June 10, we invite you to Digital Security ON AIR, an online meeting on information security. Let’s talk about fuzzing, reverse engineering and pentest, play online CTF and stir up Kahoot with prizes. We start at 17:00, and plan to finish at 21:00. Free admission.
Why is everything so
Digital Security has a popular mitap tradition in IT circles. We get together, discuss non-trivial issues of information security, play Kahoot and eat pizza. Now our meetings have moved online, and we decided to invite everyone to join us. Yes, eating pizza together will not work, but there will be more participants, well, excellent reports are unchanged.
Actually, about the excellent reports:
Fedor Yarochkin – Cloud Services: Attacks and Defense
Many companies benefit from moving their infrastructure to the clouds. Cloud services offer great scalability and accessibility features and seem easier to use. However, you have to pay for these amenities. At the beginning of 2019, Fedor and his colleagues conducted a study and discovered many insecure or insecurely configured services.
And it’s not only about incorrectly configured S3 bucket, the researchers found that security problems are much more diverse. Some of them can lead to the disclosure of sensitive data, others – to bypass authentication and the disclosure of authentication data.
In his report, Fedor will tell you how to improve the security of deployments in the cloud by increasing the resilience of cloud services to attacks and properly configuring certain aspects of their configuration.
Alexander Ermolov – Intel Authenticated Code Modules Vulnerabilities
Recently, much has been done to improve the security of x86-compatible computer platforms. In particular, Intel introduced hardware-supported protection mechanisms: TXT, BIOS Guard, Boot Guard, and SGX. Due to the fact that you cannot trust the runtime environment, these mechanisms rely on the hardware framework laid down at the stage of creating the architecture and production of the platform.
As a result, we have two main roots of trust in the Intel 64 architecture: Intel Management Engine ROM and Intel CPU ROM (Microcode ROM). The latter, by the way, is responsible for authenticating, downloading, and executing various trusted Intel code modules. They are Authenticated Code Modules (ACMs). These are specialized signed (Intel) binaries that lay the foundation for supporting the aforementioned security technologies. Obviously, a vulnerability in ACM could lead to a compromise of the technology that this module supports. Alexander will tell us about these vulnerabilities in detail.
Alexander Romanov – 3D Secure, or what is hidden in the security mechanisms of online payments
Millions of online purchases are made daily in the world. The volume of the e-commerce industry is estimated at trillions of dollars, and such turnovers naturally attract the attention of cybercriminals. We will talk about how the protection mechanisms for online payments work and what vulnerabilities can be hidden in them using the 3D Secure protocol as an example. Alexander will share his experience from his Pentester practice and answer your questions, of course.
Boris Ryutin and Pavel Knyazev – DevSecOps: Source Code Fuzzing
Over the past 10 years, fuzzing has become an integral part of the audit and software vulnerability search processes. Launched in 2011, the Google Fuzz Machine found thousands of vulnerabilities in Chromium and showed the need to turn a one-time study into an ongoing process. Boris and Pavel will tell you what developers will have to face when preparing their C / C ++ product for fuzzing, what pitfalls DevOps engineers expect, and how this will help reduce the number of vulnerabilities in your product even at the development stage.
Vladimir Volkov – PHP Framework Security
Despite the fact that it is now customary to build the web with the help of fashionable JS frameworks, quite a lot of web projects are written in PHP. Imagine that you have a Pentest project for PHP and you want to understand the device and features of the popular PHP frameworks. Vladimir will tell you what the structure of such projects looks like, what interesting vulnerabilities can be found in them, and also describe some PHP-specific bugs.
For those who come to the conference not only for the sake of content, we will conduct a small online CTF. We prepared tasks for reverse engineering, binary operation, web security and forensics. Registration is already open. Go!
We will also play Kahoot in between reports. Prizes according to all canons of hospitality – it’s ours, we will send everything won to the winners.
Sign up on Digital Security ON AIR, and see you on June 10 at 17:00 (Moscow time).