News

Non-Technical Program, or Hackers and Artists are only One Step Apart

Do hackers and artists truly come from two different worlds? Well, we don’t believe that and to prove it we are continuing to build on last years’ experience, some would say experiment, at PHDays to bring together the hacker and artistic communities. So, what’s happening at this year’s PHDays VI? We are hosting an exhibition of work by Alexey Andreev, an artist from Saint-Petersburg. His artworks, using a digital painting technique, were a highlight of PHDays V with many visitors commenting on the work. Alexey draws the observer into a fantasy world where all is not as it seems, where the obvious is twisted into an alternative reality. Unusual themes, eccentric characters and surreal surroundings are all important elements of his work. This year Alexey is also presenting his augmented reality images. Forum visitors will be able to animate pictures via their smartphone. Just a simple app download, scan of a QR code, and within a couple of seconds you’ll be in a world of flying trains and post-apocalyptic monsters. The artists’ works will be available for purchase during PHDays. All event attendees will have the opportunity to meet with the artist during the event. As usual, there will be a game zone with retro game machines (Battleship and Autorally-M) plus games that became popular during the 90’s including: Sega, Dendy, and PlayStation. A new addition, this year, is a vending machine stocked with ‘real space food’ (packed in tubes as it would be for astronauts) to help energize participants before they attend their next presentation or engage in a long lasting warfare activity. We also have some other surprises including our robot. So if you tire of your colleagues why not try asking our robot a question instead? The robot will answer any question, but only if it likes you. Are you an art lover? If you are, then there is a feast for the eyes, as you will be surrounded by a multitude of objets d’art. A chronicle of PHDays displayed on a board of floppy disks, the hacker manifesto projected onto a huge screen, and optical installations which can only be appreciated from a certain viewpoint and distance from the installation. They cheat the eye and demonstrate how your brain tricks you — all this and more will be available at PHDays VI. PHDays VI is taking place at the World Trade Center in Moscow on the 17-18 May 2016. Specialists from the areas of information security, hacking, science, media, politics, and business will gather together at this forum. So, why not participate? Buy tickets now at runet-id.com/event/phdays16. To get a free ticket, present your research on information security (closing date for the second wave of CFP is March 31), show off your hacking skills in one of our contests (preliminaries and registration will start right before the conference).

PHDays VI Young School Call for Papers

PHDays Young School has become something of a tradition at the annual PHDays forum. Now in its fifth year, Young School provides an amazing opportunity for would-be security experts to share their research with some of the world's leading security experts. This year, Young School has been changed from a single contest to a full section within the PHDays program. Applications to participate are invited from students, postgraduates, and young scientists engaged in infosec studies. The primary research topic remains the same – practical security: Hackers' new targets. Internet of Things: refrigerator botnets, smart bracelets, and remote car control Computer forensics focused on targeted APT attacks and cyber spying Attacks on payment and online banking systems; payWave, PayPass, and Apple Pay security Running a security operations center: cases, methods, and tools Ways to counteract DDoS attacks ERP system and business application security. Counteracting attacks against web applications New vectors and techniques of attacks on mobile devices Protection of cloud computing. Security of government information systems and E-government Applied cryptography Techniques and tools for physical security Protection of ICS/SCADA. Securing industrial systems and modern cities Zero-day vulnerabilities and new exploit deliveries Insecure secure development. SSDL and vulnerabilities in infosec solutions Authors should demonstrate the practical value of their research; the research methods should be described and substantiated. We do not accept papers that include ideas only (even if they are genius) without research results. Authors of the best papers will get to share their findings with hackers and security specialists at Positive Hack Days VI, an information security forum held in Moscow, May 17 and 18, 2016. Authors will be reimbursed for all travel and accommodation expenses; co-authors will receive tickets to the forum. Submissions This year, you need only to provide some key talking points in English or Russian. However, our review board should have access to the full research (see details in submission rules). The review board consists of infosec experts from the academic sector. You are welcome to consult with the Young School organizers prior to submitting your proposals. For any queries, please contact Andrew Petukhov (youngschool@phdays.com). PHDays Young School made its debut in 2012. Participants from universities in Krasnoyarsk, Moscow, Novosibirsk, St. Petersburg, and Taganrog were the finalists that year. Young School has grown to be truly international since then — last year finalists included those from Germany, Russia, Romania, and the USA. To take advantage of this great opportunity to participate in Positive Hack Days VI please send your application to youngschool@phdays.com. The closing date is April 1, 2016.

