge/tools/vms/).


Penetration testers, bug hunters, security researchers/consultants

Dawid Czagan (@dawidczagan) is an internationally recognized security researcher and trainer. He is listed among the Top 10 Hackers (HackerOne). Dawid Czagan has found security vulnerabilities in Google, Yahoo, Mozilla, Microsoft, Twitter and other companies. Due to the severity of many bugs, he received numerous awards for his findings.

Dawid Czagan shares his security bug hunting experience in his hands-on trainings "Hacking Web Applications – Case Studies of Award-Winning Bugs in Google, Yahoo, Mozilla and More" and "Bug Hunting Millionaire: Mastering Web Attacks with Full-Stack Exploitation". He delivered security training courses at key industry conferences such as Hack In The Box (Amsterdam), CanSecWest (Vancouver), 44CON (London), Hack In Paris (Paris), DeepSec (Vienna), HITB GSEC (Singapore), BruCON (Gent) and for many corporate clients. His students include security specialists from Oracle, Adobe, ESET, ING, Red Hat, Trend Micro, Philips and the government sector. (Recommendations: https://silesiasecuritylab.com/services/training/#opinions).

Dawid Czagan is a founder and CEO at Silesia Security Lab – a company which delivers specialized security testing and training services. He is also an author of online security courses at Pluralsight. To find out about the latest of Dawid Czagan's work, you are invited to follow him on Twitter (@dawidczagan).


Mobile App Attack 2.0 (closed)

Sneha Rajguru

Mobile apps are the most preferred way of delivering attacks today. Understanding the finer details of mobile app attacks is fast becoming an essential skill for penetration testers as well as for app developers and testers. So, if you are an Android or an iOS user, a developer, a security analyst, a mobile pen-tester or just a mobile security enthusiast, then ’Mobile App Attack’ is of definite interest to you. The training familiarizes attendees with in-depth technical explanations of some of the most notorious mobile (Android and iOS) based vulnerabilities and ways to verify and exploit them, along with the various Android and iOS application analysis techniques and inbuilt security schemes, and teaches how to bypass those security models on both platforms.


The labs are equipped with real-world vulnerable Android and iOS apps intentionally crafted by the author and enable participants to learn the art of finding and exploiting flaws in mobile applications.


The platforms used for the trainings will be iOS 11 and Android 8.


Course Content:

Android Exploitation

– Introduction to ARM CPU

– Architecture, Registers and Modes of Operations

– ARM Assembly

– Debugging

– Stack Overflow in ARM

– Writing your first shellcode


ARM Exploitation

– Introduction to ARM CPU

– Architecture, Registers and Modes of Operations

– ARM Assembly

– Debugging

– Stack Overflow in ARM

– Writing your first shellcode


iOS Exploitation

– Getting started with iOS

– iOS Security Basics

– Setting up the Lab

– Reverse Engineering iOS Applications

– Static Analysis and Dynamic Analysis of iOS Apps

– Jailbreak Detection and Bypass

– Identifying and Exploiting Flaws in iOS Apps

– Finding security flaws in real world iOS Apps


Hands on CTF Challenge!


What Students will be provided with:

• Training Material / Slide Decks

• Mobile Application Hacking Lab Manual

• DIVA iOS Vulnerable iOS Application

• DIVA Android Vulnerable Android Application

• VM



Who should take this course?

Penetration testers/security professionals, mobile developers, anyone interested to learn mobile application security.



What should students bring?

  • A jailbroken iPhone/iPad/iPod for iOS testing is a must for hands-on.

  • Laptop with 20+ GB free hard disk space, 4+ GB RAM

  • Windows 7/8, Ubuntu 12.x+ (64 bit Operating System), MacOSX (Maverick or later)

  • Android SDK, Genymotion installed.

  • Intel / AMD Hardware Virtualization enabled Operating System

  • Administrative access on your laptop with external USB allowed


What will be provided?

Slides (PDF), Lab manuals, practice apps, VM for pen testing mobile apps




Sneha works as a Security Consultant with Payatu Software Labs LLP. Her areas of interest lie in web application and mobile application security and fuzzing. She has discovered various application flaws within open source applications such as PDFLite, Jobberbase, Lucidchart and more. She has spoken and provided training at GNUnify, FUDCon, DefCamp, DefCon, BSides LV, Nullcon, AppSec USA, DeepSec and BSidesVienna. Sneha is also the chapter lead for null - Pune. Twitter: @sneharajguru.

Advanced Infrastructure Hacking

Anant Shrivastava (NotSoSecure)

Course Outline

Note: This is a fast paced version of the original 4 day class, cut down to 2 days. To fit the entire training material within 2 days, some of the exercises have been replaced by demos which will be shown by the instructor. Students will receive FREE 1 month lab access to practice each exercise after the class.

Whether you are penetration testing, Red Teaming or trying to get a better understanding of managing vulnerabilities in your environment, understanding advanced hacking techniques is critical. This course covers a wide variety of neat, new and ridiculous techniques to compromise modern Operating Systems and networking devices.

While prior pentest experience is not a strict requirement, familiarity with both Linux and Windows command line syntax will be greatly beneficial. The following is the syllabus for the class:

Day 1:
* IPv4/IPv6 Basics
* Host Discovery & Enumeration
* OSINT & Asset Discovery
* Hacking Application and CI Servers
* Oracle Database Exploitation
* Windows Vulnerabilities and Configuration Issues
* Windows Desktop 'Breakout' and AppLocker Bypass Techniques
* A/V & AMSI Bypass Techniques
* Offensive PowerShell Tools and Techniques
* Local Privilege Escalation
* Post Exploitation Tips, Tools and Methodology
* An Introduction into Active Directory Delegation
* Pivoting, Port Forwarding and Lateral Movement Techniques

Day 2:
* Linux Vulnerabilities and Configuration Issues
* User/Service Enumeration
* File Share Hacks
* SSH Hacks
* Restricted Shells Breakouts
* Breaking Hardened Webservers
* Local Privilege Escalation
* MongoDB, TTY, Reverse tunneling
* Post Exploitation
* VLAN Hopping
* Docker breakout
* Kubernetes vulnerabilities
* Hacking VoIP
* Exploiting Insecure VPN Configurations

Anant Shrivastava is an information security professional with 9+ years of corporate experience and expertise in Network, Mobile, Application and Linux Security. He is the Regional Director for the Asia Pacific Area for NotSoSecure Global Services and has trained about 600 delegates at various conferences (Blackhat all 3 editions, Nullcon, g0s, c0c0n, ruxcon). Anant also leads the Open Source project Android Tamer (www.androidtamer.com) and CodeVigilant (www.codevigilant.com). His work can be found at anantshri.info

Advanced Penetration Testing in the Real World

Davy Douhine & Guillaume Lopes (RandoriSec)

Guillaume and Davy, senior pentesters, will share many techniques, tips and tricks with pentesters, red teamers, bug bounty researchers or even defenders during a 2-day 100% “hands-on” workshop. This is the very training you'd like to have instead of wasting your precious time trying and failing while pentesting.

The main topics of the training are:
- Buffer overflow 101: Find and exploit buffer overflows yourself and bypass OS protections.
(A lot of pentesters don’t even know how it works. So let's have a look under the hood);

- Web exploitation: Manually find and exploit web app vulnerabilities using Burp Suite.
(Yes, running WebInspect, AppScan, Acunetix or Netsparker is fine but you can do a lot more by hand);

- Network exploitation: Manually exploit network related vulnerabilities using Scapy, Ettercap and Responder. (Because it works so often when doing internal pentests);

- Passwords: Optimize the way you attack offline and online passwords. (0day is fun, but the way attackers gain access most of the time is simply by using login/passwords);

- Mobile app hacking: Find and exploit Android/iOS app vulnerabilities using Needle, Frida, Cycript and Hopper. (Companies move their apps into the cloud and the mobile world so pentesters have to evolve with that… or die);

Founder of RandoriSec, a security focused IT firm, Davy Douhine has been working in the ITSec field for almost fifteen years. He has mainly worked for key accounts in finance, banking and defense, doing pentests and trainings to help them improve their security.

Guillaume Lopes has been working in the pentest field for about 10 years. He has written many ITSec articles and has attended many security conferences.

ERP Security: Assess, Exploit and Defend SAP Platforms

Pablo Artuso & Yvan Genuer (Onapsis)

Your SAP platform contains the business crown jewels of your company. However, while leading organizations are protecting their systems from new types of SAP threats, still many are prone to SAP-specific vulnerabilities that are exposing their business to espionage, sabotage and financial fraud risks.

This course empowers Security Managers, Internal/External Auditors and InfoSec Professionals to assess their SAP platforms for platform-specific vulnerabilities, exploit them to better understand the involved business risk and mitigate them holistically.
It provides the latest information on SAP-specific attacks and protection techniques. After an introduction to the SAP world (previous SAP expertise is NOT required), you will learn through several hands-on exercises how to perform your own vulnerability assessments and penetration tests of your SAP platform to identify existing security gaps.
You will understand why even strict user roles and profiles are not enough to protect a SAP system, and how malicious attackers could break into the system anonymously, even without having a valid user.
With a strong focus on the SAP application layer, you will learn the key security aspects of several proprietary components and technologies, such as the SAProuter, SAP Web Dispatcher, SAP Gateway, SAP Message Server, SAP Web Applications (Enterprise Portal, Web Application Server), the SAP RFC and P4 interfaces, SAP Solution Manager, SAP Management Console, SAP-specific backdoors and rootkits, SAP forensics, SAP malware, ABAP vulnerabilities, the new SAP HANA Database, SAP Cloud solutions and much more! You will watch numerous live demonstrations of the most critical attack vectors, and even replicate them yourself in our labs using open-source and free tools, such as Bizploit - the first open-source ERP Penetration Testing framework.

After this intense training, you will be very well equipped to understand the critical risks your SAP platform may be facing and how to assess them. More importantly, you will know the best practices to effectively mitigate them, proactively protecting your business-critical platforms. Previous SAP expertise is NOT required!

