News

10/26/2016

PHDays VII: The Standoff Continues

Today marks the official start of preparations for the seventh Positive Hack Days international security forum. The event will be held on May 23–24, 2017 at the World Trade Center in Moscow, Russia. As in past years, attendees will represent a diverse cross-section of security, with hackers, developers, security experts, business and government figures, and young scientists joined by specialists from finance, telecom, oil and gas, industrial, and IT companies. And as always, surprises are in store for both guests and participants—but more about that a bit later.

More than just presentations and discussions of security topics, PHDays has long offered a staging ground for the most daring experiments in the field. Event organizers, as always, work to minimize advertising and promotion while maximizing interesting presentations, real-world usefulness, and hands-on competitions.

The theme of PHDays VII is “The Standoff: Enemy Inside”. While futurologists were scaring us with visions of Big Brother and The Terminator, our enemies have taken a most unexpected form: an enormous number of digital devices omnipresent in our homes, pockets, streets, and offices. Cars, payment terminals, smart home sensors, children's toys, and even surveillance cameras which were supposed to keep us safe—all these are now weapons in the hands of hackers. We are, quite literally, surrounded. How can we fight an enemy when there is no front line and even our coffee machine may stab us in the back? We will try to find the answer at PHDays.

At PHDays VI in 2016, we offered a new paradigm for the hacking competition: a no-holds-barred cyberbattle between attackers and defenders. Instead of abstract quizzes, participants were given specific objectives to accomplish. Now we are making the setting even more realistic, with the battlefield consisting of a city where pentesters will try to take control of city infrastructure and smart appliances. Social engineering will target team members and even ordinary visitors at PHDays VII.

The hackers defeated in the previous Standoff will undoubtedly seek revenge. But who's to say that there can be only two sides to a battle? The competition will be “spiced up” with new hackable objects, more action, day/night scenarios, and social engineering. According to Timur Yunusov, Head of the Banking System Security Unit at Positive Technologies and member of the PHDays organizing committee, the main roles—hackers, defenders, and SOC—will remain the same. But Standoff participants will now include professional pentesters. The remainder of the competition will focus on city infrastructure, where participants can try to hack industrial control systems, a telecom company and bank, the Internet of Things, and network equipment. Event partners will help in laying the technical groundwork for the Standoff. Nobody can know the outcome of the competition in advance, but one thing is clear: more twists and turns mean more excitement for everyone.

Participants will also be able to hear interesting presentations, attend workshops, and discuss IT security topics with leading industry specialists. Conversations will concentrate less on generalizations, and more on practical solutions for improving security.

“This time around we plan to focus even more on innovations in techniques for hacking and applying security in practice. Our objective is for government, business, and industry to each contribute to the dialog on how to respond to the latest threats. Conversation will center on the Internet of Things, the combination of the IoT and SCADA, development of security solutions, and SSDL approaches. Above all, the greatest value we see in the conference is bringing everybody to the table: business executives, IT and security professionals, developers, SOC specialists, and so many others. As always, we have made sure that both technical and business aspects are reflected so that the management and technical sides hear each other and identify new opportunities for building more secure and reliable IT systems,” said Alexey Kachalin, Deputy Director of Business Development in Russia at Positive Technologies and member of the PHDays organizing committee.

Interested in presenting? The first call for presenters will open soon. Stay tuned! In the meantime, feel free to view the best presentations from PHDays VI. Over 14,000 people have visited the forum over the last six years. PHDays VI set a new record, with 4,200 visitors. Don’t miss your chance to take part!

7/6/2016

The Standoff at PHDays VI: New Format for a New Reality

Positive Hack Days VI has come and gone, making it the perfect time to take a look back as well as see what is in store for next year. The theme of these PHDays was “The Standoff” – an idea that event organizers had wanted to explore for years, and in May came to fruition as PHDays VI CityF: The Standoff. No mere hacker game, this was a two-day battle of the best in cybersecurity.

Last year at PHDays V, event organizers tried to make the cybersecurity competition more like the real world. Per the event scenario, each capture-the-flag team represented a group in an imaginary country. The CTF teams accepted assignments (i.e., for hacking into different systems) through a DarkNet hacker marketplace. This year, the creators did one better by spicing up the hacker-heavy games with new participants: defenders and security operations center (SOC) specialists. This made the game much more lifelike and diverse – instead of only participants accustomed to being on “offense”, other specialists who build cybersecurity systems and investigate incidents were now represented as well.

