News
17 Hackspaces From 7 Countries Joined PHDays III
To take part in the PHDays forum, local information security specialists gathered together in Abu Dhabi (United Arab Emirates), Birzeit (Palestine), Cairo (Egypt), Kollam (India), Tunis (Tunisia), Kiev and Lviv (Ukraine), and Vladivostok, Voronezh, Kaliningrad, Novosibirsk, Omsk, St. Petersburg, Saratov and Ufa (Russia).
A Researcher from Tomsk Wins PHDays III Young School
The results of PHDays III Young School, a national information security competition of young scientists, are known. The program committee considered a great number of applications and selected four best works, the authors of which spoke at PHDays in front of leading IS specialists from all over the world. The ideas of the PHDays Young School participants find practical application very quickly. At the final stage of the competition, Andrey Iskhakov's "Two-Factor Authentication System Based on QR Code" (Tomsk State University of Control Systems and Radioelectronics) was voted the most interesting and promising work. It is already decided that the premises of Tomsk special economic zone will be equipped with Andrey's security system in 2014 — security badges will be substituted by a special identification program for employees' mobile devices. The mobile applications of the PHDays III Young School winner allow fixing security badge and passage ticket flaws, in which static identifiers are used. This software automatically generates one-time passwords valid for a few seconds only. This method decreases the possibility of their copy and exploitation by attackers. Andrey Chechulin (St. Petersburg) with his research "Composition of Attack Charts for Analysis of Security Events" was the second. Nikolay Tkachenko (Tomks) presented his report on "Development and Implementation of the Mandatory Access Control Mechanism in MySQL" and took the third place, and Ksenia Tsyganok (Taganrog) with her report "Statistical Analysis for Malware Classification" came forth. Young School is devoted to students, postgraduates and independent young scientists and is held by the PHDays organizers for the second year in a row. The goal of the competition is to find talented information security specialists and to define whether Russian universities graduates are ready to perform their own researches. In 2012 works of eight finalists of the competition were published in journals that are included in the Higher Attestation Commission list, which is to confirm the high level of the works. The competition of young scientists is held as part of the Positive Education program initiated by Positive Technologies. The initiative is to expand the knowledge that young scientists got at the university and to introduce the experience of practical security gained by the Positive Technologies experts. This time the winners were decided by leading IS experts from Positive Technologies, Microsoft, Advanced Monitoring, Digital Security, ERPScan, Yandex, Hacker Magazine, MSU Faculty of Computational Mathematics and Cybernetics, MEPHI, SPIIRAS, Technical University of Darmstadt, University of Tübingen, Russian Defcon Group. The competition was supported by Asteros, an intellectual sponsor of the forum. "At the risk of sounding like Captain Obvious, I should say that such contests play a great part in creation of the modern IS community and stimulate young scientists to get involved in real research projects. Downloaded term papers will become a rare case once," commented Andrey Petukhov (Faculty of Computing Mathematics and Cybernetics, MSU), one of the organizers of PHDays III Young School. "A stereotype has developed recently — a graduate is a specialist who needs to be trained for several more years. Having thought of Young School, we wanted to show that the situation is different — students and postgraduates can perform researches independently and provide innovative and requested technical solutions. We were so pleased to know we were right. It would be amazing if students could be engaged not only in "paper security" but in practical tasks, with which specialists have to deal every day. I hope that such contests as Young School will ignite universities competitiveness, which will only do good to all of us," noted Dmitry Kuznetsov, Deputy CTO at Positive Technologies.
