It's finally happened! Once the videos of reports and hands-on-labs from Positive Hack Days were published, we decided to move on, so now you can also view the presentations of the forum’s reports. For your convenience we provide links not only to the slides but also to the videos of the reports (if they were made).
Keynote Reports
Video of Bruce Schneier's report is available here from 01:00 p.m. The guru of cryptography talked about his own security philosophy, which surprised most of the visitors. He thinks that law breakers (hackers) may not only cause harm but be useful as well.
Datuk Mohd Noor Amin is the Chairman of the International Multilateral Partnership Against Cyber Threats (IMPACT). He leads the first United Nations-backed public-private partnership against cyber threats, with the UN’s International Telecommunication Union (ITU) as its partner. With 137 countries as members, IMPACT is also recognized as the world’s largest cybersecurity alliance [video], [presentation ENG].
Telecom
Report: Sergey Gordeychik. How to hack a telecom and stay alive 2. Owning a billing [video], [presentation]
Where to look for the keys to a technological network? How to obtain the billings without interfering with the main business of a company? The speaker answered these questions and shared new illustrative and funny examples of penetration testing performed for telecommunication networks.
State Sector
Report: Mikhail Yemelyannikov. Why it is impossible to comply with Russian private data protection law? [video], [presentation RUS]
Report: Andrey Fedichev, FSTEK of Russia. Why state secrets leak to the Internet? [video], [presentation RUS]
Report: Alexey Lukatsky. How presidential election in Russia influences information security market, or Trends in regulations. Video is available here from 04:00 p.m. [presentation RUS].
Network Protection
Report: Vladimir Styran. The truth about the lie. Social engineering for security experts [video], [presentation RUS]
Hands-on-lab: Andrey Masalovich. Internet competitive intelligence. Video is available here from 04:08 p.m. [presentation RUS].
Using practical examples, participants of the workshop acquired skills in applying analytical technologies to real problems of competitive intelligence, including methods for rapid detection of confidential information leaks; fast detection of open partitions on servers; methods of penetration on the FTP server without hacking protection; password leak detection methods; methods of access to confidential documents via bypassing DLP; and means of penetrating into sections behind 403 error messages. The techniques were demonstrated on portals of companies that are certainly well protected (such as the leaders of the IT and IS markets, large state organizations, intelligence, etc.).
Hands-on-lab: Dmitry Ryzhavsky. Wireless network security. How your network was hacked and how it could be avoided [video], [presentation RUS]
The report considered the most relevant methods of obtaining unauthorized access to a Wi-Fi network and demonstrated the mechanisms that Cisco Unified Wireless Network offers to protect against the described attacks.
Hands-on-lab: Nikhil Mittal. Breaking havoc using a Human Interface Device [video], [presentation]
This hands-on-lab focused on a highly dangerous and yet widely neglected computer security issue: the vulnerability of Human Interface Devices (HIDs).
Report: Sylvain Munaut. Abusing Calypso phones [video], [presentation]
Report: Andrei Costin. PostScript: Danger ahead! Hacking MFPs, PCs and beyond [video], [presentation]
Videos of demonstrations:
Visitors of the hands-on-lab learnt typical vulnerabilities of network protocols, operating systems and applications. The speaker described the sequence of different types of attacks on computer systems and networks and made recommendations to strengthen their security. Students were immersed in a practical environment, where they saw how a system is really hacked, so that they can subsequently anticipate possible actions of a hacker and successfully resist them.
Report: Travis Goodspeed. Exploiting radio noise with packets in packets. Video is available here from 03:10 p.m. [presentation].
This talk showed peculiarities of PIP writing, including working examples for IEEE 802.15.4 and the Nordic RF low-power radios.
SAP, SCADA, ERP
Report: Alexey Yudin. ERP as viewed by attackers. Video is available here from 03:00 p.m. [presentation RUS].
Report: Evgeniya Shumakher. A lazy way to find out your fellow worker's salary, or SAP HR security [video], [presentation RUS]
Report: Alexander Polyakov. SAP insecurity: the new and the best [video], [presentation]
This report focused on the ten most interesting vulnerabilities of SAP systems, from problems with encryption to bypassing authentication, and from easy mistakes to sophisticated attack vectors. A large proportion of the vulnerabilities were presented to the public for the first time.
Participants of this workshop learnt how to perform security assessment of SAP R/3 and NetWeaver systems (including application servers and infrastructure) by means of available tools.
Report: Mikhail Afanasyev. SCADA security. Web vector [presentation RUS]
Web Security
Hands-on-lab: Vladimir Lepikhin. Web application attacks. The basics. Video is available here from 09:00 a.m. [presentation RUS].
The mechanisms of attacks on web applications, and the techniques and tools used by attackers (specialized scanners, security utilities, use of their results during manual analysis), were presented in a systematic form. Practical examples clearly demonstrated the major weaknesses of web applications that make attacks possible, and illustrated the shortcomings of the protection tools in use and the methods to bypass them.
The speaker presented the DNS exfiltration technique using SQL injection, described its pros and cons, and provided illustrative examples.
Report: Vladimir Vorontsov. Attacks against Microsoft network web clients [video], [presentation 1], [presentation 2].
The report covered methods of attacks on Internet Explorer users functioning as part of Microsoft networks. The considered attacks are aimed at obtaining confidential information about users both on remote servers (bypassing access policy restrictions) and local PCs.
