PHDays V: Encryption Standards, M&A in Yandex and Chemical Attacks

Early December was marked with Call for Papers opened for everyone willing to speak at Positive Hack Days V. Later we announced the first speakers introducing John Matherly, the creator of Shodan, John Bambenek, a cyber detective, and Chris Hadnagy, a professional social engineer.

The first CFP stage was over at the end of January. Today we present a new portion of reports included in the technical, practical and business program of upcoming PHDays. The forum guests will learn how to fortify a corporate IT system digitally, how to bypass Moscow Metro Wi-Fi authorization, and how attackers exploit vulnerabilities in physical processes.

Yandex: Security for Mergers and Acquisitions

When a company buys another company, nobody ever thinks of a security audit. If, by any chance, it comes to the limelight, the current regulatory requirements alone are analyzed.

Yandex is actively purchasing technological projects all over the world now and then detonating the media scene with news about another grand merger. An information security analyst of the search giant, Natalya Kukanova, will throw light on how and why they included the security audit into the merging processes (M&A). The audience will learn what to check in case of M&A deals, how to organize audit, and how to interpret its results. All bullet points will be exemplified by real Yandex' deals.

Encryption Standards of the Future

Markku-Juhani Saarinen will detail into the NIST-sponsored CAESAR project, which is an international crypto competition aimed at the creation of a new AE security standard instead of AES-GCM (this algorithm was certified by the USA and NATO to handle secret information, but was detected to contain various security problems).

The speaker will acquaint his audience with CAESAR cyphers and consider weak and strong points of the current encryption standards and algorithms in Russia (e.g. the GOST R 34.10-2001 signature algorithm).

Markku-Juhani Saarinen has been studying information security and cryptography and developing cryptographic software for more than 15 years already.

Around OSX Sandbox

Alexander Stavonin will analyze how OSX (a sandbox designed with TrustedBSD) security tools work and how widely they are used by third-party applications. He will demonstrate potential problems and exploitation of TrustedBSD by cybercriminals — all exemplified by the source code.

How to Build a Digital Fortress

An information security and forensics expert from Bulgaria, Alexander Sverdlov, will take his floor at PHDays for the third time (his workshops on cyber forensics attracted a full house in 2013 and 2014) and will teach how to build an impregnable digital fortress. The audience will study how to enhance router protection installing alternative operating systems (Qubes OS, BSD Router project, SRG/STIG), to stop exploits, and to analyze application security.

If Hackers Were Chemists

Researchers and cybercriminals repeatedly demonstrate ways to hack SCADA systems that control electricity, transport and critical infrastructure elements such as chemical plants. However, dealing with such facilities, information security specialists often ignore the role of physical processes.

Such processes (e.g. a chemical reaction) can keep on running despite the actions of cybercriminals with full control over an infrastructure or management system. Yet if malicious users learn to exploit physical conditions, they will be able to affect reaction and process flows. The consequences are threatening: it's not that hard to imagine an explosion on a chemical plant provoked by a temperature monitoring sensor driven mad by a hacker in a cistern with a hazardous substance.

Maryna Krotofil, a Doctoral Candidate at Hamburg University of Technology, will put the audience in touch with the main stages of attacks aimed at destroying a specific physical process.

The second wave of Call for Papers is coming soon. Don't waste your chance to speak for 3,000 participants of Positive Hack Days! The exact dates will be announced in the nearest future. Keep track of the news.

To familiarize yourself with issues touched upon at PHDays, follow our post on the last year's best reports.