News

4/12/2018

PHDays 8: online contests starting soon

Just one month remains until PHDays 8. That makes it the perfect time to start warming up for The Standoff and other hacker-versus-hacker excitement! The weeks leading up to PHDays will be filled with action, in the form of two online contests: HackQuest and Competitive Intelligence. Don't miss your chance to compete—winners will receive prizes, including free invites to PHDays.

The ONSEC team has prepared HackQuest, which will be held from April 23 to 29. This contest for web lovers takes interesting old vulnerabilities and applies them in the context of today's web. All tasks are based on real-world examples. Participants will do well to look through old research and articles, as well as read the documentation for the latest services. The start will be at 12:00 a.m. (midnight), Moscow time, on April 23.

Competitive Intelligence is back. For several years now, we have shown how easy it is to find sensitive information about people and companies. As they say: "The Internet never forgets!" Put on your sleuthing shoes as you dig up information about a particular organization online. Find as many correct answers as possible, as quickly as possible. The contest will last three days (May 4, 5, and 6) and starts at 9:00 a.m., Moscow time, on May 4 on Telegram: @phdayscibot.

Soon we'll have more to share about all-new contests that will be going on at the venue during PHDays. Stay tuned!

PHDays tickets are still available for purchase. A two-day ticket costs RUB 14,400, while a one-day ticket costs RUB 9,600.

3/28/2018

Fernando Gont to discuss IPv6 security at PHDays 8

Just days remain until the end of the Call for Papers! The program committee has already selected the first group of speakers for technical talks, and in early March we announced the key speaker Ilfak Guilfanov. If you're excited about the chance to speak from the same podium, don't delay—the deadline to submit your proposal is March 31. In the meantime, we'd like to present another big name who will be addressing PHDays 8.

3/15/2018

Talks at PHDays 8: hacking the IoT, bypassing Windows Hello, and preparing for post-quantum cryptography

Proposals for talks at Positive Hack Days are still streaming in! Based on popular demand, we have extended the Call for Papers until March 31. This means a few additional weeks to submit proposals, so we hope to see even more people taking advantage of this special opportunity! Recently we announced one of the key speakers at PHDays 8: IDA Pro and Hex-Rays developer Ilfak Guilfanov. Today we will be offering a sneak peek at some of the talks that will be happening at PHDays. This year's participants can look forward to learning how to bypass facial recognition, why smart cars are dangerous, and how hackers puncture the security of the Internet of Things.

Keeping security relevant

Businesses have experienced enormous losses in the last few years due to criminal groups and hacktivists. The landscape of security threats continues to shift, making it more important than ever to model security threats in a way that understands the risks for business and hackers' capabilities. As always, the success or failure of security measures relies on more than just policies or technologies: employee knowledge remains critical. The security solutions in many sectors are woefully out of date, and the skills of security staff have stagnated as well. Businesses need security to step up its game. Is it possible to churn out enough security professionals to meet these needs? How does one translate security requirements into language that top management can appreciate?

These and other questions will be discussed by Eddie Schwartz, Executive Vice President of DarkMatter. Currently Schwartz is a member of the International Board of Directors of ISACA and Global Chairman of the ISACA's Cybersecurity Working Group. Prior to DarkMatter, he worked as Global Leader for Cyber Security Solutions at Verizon, Chief Security Officer at RSA, and co-founder and Chief Security Officer of NetWitness.

Hacking authentication systems

PHDays will again play host to Argentinian security expert and Cinta Infinita CEO Nahuel Grisolía. A specialist in web application penetration testing and hardware hacking, Grisolía has found vulnerabilities in software from McAfee, VMware, ManageEngine, Oracle, Websense, Google, and Twitter, as well as in free software: Achievo, Cacti, OSSIM, Dolibarr, and osTicket. At PHDays V, Grisolía held a workshop on RFID. This year, he will speak about the Auth0 identity management platform, which secures over 2,000 clients and handles 42 million logins every day. His talk will touch on the security of JSON web tokens, authentication and authorization, cryptography, and methods for intercepting and manipulating HTTP traffic. He will even detail an authentication bypass vulnerability that places all Auth0-enabled applications at risk.

