Agenda

Schedule

August 25–26, 2022

August 25

11:00–11:10

Opening ceremony

Track 1

Russian

August 25

11:00–11:45

Dahua IP camera. Where to look, what to poke?

DC&HW.Zone

Russian

Yuri will talk about the practical research of the security of an IP‑camera from a well‑known vendor. In the report, the speaker will look at the encryption algorithms used by the manufacturer to protect the device firmware, followed by reverse‑engineering of these algorithms ...

Yuri Vasin

Security Researcher, Raccoon Security

Presentation

August 25

11:10–12:00

Notes of a traveler between realms: IS and IT

Track 1

Russian

Most large and medium‑sized companies, regardless of the industry, have moved beyond just having the internal IT infrastructure. While proprietory software development is already the standard rather than the exception, this process poses new security risks and threats ...

Dmitriy Evdokimov

Founder and CTO, Luntry

Presentation

August 25

11:50–12:30

Turning an ordinary SSD drive into two with reverse engineering

DC&HW.Zone

Russian

Nikita is going to look at the process of reversing the firmware of the NVME‑to‑USB adapter and demonstrate the process of organizing dual‑booting the laptop with the modified adapter ...

Nikita Firsov

Security Researcher, Raccoon Security

Presentation

August 25

12:00–13:00

pypi.sos()—analyzing open‑source project repositories for trojans

Track 1

Russian

Every month, malicious packages are reported to be found and neutralized in the PyPI, npm, and RubyGems repositories. They steal AWS tokens, payment card data, browser passwords, and other sensitive information. Open‑source projects appear to be a great opportunity for information security vendors to demonstrate their ...

Stanislav Rakovsky

TI Specialist, Positive Technologies Expert Security Center (PT ESC)

Presentation

August 25

12:00–13:00

ATM security for newbies

Finance.Zone

Russian

The report is about ATM security analysis, beginning with the simplest and most common cases. The consequences of not ensuring proper security will be demonstrated using real‑life examples. We will also analyze possible attack scenarios and talk about how ATMs are actually protected nowadays ...

Maxim Kostikov

Deputy Head of Application Security Analysis, Positive Technologies

Presentation

August 25

12:00–13:00

The insidious world of open-source through the developer's and the user's eyes

AppSec.Zone

Russian

We all use open‑source software and enjoy the variety and functionality of programs that have been created for us. The downside of flexibility and functionality is the possibility of making a mistake that leads to vulnerabilities in the design, code, and configuration of applications. This talk ...

Michael Markevich

Security advisor

Presentation

August 25

12:00–20:00

Exploiting the Linux kernel

Workshop

Russian

The workshop will guide you into the basics of Linux kernel security. In a series of exercise‑driven labs, you are going to explore the process of exploiting kernel bugs in modern Linux distributions on the x86‑64 architecture ...

Andrey Konovalov

Security researcher

August 25

12:30–13:15

AMD PSP UEFI Firmware Structure

DC&HW.Zone

Russian

During the Summ3r of h4ck internship at DSec, the speaker chose the topic of AMD PSP research and writing a dumper of PEI phase files. Given the ridiculous shortage of material on this topic on the Internet in any language, the speaker decided to talk about how the UEFI firmware works for devices containing ...

Georgy Zaitsev

kks

Presentation

August 25

13:00–14:00

Mobile (Fail)rensics

Track 1

Russian

This report examines the method of obtaining access to protected data stored on mobile devices in the context of forensic analysis without a password. This appears to be extremely complicated, but for a number of devices (Huawei P9, Samsung A5 2016) it is feasible due to the presence ...

Georgy Khoruzhenko

Independent security researcher

Presentation

August 25

13:00–14:00

Android security in POS terminals

Finance.Zone

Russian

In the report Eugene will give insight into the actual situation on the market and demonstrate the hacking of the five most popular POS terminals ...