6/14/2016

PHDays VI: WAF Bypass Contest

The WAF Bypass competition, now an annual event held during Positive Hack Days, an international forum on information security, was organized in May this year as well. The contest’s participants attempted to bypass the security checks of PT Application Firewall that protected vulnerable applications. Positive Technologies specialists had introduced configuration errors that allowed some bypassing of the system. The goal of each task was to retrieve a flag stored in a database, file system or in cookies given to a special bot. Below are descriptions and solutions of the contest’s tasks.

1. m0n0l1th

In this task, participants performed an LDAP injection to retrieve the admin password from the LDAP storage. There was a form with an input for a username, which passed directly into an LDAP query.

6/9/2016

PHD VI: How They Stole Our Drone

This year, a new competition was introduced at PHDays, where anyone could try to take control over a Syma X5C quadcopter. Manufacturers often believe that if they implement a wireless standard instead of IP technology, they need not think about security. As if hackers would give up because dealing with something other than IP is too long, difficult, and expensive. But in fact, SDR (software-defined radio) is an excellent way to access the IoT, where the initial level is determined by the level of an IoT vendor’s care and concern. However, even without SDR you can work wonders, even in the limited space of frequencies and protocols.

The contest goal is to take control over a drone.

Inputs:
- drone control range: 2.4 GHz ISM,
- control is driven by the module nRF24L01+ (actually, by its clone — BK2423).

Facilities (optional): Arduino Nano, nRF24L01+.

The hijacker received the Syma X8C as a prize. Since those who wanted to steal our drone were trained people who had HackRF, BladeRF, and other serious tools in their arsenal, we describe two hijack methods: via SDR and nRF24L01+.

The Way of the Samurai: SDR

First of all, you need to find channels that are running the console. But before that, you need to skim through the data sheet to get an idea of what you need to look for. First of all, we need to find out the organization of frequencies.

5/23/2016

The Most Notable Moments of PHDays VI: Day One

More than 3,000 people attended the Positive Hack Days information security forum during its first day. Moreover, 15 hackspaces across Russia, Bangladesh, Belarus, India, Kazakhstan, Peru, Tunisia, and Sweden threw open their doors to those who wanted to participate in the forum online. The forum was broadcast on the internet. About 50 reports were presented during the first day, hands-on labs and round-table talks were held, and tens of hacking contests were launched.

The information security level has a tendency to decrease

Positive Technologies experts presented Positive Research 2016 at the forum. This analysis report reveals a decrease in information security in almost every sphere. The security of the IT infrastructure of large companies still leaves much to be desired: in 46% of cases, an intruder with low qualification could get access to internal network resources. The most common vulnerabilities: the use of dictionary passwords (53%), vulnerabilities in web applications (47%) and service protocols (100%), inefficient antivirus protection (91%), out-of-date software (82%).

Mobile subscribers’ data is at risk, PT experts say. They investigated SS7 security last year and the results showed that in 89% of cases it was possible to tap SMS messages, in 58% to locate a subscriber, and in 50% to intercept calls.

Banks are still vulnerable. All of the tested systems contained vulnerabilities, 90% of them being critical. In 50% of systems, two-factor authentication mechanisms were lacking or implemented incorrectly. Mobile bank apps for iOS are more secure than those for Android: 33% of critical vulnerabilities vs 75%, respectively.

Positive Technologies specialists detected more than 100 vulnerabilities in industrial control systems in 2015. Nearly half of these errors can cause service failure. Among the most vulnerable systems: SCADA, HMI, PLC, remote terminals, network devices, and engineering software.

5/18/2016

Teenager Hacks Electrical Substation at PHDays

A contest on hacking industrial equipment was held on May 17 during Positive Hack Days, an information security forum. According to the contest scenario, hackers attacked a model electrical power supply system. The contest model was close to a real-world system both technically and functionally. It was divided into separate parts: generation, transmission, distribution, and power supply management. The outcome of the contest Critical Infrastructure Attack: Blackout is remarkable. A seventeen-year-old student from Moscow managed to bypass industrial protocols’ security systems. Even a school student can hack a substation. A tenth grade student found specialized engineering software and exploited vulnerabilities he had detected in Siemens SCADA systems. This caused a shortage at a high-voltage substation (500 kV).

5/16/2016

The PHDays VI Business Program: Honest Discussion of Difficult Issues

Can we protect enterprises and transportation systems from threats of the fourth industrial revolution, also known as Industry 4.0? Will the cybersecurity market employ a service model? Is it time to get rid of antiviruses and IDS? Will SIEM become a solution to all problems? How to detect an insider? These and other topics are included in the business program of the international forum on practical security Positive Hack Days VI that takes place on May 17-18 in Moscow. This year there will be over 4,000 participants from more than 700 organizations from 20 countries. Most of them are chief executives, government representatives, IT SEO, and heads of large international corporations.