Pablo Artuso is a security researcher at the Onapsis Research Labs. His work is focused on the research and detection of vulnerabilities in SAP systems. As a result of his research, he has reported and published several vulnerabilities in different SAP solutions such as HANA, Netweaver, etc. Moreover, Pablo works closely with the Innovation team contributing to the development of cutting-edge technologies to boost Onapsis products.

Yvan has 16 years of experience in SAP, now working as a security researcher at Onapsis. He received official acknowledgements from SAP AG for vulnerabilities he's reported. Furthermore, he has conducted trainings and talks at HIP, Hack.lu, Troopers and SSTIC.

Opening DeepSec 2018

DeepSec Organisation Team (DeepSec In-Depth Security Conference)

Opening Ceremony DeepSec 2018 In-Depth Security Conference


Keynote: We're All Gonna Die

Peter Zinn

Let’s kick off this conference with a frank frolic into the future. What better way to start the morning than investigating several ways our civilisation could end, including, of course, Cybergeddon.

ICT and Internet started out with a promise of a utopian future, where all we humans had to do was lay back, sip a drink, and tweet a bit. And everybody believed it. Except you of course. Well, they have been tricked. Again…

But now that the dark side of ICT raises its ugly head so high that maybe even those outside the security community can smell its foul breath we will all surely wake up, get together, and create a safer world.

Nah… Probably not. On the contrary: it is only getting worse. And in this uplifting and inspiring talk I will tell you exactly why.

Peter Zinn is an independent specialist and speaker on cybercrime. He energetically bridges the gap between ICT security specialists and decision makers. Peter has a degree in software engineering, had worked for private industry, and in 2007 made the move to cyber crime (fighting it, that is). As strategic advisor of the newly established National High Tech Crime Unit of the Dutch Police he helped shape its strategy and guide its growth for 10 years. And collected stories he is still not allowed to tell.

Peter is currently a full time speaker and consultant on cybercrime. One of the things he is working on (with a group of CISO’s) is how to prepare for a crisis where all systems are down for an undefined but long time.

Uncovering Vulnerabilities in Secure Coding Guidelines

Fernando Arnaboldi (IOActive)

Several government-related and private organizations provide guidance on how to improve the security of existing software as well as best practices for developing new code. These organizations include the Computer Emergency Readiness Team (CERT) Secure Coding Standards, Common Weakness Enumeration (CWE), Open Web Application Security Project (OWASP), and National Institute of Standards and Technology (NIST) Software Assurance Metrics.

This talk will expose multiple underlying exploitable vulnerabilities in secure pieces of code that follow the recommendations from each of these organizations. Even though these guidelines were created to improve software security, they may also inject side vulnerabilities.

Within secure code snippets, reviewed by many and considered trustworthy by all, are issues that attackers could exploit to escape secure directories, abuse insecure hashing and encryption practices, or even expose applications to SQL injection attacks among others.

Fernando Arnaboldi is a developer and security consultant who specializes in penetration testing and code reviews on multiple platforms. He has focused his research on breaking the security of different programming languages and has presented his findings at security conferences such as Black Hat USA & Europe, DEF CON, Ruxcon, OWASP AppSec USA & Europe and HITB Amsterdam.

Keynote: Automatic Exploitation - The DARPA Cyber Grand Challenge, what came after, and what is next

Kevin Borgolte (Princeton University)

The automatic exploitation of vulnerabilities has long been a holy grail for software security.
However, even manual exploitation by experienced security analysts and researchers has become ever more challenging due to the increased complexity of software systems and the introduction of security defenses.

In this keynote, we will orientate ourselves on where we are on the path to automatically "popping root shells with theorems."
We will recap the DARPA Cyber Grand Challenge, a competition organized by the United States' Defense Advanced Research Projects Agency, in which competitors were required to develop and implement a self-contained system that automatically finds, patches, and exploits vulnerabilities in software, and which spurred research on automatic exploitation because of its high stakes.
We will look into the automatic exploitation systems that Shellphish fielded in the DARPA Cyber Grand Challenge (CGC), the Mechanical Phish, which exploited more binary executables than any other team in the CGC's final event.
Finally, we will learn what research came after the DARPA Cyber Grand Challenge, the limitations of current approaches, and what the next challenges that we need to tackle are.

Kevin Borgolte is a postdoctoral research scientist at Princeton University in the Department of Computer Science and the Center for Information Technology Policy.
His research interests span system, software, and network security, currently focused on large-scale Internet abuse, protocol security, and security misconfigurations.
He is a member of the Shellphish Capture the Flag team, and he won third place overall, first place academic, and first place self-funded in the DARPA Cyber Grand Challenge (CGC) with his colleagues from Shellphish.
Kevin holds a PhD in Computer Science from the University of California, Santa Barbara.

Without a Trace – Cybercrime, Who are the Offenders?

Edith Huber & Bettina Pospisil (Donau-Universität Krems)

Cybercrime is a worldwide and diverse phenomenon, which needs multidisciplinary and global prevention and intervention strategies. Regarding the situation in Austria, no evidence-based scientific analysis exists that depicts the bright field of Cybercrime.
Therefore an interdisciplinary research group investigated the phenomenon cybercrime regarding the questions:
(1) Who are the offenders and the victims? (2) Which initiation and realisation strategies of Cybercrime can be identified? (3) Which offender-structure can be found? (4) Which investigation methods, performed by the police, can be identified as useful and what can be said about the further prosecution of the identified offenders? To address these questions, court files of the last ten years (2006-2016) have been analysed and considered through a crime-sociological, legal, technical and economical perspective.

Edith Huber is a Senior Researcher in the field of Security Research. Her research focuses on Cyber Security, CERTs, Information Security, Communication, Cybercrime, Cyberstalking, New Media, Social Science and Criminology. In 2009, she received the federal security prize of Austria. She has a lot of publications and experience in international research projects.

Bettina Pospisil received B.A. and M.A. degrees in sociology from the University of Vienna (2014, 2017). In 2015 she was Research Assistant with the Institute of Instructional and School Development at the University of Klagenfurt and at the Institute for Information Management and Control at the Vienna University of Economics and Business. Since 2017 she has worked as Junior Researcher in different KIRAS and FWF funded projects at the Faculty of Business and Globalization at the Danube University Krems. In 2017 she and her colleague received the Innovation Award of the Danube University Krems for the project called "CERT-Kommunikation II". Bettina Pospisil has co-authored various papers and has presented academic lectures at criminological and technical conferences. Her research interests include the topics Cybersecurity and Crime Studies.

IoD - Internet of Dildos, a Long Way to a Vibrant Future

Werner Schober (SEC Consult)

In recent years the internet of things has slowly crept into our daily life and is now an essential part of it, whether you want it or not. A long-existing subcategory of the internet of things is a mysterious area called teledildonics. This term was invented about 40 years ago and described (at that time fictional) devices allowing their users to pleasure themselves while being interconnected to a global network of plastic dongs. In the 21st century, teledildonics actually exist. Multiple devices are on the (multi-million dollar) market, offering the ability to pleasure an individual while being connected to the internet. Those devices offer functionalities like remote pleasuring over local links as well as over the internet. They implement social media-like functionalities such as friends lists, instant messaging, movie chats and explicit-image sharing.

With great pleasure comes great responsibility. It is a responsibility that smart sex toy manufacturers do not take into consideration as much as they should while handling extremely sensitive data. As long as there is no serious breach there is no problem, right?
This was the basis for a research project called “Internet of Dildos, a long way to a vibrant future”, dealing with the assessment of smart sex toys and the identification of vulnerabilities in those products, including mobile apps, backends and the actual hardware.

After the assessment of a selection of multiple smart sex toys an abyss of vulnerabilities was revealed. The identified vulnerabilities range from technically interesting vulnerabilities to vulnerabilities which affect the privacy of the users in extreme and explicit ways. It was possible to gain access to thousands of users’ data records, including cleartext passwords, explicit images, real-world names, real-world addresses, and many more specific facts. Furthermore, we were able to remotely pleasure individuals without their consent over the internet, or over a local link.

Talk outline:
1. Why?
   - Explanation as to why it is necessary to conduct penetration tests in the area of teledildonics and why the topic was chosen for further research.
2. Quick introduction into basics like
   - Internet of Things (IoT)
   - Sextech
   - Teledildonics
   - Internet of Dongs (IoD)
3. The “Test Devices”
   - A quick introduction of the test devices examined during this project.
   - Explanation of their feature set including areas of application and use-cases.
4. Let’s get dirty – An overview of the identified vulnerabilities
   - .DS_STORE File Information Disclosure
   - Customer Database Credential Disclosure
   - Unrestricted Access to administrative interfaces
   - Weird authentication implementation
   - Unauthenticated Bluetooth LE Connections
   - Missing Authentication in Remote Control
   - And many more…
5. Bluetooth LE Protocol exploitation
   - Brief overview over Bluetooth LE security features
   - Brief overview over Bluetooth LE authentication/pairing methods
   - Brief overview over Bluetooth LE exploitation Hardware
   - Brief overview over Bluetooth LE exploitation Software
   - Hands-on example
6. The “Swinger Club Problem”
   - How the manufacturers tried to downplay the vulnerabilities.
7. Legal Issues – Rape over the wire?
   - How are current laws dealing with sexual pleasure without consent over the internet?
8. Responsible Disclosure Process
   - Coordinated vulnerability remediation with the German CERT-Bund and why it was necessary to consult an independent 3rd party.
9. Ongoing/Similar Research

Werner Schober has been working as a professional IT Security consultant for SEC Consult since 2015. Besides being quite active in the SEC Consult Vulnerability Lab, where he identifies vulnerabilities in standard software, he is a penetration testing generalist. He likes to probe for vulnerabilities in everything which runs code, ranging from Android apps, smart homes, Wireless Networks, heavy-duty machines to whole Windows domains.

