PHDays — Positive Hack Days. Fast Track

Fast Track

User-friendly, though. (Messaging bots expose sensitive data)

Author: Anton Lopanitsyn

The speech will focus on messaging bots in Telegram: how a useful tool becomes a source of information leakage.

Language: Russian

A web application security expert at ONSEC. Currently working on Wallarm.

Backdooring LTE modem radio channel kernel

Author: Andrey Lovyannikov

This report will present findings of research on the radio channel kernel firmware of the Huawei E3372 LTE modem. The speaker will demonstrate how changes to the kernel can lead to transmission of unencrypted data over the radio channel.

Language: Russian

A leading security engineer at ASP Labs. A member of BalalaikaCr3w (LC/BC), a CTF team. A PhD student at MEPhI. He is usually engaged in reverse engineering of everything he can lay his hands on. The rest of the time, he exploits binary vulnerabilities.

Internal security awareness (QIWI)

Author: Ekaterina Pukhareva

We arranged quizzes, quests, and CTFs to increase security awareness of QIWI staff. Then we checked what they learned using internal phishing, pentests, and dropping malware-infected media.

Language: Russian

Currently works for QIWI. Engaged in IT compliance and vulnerability management. An author of several articles on compliance risks and information security audit.

Techniques to protect Java apps and ways to bypass them

Author: Philip Lebedev

The report outlines a range of protection strategies for Java apps, for most of which there are bypass scenarios available.

Language: Russian

An information security engineer at ASP Labs. A member of BalalaikaCr3w, a CTF team. Mostly focused on reverse engineering and exploiting binary vulnerabilities. An expert in researching iterative block ciphers.

Will your business withstand ransomware?

Author: Yulia Omelyanenko

You are building your business continuity and disaster recovery program and planning how to get through a crisis caused by fire, power failure, or natural disaster. But suddenly you are notified that your network has been hit by ransomware, and with every second more data is probably being lost. We will discuss the ransomware threat from a business continuity point of view and analyze options to prevent it or minimize its impact once a company has been infected.

Language: English

A GRC unit manager at Acronis. Previously worked as a GRC lead in a large FMCG company. Graduated from the Moscow Engineering Physics Institute. Has over 6 years of practical experience in information governance.

Non-signature-based detection of PHP backdoors

Author: Gregory Zemskov

The speaker presents an algorithm he developed and implemented for non-signature-based detection of malicious PHP code fragments.

Language: Russian

Head of Revisium, a company focused on integrated website security. An IS specialist and developer of free website malware and security scanning tools. A permanent participant of conferences, a lecturer at Moscow State University of Mechanical Engineering, an author of courses, master classes and numerous web app security articles.

How to find zero-days in the Linux kernel

Author: Andrey Konovalov

This talk will present how to find vulnerabilities in the Linux kernel using syzkaller. It is a coverage-guided Linux syscall fuzzer. The fuzzer has found over 400 bugs during internal Linux kernel testing and numerous bugs while being used by external users.

Language: Russian

A Google software engineer working on various bug finding tools for the Linux kernel.

The other side of DDoS

Author: Krassimir T. Tzvetanov

This talk introduces defenders to the tools that are popular in the underground for setting up denial-of-service attacks. It will go through some of the toolkits and techniques used to launch those attacks and look at the economics: how much it costs an attacker to execute the attack and how much it costs the defender to defend against it. From the defense point of view, we will also examine the benefits and drawbacks of mitigating the attack on premises versus using a service provider that specializes in that field.

Language: English

A security engineer at Fastly, a high performance CDN designed to accelerate content delivery as well as serve as a shield against DDoS attacks. Worked for hardware vendors like Cisco and A10 focusing on threat research, DDoS mitigation features, product security and best security software development practices. Also worked at Yahoo! and Google. Was a department lead for Defcon and an organizer of the premier BayArea security event BayThreat. Holds a Bachelor's degree in Electrical Engineering (Communications) and a Master's degree in Digital Forensics and Investigations.

