Smart TV Insecurity

Author: Donato Ferrante, Luigi Auriemma

At the beginning, TVs were just supposed to be TVs. They were used to make people's lives happier. Nowadays, TVs are fully featured PCs, with a proper OS, camera, microphone, web browser, and applications. They still make people happy. Especially the malicious ones. This talk will detail the current status of Smart TVs, exploring their attack surface, detailing possible areas of interest, and demonstrating some issues the speakers found while assessing the security of Smart TVs from different vendors.

Language: Russian

Donato Ferrante
Prior to founding ReVuln Ltd., Donato was a Security Researcher for Research In Motion (BlackBerry), where his daily job was performing security research and vulnerability assessments of RIM-authored code, products and services, including infrastructure, devices, and the QNX operating system. Before moving to RIM, Donato analyzed and reversed several rootkits, malware, mobile malware and exploits for Sophos Antivirus. He presented one of his research projects on Java malware and Java Virtual Machine exploits (inREVERSE) during the CARO workshop in Prague. Donato found several vulnerabilities in well-known commercial products and open source software, and his first publicly disclosed security advisory was released in 2003.

Luigi Auriemma
Luigi has been in the security field for more than a decade. As an independent security researcher (aluigi.org) he is a world-recognized expert in this field and has discovered more than 2000 vulnerabilities in widely used software. The following are some key points of Luigi's work: the highest number of security vulnerabilities disclosed in SCADA/HMI software (General Electric, Siemens, ABB, Rockwell, Invensys, Schneider, InduSoft, CoDeSys and many others); the best-known server-side Microsoft vulnerabilities found by him, ms12-020 and ms11-035; research on Smart TV vulnerabilities; and security vulnerabilities affecting the most widely used multiplayer game engines, libraries, middleware and games.


Mobile Network Attack Evolution

Author: Karsten Nohl

Mobile networks should protect users on several fronts: Calls need to be encrypted, customer data protected, and SIM cards shielded from malware.

Many networks are still reluctant to implement appropriate protection measures in legacy systems. But even those who add mitigations often fail to fully capture attacks: they target symptoms instead of solving the core issue.

This talk discusses mobile network and SIM card attacks that circumvent common protection techniques to illustrate the ongoing mobile attack evolution.

Language: Russian

Karsten Nohl is a cryptographer and security researcher. He likes to test security assumptions in proprietary systems and typically breaks them.


Impressioning Attacks: Opening Locks with Blank Keys

Author: Deviant Ollam, Babak Javadi, Keith Howell

Impressioning is the art of fabricating a working key for a lock using only a hand file, a blank key, and keen observation. Without taking any mechanisms apart, and while only accessing a locked door from its secured side, it is possible to manipulate a lock in such a way that it will “leak” information, allowing for a full decoding of the pins within. This attack sometimes takes longer than conventional lockpicking, but it is very effective and if successful it will result in total compromise of the lock not just one time… but for all time. This presentation will demonstrate the art of impressioning, and attendees will be able to try these attacks themselves afterward in our hands-on area.

Language: Russian

While paying the bills as a security auditor and penetration testing consultant with his company, The CORE Group, Deviant Ollam is also a member of the Board of Directors of the US division of TOOOL, The Open Organisation Of Lockpickers. Every year at DEFCON and ShmooCon Deviant runs the Lockpicking Village, and he has conducted physical security training sessions for Black Hat, DeepSec, ToorCon, HackCon, ShakaCon, HackInTheBox, ekoparty, AusCERT, GovCERT, CONFidence, the FBI, the NSA, DARPA, and the United States Military Academy at West Point. His favorite Amendments to the US Constitution are, in no particular order, the 1st, 2nd, 9th, & 10th.