During his research at the University of Applied Sciences St. Pölten he focused on smart meter and smart grid best practices concerning IT Security resulting in graduating with a Bachelor of Science.

Pushed by the knowledge he gathered during his daily work at SEC Consult with various IoT devices, he decided to go a step further and analyse a myth-enshrouded IoT category for his Master Thesis - Smart Sex Toys. The research project "Internet of Dildos" was born. Werner is now focusing on the identification of vulnerabilities in smart sex toys for his master thesis.

How Android's UI Security is Undermined by Accessibility

Anatoli Kalysch (Friedrich-Alexander-Universität Erlangen-Nürnberg)

Android's accessibility API was designed to assist users with disabilities, or temporarily preoccupied users unable to interact with a device, e.g., while driving a car. Nowadays, many Android apps rely on the accessibility API for other purposes, including apps like password managers but also malware. From a security perspective, the accessibility API is precarious as it undermines an otherwise strong principle of sandboxing in Android that separates apps. By means of an accessibility service, apps can interact with the UI elements of another app, including reading from its screen and writing to its text fields. As a consequence, design shortcomings in the accessibility API and other UI features such as overlays have grave security implications.

This talk will provide a critical perspective on the current state of Android accessibility and selected UI security features. Starting with an app store centered overview of how accessibility services are used we will continue with currently unpatched flaws in the accessibility design of Android discovered during our assessment. These flaws and vulnerabilities allow information leakages and denial of service attacks up until Android 8.1. With an enabled accessibility service, we are able to sniff sensitive data from apps, including the password of Android's own lock screen.

To evaluate the effectiveness of our attacks against third-party apps, we examined the 1100 most downloaded apps from Google Play and found 99.25% of them to be vulnerable to at least one of the attacks covered in this talk. In the end possible countermeasures are discussed and we shed some light on the reporting process of Android vulnerabilities.

Anatoli Kalysch is a PhD student in IT Security at Friedrich-Alexander University Erlangen-Nürnberg (FAU). His research interests include reverse engineering and program analysis, obfuscation techniques, and Android security with a focus on malware analysis, and UI security. Selected projects are available on 'https://github.com/anatolikalysch/'.

Moving Money: Inside the Global Watchlist for Banking across Borders

Jasmin Klofta & Tom Wills (Investigative Reporter NDR/ARD (Germany) & Datajournalist The Times of London (UK))

It's a rare glimpse of an otherwise tightly guarded datastore - and it's worrying: many innocent people and organizations find themselves in the World Check database, which protects banks against potentially dangerous customers. This was the outcome of joint research by The Times of London (Great Britain), NDR / Süddeutscher (Germany), NPO Radio 1 (Netherlands), De Tijd (Belgium), La Repubblica (Italy) and The Intercept (USA). For the first time, they had comprehensive insight into World Check thanks to a leaked copy of the dataset containing more than two million profiles as of 2014.

The World Check database is a service of the global information and media group Thomson Reuters and one of only a few major offerings for identifying potentially problematic customers for banks and financial service providers: Politically Exposed Persons (PEPs), as well as individuals and organizations in the categories of crime, money laundering and terror. Under anti-money laundering and corruption laws, banks are required to scrutinise in advance those with whom they do business. If suspicion arises, they may refuse even a basic account. The banks are required to watch closely those customers with international connections, and cross-border transfers must be considered carefully.
However, the journalists revealed that many individuals and organizations were wrongly listed: Many are demonstrably innocent, such as people and organizations against whom allegations have not been proven or that are controversial and uncomfortable, but not criminal. Examples include the human rights organization Human Rights Watch, the animal welfare organization Peta, the environmental group Greenpeace, opposition politicians from Sri Lanka and Eritrea, and American whistleblower Chelsea Manning, whose entry points to financial crime. The reason for these listings was often in the sources, which are added to a profile without any rating or weighting. Among them are state propaganda, conspiracy, even right-wing extremist sites. Official government sources from around the world are used – but activity deemed criminal in one country may be perfectly legal in another.

Confronted with the research results, Thomson Reuters spoke cautiously, citing data protection reasons. The company said the information underlying World-Check comes primarily from hundreds of government and judicial databases, regulatory and law enforcement agencies, the EU and the United Nations. It said further information, such as from blogs, only flows in to confirm other findings and is clearly marked. The findings would also be brought together by teams of specialized staff. Thomson Reuters promotes its service boasting sophisticated algorithms and a team of 250 analysts who create 25,000 new profiles and update a further 40,000 existing profiles every month.

Investigative journalists Jasmin Klofta (Germany) and Tom Wills (UK) explain how, as part of an international collaboration, they exposed World-Check. They will show how they used data mining, OSINT and traditional investigative techniques to analyse this database and discover the human impact of this Kafkaesque system, which is used by almost every major bank and many other institutions including law enforcement agencies.

Jasmin Klofta is an investigative reporter from Hamburg. She works for PANORAMA (NDR/ARD) focusing on politics, digital economy and surveillance.

Tom Wills is an investigative journalist who specialises in using data mining, open source intelligence and digital forensics to find stories.

Suricata and XDP, Performance with an S like Security

Eric Leblond (OISF)

Extended Berkeley Packet Filter (eBPF) and eXtreme Data Path (XDP) technologies are gaining in popularity: eBPF in the Linux tracing and performance community, and XDP among networking people. After an introduction to these technologies, this talk proposes to have a look at the usage of the eBPF and XDP technology in the domain of security. A special focus lies on Suricata, which uses this technology to enhance its performance and, as a consequence, the accuracy of its network analysis and detection.

Éric Leblond is an active member of the open source community. Since 2009 he works on the development of Suricata, the open source IDS/IPS, and he is currently one of the Suricata core developers. He is a Netfilter Core Team member working mainly on communications between kernel and userland. He is also one of the founders of Stamus Networks, a company providing security solutions based on Suricata.

The Swift Language from a Reverse Engineering Perspective

Malte Kraus & Vincent Haupert (Friedrich-Alexander University Erlangen-Nuremberg)

Over the last decade, mobile devices have taken over the consumer market for computer hardware. Almost all these mobile devices run either Android or iOS as their operating systems. In 2014, Apple introduced the Swift programming language as an alternative to Objective C for writing iOS and macOS applications. The rising adoption of this new language has to some extent obsoleted existing techniques for program analysis for these platforms, like method swizzling and "class-dump".

In this paper we discuss features of Swift binaries that help in reverse engineering the functionality of the contained code: We document the memory layout of compound data types and the calling convention used by the Swift compiler, as well as the runtime type information that is used by runtime and debugger when data types are not known statically. This type information is rich enough to allow an almost full recovery of the definition of most Swift data types, e.g. including even the names and offset of the members of compound data types.

Based on these findings, we introduce the open source swift-frida library for iOS built on top of the Frida instrumentation framework. It provides this information about all public and many private Swift data types in a process. It allows transparent read/write access to Swift variables and their data members with known type and memory location.

Malte Kraus recently graduated with a M.Sc. in computer science from Friedrich-Alexander University Erlangen-Nuremberg. He likes to build things that break other things and has been playing CTFs since 2013.

Vincent Haupert is a research fellow and PhD candidate at the IT Security Infrastructures Lab of the Friedrich-Alexander University Erlangen-Nürnberg (FAU) in Germany. His main interests are authentication, system security and software protection of mobile devices. Particularly the security of FinTechs and mobile banking is one of his major research subjects.


Who Watches the Watcher? Detecting Hypervisor Introspection from Unprivileged Guests

Tomasz Tuzel (Assured Information Security)

Over the last decade we have seen a rapid rise in virtualization-based tools in which a hypervisor is used to gain insight into the runtime execution of a system. With these advances in introspection techniques, it is no longer a question of whether a hypervisor can be used to peek inside or even manipulate the VMs it executes. Thus, how can we trust that a hypervisor deployed by a cloud provider will respect the privacy of their customers?

While there are hardware-based protection mechanisms with the goal of guaranteeing data privacy even in the presence of such an "introspecting" hypervisor, there are currently no tools that can check whether the hypervisor is introspecting when it shouldn't.

We have developed a software package that analyzes instructions and memory accesses on an unprivileged guest system, which has been deployed onto a hypervisor to determine the potential presence (or lack) of introspection. These techniques are developed to examine properties of modern x86 systems, such as cache-based memory access timing and privileged instruction benchmarking to examine the behavior of the hypervisor. Moreover, we have developed timing methods such as thread racing to determine whether a hypervisor is monitoring regions of memory or hooking instructions.

Tomasz Tuzel is a software engineer with Assured Information Security, Inc since 2016. Previously, he was a software engineer with the Department of Defense for five years. He focuses on operational work and hypervisor research.

Efail and other Failures with Encryption and E-Mail

Hanno Böck (-)

The Efail bug against encrypted e-mails showed a variety of problems with the interaction of outdated cryptography and HTML e-mails. This talk will give an overview of the flaws that led to Efail and some other fun attacks that followed it.

Efail is an attack against E-Mail encryption with both S/MIME and OpenPGP. It often allows attackers, able to observe the encrypted message, to construct modified messages that will send the encrypted content back to the attacker. When Efail was published earlier this year only incomplete fixes were available. For S/MIME the issue is still completely unfixed and it's likely to stay that way.

Efail combines two weaknesses: Both E-Mail encryption standards use outdated cryptography, particularly they don't use proper authenticated encryption. This allows attackers to modify transmitted messages. HTML mails give the sender of a mail a huge amount of control over what happens when rendering a mail. This can be abused in a variety of ways to send decrypted e-mail content to the attacker. After the first incomplete fixes for Efail the speaker was able to bypass the implemented fixes in Enigmail multiple times. The talk will go over the basics of Efail, discuss attacks and variations that followed it, and discuss some further attacks including SigSpoof and two yet undisclosed attacks.

