News
PHDays V Contest Program Published
Positive Hack Days V will take place at WTC on May 26-27. Preparations are well underway: the program of reports and hands-on labs is being formed (you can vote for a performance at the site), new spots from a variety of countries joined the PHDays Everywhere initiative, and there's more to come. Traditionally, the forum organizes many contests. Today we will take a look at the challenges and prizes for the Internet users and PHDays guests.

Challenges at the Venue
Please note that you will need a laptop to participate in most of the contests.

Leave ATM Alone
Physical attacks on ATMs are gradually giving way to software attacks. At this contest, everyone can try his or her hand at detecting ATM vulnerabilities.
PHDays V: How to Create Your Own Shodan, Find ROP Shellcodes, and Automate Reverse Engineering
The fifth Positive Hack Days international forum on practical security will take place in Moscow World Trade Center on May 26-27. With the second wave of Call for Papers finished, we present a new portion of reports.

Automation: Reverser’s Helper
Reverse engineering often implies thorough analysis of an application system code, and the star tool here is a disassembler. Researchers encounter various difficulties — from deciding on an order of function processing and differences in system versions to inability to fully debug and emulate the code in built-in systems. In his report Anton Dorfman, who presented a workshop on mastering shellcode at PHDays III, will share his experience in creating a reverse engineering plugin based on IDAPython, which is capable of conducting primary automated code analysis and transferring results from a currently researched system to its other versions.

How to Create Your Own Shodan
The acclaimed international security specialist Igor Agievich will cover the topic of creating a search system identical to “the world’s most dangerous search engine” — Shodan.
What's New in the PHDays Program: supercomputer protection, iOS security, exploit selling
The first stage of Call for Papers has finished recently and we'd like to announce another batch of reports that will be presented on May 26 and 27 at PHDays V (you can find the first and the second announcements on Habrahabr). Speakers will discuss how to improve iOS application security and what hackers find attractive about supercomputers. They will also address the relationship between sellers and buyers of zero-day vulnerability exploits.

Debugging automation
Alexander Tarasenko's report is devoted to debugging automation using WinDbg. Attendees will gain skills in writing scripts using WinDbg's built-in engine, and also in Python with the Pykd extension. The report will be interesting for code researchers and developers of software that requires uncommon debugging tools.

iOS security
Prateek Gianchandani, a member of OWASP and an information security engineer at Emirates, will lead a hands-on lab on developing exploits for iOS applications. During the demonstration, the speaker will use his own application with typical vulnerabilities. Participants will learn how to improve iOS applications' security level at the stage of development. After the introductory part, participants will try to test iOS applications by themselves.

On guard of supercomputers
Felix Wilhelm and Florian Grunow from ERNW, a German infosec company, will talk about the IBM General Parallel File System, its architecture and vulnerabilities. The system is used in certain known supercomputers (such as IBM Watson), which makes it a prime target for attackers aiming at both data stored in the file system and the system's powerful resources. The speakers will demonstrate the exploitation of two security bugs in IBM GPFS.

Exploit selling
Alfonso De Gregorio, the founder of BeeWise and chief consultant at secYOUre, will speak about the relationship between sellers and buyers of zero-day vulnerability exploits and about morals in the exploit market.

Hash hacking at fifth gear
Alexey Cherepanov took part in the development of John the Ripper and maintains its GUI interface. He will tell us how to speed up hash hacking by using code generation methods.

Fast and useful
In addition to standard reports the PHDays V program includes an extensive FastTrack that involves informative and dynamic short speeches. Sergey Kharkov, a specialist at National Research Nuclear University MEPhI, will tell attendees how to tap a GSM-based phone by attacking a GSM network and replacing the base station. Moreover, Sylvain Pelissier, a cryptologist and a security engineer at Kudelski Security, will show how sometimes file encryption tools allow cracking user passwords. During Denis Gorchakov's presentation, the audience will learn how to prevent payment fraud. He will speak about a hardware and software system for virus analysis, detection of botnet control centers and data collectors.