Babak Javadi is a hardware hacker with a wayward spirit. His first foray into the world of physical security was in the third grade, where he received detention for describing to another student, in words alone, how to disassemble the doorknob on the classroom door. After years of immersion in electronics and computer hardware hacking, he found his passion in the puzzling and mysterious world of high security locks and safes. After serving as a driving force within the locksport community for almost a decade and helping found the US division of The Open Organisation of Lockpickers, he has recently re-embraced the beauty of the baud and resumed hardware hacking with a vengeance. He currently serves as the President of the US group of The Open Organisation of Lockpickers (TOOOL) and is the founder of The CORE Group, a security research and consulting firm.

Trained as an Electronics Engineer by the British Army, Keith Howell became interested in computers and began his learning path with a TRS-80, and has owned most Intel-based processors since then. After joining UUNET Technologies in 1995, he started to get interested in the security of networks and computers, and in 1998 joined the UUNET InfoSec team.

Following the ‘dot-bomb’ period in 2001, Keith returned to his electronics background and began doing physical security including Access Control, Alarm Systems and Locksmithing. Keith is a CISSP as well as an ALOA CRL (Certified Registered Locksmith). Currently, Keith is a Security Consultant in the Washington, DC area where he is contracted to Assurance Data Inc in Alexandria, VA.


Give Me Your data!

Author: Dave Chronister

We hear news stories every day about malicious hackers compromising the sensitive data of corporations, governments and individuals. But that is only half of the story. The genesis of this presentation stems from the idea that, even today, data is still not stored securely. Professional hacker Dave Chronister conducted a research project to find out if he could gain access to sensitive data. The catch? He would not hack any systems; all data had to be collected legally. From purchasing devices on Facebook and bidding for hard drives on eBay, to monitoring public file sharing sites and anonymously accessible servers, Chronister will unveil methods to retrieve information and show his findings - which are very surprising.

Language: Russian

Dave Chronister – C|EH, CISSP, MCSE, C|HFI – is the founder and Managing Technology Partner of the ethical hacking firm Parameter Security. Growing up in the wild world of 1980’s BBSes and the early Internet, Chronister obtained a unique firsthand look at the mind, motives, and methodologies of hackers. Chronister has provided ethical hacking services, auditing, forensics, and training to clients world-wide. Chronister’s expertise has been featured in many media outlets including CNN, CNBC, CNN Headline News, ABC World News Tonight, Bloomberg TV, CBS, FOX Business News, Computer World, Popular Science, Information Security Magazine, St. Louis Post Dispatch, and St. Louis Business Journal, to name a few.


ID and IP Theft with Side-Channel Attacks

Author: David Oswald

Side-channel analysis (SCA) is a powerful tool to extract (cryptographic) secrets by observing physical properties (power consumption, EM emanations) of a target device. After an intro to SCA and related methods, the speaker will demonstrate the practical relevance of SCA with two case studies: first, how SCA can be used to circumvent the IP protection (bitstream encryption) of FPGAs; second, how, in a similar way, AES keys of one-time password tokens can be extracted, allowing an attacker to steal digital identities.

Language: Russian

David Oswald received his PhD in IT-Security in 2013 and is currently working at the Chair for Embedded Security, Ruhr-University Bochum. His main field of research is the practical security analysis of embedded systems, e.g., commercially employed RFID smartcards. The focus is on attack methods that exploit weaknesses in the physical implementation of mathematically secure cryptographic algorithms. Those techniques include both (passive) side-channel analysis and (active) fault injection. He is co-founder of the Kasper & Oswald GmbH, offering innovative products and services for security engineering.


Compromise Indicator Magic

Author: Fyodor Yarochkin, Vladimir Kropotov and Vitaliy Chetvertakov

In this presentation Vladimir, Fyodor and Vitaliy will cover the concept of compromise indicators and the use of compromise indicators in the pro-active incident response and forensic investigation process. The team has developed a framework and a platform that allows integration of various IOC formats into a dynamic defense framework. The framework allows integration of various third-party-encoded indicators (such as CybOX, OpenIOC, etc.) and provides facilities to map individual IOC characteristics to known/existing Indicators of Compromise. The input can be provided in the form of an IP address, a hash, a URL, a process or executable name, an executable behavior characteristic, and so on. The output indicators of compromise can be produced in the form of Snort rule(s), Yara rule(s), or a hunt description for the GRR Rapid Response Framework. The authors will demonstrate an applied process of identifying, mining and refining IOCs as well as running "IOC sweeps" on available data sources. Several tools will be demonstrated in these examples (including passive DNS and passive HTTP frameworks developed by the authors), as well as possibilities of integration with third-party tools such as Splunk, Moloch and so on.