Hanno Böck is a freelance writer and hacker. He's regularly covering IT security issues for the German news site Golem.de and others. He's also the author of the monthly Bulletproof TLS newsletter. After the discovery of Efail Hanno discovered multiple bypasses for the first fixes deployed.

Library and Function Identification by Optimized Pattern Matching on Compressed Databases

Maximilian von Tschirschnitz (Technical University of Munich)

The goal of library and function identification is to find the original library and function to a given machine-code snippet. These snippets commonly arise from penetration tests attacking a remote executable, static malware analysis or from an IP infringement investigation. While there are several tools designed to achieve this task, all of these seem to rely on varied methods of signature-based identification. In this paper, we argue that this approach is not sufficient for many cases and propose a design and implementation for a multitool called KISS. KISS uses lossless compression and highly optimized pattern matching algorithms to create a very compact but substantial database of library versions. In practice, KISS achieves remarkable compression rates below 30 percent of the original database size while still allowing for extremely fast (sublinear) snippet identification. We use statistical tests to show that its code snippet recognition is tremendously successful while having a false-positive rate close to the lowest theoretical bound. Finally, we also demonstrate how our approach improves the security of existing techniques as our design relies fully on complete function body verification, which prevents analysis-resilient malware from disguising itself as external and trusted library code. This has recently become a problem for malware analysts with existing identification solutions.

Maximilian von Tschirschnitz is working as a prototype engineer and researcher for the Intel Corporation in Germany.
In parallel he is currently conducting his studies of Informatics at the TU Munich.
His current research topics cover IT-security and high precision positioning methods.
His further professional interests include theoretical informatics, image feature recognition and computer graphics.

Defense Informs Offense Improves Defense: How to Compromise an ICS Network and How to Defend It

Joe Slowik (Dragos)

ICS attacks have an aura of sophistication, high barriers to entry, and significant investment in time and resources. When looking at the situation from a defender's perspective, nothing could be further from the truth. Attacking and potentially taking down an ICS network requires - and probably operates best - via permutations of 'pen tester 101' actions combined with some knowledge of the environment and living off the land.

In this talk, we will explore some concrete ICS attack examples to explore just what is needed to breach and impact this environment. More importantly, using malware and data captured from recent attacks - specifically TRISIS and CRASHOVERRIDE - we'll see how the attackers 'messed up' their attacks and why a more simplified and direct approach to achieving offensive goals would not only be more effective, but likely far more difficult for defenders to catch as well. To close the conversation, we'll explore what defensive measures can be applied - and are necessary - to detect and stop such attacks in their tracks.

Joe Slowik currently hunts ICS adversaries for Dragos, pursuing threat activity groups through their malware, their communications, and any other data available. Prior to his time at Dragos, Joe ran the Incident Response team at Los Alamos National Laboratory, and served as an Information Warfare Officer in the US Navy. Throughout his career in network defense, Joe has consistently worked to 'take the fight to the adversary' by applying forward-looking, active defense measures to constantly keep threat actors off balance. An important part of this strategy is understanding adversary techniques and actions: good defense requires knowing (and at times practicing) offense.


Paul Coggin (Financial Institution)

SS7 is to the PSTN what BGP is for the Internet. In this presentation Paul will explain the fundamentals of the SS7 protocol and telecommunications architecture. An overview of how SS7 is utilized by large enterprises, mobile networks and service providers will be discussed. Security issues with the SS7 protocol will be covered with real world examples of how a service provider network may be targeted to gain access to the SS7 network.

Paul Coggin is a Cyber Security Research Scientist for a large financial institution. His expertise includes tactical, service provider, and ICS/SCADA network infrastructure attacks and defenses, as well as large complex network design and implementation. His experience includes leading network architecture reviews, vulnerability analysis, and penetration testing engagements for critical infrastructure and tactical networks. Paul’s experience includes teaching networking, hacking and forensics courses internationally. He has a BS in Math/Computer Science, an MS in Information Assurance and Security and an MS in Computer Information Systems. In addition he holds a number of network and security certifications.

Kernel-Assisted Debugging of Linux Applications

Tobias Holl, Philipp Klocke, Fabian Franzen (Technical University of Munich)

On Linux, most, if not all, debuggers use the ptrace debugging API to control their target processes. However, ptrace proves unsatisfactory for many malware analysis and reverse engineering tasks: So-called split-personality malware often adapts its behavior in the presence of a debugger, yet ptrace makes no attempt to hide from a target process. Furthermore, ptrace enforces a strict one-to-many relation meaning that while each tracer can trace many tracees, each tracee can only be controlled by at most one tracer. Simultaneously, the complex API and signal-based communications provide opportunities for erroneous usage.

Previous works have identified the newer uprobes tracing API as a candidate for building a replacement for ptrace, but ultimately rejected it due to lack of practical use and documentation. Building upon uprobes, we introduce plutonium-dbg, a Linux kernel module providing debugging facilities independent of the limitations of ptrace alongside a GDB-compatible interface. Our approach aims to mitigate some of the design flaws of ptrace that make it both hard to use and easy to detect by malicious software.

We show how plutonium-dbg's design and implementation remove many of the most frequently named issues with ptrace, and that our method improves on traditional ptrace-based debuggers (GDB and LLDB) when evaluated on software samples that attempt to detect the presence of a debugger.

Tobias Holl is a computer science student at TUM with a passion for reverse engineering and IT security. By day, he develops high-performance parallel software in C++, with a focus on computer vision and machine learning.

Philipp Klocke is a hacker, nerd and tech-enthusiast. He occasionally plays CTF and pursues a B.Sc. at the Technical University of Munich.

Since 2018 Fabian Franzen is a PhD student and researcher at the Chair of IT-Security of the Technical University of Munich (TUM). When he is not trying to teach his students the foundations of IT security, he is interested in various research topics. More specifically, these are reverse engineering, binary exploitation, Android security and improving systems security by introducing additional features to the Linux Kernel.

Security Response Survival Skills

Benjamin Ridgway (Microsoft)

Jarred awake by your ringing phone, bloodshot eyes groggily focus on a clock reading 3:00 AM. A weak "Hello?" barely escapes your lips before a colleague frantically relays the happenings of the evening. As the story unfolds, you start to piece together details leading you to one undeniable fact: Something has gone horribly wrong...

Despite the many talks addressing the technical mechanisms of security incident response (from the deep forensic know-how to developing world-class tools) the one aspect of IR that has been consistently overlooked is the human element. Not every incident requires forensic tooling or state of the art intrusion detection systems, yet every incident involves coordinated activity of people with differing personalities, outlooks, and emotional backgrounds. Often these people are scared, angry, or otherwise emotionally impaired.

Drawing from years of real-world experience, hundreds of incidents worked by Microsoft Security Response Center, and the many lessons learned from some of the greats in IR around the company, this talk will delve into:

• Human psychological response to stressful and/or dangerous situations
• Strategies for effectively managing human factors during a crisis
• Policies and structures that set up incident response teams for success
• Tools for building a healthy and happy incident response team

Effectively navigating the human element is a critical skill for anybody who may be called upon to manage or participate in a security incident. This talk is geared toward occasional or full-time responders who are looking for practical human-management skills.

It is now 3:05AM. Everything has gone horribly wrong. A room full of panicked engineers await. It is your time to sink or swim. Good luck.

Ben Ridgway has been involved in a wide variety of projects during his security career. He started with a position at NASA looking for vulnerabilities in spacecraft control systems. Following that, he took a job with the MITRE Corporation as part of a team which consulted for the US Government. This work involved everything from pen testing high assurance systems to building out Cyber Security Operations Centers. He was hired by Microsoft in 2011 to be one of the original security engineers on Microsoft’s Azure cloud. He helped found the security incident response team for Microsoft Azure. Over time that scope has grown across multiple online services, cloud, and machine learning technologies. Today he is the lead of the Microsoft Security Response Center - Trust and Strategy Team. This team is responsible for managing critical security incidents within Microsoft’s cloud and artificial intelligence services while preparing for the incidents of tomorrow.

New Attack Vectors for the Mobile Core Networks

Dr. Silke Holtmanns (Nokia Bell Labs)

Structure of the talk:
- Introduction & background
- Introduction to interconnection network (What is it, how does it work)
- Why is it important for all of us?
- Where does it come from? (Basics to understand the problems)
- Existing attacks (Focus on 3G/4G)
- Who are the attackers?
- What is done against them? (Focus on EU ENISA, USA FCC and GSMA work)
- How do they get in (Real examples will be shown)
- Attacks & Countermeasures
- Introduction to network set-up (So the demonstration is understandable)
- Presentation of high level attack scenarios for DoS / Fraud / Data Interception using the charging system
- Demonstration of those attacks in testlab 
- User impacts (What do these attacks mean on a personal level?)
- Countermeasures and fixes
- Wrapping up
- Outlook for 5G - Main security challenges
- Summary
- Q&A

Dr Silke Holtmanns is a distinguished member of technical staff and security specialist at Nokia Bell Labs. She researches new attack vectors and mitigation approaches. The creation of new and the investigation of existing security attacks using SS7, Diameter and GTP via the Interconnect lead to new countermeasures for 4G/5G networks. Her focus lies on the evolution and future of security for mobile networks. For 5G she investigates potential risk areas coming from the combination of IT security and signaling threats. As an expert on existing and future attack patterns for interconnection security, she provides advice and input to customers, standard boards, and regional and national regulating governmental bodies e.g. in US FCC and EU ENISA.

She has over 18 years of experience in mobile security research and standardization with strong focus on 3GPP security and GSMA. She is rapporteur of ten 3GPP specifications and of the GSMA Interconnection Diameter Signalling Protection document. She is (co)-author of more than 70 security publications.

Isha Singh is the co-author of the talk that will be presented at DeepSec.
Isha is a masters student at Aalto University in Finland and doing her thesis research work at Nokia Bell Labs under the guidance of Dr. Silke Holtmanns. She has a Masters in Wireless Communication and Machine Learning.
She has published papers on smart city environmental perception from ambient cellular signals and 5G ubiquitous sensing. She is passionate about IoT devices and their security in the 5G scenario. She has experience working on embedded devices (Arduino, Raspberry Pi) for multiple projects like an analog-to-digital converter used in optical communication and face recognition. Presently she is exploring cybersecurity, starting from mobile communication core network security, testing loopholes and providing solutions using machine learning.


Injecting Security Controls into Software Applications

Katy Anton (CA Technologies | Veracode)

SQL Injection was first mentioned in a 1998 article in Phrack Magazine. Twenty years later, injection is still a common occurrence in software applications (No.1 in latest OWASP Top 10 2017). For the last 20 years, we have been focusing on vulnerabilities from an attacker’s point of view and SQL injection is still King. Something else must be done.

What if there is another way to look at software vulnerabilities? Can vulnerabilities be decomposed into security controls familiar to developers? Which security controls are an absolute must-have, and which additional security measures do you need to take into account?

These are hard questions as evidenced by the numerous insecure applications we still have today. Attend this talk to explore security vulnerabilities from a different angle. As part of this briefing, we examine how to decompose vulnerabilities into security controls that developers are familiar with and offer actionable advice when to use them in SDLC and how to verify them.

We will flip security from focusing on vulnerabilities (which are measured at the end) to focusing on techniques familiar to developers, which can be applied from the beginning of the software and measured throughout the SDLC.

Katy Anton is a security professional with a background in software development. An international public speaker, she enjoys speaking about secure coding and how to secure software applications.

In her previous roles she led software development teams and implemented security best practices in software development life cycles. As part of her work she got involved in the OWASP Top Ten Proactive Controls project where she joined as project leader.

In her current role as Principal Application Security Consultant at CA Technologies | Veracode, Katy works with security teams and software developers around the world and helps them secure their software.

Offpath Attacks Against PKI

Markus Brandt (Fraunhofer Institute for Secure Information Technology SIT)

The security of Internet-based applications fundamentally relies on the trustworthiness of Certificate Authorities (CAs). We practically demonstrate for the first time that even a very weak off-path attacker can effectively subvert the trustworthiness of popular and commercially used CAs. Our attack targets CAs which use Domain Validation (DV) for authenticating domain ownership; collectively these CAs control 99% of the certificate market. The attack exploits DNS cache poisoning and tricks the CA into issuing fraudulent certificates for domains that the attacker does not own, namely certificates binding the attacker’s public key to the victim domain.

Our work is the first to weaponise DNS cache poisoning and to apply it to circumvent security of a critical PKI system.

Markus Brandt is a researcher in the field of cybersecurity and has presented his work at top-tier academic conferences. Mr Brandt has 30 years of programming experience and is an established hacker and security researcher. His main interests lie in network security (attack and defense), including routing and naming systems, Internet infrastructure, software security and reverse engineering, new and emerging paradigms like IoT, and he also likes breaking cryptography. Mr Brandt is involved with different industry and research activities, mentors groups in a cybersecurity accelerator, and teaches at TU Darmstadt.

Blinding the Watchers: The Growing Tension between Privacy Concerns and Information Security

Mark Baenziger (FireEye Deutschland GmbH)

This talk explores the growing tension between recent changes to customer and employee expectations of privacy, and the need for organizations to gather and examine data in order to detect and respond to information security incidents. This talk highlights specific areas that cause issues, including examples of where security teams have deliberately subverted data privacy controls to do their job, and proposes some potential solutions to the issues.


This talk is derived from an earlier project which explored how security teams violate rules and laws in order to accomplish their mission. During the previous project, there were several examples of teams which violated privacy controls because they felt that they had to in order to do their job.

The talk starts with examples of how information security teams have run into privacy issues while attempting to detect and respond to intrusions, and gives examples about where some teams have deliberately circumvented privacy controls in order to meet requirements to detect and respond to security incidents.

While this talk briefly reviews the various privacy laws that exist, as well as the privacy drivers of EU businesses, its primary focus is on the actual mechanisms where information security team members attempt to subvert or work around privacy controls.

It will also explain some of the reasons for the perceived need of information security teams to gather and analyze data used to detect and respond to security incidents, by walking through the use of netflow, full packet capture, weblog, E-mail, and endpoint data acquisitions to support detection and analysis of potential or actual security incidents.

The talk closes by demonstrating some alternatives to analyzing these types of data and further exploration of potential future technical and policy changes. These changes can help to strike a better balance between the need to protect employee and customer privacy, and the need to detect, analyze, and respond to computer intrusions and incidents.

Mark has 20 years of experience as a pentester, incident handler, and leader. He currently manages detection and response on a million endpoints.

Open Source Network Monitoring

Paula de la Hoz Garrido (Student)

I'd like to offer an introduction to Network System Monitoring using different open tools available in Linux. The talk is a technical approach to identifying the best sniffing points in a network and how to orchestrate a full analysis of the content to secure the network, as well as showing ideas of collaborative and distributed hacking.

Also, for better performance, the talk includes a brief guide to configuring a Raspberry Pi for creating a simple Network Capture Probe.

The main point of the talk is to show how open source tools are a nice option for this kind of security assessment.

Paula de la Hoz Garrido is a 22-year-old computer engineering student. So far, she's worked as a systems analyst, as a robotics teacher in Switzerland and as an Arduino monitor at a summer camp for girls at the University of Granada.

She has a Columbia University certificate in Investigative Journalism and recently founded a digital rights and privacy awareness association in Spain called "Interferencias", which already has around 500 members. Paula is into Network security, and is training a group of telecommunications students who passed a CTF test in the kind of security assessment Paula introduces us to in her talk.

Attacks on Mobile Operators

Aleksandr Kolchanov (n/a)

I'd like to talk about telecom security.

My research contains information about security of mobile operators: classic and new (or very rare) attack vectors and vulnerabilities.

This presentation will consist of three main parts:

First, I will share information on the security of mobile operators in general. I'll tell you a little bit about why it is important (usually, phone numbers are used as a key to social networks, messengers, bank accounts, etc). So, if an attacker can hack a mobile operator, he can gain access to a big amount of user data and money. Also, in this part, I will tell you about typical SS7 attacks (how to intercept SMS or send fake ones).

During the second part, I will tell you about different vulnerabilities and security issues. All of the problems I will refer to were found in systems of mobile operators from Russia and the Ukraine. I will speak about the classic vulnerabilities I found (XSS, CSRF and HTTPS issues) that allow attackers to gain access to subscriber accounts through a mobile operator's site or an application.
Also, I will talk about authorisation issues (SMS codes, bruteforce, etc).
Then I will tell you about new attack vectors (or very rare ones): attacks via IVR (at call centers), problems in operator services that allow sending SMS from user numbers, and problems in operator applications (which allow attackers to intercept calls and SMS).
I also will speak about attacks on sim-card change systems (how I can gain access to information that I can use to change sim-cards and gain access to calls and SMS).
Of course, I will show demos and PoC (images, video or real-time demonstration) of some attacks.

In the final part of the talk I will talk about post-exploitation. The main idea of this part is to show how I can use the vulnerabilities addressed in the second part of my talk to gain access to private data (including SMS content), intercept calls and SMS, send fake SMS, gain access to email, messenger, and social network accounts (using restore via SMS), to steal money from bank accounts (using account restore or SMS-banking) and for some other ideas.

Aleksandr Kolchanov is an independent security researcher and consultant, and an ex-penetration tester at a bank in Russia. He takes part in different bug bounty programs - PayPal, Facebook, Yahoo, Coinbase, Protonmail, Telegram, etc., and holds first place in the Privatbank bug bounty program (one of the biggest banks in the Ukraine). Aleksandr also won the "Hack Internet-Bank" competition of PromSvazBank, Russia.
He's interested in uncommon security issues, telecom problems, airline security and social engineering.

Everything is connected: how to hack Bank Account using Instagram

Aleksandr Kolchanov (-)

Attacks on IVR systems and call centers of banks are interesting and funny, but sometimes they are not so effective. Usually a hacker needs to know some of the user's information for authorization. So a hacker can gain access to the private information and (sometimes) the money of one known person, but what can he do if he wants to attack thousands of users? Luckily (or not), many people share their information on the Internet.

In this talk I will show how and where an attacker can gather information that can be used for attacks on IVR systems. At the end I will show a practical case from one private bank.

Aleksandr Kolchanov - I'm an independent security researcher and consultant, and an ex-penetration tester at a bank in Russia. I take part in different bug bounty programs (PayPal, Facebook, Yahoo, Coinbase, Protonmail, Telegram, etc.) and the Privatbank (one of the biggest banks in Ukraine) bug bounty program (https://privatbank.ua/ru/safeness/bughunters - pyrk, first place).
Winner of the "Hack Internet-Bank" competition of PromSvazBank, Russia. I'm interested in uncommon security issues, telecom problems, airline security and social engineering.

How to Communicate about IT Security without Getting the Cybers

Hauke Gierow & Tim Berghoff (G DATA Software AG)

A long long time ago any results from security research were mainly communicated via message boards and mailing lists such as full-disclosure. Today, researchers and academics have new ways to make their work known to a wider audience by establishing relationships with journalists and other intermediaries. This can cause problems if researchers with no prior exposure to journalists and other media representatives get into contact with media who are more focused on producing fancy headlines and where accuracy often takes second place. The problem goes both ways: Journalists or editors with no knowledge or experience in infosec can - sometimes inadvertently - interpret something as the "hack of the century", when in fact it isn't. A prime example of this is The Guardian's coverage of what they thought was a backdoor in Whatsapp.

This talk wants to address the problem and offer some advice to both parties. For example the relevant questions that should be asked by a journalist prior to publishing any research they were handed. It will also look at where potential overlaps in the interests of both parties are and how those can lead to an unwanted outcome, e.g. if media outlets quote proper academic research out of context. We will present disclaimers and other useful tools that can help to get the public informed in a better way about the critical field of IT security research.

