News
The Most Notable Moments of PHDays VI: Day One
More than 3,000 people attended the Positive Hack Days information security forum during its first day. Moreover, 15 hackspaces across Russia, Bangladesh, Belarus, India, Kazakhstan, Peru, Tunisia, and Sweden threw their open doors to those who wanted to participate in the forum online. The forum was broadcasted on the internet. About 50 reports were presented during the first day, hands-on labs and round-table talks were held, tens of hacking contests were launched. The information security level has a tendency to decrease Positive Technologies experts presented Positive Research 2016 on the forum. This analysis report reveals the decrease in information security in almost every sphere. The security of IT infrastructure of large companies still leaves much to be desired: in 46% of cases, an intruder with low qualification could get access to internal network resources. The most common vulnerabilities: the use of dictionary passwords (53%), vulnerabilities in web applications (47%) and service protocols (100%), inefficient antivirus protection (91%), out-of-date software (82%). Mobile subscribers’ data is at risk, PT experts say. They investigated SS7 security last year and the results showed that in 89% of cases it was possible to tap SMS messages, in 58% to locate a subscriber, 50% to intercept calls. Banks are still vulnerable. All of the tested systems contained vulnerabilities, 90% of them being critical. In 50% of systems lacked two-factor authentication mechanisms or they were implemented incorrectly. Mobile bank apps for iOs are more secure that ones for Android: 33% of critical vulnerabilities vs 75% accordingly. Positive Technologies specialists detected more than 100 vulnerabilities in industrial control systems in 2015. Nearly half of these errors can cause service failure. Among the most vulnerable systems: SCADA, HMI, PLC, remote terminals, network devices, and engineering software.
Teenager Hacks Electrical Substation at PHDays
A contest on hacking industrial equipment was held on May 17 during Positive Hack Days, an information security forum. According to the contest scenario, hackers attacked a model electrical power supply system. The contest model was close to a real-world system both technically and functionally. It was divided into separate parts: generation, transmission, distribution, and power supply management. The outcome of the contest Critical Infrastructure Attack: Blackout is remarkable. A seventeen-year-old student from Moscow managed to bypass industrial protocols’ security systems. The outcome of the contest Critical Infrastructure Attack: Blackout is remarkable. A seventeen-year-old student from Moscow managed to bypass industrial protocols’ security systems. Even a school student can hack a substation. A tenth grade student found specialized engineering software and exploited vulnerabilities he had detected in Siemens SCADA systems. This caused a shortage at a high-voltage substation (500 kV).
The PHDays VI Business Program: Honest Discussion of Difficult Issues
Can we protect enterprises and transportation systems from threats of the forth industrial revolution also known as Industry 4.0? Will the cybersecurity market employ a service model? Is it time to get rid of antiviruses and IDS? Will SIEM become a solution to all problems? How to detect an insider? These and other topics are included in the business program of the international forum on practical security Positive Hack Days VI that takes place on May 17-18 in Moscow. This year there will be over 4,000 participants from more than 700 organizations from 20 countries. Most of them are chief executives, government representatives, IT SEO, and heads of large international corporations. Day 1 What are the key information security problems for business? What solutions can vendors put on the table to counteract them? What role should the government play in this process? These and other questions will be raised during the discussion "Face to Face: The Arbiters of Security" that will be held in the Amphitheater Hall between 11:00 and 12:00. Among the participants are government representatives, CISO, CIO, and developers. Between 13:00 and 14:00 the same stage will be occupied by white hats. During the section "Why We Hack: The Truth" they will estimate the value of their work and discuss how to efficiently attract new researchers (bounty programs, outsourcing, development of an IS department). The speakers will also try to describe an image of a future IS researcher. The moderator is Boris Simis, Business Development Director at Positive Technologies. At the same time Hall A will be occupied by bloggers and journalists that write about cybersecurity. Should security incidents be covered by media? If so, how to raise the quality bar of news coverage? Are there any independent IS media? Is there a chance for IS-related long reads in Russia? How to make an effective protection tool out of media coverage of cybersecurity issues? The section "The Press on Information Security: TS or Breaking News?" will be moderated by the Positive Technologies representatives — Alexey Kachalin, Director of Expert Security Center, and Yuliya Sorokina, PR Manager. Between 14:00 and 15:00 the audience may choose between • Jason Shirk talking about Microsoft Bounty programs and 100,000 dollars worth vulnerabilities (Amphitheatre Hall) • Vladimir Ivanov and Sergey Gordeychik with one of the most anticipated talks of the day "Targeted Attacks: Be the First to Aim" (Seliger Hall). The experts will discuss the effectiveness of existing protection approaches, methods of bypassing a sandbox, and whether IDS and AV are obsolete. The evening will start with the section "Another Round of the Standoff: IS Services as a Response to New Threats and Challenges" (16:00 - 18:00). The experts from Positive Technologies, Kaspersky Lab, and Jet Infosystems will discuss whether clients are ready to buy IS services, focus on the advantages and disadvantages of the new services against the out-of-the-box solutions, and touch on preparation of specialists that provide such services. Between 17:00 and 18:00 in Hall A there will be the audience favorite Lightning Talk. Within 5 minutes limit, anyone can share their ideas and tell about their current project, a new vulnerability or a problem in security algorithms, a new concept for a security analysis tool or a large-scale study. The main goal is finding people who think the same. Lightning Talk will be moderated by Andrey Petukhov from the Faculty of Computational Mathematics and Cybernetics of Lomonosov Moscow State University and Evgeny Minkovsky, Head of Educational Programs at Positive Technologies. Day 2 Before iPhone, Nokia and Motorola occupied half of the mobile phone market. Before Google, the most popular search engines were MSN, Lycos, Excite, and Yahoo. Will a new IS technology appear to send the current industry leaders into oblivion? Find out more on May 18 in the section "Defense and Offense Technologies in 2016: Which Side will Make a Breakthrough?" Timur Yunusov, Dmitry Kurbatov, and other security experts will share their opinions with the audience in the Amphitheatre Hall between 10:00 and 11:00. At 11:00 starts the two-hour section "Industrial System Security: It's Time to Take Action” moderated by Ivan Melekhin. It is well proved by notorious incidents that cyber threats to industrial systems are as relevant as ever. Facilitated by Industry 4.0, integration with industrial processes makes cyber systems more vulnerable and exposed to attacks. Our guests from leading manufacturing companies and automated information system developers will share their experience while discussing industrial system security. At 12:00 the Amphitheater will be occupied by Jan Neutze, Director of Cybersecurity Policy at Microsoft Europe. We would like to draw your attention to his talk "From Cyber Offense to Cyber Arms Control: Developing Cybersecurity Norms". At 13:00 begins the section "IT Round" (Amphitheater Hall). It will be competing for the audience attention with the talk "Real and Formal Security: Born to Be Together" by Mikhail Emelyannikov that starts at the same time in the Press Hall. Technical security, i.e. vulnerability analysis, penetration tests, implementation of safety tools, is often considered as real, practical security as opposed to formal security. The speaker will show that these two types of security complement each other and it is impossible to solve actual security problems by using only one of them. At 14:00 there will be a section dedicated to proactive education methods in the cybersecurity industry. How are IS stars born and can we speed up their appearance? What new specialties are to expect in 5 years from now? The talk will be dedicated to modern education methodologies for cybersecurity specialists and ways to discover new talents, as well as educational programs that would make anyone fall in love with information security. At 15:00 starts the two-hour discussion "SIEM, or Not SIEM: That is the Question" moderated by Alexey Lukatsky (Seliger Hall). What tasks can be solved by a SIEM system and what does it actually do? Is there a future for this type of systems? What is the real state of things in the SIEM segment both in Russia and abroad? What difficulties are surrounding SIEM employment? Let the community know your opinion. Two talks will take place in Hall A. Sergii Kavun will discuss how to detect insiders' activity within a company (15:00 - 16:00). Valery Schepak will talk about the security of various enterprises, shops, restaurants, offices, banks, and cottages in his report "An Attack against a Surveillance Panel" (16:00 - 17:00). At 17:00 the forum guests will have to make a difficult choice between Andrey Masalovich in Hall A and Alfonso de Gregorio in the Seliger Hall. The first speaker will talk on how information attacks are developed, how to detect them at an early stage, and how to resist them. The second talk is about the vulnerability supply chain, its participants, and ethical questions that arise in the business. You can find the forum schedule on the official site: phdays.com/program/schedule. The main credo of Positive Hack Days is less ads and more applicable knowledge in talks and sessions, informal communication between "black suites" and "T-shirts", exciting contests and electrifying atmosphere of the research playground. The organizer is Positive Technologies. Our partners: Kaspersky Lab, Axoft, CROC, Cisco, Check Point, InfoTeCS, IBS, Qlik, ANGARA, MONT, NAG, and ICL.
