News
Writeup: Competitive Intelligence Contest at PHDays V
This year among the participants of Competitive Intelligence were not only the contest’s usual fans but also CTF teams, so we adjusted difficulty levels accordingly. In addition, we allowed team play on one condition: a person couldn’t participate both individually and as part of a CTF team. That is why we reached a mutual agreement to disqualify the player who scored most — azrael.) All the contests were revolving around the fictional state — United States of Soviet Unions The Competitive Intelligence participants had to look for info about company employees with the USSU citizenship. Meantime the players were free to answer five various questions regarding five different organizations. Within one block, you could open new questions after answering the previous ones. (One team even managed to find the right answer using a brute force method, but failed to advance after that – they just didn’t have enough info.) 1. Find out dinner location of Bank of Snatch (snatch-bank.phdays.com)’s Chairman/Get any info you can on him. You had to find all the info available about the Chairman of Bank of Snatch. 1.1. Get his email address It’s quite easy in the beginning, actually — just get the Chairman’s email. Google already did that for you — it cashed several pages of snatch-bank.phdays.com, including the one with financial documentation.
Best Reverser Write-Up: Analyzing Uncommon Firmware
While developing tasks for PHDays’ contest in reverse engineering, we had a purpose of replicating real problems that RE specialists might face. At the same time we tried to avoid allowing cliche solutions.
Digital Substation Takeover: Contest Overview
Digital Substation Takeover, presented by iGRIDS, was held at PHDays V. The contest's participants tried themselves in hacking a real electrical substation designed according to IEC 61850. The general task was to perform a successful attack against the electrical equipment control system. What it's all about A special high voltage (500 kV) substation model had been developed for the contest. It included switches, time servers, protective relays that are used in modern high voltage electric networks to ensure protection in emergency situations and incidents (in case of a short circuit, faults in a power transmission line etc.). Several scenarios were offered, each of them corresponding to unauthorized access to switches: circuit breaker opening, earthing switch closing despite operation blocking. The contest's organizers suggested that the most difficult task—that is to cause an emergency on the site—would be followed by fireworks of burning wires of the model overhead power line set nearby.
How They Hacked Internet Banking at PHDays V
During Positive Hack Days V, which was held on May 26 and 27 in Moscow, the $natch competition was organized again. It consisted of two rounds. First, the contest's participants were provided with virtual machine copies that contained vulnerable web services of an internet banking system (an analog of a real system). After that, they had to analyze the banking system image and try to transfer money from the bank to their own accounts by exploiting security defects they had detected. This year's format combined various competitions with CTF (see our blog), and CTF teams were able to take part in them along with the rest of the forum's attendees. Thirty people participated in $natch. The prize money was ramped up to 40,000 rubles (last year it was 20,000).
WAF Bypass at Positive Hack Days V
As it did last year, the PHDays forum on information security hosted WAF Bypass this year as well. The contest's participants tried to bypass the protection of PT Application Firewall, Positive Technologies' product. For this contest, the organizers developed the site Choo Roads, which contained common vulnerabilities, such as Cross-Site Scripting, SQL Injection, XML External Entities Injection, Open Redirect. Upon exploiting one of the vulnerabilities, a participant obtained a flag in the MD5 format and gained points. MD5 flags could be found in the file system, database, and cookie parameters and detected by a special bot that was developed by using Selenium.
PHDays V Highlights: Signs of GSM Interception, High Time to Hack Wi-Fi, Future of Encryption
Technological singularity is expected in 15 years at best, but Positive Hack Days transition is happening right now. The fifth forum had a record attendance – over 3,500 visitors, which is comparable to the leading international hacker conferences, and the number of talks, sessions, and various activities surpassed one hundred. The incredible and exciting contests involved hacking spaceships, power plants, ATMs, and railway companies. More Smoked Leet Chicken became the winning champion of this year’s CTF, showing their best at stock exchange speculation. Congratulations! A detailed write-up about that is coming soon. Right now let’s focus on a number of recommendations and tips that impressed us most of all during the 2-day hacker marathon that took place in World Trade Center on May 26-27.