Hauke is a Security Communications Manager at G DATA Software AG. Before, he worked as a journalist with Golem.de as well as Head of Internet Freedom Desk at Reporters Without Borders Germany and a China Think Tank in Berlin.

Tim is a Security Evangelist at G DATA Software AG and frequently speaks about security at conferences and gatherings. Before, he consulted companies and the public sector on IT-security questions.

Cracking HiTag2 Crypto - Weaponising Academic Attacks for Breaking and Entering

Kevin Sheldrake (Not representing employer)

HiTag2 is an RFID technology operating at 125KHz. It is distinguished from many others in the same field by its use of 2-way communications for authentication and its use of encryption to protect the data transmissions - the majority of RFID technologies at 125KHz feature no authentication or encryption at all. As a result it has been widely used to provide secure building access and has also been used as the technology that implements car immobilisers.

In 2012, academic researchers Roel Verdult, Flavio D. Garcia and Josep Balasch published the seminal paper, ‘Gone in 360 Seconds: Hijacking with Hitag2’ that presented three attacks on the encryption system used in HiTag2. They implemented their attacks on the Proxmark 3 device (an RFID research and hacking tool) and gave several high-profile demonstrations, but didn’t release any of their code or tools. Since then, the forums supporting Proxmark 3 and RFIDler (another RFID hacking tool) have received many requests for implementations of these attacks, but until recently none had been forthcoming. In 2016, Garcia et al released the paper 'Lock It And Still Lose It' offering a fast correlation attack against HiTag2 but again did not release any tools.

In this talk I will explain how HiTag2 RFID works in detail, including the PRNG and the authentication and encryption protocols, and will present my own implementations of the attacks, written for RFIDler and supported by desktop computers. The first attack uses a nonce replay to misuse the integrity protection of the comms in order to allow access to the readable RFID tag pages without needing to know the key. The second, third and fourth attacks use time/memory trade-off brute force, cryptanalytic attacks and a fast correlation attack to recover the key, such that the contents of the read-protected pages can also be accessed. The attacks are weaponised and permit cloning of tags, which I will demonstrate.

All tools are publicly available on the ApertureLabs/RFIDler github.

Kevin Sheldrake is a penetration tester and researcher who started working in the technical security field in 1997. Over the years, Kev has been a developer and system administrator of ‘secure’ systems, an infosec policy consultant, a penetration tester, a reverse engineer and an entrepreneur who founded and ran his own security consulting company. His current interests lie in tool development for better penetration testing, and he has specialised in IoT and crypto for a number of years.

He has a Masters degree, is a Chartered Engineer and, in the past, has been a CHECK Team Leader, a CISSP and held CLAS.

Kev has presented at 44CON, Troopers, DEFCON 4420, 441452 and 441392 on RFID crypto (Cracking HiTag2 Crypto); EMF Camp, DEFCON 4420 and 441452 on hacking embedded devices (Inside our Toys); presented on building debuggers for embedded devices at Securi-Tay (Phun with Ptrace()); and also presented a lengthy take down on the use of NLP in Social Engineering at DEFCON 4420 (Social Engineering LIES!). He has also presented regularly at his employer’s internal security conference, winning best talk in 2014 for ‘Embedded Nonsense’, a talk about hacking an IoT device and reversing its crypto, which he subsequently presented at Cyber Security Challenge.

Project Introduction: Data over Sound - Risks and Chances of an emerging Communication Channel

Matthias Zeppelzauer (St. Pölten University of Applied Sciences)

The ultrasonic frequency band represents a novel and so far hardly used channel for the communication between different devices, such as mobile phones, computers, TVs, and personal assistants like Google Chromecast. Ultrasonic communication is a promising technology since it requires only a standard loudspeaker and a microphone (as built into our phones) for communication. While offering a number of opportunities for innovative services (e.g. in the domain of Internet of Things), the technology, however, also bears a number of risks, such as being exploited as a covert channel. Companies like Silverpush, for example, employed ultrasonic data exchange to track users across devices and to collect information about their behavior without their knowledge. Furthermore, the acoustic channel can be used to exfiltrate information from IT infrastructures and to de-anonymize users. In my talk I will present the novel technology of ultrasonic communication, show how it works and which risks and chances are linked to it. Additionally, I will present the project "SoniControl" which aims at the development of an ultrasonic firewall to protect the privacy of users as well as the project "SoniTalk" which aims at developing a safe and privacy-oriented protocol for ultrasonic communication.


A Tour of Office 365, Azure & SharePoint, through the Eyes of a Bug Hunter

Dr.-Ing Ashar Javed (Hyundai AutoEver Europe GmbH)

The Cross-Site Scripting (XSS) outbreak started almost twenty years ago and since then it has been infecting web applications at a concerning pace. It is feared that the influx of programs and bug hunters arriving at bug bounty platforms will worsen the situation given more disclosed cases of bug(s) or public citing and viewing. According to #FakeNews Media, the outbreak engulfed One Microsoft Way in Redmond. This is where a contagious tour starts.

The tour guide will convoy you thru 50 award winning shattered windows in Office 365, Azure and SharePoint. All reported XSS findings spawned great riches and ended up in The Honor Roll or made their way to a simple acknowledgement entry or several CVE-plated thanks. The goal of this walking tour: an intimate look at Microsoft online or cloud services (Office 365 and Azure) bug bounty programs through the eyes of a bug hunter.

This briefing will conclude on: classical XSS is here to stay while Redmond's outbreak "... was like a storm. But storms, they can come back. Can't they? The question is, if they come back, is it the same storm, or has something changed?"

Ashar Javed currently works on penetration testing, source code review and mobile application vulnerability assessments at Hyundai AutoEver Europe GmbH (an IT service company for Hyundai & KIA Motors). He works alongside developers and external third-party application vendors in order to eliminate web vulnerabilities. He has spent three years as a security researcher for Ruhr-Universität Bochum, Germany. Ashar holds a PhD degree from Ruhr-Universität Bochum and MSc from Technische Universität Hamburg-Harburg, Germany. His research interests include web application vulnerabilities and in particular Cross-Site Scripting. He has a passion for XSS and lives and breathes in XSS.

Ashar has delivered talks at major security events like Black Hat Europe 2014, Hack in the Box Kuala Lumpur 2013, OWASP Spain (2014, 2015 & 2016), SAP Product Security Conference 2015, International PHP Conference 2015, ISACA Ireland 2014, RSA Europe (OWASP Seminar) 2013, DeepSec, Austria (2013, 2014 & 2015), and GISEC, Dubai 2016. In his free time, he likes to participate in bug bounty programs. He has been listed 30 times on Microsoft's acknowledgement page for online services and has achieved rank #22 among Microsoft's Top 100 researchers of 2017, while other acknowledgements in halls of fame include Google, Twitter/Paypal/Ebay/GitHub/Adobe/Etsy/Netflix/AT&T Security Pages & Facebook White Hat. Ashar is at #1 among the Top 5 bug bounty hunters recognized by Microsoft for Q1 and Q2 of 2018. Ashar also does security consulting including consulting for a media tycoon. He blogs at "Respect XSS" and tweets at @soaj1664ashar.

Building your Own WAF as a Service and Forgetting about False Positives

Juan Berner (Booking.com)

When a Web Application Firewall (WAF) is presented as a defensive solution to web application attacks, there is usually a decision to be made: Will this be placed inline (and risk affecting users due to outages or latency) or will it be placed out of band (not affecting users but not protecting them either)? This talk will cover a different approach you can take when deciding how to use any WAF at your disposal, which is to try and get the best of both worlds, making the WAF work in passive mode out of band detecting attacks and in active mode by selectively routing traffic through your WAF to decide if it should block the request or allow it.

To achieve this we will have to abstract the WAF around a web service, something that developers are commonly used to working with, which can result in delivering security in a targeted and scalable manner. In this network agnostic setup, a WAF web service can grow horizontally, allowing you to enhance the WAF decisions with your own business knowledge. This will mean that the decision to block or to route traffic through the WAF will not only depend on the WAF’s decision but also on data about your application and its context, which can significantly reduce the false positive rate.

In this talk, I will go through how such a service can be built with open source examples, what alternatives there are, depending on the flexibility of the WAF used, and how this approach can be used to manually decide on the false positive rate wanted and the desired business risk depending on the attack type. We will also cover the drawbacks of what's not a fully inline solution and speak about possible improvements of this architecture.

Juan Berner is a security researcher with over 8 years of experience in the field, currently working as Security Lead Developer at Booking.com, as SME for Application Security and Architect for security solutions.

Information, Threat Intelligence, and Human Factors

John Bryk (Downstream Natural Gas Information Sharing and Analysis Center (DNG-ISAC, North America))

• There’s a huge difference between threat data, information, and intelligence. Understanding the difference is essential to getting the most out of your cybersecurity efforts.
• In the progression from data to information to intelligence, the volume of outputs reduces while the value of those outputs increases.
• Threat intelligence platforms produce data and information, which human analysts can use to produce actionable (operational) threat intelligence and to share that intelligence.
• A computer can never produce threat intelligence, but humans are unsuited to the task of collecting and processing huge volumes of threat data.
• Action must always be the end goal. Threat intelligence is useless unless it can be used to improve cybersecurity.

John Bryk retired as a colonel from the United States Air Force after a 30-year career, with early assignments that included launching the Space Shuttle and unmanned rockets. As a senior officer, he served as a military diplomat at U.S. embassies in Canada, and in Central and Western Europe, including Berlin. Colonel Bryk deployed to Southwest Asia on three combat tours and was awarded the Bronze Star Medal for service in Afghanistan. Prior to retirement he was attached to the Defense Intelligence Agency, where he later continued to serve as a civilian until joining the private sector in 2015.

As the threat intelligence analyst for the Downstream Natural Gas-ISAC, John focuses on the protection of North America’s natural gas critical cyber and physical infrastructure. His blog, Infrastructure Cyber Defender, appears online in CSO Magazine, where he shares a personal take on current cyber and physical issues.

