Crazy car, semi-legal TPM and liquid nitrogen: what NeoQUEST-2014 will be remembered for
Hello, Habr! In this article we share the materials from the talks at NeoQUEST-2014, which took place on July 3 in St. Petersburg, and tell you about the event itself.
So, under the cut:
- Presentations from the talks:
  - “In MESH: how secure are mesh networks?”
  - “The Internet is in the order of things”
  - “Useless PC Speaker”
  - “tpm.txt: what can overseas iron do?”
  - “How to steal a cat via USB”
  - “A car as a big smartphone: cyber security threats”
- the presentation and many photos showing the chronology of the cold-boot attack.
That same July 3 ...
... it was uncharacteristically sunny for Petersburg. Yet despite such a rare chance to sunbathe, there were a large number of guests in the conference hall of the Resource Center for International Activities all day.
Early in the morning
The event opened with the talk “In Meshing: How secure are mesh networks?”, which highlighted the relevance of mesh networks (in particular, ad-hoc and DTN) and related information security incidents.
The discussion of mesh networks flowed smoothly into the talk “The Internet in the Order of Things”, which covered what the Internet of Things is, why it is so difficult to build effective protection for “networks of things”, and which modern protection methods are most relevant.
Between the first presentations, the lively host Dmitry Kuzenyatkin helped the guests feel at ease, arranging fun contests and generously rewarding the winners and participants with a truly masculine gift: socks with the NeoQUEST logo!
In addition to socks, mugs, lanterns and elegant cane umbrellas were raffled off (this is Peter, baby!). The umbrellas came in handy for the lucky winners that very evening, when, in keeping with St. Petersburg custom, a downpour broke out.
In the middle of the talk “Useless PC Speaker”, the technical contests had already begun: the audience had to work out what message the “grunt” was squeaking! The idea was that the audio message was Morse code and needed to be decoded. However, there were no radio operators among the spectators, so no one managed to read the Morse code by ear, and the guests decoded the message only after a hint was published on Twitter.
An intriguing chess competition: anyone could play chess with one of the organizers of NeoQUEST, and the organizer guessed the player's age from the pieces the player moved. Sounds like IP guessing, doesn't it? However, the solution is absolutely logical and directly related to mathematics. You can test yourself: the problem statements are on our Twitter (here and here).
In addition, a quiz called "Unified State Examination on Information Security" ran on the NeoQUEST Twitter throughout the day, with tasks that test your wits in information security! Active guests puzzled over reverse Polish notation, features of SVG files and POSTNET coding, and not everyone managed even the elaborately crafted Caesar cipher!
For those who were tired of sitting and wanted some vigorous activity, an "escape" room was assembled, where a flash drive with artificial intelligence, password-protected smartphones, various sensors, alarms and tracking devices awaited anyone who wanted to feel like a spy.
To win a prize, a participant had to pass all sections of the room successfully. However, a siren sounded in the hall every now and then, announcing that a participant in the first section had been spotted!
After the coffee break, the talks continued with the overview “I2P and TOR: you cannot be executed. Is anonymity on the Internet an illusion or a reality?”, and after it came the talk many guests had long been waiting for, on TPM and TXT (“tpm.txt: what can overseas iron do?”). The talk covered what TPM is, where to get it (how to enable it), how to work with it, and much, much more!
After the next coffee break, the guests gathered in anticipation of the promised cold-boot attack. A few slides of a stylish comic-style presentation, and the show began! To the music of The Prodigy and, as we promised, with the help of the guys from the audience!
Checking whether cold-boot really made it possible to decrypt the passwords entered by guests from the audience was somewhat delayed: it happened to be the very Thursday on which Windows installs updates. While the updates were installing, the guests listened to the talk “How to Steal a Cat via USB”, devoted to security threats when synchronizing smartphones with a PC. The talk was accompanied by a demonstration of how to intercept and modify data during synchronization. Possible methods of counteracting such attacks were also considered: on the PC side (the isolating approach) and on the smartphone side (the cryptographic approach). For each approach, the pros and cons were described and key fragments of the implemented source code were presented.
After the talk, the guys proudly announced the successful completion of the experiment: the password was recovered from memory and, what is extremely important, it was the very password that a guest from the audience had made up in secret from the organizers of the attack!
Lots of photos of the cold-boot attack!
Evening “in the car”
The final chord of the evening was the talk “Car - a smartphone on wheels. Fasten your cyber seat belts!”, which prompted a large number of questions and discussions. By the way, Crazy Car stood in the parking lot near the NeoQUEST venue, demonstrating all the potential vulnerabilities of a modern car that can be exploited by cybercriminals.
To be continued...
One of the key events of NeoQUEST 2014 was Hackquest, a cybersecurity competition among the winners of the February online round. To get the main prize, a trip to one of the international conferences on information security, the guys had to get through 5 difficult and completely different tasks covering the security of Web, hardware, mobile and network technologies. Participants were given 8 hours to complete them and, by the way, one task was not solved by anyone!
Who won, what the tasks were and, most interesting of all, how to solve them: all that in our next article about NeoQUEST!