POSITIVE HACK DAYS




Smart TV Insecurity

Authors: Donato Ferrante, Luigi Auriemma

At the beginning, TVs were just supposed to be TVs. They were used to make people's lives happier. Nowadays, TVs are fully featured PCs with a proper OS, camera, microphone, web browser, and applications. They still make people happy, especially the malicious ones. This talk will detail the current status of Smart TVs, exploring their attack surface, detailing possible areas of interest, and demonstrating some issues the speakers found while assessing the security of Smart TVs from different vendors.

Language: English

Donato Ferrante
Prior to founding ReVuln Ltd., Donato was a Security Researcher for Research In Motion (BlackBerry), where his daily job was performing security research and vulnerability assessments of RIM-authored code, products and services, including infrastructure, devices, and the QNX operating system. Before moving to RIM, Donato analyzed and reversed several rootkits, malware, mobile malware and exploits for Sophos Antivirus. He presented one of his research projects on Java malware and Java Virtual Machine exploits (inREVERSE) at the CARO workshop in Prague. Donato has found several vulnerabilities in well-known commercial products and open source software; his first publicly disclosed security advisory was released in 2003.

Luigi Auriemma
Luigi has been in the security field for more than a decade. As an independent security researcher (aluigi.org), he is a world-recognized expert in this field and has discovered more than 2000 vulnerabilities in widely used software. The following are some key points of Luigi's work: the highest number of security vulnerabilities disclosed in SCADA/HMI software (General Electric, Siemens, ABB, Rockwell, Invensys, Schneider, InduSoft, CoDeSys and many others); the best-known server-side Microsoft vulnerabilities found by him (ms12-020, ms11-035); research on Smart TV vulnerabilities; and security vulnerabilities affecting the most widespread multiplayer game engines, libraries, middleware and games.


Mobile Network Attack Evolution

Author: Karsten Nohl

Mobile networks should protect users on several fronts: Calls need to be encrypted, customer data protected, and SIM cards shielded from malware.

Many networks are still reluctant to implement appropriate protection measures in legacy systems. But even those who add mitigations often fail to fully capture attacks: they target symptoms instead of solving the core issue.

This talk discusses mobile network and SIM card attacks that circumvent common protection techniques to illustrate the ongoing mobile attack evolution.

Language: English

Karsten Nohl is a cryptographer and security researcher. He likes to test security assumptions in proprietary systems and typically breaks them.


SCADA Strangelove: Hacking in the Name

Author: Positive Technologies

The SCADA Strangelove team will present a report on industrial control systems for the second time at PHDays.
This year the team members are going to speak about new systems and vulnerabilities, discuss PLC, ICS and SCADA security nightmares. Especially for packet lovers, the researchers will address security of specific ICS protocols used by ABB, Emerson, Honeywell and Siemens. Such common techniques as fingerprinting, vivisection, bruteforcing, fuzzing are in scope. Vulnerability releases are expected as well.

Language: Russian

ICS Security Team of Positive Technologies (www.ptsecurity.com).


Impressioning Attacks: Opening Locks with Blank Keys

Authors: Deviant Ollam, Babak Javadi, Keith Howell

Impressioning is the art of fabricating a working key for a lock using only a hand file, a blank key, and keen observation. Without taking any mechanisms apart, and while only accessing a locked door from its secured side, it is possible to manipulate a lock in such a way that it will “leak” information, allowing for a full decoding of the pins within. This attack sometimes takes longer than conventional lockpicking, but it is very effective and if successful it will result in total compromise of the lock not just one time… but for all time. This presentation will demonstrate the art of impressioning, and attendees will be able to try these attacks themselves afterward in our hands-on area.

Language: English

While paying the bills as a security auditor and penetration testing consultant with his company, The CORE Group, Deviant Ollam is also member of the Board of Directors of the US division of TOOOL, The Open Organisation Of Lockpickers. Every year at DEFCON and ShmooCon Deviant runs the Lockpicking Village, and he has conducted physical security training sessions for Black Hat, DeepSec, ToorCon, HackCon, ShakaCon, HackInTheBox, ekoparty, AusCERT, GovCERT, CONFidence, the FBI, the NSA, DARPA, and the United States Military Academy at West Point. His favorite Amendments to the US Constitution are, in no particular order, the 1st, 2nd, 9th, & 10th.

