Schedule

August 25–26, 2022

August 25

August 25
11:00–11:10
Opening ceremony
Track 1
Russian
August 25
11:00–11:45
Dahua IP camera. Where to look, what to poke?
DC&HW.Zone
Russian
Yuri will talk about practical security research on an IP camera from a well‑known vendor. In the report, the speaker will look at the encryption algorithms the manufacturer uses to protect the device firmware, followed by reverse‑engineering of these algorithms ...
August 25
11:10–12:00
Notes of a traveler between realms: IS and IT
Track 1
Russian
Most large and medium‑sized companies, regardless of the industry, have moved beyond just having the internal IT infrastructure. While proprietary software development is already the standard rather than the exception, this process poses new security risks and threats ...
August 25
11:50–12:30
Turning an ordinary SSD drive into two with reverse engineering
DC&HW.Zone
Russian
Nikita is going to look at the process of reversing the firmware of the NVME‑to‑USB adapter and demonstrate the process of organizing dual‑booting the laptop with the modified adapter ...
August 25
12:00–13:00
pypi.sos()—analyzing open‑source project repositories for trojans
Track 1
Russian
Every month, malicious packages are reported to be found and neutralized in the PyPI, npm, and RubyGems repositories. They steal AWS tokens, payment card data, browser passwords, and other sensitive information. Open‑source projects appear to be a great opportunity for information security vendors to demonstrate their ...
August 25
12:00–13:00
ATM security for newbies
Finance.Zone
Russian
The report is about ATM security analysis, beginning with the simplest and most common cases. The consequences of not ensuring proper security will be demonstrated using real‑life examples. We will also analyze possible attack scenarios and talk about how ATMs are actually protected nowadays ...
August 25
12:00–13:00
The insidious world of open-source through the developer's and the user's eyes
AppSec.Zone
Russian
We all use open‑source software and enjoy the variety and functionality of programs that have been created for us. The downside of flexibility and functionality is the possibility of making a mistake that leads to vulnerabilities in the design, code, and configuration of applications. This talk ...
August 25
12:00–20:00
Exploiting the Linux kernel
Workshop
Russian
The workshop will guide you into the basics of Linux kernel security. In a series of exercise‑driven labs, you are going to explore the process of exploiting kernel bugs in modern Linux distributions on the x86‑64 architecture ...
August 25
12:30–13:15
AMD PSP UEFI Firmware Structure
DC&HW.Zone
Russian
During the Summ3r of h4ck internship at DSec, the speaker chose the topic of AMD PSP research and writing a dumper of PEI phase files. Given the ridiculous shortage of material on this topic on the Internet in any language, the speaker decided to talk about how the UEFI firmware works for devices containing ...
August 25
13:00–14:00
Mobile (Fail)rensics
Track 1
Russian
This report examines the method of obtaining access to protected data stored on mobile devices in the context of forensic analysis without a password. This appears to be extremely complicated, but for a number of devices (Huawei P9, Samsung A5 2016) it is feasible due to the presence ...
August 25
13:00–14:00
Android security in POS terminals
Finance.Zone
Russian
In the report Eugene will give insight into the actual situation on the market and demonstrate the hacking of the five most popular POS terminals ...
August 25
13:00–14:00
CTF in a bank. Hack the system, get the ca$h
AppSec.Zone
Russian
A CTF‑style cybersecurity competition is part of a training program on secure design and programming of information systems. The CTF allows developers to get hands‑on experience with typical vulnerabilities and exploitation techniques to avoid any such vulnerabilities in released products ...
August 25
13:00–14:30
BI.ZONE Bug Bounty platform release
Press.Zone
Russian
The BI.ZONE team will take the opportunity at OFFZONE to showcase the platform interface, demonstrate which companies the product is designed for, and explain the process of earning rewards for bug hunters ...
August 25
13:30–14:45
Cryptocurrencies and Privacy Aspects
DC&HW.Zone
Russian
Walls have ears and houses have eyes. The report is dedicated to the privacy and anonymity of cryptocurrencies. It will be useful for newcomers to learn about the principles of blockchain, and advanced users will learn more about ensuring their own privacy ...
August 25
14:00–15:00
Kubernetes security: deception phase
Track 1
Russian
The deception phase of information systems security is often unjustifiably neglected, even though it can be used to provoke an intruder, who is trying to infiltrate your system or has already done so, into exposing themselves and thereby being detected ...
