News

5/20/2014

$natch at PHDays — E-banking System to Be Hacked is Available for Download

Do you want to try what it’s like to be a hacker stealing money from bank accounts? Take part in the $natch contest at Positive Hack Days IV! You will test your knowledge and skills in exploiting common vulnerabilities of remote banking web services. The task is based on the vulnerabilities that Positive Technologies' experts commonly find during real-life remote banking pentests. The contest consists of two rounds. First, you need to get familiar with the system — download the virtual machine copy at http://www.phdays.ru/download/ibank3.ova (root:phdays) or an archive with source code at http://www.phdays.ru/download/ibank_source.zip. You need to detect vulnerabilities the system includes before the contest starts. Then (during the second day of PHDays) you should exploit the vulnerabilities you discovered to withdraw funds. The winner receives the “stolen” money as a prize!

5/19/2014

Critical Infrastructure Attack. How to Hack a Whole City

We've heard a lot about industrial control systems that help reduce traffic congestions, save electricity and water, make production processes more efficient.... But what if just one hacker disrupts the whole infrastructure of a city? You think it's just a creepy idea for a sci-fi film? Let's check it! During the Critical Infrastructure Attack contest participants will be able to analyze the security of ICSs that are commonly used for factories and water power plants, transport infrastructure, illumination systems, oil and gas industry. To win, a participant should detect vulnerabilities and demonstrate their exploitation on the contest city model. A Bit of History and the Contest Legend Last year, the Choo Choo Pwn competition took place at PHDays III. The participants were offered to test a transport management system. The contest and the railway model, which was specially developed basing on three SCADA systems, became popular not only with PHDays participants, but also became a hit of other security conferences as well. About 30 information security specialists tried to hack the Choo Choo Pwn railway model during the Power of Community conference in Seoul.

5/16/2014

Government and Business Resistance to New Cyberthreats The PHDays IV Business Program