The second stage of Call for Papers started on February 16. It will last till March 31, so you still have a chance to become a speaker at PHDays this year. We also invite you to participate in CFP launched by our partner, the HITB conference. We look forward to seeing you at Positive Hack Days V!
PHDays V: Encryption Standards, M&A in Yandex and Chemical Attacks
Early December was marked by the opening of the Call for Papers for everyone willing to speak at Positive Hack Days V. Later we announced the first speakers introducing John Matherly, the creator of Shodan, John Bambenek, a cyber detective, and Chris Hadnagy, a professional social engineer. The first CFP stage was over at the end of January. Today we present a new portion of reports included in the technical, practical and business program of upcoming PHDays. The forum guests will learn how to fortify a corporate IT system digitally, how to bypass Moscow Metro Wi-Fi authorization, and how attackers exploit vulnerabilities in physical processes.

Yandex: Security for Mergers and Acquisitions
When a company buys another company, nobody ever thinks of a security audit. If, by any chance, it comes to the limelight, the current regulatory requirements alone are analyzed. Yandex is actively purchasing technological projects all over the world now and then detonating the media scene with news about another grand merger. An information security analyst of the search giant, Natalya Kukanova, will throw light on how and why they included the security audit into the merging processes (M&A). The audience will learn what to check in case of M&A deals, how to organize audit, and how to interpret its results. All bullet points will be exemplified by real Yandex deals.

Encryption Standards of the Future
Markku-Juhani Saarinen will go into detail on the NIST-sponsored CAESAR project, which is an international crypto competition aimed at the creation of a new AE security standard instead of AES-GCM (this algorithm was certified by the USA and NATO to handle secret information, but was found to contain various security problems). The speaker will acquaint his audience with CAESAR ciphers and consider weak and strong points of the current encryption standards and algorithms in Russia (e.g. the GOST R 34.10-2001 signature algorithm). Markku-Juhani Saarinen has been studying information security and cryptography and developing cryptographic software for more than 15 years already.

Around OSX Sandbox
Alexander Stavonin will analyze how OSX (a sandbox designed with TrustedBSD) security tools work and how widely they are used by third-party applications. He will demonstrate potential problems and exploitation of TrustedBSD by cybercriminals — all exemplified by the source code.

How to Build a Digital Fortress
An information security and forensics expert from Bulgaria, Alexander Sverdlov, will take the floor at PHDays for the third time (his workshops on cyber forensics attracted a full house in 2013 and 2014) and will teach how to build an impregnable digital fortress. The audience will study how to enhance router protection by installing alternative operating systems (Qubes OS, BSD Router project, SRG/STIG), to stop exploits, and to analyze application security.

If Hackers Were Chemists
Researchers and cybercriminals repeatedly demonstrate ways to hack SCADA systems that control electricity, transport and critical infrastructure elements such as chemical plants. However, dealing with such facilities, information security specialists often ignore the role of physical processes. Such processes (e.g. a chemical reaction) can keep on running despite the actions of cybercriminals with full control over an infrastructure or management system. Yet if malicious users learn to exploit physical conditions, they will be able to affect reaction and process flows. The consequences are threatening: it's not that hard to imagine an explosion on a chemical plant provoked by a temperature monitoring sensor driven mad by a hacker in a cistern with a hazardous substance. Maryna Krotofil, a Doctoral Candidate at Hamburg University of Technology, will put the audience in touch with the main stages of attacks aimed at destroying a specific physical process.
Tickets for PHDays V Now Available
Ticket sales for the forum on practical information security Positive Hack Days V will start on Wednesday, December 23.
CFP is open
Positive Hack Days V, the international forum on practical information security, opens Call for Papers on December 3. If you want to share your research results or have something to tell the community about, you are welcome to join PHDays speakers on May 26 and 27, 2015. The first stage is until January 30, 2015. Find any details about the format, participation rules, and CFP instructions on the PHDays website: http://www.phdays.com/program/call_for_papers/ See you at PHDays V!
Positive Hack Days V: entering a singularity
The fifth Positive Hack Days international forum on practical information security will take place in World Trade Center Moscow on May 26 and 27, 2015. The conference organized by Positive Technologies will bring together leading experts on cyber defense and the elite of the hacker world, representatives of state institutions and executives of large businesses, young scientists and journalists.
Videos of Reports and Presentations from PHDays IV are Now Available for Download!
Present-day citizens spend tons of time in public transport. Why not use these tedious minutes for self-education? From now on, a part of the reports and workshops held at PHDays IV are available on the forum's site and anyone can watch them on their way to work.