Introducing PHDays VI Reports: How to Hack a Fare Card, Set Up a Honeypot, and Sell Vulnerabilities

On January 31, the first wave of applications to join Positive Hack Days was completed. The forum on information security will take place on May 17 and 18, 2016, at the Moscow World Trade Center. If you want to take part in the forum, you can apply in the near future: the second wave of Call for Papers will hit on February 17 and will last till March 31. For now, we will announce the first participants enrolled in the Tech program. PHDays attendees will learn how to snatch a large sum at Microsoft and test transport systems security with a smartphone, and know the ins and outs of the zero-day vulnerability market. Honeypot Terrence Gareau, a recognized expert in DDoS attack mitigation, prevention, and recovery, will make his debut at PHDays. He will outline how to develop a honeypot network and produce a data feed that can be used to protect online assets with Kibana, Elasticsearch, Logstash, and AMQP. Terrence Gareau will open-source a monitoring system (a project his team has been developing for the last two years) for reflective DDoS statistics that are external to any specific network. Reward chasers, or Who is who in the exploit market Alfonso De Gregorio, the founder of BeeWise and a principal security researcher at secYOUre, will speak at the international forum for the second time. He will continue the topic of the previous talk, exploit selling. Alfonso will speak about the vulnerability supply chain's participants, zero-day exploits brokers, and ethical questions that arise in the business. How to make a lifelong travel card Matteo Beccaro, an Italian security researcher, will talk about transportation security, frauds, and technological failures. The speaker will cover some severe vulnerabilities in real-world transportation systems based on NFC technologies and introduce an open-source application designed to pentest such systems via a smartphone. The talk will attract both professional and amateur pentesters. Web application security with JavaScript Client-side JavaScript injection may be used to detect and prevent various attacks, search for vulnerable client components, detect leakage of data about web app infrastructure, and find web bots and malicious tools. The Positive Technologies experts Denis Kolegov and Arseny Reutov will show how to ensure application security with JavaScript share their own injection detection methods that employ syntax analyzers without signatures or filtering regular expressions. They will also discuss implementation of client-side JS honeypot to capture SSRF, IDOR, command injection, and CSRF attacks. How to snatch a large sum at Microsoft Until recently, Microsoft refused to launch a bug bounty program despite the fact that it has become a customary practice for competitors. Now, however, Microsoft pays researchers for certain types of vulnerabilities from USD 100 up to USD 100,000. Several recent exciting changes to the Microsoft Bounty Program include the competitive aspect of listing out its Top 100 finders. Jason Shirk, the principal security strategist for MSRC, will explain how the MSRC works with researchers, what bounties are available, and what other rewards can be earned. He will also uncover some secrets behind big bounties that have been paid. The complete list of reports will be available on the PHDays official site in April. To participate for free, you can present your report on information security or to take part in one of the forum's hacking contests or in the cyberpunk short-story competition. You can also buy a ticket to get to PHDays. Starting from February 15, the price for the full 2-day conference registration will be 9,600 rubles and 7,337 rubles for one day. On March 1, the cost will go up to 14,400 and 9,600 rubles respectively.

