News
PHDays VI: Moving to Direct Confrontation
The sixth Positive Hack Days forum on practical information security will take place at the Moscow World Trade Center on May 17 and 18, 2016. PHDays brings together security experts from across the globe and offers both researchers and students the opportunity to hack mobile networks, derail trains, shut down the electricity grid, break into an ATM with a paper clip, and learn about the kinds of protection available to counter these threats. As usual, the forum has a key theme; for PHDays VI it is confrontation. In 2016, business and government representatives will show hackers the power of resistance. One side will attack and the other will defend. Who will win this two-day war? We will have to wait until PHDays VI to find out.

Who's attacking whom

Year after year PHDays has brought together various groups from the information security community: hackers and information security experts, government officials, advocates of personal freedom, IT business and law enforcement personnel, always around the theme of security. However, the security world has shifted, and today we see conflict between these groups more and more often; those on one side of the barricade see only their own side and cannot see the whole picture. This year, at PHDays VI, we are moving from a competition built around solving tasks to a two-sided practical game: hacker teams vs. SOC, cryptographers vs. reverse engineers, competitive intelligence specialists vs. DLP systems, developers of protection tools vs. targeted attacks. Speakers at PHDays VI will demonstrate the most critical threats and protection methods we are dealing with today, not just scare stories about possible vulnerability exploitation, because what we really need to know is how the industry will respond to a specific threat.

An airplane, tank or ship?
We are designing the new PHDays program around the forum's basic principles: an ongoing search for unknown areas, live video broadcasting of speakers and panelists, no commercials, online training, unique set-ups, informal discussions, security incidents. The program will include dozens of talks and hands-on labs, sessions and round tables, CTF contests, the Young School competition, and a cyberpunk short story contest. PHDays will have a completely new competition program offering new devices and plenty of chill-out space for hacking.

A six-fold increase in numbers

PHDays is becoming more popular year on year. Just compare: the forum gathered 600 specialists in 2011, 1,500 in 2012, more than 2,000 in 2013, 2,500 in 2014, and 3,500 in 2015. The forum included hundreds of talks, sessions and activities. It featured John Bambenek, Whitfield Diffie (via teleconference), Chris Hadnagy, Kevin Williams, Natalya Kasperskaya, Alexey Lukatsky, Dmitry Finogenov (FSB department #8), Alexander Radovitsky (RF Ministry of Foreign Affairs), Alexander Baranov (Federal Tax Service), Vadim Dengin, Andrey Tumanov and Ilya Kostunov (deputies of the State Duma), senior executives of the Bank of Russia and representatives of big business. Managing partners of Almaz Capital sponsored a startup competition with prize money of 1.5 million rubles. Contests involved hacking missiles, electrical substations, ATMs, and railways.

Testimonials

Over the past five years, PHDays has received several awards and many kind words.
The forum has hosted such iconic figures of the information security community as Bruce Schneier (the author of Applied Cryptography), Marc Heuse (the founder of the security research group The Hacker's Choice and the creator of Hydra, Amap and THC-IPV6), Karsten Nohl (one of the best-known specialists in GSM security), Donato Ferrante and Luigi Auriemma (Italian specialists in SCADA and Smart TV security), Alexander Peslyak (known as Solar Designer, the creator of the password cracking tool John the Ripper), Whitfield Diffie (advisor to Almaz Capital, the father of digital signatures and asymmetric encryption), Datuk Mohd Noor Amin (Chairman of IMPACT), and William Hagestad (a military expert in cyber-intelligence). Last year, PHDays became the only cyber security conference held in Russia to be listed among the largest information security meetings by Concise Courses, the web's most respected cyber security conference list.

Experts on PHDays

Bruce Schneier, Cryptography Expert, Chief Security Technology Officer at British Telecom: "We have been organizing security conferences for more than ten years. The majority of them are boring corporate events. However, this conference is something completely different. It not only inspires, it is very practical and quite counter-cultural."

Ilya Kostunov, a member of the Safety Committee and Corruption Counteraction Committee of the State Duma: "I've heard several reports at Positive Hack Days, and the statistics have shocked me. I'm planning to intensify a draft bill on the protection of critical infrastructure."