PHDays III CTF: Levart D’Errorim
The Positive Hack Days forum, which was held on May 23 and 24, traditionally hosted a CTF contest. During two days, ten teams from six countries beat back attacks and hacked rivals' networks. Plot To add a special appeal to the contest, the PHDays CTF organizers created a legend according to which the plot line and game infrastructure were prepared. The PHDays III CTF legend ran as follows: the teams were to save the poor people of D’Errorim from horrid monsters that would knock down every living thing. Visualization The audience often notes that CTF contests are not entertaining. In order to turn the PHDays CTF into the most spectacular hacking contest, many efforts has been taken by the organizers for creating visualization. Due to their efforts iPhone and Android apps were developed. By installing the application, anyone could watch the battle on his or her phone display. In addition, a web visualization was available on the PHDays site. Tasks The conditions of the CTF contest are as close to real life as possible, although it has a tinge of magic. During the tasks creating, the Positive Technologies experts’ practical experience in detecting security issues was used, that's why many vulnerabilities of the game infrastructure can occur in real life as well. Anyways, the participants were to show not only their hacking skills to win the contest. On of the PHDays III CTF tasks was the Labyrinth: the participants needed to get over the laser field and motion detectors, open secret doors, clear the room of bugs, combat with artificial intelligence and render a bomb harmless. Another test for the partakers was to solve the Competitive Intelligence task. Winners The contest was really fierce. During two days of the forum, different teams enjoyed the leading place at various times, among them were ufologists, PPP, RAON_ASRT, Eindbazen and More Smoked Leet Chicken. Eindbazen became the winner. PPP, a US team that won PHDays CTF 2011, took second place, and More Smoked Leet Chicken, the last year's champion, a Russian team, came third. The winners were awarded with cases with money inside as a prize. 2drunk2hack After the CTF contest, the teams could finally relax and take part in 2drunk2hack. Vladimir Vorontsov (ONSec), a repeated champion of the contest, conceded the championship to geohot, a well-known hacker from the PPP team. The winner celebrated the victory performing a freestyle song in a Moscow bar. That's all for today! We're going to make the next year's PHDays CTF more fascinating and it will left no indifferent.
Positive Hack Days III is Over
The information security forum PHDays III attracted more than 2,000 participants from Germany, India, Spain, Italy, Korea, Netherlands, United Arab Emirates, USA, Japan, and other countries. They are leading information security experts, hackers, bloggers, pressmen, politicians, and government representatives. The forum, which took place on May 23 and 24, embraced discussions of security and attack technologies, of regulations and law initiatives, competitions in detection of ATM, remote banking system and SCADA vulnerabilities, hands-on labs and hacking battles. Jackets and t-shirts Both the government and business need information security experts. This is the main idea of the round table initiated for the sake of young specialists' problems. Georgy Gritsay, Deputy Head of the Radio Frequency and Telecom Networks Department of the Ministry for Communications, underlined that, according to the situation in 2012, Russia needs information security specialists badly. Ruslan Gattarov, a representative of the Federation Council, noted that the President of Russia pays close attention to the industry — decree of the President No. 31c, which makes information security a state concern issue, was issued in January. Vladimir Zhirinovsky advised young information security specialists to work positively and not to mess with crime, and Oksana Dokuchaeva, who represented the Information Security Center of the Federal Security Service, addressed the Russian regions to pay more attention to CTF games in Russia. The forum saw more than ten business sections related to cyberwar and cybercrime, SCADA security, regulators audit, bank application security, and other topics. Much interest was aroused by an open discussion with the representatives of FSTEC, Rostelecom, Cisco, Positive Technologies, where the drawbacks of the modern security certification system were talked over. Vitaly Lyutikov, Head of the Administration of the Federal Service for Technical and Export Control (FSTEC of Russia), stated that the regulating authority was developing a whole series of up-to-date standards: guidelines on security assessment, trust download and some security tools, as well as Federal Standard (GOST) related to the organization of the lifecycle of secured information system development. So long-awaited recommendations on updating of certified security tools (installation of patches decertifies a system) are being prepared now. According to Lyutikov, FSTEC welcomes experts to take part in regulations development and keeps on public discussion of document drafts. The say, "I don't believe!" and keep on hacking Dozens of reports were delivered and a lot of topics were brought up at PHDays III — from bypassing modern WAF by Vladimir Vorontsov to detecting attack sources by Alexander Gostev. Numerous SCADA vulnerabilities detected by the expert group of Positive Research Center were also talked over. Marc Heuse, a researcher and developer from Germany also known as van Hauser, pointed out the importance of coordination of all parties interested in information security development. "We make a whole. Don't be afraid of hackers, but take into account their specific work. Good hackers are rebels by nature, they hardly blend with common corporate or government structures, where it is supposed that their products are the best, their systems are 100% protected, their customers are secured. They say, "I don't believe", and detect so annoying flaws and vulnerabilities. We need to work together, to understand and teach each other. There is no other way." Hack an ATM with a clip The reporters of PHDays III managed to surprise the world once again — they showed the most perilous vulnerabilities detected in hundreds of thousands of surveillance cameras all over the word, dashcams security flaws, security problems with the Internet access systems used by the planes of American Airlines. Experts demonstrated new ATM attack vectors including access to an ATM service zone using materials at hand. They also switched an ATM to a service mode by a common clip. Though hackers from all over the world participated in the forum, students from Russia did better than the others. For instance, Anatoly Katyushin, a fifth-year student, was the best in exploitation of a remote banking system vulnerability, and Mikhail Elizarov, a first-year student, conquered not only a railroad controlled by SCADA, but an ATM constructed specifically for the contest as well. New ideas A special exhibition, where the largest IT companies (ELVIS-PLUS, Stonesoft Corporation, Kaspersky Lab, EMC, Asteros, Cisco, and ICL) showed their newest solutions, was initiated. Positive Technologies, the forum organizer, presented two products: PT Application Inspector, a security control system, which combines static, dynamic and interactive source code analysis, as well as PT Application Firewall, which combines common white and black lists and new self-training possibilities. It's just the beginning PHDays III threw it doors open to young researchers and start-up companies (ONsec, Esage Lab, Fairwaves, SolidLab) as well. They managed to tell the expert audience about their business and to receive valuable comments. According to the forum organizers, the industry can develop only if innovative and promising ideas are implemented in real life helping to ensure security.
ATM Hacked at PHDays III
Foreign experts in physical information security discovered and demonstrated vulnerabilities in bank equipment at the Positive Hack Days III forum, which was held on May 23 and 24 in Moscow. The contest's ATM contained vulnerabilities, one of which gave access to servicing area without a key. The other vulnerability allowed switching the machine into service mode using a common paper clip. Later on, a related contest was held at the venue. During a limited period of time the participants were to exploit detected vulnerabilities and reproduce the steps that allowed switching the ATM into service mode. Mikhail Elizarov, a first-year student from the North Caucasian Federal University (Nevinnomyssk, Stavropol Krai, Russia) was the first to solve the tasks and so he won the contest. The Positive Hack Days participants traditionally pay attention to bank security issues. Besides the contest related to physical security analysis, the $natch competition was hosted during the forum. The partakers needed to find security errors in a remote banking system. The section "Banking Applications and Cybercrimes: Which will Win?" was also held on the second day of the forum. The moderator was Artyom Sychev, Head of Security Service at Russian Agricultural Bank.
Students Found SCADA Vulnerabilities at PHDays
Mikhail Elizarov, a first year student of the North-Caucasus Federal University (Nevinnomyssk, Stavropol Territory), and Arseny Levshin, a student from Minsk, won the contest related to SCADA security assessment, which took place as part of the international forum Positive Hack Days III. SCADA is used to control important objects in such sectors as energy, transportation, etc. For instance, such systems are employed in nuclear power plants and electric trains. Any SCADA failure can lead to a disaster and extensive damage, however, the developers of such systems still pay little attention to their software security. This was proved by the contest results. The Choo Choo Pwn participants needed to detect and exploit the vulnerabilities of industrial equipment used to control and automate technological processes. The contest was aimed at accessing the control system of a railroad and cargo re-loading model and at bringing down a video surveillance system as part of an extra task. Alexander Timorin, Ilya Karpov, Gleb Gritsay, and Dmitry Efanov, the information security experts at Positive Technologies, were engaged in development of the railroad model and SCADA. Mikhail Elizarov told us about the competition, "At first, we tried to obtain control over the re-loading system, which was running on Modbus. We managed to detect a system, which emulated this protocol. It allowed us to find out control bits and render them to the system gaining control over the crane. We could hardly detect all the vulnerabilities of the provided protocols — we were short of time." According to Mikhail, SCADA contains a lot of vulnerabilities because developers expect these systems to have no direct connection to the Internet, and thus do not pay due attention to security. "Franky speaking, I've just cut my teeth on industrial protocols. The contest provided quite a serious emulation of SCADA, so it was very interesting to participate in the security assessment competition", said Arseny Levshin. "When Stuxnet and direct ICS attacks appeared, the security of industrial systems became a top issue in publications, conferences, and researches. On the other hand, this area is Terra Incognita, which requires significant investments. Such contests allow demonstrating how low the current security level of critical infrastructure components is", resumed Sergey Gordeychik, the CTO at Positive Technologies. It is worth noting that Mikhail Elizarov also won the contest, which was held as part of the forum. The winners received gifts from Positive Technologies, the PHDays organizer, and from the event sponsors.
