
Congratulations to the winners of ZeroNights HackQuest! For ingenuity and hacking skills, winning teams are rewarded with free tickets to ZeroNights and ONsec T-shirts.
1st place: ReallyNonamesFor
2nd place: RDot.Org
3rd place: Raz0r
Intel, namely Intel's Security Center of Excellence, has decided to support the event and become our silver sponsor. We welcome Intel to the ranks of companies willing to invest in the ZeroNights mission - spreading the principles and techniques of information security both among established specialists in various fields and among the younger generation.
Other good news: the "Security Researchers vs. Developers" roundtable is planned to be a truly epic battle between developers and hackers. Experts from ViaForensics, Nokia, Yandex and Google will speak against security researchers.
By popular demand, we are laying out all our trump cards. The site already has the first version of the program.
We are proud to announce the key presentation topics:
- The Grugq (Thailand) will give a talk on OPSEC, the principles of practical combat security for anonymous hackers. "Black hats" in the hall, keep your stone faces!
- Felix 'FX' Lindner (Germany) will give a presentation entitled “Strive to be yourself.”
And the last batch of reports and workshops:
- In the main program, Nikita Tarakanov (Russia) will teach you the art of binary differential analysis.
Are you tired of viewing hundreds of changed features when comparing fresh Flash Player versions? Are you tired of Turbodiff and PatchDiff? Are you tired of making pennies on 1-day exploits?
Then this report is for you!
- In the main program, the world-famous Alexander Polyakov (Russia) will once again share his amazing discoveries in the field of atypical attacks on large corporate networks.
So, you have a penetration test of the internal infrastructure of a large enterprise. And now what? As usual: scan, exploit, escalate? Or something more interesting? Sometimes the best strategy is to listen to what is happening on the network and focus on key points of failure, for example, on the Enterprise Service Bus, as well as on atypical attacks.
- In the main program, Alexey Troshichev (Russia) attacks iOS using the “man in the middle” method.
The technique of forcing a user to install a root certificate and an overview of the consequences of the installation: monitoring the device through a fake Push Notification Server and disclosing SSL traffic.
- In the main program, Sergey Karasikov (Russia) will take listeners behind the scenes of Android and demonstrate the security problems of this platform from the perspective of both the hacker and the user in need of effective protection.
● From A to Z: the story of the low-level hack of the read-only eMMC memory of the HTC Desire HD smartphone.
I'll tell you how to learn to write to the most closed memory section of an HTC smartphone. The detective story includes the reverse engineering of a Chinese device for unlocking / hacking HTC phones, finding and cooperating with the true developer of a key element, and a detailed description of the hack mechanism that allows you to remove the factory read-only flags from memory chips.
● Paranoid Android: create a werewolf phone using cryptography.
I will describe a way to create a crypto phone inside the phone so that no one knows of its existence, how to solve the inevitable technical problems, and why only such protection will provide 99% protection against mobile data falling into the wrong hands.
● False security: an overview of how to extract data from a Google phone.
Using the HTC Desire HD as an example, I will explain how to gain access to the device in order to hack it and extract data from a smartphone, the separation of risk groups, and the special equipment that can crack and flash the phone even without booting into the OS (S-OFF via GoldCard using XTC Clip and its analogues).
- In the main program, Lady Alice Shevchenko (Russia) will show you zero-day vulnerabilities where you never expected to see them.
How do you quickly find a lot of zero-day vulnerabilities in common applications and then have no problems with exploitation? Answer: take a closer look at the "bayans" (old, well-worn bugs) and the allegedly "unexploited" finds. We again raise the topic of insecure DLL loading vulnerabilities (Insecure Library Loading, or DLL Hijacking) to dispel the myth that they are trivial, useless and do not exist. Non-obvious nuances of exploitation, methods of neutralizing user interactivity and other techniques that turn a seemingly limited vector into the shortest path to the target will be considered.
Unfortunately, the Ras Flores workshop on Metasploit is canceled: the speaker has unforeseen problems with the visa.
- Workshop: Alexander Potapenko and Dmitry Vyukov (Russia) will talk about two tools for finding errors in programs, AddressSanitizer and ThreadSanitizer, developed by them in the depths of Google.
We will talk about two tools for finding bugs in programs, AddressSanitizer and ThreadSanitizer, focusing on how they are built and how they can be useful in industrial development and the search for vulnerabilities.
Known errors (buffer overflow, use-after-free, race conditions) in open-source projects, their influence on the stability and security of programs, and how they could have been avoided will be demonstrated.
The program includes:
● review of memory access and synchronization errors, their impact on the stability and security of the programs
● the design of two tools for finding such errors, AddressSanitizer and ThreadSanitizer, their advantages and disadvantages
● use of ASan / TSan on both sides of the barricade
● practical part
Requirements for workshop participants:
● 2 hours
● laptop with Linux (64-bit; a VM is fine)
- Workshop: Alexander Azimov, Artem Gavrichenkov and Alexander Lyamin (Russia) will tell visitors the saga of DDoS attacks and answer all your questions.
About DDoS in three parts:
● Game of BGP
● How not to write TCP based applications
● DDoS attacks 2012: the art of survival
Requirements for workshop participants:
● 3 hours
● And questions that concern you
- FastTrack: Dmitry 'D1g1' Evdokimov (Russia) gathered a whole treasure trove of reverse engineering tools in Python and dedicated a website to them.
Today, RE without automation of certain tasks can no longer be imagined. Python has become an ideal and merciless weapon in the hands of a skilled reverse engineer who does not waste time on trifles but automates everything and everyone. Demand creates supply, and a fairly large number of Python projects have emerged: well known or little known, narrowly or broadly focused, plug-ins or standalone applications. All of them are united by one thing: they are the reverse engineer's arsenal for diving into the cruel binary world. So that no one gets lost in this abundance of Python weapons, it was decided to make a website about them and present it at the conference.
- FastTrack: Dmitry 'chipik' Chastukhin and Gleb Cherbov (Russia) investigated the security of technologies designed to ensure security, namely tracking systems.
What could be more interesting than researching the security of information systems? Bingo! Researching the security of technology designed to provide security.
The report will address the security issues of tracking systems. Learn in detail the route of a cash-in-transit vehicle? Easy! Expand the area within which paroled criminals can move? Yes please! See where and at what speed your competitor is carrying dumplings? Here you go, sign here. Find out where there are cars with unlocked doors? Done. We'll tell you something. We'll show you something. Maybe.
During coffee breaks, do not forget about live demonstrations of SAP hacks and attacks on mobile devices on Digital Security and Neuron hacks.
On November 20, an afterparty for all comers will be held at "Zarya Bar". Conference visitors get a 15% discount on drinks!
And finally, a friendly reminder: the acceptance of payment for participation ends on November 15. We are waiting for you at Infospace and we promise a sea of unforgettable impressions!