Why do leading Russian companies lose every tenth ruble to errors and theft in their industrial control systems? How many stadiums could you build with the money stolen from Russian remote banking systems? What is really behind the banks' newly tough stance against hackers? We continue our overview of the talks that practitioners have announced for PHDays 2012.
The specifics of fighting fraud in Russia

An interesting fact: on January 1, 2013, the provisions of the law on the national payment system come into force. If money is debited from a client's account without authorization, the bank will be obliged to refund it. In other words, today the thieves steal from customers; from next year they will effectively be stealing from the bank itself. That alone is reason enough for the banking community to declare a crusade against the cybercriminals "working" remote banking (RBS) systems. How to make 2013 and the years after it unlucky for such hackers is what Yevgeny Tsarev will try to explain in his talk "An anti-fraud system, Russian style". He will cover the specifics of Russian fraud in the banking sector and the variety of fraud schemes, point out why the Western approach is not very effective here, and show how to build a comprehensive protection system.
Exfiltrating data over DNS with sqlmap

In the military, exfiltration is the tactic of withdrawing from territory under enemy control, where staying hidden matters more than speed. Hackers who have gained access to a system are likewise in no hurry to pull the data out. First, the risk of being detected is high. Second, the information they need may only appear later. So the attacker's tool sends information in small chunks over covert channels, often ones never meant to carry data at all. Croatian developer Miroslav Stampar, in his talk "DNS exfiltration using sqlmap", will present the technique of exfiltrating data over DNS through SQL injection, discuss its pros and cons, and give live demonstrations.
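As an added illustration of the mechanism, not code from sqlmap or from the talk: the Python below plays both sides of a DNS exfiltration channel and then the defender. The attacker-side encoder splits the stolen bytes into hex labels of hostnames under an attacker-controlled zone; in the sqlmap scenario the victim's database server is made to resolve such names itself, so the authoritative name server for that zone receives each chunk as a query. The decoder reassembles the chunks, tolerating reordering and duplicates and dropping incomplete sessions. A defender-side heuristic then flags, in constructed resolver log lines, any client that sends many long, high-entropy labels to one zone. The zone name exfil.example.net, the "stolen" user table, the log lines and the detection thresholds are all constructed assumptions for this example.

```python
import binascii
import math
import re
from collections import defaultdict

# Constructed for this example: an attacker-controlled zone whose authoritative
# name server records every query it receives. Not a real domain.
EXFIL_DOMAIN = "exfil.example.net"
LABEL_MAX = 63        # RFC 1035: one label is at most 63 octets
CHUNK_BYTES = 30      # 30 raw bytes -> 60 hex characters, fits in a single label

# Constructed "stolen" data: a user table with well-known MD5 test hashes.
STOLEN = "\n".join([
    "admin:5f4dcc3b5aa765d61d8327deb882cf99",
    "alice:e10adc3949ba59abbe56e057f20f883e",
    "bob:25d55ad283aa400af464c76d713c07ad",
    "carol:d8578edf8458ce06fbc5bb76a58c5ca4",
    "dave:5f4dcc3b5aa765d61d8327deb882cf99",
]).encode()


def encode_chunks(data: bytes, session: str, domain: str = EXFIL_DOMAIN) -> list:
    """Attacker side: turn `data` into hostnames <seq>.<total>.<session>.<hex>.<domain>.
    Each name the victim's DB server resolves leaks one chunk to the zone's name server."""
    total = math.ceil(len(data) / CHUNK_BYTES)
    names = []
    for seq in range(total):
        chunk = data[seq * CHUNK_BYTES:(seq + 1) * CHUNK_BYTES]
        label = binascii.hexlify(chunk).decode("ascii")
        assert len(label) <= LABEL_MAX
        names.append(f"{seq}.{total}.{session}.{label}.{domain}")
    return names


def decode_queries(queries, domain: str = EXFIL_DOMAIN) -> dict:
    """Attacker's name server side: reassemble {session: bytes} from received names.
    Out-of-order and duplicate queries are fine; a session missing a chunk is dropped."""
    pattern = re.compile(r"^(\d+)\.(\d+)\.([a-z0-9]+)\.([0-9a-f]+)\." + re.escape(domain) + r"$")
    chunks, totals = defaultdict(dict), {}
    for q in queries:
        m = pattern.match(q.lower().rstrip("."))
        if not m:
            continue  # unrelated noise, e.g. someone scanning the zone
        seq, total, session, hexchunk = m.groups()
        totals[session] = int(total)
        chunks[session][int(seq)] = binascii.unhexlify(hexchunk)
    return {s: b"".join(c[i] for i in range(totals[s]))
            for s, c in chunks.items() if len(c) == totals[s]}


# --- Defender side: spot the pattern in resolver logs -------------------------

def shannon_entropy(s: str) -> float:
    """Bits per character; hex-encoded data scores far above ordinary hostnames."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in {ch: s.count(ch) for ch in set(s)}.values())


_LOG_RE = re.compile(r"client (\S+)#\d+: query: (\S+) IN (\w+)")


def suspicious_domains(log_lines, min_queries=5, min_label=32, min_entropy=2.5):
    """Group queries by (client, last two labels) and flag groups where at least
    `min_queries` distinct subdomains carry a long, high-entropy label.
    Thresholds are assumptions tuned for this sample, not production values."""
    longest_labels = defaultdict(set)
    for line in log_lines:
        m = _LOG_RE.search(line)
        if not m:
            continue
        client, name, _rtype = m.groups()
        labels = name.rstrip(".").split(".")
        if len(labels) < 3:
            continue
        zone = ".".join(labels[-2:])
        longest_labels[(client, zone)].add(max(labels[:-2], key=len))
    flagged = []
    for (client, zone), labels in longest_labels.items():
        hits = [l for l in labels if len(l) >= min_label and shannon_entropy(l) >= min_entropy]
        if len(hits) >= min_queries:
            flagged.append((client, zone, len(hits)))
    return flagged


# Constructed resolver log in a BIND-like format: benign traffic from two hosts
# plus the exfiltration queries that 10.0.0.7 (the compromised DB server) emits.
SAMPLE_LOG = [
    "client 10.0.0.5#53124: query: www.example.com IN A",
    "client 10.0.0.5#53125: query: mail.example.com IN MX",
    "client 10.0.0.5#53126: query: static-content-delivery.example.com IN A",
    "client 10.0.0.7#41001: query: www.example.com IN A",
] + [f"client 10.0.0.7#{41100 + i}: query: {n} IN A"
     for i, n in enumerate(encode_chunks(STOLEN, "s1"))]

if __name__ == "__main__":
    print(decode_queries(encode_chunks(STOLEN, "s1"))["s1"] == STOLEN)
    print(suspicious_domains(SAMPLE_LOG))
```

The detection side is deliberately crude: it looks only at the longest label per query, so an attacker can dodge it by using shorter chunks and more queries, which is exactly why query volume per zone per client is the other signal worth correlating.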
Internet Explorer Intrusion Techniques

Vladimir Vorontsov's talk "Attacks on Microsoft web clients" presents methods for attacking Internet Explorer users working inside Microsoft networks. The attacks described are aimed at obtaining users' confidential data held both on remote servers (bypassing access policy restrictions) and on local PCs.
Investigating information security incidents in industrial control systems: SCADA forensics

Attackers' interest in technological infrastructure and industrial control systems is becoming something of a trend. According to experts, leading Russian industrial companies lose up to 10% of their revenue to internal fraud, embezzlement, deviations from technological process procedures and errors in the configuration of measuring equipment. The specifics of industrial control systems call for a fundamentally new technical discipline: computer forensics for industrial automation systems.
Andrei Komarov's talk will also describe mechanisms for preventing incidents in this area and the use of Business Assurance Systems (BAS) to prevent economic fraud in industrial control systems (tampering with fuel dispensers, trading systems, accounting systems, tank level sensors, and fuel and discount card processing systems). The talk will be accompanied by a demonstration of practically significant incidents that occurred at ten of the largest industrial companies in various countries. Andrei Komarov is Head of Audit and Consulting at Group-IB. He currently represents Russia in the development of the Penetration Testing Execution Standard (PTES).
Smart card vulnerabilities: what is at stake

For several years running there has been rapid growth in threats targeting Russian remote banking systems (Shiz, Carberp, Hodprot, RDPdoor, Sheldor). Attackers manage to steal tens of millions of dollars every month; over a year that adds up to at least enough to build stadiums for, say, the football clubs Spartak and CSKA.

While preparing the talk "Smart card vulnerabilities from the point of view of modern banking malware", Alexander Matrosov and Evgeny Rodionov surveyed the most widespread banking malware and uncovered interesting weaknesses in how two-factor authentication and smart cards are used. The talk also examines the techniques and tricks attackers use to hinder forensic analysis. Alexander Matrosov is the director of the Center for Virus Research and Analytics at ESET; Evgeny Rodionov analyzes complex threats at ESET.
New and Popular SAP Hacking Techniques

Over the past five years, interest in SAP security has grown exponentially. Many topics have been covered publicly, from attacks on SAProuter and SAP web applications to low-level vulnerabilities in the SAP kernel and in ABAP code. So far SAP has issued more than 2,000 security notes fixing vulnerabilities in its products, but this is only the beginning. What vulnerabilities remain in SAP systems besides the well-worn XSS, SQL injection and buffer overflows? Alexander Polyakov's talk "SAP insecurity: new and better" will be devoted to the ten most interesting vulnerabilities and attack vectors against SAP systems: from encryption problems to authentication bypass, and from silly mistakes to complex attack chains. A large part of the vulnerabilities presented in the talk will be shown to the public for the first time.
Alexander Polyakov is CTO of Digital Security and one of the world's best-known SAP security experts.
More haste with PHP, less speed

Some third-party PHP implementations can cut script execution time by a factor of five. But can they guarantee stable and secure operation of web applications? Positive Technologies expert Sergey Scherbel, in his talk "Not all PHP is equally useful", will describe the security problems he has identified and the specifics of exploiting web applications that run on third-party PHP implementations, and will give examples of zero-day vulnerabilities. Sergey specializes in application security, penetration testing, and web application and source code analysis. He is a member of the PHDays CTF development team.
Cybersecurity, the Ukrainian way

Konstantin Korsun, a former officer of the anti-cybercrime unit of the Security Service of Ukraine and director of iSIGHT Partners Ukraine, will talk about how the Ukrainian community of information security specialists formed: from the noisy meetings of Ukrainian IT security people in Kyiv pubs to the registration of the Ukrainian Information Security Group (UISG) in 2012. Konstantin Korsun is currently president of the UISG. His talk is called "The community of information security professionals of Ukraine, UISG: achievements and prospects".
About safe use of PHP wrappers
The PHP topic is continued by Alexey Moskvin, a security expert at Positive Technologies. His talk "On the safe use of PHP wrappers" addresses vulnerabilities involving PHP wrappers. Such vulnerabilities have been discussed for a long time; they are referenced in the OWASP Top 10 and WASC TCv2. Nevertheless, a number of features of certain wrappers and filters mean that even applications developed with security requirements in mind may contain vulnerabilities, including critical ones.
The talk will cover techniques for passing data to an application in a form its logic does not expect. This approach can be used to bypass web application firewalls and security filters built into the application, and to carry out attacks involving unauthorized access to the file system and execution of arbitrary code. Examples of zero-day vulnerabilities found using the methodology proposed in the study will be presented.
Alexey specializes in static and dynamic security analysis of application source code, and is a member of the PHDays CTF development team.
Methods of instrumentation for analyzing complex code
Time goes by, technology evolves, and code gets more complex (virtual functions, JIT code and so on). Analyzing such code statically is extremely hard. Code instrumentation techniques come to the researcher's aid: Pin, Valgrind, DynamoRIO and Dyninst are now a mandatory part of a security researcher's toolkit. Dmitry Evdokimov will describe the existing instrumentation methods (at the source code, bytecode and binary level) in his talk "The light and dark side of code instrumentation".
Dmitry Evdokimov is the editor of the Security section of the Russian hacker magazine Xakep and an expert on SAP security, both its internals (SAP Kernel and SAP Basis) and ABAP code.
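An added example of the idea behind the talk, written for this page and not taken from the talk or from any of the tools it names: the smallest form of dynamic instrumentation is the interpreter's own trace hook. The constructed target below dispatches through a table of handlers chosen at run time, the Python analogue of an indirect or virtual call, so reading dispatch() statically only tells you that some handler runs. Tracing it records which functions were actually called and which lines executed (the "light side"). The "dark side" is shown too: the target can detect the hook through sys.gettrace() and behave differently while analysed, which is why native instrumentation frameworks go to lengths to stay invisible. The handlers and messages are constructed for the demo.

```python
import sys
from collections import Counter

# Constructed target: a message handler that picks its callee through a table at
# run time. Static reading of dispatch() cannot tell you which handler runs for
# a given input; tracing can.
def handle_ping(msg):
    return "pong"

def handle_exec(msg):
    return f"would run: {msg['cmd']}"

HANDLERS = {"ping": handle_ping, "exec": handle_exec}

def dispatch(msg):
    handler = HANDLERS.get(msg["type"], handle_ping)   # indirect call, resolved at run time
    return handler(msg)

def is_being_traced():
    """The 'dark side': a target can notice the hook. sys.gettrace() returns the
    installed trace function, so code can refuse to misbehave while analysed."""
    return sys.gettrace() is not None

def instrument(func, *args):
    """Source-level dynamic instrumentation via the interpreter's trace hook (the
    role Pin, DynamoRIO or Valgrind play for native code). Returns the target's
    result, a per-function call counter, and the set of (function, line) executed."""
    calls, lines = Counter(), set()

    def tracer(frame, event, arg):
        name = frame.f_code.co_name
        if event == "call":
            calls[name] += 1
        elif event == "line":
            lines.add((name, frame.f_lineno))
        return tracer            # keep tracing inside this frame

    previous = sys.gettrace()    # restore whatever was there (e.g. a debugger)
    sys.settrace(tracer)
    try:
        result = func(*args)
    finally:
        sys.settrace(previous)   # always remove the hook, even if the target raises
    return result, calls, lines

if __name__ == "__main__":
    result, calls, lines = instrument(dispatch, {"type": "exec", "cmd": "id"})
    print(result, dict(calls), sorted(lines))
    print("traced while instrumented:", instrument(is_being_traced)[0])
```

The call counter answers the question static analysis cannot (which branch of the indirect call was taken for this input), and the line set is a coverage map of the run; both are the kind of data the binary-level tools in the talk produce for compiled code, at far greater cost to stay hidden from the target.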