Video of Reports from PHDays 2012
June 9, 2012
Videos of reports and hands-on-labs taken place at Positive Hack Days 2012 have been released. They are grouped according to the main information security areas: telecom, state sector, network protection, SAP, SCADA and ERP, web applications, mobile devices, botnets, password protection, hackers and money, practical security, Anonymous and LulzSec. Enjoy it!
Bruse Schneier. The video is available here from 01:00 p.m. The guru of cryptography told about his own security philosophy that surprised most of visitors. He thinks that technologies constitute only a small part of security provision, and law breakers (hackers) may not only cause harm but be useful as well.
Datuk Mohd Noor Amin. The reporter is the Chairman of the International Multilateral Partnership Against Cyber Threats (IMPACT), he leads the first United Nations-backed public-private partnership against cyber threats with UN’s International Telecommunication Union (ITU) as its partner, and with 137 countries as members, IMPACT is also recognized as the world’s largest cybersecurity alliance [video].
Report: Sergey Gordeychik. How to hack a telecom and stay alive 2. Owning a billing [video].
Where to look for the keys to a technological network? How to obtain the billings without interfering with the main business of a company? The speaker answered these questions and shared new illustrative and funny examples of penetration testing performed for telecommunication networks.
Section: Evgeny Klimov, RISSPA. Telecom vs fraud. Who will win? Follow the link to watch the video (available from 12:15 p.m.).
Report: Mikhail Yemelyannikov. Why it is impossible to comply with Russian private data protection law? [video].
Report: Andrey Fedichev, FSTEK of Russia. Why state secrets leak to the Internet? [video].
Report: Alexey Lukatsky. How presidential election in Russia influences information security market, or Trends in regulations. Video is available here from 04:00 p.m.
Report: Vladimir Styran. The truth about the lie. Social engineering for security experts [video].
Hands-on-lab: Andrey Masalovich. Internet competitive intelligence. Video is available here from 04:08 p.m.
By using practical examples, participants of the workshop acquired the skills of using analytical technologies in solving real problems of competitive intelligence, including methods for rapid detection of confidential information leaks, fast-detection of open partitions on servers, methods of penetration on the FTP server without hacking protection; password leak-detection methods; methods of access to confidential documents via bypassing DLP; means of penetrating into sections behind 403 error messages. Techniques were demonstrated on examples of portals in certainly well-protected companies (such as the leaders of the IT and IS markets, large state organizations, intelligence, etc.).
Hands-on-lab: Dmitry Ryzhavsky. Wireless network security. How your network was hacked and how it could be avoided [video].
In the course of the report the most relevant methods of obtaining unauthorized access to WiFi-network were considered, and the mechanisms, proposed by Cisco Unified Wireless Network to protect against the described attacks, were demonstrated.
Hands-on-lab: Sergey Lozhkhin. Computer incident investigation. Video is available here from 02:00 p.m.
This hands-on-lab was devoted to the investigation of incidents of unauthorized access to Internet resources. The reporter introduced the audience to the psychological portrait of the modern hacker and talked about types of attackers. He considered the process of working on the incident, from the detection of traces of malicious activity and response to signals about the burglary to finding the attacker, in cooperation with law enforcement. In addition, the audience heard fascinating stories about real security incidents.
Hands-on-lab: Nikhil Mittal. Breaking havoc using a Human Interface Device [video].
This hands-on-lab focused on a highly dangerous and yet widely neglected computer security issue — vulnerability of Human Interface Devices (HIDs).
Report: Sylvain Munaut. Abusing Calypso phones [video].
Report: Andrei Costin. PostScript: Danger ahead! Hacking MFPs, PCs and beyond… [video].
Report: Sergey Klevoghin. CEH. Ethical hacking and penetration testing [video].
Visitors of the workshop learnt typical vulnerabilities of network protocols, operating systems and applications. During the master class the speaker described the sequence of different types of attacks on computer systems and networks and made recommendations to strengthen the security of computer systems and networks. Students were immersed in a practical environment, where they saw how to really hack the system to subsequently be able to anticipate possible actions of a hacker and successfully resist them.
Report: Travis Goodspeed. Exploiting radio noise with packets in packets. Video is available here from 03:10 p.m.
This talk showed peculiarities of PIP writing, including working examples for IEEE 802.15.4 and the Nordic RF low-power radios.
SAP, SCADA, ERP
Report: Alexey Yudin. ERP as viewed by attackers. Video is available here from 03:00 p.m.
Report: Andrey Doukhvalov. Defense of industrial control systems – a factor of survival of mankind [video].
Report: Evgeniya Shumakher. A lazy way to find out your fellow worker's salary, or SAP HR security [video].
Report: Alexander Polyakov. SAP insecurity: the new and the best [video].
This report focused on ten most interesting vulnerabilities and attack vectors on the SAP system from problems with encryption to bypassing authentication, and from the mistakes of fun to sophisticated attack vectors. A large proportion of vulnerabilities were presented to the public for the first time.
Hands-on-lab: Alexey Yudin. DIY SAP security [video].
Participants of this workshop learnt how to perform security assessment of SAP R/3 and NetWeaver systems (including application servers and infrastructure) by means of available tools.
Hands-on-lab: Vladimir Lepikhin. Web application attacks. The basics. Video is available here from 09:00 a.m.
The mechanisms of attack on web applications, techniques and tools (specialized scanners, security, utilities, using the results of their work during manual analysis) used by violators were provided in a systematic form. Practical examples clearly demonstrated major weaknesses of web applications that make it possible to conduct attacks, illustrated by the shortcomings of the means of protection in use and methods to bypass them.
