“OPSEC: Because Jail is for wuftpd”

Speaker: The Grugq

Drawing on lessons gleaned from recent hacker indictments, research on surveillance, espionage and counter-intelligence, this talk focuses on practical operational security (OPSEC) measures to avoid detection and prevent arrest by Law Enforcement Officials. The target audience for this talk are hacktivists whose primary mission requires strong online anonymity in the face of intense scrutiny by well-funded antagonists. Starting with a review of OPSEC goals and moving onto methodologies, techniques and technologies, this presentation will enable the target audience to devise and implement robust OPSEC measures. Effective OPSEC requires combining strong technology solutions with disciplined cautious actions to minimize the exposure of “protected information”. The talk will enumerate OPSEC principles and techniques to deny protected information to LEO, and equip hacktivists with the tools necessary to successfully conduct online operations while avoiding capture.

Try Harder 2 Be Yourself

Speaker: Felix 'FX' Lindner

“Dark and Bright Sides of iCloud (In)security”

Speakers: Andrey Belenko, Dmitry Sklyarov

In July 2011 Apple has introduced iCloud, a successor to MobileMe. iCloud is a comprehensive cloud service for Apple devices that allows to share data (such as contacts, calendars, application files, photos) among devices, as well as to backup data from iOS devices directly to iCloud. With this approach there is always a fresh backup copy available in iCloud should there be need to restore. Recent estimates report iCloud user base to be as large as 125 million users (which is almost half of the number of iOS devices sold).

In this talk we will approach the security and privacy of this “Backup to iCloud” feature. We will describe the architecture of the iCloud backups (if you think that your backups are stored in the Apple's datacenter you're soooo mistaken) and the protocol iOS devices use to talk to iCloud to backup and restore data. We will explain how iCloud backups are encrypted and why this encryption (unlike the encryption of offline backups) is no problem.

Our goal is to provide the audience with iCloud “reality check” and to show that the moment you enable iCloud backups all your data belongs to Apple or to anyone who knows your Apple ID and password.

“Fuzzing at scale and in style”

Speakers: Atte Kettunen, Miaubiz

Heating your house is important, but it helps being smart about it. We will show you how we find vulns, generate cases, use grammars, bin and track crashes, start, stare at, stop and update browsers, minimize repros, use redis, coordinate clusters and target our resources.

To be announced

Speaker: Alberto Garcia Illera (Spain, Security bussines)

“SSRF attacks and sockets: smorgasbord of vulnerabilities”

Speakers: Vladimir Vorontsov, Alexander Golovko

The report described server request forgery vulnerabilities (Server Side Request Forgery — SSRF) in terms of their practical applications to perform various attacks. The various vulnerabilities and attacks with the using sockets were researched. Such as controlling of the HTTP response, database operations, and even remote code execution. Special attention is given to the above attacks, relevant for the PHP interpreter. The above methods and techniques of the attacks have been developed and successfully used in the course of security audits of real web applications.

“On security aspects of ADS-B and other "flying" technology”

Speaker: Andrei Costin

Air-related technologies are on the verge of technological upgrade and advance in approximately the same manner the mobile communication networks and smartphones were 5-10 years.

As noticed in practice, these technological advances open opportunities for performance and innovation, but at the same time open great opportunity for security exploitation.

In this talk and whitepaper, we will approach the ADS-B (in)security from the practical angle, presenting the feasibility and techniques of how potential attackers could play with generated/injected airtraffic and as such potentially opening new attack surfaces onto AirTrafficControl systems.

“They told me I could be anything, so I became BAh7BkkiDHVzZXJfaWQGOgZFVGkG”

Speaker: joernchen of Phenoelit

In this presentation, we'll have a deeper look at Ruby on Rails' own session handling mechanisms. An overview of typical authentication and authorization patterns will be given. Alongside this, we will discover typical flaws within Ruby on Rails applications regarding authentication and authorization. A certain negligence of quite a lot of Open Source Ruby on Rails developers will be demonstrated, with gain of admin privileges on a broad range of these web applications being one of the many implications of this negligence. Additionally, with the aid of, the real world impact of this common malpractice will be evaluated.

“Mac OS X malware overview”

Speaker: Ivan Sorokin

To date, the Dr.Web classification includes about 20 malware families targeting Mac OS X. The report presents a comparative analysis of the most dangerous and widespread malicious programs currently found in the wild. Various aspects, ranging from the objective for which a program has been designed to distinctive features of a particular threat family, are considered as comparison criteria.

