PHDays technical program: how to break IoT, bypass Windows Hello and protect yourself from a quantum computer
Applications to speak at Positive Hack Days are still being accepted. By popular demand, we are extending the Call for Papers until March 31. This means that everyone who wants to speak at the forum has a couple more weeks to apply.
Recently, we announced that the first keynote speaker of PHDays 8 will be Ilfak Guilfanov, the well-known developer of the IDA Pro disassembler and the Hex-Rays decompiler. Today we present a group of speakers whose talks have already been included in the main PHDays program. This year, forum visitors will learn how to bypass a corporate face recognition system, what dangers smart cars pose, and how attackers crack IoT devices.
The information security director of the near future
Over the past few years, business has suffered huge losses as a result of the actions of criminals and hacktivists. The threat landscape is constantly changing, so now more than ever, it is important to maintain an information security model in which security solutions come from an understanding of the risk to the business and the capabilities of hackers.
The effectiveness of a company's information security policy depends not only on organizational and technical measures, but also on the competence of its employees. Today, in many critical sectors, information security solutions are outdated, and the skills of specialists do not develop along with technology and do not meet the requirements of the business. Whom should we train: people or computers? We need money, but how do we translate the CISO's requirements into the CEO's language? These questions will be answered by Eddie Schwartz, executive vice president of DarkMatter, a member of the international board of directors of the Information Systems Audit and Control Association (ISACA) and chairman of the association's information security team. Prior to DarkMatter, Schwartz was Director of Security at Verizon and Director of Security at RSA.
Argentinean information security expert and Cinta Infinita CEO Nahuel Grisolía will again speak at PHDays. He specializes in web application security and hardware hacking. Grisolía discovered vulnerabilities in McAfee, VMware, ManageEngine, Oracle, Websense, Google, Twitter, as well as in the free software Achievo, Cacti, OSSIM, Dolibarr and osTicket.
At the fifth PHDays forum, Grisolía held a master class on RFID. This time the subject is the modern authentication platform Auth0, which serves more than 2,000 customers and handles 42 million authorizations per day. The talk is devoted to the security concept of JSON web tokens, authentication and authorization, cryptography, and methods of intercepting and manipulating HTTP traffic. The speaker will talk about a vulnerability that allows authentication to be bypassed and compromises all applications that use Auth0.
Bypassing Windows Hello in one, two, three
Windows Hello is Microsoft's biometric system, which includes iris scanning, fingerprint scanning, and face recognition. It is used for passwordless sign-in on Windows devices and for authorization on websites and in applications.
Matthias Deeg, head of SySS, Germany’s leading provider of penetration testing services, will talk about his Windows Hello research and demonstrate how simple methods can bypass different versions of the system.
Smart car as a weapon
Modern smart cars are not just a means of transportation, but real computers, crammed with advanced infotainment programs. New technologies open up wide opportunities for attackers: threats that used to be characteristic of the computer world are now relevant for cars.
Two representatives of Ixia, chief security researcher Stefan Tanase and senior software developer Gabriel Cirlig, examined a car with an integrated infotainment system that is completely isolated from the network infrastructure of the vehicle itself. They found a large amount of data stored in the clear. The authors of the study will show how an attacker can track the car's movements and break into network access points using the on-board computer.
How to break IoT
Another speaker at PHDays is Noam Rathaus, one of the founders of Beyond Security, a company specializing in the development of enterprise security assessment technologies. Rathaus is the author of four books on open-source information security and penetration testing. He has discovered more than 40 vulnerabilities in various software and also created about a third of the code base of Nessus, a program for automatically searching for known vulnerabilities.
His talk “Substitute your device under the Internet” is devoted to the security of the Internet of Things. Noam Rathaus will talk about the various vulnerabilities that his team discovered in the products of well-known vendors and give recommendations on protecting IoT devices.
The topic of IoT security will be continued by Andrei Biryukov, leading information security engineer at AMT-GROUP. In the Fast Track section, he will give a talk titled “M2M Leaky Clouds: How to Break IoT”. Forum participants will learn how cloud technologies (including open-source ones) are used to manage IoT devices. The speaker will show a video of the exploitation of the most interesting vulnerabilities and give recommendations on how to fix them.
Protection against quantum computers
In February 2016, NIST published a report on post-quantum cryptography. It describes the algorithms that are considered vulnerable to a quantum computer; almost all algorithms made the list.
Sergey Krendelev, Head of the Laboratory of Modern Computer Technologies at Novosibirsk State University, will talk about the problems that arise in connection with the “quantum threat” and about the algorithms and protocols of post-quantum cryptography. He will give examples of various digital signature algorithms, hash functions and key exchanges, and discuss the problems that will probably be encountered in the practical implementation of post-quantum cryptography and public key infrastructure.
By the way, Sergey Krendelev, like Nahuel Grisolía, spoke at PHDays V. His talk “The Soviet supercomputer K-340A and the security of cloud computing” was devoted to the processing of encoded data using non-standard encryption algorithms.
Bug bounty perks
Owners of publicly accessible resources suffer serious reputational and financial losses due to vulnerabilities. QIWI CISO and Vulners.com co-founder Igor Bulatenko will address the flaws in existing ways of dealing with vulnerabilities and the benefits of bug bounty programs. Attendees will learn why bug bounty is more profitable than pentests and a large information security team and is better for financial stability and company reputation, as well as who needs (and who does not need) to open such a program. Igor will also share QIWI's experience and talk about how the company deployed its bug bounty program.
A full list of talks will be published on the PHDays website in April. For more information on topics and rules for participation, see the Call for Papers page.
The industrial partner of the Positive Hack Days forum is the Moscow factory FIZPRIBOR; the forum partner is R-Vision; the exhibition sponsor is Group-IB; the participants of the Confrontation are the Informzaschita company and “Perspective monitoring”; technology partners include Cisco, Moxa, and Advantech.