Responsiveness and Responsibility

Author: Marc "van Hauser" Heuse

• Language
• English

If You Can Write a Webserver, You Can Write a Thumb Drive

Author: Travis Goodspeed

Think back to that moment when you first realized a bit of ASCII and a socket were all that it took to make an HTTP server in your favorite scripting language.  Using the open source Facedancer framework, emulators have been written in userland Python for Mass Storage, Human Interface, FTDI, and Device Firmware Update protocols. The sockets work a bit differently, and the protocols aren't ASCII, but the principles and the libraries are no more difficult than HTTP.
Practical examples of this technique include a tool for catching firmware updates by impersonating the DFU protocol and a prototype of a hard disk that actively defends itself against forensics tools and imaging.

• Language
• English

Cyber War of a Chinese Hacker, Black Economy, and Trojan Tool

Author: Tao Wan

In the past, Chinese hackers have been spurred into action by geopolitical controversies. But today many of the China hackers are turning away from the darker side of the security field and instead looking for opportunities in building legitimate businesses. China's billion-plus population means that proportionally, there are a lot of hackers in China. China also has an active cyber police system, but the country is large. Nonetheless, you can't say enforcement is non-existent in China.
What happened to China hackers in the last ten years? Who are they and what do they want? Eagle Wan, the leader of the China Eagle Union will give you the truth.

• Language
• English

Faster Secure Software Development with Continuous Deployment

Author: Nick Galbreath

Why don't developers care about security issues? Why isn't security training effective? Why do basic application security problems continue to exist? One reason is that long release cycles disenfranchise developers from caring or even knowing about security or operational issues. Continuous Deployment helps address this by small, but frequent, changes to the production environment. At first, this would seem less stable and less secure; however, continuous deployment is a lot more than "pushing code". When done well, it can be transformative to your software lifecycle and change your security group from a reactive organization into an "in-house security consultancy" that developers come to for questions and assistance. This session will discuss how to get started with continuous deployment and the tools and process needed to make it a security success.

• Language
• English

SCADA Strangelove: How to Build Your Own Stuxnet

Author: Positive Technologies

A lot of time has passed since the Stuxnet incident. While one is looking for lacking elements of the cyberweapon evolution, Positive Technologies experts want to get a glimpse of the future. The near future where to create a full-fledged SCADA worm one will only need up-to-date Metasploit and a little skill of VBScript programming.
Based on the research regarding the security of Siemens SIMATIC (TIA Portal/ WinCC /S7 PLC) series, the talk will cover the vulnerabilities which can be used to hack into ICS. The speakers will also demonstrate the ways of the worm propagation and its malicious impact on the system, ranging from the network level (S7/Profinet) to the web control interfaces, to the WinCC project files.
Information on new vulnerabilities in Siemens SIMATIC series will be presented, as well as tools which can be used to analyze security and to find new vulnerabilities in ICSs.

• Language
• Russian

Catching the Uncatchable: Investigating Malicious Activity Incidents in Corporate Networks

Author: Fyodor Yarochkin, Vladimir Kropotov, Vitaliy Chetvertakov

Vladimir, Fyodor and Vitaliy spend their daily time as security analysts detecting malicious activity outbreaks in large corporate networks. In this presentation they summarize their experience in detecting large, cross-continental mass-infection activities. The presentation will cover both, financially-oriented online crime activities as well as targeted attacks, which recently gained larger exposure due to some high profile network compromises (e. g., recent New York Times compromise incident). The presenters will thoroughly discuss mechanisms of malware dissimulation, primary attack and spreading vectors and attack details, specific to each particular campaign observed. Fyodor will also demonstrate a novel approach of detecting targeted attack compromises within enterprise networks through methods of statistical traffic analysis.