Horizontal penetration in Windows-based infrastructure

Author: Teimur Kheirkhabarov

Every targeted attack consists of several stages. At the initial stage, attackers collect information about the company and its employees to find the weakest link. Next, the intruders penetrate the corporate network and obtain access to one or several hosts inside the protected perimeter. They then attempt to obtain the credentials of users with privileges on various corporate hosts. After that, attackers move from host to host in search of relevant information or systems. A multitude of tools for remote execution of Windows commands, and other legitimate utilities so popular among system administrators, are at the disposal of attackers. The speaker will talk about all these mechanisms and utilities. You will also learn how to find the traces of their usage that are inevitably left behind in event logs.

Language: Russian

Engaged in theoretical and practical aspects of information security research for more than six years. SOC analyst at Kaspersky Lab. Formerly the head of the infosec department at an industrial company. Received specialist's and master's degrees from the Siberian State Aerospace University, where he later lectured on IS. An active participant in CTF contests. Spoke at ZeroNights.

Using the event types relationship graph for data correlation in SIEM systems

Authors: Andrey Fedorchenko, Andrey Chechulin, and Igor Kotenko

The talk will focus on correlation-related research for SIEM systems based on the structural analysis of security event types. The speakers present an approach to automated analysis that treats security events as input data with dynamic content. A graph of event types with direct and indirect relationships between them is proposed for automated analysis. Handling of input security data involves functional and behavioral analysis performed by calculating the frequency-time characteristics of events, classifying events by severity, and creating behavior patterns. The suggested approach allows the use of rank correlation along with other intelligent techniques. Requirements for normalization of source data are also stated. The speakers will demonstrate an analysis of a security event log and the event types relationship graph resulting from this analysis.

Language: Russian

Andrey Fedorchenko
Junior research associate at the Laboratory of Computer Security Problems (Saint-Petersburg Institute for Informatics and Automation). Engaged in research in the field of event correlation and information security in SIEM systems. Finalist for Young School competition held at PHDays V.

Andrey Chechulin
Senior research associate at the Laboratory of Computer Security Problems (Saint-Petersburg Institute for Informatics and Automation). Participant in several Russian and international projects dedicated to various aspects of information security. Was involved in the development of a course on computer forensics at the Federal Criminal Police Office of Germany, development of systems for analytical modeling of attacks in the context of the 7th European Framework Programme (FP7), and development of visualization systems for the projects of the Federal Targeted Program of the Russian Federation. Spoke at a number of national and international conferences on computer security.

Igor Kotenko
Head of the Laboratory of Computer Security Problems (Saint-Petersburg Institute for Informatics and Automation). Participated in a variety of projects to develop new technologies for information security (project management for the Federal Target Program of the Russian Federation, the Russian Science Foundation, the Russian Foundation for Basic Research, the European Framework Programmes FP6 and FP7, projects commissioned by HP, Intel, and F-Secure). Speaker at a number of conferences on computer security.

Risk management: how to abandon illusions

Author: Alex Smirnoff

Providers of GRC solutions tend to present formal compliance as a required step to effective risk assessment. The speaker will point out shortcomings of these solutions, discuss alternative techniques, and advise on how to employ low-cost and future-proof approaches to vulnerability management.

Language: Russian

Started his career as a mainframe hacker in 1989, and for several years hacked mostly for fun. Developed a firewall, advised on cybersecurity issues. Worked as CISO with Parallels for four years. Now has turned back to consulting. An expert with the Open Net Association.

Energy depletion attack analysis: a case with wireless network devices

Authors: Vladislav Alexandrov and Vasily Desnitsky

The research reviewed attacks aimed at energy depletion of battery-powered devices. The following types of attacks have been analyzed: denial-of-sleep attacks, traffic increase, electromagnetic interference, and software misuse. The report will be supported by modeling some of these attacks on an Android-based mobile device and on ZigBee network nodes.

