Introducing PHDays VI Reports: How to Hack a Fare Card, Set Up a Honeypot, and Sell Vulnerabilities

On January 31, the first wave of applications to join Positive Hack Days was completed. The forum on information security will take place on May 17 and 18, 2016, at the Moscow World Trade Center. If you want to take part in the forum, you can apply in the near future: the second wave of Call for Papers will hit on February 17 and will last till March 31.

For now, we will announce the first participants enrolled in the Tech program. PHDays attendees will learn how to snatch a large sum at Microsoft and test transport systems security with a smartphone, and know the ins and outs of the zero-day vulnerability market.

Honeypot

Terrence Gareau, a recognized expert in DDoS attack mitigation, prevention, and recovery, will make his debut at PHDays. He will outline how to develop a honeypot network and produce a data feed that can be used to protect online assets with Kibana, Elasticsearch, Logstash, and AMQP. Terrence Gareau will open-source a monitoring system (a project his team has been developing for the last two years) for reflective DDoS statistics that are external to any specific network.

Reward chasers, or Who is who in the exploit market
Alfonso De Gregorio, the founder of BeeWise and a principal security researcher at secYOUre, will speak at the international forum for the second time. He will continue the topic of the previous talk, exploit selling. Alfonso will speak about the vulnerability supply chain's participants, zero-day exploits brokers, and ethical questions that arise in the business.

How to make a lifelong travel card

Matteo Beccaro, an Italian security researcher, will talk about transportation security, frauds, and technological failures. The speaker will cover some severe vulnerabilities in real-world transportation systems based on NFC technologies and introduce an open-source application designed to pentest such systems via a smartphone. The talk will attract both professional and amateur pentesters.

Web application security with JavaScript

Client-side JavaScript injection may be used to detect and prevent various attacks, search for vulnerable client components, detect leakage of data about web app infrastructure, and find web bots and malicious tools. The Positive Technologies experts Denis Kolegov and Arseny Reutov will show how to ensure application security with JavaScript share their own injection detection methods that employ syntax analyzers without signatures or filtering regular expressions. They will also discuss implementation of client-side JS honeypot to capture SSRF, IDOR, command injection, and CSRF attacks.

How to snatch a large sum at Microsoft 

Until recently, Microsoft refused to launch a bug bounty program despite the fact that it has become a customary practice for competitors. Now, however, Microsoft pays researchers for certain types of vulnerabilities from USD 100 up to USD 100,000. Several recent exciting changes to the Microsoft Bounty Program include the competitive aspect of listing out its Top 100 finders.

Jason Shirk, the principal security strategist for MSRC, will explain how the MSRC works with researchers, what bounties are available, and what other rewards can be earned. He will also uncover some secrets behind big bounties that have been paid.

The complete list of reports will be available on the PHDays official site in April. To participate for free, you can present your report on information security or to take part in one of the forum's hacking contests or in the cyberpunk short-story competition. You can also buy a ticket to get to PHDays. Starting from February 15, the price for the full 2-day conference registration will be 9,600 rubles and 7,337 rubles for one day. On March 1, the cost will go up to 14,400 and 9,600 rubles respectively.