The Positive Hack Days — international forum on practical information security.
How much does it take to hack a mobile network?
Is electronic government secure
in the era of WikiLeaks and Anonymous?
Is SCADA hacking a Hollywood fiction
or the nowadays reality?
Internet banking: is there any chance to win
over the fraudsters? Cyber-crimes, cyber-espionage, cyber-war: where do we draw a borderline?
Presentations from Positive Hack Days 2012 Published
It's finally happened! When videos of
reports and hands-on-labs from Positive Hack Days were published, we decided to
move on. So now you have an opportunity to view presentations of the forum’s reports.
For your convenience we provide links not
only to the slides but to the videos of the reports as well (if they were
Video of Bruse Schneier's report is
from 01:00 p.m. The guru of cryptography told about his own security philosophy
that surprised most of visitors. He thinks that law breakers (hackers) may not
only cause harm but be useful as well.
Datuk Mohd Noor Amin is the Chairman of the
International Multilateral Partnership Against Cyber Threats (IMPACT), he leads
the first United Nations-backed public-private partnership against cyber
threats with UN’s International Telecommunication Union (ITU) as its partner,
and with 137 countries as members, IMPACT is also recognized as the world’s
largest cybersecurity alliance [video],
Sergey Gordeychik. How to hack a telecom and stay alive 2.Owning a billing [video],
Where to look for the keys to a
technological network? How to obtain the billings without interfering with the
main business of a company? The speaker answered these questions and shared new
illustrative and funny examples of penetration testing performed for
Report: Roman Kaplya. Operators'
cooperation against fraud [presentation RUS]
Mikhail Yemelyannikov. Why it is impossible to comply with Russian private data protection
Andrey Fedichev, FSTEK of Russia. Why state secrets leak to the Internet?
Alexey Lukatsky. How presidential election in Russia influences information security
market, or Trends in regulations. Video is available here
from 04:00 p.m [presentation RUS].
Vladimir Styran. The truth about the lie. Social engineering for security experts [video],
Hands-on-lab: Andrey Masalovich. Internet
competitive intelligence. Video is available here
from 04:08 p.m [presentation RUS].
By using practical examples, participants
of the workshop acquired the skills of using analytical technologies in solving
real problems of competitive intelligence, including methods for rapid
detection of confidential information leaks, fast-detection of open partitions
on servers, methods of penetration on the FTP server without hacking
protection; password leak-detection methods; methods of access to confidential
documents via bypassing DLP; means of penetrating into sections behind 403
error messages. Techniques were demonstrated on examples of portals in
certainly well-protected companies (such as the leaders of the IT and IS
markets, large state organizations, intelligence, etc.).
Hands-on-lab: Dmitry Ryzhavsky. Wireless
network security. How your network was hacked and how it could be avoided [video],
In the course of the report the most
relevant methods of obtaining unauthorized access to WiFi-network were
considered, and the mechanisms, proposed by Cisco Unified Wireless Network to
protect against the described attacks, were demonstrated.
Hands-on-lab: Nikhil Mittal. Breaking havoc
using a Human Interface Device [video],
This hands-on-lab focused on a highly
dangerous and yet widely neglected computer security issue — vulnerability of
Human Interface Devices (HIDs).
Visitors of the hands-on-lab learnt typical
vulnerabilities of network protocols, operating systems and applications. The
speaker described the sequence of different types of attacks on computer
systems and networks and made recommendations to strengthen the security of
computer systems and networks Students were immersed in a practical
environment, where they saw how to really hack the system to subsequently be
able to anticipate possible actions of a hacker and successfully resist them.
Travis Goodspeed. Exploiting radio noise with packets in packets. Video is available here from 03:10 p.m.
Report: Evgeniya Shumakher. A lazy way to find out your fellow worker's salary, or SAP HR security [video],
Report: Alexander Polyakov. SAP insecurity: the new and the best [video],
focused on ten most interesting vulnerabilities of SAP systems from problems
with encryption to bypassing authentication, and from easy mistakes to sophisticated
attack vectors. A large proportion of vulnerabilities were presented to the
public for the first time.
Participants of this workshop learnt how to
perform security assessment of SAP R/3 and NetWeaver systems (including
application servers and infrastructure) by means of available tools.
Report: Mikhail Afanasyev. SCADA
security. Web vector [presentation RUS]
Hands-on-lab: Vladimir Lepikhin. Web application attacks. The basics. Video is available here from 09:00 a.m.[presentation RUS].
The mechanisms of attack on web
applications, techniques and tools (specialized scanners, security, utilities,
using the results of their work during manual analysis) used by violators were
provided in a systematic form. Practical examples clearly demonstrated major
weaknesses of web applications that make it possible to conduct attacks,
illustrated by the shortcomings of the means of protection in use and methods to
The report covered methods of attacks on
Internet Explorer users functioning as part of Microsoft networks. The considered attacks are aimed at obtaining
confidential information about users both on remote servers (bypassing access
policy restrictions) and local PCs.
Hands-on-lab:Andres Riancho. Web 2.0 security. Advanced techniques [video],
The hand-on-lab covered protection
techniques against attacks exploiting XML and HPP/HPC, as well as Click Jacking
and Session Puzzling.
Report: Sergey Scherbel. Not all PHP implementations are equally useful. Video is available here from 04:00 p.m. [presentation].
The reporter considered
detected security problems and operational features of Web applications using
third-party implementations of PHP and gave examples of 0-day vulnerabilities.
Report: Sergey Scherbel. Not all PHP implementations are equally useful. Video is available here from 04:00 p.m,
Report: Thibault Koechlin. Naxsi, an open source and positive model based web application firewall [video], [presentation].
Report: Aleksey Moskvin. On secure application of PHP wrappers [video],
The talk briefed the audience on the
techniques of discovering and mitigating vulnerabilities in any Android Mobile
Application. In addition to this, the presentation covered Android rooting,
SQLite database analysis, ADB and mobile server related threats. The audience
also learnt about the proposed OWASP Top 10 for mobile applications.
Report: Marcus Niemietz. Hijacking attacks on Android devices [video],
Hands-on-lab:Sergey Nevstruev. Practicalities of Mobile Security [video],
Artyom Chaikin. Mobile
device troyan in action [presentation RUS]
The report addressed the issues of password
protection in a historical perspective, as well as the prospects of
authentication technologies in the near future.
Report: Benjamin Delpy. Mimikatz to restore passwords for Windows 8 [video] ,
Hackers And Money
Report: Aleksandr Matrosov and Eugene Rodionov. Smartcard vulnerabilities in modern banking malware. Video is available here from 11:07 a.m. [presentation].
described the study of the most common banking malware, as well as the
discovery of interesting vulnerabilities by using two-factor authentication and
smart cards. The report also covered techniques and tricks used by hackers to
Report: Micha Borrmann. Paying with credit cards in the Internet can result in headache [video],
Report: Nikita Shvetsov. Three new
stories about attacks on remote banking systems [presentation].
The participants of this four-hour master
class got basic knowledge of detecting Trojans in OS, learnt most recent Trojan
development techniques for Windows (SpyEye, Carberp, Duqu), considered Trojans
for Android and got acquainted with actual exploits (PDF, Java).
Report: Dmirty Evdokimov. Light and dark side of code instrumentation [video],
The reporter told
about methods of instrumentation (Source Code Instrumentation, Bytecode
Instrumentation, Binary Code Instrumentation).
Report: Nikita Tarakanov and Alexander Bazhanyuk. Automated vulnerability detection tool. Video is available here from 05:00 p.m. [presentation].