The security of critical infrastructures, prospects for investment in information security, the expediency of increasing control over the Internet, recent trends of the area of telecommunications, the security of web applications and remote banking systems, new products of the IS market—these are the main topics of the Positive Hack Days IV forum that will be held on May 21 and 22 this year. PHDays is an unprecedentedly large event that brings together specialists from both sides of the barricade, theory and practice, professional discussion and fascinating competitions. More than 2,000 specialists from 700 organizations in 18 countries will participate in the forum. The organizer is Positive Technologies. The largest technological companies will join PHDays as partners of the event: Cisco, EMC, ICL-КME CS, Intel Security, Kaspersky Lab and Mail.Ru are among them. The forum is organized with the informational support of 27 leading business and specialized media companies. Main media partners are the Expert magazine, BFM.ru (a business information portal), the Hacker magazine, the Internet portals SecurityLab.ru and Anti-Malware.ru, and the Bankir.Ru news agency. How to Protect Critical Infrastructure The round-table discussion "The Security of Critical Infrastructure" will take place on May 21. It will open the forum and give the main tone to the whole event. Participants of the discussion will have to answer two difficult questions. How heavily does humanity depend on the stability of critical infrastructure? How do we protect critical objects and do we do enough? The speakers of the session are Jean-Luc Molliner (Orange Group), Garald Bandurin (RusHydro), Ahmad Hassan (du Telecom), Jaehyoung Lee (KISA), Boris Simis (Positive Technologies), Boris Makarov (RZD). Among other participants are representatives of the FSB Information Security Center, Home Credit and Finance Bank, ICL-КME CS, IMPACT and Rosseti. Prospects of IS Startups The round-table discussion "Prospects for Investment in Information Security in Russia" is organized by Positive Technologies together with the Skolkovo information security cluster. Participants will discuss what role young specialists play in information security and their opportunities for self-fulfillment, investment funds' requirements for startups projects, present and future needs of government, banks and business. The discussion will take place on May 21, 2014. Among the participants are representatives of investment funds and technology parks, governmental bodies, media, as well as businessmen, developers, young entrepreneurs, researchers. The round-table discussion is not the only activity of the forum business program designed to support new technologies and young specialists. A pitch session, where the startups will present their products, will be held after that. It will allow representatives of business, investment funds and banks to assess the projects' potential. Those who are still considering the possibility to develop their ideas will be able to set up acquaintances and get useful recommendations. Government and Information Security A great number of new laws and bills related to "information security" have been adopted over the last two years. This refers to website blocking without a court ruling, ban on foreign hosting for government web resources, restraints on anonymous payments, and forcing bloggers with more than 3,000 readers to register with the national media office. But do these regulations prevent terrorism and criminal activity in the Internet? What influence do government initiatives have on information security? Which of them are insufficient and which excessive? Considering views of experts in different areas, participants will try to find answers on these questions during the round-table discussion "Government and Information Security" that will be held on May 22. Representatives of the Ministry of Foreign Affairs, Roskomnadzor, the State Duma, who lobby for new laws regarding the Internet, will take part in the discussion. On the other hand, these laws will hit at the interests of certain industries: representatives of the mass media and Internet business will attend the round table and express their point of view as well. Hackers will also have their word: only they know where the boundaries of information security really are. The PHDays IV business program includes the following specialized sections: "Telecoms: From SS7 to Billing" considers the latest tendencies in the security of the telecommunications sector, the need for loss prevention and anti-fraud systems and VAS/MSS implementation. Among the participants are leading experts and heads of IS departments of Megafon, VimpelCom, Vodafone India, Orange, du Telecom, Positive Technologies. "Security Management and Risk Management". Participants will discuss the relationship between information security risks and operating risks of large companies. Business leaders and heads of risk management departments of VTB Bank, Lukoil Inform, VimpelCom, Yota will appear in the section. "AppSec: From Mail to Government Services". This section considers the security of applications including remote banking systems. Representatives of the Bank of Russia, Yandex.Money, Emirates, Financial Technologies, Mail.Ru and Positive Technologies are invited. "IS Market: New Products, Questions, Answers". Major players in the market will demonstrate their products and solutions that are to determine the further development of the market in the near future. Among the speakers are experts from Cisco, Intel Security, Positive Technologies, Kaspersky Lab, ICL-КME CS. More than 100 various events will take place at PHDays IV. For more information about reports and sections please visit http://www.phdays.com/press/news/

5/14/2014

Cyberpunk Devourers Night

Many occupations are described in literature and cinemas. There are songs about pilots and scientists, films about sailors and doctors, novels about killers and bankers. However, millions of coders and other computer specialists get undeservedly little attention in the mass culture. You will hardly find a really worthwhile book or film about hackers. But that’s unfair! Just think about admins —no company can do without them. People run computer programs on their smartphones even more often than they talk to their family members. Where in the world are inspiring stories about people who create and hack digital universes? Cyberpunk Devourers Night at PHDays will fill this cultural gap. We’ll start with the project Model Dlya Sborki (or MDS, literally “a model kit”), which is popular for their radio performances of science fiction pieces. MDS prepared a special program for PHDays attendees: reading of funky stories accompanied by groovy music tracks that cause bright, unparalleled hallucinations…. Wait, hallucinations are not guaranteed, there are individual differences, you know. Some people get high listening to Bach J After this audio performance, the night cinema hall will open its doors. The program is kept secret, but here’s a hint for you: both spatial and time boundaries will expand. For example, there’ll be films about the space — a new field for hackers, isn’t it? Old and even silent movies will be shown! There’s an opinion that cyberpunk was much cooler in the early 20th century than it is now. You are invited to come and check it out! One more thing, a bar will be open in the cinema hall all night long to create the ambience and fuel your aesthetic sensitivity. You are welcome on May 21, from 22:30 till morning in the Conference Hall.

