News
PHDays III Call For Papers: The Latest Intelligence Data on either side of a fence
The first wave of the Call for Papers has already yielded its results: specialists from different countries are ready to be loaded onto the plane to the PHDays III. Both reports and hands-on-labs (where the audience is able to participate) will be presented at the forum. Today we are ringing up the curtain to tell you about several reports taking place at the forum. Special Guest Stars Among special guests at the forum are: Travis Goodspeed,who we all know, and ReVuln's founders, Donato Ferrante and Luigi Auriemma, known for their researches in information security ofSCADA and Smart TV. Data Interception within Optical Fiber Networks Alexey Demenyuk (FixedBug's founder) together with Vladimir Grishachev and Dmitry Khlyapin in their report "Sound at the end of the tunnel" will demonstrate data interception methods within optical fiber network without its tapping. The speaker will raise a question on how reliable the optical fiber networks are considering security issues and will also contemplate current security threat, based on physical properties of the optical fiber. During the lecture, data interception within optical fiber network without its tapping will be demonstrated. If the Psychological Warfare can not be Stopped, it Should be Headed Andrey Manoilo (vice-chancellor at the Political Science Department at Moscow State University and editor-in-chief of Mir i Politica) will have a detailed look at the two main concepts of state policy implementation under the conditions of the psychological warfare: psychological warfare resistance and control. Upon the speaker's opinion, psychological warfare control soon will be the main category in the state information policy system. Cyber War of a Chinese Hacker, Black Economy, and Trojan Tool China's billion-plus population means that proportionally, there are a lot of hackers in China. Nonetheless, you can't say enforcement is non-existent in China. What happened to China hackers in the last ten years? Who are they and what do they want? Tao Wan, also known as Eagle Wan, the leader of the China Eagle Union will give you the truth. Airlines against hackers Security flaws associated with business process management could be a serious threat for companies. Mushtaq Ahmed, a specialist of IT Security&Risk Management department in Emirates Airline, will present a report "Software Development Life Cycle with a Tinge of Application Security". He will take up application security aspects, and flaws in business process management that could have a pernicious effect on the business effectiveness. Hackers against airlines? During a short speech "Experiments with entertainment systems on board of aircratfs", gentlemen from Anonymous and Bnonymous will show how the Internet works on the board of an aircraft, what is a strange box with video on the back of the seat before you, and what you could do with it to spend your time cheerfully and profitably during the flight. How to "sell" the security improvement tools Jerry Gamblin, an employee in House of Representatives, Missouri, whos report in PHDays 2012 was favoured by Anonymous, will show how to protect your work from the management and lobby for new projects. Hacking Services Underground Market Max Goncharov, Senior Threat Analyst at Trend Micro, will represent his report Underground Market 101: Pricing Stats and Schemas. The speaker will cover the principles of underground information exchange, ways to secure money/goods in underground transactions and basic cyber hierarchy. Crypt services, DDoS attacks, Traffic resale, Bulletproof servers, SMS Fraud, Spam services and Credit card Hijack — these topics will also be covered. Hack on level 8 Gathering enough data about systems and staff from the public resources (Open-Source Intelligence, OSINT) is often essential in security audit, and is also critical for audit success based on social engineering methods. To confirm this statement, Vladimir Styran, a well-known blogger (), Security13 podcast presenter (), will present a report about OSINT automation methods by free of charge or paid means. Abusing Browser User Interfaces for Fun and Profit Rosario Valotta, a security researcher from Italy known for demonstration of zero-day vulnerabilities in Internet Explorer, will raise the question of exploitation of user interfaces flaws. The speaker will show how notification bars in major browsers (Chrome 24, IE9, IE10) can be abused with little (or even no) social engineering, leading to users security compromise and even to conducting trivial code execution on the victim's machine. Attack modeling, security assessment metrics and visualization in promising SIEM systems Igor Vitalievich Kotenko (head of information security issues laboratory, SPIIRAN) will present the current research in SIEM systems. The report includes aspects of software implementation for an SIEM system of the next generation, developed as a part of the integrated project of The Seventh Framework Programme ( FP7), and also attack modeling and security protection issues. NFC new threats Nahuel Grisolía will present "RFID workshop for fun (and profit?;)" workshop that introduces vulnerabilities in NFC (Near Field Communication) wireless technology. The range of topics will vary from the use of traditional NFC 13.56 MHz readers, their API and proprietary software, to Proxmark3 hardware, open source software (LibNFC), known attacks and other RFID uses and practical ideas. How to develop a secure web application? Vladimir Kochetkov from Positive Technologies