You can download some of them from Vimeo:
- How to React to Security Incidents: Investigation of a Cyber-Attack
- Android Exploitation
- Give Me Your Data!
- Side Channel Analysis: Practice and a Bit of Theory
- A New Approach to Intrusion Detection and Prevention
- Crypto Hot Cases – One Year Backward
- Smart TV Insecurity
- Comparing Iranian, Chinese & North Korean Hacking Worlds
- ARM Exploitation
- Impressioning Attacks: Opening Locks with Blank Keys

More than 60 reports are placed on the PHDays site at: http://www.phdays.com/broadcast/

Most of the speakers sent us their presentations and now they are published at:

We have also made a short movie that summarized the most powerful moments of the recent event:
The Competitive Intelligence Contest’s Outcome
Competitive Intelligence became one of the most popular online contests at Positive Hack Days, the international forum on practical security. The contest was held during May 15, 16 and 17. It checked the participants' skills in searching for certain information on the Internet.

Many of us have heard about the actions of the Anonymous group. Competitive Intelligence gave each participant an opportunity to feel like an agent who is assigned to penetrate into such a group. According to the story, a participant finds himself to be a new member of Anneximous, an underground gang. The task is to gather information about the leaders of ATH, competitors from the World Wide Idol group and about dishonest members of the newly-made agent’s own community.

This time tasks were more difficult as compared to the last year's contest. A competitive intelligence researcher needs a great number of different skills and should be able to handle various tools and plugins. That's why we decided to make tasks more challenging. However, traditional requirements for deductive thinking and the ability to find links between data are still applicable.

The contest was finished at 7:00 pm on May 17, though some participants offered their answers after the contest was over. 301 participants registered to compete in the contest, 82 solved the intro task. A participant with the nickname The.Ghost became the winner of the main prize — iPad. Second place went to yarbabin, and MooGeek took third place. Other details are available in the table below.
| Nickname | Points | Place |
| --- | --- | --- |
| The.Ghost | 230* | I |
| yarbabin | 195* | II |
| MooGeek | 130* | III |
| godzillanurserylab | 105* | |
| topol | 35* | |
| Eugene-vs | 20 | |
| supertramp | 20 | |
| ReallyNonamesFor | 20 | |
| Anatolik11 | 20 | |
| true-bred | 0* | |
| gohome | 0* | |
| File_marshall | 15 | |

\* excluding 20 points for task 2.4

A detailed analysis of the contest's tasks is available in our blog. Some of the tasks turned out too difficult for every one of the participants, which is why the competition was extended.
WAF Bypass Results
This year, the visitors of the Positive Hack Days Forum could have a shot at bypassing the PT Application Firewall in the contest called WAF Bypass. It was a good opportunity for us to test our product in action, because the forum gathered the best information security experts.

Each contest task represented a script with a typical vulnerability. The participants were invited to use these vulnerabilities to get flags. All tasks were solvable, though some solutions were not obvious. The contestants were provided with the report about scanning the tasks' source code with another Positive Technologies product, Application Inspector.

The winner was a Moscow State University team consisting of Georgiy Noseevich, Andrey Petukhov, and Alexander Razdobarov. They managed to solve all the tasks! Ivan Novikov (d0znpp) took second place and Tom Van Goethem, a speaker from Belgium, was third. All three medal places were awarded valuable prizes: Apple iPad Air, Sony Xperia Z2, and an annual license for Burp Suite Pro, respectively.

Find more about the tasks, WAF bypassing, and the obtained experience in our blog.