ZeroNights Conference

Speaking at international security conferences, I often encountered the question of Russian events. All were very surprised at the answer: in Russia, until recently, there were no full-fledged conferences on information security. That is why I am very happy to talk about the new ZeroNights conference, which is being organized by the Russian DEFCON community with the support of Digital Security.

At the moment, the selection of reports is underway and by November 1 a team of independent experts will select the most worthy ones. The program committee includes: Chris Kaspersky (Intel, USA), Dave Aitel (CEO Immunity, USA), Peter Van Iekhout (CorelanTeam, Belgium), The Grugq (COSEINC, Thailand), Evgeny Klimov (PWC, Russia), Ilya Medvedovsky ( DigitalSecurity, Russia), Alexander Matrosov (ESET, Russia) and your humble servant. By the way, it's not too late to apply for a speech .
I will introduce speakers and reports that have already been officially announced to the conference program.

Conference program

Samuel Shah (NetSquare): The Third Web War .
Founder and CEO of Net-Square Solutions, the author of a heap of books on information security, a regular speaker at the world's best conferences: Blackhat, RSA, HITB, IT Underground, CanSecWest, etc.
Samuel will share his thoughts on (e) the evolution of protocols, HTML5 and other standards with a complex fate. Exploitation of bugs in browsers, innovative exploitation technologies of vulnerabilities, low-level attacks combined with the classic web-hack, security of mobile browsers and many other new attack vectors are just some of the topics that will be covered in Samuel's report.

Fedor Yarochkin (Amorize): "Analysis of illegal Internet activities . "
Security analyst and software architect at Armorize Technologies. The old school hacker, our compatriot, author of X-Probe and co-founder of the consulting company GuardInfo, now living in Taiwan. Fedor will share his personal experience in analyzing computer security incidents on the example of specific cases covering mobile malware, targeted attacks, actions of commercial computer crime and others. In addition, it will focus on the practice of studying suspicious activity using honeypot networks.
')
Alexey Sintsov (Digital Security): “Where is the money?”
Alexey is the head of the audit department at the Digital Security company, a great expert in the field of exploit development, the author of a number of new techniques for exploiting vulnerabilities, research and exploits ( from public ). In his report, Alexey will talk about security problems in RBS systems: many specific 0day vulnerabilities in real-time online banking systems will be shown (all information is impersonal). In addition, the common mistakes of all developers of popular domestic products will be considered. And of course, it will be told what all this leads to in terms of the likelihood of theft of money.

• Most dumb bugs
• How to send a payment without EDS
• Practical tips on “to bypass” tokens in 5 minutes
• Attacks on the bank or on the client from the inside - what and how, pen tester experience.
• Efficiency of protection systems (anti-fraud, IPS, firewalls)

Alexander Polyakov (DigitalSecurity): "Do not touch, but it will fall apart: hacking the business of applications in extreme conditions"
Technical Director of Digital Security, a regular speaker at the world's leading security conferences, the happy father of the SAP ERPScan security scanner, the author of Oracle Security through the Eyes of an Auditor: Attack and Defense, and the project manager for OWASP-EAS.
In his report, Alexander will show a number of vulnerabilities in business applications that he and his colleagues spent no more than 5 minutes in their free time to work: in an airplane, train or hotel, when there is no Internet, there is no familiar environment like fuzzers, sniffers and debuggers , and there is only a notebook and installed software. A small guide to finding vulnerabilities in extreme conditions on live examples. Who will be experimental? Probably everyone knows these names: Documentum, 1C, SAP, PeopleSoft, Oracle BI.

Dmitry Chastukhin: "Practical attacks on Internet kiosks and payment terminals"
A student of the St. Petersburg Polytechnic, actively and successfully working in the field of security of SAP-systems, the author of several studies that revealed a number of critical vulnerabilities in such large projects as Yandex.Maps, Google docs and Vkontakte. In addition, Dmitry is one of the co-authors of the OWASP-EAS project and actively participates in international conferences: Hack in the Box and BruCON.
In his report, Dmitry will talk about the practice of hacking Internet kiosks, payment terminals, ticket registration systems and other devices with Internet access, which can be found at airports, hotels and train stations. The report will show photos and videos of real attacks of the listed systems in various parts of the world from Russia and Europe to India, Asia and the USA.

Alexey Lukatsky (Cisco):
“Boston matrix of cybercrime or what is the business model of a modern hacker?”
A business consultant on information security of Cisco, a member of the ARB / CB working group on the development of the 4th and 5th versions of the Bank of Russia standard, a member of the ARB consulting center on the use of 152- “On personal data”.
Alexey’s report discusses the world of cyber crime and a built-in business model: custom development, malware auctions, shadow labor exchanges, various cash withdrawal mechanisms, an extensive partner network, marketing and advertising, support services for viruses sold and Trojans.

Alexander Matrosov (ESET): “Current trends in the development of malware for RBS systems”
Director of the ESET Virus Research and Analytics Center, author of a number of studies on the most interesting and complex threats (Stuxnet, TDL3, TDL4, Carberp, Hodprot), author of the Software Protection course, who personally teaches at the Department of Cryptology and Discrete Mathematics of the National Research Nuclear University MEPI .
In his report, Alexander will talk about trends in the development of banking Trojans from the perspective of an anti-virus company employee. It will be a question of vulnerabilities in remote payment systems, and more precisely, how they are used by hackers in the most common Trojan programs aimed at Russian banks. Also, issues of circumventing security software and methods to counter forensic examinations used in modern banking Trojans will be considered.

Contests for live hacking

Everyone loves contests, and the organizers of the conference decided to hold them in a special way. Zeronights will not be fictional situations. Those who wish will be provided with this hardware and software systems and systems. On such systems, everyone will be able to test their abilities to find new 0day vulnerabilities online. ACU-TP, payment terminal, server with SAP system and much more.

In addition, various other contests from conference partners will be available: a competition to bypass WAF, search for vulnerabilities, reverse engineering and, of course, the traditional competition on locking locks (lockpicking): prizes will be riveted by locks and will be picked up by the person who first opens the lock . A detailed description of the competitions is available on the conference website .