is going on with secure application development and presents hands-on lab "How to develop a secure web application and stay in mind?". The target audience is web application developers and researchers that want to improve skills in code and architecture security and Security Development Lifecycle for complex projects based on Microsoft ASP.NET technologies (Web Pages, Web Forms, MVC, Entity Framework, SignalR). The hands-on lab is based on real vulnerabilities in popular solutions. It considers the best practices and techniques of detection and elimination of vulnerabilities of all classes on each stage. Sqlmap: Under the Hood Miroslav Štampar is a professional software developer from Croatia, an expert in automation of SQL Injection. He will present in-depth analysis of capabilities and inner workings of sqlmap. Hands-on lab is devoted to peculiarities and hidden features of sqlmap. Hard logic for security A Berlin University of Technology (TU Berlin) PhD-student and Deutsche Telekom researcher Dmitry Nedospasov together with Keykeriki developer, Thorsten Schroder, will make «Let the „hardware“ Do All the Work: Adding Programmable Logic to Your Toolbox" report. They will report how to avoid common issues in coping with overwhelming amounts data and timing using FPGA tools matrix, that is a basis of high-end tools for hardware debugging and analysis. So Insecure Security Appliances Stefan Viehböck with his report (In)security of Appliances will lift the curtain over the vulnerabilities of security software and will demonstrate how security appliances suddenly become the weakest link of your defense, how to abuse security appliances to gain access to your network, to your data, and your crown jewels. The speaker promises to disclose world-shattering vulnerabilities in security appliances. As a part of Fast Track: Alexander Tovstolip and Alexander Kuznetsov will show ten methods to overcome DLP Systems. Artyom Poltorzhitsky together with Vladimir Konev will show the high-end bank spy for smartphones. One of the most important elements of an up-to-date virus is an antivirus system bypass module, which makes the conventional signature approach and heuristic analysis give in. To solve this problem, a lot of vendors of IS tools launched cloud reputation systems. Pavekl Korostelev's report analyzes functions of such services. How to Participate If you want to speak to the world leading IS specialists, share your experience and research results, or demonstrate your skills in practical information security, you are welcome the speakers' team of PHDays III. Do not waste your time — the later the date of your application, the fewer chances you have to be among the speakers. The second stage of Call for Papers will be over on April 14, 2013. Find the details about the format and participation rules, as well as the list of topics we are mostly interested in and application submission instructions on the PHDays website.
Last Two Weeks to Take Part in PHDays Young School!
By popular demand, we increase the time frame for young scientists in information security to send in the reports and take part in the contest. Now you can apply for participation in PHDays Young School until March 15, 2013 (24:00 UTC). We have already received applications for participation that are based on such current tendencies as information warfare, mobile platforms vulnerabilities, anonymity, and mobile devices. The contest finalists will be invited to participate in Positive Hack Days III to present their reports. A pleasant detail: transportation and accommodation costs will be refunded. Take the opportunity of telling the world about your researches. We are looking forward to receiving your report!
PHDays CTF Quals — 494 Teams from 30 Countries and PPP Triumph
PHDays CTF Quals — 494 Teams from 30 Countries and PPP Triumph This year PHDays CTF Quals, information security competition, has become the most large-scale over its history — 681 teams applied for participation, 494 of them took up the struggle, 154 teams solved at least one task, and more than 100 people discussed the battle on IRC. PPP (Plaid Parliament of Pwning), a team from the USA, became the winner. According to the results of the competition that lasted over 48 hours from 10 a.m. on December 15 to 10 a.m. on December 17, the first 10 teams of the overall rating, which scored the biggest number of points for the least time, qualified for PHDays III CTF.
Three Days Left Before PHDAYS CTF Quals Starts
Let us remind you that PHDays CTF Quals starts on the 15th of December and will last for three days. 300 teams from more than 30 different countries of the world have already registered. You still can join! Registration for Quals: till 17th of December, 2012. Time when Quals will be held: From 10 a.m. of the 15th of December till 10 a.m. of the 17th of December, 2012 (Moscow time). The contestants will try their hands at security assessment, vulnerabilities detection and exploitation, as well as fulfilling reverse engineering tasks. The conditions of PHDays CTF Quals, as opposed to many other competitions of the kind, are brought as close to real life as possible — all the vulnerabilities are not fictional, but indeed occur on present-day information systems. The winners of the contest will be those who gain the highest score earlier than others. On the basis of the PHDays CTF Quals results, the strongest teams will be invited to participate in PHDays III CTF. The main contest will take place on the 22nd and 23rd of May, 2013 in Moscow during the third international information security forum Positive Hack Days.
