
Acceptance of applications to take part in Positive Hack Days is in full swing. By popular demand, we are extending the Call for Papers until March 31. This means that everyone who wants to speak at the forum has a couple more weeks to submit an application.
We recently announced the first keynote speaker of PHDays 8: Ilfak Guilfanov, the well-known developer of the IDA Pro disassembler and the Hex-Rays decompiler. Today we present a group of participants whose talks have already been included in the main PHDays program. This year, forum visitors will learn how to bypass a corporate face recognition system, how dangerous smart cars are, and how intruders hack IoT devices.
The information security director of the near future
Over the past few years, businesses have suffered huge losses as a result of the actions of criminals and hacktivists. The threat landscape is constantly changing, so now more than ever it is important to maintain an information security model in which security decisions follow from an understanding of the risk to the business and the capabilities of attackers.
The effectiveness of a company's information security policy depends not only on organizational and technical measures, but also on the competence of its employees. Today, in many critical sectors, information security solutions are outdated, and the skills of specialists do not keep pace with technology and do not meet the requirements of the business. Whom should we train: people or computers? Money is needed, but how do you translate CISO requirements into the language of the CEO? These questions will be answered by Eddie Schwartz, Executive Vice President of DarkMatter, member of the International Board of Directors of the Information Systems Audit and Control Association (ISACA), and Chairman of the Association's Information Security Working Group. Prior to DarkMatter, Schwartz was the director of information security solutions at Verizon and the director of security at RSA.
Hacking an authentication system
The Argentinean information security expert and head of Cinta Infinita, Nahuel Grisolía, will again speak at PHDays. He specializes in web application security and hardware hacking. Grisolía has found vulnerabilities in products from McAfee, VMware, ManageEngine, Oracle, Websense, Google and Twitter, as well as in Achievo, Cacti, OSSIM, Dolibarr and osTicket.
At the fifth PHDays forum, Grisolía held an RFID workshop; this time his subject is the modern authentication platform Auth0, which serves more than 2,000 clients and handles 42 million authorizations per day. The talk covers the security of JSON Web Tokens, authentication and authorization, cryptography, and methods for intercepting and manipulating HTTP traffic. The speaker will present a vulnerability that bypasses authentication and compromises all applications using Auth0.
Windows Hello rounds one, two, three
Windows Hello is Microsoft's biometric system, which includes iris scanning, fingerprint scanning and face recognition. It is used for passwordless login on Windows devices and for authentication on websites and in applications.
Matthias Deeg, head of R&D at SySS, the leading German penetration testing service provider, will present his study of Windows Hello and demonstrate how simple methods can bypass different versions of the system.
Smart car as a weapon
Modern smart cars are not just a means of transportation but real computers, packed with advanced infotainment software. New technologies open up broad opportunities for attackers: threats that were previously characteristic of the computer world are now relevant to cars.
Representatives of Ixia, chief security researcher Stefan Tanase and senior software developer Gabriel Cirlig, examined a car whose integrated infotainment system was completely separated from the vehicle's own network infrastructure. They found a large amount of data stored in clear text. The authors of the study will show how an attacker can track the car's movements and attack network access points using the onboard computer.
How to break IoT
Another PHDays speaker is Noam Rathaus, one of the founders of Beyond Security, a company specializing in the development of enterprise security assessment technologies. Rathaus is the author of four books about open security tools and penetration testing. He found more than 40 vulnerabilities in various software, and also created about a third of the code base of Nessus, a program for automatically searching for known vulnerabilities.
His report "Substitute your device under the Internet" is devoted to the security of the Internet of things. Noam Rathaus will talk about various vulnerabilities that his team found in the products of well-known vendors, as well as give recommendations on the protection of IoT devices.
Andrey Biryukov, leading information security officer of AMT Group, will continue the topic of IoT security. At the Fast Track section, he will make a presentation on “Leaky M2M Clouds: How to Break IoT”. Forum participants will learn how cloud technologies (including open-source) are used to control IoT devices. The speaker will show a video of the exploitation of the most interesting vulnerabilities and give recommendations on how to fix them.
Protection against the quantum computer
In February 2016, NIST published a report on post-quantum cryptography. It describes the algorithms considered vulnerable to a quantum computer; the list includes almost all algorithms in use.
Sergey Krendelev, Head of the Modern Computer Technologies Laboratory at Novosibirsk State University, will talk about the problems posed by the "quantum threat" and about algorithms and protocols for post-quantum cryptography. He will give examples of various digital signature algorithms, hash functions and key exchange schemes, and discuss the problems that may be encountered in the practical implementation of post-quantum cryptography and public key infrastructure.
By the way, Sergey Krendelev, like Nahuel Grisolía, spoke at PHDays V. His report "The Soviet K-340A Supercomputer and Cloud Computing Security" was devoted to processing encrypted data using non-standard encryption algorithms.
Bug bounty perks
Owners of publicly available resources suffer serious reputational and financial losses due to vulnerabilities. QIWI's CISO and co-founder of Vulners.com, Igor Bulatenko, will highlight the shortcomings of existing ways of dealing with vulnerabilities and the advantages of bug bounty programs. Attendees will find out why a bug bounty is more cost-effective than a pentest or a large information security team and better for the financial stability and reputation of the company, and who needs (and who does not need) to open such a program. Igor will also share QIWI's experience and explain how they rolled out their bug bounty.
A full list of talks will be published on the PHDays website in April. Learn more about topics and rules for participation on the Call for Papers page.
The industrial partner of the Positive Hack Days forum is the Moscow plant FIZPRIBOR; the forum partner is R-Vision; the exhibition sponsor is Group-IB; the participants of The Standoff are Informzaschita and Perspective Monitoring; technology partners include Cisco, Moxa and Advantech.