Discount PHDays VI Tickets Available till February 14

We’ve made a decision to extend the current Early Birds discount period for two more weeks, which means that you still got a chance to purchase a 2-day pass for only 7,337 rubles. Starting from February 15, the prices will change to: 9,600 rubles for the full 2-day conference registration and 7,337 rubles for one day only. On March 1, their cost will rocket to 14,400 and 9,600 rubles respectively. There are several ways you can join PHDays VI for free: Present your research on information security (the second wave of Call for Papers starts on February 17) Show off your hacking skills in one of our contests (preliminaries and registration will start right before the conference) Organize an interactive forum in your town (learn more about the PHDays Everywhere initiative). For two days, the PHDays VI forum will become the playing ground for 4,000 hackers, cybersecurity experts, IT vendors, researchers, government representatives, and digital freedom activists. The event is to take place on May 17-18 in Moscow World Trade Center (Krasnopresnenskaya naberezhnaya, 12). Buy tickets now at: runet-id.com/event/phdays16.

Tickets for PHDays VI are now available

Tickets for the international forum on information security Positive Hack Days VI are available for purchase from December 17. We are keeping last year’s prices till mid-January. A two-day ticket costs 7,337 rubles before January 30. You can register and buy ticket on the RUNET-ID Registration page. From January 31, the price will raise: a ticket for two days will cost 9,600 rubles, and 7,337 rubles for a one-day pass. From March 1, the cost will raise to 14,400 for two days and 9,600 rubles per day. Other ways to participate in PHDays There are several other ways to join PHDays VI. You can present a report on information security. The first stage of Call for Papers lasts till January 30. The review board considers applications not only from acknowledged information security experts, but also from newcomers. Before you apply, please, consider the forum's concept, topics, and previous presentations. You can also get an invitation by proving yourself in one of the hacking contests. Moreover, anyone can organize his own PHDays forum in his town: check out PHDays Everywhere registration terms. 4,000 hackers, information security specialists, IT vendors, researchers, government representatives and internet privacy defenders are expected to gather at PHDays VI on May 17 and 18, 2016. The event will take place at the Moscow World Trade Center (Krasnopresnenskaya naberezhnaya, 12). Buy tickets at: runet-id.com/event/phdays16. More information about PHDays IV: phdays.com.

Speak About Your Cyberwar at PHDays VI

Positive Hack Days VI, the international forum on practical information security, opens Call for Papers on December 3, 2015. Our international program committee consisting of very competent and experienced experts will consider every application, whether from a novice or a recognized expert in information security, and select the best proposals. Now, more than ever before, cybersecurity specialists are being asked to stop sitting on the fence and choose a side — competitive intelligence vs DLP systems; security system developers vs targeted cyberattacks; cryptographers vs reverse engineers; hackers vs security operations centers. A new concept of PHDays VI is designed to show what the current vibe is in information security. We want researchers to speak about the real dangerous threats and possible consequences. We also expect developers and integrators to give real answers to these threats rather than to talk about empowering security technologies. Come and share your experience at PHDays VI in Moscow, May 17 and 18, 2016. Your topic can revolve around any modern infosec field: new targeted attacks against SCADA, new threats to medical equipment, vulnerabilities of online government services, unusual techniques to protect mobile apps, antisocial engineering in social networks, or what psychological constitution SOC experts have. In addition, this year, we are planning to discuss IS software design, development tools, and SSDL principles. Our key criteria is that your research should be unique and offer a fresh perspective on hacking, modern information technologies, and the role they play in our lives. If you have something interesting or surprising to share, but none of the formats are suitable for your participation, please apply anyway and be sure we will consider your work. The first stage of CFP ends on January 31, 2016. Apply now — the number of final reports is limited.