Babak Javadi is a hardware hacker with a wayward spirit. His first foray into the world of physical security was in the third grade, where he received detention for describing to another student, in words alone, how to disassemble the doorknob on the classroom door. After years of immersion in electronics and computer hardware hacking, he found his passion in the puzzling and mysterious world of high security locks and safes. After serving as a driving force within the locksport community for almost a decade and helping found the US division of The Open Organisation of Lockpickers, he has recently re-embraced the beauty of the baud and resumed hardware hacking with a vengeance. He currently serves as the President of the US group of The Open Organisation of Lockpickers (TOOOL) and is the founder of The CORE Group, a security research and consulting firm.

Trained as an Electronics Engineer by the British Army, Keith Howell became interested in computers and began his learning path with a TRS-80, and has owned most Intel-based processors since then. After joining UUNET Technologies in 1995, he became interested in the security of networks and computers, and in 1998 joined the UUNET InfoSec team. Following the ‘dot-bomb’ period in 2001, Keith returned to his electronics background and began doing physical security, including Access Control, Alarm Systems and Locksmithing. Keith is a CISSP as well as an ALOA CRL (Certified Registered Locksmith). Currently, Keith is a Security Consultant in the Washington, DC area, where he is contracted to Assurance Data Inc in Alexandria, VA.


Misuse of "Secure" Protocols and Their Exploitation

Author: Vladimir Dubrovin

It’s a common situation when protocols designed for information protection are used without understanding their purpose, specification and limits. This results in serious flaws, which at best make the protection useless, and in worst case scenarios bring new, much more serious security problems. The talk will cover cases of protocol misuse, both well-known (related to SSL/TLS and Onion Routing) and previously unexamined. The speaker will demonstrate new attack vectors and expose several 0-day vulnerabilities (in Google, Yandex, and Mail.ru).

Language: English

Vladimir Dubrovin (aka 3ARA3A) is a graduate of the Lobachevsky State University of Nizhni Novgorod (Department of Computing Mathematics and Cybernetics), the editor of securityvulns.ru and developer of 3proxy.


Give Me Your Data!

Author: Dave Chronister

We hear news stories every day about malicious hackers compromising the sensitive data of corporations, governments and individuals. But that is only half of the story. The genesis of this presentation stems from the idea that, even today, data is still not stored securely. Professional Hacker, Dave Chronister, conducted a research project to find out if he could gain access to sensitive data. The catch? He would not hack any systems, all data must be collected legally. From purchasing devices on Facebook and bidding for Hard Drives on eBay, to monitoring public file sharing sites, and anonymously accessible servers, Chronister will unveil methods to retrieve information and show his findings - which are very surprising.

Language: English

Dave Chronister – C|EH, CISSP, MCSE, C|HFI – is the founder and Managing Technology Partner of the ethical hacking firm Parameter Security. Growing up in the wild world of 1980s BBSes and the early Internet, Chronister obtained a unique firsthand look at the mind, motives, and methodologies of hackers. Chronister has provided ethical hacking services, auditing, forensics, and training to clients worldwide. Chronister’s expertise has been featured in many media outlets including CNN, CNBC, CNN Headline News, ABC World News Tonight, Bloomberg TV, CBS, FOX Business News, Computer World, Popular Science, Information Security Magazine, St. Louis Post-Dispatch, and St. Louis Business Journal, to name a few.


ID and IP Theft with Side-Channel Attacks

Author: David Oswald

Side-channel analysis (SCA) is a powerful tool to extract (cryptographic) secrets by observing physical properties (power consumption, EM) of a target device. After an intro to SCA and related methods, the speaker will demonstrate the practical relevance of SCA with two case studies: first, how SCA can be used to circumvent the IP protection (bitstream encryption) of FPGAs. In a similar way, AES keys of one-time password tokens can be extracted, allowing an attacker to steal digital identities.

Language: English

David Oswald received his PhD in IT-Security in 2013 and is currently working at the Chair for Embedded Security, Ruhr-University Bochum. His main field of research is the practical security analysis of embedded systems, e.g., commercially employed RFID smartcards. The focus is on attack methods that exploit weaknesses in the physical implementation of mathematically secure cryptographic algorithms. Those techniques include both (passive) side-channel analysis and (active) fault injection. He is co-founder of the Kasper & Oswald GmbH, offering innovative products and services for security engineering.