• Language
• Russian

Lockpicking & Physical Security

Author: Deviant Ollam, Babak Javadi, Keith Howell

Physical security is an oft-overlooked component of data and system security in the technology world.  While frequently forgotten, it is no less critical than timely patches, appropriate password policies, and proper user permissions.  You can have the most hardened servers and network but that doesn’t make the slightest difference if someone can gain direct access to a keyboard or, worse yet, march your hardware right out the door. Those who attend this session will leave with a full awareness of how to best protect buildings and grounds from unauthorized access. Discussion as well as direct example will be used to demonstrate the grave failings of low-grade hardware... much of which can be opened by audience members with no prior training. What features to look for in locks and safes will be covered, and how to invest in systems that are easiest to manage in large environments will be discussed.

• Language
• English

Underground Market 101: Pricing Stats and Schemas

Author: Max Goncharov

Online fraud has long since moved from being a mere hobby to a means for cybercriminals to earn a living. Daily we see lots of activity in social networks, blogs and forums, but this is the part of the internet visible to everyone.
There is another side to the internet however — its criminal underbelly — and here, just like on the blogs and forums, communication is key. In this talk we will cover the principles of underground information exchange, ways to secure money/goods in underground transactions and basic cyber hierarchy.
The speaker will also talk about underground products and services. Crypt services, DDoS attacks, traffic resale, bulletproof servers, SMS fraud, spam services and credit card hijack — these topics will be covered with pricing comparisons shown over the last 2 or 3 years. The speaker will go through the typical pricing steps of a criminals attack — from buying software, all the way to monetizing the volumes of infected victims.

• Language
• English

Attack Prelude: OSINT Practice and Automation

Author: Vladimir Styran

Collecting and analyzing public information on the target, aka Open Source Intelligence (OSINT), is a mandatory stage of a modern pentest. The value of such analysis is difficult to overestimate, however, only few people treat it with due attention. Some even skip this stage and start vulnerability scanning right away. It is a mistake, because collecting information on systems and personnel in the area of testing usually plays a crucial role in security audit and is essential for success of an audit conducted with the use of social engineering techniques.

• Language
• Russian

Abusing Browser User Interfaces for Fun and Profit

Author: Rosario Valotta

As social engineering has become the dominant method of malware distribution, browser makers started designing more robust and recognizable UIs in order to help end users make aware choices while surfing the Web. In this process, creating trusted notification mechanisms played a crucial role: nowadays any modern browser is able to identify potentially dangerous or sensitive action requested by a webpage (file downloading, plugin installation, granting privileges to websites) and prompt a dialog box or a notification bar to require explicit confirmation from the user.
Even though these improvements led to a greater degree of assurance, the notification mechanisms are far from being 100% safe: in this presentation the speaker will show how notification bars in major browsers (Chrome 24, IE9, IE10) can be abused with little (or even no) social engineering, leading to users security compromise and even to conducting trivial code execution on the victim's machine.

• Language
• English

Attacks Modeling, Security Metrics Calculation and Visualization in Perspective SIEM Systems

Author: Igor Kotenko

The report covers current research in the field of SIEM systems. The speaker will present new approach to analytical modeling of attacks and defense mechanisms based on the graphs of attacks and services relations, on security metrics calculation, and also on visualization of events and security metrics in promising SIEM systems. The author will outline the ways of practical application of the presented approach. The report includes aspects of software implementation for a new generation SIEM system, developed as a part of the integrated project of the Seventh Framework Programme (FP7).

• Language
• Russian

Let the Hardware Do All the Work: Adding Programmable Logic to Your Toolbox

Author: Dmitry Nedospasov, Thorsten Schröder

In the world of embedded security, off-the-shelf solutions often fall short of what is necessary to perform hardware analysis. Common issues include coping with overwhelming amounts data and timing. Generic microcontroller-based tools usually lack performance where as high-end protocol analyzers usually offer great performance, but support only a handful of protocols. At the heart of most high-end tools for hardware debugging and analysis lies an FPGA, so why not build your tools around them?

• Language
• English

Windows File Uploading Out of the Box

Author: Vyacheslav Yegoshin

The report will cover file uploading methods at the post exploitation stage using only out-of-the-box tools in Microsoft Windows environments, as well as security (antiviruses, firewalls, proxies, NATs) bypassing methods and nonstandard situations hindering exploitation.