PHDays VI: Moving to Direct Confrontation

The sixth Positive Hack Days forum on practical information security will take place at the Moscow World Trade Center on May 17 and 18, 2016. PHDays is a forum for security experts from across the globe to meet up and offers both researchers and students the opportunity to: hack mobile networks, derail trains, shut down the electricity grid, break into an ATM with a paper clip—and learn about the type of protection available to counteract these threats. As usual, the forum will have a key theme, which for PHDays VI will be the concept of confrontation. In 2016, business and government representatives to show hackers the power of resistance. One side will attack and the other defend. Who will win this two-day war? We will have to wait until PHDays VI to find out. Who’s attacking who Year after year PHDays have brought together various groups from the information security community: hackers and information security experts, government officials, those who value personal freedom, IT-business and law enforcement personnel—always around the theme of security. However, there has been a shift in the security world and today we see more and more often conflict between these groups, those on one side of the barricade have only a view from their side and cannot see the whole picture. This year, at PHDays VI, we are moving from a competition based around solving tasks to a two-sided practical game: hacker teams vs. SOC, cryptographers vs. reverse engineers, competitive intelligence specialists vs. DLP systems, developers of protection tools vs. targeted attacks. Speakers at PHDays VI will demonstrate the most critical threats and protection methods we are dealing with today and not just some scaremongering stories on vulnerability exploitation possibilities because what we really want and need to know is how the industry will respond to a specific threat. An airplane, tank or ship? We are designing a new PHDays program based on its basic principles: an ongoing search for unknown areas, live video broadcasting of speakers and panelists, no commercials, online training, unique set-ups, informal discussions, security incidents. The program will include tens of reports and hands-on labs, sessions and round tables, CTF contests, the Young School competition, and a cyberpunk short story contest. PHDays will have a completely new competition program offering new devices and loads of chill out space for hacking. A six-fold increase in number PHDays is becoming more popular year on year. PHDays is becoming more popular year on year. Just compare — the forum gathered 600 specialists in 2011, then 1,500 in 2012, more than 2,000 in 2013, and 2,500 in 2014. 3,500 attendees visited the forum in 2015. The forum included hundreds of reports, sessions and activities. The forum featured John Bambenek, Whitfield Diffie (via teleconference), Chris Hadnagy, Kevin Williams, Natalya Kasperskaya, Alexey Lukatsky, Dmitry Finogenov (FSB department #8), Alexander Radovitsky (RF Ministry of Foreign Affairs), Alexander Baranov (Federal Tax Service), Vadim Dengin, Andrey Tumanov and Ilya Kostunov (deputies of the State Duma), senior executives of the Bank of Russia and representatives of big business. Managing partners of Almaz Capital sponsored a startup competition with prize money of 1.5 million rubles. Contests involved hacking missiles, electrical substations, ATMs, and railways. Testimonials Over the past five years, PHDays has been the recipient of several awards and many kind words. The forum hosted such iconic figures of the information security community as Bruce Schneier (the author of Applied Cryptography), Marc Heuse (the founder of the security research group he Hacker’s Choice, the creator of Hydra, Amap, THC-IPV6), Karsten Nohl (one of the most famous specialists in GSM security), Donato Ferrante and Luigi Auriemma (Italian specialists in SCADA and Smart TV), Alexander Peslyak (known as Solar Designer, the creator of the password cracking tool John the Ripper), Whitfield Diffie (the advisor for Almaz Capital, the father of digital signatures and asymmetric encryption), Datuk Mohd Noor Amin (Chairman of IMPACT), William Hagestad (a military expert in cyber-intelligence). Last year, PHDays became the only cyber security conference held in Russia to be listed among the largest information security meetings, according to Concise Courses, the web’s most respected cyber security conference list. Experts on PHDays Bruce Schneier, Cryptography Expert, Chief Security Technology Officer at British Telecom: “We have been organizing security conferences for more than ten years. The majority of them are boring corporate events. However, this conference is something completely different. It not only inspires, it is very practical and quite counter-cultural.” Ilya Kostunov, a member of the Safety Committee and Corruption Counteraction Committee of the State Duma: “I’ve heard several reports at Positive Hack Days, and statistics have shocked me. I’m planning to intensify a draft bill on the protection of critical infrastructure.” Alexander Galitsky, Managing Partner at Almaz Capital: “Positive Technologies created the best information security conference in Russia. It is a relaxed and informal meeting place, and the central characters are not public authorities but security experts and developers.” Ruslan Gattarov, the member of the Council of the Federation Committee on Science, Education, Culture and Information Policy: “Our colleagues from foreign countries pump money into the information security industry, create cyberweapons, and increase the number of ‘cyber soldiers’ by ten times.” William Hagestad II, an expert in cyber-intelligence and counter-intelligence: “It is a unique event, where we can see how information security is created and find out who’s who in the area. The forum is notable due to its realistic contests, such as CTF, Critical Infrastructure Attack and the contest where participants are working on hacking the ‘smart home’.” Natalya Kasperskaya, CEO of InfoWatch: “I am struck by the scale of the event: I read how many attendees were expected, but the reality exceeded all my expectations.” Datuk Mohd Noor Amin, Head of IMPACT (United Nations): “Modern cyber threats are not only spam or fraud, but also graver risks with people’s lives at stake.” Keving Williams, General Manager of Team Cymru — UK Internet Security: “Here Russian private companies, public organizations, and government are trying to find a solution to the common problems. This is really interesting.” More information: phdays.com. Check out reports from previous meetings on YouTube.

