DeepSec 2018 Wrap-Up

I’m writing this quick wrap-up in Vienna, Austria where I attended my first DeepSec conference. This event was already on my schedule for a while but I never had a chance to come. This year, I submitted a training and I was accepted! Good opportunity to visit the beautiful city of Vienna! Like many security conferences, the event started with a set of trainings on Tuesday and Wednesday. My training topic was about using OSSEC for threat hunting.

On Thursday and Friday, regular talks were scheduled and split across three tracks. Two tracks for regular presentations and the third one called “Roots”, more dedicated to academic researches and papers. There was a good balance between offensive and defensive presentations.

The keynote speaker was Peter Zinn and he presented a very entertaining keynote called “We’re all gonna die“. Basically, the main idea was to review how our world is changing in many points and new threats are coming: the climate change, magnetic fields, Donald Trump, etc. But also from an information technology point of view. Peter revealed that we have to face 4 types of “cyber-zombies”:

  • People
  • Inequality
  • Operational technology and IOT
  • Artificial Intelligence (here is a funny video that demonstrate how AI may fail)

Later, we will face the “IoP” of “Internet of People”. IT will be present inside our bodies (RFID implants, sensors, contact lenses, …) and we’ll have to deal with them. Nice keynote!

Here is a quick recap of the talk that I attended. Fernando Arnaboldi and “Uncovering Vulnerabilities in Secure Coding Guidelines“. The idea behind this talk was to demonstrate that, even if you follow all well-known development guidelines (like OWASP, CWE or NIST), you can fail. He gave several snippets of code as examples. Personally, I liked the mention to the new KPI: “the WTF’s/minute”.

Then, Werner Schober presented the “Internet of Dildos“. Always entertaining to have a talk focusing on “exotic” IoT devices. He explained the different vulnerabilities that he found in a sex-toy and the associated mobile app & website in Germany. Basically, he explained how it was possible to access all (hot) pictures uploaded by the users, how to enable (make vibrate) any device connected in the world or, worse, access to personal data of the consumers…

Then, Eric Leblond talked about the new features that are constantly added to the Suricata IDS with a focus on eBPF filters. I already saw Eric’s presentation a few month ago but he added more stuff like a crazy idea to use BCC (“BPF Code Compiler”) to generate BFP filters from C code directly present in a Python script!

Joe Slowik came to speak about ICS attacks. More and more ICS attacks are reported in the news because there is some kind of aura of sophistication around them. Joe started with a recap of the major ICS attacks that industries faced in the last years. But, many attacks are successful because the IT components used to control the ICS components are vulnerable and the same tools are abuse to compromize them (like Mimikatz, PsExec, etc).  Note that the talk was a mix of offensive & defensive.

Benjamin Ridgway (from the Microsoft Incident Response Center) came to speak about incident handling. The abstract was not clear and a lot of people expected a talk explaining how to select and use the right tools to perform incident management but it was completely different and not technical. Benjamin explained how to implement your IH process with a focus on the following points:

  • Human psychological response to stressful and/or dangerous situations
  • Strategies for effectively managing human factors during a crisis
  • Polices and structures that set up incident response teams for success
  • Tools for building a healthy and happy incident response team

It was an excellent presentation, one of my preferred!

Then, Dr. Silke Holtmanns from Nokia Bell Las came to speak about new attack vectors for mobile core networks. The problem for people that are not in the field of mobile networks is the complexity of terms and abbreviations used. It’s crazy! But Silke explained very well the basic: how roaming is used, how billing profile are managed. Of course, the idea was then to explain some attacks. I like the one focusing on how to change a billing plan when you’re abroad to reduce the roaming costs. Very didactic!

The new speaker was Mark Baenziger which is doing incident handling. He explained the challenges that incident handlers might face when handling personal data (and so, how to protect their privacy). He explained how, in some case, security teams failed to achieve this properly.

The last slot was assigned to Paula de la Hoz Garrido (she’s studying in Spain). She explained her project of network monitoring tools bundled on a Raspberry Pi. Interesting but the practical part was missing (how to build the project on the Pi. The talk was more a review of tools that are used to capture/process packets.

The second day started with a nice talk called “Everything is connected: how to hack Bank Account using Instagram“. The idea was to abuse phone services provided by some banks to allow their customers to perform a lot of basic operations (through IVR). Aleksandr Kolchanov explained the attacks he performed against an Ukrainian bank. Some services are available only based on the caller-ID. This information can be easily spoofed using only services (ex: spooftel.com). Funny but crazy!

Then, I switched to the “Roots” room to attend a talk about using data over sound. More precisely, ultrasonic sounds. Matthias Zeppelzauer explained the research he made about this technology which is used more then we could expect! It’s possible to collect interesting informations (ex: how people watch television programs) or to deliver ads to people entering a shop. He also presented the project “SoniControl” which is some kind of an ultrasonic firewall to protect the privacy of users.

My next choice was “RFID Chip Inside the Body: Reflecting the Current State of Usage, Triggers, and Ethical Issues” presented by Ulrike Hugl. RFID implants in human bodies are not new but what’s the status today? Are people ready to have such kind of hardware under their skin? There is not massive deployment but some companies try to convince their users to use this technology. But it remains usually tests or funny projects.

Finally, my last choice was “Global Deep Scans – Measuring Vulnerability Levels across Organizations, Industries, and Countries” by Luca Melette & Fabian Bräunlein. I was curious when I read the abstract. The idea behind this research was to scan the Internet, to classify scanned IP addresses by location and business. Then, they used an algorithm to compute an “hackability” level. Indeed, from a defender perspective, it’s interesting to learn how your competitor are safe. From an attacker point of view, it’s nice to know which are the most juicy targets. The result of their research is available here.

This was a very quick wrap-up of my first DeepSec (and I hope not the last one!). The conference size is nice, not too many attendees (my rough estimation is ~200 people) and properly managed by the  crew. Thanks to them!