Day 1 of PHDays 8: staking it all on the Digital Bet
5/16/2018
The first day of Positive Hack Days was full of participants (over 3,800) and events (over 50 talks, plus hands-on labs, roundtables, and nearly a dozen hacking contests). Under the headline topic of the Digital Bet, experts explored how to fool biometric identification systems, discussed whether blockchain security is necessary, and described how office life will change in the digital age—and also demonstrated techniques for hacking mobile networks, IoT devices, industrial control systems, and more.
Here are some of the highlights from the first day of PHDays 8.
Insight from those in the know
The forum was kicked off by Positive Technologies experts, who presented their findings from real-world protection work in 2017. The experts covered the security of corporate systems, industrial equipment, telecom and financial companies, blockchain projects, and vulnerabilities in Cisco ACS and Intel Management Engine.
Corporate systems remain vulnerable to both outside and inside attackers. Almost half of companies encountered at least one advanced persistent threat (APT) in 2017. Despite all the software, hardware, and organizational measures usually in place, Positive Technologies penetration testers (in the role of insiders) were successful at every single company tested in obtaining full control of infrastructure. As pointed out by Boris Simis, Deputy CEO at Positive Technologies, only 5 percent of companies even detected pentesting activity.
Breaching the network perimeter as an outside attacker, such as by using social engineering or Wi-Fi attacks, was accomplished by Positive Technologies testers at 68 percent of clients. In some ways, the security situation deteriorated year-over-year. Obtaining access to LAN resources was "trivial" at 27 percent of companies in 2016, which increased to 56 percent in 2017. Critical vulnerabilities worsened as well: they made up 84 percent of the total in 2017, compared to 47 percent in 2016.
Simis closed by sharing his recipe for protection: "You have to do three simple things: install antivirus protection everywhere, eliminate critical vulnerabilities on the external perimeter at the very least, and realize that you have very likely already been hacked—which is why you need to scour your network for indicators of compromise."
Elmar Nabigaev, Head of Threat Response at Positive Technologies, looked at recent developments in attacks. The company's research shows that attacks are increasingly destructive in nature, with the purpose of damaging digital infrastructure. Attacks are also becoming more sophisticated, as they make greater use of zero-day vulnerabilities and complex malware. Among the key findings: even without zero-day vulnerabilities in hand, hackers weaponize public vulnerabilities extremely quickly, making it essential to install patches the moment they become available.
Experts predict a rise in targeted attacks, especially on the part of hacker groups sponsored by nation-states—world tensions are a contributing factor. Other predictions include increased attack sophistication plus higher numbers of attacks on industry, the IoT, and cloud services (as a method for third-party compromise), plus low-level attacks.
Dmitry Kurbatov, Head of Telecom Security at Positive Technologies, described recent trends in the telecom industry. The last two years have shown minor improvement, but mobile subscribers and their data remain under threat.
Smart contract vulnerabilities and attacks on investors were the focus of Arseny Reutov, Head of Application Security Research at Positive Technologies. Since August 2017, hackers have managed to steal enormous amounts (around $300 million) from cryptocurrency exchanges. Research by Positive Technologies shows that these hackers are using classic techniques long seen in other spheres. Most attacks on cryptocurrency exchanges and ICOs take advantage of poor web application security.
Reutov also noted that in the last year, Positive Technologies has secured many large ICO projects, including Blackmoon, Utrust, and 3DIO.
The reports and other data referenced by Positive Technologies experts during the RE: search session are freely available on the company's website: https://www.ptsecurity.com/ww-en/analytics/
Boris Simis and Maxim Filippov (Positive Technologies), together with the heads of digital security for major companies and government agencies, tried to figure out what the Russian security industry is still missing. Views were shared by Alexander Baranov (Federal Tax Service), Pavel Bryantsev (United Metallurgical Company), Taras Ivashchenko (Mail.Ru), Muslim Medzhlumov (Rostelecom), Evgeny Nikitin (Russian Pension Fund), Viktor Pensky (Unipro), and Roman Popov (Transneft). Audience members learned about the fears that keep CSOs awake at night: disruption of core business processes, loss of client data, and regulatory consequences for non-compliance.
Muslim Medzhlumov noted: "As a major telecom operator, our main job is not to prevent hacks or even to have perfect protection. It's to ensure high uptime and availability of services for our clients. Here's my real nightmare: someone hacks into our core network, gets access to all the routers, deletes the configuration, and leaves the vast majority of Russians without Internet access."
As described by Roman Popov, the real concern for an industrial company is loss of control: "The inability to see what is happening is a nightmare. But the real nightmare is the lack of control over what belongs to me."
Participants also described current threats and how each company gets security teams involved in new projects. According to Evgeny Nikitin, in the electronic age, "every citizen could be an intruder who needs to be reckoned with by information security systems."
Another question raised was the degree to which the actions of Russian regulators are aimed at improving security in practice.
Evgeny Nikitin: "The new requirements in Russia could really mean a change. The documentation requirements mean that companies will no longer be able to evade responsibility by hiding behind paperwork. The main question is how much an incident will cost them. Now everyone will learn to calculate the potential financial cost of incidents."
Roman Popov: "These documents were a pleasant surprise—usually we have to wait for them for years. And the quality of documents is much higher than it was previously. I think that any attention by regulators and the government in the security arena can only help. Even though the earliest drafts of legislation were frankly bad, they got the discussion going."
Alexander Baranov: "I suppose that yes, the strictness of Russian laws is compensated for by their lack of enforcement. But if the legislation is followed even just halfway, that will still be good. And actual security is markedly improving as well."
Boris Simis: "The recent moves of regulators are dragging us forward towards real security. For instance, the Federal Technical and Export Control Service (FSTEK) is making and sharing its own database of vulnerabilities and threats. I agree that we have finally started treating security as a moving target. Security is important in its own right, not as an excuse or as a checkbox. So these developments are encouraging."
***
Living in the digital age, we depend on computers for everything. The convenience of e-government services, remote management of transportation and industrial infrastructure, smart devices, and cryptocurrencies is undeniable. But is everything really so sunny? Several sessions and talks were dedicated to the forum's headline topic.
At the roundtable, Denis Gorchakov, Director of Cybersecurity Projects at Rostelecom, discussed the security of biometrics: how secure they are, what besides fingerprints and retinas can be used, how biometrics can be fooled, and how to combat fraud.
Ivan Berov, Digital Identity Director at Rostelecom, talked about development of biometric systems and their current state. "Biometric technologies are poorly adapted for easy everyday use. They work best in special, controlled circumstances—there are standards as to what such circumstances are, both in Russia and abroad. But on the mass market, we run into problems associated with the external environment, convenience, and speed of use."
During the discussion, Dmitry Dyrmovsky, CEO of Center of Speech Technologies, presented the results of research used to develop the system that won an international spoofing detector competition last year (Automatic Speaker Verification Spoofing and Countermeasures Challenge 2017). He also spoke about types of spoofing attacks, common hacking methods, and signs of data fakery.
"Security of critical infrastructure: practical aspects" offered an in-depth look at implementation of the new Russian law on securing critical IT infrastructure. Discussion was joined by: Dmitry Tsarev, Head of Information Security Operations and Support (Rostelecom); Vladimir Shadrin, Director of Cyberthreat Monitoring and Response (Rostelecom); Roman Kobtsev, Business Development Director (InfoTeCS); Alexander Bondarenko, CEO (R-Vision); Alexey Pavlov, Director of JSOC Presales (Solar Security); Sergey Kuts, Product Promotion Manager (Positive Technologies), and Ruslan Zamaliyev, Security Consultant (ICL System Technologies).