Tickets to PHDays VI Are Available till May 13
Even though PHDays VI is just around the corner, there is still a chance to become a part of it. Tickets will be available for sale till May 13. Buy them now at runet-id.com/event/phdays16. The international forum on practical security Positive Hack Days is taking place at the World Trade Center in Moscow on May 17-18, 2016. For two days, it will become the playing ground for 4,000 hackers, cybersecurity experts, IT vendors, researchers, government representatives, and digital freedom activists. There will be business and tech talks, round-table discussions, sections, hands-on labs, and many more. You may find the schedule here. In addition, this year we are bringing you a fully-fledged battle between hackers and security experts — PHDays VI CityF: The Standoff. The setting for this competition is an interconnected urban environment with its own ICS, IoT, online banking system, GSM, and network equipment. We have also new contests in stock. Everyone is challenged to initiate an industrial disaster at a hydro power plant, disrupt operation of a smart home, and take control over a car. Find out more about the upcoming contests here. Don't forget about entertainment. We have prepared a lot of surprises like an art exhibition, cyberpunk night, and even a rock concert featuring the band "Lucy's First Job" — the joint venture of Positive Technologies employees. We are waiting for you at Positive Hack Days VI! It will be fun!
PHDays VI Life Stories: How Moxie Marlinspike Defeated FBI and John Bambenek Sniffed Out Number One Hacker
In early April, all the largest mass media worldwide talked about Moxie Marlinspike — a billion of WhatsApp users are now end-to-end encrypted by his Signal Protocol. In a month only, on May 17 and 18, you will have a chance to learn from Moxie at PHDays VI. Along with Moxie Marlinspike, Rahul Sasi, Paul Vixie, John Bambenek, and Andrey Masalovich will share their professional experience. Obama and Cameron against Marlinspike
Lightning Talk: Get Your 5 Minutes of Fame at PHDays VI
We invite you to take part in a session of 5-minute talks at Positive Hack Days VI. Tell the audience about a new vulnerability or a problem in security algorithms. Do you have a new concept for a security analysis tool or plan a large-scale study? Share your ideas and find people who think the same. Lightning Talk is the audience's favorite for a number of reasons. First, it's an opportunity to join an interesting project. Second, if a topic is boring or a speaker is ill-prepared, you just need to wait for a couple of minutes before another one takes his place. To take part in this event, you need to inform the FastTrack moderator or sign in at the registration desk. The rules are simple: Each talk lasts 5 minutes (1 or 2 slides) No pre-moderation Best speakers get an invitation to PHDays VII The international forum on practical security Positive Hack Days is taking place at the World Trade Center in Moscow on May 17-18, 2016. You may see with your own eyes how hackers attack power plants and mobile networks, shut down smart home ventilation and transfer money from e-banking systems, while security specialists counteract these threats.