5/14/2014

Hackspaces from Four Different Countries Join PHDays Everywhere

Specialists in information security, scientists, politicians and businessmen will soon meet up in Moscow at the international forum Positive Hack Days. And this year, for the third time straight, people from other counties will be able to join the forum thanks to the PHDays Everywhere program (find more about last year's activities in the forum's blog). On May 21 and 22, hackspaces of different countries will open their doors to all comers. Hackspaces from Abu Dhabi (UAE), Birzeit (Palestine), Kiev and Lviv (Ukraine), and from such Russian cities as Krasnodar, Moscow, Murmansk, Novosibirsk, Omsk, Samara, Saratov, Ufa, Vladivostok, Vologda have already joined the initiative. The program of the forum includes reports and seminars from the world's leading experts, online contests, PHDays CTF, the competition for young scientists Young School and more. PHDays Everywhere hackpaces' visitors will keep track of the forum's events online in the HD format in both Russian and English. Competitions PHDays Everywhere provides fascinating contests for hackspace attendees in addition to online competitions held among all Internet users. They will be able to check their knowledge at PHDays Quiz, to take part in their own CTF contest, and to compete with teams from other hackspaces during Online HackQuest, organized by PentestIT. The forum's organizers prepared presents for the most active Twitter user who will tell about what is going on at his or her PHDays venue. Participants may also post on-the-spot reports in their blogs; the author of the best report will receive an award as well. You can find more about these and other competitions in the PHDays blog. PHDays Everywhere organizers will also hold separate contests for attendees from Omsk, Novosibirsk and Vladivostok. Take the opportunity of getting acquainted with information security specialists of your city. Take part in exciting contests. Join PHDays Everywhere! PHDays Everywhere hackspaces are listed on the forum's website. If you didn't find your city in the list—don't worry. New participants appear all the time.

4/25/2014

Experts and Hackers to Land on the PHDays Field How to fabricate a key, crack a browser, escape from a smart home

Why the Internet of things is a threat to national security? What is impressioning? How to detect a zero-day vulnerability in applications presented in the quantity of hundreds of millions of copies? Is there a panacea for DDoS attacks? We would like to bring to you attention a new set of reports that will be presented at Positive Hack Days IV. Two thousand experts in practical security will gather in Moscow on May 21 and 22 this year to discuss Iranian, Chinese and North Korean cyberpotencial, cryptography after Snowden and Heartbleed, raising information security awareness of Yandex specialists, important discoveries of SCADA Strangelove, cyberthreat for modern electrical substations, main attack vectors against SAP systems. Attendees of the forum will hear about new generation indicators of compromise, visual analytics in the field of information security, automated reverse engineering and more. The PHDays IV programm includes more than 40 reports, sections and round tables, hands-on labs, short and informative Fast Tracks. Do it yourself Hands-on labs held at Positive Hack Days usually get plenty of attention. As a rule, for participation in this kind of activity a person needs some basic grounding, thirst for knowledge and maybe a laptop. In particular, TOOOL's workshops are among the most popular. The members of the organization Deviant Ollam, Babak Javadi and Keith Howell keep proving that the basis of any security is physical security. This time, the three Houdinis will talk about impressioning—the art of fabricating a working key for a lock using only a hand file, a blank key, and keen observation. During the presentation, attendees will know the features of the method and will try to apply it by themselves. You can find a brief description of hands-on labs to be held at the forum on the PHDays website. Searching for the answers The most acute practical security issues that do not have a solution yet will be addressed at PHDays. The section “Internet of Things—a Threat of Next Generation?” will address address the threats triggered by gradual integration of digital technologies into our life. How to forecast these threats? What tools to use for mitigation? These and other issues will be tackled by the section speakers Andrey Bosenko (Perspektivny Monitoring), Andrey Moskvitin (Cisco), Andrey Petukhov (Moscow State University) and Artyom Chaikin (Positive Technologies). Éric Filiol, a well-known French professor, cryptologist, cybersecurity and cyber warfare expert, winner of the Roberval Prize for his book “Computer Virology: from Theory to Application”, will visit PHDays this year. He will present his view of the changes that occurred in cryptography after the revelations of Edward Snowden and shocking issues of RSA, Heartbleed, Goggle and ANSII. The speaker will also share a few non-official things. Experts from every corner of the world will consider a perspective approach to intrusion detection and prevention (Robert Griffin from EMC) and new challenges for mobile telecommunication operators based on the Orange example (Sébastien Roché, a mobile core network security manager at Orange Group). Among other topics: comparing Iranian, Chinese and North Korean hacking worlds (William Hagestad), implementation of information security awareness processes presented by Natalya Kukanova from Yandex (according to Positive Technologies, more than 30% of large companies' employees follow a phishing link). You can find a description of business-related reports on the PHDays website. Brief and clear In addition to standard reports the PHDays IV program includes an extensive Fast Track that involves informative and dynamic short speeches. Attendees will hear about how an anecdote that occurred to colleague software developers Igor Agiyevich and Pavel Markov helped them to learn “on the other side” how anti-virus labs really work. Moreover, participants of the forum with the help of Svetlana Gayvoronskaya and Ivan Petrov will learn how to catch shellcodes under ARM. Nazar Tymoshyk will tell about cloud honeypots for intruders. Dmitry Yerusov will speak on how to access corporate information in Microsoft Dynamics AX via an X++ injection. Denis Makrushin from Kaspersky Lab in his report will cover a security concept that makes DDoS attacks ineffective. Main techniques for hindering exploit detection and analysis in PHP scripts will be presented by Grigory Zemskov, Head of Revisium. Marat Rakhimov, a design engineer at Gazinformservice, will demonstrate how to integrate an IT-GRC system and a vulnerability and compliance management system. Moreover, Anton Sapozhnikov, a senior consultant at KPMG Russia, will present a brand new technique of exploiting a vulnerability in Windows SSPI implementation, which allows obtaining credentials even without admin privileges, while the system analyst at the Russian company Perspektivny Monitoring Andrey Plastunov will demonstrate a MiTM attack against an Android phone via a specially crafted NFC transmitter based on Arduino. Find more about Fast Track on the PHDays website. Reports and public round tables are only a small part of the great event that will launch in a month. Competitions are designed, the battlefield for PHDays Everywhere visitors is ready, CTF participants and Young School finalists are defined. Looking forward to seeing you at Positive Hack Days IV!