Conversation at the roundtable centered on how to protect critical infrastructure, the definition of critical infrastructure, categorization, issues in compliance with the law's requirements, and best practices.
For example, R-Vision CEO Alexander Bondarenko talked about a prioritized approach to implementing critical infrastructure requirements, as well as where to start. "Taking inventory is absolutely key. From what we've seen, this process is broken at many companies. IT departments might have a faint idea at least, but if there's a separate department for IT security, they won't get any information at all. So that department has two choices: start your own process or improve your relationship with IT. Everything else—dedicating systems, categorizing, reacting to incidents, sending information, localizing incidents—will be simply impossible. If you don't have this, you don't stand a chance."
Information security in the Eastern Europe/CIS region was the focus of attention for Arman Abdrasilov, Director of the Center for Analysis and Investigation of Cyberattacks (CAICA) of Kazakhstan, and government officials from countries in the region. Issues included security processes in CIS countries, regulatory requirements, security products, and security trends and predictions. The session was organized by CAICA with support from National Information Technologies.
This event marked the first time that such figures had gathered at a single conference on information security in Russia. Murat Aigozhiev of the State Technical Service of Kazakhstan expressed his praise. "This is a great opportunity for security specialists from all across the CIS to have a full discussion on the questions that matter. The open, candid conversation on security that we see in Russia is truly noteworthy. This is constructive and very beneficial. I think that both regulators and ourselves could gain from this approach. So the fact that all of us have gathered here at PHDays is a wonderful sign of things to come."
Sergey Gordeychik, DarkMatter Product Director, in "Why EINSTEIN was wrong," gave an overview of the cybersecurity initiatives of various governments: the U.S. Federal Intrusion Detection Network (FIDNET), Russian national system for cyberthreat response, Golden Shield, Great Firewall of China, Chinese cybersecurity legislation, and EU Network and Information Security (NIS) Directive.
The Einstein system is often compared, erroneously, to FIDNET. But FIDNET is the only point of access for U.S. government agencies. A similar project was started in Russia in 1998 and still exists, although nobody uses it. Einstein is also a rather old project, initiated in 2003 as part of national cyberprotection efforts. The system is supposed to ensure online security for all federal agencies outside of the intelligence and defense community (such as the Department of Defense and CIA). A second version of Einstein existed as well, from 2008 to 2013. A special "government Internet" was made with the help of major Internet providers, reducing Internet access points for government agencies from 4,300 to 50. Layer 7 IDS based on the open-source Snort intrusion prevention system, malware detection, and detection of metadata in network traffic were all added. Detective as well as predictive mechanisms, such as sinkholes and analysis of emails and web content, appeared in the next iteration of Einstein. In 2015, 228 IDS sensors were deployed, along with the ability to install commercial utilities such as IDS and sandbox solutions. Effectively, the message was: ensure security by any means necessary, as long as it works. Collecting and sharing indicators of compromise was encouraged as well.
Long-time PHDays participant and Lavina Pulse CEO Andrei Masalovich talked about the role of intellect in modern cyberweapons. He reviewed some of the artificial intelligence constructs used in the context of digital munitions: generative adversarial networks (GAN) for recognizing new types of cyberattacks, methods for deep reinforcement learning (DRL) for agent modeling, and "digital look-alike" methods for evaluating physical and psychological consequences without having to perform test attacks.
Heavy tech from tech heavies
At a much-anticipated talk, "Decompiler internals: microcode," IDA PRO and Hex-Rays developer Ilfak Guilfanov spoke about how he created the Hex-Rays language, its technical characteristics, and issues that arise when decompiling programs.
Hex-Rays, intended to assist analysis of software code, is widely used by reverse engineers, virus analysts, and security professionals worldwide. Entire books have been written about IDA Pro, including by Kris Kaspersky and Chris Eagle.
As Ilfak says, microcode allows avoiding the complexity of processor instructions and CPU-specific peculiarities, such as the FPU value stack and segment registers on x86 or thumb mode (bit 0) addressing on ARM.
