At ZeroNights 2019, we’ll learn about cryptography issues, a new approach to fighting DOM XSS, and the security of Electron. See the list of newly approved talks!
Ilya Shaposhnikov (@drakylar) — “Oldschool way of hacking MicroDigital IP-cameras”
Ilya Shaposhnikov is a security expert at Rostelecom RedTeam. In his free time, Ilya does IoT security research, develops the IoTSecSFuzz framework and plays CTF with Invuls (as captain) and with the BMSTU team SFT0.
One camera, one research project, and more than 10 dangerous CVEs. Ilya’s presentation walks step by step through the process of finding security vulnerabilities in MicroDigital IP cameras: from hardware hacking and dumping firmware to finding more than 10 vulnerabilities (DoS, CSRF, SQL injection, SSRF, auth bypass, RCE, BoF).
Jakub Vrana, Krzysztof Kotowicz — “Trusted Types & the end of DOM XSS”
Jakub Vrana is a software engineer who works on security refactorings at Google. Jakub designs a provably safe API, converts all existing Google code to it and then bans the old unsafe pattern. Jakub works on enabling Trusted Types in Google products by finding and fixing blockers in them and their dependencies.
Krzysztof Kotowicz is a web security researcher specialising in the discovery and exploitation of client-side vulnerabilities, and a software engineer in the Information Security Engineering team at Google. Krzysztof is a speaker at various security conferences, a member of the Google Vulnerability Reward Program panel, author of various web security attack techniques & security tools. Previously an avid fan of XSS, now he just wants to get rid of that security bug — once and for all.
Trusted Types is a new approach to fighting DOM XSS: strings used in sensitive contexts are replaced with new types that an application can construct in a controlled way. In this talk, you will hear how Google is changing its codebase to be able to adopt Trusted Types.
Juho Nurminen — “app.setAsDefaultRCEClient: Electron, scheme handlers and stealthy security patches”
Juho Nurminen has nearly a decade of experience in application security starting from his first submissions to the Google VRP as a high school kid. He’s seen the software industry from both the developer’s and pentester’s perspectives, and over the years he’s been credited for several CVEs in Chrome, Firefox, Safari as well as a few more unconventional browsers.
In this talk, Juho will present techniques used to gain Remote Code Execution through URI scheme handlers in six popular Electron apps, even though they had been patched against CVE-2018-1000006. Additionally, he will reveal two mitigations that Electron has since implemented in almost complete silence.
Yongtao Wang — “From JDBC URI to a New Remote Code Execution Attack Surface”
Yongtao Wang (@by_Sanr) is a Red Team leader at BCM Social Corp. He has extensive experience in wireless security and penetration testing, and his research interests include Active Directory threat hunting. He has presented his research at the China Internet Security Conference (ISC), Black Hat, Codeblue, POC, CanSecWest, HackInTheBox, etc.
In this presentation, Yongtao Wang will introduce a new attack technique called “JDBC URI Attack”. The presentation will also focus on exploiting MySQL, Oracle, PostgreSQL and so on. In addition, Yongtao Wang will discuss the security issues in the official JDBC standard, which will have a new impact on Java deserialization.
Andrey Belenko — “(Why) We Still Fail at Cryptography in 2019”
Andrey has been working in the area of digital security and forensics for over 15 years. His background is in cryptography, iOS forensics and mobile application security, and high-performance password recovery. Andrey has presented at various industry events such as Black Hat, Troopers, X Con, Positive Hack Days, as well as many smaller local events. Andrey works as a principal security engineer at Microsoft where he helps with securing Microsoft 365 products and offerings.
Cryptography is an inherent part of computer security and it has been this way for decades. It underpins things like TLS (Transport Layer Security), disk and file encryption, password-based and passwordless authentication and much more. One may think that by now the industry has figured out a way to implement cryptography properly, but companies regularly fail at doing cryptography right. In this talk, Andrey will take a look at the most notable cryptographic failures of recent years, will try to understand what typically goes wrong, and will discuss what can be done to prevent similar problems from occurring.