FastTrack

FastTrack allows to the reporters to have a 15 minutes speech for the research presentation. Section is in formation.

Participation requests are to be sent to fasttrack@zeronights.org. Participation at Fast Track is a good opportunity to tell about important questions.


“Mass CSRF attacks via Flash ads”

Speaker: Kirill Samosadny

Usage of Flash technology with malicious goals has been known for long [1, 2, 3, 4]. The talk is dedicated to using the opportunities of Flash banner networks for mass CSRF attacks. I will describe the results of a research where popular banner networks were searched for the possibility to put “bad” banners online, as well as actual examples of services which are convenient to attack via CSRF through banner networks. I will also pay attention to XSS via CSRF.

[1] http://events.ccc.de/congress/2008/Fahrplan/events/2596.en.html
[2] http://blog.guya.net/2008/09/14/encapsulating-csrf-attacks-inside-massively-distributed-flash-movies-real-world-example/
[3] http://habrahabr.ru/post/143345/ [in Russian]
[4] https://www.seclab.tuwien.ac.at/papers/flash-acsac.pdf


“Techniques of automatic malware detection system bypass: interesting examples of 2012”

Speakers: Fyodor Yarochkin, Vladimir Kropotov, Vitaly Chetvertakov

In this presentation, mass malware distribution campaigns will be described, particularly the bypass techniques for automatic detection of dangerous content on compromised servers which have been spotted during 2012. The examples we will show will include:
  • real-time dynamic malicious domain name generation;
  • examples of infection in large Russian banner networks;
  • examples of domains which have a shorter lifespan than the time needed to blacklist them;
  • examples of attacks from legal resources which have had their DNS administration accounts compromised;
  • and other interesting cases.


“New developments in password hashing: ROM-port-hard functions (building upon the ideas of scrypt and security through obesity)”

Speaker: Alexander Peslyak

Like it or not, password authentication remains relevant (including when used as one of several authentication factors), and password hash database leaks remain a risk. To mitigate the risk impact, computationally expensive (bcrypt, PBKDF2) and more recently also memory-hard (scrypt) password hashing methods have been introduced. Unfortunately, at relatively low target running time and with the need to perform multiple authentication attempts concurrently, scrypt's memory cost ends up being unreasonably low, up to the point where scrypt may not be better than the much older bcrypt. In my talk, I will propose and discuss the pros and cons of an alternative approach, where an arbitrarily large lookup table may be used along with any target running time and in parallel by multiple concurrent authentication attempts. With contemporary server hardware, the lookup table may occupy tens of gigabytes of RAM (using it as a site-specific ROM), which limits attackers' use of pre-existing hardware (such as botnet nodes), thereby buying the defender time. Further development of the approach is in use of not only RAM, but also SSDs and potentially even a NAS/SAN based on SSDs. This achieves goals similar to those of the “blind hashing” concept, later dubbed “security through obesity”, which was suggested after the leak of passwords from LinkedIn this summer.

“3G modem infection”

Speaker: Oleg Kupreev

Hardware infection is not a myth anymore. For instance, Rakshasa, which was shown at Defcon, is capable of infecting BIOS and PCI ROM (LAN, CDROM). The author of this paper decided to continue research towards infecting the software of the devices and checked the practical possibility to infect a modern 3G modem.

The 3G modems of the Big Three mobile network operators were used: MTS, BeeLine, Megafon. Software for cross-platform infection (Windows, Linux, MacOS X) of virtual CD-ROM images has been developed.

“How to catch your hacker, or Makeshift security”

Speakers: Igor Gots, Sergey Soldatov

We will teach you how to build a security incident monitoring system at minimum expenses and which incidents to look for.

“Typical information security flaws in corporations and large enterprises”

Speaker: Eugeny Sobolev

This presentation refers to the attitude that ISOs have towards their duties and personnel education, and to the vulnerabilities that ensue, mostly technical ones. In particular, I will pay attention to security issues in password policies, access control, software updates, and traffic interception with practical cases. I will explain what consequences negligent companies have faced and will be facing. And how could such flaws become typical for most companies?

“Where is my car dude?”

Speakers: Dmitry 'Chipik' Chastukhin, Gleb Cherbov

What can be more interesting than a security research of an information system? Bingo! A security research of a technology which was designed to ensure security.

The issues of tracking systems security will be discussed in this presentation. Know the details of cash-in-transit vehicle route? Easy as pie! Expand the area which criminals on probation can move within? No sweat! Look up the direction and speed of noodles transportation by your competitor? Signed, sealed and delivered. Know the locations of cars with unlocked doors? Done. We will tell you something. We will show you something. Maybe.

“Python Arsenal for RE”

Speaker: Dmitry 'D1g1' Evdokimov

Nowadays, RE is unimaginable without automation of some tasks. And Python has become a perfect merciless weapon in the hands of a seasoned reverser who does not squander his talents on trifles but rather automates everything that he can. Demand breeds supply, so quite a few Python projects have appeared, which are well-known or unknown at all, which have a wide or narrow direction, which are plugins or separate applications. But they all have something in common: they are the arsenal of a reverse engineer to dive into the cruel world of binary. To keep hackers from getting lost in the flood of Python weapons, we have decided to create a special website about them and present it at the conference.

Organizers:
Official support:
With participation of:
Gold sponsor:
Silver sponsors:
Prizes Sponsors:
General Media Partner:
Media Partners:
Competition organizers: