How much does it take to hack a mobile network?
Is electronic government secure
in the era of WikiLeaks and Anonymous?

Is SCADA hacking a Hollywood fiction
or the nowadays reality?
Internet banking: is there any chance to win
over the fraudsters?

Cyber-crimes, cyber-espionage, cyber-war: where do we draw a borderline?


Wednesday, February 26, 2014

PHDays IV Topics

How can you create a virus or a botnet for Android? What else do you get when you buy a hard disk drive at an eBay auction? What threats surround a SIM card owner? How can you get one-time password tokens?

Get answers to these questions and more at Positive Hack Days IV, the international information security event.

The final stage of Call For Papers started on February 17 and lasts until March 31. The first group of speakers for the technical program of PHDays IV has been selected. Abstracts of their papers are presented below.

Cyberweapon Against Mobile Networks
Mobile networks should protect users on several fronts: calls need to be encrypted, customer data protected, and SIM cards shielded from malware. Many networks are still reluctant to implement appropriate protection measures in legacy systems, but even those who add mitigations often fail to fully capture attacks because they target symptoms instead of solving the core issue. Karsten Nohl will consider mobile network and SIM card attacks that circumvent common protection techniques to illustrate the ongoing mobile attack evolution.

Karsten Nohl is a cryptographer and security researcher. He likes to test security assumptions in proprietary systems and typically breaks them.

Android Exploitation
Being the leader among mobile platform vendors, Google is now also known for vulnerabilities in Android. Trojans attack millions of users. Malware programs send messages to short numbers, steal money from credit cards, steal personal data, and spy on users through the camera. After the 4-hour hands-on lab, participants will find out more about the development of malware programs for Android and take part in Android exploitation.

The hands-on lab will be held by Aditya Gupta, the founder of Attify and a community member of Null (The Open Security Community in India). He will cover topics such as reversing and analyzing Android malware, auditing applications with manual and automated testing, going in-depth into Dex and Smali file manipulation, Webkit based exploitation and finally ARM exploitation for mobile devices.

Give Me Your Data! 
We hear news stories every day about malicious hackers compromising the sensitive data of corporations, governments and individuals. But that is only half of the story. You don't have to be a hardcore hacker to get sensitive information. Dave Chronister will present his report “Give Me Your Data!” to show that even today data is still not stored securely. He will not hack any systems during the experiment; all data will be collected legally. From purchasing devices on Facebook and bidding for hard drives on eBay, to monitoring public file sharing sites and anonymously accessible servers, Chronister will unveil methods to retrieve information and show his findings—which are very surprising.

Dave Chronister is the founder and managing technology partner of Parameter Security. Growing up in the wild world of 1980’s BBSes and early Internet, Chronister obtained a unique, firsthand look at the mind, motives and methodologies of hackers. Chronister has provided ethical hacking services, auditing, forensics and training to clients world-wide. Chronister’s expertise has been featured in the media including CNN, CNBC, CNN Headline News, ABC World News Tonight, Bloomberg TV, CBS, FOX Business News, Computer World, Popular Science, and Information Security Magazine.

Breaking One-Time Password Tokens
Side-channel analysis (SCA) is a powerful tool to extract cryptographic secrets by observing physical properties (power consumption, EM, etc.). David Oswald will present an intro to SCA and related methods and then demonstrate the practical relevance of SCA with two case studies: how SCA can be used to circumvent the IP protection (bitstream encryption) of FPGAs, and, in a similar way, how AES keys of one-time password tokens can be extracted, allowing an attacker to steal digital identities.

David Oswald received his PhD in IT-Security in 2013 and is currently working as the Chair for Embedded Security, Ruhr-University Bochum. He is also co-founder of Kasper & Oswald GmbH.

In the Middle of Printers
Big corporations and financial institutions need secure pull printing services which guarantee proper encryption, data access control and accountability. This research is aimed at performing a man-in-the-middle (MITM) attack on multifunction printers with embedded software from the most popular vendors. The results are staggering. Similar vulnerabilities have been found in multiple solutions, exposing them to broken encryption, collection of any prints from the server, and printing at others' expense.

Jakub Kaluzny, the author of the report, is an IT security specialist at SecuRing. He performs penetration testing, vulnerability assessments and threat modelling of web applications and network environments. He was inducted into the Google Security Hall Of Fame in 2013.