Fooling Windows Hello like one, two, three

Windows Hello is a biometric system from Microsoft that includes iris and fingerprint scanning, as well as facial recognition. This system is used for password-free login in Windows, websites, and applications. Matthias Deeg, Head of R&D at German penetration testing company SySS, will share his research into Windows Hello and demonstrate how different versions of Windows Hello can be bypassed in surprisingly simple ways.

Unsafe at some speeds?

Smart cars are much more than four wheels and an engine—they are also computers crammed with advanced navigation and entertainment programs. This means that smart cars are open to all the security vulnerabilities traditionally associated with the IT world. Representatives from Ixia—Stefan Tanase, Principal Security Researcher, and Gabriel Cirlig, Senior Software Engineer—have probed a smart car's information and entertainment system, which is walled off from the network infrastructure used for the car itself. They uncovered a large amount of data stored in the clear. The authors will demonstrate an attack in which a car can be used as a weapon, as well as how an attacker can track the car's movements and hack network access points with the help of the on-board computer.

Hacking the IoT

Noam Rathaus, co-founder and CTO of Beyond Security, will also speak at PHDays. Rathaus has authored four books about open-source security tools and penetration testing. He is the discoverer of more than 40 software vulnerabilities and responsible for creating around a third of the code of Nessus, a program for automatically finding known vulnerabilities in computer systems. His talk "Put something on the Internet—and get hacked" describes the security situation with the Internet of Things (IoT). Rathaus will discuss different vulnerabilities that his team has discovered in products from well-known vendors, plus measures that can be taken to strengthen IoT security.

The topic of IoT security will be continued by Andrey Biryukov, Lead Information Security Engineer at AMT Group. His Fast Track presentation is entitled "Cloud with gaps: How IoT gets hacked." Use of cloud technologies (some of them open-source) for managing IoT devices, as well as possible incidents, will be analyzed. A video will demonstrate exploitation of the most interesting vulnerabilities, while Biryukov will give his recommendations for closing vulnerabilities and improving overall security.

Staying safe in the quantum age

In February 2016, NIST published a report on post-quantum cryptography. The report includes a list of the algorithms believed to be vulnerable to quantum computers—and almost all of today's cryptographic algorithms are on the list. Sergey Krendelev, Head of the Modern Computer Technologies Laboratory at Novosibirsk State University (Russia), will shed light on the "quantum threat" as well as the algorithms and protocols needed for cryptography in a post-quantum age. Different algorithms will be presented for digital signatures, hash functions, and key exchange. Likely difficulties in deployment of post-quantum cryptography and public-key infrastructure will be considered. Like Nahuel Grisolía, Krendelev also spoke at PHDays V. His talk, "Soviet Supercomputer K-340A and Security of Cloud Computing," dealt with non-standard data encryption algorithms.

Bug bounty benefits

Website owners run serious reputational and financial risks due to vulnerabilities. Igor Bulatenko, CISO of QIWI and co-founder of Vulners.com, will delve into the shortcomings of current methods for combating vulnerabilities and the advantages of bug bounty programs. Bug bounties can be more affordable than pentesting and large security teams, and better for corporate financial stability and reputation—but are they for everyone? Bulatenko will also share his experience at QIWI, including starting a bug bounty program.

A full list of talks will be published in April on the PHDays site. For more about topics and submission guidelines, see the Call for Papers.

3/5/2018

Creator of IDA Pro disassembler to speak at PHDays 8

The keynote speaker at PHDays 8 will be developer Ilfak Guilfanov, known for authoring the IDA Pro disassembler and Hex-Rays decompiler. His initial brush with fame came in 2005, when on December 31 he released an unofficial patch for the Windows Metafile vulnerability. Microsoft's official patch appeared only a week later, on January 5, 2006.

However, Ilfak's crowning accomplishment is IDA Pro. This disassembler is familiar to reverse engineers, virus analysts, and security experts all around the world—in other words, nearly anyone who has to take apart other people's code. Entire books have been written about IDA Pro, including by Kris Kaspersky and Chris Eagle, the latter publishing a work with the subtitle "The Unofficial Guide to the World's Most Popular Disassembler." Ilfak later developed Hex-Rays, a decompiler based on IDA Pro, for analyzing program code. Currently Ilfak manages his own company, Hex-Rays SA, which distributes IDA Pro and Hex-Rays.

