Information security

Section curator: Roman Ananev

Hacking methods are constantly being improved, so you need to keep up with new technologies and get as much information as possible about the types and methods of hacker attacks. For this purpose I've gathered the best experts in the Information Security section. Their reports will be interesting for everyone, from an ordinary user to an IT specialist, because information security concerns everyone. We will learn how hackers work, how to protect your sensitive data, and why a little paranoia about data security isn't a bad thing. To top it off, this section will feature a lecture so important and valuable that its contents are kept secret. It's going to be very interesting. See you at Stachka!

I'm Roman Ananyev. I specialize in information security, which means that I am responsible for protecting important company data and for analyzing and finding possible security breaches before they can be used by intruders.

You can contact me here: ¯ \_(ツ)_/ ¯

David Busby
Information Security Architect @ Percona

In this talk we will cover what is an attack surface and what you can do to limit it.

  • Acronym hell: what do all these acronyms associated with security products mean?
  • Vulnerability media naming: stupidity, or driving the message home?
  • Detection or prevention: avoiding the boy who cried wolf.
  • Emerging technologies to keep an eye on, or even implement yourself, to help improve your security posture.
  • 2014 -> 2017: what's been going on, and why have there been so many compromises?

  • Notes on the specifics of practical implementation of some network attacks.

Wire Snark
co-founder @ DEF CON Nizhny Novgorod
Nizhny Novgorod

Let us talk about how source code security analysis for Android applications should be conducted. We are going to identify the most common mistakes (the OWASP Mobile Top 10) and review Android-specific examples.

The report discusses the methodology and major steps in source code security analysis for Android applications. It explains what a threat model is and how it can be built in practice. Security issues in application architecture analysis will also be addressed. The report will cover hands-on experience of using static source code analyzers to find defects that affect application security. The most frequent mistakes according to the OWASP Mobile Top 10 will be reviewed with examples from experience.
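As an illustration of the kind of Android-specific defect a static analyzer flags, here is an added example written for this page (not a tool from the talk, and not the speaker's code): a manifest check for components exported to other apps without an `android:permission`, plus two application-level flags (`debuggable`, `allowBackup`). The sample manifest and its package name `com.example.bank` are constructed for the example.

```python
"""Static check of an AndroidManifest.xml for exported-component mistakes.

Constructed example for this page, using only the standard library. It reports
components that other apps can reach without holding a permission, and two
application-level settings that commonly ship to production by accident.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENT_TAGS = ("activity", "service", "receiver", "provider")

# Constructed sample manifest (not from any real app): debuggable, backup left
# on, a service explicitly exported with no permission, a receiver implicitly
# exported by its intent-filter, and a content provider that is guarded correctly.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.bank">
  <application android:debuggable="true" android:allowBackup="true">
    <activity android:name=".MainActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".SettingsActivity" android:exported="false"/>
    <service android:name=".SyncService" android:exported="true"/>
    <receiver android:name=".PushReceiver">
      <intent-filter>
        <action android:name="com.example.bank.PUSH"/>
      </intent-filter>
    </receiver>
    <provider android:name=".AccountProvider"
        android:authorities="com.example.bank.accounts"
        android:exported="true"
        android:permission="com.example.bank.READ_ACCOUNTS"/>
  </application>
</manifest>
"""


def attr(elem, name):
    """Read an attribute from the android: namespace (None if absent)."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def is_launcher(comp):
    """True if the component carries the MAIN/LAUNCHER filter and so must be exported."""
    for f in comp.findall("intent-filter"):
        actions = {attr(a, "name") for a in f.findall("action")}
        cats = {attr(c, "name") for c in f.findall("category")}
        if "android.intent.action.MAIN" in actions and "android.intent.category.LAUNCHER" in cats:
            return True
    return False


def check_manifest(xml_text):
    """Return a list of (where, issue) findings for the manifest text."""
    findings = []
    app = ET.fromstring(xml_text).find("application")
    if app is None:
        return findings

    if attr(app, "debuggable") == "true":
        findings.append(("<application>", 'android:debuggable="true" left in the manifest'))
    if attr(app, "allowBackup") != "false":
        findings.append(("<application>", 'android:allowBackup not set to "false" (adb backup can dump app data)'))

    for comp in app:
        if comp.tag not in COMPONENT_TAGS:
            continue
        name = attr(comp, "name")
        exported = attr(comp, "exported")
        has_filter = comp.find("intent-filter") is not None
        # Android treats a component as exported when exported="true", or when the
        # attribute is omitted and an intent-filter is present (the pre-Android 12
        # default; Android 12+ refuses to install such a manifest).
        effectively_exported = exported == "true" or (exported is None and has_filter)
        if not effectively_exported:
            continue
        if comp.tag == "activity" and is_launcher(comp):
            continue  # the launcher activity has to be exported; nothing to report
        if attr(comp, "permission") is None:
            how = "explicitly" if exported == "true" else "implicitly (intent-filter, no android:exported)"
            findings.append((name, "%s exported %s without android:permission" % (comp.tag, how)))
    return findings


if __name__ == "__main__":
    for where, issue in check_manifest(SAMPLE_MANIFEST):
        print("%-20s %s" % (where, issue))
```

Findings from a check like this are triage input, not verdicts: an exported receiver may be intentional, but then the handler code must validate the sender and the intent extras, which is exactly where the source-level review described in the abstract starts.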

  • TL;DR
    • Everyone has known all about you for a long time,
    • And what you are doing,
    • And your browser history :)
  • I'll tell you about OSINT and how to "find someone by IP"
    • And there will be practice too, yeah :)
  • And who else stores and sells your data, where, and for how much $$$
  • "XSS? Phishing? Wut? And why are we to blame?" (c) Everyone
  • Well, yes, what to do about it and how to live with this knowledge :)

Arthur Gainullin
CEO @ Cryptogramm
  • A short overview of mobile networks
  • What SS7 is and why it is not secure
  • Some practice: an attack scheme via SS7 and some cases with examples
  • What ordinary people and companies can do about all this:
    • SIM applets
    • End-to-end encryption
    • Other secure methods of two-factor authentication
  • Some advice for the paranoid :)
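One of the "other secure methods of two-factor authentication" that does not depend on the SMS channel an SS7 attacker can reroute is a code generated on the device itself. The following is an added example written for this page, not the speaker's material, and it assumes the talk has app-based one-time codes in mind: HOTP/TOTP as specified in RFC 4226 and RFC 6238, together with the server-side checks a practitioner wants (drift window, constant-time comparison, replay rejection). The key and time values are the RFC test vectors; the account and issuer names are made up.

```python
"""HOTP/TOTP (RFC 4226 / RFC 6238) with server-side verification.

Added example for this page. The shared secret is exchanged once at enrolment
(typically as a QR code carrying the otpauth:// URI built below); after that,
codes are derived locally on both sides and never cross the mobile network.
"""
import base64
import hashlib
import hmac
import struct
import urllib.parse

# RFC 4226 / RFC 6238 test-vector secret (ASCII "12345678901234567890").
RFC_SECRET = b"12345678901234567890"


def hotp(secret, counter, digits=6, algo=hashlib.sha1):
    """RFC 4226: HMAC over the 8-byte big-endian counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, at, step=30, digits=6, algo=hashlib.sha1):
    """RFC 6238: HOTP with the counter replaced by the Unix time divided by the step."""
    return hotp(secret, at // step, digits, algo)


def verify_totp(secret, code, at, last_accepted=-1, window=1, step=30, digits=6):
    """Return the time-step the code matched, or None.

    Accepts +/- `window` steps of clock drift, compares in constant time, and
    refuses any step at or below `last_accepted`, so a code captured in transit
    cannot be replayed during its validity period. The caller persists the
    returned step as the new `last_accepted` for that user.
    """
    current = at // step
    for counter in range(current - window, current + window + 1):
        if counter <= last_accepted:
            continue
        if hmac.compare_digest(hotp(secret, counter, digits), code):
            return counter
    return None


def provisioning_uri(secret, account, issuer, digits=6, step=30):
    """otpauth:// URI of the form authenticator apps import from a QR code."""
    b32 = base64.b32encode(secret).decode("ascii").rstrip("=")
    label = urllib.parse.quote("%s:%s" % (issuer, account))
    return "otpauth://totp/%s?secret=%s&issuer=%s&digits=%d&period=%d" % (
        label, b32, urllib.parse.quote(issuer), digits, step)


if __name__ == "__main__":
    # Hypothetical enrolment for a made-up account; "Example" is not a real issuer.
    print(provisioning_uri(RFC_SECRET, "alice@example.com", "Example"))
    # RFC 6238 vector: at T=59 the 8-digit SHA-1 TOTP is 94287082.
    code = totp(RFC_SECRET, 59, digits=8)
    print("code at T=59:", code)
    step = verify_totp(RFC_SECRET, code, at=89, digits=8)
    print("accepted at step:", step)
    print("replay accepted:", verify_totp(RFC_SECRET, code, at=89, last_accepted=step, digits=8))
```

The replay check matters because a TOTP code is valid for the whole step plus the drift window; without remembering the last accepted step, a code phished or shoulder-surfed seconds earlier is still good. Note also that this defends against SMS interception only if the enrolment secret itself is never sent by SMS and account recovery does not fall back to SMS.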

Valery Boronin
Head of the R&D Center @ Positive Technologies

How to help developers incorporate security into DevOps processes, including continuous integration and continuous deployment. What security practices are needed, which of them will improve the quality of the work, and why. Key points for success, and the risks associated with extending secure development practices (SDL) into the operations phase.

Alexey Kiselev
Project Manager of Kaspersky DDoS Prevention @ Kaspersky Lab

  • What is a DDoS attack?
  • Trends of modern attacks.
  • Why they attack and how it happens.
  • Impact of DDoS attacks.
  • Ways to protect against DDoS attacks.

Maksim Beloenko
Chief Business Development Officer @ Qrator Labs
  • IoT, and what Mirai is
  • How to take down Twitter and PayPal and disconnect half of the U.S. from the Internet
  • And how to defend against DDoS: what exactly should be done

Grigory Zemskov
CEO @ Revisium

The report gives advice on how to keep your site secure in today's hostile internet environment.

Myths and misconceptions about site security, case studies, and practical recommendations for web specialists and site owners.

Stage 1. Denial
Busting the myth that only particular sites get hacked, and only for a specific purpose. Hacks of various CMSs, including commercial ones.

Stage 2. Anger
Why sites get hacked, spying on hacked sites, and why hackers ultimately go unpunished.

Stage 3. Bargaining
How hackers extort money from online shops, how they attack, and what to do about it.

Stage 4. Depression
Why it is difficult for professionals to audit hacked sites and how to respond to security incidents.

Stage 5. Acceptance
Organizational measures and technical means available to any site owner to ensure the security of a web resource.

Vasiliy Kuznetsov
Executive Partner @ International Blockchain Consult

I will talk about the ways blockchain will affect our everyday lives.
What will change in our usual home-work-home routine? How many lives will be saved by implementing this technology in the medical sector? Why will theft lose its point? The report will deal with these and many other questions.