PHDAYS CTF Quals Hacking Competition Starts
For the attention of information security specialists, system administrators, developers — all those, who is familiar with vulnerabilities detection and is ready to demonstrate their skills in a hacking battle! PHDays CTF Quals (the qualifying stage of the PHDays CTF international information security contest) starts in December. The contestants will try their hands at security assessment, vulnerabilities detection and exploitation, as well as fulfilling reverse engineering tasks. The conditions of PHDays CTF Quals, as opposed to many other competitions of the kind, are brought as close to real life as possible — all the vulnerabilities are not fictional, but indeed occur on present-day information systems. The winners of the contest will be those who gain the highest score earlier than others. On the basis of the PHDays CTF Quals results, the strongest teams will be invited to participate in PHDays III CTF. The registration for the quals starts on the 28th of November and finishes on the 17th of December, 2012. PHDays CTF Quals will take place from 10 a.m. of the 15th of December till 10 a.m. of the 17th of December, 2012 (Moscow time). The main contest will take place on the 22nd and 23rd of May, 2013 in Moscow during the third international information security forum Positive Hack Days. How It Was Among last year's quals participants there are teams from Russia, USA, Japan, Ukrane, Netherlands, France, South Korea, Tunisia, Germany, Switzerland, Kenya, Canada, Peru and Great Britain. The first prize went to the rdot.org team from Saint-Petersburg. The final CTF 2012 contest with 300,000 rubles of prize money became a real barnburner of the second PHDays forum, organized by Positive Technologies. During two days and one night non-stop, 12 teams from 10 countries were hacking their rivals' networks and protecting their own resources. The Leet More team from Russia became the winner, they were awarded with 150,000 rubles, the second prize (100,000 rubles) was taken by 0daysober from Switzerland, and the third prize (50,000 rubles) went to the Spanish team int3pids. A large analytical study of PHDays CTF 2012 is available here. Details You can learn more about PHDays CTF Quals and register by following the link http://quals.phdays.com.
Positive Hack Days III On The Way! Call For Papers Announced
Please attention! It has been finally decided to hold Positive Hack Days III. Positive Technologies, the permanent organizer of the event, has already started preparing for the third international forum on practical information security. The forum will take place in Moscow on May 22-23, 2013. The rules remain the same: maximum experience, minimum ceremonies, no advertising materials or dull promotion. Call For Papers The guests of PHDays III - will see a lot of round tables, contests, competitions, workshops, hands-on labs, and surely many reports presented by information security specialists from all over the world. You can be among the reporters. There are no strict restrictions: anyone from a novice to a recognized expert in information security can apply for participation. Our goal is to facilitate animated, informal communication between all representatives of the information security industry. The main requirements are an interesting topic concerning information security, novelty and urgency of the issues under consideration, professionalism and competence. If you want to share your experience, research results or demonstrate your skills, then we will be waiting for you in Moscow at the end of May 2013. Without you the forum will fell through! Hurry up — the first stage when you can submit your application is from October 29, 2012 to January 27, 2013. It is worth reminding that in 2012 the forum brought together 1,500 specialists from all over the world. More than 50 reports, workshops, seminars, and round tables took place there. Legendary Bruce Schneier, Datuk Mohd Noor Amin, the chairman of IMPACT, Alexander (Solar Designer) Peslyak, Travis Goodspeed, and Alexander Gostev were among the speakers. Any details about the formats and participation rules, the most interesting topics for reports, instructions for call for papers are available here
PHDays CTF Over? PHDays CTF Goes On!
In 2012 the PHDays CTF contest’s infrastructure was based on the principle of the King of the Hill game — the point were given for keeping control over the successfully attacked systems. This made the CTF contest even more intriguing — some important nuances of the hackers’ and information security specialists’ work were taken into account in the tasks, and many participants of Positive Hack Days really appreciated it. That is why an idea came to our minds… Why not to repeat the ‘royal battle’ separately for the Internet community, let us say, in the second half of August? Dates Everybody is welcome to try on the crown during the King of the Hill contest from the 20th of August to the 2nd of September The cause for organizing the online battle is two hacking forums — in India and in Kaliningrad. From August 16 to 19 the experts of the Positive Technologies company at the SecurIT 2012hacking forum in Indiawill remotely carry out a workshop about the $natch contest. Also, from August 24 to 27 BaltCTF in Kaliningrad will welcome its guests. Participating in King of the Hill will give members of the of Internet community an opportunity to challenge professional hacker teams from France, Germany, Tunisia, Netherlands, and Russia. Where to register? To try to repeat the feats of the CTF battle participants and fight for prizes provided by Positive Technologies, please register at the official web site http://www.phdays.com/ctf/king/. The detail of the King of the Hill contest is available at the http://www.phdays.com/ctf/rules website. What is King of the Hill?