Alexander Galitsky, Managing Partner at Almaz Capital: "Positive Technologies created the best information security conference in Russia. It is a relaxed and informal meeting place, and the central characters are not public authorities but security experts and developers."

Ruslan Gattarov, a member of the Federation Council Committee on Science, Education, Culture and Information Policy: "Our colleagues from foreign countries pump money into the information security industry, create cyberweapons, and increase the number of 'cyber soldiers' tenfold."

William Hagestad II, an expert in cyber-intelligence and counter-intelligence: "It is a unique event, where we can see how information security is created and find out who's who in the area. The forum is notable for its realistic contests, such as CTF, Critical Infrastructure Attack and the contest where participants work on hacking the 'smart home'."

Natalya Kasperskaya, CEO of InfoWatch: "I am struck by the scale of the event: I read how many attendees were expected, but the reality exceeded all my expectations."

Datuk Mohd Noor Amin, Head of IMPACT (United Nations): "Modern cyber threats are not only spam or fraud, but also graver risks with people's lives at stake."

Kevin Williams, General Manager of Team Cymru, UK Internet Security: "Here Russian private companies, public organizations, and government are trying to find a solution to the common problems. This is really interesting."

More information: phdays.com. Check out reports from previous meetings on YouTube.
People Are the Main Vulnerability: Social Engineering at PHDays V
Now you can watch Positive Hack Days V on YouTube: there are dozens of talks on practical security in Russian and English. The 2015 forum was devoted not only to hardcore hacking techniques but also to "non-technical" attacks. One of the more interesting and unusual talks was given by Chris Hadnagy, who exploits human psychology and doesn't believe in technological progress: "While you're looking for zero-day vulnerabilities, we can just pick up the phone and find out your secrets." Let's take a look at some of the stories and observations of the 42-year-old American.
The MiTM Mobile Contest: GSM Network Down at PHDays V
Although we have published several research papers on cell phone tapping, SMS interception, subscriber tracking, and SIM card cracking, many of our readers still regard those stories as some kind of magic used only by intelligence agencies. The MiTM Mobile contest was held at PHDays for the first time, and it let participants see how easily an attacker can carry out the attacks listed above with nothing more than a $10 cell phone and some free hacking software.

Contest conditions and technologies

You have the corporate cell phone of a MiTM Mobile network user. Through the DarkNet you have obtained some information that may be useful:
- Codes for publes (the PHDays game currency, "Pseudo rUBLE") are regularly sent to the phone number of the corporation's chief accountant: 10000.
- The financial director is missing: nobody has been able to reach him for several days and his cell phone is turned off, but he is still receiving passwords.
- You can obtain key information by calling the number 2000, but it authorizes callers by their phone number. We also managed to find out the phone number of the director's private secretary: 77777. He must have access. There are other numbers in the network through which some employees receive important information, but, unfortunately, we failed to find them. And don't forget: you can always come across someone's private information in the corporate network.
Hot Cyberwar. Hackers and Missile Launchers
The most spectacular contest at PHDays V was the one organized by Advantech. Participants had to gain control over an industrial system controlling a missile launcher and hit a certain secret object.

General

A missile launcher on a turret rotating about two axes and a target were presented on a stand. Participants had to gain control over the industrial system, turn the launcher toward the target and hit it (breaking the equipment wouldn't count). According to the scenario, a hacker had bypassed the external perimeter and gained access to the office network segment. Those who connected to the network received the operator's login and password and could watch the system in operation. The IP addresses of all the devices on the stand were listed in a table next to it. This year's format combined the various competitions with the capture the flag contest (for more information see our blog). About 40 PHDays attendees and several CTF teams took part.

