
0day / tequila / cryptography

Last week the RusCrypto conference took place. As far as I know, it is the oldest information security conference still in existence.

Despite its venerable age, the conference is alive and growing, for which many thanks to the organizers: the RusCrypto Association and AIS. It was on this platform that I once tried out the ideas that later led to Positive Hack Days. It was here that the first large-scale CTF, led by Dmitry Evteev, took place. In general, my attitude toward RusCrypto is extremely warm and to some extent even nostalgic.

This year the conference was held at the "Sunny" country hotel. Incidentally, a piece of mobile malware has comfortably settled on the hotel's website; consider it a proficiency test =)

A little about the conference audience


As the name suggests, the main theme of the conference is cryptography. This to some extent determines the speakers and the audience. First of all, these are the producers of cryptographic information protection facilities (CIPF) such as Crypto-Pro, Aktiv and Infotex, and the consumers of their solutions: government agencies and banks. Regulators, bien sûr.

However, because of the close ties between the cryptographic market and the scientific community, there are quite a few academics at the conference: there is a separate "scientific" section led by Mr. Kotenko from SPIIRAN, and even an honorary role of scientific sponsor.

Several years ago RusCrypto began to develop alternative topics, and tracks on network and application security became a firm part of the conference program. This diluted the audience with independent experts, analysts and hackers. I will quote my answer to a representative of one of the Russian integrators taking part in the conference: "Sell? There is no one to sell to here." There are, however, people to talk with and to draw new ideas from.

More about the sections


Your humble servant traditionally chaired one of the sections, "Defense and Attack Technologies". In my opening talk, "Why might Russia lose the cyber war?", I shared what has been weighing on me: from R&D legislation that has not changed since Soviet times to the position of the Ministry of Education on practical security, both defensive and offensive. "Your hacker contests ... it's like teaching young people how to crack safes ..." As it turned out during the discussions, I am not the only one it pains. For several reasons, I am not posting the slides.

The conference itself began on the day of arrival, well before the plenary session. In the evening everyone gathers around the sofas and billiard tables and gets onto the same wavelength. From research to the information security market in Russia, from there, inevitably, to the fate of the Fatherland, and then wherever the curve of informal professional discussion leads. We parted around 3 a.m., without having managed to settle the question of the relevance, in the modern world, of the three ways of knowing it: the religious-mystical, the scientific and the philosophical.

Much to my regret, I belong to that common breed of people who, on hearing the phrase "jumping cellular automata", begin convulsively recalling the color of the textbook cover and the name of the course. So I spent the cryptographic sessions in the hallway track, in the company of colleagues specializing in application security. Funnily enough, the topic we were discussing there, evaluating the effectiveness of protection tools, was very well represented in the conference program.

Ilya Shabanov, managing partner of Anti-Malware.Ru, in his introduction to his section "The Present and Future of the Anti-Virus Industry", hinted that the scalability limits of modern anti-virus technologies have practically been reached. Dmitry Ushakov from StoneSoft, in his talk "New protection techniques against old threats - impossible to bypass?!", presented the results of testing popular IDS/IPS products. The methodology is simple and effective: run a set of attacks through the device using various signature evasion techniques and see what gets through. The results are disappointing.
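As an added illustration of that test methodology (this is not StoneSoft's harness and not from the talk), here is a toy per-packet signature detector beside a normalizing one, run over a constructed directory-traversal request delivered plainly and through fragmentation, URL encoding and double encoding. The signature, the request and the evasions are all constructed for the example.

```python
# Added illustration (not StoneSoft's harness): a naive per-packet signature
# IDS beside a normalizing one, run against a constructed attack request
# sent plain and through a few classic evasions.
from urllib.parse import unquote

# Constructed signature: the naive IDS alerts if this literal byte string
# appears in any single packet payload.
SIGNATURE = b"/etc/passwd"

# Constructed attack: a directory-traversal request; the part after "file="
# is what the evasions below transform.
PREFIX = b"GET /cgi-bin/vuln?file="
PAYLOAD = b"../../etc/passwd"
SUFFIX = b" HTTP/1.0\r\n\r\n"


def percent_encode(data):
    """URL-encode every byte, e.g. b'/' -> b'%2F'."""
    return b"".join(b"%%%02X" % c for c in data)


def fragment(data, size=4):
    """Split one application message into small segment-sized payloads."""
    return [data[i:i + size] for i in range(0, len(data), size)]


def naive_ids(packets):
    """Weak detector: literal match per packet, no reassembly, no decoding."""
    return any(SIGNATURE in p for p in packets)


def normalize(packets):
    """Reassemble the stream and URL-decode until a fixed point is reached,
    so single and double percent-encoding collapse to the same bytes."""
    text = b"".join(packets).decode("latin-1")
    while True:
        decoded = unquote(text, encoding="latin-1")
        if decoded == text:
            return text.encode("latin-1")
        text = decoded


def hardened_ids(packets):
    """Detector that matches against the reassembled, decoded stream."""
    return SIGNATURE in normalize(packets)


def evasion_matrix():
    """Return {case: (naive_alerted, hardened_alerted)} per delivery method."""
    plain = PREFIX + PAYLOAD + SUFFIX
    encoded = PREFIX + percent_encode(PAYLOAD) + SUFFIX
    double = PREFIX + percent_encode(percent_encode(PAYLOAD)) + SUFFIX
    cases = {
        "plain": [plain],
        "fragmented": fragment(plain),
        "url-encoded": [encoded],
        "double-encoded": [double],
        "fragmented+encoded": fragment(encoded),
    }
    return {name: (naive_ids(pkts), hardened_ids(pkts))
            for name, pkts in cases.items()}


if __name__ == "__main__":
    for name, (naive, hardened) in evasion_matrix().items():
        print(f"{name:20s} naive={naive!s:5s} normalized={hardened}")
```

Only the plain request trips the naive detector; every evasion slips past it while the normalizing detector catches all five. Real products fail the same way when stream reassembly or protocol decoding is missing or incomplete, which is exactly what a matrix like this exposes.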

Andrei Petukhov, in his talk "Know Thy Limits...", demonstrated simple but effective techniques for evading systems that actively scan websites for malicious code.

Another topic that kept surfacing in various guises was zero-day threats and assorted exploits and shellcode.

Olesya Shelestova, in an overview talk on the buzzword APT, presented Positive Technologies' statistics on web application security. The headline finding: more than 10% of the websites of commercial and state-owned companies are compromised and host malware of varying origin, purpose and degree of harmfulness.

Olesya's presentation below:


Alisa Shevchenko (Esage, Neúron) and Ruslan Gilyazov from Crypto-Pro essentially re-ran the demonstration part of the talk live, showing client-side software vulnerabilities, Windows kernel vulnerabilities and modern rootkit techniques working in concert.

Let me elaborate. If you simply run trojan.exe, the antivirus detects it immediately and raises an alert. But if you run exploit.exe trojan.exe *, the antivirus stays silent, and the "malware" imperturbably takes up residence inside the antivirus process, using it to disguise its network activity. Horrifying, really.

In response, Alexander Gostev from Kaspersky Lab theatrically dissected Duqu and the trojan's intermediate C&C servers, deflecting questions about "what it was written in". During the talk Alexander showed interesting moments from the life of targeted-malware operators, who mixed up the commands of different Linux distributions and, on the whole, made quite a few mistakes.

To a remark from one of the listeners, "looks like script kiddies", someone in the audience objected: "looks like the military".

Vladimir Kropotov, in a joint talk with Fedor Yarochkin, showed the daily work of the specialists who protect users from the consequences of drive-by download attacks. Spot uncharacteristic patterns in the IDS event stream. Pull desperately resisting malware out of an infected host. Find the hacked site used for the infection. Convince the owners, who sometimes resist even more desperately than the malware, to clean it up. Send a sample to the antivirus vendors and wait for days for the detection counter on VirusTotal to change... Hard work. Hellish work. But such is the job.

There were other interesting discussions about the fate of the law "On Electronic Digital Signatures" and the details of the Universal Electronic Card (UEC) project. Alexey Lukatsky made his traditional provocation, this time wrapped in a "What if?" business-game format. More about it in Alexey's own blog.

The RISSPA Association, together with AP KIT and the FSB of Russia, held a section on the use of cryptography in cloud solutions. I hope the report will appear on the association's website soon.

Summing up, RusCrypto was and remains a bright event for the community of practicing professionals. It is very pleasant to see the conference developing both organizationally and in content. The only disappointment was that I could not get to the hands-on lab following in the footsteps of PHDays CTF 2011 at Neúron Hackspace. I had to play "Pour" in absentia.

Sergey Gordeychik,
CTO, Positive Technologies

* The utilities trojan.exe and exploit.exe are not part of the standard Microsoft Windows distribution.

** The RusCrypto Twitter feed is quite lively this year: https://twitter.com/#!/ruscrypto

Source: https://habr.com/ru/post/141490/