John holds an MBA, an MS in Cybersecurity, and an MA in Business and Organizational Security. He maintains a certification as a Counterintelligence Threat Analyst, is an international cybersecurity speaker, and serves on the Governing Board of the McAfee Institute.

Pure In-Memory (Shell)Code Injection in Linux Userland

reenz0h (Sektor7)

A lot of research has been conducted in recent years on performing code injection in the Windows operating system without touching the disk. The same cannot be said about *NIX (and Linux specifically).

Imagine yourself sitting in front of a blinking cursor, using a shell on a freshly compromised Linux server, and you want to move forward without leaving any trace behind. You need to run additional tools, but you don't want to upload anything to the machine. Or, you simply cannot run anything because the noexec option is set on mounted partitions. What options remain?

This talk will show how to bypass execution restrictions and run code on the machine, using only tools available on the system. It's a bit challenging in an everything-is-a-file OS, but doable if you think outside the box and use the power this system provides.

Anyone interested in offensive security should find the talk sexy, especially since it's not theoretical mumbling but a demo-rich journey through the inner workings of Linux and some old-school hacks.

Geek by passion, engineer by profession since the last millennium. For many years he's been working in global red teams, simulating threat actors targeting IT infrastructure across various industries (financial, technology, industrial, energy, aviation) across the globe. Speaker at HackCon, NoVA Hackers, Geek Girls Carrots, Tech3.Camp, PWNing Con. Organizer of x33fcon - IT security conference for red and blue teams, held in Gdynia, Poland. Founder of Sektor7 research company.

Discussion: Mobile Network Security

DeepSec Speaker & Digital Guardian (Security Community)

DeepSec 2018 focuses heavily on mobile security, especially mobility. As part of the outstanding group of speakers and papers submitted for DeepSec we are exploring a roundtable/panel discussion on Mobile security that would extend to SIM card security, application security, lawful intercept and telecom operator relationships, privacy and network infrastructure.

Topics to be discussed with relation to mobile security include:
- where the responsibility to protect the end user lies within the chain: on the SIM card, on the physical device, within the software, on the leased/towers, within the government regulatory scheme, etc.
- to what extent should a user expect privacy over security of the majority (lawful intercept, national security, etc.)
- what is a reasonable expectation for a mobile user in terms of their own security? How knowledgeable does an average user have to be to ensure their own mobile security?
- how do we as a community oversee and ensure things like mobile applications are safe/secure for users?


RFID Chip Inside the Body: Reflecting the Current State of Usage, Triggers, and Ethical Issues

Ulrike Hugl (Innsbruck University, Faculty of Business and Management)

Chipping humans can be seen as one of the most invasive biometric identification technologies. RFID (Radio Frequency Identification) as the key technology in the field of the Internet of Things produces many applications.

For example, human implants are used by scientists in the fields of cyborgism, robotics, biomedical engineering and artificial intelligence, by hobbyists for identification reasons to start their computers, cars, for smart home applications or to pay by credit card, by hospitals for the control of human biological functions of patients, but also by companies to tag their employees for security reasons and workplace surveillance.

All in all, worldwide human implants are mainly used for security, healthcare, and private (individual) reasons. Beside some positive individual or organizational outcomes, implants may compromise privacy and raise manifold ethical questions.

For example, research in the field of information security has shown that RFID implants can be hacked to gain sensitive data stored on such chips. From an ethical point of view, other questions refer to its influence on a person’s identity and body, as well as to how individuals are probably able to resist such a surveillance technology against the background of felt pressure in an organizational or societal environment.

This talk focuses on the current state of the discussion and the applications of human implants, used for various reasons. It discusses triggers mainly from an individual and organizational point of view, and analyzes some already existing and upcoming ethical-, legal- and privacy-related aspects in the field. We will present results from a qualitative study with managers in Austria and close the talk with some theses for future research, applications and related individual and societal outcomes.

Professor Ulrike Hugl is a senior scientist and lecturer at the University of Innsbruck (School of Management), Department of Accounting, Auditing and Taxation. She is a member of various scientific committees of international conferences and reviewer of several journals. Her research mainly focuses on new technologies with impact on information security and data protection of organizations, as well as on occupational/corporate crime (especially insider threat) and industrial espionage issues.

DNS Exfiltration and Out-of-Band Attacks

Nitesh Shilpkar (PwC Singapore)

The Domain Name Server or DNS is one of the most fundamental parts of the internet. It is crucial for a billion users daily and helps us build a presence on the internet using names humans can understand rather than IP addresses. However, DNS comes with security issues organizations should be aware of and take into consideration. Attackers are abusing the DNS to redirect traffic to malicious sites, communicate with command and control (C&C) servers, steal data from organizations and conduct massive attacks that cause harm to organizations. Many organizations are not prepared to mitigate, or even detect, the problems DNS might bring.
Due to the criticality of DNS to maintain an Internet presence, access applications, connect to a network or simply send an email, everyone has the potential to be impacted by DNS vulnerabilities. Since DNS is important for routing traffic, it simply cannot be disabled. Organizations should look for ways to protect their DNS data. We should learn about ways to manage the attack surface DNS offers and also to benefit from the capabilities DNS has to offer.
Security companies and vendors are getting more aware of the fact that DNS is the first line of defense and, since all the traffic is routed through the DNS, it acts as a good resource for analyzing any form of malicious traffic or attacks. Most vendors now provide IP address management (IPAM) data for diagnosing the network traffic regarding network and security problems. DNS plays an important role for malware detection based on its logical place in the network architecture. Incident Response teams look to DNS, DHCP and IPAM data for carrying out thorough investigations and improving threat hunting capabilities.
DNS traffic should become one of the main points for network traffic data analysis, which would help organizations improve their detection and analysis capabilities in order to be ready for what may come.

In this talk we examine the following:

• About DNS
A brief introduction to DNS and how it works.

• Types of DNS-based attacks
A brief introduction to the types of attacks on DNS.
o DNS Cache Poisoning
o Denial of Service
  - DNS Flood Attacks
  - DNS Reflection Attacks
  - DNS Amplification Attacks

• DNS Tunneling
A brief introduction to DNS Tunneling and the neglect of DNS port 53 in the security posture of organizations due to the large size.

• Data exfiltration using DNS
How attackers and malware are targeting DNS for exfiltration of data.

• Case Study of DNSMessenger
DNSMessenger is a RAT that uses DNS queries to execute malicious PowerShell commands through two-way communication with a command and control server.

• Out of band attacks
A description of “out of band” attacks.
o SQL Injection
How SQL injections can be used to fetch information through DNS queries.

o XML Injection
How XML injections can be used to get information from the server.

• Magic of Burp
Showcase of how to use Burp for carrying out DNS based attacks and gain information.

• DNS Exfiltration Restrictions
About limitations of DNS based exfiltration.

• Best practices for using DNS data to enhance investigations
We will give certain guidelines that could be used by organizations to leverage the DNS traffic and provide a better security posture.

• Conclusion

Nitesh Shilpkar is a security researcher currently working with PwC Singapore. He has received CVEs for finding bugs in products like Adobe ColdFusion, Adobe Shockwave Player, Apple iCloud and Amazon Kindle. He has been acknowledged by over 40 websites such as Facebook, Google, AT&T etc. He currently holds certifications like OSCE, OSCP, OSWP, CREST-CRT. His interests lie in Exploit Development and Research.

Global Deep Scans - Measuring Vulnerability Levels across Organizations, Industries, and Countries

Luca Melette & Fabian Bräunlein (Security Research Labs)

We introduce global deep scans that provide insights into the security hygiene of all organizations exposed to the Internet. Our presentation discusses vulnerability levels across different groups of organizations and points out differences in the underlying maintenance processes.
We find that different industries have a lot to learn from each other and provide the necessary measurements to start these dialogues.

Luca Melette is a security researcher with focus on all sorts of telecommunication networks.
In the past years, together with Karsten Nohl, he discovered and disclosed several security vulnerabilities in mobile networks, from low-cost radio attacks to more sophisticated interconnect abuse.
Luca is one of the maintainers of the website gsmmap.org and the related mobile app SnoopSnitch.

Fabian Bräunlein has always been curious about taking systems apart. He works as a Security Researcher and Consultant at Berlin-based hacker collective SRLabs. His previous research includes hacking payment systems (32c3), travel systems (HEUREKA) and IP cameras (DeepSec 2017).

Leveraging Endpoints to Boost Incident Response Capabilities

Francisco Galian, Mauro Silva (Nirvan and IBM X-Force IRIS, Telefonica UK (O2))

In our day-to-day work we constantly see how most organisations fail to respond properly to real incidents, and often this is due to the lack of visibility on endpoints.

The aim of this talk is to help the Blue teams to understand what they can do in order to improve their detection mechanisms, and at the same time to show what is important when responding to a real incident.

We have built a lab with an Active Directory and other common crown jewels found in most organisations. From this starting point we have chosen some of the attacks and techniques that we've faced during incident response cases, from financial threat groups to some APT ones. Next, we have ingested the logs produced on the different endpoints and used different incident response techniques to find multiple IOCs that would detect the different attacks.

Francisco Galian, SME on Incident Response & Digital Forensics. Leading the response during security incidents, compromised networks and data breaches. Helping customers in a proactive way by providing trainings, table top exercises and active threat assessments.
Previous roles include assessing security on a Critical National Infrastructure, consultancy and being main developer of Threat Intel solutions like malware sandboxes.

Mauro Silva's interests can be summarized by two words: challenges and scripting. He loves challenges, and scripts every repetitive task he can.

In his current position he leads a team responsible for threat hunting within a telco environment. He has also developed a training program for it that includes simulation of incidents and puts the team into several roles present in order to enable it to understand the nuances of an incident. That includes red teaming (aka pentesting).
In his past positions he has focused mainly on Incident Response and Forensic Investigations. He was also involved in the development of a Threat Intel gathering tool called IntelMQ. Mauro always tries to streamline his team's work by automating everything that can be automated. He has also represented his previous employers at several conferences and led a nationwide cybersecurity exercise.

