News

5/26/2014

Day Two at PHDays IV: Most Notable Quotes

With its heart in the middle of Moscow, the grand forum on practical information security Positive Hack Days IV walked around the planet and reached its finale. Many thanks to all of you! An incredible concentration of out-of-the-box thinkers from different parts of the world made these two days run way too quickly. The winners of the international CTF competition, 2drunk2hack and many other contests have been decided, and important reports and entertaining hands-on labs have been held. Fifteen PHDays Everywhere hackspaces in four countries saw no less interesting events. Keep track of our news and Twitter @phdays. Today we are citing the most remarkable ideas expressed during the key discussions on May 22.

Who Owns the Internet?

5/23/2014

The First Day of PHDays IV: From Critical Infrastructure to Clip Thinking

The international forum on practical security Positive Hack Days IV launched on May 21 in Moscow. More than 2000 experts in information security, hackers, scientists, writers, representatives of the Internet society and government gathered together to take part in the forum. Thanks to a large number of reports and seminars, discussions and contests, participants were able to learn more about real information security, talk about the future of the industry, and discuss the main topic of the forum – critical infrastructure security.

How to protect factories and ships

Infrastructure companies have become dependent on web systems, which makes experts think about various "Doomsday" scenarios, starting from disruption of water supply and electric power systems, and then interruption in trade operations and a food price crisis. Participants of the section "Critical Infrastructure Security" tried to classify problems that threaten critical industries and to understand whether they are ready to respond to such irregular situations. Representatives of the Federal Security Service and other organizations also spoke on protection of large international events, such as the Olympic games. Bulat Guzairov, Head of the Department of Server Technologies at ICL-KME CS, spoke about establishing a protection center for the Universiade. The center consisted of experts from Positive Technologies, Kaspersky Lab and other companies. Boris Simis, Deputy CEO at Positive Technologies, presented the results of public opinion research of 63 leaders of the top 100 largest Russian companies. According to the research, malware attacks occurred in all the companies. More than 50% of the incidents caused serious financial and reputational damage and work disruption. Despite the fact that the questioned companies claimed their IS systems were debugged, in one case out of seven an incident was detected when the attacker penetrated into the internal network.
Among the session's participants were representatives of critical industries: Andrey Kurilo, Deputy Head of the Information Security Department at the Bank of Russia, Garald Bandurin, CIO at RusHydro, Marc Furrer, President of the Swiss company ComCom, Ahmad Hassan, Director of Risk Management and Compliance at du Telecom, and Boris Makarov, Head of the Cybersecurity Center at RZD (Russian Railways). The participants suggested that one of the main problems of critical infrastructure security is the lack of a foresight approach. Garald Bandurin noted that information security issues should be solved during the planning stage. Bulat Guzairov from ICL shared this point of view during his speech on security infrastructure development for the Universiade held in Kazan. He said that they had learned that development of the information security system and organization of a large event should start simultaneously. In other words, information security specialists should be involved as soon as possible. Ahmad Hassan from du Telecom offered a practical example from the telecom industry. He said that they usually start from risk assessment and designing response plans for various parts of the project. He also mentioned that the trend of switching to cloud technologies has changed the approach to information security. RZD also sticks to a complex approach to IS issues. Boris Makarov said that one of the company's goals is to move the development cycle of microprocessor systems to Russia and to shift gradually to domestic development of computer elements. During the discussion, experts also pointed out the importance of sharing experience between companies, and between countries as well. The session's participants considered the problem of finding qualified personnel "global".

Quotes of the day

Boris Simis: "It is not so easy to pass knowledge in our sphere as it might seem. We need personnel training methods—on the level of a state program, if possible."
No need for NSA

Igor Ashmanov was greeted with great enthusiasm. He is an expert in artificial intelligence, software development and project management and the managing partner of a famous media agency. Igor told the audience about the security of social networks, i.e. about the fact that it's impossible to keep any information secret if you use these services. Systems that handle big data make it possible to learn more about the private life of any person: from planning a pregnancy and troubles with a car or something to political views. Personal data of millions of users can be useful not for gloomy intelligence services but for large corporations with a clean image. According to Igor's research, Facebook stores and analyzes users' comments that were not published. "Users migrated from LiveJournal to Facebook," Igor says. "And now they got used to short texts, short-living topics. So the clip thinking is being formed. A message lives for about 4–6 hours. This is the period during which the message is commented, retweeted, got likes etc. Moreover, 90% of people registered with social networks simply consume, they don't post or comment anything."