People are Main Vulnerabilities. Social Engineering at PHDays V

Now you can watch Positive Hack Days V on YouTube — there are dozens of lectures on practical security in Russian and English. The 2015 forum was devoted to not only hardcore hacking techniques, but also "non-technical" attacks. Quite interesting and unusual was a report by Chris Hadnagy, who exploits human psychology and doesn't believe in technological progress: "While you're looking for zero-day vulnerabilities, we can just pick up the phone and find out your secrets." Let's take a look at some of the stories and observations of a 42-year-old American.

The MiTM Mobile Contest: GSM Network Down at PHDays V

Although we have published several research works on cell phone tapping, SMS interception, subscriber tracking, and SIM card cracking, lots of our readers still regard those stories as some kind of magic used only by intelligence agencies. The MiTM Mobile contest was held at PHDays for the first time, and it let the participants realize how easily an attacker can conduct the above-mentioned attacks having only a 10$ cell phone with some hacker freeware. Contest conditions and technologies You've got a corporate cell phone of a MiTM Mobile network user. Through the DarkNet you have obtained some information that can be useful:

1. The codes for publes (PHDays game currency – Pseudo rUBLE) are regularly sent to the phone number of the corporation's chief accountant — 10000.
2. The financial director is missing, nobody can get him on the phone for several days, his cell phone is turned off, but he is still getting passwords.
3. You can obtain key information by calling the number 2000, but there is authorization by the caller's number. We also managed to find out the phone number of the director's private secretary — 77777. He must have the access. There are other numbers in the network through which some employees get important information, but, unfortunately, we failed to find them. Besides, don't forget — you can always come across someone's private information in the corporate network.

Hot Cyberwar. Hackers and Missile Launchers

The most spectacular contest during PHDays V was the one organized by Advantech. The contest's participants must gain control over an industrial system that controlled a missile launcher and to hit a certain secret object. General A missile launcher on a turret rotating about two axes, and a target were presented on a stand. The contest's participants must gain control over the industrial system, turn the missile to the target and hit it (breaking down the equipment wouldn't count). According to the contest's scenario, a hacker bypassed the external perimeter and had access to the office's network segment. Those who connected to the network received the operator's login and password and could watch the system in operation. IP addresses of all the set devices were listed in a table on the stand. This year's format combined various competitions and capture the flag contests (for more information see our blog). About 40 PHDays attendees and several CTF teams took part in the contest. Technical details The SCADA system was deployed on the panel PC Advantech TPC-1840WP and was running on Windows 7 Ultimate without any additional protection systems. The operating system's updates were installed, Windows firewall was up. The SCADA system was implemented on Advantech WebAccess 8.0. Since the software could contain unpatched vulnerabilities, the operator's access was limited to visualization of the processes that go on in the controller. The controller's tags were read-only, and rewriting them didn't affect the equipment's operation. With administrator privileges, the attacker could access the page containing description of the system's structure and intrinsic addressing.