The authors will also discuss the implementation of IOC sharing policies and the facilitation of such sharing, and will walk attendees through a series of simulated case studies including breach simulations, customized rootkit detection, and use of the framework to detect, refine, redeploy and sweep for potential indicators of compromise.

All the provided tools are to be released open-source.

Language: Russian

Fyodor Yarochkin is a security analyst at P1 Security, Academia Sinica.

Vladimir Kropotov is an information security analyst and independent researcher.

Vitaliy Chetvertakov is a security analyst and independent researcher.


Visual Analytics on Guard of Information Security

Author: Igor Kotenko, Yevgheniya Novikova

Methods of visual analytics significantly simplify a security administrator’s work, since these methods involve intelligent data processing algorithms and account for the peculiarities of human visual perception of data.
The talk will cover the existing methods of visual data analysis designed for solving various tasks in order to provide protection against computer attacks. The efficacy of applying visual analysis is exemplified by the tools developed by the authors, specifically the utilities for traffic analysis, attack modelling, security assessment, and detecting financial infringements in mobile payment systems.

Language: Russian

Igor Kotenko is a Professor, Doctor of Technical Sciences, and Head of the SPIIRAS Laboratory of Information Security Issues. He participated in various projects on developing new computer security technologies and managed projects of the European FP7 and FP6 framework programs and also projects commissioned by HP, Intel, F-Secure, etc. These projects resulted in the development of innovative methods for detecting network intrusions, modeling network attacks, network security assessment, security protocols development, security policies verification, etc.

Yevgheniya Novikova is a Candidate of Sciences and Senior Staff Scientist of the SPIIRAS Laboratory of Information Security Issues. She focuses her research on developing new models and methods of data visual analysis for intelligent information security management of computer systems. She takes special interest in public-key cryptography.


Orange – Security in CS Mobile Core Network

Author: Sébastien Roché

Mobile telecommunication operators are facing new challenges in the cyber security domain. Now in the full-IP age, mobile core network engineers should assess new security risks in several domains to ensure the protection formerly provided by the usage of TDM/ATM technologies. This report intends to detail the current situation, based on the Orange example, and the potential new needs arising in the security domain around CS core mobile infrastructures.

Language: Russian

Sébastien Roché received a master’s degree in Computer Sciences and Telecommunication at Cergy Pontoise University in 2004. He has 9 years of experience as a mobile research engineer and is currently working as Mobile Core Network Security Manager for Orange Group. Sébastien contributed to an NFV program by working on virtualization for mobile CS infrastructure. He also managed projects involving CS mobile architecture evolution analysis, mobile lab installation, validation and deployment support on NSN, Huawei, Ericsson, ZTE, MSC R4 products for Orange affiliates.


Teach, Teach and, Once Again, Teach

Author: Natalya Kukanova

The speaker will detail how information security awareness processes were developed and implemented at Yandex (approx. 6,000 employees). This issue is relevant to any company's security service — software and hardware tools are already on their guard, but the security level remains low. The report describes the difficulties to overcome while building employees' awareness and methods to assess the efficiency of this process.

Language: Russian

Natalya Kukanova is an analyst at Yandex. She graduated from the University of Information Technologies, Mechanics and Optics (ITMO) in St. Petersburg in 2006. Natalya worked at Digital Security from 2004 until 2009, then at Positive Technologies from 2010 until 2012. Her main professional achievements are development and deployment of information security control systems, information risk management, and implementation of information security processes.


