News

7/16/2014

Hash Runner Results

Recently we published a review of the Hash Runner tasks in our blog. The contest took place over the three days before Positive Hack Days. The participants were invited to show their understanding of cryptographic algorithms and their skills in cracking hash functions. In the three years of the contest, we have had three unique winners: hashcat in 2012, john-users in 2013, and InsidePro in 2014. Every year, most submissions were received in the last 15 minutes, so the winner was determined in the very nick of time. In 2012 and 2013, InsidePro was beaten into second place by hashcat and john-users, respectively. This year, InsidePro finally came first. Congratulations to the winners!

  1. InsidePro with 22.81% (write-up) won two AMD Radeon R290X video cards.
  2. hashcat with 21.23% (write-up) won an AMD Radeon R290X video card.
  3. john-users with 12.78% (write-up) took the bronze.

All winners received Forum souvenirs.

6/23/2014

Survive Hacking at PHDays. Cyber Threats of a Common Apartment

Items and devices we use are becoming more and more convenient. Today, we have internet connections in our cars and even in certain kinds of microwaves and fridges. According to Gartner, there will be more than 26 billion intelligent home appliances and the market size will grow to 300 billion dollars by 2020.

6/19/2014

PHDays IV CTF: How It Was

Positive Hack Days IV, which was held on May 21 and 22, traditionally hosted a CTF contest. Over two days, ten teams from six countries hacked rivals' networks and beat back attacks. Positive Hack Days CTF's game infrastructure and tasks are usually designed according to a legend that adds special appeal to the contest. During last year's CTF, participants became the saviors of the fictional world D’Errorim. As the task was solved, they realized that they were fighting on the wrong side, and now their own home is in danger. So the plotlines of PHDays III CTF and PHDays IV CTF are related. The text of the legend is available on the forum's website.

The game principle

There are usually two types of CTF contests. First, task-based contests, where the goal is to solve tasks. Second, attack & defense contests, during which teams need to protect their systems and attack other teams. Positive Hack Days CTF combines these concepts and adds original game mechanics. For instance, in addition to standard tasks and services that contain vulnerabilities, PHDays CTF organizers developed unique quests with a limited lifetime, the bonus for which depends on how many teams solved these tasks.

6/16/2014

Smart City Hacked at PHDays IV

The Critical Infrastructure Attack (CIA) contest at Positive Hack Days IV has shown for the second time how weak critical infrastructure systems can be in terms of security. The participants successfully compromised various ICS systems during this two-day contest.

6/2/2014

Positive Hack Days IV: There are Doors that should be Opened Carefully

The famous quote of Friedrich Nietzsche about an abyss that gazes into you became the motto of the PHDays IV forum on practical security. Participants of the annual international conference learned about cyber threats for which civilization is unprepared: attacks performed against the power and transport systems of a city, a smart home turned into a trap, and hackers emptying a virtual bank account. Various ways of surviving in today's digital world were also discussed during the forum.

The recipe for PHDays is the same: minimum ads, maximum useful information, entertaining contests, informal communication, rich performances, awkward questions at round-table discussions, and an atmosphere of research during hands-on labs.

On May 21 and 22 more than 2,500 people from 18 countries visited the forum: leaders and specialists from information security departments of more than 700 financial, telecommunications and industrial companies, young scientists and businessmen, representatives of governmental authorities and the Internet society. Among the speakers and panellists were representatives of the Ministry of Foreign Affairs, the Bank of Russia, FSB, the Federation Council, as well as campaign managers and Russian and foreign information security experts. 15,000 people from six countries participated in performances and contests that took place at 19 PHDays Everywhere venues.

"This is the most powerful event in Russia dedicated to information security. Organizers invited the best experts from Russia and abroad. The forum's program is full of events and informative reports. And what's important, there are a lot of young people, and at such events they clearly see the advantages of applying their talents on the bright side", commented Sergey Himanich, Head of the Department of Information Security Project Implementation at Megafon.

