Finance.Zone

All about cybersecurity in finance

Have you ever wondered how fintech projects and banking infrastructures get attacked? How the organizations protect against attacks? How cybersecurity works in the world of finance? If yes, make sure you come around to Finance.Zone.

August 25

August 25
11:00–11:10
Opening ceremony
Track 1
Russian
August 25
11:00–11:45
Dahua IP camera. Where to look, what to poke?
DC&HW.Zone
Russian
Yuri will talk about the practical research of the security of an IP‑camera from a well‑known vendor. In the report, the speaker will look at the encryption algorithms used by the manufacturer to protect the device firmware, followed by reverse‑engineering of these algorithms ...
August 25
11:10–12:00
Notes of a traveler between realms: IS and IT
Track 1
Russian
Most large and medium‑sized companies, regardless of the industry, have moved beyond just having the internal IT infrastructure. While proprietory software development is already the standard rather than the exception, this process poses new security risks and threats ...
August 25
11:50–12:30
Turning an ordinary SSD drive into two with reverse engineering
DC&HW.Zone
Russian
Nikita is going to look at the process of reversing the firmware of the NVME‑to‑USB adapter and demonstrate the process of organizing dual‑booting the laptop with the modified adapter ...
August 25
12:00–13:00
pypi.sos()—analyzing open‑source project repositories for trojans
Track 1
Russian
Every month, malicious packages are reported to be found and neutralized in the PyPI, npm, and RubyGems repositories. They steal AWS tokens, payment card data, browser passwords, and other sensitive information. Open‑source projects appear to be a great opportunity for information security vendors to demonstrate their ...
August 25
12:00–13:00
ATM security for newbies
Finance.Zone
Russian
The report is about ATM security analysis, beginning with the simplest and most common cases. The consequences of not ensuring proper security will be demonstrated using real‑life examples. We will also analyze possible attack scenarios and talk about how ATMs are actually protected nowadays ...
August 25
12:00–13:00
The insidious world of open-source through the developer's and the user's eyes
AppSec.Zone
Russian
We all use open‑source software and enjoy the variety and functionality of programs that have been created for us. The downside of flexibility and functionality is the possibility of making a mistake that leads to vulnerabilities in the design, code, and configuration of applications. This talk ...
August 25
12:00–20:00
Exploiting the Linux kernel
Workshop
Russian
The workshop will guide you into the basics of Linux kernel security. In a series of exercise‑driven labs, you are going to explore the process of exploiting kernel bugs in modern Linux distributions on the x86‑64 architecture ...
August 25
12:30–13:15
AMD PSP UEFI Firmware Structure
DC&HW.Zone
Russian
During the Summ3r of h4ck internship at DSec, the speaker chose the topic of AMD PSP research and writing a dumper of PEI phase files. Given the ridiculous shortage of material on this topic on the Internet in any language, the speaker decided to talk about how the UEFI firmware works for devices containing ...
August 25
13:00–14:00
Mobile (Fail)rensics
Track 1
Russian
This report examines the method of obtaining access to protected data stored on mobile devices in the context of forensic analysis without a password. This appears to be extremely complicated, but for a number of devices (Huawei P9, Samsung A5 2016) it is feasible due to the presence ...
August 25
13:00–14:00
Android security in POS terminals
Finance.Zone
Russian
In the report Eugene will give insight into the actual situation on the market and demonstrate the hacking of the five most popular POS terminals ...
August 25
13:00–14:00
CTF in a bank. Hack the system, get the ca$h
AppSec.Zone
Russian
A CTF‑style cybersecurity competition is part of a training program on secure design and programming of information systems. The CTF allows developers to get hands‑on experience with typical vulnerabilities and exploitation techniques to avoid any such vulnerabilities in released products ...
August 25
13:00–14:30
BI.ZONE Bug Bounty platform release
Press.Zone
Russian
The BI.ZONE team will take the opportunity at OFFZONE to showcase the platform interface, demonstrate which companies the product is designed for, and explain the process of earning rewards for bug hunters ...
August 25
13:30–14:45
Сryptocurrencies and Privacy Аspects
DC&HW.Zone
Russian
Walls have ears and houses have eyes. The report is dedicated to the privacy and anonymity of cryptocurrencies. It will be useful for newcomers to learn about the principles of blockchain, and advanced users will learn more about ensuring their own privacy ...
August 25
14:00–15:00
Kubernetes security: deception phase
Track 1
Russian