A Specialist from Perm Wins the Network Infrastructure Security Analysis Contest at PHDays
The security of network infrastructure is the most important task in business. Companies often suffer significant losses and sometimes go bankrupt when intruders manage to access a company's internal network and steal sensitive information. A key role in providing high security level usually belongs to an equipment on the basis of which a network is built. Stanislav Mironov (Perm, Russia) cracked network infrastructure during the NetHack contest. Stanislav is an expert in network administration and security and currently works for a commercial bank in Moscow. The contest's participants needed to obtain access to the game network during a limited period of time, then get to the unrouted segment that contains a certain automated system. The game network developed for the contest included typical vulnerabilities discovered by the Positive Technologies experts during security analysis and penetration tests. The partakers had an hour to gain access to five network devices, get flags and enter them into a form on a special web page. There was a total of seven participants. The contest's network infrastructure was developed by the Positive Research Center experts Mikhail Pomzov and Sergey Pavlov. The first flag was captured by Alexey "Foxter" Kashin, which took him 10 minutes. It should be noted that each following task was more complicated than previous one. It took Yuri "marsei" Shkodin 15 minutes to capture the second flag. After that, we had another leader: Stanislav "st.Ass" Mironov captured the last three flags and won the contest. The organizers assigned 50 minutes for the NetHack competition. But as it was difficult to determine a winner during the period, 15 extra minutes were added, which decided the outcome of the contest. In the last seconds of the extra time, Stanislav Mironov managed to capture the fifth flag. The rest of the participants failed to capture it. Eventually, Yuri Shkodin took second place, and Sergey Stankevich came third. Both participants captured four flags each. According to Stanislav Mironov, the task was interesting and it was hard to solve it being constrained by time; however, in real life an experienced specialist must not make such errors during setup. "Serious companies have standards and scanning procedures that help detect errors and prevent problems. But mistakes still can be made in real life", Mironov said. "The task that was offered in the contest is mainly related to service errors and misconfiguration of large network infrastructures, which arise from a deviation from standards and best practices. Automated tools for compliance and vulnerability management can reduce risks", said Sergey Pavlov, Head of the Department for Network Devices Security Assessment at Positive Technologies. The winners received special prizes from Cisco, the PHDays technological sponsor, and Positive Technologies, the forum's organizer.
A Student Hacks a Remote Banking System at PHDays
The security of banking systems became one of the key topics at Positive Hack Days III. Discussions, contests and hands-on labs on banking systems were held during the forum. Anatoly "heartless" Katyushin, a student from the Samara State Aerospace University (Samara, Russia), hacked a remote banking system during the $natch competition and "stole" 4,995 rubles. The contest consisted of two rounds. at first, virtual machine copies with vulnerable web services of the remote banking system (a real I-banking system analog) were provided to the participants. In the second round, the hackers needed to exploit the discovered vulnerabilities and steal as much money as it was possible. Positive Technologies developed a test remote banking system PHDays I-Bank for the contest and included typical vulnerabilities. The participants had one hour to exploit the security problems that were discovered during the first round of the contest and to transfer the money to their account. The system contained 20,000 rubles. The winner manages to "steal" only 4,995. Asteros, the forum's partner, doubled the sum. "It took about 4 hours to detect security problems in the system's image. Then we needed just to write a script to automate the vulnerability exploitation," — Anatoly Katyushin said at the end of the contest. Omar Ganiev (beched), a student of the Department of Mathematics at the Higher school of economics, took second place "stealing" 3,277 rubles. "I didn't win last year, because of a script error. But this time I manage to take second place," — said Omar Ganiev. Other participants didn't get a ruble from the PHDays iBank.
