New Talks at PHDays 2012: From Smart Card Vulnerabilities to SAP Hacking

    Why do leading companies in Russia lose every tenth ruble to errors and theft in their ICS environments? How many stadiums could be built with the money stolen from Russian remote banking (RB) systems? What are the real reasons for the tough battle between banks and hackers? We continue our overview of the talks by practitioners who have announced their presentations at PHDays 2012.

    Features of the fight against Russian fraud


    An interesting fact: on January 1, 2013, the provisions of the law on the national payment system come into force. In the event of an unauthorized debit from a client's account, the bank will be obliged to return the money to that account. In other words, today money is stolen from customers, and next year it will be stolen from the bank itself. That reason alone is enough for the banking community to declare a crusade against cybercriminals "working" with banking systems. Yevgeny Tsarev will try to explain how to make 2013 and the following years unhappy for such hackers in his report "The System of Countering Fraud in Russian". He will talk about the peculiarities of Russian fraud in the banking sector and the variety of fraud schemes, point out the reasons for the low efficiency of the Western approach, and demonstrate how to build a comprehensive security system.

    DNS exfiltration using SQLmap


    In military affairs, exfiltration is the tactic of withdrawing from territory under enemy control. During such operations, proper camouflage matters more than speed. Hackers who have gained access to a system are likewise in no hurry to pull data out: first, there is a high risk of being discovered; second, the information they need may only appear later. So the attacker's tooling sends information in small portions over covert channels, often ones never intended for data transfer at all. Croatian developer Miroslav Stampar, in his report "DNS exfiltration using SQLmap", will introduce the DNS exfiltration technique used together with SQL injection, discuss its pros and cons, and give live demonstrations.
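    As an added example (not from the article, and not sqlmap's own code), here is the defender's side of the pattern described above: a small Python check that scans constructed resolver log lines and flags client/zone pairs whose many distinct, long or high-entropy subdomains look like encoded data chunks rather than hostnames. The log format, the zone-splitting heuristic and the thresholds are assumptions for the example.

```python
import math
from collections import defaultdict
# Constructed sample resolver log lines (not from the article): "<time> <client> <qname>"
SAMPLE_LOG = """\
10:00:01 10.0.0.5 www.example.com
10:00:02 10.0.0.5 mail.example.com
10:00:03 10.0.0.7 3f9a1c7e2b0d4e8f6a1b.e1c2d3f4a5b6.exfil-example.net
10:00:03 10.0.0.7 9b7e6d5c4f3a2e1d0c9b.a7b6c5d4e3f2.exfil-example.net
10:00:04 10.0.0.7 1a2b3c4d5e6f7a8b9c0d.f0e1d2c3b4a5.exfil-example.net
10:00:05 10.0.0.5 cdn.example.com
"""


def shannon_entropy(s):
    """Bits per character; encoded payload chunks score higher than hostnames."""
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values()) if n else 0.0


def split_name(qname):
    """Crude split into (zone, subdomain): the last two labels form the zone.
    Assumption for this example; a real tool would use the public suffix list."""
    labels = qname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]), ".".join(labels[:-2])


def find_exfil_candidates(log_text, min_queries=3, min_avg_len=20, min_entropy=3.5):
    """Map (client, zone) -> stats for pairs whose distinct subdomains look like
    encoded data chunks (many of them, long, or high-entropy)."""
    per_pair = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines
        _, client, qname = parts
        zone, sub = split_name(qname)
        if sub:
            per_pair[(client, zone)].add(sub)
    flagged = {}
    for key, subs in per_pair.items():
        if len(subs) < min_queries:
            continue
        avg_len = sum(len(s) for s in subs) / len(subs)
        avg_ent = sum(shannon_entropy(s) for s in subs) / len(subs)
        if avg_len >= min_avg_len or avg_ent >= min_entropy:
            flagged[key] = {"queries": len(subs), "avg_len": avg_len, "avg_entropy": avg_ent}
    return flagged
```

    Run on the sample, only the 10.0.0.7 traffic to exfil-example.net is flagged; the ordinary example.com lookups stay below both thresholds.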

    Penetration methods through Internet Explorer


    Vladimir Vorontsov's report "Attacks on Web Clients of Microsoft Networks" presents methods for attacking Internet Explorer users operating within Microsoft networks. The attacks in question aim at obtaining confidential user data located both on remote servers (bypassing access policy restrictions) and on local PCs.

    Investigation of information security incidents in an automated process control system (SCADA Forensics)


    Attackers' interest in technological infrastructure and industrial control systems is becoming a trend. According to experts, leading Russian industrial companies lose up to 10% of their income to internal fraud, theft, irregularities in the execution of technological processes, and errors in the settings of measuring equipment. The specifics of an automated process control system call for a fundamentally new technical discipline: computer forensics in the environment of industrial automated systems.

    In addition, Andrey Komarov's report will describe mechanisms for preventing incidents in this area and the possibility of using Business Assurance Systems (BAS) to prevent economic fraud in the ICS sector (tampering with fuel dispenser readings, trading systems, accounting systems, tank sensors, fuel processing systems and discount cards). The report will be accompanied by a vivid demonstration of practically significant incidents that occurred in the top 10 largest industrial companies of various foreign countries. Andrey Komarov is Head of Audit and Consulting at Group-IB. He is currently participating on the Russian side in the development of the Penetration Testing Execution Standard (PTES).

    Smart Card Vulnerabilities: Issue Price


    For several years in a row, there has been a rapid increase in threats aimed at Russian remote banking (RB) systems (Shiz, Carberp, Hodprot, RDPdoor, Sheldor). Attackers manage to steal tens of millions of dollars every month; over a year that adds up to at least enough to build, for example, stadiums for the Spartak and CSKA football clubs.

    In preparing the report "Smartcard vulnerabilities in modern banking malware", Alexander Matrosov and Evgeny Rodionov studied the most common banking malware and identified interesting vulnerabilities in the use of two-factor authentication and smart cards. The report also discusses the techniques attackers use to hinder forensic examination. Alexander Matrosov is the director of the Center for Virus Research and Analytics at ESET, and Evgeny Rodionov analyzes complex threats at ESET.

    New and Popular SAP Hacking Techniques


    Over the past five years, interest in SAP security has grown exponentially. A great many topics have been covered publicly, from attacks on SAProuter and SAP web applications to low-level vulnerabilities in the SAP kernel and ABAP code. SAP has by now issued more than 2,000 vulnerability fixes for its products, but this is only the beginning. What vulnerabilities remain in SAP systems beyond the tiresome XSS, SQL injection and buffer overflows? Alexander Polyakov's report "SAP insecurity: new and better" will be dedicated to the ten most interesting vulnerabilities and attack vectors against SAP systems: from encryption problems to authentication bypasses, and from amusing bugs to complex attack chains. A considerable part of the vulnerabilities presented in the report will be shown to the public for the first time.

    Alexander Polyakov is CTO of Digital Security and one of the world's best-known SAP security experts.

    Hurry up with PHP - you make people laugh


    Some third-party PHP implementations can cut script execution time fivefold. But can they ensure stable and safe operation of web applications? Positive Technologies expert Sergey Shcherbel, in his report "Not all PHP is equally useful", will present the security problems identified and the peculiarities of running web applications on third-party PHP implementations, and will give examples of zero-day vulnerabilities. Sergey specializes in application security, penetration testing, and analysis of web applications and source code. He is a member of the PHDays CTF development team.

    Cybersecurity in Ukrainian


    Konstantin Korsun, a former officer of the SBU anti-cybercrime unit and director of "Website Partners Ukraine", will talk about the formation of the Ukrainian community of information security experts, which went from noisy meetings of Ukrainian IT "security folks" in Kiev pubs to the registration in 2012 of a public organization, the Ukrainian Information Security Group (UISG). Konstantin Korsun is currently the president of UISG. His report is called "Community of Information Security Professionals of Ukraine UISG. Achievements and Prospects".

    About using PHP wrappers safely


    Alexey Moskvin, a security expert at Positive Technologies, will continue the PHP topic. His talk on the safe use of PHP wrappers will cover vulnerabilities related to PHP wrappers. Such vulnerabilities have been discussed for a long time and are referenced in the OWASP Top 10 and WASC TCv2. However, a number of features of some wrappers and filters mean that even applications designed with security in mind may contain vulnerabilities, including critical ones.

    The report will examine techniques that make an application pass data its logic never intended to accept. This approach can be used to bypass web application firewalls and the application's built-in security filters, as well as to carry out attacks involving unauthorized file system access and arbitrary code execution. Examples of zero-day vulnerabilities discovered with the technique proposed in the study will be presented.

    Alexey specializes in static and dynamic security analysis of application source code and is part of the PHDays CTF development team.

    Instrumentation methods for analyzing complex code


    As development technologies advance, code becomes more complex (virtual functions, JIT code, etc.), and analyzing such code statically is extremely difficult. Various code instrumentation techniques come to the researcher's aid: frameworks such as Pin, Valgrind, DynamoRIO and DynInst are now an obligatory element of the security researcher's arsenal. Dmitry Evdokimov will talk about the existing instrumentation methods (source code, bytecode, binary code) in his report "Light and Dark Side of Code Instrumentation".

    Dmitry Evdokimov leads the Security-soft column in the Russian hacker magazine Xakep and is an expert on SAP security, covering both SAP internals (SAP Kernel and SAP Basis) and ABAP code.