Day 1

What are the key information security problems for business? What solutions can vendors put on the table to counteract them? What role should the government play in this process? These and other questions will be raised during the discussion "Face to Face: The Arbiters of Security" that will be held in the Amphitheater Hall between 11:00 and 12:00. Among the participants are government representatives, CISO, CIO, and developers.

Between 13:00 and 14:00 the same stage will be occupied by white hats. During the section "Why We Hack: The Truth" they will estimate the value of their work and discuss how to efficiently attract new researchers (bounty programs, outsourcing, development of an IS department). The speakers will also try to describe an image of a future IS researcher. The moderator is Boris Simis, Business Development Director at Positive Technologies.

At the same time Hall A will be occupied by bloggers and journalists that write about cybersecurity. Should security incidents be covered by media? If so, how to raise the quality bar of news coverage? Are there any independent IS media? Is there a chance for IS-related long reads in Russia? How to make an effective protection tool out of media coverage of cybersecurity issues? The section "The Press on Information Security: TS or Breaking News?" will be moderated by the Positive Technologies representatives — Alexey Kachalin, Director of Expert Security Center, and Yuliya Sorokina, PR Manager.

Between 14:00 and 15:00 the audience may choose between
• Jason Shirk talking about Microsoft Bounty programs and vulnerabilities worth 100,000 dollars (Amphitheatre Hall)
• Vladimir Ivanov and Sergey Gordeychik with one of the most anticipated talks of the day "Targeted Attacks: Be the First to Aim" (Seliger Hall). The experts will discuss the effectiveness of existing protection approaches, methods of bypassing a sandbox, and whether IDS and AV are obsolete.

The evening will start with the section "Another Round of the Standoff: IS Services as a Response to New Threats and Challenges" (16:00 - 18:00). The experts from Positive Technologies, Kaspersky Lab, and Jet Infosystems will discuss whether clients are ready to buy IS services, focus on the advantages and disadvantages of the new services against the out-of-the-box solutions, and touch on preparation of specialists that provide such services.

Between 17:00 and 18:00 in Hall A there will be the audience favorite Lightning Talk. Within a 5-minute limit, anyone can share their ideas and talk about their current project, a new vulnerability or a problem in security algorithms, a new concept for a security analysis tool or a large-scale study. The main goal is finding people who think the same. Lightning Talk will be moderated by Andrey Petukhov from the Faculty of Computational Mathematics and Cybernetics of Lomonosov Moscow State University and Evgeny Minkovsky, Head of Educational Programs at Positive Technologies.

Day 2

Before iPhone, Nokia and Motorola occupied half of the mobile phone market. Before Google, the most popular search engines were MSN, Lycos, Excite, and Yahoo. Will a new IS technology appear to send the current industry leaders into oblivion? Find out more on May 18 in the section "Defense and Offense Technologies in 2016: Which Side will Make a Breakthrough?" Timur Yunusov, Dmitry Kurbatov, and other security experts will share their opinions with the audience in the Amphitheatre Hall between 10:00 and 11:00.

At 11:00 starts the two-hour section "Industrial System Security: It's Time to Take Action" moderated by Ivan Melekhin. It is well proved by notorious incidents that cyber threats to industrial systems are as relevant as ever. Facilitated by Industry 4.0, integration with industrial processes makes cyber systems more vulnerable and exposed to attacks. Our guests from leading manufacturing companies and automated information system developers will share their experience while discussing industrial system security.

At 12:00 the Amphitheater will be occupied by Jan Neutze, Director of Cybersecurity Policy at Microsoft Europe. We would like to draw your attention to his talk "From Cyber Offense to Cyber Arms Control: Developing Cybersecurity Norms".

At 13:00 begins the section "IT Round" (Amphitheater Hall). It will be competing for the audience's attention with the talk "Real and Formal Security: Born to Be Together" by Mikhail Emelyannikov that starts at the same time in the Press Hall. Technical security, i.e. vulnerability analysis, penetration tests, implementation of safety tools, is often considered as real, practical security as opposed to formal security. The speaker will show that these two types of security complement each other and it is impossible to solve actual security problems by using only one of them.

