
On October 22, our office hosted the regular Security Meetup. The meeting featured five talks on various vulnerabilities and security topics: reverse engineering in the enterprise and the business processes around it (using the Qiwi payment system as an example), insecure deserialization of data in PHP, how reliable two-factor authentication really is in mobile applications, making money on bug bounty programs, and attacks that use a "dangerous" video file.
Speakers' presentations:
"Dangerous video." Maxim Andreev, Cloud Mail.Ru.
')
Maxim Andreev, programmer for the Mail.Ru Cloud team, made a report on how to perform an SSRF attack using a specially prepared video file and told how even without launching and viewing “dangerous video” it allows de-anonymizing individual users and stealing files from their computers.
Video performance.
Post on Habré.
"Reverse Engineering in Enterprise". Alexander Secrets, Qiwi.
Alexander Sekretov - Qiwi information security expert. He spoke about business processes related to reverse engineering in an enterprise, as well as how the experience of analyzing applications can improve the security of infrastructure and applications.
Video performance.
"When a brick wall turns into a wooden fence," or "how to get 1kk (a million) on Bug Bounty." Kirill Ermakov, Qiwi.
Kirill Ermakov, CISO of the QIWI group of companies, spoke about the typical mistakes made by people who dream of earning a million on bug bounty programs, and showed some interesting findings using popular Internet services as examples.
Video of the talk.
"Mobile phones, money, two factors." Dmitry Evdokimov, DigitalSecurity.
Dmitry Evdokimov, director of the research center of DigitalSecurity, spoke about two-factor authentication used, including, in mobile applications.
Video performance.
"PHP Unserialize Exploiting." Pavel Toporkov, Kaspersky Lab.
Pavel Toporkov from Kaspersky Lab gave a presentation on how to exploit insecure deserialization of data in PHP, and what exactly helps to use this vulnerability in real conditions.
Video performance.
Photos from the meetup: see the link.