Igor Ashmanov: "After the Olympic games and the Crimea crisis, many liberals downloaded the Patriot update #phdays"

Hacking for good reasons

What do the second largest gas storage facility in Turkmenistan, the airport in Zurich and the Large Hadron Collider have in common? Sergey Gordeychik, Deputy CEO at Positive Technologies, and enthusiastic specialists from SCADA Strangelove spoke about new vulnerabilities in ICSs (SCADA) that manage a large number of critical objects. According to Sergey, specialists from Positive Technologies have discovered more than two hundred 0-day vulnerabilities in such systems and many of them haven't been fixed yet. More than seventy thousand ICSs are connected to the Internet and there are many publicly available tools that help detect them. There are also many exploits that take advantage of errors in these systems.
But vendors are not in a hurry to fix them. And it's worth mentioning that almost one fifth of these vulnerabilities allow executing arbitrary code, which threatens not only business but the physical security of many people. Artem Chaikin, a specialist at Positive Technologies, shared details about serious defects in smart grid technology for control and optimization of power supply expenses. Due to the rapid implementation of the technology, it will soon be possible to cut off the electricity supply of a whole city by writing a short piece of code.

Apart from competitions, CTF contests, reports, Fast Tracks and seminars (including making keys with specialists from TOOOL), the program of the first day included the section "Prospects for Investment in Information Security in Russia" organized by representatives from Skolkovo. During the round-table discussion "Telecoms: From SS7 to Billing", information security problems in the telecom sphere were discussed. Speakers of the section "Security Management Means Risk Management" (Mikhail Yemelyannikov as the moderator, among the participants: representatives of VTB Bank, VimpelCom, Lukoil-Inform and Yota) discussed the correlation of information security risks and operational risks.

And this is not a half of it

On the second day of the forum Alexey Andreev led the section "State and Cybersecurity", the main topic of which was whether it is possible to preserve civil liberties nowadays. In four other halls speakers talked about botnets, ARM exploitation, and cryptographically strong group communications. Every participant of the $natch contest held on May 22 can try to withdraw money from bank accounts, while during the Critical Infrastructure Attack contest participants will be able to analyze the security of ICSs that are commonly used for factories and water power plants, transport infrastructure, illumination systems, and the oil and gas industry. You will know the details shortly.
The schedule and more information about the forum's activities are available at http://www.phdays.com/program/schedule/.

5/22/2014

The $natch Contest Is Over

The $natch contest took place during Positive Hack Days IV. Contestants needed to detect vulnerabilities in remote banking systems.

5/21/2014

Any Participant Can Speak at PHDays

For the first time at Positive Hack Days an open-mic session will be held. Any participant will be able to share details about his or her work and research with the world's leading experts. To speak at the forum, you will need to tweet a message with the hashtag #phdom mentioning the official account of the forum @phdays or to send an e-mail to cfp@phdays.ru. Please add your name and a topic to the message.

Example: @phdays #phdom How to Stop Hacking and Start Phreaking:John Doe:15

A participant will have 15 minutes for the speech. The session will take place at the Transformer Hall on May 22 at 3:00 p.m. See you at PHDays!

5/20/2014

$natch at PHDays — E-banking System to Be Hacked is Available for Download

Do you want to try what it’s like to be a hacker stealing money from bank accounts? Take part in the $natch contest at Positive Hack Days IV! You will test your knowledge and skills in exploiting common vulnerabilities of remote banking web services. The task is based on the vulnerabilities that Positive Technologies' experts commonly find during real-life remote banking pentests. The contest consists of two rounds. First, you need to get familiar with the system — download the virtual machine copy at http://www.phdays.ru/download/ibank3.ova (root:phdays) or an archive with source code at http://www.phdays.ru/download/ibank_source.zip. You need to detect vulnerabilities the system includes before the contest starts. Then (during the second day of PHDays) you should exploit the vulnerabilities you discovered to withdraw funds. The winner receives the “stolen” money as a prize!

5/19/2014

Critical Infrastructure Attack. How to Hack a Whole City

We've heard a lot about industrial control systems that help reduce traffic congestion, save electricity and water, and make production processes more efficient. But what if just one hacker disrupts the whole infrastructure of a city? You think it's just a creepy idea for a sci-fi film? Let's check it! During the Critical Infrastructure Attack contest participants will be able to analyze the security of ICSs that are commonly used for factories and water power plants, transport infrastructure, illumination systems, and the oil and gas industry. To win, a participant should detect vulnerabilities and demonstrate their exploitation on the contest city model.