Eugene Kotsareu

Teamlead, Evotor OS team, Evotor LLC

August 25

13:00–14:00

CTF in a bank. Hack the system, get the ca$h

AppSec.Zone

Russian

A CTF‑style cybersecurity competition is part of a training program on secure design and programming of information systems. The CTF allows developers to get hands‑on experience with typical vulnerabilities and exploitation techniques to avoid any such vulnerabilities in released products ...

Nikolai Klendar

Head of Information Security, Home Credit Bank

Presentation

August 25

13:00–14:30

BI.ZONE Bug Bounty platform release

Press.Zone

Russian

The BI.ZONE team will take the opportunity at OFFZONE to showcase the platform interface, demonstrate which companies the product is designed for, and explain the process of earning rewards for bug hunters ...

August 25

13:30–14:45

Сryptocurrencies and Privacy Аspects

DC&HW.Zone

Russian

Walls have ears and houses have eyes. The report is dedicated to the privacy and anonymity of cryptocurrencies. It will be useful for newcomers to learn about the principles of blockchain, and advanced users will learn more about ensuring their own privacy ...

Curiv

Founder of DC7342

August 25

14:00–15:00

Kubernetes security: deception phase

Track 1

Russian

The deception phase of information systems security is often unjustifiably neglected. Even though it can be used to provoke an intruder, who is trying to infiltrate your system or has already done so, to expose themselves and thereby detect them ...

Dmitriy Evdokimov

Founder and CTO, Luntry

Presentation

August 25

14:00–15:00

Payment application vulnerabilities

Finance.Zone

Russian

The speakers will talk about their experience in testing payment applications and about interesting vulnerabilities that they have come across in real projects ...

Anton Ostrokonskiy

Head of Research Lab, Deiteriy

Denis Derevtsov

Pentester, Deiteriy

Presentation

August 25

14:00–15:00

How Privacy Sandbox broke the web, but promised to fix it

AppSec.Zone

Russian

What is a Privacy Sandbox? What problems are being solved with it, and what problems are eventually created by rejecting third‑party cookies? Let’s discuss the proposed technologies (FPS, CHIPS, FedCM, etc.) and the current status of their adoption ...

Denis Rybin

Head of AppSec Mail.ru, VK

Presentation

August 25

14:45–15:45

Investigating cryptocurrency

DC&HW.Zone

Russian

Gospodin Sobaka

NDA

August 25

15:00–16:00

Fork Bomb For Flutter

Track 1

Russian

You can come across Flutter applications in security analysis projects or bug bounty programs. Most often, such assets are simply overlooked due to the lack of methodologies and ways to reverse engineer them ...

Filip Nikiforov

Senior Mobile AppSec Analyst, Positive Technologies

Presentation

August 25

15:00–16:00

Tinkoff craft Anti‑Phishing

Finance.Zone

Russian

In this report, Pavel presents Tinkoff’s in‑house system developed for checking the resilience of its employees to phishing attacks ...

Pavel Zherelin

Head of Infrastructure Security, Tinkoff

Presentation

August 25

15:00–16:00

Using tokens for secrets search or imitating SAST

AppSec.Zone

Russian

Finding secrets in a codebase is an essential stage of any mature SDLC. This report is about Avito’s approach to finding secrets in their codebase and docker images. The speaker will talk in depth about the process in the context of SDLC, why the current open source does not cover all needs, and most ...

Nikolai Khechumov

Senior Security Engineer, Avito

Presentation

August 25

16:00–17:00

How to deal with bad pentests when you are a bad pentester

Track 1

Russian

A story of one bad pentest, which teaches us that even an absolutely hopeless situation can be dealt with if you think carefully and believe in yourself ...

Pavel Toporkov

Independent security researcher

Presentation

August 25

16:00–17:00

Corporate Cryptocurrency Wallet Management

Finance.Zone

Russian

There is a trend toward the possible use of cryptocurrencies at the corporate level. The speaker will share how to minimize mistakes when it comes to implementation. The report compiles the main technologies and practices that will allow corporations to use cryptocurrency for settlements safely ...

