News

4/13/2017

PHDays online contests: let there be CTF

Participation in online contests is a great opportunity to get into the right mood for PHDays. In early May, as a part of preparation for the forum, CTF, HackQuest (from Wallarm), and Competitive Intelligence contests will be held. Presents and free invitations to PHDays are at stake.

The traditional contest HackQuest will be held from May 1 till May 13. This time, it is organized by Wallarm. Participants should solve as many hacking tasks as possible in a short time. The tasks are based on real vulnerabilities discovered in the last year. By the way, this will be the first time participants will have to contend ... with neural networks. Winners will receive souvenirs and free tickets for PHDays.

The motto of the Competitive Intelligence contest is "keep on seeking, and you will find." Any participant will be able to check how fast he or she is in searching for information on the internet. But in contrast to previous years, they will need to find information on IoT devices, not on people. The contest will be held for three days, from May 14 till May 16.

Some participants longed for the good old CTF. This year, no one will leave disappointed. On May 12 and 13, an online CTF will be held in the attack/defense format. The contest is organized by the Hackerdom team. The main topic of the forum is the internet of things. You can register at . Winners will get valuable presents and invitations for the forum.

Get your things packed! The PHDays contest program will be published soon. Stay tuned!

The forum will take place on May 23 and 24, 2017, at the Moscow World Trade Center. You can register and buy tickets here. The price for the full 2-day conference is 9,600 rubles, and 7,337 rubles for one day.

The forum's partners are Microsoft, IBM, Infotecs, R-Vision, Solar Security and Axoft; the business partner is MONT; among technology partners are Cisco, CompTek, ARinteg, Qrator, and Wallarm; the Standoff partners are PaloAlto, ICL System technologies, Beyond Security; the Standoff participants are Informzaschita, Advanced Monitoring, Jet Infosystems and CROC; the general information partner is the news agency TASS.

3/29/2017

PHDays Technical Program: What to Expect from HummingBad Trojan, What Is macOS Malware, and Java Card Attacks

Positive Hack Days is just around the corner: more than 4,000 security experts are gathering in Moscow on May 23 and 24 this year to discuss the most pressing issues of information security. Recently we announced the first batch of speakers who got into the main technical program. If you’d like to share the stage with the biggest names in information security, you have your last chance—we are extending our Call for Papers until March 30. And while you are preparing your applications, we’d like to introduce our next batch of speakers.

3/14/2017

Hacking Contests at PHDays VII: City-Wide Digital Mayhem

For many, the highlight of PHDays is the hacking contests—besides adding a bit of competitive fun, they give valuable experience. This year's participants will be able to peek under the hood of a smart car and break into the automation systems powering an entire (virtual) city.

Most of the contests at PHDays VII are part of The Standoff, including Critical Infrastructure Attack: City, in which hackers can probe and test automated control systems. Last year, at Critical Infrastructure Attack: Blackout, a tenth-grader succeeded in causing a short-circuit at a high-voltage substation (500 kW). Hackers will have free rein on digital infrastructure that faithfully recreates the systems found in a real city, consisting of:

— Residential areas with building management systems (BMS), smart homes, transportation systems, and IoT gadgets
— Railroad
— Power station and substation (electrical generation, distribution, and management)
— Oil refinery and oil storage/transport facilities
— Video surveillance systems

If that seems too intimidating to start, we have partnered with ASP Labs to prepare a special warm-up contest named Free SCADA. Our stand will consist of SCADA equipment and PLCs (based on Raspberry Pi single-board computers), where participants can start practicing for Critical Infrastructure Attack: City and get hints about the city infrastructure and system settings. Hackers may take part in the contests only as part of Standoff teams. All necessary software and hardware must be brought by the participants.

In addition, conference participants will have two days of access to stands containing the “electronic insides” of modern vehicles. Today's cars are essentially computers with wheels, making them a tempting target for hackers. At the Automotive Village hands-on lab, experts and novices alike can see how car electronics are structured, independently explore a car's network, and write their own exploits. For the theoretically minded, discussion will include security of self-driving and connected cars, plus the difficulties of ECU reverse engineering and QNX security.

Aficionados of automotive security can test their knowledge at Automotive Village: CarPWN. This contest will include searching for wires, ECU searching, connecting to the on-board network without interruption, setting up an MitM attack using CANToolz, testing the security of QNX, and much more. All forum visitors are invited to take part. We recommend bringing your own CAN bus equipment.