Hands-on-lab: Andres Riancho. Web 2.0 security. Advanced techniques [video], [presentation]
The hands-on-lab covered protection techniques against attacks exploiting XML and HPP/HPC, as well as Click Jacking and Session Puzzling.
Report: Sergey Scherbel. Not all PHP implementations are equally useful. Video is available here from 04:00 p.m. [presentation].
The reporter considered detected security problems and operational features of Web applications using third-party implementations of PHP and gave examples of 0-day vulnerabilities.
Report: Thibault Koechlin. Naxsi, an open source and positive model based web application firewall [video], [presentation].
Report: Aleksey Moskvin. On secure application of PHP wrappers [video], [presentation RUS].
Videos of demonstrations:
Report: Vladimir Kochetkov. Hack an ASP.NET site? It is difficult, but possible! [video], [presentation]
The reporter presented examples of new 0-day attacks and possible exploitation techniques including a brand new type of Code Injection.
Mobile Security
Hands-on-lab: Manish Chasta. Securing Android applications [video], [presentation 1], [presentation 2]
The talk briefed the audience on the techniques of discovering and mitigating vulnerabilities in any Android Mobile Application. In addition to this, the presentation covered Android rooting, SQLite database analysis, ADB and mobile server related threats. The audience also learnt about the proposed OWASP Top 10 for mobile applications.
Report: Marcus Niemietz. Hijacking attacks on Android devices [video], [presentation]
Hands-on-lab: Sergey Nevstruev. Practicalities of Mobile Security [video], [presentation RUS]
Report: Artyom Chaikin. Mobile device Trojan in action [presentation RUS]
Botnets Control
Report: Maria Garnayeva. The techniques of putting a spoke in botmasters' wheels: the Kelihos botnet. Video is available here from 09:10 a.m. [presentation RUS].
Report: Alexander Lyamin. DDoS Surveillance HowTo. Part 2. Video is available here from 05:03 p.m. [presentation].
Report: Fyodor Yarochkin and Vladimir Kropotov. Life cycle and detection of bot infections through network traffic analysis [video], [presentation]
Hands-on-lab: Pierre-Marc Bureau. Win32/Georbot. Understanding and automated analysis of a malware [video], [presentation].
It is the first hands-on-lab in the world related to this botnet.
Issues Of Password Protection
Report: Alexey Zhukov. Lightweight cryptography: resource-undemanding and attack-resistant. Video is available here from 12:00 p.m. [presentation RUS].
Report: Dmitry Sklyarov and Andrey Belenko. Secure password managers and military-grade encryption for smartphone: Huh, really? Video is available here from 10:15 a.m. [presentation].
Report: Alexander (Solar Designer) Peslyak. Password security: past, present, future [video], [presentation].
The report addressed the issues of password protection in a historical perspective, as well as the prospects of authentication technologies in the near future.
Report: Benjamin Delpy. Mimikatz to restore passwords for Windows 8 [video], [presentation]
Hackers And Money
Report: Aleksandr Matrosov and Eugene Rodionov. Smartcard vulnerabilities in modern banking malware. Video is available here from 11:07 a.m. [presentation].
The speakers described the study of the most common banking malware, as well as the discovery of interesting vulnerabilities by using two-factor authentication and smart cards. The report also covered techniques and tricks used by hackers to conduct anti-forensics.
Report: Micha Borrmann. Paying with credit cards in the Internet can result in headache [video], [presentation]
Report: Nikita Shvetsov. Three new stories about attacks on remote banking systems [presentation].
Report: Dmitry Kuznetsov. Payment application security [presentation].
Practical Security
Hands-on-lab: Boris Ryutin. Security without antivirus software [video].
The participants of this four-hour master class got basic knowledge of detecting Trojans in OS, learnt the most recent Trojan development techniques for Windows (SpyEye, Carberp, Duqu), considered Trojans for Android and got acquainted with actual exploits (PDF, Java).
Report: Dmitry Evdokimov. Light and dark side of code instrumentation [video], [presentation]
The reporter described methods of instrumentation (Source Code Instrumentation, Bytecode Instrumentation, Binary Code Instrumentation).
Report: Nikita Tarakanov and Alexander Bazhanyuk. Automated vulnerability detection tool. Video is available here from 05:00 p.m. [presentation].
Report: Igor Kotenko. Program agent cyberwars [video], [presentation RUS]
Report: Ulrich Fleck and Martin Eiszner. From 0-day to APT in terms of favorite framework [video], [presentation 1], [presentation 2]
Report: Alexey Lafitsky. Defense of industrial control systems – a factor of mankind survival [presentation RUS]
Report: Alexey Sintsov. How to hack VMWare vCenter in 60 seconds [presentation]
Anonymous and LulZ
Report: Jerry Gamblin. What we can (and should) learn from LulzSec [video], [presentation].
Report: Haythem El Mir. How Tunisia resisted attacks by Anonymous. Video is available here from 02:10 p.m. [presentation ENG].
Other topics
Report: Evgeny Tsarev. Fraud prevention the way it is done in Russia [presentation RUS]
Report: Vasily Pimenov. Application of quantitative risk assessment against fraud in communication network [presentation RUS]
Report: Konstantin Mytkin. Smart technologies. Developer's point of view [presentation RUS]
Report: Alexandr Dorofeev. Social engineering technologies — is it difficult to "hack" people? [presentation 1 RUS], [presentation 2 RUS]
Round table: Dmitry Ershov. Human resources. Assembly instruction [presentation RUS]
P.S. All presentations are available on SlideShare.
You can see how the event went on Twitter by using our hashtag #PHDays.