Program
Stand or fall. An army of intelligent bots controlled by hackers
Author: Andrei Masalovich
These days, the Web Standoff is no longer just a war between humans and bots: we are talking about a botnet programmed to act in an intelligent, user-like manner, an army with proper coordination. DDoS botnets have evolved from a basic tool into a powerful weapon of information confrontation in the hands of hackers, intruders, and intelligence services. The speaker will share some real-life examples, from massive password cracking to influencing electoral outcomes.
Language: Russian. Materials: video, presentation.
CEO at Lavina Pulse. Supervisor of a number of successful campaigns aimed at implementing analytical technologies in banking, financial-industrial groups, major retail networks, and public sector bodies. The author of numerous publications, he has given a series of lab courses on methodologies for data search and analysis at several universities in Russia and the U.S. Conducted workshops on competitive intelligence through web mining at PHDays and more than 700 uniquely designed lab courses on this topic. Creator of the Avalanche search engine. Candidate of Physics and Mathematics, Distinguished Scholar awarded by the Russian Academy of Sciences, served as a Lieutenant Colonel at the Russian Federal Agency for Government Communications and Information.

Backslash powered scanning: implementing human intuition
Author: James Kettle
Existing web scanners search for server-side injection vulnerabilities by throwing a canned list of technology-specific payloads at a target and looking for signatures, almost like an anti-virus. The speaker will share key insights from the conception and development of an open-source scanner that evolved from classic manual techniques and is capable of finding and confirming both known and unknown classes of injection vulnerabilities.
Language: English. Materials: video, presentation.
Head of Research at PortSwigger Web Security, where he designs and refines vulnerability detection techniques for Burp Suite's scanner. Recent work has focused on techniques to detect unknown classes of vulnerabilities and on exploiting subtle CORS misconfigurations in bitcoin exchanges. He has extensive experience cultivating novel attack techniques, including server- and client-side RCE, and abusing the HTTP Host header to poison password reset emails and server-side caches. He has previously presented at numerous prestigious conferences, including Black Hat and AppSec.

Ransomware incidents forensics
Author: Mona Arkhipova
The speaker will provide a step-by-step reconstruction of an endpoint PC's infection with the Osiris ransomware, with a sample taken from the live system.
Language: Russian. Materials: presentation.
Manager of the information security architecture and monitoring unit at Acronis.

Do WAFs dream of static analyzers?
Author: Vladimir Kochetkov
Traditional WAFs regard the applications they protect as a black box: incoming HTTP requests and outgoing HTTP responses are the only means available for attack detection. Obviously, this information is not enough for a formal proof, so a WAF settles for a heuristic approach. Even if we intercept all requests by an application to its environment (filesystem, sockets, DB), it only improves the quality of the heuristics and is in no way useful for switching to formal methods. But what if we build a WAF that treats an application as a white box? What if it could handle the application model obtained as a result of static code analysis? What if it were possible to decide whether an HTTP request is an attack by running fragments of the application code?
Language: Russian. Materials: video, presentation.
Head of the application security assessment team. He is engaged in the development of PT Application Inspector and is an expert in application security and applied cryptography. He participated in such projects as Nemerle, YAPOET, and SCADA Strangelove. His articles have been published in HITB Magazine, The Hacker Magazine, and RSDN Magazine. Spoke at conferences and meetups for developers. He is also the co-organizer of Positive Development User Group, a community for developers who are interested in application security.

Hackers need your bank more than your clients
Author: Dmitry Volkov
The speaker will introduce a case-by-case analysis of several incidents related to ATMs, payment gateways, card processing, and interbank transfer systems. He will describe the tactics used by attackers from different countries to gain access to a bank's local network and talk about privilege escalation techniques on the local network. The talk will demonstrate attackers' slip-ups and explain how to identify their activity and prevent the disruption of a bank's infrastructure or money theft. Participants will learn about future trends in targeting financial institutions. This talk will also give insight into the tools attackers will use and their techniques for covering their tracks.
Language: Russian. Materials: presentation.

WhatsApp & Telegram account take-over
Author: Roman Zaikin
The author will talk about a vulnerability in WhatsApp and Telegram that allows an attacker to gain full access to a user's account by sending an innocent-looking file that contains malicious code, and then to spread the attack across the WhatsApp and Telegram networks.
Language: English. Materials: video.
Roman Zaikin is a Security Expert at Check Point Security Technologies. His research has revealed significant flaws in popular services and major vendors (Facebook, eBay, WhatsApp, Microsoft). The author of "The world of security and hacking." Has over 7 years of experience in cybersecurity research. Leads cyber courses at HackerU. Holds more than 15 certifications.

Modern techniques and tools in malware analysis
Author: Ivan Piskunov
This hands-on lab will focus on modern countermeasures against malware analysis: anti-debugging techniques, the use of virtual machines, anti-disassembly tricks, code packing and encryption using current approaches, and special technologies and tools.
Participants will need a laptop with a Windows XP virtual machine, OllyDbg, and a disassembler installed.
Language: Russian. Materials: presentation.
Has been working in the IT and IS fields for more than seven years. He writes on his blog ipiskunov.blogspot.com and in his personal column on SecurityLab.ru. He has written several articles on reversing for The Hacker magazine and is a resident of the anti-malware.ru portal. His articles have been published in magazines and mass media focused on information security, IT audit, and IS department economic management. Has three university degrees: information security, accounting and taxation, and business administration.

SOC Evolution 2017
Moderator: Elman Beybutov, Vladimir Bengin, Alexey Kachalin
What we have been discussing in recent years has finally happened: numerous companies in Russia have taken up the concept of SOC introduced by the pioneers, both internal SOCs and the first commercial ones. Specialists and managers have accepted the necessity of SOCs. We invited representatives of companies with hands-on experience in establishing and running security monitoring and incident response centers, both internal and commercial, to have their say in the discussion. The participants include Elman Beybutov, Alexander Bondarenko, Vladimir Dryukov, Alexey Novikov, Arkady Prokudin, and Vladimir Shadrin, with Alexey Kachalin as moderator.
Language: Russian.

Attacks on video converter: a year later
Authors: Emil Lerner and Pavel Cheremushkin
Black Hat 2016 saw a report on vulnerabilities in video services. The authors continued researching this area and will present new vulnerabilities (logical and binary) and curious ways to exploit them. Look forward to hearing real stories about exploiting these vulnerabilities in bug bounty programs!
Language: Russian. Materials: video, presentation.
Emil Lerner: A postgraduate at the information security department at the Faculty of Computational Mathematics and Cybernetics of Moscow State University. Engaged in web application security. A member of Bushwhackers, a CTF team.
Pavel Cheremushkin: A student at the information system security laboratory at the Faculty of Computational Mathematics and Cybernetics of Moscow State University. He has been working in the industry for five years. Currently, he is engaged in binary exploitation and reverse engineering. A member of Bushwhackers, a CTF team.

IPv6 network reconnaissance
Author: Fernando Gont
The Internet Protocol version 6 (IPv6) and the emerging IPv6 deployments somewhat change the rules of the "network reconnaissance" game: with the typical 2^64 addresses per subnetwork, the traditional brute-force approach to address scanning from the IPv4 world becomes unfeasible. This workshop will cover the latest IPv6 network reconnaissance techniques discussed in RFC 7707. It will provide an intense IPv6 hacking experience, focusing on hands-on IPv6 network reconnaissance exercises.
Language: English. Materials: video, presentation.
A security consultant and researcher for SI6 Networks. He specializes in the field of communications protocols security, working for private and governmental organizations from around the world. He has worked on a number of projects for the UK National Infrastructure Security Co-ordination Centre (NISCC) and the UK Centre for the Protection of National Infrastructure (CPNI) in the field of communications protocols security. He has written a series of recommendations for network engineers and implementers of the TCP/IP protocol suite, and has performed the first thorough security assessment of the IPv6 protocol suite.

Breaking bad. POS tampering
Authors: Gabriel Bergel and Javier Perez
The speakers will talk about the insecurity of POS terminals and the fraud you may be exposed to: from the classic skimmer, eavesdropping, modification, and installation of third-party software to hardware tampering with POS devices. The report also covers POS security features, main brands, cybercrime, POS tampering methodology, impacted models, security countermeasures, PCI DSS, EMV, and the insecurity of EMV and NFC.
Language: English.
Gabriel Bergel: A computer systems engineer, currently pursuing a Master's in Cybersecurity at the IMF Business School and Camilo José Cela University (Spain). He has 14 years of experience in different fields of information security. He is a speaker at courses, lectures, workshops, and conferences on information security both nationally and throughout Latin America. Currently the chief strategic officer at Dreamlab Technologies and chief security ambassador at 11Paths.
Javier Perez: Fan of tech and security, ISECOM OSSTMM instructor, trainer for security courses, speaker, researcher. Almost 10 years in the security world. In recent years, he has specialized in payment systems: EMV, NFC, POS, ATM. Currently the director of R&D at Dreamlab Technologies.

User-friendly, though. (Messaging bots expose sensitive data)
Author: Anton Lopanitsyn
The talk will focus on messaging bots in Telegram: how a useful tool becomes a source of information leaks.
Language: Russian. Materials: video, presentation.
A web application security expert at ONSEC. Currently working on Wallarm.

Dust application whitelisting off and take a fresh look!
Author: Artyom Ilin
Any IT engineer has heard a lot about the drawbacks of application whitelisting, which is why this technology is rarely used. The speaker will rehabilitate AWL and explain how it helps to withstand security threats. The talk will also clarify how to make this technology user-friendly and cover the issues of automated reaction to events and software exceptions.
Language: Russian. Materials: presentation.
Works as the head of the security systems department at the Infosecurity corporate group. Graduated from the Saint Petersburg State University of Aerospace Instrumentation, specializing in computing machines, systems, and networks. He is involved in testing, implementing, and supporting information security software.

DDoS attacks in 2016–2017: a breakthrough
Author: Artyom Gavrichenkov
In early 2016, DDoS attacks and the security strategies against them looked so trivial that they seemed to have run their course. A year later, the situation has changed dramatically. The speaker will discuss these changes, their causes, background, and consequences, as well as their relationship with the development of IoT.
Language: Russian. Materials: video, presentation.
CTO at Qrator Labs. Graduated from Moscow State University, the Faculty of Computational Mathematics and Cybernetics. Has been working in IT networking, monitoring, and information security for 10 years, seven of which specifically in DDoS mitigation related research. Spoke at numerous conferences, including those related to information security, like Black Hat and ZeroNights.

Backdooring LTE modem radio channel kernel
Author: Andrey Lovyannikov
This report will present the findings of research into the radio channel kernel firmware of the Huawei E3372 LTE modem. The speaker will demonstrate how changes to the kernel can lead to the transmission of unencrypted data over the radio channel.
Language: Russian. Materials: presentation.
A leading security engineer at ASP Labs. A member of BalalaikaCr3w (LC/BC), a CTF team. A PhD student at MEPhI. He is usually engaged in reverse engineering of everything he can lay hands on. The rest of the time, he exploits binary vulnerabilities.

IoT (in)security
Moderator: Alexey Lukatsky
The internet of things is the next evolutionary jump in IT. On the one hand, this is a business opportunity; on the other hand, a global threat to the development of companies, the internet, and the whole modern IT world. The report will cover technical, organizational, and legal issues related to IoT security, including attack and defense. Participants: Dmitry Berezin, Alexander Butenko, Igor Girkin, Uliana Zinina, Grigory Marshalko, Pavel Novikov. Moderator: Alexey Lukatsky.
Among the participants:
- Dmitry Berezin and Alexander Butenko, Croc: An approach to ensuring Enterprise IoT security
The world of the internet of things is changing rapidly. New kinds of devices, advanced technologies, M2M architecture: all of this produces new risks for information security. Each class of IoT devices (Home, Enterprise, Industrial) has its own specific features and security requirements. The speakers will review the requirements for IoT in the enterprise. Businesses take advantage of using a large number of geographically distributed devices while retaining centralized control and monitoring as well as the ability to check security settings. The speakers will investigate what technologies ensure the protection of distributed IoT systems and how IoT differs from traditional IT solutions.
Language: Russian. Materials: video.

Phishing: size of the problem and countermeasures
Moderator: Vyacheslav Borilin
- Today's phishing market (Dmitry Malyshev)
- Awareness Center Phishman (Nikolay Agninsky and Alexander Mitrokhin)
- Phishing—a curse or an opportunity? (Vyacheslav Borilin)
Language: Russian. Materials: video.
Moderator: Vyacheslav Borilin, Head of the Security Awareness unit, Kaspersky Lab. A member of IETF and ISA.

Hacker in a trap: A practical demonstration of how to block exploits and ransomware
Author: Denis Batrankov
This hands-on lab will feature real malicious code running alongside protection tools on several virtual machines, with all engines enabled: antivirus, URL filtering, antispyware, IPS, Threat Intelligence, DNS sinkholing, and sandboxes based on a next-generation firewall, together with traps, a sandbox, and endpoint protection based on Traps™.
Language: Russian. Materials: presentation.
Denis has been active in information security since 1992. His experience spans a wide range of security technologies and products for networks, workstations, and servers from different vendors, including Palo Alto Networks, Allot, ISS, IBM, HP, Cisco, Check Point, and Microsoft. Holds an active CISSP certification.

DIY anti-APT
Author: Danil Borodavkin
Malicious code obfuscation, social engineering, exploiting either bugs or features in Windows: the modern arsenal allows attackers to bypass signature-based protection successfully. The report focuses on the experience of building a corporate open-source-based system aimed at detecting attacks that traditional protection tools cannot detect. The talk will cover static and dynamic analysis elements and curious incidents detected by the system (exploits for MS Office, JS code in CHM files, tricks with inserting OLE into PDF and multipart, and the compromise of a contractor and a major air travel company as a stepping stone). The speaker will also share detection statistics for the DIY system, signature-based tools, and one commercial anti-APT solution.
Language: Russian. Materials: presentation.
A security specialist with experience in intrusion detection, sandboxes, and email filtering. Head of the corporate SOC at Information Satellite Systems (the Roscosmos group of companies). An Associate Professor at the Information Security scientific laboratory, an initiative of the Siberian Federal University. 10 years of experience in information security. A *nix advocate. Passionate about open source, duct tape, and order.

Internal security awareness (QIWI)
Author: Ekaterina Pukhareva
We arranged quizzes, quests, and CTFs to increase security awareness of QIWI staff. Then we checked what they learned using internal phishing, pentests, and dropping malware-infected media.
Language: Russian. Materials: video, presentation.
Currently works for QIWI. Engaged in IT compliance and vulnerability management. An author of several articles on compliance risks and information security audit.

SOC in a large corporate network: challenge accepted
Author: Andrey Dugin
The Security Operations Center at MTS had already been at work for several years when the issue of creating SOCs came to light at security conferences in Russia. Throughout these years, we have been gaining knowledge and experience from the variety of cases handled at our SOC. What challenges do you face when establishing a SOC? What specific features do you need to consider when implementing technologies and business processes in order to ensure IP/MPLS security in a large-scale network? What is the bottom line of our participation in PHDays VI: The Standoff? The speaker will answer these and many other questions in his talk.
Language: Russian. Materials: presentation.
Works with MTS as a head of information security department. One of the tasks of his department is to ensure CCNP Security.

Techniques to protect Java apps and ways to bypass them
Author: Philip Lebedev
The report outlines a range of protection strategies for Java apps, for most of which there are bypass scenarios available.
Language: Russian. Materials: video, presentation.
An information security engineer at ASP Labs. A member of BalalaikaCr3w, a CTF team. Mostly focused on reverse engineering and exploiting binary vulnerabilities. An expert in researching iterative block ciphers.

Developing secure homebrewed products
Moderator: Dmitry Gusev
Language: Russian. Materials: video.

Practical machine learning in infosecurity
Authors: Anto Joseph and Clarence Chio
Machine learning (ML) is the future. The speakers will give an introduction to the topic with the Boolean classification problem and introduce classifiers, which are at the core of many of the most common ML systems. They will also provide a simple example of deploying security machine learning systems in production pipelines using Apache Spark, and will talk about how such systems can be poisoned, misguided, and utterly broken if the architects and implementers are not careful.
Language: English. Materials: video, presentation.
Anto Joseph: A security engineer at Intel. He has 5 years of corporate experience in developing and advocating security in mobile and web platforms. Machine learning is one of his key areas of interest. He has been a presenter and trainer at various security conferences including BH USA 2016, DEF CON 24, BruCon, HackInParis, HITB Amsterdam, NullCon, GroundZero, c0c0n, and XorConf.
Clarence Chio: Graduated with a B.S. and M.S. in Computer Science from Stanford within four years, specializing in data mining and artificial intelligence. Currently works as a security researcher at Shape Security, building a product that protects high-value web assets from automated attacks. Spoke on machine learning and security at DEF CON 24, GeekPwn, PHDays, BSides, Code Blue, SecTor, GrrCon, Hack in Paris, QCon, and DeepSec. A community speaker with Intel and the founder and organizer of the Data Mining for Cyber Security meetup group, the largest gathering of security data scientists in the San Francisco Bay Area.

Will your business stand a ransomware?
Author: Yulia Omelyanenko
You're building your business continuity and disaster recovery program, planning how to get through a crisis caused by fire, power failure, or natural disasters. But suddenly you get a notice that your network has been hit with ransomware and data is probably being lost every second. We will discuss the ransomware threat from a business continuity point of view and analyze options to prevent it or to minimize its impact if a company is infected.
Language: English. Materials: video, presentation.
A GRC unit manager at Acronis. Previously worked as a GRC lead in a large FMCG company. Graduated from the Moscow Engineering Physics Institute. Has over 6 years of practical experience in information governance.

Jumping from Tenable's SecurityCenter CV to production environments
Author: Oleksandr Kazymyrov
This talk will cover passive (extracting information on assets, users, passwords, private keys, etc.) and active (encrypted credentials) information gathering on a rooted server with Tenable's SecurityCenter installed. Moreover, a method for lateral movement from the DMZ to production environments using features of Nessus scanning will be demonstrated. It will help red teams to penetrate deeper into internal networks, especially those containing highly valuable information, such as cardholder data environments. From the blue team perspective, the demonstrated techniques will help better understand the risk of vulnerability scanners left unattended in DMZs.
Language: English.
Has a PhD in information security from the University of Bergen. A member of the non-functional testing group in financial services at EVRY. Holds CEH (Certified Ethical Hacker) and CES (Certified Encryption Specialist) certificates. A co-author of the Ukrainian standards for a block cipher and a hash function.

Non-signature-based detection of PHP backdoors
Author: Gregory Zemskov
The speaker presents a developed and implemented algorithm for non-signature-based detection of malicious PHP code fragments.
Language: Russian. Materials: video, presentation.
Head of Revisium, a company focused on integrated website security. An IS specialist and developer of free website malware and security scanning tools. A regular conference participant, a lecturer at Moscow State University of Mechanical Engineering, and an author of courses, master classes, and numerous web app security articles.

Discovering botnets in corporate networks by intercepting web traffic
Authors: Tatyana Shishkova and Alexey Vishnyakov
The speakers will share their experience in discovering botnets by intercepting web traffic between the bot and the C&C server, and point out the parts of the traffic you should pay attention to in order to detect malicious activity effectively. They will also describe the most recent cases of infections of large corporations and organizations from their practice and give examples of real-world botnet traffic, such as Neurevt, Andromeda, Fareit, Carberp, and Tinba.
Language: Russian. Materials: video.
Tatyana Shishkova: Graduated from the Faculty of Computational Mathematics and Cybernetics, Lomonosov Moscow State University. A malware analyst at Kaspersky Lab, has been working in the company since 2013. Specializes in network intrusion detection.
Alexey Vishnyakov: Graduated from the National Research Nuclear University MEPhI in 2015. A malware analyst in the Shift AV Group at Kaspersky Lab. One of his activities is the detection and analysis of malicious objects.

How to find zero-days in the Linux kernel
Author: Andrey Konovalov
This talk will present how to find vulnerabilities in the Linux kernel using syzkaller, a coverage-guided Linux syscall fuzzer. The fuzzer has found over 400 bugs during internal Linux kernel testing and numerous bugs while being used by external users.
Language: Russian. Materials: video, presentation.
A Google software engineer working on various bug finding tools for the Linux kernel.

Live hacking: how digital attackers are intruding into your systems
Author: Sebastian Schreiber
IT security incidents in the recent past demonstrate emphatically that IT systems, even in international high-tech companies and major state institutions, lack sufficient protection. Widespread IT quality assurance measures may suffice to safeguard 99% of systems. However, the decisive factor is that the remaining one percent provides a target for digital attacks. Every gap, however tiny, is sufficient to render an otherwise well-secured IT infrastructure vulnerable in its entirety. During a live hacking presentation, the speaker will perform different attacks on IT systems. He will show that it is astonishingly easy to bypass protective measures in order to access sensitive information.
Language: English. Materials: video, presentation.
Managing Director at SySS GmbH, the leading German provider of penetration tests.

Opening. Information security today: the splendor and misery of corporate security
Moderator: Boris Simis
Language: Russian. Materials: video.

The other side of DDoS
Author: Krassimir T. Tzvetanov
This talk intends to introduce defenders to the tools that are popular in the underground for setting up denial-of-service attacks. It will go through some of the toolkits and techniques used to launch those attacks and look at some of the economics: how much it costs an attacker to execute the attack and how much it costs the defender to defend. From the defender's point of view, we will also look at the benefits and drawbacks of mitigating the attack on premises versus using a service provider that specializes in that field.
Language: English.
A security engineer at Fastly, a high performance CDN designed to accelerate content delivery as well as serve as a shield against DDoS attacks. Worked for hardware vendors like Cisco and A10 focusing on threat research, DDoS mitigation features, product security and best security software development practices. Also worked at Yahoo! and Google. Was a department lead for Defcon and an organizer of the premier BayArea security event BayThreat. Holds a Bachelor's degree in Electrical Engineering (Communications) and a Master's degree in Digital Forensics and Investigations.

Live dissection: anatomy of a router-based botnet
Authors: Maxim Goncharov and Ilya Nesterov
Buy web traffic, prepare infrastructure for an exploit kit and a dropzone, rent bulletproof hosting space, encrypt a malicious binary to be sure it's not detected by most AVs, build sophisticated management protocols, run a C2, and hide yourself all the time behind several mixed layers of VPNs, SSH, and proxies just to be sure you are safe. What a headache! Eventually, you'll have to deal with all that if you wish to have a real botnet. But what if there is a simpler way?
Language: Russian. Materials: video, presentation.
Maxim Goncharov: A threat researcher at Shape Security with 16 years of experience in computer security. Participates as a speaker at various security conferences and training seminars on cybercrime and related issues (e.g., vulnerability research, cyberterrorism, cybersecurity, underground economy). A recent speaker at Black Hat, PacSec, Power of Community, DeepSec, VB, APWG, and PHDays.
Ilya Nesterov: A security researcher at Shape Security. Prior to Shape, worked at F5 Networks. Earned his master's degree from Tomsk Polytechnic University. His interests include modern web application security threats and countermeasures, botnets, malware, exploits, and honeypot development. Also works as an independent security researcher. Spoke at different conferences including Black Hat, OWASP AppSec, and BSides.

Java Card platform attacks based on malicious applets
Author: Sergei Volokitin
The presentation introduces attacks on the secured containers of a Java-based smart card, which allow an attacker to steal cryptographic keys and PINs of the other applets installed on the card.
Language: English. Materials: video, presentation.
A security analyst at Riscure in the Netherlands. Develops new attacks on the Java Card platform installed on most modern smart cards. Received a degree in information security in 2013 and is now studying in the Software Science Master's program at Radboud University Nijmegen.

Voice cloning and its detection
Author: Roman Kazantsev
Banks have started to apply authentication technology based on voice biometric data for access to credit cards. From an information security point of view, such speech elements are sensitive and need protection against compromise and impersonation. Impersonation can be achieved by employing voice morphing (cloning) methods. The speaker will demonstrate a software implementation of all phases of the voice cloning method, show how a voice recognition system can detect cloned voices, and present research data on the dependency between the performance of a cloned voice detector and the number of cepstrum features used for training.
Language: Russian. Materials: video, presentation.
Works as a Software Engineer in the Software & Services Group at Intel Corporation. Has 7+ years of professional experience in software engineering. Focuses on cryptography, software security, and computer science. He received Bachelor's and Master's degrees in computer science with honors at Nizhny Novgorod State University, Russia. Has about ten published papers and two patents in information security.

Horizontal penetration in the windows-based infrastructure
Author: Teimur Kheirkhabarov
Every targeted attack consists of several stages. At the initial stage, attackers collect information about the company and its employees to find the weakest link. Next, the intruders penetrate the corporate network and obtain access to one or several hosts inside the protected perimeter. They will attempt to get the authentication data of users with privileges on various corporate hosts. Then, attackers start moving between hosts in search of relevant information or systems. A multitude of tools for remote execution of Windows commands and other legitimate utilities, so popular among system administrators, are at the attackers' disposal. The speaker will talk about all these mechanisms and utilities. You will also learn how to find the traces of their usage that are inevitably left behind in event logs.
Language: Russian. Materials: video, presentation.
Engaged in theoretical and practical aspects of information security research for more than six years. SOC analyst at Kaspersky Lab. Formerly, the head of the infosec department at an industrial company. Received specialist's and master's degrees from the Siberian State Aerospace University, where he later gave lectures on IS. An active participant in CTF contests. Spoke at ZeroNights.

DIY tablet PC for hacking
Author: Andrey Biryukov
Mobile devices have penetrated our everyday life. Smartphones and tablet PCs allow performing numerous tasks in various areas, including information security. Although there is a vast range of mobile OS software, the programs required for penetration testing are unavailable. As a solution, the speaker suggests creating a DIY tablet PC based on the Raspberry Pi 3 and running Linux. In contrast to other Raspberry-based solutions, this device does not require any peripherals, neither a keyboard nor a mouse. Interaction with the user is only via the touch screen, so the device size can be reduced down to smartphone dimensions. The tablet PC runs Aircrack-ng, Kismet, Nmap, Wireshark, Metasploit (!), and custom Python scripts. The speaker will demonstrate how the device works and give tips on how to assemble and configure it.
- Language
- Russian
- Info
- Video
- Presentation
Graduated from the Moscow Aviation Institute, the Faculty of Applied Mathematics and Physics. 12+ years of experience in information security. Lead information security engineer at AMT GROUP, focusing on ICS security. A regular author for the Russian magazine "System administrator." Wrote several books on information security.

Meet and greet the macOS malware class of 2016
Author: Patrick Wardle
Say hello to KeRanger, Eleanor, Keydnap, and more! 2016 was a busy year for Mac malware authors, who released a variety of new macOS malware creations. The talk will provide a technical overview of this malware, discussing its infection vectors, persistence mechanisms, and features. We will also discuss various generic detections that strive to ensure our Macs remain secure.
- Language
- English
- Info
- Video
Director of Research at Synack. Having worked at NASA and the NSA, as well as presented at many security conferences, he is intimately familiar with aliens, spies, and talking nerdy. In his free time, he collects OS X malware and writes free OS X security tools.

Using the event types relationship graph for data correlation in SIEM systems
Authors: Andrey Fedorchenko, Andrey Chechulin, and Igor Kotenko
The talk will focus on correlation-related research for SIEM systems based on the structural analysis of security event types. The speakers propose an approach to automated analysis that treats security events as input data with dynamic content. A graph of event types with direct and indirect relationships between them is suggested for automated analysis. Handling of input security data involves functional and behavioral analysis performed by calculating the frequency-time characteristics of events, classifying events by severity, and creating behavior patterns. The suggested approach allows using rank correlation along with other intelligent techniques. Requirements for normalization of source data are also stated. The speakers will demonstrate an analysis of a security event log and the event types relationship graph resulting from this analysis.
- Language
- Russian
- Info
- Video
- Presentation
Andrey Fedorchenko Junior research associate at the Laboratory of Computer Security Problems (Saint-Petersburg Institute for Informatics and Automation). Engaged in research in the field of event correlation and information security in SIEM systems. Finalist of the Young School competition held at PHDays V. Andrey Chechulin Senior research associate at the Laboratory of Computer Security Problems (Saint-Petersburg Institute for Informatics and Automation). Participant in several Russian and international projects dedicated to various aspects of information security. Was involved in the development of a course on computer forensics at the Federal Criminal Police Office of Germany, development of systems for analytical modeling of attacks within the 7th European Framework Programme (FP7), and development of visualization systems for projects of the Federal Targeted Program of the Russian Federation. Spoke at a number of national and international conferences on computer security. Igor Kotenko Head of the Laboratory of Computer Security Problems (Saint-Petersburg Institute for Informatics and Automation). Participated in a variety of projects to develop new technologies for information security (project management for the Federal Target Program of the Russian Federation, the Russian Science Foundation, the Russian Foundation for Basic Research, the European Framework Programmes FP6 and FP7, and projects commissioned by HP, Intel, and F-Secure). Speaker at a number of conferences on computer security.

Android Task Hijacking
Authors: Yury Shabalin and Evgeny Blashko
Android Task Hijacking is an Android vulnerability that makes it possible to spoof any application using only standard mechanisms and requiring no special permissions. It does not require root access to the device, and Google readily lets such applications into the Store. All applications on the device are vulnerable to spoofing, including system ones, because the vulnerability is at the system level. The speakers will cover the technical details, show how the vulnerability works, and share possible solutions.
- Language
- Russian
- Info
- Video
- Presentation
Yury Shabalin Responsible for SDLC implementation in the context of source code audit and overall integration of application analysis tools into an integral development ecosystem. Previously worked with Alfa Bank and Positive Technologies in such areas as security audit, forensics, penetration testing, and implementation of a Secure Software Development Lifecycle (SSDL). A speaker at ZeroNights, RISSPA, OWASP. Evgeny Blashko Five years of experience in information security; three years in development of applications for desktop and mobile operating systems. Engaged in analysis of source code and mobile application security at SberTech. Spoke at OWASP Russia.

Risk management: how to abandon illusions
Author: Alex Smirnoff
Providers of GRC solutions tend to present formal compliance as a required step to effective risk assessment. The speaker will point out shortcomings of these solutions, discuss alternative techniques, and advise on how to employ low-cost and future-proof approaches to vulnerability management.
- Language
- Russian
- Info
- Video
- Presentation
Started his career as a mainframe hacker in 1989, and for several years hacked mostly for fun. Developed a firewall, advised on cybersecurity issues. Worked as CISO with Parallels for four years. Now has turned back to consulting. An expert with the Open Net Association.

Cyber Defense Operations Center—Microsoft experience
Author: Andrei Miroshnikov
A review of the Microsoft Cyber Defense Operations Center in terms of functionality, design, specifics, and workflow management. Security incident detection, investigation, and response with Windows Defender ATP, Microsoft ATA, O365 Threat Explorer, and WEF (Windows Event Forwarding), the tools that allow monitoring security risks within the Microsoft network.
- Language
- Russian
A Senior Security Analyst in the Information Security Risk Management team at Microsoft's Cyber Defense Operations Center. The author and organizer of the Forensics CTF at DEF CON 24. Spoke at Microsoft BlueHat. The author of "Windows 10 and Windows Server 2016 security auditing and monitoring reference." Graduated from Irkutsk State University with a Master's Degree in Computer Science. Currently pursuing an MBA degree at Washington State University.

Finding your way to domain admin access—and even so, the game isn't over yet
Author: Keith Lee
There are scenarios where getting domain admin access doesn't mean you have access to all hosts, shares, or databases in the network. The tricky part for an attacker is to find the right account to get in and out of the environment fast. In this presentation, the speaker will discuss the tricky scenarios his team faced during internal penetration test engagements and will tell how they developed a tool to solve those issues.
- Language
- English
- Info
- Video
- Presentation
Senior Security Consultant with Trustwave's SpiderLabs (one of the world's largest specialist security teams, with over 100 consultants spread across North and South America, Europe, and the Asia Pacific). Focuses on penetration testing, social engineering, and incident response services for clients in the Asia-Pacific region.

Information security tomorrow: is it a stop factor for digitalization of economy?
Moderator: Alexey Kachalin (program director of PHDays, Positive Technologies)
Participants:
- Alexey Sokolov (Deputy Minister of Telecom and Mass Communications)
- Sergey Plugotarenko (Director of the Russian Association for Electronic Communications)
- Kirill Kertsenbaum (Kaspersky Lab)
- Denis Baranov (Director of Research and Development, Positive Technologies)
- Ilya Sachkov (Group-IB)
- Dmitry Finogenov (advisor to the director of Positive Technologies)
- Georgy Gritsay (the Open Networks association)
- Roman Chaplygin (PwC)
- Vyacheslav Kasimov (Executive Director for Information Security, Otkritie Bank)
- Language
- Russian
- Info
- Video

Energy depletion attack analysis: a case with wireless network devices
Authors: Vladislav Alexandrov and Vasily Desnitsky
The research reviews attacks aimed at depleting the energy of battery-powered devices. The following types of attacks have been analyzed: denial-of-sleep attacks, traffic increase, electromagnetic interference, and software misuse. The report will be supported by modeling some types of attacks on an Android-based mobile device and on ZigBee network nodes.
- Language
- Russian
- Info
- Video
- Presentation
Vasily Desnitsky PhD in Technical Sciences. Senior Research Fellow at the Laboratory of Computer Security Problems, SPIIRAS. An Associate Professor at the Bonch-Bruevich Saint Petersburg State University of Telecommunications, Department of Protected Information Systems. Has a keen interest in research and development in the following areas: embedded devices and IoT systems security, attack analysis and modeling, security event management systems, software protection. Vladislav Alexandrov A second-year Master's student at the University of Information Technologies, Mechanics, and Optics (ITMO), specializing in Information Security; works as a programmer with Positive Technologies. Takes part in projects initiated by the Laboratory of Computer Security Problems, SPIIRAS. Conducts research in the areas of IoT system protection and energy depletion attack analysis.

Lightning Talks
Moderator: Andrey Petukhov
We invite you to take part in a 5-minute Lightning Talk. Tell the audience about a new vulnerability or a problem in security algorithms, about a new concept for a security analysis tool, or a study. Share your ideas and find people who think the same. To take part in this event, you need to inform the fast track moderator.
- Each talk lasts 5 minutes (1 or 2 slides).
- No pre-moderation.
- Best speakers get an invitation to PHDays VIII.
- Language
- Russian

Developing DBFW from scratch
Authors: Denis Kolegov and Arseny Reutov
The talk describes technical aspects of developing a Database Firewall prototype from scratch: what is required to develop a DBFW; whether machine learning can be used for effective detection of SQL injection based on SQL queries; how to detect SQL injections using syntax analysis; and how to implement attribute- and role-based access control. The speakers will also discuss prospective application protection mechanisms based on firewalls and static code analysis.
- Language
- Russian
- Info
- Video
- Presentation
Denis Kolegov PhD in Technical Sciences. An Associate Professor at Tomsk State University (the information security and cryptography department). The lead of the application protection techniques research team at Positive Technologies. Arseny Reutov Graduated from Mari State University in 2012. Head of the application protection research department at Positive Technologies. An author of various research papers on information security and of the web security blog raz0r.name. Specializes in information security issues, penetration testing, and analysis of web applications and source code.
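Worked example of the syntax-analysis idea from the abstract (added here; not the speakers' prototype): queries are reduced to their token structure with literals collapsed, a learning phase records the structures the application normally issues, and enforcement blocks anything unseen before a per-role table policy is applied. The query template, roles and table names are invented.

```python
"""Syntax-based SQL injection detection plus a role/table policy, as a DBFW would do it.

Added example, not the speakers' prototype. Idea: learn the token *structure* of the
queries an application issues (literals collapsed), then block any query whose
structure was never seen. An injection changes the structure even when the attacker
adds no new keyword, and escaping changes nothing, so legitimate traffic passes.
"""
import re

TOKEN_RE = re.compile(r"""
      (?P<ws>\s+)
    | (?P<comment>--[^\n]*|/\*.*?\*/)
    | (?P<string>'(?:[^']|'')*')
    | (?P<number>\b\d+(?:\.\d+)?\b)
    | (?P<ident>[A-Za-z_][A-Za-z0-9_.]*)
    | (?P<op><=|>=|<>|!=|\|\||[=<>+\-*/,();])
""", re.VERBOSE | re.DOTALL)


def tokenize(sql):
    """Yield (kind, text); a character no rule matches (e.g. a lone quote) is ('bad', ch)."""
    pos = 0
    while pos < len(sql):
        m = TOKEN_RE.match(sql, pos)
        if m is None:
            yield ("bad", sql[pos])
            pos += 1
            continue
        pos = m.end()
        if m.lastgroup != "ws":
            yield (m.lastgroup, m.group())


def signature(sql):
    """Structural skeleton: literals become STR/NUM, comments COMMENT, the rest case-folded."""
    collapse = {"string": "STR", "number": "NUM", "comment": "COMMENT", "bad": "BAD"}
    return tuple(collapse.get(kind, text.upper()) for kind, text in tokenize(sql))


def statement_type(sql):
    """First keyword of the statement (SELECT, INSERT, ...)."""
    for kind, text in tokenize(sql):
        if kind == "ident":
            return text.upper()
    return ""


def tables(sql):
    """Identifiers that follow FROM / JOIN / UPDATE / INTO, i.e. the tables touched."""
    toks = [t for t in tokenize(sql) if t[0] != "comment"]
    found = set()
    for (kind, text), nxt in zip(toks, toks[1:]):
        if kind == "ident" and text.upper() in {"FROM", "JOIN", "UPDATE", "INTO"} and nxt[0] == "ident":
            found.add(nxt[1].lower())
    return found


class DbFirewall:
    """Learning mode records query structures; enforcement blocks unknown structures,
    then checks a per-role policy of {statement type: allowed tables}."""

    def __init__(self, policy):
        self.policy = policy
        self.known = set()

    def learn(self, sql):
        self.known.add(signature(sql))

    def inspect(self, role, sql):
        if signature(sql) not in self.known:
            return "block: statement structure not in learned profile"
        stype = statement_type(sql)
        denied = tables(sql) - self.policy.get(role, {}).get(stype, set())
        if denied:
            return f"block: role {role} may not {stype} {sorted(denied)}"
        return "allow"


# Constructed application query template and policy (invented names).
LOGIN = "SELECT id FROM users WHERE name = '%s' AND pw = '%s'"
POLICY = {"web": {"SELECT": {"users", "orders"}}, "report": {"SELECT": {"orders"}}}


def demo():
    fw = DbFirewall(POLICY)
    fw.learn(LOGIN % ("alice", "hunter2"))          # learning mode: legitimate traffic
    fw.learn("SELECT total FROM orders WHERE user_id = 42")
    return {
        "escaped_quote": fw.inspect("web", LOGIN % ("o''brien", "pw")),      # same structure
        "tautology":     fw.inspect("web", LOGIN % ("admin' OR '1'='1", "x")),
        "comment":       fw.inspect("web", LOGIN % ("admin'--", "x")),
        "wrong_role":    fw.inspect("report", LOGIN % ("alice", "hunter2")),
        "report_ok":     fw.inspect("report", "SELECT total FROM orders WHERE user_id = 7"),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:14} -> {verdict}")
```

The tokenizer deliberately tolerates garbage: an unterminated quote becomes a BAD token rather than an exception, so a malformed query still produces a signature that fails the profile check instead of crashing the firewall. A production DBFW would hang the policy check on a proper parse tree rather than on the FROM/JOIN heuristic used here.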

Anthology of antifraud techniques: transition to mathematical models and artificial intelligence
Authors: Aleksey Sizov and Evgeniy Kolesnikov
The talk gives you an insight into the history and development of antifraud systems in Russia. The speakers will focus on the attack techniques against payment and banking services used by fraudsters over the past 10 years. You will also learn about the functional elements of antifraud systems related to attack detection and prevention. The second part of the presentation addresses the application of mathematical models in antifraud systems and the effectiveness of this approach.
- Language
- Russian
- Info
- Video
- Presentation
Graduated from the faculty of Applied Mathematics and Cybernetics at Lomonosov Moscow State University in 2006. In 2009, received a research degree in Information Security from the Russian National Research Institute of Computer Science and IT Development. PhD in technical sciences. Worked for three years at Moscow Industrial Bank in the Credit Card Security Department. He was engaged in deployment of fraud monitoring systems and integration of encryption into credit card service processes. Later on, he was the Deputy Head of the Payment Risk Department at Tinkoff Bank. Since 2012, a fraud prevention manager at Jet Infosystems' Information Security Center.

Interface through web analyst's eyes: experience with usage of web analytics widgets on online banking login pages
Author: Dmitry Pavlov
The vast majority of websites and applications use web analytics tools to monitor visitor behavior. The collected data is used for promotion and optimization of a website. Banks also use web statistics tools on their websites, sometimes on online banking login pages. The speaker will present statistics on the use of JavaScript analytics widgets on online banking login pages, which handle sensitive information.
- Language
- Russian
- Info
- Video
- Presentation
A fourth-year student of the Faculty of Computational Mathematics and Cybernetics at MSU.

The evolution of Trojan memory sticks
Author: Andrey Biryukov
Malicious devices based on Teensy and other development boards are rather well known: mimicking a keyboard or another legitimate device, they bypass protection tools and perform malicious activity. However, a Trojan device based on the Raspberry Pi Zero microcomputer allows implementing even more types of attacks. It can be used for MITM attacks, automated vulnerability scanning with subsequent exploitation, or connection to a target system via JTAG to reconfigure BIOS settings. The speaker will demonstrate the implementation of a number of such attacks.
- Language
- Russian
- Info
- Video
- Presentation
Graduated from the Moscow Aviation Institute, the Faculty of Applied Mathematics and Physics. 12+ years of experience in information security. Lead information security engineer at AMT GROUP, focusing on ICS security. A regular author for the Russian magazine "System administrator." Wrote several books on information security.

Hadoop safari: hunting for vulnerabilities
Authors: Mahdi Braik and Thomas Debize
With the growth of data traffic and the need for volumetric data analysis, Big Data has become one of the most popular fields in IT, and many companies are currently working on this topic by deploying clusters of Hadoop, currently the most popular Big Data framework. This talk aims to present Hadoop security issues, or rather its security concepts, in a simple way, and to show the multiple vectors for attacking a cluster.
- Language
- English
- Info
- Video
- Presentation
Mahdi Braik and Thomas Debize are French security enthusiasts and work as infosec auditors at Wavestone, a French consulting company. They work on all kinds of security audits, penetration tests, and incident responses through the company's CERT. Both developed a specific interest in Hadoop technologies a few years ago: as they got to know how immature this ecosystem was, they decided to hunt for vulnerabilities in it. They like to git push new infosec tools and write blog posts for the corporate blog and infosec-specialized magazines.

Preventing attacks in ASP.NET Core
Author: Mikhail Shcherbakov
ASP.NET Core is a continuation of the ASP.NET platform, but unlike its elder sibling, ASP.NET Core is completely open-source and supported by the community. The framework architecture has been reconsidered, with new security features created and some of the existing ones rewritten. The speaker will describe the internal structure of ASP.NET Core attack prevention mechanisms, the cryptography options available out of the box, how session management is arranged, and other features. The talk will be useful for developers writing secure ASP.NET applications, specialists performing .NET project security reviews, and those who would like to understand how to implement security components on this platform.
- Language
- Russian
- Info
- Presentation
Microsoft MVP, participant in the .NET Core Bug Bounty Program, .NET community leader in St. Petersburg and Moscow, an independent software developer and consultant. Professional areas: static and dynamic code analysis, information security, automation of code debugging, and research into .NET CLR internals.

Exploring billion states of a program like a pro. How to cook your own fast and scalable DBI-based security tool. A case study
Author: Maksim Shudrak
The main purpose of this talk is to introduce DBI, delve deeper into the topic, demonstrate the power of this technique, and consider typical problems of applying it to "industrial" tasks. The audience will get acquainted with DBI in general, learn in which fields it is successfully applied and what potential problems arise when implementing one's own tool on top of the presented frameworks (Intel PIN and DynamoRIO), and see real examples of the technique used for heap-based bug detection in heavyweight programs along with dynamic malware analysis.
- Language
- Russian
- Info
- Video
- Presentation
A cyber security researcher at IBM Research Israel, PhD. Field of interests: reverse engineering, software security analysis, dynamic binary instrumentation, malware analysis, emulation technologies.

Injecting security into web apps in the runtime
Author: Ajin Abraham
This talk discusses the research outcomes of implementing a runtime application patching algorithm on an insecurely coded application to protect it against code injection vulnerabilities and other logical issues related to web applications, and introduces the next-generation web application defense technology dubbed Runtime Application Self-Protection (RASP), which defends against web attacks by working inside your web application. RASP relies on runtime patching to inject security into web apps implicitly, without introducing additional code changes. The talk concludes with the challenges of this new technology and gives you an insight into the future of runtime protection.
- Language
- English
- Info
- Video
- Presentation
Ajin Abraham is a security engineer at IMMUNIO with 7+ years of experience in application security, including 4 years of security research. He is passionate about developing new and unique security tools. Some of his contributions to the hacker arsenal include OWASP Xenotix XSS Exploit Framework, Mobile Security Framework (MobSF), Xenotix xBOT, and NodeJsScan. He has been invited to speak at multiple security conferences: ClubHack, Nullcon, OWASP AppSec, Black Hat (Europe, U.S., Asia), Hack Miami, Confidence, ToorCon, Ground Zero Summit, Hack In the Box, and c0c0n.

Cyberespionage in Central Asia
Author: Anton Cherepanov
ESET researchers recently discovered an interesting cyberespionage campaign in several Central Asia countries. The discovered malware has been used in targeted attacks against high-value targets since at least 2016. The talk will uncover details about the campaign and provide technical analysis of the used malicious toolkit.
- Language
- Russian
- Info
- Video
A senior malware researcher in ESET. Responsibilities include analysis of complex threats. Spoke at numerous conferences, including Virus Bulletin, CARO Workshop, 4SICS (CS3STHLM), and ZeroNights. His interests focus on IT security, reverse engineering, and malware analysis automation.

Protection against unauthorized access—which method is better?
Authors: Roman Alferov and Andrey Gorokhov
The report will summarize results of a research evaluating effectiveness of several information security products. Case studies will show the flaws identified by the researchers.
- Language
- Russian
- Info
- Video
- Presentation
Roman Alferov Works as an analytical engineer with Standart Bezopasnosti (Security Standard). A member of the CTF team girav. Studies at Yaroslavl State University (specializing in computer security). Deals with reverse engineering of Windows binaries and penetration testing. Andrey Gorokhov Works as an engineer with Standart Bezopasnosti (Security Standard). A member of the CTF team girav. A postgraduate student at Yaroslavl State University. Engaged in cybercrime investigations and penetration testing.

Evil Printer: assembling an uncommon firmware
Author: Anton Dorfman
We are surrounded by devices doing important jobs, but their security is often neglected. These devices are network printers and multifunction devices. The speaker will review how to extend the standard features of these devices by modifying their firmware. He will show live payloads required for attacks on enterprise and industrial networks. Speaker: Anton Dorfman; authors: Vladimir Nazarov and Ivan Boyko.
- Language
- Russian
- Info
- Video
- Presentation
Researcher, reverser, and assembly language fan. PhD in Technical Sciences. Graduated with honors from the Samara State Technical University. Lectured on reverse engineering. The author of over 50 scientific publications on IT security. Keen on automating any reverse engineering tasks. Was the third in the contest Best Reverser at PHDays II. Was a speaker at PHDays, Zeronights, and HITB 2014. Organizes and trains student CTF teams. Lead specialist at the application analysis unit at Positive Technologies.

Security and psychological research of social dating applications
Authors: Nikita Tarakanov, Mohamed Saher, and Ahmed Garhy
In an ever-connected world, people all around the globe are freely surrendering their personal information and privacy to the social media giants with unprecedented trust. But what happens when this information falls into the wrong hands? What if the social media platforms have not done as good a job as they claim of protecting us from criminals and stalkers who mean to cause us harm? In this presentation, the speakers identify some flaws in one of the most popular social media platforms used globally today and demonstrate how an attacker can retrieve information about its users and track their location and movements. The speakers will also demonstrate how to extract information from unsuspecting users and how to identify users who tend to use the platform for fraud.
- Language
- English

How we hacked distributed configuration management systems
Authors: Francis Alexander and Bharadwaj Machiraju
The talk deals with how the researchers came across and exploited different configuration management systems during their pentests. The speakers will introduce different distributed configuration management tools, such as Apache ZooKeeper, HashiCorp Consul and Serf, and CoreOS etcd; discuss multiple ways of fingerprinting these systems; and exploit generic misconfigurations to expand the attack surface.
- Language
- English
- Info
- Video
- Presentation
Francis Alexander An information security researcher and the author of NoSQL Exploitation Framework. Interested in web app and stand-alone app security, DBMS security, coding tools and fuzzing. Spoke at HITB AMS, Hack in Paris, 44CON, DerbyCon, Defcon. Bharadwaj Machiraju The project leader for OWASP OWTF. He is mostly found either building a web app sec tool or hunting bugs for fame. Spoke at such conferences as Nullcon, Troopers, BruCON, PyCon. Apart from information security, he is interested in sleeping, mnemonic techniques, and machine learning.
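Worked example of fingerprinting these systems (added here; not the speakers' tooling): classification of ZooKeeper four-letter-word replies and of etcd/Consul HTTP responses on their default ports, with a live probe() for a lab host you are authorized to test. The sample replies are constructed, so the classification runs offline; Serf is omitted because it has no comparable plain-text probe.

```python
"""Fingerprint exposed ZooKeeper / etcd / Consul endpoints and flag open data access.

Added example, not the speakers' tooling. It relies only on documented, unauthenticated
requests: ZooKeeper four-letter words on 2181, etcd's /version and v2 key listing,
Consul's agent and KV HTTP API on 8500. Sample replies below are constructed.
"""
import json
import socket
from urllib.request import Request, urlopen
from urllib.error import HTTPError

ZK_PORT = 2181
ETCD_PORTS = (2379, 4001)   # 2379 for etcd 2.x/3.x, 4001 for older deployments
CONSUL_PORT = 8500


def classify_zookeeper(ruok_reply, stat_reply):
    """ZooKeeper answers 'ruok' with 'imok'; 'stat' starts with its version line."""
    if ruok_reply.strip() != b"imok":
        return None
    info = {"service": "zookeeper", "version": None,
            "issues": ["four-letter words answered without authentication"]}
    first = stat_reply.decode(errors="replace").split("\n", 1)[0]
    if first.startswith("Zookeeper version:"):
        info["version"] = first.split(":", 1)[1].strip()
    return info


def classify_http(path, status, body):
    """Identify etcd / Consul from one HTTP reply and note what it exposes."""
    try:
        data = json.loads(body.decode(errors="replace"))
    except ValueError:
        return None
    if path == "/version" and isinstance(data, dict) and "etcdserver" in data:
        return {"service": "etcd", "version": data["etcdserver"], "issues": []}
    if path == "/v2/keys/" and status == 200 and isinstance(data, dict) and "node" in data:
        return {"service": "etcd", "version": None,
                "issues": ["key store readable without authentication (/v2/keys/?recursive=true)"]}
    if path == "/v1/agent/self" and isinstance(data, dict) and "Config" in data:
        cfg = data["Config"]
        return {"service": "consul", "version": cfg.get("Version"),
                "issues": [f"agent API answered without ACL token (datacenter {cfg.get('Datacenter')})"]}
    if path == "/v1/kv/" and status == 200 and isinstance(data, list):
        return {"service": "consul", "version": None,
                "issues": [f"KV store readable without ACL token ({len(data)} keys)"]}
    return None


def _four_letter(host, word, timeout=3.0):
    """Send one ZooKeeper four-letter word; the server replies and closes the connection."""
    with socket.create_connection((host, ZK_PORT), timeout=timeout) as s:
        s.sendall(word)
        chunks = []
        while True:
            chunk = s.recv(4096)
            if not chunk:
                return b"".join(chunks)
            chunks.append(chunk)


def _http(host, port, path, query="", timeout=3.0):
    req = Request(f"http://{host}:{port}{path}{query}", headers={"User-Agent": "dcm-fingerprint"})
    try:
        with urlopen(req, timeout=timeout) as resp:
            return resp.getcode(), resp.read()
    except HTTPError as err:          # 4xx/5xx still carry a body worth classifying
        return err.code, err.read()


def probe(host):
    """Live scan of one host (lab use); returns the non-empty classifications."""
    results = []
    try:
        results.append(classify_zookeeper(_four_letter(host, b"ruok"), _four_letter(host, b"stat")))
    except OSError:
        pass
    checks = [(p, "/version", "") for p in ETCD_PORTS] + \
             [(p, "/v2/keys/", "?recursive=true") for p in ETCD_PORTS] + \
             [(CONSUL_PORT, "/v1/agent/self", ""), (CONSUL_PORT, "/v1/kv/", "?recurse")]
    for port, path, query in checks:
        try:
            results.append(classify_http(path, *_http(host, port, path, query)))
        except OSError:               # connection refused, timeout, DNS failure
            pass
    return [r for r in results if r]


# Constructed replies (not captured from real systems) for offline use.
SAMPLE_REPLIES = {
    "zk": (b"imok", b"Zookeeper version: 3.4.9-1757313, built on 08/23/2016 06:50 GMT\nClients:\n"),
    "etcd_version": ("/version", 200, b'{"etcdserver":"3.1.5","etcdcluster":"3.1.0"}'),
    "etcd_keys": ("/v2/keys/", 200, b'{"action":"get","node":{"dir":true,"nodes":[{"key":"/db_password","value":"s3cret"}]}}'),
    "consul_self": ("/v1/agent/self", 200, b'{"Config":{"Datacenter":"dc1","NodeName":"node1","Version":"0.8.1"}}'),
    "consul_kv": ("/v1/kv/", 200, b'[{"Key":"app/db_url","Value":"cG9zdGdyZXM6Ly8="}]'),
    "not_dcm": ("/version", 200, b"<html>nginx</html>"),
}


def classify_samples():
    out = {"zk": classify_zookeeper(*SAMPLE_REPLIES["zk"])}
    for name in ("etcd_version", "etcd_keys", "consul_self", "consul_kv", "not_dcm"):
        out[name] = classify_http(*SAMPLE_REPLIES[name])
    return out
```

Each classification carries an "issues" list, because the interesting finding is rarely the product name: an etcd that lists its whole key tree or a Consul KV that answers without an ACL token is the misconfiguration that turns a fingerprint into access to credentials and service configuration. Run probe("host") only against systems you are authorized to test.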

Dangerous controllers
Author: Igor Dusha
The main issues the speaker will cover are vulnerabilities in PLCs, process interface units, computer-based interlocking units, and other smart devices. He will also review the specifics of penetration testing in SCADA and the classification of vulnerabilities in SCADA systems and PLCs, all supported by case studies and remediation methods. The report also outlines the specifics of ensuring security in proprietary technologies for data transfer between control units and field devices, which control processes in the oil and gas, nuclear, and other industries. The report is supplemented by real test results and compilations.
- Language
- Russian
- Info
- Video
- Presentation
Graduated from MEPhI (Moscow Engineering Physics Institute), the Faculty of Cybernetics and Information Security. Currently works as a security engineer with ASP Labs, architect of the complex SCADA security solution. Involved in SCADA security activities, such as audits, penetration testing, design and installation of information security tools, in railway, nuclear, petroleum refining, and power distribution industries. A member of the BalalaikaCr3w team in CTF.

Information security education: new perspectives
Author: Mikhail Saveliev
This event is aimed at young professionals, graduates, and graduate students, as well as representatives of the security industry and educational institutions. The speakers from Sberbank, Kaspersky Lab, and Positive Technologies will explain which areas of knowledge are at a premium nowadays and why information security does not fit into traditional education. The representatives of the Moscow Polytechnic University and MIRBIS College will talk about new education models.
- Language
- Russian

Hacker-machine interface
Authors: Brian Gorenc and Fritz Sands
This talk covers an in-depth analysis performed on a corpus of 200+ confirmed SCADA and HMI vulnerabilities. It details the popular vulnerability types discovered in HMI solutions developed by the biggest SCADA vendors, including Schneider Electric, Siemens, General Electric, and Advantech. It studies the weaknesses in the technologies used to develop HMI solutions and describes how critical vulnerabilities manifest in the underlying code. The talk will compare the time-to-patch performance of various SCADA vendors and compare the SCADA industry to the rest of the software industry. Additional guidance will be provided to SCADA developers and operators looking to reduce the available attack surface, along with a prediction of what we expect next in attacks that leverage SCADA and HMI vulnerabilities.
- Language
- English
- Info
- Video
- Presentation
Brian Gorenc A senior manager of Vulnerability Research at Trend Micro. He leads the Zero Day Initiative (ZDI) program, which represents the world's largest vendor-agnostic bug bounty program. His focus includes analyzing and performing root-cause analysis on hundreds of zero-day vulnerabilities submitted by ZDI researchers from around the world. The ZDI works to expose and remediate weaknesses in the world's most popular software. He is also responsible for organizing and adjudicating the ever-popular Pwn2Own hacking competitions. Fritz Sands A security researcher with Trend Micro's Zero Day Initiative. In this role, he analyzes and performs root-cause analysis on vulnerabilities submitted to the ZDI program, which is the world's largest vendor-agnostic bug bounty program. He also focuses on writing tools to perform static and dynamic analysis for discovering vulnerabilities. Prior to joining the ZDI in 2014, he was in Microsoft's Trustworthy Computing and Secure Windows Initiative operations, where he audited Windows code and developed dynamic analysis tools, and before that he was a system developer for multiple iterations of Microsoft Windows.

Developing a Google Chrome extension to protect against information leakage through other browser extensions
Author: Anastasiya Parygina
A significant concern about browser extensions is that they are prone to information leakage. This talk focuses on a browser extension to improve security for users with minimal technical skills and knowledge in information security.
- Language
- Russian
- Info
- Video
- Presentation
Native of Astana (the Republic of Kazakhstan). A senior student at the Information Technology department of L. N. Gumilyov Eurasian National University. Has been involved in design and development of information systems since 2015.

Linux kernel HTTPS/TCP/IP stack for HTTP DDoS mitigation
Author: Alexander Krizhanovsky
The talk describes an extension of the Linux TCP/IP stack so that HTTPS works in the same stack as TCP and IP. Application-layer HTTP DDoS attacks are usually mitigated by HTTP accelerators or HTTP load balancers. However, the Linux socket interface used by this software does not provide reasonable performance under the extreme loads caused by DDoS attacks. HTTP servers based on user-space TCP/IP stacks are becoming popular due to their better performance, but a TCP/IP stack is a huge and complex body of code, so it is not wise to implement and run it twice, in user space and in the kernel. The kernel TCP/IP stack is well integrated with many powerful tools such as iptables, IPVS, tc, and tcpdump, which are unavailable to a user-space TCP/IP stack or require complex interfaces. The speaker will present Tempesta FW, which brings HTTPS processing into the kernel: HTTPS is built into the Linux TCP/IP stack. As an HTTP firewall, Tempesta FW implements a set of rate limits and heuristics to defend against HTTPS floods and Slow HTTP attacks.
- Language
- Russian
- Info
- Video
- Presentation
CEO at Tempesta Technologies and lead developer of Tempesta FW, a Linux application delivery controller. Founder and CEO of NatSys Lab., a company providing consultancy and custom software development in high performance network traffic processing and databases. Responsible for architecture and performance of several products in network traffic processing and database areas.

HummingBad: past, present, and future
Author: Andrey Polkovnichenko
First-hand details on the research of one of the most widespread mobile botnets by Check Point specialists. What HummingBad is, what the perils are, who is behind it, and how to deal with it.
- Language
- Russian
A reverse engineer team lead at Check Point. For the last three years, he has been saving the world from mobile threats.

Your money and your data threat sentry
Author: Young Hak Lee
Recently, advanced persistent threats (APT) using drive-by downloads have occurred with increasing frequency. Existing automated analysis systems are generally unable to analyze the malware used in APT attacks, so a malware researcher has to analyze it manually. The speaker will demonstrate a new real-time automated memory analysis system (Malware Analyst). Instead of generating a memory dump, the system uses LibVMI to access memory directly, which improves diagnostic speed, and it clearly distinguishes suspicious malware behavior.
- Language
- English
- Info
- Video
- Presentation
Security Senior Researcher and Security Research Team Manager. Spoke at CODEGATE and HITCON. In 2013, organized a CTF contest at CODEGATE; in 2012, was one of the conference's organizers.

A heuristic approach for detection of DOM-based XSS combined with tolerant parsing
Author: Alexey Pertsev
The talk includes details on client-side detection and prevention of attacks related to DOM-based XSS using syntax-error-tolerant JavaScript parsers. This technique is meant to be especially useful in WAFs.
- Language
- Russian
- Info
- Video
- Presentation
A graduate of G. I. Nevelskoi Maritime State University. Engaged in penetration testing at Digital Security.

To vulnerability database and beyond
Author: Alexander Leonov
The speaker will talk about public databases of vulnerabilities and exploits, detection rules, security bulletins, and other security-related content. What is the use of such a database? Is it possible to automatically highlight hot topics by considering correlations between objects without going into technical details? Can such a database help to search for and prioritize vulnerabilities in your infrastructure? Do you need security experts, or is it enough to buy your IT specialists a subscription to a vulnerability database?
- Language
- Russian
- Info
- Video
- Presentation
Expert in information security automation. For six years, he was engaged in developing vulnerability scanners and IT compliance management. Works at Russia's largest internet company. Responsible for automated vulnerability assessment of a huge and diverse IT infrastructure. Runs his own blog on vulnerability management at avleonov.com.

Circumventing mobile app stores security checks using Hybrid Frameworks and HTML5-fu
Author: Paul Amar
This talk covers a new attack vector regarding app stores: circumventing the security checks associated with publishing an app on any app store. Usually, after a mobile application is submitted, stores run sandbox or manual tests and decide whether the application is legitimate. By using a hybrid framework (such as Cordova), it is possible to update mobile applications without user consent and without notifying the app stores.
- Language
- English
- Info
- Video
- Presentation
A security engineer doing digital forensics and incident response. Likes developing (mostly in Python and some hipster stuff) and always has a bunch of crazy ideas coming up every day. Spoke at DeepSec and BSides. His latest project, Data Exfiltration Toolkit, was showcased at Black Hat.

ICS information security
Moderator: Roman Krasnov and Dmitry Darensky
The section will cover the following issues: R&D in protection of industrial control systems (ICS) and the internet of things, establishment of ICS cybersecurity centers, product compatibility testing and certification, traditional SOC arrangement and modern SOC establishment strategies. Speakers: Evgeny Gengrinovich, Pavel Lutsik, Andrey Nuikin, Alexey Petukhov, and Ruslan Stefanov. The participants of a round-table discussion will raise the following issues: should a SOC monitor ICS? What should a SOC be able to do in order to cope with IT and IS incidents? How to deal with remote autonomous objects? Participants: Denis Babaev, Andrey Nuikin, and Ruslan Stefanov. Moderators: Roman Krasnov and Dmitry Darensky.
Among reports
Kaspersky Lab ICS-CERT. Research and investigations
In October 2016, Kaspersky Lab launched Kaspersky Lab ICS CERT, a visionary project designed to distribute information on current threats and vulnerabilities in industrial automation. Within the first six months of the project, the team eliminated a large number of vulnerabilities, conducted several incident investigations in industrial automation systems, and published several reports covering ICS security issues. The report will describe ICS security problems detected in the course of investigations and vulnerability research. The speaker will also talk about the project's development plans and give a list of artefacts that can be useful for ICS component vendors, security departments of industrial companies, and independent researchers.
- Language
- Russian

Secure service-oriented architecture. Smart home voice control as a case study
Author: Wire Snark
The report reviews secure system development methodology as applied to IoT applications. The speaker will explain what a threat model is and how it is embedded in the software development lifecycle. A voice control application will be used to demonstrate the single responsibility principle and the principle of least privilege. The report also reviews practical aspects of creating service-oriented architecture apps in a Yocto Linux environment, such as using DBus IPC and selecting suitable secure programming languages (out of Go, Rust, Python, Node.js, Java). The speaker touches upon isolation of vulnerable code that processes untrusted input data.
- Language
- Russian
- Info
- Video
- Presentation
Graduated from the Lobachevsky State University of Nizhny Novgorod. Started his career as a trainee at Intel in Nizhny Novgorod, then worked as a mathematician programmer at ASCON. Currently a programmer and team lead at MERA. A system developer, mainly works with Yocto Linux and Android-based services and daemons; is interested in telephony and voice control. As a security researcher, he is involved in white-box audits. Supports privacy, anonymity, and security of users. An adherent of ethical hacking and free software.

Anti-APT Swiss knife
Authors: Kirill Mikhailov, Andrey Semenyuchenko, Anatoly Viklov
Speakers will talk about a standard and comprehensive approach to protection against APT attacks and demonstrate the possibilities of a "Swiss knife" in the investigation of IS incidents.
- Language
- Russian
- Info
- Presentation

Innovations in protection tools and security tests
Authors: Anton Ivanov and Egor Nazarov
This section is devoted to advanced information security technologies illustrated by the relevant use cases. Experts seeking new breakthrough solutions are welcome. Moderators: Anton Ivanov and Egor Nazarov.
- Language
- Russian

Security in motion: traffic inspection and network security
Moderator: Mikhail Kader
- Transformation of traffic protection technologies when accessing network services and content (Taras Ivaschenko, Yandex)
- From signatures to behavioral analytics: evolution of approaches to identifying threats (Alexey Danilov, Infotecs)
- How to find something you know nothing about? (Andrey Akinin, Web Control)
- Detection of malicious code in traffic encrypted using TLS (without decryption) (Ruslan Ivanov, Cisco)
- Language
- Russian

Security cloud strategy
Moderator: Aleksey Goldbergs
- Lost in translation: transferring services to the cloud (Aleksey Goldbergs, Positive Technologies)
- Practical usage of cloud services and BigData for attack detection (Anna Luchnik, Microsoft)
- Integration of information security services into NFV infrastructure (Vitaly Antonenko and Alexander Ermilov, ARCCN)
- Increasing trust and security of using cloud services in a company (Andrey Akinin, Web Control)
- Round-table talk: Security cloud strategy. Participants: Andrey Ivanov (Microsoft), Muslim Mejlumov (Rostelecom), Alexander Lyamin (Qrator Labs), Maxim Kaminsky (Brain4Net), Vitaly Antonenko (ARCCN). Moderator: Aleksey Goldbergs, Positive Technologies.
- Language
- Russian

Nonpublic section from Informzaschita
Author: Evgeny Klimov
- Language
- Russian

Security practice
Author: Denis Remchukov
Topical approaches and solutions for ensuring information security. Is a working SIEM a truth or a myth? UEBA: tomorrow or never? When will you stop buying these useless end-point antiviruses? Discussion about current and innovative protection technologies. Participants: Oleg Bashkinsky, Pavel Zemtsov, Konstantin Goldstein, Andrey Revyashko, Sergey Rysin. Moderator: Denis Remchukov.
- Language
- Russian

Anti-plenary session. Technologies security: personal views of leading minds
Moderator: Alexey Kachalin
These days, information security suffers acute internal conflicts. All around, we hear: "No one is interested!", "You'll be hacked in any case!", "Buy new stuff." Both security solution developers and users have lost their faith and motivation. The most outstanding representatives of the community will sit together to share their pains and ideas that can influence every person and the industry in general. As few slides or other tinsel as possible, and loads of personal experience, understanding of the subject, and emotions. Participants: Alexey Kachalin, Ilya Sachkov, Alexey Lukatsky, Alexey Volkov, Vladimir Bengin, Elman Beybutov, Mikhail Kader, Dmitry Manannikov, Ivan Novikov.
- Language
- Russian
- Info
- Video
- Presentation

Mobile networks insecurity as it was yesterday, is today, and will be tomorrow
Authors: Kirill Puzankov, Sergey Mashukov, Pavel Novikov
- Language
- Russian
- Info
- Video
- Presentation

Security Path: Dev vs Manage vs Hack
Authors: Dmitry Mannanikov and Mikhail Levin
We all started our careers either as engineers or as operators: we developed and created systems, experimented with design and research. But eventually each of us comes up against the question: what to do next, in a year or two, and what we would like to become in five or ten years. How to build a career in the security area? What helps development, and what can be a dead end, both for hackers and defenders? Is it possible to be a bug hunter all your life, or is a shift to paperwork expert or people manager inevitable? What is more attractive to hack and to design: software or bulletproof enterprise processes? Specialists thinking about their future and managers guiding their staff in development are welcome.
- Language
- Russian
- Info
- Video

Software architecture: security requirements
Author: Kirill Ivanov
Software development is in any case based on certain requirements. The complete list of these requirements consists of the business objectives of the app, various restrictions, and quality expectations (so-called NFR). Software security requirements belong to the last group. The report describes where these requirements come from and how they can be managed and prioritized. Specific attention will be paid to the principles of software architecture design, with or without such requirements. The speaker will also demonstrate how modern and well-known approaches to application design help to improve the app architecture and minimize the potential threat landscape.
- Language
- Russian
- Info
- Presentation
A software architect at Positive Technologies

Network security audit (standard 802.11)
Author: Oleg Kupreev
- Language
- Russian
- Info
- Presentation

Application Security Outback
Authors: Vladimir Kochetkov, Denis Kolegov
Have you ever wondered how modern application protection mechanisms are arranged? What theory underlies WAF and SAST implementations? What are their limitations? How far can these limits be pushed if we take a broader look at the application security problem? This hands-on lab will show the basic methods and algorithms of the two fundamental application security technologies: web application firewall and static code analysis. Using open source tools developed specifically for this hands-on lab, the participants will review the problems that app protection developers come across and possible solutions to these problems.
- Language
- Russian
- Info
- Presentation
Vladimir Kochetkov: team lead at the source code analyzer development department at Positive Technologies.
Denis Kolegov: lead of the application protection research team at Positive Technologies.

Formal verification of C code
Author: Denis Efremov
The report covers the issue of developing correct software by applying one of the types of static code analysis. The speaker will also address the matters of using such methods, their weaknesses and limitations, as well as the results they can produce. Using case studies, the speaker will show what developing a specification for C code and proving the code's conformity to that specification look like.
- Language
- Russian
- Info
- Presentation

From experiments to industrial programming: a ten-year journey
Author: Katerina Troshina
Developing science-based software has its own specific features: there is no clear problem statement or precise understanding of the result. But even with a problem set up like that, we need to code the right things in the right way. The speaker's team successfully developed several science-based products that are already used in industrial operation. They travelled a challenging path from an experiment, which resulted in a prototype, to industrial versions that are successfully sold in both domestic and international markets. To overcome the challenges, the team implemented proper managerial solutions, which the speaker would like to share with you.
- Language
- Russian
- Info
- Presentation

Automation of rule construction for Approof
Author: Denis Efremov
Approof is a static code analyzer for testing web applications for vulnerable components. The analyzer is based on rules that store signatures of the components it searches for. The report examines the basic structure of rules for Approof and the automation of their development.
- Language
- Russian
- Info
- Presentation

Vulnerable Android application: N proven methods of falling into the same trap
Author: Nikolay Anisenya
Developers rarely consider security in application architecture at the design stage. It would need extra money, extra time, and, what is even more important, an understanding of threats and attacker models. Application protection comes into the limelight as soon as vulnerabilities start to cost money. At that moment, the application is usually already working, and introducing significant changes into the code becomes a challenge. Fortunately, developers are also people, and different app codebases can contain similar flaws. The report will cover the most common critical mistakes made by Android app developers. The speaker will touch upon specific features of Android OS, give real examples of vulnerabilities in apps, and describe possible remedies.
- Language
- Russian
- Info
- Presentation
A specialist of the mobile application security research department, Positive Technologies