August 25
14:00–15:00
Payment application vulnerabilities
Finance.Zone
Russian
The speakers will talk about their experience in testing payment applications and about interesting vulnerabilities that they have come across in real projects ...
August 25
14:00–15:00
How Privacy Sandbox broke the web, but promised to fix it
AppSec.Zone
Russian
What is a Privacy Sandbox? What problems are being solved with it, and what problems are eventually created by rejecting third‑party cookies? Let’s discuss the proposed technologies (FPS, CHIPS, FedCM, etc.) and the current status of their adoption ...
August 25
14:45–15:45
August 25
15:00–16:00
Fork Bomb For Flutter
Track 1
Russian
You can come across Flutter applications in security analysis projects or bug bounty programs. Most often, such assets are simply overlooked due to the lack of methodologies and ways to reverse engineer them ...
August 25
15:00–16:00
Tinkoff craft Anti‑Phishing
Finance.Zone
Russian
In this report, Pavel presents Tinkoff’s in‑house system developed for checking the resilience of its employees to phishing attacks ...
August 25
15:00–16:00
Using tokens for secrets search or imitating SAST
AppSec.Zone
Russian
Finding secrets in a codebase is an essential stage of any mature SDLC. This report is about Avito’s approach to finding secrets in their codebase and docker images. The speaker will talk in depth about the process in the context of SDLC, why the current open source does not cover all needs, and most ...
August 25
16:00–17:00
How to deal with bad pentests when you are a bad pentester
Track 1
Russian
A story of one bad pentest, which teaches us that even an absolutely hopeless situation can be dealt with if you think carefully and believe in yourself ...
August 25
16:00–17:00
Corporate Cryptocurrency Wallet Management
Finance.Zone
Russian
There is a trend toward the possible use of cryptocurrencies at the corporate level. The speaker will share how to minimize mistakes when it comes to implementation. The report compiles the main technologies and practices that will allow corporations to use cryptocurrency for settlements safely ...
August 25
16:00–17:00
Ultimate Open-Source SAST
AppSec.Zone
Russian
This presentation will cover the Semgrep SAST tool and its integration into CI/CD. It will explore the basics of writing your own scanning rules ...
August 25
16:00–17:00
Anti-Panopticum & Privacy Problems
DC&HW.Zone
Russian
The word panopticum literally translates from the Greek as “the place where you can see everything.” In the report the audience will learn about the technologies to ensure their own privacy. Cryptographic methods of protection will be discussed for the most part ...
August 25
17:00–18:00
FHRP Nightmare
Track 1
Russian
Fault tolerance in corporate networks is crucial to making a computer network more reliable. This research delves into FHRPs and what they can mean for a pentester during a network attack ...
August 25
17:00–17:30
The specifics of modern web application security analysis. Goodbye, injection!
AppSec.Zone
Russian
Modern frameworks eliminate a whole layer of security issues that were commonplace just a few years ago. In the report, the speaker will show what the security analysis of modern web applications looks like and share his experience in improving the efficiency of this approach ...
August 25
17:00–19:00
A full review of YubiKey, passwordLess with examples of practical use, and TPM
DC&HW.Zone
Russian
The speakers will give a detailed overview of YubiKey security keys, using such tools as GPG, U2F (FIDO/FIDO2), OTP, Git. They will show how to use passwordless, how to use TPM in Linux, and how to store SSH keys in it ...
August 25
17:30–18:00
Mistakes We Make: SDLC Implementation
AppSec.Zone
Russian
The report talks about the mistakes that the speaker made when implementing SDLC from scratch and the lessons learned from these mistakes that may help in the future ...
August 25
18:00–19:00
Application Security Design Antipatterns
Track 1
Russian
Security antipatterns are common insecure application design practices. Without realizing it, such patterns “leave land mines” in the application’s core, which leads to recurring vulnerabilities and security issues. Meanwhile, all that patching can cost a fortune, especially in mature services ...
August 25
18:00–19:00
Upgradeable smart contracts security
Finance.Zone
Russian
One of the fundamental properties of blockchain is the impossibility of data spoofing (immutability). However, not all smart contracts have immutable code. A common practice is to use the contract logic update template with the help of a proxy. You have to be very careful when updating implementation ...

August 26

August 26
11:00–12:00
Hi! Can I charge my phone?
Track 1
Russian
Nowadays, USB cables are not so simple and harmless as you may think. Some of them may be hiding secrets. Really dangerous secrets. Are you sure this USB cable connected to your laptop is only for charging that kind dude’s phone ...
August 26
11:00–12:00
Machine learning security
Track 2
Russian
This report focuses on attacks that target machine learning systems. What are the dangers of such attacks? How difficult is it to prevent them? The speaker will talk about some of the things required from a security expert, and why this is so fascinating ...
August 26
11:00–12:30
LockPick: the autopsy will tell
DC&HW.Zone
Russian
The report consists of three parts, in which the construction of locks, attacks on them, and defense mechanisms are analyzed step by step. We will also talk about the different tools used by lockpickers and go a bit deeper into the history ...
August 26
11:30–14:30
Take me to LPE. DLL hijacking, side‑loading and other
Workshop
Russian
You will learn how adversaries can use standard utilities (LOLBAS) and legitimate applications to attack Windows devices in 2022 ...
August 26
12:00–13:00
APT attacks on Russian companies in H1 2022: highlights
Track 1
Russian
Since the beginning of 2022, PT ESC analysts have been recording a surge in targeted attacks on companies in Russia. Based on the data acquired as a result of incident response activities and threat intelligence gathering, the report examines the most interesting attacks out of those detected. It also ...
August 26
12:00–13:00
Developing UEFI modules and debugging them without NDA
Track 2
Russian
The report focuses on the firmware that is built into the motherboard—namely, UEFI (unified extensible firmware interface)—and the development of modules with subsequent debugging ...
August 26
12:00–13:00
Threat modeling without the headache
AppSec.Zone
Russian
The classical approach to threat modeling has long proved inefficient. Then again, developers never execute the requirements for the threat model. The reasons behind that and the ways to streamline the process are explored in Svetlana’s report ...
August 26
12:30–14:00
RFID
DC&HW.Zone
Russian
Electronic pass cards are a staple of our everyday lives, especially in the corporate segment. Find out in practice what lies under the hood of RFID and why most of the electronic passes are vulnerable ...
August 26
13:00–14:00
Microsoft cloud authentication tokens—there are no more secrets
Track 1
Russian
The lecture is about authentication and authorization in Microsoft Office 365. You will learn how office applications such as Outlook, OneDrive, Teams, Word, Excel, and the Windows operating system itself are authorized on cloud servers. Specifically, where and how they store their access tokens, what DPAPI (Data Protection API), ...
August 26
13:00–14:00
Missed Opportunity: Detecting Legitimate Third-Party Tools Abused by the Threat Actors
Track 2
Russian
Threat actors are known to use various features of operating systems to achieve their goals. However, sometimes it is not enough, so they may employ legitimate third‑party tools that are most unlikely to be detected by security solutions. For example, to perform Active Directory reconnaissance, an adversary may ...

August 26
13:00–14:00
Knowledge is power or How to build your own AppSec competence center
AppSec.Zone
Russian
In the course of our work, we often encounter a negative attitude of developers toward the security department, and sometimes there’s hardly anyone aware of its existence. How to foster the relationship between security and development? How to make developers our allies and get them interested in safe coding? How to remind ...
August 26
14:00–15:00
Chasing Evil: Modern Approaches to Anomaly Detection in Windows Infrastructures with LDAP and RPC Monitoring
Track 1
Russian
Once a user account is compromised, an intruder has a foothold to attack the Active Directory domain. One of the primary tasks of the attacker at this stage is to collect information about domain objects for privilege escalation. While there is a great variety of enumeration tools, all of them, however, ...
August 26
14:00–14:30
Malicious browser extensions
Track 2
Russian
An excursion into what browser extensions can conceal based on the analysis of malicious samples. How do hackers use extensions? Why are the efforts of browser developers insufficient to address this problem? And how to avoid taking the bait ...
August 26
14:00–14:30
Why you should NOT hire DevSecOps engineers
AppSec.Zone
Russian
Everybody knows that building and maintaining SDLC (Software Development Life Cycle) can be done by a DevOps engineer. Many would think that a DevSecOps engineer can turn SDLC into SSDLC (Secure SDLC), but these expectations are somewhat unrealistic ...
August 26
14:00–15:00
How to write killer content
Press.Zone
Russian
Being a qualified professional, at some point, you will need to be able to put your experience into words. Where to get the motivation to start your article? How to overcome your fear ...
August 26
14:30–15:00
Attacks on AI made easy
Track 2
Russian
The results produced by AI are more often than not astonishing, but nevertheless, machines are not flawless. The cost of mistakes increases when dealing with security—for hackers, AI can be just an additional high‑impact attack vector ...
August 26
14:30–15:00
Do you really want to know what happens inside your dependencies?
AppSec.Zone
Russian
Building software on top of open‑source libraries and packages has become the norm. Modern languages and frameworks, like Python, Node.js, Go, Rust encourage developers to just “download and execute” whatever is offered by third‑party repositories without thinking much about the consequences ...
August 26
15:00–16:00
Local privilege escalation on Apple devices
Track 1
Russian
Apple has been introducing various security mitigations for years. Since macOS Big Sur / iOS 14, exploiting kernel memory corruption has been made a lot more difficult by introducing memory sequestering and kernel heaps. Apple continued to sabotage attackers’ efforts by introducing more mitigations against memory corruption vulnerabilities ...
August 26
15:00–15:30
Secure ML modeling
Track 2
Russian
The report talks about improving the security of machine learning models at various stages of development. It introduces a list of adversarial attacks and their use in model training and testing, as well as the security of the environment when training and running models ...
August 26
15:00–16:00
Grand DevSecOps myths and legends: the experience of a bank
AppSec.Zone
Russian
This report is about the experience of introducing and developing DevSecOps in three domains: technology, processes, and people. The speakers are going to talk about the things you can expect while implementing the Sec part of DevOps, which is applied to thousands of applications. Furthermore, you will see what ...
August 26
15:00–16:30
Classics of Wi‑Fi pentest
DC&HW.Zone
Russian
Although it seems that the Wi-Fi network has been completely explored inside and out, it is still full of vulnerabilities. At the DC stand, you can practice finding and exploiting current vulnerabilities ...
August 26
15:30–16:00
Osinter's Notes
Track 2
Russian
The report contains information about OSINT techniques for penetration testing. The cases presented illustrate the benefits of these techniques for different specialists ...
August 26
15:30–18:30
Finding vulnerabilities in image parsers in practice
Workshop
Russian
Everyone knows about popular vulnerabilities in media content parsers like ImageMagick or such novelties as vulnerabilities in librsvg. But most experts do not examine these vulnerabilities broadly or persistently enough. All because it is not always obvious and you need to predict the behavior of a vulnerable library ...
August 26
16:00–17:00
A small mistake. A story of 5G router research
Track 1
Russian
The report is dedicated to the OPPO 5G router security research. It explores the steps to getting RCE without having firmware and without physically manipulating the device. Other detected vulnerabilities will also be demonstrated ...
August 26
16:00–16:30
FreeIPA Pentesting
Track 2
Russian
It’s not uncommon that client infrastructures are deployed under a standard scheme that uses Active Directory. The algorithm for testing such infrastructures is continuously being perfected throughout the years: it’s now clear what steps to take, what to look out for, what types of attacks to run, how to evade ...
August 26
16:00–17:00
Vulnerability management for dummies or How to train your automation
AppSec.Zone
Russian
This report will talk about vulnerability management for SecOps and AppSec, specifically, how to automate the process in such a way as to achieve maximum efficiency in the end, and, at the same time, spend minimum resources of the information security team ...
August 26
16:30–17:00
Undocumented features of some Burp Suite extensions
Track 2
Russian
This report looks at the known Burp Suite extensions, mostly by James Kettle. Since many of the known extensions have only a brief description, this sets a significant entry threshold for use. The presentation covers extensions such as Turbo Intruder, Hackvertor, and others with the purpose of reducing the difficulty ...
August 26
16:30–18:00
Recovering encrypted data from damaged media
DC&HW.Zone
Russian
Quest report: during a counter‑terrorist operation, the special forces obtained some data carriers, which contain data that would compromise the activities of the terrorist group. The media includes a memory stick and a hard drive. Since the operation was carried out with the use of brutal physical force, the data ...
August 26
17:00–17:30
Fishnet Framework—Intuitive Penetration Testing
Track 2
Russian
Fishnet Framework is a powerful and multitasking web‑based collaboration and automated penetration testing platform. The main goal of Fishnet is to provide an understandable set of tools that everyone, from an office clerk to a professional security researcher, can access ...
August 26
17:00–18:00
Current application security issues in the financial sector and how we solved them
AppSec.Zone
Russian
This report focuses on the security problems and real cases in financial organizations. Aleksey will talk about the current challenges of the last couple of years (how COVID‑19 changed our lives, what we did with Log4Shell, and others). The speaker will use his own examples to demonstrate what AppSec processes look like ...
August 26
17:30–18:30
August 26
18:30–19:00