ZeroNights 2018 Results

    This year, ZeroNights was held at the A2 club in St. Petersburg and brought together more than 1000 participants from around the world, including managers and employees of information security services, programmers, researchers, analysts, pentesters, journalists and everyone interested in the applied aspects of information security.



    The conference featured 60 speakers from 9 countries: France, Spain, Germany, China, Malaysia, Malta, Kazakhstan, Russia and Armenia. They represented various companies: Airbus, Facebook, Synacktiv, Kaspersky Lab, Tencent Security Xuanwu Lab, Shape Security, Wrike, X41 D-Sec GmbH and others.



    The main topics of the conference:


    • How attackers can take over a mobile device via its Wi-Fi chip
    • How faxes can become enemies in the corporate network
    • Which USB device drivers for Windows contain a large number of vulnerabilities
    • How Git web servers extend an attacker's capabilities
    • How hardware can be used to compromise network equipment and infrastructure
    • How attackers can use the UPnP protocol to hide their network activity
    • What problems there are with security and with the process of closing vulnerabilities in the products of Russian process administration systems
    • What the consequences are of the rash use of new technologies in client development
    • How errors in compilers can be used to embed backdoors in software
    • How a system can be infected down to the BIOS level
    • That the NTLM Relay attack is still dangerous and can be used in new ways
    • How to quickly and efficiently evaluate the security of network equipment configuration files
    • What the security issues in SD-WAN technology are
    • How development systems can be attacked and used against their owners
    • How GPU virtualization tools can be used to attack the system
    • What vulnerabilities and problems can be found in widely used products and libraries: ImageMagick, Redis, SCADA systems and Node.js projects

    ZeroNights also hosted various activities: hacker quests, the Web Village track and the Hardware Zone.


    Web Village


    It's nice to see Web Village drawing a huge audience again and again.



    By now it is a tradition: a steady stream of talks from seasoned web security specialists with extensive practical experience. See for yourself, this time among the speakers: Mail.Ru, Yandex, Kaspersky Lab, Digital Security, Sploitus, Acunetix, Deteact, Rambler. We also consider it a big plus that there was a complete absence of company PR, product pitches and arguments about the market. But, of course, the main achievement of ZeroNights 2018 is the high level of preparation of the talks, with fresh, non-hackneyed examples:


    1. Do you know everything about XSS? I bet you will still learn something new from this talk - Read
    2. Still inserting the Blind XSS vector by hand? Then we are coming to you! - Read
    3. XSS didn't work again? Apparently there is a CSP; now we will bypass it - Read
    4. Why do the same actions manually when you can automate the search for vulnerabilities? - Read
    5. Do you want to hack the browser, but do not know where to start? - Read
    6. A pentester's look at a typical developer infrastructure - Read
    7. Atypical vulnerabilities, or how to make a MEGABUG from several absolutely legitimate features - Read
    8. An overview of the features and problems of PHP that can, and inevitably do, lead to vulnerabilities - Read
    9. What (de)serialization is, how it is implemented in PHP and how it can be dangerous - Read
    10. What to do if you come across SpEL, the Expression Language for the Spring Framework - Read
    11. It is not so easy to patch a vulnerability so that three more do not appear. Fix like a PRO - Read


    What are our plans for next year?


    • We will definitely plan for more chairs and sofas :)
    • We will arrange more activities. The security quiz from Mail.ru and Yandex proved that it is fun and cool.
    • The number of people willing to speak in the WV track is growing, which is great to see. It looks like we will have to organize a separate CFP.
    • We will try to leave behind not only presentations, but also full-fledged cheat sheets.

    Hardware Zone



    Conference guests could take part in the Hardware Zone for two days. Full-length talks from the stage covered the practical security of ATMs and IoT, tools and methods for analyzing hardware protocols, and much more.



    Participants could hack a vending system and an in-game currency based on NFC cards, which could then be spent at the bar. To complete the task, participants used information from several workshops by Pavel Zhovner, as well as the hardware tools available at the stand. Anyone could apply this knowledge in practice and test their skills in analyzing wireless protocols and attacking typical representatives of the IoT world, receiving as a result useful and memorable gifts (proxmark3, chameleon mini, BBC Microbit).



    The activity of the participants shows an undying interest in the security of embedded devices and hardware hacks, so we will continue the Hardware Zone tradition and increase the number of educational talks and competitions.


    Contests


    The venue also hosted activities from our partners.


    Mail.ru held a contest for pneumatic hacking; the winners earned $100 and Bug Hunter hoodies.



    SEMrush gave away a MacBook Air, a Sony PlayStation 4 Pro and a DJI Spark quadcopter as prizes in the Crush SEMrush competition. Participants had to find vulnerabilities in the service with the WAF disabled.



    Certificates for English classes at the largest online school could be won in the Skyeng partner area.



    In the DefHack hacker quest, participants tried on the role of a "white hat" hacker in a virtual dystopian world. In the “Slot Machine” competition, a one-armed bandit whose game is built on blockchain, the jackpot was 100 units of cryptocurrency, and the first to hack the system received a ticket to ZeroNights 2019.


    The opening of the conference also featured a party headlined by the musical project The Dual Personality, winners of the Linkin Park remix contest and participants of the Alfa Future People electronic music festival.



    We thank each participant of the conference, as well as partners who supported ZeroNights this year: Yandex, Mail.ru, Sberbank, Epam, SEMrush, Digital Security.


    • Video presentations are available on our YouTube.
    • Photos from the conference are available here.
    • Conference materials can be found here.


    For those who read to the end, a competition! For the most informative feedback about ZeroNights 2018, we will give away our cool merch: first place gets a backpack, second and third get sweatshirts. Send your feedback, with a detailed story about what you really liked or didn’t like at all at the conference, to visitor@zeronights.org, marked “Feedback for merch”. We are for honesty!


    And see you at ZeroNights 2019!

