October 14, 2011 at 13:37

ZeroNights Conference


    Communicating at international security conferences, I often came across the question of Russian events. Everyone was very surprised at the answer: until recently in Russia there were no full-fledged information security conferences. That is why I am very pleased to talk about the new ZeroNights conference, which is organized by the Russian DEFCON community with the support of Digital Security.

    At the moment, reports are being selected and by November 1, a team of independent experts will select the most worthy. The program committee includes: Chris Kaspersky (Intel, USA), Dave Aitel (CEO Immunity, USA), Peter Van Iekhout (CorelanTeam, Belgium), The Grugq (COSEINC, Thailand), Evgeny Klimov (PWC, Russia), Ilya Medvedovsky ( DigitalSecurity, Russia), Alexander Matrosov (ESET, Russia) and your humble servant. By the way, it’s not too late to apply for a speech.
    I will introduce speakers and reports that have already been officially announced in the conference program.

    Conference program


    Samuel Shah (NetSquare): "The Third Web War . "
    Founder and CEO of Net-Square Solutions, author of a bunch of books on information security, regular speaker at the best world conferences: Blackhat, RSA, HITB, IT Underground, CanSecWest, etc.
    Samuel will share his thoughts on (e) the evolution of protocols, HTML5 and other standards with a complex fate. Bug exploitation in browsers, innovative vulnerability exploitation technologies combined with the classic web-hack low-level attacks, the security of mobile browsers and many other new attack vectors are just some of the topics that will be covered in Samuel's report.

    Fedor YarochkinFedor Yarochkin (Amorize): “Analysis of illegal Internet activities .
    Information Security Analyst and Software Architect at Armorize Technologies. An old-school hacker, our compatriot, the author of X-Probe and co-founder of the GuardInfo consulting company, now residing in Taiwan. Fedor will share his personal experience in analyzing computer security incidents using specific cases as examples covering mobile malware, targeted attacks, commercial computer crime, and others. In addition, we will focus on the practice of studying suspicious activity using honeypot networks.

    Aleksey Sintsov (Digital Security): “Where does the money lie?”
    Aleksey is the head of the security audit department at Digital Security, a specialist in the field of exploit development, and the author of a number of new techniques for exploiting vulnerabilities, research, and exploits ( from public) In his report, Alexey will talk about security problems in remote banking systems: many specific 0day vulnerabilities in real online banking systems will be shown (all information is anonymized). In addition, common errors of all developers of popular domestic products will be considered. And of course, it will be told what all this leads to in terms of the likelihood of theft of funds.
    • The most stupid errors of RBS
    • How to send a payment without EDS
    • Practical tips for “bypassing” tokens in 5 minutes
    • Attacks on the bank or on the client from the inside - what and how, the experience of a pen tester.
    • Efficiency of protection systems (anti-fraud, IPS, firewalls)


    Alexander Polyakov (DigitalSecurity): “Do not touch, or it will fall apart: hacking business applications in extreme conditions”
    Technical Director of Digital Security, a regular speaker at leading world security conferences, the happy father of the SAP ERPScan security scanner, author of the book “Oracle Security through the eyes of the auditor: attack and defense ”and OWASP-EAS project manager.
    In his report, Alexander will show a number of vulnerabilities in business applications, the search for which he and his colleagues spent no more than 5 minutes in their free time: in an airplane, train or hotel, when there is no Internet, there is no familiar environment like fuzzers, sniffers and debuggers , but there is only a notepad and installed software. A small guide to finding vulnerabilities in extreme conditions using live examples. Who will be the test subjects? Probably everyone knows these names: Documentum, 1C, SAP, PeopleSoft, Oracle BI.

    Dmitry Chastukhin: “Practical attacks on Internet kiosks and payment terminals”
    A student at the St. Petersburg Polytechnic, actively and successfully working in the field of security of SAP systems, the author of several studies that have identified a number of critical vulnerabilities in such large projects as Yandex.Maps, Google docs and Vkontakte. In addition, Dmitry is one of the co-authors of the OWASP-EAS project and actively participates in international conferences: Hack in the Box and BruCON.
    In his report, Dmitry will talk about the practice of hacking Internet kiosks, payment terminals, flight registration systems and other devices with Internet access that can be found at airports, hotels and train stations. The report will show photographs and videos of real attacks of these systems in various parts of the world from Russia and Europe to India, Asia and the United States.

    Alexey Lukatsky (Cisco):
    “The Boston matrix of cybercrime or what is the modern hacker’s business model?”
    Cisco business security consultant, member of the ARB / Central Bank working group on the development of the 4th and 5th version of the Bank of Russia standard, member of the ARB advisory center on the application of 152- Federal Law "On Personal Data".
    Alexey’s report will focus on the world of cyber crime and a built-in business model: custom-made developments, malware sales auctions, shadow labor exchanges, various mechanisms for cashing in the money earned, an extensive affiliate network, marketing and advertising, support services for viruses and trojans sold.

    Alexander Matrosov (ESET): “Current Trends in the Development of Malware for RBS Systems”
    Director of the Center for Viral Research and Analytics ESET, author of a number of studies of the most interesting and complex threats (Stuxnet, TDL3, TDL4, Carberp, Hodprot), author of the training course "Software Protection", which he personally teaches at the Department of Cryptology and Discrete Mathematics, NRNU MEPhI .
    In his report, Alexander will talk about the development trends of banking Trojans from the point of view of an anti-virus company employee. We are talking about vulnerabilities in remote payment systems, and more specifically about how they are used by cybercriminals in the most common Trojan programs aimed at Russian banks. The issues of circumventing security software and methods of counteracting forensic examinations that are used in modern banking Trojans will also be examined.

    Live Hacking Contests


    Everyone loves the competitions, and the organizers of the conference decided to hold them in a special way. There will be no fictitious situations at Zeronights. Those who wish will be provided with real hardware and software systems and systems. On such systems, everyone can test their ability to search for new 0day vulnerabilities online. ACU-TP, payment terminal, server with SAP system and much more.

    In addition, various other contests from conference partners will be available: a competition to bypass WAF, search for vulnerabilities, reverse engineering and, of course, the traditional competition for breaking locks (lockpicking): prizes will be chained with locks and they will be picked up by the person who opens the lock first . A detailed description of the competitions is available on the conference website .
    Tags:

    Also popular now: