News
Pirates at PHDays: say "ahoy" to maritime mayhem
Become a modern-day buccaneer in our Pirate’s Gate contest on May 15–16 at Positive Hack Days. More and more devices are connected to electronic controllers. And if something has a processor inside, it contains vulnerabilities. Hackers long ago figured out how to hijack drones, take over smart cars, and derail trains. So how about stealing a ship? We invite PHDays visitors to hack our ship's navigation system and send the ship to points unknown. Participants will have before them a boom barrier and a small pool, in whose high seas our radio-controlled model boat will be sailing. The winner will be the person who most quickly hacks the boom barrier, reaches the dock, accesses the navigation system, and takes control of the vessel. The contest will be active during the entire forum. Everyone is welcome to take part—just come up to the stand. We recommend bringing your own laptop and SDR (HackRF and bladeRF). Register and buy tickets for PHDays while you still can! A two-day ticket costs RUB 14,400; a one-day ticket costs RUB 9,600.
PHDays 8: full list of contests now available
Every year at Positive Hack Days, contests offer the chance for the best hackers and defenders to show off and win glory. We have already announced a few new contests, some of which will be held online in the weeks leading up to PHDays. Here we'll share all about the contests that will take place at PHDays itself on May 15 and 16. The Standoff Of course, the center of the action is The Standoff, a 30-hour cyberbattle between teams of attackers, defenders, and security operations centers. At stake is a mock city built on a technologically advanced economy. The city precisely recreates all the digital infrastructure found in the real world: power plant and substation, railroad, energy-efficient smart homes, and banks with ATMs and self-service kiosks. And what modern city would be complete without cell phones, the Internet, and online services? The city is populated by corporate employees as well as simple folk who use smart gadgets in their daily lives. Attackers are invited to use their imaginations and do absolutely anything that is not forbidden by the rules. The action will be monitored non-stop by our jury. This year's rematch is set to be decisive, since after 2016 and 2017, the sides are tied 1:1. The teams themselves promise an exciting game, because all three sides will include participants who work in information security every day: integrators, vendors, and client-side information security staff. Learn all about the competition rules and participants: The Standoff. HackBattle The excitement is back with HackBattle, which made its debut last year. A qualifying round will be held on the first day of the forum; participants will be timed as they complete tasks of varying difficulty. The finale will be on the second day, when two hackers take the stage to attack the same target while viewers follow along on the big screen. MITM Mobile Today's phreakers are still targeting telecom companies—and you can become one of them thanks to MITM Mobile. Intercept the airwaves of our very own on-site mobile operator. The two participants completing the most tasks will win prizes. To take part, bring your own Osmocom, SDR, virtual machines, and other necessary equipment. Leave ATM Alone This classic crowd-pleaser will again offer the chance of a lifetime: 15 minutes to (legally) try to steal money from an ATM. Keep any money you can take! Total potential winnings are RUB 40,000. Attackers can look forward to network access on the first day and physical access on the second day. Perhaps you'll hit the jackpot? CAMBreaker Great news: CAMBreaker is returning to PHDays. See how well you can hack IoT devices and find zero-day vulnerabilities in popular IP cameras. We encourage web application aficionados, masters in firmware reverse engineering, and beginning Binwalkers to all take part. Bonus new to this year: firmware has been extracted for analysis from all devices (over 12 in total). blzhquest The St. Petersburg CTF (SPbCTF) community invites PHDays visitors to compete in a unique CTF. Be the first to reach the community's mascot, an enchanted hedgehog who has a few prizes for the best and brightest. Hack servers one after the other in order to climb higher on the pyramid. Each level of the pyramid consists of a set of tasks for web, reverse engineering, forensics, and crypto. Prizes await the first to complete each level. At the top stands the hedgehog, eager to award the main prize to the first person to ascend the pyramid in its entirety. To take part, walk up to the blzhquest stand and get the username and password for the contest network. Tasks can be completed from anywhere at any time during the forum. Laptop is required. The Labyrinth It's a smart home! At PHDays! Rostelecom has created The Labyrinth, in which participants are given 15 minutes and three tools of their choice to take on a smart home. To win, a three-person team must complete The Labyrinth without triggering any alarms and steal a special PHDays statuette from inside. Teams with the best times will receive prizes from Rostelecom. 2drunk2hack It's a tradition to close out the PHDays contests with 2drunk2hack. Participants will compete at hacking web applications protected by a web application firewall, as well as maintaining their ability to think while inebriated. The objective is to successfully attack a firewalled web application. Every five minutes, the participants whose actions have attracted the most attention from the WAF will down 50 ml of high-proof consolation—and then head back into battle. Win by being the first to collect the main flag via executing commands on the server. Participants must bring their own hardware and software. More information is available on the Contests page.
New contests at PHDays
Many say contests are the most exciting part of Positive Hack Days. And this year we have some all-new additions awaiting. Come to the Fizpribor stand to engage in H@rd Logic Combat. If you're tired of tin soldiers and toy trains, pit yourself against the solutions used for field-level automation and and safety instrumented systems for state-of-the-art Russian industrial control systems in nuclear energy. Over the course of two days, participants will try their hardest against ALTLinux and QNX components, as well as algorithmic modules based on hard logic. Participants must register in advance by writing to hlc@fizpribor.ru. Please note that participation is at the full discretion of the organizers. The winners can look forward to an iPad, electric scooters, and other prizes. All are welcome to take part in EtherHack, a new online contest. Find and exploit vulnerabilities in smart contracts in the Ethereum blockchain. The more tasks you complete, the more points you get—so score big to win. The smart contracts will be on the Ropsten testnet. Participants will need an Ethereum local client or browser extension (MetaMask). First place will be recognized with ether (valued at $1,000); the second-place winner will get a Ledger Nano S cryptocurrency hardware wallet and third place will come with mementos from the organizers. Don't wait until the forum to get hacking! In the weeks leading up to PHDays 8, we will be holding two online contests: HackQuest and Competitive Intelligence. Nifty gifts and free PHDays invites await the winners. Register for PHDays and purchase tickets here. A ticket for two days costs RUB 14,400; one day costs RUB 9,600.
Deloitte Hackazon contest to start April 30
Deloitte is hosting Hackazon, an online contest that offers hackers a chance to warm up before next month's Positive Hack Days. The contest kicks off on April 30 and will last five days. Winners will receive PHDays invites and souvenirs. This jeopardy-style capture the flag (CTF) contest will be hosted on the Hackazon platform, which has been specially developed by Deloitte for simulating attacks on real infrastructure. Participants can gain experience in a safe environment while improving their pentesting skills. Deloitte Hackazon will have tasks of varying difficulty. Participants complete these tasks as quickly as possible, winning points for each task based on its difficulty level. Task completion is tracked in real time. Victory goes to those who complete the tasks most successfully and most quickly! Interested participants must sign up in advance. The first five participants able to complete all tasks will each receive a ticket to PHDays 8. Three of them will also receive PHDays souvenirs. The exact start time, as well as the Hackazon URL, will be posted by the organizers closer to the contest start. Check this space for updates!
PHDays 8: online contests starting soon
Just one month remains until PHDays 8. That makes it the perfect time to start warming up for The Standoff and other hacker-versus-hacker excitement! The weeks leading up to PHDays will be filled with action, in the form of two online contests: HackQuest and Competitive Intelligence. Don't miss your chance to compete—winners will receive prizes, including free invites to PHDays. The ONSEC team has prepared HackQuest, which will be held from April 23 to 29. This contest for web lovers will involve interesting old vulnerabilities and apply them in the context of today's web. All tasks are based on real-world examples. Participants will do well to look through old research and articles, as well as read the documentation for the latest services. The start will be at 12:00 a.m. (midnight), Moscow time, on April 23. Competitive Intelligence is back. For several years now, we have shown how easy it is to find sensitive information about people and companies. As they say: "The Internet never forgets!" Put on your sleuthing shoes as you dig up information about a particular organization online. Find as many correct answers as possible, as quickly as possible. The contest will last three days (May 4, 5, and 6) and starts at 9:00 a.m., Moscow time, on May 4 on Telegram: @phdayscibot. Soon we'll have more to share about all-new contests that will be going on at the venue during PHDays. Stay tuned! PHDays tickets are still available for purchase: buy now. A two-day ticket costs RUB 14,400, while a one-day ticket costs RUB 9,600.
Fernando Gont to discuss IPv6 security at PHDays 8
Just days remain until the end of the Call for Papers! The program committee has already selected the first group of speakers for technical talks, and in early March we announced the key speaker Ilfak Guilfanov. If you're excited about the chance to speak from the same podium, don't delay—the deadline to submit your proposal is March 31. In the meantime, we'd like to present another big name who will be addressing PHDays 8.
Talks at PHDays 8: hacking the IoT, bypassing Windows Hello, and preparing for post-quantum cryptography
Proposals for talks at Positive Hack Days are still streaming in! Based on popular demand, we have extended the Call for Papers until March 31. This means a few additional weeks to submit proposals, so we hope to see even more people taking advantage of this special opportunity! Recently we announced one of the key speakers at PHDays 8: IDA Pro and Hex-Rays developer Ilfak Guilfanov. Today we will be offering a sneak peek at some of the talks that will be happening at PHDays. This year's participants can look forward to learning how to bypass facial recognition, why smart cars are dangerous, and how hackers puncture the security of the Internet of Things. Keeping security relevant Businesses have experienced enormous losses in the last few years due to criminal groups and hacktivists. The landscape of security threats continues to shift, making it more important than ever to model security threats in a way that understands the risks for business and hackers' capabilities. As always, the success or failure of security measures relies on more than just policies or technologies: employee knowledge remains critical. The security solutions in many sectors are woefully out of date, and the skills of security staff have stagnated as well. Businesses need security to step up its game. Is it possible to churn out enough security professionals to meet these needs? How does one translate security requirements into language that top management can appreciate? These and other questions will be discussed by Eddie Schwartz, Executive Vice President of DarkMatter. Currently Schwartz is a member of the International Board of Directors of ISACA and Global Chairman of the ISACA's Cybersecurity Working Group. Prior to DarkMatter, he worked as Global Leader for Cyber Security Solutions at Verizon, Chief Security Officer at RSA, and co-founder and Chief Security Officer of NetWitness. Hacking authentication systems PHDays will again play host to Argentinian security expert and Cinta Infinita CEO Nahuel Grisolía. A specialist in web application penetration testing and hardware hacking, Grisolía has found vulnerabilities in software from McAfee, VMware, ManageEngine, Oracle, Websense, Google, and Twitter, as well as in free software: Achievo, Cacti, OSSIM, Dolibarr, and osTicket. At PHDays V, Grisolía held a workshop on RFID. This year, he will speak about the Auth0 identity management platform, which secures over 2,000 clients and handles 42 million logins every day. His talk will touch on the security of JSON web tokens, authentication and authorization, cryptography, and methods for intercepting and manipulating HTTP traffic. He will even detail an authentication bypass vulnerability that places all Auth0-enabled applications at risk. Fooling Windows Hello like one, two, three Windows Hello is a biometric system from Microsoft that includes iris and fingerprint scanning, as well as facial recognition. This system is used for password-free login in Windows, websites, and applications. Matthias Deeg, Head of R&D at German penetration testing company SySS, will share his research into Windows Hello and demonstrate how different versions of Windows Hello can be bypassed in surprisingly simple ways. Unsafe at some speeds? Smart cars are much more than four wheels and an engine—they are also computers crammed with advanced navigation and entertainment programs. This means that smart cars are open to all the security vulnerabilities traditionally associated with the IT world. Representatives from Ixia—Stefan Tanase, Principal Security Researcher, and Gabriel Cirlig, Senior Software Engineer—have probed a smart car's information and entertainment system, which is walled off from the network infrastructure used for the car itself. They uncovered a large amount of data stored in the clear. The authors will demonstrate an attack in which a car can be used as a weapon, as well as how an attacker can track the car's movements and hack network access points with the help of the on-board computer. Hacking the IoT Noam Rathaus, co-founder and CTO of Beyond Security, will also speak at PHDays. Rathaus has authored four books about open-source security tools and penetration testing. He is the discoverer of more than 40 software vulnerabilities and responsible for creating around a third of the code of Nessus, a program for automatically finding known vulnerabilities in computer systems. His talk "Put something on the Internet—and get hacked" describes the security situation with the Internet of Things (IoT). Rathaus will discuss different vulnerabilities that his team has discovered in products from well-known vendors, plus measures that can be taken to strengthen IoT security. The topic of IoT security will be continued by Andrey Biryukov, Lead Information Security Engineer at AMT Group. His Fast Track presentation is entitled "Cloud with gaps: How IoT gets hacked." Use of cloud technologies (some of them open-source) for managing IoT devices, as well as possible incidents, will be analyzed. A video will demonstrate exploitation of the most interesting vulnerabilities, while Biryukov will give his recommendations for closing vulnerabilities and improving overall security. Staying safe in the quantum age In February 2016, NIST published a report on post-quantum cryptography. The report includes a list of the algorithms believed to be vulnerable to quantum computers—and almost all of today's cryptographic algorithms are on the list. Sergey Krendelev, Head of the Modern Computer Technologies Laboratory at Novosibirsk State University (Russia), will shed light on the "quantum threat" as well as the algorithms and protocols needed for cryptography in a post-quantum age. Different algorithms will be presented for digital signatures, hash functions, and key exchange. Likely difficulties in deployment of post-quantum cryptography and public-key infrastructure will be considered. Like Nahuel Grisolía, Krendelev also spoke at PHDays V. His talk, "Soviet Supercomputer K-340A and Security of Cloud Computing," dealt with non-standard data encryption algorithms. Bug bounty benefits Website owners run serious reputational and financial risks due to vulnerabilities. Igor Bulatenko, CISO of QIWI and co-founder of Vulners.com, will delve into the shortcomings of current methods for combating vulnerabilities and the advantages of bug bounty programs. Bug bounties can be more affordable than pentesting and large security teams, and better for corporate financial stability and reputation—but are they for everyone? Bulatenko will also share his experience at QIWI, including starting a bug bounty program. A full list of talks will be published in April on the PHDays site. For more about topics and submission guidelines, see the Call for Papers.
