News
The Standoff at PHDays VII: hello IoT and hackable objects, goodbye flags
Last year's PHDays was host to a spirited contest between hackers and defenders at PHDays VI СityF: The Standoff. The field of battle was a virtual city: the hackers attacked the city with all available methods, while teams of defenders and security operations centers (SOCs) tried to thwart them. This shakeup in contest format captured the participants' imaginations, so we have taken things even further this year. At PHDays VII, the main contest will be The Standoff, and the overall theme for PHDays is The Standoff: Enemy Inside. The organizers promise more attack vectors, more objects to defend and attack, and no more flags to capture. We invite hackers, defenders, and SOCs to take part—although who's to say that there are only three sides to this story? Events will unfold in the same virtual place as last year, but the city itself has been significantly expanded. Hackers and defenders can run wild with a telecom company, сombined heat and power plant, office complex, and—new to this year—a large number of IoT devices. Even PHDays visitors will be involved in the game. During the game, teams will be able to do anything that is not forbidden by the rules. The rules themselves have been changed as well: defenders now are restricted by a budget. Each team of defenders is given the same amount of game currency, with which they can purchase security solutions from a local distributor or procure SOC monitoring services. Detailed rules for The Standoff have been published by the organizers. If you're interested in joining in on the fun at The Standoff, write us at phd@ptsecurity.com. The application deadline is April 3, 2017. Don't forget that participation in The Standoff is open to PHDays guests, Internet users attending via PHDays Everywhere, and those who would like to try out particular assignments (such as hacking an office complex). The forum's partners are Microsoft, IBM, Infotecs, R-Vision, Solar Security and Axoft; the business partners is MONT; among technology partners are Cisco, CompTek, ARinteg, Qrator, and Wallarm; the Standoff partners are PaloAlto, ICL System technologies, Beyond Security; the Standoff participants are Informzaschita, Advanced Monitoring, Jet Infosystems and CROC; the general information partner is the news agency TASS.
PHDays Call for Papers: First Wave Closing
The first wave of the application process for the Positive Hack Days VII international applied security forum is nearly over. Despite the winter holidays, over 50 proposals for talks and workshops have been received already. For those who want to speak at the event, there is still time to apply. And for those who submit during the first wave, the program committee may offer suggestions and advice. The results of the first wave will become known after February 15. For information on topics and guidelines, see the Call for Papers page. Proposals received by the program committee have come from Europe, Russia, Asia, Africa, North America, and South America. Topics include: — What's worse: poor implementation or vague standards? Russian and international practice with vulnerability-finding during standards compliance audits; bypassing of app store checks. — Hacking Android apps and IPv6 networks: technology overview and typical attacks. — Hacking medical equipment: hacker-to-machine interface and other IoT security topics. — When defenders attack: hacking a botnet for incident investigation. — Hacking cloud infrastructure and apps: scalability of red teams and larger numbers of attackable targets in complex systems. — Looking critically at protection technologies: which is “deader,” antivirus or SIEM? Which has more to offer: vulnerability intelligence, bank transaction analysis, or logs of hidden site trackers? — Yesterday's threats, today's attacks: vulnerabilities in Docker, HTML5, Hadoop, and IPv6. — New levels of (in)security in payment and banking systems. POS security meets NFC and Java Card security. The Call for Papers ends on March 15; results will be made known by March 30. A full list of presentations will be published in April on the official PHDays VII site. The conference will be held on May 23–24, 2017, at the World Trade Center in Moscow, Russia. Conference registration and passes are available here. A two-day pass costs RUB 9,600, while one day at the event costs RUB 7,337. The forum's partners are Microsoft, IBM, Infotecs, R-Vision, Solar Security and Axoft; the business partners is MONT; among technology partners are Cisco, CompTek, ARinteg, Qrator, and Wallarm; the Standoff partners are PaloAlto, ICL System technologies, Beyond Security; the Standoff participants are Informzaschita, Advanced Monitoring, Jet Infosystems and CROC; the general information partner is the news agency TASS.
PHDays VII Discount Reminder
We would like to remind that you have only one week to buy PHDays VII tickets with the Early Birds discount! Until December 30, the ticket package for the two days of the forum costs 7,337 rubles. Starting December 31, the price will go up to 9,600 rubles for the two-day package and 7,337 rubles for one day. You can register and buy tickets here. How to get to PHDays VII free of charge: Participate as a speaker with your security research. Potential speakers can apply here. The Call for Papers phase one will last until January 30. Read more on Call for Papers. Take part in the hackers’ contests. Qualification and registration will start closer to the event. Get through to the final round of the cyberpunk short-story competition. Rules of the contest will be published soon. Hold your own security forum in your city of residence as part of the PHDays Everywhere initiative. Keep your eye on the official news! Students can also be granted free admission through participating in the PHDays Young School section. This year, apart from research track, we’ll have Spring Hack Tricks—five-minute lightning talks—and product comparison and review article contest. Read more on PHDays Young School. Best research authors will have an opportunity to give a talk to hackers and security specialists. Application deadlines: January 15* for review work (the work itself must be completed by April 1*) April 1** for Young School research track April 15** for Spring Hack Tricks Send your application to youngschool@phdays.com.
PHDays VII Young School: Applications Now Accepted
We're excited to announce PHDays VII Young School! Undergrads, graduate students, and independent young researchers in all areas of information security are invited to take part. Last year, the Young School format pivoted from peer competition to presenting ideas, and this year we've made more changes: young researchers will have even more options for sharing their work. As before, we will have the research track for applied security topics. There should be experimental proof of practical value; criteria for novelty and relevance should also be met. For topics that are accepted, one author will be invited to give a talk at the forum with reimbursement from the organizers for travel and accommodation. Coauthors will receive forum passes, without reimbursement of their expenses. Researchers are also welcome to apply to present Spring Hack Tricks: in these five-minute lightning talks, you can describe a trick and/or tools that help you in your work, bug bounty, or CTF contests. The main criteria are real-world relevance and originality. If your proposal is accepted, you will receive a forum pass and the opportunity to share your idea with the community. Another way to present at the forum is to write an in-depth review article comparing two or more information security products of the same class. This is an all-new format for Young School, so the organizers are going all-out to make it happen: they will help with preparing an outline of the review and give feedback to improve the quality of the work. Authors of accepted works will be invited to the forum with reimbursement for travel and accommodation, and will be able to present the results of their work at the forum. How to apply Apply by sending your application to youngschool@phdays.com. Rules and application requirements are posted at phdays.com/program/ys/. Prospective applicants are invited to contact the organizers before applying. In case of questions regarding research topics, results, how to present information, etc., contact youngschool@phdays.com Application deadlines: — January 15 for review work (the work itself must be completed by April 1) — April 1 for Young School research track — April 15 for Spring Hack Tricks
PHDays VII Ticket Sale Kick-Off
On November 29, the ticket sale for the international forum on practical information security Positive Hack Days VII was launched. You can register and buy tickets here. Similar to previous year, we are offering the Early Birds discount: until December 30, the ticket package for the two days of the forum costs 7,337 rubles. Starting December 31, the price will go up to 9,600 rubles for the two-day package and 7,337 rubles for one day. How to get to PHDays VII free of charge You can participate as a speaker. Potential speakers can apply here, the Call for Papers phase one will last until January 30. Both recognized experts and aspiring specialists can hand in their research results. For the list of topics and “how to apply” tips see the Call for Papers page. Alternatively, take part in the hackers’ contests or hold your own security forum in your city of residence as part of the PHDays Everywhere initiative. Students can also be granted free admission through participating in the PHDays Young School section. Best research authors will have an opportunity to give a talk to hackers and security specialists. Further details coming soon, keep your eye on the news!
PHDays VII Call for Papers: How to Stand Up at the Standoff
November 15 marks the start of the call for papers for Positive Hack Days VII, an international digital security forum that will be held at the World Trade Center in Moscow, Russia, on May 23–24, 2017. Potential presenters must apply by sending an application form before January 30, 2017. Both established experts and up-and-coming specialists are encouraged to apply. At the event, we plan to emphasize the threats and opportunities for building a safer Internet of Things. The theme of the prior forum—The Standoff—has taken on a life of its own with some unexpected twists. Cyberwarfare now threatens the everyday objects around us and hackers can use smart cars, smart home sensors, video cameras, and even children's toys to their advantage. More than just a place for discussing security issues, PHDays is a space for building solutions. We urge speakers to share specific advice and tactics for mitigating security threats. We welcome both real-world experience and original research in all imaginable areas of security: defense, offense, smart devices, social networks, physical security, social engineering... If you have something to say, we hope to hear it at PHDays VII. For information on topics and guidelines, see the Call for Papers page at www.phdays.com/call_for_papers. Applicants are strongly encouraged to apply early. Early-bird applicants leave time for the program committee to provide recommendations, which increases the likelihood of their presentation making the final cut.
PHDays VII: The Standoff Continues
Today marks the official start of preparations for the seventh Positive Hack Days international security forum. The event will be held on May 23–24, 2017 at the World Trade Center in Moscow, Russia. As in past years, attendees will represent a diverse cross-section of security, with hackers, developers, security experts, business and government figures, and young scientists joined by specialists from finance, telecom, oil and gas, industrial, and IT companies. And as always, surprises are in store for both guests and participants—but more about that a bit later. More than just presentations and discussions of security topics, PHDays has long offered a staging ground for the most daring experiments in the field. Event organizers, as always, work to minimize advertising and promotion while maximizing interesting presentations, real-world usefulness, and hands-on competitions. The theme of PHDays VII is “The Standoff: Enemy Inside”. While futurologists were scaring us with visions of Big Brother and The Terminator, our enemies have taken a most unexpected form: an enormous number of digital devices omnipresent in our homes, pockets, streets, and offices. Cars, payment terminals, smart home sensors, children's toys, and even surveillance cameras which were supposed to keep us safe—all these are now weapons in the hands of hackers. We are, quite literally, surrounded. How can we fight an enemy when there is no front line and even our coffee machine may stab us in the back? We will try to find the answer at PHDays. At PHDays VI in 2016, we offered a new paradigm for the hacking competition: a no-holds-barred cyberbattle between attackers and defenders. Instead of abstract quizzes, participants were given specific objectives to accomplish. Now we are making the setting even more realistic, with the battlefield consisting of a city where pentesters will try to take control of city infrastructure and smart appliances. Social engineering will target team members and even ordinary visitors at PHDays VII. The hackers defeated in the previous Standoff will undoubtedly seek revenge. But who's to say that there can be only two sides to a battle? The competition will be “spiced up” with new hackable objects, more action, day/night scenarios, and social engineering. According to Timur Yunusov, Head of the Banking System Security Unit at Positive Technologies and member of the PHDays organizing committee, the main roles—hackers, defenders, and SOC—will remain the same. But Standoff participants will now include professional pentesters. The remainder of the competition will focus on city infrastructure, where participants can try to hack industrial control systems, a telecom company and bank, the Internet of Things, and network equipment. Event partners will help in laying the technical groundwork for the Standoff. Nobody can know the outcome of the competition in advance, but one thing is clear: more twists and turns mean more excitement for everyone. Participants will also be able to hear interesting presentations, attend workshops, and discuss IT security topics with leading industry specialists. Conversations will concentrate less on generalizations, and more on practical solutions for improving security. “This time around we plan to focus even more on innovations in techniques for hacking and applying security in practice. Our objective is for government, business, and industry to each contribute to the dialog on how to respond to the latest threats. Conversation will center on the Internet of Things, the combination of the IoT and SCADA, development of security solutions, and SSDL approaches. Above all, the greatest value we see in the conference is bringing everybody to the table: business executives, IT and security professionals, developers, SOC specialists, and so many others. As always, we have made sure that both technical and business aspects are reflected so that the management and technical sides hear each other and identify new opportunities for building more secure and reliable IT systems,” said Alexey Kachalin, Deputy Director of Business Development in Russia at Positive Technologies and member of the PHDays organizing committee. Interested in presenting? The first call for presenters will open soon. Stay tuned! In the meantime, feel free to view the best presentations from PHDays VI. Over 14,000 people have visited the forum over the last six years. PHDays VI set a new record, with 4,200 visitors. Don’t miss your chance to take part!
The Standoff at PHDays VI: New Format for a New Reality
Positive Hack Days VI has come and gone, making it the perfect time to take a look back as well as see what is in store for next year. The theme of these PHDays was “The Standoff” – an idea that event organizers had wanted to explore for years, and in May came to fruition as PHDays VI СityF: The Standoff. No mere hacker game, this was a two-day battle of the best in cybersecurity. Last year at PHDays V, event organizers tried to make the cybersecurity competition more like the real world. Per the event scenario, each capture-the-flag team represented a group in an imaginary country. The CTF teams accepted assignments (i.e., for hacking into different systems) through a DarkNet hacker marketplace. This year, the creators did one better by spicing up the hacker-heavy games with new participants: defenders and security operations center (SOC) specialists. This made the game much more lifelike and diverse – instead of only participants accustomed to being on “offense”, other specialists who build cybersecurity systems and investigate incidents were now represented as well.
PHDays VI: WAF Bypass Contest
The WAF Bypass competition, now an annual event held during Positive Hack Days, an international forum on information security, was organized in May this year as well. The contest’s participants attempted to bypass the security checks of PT Application Firewall that protected vulnerable applications. Positive Technologies specialists had introduced configuration errors that allowed some bypassing of the system. The goal of each task was to retrieve a flag stored in a database, file system or in cookies given to a special bot. Below is description and solutions of the contest’s tasks. 1. m0n0l1th In this task, participants performed in LDAP injection to retrieve the admin password from the LDAP storage. There was a form with an input for a username, which passed directly into an LDAP query.
PHD VI: How They Stole Our Drone
This year, a new competition was introduced at PHDays, where anyone could try to take control over a Syma X5C quadcopter. Manufacturers often believe that if they implement a wireless standard instead of IP technology, they may not think about security. As if hackers would give up because dealing with something other than IP is too long, difficult, and expensive. But in fact, SDR (software-defined radio) is an excellent way to access the IoT, where the initial level is determined by the level of an IoT vendor’s care and concern. However, even without SDR you can work wonders, even in the limited space of frequencies and protocols. The contest goal is to take control over a drone. Inputs: - drone control range: 2.4 GHz ISM, - control is driven by the modulenRF24L01+ (actually, by its clone — BK2423). Facilities (optional): Arduino Nano, nRF24L01+. The hijacker received the Syma X8C as a prize. Since those who wanted to steal our drone were trained people who had HackRF, BladeRF, and other serious tools in their arsenal, we describe two hijack methods: via SDR and nRF24L01+. The Way of the Samurai: SDR First of all, you need to find channels that are running the console. But before that, you need to skip through the data sheet, to get the idea of what you need to look for. First of all, we need to find out the organization of frequencies.