'Free-of-Charge' Tariff. Hacking Coin-Operated Telephone at PHDays
Due to the fact that Positive Hack Days is a forum devoted to the issues of practical IT security, the competitive program contained competitions of practical nature (for example, a contest related to searching information hidden in the Internet and hash hacking). One of the competitions, where not only your head but hands could work, was a contest named 2600, in the course of which the participants had an opportunity to demonstrate their skills in freaking and to hack a coin-operated telephone. Any visitor of Positive Hack Days could partake in the competition. The participants were to call a predefined number from a coin-operated telephone using tokens as the means of payment and then extract the used token and give it back to the organizers.
How Hackers Hacked the RFID
The prototype of modern RFID tags is an identification friend or foe (IFF) system developed by the Naval Forces of the USA in 1937. It was used to identify aircrafts as friends or foes during World War II. Nowadays the radio-frequency identification technology is widely used in offices (employees access), trading (tags on goods), transporting (subway entrance), and a lot of other spheres. What will happen, if a hacker needs to 'bypass' an RFID lock? You can learn the answer from the overview of the competition Hack the RFID, taken place at Positive Hack Days 2012.
Smartphone and Tablet Applications – Approved by Positive Technologies
Positive Technologies starts up a service related to critical mobile applications security analysis. Development of the new area is mainly aimed at effective and comprehensive security evaluation of different systems, the client part of which is more and more frequently used in handheld devices. Beside security analysis of remote banking systems, Internet payments, mobile communication services management, ERP systems, and information infrastructures, Positive Technologies will provide services related to evaluation of security level and search for vulnerabilities in mobile applications for Apple iOS, Google Android, Windows Phone, and other operating systems, depending on customer's requirements. The company experts have succeeded in detecting and fixing critical errors in different mobile applications (browsers, antiviruses, mail and Internet bank clients). Comprehensive analysis of all mobile applications Mobile application security analysis, offered by Positive Technologies, is a comprehensive research of information security, carried out both on the client and server parts of an application. Such analysis consists of a search for program vulnerabilities in an application and study of its behavior, which allows detecting complicated problems, such as unauthorized transaction possibility. Each mobile platform is assigned with a specific set of operations with consideration of the platform's architecture and release mode. In the course of server analysis, Positive Technologies uses self-developed methods and tools, including MaxPatrol Vulnerability and Compliance Management System. It employs methodologies of acknowledged international organizations (Web Application Security Consortium (WASC), Open Web Application Security Project (OWASP)) and best practices in application security area. To analyze mobile application security, the company experts can use both gray box testing (as an attacker, who possesses a user access to the application) and white box testing (application source code and architecture analysis). As a result, a client receives objective and independent evaluation of the application security level, which may be used as a basis for development of measures to increase the application information security level and decrease the corresponding risks. Moreover, in case of white box testing, specialized fixes of detected mistakes, namely patches, can be issued. Relevance Rapid growth of the mobile market for the last few years has resulted in new services in various business areas. Client-server applications, developed for mobile platforms (iOS, Android, etc.) to perform financial operations, are more and more often released. These applications contain vulnerabilities, exploitation of which by malware users may result in considerable financial and reputational damage of the company owning the system. According to experts, an average annual loss of large companies, caused by incidents with mobile applications, exceeded USD 400,000 in 2011. Experts' comments Boris Simis, Business Development Director at Positive Technologies: "Nowadays we use smartphones and tablets for absolutely different purposes, starting with movies watching to bank payments and important corporate data accessing. In fact a mobile device is an office in your pocket and it should be protected not worse than office systems and applications. However, our experience shows that those practices, which have been accumulated in the sphere of security of traditional applications and web systems, are hardly implemented in mobile platforms. Incredible as it may seem, a mobile program may contain mistakes that have already been eliminated in versions meant for desk computers." Dmitry Evteev, the Head of Security Assessment Department at Positive Technologies: "We analyze security of various remote banking systems regularly. Today this process is impossible without thorough security study of applications of the most popular mobile devices. This is also applicable to telecommunication, industry and many other areas, in which mobile devices serve as terminals for access to important business information more and more frequently." Detailed description of the service related to mobile applications security analysis