The program is still being formed. All reports have been approved by the program committee.

«Dissecting unlawful Internet activities»

Speaker: Fyodor Yarochkin

In this presentation Fyodor will discuss his experience in analyzing computer security incidents. The material is organized as a set of security incidents covering mobile malware, activity captured on honeynet infrastructure, targeted attacks (also known as APT), gray-area and commercialized computer crime activities, and more. The presentation will cover the in-depth technical details of each incident, the methods and techniques used in analyzing them, and a general interpretation of the potential motives and origins of each case. It will conclude with a set of demonstrations and a summary of the findings, cross-correlated with other known studies in this field, such as those produced by the Shadowserver project and the Honeynet project.

«Boston cybercrime matrix, or what is the business model of the modern hacker?»

Speaker: Alexey Lukatsky

The days when hackers were informal-looking youngsters who spent their nights in front of FreeBSD consoles, with the main goal of cracking a website and posting the sentence “I love Kate”, have passed. Today the world of cybercrime is totally different from what it was 3-4 years ago. Commissioned development, auctions selling malware, shadow labor exchanges, various mechanisms for cashing out the earned money, branched partner networks, marketing and advertising, support services for the viruses and trojans sold… These are the elements of a successful business model of the modern hacker community, which has transformed its activity into a real business bringing billions of dollars in revenue to its owners. Alexey Lukatsky's report will discuss how this financial backstage is built.

«Where does the money lie?»

Speaker: Alexey Sintsov

The report discusses the problems of online banking from a security point of view. In particular, it covers the real problem that legal entities face in securing the workstation of an employee who works with the client-banking software, and reveals the infrastructure vulnerabilities of banks in the face of possible threats. Moreover, many 0-day vulnerabilities in online banking systems and the common mistakes made by the developers of all popular products will be presented. And, of course, it will be shown what these lead to in terms of the probability of cash theft…

  • The most stupid RBS mistakes
  • What developers fail to do
  • How to send a payment order without an EDS?
  • Practical tips on bypassing tokens within 5 minutes
  • Attacks on the bank or a customer from the inside: what to do, a pentester's experience
  • The effectiveness of security systems (anti-fraud, IPS, firewalls)
  • Where the money lies

«Modern technologies in malware development for RBS systems»

Speaker: Alexander Matrosov, Eugene Rodionov

Over the past two years, the development of malware for RBS systems has turned from the preserve of a few cybercriminal groups into a mass threat for the clients of Russian banks. Attackers' profits exceed all conceivable limits: a single operator of a banking botnet can bring millions in profit to his employer. This year alone the number of incidents in RBS systems has doubled. The aim of this report is to describe the vulnerabilities in remote payment systems, and more precisely how they are used by attackers in the most widespread Trojan programs aimed at Russian banks. In addition, the questions of bypassing security software and of the anti-forensic methods used in modern banking Trojans will be raised.

«Splitting, smuggling and cache poisoning: come back!»

Speaker: Vladimir Vorontsov

The report focuses on new research into vulnerabilities such as HTTP response splitting, HTTP request smuggling and cache poisoning. The presentation considers the attack vectors of this type under the conditions of modern browsers and web applications, and shows the results of the new research, practical examples and a demonstration.

«About practical deobfuscation»

Speakers: Dmitry Schelkunov, Vasily Bukasov

It is no secret that the targets of reverse engineering become more and more difficult from year to year, and obfuscation technologies play far from the last role in this, particularly code virtualization technologies, which have become widely available. More and more often these technologies are used to hide malicious code, which adds to the headaches of virus analysts. Is there any way to fight this problem effectively? Is code virtualization really so scary and unapproachable?

«Kernel Pool Overflow: from Windows XP to Windows 8»

Speaker: Nikita Tarakanov

Kernel pool overflow vulnerabilities are discovered frequently, like heap overflows in userland. However, there are only a few presentations that describe exploitation techniques, and there is no public exploit that exploits a kernel pool overflow at all. The talk will cover "generic" exploitation techniques and also show different kinds of vulnerabilities where custom techniques must be applied. It will also give a technical description of the kernel pool overflow mitigations introduced in modern versions of Windows.

«UI Redressing and Clickjacking: About click fraud and data theft»

Speaker: Marcus Niemietz

This talk focuses on UI redressing and clickjacking, their different attack vectors and the countermeasures against them. The primary goals are to understand how the attack and combinations of it work, and to learn which safeguards are available. Furthermore, a case study and statistics will be shown. Last but not least, a conclusion is given with an outlook on how UI redressing can affect the future of web applications.

«Behind the Windows Update Scenes. From vulnerability to patch.»