At 14:00 there will be a section dedicated to proactive education methods in the cybersecurity industry. How are IS stars born and can we speed up their appearance? What new specialties are to be expected 5 years from now? The talk will be dedicated to modern education methodologies for cybersecurity specialists and ways to discover new talents, as well as educational programs that would make anyone fall in love with information security.

At 15:00 starts the two-hour discussion "SIEM, or Not SIEM: That is the Question" moderated by Alexey Lukatsky (Seliger Hall). What tasks can be solved by a SIEM system and what does it actually do? Is there a future for this type of system? What is the real state of things in the SIEM segment both in Russia and abroad? What difficulties are surrounding SIEM employment? Let the community know your opinion.

Two talks will take place in Hall A. Sergii Kavun will discuss how to detect insiders' activity within a company (15:00 - 16:00). Valery Schepak will talk about the security of various enterprises, shops, restaurants, offices, banks, and cottages in his report "An Attack against a Surveillance Panel" (16:00 - 17:00).

At 17:00 the forum guests will have to make a difficult choice between Andrey Masalovich in Hall A and Alfonso de Gregorio in the Seliger Hall. The first speaker will talk on how information attacks are developed, how to detect them at an early stage, and how to resist them. The second talk is about the vulnerability supply chain, its participants, and ethical questions that arise in the business.

You can find the forum schedule on the official site: phdays.com/program/schedule.

The main credo of Positive Hack Days is less ads and more applicable knowledge in talks and sessions, informal communication between "black suits" and "T-shirts", exciting contests and electrifying atmosphere of the research playground. The organizer is Positive Technologies. Our partners: Kaspersky Lab, Axoft, CROC, Cisco, Check Point, InfoTeCS, IBS, Qlik, ANGARA, MONT, NAG, and ICL.

5/10/2016

Tickets to PHDays VI Are Available till May 13

Even though PHDays VI is just around the corner, there is still a chance to become a part of it. Tickets will be available for sale till May 13. Buy them now at runet-id.com/event/phdays16.

The international forum on practical security Positive Hack Days is taking place at the World Trade Center in Moscow on May 17-18, 2016. For two days, it will become the playing ground for 4,000 hackers, cybersecurity experts, IT vendors, researchers, government representatives, and digital freedom activists. There will be business and tech talks, round-table discussions, sections, hands-on labs, and much more. You may find the schedule here.

In addition, this year we are bringing you a fully-fledged battle between hackers and security experts — PHDays VI CityF: The Standoff. The setting for this competition is an interconnected urban environment with its own ICS, IoT, online banking system, GSM, and network equipment.

We also have new contests in store. Everyone is challenged to initiate an industrial disaster at a hydro power plant, disrupt operation of a smart home, and take control over a car. Find out more about the upcoming contests here.

Don't forget about entertainment. We have prepared a lot of surprises like an art exhibition, cyberpunk night, and even a rock concert featuring the band "Lucy's First Job" — the joint venture of Positive Technologies employees. We are waiting for you at Positive Hack Days VI! It will be fun!

5/4/2016

PHDays VI Life Stories: How Moxie Marlinspike Defeated FBI and John Bambenek Sniffed Out Number One Hacker

In early April, all the largest mass media worldwide talked about Moxie Marlinspike: a billion WhatsApp users are now end-to-end encrypted by his Signal Protocol. In just a month, on May 17 and 18, you will have a chance to learn from Moxie at PHDays VI. Along with Moxie Marlinspike, Rahul Sasi, Paul Vixie, John Bambenek, and Andrey Masalovich will share their professional experience.

Obama and Cameron against Marlinspike

4/28/2016

Lightning Talk: Get Your 5 Minutes of Fame at PHDays VI

We invite you to take part in a session of 5-minute talks at Positive Hack Days VI. Tell the audience about a new vulnerability or a problem in security algorithms. Do you have a new concept for a security analysis tool or plan a large-scale study? Share your ideas and find people who think the same.

Lightning Talk is the audience's favorite for a number of reasons. First, it's an opportunity to join an interesting project. Second, if a topic is boring or a speaker is ill-prepared, you just need to wait for a couple of minutes before another one takes his place.

To take part in this event, you need to inform the FastTrack moderator or sign in at the registration desk. The rules are simple:
• Each talk lasts 5 minutes (1 or 2 slides)
• No pre-moderation
• Best speakers get an invitation to PHDays VII

The international forum on practical security Positive Hack Days is taking place at the World Trade Center in Moscow on May 17-18, 2016. You may see with your own eyes how hackers attack power plants and mobile networks, shut down smart home ventilation and transfer money from e-banking systems, while security specialists counteract these threats.