On June 17 and 18, the second international conference on practical cyber security OFFZONE 2019 was held in Moscow as part of the International Cyber Security Week in Moscow. The organiser — BI.ZONE — partnered up with @mail.ru, Qiwi, Sberbank CS, Swordfish Security and VisionLabs to deliver this high-quality event.

Over the course of two days, 1600 people, among whom were active cybersecurity practitioners, developers, engineers, researchers, teachers and students from more than 20 countries visited the Digital Business Space venue. Over 60 cybersecurity experts from Russia, Europe, Asia and America shared their experiences with the attendees.

The main theme of the conference this year was the vulnerability of hardware. Evgeny Voloshin of BI.ZONE, presented the results of the company’s global review, «Attacks on Embedded Systems», which were addressed to managers and specialist engineers.

Evgeny Voloshin, Director of Expert Services, BI.ZONE: «As the leitmotif of the OFFZONE conference in 2019, we chose attacks on embedded systems. Vulnerabilities in hardware are not given due attention, unlike the due diligence afforded to software, but modern hardware has the same problems as software: Trojans, backdoors, etc. At the conference, not only did we offer practical information on attacks and measures to fend them off, but also actively raised questions of the need for a proactive approach to the security of joint-stock companies both at the level of individual companies and the industry as a whole.»

Yuri Kupashev, Lead Specialist, BI.ZONE: «The peculiarity of hardware vulnerabilities is that they arise not only because of development errors, but also because of physical side effects or failures when working in stressful conditions. In other words, if the device had not been introduced to protective mechanisms at the stage of creation, it will by default be vulnerable to hardware attacks. For whole classes of such attacks, there is enough equipment that is freely available to buy and is comparable in price to a smartphone. Hacking a secure device, however, will not work without a specialised laboratory and equipment worth hundreds of thousands of dollars. Unfortunately, protected devices today are a minority.»

The educational marathon of the first day began with a speech from the Head of Offensive Hardware and Firmware Research for NVIDIA’s main product lines, Alexander Matrosov, on the topic «The evolution of complex threats: an arms race between the analyst and the attacker». In his report, Alexander explored how the approaches to reverse analysis and forensics have changed recently, talked about the «black spots» in protection systems, focusing on what needs to be improved in order to continue the race towards evolving more effective protection.

The key speaker of the second day was Rodrigo Branco, Chief Security Researcher at Intel, who has more than 10 years of experience in the field of cybersecurity. Branko talked about «the machine from the inside» — how ethical hacking determines the methods of our calculations. In his speech, Rodrigo gave his own expertise on the most effective attack prevention schemes, explained what an exploit is, and also shared information on how large corporations ensure their own security by focusing on the most vulnerable points.

Finance.Zone, which covered topical issues of payment card security, vulnerabilities of POS terminals, fraud and antifraud, was opened on the second day of the conference. The lineup for Finance.Zone consisted of specialists from BI.ZONE, Kasperskiy Lab, QIWI Cybertonica and Positive Technologies presenting their reports on security in financial services.

Boris Ivanov, Computer Incident Investigation Specialist, BI.ZONE: «In Russia, 86% of users of digital banking services prefer to access the Internet from smartphones. And the vast majority of smartphones are based on Android OS: for example, in the third quarter of 2018, their share in the total number of released devices was 87%. Because of this, the majority of mobile phone malware is targeted at Android devices. According to our statistics, each class of such programs infects an average of 7400 devices every week. After infecting a smartphone, fraudsters get full access to the device, including Internet banking and account management.»

Aside from the educational part, the OFFZONE 2019 conference offered a lot of interactive entertainment — the conference goers spent time looking for vulnerabilities in smart devices, upgraded their badges in the soldering zone, competed in eSports tournaments and got real tattoos in post-apocalyptic style. Each successfully completed tasks on the badge was awarded conference currency — OFFCOINS — which then could be exchanged for T-shirts, posters and other souvenirs with OFFZONE branding.

About the conference
OFFZONE is the annual international conference on practical cybersecurity, which has been held in Moscow since 2018. The main mission of the conference is truly high-quality technical content and practical research in the field of cybersecurity. More information can be found on the official conference site OFFZONE.MOSCOW.