Development of Techniques of Exploit Generation on the Basis of Binary Code Analysis

Authors: Andrey Fedotov and Vadim Kaushan

The report covers approaches to generating code injection exploits for binary programs when a crash dump is available. The speakers will analyze the results their colleagues obtained using APEG, and AEG both with a crash dump and on its own. They will consider the research directions needed to implement these technologies and will demonstrate how to obtain practical results.

Language: Russian


Botnet History Illustrated by BlackEnergy 2

Authors: Maria Garnaeva and Sergey Lozhkin

The report touches upon botnet history as exemplified by BlackEnergy 2. Its early life was marked by downloading a DDoS module. Then separate modules with other functionality were detected. However, the situation has turned upside down recently: specialists at Kaspersky Lab have detected the downloading of modules designed for current routers. The speakers will explain who infects such routers, how, and why.

Language: Russian

Maria Garnaeva and Sergey Lozhkin are antivirus experts at Kaspersky Lab.


Are Specialized Solutions a Cure-all? Discussing MDM, BYOD, etc.

Author: Kirill Kertsenbaum

New information security products and solutions (BYOD, MDM, NGF, WAF, APT, etc.) appear every year. What do these abbreviations stand for? Are the newest protection technologies really that good? How can we use them, and do we really need them? Do they provide complete protection or just give IT and IS specialists a hard time? And in general, can security ever be complete?

Language: Russian

Kirill Kertsenbaum graduated from the Faculty of Economics of Moscow State University of Instrument Engineering and Informatics (MGUPI), specializing in Economic Information Systems.
He has been professionally involved in various aspects of information security for more than 8 years, including sales support for information security hardware and software and technical expert review of information security projects.
He worked in the Russian offices of major Western information security vendors from 2007 to 2011. Kirill joined Kaspersky Lab as the Head of Global Presale Support in 2011. He now holds the position of Global Business Development Manager for the Endpoint Protection Platform.


Problems of Automated Generation of Exploits on the Basis of Source Code

Authors: Sergey Plekhov and Alexey Moskvin

Automated generation of exploits and source code analysis have their intricacies. For example, using only static analysis, one is unable to monitor the interaction of an application with a database, to analyze obfuscated code, or to reveal vulnerabilities caused by system misconfiguration. Meanwhile, dynamic analysis requires an application to be deployed (installed and configured), which is difficult to achieve if the application is a complex enterprise solution. Moreover, there are a number of vulnerabilities that are undetectable by fuzzing (dynamic analysis). In real life, neither static nor dynamic analysis gives complete code coverage or reveals all vulnerabilities. Static analysis produces a large number of false positives, which devalues the resulting reports if the detected vulnerabilities cannot be verified. The authors present the results obtained with an approach combining both static and dynamic analysis, which allows not only detecting vulnerabilities but also generating exploits for them.

Language: Russian

Sergey Plekhov is a leading expert at Positive Technologies. He specializes in security analysis of application source code with static and dynamic methods.

Alexey Moskvin is a security expert at Positive Technologies. He specializes in solving application source code analysis tasks.


Internet of Things Cryptography

Author: Alexey Zhukov

More and more devices get connected to the World Wide Web every year. An ordinary coffeemaker is likely to have its operating system and network access soon. Cryptography represents one of the basic technologies required for information security. The exploding Internet of Things (IoT) imposes new requirements on cryptography and cryptographers; the classic approaches are not applicable any more. What new algorithms and protocols does the IoT need? What new international standards to expect in the coming years?

Language: Russian

Alexey Zhukov is a Candidate of Sciences (Physics and Mathematics) at Bauman Moscow State Technical University and chairman of the board of directors of the RusCrypto association.


Crypto Hot Cases – One Year Backward

Author: Éric Filiol

This talk considers the recent history of cryptography and its control by the Western countries (mainly the USA) in light of the Snowden leaks. The speaker will also share a few non-public facts coming from personal and technical analysis: Snowden leaks, Heartbleed/OpenSSL, RSA backdoored products, Windows driver signature, Windows random number generation, Windows cache management, Google/ANSSI case, TAO project, etc. The speaker will try to forecast what the very near future could be and what we should fear/expect. He will finally offer a possible solution to mitigate this cryptography control in the future.