Language: Russian

Vasily Desnitsky
PhD in Technical Sciences. Senior Research Fellow at the Laboratory of Computer Security Problems, SPIIRAS. An Associate Professor at the Bonch-Bruevich Saint Petersburg State University of Telecommunications, Department of Protected Information Systems. Has a keen interest in research and development in the following areas: embedded devices and IoT systems security, attack analysis and modeling, security event management systems, software protection.

Vladislav Alexandrov
A second-year Master's student at the University of Information Technologies, Mechanics, and Optics (ITMO), specializing in information security; works as a programmer at Positive Technologies. Takes part in projects initiated by the Laboratory of Computer Security Problems, SPIIRAS. Performs research in the areas of IoT system protection and energy depletion attack analysis.

Interface through web analyst's eyes: experience with usage of web analytics widgets on online banking login pages

Author: Dmitry Pavlov

The vast majority of websites and applications use web analytics tools to monitor visitor behavior. The collected data is used to promote and optimize the website. Banks also use web statistics tools on their websites, sometimes on online banking login pages. The speaker will present statistics on the use of JavaScript analytics widgets on online banking login pages, which handle sensitive information.

Language: Russian

A fourth-year student of the Faculty of Computational Mathematics and Cybernetics at MSU.

The evolution of Trojan memory sticks

Author: Andrey Biryukov

Malicious devices based on Teensy and other development boards are rather well known: by mimicking a keyboard or another legitimate device, they bypass protection tools and perform malicious activity. However, a Trojan device based on the Raspberry Pi Zero microcomputer allows implementing even more types of attacks. It can be used for MITM attacks, automated vulnerability scanning with subsequent exploitation, or connection to a target system via JTAG to reconfigure BIOS settings. The speaker will demonstrate the implementation of a number of such attacks.

Language: Russian

Graduated from the Moscow Aviation Institute, the Faculty of Applied Mathematics and Physics. 12+ years of experience in information security. Lead information security engineer with AMT GROUP with the focus on ICS security. A regular author for the Russian magazine "System administrator." Wrote several books on information security.

Exploring a billion states of a program like a pro. How to cook your own fast and scalable DBI-based security tool. A case study

Author: Maksim Shudrak

The main purpose of this talk is to introduce DBI, delve deeper into the topic, demonstrate the power of the technique, and consider typical problems of applying it to "industrial" tasks. The audience will get acquainted with DBI in general, learn in which fields it is successfully applied and what the potential problems are when implementing their own tool on top of the presented frameworks (Intel PIN and DynamoRIO), and see real examples of the technique used for heap-based bug detection in heavyweight programs and for dynamic malware analysis.

Language: Russian

A cyber security researcher at IBM Research Israel, PhD. Field of interests: reverse engineering, software security analysis, dynamic binary instrumentation, malware analysis, emulation technologies.

Cyberespionage in Central Asia

Author: Anton Cherepanov

ESET researchers recently discovered an interesting cyberespionage campaign in several Central Asian countries. The discovered malware has been used in targeted attacks against high-value targets since at least 2016. The talk will uncover details about the campaign and provide a technical analysis of the malicious toolkit used.

Language: Russian

A senior malware researcher at ESET. Responsibilities include analysis of complex threats. Spoke at numerous conferences, including Virus Bulletin, CARO Workshop, 4SICS (CS3STHLM), and ZeroNights. His interests focus on IT security, reverse engineering, and malware analysis automation.

Protection against unauthorized access—which method is better?

Authors: Roman Alferov and Andrey Gorokhov

The report will summarize the results of research evaluating the effectiveness of several information security products. Case studies will show the flaws identified by the researchers.

Language: Russian

Roman Alferov
Works as an analytical engineer with Standart Bezopasnosti (Security Standard). A member of a CTF team named girav. Studies at the Yaroslavl State University (specializes in computer security). Deals with reverse engineering of Windows binaries and penetration testing.

