PHDays video

Building Honeypots to Monitor DDoS

Author: Terrence Gareau

This talk will outline how to use services that are abused as DDoS reflectors to build a honeypot network that extracts valuable information from the Internet and produces a data feed for protecting online assets, built on Kibana, Elasticsearch, Logstash, and AMQP. The speaker will open-source a monitoring system for reflective DDoS statistics that is external to any specific network, a project his team has been developing for the last two years.
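
To make the data-feed side concrete, here is an added example (not the monitoring system the speaker is open-sourcing) of how a reflection honeypot turns its request log into a per-victim feed. The log format, the sample records and the port layout are assumptions made for this example; the one point carried over from the talk is that the spoofed source address of each amplification request is the victim, which is why a honeypot outside the victim's network sees the attack at all:

```python
"""Reflection-honeypot feed builder (added example; not the speaker's system).

A reflection honeypot emulates an amplification-prone UDP service (open DNS
resolver, NTP monlist, SSDP ...) but answers slowly or not at all, so that it
cannot itself be used as an amplifier. It still logs every request. Because
the attacker spoofs the source address to the victim, the *source* address in
the log is the DDoS target, which is what makes the feed useful to networks
the honeypot is not part of.
"""
import json
from collections import defaultdict

# Constructed sample log (not a real capture). Assumed record format:
#   epoch_seconds proto victim_ip victim_port honeypot_port req_bytes amp_bytes
# amp_bytes is what a real open reflector would have sent back for the request.
SAMPLE_LOG = """\
1462000000 ntp  203.0.113.7   80    123  48 4680
1462000000 ntp  203.0.113.7   80    123  48 4680
1462000001 ntp  203.0.113.7   80    123  48 4680
1462000001 dns  203.0.113.7   53    53   64 3200
1462000002 dns  203.0.113.7   53    53   64 3200
1462000002 dns  198.51.100.9  33000 53   64 120
1462000030 ssdp 203.0.113.7   80    1900 90 2700
"""


def parse_log(text: str) -> list[dict]:
    """One record per line; malformed lines are skipped rather than fatal."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 7:
            continue
        try:
            records.append({
                "ts": int(parts[0]),
                "proto": parts[1],
                "victim": parts[2],          # spoofed source = attack target
                "victim_port": int(parts[3]),
                "honeypot_port": int(parts[4]),
                "req_bytes": int(parts[5]),
                "amp_bytes": int(parts[6]),
            })
        except ValueError:
            continue
    return records


def summarize(records: list[dict], min_requests: int = 3) -> dict[str, dict]:
    """Aggregate per spoofed source (= victim). Sources below min_requests are
    dropped so that stray scanners do not end up in the feed."""
    per_victim = defaultdict(lambda: {"requests": 0, "req_bytes": 0,
                                      "amp_bytes": 0, "protos": set(),
                                      "first": None, "last": None})
    for r in records:
        v = per_victim[r["victim"]]
        v["requests"] += 1
        v["req_bytes"] += r["req_bytes"]
        v["amp_bytes"] += r["amp_bytes"]
        v["protos"].add(r["proto"])
        v["first"] = r["ts"] if v["first"] is None else min(v["first"], r["ts"])
        v["last"] = r["ts"] if v["last"] is None else max(v["last"], r["ts"])

    out = {}
    for ip, v in per_victim.items():
        if v["requests"] < min_requests:
            continue
        out[ip] = {
            "victim": ip,
            "requests": v["requests"],
            "protocols": sorted(v["protos"]),
            "duration_s": v["last"] - v["first"],
            # Bandwidth multiplier the attacker would have obtained from a real
            # reflector; the signal worth publishing for the victim's network.
            "amplification": round(v["amp_bytes"] / max(v["req_bytes"], 1), 1),
        }
    return out


def to_feed(summary: dict[str, dict]) -> str:
    """JSON lines: the shape Logstash/AMQP consumers ingest without a custom codec."""
    return "\n".join(json.dumps(summary[ip], sort_keys=True) for ip in sorted(summary))


if __name__ == "__main__":
    print(to_feed(summarize(parse_log(SAMPLE_LOG))))
```

The honeypot only logs; it must never return the amplified answer (or must rate-limit it hard), otherwise it becomes one more reflector. The JSON lines ship over Logstash or AMQP into Elasticsearch and chart in Kibana as they are.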

  • Language
  • English

Terrence Gareau is Chief Scientist at Nexusguard. Prior to joining Nexusguard, he was Principal Research Scientist at A10 Networks and Principal Security Architect and founding member of PLXsert at Prolexic Technologies. A recognized expert in DDoS attack mitigation, prevention, and recovery, he has shared his knowledge at international conferences including DEF CON, the Microsoft Digital Crimes Consortium, and RSA Conference.

Waf.js: How to Protect Web Applications Using JavaScript

Authors: Denis Kolegov and Arseny Reutov

The speakers will demonstrate how client-side JavaScript injection can be used to detect and prevent various attacks, find vulnerable client-side components, detect leakage of information about the web application's infrastructure, and identify web bots and malicious tools. They will also share their own injection detection methods, which rely on syntax analyzers rather than signatures or filtering regular expressions, and discuss the implementation of a client-side JS honeypot that captures SSRF, IDOR, command injection, and CSRF attacks.

  • Language
  • Russian

Denis Kolegov is a web application security researcher at Positive Technologies, holds a PhD, and is an associate professor in the Information Security and Cryptography Department at Tomsk State University. He has spoken at numerous security conferences, including ZeroNights, Positive Hack Days, SibeCrypt, and Codefest. His collaborative research on HTTP covert timing channels is listed among the Top 10 Web Hacking Techniques of 2014. Prior to joining Positive Technologies, Denis was a senior security engineer at F5 Networks.

Arseny Reutov is a web application security researcher at Positive Technologies. He has participated in various CTF contests and bug bounty programs and has been acknowledged by Zend, Nokia, Yandex, Barracuda, and others. He speaks at infosec conferences such as ZeroNights and CONFidence and helps organize Positive Hack Days. His collaborative research on brute-forcing PHPSESSID is listed among the Top 10 Web Hacking Techniques of 2012. He has maintained a web security blog since 2008.

Reverse Engineering of Binary Structures Using Kaitai Struct

Author: Mikhail Yakshin

The talk will cover current approaches to reverse engineering binary files: where to start, what to expect at the end, and which tools are typically used. The speaker will demonstrate Kaitai Struct, a new declarative language for describing binary data structures that compiles those descriptions into ready-made parser libraries for supported languages such as C++, Java, JavaScript, Python, and Ruby. Practical reverse engineering examples will round out the picture.

  • Language
  • Russian

Mikhail Yakshin is chief Linux developer at Whitebox Labs, a Swiss company that develops open-source hardware and software for managed ecosystems (reef aquariums, terrariums, aquaponics, hydroponics, and so on), where he reverse-engineers the communication protocols of third-party proprietary components.

Scalable and Effective Fuzzing of Google Chrome

Author: Max Moroz

The talk gives an overview of ClusterFuzz, Chrome's distributed fuzzing system, which finds security bugs in real time and provides a reproducible test case for every crash, and describes the advantages of using various sanitizers together with libFuzzer (a library for guided, in-process fuzzing). It also covers detailed statistics on the types of bugs found in Chrome and gives an insight into the trials and tribulations of distributed fuzzing, including how you can run your own fuzzers on Google's infrastructure and earn Chrome bounties for the bugs they find.

  • Language
  • Russian

Max Moroz is an information security engineer on the Google Chrome Security Team and a graduate of the Information Security Department of the National Research Nuclear University MEPhI (Moscow Engineering Physics Institute). He is also the founder of the CTF team BalalaikaCr3w and an active participant in CTF competitions and bug bounty programs.

A Device Fingerprint as a Cure for Fraud. It All Depends on Dosage

Author: Evgeny Kolotinsky

A device fingerprint (or browser fingerprint) is a common way of collecting data about a user or device in order to identify them on the internet. The speaker will illustrate the accuracy and reliability of the method. You will learn why Tor Browser does not always protect against tracking and that your web browsing is even less anonymous than you think. Users are tracked by every website they visit, but not always for profit.

  • Language
  • Russian

Evgeny Kolotinsky leads the fraud prevention research group at Kaspersky Lab, where he has worked for more than seven years studying threats that are not related to viruses. He has presented at international information security conferences.

NFC: Naked Fried Chicken

Author: Matteo Beccaro

This talk is about transportation security, fraud, and technological failures, with a focus on a general methodology for professional and amateur pentesters. The speaker will cover some severe vulnerabilities in real-world NFC-based transportation systems and introduce an open-source application designed to pentest such systems from a smartphone.

  • Language
  • English

Matteo Beccaro is a security researcher studying Computer Engineering at the Polytechnic University of Turin. His research focuses on network protocols and on NFC and EACS security. He is also co-founder and CTO of Opposing Force, the first Italian company specializing in offensive physical security. He has spoken at international conferences including DEF CON 21, 30C3, Black Hat USA Arsenal 2014, DEF CON 22 Skytalks, Black Hat Europe 2014, Tetcon 2015, DEF CON 23, and ZeroNights 2015.

How to Become the Sole Owner of Your PC

Author: Positive Research

The speakers will tell you about a no-frills way to disable Intel AMT and become the sole owner of your PC.

  • Language
  • Russian

Thanks SAP for the Vulnerabilities. Exploiting the Unexploitable

Authors: Dmitry Chastukhin and Dmitry Yudin

Blah blah blah SAP. Blah blah blah big companies. Blah blah blah hack multimillion-dollar systems. This is how typical SAP talks start. But not this time. We are really missing hardcore exploitation stuff and unusual vulnerabilities. Now it's time for real SAP hardcore! The speakers will tell (and show) how, by chaining minor vulnerabilities in different SAP services, you can take complete control of an affected system.

  • Language
  • Russian

Dmitry Chastukhin is director of the security consulting department at ERPScan. He works on SAP security, particularly web applications, Java, HANA, and mobile solutions, and has official acknowledgements from SAP for vulnerabilities he found. Dmitry is also a Web 2.0 and social network security geek and is very active in bug bounty programs (he has found several critical bugs in Google, Nokia, and Badoo). He contributes to the EAS-SEC project and has spoken at conferences such as Black Hat, Hack in the Box, DeepSec, and BruCON.

Dmitry Yudin is a security researcher at ERPScan, an exploit developer, a bug hunter, and a Linux fan.

Security Automation Based on Artificial Intelligence

Author: Rahul Sasi

It is clear that traditional web application security scanners cannot find logical security bugs. The speaker will show how to build tools that detect such bugs using machine learning as a key ingredient. The talk is aimed at cloud-based application security enthusiasts.

  • Language
  • English

Rahul Sasi has over seven years of experience in security, research, and product development. He has authored multiple security tools, advisories, and articles and has spoken at security conferences including Black Hat, CanSecWest, CoCon, Ekoparty, HITB, HITCON, and Nullcon. He is the founder and CTO of CloudSek, a risk assessment company; before founding CloudSek he was a senior engineer at Citrix.

Exploiting Redundancy Properties of Malicious Infrastructure for Incident Detection

Author: John Bambenek

The cat-and-mouse game between malware researchers and malware operators has been going on for years. The defense community is getting faster at responding to emerging threats and taking down malware operators' command-and-control infrastructure before it causes too much damage. Meanwhile, the "bad guys" are building multi-tier redundant architectures that use P2P networks, Tor, and domain generation algorithms (DGAs) to keep their supporting infrastructure available despite takedown operations. This report will cover research by both American and Russian analysts into the use of such techniques and what can be learned about the adversaries who use them. Additionally, the speaker will introduce a new tool that helps researchers dig into DGAs.
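
As an added example, not the speaker's tool and not the algorithm of any real malware family, the following toy DGA shows both sides of the game described above: once the algorithm and seed have been recovered from a sample, the coming days' domains can be computed and sinkholed before the bots ask for them, which is exactly what defeats the redundancy the DGA was meant to buy; until then, a lexical heuristic over DNS query logs is what surfaces unknown generated domains for a human to look at. The LCG constants, the seed value, the `.example` TLD, the sample query log and the thresholds are all assumptions:

```python
"""Toy DGA plus the two things a researcher does with one (added example;
not the speaker's tool, and not any real family's algorithm)."""
import math
from collections import Counter
from datetime import date, timedelta

VOWELS = set("aeiou")


def toy_dga(day: date, seed: int, count: int = 5, tld: str = ".example") -> list[str]:
    """Date-seeded generator: LCG state mixed from the date and a per-family seed,
    so every infected host computes the same candidate list on the same day."""
    state = (day.year * 10000 + day.month * 100 + day.day) ^ seed
    domains = []
    for _ in range(count):
        label = []
        for _ in range(12):
            state = (state * 1103515245 + 12345) & 0x7FFFFFFF  # glibc-style LCG
            label.append(chr(ord("a") + (state >> 16) % 26))
        domains.append("".join(label) + tld)
    return domains


def predict_domains(seed: int, start: date, days: int, count: int = 5) -> dict[str, date]:
    """Defender side: every domain the family will try from `start` for `days`
    days, keyed to the first day it becomes active (for registering/sinkholing)."""
    table = {}
    for offset in range(days):
        day = start + timedelta(days=offset)
        for d in toy_dga(day, seed, count):
            table.setdefault(d, day)
    return table


def shannon_entropy(label: str) -> float:
    """Bits per character of the label; random-looking labels score high."""
    counts = Counter(label)
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_generated(fqdn: str) -> bool:
    """Heuristic for unknown DGAs: long, high-entropy, vowel-poor second-level
    label. A triage filter, not a verdict; wordlist-based DGAs evade it."""
    parts = fqdn.lower().rstrip(".").split(".")
    label = parts[-2] if len(parts) >= 2 else parts[-1]
    if len(label) < 10:
        return False
    vowel_ratio = sum(ch in VOWELS for ch in label) / len(label)
    return shannon_entropy(label) >= 3.0 and vowel_ratio < 0.35


def triage(query_log: list[str]) -> list[str]:
    """Queried names worth a look, in log order, de-duplicated."""
    seen, hits = set(), []
    for name in query_log:
        if name not in seen and looks_generated(name):
            seen.add(name)
            hits.append(name)
    return hits


if __name__ == "__main__":
    today = date(2016, 5, 17)
    print(toy_dga(today, 0x1337))
    print(len(predict_domains(0x1337, today, 7)), "domains to sinkhole this week")
    # Constructed query log, not a real capture.
    print(triage(["www.example.org", "qwzxkvbnmplr.example", "mail.example.org"]))
```

The prediction table is the part that makes a takedown stick: registering or sinkholing the domains before their activation day turns the malware's own fallback mechanism into a telemetry source. The heuristic is deliberately cheap and false-positive-prone; it is there to shorten the list a researcher reverse-engineers by hand, not to replace that work.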

  • Language
  • English

John Bambenek is manager of threat systems at Fidelis Cybersecurity and an incident handler with the Internet Storm Center. He has been engaged in security for 17 years researching security threats, has published several articles, and has participated in many incident investigations spanning the globe. He speaks at conferences around the world and runs several private intelligence groups focused on takedowns and disruption of criminal entities.

Copycat Effect: From Cyberforensics to a Street Robbery

Author: Sergey Golovanov

Everybody watches everybody. We have grown accustomed to state-sponsored cyberattacks, and the internet is overflowing with examples and exploits from such campaigns. Financially motivated intruders naturally find this material useful. The report will cover methods cybercriminals have adopted from various special forces units. The speaker will also describe new methods of hacking ATMs, and a lot more.

  • Language
  • Russian

Sergey is the principal security researcher at Kaspersky Lab, where he conducts research into banking threats and cyberespionage. His areas of expertise include embedded system security, cybercriminal groups, non-Windows threats (Mac OS, Unix), and botnets.

DNS as a Defense Vector

Author: Paul Vixie

DNS offers a commanding view of both the local and global internet, and provides unparalleled intelligence on cybercriminals and attack methods. This lecture will explain how DNS can be protected, and how it can be used to protect other connected targets. In his presentation, the speaker will provide an overview of cache poisoning, DNSSEC, DDoS, rate limiting, DNS firewalls with RPZ, and passive DNS monitoring.

  • Language
  • English

Dr. Paul Vixie is the CEO of Farsight Security. He is a former chairman of Internet Systems Consortium and former president of MAPS, PAIX, and MIBH. He served on the ARIN Board of Trustees and was a founding member of the ICANN Root Server System Advisory Committee and the ICANN Security and Stability Advisory Committee. Vixie has contributed to internet protocols and UNIX systems as a protocol designer and software architect since 1980. He wrote Cron (for BSD and Linux) and is considered the primary author and technical architect of BIND 4.9 and BIND 8. He has authored or co-authored a dozen RFCs, mostly on DNS and related topics. He earned his PhD from Keio University for work related to DNS and DNSSEC, and was named to the Internet Hall of Fame in 2014.

Web Application Firewall Bypassing

Author: Khalil Bijjou

This workshop will teach you how to attack an application protected by a WAF. The speaker will describe WAF bypassing techniques and offer a systematic, practical approach to bypassing web application firewalls based on them. Beginners are welcome! WAFNinja, a tool that helps find multiple weaknesses in web application firewalls, will be introduced.

  • Language
  • English

Khalil Bijjou is an enthusiastic ethical hacker currently in a master's program in IT security. He works as a penetration tester for Deloitte Cyber Risk Services and performs security assessments for major companies. Khalil took second place in the German Post IT Security Cup.

Enterprise Forensics 101

Author: Mona Arkhipova

This report outlines the typical aspects of digital forensics in enterprise systems, from initial data collection to filing a report. The speaker will also give some background on the accidental establishment of the QIWI forensic lab.

  • Language
  • Russian

Mona Arkhipova is head of security monitoring (SOC and OPS) at QIWI.

Wireless Hijack: From Quadrocopters to Computer Mice

Author: Artur Garipov

The talk will cover general aspects of using SDR for wireless traffic analysis. The speaker will demonstrate how to find and identify wireless devices, analyze and spoof their protocols, take over wireless equipment, and carry out a MouseJack attack.

  • Language
  • Russian

Artur Garipov is a network application security specialist at Positive Technologies. He researches the security of wireless technologies and mobile systems and organized the MiTM Mobile contest and workshop at PHDays V and VI.

Very Mighty eXtension for debugging

Author: Artem Shishkin

This talk will show how to develop a hypervisor-based debugging facility: how to apply existing hardware features to debugging, how to maintain the integrity of the debuggee, how to make it interactive, and how to accommodate Intel-specific peculiarities. The speaker will also cover OS integration and explain how to build a hypervisor debugger into firmware. Real-world cases of using a hypervisor-based debugger will show that Virtual Machine Extensions are indeed a Very Mighty eXtension for debugging.

  • Language
  • Russian

Artem Shishkin is a virtualization specialist and reverse engineer. He has authored research papers including "Intel SMEP overview and partial bypass on Windows 8", "Stars aligner's how-to: kernel pool spraying and VMware CVE-2013-1406", and "Microsoft Windows 8.1 kernel patch protection analysis". He works on low-level programming and develops reverse engineering tools, and has previously spoken at Positive Hack Days and ZeroNights.

Exploiting Chrome on a Nexus Phone

Author: Guang Gong

The speaker will explain how to pwn a Nexus device with a single vulnerability: how to gain remote code execution through a V8 vulnerability, and then demonstrate escaping Chrome's sandbox without exploiting any further security flaw.

  • Language
  • English

Guang Gong is a security researcher on the Mobile Safe Team at Qihoo 360. His research interests include Windows rootkits, virtualization, and cloud computing; he currently focuses on mobile security, especially hunting and exploiting Android vulnerabilities. He has spoken at security conferences such as Black Hat, CanSecWest, PacSec, and SyScan360, and is the winner of Pwn2Own 2015, Pwn0Rama 2016 (mobile devices category), and Pwn2Own 2016 (target: Chrome).

Magic box or: A Story about White Hat ATM Hackers

Authors: Olga Kochetova and Alexey Osipov

The report focuses on the most common methods of hacking and protecting ATMs. The speakers continue the topic of their previous presentations with a more in-depth analysis of the technical details. The emphasis will be on vulnerabilities in ATM infrastructure and on the security of communication with the processing center.

  • Language
  • Russian

Olga Kochetova
Olga is a senior specialist in the penetration testing department at Kaspersky Lab and the author of many articles and webinars on ATM insecurity. She has spoken at international conferences including Black Hat, Hack in Paris, Positive Hack Days, and the Security Analyst Summit, and is the author of security advisories on various vulnerabilities in ATMs and in software from popular vendors.

Alexey Osipov
Alexey is the lead expert in the penetration testing department at Kaspersky Lab and the author of techniques and utilities for exploiting XML vulnerabilities. He has spoken at international conferences including Black Hat, Chaos Communication Congress, Hack in Paris, NoSuchCon, and Positive Hack Days, and is the author of security advisories on various vulnerabilities in ATMs and in software from popular vendors.

Mobile Communications are Insecure. Evidence-Based Arguments

Authors: Sergey Puzankov and Dmitry Kurbatov

Any mobile operator's network contains vulnerabilities inherited from obsolete technologies. The report assesses the security level of mobile carriers based on data gathered during investigations of real-life networks.

  • Language
  • Russian

Sergey Puzankov
Sergey is an expert at Positive Technologies, where he researches attacks against mobile operators' networks and develops SS7 Scanner and SS7 Attack Discovery. He is the author of several publications on SS7 security.

Dmitry Kurbatov
Dmitry has 9 years of experience in the information security of corporate networks, business applications, and telecommunication equipment. He is an expert at Positive Technologies and the Positive Research center, helps organize the Positive Hack Days forum, and has published many articles on information security.

Memory Protection Based Anti-Cheat for Computer Games

Authors: Roman Kazantsev, Maxim Vafin, and Andrey Somsikov

Commercial cheat services for multiplayer online games are developed continuously, because cheat makers run a profitable business that spans a wide range of games. The speakers will present their anti-cheat technique, which relies on software obfuscation and protects against code-injection cheats that analyze memory and collect statistics about players. The talk will be supported by a real case study of Unreal Tournament 4.

  • Language
  • Russian

Roman Kazantsev is a software engineer at Intel Corporation. With seven-year professional experience, he is currently occupied with delivering cryptographic solutions and expertise for content protection across all the Intel platforms. His professional interests are cryptography, software security, and computer science.

Maxim Vafin is a software engineer at Intel Corporation. He specializes in computer game security and software protection against reverse engineering.

Andrey Somsikov is a software engineer and security researcher at Intel Corporation. His professional interests are software security, cryptography, and computer science.

Janitor to CISO in 360 Seconds: Exploiting Mechanical Privilege Escalation

Author: Babak Javadi

For over 100 years, the modern pin tumbler lock has been the gold standard of physical security. Unique designs have come and gone over the years, but the pin tumbler lock has remained constant. Almost as constant is a neat hack-turned-standard feature commonly referred to as master keying. Master keying allows the use of "unique", permission-based mechanical keys in large systems and remains in use in large business and government installations in every country in the world. Unfortunately, the oldest authentication system still in wide use today is vulnerable to what many consider the original privilege escalation attack, one that predates digital computer systems entirely. Known to a handful of locksmiths for decades and first publicly disclosed in 2003, this unpatched vulnerability remains one of the most dangerous and least protected physical security weaknesses still present today. This talk will discuss a highly optimized attack method against common master-keyed systems as it applies to modern locks, and will cover a couple of options for mitigating and defending against the attack.
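
The 2003 attack referred to above, as an added simulation (not the speaker's material). It assumes a two-level system with one master pin per pin stack, ten possible cut depths, and no cutting restrictions on test keys; the lock itself is the oracle, exactly as in the physical attack:

```python
"""Privilege escalation against a master-keyed pin-tumbler system (added
example; a simulation, not the speaker's material).

Model: each of the n pin stacks has a set of cut depths at which it reaches
the shear line. With a single master pin per stack that set is
{change_depth, master_depth}. The lock opens when every position of the key
is in its stack's set. Holding a legitimate change key, the attacker probes
one position at a time: a test key equal to the change key except in
position i, cut to depth d, opens iff d is a valid depth for stack i. That
needs at most n * (D - 1) test keys instead of D ** n guesses, and the
recovered depths assemble the top-level master key.
"""
DEPTHS = range(0, 10)   # assumed: 10 cut depths, 0 (shallowest) .. 9


class MasterKeyedLock:
    def __init__(self, change_key: tuple, master_key: tuple):
        assert len(change_key) == len(master_key)
        # Each stack accepts its change depth and its master depth.
        self.stacks = [{c, m} for c, m in zip(change_key, master_key)]
        self.attempts = 0   # how many test keys were tried against this lock

    def opens(self, key: tuple) -> bool:
        self.attempts += 1
        return len(key) == len(self.stacks) and all(
            cut in stack for cut, stack in zip(key, self.stacks))


def recover_master(lock: MasterKeyedLock, change_key: tuple) -> tuple:
    """One position at a time, using the lock as the oracle. A position with
    no master pin (only the change depth opens) is reported at the change
    depth, which is also its master depth."""
    master = []
    for i, own in enumerate(change_key):
        found = own
        for d in DEPTHS:
            if d == own:
                continue
            # Change key with only position i re-cut to depth d.
            test_key = change_key[:i] + (d,) + change_key[i + 1:]
            if lock.opens(test_key):
                found = d
                break
        master.append(found)
    return tuple(master)


if __name__ == "__main__":
    change = (3, 5, 2, 6, 4, 1)   # constructed bitting of one tenant's key
    master = (1, 5, 7, 2, 4, 6)   # constructed top master; position 2 and 5 share
    lock = MasterKeyedLock(change, master)
    recovered = recover_master(lock, change)
    print(recovered, "recovered after", lock.attempts, "test keys;",
          "opens:", lock.opens(recovered))
```

Each position costs at most D - 1 test keys, so the whole master falls to n * (D - 1) keys (here at most 54) rather than a search over D ** n combinations. The attacker never needs to see a master key, a lock's internals, or the key schedule; any change key in the system plus a handful of blanks is enough.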

  • Language
  • English

Babak Javadi is a hardware hacker with a wayward spirit. His first foray into the world of physical security was in the third grade, where he received detention for describing to another student in words alone how to disassemble the doorknob on the classroom door. After years of immersion in electronics and computer hardware hacking, he found his passion in the puzzling and mysterious world of high security locks and safes. In 2006 Babak co-founded the US division of The Open Organisation of Lockpickers, otherwise known as TOOOL, where he continues to serve on the Board of Directors as President. In the same year, he founded the CORE Group, a multi-disciplined security research and consulting firm. He has recently re-embraced the beauty of the baud and resumed hardware hacking with a vengeance, currently working on leading research from access controls to alarms.

Groundbait: Analysis of a Surveillance Toolkit

Author: Anton Cherepanov

Operation "Groundbait" (Russian: Prikormka) is an ongoing cyber-surveillance operation in Ukraine. The group behind it has been launching targeted attacks to spy on individuals for political motives and has been active since 2008. The talk will uncover details of the attack campaigns and provide a technical analysis of the malicious toolkit used. The speaker will share clues uncovered during his research that may point to the origin of the attackers.

  • Language
  • Russian

Anton Cherepanov graduated from South Ural State University and works at ESET as a malware researcher. He specializes in IT security, reverse engineering, and malware analysis automation, and has spoken at the CARO Workshop, Virus Bulletin, and ZeroNights.

A Riddle Wrapped in a Mystery, or Vulnerabilities in Medical and Industrial Software

Authors: Emil Oleynikov and Yuriy Gurkin

Both medical and SCADA systems can be operated, configured, and monitored remotely, and they are often connected to the internet. The speakers will provide an overview of vulnerabilities in application-specific software used in medicine and industrial production. The vulnerabilities were discovered using EAST (Exploits And Security Tools), a framework similar to Metasploit that automates vulnerability scanning and demonstrates the resulting risks.

  • Language
  • Russian

Emil Oleynikov is an information security researcher and the lead developer of the EAST Framework.
Yuriy Gurkin is the chief technology officer of GLEG and a promoter of the EAST Framework.

Fear and Loathing in Telecoms

Author: Ilya Safronov

The report will describe various schemes used by attackers to enrich themselves at the expense of telecom operators. The speaker will cover manipulation of numbers, interconnection settings, billing, and switch configuration. The principles of SIM box operation and traffic looping will also be discussed.

  • Language
  • Russian

Ilya Safronov is an information security specialist who previously worked in the network security department at Positive Technologies and as a security assessment expert at Group-IB. He is the author of several articles on information security and has participated in a number of telecommunications projects and research programs.

Time is Not on Your Side: Exploiting Browser-Based Timing Attacks

Author: Tom Van Goethem

This talk introduces a new threat: browser-based timing attacks that can be used to extract sensitive information from trusted websites. In the classic example of a timing attack, the attacker recovers the secret key of a cryptosystem such as RSA by measuring how long private-key operations on several chosen inputs take. To investigate the potential consequences, several popular web services (email applications, social networks, financial websites) were analyzed, and the research revealed that these new attacks can be exploited against every one of them, posing an imminent threat to our online security and privacy. The speaker will demonstrate the harmful consequences by discussing several real-world scenarios.
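
The classic timing attack the abstract refers to, as an added example (not the speaker's research code). Instead of wall-clock time, which needs many samples and statistics before it is usable, the simulated server reports how many byte comparisons it performed, which is exactly the quantity an early-exit string comparison leaks. The secret, the printable-ASCII alphabet and the use of 0x00 as padding are assumptions:

```python
"""Byte-by-byte secret recovery through a timing oracle (added example, not
the speaker's research code). "Time" is simulated as the number of byte
comparisons the server performed, to keep the run deterministic."""
from typing import Callable

SECRET = b"s3cr3t-token"             # constructed; the value under attack
ALPHABET = bytes(range(0x20, 0x7F))  # printable ASCII; 0x00 is the pad, never in SECRET


def early_exit_compare(secret: bytes, guess: bytes) -> tuple[bool, int]:
    """Typical == on byte strings: stops at the first mismatching byte.
    Returns (match, comparisons_performed)."""
    if len(secret) != len(guess):
        return False, 0
    work = 0
    for s, g in zip(secret, guess):
        work += 1
        if s != g:
            return False, work
    return True, work


def constant_time_compare(secret: bytes, guess: bytes) -> tuple[bool, int]:
    """Same API, but the work depends only on the length (what
    hmac.compare_digest does for real)."""
    if len(secret) != len(guess):
        return False, 0
    diff = 0
    for s, g in zip(secret, guess):
        diff |= s ^ g
    return diff == 0, len(secret)


def recover(oracle: Callable[[bytes], tuple[bool, int]], length: int) -> bytes:
    """Attacker: knows only the length and sees (accepted, time) per query.
    At each position the candidate that makes the server work one step
    longer is the correct byte, so the cost is len(ALPHABET) * length
    queries instead of len(ALPHABET) ** length."""
    known = bytearray()
    for pos in range(length):
        best_byte, best_work = ALPHABET[0], -1
        for c in ALPHABET:
            guess = bytes(known) + bytes([c]) + b"\x00" * (length - pos - 1)
            accepted, work = oracle(guess)
            if accepted:
                return bytes(guess)      # last byte found, done
            if work > best_work:
                best_byte, best_work = c, work
        known.append(best_byte)
    return bytes(known)


def attack(compare: Callable[[bytes, bytes], tuple[bool, int]]) -> tuple[bytes, int]:
    """Wire the attacker to a server using the given comparison; returns
    (recovered_value, number_of_queries)."""
    queries = 0

    def oracle(guess: bytes) -> tuple[bool, int]:
        nonlocal queries
        queries += 1
        return compare(SECRET, guess)

    return recover(oracle, len(SECRET)), queries


if __name__ == "__main__":
    print("early-exit   :", attack(early_exit_compare))
    print("constant-time:", attack(constant_time_compare))
```

Against `early_exit_compare` the attacker needs at most 95 * 12 queries instead of 95 ** 12; against `constant_time_compare` every query costs the same, so the "best" candidate is always the first alphabet byte and the attacker learns nothing. The browser-based attacks in the talk apply the same reasoning to a different measurement (how long a cross-origin resource takes to arrive rather than how long a server-side comparison runs), and the defence is the same in spirit: make the observable timing independent of the secret.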

  • Language
  • English

Tom Van Goethem is a PhD student at the University of Leuven (Belgium), where he has a (not so secret) love affair with research on web security and privacy. Through his security research, Tom has exposed fundamental flaws in DDoS protection mechanisms, the security seal ecosystem, and several widely used services and web applications, such as WordPress.

Fingerprinting and Attacking a Healthcare Infrastructure

Author: Anirudh Duggal

There has been a recent spike in the number of attacks on healthcare institutions, the most serious being ransomware. These attacks go beyond phishing individual victims to shutting down entire infrastructures. The speaker will focus on how hospitals and healthcare institutions can be fingerprinted and how to defend such systems against these attacks.

  • Language
  • English

Anirudh Duggal is a cybersecurity enthusiast who works at Philips Healthcare on securing medical devices, mobile apps, hardened systems, web services, and healthcare infrastructure. He previously worked in the cloud security department at Infosys. He founded a website on security challenges in the healthcare industry, presented solutions and systems at the Microsoft Imagine Cup as a national finalist, and has taken an active part in Null and SecurityXploded. He has spoken at Cocon, HITCON, Ground Zero, and the forthcoming Nullcon 2016.

How to Exploit Certifi-Gate, in Theory and Practice

Author: Dan Koretsky

Millions of Android devices have vulnerabilities that grant root privileges. The speaker will cover the technical causes for concern (hash function collisions, abuse of inter-process communication, mishandling of application certificates). The lecture will include a demonstration of an attack against a real device and give participants recommendations for reducing the risk. Participants will learn why these vulnerabilities cannot be eliminated entirely and hear about attacks via Google Play.

  • Language
  • Russian

With over 8 years of experience in security and low-level research in both Windows and Linux/Android environments, Dan brings deep knowledge of cyberattacks and of the information security landscape of the mobile and PC worlds. Dan started working at a start-up before finishing high school, during which time he also studied for a bachelor's degree in computer science. He then served for over 5 years in the Israeli army, performing a wide variety of research and development tasks. He works at Check Point as a senior security researcher for mobile products.