Scenarios for a disaster film

Is it possible that one attacker can disrupt a whole city's infrastructure? Participants of the Critical Infrastructure Attack contest tried to find an answer to this question. They needed to test SCADA systems that controlled a heating plant, transport management and illumination systems, cranes and industrial robots. After discovering vulnerabilities, they had to demonstrate their exploitation on the contest city model. The forum's organizers provided participants with a ready-to-run industrial system. Despite its toylike look, the model was managed by the latest SCADA software used in real life.

Alisa Shevchenko turned out to be the best at solving the task. The Russian Lisbeth Salander discovered a number of critical vulnerabilities in a popular industrial automation system that is used by the world's largest companies. If exploited in real life, these vulnerabilities can cause harmful consequences, such as denial of service or functional failure of critical infrastructure management systems. Nikita Maksimov, Pavel Markov and Dmitry Kazakov took second to fourth places.

William Hagestad II, an expert in cyber-intelligence and counter-intelligence: "It is a unique event, where we can see how information security is created and find out who is who in the area. The forum is notable due to realistic contests, such as CTF, Critical Infrastructure Attack and the contest where participants are dealing with a smart home's obstacles".

Modern technologies

Cars, doors, vacuum cleaners and TVs all got out of control... It seems like something from a Stephen King novel. However, soon anyone will have to face the threat of his or her smart home becoming insane under the control of an attacker. According to Gartner, there will be more than 26 billion intelligent home appliances and the market size will grow to 300 billion dollars by 2020.

A model of a real apartment, which was created by the forum's organizers and equipped with various electrical appliances and a smart home system, turned out to be a trial for those who decided to participate in the contest. Details about winners will be available shortly.

Today the number of users of remote banking services in Europe and US is more than 120 million, and security of these systems constantly increases. But at PHDays they always manage to crack everything! During the $natch contest, by detecting and exploiting new serious vulnerabilities, hackers withdrew almost all the money from a virtual bank account (17 out of 20 thousand rubles).

At the end of the second day, a hands-on lab on ATM security assessment was held, and then there was a contest during which participants tried to hack an ATM. Unlike last year, though, this time no one was able to bypass the ATM's security system.

Tomorrow's army

Ten years ago, they said that if there happened to be a war with robots, Counter-Strike gamers were most likely to win it. But now we all know that hackers will win the war—they will just block this "heavy artillery".

Capture the flag contests are among the most impressive activities of the forum. The contest was first launched not long ago, but it gives prestige to its participants: PHDays CTF winners are able to get through to the finals of other competitions held in that format. PHDays CTF stands out against other CTF contests due to the original game scenario, real-life vulnerabilities and great visualization, thanks to which it was exciting not only to participate in the contest but also to watch the virtual battle.

Several hundred teams took part in PHDays CTF Quals. Ten teams from Russia, Spain, Poland, US and South Korea reached the final. During the two days of the forum, they fought for access to secret information, searched for vulnerabilities in the other teams' systems and protected their own systems. This year, the Polish team Dragon Sector became the winner, Int3pids from Spain took second place, and BalalaikaCr3w, a Russian team, came third.

Cyber forecast

The word "foresight" (methods of forecasting threats and providing preventive measures) became the most frequently used among participants of business sessions. Preemptive tactics are not a luxury but a virtual necessity—these issues were discussed at the round table "Critical Infrastructure Security". Participants spoke on measures that are taken for the protection of critical elements of various sectors: energy, banking, transport, telecommunications. They also attempted to classify cyber threats and assess incident-response readiness.

And it is the right time to raise these issues: as it turned out, about one hundred security incidents occurred in each large organization last year. Positive Technologies specialists obtained these data during the security analysis of strategic companies that make the top 100 list in Russia. The main reasons for the current situation lie on the surface. It is all about unfixed vulnerabilities in systems and applications (the age of certain vulnerabilities is more than 7 years!).

Participants of the discussion "State and Cybersecurity" often referred to the need for active foresight as well. The keynote of this discussion was another quote of Nietzsche: "He who fights with monsters should look to it that he himself does not become a monster".