At PHDays he will give a talk entitled "Decompiler internals: Microcode" in which he will cover the history of the creation of the microcode that is used in the decompiler Hex-Rays, the microcode's features, and issues that arise when decompiling programs.

Get your ticket for Positive Hack Days to hear from this programming pioneer in person! If you're interested in speaking from the same podium as big-name security experts, hurry up—the Call for Papers closes on March 10. Topics and guidelines are available on the event website.

2/27/2018

Early-bird discount for PHDays tickets ends tomorrow

Tomorrow is the last day to pick up PHDays 8 tickets at a discounted rate! Starting March 1, a two-day ticket will cost 14,400 rubles and a one-day ticket will be 9,600 rubles. Quantities are limited. Don't miss out! Of course, there are still ways to attend PHDays free of charge. Snag an invite by submitting exciting security research (the Call for Papers is in full swing), taking top place in our special hacking contest, or joining one of the teams at The Standoff. Stay tuned!

2/22/2018

Young School: special opportunities for tomorrow's security stars

Excellent news for undergrads, graduate students, and young researchers—Young School will be back at PHDays 8. This year, two formats will be available to choose from: a research track and Spring Hack Tricks, a series of five-minute rapid-fire talks. Selected applicants will be able to present their contributions to the international security community at PHDays 8 in May.

"For several years now, Young School has motivated undergraduate and graduate students to come forward and share their work with the wider public. Young people come from a number of countries each year to demonstrate their findings in the field of applied security. For some of the participants, this will not even be their first time speaking at Young School," says Andrey Petukhov, member of the PHDays Young School program committee. "So far, most applicants are coming from Russian cities such as Tomsk, St. Petersburg, and Taganrog. We expect that the finalists will include new names and a few familiar ones too."

The research track of Young School is intended for original work in the field of applied information security. Successful proposals are chosen for their novelty and relevance; experimental or empirical value is a must. In the case of research with multiple authors, one author will be invited to speak at PHDays and will have travel and accommodation reimbursed; co-authors will receive complimentary PHDays tickets, but will not be reimbursed.

In Spring Hack Tricks, we invite you to talk about a nifty trick or tool that you use in your work, bug bounties, or CTF competitions. Proposals are selected based on their originality and usefulness in practice. If your proposal is selected, you will receive a complimentary ticket to PHDays and the opportunity to share your idea with the community.

To apply for Young School, write to youngschool@phdays.com. Rules and other guidelines are available on the Young School page.

Young School application deadlines:
Research track: April 1
Spring Hack Tricks: April 15

2/19/2018

Draw the Future: calling for comics of robots, sarcasm, math, and information security!

Artists rejoice! We're announcing the first-ever PHDays comic contest, called Draw the Future. For several years now, PHDays has held a contest for short stories ("Hacked Future"). Did you really think that hardcore cyberpunk, steampunk in-a-top-hat, and warp-worthy science fiction had nothing more to say? We didn't think so either. But this time, instead of describing the future with words alone, we hope you'll pick up your drawing pen. Draw the world of the future: tell us a story in comic form.

The funny thing is, everyone envisions the future differently. Sometimes it's scary and shudder-inducing. For others, the (glorious?) future is already here for us, the mere sliver of humankind that has lived to experience a raft of technologies that could hardly be imagined twenty years ago. The digital world can be harsh: some people run in the other direction, while others are busy trying to profit off it. And some people, well, they sip their whiskey, gawk as the world careens into the e-singularity, and let out a belly laugh as they watch it all burn. Good times!

Draw the future, in any way you imagine it: dripping with misery, ascending towards transcendence, frightful, funny, or anything else. As long as the plot involves information technology, we're game!

Artist guidelines

Each comic should tell a story. If it helps, here are some ideas to get you started:
In a galaxy far, far away…
The Internet of Good and Evil Things
Cybercrime capers (Mr. Robot meets Futurama?*)
Adventures of a bitcoin
Artificial intelligence attacks

Let your imagination run wild! This isn't an exam, there is no "right" answer. So pick the style and genre that you like and do best.