• Language
• Russian

Honeypot that Can Bite: Reverse Penetration

Author: Alexey Sintsov

This talk will consider the concept of aggressive honeypot, the main idea of which is that defense can be aggressive, and the options how it may work. The speaker will touch upon such topics as de-anonymizing attackers, filtering and detecting non-bot attacks, determining the attacker’s technical skill level, getting control of the attacker.
Alexey Sintsov will try to answer such questions as who can use these techniques, why they are useful, and how effective it can be. The audience will have a chance to take a look into real experiment, real samples of attacks, and results from the realization of this idea. The speaker will also discuss some more interesting things such as whether one can exploit vulnerabilities of third-party services or only client-side vulnerabilities (all of them can be leveraged, and the audience will be shown how it can be done with real examples).

• Language
• Russian

Five Nightmares for a Telecom

Author: Dmitry Kurbatov

Five Nightmares for a Telecom are five stories on how to intrude into an operator’s network and perform an attack against packet services, how to gain control of the infrastructure, make money with VoIP and self-service portals. Some attacks already have precedents in the past, and others are just a fancy, which we hope will not become a reality.

• Language
• Russian

Vulnerabilities of Android Cryptographic Applications

Author: Pyotr Khenkin

The report will cover the most well-known mobile applications for Android (with the focus on the USA market), which deal with user information — text encoders, user credentials storages, messengers. The results of the performed research show that none of the considered applications complies with the stated characteristics. They include both indirect and direct security threats, which allow accessing confidential data.

• Language
• Russian

Bitcoin: Lights and Shadows of Virtual Money

Author: Antonio Teti

For several decades, electronic money has been an illusion chased by all those who believed in the possibility of creating an instrument that can produce momentous upheavals in the field of economics and finance. We have come to the initial phase of this monetary revolution, but the consequences arising from use on a global scale could be particularly dangerous....
Born a few years ago, is being heralded as a Bitcoin virtual currency whose success is surrounded by numerous oddities. The first is its creator: Satoshi Nakamoto. In an article published in October 2011 by The New Yorker, journalist Joshua Davis, who for years have started searching for the elusive inventor of Bitcoin, asserts that "Satoshi Nakamoto" is nothing more than just a pseudonym behind which lurks a group consisting of hundreds of experts in cryptography, peer-to-peer systems and techniques for transaction banking network. Since bitcoins are routed through a peer-to-peer, it remains impossible to trace the movements of electronic money and to disclose the identity of those who carry out transactions.

• Language
• English

Peculiarities of the National Hunt

Author: Aleksander Gostev

Answering the question "Who?" is more important for victims of a cyber-attack, than its technical details. Detecting attack sources is mainly based on artifacts in program code or control servers. How do security companies distinguish Chinese attacks from others? Why Red October is created by the Russians? What is the difference between the Persian Gulf and the Arabian one? The talk is based on real investigations by Global Research and Analysis Team of Kaspersky Lab.

• Language
• Russian

Find Them, Bind Them – Industrial Control Systems (ICS) on the Internet

Author: Johannes Klick, Daniel Marzin

People involved: Jan-Ole Malchow, Robert Fehrmann, Sascha Zinke, Prof. Dr. Roth

Many industrial control systems are remotely administrated and can be found on the Internet via search engines like SHODAN.
The authors of the research can show the distribution of SCADA/PLC systems over the world with their Industrial Risk Assessment Map (IRAM) using SHODAN. IRAM also shows vulnerabilities and possible exploits.
The speakers will compare the first results of their own SCADACS Search Engine (SSE) with SHODAN.
They are also going to discuss what happens if you combine IRAM, SSE and exploits into one application.

• Language
• English

Protecting Organizations from Security Breaches by Persistent Threats, with Examples from RSA

Author: Michel Oosterhof

Each enterprise is serious about protecting its resources, brand and intellectual property. Despite this, incidents happen because attackers also have huge resources to develop the means and methods of attack. The author of the report knows this first hand, because RSA is constantly under the gun attacks. As part of the report, the speaker would like to share his experience and expertise in the prevention, detection and minimize the effects of high profile APT-attacks on corporate and government infrastructure. Based on some use cases (Lockheed Martin and others) he will talk about Cyber Kill Chain concept, discuss typical patterns of attack and methods of reducing the risks associated with industrial espionage and cyber attacks. Also the speaker shares some cases and techniques based on his own experience on running internal EMC CIRC (Critical Incident Response Center).

