News

4/12/2016

New Contests at PHDays VI: Hacking Power Facilities and Smart Homes

The PHDays competitions have always featured cutting edge challenges, testing the skills of participants. Hackers have been challenged to break into electrical substations, mobile communication systems and online banking systems, to throw a missile off course, steal money from an ATM, and derail trains. This year, the competitions revolve around the infrastructure of the city of CityF. Competitors will hack SCADA systems, the IoT, online banks, GSM and network equipment. All details are provided on the contests page of the forum. We have also prepared two very exciting new competitions, BMS & Smart House Attack and Critical Infrastructure Attack: Blackout, described below.

PHDays VI CityF will feature an electricity company (distribution and transmission substations, a hydroelectric power plant, central and regional control centers) and a smart home. Participants will compete to test the safety of real systems individually or as part of a CityF team.

Critical Infrastructure Attack: Blackout

Hackers are challenged to attack a model of a regional power supply system. The model is similar to the systems used to power a city both technically and functionally. It is divided into several parts including power supply generation, transmission, distribution, and management. Participants will try to disrupt the normal operation of the system. Contestants will work with a substation of a 10 kV voltage class that distributes electricity to the city’s infrastructure facilities (houses, industrial enterprises). The competition will include a model of a house connected to many vital service systems. Competitors will try to capture the transmission substation (500kV) and disrupt its operation to generate a local blackout or even “switch off” the whole city. They will also attempt to take control of a hydroelectric plant, including disabling electricity transmission from the plant or affecting the operation of automatic hydraulic units and the power plant control system (turning on the emergency spillway and flooding the city). Hackers will have an opportunity to access a regional power dispatching system and a central control room to be able to monitor all the systems and manage this energy area.

The winner will receive an Apple iPad, and the second-place winner will receive a Raspberry Pi 2 Kit.

BMS & Smart House Attack

Hackers will attempt to take control over vital service systems that range from a central electricity distribution system to a simple socket in a house. The model is a hybrid of building automation and smart home systems including lighting systems, water meters, elevators, and ventilation. The challenge is to gain control of individual systems or disable them. The task is complicated by the fact that the power supply of the house depends on the city’s distribution substation, which needs to be attacked as well.

The winners will receive prizes from our partners Advantech and ProSoft, providers of the model and automation systems.

3/31/2016

The EAST 4 SCADA Stand: How to Derail a Train

Ever wondered if you could crash a train? Well, now you can give it a shot at the PHDays EAST 4 SCADA showcase. EAST 4 SCADA is being launched at this year’s PHDays event giving the opportunity to those interested in ICS security to try and find vulnerabilities in SCADA systems or, indeed, craft their own exploits — or even crash a train on our model railway. The EAST 4 SCADA team will conduct a workshop around typical vulnerabilities found in industrial systems and the ways to hack them with an open-source exploits and security tools framework called EAST. The showcase will include a range of automation systems from such industry leaders as ABB, Siemens, Rockwell, ICP DAS, etc. You will discover how to find vulnerabilities in ICS, SCADA and PLC components, as well as to create and run test modules and exploits that demonstrate the existing risks in SCADA. You can try out some simple methods designed to impact ICS test systems, find vulnerabilities, and derail the train. Both experienced hackers and newbies are welcome. We recommend you bring your own laptops.

3/29/2016

New at PHDays: Hardware Village

This year, we are launching Hardware Village at Positive Hack Days. Visitors are invited to inspect a whole heap of equipment and to participate in hands-on labs where Hardware Village developers will share their knowledge of hardware programming and hacking. Hardware Village runs over two days and is open to both experienced and novice hardware geeks. The first day is dedicated to wired networks and data transfer interfaces: Ethernet, 1-Wire, UART, JTAG, SPI, USB, CAN. The Hardware Village team will advise on how to choose the right equipment for your needs and how to use it correctly. Visitors will learn about multimeters, oscilloscopes, and logic analyzers and will explore homemade hacking devices on Arduino, ARM, and FPGA. The second day looks at wireless networks that work in the frequency range from 125kHz to 5GHz and popular data exchange technologies (RFID, NFC, Wi-Fi, Bluetooth). The Hardware Village organizers have also prepared an SDR hands-on lab and a hacking contest. Remember to bring along any of your own devices for the hands-on sessions. We look forward to seeing you there.