Language: English

Éric Filiol is the head of Operational Cryptography and Computer Virology Lab, ESIEA (France), and senior consultant in offensive cybersecurity and intelligence. He spent 22 years in the French Army (Infantry/Marine Corps). He holds an engineer diploma in cryptology, a PhD in applied mathematics and computer science and a Habilitation Thesis in Computer Science. He graduated from NATO in InfoOps. Éric Filiol is the Editor-in-Chief of the Journal in Computer Virology. He has been a speaker at international security events including Black Hat, CCC, CanSecWest, PacSec, Hack.lu, Brucon, and H2HC.


TPM 2.0 Security

Author: Oleg Verner

These days vendors add built-in Trusted Platform Module (TPM) chips to almost every computer, especially mobile devices (laptops, tablets, smartphones). Since such devices get thinner and thinner, the PCI and Mini PCI card slots through which information security hardware was normally plugged in are becoming history. In these circumstances the role of security chips increases drastically.
At Black Hat 2010 in Arlington, Christopher Tarnovsky (Flylogic Engineering) announced that he had managed to hack the Infineon SLE 66 CL PC TPM cryptoprocessor. How did the developers of the chip respond? The new version, TPM 2.0, is coming soon. What advanced features will the chip’s architecture include? How likely are new exploitation techniques to be discovered? What is the probable development scenario for the Trusted Computing Group standards?

Language: Russian

Oleg Verner has more than 15 years of experience in information security. He has conducted security audits and was among the developers of the centralized agent management system of the first Russian IKE/IPsec VPN. He has been contributing to the standards of the Trusted Computing Group for several years, and frequently speaks at the international TRUST conference.


Security Modelling of Access and Dataflow Control Using DP Models Theory

Author: Denis Kolegov

The talk will cover security modelling of logical access and data flow control in contemporary computer systems. The speaker will consider the approach to security modelling based on DP models theory, its advantages and capabilities, and the characteristics of its application when developing security mechanisms. The talk will address the main components, concepts and techniques of DP models. The speaker will present new modelling approaches targeted at software implementation of access control mechanisms.

Language: Russian

Denis Kolegov is a Candidate of Sciences and associate professor of the Information Protection and Cryptography Chair of Tomsk State University (TSU), and Senior Pentesting Engineer at F5 Networks. He graduated from TSU, the Department of Applied Mathematics and Cybernetics, where he specialized in computer security.


CUA as an SAP Attack Vector

Author: Dmitry Gutsko

The talk will cover the main vectors of attacks against SAP, particularly with CUA (Central User Administration) as a target. The speaker will review CUA vulnerabilities caused by architectural features, misconfigurations and unchanged default settings. Three attack possibilities will be discussed: obtaining control over one of the child CUA systems, getting hold of a communication link, and a situation with no control possibilities at all. The speaker will also advise on how to safely configure CUA systems in SAP landscapes.

Language: Russian

Dmitry Gutsko is an information security expert in the field of SAP. He graduated from MEPhI (2006), specializing in information security. He is currently the head of the SAP Applications Security Analysis Team at Positive Technologies. Dmitry has published many vulnerabilities and research papers on various SAP security topics.


Catching Shellcodes under ARM

Authors: Svetlana Gayvoronskaya and Ivan Petrov

Over the last few years the ARM platform has become very popular, and the software of ARM devices may contain memory vulnerabilities which can be exploited via shellcode. Although there are many tools for shellcode detection, most of them target the x86 platform. This research is an attempt to fill this gap. The speakers will analyze the applicability of the existing identification methods to ARM and consider possible heuristics for detecting shellcode written for this platform.

Language: Russian

Svetlana Gayvoronskaya is a former member of the CTF team Bushwhackers. Her interest in shellcode resulted in presentations at DEFCON, BlackHat, NOPCon and three times at RusCrypto. Her passion for hands-on experience with “big systems” led to a four-month project with Microsoft Research on automated detection of malicious tenants in cloud infrastructures. Currently Svetlana is working on her thesis on shellcode detection.

Ivan Petrov is a student and member of Bushwhackers. He researches the possibilities of ARM devices and writes Metasploit modules. He has already been published in a university collection of articles on the topic and has spoken at RusCrypto.


