
Why is the Internet of Things a national security threat? What is impressioning? How do you find zero-day vulnerabilities in applications shipped in hundreds of millions of copies? Is there a panacea for DDoS attacks? Here is a new batch of talks that will be presented at the international forum Positive Hack Days IV (see also the 1st and 2nd announcements).
Approximately 2000 experts on practical security will gather in Moscow on May 21 and 22, 2014 to discuss the cyber potential of Iran, China and the DPRK, cryptography after Snowden and Heartbleed, raising the security awareness of Yandex staff, important findings of the SCADA Strangelove group, cyber threats to the modern electrical substation, and the main directions of attacks on SAP systems. Forum guests will learn about next-generation indicators of compromise, visual analytics in information security, reverse engineering automation and much more.
In total, the PHDays IV program includes more than 40 reports, sections and round tables (we will cover the latter separately), master classes and short, engaging FastTrack stand-ups.
Do-it-yourself practical tasks

The practical sessions at Positive Hack Days usually attract the most attention. Hands-on Labs at PHDays are practical exercises; to take part you usually need only basic training, a craving for new knowledge and, as a rule, a laptop.
One traditional crowd-puller is the performance of the three "Houdinis" from TOOOL (Deviant Ollam, Babak Javadi and Keith Howell), who never tire of demonstrating that physical security is at the core of any security. This time they will talk about impressioning: the art of making a key for someone else's door using a blank, a flat file and careful observation. Everyone attending will not only learn the particulars of the method but will also be able to practice it.
A brief description of all Hands-on Labs is available on the event website.
Search for answers

PHDays will dissect the most acute problems of practical security, for which there are no ready-made recipes today.
For example, the participants in the section "The Internet of Things - the Threat of the Next Generation?" will focus on the dangers that the deep penetration of digital technologies into our lives may bring. How can these hazards be predicted? Which tools should be used to minimize potential damage? Andrei Bosenko and Alexey Kachalin ("Perspective Monitoring"), Andrei Moskvitin (Cisco), Andrei Petukhov (VMK MGU) and Artem Chaykin (Positive Technologies) will try to answer these questions.
PHDays IV will be visited by the French professor Éric Filiol, a cryptologist, an expert in cyber security and cyber warfare, and winner of the Roberval Prize for the book "Computer Viruses: Theory, Practice and Application". He will present his view of the changes in cryptography after the revelations of Edward Snowden and the scandals involving RSA, Heartbleed, Google and ANSSI, and will touch on a couple of topics that have not yet been covered in the press.
Specialists from around the world will consider promising approaches to detecting and preventing intrusions (speaker: Robert Griffin from EMC) and new dangers for telecom operators, using the Orange network as an example (Sebastian Roche, core network security services at the Orange Group). Other topics include a comparison of the cyber potential of Iran, China and North Korea (presented by William Hagestad) and the problems of raising employees' awareness of information security, which Natalia Kukanova from Yandex will talk about (according to Positive Technologies, more than 30% of employees of the largest companies follow phishing links!).
A description of the business reports scheduled for PHDays IV can be found on the forum website.
And now more about the new reports.
Finding binary zero-day vulnerabilities in 2014

How do you search for, find and exploit zero-day vulnerabilities in statistically significant applications (operating systems, office applications, browsers) 10 years after the release of the Shellcoder's Handbook, after a million reports, thousands of application utilities and many times more computing power? The speaker will try to answer this question by presenting her own fuzzing system, several zero-day vulnerabilities and a number of circumvention techniques.
The report will be presented by Alisa Shevchenko (Esage), a computer security researcher. She has run her own company, Esage Lab, since 2009 and is a co-founder of the Neuron Moscow Hackspace.
Cyber espionage: what indicators of compromise are and what to do with them
The speakers will talk about the concept of indicators of compromise (IOC) and its use in incident response and investigation. The platform developed by the authors integrates various indicator-of-compromise formats with a dynamic protection framework.
Speakers: Fedor Yarochkin, P1 Security analyst, Academia Sinica; Vladimir Kropotov and Vitaly Chetvertakov, independent researchers in the field of information security.
Visual analytics in information security
Infographics are called the new technological alphabet, and it is quite natural that information security specialists are taking a close look at them, and not only for presenting research. The authors of the report have developed visual tools for analyzing traffic, modeling attacks, assessing security, and detecting financial irregularities in a mobile money transfer system. They argue that this approach is much more effective than the traditional one, and they are ready to prove it in practice.