Orchestrating Security Tools with AWS Step Functions

Jules Denardou & Justin Massey (Datadog)

Increasingly frequent deployments make it impossible for security teams to manually review all of the code before it is released.

We wrote a Terraform-deployed application to solve this problem by tightly integrating into the developer workflow. The plugin-based application has three core components, each represented by at least one Lambda function: a trigger, processing and analysis, and output. The plugins, such as static analysis, dependency checking, GitHub integrations, container security scanning, or secret leak detection, can be written in any language supported by AWS Lambda.

The underlying technology for this tool is a serverless system utilizing several AWS Services, such as API Gateways, Step Functions and Lambdas.

In this talk you'll not only learn about our tool and how to implement it in your CI/CD pipeline, but also how to easily deploy complex serverless systems and step functions for your own automated tooling.

Jules Denardou is a Security Engineer at Datadog. He got his MS Degree in Computer Science at Ecole Centrale Paris in France, before joining the company in New York City. He especially focuses on integrating security into the developers' workflow rather than blocking it. Blue teaming during the week, he is also a CTF Player on weekends.

Justin Massey is a Security Engineer at Datadog. His background in managing the technical operations of an MSP led him to discovering weaknesses in many businesses’ networks and applications. After leaving the MSP, he transitioned into the role of penetration tester to identify the weaknesses before the attackers. Justin’s current focus is to discover new ways to ensure product security, while maintaining developers’ efficiency and happiness.

Drones, the New Threat from the Sky

Dom (D#FU5E) Brack (Reputelligence)

I will talk about drones. Drone risks and countermeasures. Drones have become an inherent risk not just for critical infrastructure but also public events (sports, concerts) and privacy. I will speak about the exclusive risk catalogue I have developed for a small highly specialised startup called DroneGuard. The catalogue contains over 140 detailed drone-related risks. From payload of drones (explosives, chemicals, etc.) to cyber risks like Signal Hacking & Disruption (WiFi, GSM, Bluetooth, RFID, etc.). Since DeepSec is a more technically oriented event I will highlight the risk management framework, my experience with our personal payload drone and the cyber risks. This talk will help you if you have to protect critical infrastructure from a physical perspective, or if you have to protect yourself or your company from privacy implications.

Dominique C. Brack is a recognized expert in information security, including identity theft, social media exposure, data breach, cyber security, human manipulation and online reputation management. He is a highly qualified, top-performing professional with outstanding experience and achievements within key IT security, risk and project management roles, confirming expertise in delivering innovative, customer-responsive projects and services in highly sensitive environments on an international scale. Mr. Brack is accessible, real, professional, and provides topical, timely and cutting edge information. Dominique’s direct and to-the-point tone of voice can be counted on to capture attention, and, most importantly, inspire and empower action.

Security as a Community Healthcare: Helping Small Non-Profit Organisations Stay Secure

Eva Blum-Dumontet (Privacy International)

This talk will look at the way Privacy International has relied on its experience from working with a network of small NGOs across the Global South to shape its approach to security and develop Thornsec, an automated way to deploy, test, and audit internal and external services for an organisation.

Privacy International works with a network of over twenty organisations located in Latin America, Africa, Asia and the Middle East. Together we research and document threats and abuses to privacy from governments and corporations and advocate for better privacy protection both from a technological and a legal standpoint. Being at the forefront of the fight against surveillance means that the partners of Privacy International are sometimes exposed to oppressive political regimes. They experience a wide range of threats, from office burglary and physical surveillance by intelligence services to phishing attacks, Hacking Team-type malware, etc. Yet the advice they have received so far has been solely focused on end users, not organisations. This talk will highlight our journey towards challenging this situation and our take on attempting to help small organisations with network security.

Eva Blum-Dumontet has been a researcher at Privacy International since 2014. She is leading a project on gender and privacy, exploring the impact of corporate, government and societal surveillance on women and gender non-conforming individuals. She is the author of a report on smart cities and their impact on the right to privacy. Her work has largely focused on the Global South and she conducted a number of investigations on government surveillance in various countries, including Egypt and Thailand.

Anomaly Detection of Host Roles in Computer Networks

Yury Kasimov (Stratosphere IPS / Avast)

Detecting malware infections is one of the most challenging tasks in modern computer security. Although there exist tools that can help the analysts in this task, such as Snort/Bro/Suricata, the truth is that most of the analysis is done by hand. Most of the automation focuses on organizing and visualizing data, but not on detection. When it comes to machine learning for detection, the most common approach in most security companies is to run an anomaly detection algorithm as a first layer and then complement the results with a classification algorithm. An anomaly detection method is designed to model normal traffic and then to find deviations from that model. Although widely used, anomaly detection techniques usually come with different problems, such as the difficulty of obtaining labels for a good verification, and a large number of false positives. We propose and describe a new user profile-based method to detect anomalous changes in the network behavior of users. The profiles have multiple features used to describe the behavior of a wide range of actions of the users from different perspectives in the network. Each profile encapsulates what the user did during a period of time. Compared to other feature-based anomaly detectors, our profiles offer a more high-level view of the behaviors.
Since the datasets used for training and evaluating a method are very important, we created our complex datasets of malware attacks. Our datasets contain real normal actions of a human user, while the user is infected with real malware. Our anomaly detection method was trained using these datasets with our own assigned labels. These datasets are the first of their kind and are available for download.
Results show that our method can accurately detect attacks (anomalies recognized as attacks) and keep a very low false positive rate. Despite not finding each and all of the anomalies, our method shows that it is possible to detect almost all malware infections within a short time period. We also tested our algorithm for monitoring IoT devices, such as cameras, and we were able to recognize unauthorized login attacks. We believe that our method can show the community an advanced technique and tool to implement into their own networks. The complete detection method and dataset are freely available for download.

Yury Kasimov received his master's degree at Czech Technical University. His major is machine learning and artificial intelligence. He has been working at the Stratosphere project (https://www.stratosphereips.org/) for 2.5 years and wrote his master's thesis there.
Yury is interested in applying machine learning to the field of network security.

Can not See the Wood for the Trees - Too Many Security Standards for Automation Industry

Frank Ackermann (Yokogawa Deutschland GmbH)

Plant operators and manufacturers are currently faced with many challenges in the field of automation. Issues such as digitization, Industry 4.0, legal requirements or complex business processes that connect IT and OT are paramount. Related security problems and risks need to be addressed promptly and lastingly. Existing and newly created industry security standards (such as 62443, 61508 and 61511, 27001, ...) are designed to help improve security. But do the different approaches of these standards fit together? Are managers of the companies and manufacturers supported or rather confused by them? The presentation provides an overview of the key security industry standards, discusses the dependency and coverage of the standards, and aims to encourage discussion about whether the standards optimize general security in industrial control systems.

Frank Ackermann has been active in the field of IT and information security for over 15 years. At renowned international companies, he worked in the core security team or examined the implementation of security solutions.
Modern business processes today require a bridge between an industrialized automation environment (OT) and classical information technology (IT). This means that processes, organizations and technical measures should be designed holistically and inherently secure. All parties involved must work continuously on this.

Mapping and Tracking WiFi Networks / Devices without Being Connected

Caleb Madrigal (Mandiant/FireEye)

Sure, WiFi hacking has been around for a while, and everyone knows about tools like airmon-ng, kismet, et al. But what if you just want to view a list of all networks in your area along with all the devices connected to them? Or maybe you want to know who's hogging all the bandwidth? Or what if you want to know when a certain someone's cell phone is nearby? Or perhaps you'd like to know if your Airbnb host's IP Camera is uploading video to the cloud?

For all these use-cases, I've developed a new tool called "trackerjacker". In this talk we'll use this tool to explore some of the surprisingly informative data floating around in radio space, and you'll come away with a new skill or two adding to your radio hacking skill tree, as well as a new magical weapon... I mean tool.

Caleb is a programmer who enjoys hacking and mathing. He is a member of the Mandiant/FireEye advanced research team, where he researches and builds sweet incident response software. Lately he's mostly been hacking with Python, Jupyter, C, and Machine Learning. Though only recently getting into it professionally, Caleb has been into security for a while - in high school, he wrote his own (bad) cryptography and steganography software. In college, he did a good bit of "informal pen testing". These days, he has fun doing a lot of Radio/Wireless hacking, and using Machine Learning/Math to do cool security-related things.

Manipulating Human Memory for Fun and Profit

Stefan Schumacher (Magdeburger Institut für Sicherheitsforschung)

The human memory is very volatile and not really trustworthy. Judges, interrogators and scientists know that humans often mix up or straight up create new false memories. In this talk I will show what we know about how the human memory works, which factors lead to a loss of quality of stored memories and how they can be altered or manipulated for social engineering attacks. Since, ethically, this is a very controversial topic, I will also speak about the ethics behind this. And be advised that I will not talk about NLP (Neuro Linguistic Programming), as this stuff is unsubstantiated, unscientific esoteric charlatanry.

Stefan Schumacher is the president of the Magdeburg Institute for Security Research and editor of the Magdeburg Journal for Security Research in Magdeburg/Germany. He started his hacking career before the fall of the Berlin Wall, on a small East German computer with 1.75 MHz and a Datasette drive. Ever since, he liked to explore technical and social systems, with a focus on security and how to exploit them. He was a NetBSD developer for some years and involved in several other Open Source projects and events. He studied Educational Science and Psychology, has done a lot of unique research about the Psychology of Security with a focus on Social Engineering, User Training and Didactics of Security/Cryptography. Currently he's leading the research project Psychology of Security, focusing on fundamental qualitative and quantitative research about the perception and construction of security.
He presents the results of his research regularly at international conferences like AusCert Australia, Chaos Communication Congress, Chaos Communication Camp, DeepSec, DeepIntel, Positive Hack Days Moscow or LinuxDays Luxembourg and in security related journals and books.