Vulnerabilities in Business Logic
Business logic vulnerabilities are the least studied and are usually ignored by researchers and pentesters. This is caused by the lack of automated detection and exploitation tools and testing practices, as well as by the absence of a clear theoretical foundation which would make the categorization process easier. However, considering the goal of business application analysis, business logic vulnerabilities should be the priority for pentesters, since logical attacks may lead to outcomes comparable to the consequences of remote arbitrary code execution. Vladimir Kochetkov will speak on theoretical issues of business applications that are basic to logical attacks. His report also covers partial domain logic modeling that allows defining potential vulnerabilities and possible attack vectors. Several real-life application business logic vulnerabilities will be analyzed as examples of the practical use of this technique.

Vladimir Kochetkov is an expert of the Positive Research Center (Positive Technologies). He focuses on security analysis of web-application source code and the theoretical side of information systems security. He also participates in the SCADA Strangelove project and is one of the developers of Positive Technologies Application Inspector. He contributes a lot to open code projects, such as

Stay Cool
People often become rash and chaotic during an IS incident and can destroy crucial evidence. The 4-hour hands-on lab “How to react to IS incidents: Investigation of a cyber-attack” focuses on a practical approach to incident investigation and learning how to act quickly and calmly to collect evidence, to analyze system logs, memory and disks, and to search for traces of a cybercrime. Participants will be provided with special instructional material and virtual machines, and will be offered several effective strategies to respond to simulated incidents.

The hands-on lab will be held by Alexander Sverdlov, an IT security officer at ProCredit Bank Bulgaria. It is not the first time that Alexander will present his work at PHDays. Last year he conducted a hands-on lab on cyber forensics.

Intercepter-NG: The New Generation Sniffer
The report focuses on the Intercepter-NG toolkit. Today it is the most progressive multifunctional tool for a pentester. Ironically, it is more popular outside of Russia. The author will give an overview of the tool's features and will discuss several examples of attack execution. Examples include: MySQL LOAD DATA LOCAL injection recently presented at Chaos Constructions, and DNS over ICMP, a little-known but powerful attack.

The report will be presented by Alexander Dmitrenko, Head of Training Department at PentestIT. He regularly writes articles for the Habrahabr tech blog and Hacker Magazine. Alexander will be assisted by Ares, an expert at PentestIT and the developer of Intercepter-NG.

Side Channel Analysis: Practice and a Bit of Theory
This topic is not often addressed at hacker conferences, so this time at PHDays we will consider two points of view. Besides David Oswald, Ilya Kizhvatov will present research on Side Channel Attacks. The speaker will introduce the conference community to side channels, present an overview, and explain the state of the art in this area, giving practical examples. Participants will be able to understand whether a particular device is under threat of a side channel attack, how to protect it, and maybe become motivated to play around with side channel analysis just for fun.

Ilya Kizhvatov is a senior security analyst at Riscure (Delft, Netherlands). He has 6 years of experience (half academic, half industry) in embedded security, with a focus on side channel and fault attacks on cryptographic implementations.

Nothing Happens by Chance... or Does It?
Sequences of random numbers are widely used by the protection systems of modern applications (encryption keys, session IDs, captcha, passwords). The resistance of such systems depends heavily on the quality of the random number generator. Mikhail Egorov and Sergey Soldatov will discuss vulnerabilities in Java applications that use pseudo-random number generators. Besides successful attack scenarios, the authors will demonstrate a tool that allows getting an internal state of a generator (a seed), as well as preceding and subsequent values. Participants will also learn how they could use the tool to attack real-life Java applications.

Mikhail Egorov is an independent researcher and programmer (Java, Python). He specializes in fuzzing, reverse engineering, web application and network security. Sergey Soldatov is an independent security practitioner with more than 10 years of network security experience and has been involved in large ISP related development projects.

Learning How to Reverse Engineer OS X Drivers Properly
MacBooks and Macs are commonly believed to be more secure than computers running Windows. However, recent sensational incidents such as free access to built-in iSight cameras speak for themselves. Egor Fedoseev will discuss analysis methods of OS X drivers, related challenges and ways to minimize efforts. His report “Reverse engineering of OS X drivers” also covers Mac driver features, existing problems of reverse engineering in IDA and possible ways to solve them. The research is interesting for analysts and OS X security specialists.

Egor Fedoseev works for the Ural Federal University (Ekaterinburg, Russia). He is the leader of the student group “Hackerdome” which was founded in 2005 by the Department of Mathematics and Mechanics of the university. Egor Fedoseev has been into reverse engineering since 2004.

Remember, you can apply until March 31 for an opportunity to present your research at Positive Hack Days IV in front of thousands of leading experts in information security. There are other ways to join the forum, too. Presentations that will take place at the forum on May 21 and 22 will be listed on the event's official website in April 2014.