Technical details

The SCADA system was deployed on an Advantech TPC-1840WP panel PC running Windows 7 Ultimate with no additional protection software; operating system updates were installed and the Windows firewall was on. The SCADA software was Advantech WebAccess 8.0. Since the software could contain unpatched vulnerabilities, the operator's access was limited to visualization of the processes running in the controller: the controller's tags were read-only, and rewriting them didn't affect the equipment's operation. With administrator privileges, an attacker could access the page describing the system's structure and internal addressing.
Writeup: Competitive Intelligence Contest at PHDays V
This year the Competitive Intelligence participants included not only the contest's usual fans but also CTF teams, so we adjusted the difficulty levels accordingly. In addition, we allowed team play on one condition: a person couldn't participate both individually and as part of a CTF team. That is why we reached a mutual agreement to disqualify the player who scored the most, azrael. :)

All the contests revolved around a fictional state, the United States of Soviet Unions. The Competitive Intelligence participants had to look for information about company employees with USSU citizenship. The players were free to answer five questions about five different organizations. Within one block, you could open new questions only after answering the previous ones. (One team even managed to find a right answer by brute force, but failed to advance after that; they just didn't have enough information.)

1. Find out the dinner location of the Chairman of Bank of Snatch (snatch-bank.phdays.com) / Get any info you can on him

You had to find all the information available about the Chairman of Bank of Snatch.

1.1. Get his email address

It's quite easy in the beginning, actually: just get the Chairman's email. Google already did that for you; it cached several pages of snatch-bank.phdays.com, including the one with financial documentation.
Best Reverser Write-Up: Analyzing Uncommon Firmware
While developing tasks for the PHDays reverse engineering contest, we aimed to replicate the real problems that RE specialists face. At the same time we tried to rule out clichéd solutions.
Digital Substation Takeover: Contest Overview
Digital Substation Takeover, presented by iGRIDS, was held at PHDays V. Participants tried their hand at hacking a real electrical substation designed according to IEC 61850. The general task was to perform a successful attack against the electrical equipment control system.

What it's all about

A special high-voltage (500 kV) substation model had been developed for the contest. It included switches, time servers and protective relays, the kind used in modern high-voltage electric networks to ensure protection in emergencies and incidents (a short circuit, faults in a power transmission line, etc.). Several scenarios were offered, each corresponding to unauthorized access to the switches: circuit breaker opening, or earthing switch closing despite operation blocking. The organizers promised that the most difficult task, causing an emergency on the site, would be rewarded with fireworks from the burning wires of the model overhead power line set up nearby.
How They Hacked Internet Banking at PHDays V
During Positive Hack Days V, held on May 26 and 27 in Moscow, the $natch competition was organized again. It consisted of two rounds. First, participants were provided with copies of a virtual machine containing the vulnerable web services of an internet banking system (an analog of a real system). After that, they had to analyze the banking system image and try to transfer money from the bank to their own accounts by exploiting the security defects they had found. This year's format combined the various competitions with CTF (see our blog), so CTF teams were able to take part alongside the rest of the forum's attendees. Thirty people participated in $natch. The prize money was raised to 40,000 rubles (last year it was 20,000).
WAF Bypass at Positive Hack Days V
As it did last year, the PHDays forum on information security hosted the WAF Bypass contest. Participants tried to bypass the protection of PT Application Firewall, Positive Technologies' product. For the contest, the organizers developed a site, Choo Roads, containing common vulnerabilities: Cross-Site Scripting, SQL Injection, XML External Entity injection, and Open Redirect. Upon exploiting one of the vulnerabilities, a participant obtained a flag in MD5 format and gained points. The MD5 flags could be found in the file system, the database, and cookie parameters; a special bot built with Selenium was used to detect them.
PHDays V Highlights: Signs of GSM Interception, High Time to Hack Wi-Fi, Future of Encryption
Technological singularity is expected in 15 years at best, but the Positive Hack Days transition is happening right now. The fifth forum had a record attendance, over 3,500 visitors, which is comparable to the leading international hacker conferences, and the number of talks, sessions and other activities passed one hundred. The contests involved hacking spaceships, power plants, ATMs, and railway companies. More Smoked Leet Chicken won this year's CTF, excelling at stock exchange speculation. Congratulations! A detailed write-up is coming soon. Right now let's focus on a number of recommendations and tips that impressed us most during the two-day hacker marathon held at the World Trade Center on May 26-27.