PHDays Technical Program: What to Expect from HummingBad Trojan, What Is macOS Malware, and Java Card Attacks

3/29/2017

Positive Hack Days is just around the corner: more than 4,000 security experts are gathering in Moscow on May 23 and 24 this year to discuss the most pressing issues of information security. Recently we announced the first batch of speakers who got into the main technical program. If you’d like to share the stage with the biggest names in information security, you have your last chance—we are extending our Call for Papers until March 30. And while you are preparing your applications, we’d like to introduce our next batch of speakers.

For the first time at PHDays, a former NSA employee and now Synack's Research Director Patrick Wardle will give a talk. He studies macOS malware and develops free protection tools for this platform, in particular OverSight that protects Mac webcams against spying. For a long time, Wardle claimed that malware for OS X is comparable to Windows viruses 10 to 15 years ago. Has anything changed? The speaker will explain what is special about macOS malware that appeared in 2016 (properties, infection vectors, and persistence mechanisms) and will tell the participants of the forum about universal methods of detecting attacks (generic detections) that provide macOS security.

Security Analyst at Riscure (Netherlands) Sergei Volokitin studies vulnerabilities in the Java Card platform used in modern smart cards. Most cards from different manufacturers do not ensure the integrity and confidentiality of data in secure containers. At PHDays, Sergei will talk about attacks on Java-based smart card containers that allow an attacker to steal cryptographic keys and PINs of other applets installed on the cards.

More and more companies rely on security centers to scan for and manage vulnerabilities. Typically, to cover more systems while keeping privileges to a minimum, a security center is deployed in the demilitarized zone (DMZ). Oleksandr Kazymyrov, a member of a non-functional test group in Financial Services at EVRY, will tell the attendees about passive and active data collection on an administration server with a security center installed. Oleksandr will demonstrate a way to get from the DMZ into the working environment using the Nessus scanner, which allows white hat hackers to penetrate the internal network where confidential data is stored.

PHDays VII will also feature the creator of the NoSQL Exploitation Framework, Francis Alexander. The need for distributed applications is growing, and tools for coordinating and managing the configuration of these applications are emerging with it. The expert will share the results of penetration tests of various configuration management systems and present distributed configuration management tools such as Apache ZooKeeper, HashiCorp Consul and Serf, and CoreOS Etcd. The participants will learn how to create snapshots of these systems and how typical configuration errors increase the attack surface.

In 2016, the world learned about the Android Trojan HummingBad, created by the Chinese hacker group Yingmob. HummingBad is downloaded along with applications from unverified sources. Once on a mobile device, the Trojan allows attackers to take full control of the device and use it for advertising fraud—click fraud, for example. Tens of millions of mobile devices were infected with HummingBad. A year later, a new version of the Trojan, called HummingWhale, appeared. Check Point experts have investigated one of the most widespread mobile botnets. Learn how to deal with HummingBad from Andrey Polkovnichenko, a reverse engineering team lead at Check Point.

A full list of speakers will be published on the PHDays VII official website in April. For more details about the topics and terms of participation, visit Call for Papers.

The conference is taking place on May 23 and 24, 2017 at World Trade Center Moscow. You can register and buy tickets here. The price for two days of the forum is 9,600 rubles and 7,337 rubles for one day.

The forum's partners are Microsoft, IBM, Infotecs, R-Vision, Solar Security and Axoft; the business partner is MONT; the technology partners include Cisco, CompTek, ARinteg, Qrator, and Wallarm; the Standoff partners are PaloAlto, ICL System Technologies and Beyond Security; the Standoff participants are Informzaschita, Advanced Monitoring, Jet Infosystems and CROC; the general information partner is the news agency TASS.