Andrey Gorokhov
Works as an engineer with Standart Bezopasnosti (Security Standard). A member of a CTF team named girav. A postgraduate student at the Yaroslavl State University. Engaged in cybercrime investigations and penetration testing.

Evil Printer: assembling an uncommon firmware

Author: Anton Dorfman

We are surrounded by devices doing an important job, but their security is often neglected. These devices are network printers and multifunction devices. The speaker will review how to extend the standard features of these devices by modifying their firmware. He will show live payloads required for attacks on enterprise and industrial networks.
Speaker: Anton Dorfman, authors: Vladimir Nazarov and Ivan Boyko.

Language: Russian

Researcher, reverser, and assembly language fan. PhD in Technical Sciences. Graduated with honors from the Samara State Technical University. Lectured on reverse engineering. The author of over 50 scientific publications on IT security. Keen on automating any reverse engineering task. Took third place in the Best Reverser contest at PHDays II. Spoke at PHDays, ZeroNights, and HITB 2014. Organizes and trains student CTF teams. Lead specialist at the application analysis unit at Positive Technologies.

Dangerous controllers

Author: Igor Dusha

The main issues the speaker will cover are vulnerabilities in PLCs, process interface units, computer-based interlocking units, and other smart devices. He will also review the specific features of penetration testing in SCADA environments and the classification of vulnerabilities in SCADA systems and PLCs, all supported by case studies and remediation methods. The report also outlines the specific features of ensuring security in proprietary technologies for data transfer between control units and field devices, which control processes in the oil and gas, nuclear, and other industries. The report is supplemented by real test results and compilations.

Language: Russian

Graduated from MEPhI (Moscow Engineering Physics Institute), the Faculty of Cybernetics and Information Security. Currently works as a security engineer at ASP Labs and as architect of its integrated SCADA security solution. Involved in SCADA security activities, such as audits, penetration testing, and design and installation of information security tools, in the railway, nuclear, petroleum refining, and power distribution industries. A member of the BalalaikaCr3w CTF team.

Developing a Google Chrome extension to protect against information leakage through other browser extensions

Author: Anastasiya Parygina

A significant concern about browser extensions is that they are prone to information leakage. This talk focuses on a browser extension to improve security for users with minimal technical skills and knowledge in information security.

Language: Russian

Native of Astana (the Republic of Kazakhstan). A senior student at the Information Technology department of L. N. Gumilyov Eurasian National University. Has been involved in design and development of information systems since 2015.

A heuristic approach for detection of DOM-based XSS combined with tolerant parsing

Author: Alexey Pertsev

The talk covers client-side detection and prevention of DOM-based XSS attacks using syntax-error-tolerant JavaScript parsers. This technique is meant to be especially useful in WAFs.

Language: Russian

A graduate of G. I. Nevelskoi Maritime State University. Engaged in penetration testing at Digital Security.

Secure service-oriented architecture. Smart home voice control as a case study

Author: Wire Snark

The report reviews secure system development methodology as applied to IoT applications. The speaker will explain what a threat model is and how it is embedded in the software development lifecycle. A voice control application will be used to demonstrate the single responsibility principle and the principle of least privilege. The report also reviews practical aspects of creating service-oriented architecture apps in a Yocto Linux environment, such as using D-Bus IPC and selecting suitable secure programming languages (out of Go, Rust, Python, Node.js, and Java). The speaker touches upon isolation of vulnerable code that processes untrusted input data.

Language: Russian

Graduated from the Lobachevsky State University of Nizhny Novgorod. Started his career as a trainee at Intel in Nizhny Novgorod, then worked as a mathematician programmer at ASCON. Currently a programmer and team lead at MERA. A system developer who mainly works with Yocto Linux and Android-based services and daemons; is interested in telephony and voice control. As a security researcher, is involved in white-box audits. Supports privacy, anonymity, and security of users. An adherent of ethical hacking and free software.