The round table organized by Skolkovo

The PHDays IV forum is designed not only for professionals. It's also a chance for talented young specialists to find themselves in the "white hats" society, present their reports, and launch their own projects. For these purposes, PHDays Young School, a competition of research papers by students, postgraduates, and young scientists, is held. This year, twenty-two reports were presented by researchers from Russia and other countries. Finalists of the competition spoke at fast tracks during the forum. First place went to Maria Korosteleva and Denis Gamayunov; they presented the report on "Ensuring Cryptographically Strong Group Communications with the Feature of Deniability". Yelena Doynikova took second place; Denis Kolegov and Nikolay Tkachenko, third. For more information, see the PHDays website.

Visitors of the round-table discussion "Prospects for Investment in Information Security" spoke about the future of Russian startups. The discussion was organized by Positive Technologies together with the Skolkovo information security cluster. Main security trends in banking, manufacturing and government were discussed during the session. Organizational issues of startup events were also demonstrated. Skolkovo Foundation announced the launch of the competition of information security projects (for details see isecurity.sk.ru), which will last from June 2, 2014 till November. Skolkovo will grant financial assistance and tutorial support from leading experts to the winning participants.

Future of the information security market

During the session "IS Market: New Products, Questions, Answers", major players in the market demonstrated their products and solutions that might determine the development of the market in the near future. Cisco, Intel Security, RSA, Positive Technologies and Kaspersky Lab ran the marathon of new products. According to the panellists, there are three or four main sectors of constantly rising interest. For instance, small and medium-sized businesses are interested in ready-made tools that can take into account their specific characteristics; big business wants products that can translate information about security threats into terms accessible to shareholders and risk managers. Proactive defense for web applications and a variety of other applications is a topical problem as well. Their quantity and significance are growing constantly, and it is hard to protect them using old techniques.

Evgeniya Potseluevskaya, Head of the Analytical Group at Positive Technologies, presented the application security management system by describing the new security methods and unique functions of the new products PT Application Inspector and PT Application Firewall. It's worth mentioning that PT Application Firewall by Positive Technologies (released in the middle of the last year) is already listed as a secure WAF, according to Gartner, and was implemented by Megafon.

Ten most quoted reports

A few days after Positive Hack Days IV, the ranking of reports and sessions most quoted in social networks was formed. The topic of competitive intelligence turned out to be the most popular with the audience. Among the top three were the reports by Igor Ashmanov, Andrey Masalovich, Dmitry Kurbatov and Sergey Puzankov. The list of the most popular reports at PHDays IV and video recordings of sessions are available on the event's website.

The musical performance "The night of the cyberpunk eaters" at PHDays fitted in well with the theme of the event, filling the vacuum between the first and second day with inspiring stories about people creating and destroying digital worlds. During the first part, the audience met the MDS project, famous for reading classic and contemporary works on the radio: they read stories by Mersey Shelley and Bruce Sterling this time. After the performance, the night show started at the movie hall.

Partners

The largest technological companies joined PHDays as partners of the event: Cisco, EMC, ICL-KME CS, Intel Security, Kaspersky Lab and Mail.Ru were among them. The forum was organized with the informational support of 27 leading business and specialized media companies. Main media partners are the Expert magazine, BFM.RU (a business information portal), the Hacker magazine, the Internet portals SecurityLab.ru and Anti-Malware.ru, and the Bankir.Ru news agency.

5/30/2014

Best Reports at PHDays IV: Surveillance, Hacking and Nation-Specific Cyberwar

Big conferences with multiple reports delivered at once seem to obey Murphy's Law — the sections most interesting to you personally are scheduled at the same time. Choose one of them — miss the others. What can you do? As to the international forum on practical security Positive Hack Days, this problem is easy to solve — watch the video recordings of the reports. They are particularly valuable for those who missed the conference. All the video files are on the website phdays.com/broadcast/. Yet watching all the recordings made in all the halls during two days is an option for extremely patient people. It is far more logical to filter them by topic or author: first, read the descriptions in the program and then choose a particular report from the video list. Still, do not forget the reports were described before the conference, when nobody knew how interesting they would be. What if only the title is cool and the contents are dull? This is the reason we suggest the third method — by popularity. We have analyzed the feedback of the PHDays participants and picked the ten fanciest reports. Here they are:

  1. Big Data on Social Networks: No Need for NSA’s Special Surveillance to Keep Track of You
Igor Ashmanov, a specialist in artificial intelligence, started his report with a declaration that he was not interested in information security and got to the conference by accident. Still, he told so many fascinating facts on how to study people using social networks that the audience did not let him go for the whole hour after the report was over. The most Internet-cited are the slides related to "Navalny's band" and the rating of liberal and patriotic media based on the analysis of Twitter and Facebook reposts.
  2. Life After Snowden. Modern Tools of Internet Intelligence
If Mr. Ashmanov used social networks for generalized research, then Andrey Masalovich, Head of Competitive Intelligence Sector of the Academy of Information Systems, demonstrated techniques of more targeted private-data collection. The Pentagon showed many of these examples on its website. The most cited slide is passport scan collection by simple search on Vkontakte.
  3. How to Intercept a Conversation Held on the Other Side of the Planet
Sure enough, publishing phone conversations of well-known politicians is very trendy nowadays, thus the report title is not accidental. Dmitry Kurbatov and Sergey Puzankov, the experts at Positive Technologies, spoke not just about tapping, but also about other SS7 features hackers widely exploit: DoS attacks, fraud, money transfer, SMS hijacking and determining a subscriber’s location without their consent.
  4. Comparing Iranian, Chinese & North Korean Hacking Worlds
William Hagestad has served as a US Marine Officer for more than 20 years, and now is a qualified specialist in cyberwar technologies employed by different countries. He started his report speaking Chinese — as an example of a culture, and of information security issues in particular, that seem odd to people from the West. The rest of his speech is great to cite: "If you have a question, please stop me and ask me, coz I love the multi-task." It's hard to imagine a report delivered as showily by someone, say, from the Ministry of Defense of Russia.... But can't they rise to the challenge and respond at the next PHDays conference?
  5. Government and Information Security
The organizers invited people of different professions to this round table: a representative of the Ministry of Foreign Affairs, a member of the Federation Council, Head of the Coordination Center for TLD RU, a researcher from the Higher School of Economics, a director of an analytical company and two hackers. Alexey Andreev, the moderator of the discussion and a former chief editor of the Webplanet portal, suggested that they talk about new Internet laws in the language of security rather than in general terms. Why does a blogger with a total audience over 3,000 readers suddenly become dangerous? Why will Russia never adhere to the Budapest Convention on Cybercrime? Where is ICANN's "golden egg" hiding? How much does it cost to hack Dmytro Yarosh's mailbox? It was discursive, but interesting.
  6. Intercepter-NG: The New-Generation Sniffer
Alexander Dmitrenko, Head of Training Department at PentestIT, spoke about the development of "the most advanced tool to restore data from traffic". He covered the algorithms of a few little-known attacks. The author of the sniffer, introduced as Ares, used to correspond with Edward Snowden, who was interested in how the software processed huge data arrays. This is how we found out that children from the West play Russian games!
  7. My Journey Into 0-Day Binary Vulnerability Discovery in 2014
This year, PHDays met a lot of female hackers (or security specialists): a CTF girls-only team from the Republic of Korea, experts in cute SORM (System for Operative Investigative Activities), and Young School finalists. Alisa Shevchenko, Head of her own company Esage Lab, was twice ahead of the others at the conference. Besides the report on personal fuzzing techniques she delivered with examples of flaws in Microsoft Word and Microsoft XML, Alisa won the contest Critical Infrastructure Attack, having found several severe vulnerabilities in the latest SCADA versions. Later she confessed that searching for binary vulnerabilities was just a hobby for a couple of hours at night.
  8. Impressioning Attacks: Opening Locks with Blank Keys
The members of The Open Organization Of Lockpickers (this is what TOOOL stands for) visited PHDays for the second time already. During two days of the forum, their tables were surrounded by crowds of people. What the majority of us had just seen in movies was free to try at the forum: hacking an ordinary door lock with a couple of simple metal hooks. This year, TOOOL demonstrated not just picklocks, but also the impressioning technique: to open a door, you need only a blank key, a sharp eye and a file.
  9. SCADA Strangelove: Hacking in the Name
Sergey Gordeychik and six experts from Positive Technologies told several stories about vulnerabilities in industrial control systems employed in various facilities: energy meters, oil-production enterprises and even the Large Hadron Collider. Their vendors differ as well: ABB, Emerson, Honeywell, Siemens. In two years of work with SCADA, the company has detected 200 zero-day vulnerabilities, but the presentation included only those of them that could be disclosed, since vendors had already eliminated them. The reporters dropped a hint that they had a lot of similar stories to tell next year.
  10. . . . . . . . . . . . . . . .
The emptiness here is not a mistake. We think it is up to you to choose which report must take the tenth position. What report did you like most of all? We might have missed something, mightn't we? Join the conversation on our Facebook group.

