New Reports at PHDays III: From ICS Security to the Analysis of Java 0-day Exploits

5/14/2013

How do you build your own Stuxnet? Are security systems themselves secure? How easy is it to track people, and why is physical security the foundation of every other kind of security? Today we would like to bring to your attention some of the more than 30 talks in the main technical program of Positive Hack Days III.

If You Can Write a Webserver, You Can Write a Thumb Drive

Travis Goodspeed will speak on using the open source Facedancer framework to write emulators in userland Python for Mass Storage, Human Interface, FTDI, and Device Firmware Update protocols. The sockets work a bit differently, and the protocols aren't ASCII, but the principles and the libraries are no more difficult than HTTP. Practical examples of this technique include a tool for catching firmware updates by impersonating the DFU protocol and a prototype of a hard disk that actively defends itself against forensics tools and imaging.

Faster Secure Software Development with Continuous Deployment

Continuous Deployment allows developers to avoid the long release cycles that disenfranchise them from caring about, or even knowing about, security issues. When done well, it can be transformative to your software lifecycle and turn your security group from a reactive organization into an "in-house security consultancy" that developers come to with questions and for assistance. Nick Galbreath, Vice President of Engineering at IPONWEB, will speak on how to get started with continuous deployment and on the tools and process needed to make it a security success.

Attack Prelude: OSINT Practice and Automation

Collecting and analyzing public information about the target, also known as Open Source Intelligence (OSINT), is a mandatory stage of a modern pentest. The value of such analysis is hard to overestimate; nevertheless, some testers skip this stage and start vulnerability scanning right away. That is a mistake: information collected about the systems and personnel in scope usually plays a crucial role in a security audit and is essential to the success of any audit that uses social engineering techniques.

The speaker is Vladimir Styran, lead consultant at BMS Consulting and head of its information security testing section.

Abusing Browser User Interfaces for Fun and Profit

Nowadays any modern browser is able to identify a potentially dangerous or sensitive action requested by a web page (downloading a file, installing a plugin, granting privileges to a website) and to display a dialog box or a notification bar that requires explicit confirmation from the user. Even though these improvements have raised the level of assurance, the notification mechanisms are far from 100% safe. Rosario Valotta, an IT security professional with over 12 years' experience, will show how the notification bars of major browsers (Chrome 24, IE9, IE10) can be abused with little (or even no) social engineering, leading to compromise of the user's security and even to trivial code execution on the victim's machine.

Who's Looking at You, Kid?

A cell phone or an RFID badge can be tracked. Jeff Katz and aestetix, members of the OpenBeacon project, will explore their latest findings and a real-time location-aware tracking system. The speakers will show demos of the visualizations they have created, explain the technology behind their infrastructure, and show how easily an innocent gadget can be turned into a powerful tool.

Honeypot that Can Bite: Reverse Penetration

The talk will consider the concept of an aggressive honeypot, whose central idea is that defense can be aggressive, and the ways in which this may work. The speaker will touch upon topics such as de-anonymizing attackers, filtering out bots and detecting human-driven attacks, determining the attacker's technical skill level, and gaining control over the attacker. Alexey Sintsov, a Senior Security Engineer at Nokia, will demonstrate a real experiment, real samples of attacks, and the results of putting this idea into practice. The speaker will also discuss some further questions, such as whether one may exploit vulnerabilities in third-party services or only client-side vulnerabilities.

Five Nightmares for a Telecom

Five Nightmares for a Telecom is five stories about how to intrude into an operator's network and attack its packet services, how to gain control of the infrastructure, and how to make money from VoIP and self-service portals. Some of the attacks already have precedents; others are, for now, only fantasies that we hope will not become reality. The speaker is Dmitry Kurbatov, an information security specialist at Positive Technologies.

Lie to Me: Bypassing Modern Web Application Firewalls

Vladimir Vorontsov, founder, head and leading expert of the company ONsec, will present an analysis of modern Web Application Firewalls. The author compares attack detection algorithms and discusses their advantages and disadvantages. The talk includes examples of bypassing protection mechanisms. The author argues for a universal method of masking vectors of various attacks that works against WAFs built on different detection algorithms.
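To make the comparison of detection approaches concrete, here is an added example (not from the talk and not ONsec's code) that pits two constructed signatures against the same attack in several disguises, once on the raw request and once after canonicalization. The payloads, signatures and normalization steps are all constructed for illustration; the aim is to show why a signature-only WAF is trivially masked and why normalization only helps when it mirrors what the backend actually does.

```python
import re
from urllib.parse import unquote

# Two signatures of the kind a naive regex WAF ships (constructed for this example).
SIGNATURES = {
    "sqli_union": re.compile(r"\bunion\s+select\b", re.I),
    "xss_script": re.compile(r"<script\b", re.I),
}


def naive_waf(raw: str):
    """Match the signatures against the request exactly as received."""
    return sorted(name for name, sig in SIGNATURES.items() if sig.search(raw))


def normalize(raw: str, max_decode: int = 3) -> str:
    """Canonicalise the input the way the backend eventually will.

    Each step closes one masking trick; each step is also a place where the
    WAF's view and the backend's view can diverge, which is exactly what
    impedance-mismatch bypasses exploit.
    """
    s = raw
    for _ in range(max_decode):                     # %2520 -> %20 -> ' ' (double encoding)
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    s = re.sub(r"/\*.*?\*/", " ", s, flags=re.S)    # SQL inline comments used as separators
    s = re.sub(r"[\s\x00]+", " ", s)                # tab, newline, NUL -> single space
    return s.lower()


def normalizing_waf(raw: str):
    return naive_waf(normalize(raw))


# Constructed payloads: the same UNION SELECT / <script> attack in several disguises.
PAYLOADS = [
    "1 UNION SELECT password FROM users",
    "1%20UNION%20SELECT%20password%20FROM%20users",   # URL-encoded whitespace
    "1 UNION/**/SELECT password FROM users",            # comment instead of a space
    "1%2520UNION%2520SELECT%2520password",              # double URL-encoding
    "1%0aUNION%09SELECT%0dpassword",                    # newline / tab separators
    "%3Cscript%3Ealert(1)%3C/script%3E",                # encoded angle brackets
    "1 UNION ALL SELECT password FROM users",           # outside the signature's grammar
]


def evaluate(payloads=PAYLOADS):
    """For each payload, what the naive and the normalizing WAF would flag."""
    return [(p, naive_waf(p), normalizing_waf(p)) for p in payloads]


if __name__ == "__main__":
    for p, naive, norm in evaluate():
        print(f"naive={bool(naive)!s:<5} normalized={bool(norm)!s:<5} {p}")
```

Two results deserve a look. The double-encoded payload is caught only because the normalizer decodes up to three times; if the backend decodes once, that is a false positive, and if the WAF decoded once while the backend decoded twice, it would be a bypass. And the last payload is missed by both filters: no amount of normalization repairs a signature whose grammar does not cover `UNION ALL SELECT`, which is the point about detection algorithms having different blind spots.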

Java Everyday. System Analysis of Java 0-day Exploits

The report will cover the results of a systematic analysis of all zero-day vulnerabilities found in Java in 2012 and 2013 (CVE-2013-1493, CVE-2013-0431, CVE-2013-0422, CVE-2012-5076, CVE-2012-4681, CVE-2012-1723, CVE-2012-1507). The aim of the research was to detect regularities pointing to a common source or a common method of hunting for the vulnerabilities. The speaker is Boris Ryutin; the co-author is Alisa Shevchenko.

SCADA Strangelove: How to Build Your Own Stuxnet

While others look for the missing links in the evolution of cyberweapons, Positive Technologies experts want a glimpse of a future in which creating a full-fledged SCADA worm requires only an up-to-date Metasploit and a little skill in VBScript.

Based on research into the security of the Siemens SIMATIC family (TIA Portal / WinCC / S7 PLC), the talk will cover vulnerabilities that can be used to break into an ICS. The speakers will also demonstrate how such a worm propagates and what damage it does to the system, from the network level (S7/Profinet) through the web control interfaces to the WinCC project files. New vulnerabilities in the Siemens SIMATIC family will be presented, along with tools that can be used to analyze the security of ICSs and to find new vulnerabilities in them.
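From the defender's side, the network-level stage of such a worm is visible: it must issue S7 jobs that stop, reprogram or write to a PLC, which an HMI polling loop never does. The following is an added example, not code from the talk or from Positive Technologies: a minimal TPKT/COTP/S7comm parser and a detector that flags state-changing S7 functions from hosts other than the engineering station. The header layout and function-code names follow the S7comm protocol as dissected by Wireshark; the IP addresses, the allowlist and the packet parameter bytes are constructed for the example and are not captures.

```python
import struct

S7_PROTO_ID = 0x32
ROSCTR_JOB = 0x01

# Function codes of the S7comm Job parameter block (names as in Wireshark's s7comm dissector).
S7_FUNCTIONS = {
    0xF0: "Setup communication", 0x04: "Read Var", 0x05: "Write Var",
    0x1A: "Request download", 0x1B: "Download block", 0x1C: "Download ended",
    0x1D: "Start upload", 0x1E: "Upload", 0x1F: "End upload",
    0x28: "PLC Control", 0x29: "PLC Stop",
}
# Functions that change PLC state or code: what a worm must use, and what an HMI polling
# loop never uses. Reads and uploads (PLC -> programming device) are left out on purpose.
STATE_CHANGING = {0x05, 0x1A, 0x1B, 0x1C, 0x28, 0x29}

# Assumed: the only host allowed to stop, reprogram or write to PLCs is the engineering station.
ENGINEERING_HOSTS = {"10.0.0.10"}


def parse_s7(payload: bytes):
    """Strip TPKT and COTP; return (rosctr, function_code) for an S7 PDU, else None."""
    # TPKT (RFC 1006): version 3, reserved, big-endian total length
    if len(payload) < 7 or payload[0] != 0x03:
        return None
    if struct.unpack(">H", payload[2:4])[0] != len(payload):
        return None
    # COTP: length indicator, PDU type; 0xF0 is DT (data). CR/CC handshakes carry no S7.
    cotp_li, cotp_type = payload[4], payload[5]
    if cotp_type != 0xF0:
        return None
    s7 = payload[5 + cotp_li:]
    if len(s7) < 10 or s7[0] != S7_PROTO_ID:
        return None
    rosctr, _redundancy, _pdu_ref, param_len, _data_len = struct.unpack(">BHHHH", s7[1:10])
    header_len = 12 if rosctr in (0x02, 0x03) else 10   # Ack/Ack-Data add error class + code
    if rosctr == ROSCTR_JOB and param_len >= 1 and len(s7) > header_len:
        return rosctr, s7[header_len]                    # first parameter byte = function code
    return rosctr, None


def detect(flows):
    """flows: iterable of (src_ip, dst_ip, tcp_payload) from TCP/102.
    Returns alerts for state-changing S7 jobs sent by non-engineering hosts."""
    alerts = []
    for src, dst, payload in flows:
        parsed = parse_s7(payload)
        if parsed is None:
            continue
        _rosctr, function = parsed
        if function in STATE_CHANGING and src not in ENGINEERING_HOSTS:
            alerts.append((src, dst, S7_FUNCTIONS.get(function, f"0x{function:02x}")))
    return alerts


def s7_job(function: int, params: bytes = b"", data: bytes = b"", pdu_ref: int = 1) -> bytes:
    """Build a TPKT/COTP/S7 Job PDU. Used here only to construct sample traffic."""
    param_block = bytes([function]) + params
    s7 = struct.pack(">BBHHHH", S7_PROTO_ID, ROSCTR_JOB, 0, pdu_ref,
                     len(param_block), len(data)) + param_block + data
    body = b"\x02\xf0\x80" + s7                          # COTP DT: LI=2, type DT, TPDU 0 + EOT
    return struct.pack(">BBH", 0x03, 0x00, 4 + len(body)) + body


# Constructed sample flows: PLCs at 10.0.0.50/.51, HMI at .20, engineering station at .10,
# an unexpected host at .77. Parameter bytes are illustrative, not captured.
SAMPLE_FLOWS = [
    ("10.0.0.10", "10.0.0.50", s7_job(0xF0, b"\x00\x00\x01\x00\x01\x01\xe0")),          # session setup
    ("10.0.0.20", "10.0.0.50", s7_job(0x04, b"\x01\x12\x0a\x10\x02\x00\x01\x00\x00\x82\x00\x00\x00")),  # HMI read
    ("10.0.0.10", "10.0.0.50", s7_job(0x29, b"\x00" * 5 + b"\x09P_PROGRAM")),            # stop, allowed host
    ("10.0.0.77", "10.0.0.50", s7_job(0x29, b"\x00" * 5 + b"\x09P_PROGRAM")),            # stop, unknown host
    ("10.0.0.77", "10.0.0.51", s7_job(0x1B, b"\x00")),                                     # block download
    ("10.0.0.77", "10.0.0.51", b"GET / HTTP/1.0\r\n\r\n"),                                 # not S7 at all
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_FLOWS):
        print("ALERT", *alert)
```

The allowlist is the weak point of this rule: a worm that first compromises the engineering station (which is where the TIA Portal and WinCC project files live) sends its jobs from a permitted address, so the rule should be paired with monitoring of that host itself and with alerting on PLC Stop and downloads outside maintenance windows regardless of source.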

Lockpicking & Physical Security

Physical security is an oft-overlooked component of data and system security in the technology world. While frequently forgotten, it is no less critical than timely patches, appropriate password policies, and proper user permissions. You can have the most hardened servers and network, but that doesn't make the slightest difference if someone can gain direct access to a keyboard or, worse yet, march your hardware right out the door. Those who attend this session will leave with a full awareness of how best to protect buildings and grounds from unauthorized access. Discussion as well as direct example will be used to demonstrate the grave failings of low-grade hardware ... much of which can be opened by audience members with no prior training. Deviant Ollam, Babak Javadi and Keith Howell will also cover what features to look for in locks and safes, and how to invest in systems that are easiest to manage in large environments.

Evading Deep Inspection for Fun and Shell

Evader is an excellent tool for finding weaknesses in network defenses, and it is well suited to penetration tests and security audits. Olli-Pekka Niemi, a well-known information security specialist, will go into the technical details of Evader and of evasion techniques, and will disclose evasions that still work against most of today's security appliances.

Find Them, Bind Them – Industrial Control Systems (ICS) on the Internet

Did you know that many industrial control systems are remotely administered and can be found on the Internet via search engines like SHODAN? Johannes Klick and Daniel Marzin have developed their own SCADACS Search Engine (SSE) and will compare its first results with SHODAN's. They will show the worldwide distribution of SCADA/PLC systems on their "Industrial Risk Assessment Map" (IRAM), built using SHODAN data; IRAM also shows vulnerabilities and possible exploits. The speakers will also discuss what happens if you combine IRAM, SSE and exploits into a single application.

Protecting Organizations from Security Breaches by Persistent Threats, with Examples from RSA

Michel Oosterhof (CISSP, CISM, CISA, GCIH) is a Senior Systems Engineer with RSA, The Security Division of EMC. Every enterprise is serious about protecting its resources, brand and intellectual property. Despite this, incidents happen, because attackers also have huge resources for developing their means and methods of attack. The speaker knows this first hand, because RSA is constantly under attack. In his talk he will share his experience and expertise in preventing, detecting and minimizing the effects of high-profile APT attacks on corporate and government infrastructure. Based on several use cases (Lockheed Martin and others), he will explain the Cyber Kill Chain concept, discuss typical attack patterns, and describe methods of reducing the risks associated with industrial espionage and cyber attacks. The speaker will also share cases and techniques drawn from his own experience running the internal EMC CIRC (Critical Incident Response Center).

The complete list of the talks to be presented at Positive Hack Days is available on the forum's official website. Besides the standard talks, the PHDays III program includes a Fast Track section of more than 20 short talks covering a range of fascinating topics, from straightening a car out to methods of bypassing DLP.

P. S. We have aggregated the speakers' Twitter accounts into a separate list so that you can subscribe to them easily :)

P. P. S. Registration for the forum is still in progress!