Igor Kotenko and Yevgeny Novikov of the SPIIRAN laboratory intend to demonstrate how visual analytics turns an ordinary information security specialist into a computer Batman.
Timing Attacks on SQL and NoSQL
The main area of application for such attacks is web applications. The study is devoted to the various search algorithms used by SQL and NoSQL databases and to attacks based on analyzing the execution time of those algorithms.
Speaker: Ivan Novikov, an information security expert and the executive director of Wallarm. He has been rewarded more than once for finding vulnerabilities in Google, Facebook, Twitter, Nokia and Yandex services. He is currently developing a self-learning WAF system.
Cyber threats to control systems of a modern electrical substation
The author will talk about a full-scale test site created in Cheboksary, imitating a modern high-voltage substation, and analyze real cyber-security incidents in control systems of an electrical substation.
The results of the joint work of NTC FGC UES, Kaspersky Lab and TsUP ChEAZ LLC will be presented by Maxim Nikandrov, an expert in electric power management systems and head of the management systems department of TsUP ChEAZ LLC.
Trusted channels and data conversion
Programmers are becoming more savvy and know that user data must be processed correctly and that confidential data must not be disclosed to unauthorized users. However, not everyone understands what a channel for exchanging data with the user is, or what a trusted source of data is; many think only at the level of the syntax of their own code. The report attempts to systematize the types of weak input validation (primarily in web applications).
Speaker: Omar Ganiev, an expert at the Russian company IncSecurity. He has actively participated in CTF competitions since 2011 and has won many of them, both individually under the pseudonym Beched and in teams (as part of RDot.Org, UFOLogists and More Smoked Leet Chicken).
SAP Attack Vector - CUA System
The report will discuss the main directions of attacks on SAP, in particular on SAP CUA, the centralized user management system. The author will show CUA vulnerabilities related to architectural features, incorrect configuration and default settings.
Speaker: Dmitry Gutsko, SAP security expert. He heads the SAP application security analysis group at Positive Technologies and has published numerous vulnerabilities and research papers on various SAP security topics.
Modeling security access control and information flow based on DP-models
The report is devoted to the security modeling of logical control of access and information flows in modern computer systems. An approach to security modeling based on the theory of DP-models, its advantages and capabilities, as well as features of the application in the development of protection mechanisms are considered. The main elements, provisions and methods of DP-models are described. New modeling approaches are proposed that focus on software implementation of access control mechanisms.
Denis Kolegov - Candidate of Technical Sciences, Associate Professor at the Department of Information Protection and Cryptography at TSU, Senior Security Testing Engineer at F5 Networks.
Reverse engineering automation
On the way to understanding what a program does, a reverse engineer performs many routine actions. There are, however, many technologies that raise the level of abstraction at which a program is represented and automate those routine actions. The report will consider the advantages of these technologies, examples of their use and open-source utilities that implement them.
Speaker: Anton Dorfman, a researcher, reverse engineer and fan of assembly language. Since 2009 he has been the organizer and playing coach of student CTF teams.
The announcements of the remaining reports can be found on the forum site.
Briefly and clearly
In addition to the standard reports, the PHDays IV program includes an extensive FastTrack made up of packed, dynamic fifteen-minute talks, which we briefly describe below.

Analysis of the work of various anti-virus labs
A curious incident involving the company's developers helped reveal how antivirus labs actually work "on the other side" when analyzing suspicious software. The speakers will explain how real attackers can detect in advance, by analyzing incoming traffic, that antivirus laboratories have taken an interest in their command servers.
The research will be presented in the FastTrack express format by Igor Agiyevich, deputy head of the IT department at Radio Monitoring Technologies, and Pavel Markov, software engineer at Radio Monitoring Technologies, St. Petersburg.
Catching shellcode on ARM
Despite the abundance of shellcode detection tools, most of them apply only to the x86 platform. The presenters will attempt to fill this gap: they will analyze how applicable the existing methods are to ARM and consider possible heuristics for detecting shellcode on this platform.
Svetlana Gayvoronskaya is a former member of the Bushwhackers CTF team and a participant in the Microsoft Research project on automatic detection of malicious tenants in cloud infrastructures. Ivan Petrov is a current member of the Bushwhackers CTF team. He studies the exploitation of ARM devices and writes modules for Metasploit.
