The DeepSec experience

Taking place in the picturesque city of Vienna, DeepSec is a yearly cyber security conference which attracts all types of computer enthusiasts, hackers and security professionals. A wide range of topics are covered by both local and international speakers.

I was fortunate enough to be able to attend this completely sold-out 2023 edition.

Located in the Renaissance Wien hotel, the conference hosts two tracks, so hard decisions had to be made regarding which talks to attend.

We started the first day off with a less technical, but nevertheless interesting talk: Putin's Shadow War. Presented by Swedish journalist Maria Georgieva. She explained how OSINT was used to gather evidence that Russia was performing espionage missions with the goal of mapping critical infrastructure. 

Next up was Scott Shapiro, he revealed the long-awaited truth about how Paris Hilton's phone was hacked. Unexpectedly, this was not a tale of a sophisticated cyber-attack, executed by exploiting deep-rooted technical flaws. But rather how a teenage boy was simply able to re-assign Paris Hilton's phone number to himself, using only the T-Mobile website. In their haste to build one of the first iterations of the smartphone, it appears T-Mobile neglected to include process security in their blueprints. A costly lesson.

In the last presentation before lunch, we heard from Andreas Wiegenstein, who talked about SAP as a Cyber Weapon. A topic which was unknown to me. It mainly covered the different ways a company's SAP infrastructure could be exploited in a post-compromise scenario. Seeing as a company's development, QA and production environments are often linked to each other, an attacker who manages to get a foothold in a poorly secured development machine could pivot to the production environment.  He also explained how SAP's own programming language (ABAP) could be used to create malware implants which are extremely difficult to detect.

The final presentation of the first day, was brought by Moritz Abrell. He exposed multiple vulnerabilities in Zoom's zero-touch provisioning functionality for IP/desk phones, such as hard-coded secret keys, lack of immutable trust, and the absence of ownership verification. By combining these flaws, the IP phones could be completely compromised, sometimes even remotely!

Artificial Intelligence seems to be everywhere lately, even in phishing campaigns! Alexander Hurbean & Wolfgang Ettlinger performed a deep dive into their phishing methods, which are created and automated with the help of various AI tools. Both the offensive and defensive sides were touched upon in their presentation, which also included multiple very convincing "deepfakes", which can be used in (voice)phishing or similar social engineering attacks.

An interesting alternative for a full-blown pentest by a red-team could be found in (automated) micro attack simulations. Christian Schneider demonstrated how these simulations can be used to determine the possible points of failure in a cyber kill-chain, and how these tools can be used to verify that the implemented defences are working correctly. This could be compared to a white box pentest approach, where access to an employee laptop was provided, and the attacker performs each step from initial exploitation to full network compromise step by step.