Threats to Control Systems of Contemporary Electric Substations

Author: Maxim Nikandrov

The talk analyzes real-life cyber security incidents and risks in control systems of contemporary electric substations. The special focus is on IEC 61850 vulnerabilities and practical methods of fixing them.
The speaker will describe a full-scale testing ground created in Cheboksary, imitating a real contemporary high-voltage electric substation. The results of testing the stability of its control systems, relay protection, and techniques of protection against cyber threats will be shared.
The presentation is based on the collaboration of R&D Center @ FGS UES, Kaspersky Lab, and ChEAZ.

Language: Russian

Maxim Nikandrov is an expert in power control systems and a Candidate of Sciences. He is the Head of the Control Systems Department at JSK ChEAZ (Cheboksary).


(No)SQL Timing Attacks for Data Retrieval

Author: Ivan Novikov

The author will focus on various search algorithms in SQL and NoSQL databases (binary search, hashes, etc.). The goal of the research was to explore these algorithms in order to perform timing attacks for data retrieval purposes.
Such attacks can be used mainly in the field of web applications. For example, key-value storage is often used for storing user sessions. The conceptual attack in this case is obtaining another user's session based on the creation time of new sessions.

Language: Russian

Ivan Novikov is CEO and lead security expert of Wallarm. Ivan has been engaged in research in the field of web application security since 2004 and has published numerous research papers in this field. He has received rewards from various bug bounty programs, such as those of Google, Facebook, Twitter, Nokia and Yandex. Currently, he is actively engaged in the development of a self-learning web application firewall system.


Visual Analytics on Guard of Information Security

Authors: Igor Kotenko and Yevgeniya Novikova

Methods of visual analytics significantly simplify a security administrator’s work, since these methods involve intelligent data processing algorithms and take account of the peculiarities of human visual perception of data.
The talk will cover the existing methods of visual data analysis designed for solving various tasks in order to provide protection against computer attacks. The efficacy of applying visual analysis is exemplified by the tools developed by the authors, specifically utilities for traffic analysis, attack modelling, security assessment, and detecting financial fraud in mobile payment systems.

Language: Russian

Igor Kotenko is a Professor, Doctor of Technical Sciences, and Head of the SPIIRAS Laboratory of Information Security Issues. He participated in various projects on developing new computer security technologies and managed projects of the European FP7 and FP6 framework programs and also projects commissioned by HP, Intel, F-Secure, etc. These projects resulted in the development of innovative methods for detecting network intrusions, modeling network attacks, network security assessment, security protocols development, security policies verification, etc.

Yevgeniya Novikova is a Candidate of Sciences and Senior Staff Scientist of the SPIIRAS Laboratory of Information Security Issues. She focuses her research on developing new models and methods of data visual analysis for intelligent information security management of computer systems. She takes special interest in public-key cryptography.


Reverse Engineering Automation

Author: Anton Dorfman

While reverse engineering, a researcher has to perform many routine tasks in order to find out what a program does and how. These include locating the code which implements a certain function, analyzing data dependencies at certain points of a program, identifying control dependencies, etc. For complicated software systems, using a debugger and disassembler is not enough. Apart from the Code Flow Graph (CFG) and decompiling, there are relatively new approaches, such as taint analysis, symbolic execution and dynamic binary instrumentation. However, there are also many technologies for raising the abstraction level of program representation and automating routine jobs. The talk will address the advantages of such technologies, examples of their application, and open-source utilities that implement them.

Language: Russian

Anton Dorfman is a researcher, reverser and assembly language fan. He dislikes routine jobs and is really interested in automating any reverse engineering task.
Anton graduated from Samara State Technical University with honors in 1999. He has lectured at his alma mater since 2001 and has published more than 50 papers on information security. In 2007 he successfully defended his thesis on analyzing and modelling malware behavior.
He has been an organizer and playing coach of student CTF teams since 2009. Anton took third place in the Best Reverser contest at PHDays 2012, presented a 4-hour workshop on mastering shellcode at PHDays III, and shared some ideas on data format reversing at ZeroNights 2013.


My Journey Into 0-Day Binary Vulnerability Discovery in 2014

Author: Alisa Esage (Shevchenko)

While the IT security research hotspot migrates constantly towards new technologies, the demand for binary exploitation today is higher than ever before, as proven by this year’s pwn2own contest stakes and outcomes. The question that bothers many is thus whether it is still possible to discover new, exploitable vulnerabilities in widely deployed and extensively audited applications, given today’s reality of an overwhelming tool base, research, computational power, and intelligence competition. The author says yes, and this is the report of her own journey along this path.
The presentation will detail the author’s own approach to the discovery of 0-day binary vulnerabilities, mostly based on fuzzing. Specific concepts and techniques which worked (or failed) will be demonstrated. Finally, the root cause analysis of a few 0-day vulnerabilities will be presented, along with a few ideas for bypassing exploitation mitigations.