Report: Miroslav Štampar. DNS exfiltration using sqlmap [video].
The speaker represented DNS exfiltration technique using SQL injection, described its pros and contras, and provided illustrative examples.
Report: Vladimir Vorontsov. Attacks against Microsoft network web clients [video].
The report covered methods of attacks on Internet Explorer users functioning as part of Microsoft networks. The considered attacks are aimed at obtaining confidential information about users both on remote servers (bypassing access policy restrictions) and local PCs.
Hands-on-lab: Andres Riancho. Web 2.0 security. Advanced techniques [video].
The hand-on-lab covered protection techniques against attacks exploiting XML and HPP/HPC, as well as Click Jacking and Session Puzzling.
Report: Sergey Scherbel. Not all PHP implementations are equally useful. Video is available here from 04:00 p.m.
The reporter considered detected security problems and operational features of Web applications using third-party implementations of PHP and gave examples of 0-day vulnerabilities.
Report: Thibault Koechlin. Naxsi, an open source and positive model based web application firewall [video].
Report: Aleksey Moskvin. On secure application of PHP wrappers [video].
Several vulnerabilities related to PHP wrappers were considered.
Report: Vladimir Kochetkov. Hack an ASP.NET site? It is difficult, but possible! [video].
The reporter presented examples of new 0 day attacks including a brand new type of Code Injection.
Hands-on-lab: Manish Chasta. Securing Android applications [video].
The talk briefed the audience on the techniques of discovering and mitigating the vulnerabilities in any Android Mobile Application. In addition to this, the presentation covered Android rooting, SQLite database analysis, ADB and mobile server related threats. The audience also learnt about the proposed OWASP Top 10 for mobile applications.
Report: Marcus Niemietz. Hijacking attacks on Android devices [video].
Hands-on-lab: Sergey Nevstruev. Practicalities of Mobile Security [video].
Report: Maria Garnayeva. The techniques of putting a spoke in botmasters' wheels: the Kelihos botnet. Video is available here from 09:10 a.m.
Report: Alexander Gostev. Initially the report was titled The secret of Duqu, but then the reporter decided to concentrate on a new vulnerability called Flame. Video is available here from 02:00 p.m.
Report: Alexander Lyamin. DDoS Surveillance HowTo. Part 2. Video is available here from 05:03 p.m.
Report: Fyodor Yarochkin and Vladimir Kropotov. Life cycle and detection of bot infections through network traffic analysis [video]
Hands-on-lab: Pierre-Marc Bureau. Win32/Georbot. Understanding and automated analysis of a malware [video].
It is the first hands-on-lab in the world related to this botnet.
Issues of Password Protection
Report: Alexey Zhukov. Lightweight cryptography: resource-undemanding and attack-resistant. Video is available here from 12:00 p.m.
Report: Dmitry Sklyarov and Andrey Belenko. Secure password managers and military-grade encryption for smartphone: Huh, really? Video is available here from 10:15 a.m
Report: Alexander (Solar Designer) Peslyak. Password security: past, present, future [video].
The report addressed the issues of password protection in a historical perspective, as well as the prospects of authentication technologies in the near future.
Report: Benjamin Delpy. Mimikatz to restore passwords for Windows 8 [video].
Hackers and Money
Section: Artyom Sychov. Ways to protect money [video]
Report: Dmitry Gorelov, RusCrypto Association. Smart-card technologies in Russia: from payphones to Universal Electronic Card. Video is available here from 10:00 a.m.
Report: Aleksandr Matrosov and Eugene Rodionov. Smartcard vulnerabilities in modern banking malware. Video is available here from 11:07 a.m.
The speakers described the study of the most common banking malware, as well as the discovery of interesting vulnerabilities by using two-factor authentication and smart cards. The report also covered techniques and tricks used by hackers to conduct anti-forensics.
Report: Micha Borrmann. Paying with credit cards in the Internet can result in headache [video]
Hands-on-lab: Boris Ryutin. Security without antivirus software [video].
The participants of this four-hour master class got basic knowledge of detecting Trojans in OS, learnt most recent Trojan development techniques for Windows (SpyEye, Carberp, Duqu), considered Trojans for Android and got acquainted with actual exploits (PDF, Java).
Report: Yuri Gubanov. How to find an elephant in a haystack [video].
Report: Dmirty Evdokimov. Light and dark side of code instrumentation [video].
The reporter told about existing methods of instrumentation (Source Code Instrumentation, Bytecode Instrumentation, Binary Code Instrumentation).
Report: Nikita Tarakanov and Alexander Bazhanyuk. Automated vulnerability detection tool. Video is available here from 05:00 p.m.
Report: Igor Kotenko. Program agent cyberwars [video].
Report: Ulrich Fleck and Martin Eiszner. From 0-day to APT in terms of favorite framework [video].
Section: Demo section. Seeing once is better! Video is available here from 05:10 p.m.
Anonymous and LulzSec
Report: Jerry Gamblin. What we can (and should) learn from LulzSec [video].
During the report Jerry was teased by a group of people, but thanks to his good sense of humor he reacted very positively [video].
Report: Haythem El Mir. How Tunisia resisted attacks by Anonymous. Video is available here from 02:10 p.m.
Report: Alexey Andreev (Mercy Shelley). The past and the future of cyberpunk [video].
Alexey shared his views on the development of Russian cyberpunk.
Award ceremony: follow the link to watch the winners receiving their prizes.
Concert: a music band named Undervud closed the forum [video].