Valery Tyukhmenev

Application Security Engineer, Exness

Presentation

August 25

16:00–17:00

Ultimate Open-Source SAST

AppSec.Zone

Russian

This presentation will cover SAST Semgrep and its integration into CI/CD. It will explore the basics of writing own scanning rules ...

Alexander Gerasimov

Founder of Awillix

Presentation

August 25

16:00–17:00

Anti-Panopticum & Privacy Problems

DC&HW.Zone

Russian

The word panopticum literally translates from the Greek as “the place where you can see everything.” In the report the audience will learn about the technologies to ensure their own privacy. Cryptographic methods of protection will be discussed for the most part ...

Curiv

Founder of DC7342

August 25

17:00–18:00

FHRP Nightmare

Track 1

Russian

The organization of fault tolerance systems in corporate networks is a crucial link in order to make a computer network more reliable. This research delves into FHRPs and what they can mean for a pentester during a network attack ...

Magama Bazarov

Security engineer

Presentation

August 25

17:00–17:30

The specifics of modern web application security analysis. Goodbye, injection!

AppSec.Zone

Russian

Modern frameworks eliminate a whole layer of security issues that were commonplace just a few years ago. In the report, the speaker will show what the security analysis of modern web applications looks like and share his experience in improving the efficiency of this approach ...

Egor Bogomolov

Security Expert, Founder of Singleton Security, CEO of CyberEd

Presentation

August 25

17:00–19:00

A full review of YubiKey, passwordLess with examples of practical use, and TPM

DC&HW.Zone

Russian

The speakers will give a detailed overview of Yubikey security keys, using such tools as GPG, U2F (FIDO/FIDO2), OTP, Git. They will show how to use passwordless, how to use TPM in Linux, and how to store SSH keys in it ...

Andrey Zinovyev

Cyberprotect

n0nvme

EC 1337

Presentation

August 25

17:30–18:00

Mistakes We Make: SDLC Implementation

AppSec.Zone

Russian

The report talks about the mistakes that the speaker made when implementing SDLC from scratch and the lessons learned from these mistakes that may help in the future ...

Artsem Kadushko

Application Security Engineer

Presentation

August 25

18:00–19:00

Application Security Design Antipatterns

Track 1

Russian

Security antipatterns are common insecure application design practices. Without realizing it, such patterns “leave land mines” in the application’s core, which leads to recurring vulnerabilities and security issues. Meanwhile, all that patching can cost a fortune, especially in mature services ...

Aleksei Meshcheriakov

Security Engineer

Presentation

August 25

18:00–19:00

Upgradeable smart contracts security

Finance.Zone

Russian

One of the fundamental properties of blockchain is the impossibility of data spoofing (immutability). However, not all smart contracts have immutable code. A common practice is to use the contract logic update template with the help of a proxy. You have to be very careful when updating implementation ...

Arseniy Reutov

CTO, Decurity

Presentation

August 26

11:00–12:00

Hi! Can I charge my phone?

Track 1

Russian

Nowadays, USB cables are not so simple and harmless as you may think. Some of them may be hiding secrets. Really dangerous secrets. Are you sure this USB cable connected to your laptop is only for charging that kind dude’s phone ...

Nikita Panov

Independent expert, digital forensics specialist, community leader at 4n6.ru

Presentation

August 26

11:00–12:00

Machine learning security

Track 2

Russian

This report focuses on attacks that target machine learning systems. What are the dangers of such attacks? How difficult is it to prevent them? The speaker will talk about some of the things required from a security expert, and why this is so fascinating ...