Language: Russian

Alisa “Esage” Shevchenko is a self-taught offensive security researcher. She has been running her own company Esage Lab since 2009; co-founded Neuron, a hackspace in Moscow. She used to be occupied with reverse engineering, malware analysis, antivirus bypassing, penetration testing, cyber forensics, black-box software and hardware security auditing. Her current research interest is discovery and exploitation of 0-day binary vulnerabilities. Alisa spoke at such conferences as RusCrypto 2009, RECon 2011, InfoSecurity 2012, and ZeroNights 2012; published her works in such magazines as InfoSecurity Russia, (IN)Secure, Hakin9, VirusBulletin, and No Bunkum.


How to Intercept a Conversation Held on the Other Side of the Planet

Authors: Sergey Puzankov and Dmitry Kurbatov

Lately, phone call recordings can be found on the Internet and even heard on TV. It is obvious that such recordings were obtained without the knowledge of the subscribers. Many of us have received weird text messages and, after that, long bills for mobile services. The authors of the research are Sergey Puzankov and Dmitry Kurbatov, experts at Positive Technologies specializing in mobile network security. They will consider the range of possibilities open to an intruder who has accessed the holy of holies of telecom companies: SS7. The talk will address attacks aimed at disclosure of a subscriber’s sensitive data, including his or her location; changing enabled services; call forwarding; and unauthorized intrusion into a voice communication channel. Information about the signaling messages which can be used to perform these attacks is publicly available. The research also covers types of proactive protection against such attacks and methods of investigating incidents related to vulnerabilities in a signaling network.

Language: Russian

Sergey Puzankov graduated from Penza State University with a degree in Automated Data Processing Systems. He is interested in mobile network security. As an expert at Positive Technologies, he designed MaxPatrol 8 modules for security standards compliance for several types of GSM and UMTS mobile communication equipment.

Dmitry Kurbatov graduated from the Moscow State Institute of Radio Engineering, Electronics and Automation with a degree in Information Security of Telecommunication Systems. He has 7 years of experience in information security of corporate networks, business applications, and telecommunication equipment. An expert at Positive Technologies and the Positive Research Center, he has participated in organizing all Positive Hack Days forums. Dmitry has published many articles on information security.


PHP Object Injection Vulnerability in WordPress: an Analysis

Author: Tom Van Goethem

With approximately 19% of the web running on WordPress, it comes as no surprise that the security of this content management system has an enormous impact on a large number of users. Despite being open source, and reviewed by security researchers, WordPress is—just as any other software—prone to errors and vulnerabilities.
In this talk, the author will discuss how the unexpected behavior of MySQL led to the discovery of a PHP Object Injection vulnerability in the WordPress core. The author will also demonstrate how this vulnerability can be exploited in order to run arbitrary code on WordPress installations that enable a popular plugin.

Language: Russian

Tom Van Goethem is a PhD student at KU Leuven (Belgium).


Side Channel Analysis: Practice and a Bit of Theory

Author: Ilya Kizhvatov

The proposed talk is about side channel analysis of secure devices, a topic not so often addressed at hacker conferences. The speaker will introduce the conference community to side channels, present an overview, and explain the state of the art in this area, giving practical examples. After the talk, a listener should be able to understand whether a particular device is under threat of a side channel attack and how to protect it, and may be motivated to play around with side channel analysis just for fun.

Language: English

Ilya Kizhvatov is a senior security analyst at Riscure (Delft, Netherlands). He has 6 years of experience (half academic, half industrial) in embedded security, with the focus on side channel and fault attacks on cryptographic implementations, and 2 years of embedded software engineering experience. He spoke at scientific and industrial conferences and seminars.


OS X Drivers Reverse Engineering

Author: Egor Fedoseev

This is a technical report on the peculiarities of OS X driver analysis: it covers the main difficulties and ways to simplify the analysis. The report will be of interest to virus analysts and OS X security researchers.

  • Language
  • Russian

Egor Fedoseev has never worked in the information security industry. He works in the Ural Federal University and leads the student group Hackerdom. He has been engaged in reverse engineering since 2004.