If you're dead-set on smashing the competition, winning prizes, getting published in our journal, and even more (imagine your comic in a beautifully bound volume with other exquisite creations for the most rarified of connoisseurs!)… then keep in mind: Doge and MS Paint won't cut it. We may be willing to consider memes of exceptional dankness, but you had better really impress us. Also, if da Vinci can give all his paintings a name, we ask that you give your comic a name to be remembered for the ages.

And… do we even have to say it? If you wouldn't see it on your grandma's Facebook feed, don't draw it. Because your grandma does not tolerate profanity, hate speech, or extremism. Nor does she partake in any pornography, hentai, #etcetcetc whatsoever. Even more obvious: don't plagiarize. That's not interesting for anyone. At all.

Technical requirements

Flattened (single-layer) high-resolution image measuring 220×320 mm @ 300 dpi + lightweight preview. Format: JPEG/PNG. In some cases, the jury may ask you to provide the source materials (with layers). Since we plan to publish the best works, we will be delighted if your comic gracefully contorts itself to the confines of A4 format.

Our lawyers said that you should probably check out the legal fine print.

So what will happen?

The creators of 10 best works will get free tickets to attend PHDays 8, which will be held on May 15-16, 2018. Three winners will be announced at our ceremony on May 16. The prizes are going to be fabulous—we'll make it worth your while, let's put it that way. There will also be a Popular Choice prize. If you're interested, check out our Facebook and Twitter pages and keep an eye out for the latest news. If you're not asking who the judges are, good, because we're not telling (yet).

Send your comics by May 10 to comics@phdays.com. Good luck and may the drawing begin!

Questions? We'll be happy to help you out: comics@phdays.com.

* Rules about intellectual property and copyright use notwithstanding; see the legal verbiage below.

You must agree with all of the contest rules in order to participate; these rules include but are not limited to the "Legal verbiage" below. By sending materials to comics@phdays.com, you confirm that you are familiar with the contest rules and fully accept them as binding.

Legal verbiage:
– The participant certifies that all materials submitted to comics@phdays.com for the contest (the Materials) have been created by the sole efforts of the participant, and no part of the materials or likenesses contained therein is the property of any other person or entity.
– The participant allows the contest organizer, JSC Positive Technologies (the Organizer), to use the Materials provided by the participant free of charge in any way the Organizer may choose, including:
– Posting the Materials online at phdays.com as part of contest-related news;
– Publicly displaying the Materials at or around the Positive Hack Days forum on screen, print, or other media;
– Publishing the Materials in a printed compilation of materials submitted by contest winners; the compilation may be published and distributed by the Organizer and/or its designees.
– All participants must be 16 years or older.

1/10/2018

PHDays invites speakers: tell us what the digital community should look like

The PHDays 8 Call for Papers has started. Speakers are welcome to apply until March 10. Our international program committee, comprising independent researchers and lead experts in information security and IT, will review all your applications and select the most exciting reports. If you've got something to say, we look forward to you saying it at PHDays 8.

The upcoming forum is called Digital Bet, and it focuses on potential security threats and challenges that the state, businesses, and citizens have to face due to the global switch to a digital economy.

"Every year, we do our best to cover both technical and business reports dedicated to the hottest security issues, and invite security experts from Russia and other countries. PHDays 8 is not going to be an exception," states Sergey Gordeychik, the chairman of the program committee. "The upcoming era brings digitalization to all public, business, and social spheres. However, threats imposed by modern technologies and their impact on our lives have not been taken seriously yet. We believe that representatives of government entities, participants of the Digital Economy program, and all information security experts should join in to find a solution to our common problems."

You can present your talk in one of the following formats: a traditional talk (50 minutes), Fast Track (15 minutes), or Hands-on Lab (up to 4 hours).

Key topics:
Role of the government and regulation organizations in economy digitalization
Digitalization of finance technologies
Security of critical digital infrastructure
Actions to reduce risks and control information security
Techniques and tools for physical security
Neurotechnology and artificial intelligence
Home and industrial IoT issues
Blockchain technology and its security
Security of biometric authentication systems

For participation rules and application guidelines, visit the Call for Papers page.