The First Day of PHDays Comes to an End
Positive Hack Days III, an international forum on practical information security, has started today, on May 23 in the WTC Moscow. Among the participants are IS experts, hackers, politicians and representatives of the Internet community from every corner of the world. During the reports, hands-on labs and various discussions, the forum’s attendees took a close look at practical security and discussed the perspectives of the industry. Young specialists and IS At the beginning of the forum the section “The Role of the Young of Today on the Information Security Market of Russia” was presented, the moderator was Alexey Lukatsky. Representatives from the Ministry of Communications and Mass Media, FSB Information Security Center, Security Council, Technologies and RuCTF, Ruslan Gattarov, a member of the Federation Council, and Vladimir Zirinovsky, the leader of LDPR and a member of the State Duma Committee on Security participated in the discussion. The participants noted that the government realized the role of cyber security and is starting to respond to the threats. Therefore, the IS experts’ role becomes more and more significant. Vladimir Zirinovsky told that his colleagues in legislation faced mainly the negative side of information security, attacks and hacking. The politician added that in spite the industry is quiet young, the government needs its support, that’s why the State Duma is ready to develop a legal base which will allow the experts to work without the fear of responsibility. SCADA security One of the most important problems discussed at the forum was the security of industry systems. The following works were presented: the report “Are ICS Models Needed to Ensure Information Security of Industrial Systems” by Ruslan Stefanov, the section “ICS Security — an Oxymoron or the Task of the Decade?” by Garald Bandurin (RusHydro) and the presentation by Positive Technologies “SCADA Strangelove: How to Build Your Owen Stuxnet” in which the team announced the release of the new utilities for checking ICS security. Moreover, each participant of the forum could take a close look at industry systems security thanks to the Choo Choo Pwn contest. The goal was to obtain access to a model of a system which controls a railroad and cargo loading by exploiting vulnerable protocols or bypassing authentication of SCADA systems and industrial equipment web interfaces. In the middle of the day, a related hands-on lab devoted to railroad ICS was delivered by Ilya Karpov, Alexander Timorin and Dmitry Efanov. Leave ATM Alone Leave ATM Alone, a hands-on lab on ATM’s software security, generated considerable excitement. It was performed twice by Olga Kochetova and Alexey Osipov in the contests area. Labyrinth The Labyrinth contest was also quite popular. The participants were to get over the laser field and motion detectors, open secret doors, clear the room of bugs, combat with artificial intelligence, and render a bomb harmless. PHDays CTF: Levart D'Errorim This is the third time the PHDays CTF contest is held. Ten teams from six countries are engaged in a fierce struggle: they are to attack the opponents’ systems and defend their ones. The contests are held within one legend: this time the rescue of D’Errorim is prepared for the contestants. You can follow the struggle not only at the venue but also online via the the PHDays broadcasting and special mobile apps for iOS and Android. Tomorrow on May 24 in addition to a great number of hands-on labs and reports, the forum’s participants will hear the report of a key speaker Marc “van Hauser” Heuse. The audience will also see numerous contests (held at the venue and online) and the PHDays CTF final. Follow the news!
Positive Hack Days III Online Competitions
If, for some reason, you will not be able to visit the venue of Positive Hack Days on May 23 and 24, this doesn’t mean you should miss the opportunity to participate. Thanks to the competition program of the forum, anyone will have a chance to compete with contestants from all over the world during exciting online Positive Hack Days III challenges. Best Reverser The purpose of the contest is to demonstrate good knowledge in analysis of executable files for Microsoft Windows. The contestants will be offered to generate a code that will successfully pass validation in a special program. It is only possible to enter another code after the successful validation of the previous one. You can use any method that complies with the law of the Russian Federation. The participant who is the first to generate three valid codes and to provide the jury with a concise description of the process of obtaining the codes, will be the winner. The participants who accomplish the task later than the winner, and those who generate two codes or even one, have a chance to take prize-winning places according to the jury's decision. The contest will last for two days during the forum. Hash Runner Hash Runner challenges the competitors’ knowledge of cryptographic hash algorithms and skills of cracking password hash functions. К конкурсу допускается любой интернет-пользователь. Any Internet user can participate in the competition. You can register via the website phdays.com (the registration is in full swing!). The competition will last through the forum days. Competitive Intelligence The competition will enable participants of the forum to discover how quickly and accurately they can find useful information on the Internet. The competition web page will contain questions concerning a certain organization, information about which can be found online. The task of the competition participants is to find as many correct answers to the questions as possible in the shortest time. The results will be announced at the end of the second day of the forum. PHDays III Online HackQuest The PHDays 2013 program will include Online HackQuest, a competition for the Internet users that offers participants to try their hands at solving various information security tasks. The participants will be provided with access to the site with a list of tasks. The tasks are grouped according to their type and level of difficulty. Once a task is solved, the participant obtains a key (flag) to submit to the jury via a special form. If the flag is valid, the participant will score an appropriate number of points. The participant who scores the maximum points quicker than others becomes the winner. The competition is open for any Internet user. You can register on the PHDays website, from the moment the forum starts. The contest will be held for two days, during the forum. The winners of the contest (first, second, and third participant) will receive prizes from the PHDays organizers (Positive Technologies) and the sponsors of the forum. The registration is at its high! Do not miss the chance to demonstrate your skills and have a great time. Details on competitions and prizes are available on the official Positive Hack Days web site.