In the Middle of Printers: (In)security of Pull Printing Solutions

Author: Jakub Kałużny

Big corporations and financial institutions need secure pull printing services that guarantee proper encryption, data access control and accountability. This research aimed to perform a MITM attack on multifunction printers with embedded software from the most popular vendors. The results are staggering: similar vulnerabilities were found in multiple solutions, exposing them to the breaking of the encryption, collection of any print jobs from the server, and printing at others' expense.

  • Language
  • English

Jakub Kaluzny has more than 7 years of experience in web programming focused on security (PHP, pgSQL, MySQL, bash scripting) and 3 years of experience in the software security lifecycle and penetration testing. He was listed in the Google Security Hall of Fame in 2013. In 2011 he spoke at the OWASP Poland Local Chapter on "Advanced data mining", focusing on the security aspects of data crawlers. In 2008 he presented his report "Ciphers and encrypted file systems" at the Open-source security conference in Warsaw. From 2010 to 2012 Jakub Kaluzny was Main Programmer and Security Officer at Homepay.pl (developing a financial intermediary platform, security hardening). He is now an IT security specialist at SecuRing (penetration tests, vulnerability assessment and threat modelling of web applications and network environments). He is expected to receive a bachelor's degree in Engineering in Applied Computer Science at the AGH University of Science and Technology, Cracow.


Cracking Pseudorandom Sequences Generators in Java Applications

Authors: Mikhail Egorov and Sergey Soldatov

Modern applications widely use random sequences for security-related tasks: encryption keys, authentication challenges, session identifiers, CAPTCHAs and passwords. The resistance of such applications to cracking strongly depends on the quality of their random sequence generators.

The talk will explain vulnerabilities found in Java applications that use pseudorandom generators and how to attack them successfully. The speaker will demonstrate a tool that effectively recovers the internal state of the generator (a.k.a. the seed) as well as previous and subsequent generator output values.
The research also covers the session ID generation mechanisms of different Java application servers and web servers, both open source and proprietary.

  • Language
  • Russian

Mikhail Egorov
Mikhail Egorov graduated from Bauman Moscow State Technical University in 2009 with a Master's degree in information security. He is an independent security researcher and an experienced Java/Python programmer. His areas of expertise include vulnerability research, fuzzing, reverse engineering, web application and network security. He has worked as an information security consultant and software developer at various companies and holds OSCP and CISSP certifications.

Sergey Soldatov
Sergey Soldatov is a Bauman Moscow State Technical University graduate and an independent security practitioner with more than 10 years of network security experience. He has extensive programming experience and has been involved in large ISP-related development projects. He has spoken at a number of conferences, including HITB and ZeroNights, and holds CISA and CISSP certifications.


Intercepter-NG: The New-Generation Sniffer

Authors: Alexander Dmitrenko, Ares

The report is devoted to a unique toolkit named Intercepter-NG, developed in Russia. Today it is the most advanced sniffer, with a lot of functions.
Ironically enough, it is more popular in other countries than in Russia, and the report is intended to change that. The speaker will not only review the utility's main distinctive features, but will give full details of two attacks with Intercepter-NG: MySQL LOAD DATA LOCAL injection, recently presented at Chaos Constructions, and DNS over ICMP, a little-known but powerful attack.

  • Language
  • Russian

Alexander Dmitrenko
Head of the Training Department at PentestIT, and author of articles on habrahabr.ru and in "Hacker" magazine.

Ares
PentestIT expert, the developer of Intercepter-NG.


Vulnerabilities on Various Data Processing Levels

Author: Omar Ganiev

Developers are becoming more security-aware and understand that user data should be properly processed and that sensitive data should not be available to unauthorized users. However, not all of them can distinguish between a user communication channel and a trusted data source; they tend to think at the level of their code's syntax. This later leads to unexpected discoveries of insecure input and output channels, since a program is not limited to its code alone but involves the whole associated infrastructure with all of its complex interactions.
The speaker will try to systematize insufficient input validation flaws (specifically in web applications) and draw the attention of both developers and security researchers to them.

  • Language
  • Russian

Omar Ganiev is a security assessment expert at IncSecurity, an HSE graduate (Department of Mathematics, 2012), and an active CTF contestant both as a member of several teams and individually (under the nickname Beched). He is a member of the RDot.Org independent community and the CTF team of the same name.