4/22/2014

Young School Finalists Defined

The Young School competition is being held for the third time in a row. The goal of the contest is to support young and talented specialists in information security giving them the opportunity to present their reports at the Positive Hack Days forum. A range of topics is rather wide, from applied cryptography through to ICS and government information systems security. The competition is designed for students, postgraduates, and young scientists. Applications for participation in the contest were accepted during three months. The most outstanding reports were selected this week. Here's the list of the finalists (in the order of abstracts receiving): Maria Korosteleva and her report “Ensuring Cryptographically Strong Group Communications with the Feature of Deniability” Philipp Bourtyka and Alyna Trepacheva with a report “Secure Cloud Computations Using Steganography: Definitions and Challenges”, Nikolay Tkachenko presenting “General Model of Web Applications Protection Techniques Based on Hash Functions”, Yelena Doynikova reporting on “Dynamic Assessment of Computer Networks Security in SIEM Systems”. One of them will be the winner. The list of out-of-competition participants will include Alexander Puzankov presenting his report with an intriguing name “Tough Time” and Maxim Kobilev, who will tell how to use a quadrocopter as a pentest tool. Young researchers will present their reports at Positive Hack Days IV. Congratulations! The program committee This year, the program committee included: Denis Gamayunov, MSU Faculty of Computational Mathematics and Cybernetics Alexey Kachalin, Advanced Monitoring Vladimir Ivanov, Yandex Evgeny Rodionov, MEPhI Peter Volkov, Yandex Dmitry Oleksyuk, an independent developer Alexey Smirnov, Parallels Igor Kotenko, SPIIRAS Nikita Abdullin, OpenWay Alexandra Dmitrienko, Technical University of Darmstadt Pavel Laskov, University of Tübingen Ekaterina Rudina, Kaspersky Lab Evgeny Tumoyan, the South Russian Regional Scientific Center of SFedU Andrey Petukhov, the chairman of the program committee, told us about the Young School final: “Sporting competitions may be played with a final four, which gives prestige to its participants. Such type of final builds up and increases the suspense during a contest. Young School holds its intrigue as well. First of all, Denis Kolegov and Nikolay Tkachenko, who took third place in the last year's competition, now are among the finalists. The list of finalists also includes representatives of the Laboratory of Computer Security Problems of SPIIRAS. And we know that last year, second place was awarded to a report received from the laboratory. Another finalist, Maria Korosteleva, a student of the Faculty of Computational Mathematics and Cybernetics of MSU, will try to match the success of the very first Young School competition winner, Anastasiya Scherbinina from the same faculty. Besides, it would be interesting to see how the newcomers, Philipp and Alyna from SFedU, will compete with the rest, more experienced participants.” Positive Hack Days IV will be held on May 21 and 22 in Moscow. You can register and visit the forum to see how the future of Russian science is created.

4/15/2014

PHDays IV Competitive Program

There is little time left before the beginning of PHDays. The CTF finalists are already determined, we develop the conference program (see part 1 and 2) and prepare PHDaуs Everywhere activities. Surely, not only exciting talks and hands-on labs, but also awesome contests are waiting for the visitors! A bit of history Traditionally, at Positive Hack Days the main focus is on practical contests, which allow attendees to demonstrate their skills in hacking and protection. Last time the PHDays contestants tried to protect the industrial control system of a miniature railroad model, practiced lockpicking, searched for breaches in a specially crafted Internet banking system and “stole” money right from an ATM. The hit of the show was the hacking labyrinth, full of laser motion sensors, imitators of covert listening devices and other cool stuff. Only at PHDays can you experience these and other adventures (such as analyzing network security or reverse engineering). Check out the contests below, prepared this time for white hats from all over the world. Challenges at the Venue Please note that you will need a laptop to participate in the majority of the contests. Critical Infrastructure Attacks (CIА) The challenge of analyzing security of real ICS systems controlling a railway model (Choo Choo Pwn) was a real specialty of PHDays III. Afterwards, its organizers had a real rock-star experience touring from one security conference to another around the world (see reports on Seoul and Hamburg).

4/2/2014

A Surprise Performance at PHDays

Since the topics to be discussed at Positive Hack Days IV are far beyond just technical issues, there's a surprise in store for participants of the forum. The creators of the project Model Dlya Sborki (or MDS, lit. “a model kit”) will present live audio performance at the Digital October Center on May 21 (from 7 pm till 10:30 pm). The history of the radio show goes back to 1995, when it first appeared on the air of Station 106.8 FM. Many listeners encountered MDS thanks to Silver Rain Radio, which aired the program from 2002 to 2004. In 2012, MDS received the Golden Podcast award at Russian Internet Week. The audio show is created under the direction of Vlad Kopp, the leader and the voice of the project. MDS is a symbiosis of literature and music. It involves reading of Russian and foreign classic and contemporary works (mainly science fiction) with the accompaniment of electronic music. We hope that you will enjoy the performance; it will consider the technological revolution and its consequences, which people might face in the nearest future.

3/20/2014

How to Hack Gmail and WordPress and Spy through TV

Hacking emails of authoritative users is usually accompanied by debates about the identity of such email correspondence that became available on the Internet. Until now, we thought that a correct DKIM signature indicates at the author of the correspondence containing this signature. But can we trust this authentication mechanism? Vulnerabilities in Google, Yandex and Mail.Ru will be discussed at the international information security forum Positive Hack Days IV, which will be held on May 21 and 22 in Moscow. Secure protocols are used insecurely The number of Google, Yandex and Mail.Ru users approaches one billion; hundreds of experts from all over the world are involved in security analysis of these services. However, no one is secured against vulnerabilities. Vladimir Dubrovin (3APA3A), the founder of SecurityVulns and developer of the 3proxy server, one of the most outstanding representatives of the Russian old school, will speak on the misuse of both well-known (SSL/TLS and Onion Routing) and recent protocols insuring privacy, integrity and data encryption. Vladimir will also present new attack vectors aimed at accessing data that are processed by various services, including email. A smart spy in your house At the beginning TV were just supposed to be TV. They were used to make people's life happier. Nowadays, TV are fully-featured PC, having a proper OS, camera, microphone, web browser, and applications. They still make people happy. Especially the malicious ones. Donato Ferrante and Luigi Auriemma , the founders of ReVuln, known for discovering vulnerabilities in SCADA and multiplayer games, will speak on the current status of Smart TV, exploring their attack surface, detailing possible areas of interest, and demonstrating some issues the speakers found while assessing the security of Smart TV from different vendors. ARM exploitation Participants of Aseem Jakhar's workshop will take their laptops and plunge into security issues of ARM. Aseem Jakhar is a researcher at Payatu Technologies and one of the founders of Nullcon. He will consider low-level programming starting right from the ARM assembly, shellcoding, buffer overflows, reverse engineering to сode injection. The workshop has a lot of hands-on to get the participants comfortable with ARM assembly and understand the issues involved in exploitation of ARM-based Linux systems. To make the workshop more interesting, it uses Android as the platform for learning ARM exploitation and hence it covers Android OS specific developing and security concepts. How to bug a conversation held on the other side of the planet Lately, phone communications records can be found in the Internet and even be heard on TV. It is obvious that such records were obtained without the knowledge of the subscribers. Many of us received weird text messages and, after that, long bills for mobile services. Sergey Puzankov, an expert at Positive Technologies specializing in mobile networks safety, will consider the possibilities of an intruder who has access to SS7. The author will speak about algorithms of attacks aimed at: disclosure of subscriber’s sensitive data and his or her location, changing dialing numbers of enabled services, call redirection, unauthorized intrusion into communication channel. Attacks are performed using recorded signaling messages. The research also consider proactive protection against such attacks and methods of investigating incidents related to vulnerabilities in a signaling network. Moloch the investigator Thousands of years ago, people made human sacrifice to Moloch, an ancient god. The report about Moloch as a highly scalable and open source full packet capture system does not contain such bloodthirsty elements (intruders might think otherwise). The system can capture from the wire live for use as a network forensics tool to investigate compromises. It also serves as a great way for searching and interacting with large PCAP repositories for research (malware traffic, exploit/scanning traffic) Its web API also makes it extremely easy to integrate with existing SEIM’s or other alerting tools/consoles to help speed up analysis. Andy Wick and Eoin Miller are members of AOL’s Computer Emergency Response Team. The hands/on lab will be focused on how AOL uses Moloch combined with IDS systems (Suricata/Snort) feeding alerting into consoles/SEIM’s (Sguil/ArcSight) to help defend their employees, users and the Internet at large. The experts will also run Moloch to capture the traffic that is occurring during PHDays CTF and analyze all the incidents. Industrial cybersecurity and critical infrastructure protection in Europe The events that have taken place during the last years (from 9/11 attacks to WikiLeaks and the Stuxnet malware) have made the governments to include in their agendas the development of national cybersecurity strategies to protect their critical infrastructures. Ignacio Paredes, Studies and Research Manager at the Industrial Cybersecurity Center in Spain, says that hundreds of thousands of industrial infrastructures across Europe are at stake. The report will consider the relation between industrial and corporate environments and its impact in key organizations for the survival of a country as well as current trends in the convergence between industrial and corporate systems, threats and countermeasures. WordPress security With approximately 19% of the web running on WordPress, it comes as no surprise that the security of this content management system has an enormous impact on a large number of users. Despite being open source, and reviewed by security researchers, WordPress is—just as any other software—prone to errors and vulnerabilities. Tom Van Goethem, a PhD student at KU Leuven (Belgium), will tell PHDays IV participants how the unexpected behavior of MySQL led to the discovery of a PHP Object Injection vulnerability in the WordPress core. The author will also demonstrate how this vulnerability can be exploited. The first group speakers is listed on the official site. If you want to present your report at the international information security forum, you must hurry up, because you can submit your application till March 31. Anyways, there are other ways to join PHDays IV.