Talks at PHDays 8: hacking the IoT, bypassing Windows Hello, and preparing for post-quantum cryptography

3/15/2018

Proposals for talks at Positive Hack Days are still streaming in! Based on popular demand, we have extended the Call for Papers until March 31. This means a few additional weeks to submit proposals, so we hope to see even more people taking advantage of this special opportunity!

Recently we announced one of the key speakers at PHDays 8: IDA Pro and Hex-Rays developer Ilfak Guilfanov. Today we will be offering a sneak peek at some of the talks that will be happening at PHDays. This year's participants can look forward to learning how to bypass facial recognition, why smart cars are dangerous, and how hackers puncture the security of the Internet of Things.

Keeping security relevant

Businesses have experienced enormous losses in the last few years due to criminal groups and hacktivists. The landscape of security threats continues to shift, making it more important than ever to model security threats in a way that understands the risks for business and hackers' capabilities.

As always, the success or failure of security measures relies on more than just policies or technologies: employee knowledge remains critical. The security solutions in many sectors are woefully out of date, and the skills of security staff have stagnated as well. Businesses need security to step up its game. Is it possible to churn out enough security professionals to meet these needs? How does one translate security requirements into language that top management can appreciate? These and other questions will be discussed by Eddie Schwartz, Executive Vice President of DarkMatter. Currently Schwartz is a member of the International Board of Directors of ISACA and Global Chairman of the ISACA's Cybersecurity Working Group. Prior to DarkMatter, he worked as Global Leader for Cyber Security Solutions at Verizon, Chief Security Officer at RSA, and co-founder and Chief Security Officer of NetWitness.

Hacking authentication systems

PHDays will again play host to Argentinian security expert and Cinta Infinita CEO Nahuel Grisolía. A specialist in web application penetration testing and hardware hacking, Grisolía has found vulnerabilities in software from McAfee, VMware, ManageEngine, Oracle, Websense, Google, and Twitter, as well as in free software: Achievo, Cacti, OSSIM, Dolibarr, and osTicket.

At PHDays V, Grisolía held a workshop on RFID. This year, he will speak about the Auth0 identity management platform, which secures over 2,000 clients and handles 42 million logins every day. His talk will touch on the security of JSON web tokens, authentication and authorization, cryptography, and methods for intercepting and manipulating HTTP traffic. He will even detail an authentication bypass vulnerability that places all Auth0-enabled applications at risk.

Fooling Windows Hello like one, two, three

Windows Hello is a biometric system from Microsoft that includes iris and fingerprint scanning, as well as facial recognition. This system is used for password-free login in Windows, websites, and applications.

Matthias Deeg, Head of R&D at German penetration testing company SySS, will share his research into Windows Hello and demonstrate how different versions of Windows Hello can be bypassed in surprisingly simple ways.

Unsafe at some speeds?

Smart cars are much more than four wheels and an engine—they are also computers crammed with advanced navigation and entertainment programs. This means that smart cars are open to all the security vulnerabilities traditionally associated with the IT world.

Representatives from Ixia—Stefan Tanase, Principal Security Researcher, and Gabriel Cirlig, Senior Software Engineer—have probed a smart car's information and entertainment system, which is walled off from the network infrastructure used for the car itself. They uncovered a large amount of data stored in the clear. The authors will demonstrate an attack in which a car can be used as a weapon, as well as how an attacker can track the car's movements and hack network access points with the help of the on-board computer.

Hacking the IoT

Noam Rathaus, co-founder and CTO of Beyond Security, will also speak at PHDays. Rathaus has authored four books about open-source security tools and penetration testing. He is the discoverer of more than 40 software vulnerabilities and responsible for creating around a third of the code of Nessus, a program for automatically finding known vulnerabilities in computer systems.

His talk "Put something on the Internet—and get hacked" describes the security situation with the Internet of Things (IoT). Rathaus will discuss different vulnerabilities that his team has discovered in products from well-known vendors, plus measures that can be taken to strengthen IoT security.

The topic of IoT security will be continued by Andrey Biryukov, Lead Information Security Engineer at AMT Group. His Fast Track presentation is entitled "Cloud with gaps: How IoT gets hacked." Use of cloud technologies (some of them open-source) for managing IoT devices, as well as possible incidents, will be analyzed. A video will demonstrate exploitation of the most interesting vulnerabilities, while Biryukov will give his recommendations for closing vulnerabilities and improving overall security.

Staying safe in the quantum age

In February 2016, NIST published a report on post-quantum cryptography. The report includes a list of the algorithms believed to be vulnerable to quantum computers—and almost all of today's cryptographic algorithms are on the list.

Sergey Krendelev, Head of the Modern Computer Technologies Laboratory at Novosibirsk State University (Russia), will shed light on the "quantum threat" as well as the algorithms and protocols needed for cryptography in a post-quantum age.

Different algorithms will be presented for digital signatures, hash functions, and key exchange. Likely difficulties in deployment of post-quantum cryptography and public-key infrastructure will be considered.

Like Nahuel Grisolía, Krendelev also spoke at PHDays V. His talk, "Soviet Supercomputer K-340A and Security of Cloud Computing," dealt with non-standard data encryption algorithms.

Bug bounty benefits

Website owners run serious reputational and financial risks due to vulnerabilities. Igor Bulatenko, CISO of QIWI and co-founder of Vulners.com, will delve into the shortcomings of current methods for combating vulnerabilities and the advantages of bug bounty programs. Bug bounties can be more affordable than pentesting and large security teams, and better for corporate financial stability and reputation—but are they for everyone? Bulatenko will also share his experience at QIWI, including starting a bug bounty program.

A full list of talks will be published in April on the PHDays site. For more about topics and submission guidelines, see the Call for Papers.