12/11/2017

Tickets for PHDays 8 already on sale

Good news! PHDays tickets are available right now. The Early Birds discount is on offer until December 31: the price of two-day participation in the forum is RUB 7,337. Starting from January 1, two days will cost RUB 9,600 (RUB 11,400 if lunch is included on one day, RUB 13,200 if lunch is included on both days) while the price per day will go up to RUB 7,337 (RUB 9,137 if lunch is included). The number of tickets is limited. Don't miss your chance to benefit from the discount before all the tickets are sold out as New Year gifts :)

For those who prefer not to take the easy way: remember that it is possible to take part in the forum for free. To obtain an invitation, prepare outstanding information security research, win a special hacker contest, or join one of The Standoff teams. More details are coming up soon. Watch out for updates!

11/16/2017

PHDays 8: Digital Bet

Mark your calendars for the eighth annual Positive Hack Days, which will be held on May 15–16, 2018. As before, the venue will be the World Trade Center Moscow. Preparations are already in full swing as the organizers ready surprises, design the area for The Standoff, test new equipment, and fine-tune the program. For the eighth year now, we're doing things our way and staying true to the ethos of a one-of-a-kind event.

This time at PHDays, the headline topic is the Digital Bet. Big changes are coming. Governments have bet big on data and the web. Telemedicine, online government services, remote management of transportation and industrial infrastructure, smart devices, and cryptocurrencies are all here and now. And soon these new technologies will improve the lives of people in a multitude of ways. But while the world is caught up in the excitement of this digital transformation, hackers are in the driver's seat: they get to decide who will gain from this process and who will lose out… What awaits us if data really does become the most valuable asset? Is there any way to stay safe in a world where life is technology-centric and the line between the real and the virtual is blurred? Can we expect electronic bliss or should we prepare for digital apocalypse?

Boris Simis, Deputy CEO for Business Development at Positive Technologies, comments: “Today we live in a world where, for billions of people, living unconnected is unimaginable. The flow of information is now a flood. Given these facts, the transition to a digital economy is a natural one. Yet for all of the benefits, there are plenty of potential downsides. At PHDays we will demonstrate the information security issues that governments, businesses, and individuals will confront as the result of the digital bet. By looking beyond the hype, we hope to improve the quality of the conversation around security.”

As in years past, PHDays will offer an enormous range of roundtables, hands-on labs, and demonstrations, as well as technical talks given by security experts from all over the world. Top topics on the agenda for PHDays 8 include the role of government and regulators in the e-economy, the digital wave in finance, security of critical digital infrastructure, security risk management, and physical security. Contests will highlight potential threats and issues in the security of today's cities (transportation, video surveillance), medicine, industry, e-government, and the Internet of Things for both home users and businesses. Contests will also probe for weaknesses in blockchains and biometric authentication.

City warfare

Cyberbattle between attackers and defenders has long been a crowd favorite. At PHDays 8, the organizers plan to surprise forum visitors with version 3.0 of The Standoff. The conflict between attackers and defenders is going to the next level. The battleground: a city whose economy is based on blockchain technology. City infrastructure includes an electrical plant and substation, railroad, energy-efficient smart homes, and banks with ATMs and self-service kiosks. And of course, what modern city would be complete without online services, mobile network operators, and the Internet?

Mikhail Pomzov, a member of the PHDays organizing committee, gives a peek at what to expect: “The city that competitors have grown to know and love is now based on an e-economy. Infrastructure will include both vital facilities and the creature comforts to which most of us are accustomed. Lots of mock people live in our mock city: they work in offices and factories for different companies, live in modern homes, and go outdoors on the weekends. All the infrastructure is linked together in an intricate mechanism that runs like clockwork. But what happens when somebody disturbs this mechanism? We are going to shake up the format a bit. The main participants will still be defenders and attackers, but the latter may have to bone up on their defensive skills. We also plan to give participants a bit more freedom of action, such as by allowing denial of service attacks.”

Attackers and defenders are tied so far at 1:1 in past competitions. In May, we'll know everything about this PHDays marquee event—including which of the sides will pull ahead to take the lead.

With six months still to go till spring, it's a great time to view the best talks from PHDays VII online. Coming soon: the first Call for Papers and ticket sales. More news to come!