3/23/2016

CityF Contest: A Standoff between Hackers and Security Experts

In just two months, we will kick off Positive Hack Days VI. Our preparations are well underway with the first wave of speakers already announced and the second wave to be named soon. Additionally, we have started receiving applications for Young School. So we are now delighted to reveal the rules of CityF: The Standoff. This year the competition will be a little different from other years. Instead of the CTF format, there will be a full-fledged battle between hackers and security experts. Participants will be grouped into three teams: hackers, defenders, and the SOC (security operations center). The scenario is created to be as realistic as possible with a huge variety of targets to hack including a bank, mobile operator, large corporation, electric company, etc. Besides the teams, all PHDays guests and PHDays Everywhere participants are encouraged to join the battle. The goal can be reached using any means that are acceptable excluding those restricted by the rules. Contact us at phd@ptsecurity.com to get enlisted for this battle. Applications are accepted until April 10, 2016. The number of participants is limited.

3/18/2016

Non-Technical Program, or Hackers and Artists are only One Step Apart

Do hackers and artists truly come from two different worlds? Well, we don’t believe that, and to prove it we are continuing to build on last year’s experience, some would say experiment, at PHDays to bring together the hacker and artistic communities. So, what’s happening at this year’s PHDays VI?

We are hosting an exhibition of work by Alexey Andreev, an artist from Saint-Petersburg. His artworks, using a digital painting technique, were a highlight of PHDays V with many visitors commenting on the work. Alexey draws the observer into a fantasy world where all is not as it seems, where the obvious is twisted into an alternative reality. Unusual themes, eccentric characters and surreal surroundings are all important elements of his work. This year Alexey is also presenting his augmented reality images. Forum visitors will be able to animate pictures via their smartphone. Just a simple app download, scan of a QR code, and within a couple of seconds you’ll be in a world of flying trains and post-apocalyptic monsters. The artist’s works will be available for purchase during PHDays. All event attendees will have the opportunity to meet with the artist during the event.

As usual, there will be a game zone with retro game machines (Battleship and Autorally-M) plus games that became popular during the 90’s including: Sega, Dendy, and PlayStation. A new addition, this year, is a vending machine stocked with ‘real space food’ (packed in tubes as it would be for astronauts) to help energize participants before they attend their next presentation or engage in a long lasting warfare activity. We also have some other surprises including our robot. So if you tire of your colleagues why not try asking our robot a question instead? The robot will answer any question, but only if it likes you.

Are you an art lover? If you are, then there is a feast for the eyes, as you will be surrounded by a multitude of objets d’art. A chronicle of PHDays displayed on a board of floppy disks, the hacker manifesto projected onto a huge screen, and optical installations which can only be appreciated from a certain viewpoint and distance from the installation. They cheat the eye and demonstrate how your brain tricks you. All this and more will be available at PHDays VI.

PHDays VI is taking place at the World Trade Center in Moscow on 17-18 May 2016. Specialists from the areas of information security, hacking, science, media, politics, and business will gather together at this forum. So, why not participate? Buy tickets now at runet-id.com/event/phdays16. To get a free ticket, present your research on information security (closing date for the second wave of CFP is March 31) or show off your hacking skills in one of our contests (preliminaries and registration will start right before the conference).

2/25/2016

PHDays VI Young School Call for Papers

PHDays Young School has become something of a tradition at the annual PHDays forum. Now in its fifth year, Young School provides an amazing opportunity for would-be security experts to share their research with some of the world's leading security experts. This year, Young School has been changed from a single contest to a full section within the PHDays program. Applications to participate are invited from students, postgraduates, and young scientists engaged in infosec studies.