5/26/2014

Day Two at PHDays IV: Most Notable Quotes

With its heart in the middle of Moscow, the grand forum on practical information security Positive Hack Days IV walked around the planet and reached its finale. Many thanks to all of you! An incredible concentration of out-of-the-box thinkers from different parts of the world made these two days run way too quickly. The winners of the international CTF competition, 2drunk2hack and many other contests have been decided, and important reports and entertaining hands-on labs have been held. Fifteen PHDays Everywhere hackspaces in four countries saw no less interesting events. Keep track of our news and Twitter @phdays. Today we are citing the most remarkable ideas expressed during the key discussions on May 22.

Who Owns the Internet?

5/23/2014

The First Day of PHDays IV: From Critical Infrastructure to Clip Thinking

The international forum on practical security Positive Hack Days IV launched on May 21 in Moscow. More than 2000 experts in information security, hackers, scientists, writers, representatives of the Internet society and government gathered to take part in the forum. Thanks to a large number of reports and seminars, discussions and contests, participants were able to learn more about real information security, talk about the future of the industry, and discuss the main topic of the forum – critical infrastructure security.

How to protect factories and ships

Infrastructure companies have become dependent on web systems, which makes experts think about various "Doomsday" scenarios, starting from disruption of water supply and electric power systems, and then interruption in trade operations and a food price crisis. Participants of the section "Critical Infrastructure Security" tried to classify problems that threaten critical industries and to understand whether they are ready to respond to such irregular situations. Representatives of the Federal Security Service and other organizations also spoke on protection of large international events, such as the Olympic Games. Bulat Guzairov, Head of the Department of Server Technologies at ICL-KME CS, spoke about establishing a protection center for the Universiade. The center consisted of experts from Positive Technologies, Kaspersky Lab and other companies.

Boris Simis, Deputy CEO at Positive Technologies, presented results of public opinion research of 63 leaders of the top 100 largest Russian companies. According to the research, malware attacks occurred in all the companies. More than 50% of the incidents caused serious financial and reputational damage and work disruption. Despite the fact that the questioned companies claimed their IS systems were debugged, in one case out of seven an incident was detected in which the attacker penetrated the internal network.

Among the session's participants were representatives of critical industries: Andrey Kurilo, Deputy Head of the Information Security Department at the Bank of Russia, Garald Bandurin, CIO at RusHydro, Marc Furrer, President of the Swiss company ComCom, Ahmad Hassan, Director of Risk Management and Compliance at du Telecom, Boris Makarov, Head of the Cybersecurity Center at RZD (Russian Railways).

The participants suggested that one of the main problems of critical infrastructure security is the lack of a foresight approach. Garald Bandurin noted that information security issues should be solved during the planning stage. Bulat Guzairov from ICL shared this point of view during his speech on security infrastructure development for the Universiade held in Kazan. He said that they had learned that the information security system development process and the organization of a large event should start simultaneously. In other words, information security specialists should be involved as soon as possible.

Ahmad Hassan from du Telecom offered a practical example from the telecom industry. He said that they usually start from risk assessment and designing response plans for various parts of the project. He also mentioned that the trend of switching to cloud technologies has changed the approach to information security.

RZD sticks to complex methods for IS issues as well. Boris Makarov said that one of the company's goals is to move the development cycle of microprocessor systems to Russia and to shift gradually to domestic development of computer elements.

During the discussion, experts also pointed out the importance of sharing experience between companies, and countries as well. The session's participants considered the problem of finding qualified personnel as "global".