The deception phase of information systems security is often unjustifiably neglected. Even though it can be used to provoke an intruder, who is trying to infiltrate your system or has already done so, to expose themselves and thereby detect them ...
August 25
14:00–15:00
Payment application vulnerabilities
Finance.Zone
Russian
The speakers will talk about their experience in testing payment applications and about interesting vulnerabilities that they have come across in real projects ...
August 25
14:00–15:00
How Privacy Sandbox broke the web, but promised to fix it
AppSec.Zone
Russian
What is a Privacy Sandbox? What problems are being solved with it, and what problems are eventually created by rejecting third‑party cookies? Let’s discuss the proposed technologies (FPS, CHIPS, FedCM, etc.) and the current status of their adoption ...
August 25
14:45–15:45
August 25
15:00–16:00
Fork Bomb For Flutter
Track 1
Russian
You can come across Flutter applications in security analysis projects or bug bounty programs. Most often, such assets are simply overlooked due to the lack of methodologies and ways to reverse engineer them ...
August 25
15:00–16:00
Tinkoff craft Anti‑Phishing
Finance.Zone
Russian
In this report, Pavel presents Tinkoff’s in‑house system developed for checking the resilience of its employees to phishing attacks ...
August 25
15:00–16:00
Using tokens for secrets search or imitating SAST
AppSec.Zone
Russian
Finding secrets in a codebase is an essential stage of any mature SDLC. This report is about Avito’s approach to finding secrets in their codebase and docker images. The speaker will talk in depth about the process in the context of SDLC, why the current open source does not cover all needs, and most ...
August 25
16:00–17:00
How to deal with bad pentests when you are a bad pentester
Track 1
Russian
A story of one bad pentest, which teaches us that even an absolutely hopeless situation can be dealt with if you think carefully and believe in yourself ...
August 25
16:00–17:00
Corporate Cryptocurrency Wallet Management
Finance.Zone
Russian
There is a trend toward the possible use of cryptocurrencies at the corporate level. The speaker will share how to minimize mistakes when it comes to implementation. The report compiles the main technologies and practices that will allow corporations to use cryptocurrency for settlements safely ...
August 25
16:00–17:00
Ultimate Open-Source SAST
AppSec.Zone
Russian
This presentation will cover SAST Semgrep and its integration into CI/CD. It will explore the basics of writing own scanning rules ...
August 25
16:00–17:00
Anti-Panopticum & Privacy Problems
DC&HW.Zone
Russian
The word panopticum literally translates from the Greek as “the place where you can see everything.” In the report the audience will learn about the technologies to ensure their own privacy. Cryptographic methods of protection will be discussed for the most part ...
August 25
17:00–18:00
FHRP Nightmare
Track 1
Russian
The organization of fault tolerance systems in corporate networks is a crucial link in order to make a computer network more reliable. This research delves into FHRPs and what they can mean for a pentester during a network attack ...
August 25
17:00–17:30
The specifics of modern web application security analysis. Goodbye, injection!
AppSec.Zone
Russian
Modern frameworks eliminate a whole layer of security issues that were commonplace just a few years ago. In the report, the speaker will show what the security analysis of modern web applications looks like and share his experience in improving the efficiency of this approach ...
August 25
17:00–19:00
A full review of YubiKey, passwordLess with examples of practical use, and TPM
DC&HW.Zone
Russian
The speakers will give a detailed overview of Yubikey security keys, using such tools as GPG, U2F (FIDO/FIDO2), OTP, Git. They will show how to use passwordless, how to use TPM in Linux, and how to store SSH keys in it ...
August 25
17:30–18:00
Mistakes We Make: SDLC Implementation
AppSec.Zone
Russian
The report talks about the mistakes that the speaker made when implementing SDLC from scratch and the lessons learned from these mistakes that may help in the future ...
August 25
18:00–19:00
Application Security Design Antipatterns
Track 1
Russian
Security antipatterns are common insecure application design practices. Without realizing it, such patterns “leave land mines” in the application’s core, which leads to recurring vulnerabilities and security issues. Meanwhile, all that patching can cost a fortune, especially in mature services ...
August 25
18:00–19:00
Upgradeable smart contracts security
Finance.Zone
Russian
One of the fundamental properties of blockchain is the impossibility of data spoofing (immutability). However, not all smart contracts have immutable code. A common practice is to use the contract logic update template with the help of a proxy. You have to be very careful when updating implementation ...