My Journey Into 0-Day Binary Vulnerability Discovery in 2014

Author: Alisa Esage (Shevchenko)

While the IT security research hotspot migrates constantly towards new technologies, the demand for binary exploitation today is higher than ever before, as proven by this year’s pwn2own contest stakes and outcomes. The question that bothers many is thus whether it is still possible to discover new — and exploitable — vulnerabilities in widely deployed and extensively audited applications, given today's reality of an overwhelming tool base, research, computational power, and intelligence competition. The author says yes, and this is the report of her own journey.
The presentation will detail the author’s own approach to the discovery of 0-day binary vulnerabilities, mostly based on fuzzing. Specific concepts and techniques which worked (or failed) will be demonstrated. Finally, the root cause analysis of a few 0-day vulnerabilities will be presented, along with a few ideas for bypassing exploitation mitigations.

Language: Russian

Alisa “Esage” Shevchenko is a self-taught offensive security researcher. She has been running her own company Esage Lab since 2009; co-founded Neuron, a hackspace in Moscow. She used to be occupied with reverse engineering, malware analysis, antivirus bypassing, penetration testing, cyber forensics, black-box software and hardware security auditing. Her current research interest is discovery and exploitation of 0-day binary vulnerabilities. Alisa spoke at such conferences as RusCrypto 2009, RECon 2011, InfoSecurity 2012, and ZeroNights 2012; published her works in such magazines as InfoSecurity Russia, (IN)Secure, Hakin9, VirusBulletin, and No Bunkum.


How to Intercept a Conversation Held on the Other Side of the Planet

Author: Sergey Puzankov

Lately, recordings of phone conversations can be found on the Internet and even heard on TV. It is obvious that such recordings were obtained without the knowledge of the subscribers. Many of us have received weird text messages and, after that, long bills for mobile services. The author of the research is Sergey Puzankov, an expert at Positive Technologies specializing in mobile network security. He will consider the range of possibilities open to an intruder who has accessed the holy of holies of telecom companies—SS7. The author will speak about attacks aimed at disclosure of a subscriber’s sensitive data, including his or her location; changing enabled services; call forwarding; and unauthorized intrusion into a voice communication channel. Information about the signaling messages that can be used to perform these attacks is publicly available. The research also covers types of proactive protection against such attacks and methods of investigating incidents related to vulnerabilities in a signaling network.

Language: Russian

Sergey Puzankov graduated from Penza State University with a degree in Automated Data Processing Systems. He is interested in mobile network security. As an expert at Positive Technologies, he designed MaxPatrol 8 modules for security standards compliance of several types of GSM and UMTS mobile communication equipment.


PHP Object Injection Vulnerability in WordPress: an Analysis

Author: Tom Van Goethem

With approximately 19% of the web running on WordPress, it comes as no surprise that the security of this content management system has an enormous impact on a large number of users. Despite being open source, and reviewed by security researchers, WordPress is—just as any other software—prone to errors and vulnerabilities.
In this talk, the author will discuss how the unexpected behavior of MySQL led to the discovery of a PHP Object Injection vulnerability in the WordPress core. The author will also demonstrate how this vulnerability can be exploited in order to run arbitrary code on WordPress installations that have a popular plugin enabled.

Language: Russian

Tom Van Goethem is a PhD student at KU Leuven (Belgium).


Side Channel Analysis: Practice and a Bit of Theory

Author: Ilya Kizhvatov

The proposed talk is about side channel analysis of secure devices. This topic is not often addressed at hacker conferences. The speaker will introduce the conference community to side channels, present an overview, and explain the state of the art in this area, giving practical examples. After the talk, a listener should be able to understand whether a particular device is exposed to the threat of a side channel attack and how to protect it, and may become motivated to play around with side channel analysis just for fun.

Language: Russian

Ilya Kizhvatov is a senior security analyst at Riscure (Delft, Netherlands). He has 6 years of experience (half academic, half industrial) in embedded security, with the focus on side channel and fault attacks on cryptographic implementations, and 2 years of embedded software engineering experience. He spoke at scientific and industrial conferences and seminars.