Danila Emelyanov

Leading Mathematician at the Information and Network Security Lab, Kryptonite Research and Production Company

Presentation

August 26

11:00–12:30

LockPick: the autopsy will tell

DC&HW.Zone

Russian

The report consists of three parts, in which the construction of locks, attacks on them, and defense mechanisms are analyzed step by step. We will also talk about the different tools used by lockpickers and go a bit deeper into the history ...

ostara

Independent IS researcher, B4CKSP4CE

August 26

11:30–14:30

Take me to LPE. DLL hijacking, side‑loading and other

Workshop

Russian

You will learn how adversaries can use standard utilities (LOLBAS) and legitimate applications to attack Windows devices in 2022 ...

Vladislav Burtsev

Threat Intelligence Analyst, Kaspersky

August 26

12:00–13:00

APT attacks on Russian companies in H1 2022: highlights

Track 1

Russian

Since the beginning of 2022, PT ESC analysts have been recording a surge in targeted attacks on companies in Russia. Based on the data acquired as a result of incident response activities and threat intelligence gathering, the report examines the most interesting attacks out of those detected. It also ...

Aleksandr Grigorian

Threat Researcher, Positive Technologies Expert Security Center (PT ESC)

Daniil Koloskov

Malware Researcher, Positive Technologies Expert Security Center (PT ESC)

Presentation

August 26

12:00–13:00

Developing UEFI modules and debugging them without NDA

Track 2

Russian

The report focuses on the firmware that is built into the motherboard—namely, UEFI (unified extensible firmware interface)—and the development of modules with subsequent debugging ...

Mars

Independent security researcher

Alx14

Independent security researcher

Presentation

August 26

12:00–13:00

Threat modeling without the headache

AppSec.Zone

Russian

The classical approach to threat modeling has long proved inefficient. Then again, developers never execute the requirements for the threat model. The reasons behind that and the ways to streamline the process are explored in Svetlana’s report ...

Svetlana Gazizova

Head of Application Security Audit, Swordfish Security

Presentation

August 26

12:30–14:00

RFID

DC&HW.Zone

Russian

Electronic pass cards are a staple of our everyday lives, especially in the corporate segment. Find out in practice what lies under the hood of RFID and why most of the electronic passes are vulnerable ...

nipnull

Independent researcher

soxoj

DC7495

August 26

13:00–14:00

Microsoft cloud authentication tokens—there are no more secrets

Track 1

Russian

The lecture is about authentication and authorization in Microsoft Office 365. You will learn how the office applications such as Outlook, OneDrive, Teams, Word, Excel, and the Windows operating system as such are authorized on cloud servers. Specifically, where and how they store their access tokens, what DPAPI (Data Protection API), ...

Konstantin Evdokimov

Researcher, pentester, redteam specialist; Head of MIS‑Team, "M 13"

Nikolay Dolbin

Senior Researcher, Cybersecurity Department, Sber

Presentation

August 26

13:00–14:00

Missed Opportunity: Detecting Legitimate Third-Party Tools Abused by the Threat Actors

Track 2

Russian

Threat actors are known to use various features of operating systems to achieve their goals. However, sometimes it is not enough, so they may employ legitimate third‑party tools that are most unlikely to be detected by security solutions. For example, to perform Active Directory reconnaissance, an adversary may ...

Oleg Skulkin

Head of Digital Forensics and Malware Analysis Lab, Group‑IB

Presentation

August 26

13:00–14:00

Knowledge is power or How to build your own AppSec competence center

AppSec.Zone

Russian

In the course of our work, we often encounter a negative attitude of developers toward the security department, and sometimes there’s hardly anyone aware of its existence. How to foster the relationship between security and development? How to make developers our allies and get them interested in safe coding? How to remind ...

Yury Shabalin

Senior Information Security Architect, Swordfish Security

Presentation

August 26

14:00–15:00

Chasing Evil: Modern Approaches to Anomaly Detection in Windows Infrastructures with LDAP and RPC Monitoring

Track 1

Russian

Once a user account is compromised, an intruder has a foothold to attack the Active Directory domain. One of the primary tasks of the attacker at this stage is to collect information about domain objects for privilege escalation. While there is a great variety of enumeration tools, all of them, however, ...