Important: Participants must bring their own laptop for all contests.

A detailed description of contests and hands-on labs will be published soon on the forum website. Stay tuned for more news!

3/2/2017

New at PHDays VII: Hacking IPv6 Networks, WAFs of the Future, POS Terminals

Preparations for PHDays VII are in full swing. Early this year, we received 50 applications for presenting reports and workshops from Russia, Europe, Asia, Africa, North and South America. On February 1, the second stage of the Call for Papers started. For now, we will announce the first participants enrolled in the Tech program. This year, attendees will learn how to hack IPv6 networks and how attackers steal money using POS terminals, and will hear about new-generation WAFs.

Insecurity of payment systems: vulnerabilities in POS terminals

Today, almost every shop is equipped with a POS (point of sale) terminal for processing payment transactions made with magnetic stripe cards and smart cards. Terminals are widely used in different countries, and of course, where there is money, there are also attackers. In fall 2013, two hackers were arrested for hacking hundreds of POS terminals and stealing payment details of more than 100,000 Americans. The attackers scanned the internet searching for vulnerable devices that supported RDP, obtained access to them, and installed a keylogger on detected terminals. At PHDays VII, Gabriel Bergel, Chief Strategic Officer (CSO) in Dreamlab Technologies and Chief Security Ambassador in 11Paths, will talk about vulnerabilities in protocols of POS terminals and possible fraud methods: from the classic skimmer, eavesdropping, modification, and installation of third-party software to POS hardware tampering.

Alternative methods for vulnerability detection

In November 2016, James Kettle, Head of Research at PortSwigger Web Security, designed an open-source scanner that takes an alternative approach to searching for vulnerabilities. Existing web scanners search for server-side injection vulnerabilities by throwing a canned list of technology-specific payloads at a target and looking for signatures—almost like an anti-virus. The speaker will share key insights from the conception and development of an open-source scanner that's capable of finding and confirming both known and unknown classes of injection vulnerabilities.

ICS security: flaws again

Brian Gorenc, a senior manager of Vulnerability Research at Trend Micro and the head of the Zero Day Initiative (ZDI) program (the world's largest vendor-agnostic bug bounty program), will also speak at PHDays this year. Brian will present in-depth analysis performed on a corpus of more than 200 confirmed SCADA HMI vulnerabilities. Attendees will learn about popular vulnerability types discovered in HMI solutions developed by Schneider Electric, Siemens, General Electric, and Advantech. The speaker will also talk about vendors' policies on issuing patches. Additional guidance will be provided on detecting critical vulnerabilities in the underlying code.

Do WAFs dream of static analyzers?

For most modern WAFs, a protected application is a black box: HTTP requests in the input, HTTP responses in the output—that's all that is available for a firewall to make decisions and build a statistical model. Even if the WAF were able to catch all application requests to the outside world (the file system, sockets, databases, and so on), that would improve the quality of heuristic methods but would not help it switch over to formal methods of proving an attack. But what if we teach the WAF to work with an application model obtained through static analysis of its code? Or what if it builds that model directly at runtime, by being embedded in all the important steps of the application's execution? Vladimir Kochetkov, a lead expert at Positive Technologies and one of the organizers of Positive Development User Group, a community of developers who are interested in application security, will speak on implementing the concept of a WAF that considers an application as a white box and relies on formal methods of detecting attacks instead of heuristic ones.

Machine learning is the future

A report by Anto Joseph, a security engineer at Intel, covers the field of machine learning: he will give an introduction to the topic with the classic Boolean classification problem and introduce classifiers, which are at the core of many of the most common machine learning systems. Anto Joseph will also provide a simple example of deploying security machine learning systems in production pipelines using Apache Spark.

Drawing a bead on IPv6

The whole world is switching to IPv6, a new version of IP. It should solve the problem of internet addresses that existed in IPv4 by using an address length of 128 bits. This means that each device that has access to the internet will have a unique IP address. However, the emerging IPv6 deployments change the rules of the "network reconnaissance" game: with the typical 2^64 addresses per subnetwork, the traditional brute-force approach to address scanning from the IPv4 world becomes unfeasible. Fernando Gont, a security consultant and researcher for SI6 Networks, performed security analyses of IPv6. At PHDays VII, he will hold a hands-on lab on methods of researching and hacking IPv6 networks, and will talk about the latest IPv6 network reconnaissance techniques discussed in RFC7707.

* This is only a part of the reports accepted in the first stage. We will soon tell you about several interesting topics and speakers. Stay tuned!