Creator of IDA Pro disassembler to speak at PHDays 8
The keynote speaker at PHDays 8 will be developer Ilfak Guilfanov, known for authoring the IDA Pro disassembler and Hex-Rays decompiler. His initial brush with fame came in 2005, when on December 31 he released an unofficial patch for the Windows Metafile vulnerability. Microsoft's official patch appeared only a week later, on January 5, 2006. However, Ilfak's crowning accomplishment is IDA Pro. This disassembler is familiar to reverse engineers, virus analysts, and security experts all around the world—in other words, nearly anyone who has to take apart other people's code. Entire books have been written about IDA Pro, including by Kris Kaspersky and Chris Eagle, the latter publishing a work with the subtitle "The Unofficial Guide to the World's Most Popular Disassembler." He later developed Hex-Rays, a decompiler based on IDA Pro, for analyzing program code. Currently Ilfak manages his own company, Hex-Rays SA, which distributes IDA Pro and Hex-Rays. At PHDays he will give a talk entitled "Decompiler internals: Microcode" in which he will cover the history of the creation of the microcode that is used in the decompiler Hex-Rays, the microcode's features, and issues that arise when decompiling programs. Get your ticket for Positive Hack Days to hear from this programming pioneer in person! If you're interested in speaking from the same podium as big-name security experts, hurry up—the Call For Papers closes on March 10. Topics and guidelines are available on the event website.
Early-bird discount for PHDays tickets ends tomorrow
Tomorrow is the last day to pick up PHDays 8 tickets at a discounted rate! Starting March 1, a two-day ticket will cost 14,400 rubles and a one-day ticket will be 9,600 rubles. Quantities are limited. Don't miss out! Of course, there are still ways to attend PHDays free of charge. Snag an invite by submitting exciting security research (the Call for Papers is in full swing), taking top place in our special hacking contest, or joining one of the teams at The Standoff. Stay tuned!
Young School: special opportunities for tomorrow's security stars
Excellent news for undergrads, graduate students, and young researchers—Young School will be back at PHDays 8. This year, two formats will be available to choose from: a research track and Spring Hack Tricks, a series of five-minute rapid-fire talks. Selected applicants will be able to present their contributions to the international security community at PHDays 8 in May. "For several years now, Young School has motivated undergraduate and graduate students to come forward and share their work with the wider public. Young people come from a number of countries each year to demonstrate their findings in the field of applied security. For some of the participants, this will not even be their first time speaking at Young School," says Andrey Petukhov, member of the PHDays Young School program committee. "So far, most applicants are coming from Russian cities such as Tomsk, St. Petersburg, and Taganrog. We expect that the finalists will include new names and a few familiar ones too. The research track of Young School is intended for original work in the field of applied information security. Successful proposals are chosen for their novelty and relevance; experimental or empirical value is a must. In the case of research with multiple authors, one author will be invited to speak at PHDays and will have travel and accommodation reimbursed; co-authors will receive complimentary PHDays tickets, but will not be reimbursed. In Spring Hack Tricks, we invite you to talk about a nifty trick or tool that you use in your work, bug bounties, or CTF competitions. Proposals are selected based on their originality and usefulness in practice. If your proposal is selected, you will receive a complimentary ticket to PHDays and the opportunity to share your idea with the community. To apply for Young School, write to youngschool@phdays.com. Rules and other guidelines are available on the Young School page. Young School application deadlines: Research track: April 1 Spring Hack Tricks: April 15