New Contests at PHDays VI: Hacking Power Facilities and Smart Homes
The PHDays competitions have always featured cutting edge challenges, testing the skills of participants. Hackers have been challenged to break into electrical substations, mobile communication systems and online banking systems, to throw a missile off course, steal money from an ATM, and derail trains. This year, the competitions revolve around the infrastructure of the city of CityF. Competitors will hack SCADA systems, the IoT, online banks, GSM and network equipment. All details are provided on the contests page of the forum. We have also prepared two very exciting new competitions — BMS & Smart House Attack and Critical Infrastructure Attack: Blackout described below. PHDays VI CityF will feature an electricity company (distribution and transmission substations, a hydroelectric power plant, central and regional control centers) and smart home. Participants will compete to test the safety of real systems individually or as part of a CityF team. Critical Infrastructure Attack: Blackout Hackers are challenged to attack a model of a regional power supply system. The model is similar to the systems used to power a city both technically and functionally. It is divided into several parts including power supply generation, transmission, distribution, and management. Participants will try to disrupt the normal operation of the system. Contestants will work with a substation of a 10 kV voltage class that distributes electricity to the city’s infrastructure facilities (houses, industrial enterprises). The competition will include a model of a house connected to many vital service systems. Competitors will try to capture the transmission substation (500kV) and disrupt its operation to generate a local blackout or even “switch off” the whole city. They will also attempt to take control of a hydroelectric plant, including disabling electricity transmission from the plant or affecting the operation of automatic hydraulic units and the power plant control system (turning on the emergency spillway and flooding the city). Hackers will have an opportunity to access a regional power dispatching system and a central control room to be able to monitor all the systems and manage this energy area. The winner will receive an Apple iPad, and the second-place winner will receive a Raspberry Pi 2 Kit. BMS & Smart House Attack Hackers will attempt to take control over vital service systems that range from a central electricity distribution system to a simple socket in a house. The model is a hybrid of building automation and smart home systems including lighting systems, water meters, elevators, and ventilation. The challenge is to gain control of individual systems or disable them. The task is complicated by the fact that the power supply of the house depends on the city’s distribution substation, which needs to be attacked as well. The winners will receive prizes from our partners Advantech and ProSoft — providers of the model and automation systems.
The EAST 4 SCADA Stand: How to Derail a Train
Ever wondered if you could crash a train? Well, now you can give it a shot at the PHDays EAST 4 SCADA showcase. EAST 4 SCADA is being launched at this year’s PHDays event giving the opportunity to those interested in ICS security to try and find vulnerabilities in SCADA systems or, indeed, craft their own exploits — or even crash a train on our model railway. The EAST 4 SCADA team will conduct a workshop around typical vulnerabilities found in industrial systems and the ways to hack them with an open-source exploits and security tools framework called EAST. The showcase will include a range of automation systems from such industry leaders as ABB, Siemens, Rockwell, ICP DAS, etc. You will discover how to find vulnerabilities in ICS, SCADA and PLC components, as well as to create and run test modules and exploits that demonstrate the existing risks in SCADA. You can try out some simple methods designed to impact ICS test systems, find vulnerabilities, and derail the train. Both experienced hackers and newbies are welcome. We recommend you bring your own laptops.
New at PHDays: Hardware Village
This year, we are launching Hardware Village at Positive Hack Days. Visitors are invited to inspect a whole heap of equipment and to participate in hands-on labs where Hardware Village developers will share their knowledge of hardware programming and hacking. Hardware Village runs over two days and is open to both experienced and novice hardware geeks. The first day is dedicated to wired networks and data transfer interfaces: Ethernet, 1-Wire, UART, JTAG, SPI, USB, CAN. The Hardware Village team will advise on how to choose the right equipment for your needs and how to use it correctly. Visitors will learn about multimeters, oscilloscopes, and logic analyzers and will explore homemade hacking devices on Arduino, ARM, and FPGA. The second day looks at wireless networks that work in the frequency range from 125kHz to 5GHz and popular data exchange technologies (RFID, NFC, Wi-Fi, Bluetooth). The Hardware Village organizers have also prepared an SDR hands-on lab and a hacking contest. Remember to bring along any of your own devices for the hands-on sessions. We look forward to seeing you there.
CityF Contest: A Standoff between Hackers and Security Experts
In just two months, we will kick off Positive Hack Days VI. Our preparations are well underway with the first wave of speakers already announced and the second wave to be named soon. Additionally, we have started receiving applications for Young School. So we are now delighted to reveal the rules of CityF: The Standoff. This year the competition will be a little different from other years. Instead of the CTF format, there will be a full-fledged battle between hackers and security experts. Participants will be grouped into three teams — hackers, defenders, and the SOC (security operations center). The scenario is created to be as realistic as possible with a huge variety of targets to hack including a bank, mobile operator, large corporation, electric company, etc. Beside the teams, all PHDays guests and PHDays Everywhere participants are encouraged to join the battle. The goal can be reached using any means that are acceptable excluding those restricted by the rules.l. Contact us at phd@ptsecurity.com to get enlisted for this battle. Applications are accepted until April 10, 2016. The number of participants is limited.l.