A Bit of History and the Contest Legend

Last year, the Choo Choo Pwn competition took place at PHDays III. The participants were invited to test a transport management system. The contest and the railway model, which was specially developed based on three SCADA systems, became popular not only with PHDays participants, but also became a hit at other security conferences. About 30 information security specialists tried to hack the Choo Choo Pwn railway model during the Power of Community conference in Seoul.

5/16/2014

Government and Business Resistance to New Cyberthreats: The PHDays IV Business Program

The security of critical infrastructures, prospects for investment in information security, the expediency of increasing control over the Internet, recent trends in the area of telecommunications, the security of web applications and remote banking systems, new products of the IS market—these are the main topics of the Positive Hack Days IV forum that will be held on May 21 and 22 this year. PHDays is an unprecedentedly large event that brings together specialists from both sides of the barricade, theory and practice, professional discussion and fascinating competitions. More than 2,000 specialists from 700 organizations in 18 countries will participate in the forum. The organizer is Positive Technologies. The largest technological companies will join PHDays as partners of the event: Cisco, EMC, ICL-KME CS, Intel Security, Kaspersky Lab and Mail.Ru are among them. The forum is organized with the informational support of 27 leading business and specialized media companies. Main media partners are the Expert magazine, BFM.ru (a business information portal), the Hacker magazine, the Internet portals SecurityLab.ru and Anti-Malware.ru, and the Bankir.Ru news agency.

How to Protect Critical Infrastructure

The round-table discussion "The Security of Critical Infrastructure" will take place on May 21. It will open the forum and set the main tone for the whole event. Participants of the discussion will have to answer two difficult questions. How heavily does humanity depend on the stability of critical infrastructure? How do we protect critical objects and do we do enough? The speakers of the session are Jean-Luc Molliner (Orange Group), Garald Bandurin (RusHydro), Ahmad Hassan (du Telecom), Jaehyoung Lee (KISA), Boris Simis (Positive Technologies), Boris Makarov (RZD). Among other participants are representatives of the FSB Information Security Center, Home Credit and Finance Bank, ICL-KME CS, IMPACT and Rosseti.
Prospects of IS Startups

The round-table discussion "Prospects for Investment in Information Security in Russia" is organized by Positive Technologies together with the Skolkovo information security cluster. Participants will discuss what role young specialists play in information security and their opportunities for self-fulfillment, investment funds' requirements for startup projects, and the present and future needs of government, banks and business. The discussion will take place on May 21, 2014. Among the participants are representatives of investment funds and technology parks, governmental bodies, media, as well as businessmen, developers, young entrepreneurs and researchers. The round-table discussion is not the only activity of the forum business program designed to support new technologies and young specialists. A pitch session, where the startups will present their products, will be held after that. It will allow representatives of business, investment funds and banks to assess the projects' potential. Those who are still considering the possibility of developing their ideas will be able to make acquaintances and get useful recommendations.

Government and Information Security

A great number of new laws and bills related to "information security" have been adopted over the last two years. This refers to website blocking without a court ruling, a ban on foreign hosting for government web resources, restraints on anonymous payments, and forcing bloggers with more than 3,000 readers to register with the national media office. But do these regulations prevent terrorism and criminal activity on the Internet? What influence do government initiatives have on information security? Which of them are insufficient and which excessive? Considering views of experts in different areas, participants will try to find answers to these questions during the round-table discussion "Government and Information Security" that will be held on May 22.
Representatives of the Ministry of Foreign Affairs, Roskomnadzor and the State Duma, who lobby for new laws regarding the Internet, will take part in the discussion. On the other hand, these laws will hit the interests of certain industries: representatives of the mass media and Internet business will attend the round table and express their point of view as well. Hackers will also have their word: only they know where the boundaries of information security really are.

The PHDays IV business program includes the following specialized sections:

"Telecoms: From SS7 to Billing" considers the latest tendencies in the security of the telecommunications sector, the need for loss prevention and anti-fraud systems and VAS/MSS implementation. Among the participants are leading experts and heads of IS departments of Megafon, VimpelCom, Vodafone India, Orange, du Telecom, Positive Technologies.