Quotes of the day

Boris Simis: "It is not so easy to pass knowledge in our sphere as it might seem. We need personnel training methods—on the level of a state program, if possible."

No need for NSA

Igor Ashmanov was greeted with great enthusiasm. He is an expert in artificial intelligence, software development and project management and the managing partner of a famous media agency. Igor told the audience about security of social networks, i.e. about the fact that it's impossible to keep any information secret if you use these services. Systems that handle big data allow learning more about the private life of any person: from planning a pregnancy and troubles with a car or something to political views. Personal data of millions of users can be useful not for gloomy intelligence services but for large corporations with a clean image. According to Igor's research, Facebook stores and analyzes users' comments that were not published.

"Users migrated from LiveJournal to Facebook," Igor says. "And now they got used to short texts, short-living topics. So the clip thinking is being formed. A message lives for about 4–6 hours. This is the period during which the message is commented, retweeted, got likes etc. Moreover, 90% of people registered with social networks simply consume, they don't post or comment anything."

Igor Ashmanov: "After the Olympic games and the Crimea crisis, many liberals downloaded the Patriot update #phdays"

Hacking for good reasons

What do the second largest gas storage facility in Turkmenistan, the airport in Zurich and the Large Hadron Collider have in common? Sergey Gordeychik, Deputy CEO at Positive Technologies, and enthusiastic specialists from SCADA Strangelove spoke about new vulnerabilities in ICSs (SCADA) that manage a large number of critical objects. According to Sergey, specialists from Positive Technologies have discovered more than two hundred 0-day vulnerabilities in such systems and many of them haven't been fixed yet. More than seventy thousand ICSs are connected to the Internet and there are many publicly available tools that help detect them. There are also many exploits that make use of errors in these systems. But vendors are not in a hurry to fix them. And it's worth mentioning that almost one fifth of these vulnerabilities allow executing arbitrary code, which threatens not only business but the physical security of many people.

Artem Chaikin, a specialist at Positive Technologies, shared details about serious defects in smart grid technology for control and optimization of power supply expenses. Due to the rapid implementation of the technology, it will soon be possible to cut off the electricity supply of a whole city by writing a short piece of code.

Apart from competitions, CTF contests, reports, Fast Tracks and seminars (including making keys with specialists from TOOOL), the program of the first day included the section "Prospects for Investment in Information Security in Russia" organized by representatives from Skolkovo. During the round-table discussion "Telecoms: From SS7 to Billing", information security problems in the telecom sphere were discussed. Speakers of the section "Security Management Means Risk Management" (Mikhail Yemelyannikov as the moderator, among the participants: representatives of VTB Bank, VimpelCom, Lukoil-Inform and Yota) discussed the correlation of information security risks and operational risks.

And this is not a half of it

On the second day of the forum Alexey Andreev led the section "State and Cybersecurity", the main topic of which was whether it is possible to preserve civil liberties nowadays. In four other halls speakers spoke about botnets, ARM exploitation, and cryptographically strong group communications. Every participant of the $natch contest held on May 22 can try to withdraw money from bank accounts, while during the Critical Infrastructure Attack contest participants will be able to analyze the security of ICSs that are commonly used for factories and water power plants, transport infrastructure, illumination systems, and the oil and gas industry. You will know the details shortly. The schedule and more information about the forum's activities are available at http://www.phdays.com/program/schedule/.

5/22/2014

The $natch Contest Is Over

The $natch contest took place during Positive Hack Days IV. Contestants needed to detect vulnerabilities in remote banking systems.

5/21/2014

Any Participant Can Speak at PHDays

For the first time at Positive Hack Days, an open-mic session will be held. Any participant will be able to share details about his or her work and research with the world’s leading experts. To speak at the forum, you will need to tweet a message with the hashtag #phdom mentioning the official account of the forum @phdays or to send an e-mail to cfp@phdays.ru. Please add your name and a topic to the message. Example:

@phdays #phdom How to Stop Hacking and Start Phreaking:John Doe:15

A participant will have 15 minutes for the speech. The session will take place at the Transformer Hall on May 22 at 3:00 p.m. See you at PHDays!