Let’s play the game: One more way to perform a penetration test
Speaker: Kirill Ermakov
Every large enterprise company runs external penetration tests and security audits. There are many approaches to this, but only a few of them can really simulate hacker attacks; the others are only slightly better than an automated scan. I want to show you our vision of a "penetration test" and tell you the story of a two-month security survival game.
Fighting against a Flash 0-day: a hunt for a tainted vector
Speakers: Andrey Kovalev, Konstantin Otrashkevich, Evgeny Sidorov
In 2015, exploitation of Adobe Flash is a stable and popular trend among security researchers as well as cybercriminals. This is caused by the existence of a player built from a single code base that works in all modern browsers and on all popular operating systems. Such circumstances allow cybercriminals to attack different platforms with one exploit.
The story of Flash exploits based on Vector object corruption began in 2013, when the first exploit for CVE-2013-0634 ("Lady Boyle") was released. In 2014, CVE-2014-0322 brought a more common approach based on corrupting the Vector.length field. Corrupting this field allowed reading and writing IE process memory, creating ROP shellcode and executing it. The approach is very powerful, and all recent exploits (including those leaked from the HackingTeam sources) use this idea.
Only in July 2015 did Google and Adobe come up with a new mitigation technology that protects end users, but exploit pack developers aren't going to get rid of such Flash exploits.
At Yandex we have our own behavioral detection technology developed for such exploits, and in our presentation we're going to share the key principles it's based on. We'll also give some directions that will help build behavioral detection systems for complex Flash exploits.
In our talk we’ll also highlight:
- main techniques used in recent Adobe Flash Player exploits
- Google's Vector<...>.length validation technique and its bypass
- mitigation approaches to exploiting Adobe Flash vulnerabilities and methods of bypassing them (bypassing Adobe Flash Control Flow Guard)
- our experience of detecting such exploitation attempts
Analyze it: assembling a modern SIEM based on open source components for large-scale log analysis
Speaker: Daniil Svetlov
When it comes to vulnerability detection by open source means, there is no shortage of software: AIDE, OSSEC, Snort, Suricata and Bro IDS are available.
We may include antivirus, firewall and network equipment logs here as well. All the mentioned systems have their own log types and various user interfaces, and may generate at least several thousand alerts daily.
In such a situation, the question of collecting all these alerts, analysing them and sending mail notifications arises. At the same time, it's a good idea to be able to select the desired events and get suitable diagrams as easily as a couple of mouse clicks. Modern SIEMs are either rather expensive or free but limited versions. In this presentation, the author will demonstrate how to assemble an OSSEC, Snort, Suricata and Cisco ASA log analysis system out of Elasticsearch, Logstash and Kibana. The system will have an SQL-like search feature, flexible mail notification management and a large-scale multi-tier architecture out of the box. Finally, Daniil will provide a link to an Ansible playbook that launches all the necessary components on the server and configures them, so you can start your log analysis in practically no time.
Correlating security events with Esper
Speaker: Nikolai Klendar
The talk is devoted to the Esper library and the features it offers for complex security event processing (correlation). Basic and advanced features will be discussed, as well as an application that enables efficient detection of attacks, suspicious activities and other anomalies.
Automation of web application scanning: the experience of Yandex
Speaker: Eldar Zaitov
Anyone who tries to implement application security scanning as a process faces the same problems. We'll speak about the evolution of our scanning process and the technical (and other) aspects of automation, and share our solutions with you.
Banking Trojans: a look from a new perspective
Speaker: Alexey Levin
Client-bank system developers often face the theft of money from bank clients by means of Trojans. The most dangerous Trojans use drive-by download and hide payments on client computers while simultaneously modifying Java programs. The talk will focus on such Trojans, defense measures and the technologies that we use to develop them. We will discuss the tools that we use and their efficiency, and have a look at additional methods of protection (for instance, constant-pool integrity control and implementing invokedynamic).
Do-it-yourself banking SDL
Speaker: Yuri Shabalin
One does not normally expect an adequate approach to hands-on information security from banks, especially when it comes to such new technical trends as SDL. But is it always like this? The speaker will talk about his experience in secure development at Alfa-Bank and highlight the main challenges he faced.
Stay tuned for updates!