"Security Management and Risk Management". Participants will discuss the relationship between information security risks and operating risks of large companies. Business leaders and heads of risk management departments of VTB Bank, Lukoil Inform, VimpelCom, Yota will appear in the section.

"AppSec: From Mail to Government Services". This section considers the security of applications including remote banking systems. Representatives of the Bank of Russia, Yandex.Money, Emirates, Financial Technologies, Mail.Ru and Positive Technologies are invited.

"IS Market: New Products, Questions, Answers". Major players in the market will demonstrate their products and solutions that are to determine the further development of the market in the near future. Among the speakers are experts from Cisco, Intel Security, Positive Technologies, Kaspersky Lab, ICL-KME CS.

More than 100 various events will take place at PHDays IV. For more information about reports and sections please visit http://www.phdays.com/press/news/

5/14/2014

Cyberpunk Devourers Night

Many occupations are described in literature and cinema. There are songs about pilots and scientists, films about sailors and doctors, novels about killers and bankers. However, millions of coders and other computer specialists get undeservedly little attention in mass culture. You will hardly find a really worthwhile book or film about hackers. But that’s unfair! Just think about admins—no company can do without them. People run computer programs on their smartphones even more often than they talk to their family members. Where in the world are inspiring stories about people who create and hack digital universes?

Cyberpunk Devourers Night at PHDays will fill this cultural gap. We’ll start with the project Model Dlya Sborki (or MDS, literally “a model kit”), which is popular for its radio performances of science fiction pieces. MDS prepared a special program for PHDays attendees: reading of funky stories accompanied by groovy music tracks that cause bright, unparalleled hallucinations… Wait, hallucinations are not guaranteed, there are individual differences, you know. Some people get high listening to Bach :)

After this audio performance, the night cinema hall will open its doors. The program is kept secret, but here’s a hint for you: both spatial and time boundaries will expand. For example, there’ll be films about space — a new field for hackers, isn’t it? Old and even silent movies will be shown! There’s an opinion that cyberpunk was much cooler in the early 20th century than it is now. You are invited to come and check it out! One more thing, a bar will be open in the cinema hall all night long to create the ambience and fuel your aesthetic sensitivity. You are welcome on May 21, from 22:30 till morning in the Conference Hall.

5/14/2014

Hackspaces from Four Different Countries Join PHDays Everywhere

Specialists in information security, scientists, politicians and businessmen will soon meet up in Moscow at the international forum Positive Hack Days. And this year, for the third time straight, people from other countries will be able to join the forum thanks to the PHDays Everywhere program (find more about last year's activities in the forum's blog). On May 21 and 22, hackspaces of different countries will open their doors to all comers. Hackspaces from Abu Dhabi (UAE), Birzeit (Palestine), Kiev and Lviv (Ukraine), and from such Russian cities as Krasnodar, Moscow, Murmansk, Novosibirsk, Omsk, Samara, Saratov, Ufa, Vladivostok and Vologda have already joined the initiative. The program of the forum includes reports and seminars from the world's leading experts, online contests, PHDays CTF, the competition for young scientists Young School and more. Visitors of PHDays Everywhere hackspaces will keep track of the forum's events online in HD format in both Russian and English.

Competitions

PHDays Everywhere provides fascinating contests for hackspace attendees in addition to online competitions held among all Internet users. They will be able to check their knowledge at PHDays Quiz, to take part in their own CTF contest, and to compete with teams from other hackspaces during Online HackQuest, organized by PentestIT. The forum's organizers prepared presents for the most active Twitter user who will tell about what is going on at his or her PHDays venue. Participants may also post on-the-spot reports in their blogs; the author of the best report will receive an award as well. You can find more about these and other competitions in the PHDays blog. PHDays Everywhere organizers will also hold separate contests for attendees from Omsk, Novosibirsk and Vladivostok. Take the opportunity of getting acquainted with information security specialists of your city. Take part in exciting contests. Join PHDays Everywhere!
PHDays Everywhere hackspaces are listed on the forum's website. If you didn't find your city in the list—don't worry. New participants appear all the time.