Maxim Tumakov

Principal Analyst of Cyber Defense Center, BI.ZONE

Presentation

August 26

14:00–14:30

Malicious browser extensions

Track 2

Russian

An excursion into what browser extensions can conceal based on the analysis of malicious samples. How do hackers use extensions? Why are the efforts of browser developers insufficient to address this problem? And how to avoid taking the bait ...

Ilsaf Nabiullin

Penetration Tester, Innostage

Presentation

August 26

14:00–14:30

Why you should NOT hire DevSecOps engineers

AppSec.Zone

Russian

Everybody knows that building and maintaining SDLC (Software Development Life Cycle) can be done by a DevOps engineer. Many would think that a DevSecOps engineer can turn SDLC into SSDLC (Secure SDLC), but these expectations are somewhat unrealistic ...

Ilya Polyakov

Head of Source Code Analysis, Angara Security

Presentation

August 26

14:00–15:00

How to write killer content

Press.Zone

Russian

Being a qualified professional, at some point, you will need to be able to put your experience into words. Where to get the motivation to start your article? How to overcome your fear ...

Andrei Pismennyy

Editor‑in‑Chief Xakep.ru

August 26

14:30–15:00

Attacks on AI made easy

Track 2

Russian

The results produced by AI are more often than not astonishing, but nevertheless, machines are not flawless. The cost of mistakes increases when dealing with security—for hackers, AI can be just an additional high‑impact attack vector ...

Elizaveta Tishina

Security Analysis Specialist, DeteAct

Presentation

August 26

14:30–15:00

Do you really want to know what happens inside your dependencies?

AppSec.Zone

Russian

Building software on top of open‑source libraries and packages has become the norm. Modern languages and frameworks, like Python, Node.js, Go, Rust encourage developers to just “download and execute” whatever is offered by third‑party repositories without thinking much about the consequences ...

Leonid Bezvershenko

Junior Security Researcher, Kaspersky

Igor Kuznetsov

Chief Security Researcher, Kaspersky

Presentation

August 26

15:00–16:00

Local privilege escalation on Apple devices

Track 1

Russian

Apple has been introducing various security mitigations for years. Since macOS Big Sur / iOS 14, exploiting kernel memory corruption has been made a lot more difficult by introducing memory sequestering and kernel heaps. Apple continued to sabotage attackers’ efforts by introducing more mitigations against memory corruption vulnerabilities ...

Nikita Tarakanov

Independent security researcher

August 26

15:00–15:30

Secure ML modeling

Track 2

Russian

The report talks about improving the security of machine learning models at various stages of development. It introduces a list of adversarial attacks and their use in model training and testing, as well as the security of the environment when training and running models ...

Vitaly Bolokhovtsev

AppSec Engineer, Sber

Presentation

August 26

15:00–16:00

Grand DevSecOps myths and legends: the experience of a bank

AppSec.Zone

Russian

This report is about the experience of introducing and developing DevSecOps in three domains: technology, processes, and people. The speakers are going to talk about the things you can expect while implementing the Sec part of DevOps, which is applied to thousands of applications. Furthermore, you will see what ...

Karina Petrova

DevSecOps Analyst, Sber

Nikita Tazhbenov

DevSecOps Engineer, Sber

Presentation

August 26

15:00–16:30

Classics of Wi‑Fi pentest

DC&HW.Zone

Russian

Although it seems that the Wi-Fi network has been completely explored inside and out, it is still full of vulnerabilities. At the DC stand, you can practice finding and exploiting current vulnerabilities ...

Sergey Ivashchenko

Pentester, Jet Infosystems

Evgeny Artemyev

Pentester, Jet Infosystems

Presentation

August 26

15:30–16:00

Osinter's Notes

Track 2

Russian

The report contains information about OSINT techniques for penetration testing. The cases presented illustrate the benefits of these techniques for different specialists ...