• Language
• English

Are ICS Models Needed to Ensure Information Security of Industrial Systems?

Author: Ruslan Stefanov

Specialists face a serious problem while ensuring information security of technological systems — a complete technical audit or testing and implementing of IS components are rarely possible in a production system because operators try to avoid its failures. The speaker will touch upon the problems that occur while simulating threats and testing security solutions: impossibility of threat simulating in production ICSs, problems with software updating, and compatibility of IS solutions with ICSs. He will describe the main approaches to ICS modeling, which allow solving the above mentioned problems, and will provide a short overview of the results obtained during creation of models in Russia and other countries.

• Language
• Russian

To Watch or to Be Watched? Turning Your Surveillance Camera Against You

Author: Sergey Shekyan, Artem Harutyunyan

Low cost commodity IP surveillance cameras are becoming increasingly popular among households and small businesses. As of January 2013 Shodan (www.shodanhq.com) shows close to 100000 cameras active all over the world. Despite the fact that there are many models by different vendors, most of them are actually based on the similar hardware and firmware setup. Moreover, there are even other devices (such as Internet TV boxes) that use the similar firmware.
Interestingly enough those cameras have little or no emphasis on security. In particular, the web based administration interfaces can be considered as a textbook example of an insecure web application. This easily leads to an exposure of not only sensitive personal information (such as wireless network, FTP, and even email access credentials), but also provides an eye to an inside of your house. Last but not least it can be used to alter the video stream with an external stream or a still picture.

• Language
• English

Lie to Me: Bypassing Modern Web Application Firewalls

Author: Vladimir Vorontsov

The report considers analysis of modern Web Application Firewalls. The author provides comparison of attack detection algorithms and discusses their advantages and disadvantages. The talk includes examples of bypassing protection mechanisms. The author points out the necessity of discovering a universal method of masquerading for vectors of various attacks via WAFs for different algorithms.

• Language
• Russian

Evading Deep Inspection for Fun and Shell

Author: Olli-Pekka "Opi" Niemi

The Evader was released at Black Hat 2012. It is a freely available test and research tool for measuring middle-box security device’s protocol analysis capabilities. The Evader is an excellent tool for anyone doing defensive security to find weaknesses in defenses and it is suitable for penetration tests and security audits. In the presentation the speaker will go into technical details of the Evader and evasions and disclose evasions that still work with most of today’s security boxes.

• Language
• English

Java Everyday. System Analysis of Java 0-day Exploits

Author: Boris Ryutin

The report will cover the results of the system analysis of all zero-day vulnerabilities found in Java in 2012 and 2013 (CVE-2013-1493, CVE-2013-0431, CVE-2013-0422, CVE-2012-5076, CVE-2012-4681, CVE-2012-1723, CVE-2012-1507). The aim of the research was to find out regularities pointing out the same resource or the same method of vulnerability data search.

• Language
• Russian

Attack Modeling. Artificial Intelligence Against Natural Errors

Author: Yevgeny Tumoyan

The talk covers the problem of attack modeling and the prospect of solving the problem in relation to security and risk assessment. The speaker will discuss main existing attack models and modeling tools, and also the problems of their implementation in the practical assessment of computer system security.
The talk considers the possibilities of applying artificial intelligence for computer attack modeling. The author of the research will present and analyze a new attack model based on neuron nets.

• Language
• Russian

HOWTO. High Packet Rate on x86-64: Clearing the Bar of 14.88 Mpps

Author: Alexander Lyamin

Since new tools like netmap и PF_RING DNA became available for intruders, attacks leveraging multiple packets of minimum size have been gaining greater popularity. What is the mechanism of such attacks and which vulnerabilities in the design of modern server platforms do they exploit? What to oppose them by, having a vanilla Linux kernel and standard Intel equipment in hand? How, with usual equipment, to reach the maximum packet rate for a 10GbE environment — 14.88 Mpps? What restrictions such a solution will have and how to overcome them?