The primary research topic remains the same – practical security:

Hackers' new targets. Internet of Things: refrigerator botnets, smart bracelets, and remote car control
Computer forensics focused on targeted APT attacks and cyber spying
Attacks on payment and online banking systems; payWave, PayPass, and Apple Pay security
Running a security operations center: cases, methods, and tools
Ways to counteract DDoS attacks
ERP system and business application security. Counteracting attacks against web applications
New vectors and techniques of attacks on mobile devices
Protection of cloud computing. Security of government information systems and E-government
Applied cryptography
Techniques and tools for physical security
Protection of ICS/SCADA. Securing industrial systems and modern cities
Zero-day vulnerabilities and new exploit deliveries
Insecure secure development. SSDL and vulnerabilities in infosec solutions

Authors should demonstrate the practical value of their research; the research methods should be described and substantiated. We do not accept papers that include ideas only (even if they are genius) without research results. Authors of the best papers will get to share their findings with hackers and security specialists at Positive Hack Days VI, an information security forum held in Moscow, May 17 and 18, 2016. Authors will be reimbursed for all travel and accommodation expenses; co-authors will receive tickets to the forum.

Submissions

This year, you need only to provide some key talking points in English or Russian. However, our review board should have access to the full research (see details in submission rules). The review board consists of infosec experts from the academic sector. You are welcome to consult with the Young School organizers prior to submitting your proposals. For any queries, please contact Andrew Petukhov (youngschool@phdays.com).

PHDays Young School made its debut in 2012. Participants from universities in Krasnoyarsk, Moscow, Novosibirsk, St. Petersburg, and Taganrog were the finalists that year. Young School has grown to be truly international since then: last year, finalists included those from Germany, Russia, Romania, and the USA.

To take advantage of this great opportunity to participate in Positive Hack Days VI please send your application to youngschool@phdays.com. The closing date is April 1, 2016.

2/17/2016

Introducing PHDays VI Reports: How to Hack a Fare Card, Set Up a Honeypot, and Sell Vulnerabilities

On January 31, the first wave of applications to join Positive Hack Days was completed. The forum on information security will take place on May 17 and 18, 2016, at the Moscow World Trade Center. If you want to take part in the forum, you can apply in the near future: the second wave of Call for Papers will hit on February 17 and will last till March 31. For now, we will announce the first participants enrolled in the Tech program. PHDays attendees will learn how to snatch a large sum at Microsoft and test transport systems security with a smartphone, and know the ins and outs of the zero-day vulnerability market.

Honeypot

Terrence Gareau, a recognized expert in DDoS attack mitigation, prevention, and recovery, will make his debut at PHDays. He will outline how to develop a honeypot network and produce a data feed that can be used to protect online assets with Kibana, Elasticsearch, Logstash, and AMQP. Terrence Gareau will open-source a monitoring system (a project his team has been developing for the last two years) for reflective DDoS statistics that are external to any specific network.

Reward chasers, or Who is who in the exploit market

Alfonso De Gregorio, the founder of BeeWise and a principal security researcher at secYOUre, will speak at the international forum for the second time. He will continue the topic of the previous talk, exploit selling. Alfonso will speak about the vulnerability supply chain's participants, zero-day exploits brokers, and ethical questions that arise in the business.

How to make a lifelong travel card

Matteo Beccaro, an Italian security researcher, will talk about transportation security, frauds, and technological failures. The speaker will cover some severe vulnerabilities in real-world transportation systems based on NFC technologies and introduce an open-source application designed to pentest such systems via a smartphone. The talk will attract both professional and amateur pentesters.

Web application security with JavaScript

Client-side JavaScript injection may be used to detect and prevent various attacks, search for vulnerable client components, detect leakage of data about web app infrastructure, and find web bots and malicious tools. The Positive Technologies experts Denis Kolegov and Arseny Reutov will show how to ensure application security with JavaScript and share their own injection detection methods that employ syntax analyzers without signatures or filtering regular expressions. They will also discuss implementation of client-side JS honeypot to capture SSRF, IDOR, command injection, and CSRF attacks.

How to snatch a large sum at Microsoft

Until recently, Microsoft refused to launch a bug bounty program despite the fact that it has become a customary practice for competitors. Now, however, Microsoft pays researchers for certain types of vulnerabilities from USD 100 up to USD 100,000. Several recent exciting changes to the Microsoft Bounty Program include the competitive aspect of listing out its Top 100 finders. Jason Shirk, the principal security strategist for MSRC, will explain how the MSRC works with researchers, what bounties are available, and what other rewards can be earned. He will also uncover some secrets behind big bounties that have been paid.