Alexander Goncharov

Engineer and Pentester, Innostage

Presentation

August 26

15:30–18.30

Finding vulnerabilities in image parsers in practice

Workshop

Russian

Everyone knows about popular vulnerabilities in media content parsers like ImageMagick or such novelties as vulnerabilities in librsvg. But most experts do not examine these vulnerabilities broadly or persistently enough. All because it is not always obvious and you need to predict the behavior of a vulnerable library ...

Egor Bogomolov

Security Expert, Founder of Singleton Security, CEO of CyberEd

August 26

16:00–17:00

А small mistake. A story of 5G router research

Track 1

Russian

The report is dedicated to the OPPO 5G router security research. It explores the steps to getting RCE without having firmware and without physically manipulating the device. Other detected vulnerabilities will also be demonstrated ...

Georgii Kiguradze

Application Assessment Expert, Positive Technologies

Presentation

August 26

16:00–16:30

FreeIPA Pentesting

Track 2

Russian

It’s not uncommon that client infrastructures are deployed under a standard scheme that uses Active Directory. The algorithm for testing such infrastructures is continuously being perfected throughout the years: it’s now clear what steps to take, what to look out for, what types of attacks to run, how to evade ...

Olga Karelova

Independent security researcher, redteamer

Presentation

August 26

16:00–17:00

Vulnerability management for dummies or How to train your automation

AppSec.Zone

Russian

This report will talk about vulnerability management for SecOps and AppSec, specifically, how to automate the process in such a way as to achieve maximum efficiency in the end, and, at the same time, spend minimum resources of the information security team ...

Roza Abdullaeva

Infrastructure Security Engineer, PS Development

Dmitriy Sherstoboyev

Application Security Engineer, PS Development

Presentation

August 26

16:30–17:00

Undocumented features of some Burp Suite extensions

Track 2

Russian

This report looks at the known Burp Suite extensions, mostly by James Kettle. Since many of the known extensions have only a brief description, this sets a significant entry threshold for use. The presentation covers extensions such as Turbo Intruder, Hackvertor, and others with the purpose of reducing the difficulty ...

Ilya Danenkov

Pentester, Deiteriy

Presentation

August 26

16:30–18:00

Recovering encrypted data from damaged media

DC&HW.Zone

Russian

Quest report: during a counter‑terrorist operation, the special forces obtained some data carriers, which contain data that would compromise the activities of the terrorist group. The media includes a memory stick and a hard drive. Since the operation was carried out with the use of brutal physical force, the data ...

}{отт@бь)ч

DC78182

Jane Tehhi

DC78182

Presentation

August 26

17:00–17:30

Fishnet Framework—Intuitive Penetration Testing

Track 2

Russian

Fishnet Framework is a powerful and multitasking web‑based collaboration and automated penetration testing platform. The main goal of Fishnet is to provide an understandable set of tools that everyone, from an office clerk to a professional security researcher, can access ...

Ivan Nikolsky

Independent security researcher; Founder and leader of the EntySec team

Presentation

August 26

17:00–18:00

Current application security issues in the financial sector and how we solved them

AppSec.Zone

Russian

This report focuses on the security problems and real cases in financial organizations. Aleksey will talk about the current challenges of the last couple of years (how COVID‑19 changed our lives, what we did with Log4Shell and other). The speaker will use his own examples to demonstrate what AppSec processes look like ...

Aleksey Morozov

Head of AppSec, Tinkoff

Presentation

August 26

17:30–18:30

A brief look into CVE-2021-27223

Track 2

Russian

The current research deals with CVE-2021-27223 that was registered for some Kaspersky Lab products ...

Denis Straghkov

Researcher, Ivannikov Institute for System Programming of the Russian Academy of Sciences (ISP RAS)

Presentation

August 26

18:30–19:00

Closing and award ceremony

Track 1

Russian