Speaker: Andrey Beshkov

This report shows how the different programs inside Microsoft aimed at interaction with security researchers and vulnerability brokers work: how vulnerability data is accepted and processed; how vulnerability verification, variant analysis, classification and the decision on what to do next with the vulnerability are conducted. Questions of testing the produced patches will also be covered. You will learn why patches are released monthly. Then we will talk about providing stable updates to more than a billion systems on the planet. The most frequent ways exploits appear in the first 30 days after a patch release will be shown, as well as how Microsoft shares data with security partners so that they can protect clients who do not have time to update during the first month, with the help of updates to IDS/IPS and antivirus products. The influence of 0-day vulnerabilities on the overall security landscape of Microsoft products will also be discussed. All the data given in the report is gathered from 600 million PCs in 117 countries.

«Post Memory Corruption Memory Analysis.»

Speaker: Jonathan Brossard

In this presentation, we introduce a new exploitation methodology for invalid memory reads and writes, based on dataflow analysis after a memory corruption bug has occurred inside a running process.

We will expose a methodology which helps in writing a reliable exploit out of a PoC triggering an invalid memory write, in the presence of security defense mechanisms such as compiler enhancements (full RELRO, SSP...) or kernel anti-exploitation features (ASLR, NX...).

We will demonstrate how to find all the function pointers inside a running process, how to determine which ones would have been dereferenced after the crash, and which ones are truncatable (in particular with 0x00000000). In case all of the above fail, we show how to test for overwrites of specific locations in order to indirectly trigger a second vulnerability allowing greater control and eventually control flow hijacking. All of the above without source code, indeed.

In the case of invalid memory reads, we will exemplify how to indirectly influence the control flow of execution by reading arbitrary values, how to trace all the unaligned memory accesses, and how to test whether an invalid read can be turned into an invalid write or used to infer the mapping of the binary.

We will also introduce a new debugging technique which allows for very effective testing of all of the above by forcing the debugged process to fork(), automatically, and with a rating of the best read/write locations based on the probabilities of mapping addresses (because of ASLR).

Finally, since overwriting function pointers doesn't allow direct shellcode execution because of W^X mappings, we introduce a new exploitation technique which works even in the most hardcore kernels such as grsecurity. It is called "stack desynchronization" and allows frame faking inside the stack itself.

These techniques are implemented in the form of a proof-of-concept tool available under the Apache 2.0 license at: .

«How to hack a telecom and stay alive»

Speaker: Sergey Gordeychik

Penetration testing of telecommunication companies' networks is one of the most complicated and interesting tasks of its kind. Millions of IPs, thousands of nodes, hundreds of web servers, and only one spare month. What challenges await an auditor during telecom network testing? What should one pay attention to? How can the working time be used more effectively? Why is the subscriber more dangerous than the hacker? Why is the contractor more dangerous than the subscriber? How to connect a vulnerability with financial losses? Sergey Gordeychik will talk about this, and about the most significant and funny cases from penetration testing of telecommunication networks, in his report.

«Security Development Lifecycle Tools»

Speaker: Ivan Medvedev

The talk will give a quick overview of Microsoft's Security Development Lifecycle, discuss the SDL security tools and explain how using them during development and testing can make software more secure. It will cover tools like the SDL Threat Modeling Tool, SDL BinScope, Attack Surface Analyzer (ASA), the !exploitable debugger plugin and some others.

«Joint anti-crime. Open source security.»

Speaker: Anton Bolshakov

The report is devoted to the forthcoming launch of Pentoo 2012 and the security and computer forensics utilities that will be included in it, as well as the build method, the complexity and simplicity of its use, and the way it is supported. It will also cover who is responsible for it and how this distribution affects open source systems as a whole.

«3G and LTE insecurity: from the radio to the core network and protocols.»

Speaker: Philippe Langlois

Telecom security is way more than SIP-breaking some peripheral PBXs and raking in a few thousand dollars of free calls. From the formerly closed garden of SS7 to new all-IP telecom protocols such as Diameter and the LTE protocols, the telecom domain now faces the challenges of availability (one minute of downtime literally costs millions), signaling vulnerabilities cutting down entire countries and causing massive frauds, and all-new networking protocols. These new telecom protocols are rolled out in an IP-centric fashion, with its myriad of standard IP security pitfalls and vulnerabilities, as well as very specific telecom vulnerabilities. The HLR not only uses TCP/IP for OAM and business workflow but, now being named an HSS, it also uses IP-only protocols such as Diameter for its Core Network signaling operations. That means telecoms now face new security risks both in terms of exposure and of threats, with their Core Network exposed to unsophisticated IP-centered attackers and to the continuous waves of telecom-centered defrauders. In this presentation, we'll demo the new technologies of 3G and LTE networks and how to attack and defend them. We'll also show what kind of exposure telecom companies, Mobile Network Operators and SS7 providers present to external attackers.