If you want to present a report at PHDays VII, you still have time to apply till March 15, 2017. We remind you that we will announce the results on March 30, 2017. A full list of presentations will be published in April on the official website of PHDays VII. You can find more about topics and participation rules at the Call for Papers page.

The forum will be held in Moscow on May 23 and 24, 2017, at the Moscow World Trade Center. You can register and buy tickets here. The ticket price for two days of the forum is 9,600 rubles, and 7,337 rubles for one day.

2/7/2017

The Standoff at PHDays VII: hello IoT and hackable objects, goodbye flags

Last year's PHDays was host to a spirited contest between hackers and defenders at PHDays VI CityF: The Standoff. The field of battle was a virtual city: the hackers attacked the city with all available methods, while teams of defenders and security operations centers (SOCs) tried to thwart them. This shakeup in contest format captured the participants' imaginations, so we have taken things even further this year.

At PHDays VII, the main contest will be The Standoff, and the overall theme for PHDays is The Standoff: Enemy Inside. The organizers promise more attack vectors, more objects to defend and attack, and no more flags to capture. We invite hackers, defenders, and SOCs to take part—although who's to say that there are only three sides to this story?

Events will unfold in the same virtual place as last year, but the city itself has been significantly expanded. Hackers and defenders can run wild with a telecom company, combined heat and power plant, office complex, and—new to this year—a large number of IoT devices. Even PHDays visitors will be involved in the game.

During the game, teams will be able to do anything that is not forbidden by the rules. The rules themselves have been changed as well: defenders now are restricted by a budget. Each team of defenders is given the same amount of game currency, with which they can purchase security solutions from a local distributor or procure SOC monitoring services. Detailed rules for The Standoff have been published by the organizers.

If you're interested in joining in on the fun at The Standoff, write us at phd@ptsecurity.com. The application deadline is April 3, 2017. Don't forget that participation in The Standoff is open to PHDays guests, Internet users attending via PHDays Everywhere, and those who would like to try out particular assignments (such as hacking an office complex).

2/1/2017

PHDays Call for Papers: First Wave Closing

The first wave of the application process for the Positive Hack Days VII international applied security forum is nearly over. Despite the winter holidays, over 50 proposals for talks and workshops have been received already. For those who want to speak at the event, there is still time to apply. And for those who submit during the first wave, the program committee may offer suggestions and advice. The results of the first wave will become known after February 15. For information on topics and guidelines, see the Call for Papers page.

Proposals received by the program committee have come from Europe, Russia, Asia, Africa, North America, and South America. Topics include:

— What's worse: poor implementation or vague standards? Russian and international practice with vulnerability-finding during standards compliance audits; bypassing of app store checks.
— Hacking Android apps and IPv6 networks: technology overview and typical attacks.
— Hacking medical equipment: hacker-to-machine interface and other IoT security topics.
— When defenders attack: hacking a botnet for incident investigation.
— Hacking cloud infrastructure and apps: scalability of red teams and larger numbers of attackable targets in complex systems.
— Looking critically at protection technologies: which is “deader,” antivirus or SIEM? Which has more to offer: vulnerability intelligence, bank transaction analysis, or logs of hidden site trackers?
— Yesterday's threats, today's attacks: vulnerabilities in Docker, HTML5, Hadoop, and IPv6.
— New levels of (in)security in payment and banking systems. POS security meets NFC and Java Card security.

The Call for Papers ends on March 15; results will be made known by March 30. A full list of presentations will be published in April on the official PHDays VII site.

The conference will be held on May 23–24, 2017, at the World Trade Center in Moscow, Russia. Conference registration and passes are available here.
A two-day pass costs RUB 9,600, while one day at the event costs RUB 7,337.

12/22/2016

PHDays VII Discount Reminder

We would like to remind you that you have only one week to buy PHDays VII tickets with the Early Birds discount! Until December 30, the ticket package for the two days of the forum costs 7,337 rubles. Starting December 31, the price will go up to 9,600 rubles for the two-day package and 7,337 rubles for one day. You can register and buy tickets here.

How to get to PHDays VII free of charge:

— Participate as a speaker with your security research. Potential speakers can apply here. The Call for Papers phase one will last until January 30. Read more on Call for Papers.
— Take part in the hackers’ contests. Qualification and registration will start closer to the event.
— Get through to the final round of the cyberpunk short-story competition. Rules of the contest will be published soon.
— Hold your own security forum in your city of residence as part of the PHDays Everywhere initiative. Keep your eye on the official news!