PHDays V. Day One: How to Intercept SMS and Hack Satellite
Positive Hack Days launched on May 26, and on the very first day, cybersecurity experts demonstrated various techniques that are used to hack ATMs, online banking systems, mobile carriers' networks, energy, transport, and industrial companies. More than 50 reports were presented at the Word Trade Center. A number of hands-on labs, round tables were held as well. The organizer provided several video streams to broadcast the most interesting events on the forum's website. Damage caused by a cyberattack can be measured in billions of dollars, while its actual cost is rather low. According to the Positive Research center, anyone with less than 10,000 dollars is able to gain remote access to somebody else's SIM card, which means access to the subscriber's traffic, SMS, calls and location data. Twenty percent of SIM cards are vulnerable to such attacks. It is also possible to obtain a subscriber's confidential information by attacking his mobile carrier's equipment. An attack on a GSM cell can cost about 1,000 dollars. To hack a base station, an intruder might need only a PC and access to the SS7 network. Banking systems keep pace with the telecommunications sector. An ATM can hold 10 million rubles. And when it comes to hacking the cash machine, you might only need a Raspberry Pi for $60. Last year, Russia took second place in the world (after Palestine) for the quantity of ATMs that can be detected by special search engines and remotely reprogrammed by using insecure protocols and exploiting numerous vulnerabilities in Windows XP. The situation with e-money is not much better. In 2014, 70% of Android applications and 50% iOS apps contained vulnerabilities that gave access to an e-money account. Devices that seem harmless at first sight, such as wireless USB modems, can also constitute a danger to users. Mobile operating system developers are slick at fixing vulnerabilities, while modem firmware developers haven't paid much attention to security until recently. According to Positive Technologies researchers, 27 out of 30 firmwares contained critical vulnerabilities. Timur Yunusov presented a report, which reveals how easy it is for an intruder to enable automatic identification and infection of 4G modems in order to intercept traffic, manipulate an account and SMS, break into a computer connected to such a modem. The philosophical conception of PHDays V involved certain elements of cosmological theories. However, practical aspects were as well in the range of interest, which is why the forum's organizer held the session named Amateur Radio for Space Communication. Speakers discussed information security of space stations; in particular, they discussed the Fobos-Grunt crash considering a version based on external influence. The radio amateur Dmitry Pashkov claims that it is quite possible to jam signals between a control center and a spacecraft. You will find the necessary equipment in any electronics store. Except for an antenna— you'll have to make it by yourself. By using homemade devices, Dmitry managed to obtain solar eclipse images from Meteor-M No. 2 (a Roscosmos satellite) and to get the most up-to-date weather forecast. How to Protect A more effective fight against vulnerabilities in information systems and measures for protection of national interests have been discussed at the most "governmental" section — Today's Russia in Unfriendly Cyberworld. Dmitry Finogenov (FSB department #8), Alexander Radovitsky (RF Ministry of Foreign Affairs), Alexander Baranov (Federal Tax Service), Vadim Dengin, Andrey Tumanov, and Ilya Kostunov (deputies of the State Duma) took part in the discussion. Alexey Andreev (Positive Technologies) and Alexey Lukatsky (Cisco) were speaking on the part of the expert community. The government officials promised that a new Russian IS concept would have been published by the end of 2015. Vadim Dengin urged Russian Internet users (over 70 million people at the moment) to always be responsible for their words (in court as well) and said, that the security of citizens, data privacy in particular, was the task #1 for the government; therefore, the federal law on data processing center (DPC) transfer to the Russian territory won't be postponed. "The international business totally agrees with that," he said. Vadim's colleague Ilya Kostunov had recently revealed that Google Analytics was installed in all the Russian governmental bodies. Thus, he made an inquiry to the Prosecutor General's Office and Ministry of Economic Development. Ilya mentioned that Russia had had an opportunity to launch its own payment system with chip cards back in 2000.
Making Money on Cyberwar
It is well known that insider info about ups and downs of large corporations, if gained in time and played right, can earn you millions on the stock market. It’s hackers’ prerogative to get hold of such data or to influence a company’s activity by cracking critical business systems. So why not make some dough on your skill at Positive Hack Days V? This year PHDays participants will be able to become part of our virtual country — the United States of Soviet Unions (USSU) — and trade stocks on the PHDays Stock Market. All forum attendees will be able to buy and sell “company” stocks (firsthand or using a broker) and gain advantage from insider info on the stock market. The hacker contest participants will be able to effect share prices by hacking railway companies, power plants, news agency sites, and other resources. In addition, successful hacking attacks may give you some useful information. You may spend virtual money to treat yourself to a drink in our bar or to buy souvenirs with the forum’s logo. For additional info, feel free to address our specialists that will be located next to the bar counter in the WTC Congress Hall.
Rock Bands, Artists and Cyberhybrids at PHDays V
PHDays, an international forum on practical security held on May 26-27, continues to attract an ever increasing audience including many from the arts including musicians, artists, retrofuturists, and writers. PHDays is not just a technical event but one that encompassed the culture associated with the cyber community. Our non-technical program includes our first cyberpunk short story competition. Six Million Characters of Cyberpunk
Schneider Electric Thanks the Winner of the Positive Hack Days Hacker Contest
Early April, Schneider Electric has released several updates and patches fixing vulnerabilities in the software used for creating SCADA and HMI systems at nuclear power plants, chemical plants and other critical units. The vulnerabilities which even a novice attacker could exploit were found in InduSoft Web Studio 7.1.3.2, InTouch Machine Edition 2014 7.1.3.2 as well as previous versions of these products. Among bugs fixed — arbitrary code execution and non-encrypted storage/transfer of sensitive data. The vendor recommends downloading the new patches as soon as possible.