The complete list of reports will be available on the PHDays official site in April. To participate for free, you can present your report on information security or take part in one of the forum's hacking contests or in the cyberpunk short-story competition. You can also buy a ticket to get to PHDays. Starting from February 15, the price for the full 2-day conference registration will be 9,600 rubles and 7,337 rubles for one day. On March 1, the cost will go up to 14,400 and 9,600 rubles respectively.

2/2/2016

Discount PHDays VI Tickets Available till February 14

We’ve made a decision to extend the current Early Birds discount period for two more weeks, which means that you still have a chance to purchase a 2-day pass for only 7,337 rubles. Starting from February 15, the prices will change to: 9,600 rubles for the full 2-day conference registration and 7,337 rubles for one day only. On March 1, their cost will rocket to 14,400 and 9,600 rubles respectively.

There are several ways you can join PHDays VI for free:

Present your research on information security (the second wave of Call for Papers starts on February 17)
Show off your hacking skills in one of our contests (preliminaries and registration will start right before the conference)
Organize an interactive forum in your town (learn more about the PHDays Everywhere initiative).

For two days, the PHDays VI forum will become the playing ground for 4,000 hackers, cybersecurity experts, IT vendors, researchers, government representatives, and digital freedom activists. The event is to take place on May 17-18 in Moscow World Trade Center (Krasnopresnenskaya naberezhnaya, 12). Buy tickets now at: runet-id.com/event/phdays16.

12/17/2015

Tickets for PHDays VI are now available

Tickets for the international forum on information security Positive Hack Days VI are available for purchase from December 17. We are keeping last year’s prices till mid-January. A two-day ticket costs 7,337 rubles before January 30. You can register and buy a ticket on the RUNET-ID Registration page. From January 31, the price will rise: a ticket for two days will cost 9,600 rubles, and 7,337 rubles for a one-day pass. From March 1, the cost will rise to 14,400 for two days and 9,600 rubles per day.

Other ways to participate in PHDays

There are several other ways to join PHDays VI. You can present a report on information security. The first stage of Call for Papers lasts till January 30. The review board considers applications not only from acknowledged information security experts, but also from newcomers. Before you apply, please consider the forum's concept, topics, and previous presentations. You can also get an invitation by proving yourself in one of the hacking contests. Moreover, anyone can organize his own PHDays forum in his town: check out PHDays Everywhere registration terms.

4,000 hackers, information security specialists, IT vendors, researchers, government representatives and internet privacy defenders are expected to gather at PHDays VI on May 17 and 18, 2016. The event will take place at the Moscow World Trade Center (Krasnopresnenskaya naberezhnaya, 12). Buy tickets at: runet-id.com/event/phdays16. More information about PHDays IV: phdays.com.

12/3/2015

Speak About Your Cyberwar at PHDays VI

Positive Hack Days VI, the international forum on practical information security, opens Call for Papers on December 3, 2015. Our international program committee consisting of very competent and experienced experts will consider every application, whether from a novice or a recognized expert in information security, and select the best proposals. Now, more than ever before, cybersecurity specialists are being asked to stop sitting on the fence and choose a side: competitive intelligence vs DLP systems; security system developers vs targeted cyberattacks; cryptographers vs reverse engineers; hackers vs security operations centers. A new concept of PHDays VI is designed to show what the current vibe is in information security. We want researchers to speak about the real dangerous threats and possible consequences. We also expect developers and integrators to give real answers to these threats rather than to talk about empowering security technologies. Come and share your experience at PHDays VI in Moscow, May 17 and 18, 2016. Your topic can revolve around any modern infosec field: new targeted attacks against SCADA, new threats to medical equipment, vulnerabilities of online government services, unusual techniques to protect mobile apps, antisocial engineering in social networks, or what psychological constitution SOC experts have. In addition, this year, we are planning to discuss IS software design, development tools, and SSDL principles. Our key criterion is that your research should be unique and offer a fresh perspective on hacking, modern information technologies, and the role they play in our lives. If you have something interesting or surprising to share, but none of the formats are suitable for your participation, please apply anyway and be sure we will consider your work. The first stage of CFP ends on January 31, 2016. Apply now: the number of final reports is limited.