Students can also be granted free admission through participating in the PHDays Young School section. This year, apart from the research track, we’ll have Spring Hack Tricks—five-minute lightning talks—and a product comparison and review article contest. Read more on PHDays Young School. Best research authors will have an opportunity to give a talk to hackers and security specialists.

Application deadlines:

— January 15* for review work (the work itself must be completed by April 1*)
— April 1** for Young School research track
— April 15** for Spring Hack Tricks

Send your application to youngschool@phdays.com.

12/14/2016

PHDays VII Young School: Applications Now Accepted

We're excited to announce PHDays VII Young School! Undergrads, graduate students, and independent young researchers in all areas of information security are invited to take part. Last year, the Young School format pivoted from peer competition to presenting ideas, and this year we've made more changes: young researchers will have even more options for sharing their work.

As before, we will have the research track for applied security topics. There should be experimental proof of practical value; criteria for novelty and relevance should also be met. For topics that are accepted, one author will be invited to give a talk at the forum with reimbursement from the organizers for travel and accommodation. Coauthors will receive forum passes, without reimbursement of their expenses.

Researchers are also welcome to apply to present Spring Hack Tricks: in these five-minute lightning talks, you can describe a trick and/or tools that help you in your work, bug bounty, or CTF contests. The main criteria are real-world relevance and originality. If your proposal is accepted, you will receive a forum pass and the opportunity to share your idea with the community.

Another way to present at the forum is to write an in-depth review article comparing two or more information security products of the same class. This is an all-new format for Young School, so the organizers are going all-out to make it happen: they will help with preparing an outline of the review and give feedback to improve the quality of the work. Authors of accepted works will be invited to the forum with reimbursement for travel and accommodation, and will be able to present the results of their work at the forum.

How to apply

Apply by sending your application to youngschool@phdays.com. Rules and application requirements are posted at phdays.com/program/ys/. Prospective applicants are invited to contact the organizers before applying. In case of questions regarding research topics, results, how to present information, etc., contact youngschool@phdays.com.

Application deadlines:

— January 15 for review work (the work itself must be completed by April 1)
— April 1 for Young School research track
— April 15 for Spring Hack Tricks

11/29/2016

PHDays VII Ticket Sale Kick-Off

On November 29, the ticket sale for the international forum on practical information security Positive Hack Days VII was launched. You can register and buy tickets here. As in the previous year, we are offering the Early Birds discount: until December 30, the ticket package for the two days of the forum costs 7,337 rubles. Starting December 31, the price will go up to 9,600 rubles for the two-day package and 7,337 rubles for one day.

How to get to PHDays VII free of charge

You can participate as a speaker. Potential speakers can apply here; the Call for Papers phase one will last until January 30. Both recognized experts and aspiring specialists can hand in their research results. For the list of topics and “how to apply” tips, see the Call for Papers page.

Alternatively, take part in the hackers’ contests or hold your own security forum in your city of residence as part of the PHDays Everywhere initiative.

Students can also be granted free admission through participating in the PHDays Young School section. Best research authors will have an opportunity to give a talk to hackers and security specialists. Further details are coming soon; keep your eye on the news!

11/17/2016

PHDays VII Call for Papers: How to Stand Up at the Standoff

November 15 marks the start of the call for papers for Positive Hack Days VII, an international digital security forum that will be held at the World Trade Center in Moscow, Russia, on May 23–24, 2017. Potential presenters must apply by sending an application form before January 30, 2017. Both established experts and up-and-coming specialists are encouraged to apply. At the event, we plan to emphasize the threats and opportunities for building a safer Internet of Things. The theme of the prior forum—The Standoff—has taken on a life of its own with some unexpected twists. Cyberwarfare now threatens the everyday objects around us and hackers can use smart cars, smart home sensors, video cameras, and even children's toys to their advantage. More than just a place for discussing security issues, PHDays is a space for building solutions. We urge speakers to share specific advice and tactics for mitigating security threats. We welcome both real-world experience and original research in all imaginable areas of security: defense, offense, smart devices, social networks, physical security, social engineering... If you have something to say, we hope to hear it at PHDays VII. For information on topics and guidelines, see the Call for Papers page at www.phdays.com/call_for_papers. Applicants are strongly encouraged to apply early. Early-bird applicants leave time for the program committee to provide recommendations, which increases the likelihood of their presentation making the final cut.