On June 17 and 18, the second international conference on practical cybersecurity OFFZONE 2019 was held in Moscow as part of the Global Cyber Week. The organizer—BI.ZONE—partnered up with Mail.Ru, QIWI, Sberbank CS, Swordfish Security, and VisionLabs to deliver this high-quality event.
Over the course of two days, 1,600 people, among whom were active cybersecurity practitioners, developers, engineers, researchers, lecturers, and students from more than 20 countries, visited the Digital Business Space venue. Over 60 cybersecurity experts from Russia, Europe, Asia, and America shared their experiences with the attendees.
The main theme of the conference this year was the vulnerability of hardware. Evgeny Voloshin of BI.ZONE presented the results of the company’s global review, “Attacks on embedded systems,” which were addressed to managers and specialist engineers.
Evgeny Voloshin, Chief Security Officer, BI.ZONE, “As the leitmotif of the OFFZONE conference in 2019, we chose attacks on embedded systems. Vulnerabilities in hardware are not given due attention, unlike the due diligence afforded to software, but modern hardware has the same problems as software: trojans, backdoors, etc. At the conference, not only did we offer practical information on attacks and measures to fend them off, but also actively raised questions of the need for a proactive approach to the security of joint-stock companies both at the level of individual companies and the industry as a whole.”
Yuri Kupashev, Lead Reverse Engineer, BI.ZONE, “The peculiarity of hardware vulnerabilities is that they arise not only because of development errors, but also because of physical side effects or failures when working in stressful conditions. In other words, if the device had not been introduced to protective mechanisms at the stage of creation, it will by default be vulnerable to hardware attacks. For whole classes of such attacks, there is enough equipment that is freely available to buy and is comparable in price to a smartphone. Hacking a secure device, however, will not work without a specialized laboratory and equipment worth hundreds of thousands of dollars. Unfortunately, protected devices today are a minority.”
The educational marathon of the first day began with a speech from the Head of Offensive Hardware and Firmware Research for NVIDIA’s main product lines, Alexander Matrosov, on the topic “The evolution of complex threats: an arms race between the analyst and the attacker.” In his report, Alexander explored how the approaches to reverse analysis and forensics have changed recently, talked about the blind spots in protection systems, focusing on what needs to be improved in order to continue the race toward evolving more effective protection.
The key speaker of the second day was Rodrigo Branco, Chief Security Researcher at Intel, who has more than 10 years of experience in the field of cybersecurity. Branco talked about “the machine from the inside”—how ethical hacking determines the methods of our calculations. In his speech, Rodrigo gave his own expertise on the most effective attack prevention schemes, explained what an exploit is, and also shared information on how large corporations ensure their own security by focusing on the most vulnerable points.
Finance.Zone, which covered topical issues of payment card security, vulnerabilities of POS terminals, fraud and anti-fraud, was opened on the second day of the conference. The lineup for Finance.Zone consisted of specialists from BI.ZONE, Kaspersky Lab, QIWI, Cybertonica, and Positive Technologies presenting their reports on security in financial services.
Boris Ivanov, Computer Incident Investigation Specialist, BI.ZONE, “In Russia, 86% of users of digital banking services prefer to access the Internet from smartphones. And the vast majority of smartphones are based on Android OS: for example, in the third quarter of 2018, their share in the total number of released devices was 87%. Because of this, the majority of mobile phone malware is targeted at Android devices. According to our statistics, each class of such programs infects an average of 7,400 devices every week. After infecting a smartphone, fraudsters get full access to the device, including online banking and account management.”
Aside from the educational part, the OFFZONE 2019 conference offered a lot of interactive entertainment—the conference goers spent time looking for vulnerabilities in smart devices, upgraded their badges in the soldering zone, competed in esports tournaments and got real postapocalyptic-style tattoos. For every completed task, the participants were awarded Offcoins, the conference currency. The coins were credited to their badges and could be exchanged for T-shirts, posters, and other OFFZONE merch.