Introspection of virtual machines, or How to track an attacker in the cloud
The speaker will explain how "clouds" can help identify cybercriminals and will consider the approach used in the honeypots project for keeping track of the actions of an attacker or insider in VirtualBox.
Nazar Timoshik is a software security engineer and penetration testing specialist who has worked in various Ukrainian outsourcing companies (SoftServe, Eleks, Symphony-Solutions).
Axapt Inject: Attack on Business Data in Microsoft Dynamics AX
The speaker will explain how features of the three-tier architecture of the Microsoft Dynamics AX ERP system can be used, by means of X++ code, to gain access to the domain administrator account and to data on the activities of the enterprise.
Speaker: Dmitry Erusov, who has been developing and implementing solutions based on the Axapta ERP system for the last 10 years.
Techniques that make it difficult to detect and analyze malicious code in PHP scripts
The report describes the main methods that malware developers use to make their scripts hard to detect and analyze: multistage encryption, obfuscation, code hiding, "mimicry", hidden calls to PHP functions, and others. For each method the report gives examples and considers how a scanner can detect it and how complex it is to implement and to detect. A list of decoding tools is given.
Speaker: Grigory Zemskov, head of the Revizium company and an information security specialist. He is the author and developer of the AI-Bolit malware scanner and has worked as a senior developer at Tecom Group and as a leading architect at Teleca Russia.
At the mercy of the crowd: a crowd filter as a panacea for DDoS
DDoS protection is a battle of resources. Crowdsourcing the resources for traffic filtering and load balancing can help reduce the cost of fighting DDoS. The report will examine the concept of a defense system that makes distributed attacks ineffective by design.
Denis Makrushin, a Kaspersky Lab expert who specializes in cyber-threat protection technologies, will talk about cloud-based anti-DDoS technologies in his FastTrack talk.
Technical implementation of the integration of IT-GRC class systems and security and compliance control systems
The report discusses how to integrate an IT-GRC system with a System for Monitoring Security and Compliance with Standards (SKZSS) using built-in mechanisms. It demonstrates the construction of a SKZSS report from a reference XML report that contains all possible elements and attributes of SKZSS reports.
Marat Rakhimov graduated from ITMO University in 2013 with a degree in the Organization and Technology of Information Security. He works as a design engineer in Gazinformservice LLC. Certified Platform Administrator RSA Archer GRC.
Nothing is more permanent than the temporary
Web developers and administrators often pay no attention to temporary files and make configuration errors, so unwelcome guests can gain access to important information. The report will consider the main attack vectors made possible by the traces that various popular programs and version control systems leave behind, and will provide detailed statistics on such attacks.
The applicability of the ancient proverb to information security will be illustrated by Dmitry Bumov, a security researcher and penetration testing specialist from OnSec.
How to get credentials without administrator privileges
An attacker who has infected a computer with access to the organization's internal network, but only at the level of a regular user, usually cannot easily obtain the account's password. Known methods require privilege escalation or great luck. The author will present an original technique that uses a vulnerability in the Windows SSPI implementation, together with a tool for it, which bypasses these limitations.
Speaker: Anton Sapozhnikov, Senior Consultant, KPMG. He has been involved in penetration testing for more than seven years and has worked with many companies from the Fortune Global 500 list. He is a CTF player in the More Smoked Leet Chicken team, which has won and taken prizes at events such as Codegate, HITB and DEFCON.
NFC: protocol security
NFC technology is successfully making its way into most areas of human activity, from paying for the subway to setting up a "smart home". It is convenient, but is it safe? The report will look at the protocol NFC devices use to interact, outline the attack surface and consider a threat model for NFC. The example is a MiTM attack on an Android phone using the speakers' own Arduino-based NFC transmitter.
The report will be presented by Andrey Plastunov (systems analyst at "Perspective Monitoring") and Roman Bazhin (software developer at "Perspective Monitoring").
All details about the FastTrack talks are on the forum site.
Technical reports and master classes are only part of a grand event that will take place in less than a month. An exciting competition program has already been developed, a battlefield has been prepared for visitors to PHDays Everywhere sites, CTF competition participants have been identified, and finalists for the Young School Young Scientists contest have been selected.
We are waiting for you at Positive Hack Days IV!