4/25/2014

Experts and Hackers to Land on the PHDays Field: How to fabricate a key, crack a browser, escape from a smart home

Why is the Internet of Things a threat to national security? What is impressioning? How do you detect a zero-day vulnerability in applications distributed in hundreds of millions of copies? Is there a panacea for DDoS attacks? We would like to bring to your attention a new set of reports that will be presented at Positive Hack Days IV. Two thousand experts in practical security will gather in Moscow on May 21 and 22 this year to discuss Iranian, Chinese and North Korean cyberpotential, cryptography after Snowden and Heartbleed, raising information security awareness of Yandex specialists, important discoveries of SCADA Strangelove, cyberthreats for modern electrical substations, and main attack vectors against SAP systems. Attendees of the forum will hear about new generation indicators of compromise, visual analytics in the field of information security, automated reverse engineering and more. The PHDays IV program includes more than 40 reports, sections and round tables, hands-on labs, and short and informative Fast Tracks.

Do it yourself

Hands-on labs held at Positive Hack Days usually get plenty of attention. As a rule, for participation in this kind of activity a person needs some basic grounding, thirst for knowledge and maybe a laptop. In particular, TOOOL's workshops are among the most popular. The members of the organization Deviant Ollam, Babak Javadi and Keith Howell keep proving that the basis of any security is physical security. This time, the three Houdinis will talk about impressioning—the art of fabricating a working key for a lock using only a hand file, a blank key, and keen observation. During the presentation, attendees will learn the features of the method and will try to apply it themselves. You can find a brief description of hands-on labs to be held at the forum on the PHDays website.

Searching for the answers

The most acute practical security issues that do not have a solution yet will be addressed at PHDays.
The section “Internet of Things—a Threat of Next Generation?” will address the threats triggered by gradual integration of digital technologies into our life. How to forecast these threats? What tools to use for mitigation? These and other issues will be tackled by the section speakers Andrey Bosenko (Perspektivny Monitoring), Andrey Moskvitin (Cisco), Andrey Petukhov (Moscow State University) and Artyom Chaikin (Positive Technologies). Éric Filiol, a well-known French professor, cryptologist, cybersecurity and cyber warfare expert, winner of the Roberval Prize for his book “Computer Virology: from Theory to Application”, will visit PHDays this year. He will present his view of the changes that occurred in cryptography after the revelations of Edward Snowden and the shocking issues of RSA, Heartbleed, Google and ANSSI. The speaker will also share a few non-official things. Experts from every corner of the world will consider a promising approach to intrusion detection and prevention (Robert Griffin from EMC) and new challenges for mobile telecommunication operators based on the Orange example (Sébastien Roché, a mobile core network security manager at Orange Group). Among other topics: comparing Iranian, Chinese and North Korean hacking worlds (William Hagestad), and implementation of information security awareness processes presented by Natalya Kukanova from Yandex (according to Positive Technologies, more than 30% of large companies' employees follow a phishing link). You can find a description of business-related reports on the PHDays website.

Brief and clear

In addition to standard reports the PHDays IV program includes an extensive Fast Track that involves informative and dynamic short speeches. Attendees will hear about how an anecdote that happened to fellow software developers Igor Agiyevich and Pavel Markov helped them to learn “from the other side” how anti-virus labs really work.
Moreover, participants of the forum, with the help of Svetlana Gayvoronskaya and Ivan Petrov, will learn how to catch shellcode on ARM. Nazar Tymoshyk will talk about cloud honeypots for intruders. Dmitry Yerusov will speak on how to access corporate information in Microsoft Dynamics AX via an X++ injection. Denis Makrushin from Kaspersky Lab will cover in his report a security concept that makes DDoS attacks ineffective. Main techniques for hindering exploit detection and analysis in PHP scripts will be presented by Grigory Zemskov, Head of Revisium. Marat Rakhimov, a design engineer at Gazinformservice, will demonstrate how to integrate an IT-GRC system and a vulnerability and compliance management system. Moreover, Anton Sapozhnikov, a senior consultant at KPMG Russia, will present a brand new technique of exploiting a vulnerability in the Windows SSPI implementation, which allows obtaining credentials even without admin privileges, while Andrey Plastunov, a system analyst at the Russian company Perspektivny Monitoring, will demonstrate a MiTM attack against an Android phone via a specially crafted NFC transmitter based on Arduino. Find more about Fast Track on the PHDays website.

Reports and public round tables are only a small part of the great event that will launch in a month. Competitions are designed, the battlefield for PHDays Everywhere visitors is ready, CTF participants and Young School finalists are defined. Looking forward to seeing you at Positive Hack Days IV!