“Stealing from Thieves: Breaking IonCube VM to Reverse Exploit Kits”

Speaker: Mohamed Saher

Exploit kits are packs containing malicious programs that are mainly used to carry out automated ‘driveby’ attacks in order to spread malware. These kits are sold on the black market (mostly by Russian cyber mafia), where prices typically range from several hundred to over a couple thousand dollars. It is also becoming quite common to rent hosted exploit kits. Because of this, a competitive market has emerged with numerous players, including many different authors. Appearing several years ago, MPack was one of the first examples of this type of ‘tool’. This was followed shortly after by ICE-Pack, Fire-Pack and a variety of others. Today’s well-known exploit kits are, for example, Eleonore, the YES Exploit Pack, and Crimepack.

In order to protect their exploit kits, cyber criminals are using solutions that convert source code to byte code (virtualized and obfuscated), which is then encoded and passed to a loader that can then be delivered via a PHP web page. Purchased exploit kits are further protected through the use of strict licensing that restricts copying and redistribution.

In this talk, I will discuss how ionCube copy protection is used to protect exploit kits. I will also demonstrate how to break that protection in order to recover the exploit kit source code, as well as identify which IP Addresses are tied to a particular exploit kit license.

  • Understanding Copy Protection (VM Architecture)
  • VM Internals
  • VM Parameters
  • VM Under the Hood (Decoding and Deobfuscation)
  • Breaking the Encryption Algorithm for Licensing
  • Extracting License Information from VM header
  • Conclusion

“Win32/Flamer: Reverse Engineering and Framework Reconstruction”

Speakers: Aleksandr Matrosov, Eugene Rodionov

In this talk one wouldn’t see any speculations on state-sponsored cyber-espionage and ñonspirology theories on cyber weapon development. In the presentation authors will concentrate on different approaches to analysis of the malware based on object oriented architecture with respect to one of the most complex threat ever known while AV industry exists: Win32/Flamer. The authors will present methods of analysis of the malware developed in the course of research of such threats as Stuxnet, Duqu and Festi. The talk will shed light on the problems the researchers face during investigation of complex threats and the ways to deal with them using tools by Hex-Rays. The authors will also present the result of research on reconstructing framework which was used to construct Win32/Flamer and will show its similarity with Stuxnet/Duqu/Gauss with respect to code and architecture.

“Applied anti-forensics: rootkits, kernel vulnerabilities and then some”

Speaker: Oleksiuk Dmytro (aka Cr4sh)

Currently, the most well-known type of rootkits is those used in mass distribution malware. But they are also used in targeted attacks, so rootkit technologies can be divided into two large groups. The main difference between the rootkits used in targeted attacks and their mass scale counterparts is that the former should, on top of preventing the detection of system compromise on a daily basis (that is, staying invisible for users and antiviral software), be able to obstruct the detection of the rootkit to the maximum possible extent when it is specifically searched for by high-qualified forensics professionals.

In the presentation, the following questions are discussed in detail:
  • Main approaches to malware detection in the research of a compromised system.
  • Practical aspects of rootkit development for targeted attacks.
  • Demonstration of conceptual rootkits which use interesting techniques to conceal and execute code in ring0.
  • Ways to detect the concepts covered in the presentation.

P.S. The information which will be presented is not yet another good-for-nothing research of the “new ways to intercept some useless crap in OS kernel”. The speaker’s goal is to demonstrate examples and results of a complex approach to the development of hard-detectable malware.

“Modern payments security: EMV, NFC, etc.?”

Speaker: Nikita Abdullin

Have you ever thought about security & reliability of the high-tech payment stuff that inhabits your wallet and pockets? Then be prepared -- the talk will cover the security aspects of modern payment technologies from the real world: EMV-enabled credit cards and NFC-based payment solutions. Among the topics presented will be the principles of operation for EMV and NFC, attack vectors both well-known and new, countermeasures, perspectives and analytics.

“Windows Kernel Reference Count Vulnerabilities — Case Study”

Speaker: Mateusz 'j00ru' Jurczyk

Windows kernel vulnerabilities are quickly becoming the second most significant concern of low-level software specialists after client-side security issues, allowing remote exploits to subvert the widely deployed sandboxing technologies found in popular web browsers or document readers. As a growing number of such security flaws is being found and fixed every month with Microsoft investing more and more effort into hardening the kernel, we believe it is equally important to understand and discuss how certain classes of bugs could be eliminated entirely. In this presentation, we will highlight several interesting kernel-mode flaws caused by invalid reference counting recently patched by Microsoft, cover their actual impact on the system security and propose some ideas of how the bugs could have been addressed in a more generic way.

“That's why I love XML hacking!”

Speaker: Nicolas Gregoire

Yes, that's a talk about XML. But with exciting new content! You want to read part of the Adobe Reader source code? You have banged your head against a XML blacklist during your latest pentest? You wonder how to pop a shell during verification of a XML Digital Signature? I'll try to show you that XML hacking is sexier than most people think!

“A blow against MongoDB”

Speaker: Mikhail Fyrstov

More and more software developers use NoSQL databases for various applications. Attack techniques for NoSQL are barely studied and not as popular as your usual SQL injections. In this presentation, we will describe the techniques of MongoDB attacks which have not been published before.