OS X Drivers Reverse Engineering

Author: Egor Fedoseev

This is a technical report on the peculiar features of OS X driver analysis that covers the main complexities and ways to simplify the analysis. The report will be of interest to virus analysts and OS X security researchers.

Language: Russian

Egor Fedoseev has never worked in the information security industry. He works in the Ural Federal University and leads the student group Hackerdom. He has been engaged in reverse engineering since 2004.


In the Middle of Printers: (In)security of Pull Printing Solutions

Author: Jakub Kałużny

Big corporations and financial institutions need secure pull printing services which guarantee proper encryption, data access control and accountability. This research aimed to perform a MITM attack on multifunction printers with embedded software from the most popular vendors. The results are staggering - similar vulnerabilities have been found in multiple solutions, allowing an attacker to break the encryption, collect any print jobs from the server, and print at others' expense.

Language: Russian

Jakub Kaluzny has more than 7 years of experience in security-focused web programming (PHP, pgSQL, MySQL, bash scripting) and 3 years of experience in the software security lifecycle and penetration testing. He was inducted into the Google Security Hall of Fame in 2013. He was a speaker at the OWASP Poland Local Chapter in 2011 ("Advanced data mining", focusing on the security aspects of data crawlers). In 2008 he presented his report "Ciphers and encrypted file systems" at the Open-source security conference, Warsaw. Jakub Kaluzny was Main Programmer and Security Officer at Homepay.pl in 2010 - 2012 (developing a financial intermediary platform and security hardening). Now he is an IT security specialist at SecuRing (penetration tests, vulnerability assessment and threat modelling of web applications and network environments). He is expected to receive a bachelor’s degree in Engineering in Applied Computer Science at AGH University Of Science And Technology, Cracow.


Cracking Pseudorandom Sequences Generators in Java Applications

Author: Mikhail Egorov and Sergey Soldatov

Modern applications widely use random sequences for security-related tasks: encryption keys, authentication challenges, session identifiers, CAPTCHAs and passwords. The resistance of such applications to cracking strongly depends on the quality of their random sequence generators.

The talk will explain vulnerabilities found in Java applications that use pseudorandom generators, and how to attack them successfully. The speaker will demonstrate a tool that effectively recovers the internal state of the generator (a.k.a. the seed) as well as previous and subsequent generator output values.
The research also covers the session ID generation mechanisms of different Java application servers and web servers, both open source and proprietary.

Language: Russian

Mikhail Egorov
Mikhail Egorov graduated from Moscow State Technical University named after Bauman in 2009 and obtained a Master’s degree in information security. He is an independent security researcher and experienced Java/Python programmer. His area of expertise includes vulnerabilities research, fuzzing, reverse engineering, web application and network security. He worked as an information security consultant and software developer in different companies, holds OSCP and CISSP certifications.

Sergey Soldatov
Sergey Soldatov is a Bauman Moscow State Technical University graduate and an independent security practitioner with more than 10 years of network security experience. He has extensive programming experience and has been involved in large ISP-related development projects. He is a speaker at a number of conferences, including HITB and ZeroNights, and holds CISA and CISSP certifications.


Intercepter-NG: The New-Generation Sniffer

Author: Alexander Dmitrenko, Ares

The report is devoted to a unique toolkit named Intercepter-NG, developed in Russia. Today it is the most advanced sniffer, with a lot of functions.
Ironically enough, it is more popular in other countries than in Russia, and the report is intended to change the situation. The speaker will not only review the utility’s main features, but will give full details of two attacks with Intercepter-NG: MySQL LOAD DATA LOCAL injection, recently presented at Chaos Constructions, and DNS over ICMP, a little-known but powerful attack.

Language: Russian

Alexander Dmitrenko
Head of the Training Department at PentestIT, and the author of articles on habrahabr.ru and in the “Hacker” magazine.

Ares
PentestIT expert, the developer of Intercepter-NG.