Judging by the large number of "Likes" on the PHDays site, "Exploring vulnerabilities in the 4G Diameter interoperator network" by Sergey Mashukov was eagerly awaited as well. He discussed the security of the Diameter protocol used for mobile networks, including results of testing for mobile operators and examples of successful attacks.
Noam Rathaus, co-founder of Beyond Security, which specializes in automated testing and vulnerability management, spoke as well. Noam has authored four books on open-source security and penetration testing. He has discovered over 40 software vulnerabilities and coded approximately one third of Nessus, a program for automatically finding known vulnerabilities.
His talk, titled "Put something on the Internet—and get hacked," was dedicated to the security of the Internet of Things and what to do about it. He described vulnerabilities found by his team in products from well-known vendors and during audits. At one plastic factory, an old vulnerability in the GoAhead web server allowed using an extra slash in a GET request to access the memory of ICS components and thus modify parameters of the production process, such as plastic heating time. The vulnerability was published in 2004. Another case involved Geneko routers, which can be used to connect two offices via radio frequencies. By sending GET requests, an attacker can access any incoming files on the router.
While users are slow to deal with vulnerabilities on IoT devices, manufacturers too are in no rush to release updates. Infrared camera vendor FLIR acknowledges that no patches have been released for the models on which Norm's team found critical vulnerabilities—but demurs by saying that the models are no longer produced. As a result, at least 10,000 such cameras, used by government, industry, militaries, and private companies, can be easily discovered and remotely hacked via the Internet. Rathaus recommends that IoT manufacturers incorporate support for automatic updates into their devices, inform users of the importance of updates, allow users to downgrade to stable versions in case of update problems, and protect firmware from modifications.
Hands-on labs were also in full swing. Visitors learned how to create a network funnel to defend corporate traffic from malware, configure SELinux, build a threat-hunting infrastructure designed to stop sophisticated attacks, and practice their mobile interception skills.
Hacking contests and hard rock
Alongside talks and presentations, the venue was also busy with hacking contests, in particular The Standoff.
In The Standoff, teams of attackers, defenders, and security operations centers do battle in a mock city with an advanced e-economy. The events and infrastructure are maximally realistic. The city offers a massive re-creation of the digital infrastructure found in actual metropolises, including an electrical plant and substation, railroad, smart homes, banks with ATMs and self-service kiosks, mobile phones, Internet, and online services.
On Day 1, one of the attacker teams succeeded in hacking an unprotected office, as reported by the Rostelecom SOC. In addition, attackers found camera vulnerabilities and performed denial of service. Throughout the day, bug bounty vulnerabilities and bank card information were reported to the organizers, for which attackers were rewarded with in-game money. All said, however, things are rather quiet for now. The teams are playing it safe and not attempting massive attacks. But some excitement might be on the way—hackers never sleep, right?
A number of other contests continue as well. During the two days of the forum, all comers can try their hand at finding vulnerabilities in Ethereum smart contracts, stealing cash from an ATM, and hacking IoT devices, smart homes, telecom equipment, and industrial control systems.
On May 16, attendees can look forward to the finales of two contests, MeterH3cker and HackBattle, plus the traditional closing competition, 2drunk2hack, in which participants must successfully attack a web application that is protected by a firewall. The application contains a finite number of vulnerabilities that, if exploited properly, will allow OS Commanding. Every five minutes, the participants whose actions have been flagged the most by the web application firewall will have to drink 50 mL of hard alcohol and keep hacking. The winner is the first one to capture the main flag via OS Commanding on the server.
After a long day of talks and technical wizardry, it was time for a little fun and music at Positive Hard Days. Three bands—EDEN, Jack, and NEU Stereo—rocked away.
Be in the know about everything on Day 2 of PHDays 8: watch the action live and keep on eye on us on social media #phdays.