Security Meetup Report October 22


    On October 22, our office hosted another Security Meetup. There were five talks on various vulnerabilities and security topics: reverse engineering in the enterprise and the related business processes (using the Qiwi payment system as an example), unsafe data deserialization in PHP, how reliable two-factor authentication in mobile applications really is, earning money on bug bounty programs, and attacks that use a “dangerous” video file.

    Presentations by speakers:

    “Dangerous video”. Maxim Andreev, Cloud Mail.Ru.



    Maxim Andreev, a programmer on the Mail.Ru Cloud team, gave a talk on how a specially prepared video file can be used to carry out an SSRF attack, and explained how, even without being opened and watched, such a “dangerous video” makes it possible to deanonymize individual users and steal files from their computers.

    Video of the talk.
    Post on Habr.

    "Reverse Engineering in Enterprise." Alexander Secrets, Qiwi.



    Alexander Secrets is an information security expert at Qiwi. He spoke about business processes related to reverse engineering in enterprise, as well as how the experience of application analysis can improve the security level of infrastructure and applications.

    Video of the talk.

    "When a big brick wall becomes a wooden fence", or "how to get 1kk on Bug Bounty". Kirill Ermakov, Qiwi.



    Kirill Ermakov, CISO of the QIWI group of companies, spoke about the typical mistakes made by people who want to earn a million on bug bounty programs, and showed some interesting findings using popular Internet services as examples.

    Video of the talk.

    "Cell phones, money, two factors." Dmitry Evdokimov, DigitalSecurity.



    Dmitry Evdokimov, director of the research center at DigitalSecurity, spoke about two-factor authentication as it is used in mobile applications.

    Video of the talk.

    "PHP Unserialize Exploiting." Pavel Toporkov, Kaspersky Lab.



    Pavel Toporkov from Kaspersky Lab gave a presentation on how unsafe data deserialization in PHP is exploited and what exactly makes this vulnerability exploitable in real-world conditions.

    Video of the talk.

    See photos from the meetup here.