• Language
• Russian

DIY Industrial IPS

Author: Dmitry Dudov

As ICS moves into TCP/IP, its security becomes a vital issue. Many protocols designed to control and monitor critical processes do not employ encryption or authentication system. This makes it easy for an attacker to hijack sessions, modify data and inject malicious packets. Security related solutions for protocols are entering the market. Are they really effective? And if not, is it possible to perform all the necessary functions using standard network equipment?

The speaker will examine attack scenarios at the application level and their impact, taking Modbus (Modbus TCP) as an example. He will demonstrate how to develop and test the signatures employed by most of the current intrusion prevention systems. In conclusion, the speaker will compare the final set of signatures for Modbus TCP security with the set from the leading information security vendors.

• Language
• Russian

Who's Looking at You, Kid?

Author: Jeff Katz, aestetix

Do you carry a cell phone, an RFID badge, or do anything that could be tracked? Did you ever think about how that data could be used? This talk will explore findings from the OpenBeacon project, a real time location aware tracking system the speakers have deployed at several conferences. Jeff Katz and aestetix will show demos of visuals they have created, teach the technology behind their infrastructure, and show how easily an innocent gadget can be turned into a powerful tool.

• Language
• English

SAP Attacks Methodology

Author: Dmitry Gutsko, Oleg Klyuchnikov

The report will cover methods of conducting typical attacks against SAP systems and necessary tools. These methods have been successfully tested on real systems. They use both well-known and absolutely new hacking mechanisms. The report will touch upon such topics as direct database access, password hijacking via a network, hash hacking, bypassing clients security, bypassing systems security, hiding evidence of presence in a system, hacking with the transport directory. Moreover, it will expose new attack methods that have not been published yet.
The report is primarily aimed at SAP technical specialists and information security specialists.

• Language
• Russian

(In)security of Appliances

Author: Alexander Antukh

It is not news that software can be insecure. Numerous security advisories posted each day illustrate this fact.
But for security software this picture ought to be different. Its purpose is to offer secure access to our network, it protects us from malware threats, protects our emails and our crown jewels.
Such systems are supposed to be designed and developed with security in mind and should not be filled with vulnerabilities.
Let us take you on a journey into the mists of security products. Follow us while we unveil the mystery and demonstrate how security products suddenly can become the weakest link in your defense; how attackers can abuse security products in order to gain access to your network and your crown jewels.
Whilst this journey, the speaker will disclose some impressive vulnerabilities in products by F5 Networks, Symantec, and others.

• Language
• Russian

Industrial Protocols for Pentesters

Author: Alexander Timorin, Dmitry Yefanov

The report includes a general overview of the current situation with SCADA — the largest vendors, vulnerability statistics. The analysis of the main industrial protocols (Modbus, DNP3, S7, PROFINET) is described in details. Some interesting features and vulnerabilities of the protocols are analyzed from the point of view of a pentester. The authors of the report will speak about a protocol analysis technology and about used tools. They will also demonstrate software, developed in the course of their researches.

• Language
• Russian

One More Weakness in Modern Client-Server Applications

Author: Anton Sapozhnikov

The speaker will present a post-exploitation technique which allows you to hack your favorite application server and get sensitive information through pwned client and at the same time bypass firewall restrictions, leave no trace in logs and bypass many-factor authentication to exfiltrate a lot of private data.
Did you hear about modern techniques utilized by Caberp or Zeus to hijack banking apps and bypass two-factor authentications and other security features? The speaker will raise them to the level of enterprise applications such as Oracle DBMS or similar.

• Language
• Russian

Building a GRC System for SAP

Author: Alexey Yudin

The report will cover the issue of GRC systems. The speaker will describe the solutions existing on the market and explain why they are hardly suited for business. He will use the SAP ERP system to exemplify creation of a self-developed GRC system. The author will touch upon such processes as access control and fraud management, as well as segregation of duties by means of SAP, will consider typical fraud schemes and their detection methods in terms of SAP HCM and SAP MM.

• Language
• Russian