“Armed Failure — Hacking Wireless Alarm Systems”

Speaker: Babak Javadi

Alarm systems and panels were designed before the prevalence of wireless technology and communicate with a proprietary protocol over a two-wire data bus. This bus was designed for use between alarm panels, keypads and zone expanders. However this has now been extended to allow the system to communicate with wireless sensors. Unfortunately, little research has been performed regarding these systems, and operational information about them is scarce and often incorrect. This presentation will demonstrate several classic vulnerabilities of alarm installations and then present several new techniques for reducing the effectiveness of the alarm system. In particular, this talk will focus on weaknesses and new exploits of the RF subsystem of the most popular commercial alarm system on the market today.

“No locked doors, no windows barred: hacking OpenAM infrastructure”

Speakers: Andrey Petukhov, Georgy Noseyevich

One of the main functional components of enterprise applications and Internet portals is an authentication and access control system (AuthC/Z). In this presentation, we will describe a popular access control system called ForgeRock OpenAM from the external security point of view. I will show the scenarios of full enterprise application compromise through complex attacks which employ both LFI and SSRF.

“The Diviner — Digital Clairvoyance Breakthrough — Gaining Access to the Source Code & Server Side Memory Structure of ANY Application”

Speaker: Shay Chen

The Crown Jewel of information disclosure, source code disclosure, is arguably the most significant information an attacker can obtain, and can be used to expose potential code-level vulnerabilities, logic, and hard coded information.

Since vulnerabilities that disclose source code are not always available, we were lead to believe that the concept of security by obscurity can provide some level of protection, as fragile as it may be… but not anymore.

Divination Attacks, a new breed of information gathering attacks, provide the means to predict the structure of the memory and source code of application components, using black box techniques with unparalleled accuracy.

These techniques were implemented in Diviner — a new OWASP ZAP extension, which can be used to locate leads for direct and indirect vulnerabilities, and can also enable testers to fingerprint fragments of the server-side source code and visualize the structure of the server memory, thus, enhancing the tester's decision making process and enabling him to properly invest his time and efforts.

“The Art of Binary Diffing or how to find 0-dayz for free”

Speaker: Nikita Tarakanov

Are you sick of scrolling through hundreds of changed functions whenever Flash Player is patched? Are you fed up with Turbodiff and PatchDiff? Are you tired of earning peanuts on 1-day exploits?

Then, this talk is for you!

“How I will break your enterprise”

Speaker: Alexander Polyakov

So, you have a project to pen-test the internals of a large enterprise. Now what? The same way again, like scan, exploit, escalate? Or something more interesting? Sometimes it’s better to listen to what has been happening in the network and concentrate on key points of failure, for example, Enterprise Service Bus, and on uncommon attacks.

“MiTM attack on iOS: Methodology and consequences”

Speaker: Alexey Troshichev

How to make a user install root certificate and a review of installation consequences: control of the device via fake Push Notification Server and SSL traffic disclosure.

“Android behind the scenes: possible attacks and radical defense measures”

Speaker: Sergey Karasikov

  1. All the way from A to Z: the story of a low-level hack of HTC Desire HD eMMC memory read-only area.

    I will tell you how to write to the most restricted partition of HTC smartphones. My detective story includes reverse engineering of a Chinese device which led to unlocking and breaking HTC phones; exposure and cooperation with the true developer of the key element; a detailed description of the hack mechanism which allows removing factory read-only flags from the memory chip.
  2. Paranoid Android: creating a turncoat phone using cryptography.

    I will describe a way to create a cryptophone inside a phone so that nobody will know it is there, how to solve inevitable technical issues, and why this is the only kind of protection that 99% protects your mobile data from leaking into unwanted hands.
  3. Fake security: a review of ways to gain data from a Google phone. I will use the example of HTC Desire HD to show you how, given access to the device, it is possible to hack it and derive the data, and I will tell you about risk group segregation and special tolls which can hack a phone and replace firmware without even loading into OS (S-OFF via GoldCard with the help of XTC Clip and its counterparts).

“A story about nonexistent 0-days, stable exploits for binary applications and user interactions”

Speaker: Alisa Shevchenko

How to find a lot of 0-days in popular software quickly and how to have no problem exploiting them later? Answer: you should look into old stories and so called inexploitable bugs. We will raise the topic of Insecure Library Loading, or DLL Hijacking again to dispel the myth about them being trivial, useless and nonexistent. The talk includes non-obvious exploitation tricks, ways to ignore user interactions and other techniques which turn the vector that seems terminated at first into the shortcut to our goal.

Official support:
With participation of:
Gold sponsor:
Silver sponsors:
Prizes Sponsors:
General Media Partner:
Media Partners:
Competition organizers: