News
PHDays CTF Over? PHDays CTF Goes On!
In 2012 the PHDays CTF contest’s infrastructure was based on the principle of the King of the Hill game — the point were given for keeping control over the successfully attacked systems. This made the CTF contest even more intriguing — some important nuances of the hackers’ and information security specialists’ work were taken into account in the tasks, and many participants of Positive Hack Days really appreciated it. That is why an idea came to our minds… Why not to repeat the ‘royal battle’ separately for the Internet community, let us say, in the second half of August? Dates Everybody is welcome to try on the crown during the King of the Hill contest from the 20th of August to the 2nd of September The cause for organizing the online battle is two hacking forums — in India and in Kaliningrad. From August 16 to 19 the experts of the Positive Technologies company at the SecurIT 2012hacking forum in Indiawill remotely carry out a workshop about the $natch contest. Also, from August 24 to 27 BaltCTF in Kaliningrad will welcome its guests. Participating in King of the Hill will give members of the of Internet community an opportunity to challenge professional hacker teams from France, Germany, Tunisia, Netherlands, and Russia. Where to register? To try to repeat the feats of the CTF battle participants and fight for prizes provided by Positive Technologies, please register at the official web site http://www.phdays.com/ctf/king/. The detail of the King of the Hill contest is available at the http://www.phdays.com/ctf/rules website. What is King of the Hill?
'Free-of-Charge' Tariff. Hacking Coin-Operated Telephone at PHDays
Due to the fact that Positive Hack Days is a forum devoted to the issues of practical IT security, the competitive program contained competitions of practical nature (for example, a contest related to searching information hidden in the Internet and hash hacking). One of the competitions, where not only your head but hands could work, was a contest named 2600, in the course of which the participants had an opportunity to demonstrate their skills in freaking and to hack a coin-operated telephone. Any visitor of Positive Hack Days could partake in the competition. The participants were to call a predefined number from a coin-operated telephone using tokens as the means of payment and then extract the used token and give it back to the organizers.
How Hackers Hacked the RFID
The prototype of modern RFID tags is an identification friend or foe (IFF) system developed by the Naval Forces of the USA in 1937. It was used to identify aircrafts as friends or foes during World War II. Nowadays the radio-frequency identification technology is widely used in offices (employees access), trading (tags on goods), transporting (subway entrance), and a lot of other spheres. What will happen, if a hacker needs to 'bypass' an RFID lock? You can learn the answer from the overview of the competition Hack the RFID, taken place at Positive Hack Days 2012.
Smartphone and Tablet Applications – Approved by Positive Technologies
Positive Technologies starts up a service related to critical mobile applications security analysis. Development of the new area is mainly aimed at effective and comprehensive security evaluation of different systems, the client part of which is more and more frequently used in handheld devices. Beside security analysis of remote banking systems, Internet payments, mobile communication services management, ERP systems, and information infrastructures, Positive Technologies will provide services related to evaluation of security level and search for vulnerabilities in mobile applications for Apple iOS, Google Android, Windows Phone, and other operating systems, depending on customer's requirements. The company experts have succeeded in detecting and fixing critical errors in different mobile applications (browsers, antiviruses, mail and Internet bank clients). Comprehensive analysis of all mobile applications Mobile application security analysis, offered by Positive Technologies, is a comprehensive research of information security, carried out both on the client and server parts of an application. Such analysis consists of a search for program vulnerabilities in an application and study of its behavior, which allows detecting complicated problems, such as unauthorized transaction possibility. Each mobile platform is assigned with a specific set of operations with consideration of the platform's architecture and release mode. In the course of server analysis, Positive Technologies uses self-developed methods and tools, including MaxPatrol Vulnerability and Compliance Management System. It employs methodologies of acknowledged international organizations (Web Application Security Consortium (WASC), Open Web Application Security Project (OWASP)) and best practices in application security area. To analyze mobile application security, the company experts can use both gray box testing (as an attacker, who possesses a user access to the application) and white box testing (application source code and architecture analysis). As a result, a client receives objective and independent evaluation of the application security level, which may be used as a basis for development of measures to increase the application information security level and decrease the corresponding risks. Moreover, in case of white box testing, specialized fixes of detected mistakes, namely patches, can be issued. Relevance Rapid growth of the mobile market for the last few years has resulted in new services in various business areas. Client-server applications, developed for mobile platforms (iOS, Android, etc.) to perform financial operations, are more and more often released. These applications contain vulnerabilities, exploitation of which by malware users may result in considerable financial and reputational damage of the company owning the system. According to experts, an average annual loss of large companies, caused by incidents with mobile applications, exceeded USD 400,000 in 2011. Experts' comments Boris Simis, Business Development Director at Positive Technologies: "Nowadays we use smartphones and tablets for absolutely different purposes, starting with movies watching to bank payments and important corporate data accessing. In fact a mobile device is an office in your pocket and it should be protected not worse than office systems and applications. However, our experience shows that those practices, which have been accumulated in the sphere of security of traditional applications and web systems, are hardly implemented in mobile platforms. Incredible as it may seem, a mobile program may contain mistakes that have already been eliminated in versions meant for desk computers." Dmitry Evteev, the Head of Security Assessment Department at Positive Technologies: "We analyze security of various remote banking systems regularly. Today this process is impossible without thorough security study of applications of the most popular mobile devices. This is also applicable to telecommunication, industry and many other areas, in which mobile devices serve as terminals for access to important business information more and more frequently." Detailed description of the service related to mobile applications security analysis
PHDays 2012: Tunisian version
The Positive Hack Days Everywhere organized in Tunis on May 30, 2012, was held in the INSAT university and was open mainly for students and professional members of SecuriNets, the first security club in Tunisia, and also for the members of the Tunisian Information Security Professional Associations. The participants had a good opportunity to remotely assist at the conferences and to interact with the PHDays teams.
Big Shot — Hacking People at PHDays
One of the most interesting, peculiar, and amusing competitions at Positive Hack Days 2012 was Big Shot, which challenged the participants’ skills of social engineering. Each participant was provided with a person's photo not clear for unambiguous identification and a number of statements characterizing that person. These people were present at the forum, and the participants were to identify them and make certain actions according to the task (for example, to get the person's business card or to take a joint photo).
Forgot Your Password? Hash Hacking at PHDays 2012
An unknown password is “made” according to the following recipe: extract minced information (hash) from cookies, database dump or another resource and process it with various tools until you get the combination of symbols you need. For the cracking time not to exceed the age of our Galaxy, you should consider numerous peculiarities. The success depends on the hacker’s experience, encoding algorithm, salt (if presented), the utilities and hardware used (nowadays programs require powerful graphics cards to decode hashes). To find out how the task is tackled by best hackers, read the article covering the Hash Runner competition held as a part of PHDays 2012. All competitions of this type are characterized with hegemony of a number of teams: hashcat, Inside Pro, john-users, which is not surprising because these are communities of developers, testers and common users formed around most popular hash hacking tools. And their success is rooted not only in years of experience, good training and unity of teams, and accessibility of formidable computer powers, but in the ability to modify the tools in the real time mode in response to ever changing circumstances. All the above-mentioned teams took most active part in Hash Runner at PHDays 2012. For two days the contestants fought for a useful prize - an AMD Radeon HD 7970 graphics cards. And here are the results. Rules The competition was open for any Internet user. All in all, there were 19 participants from various countries participating. The competitors are given a list of hash functions generated according to various algorithms (MD5, SHA-1, BlowFish, GOST3411, etc.). Points for each hacked hash were scored depending on the complexity of algorithms, generation rules and dictionaries used. To win the competition, a participant was to score as many points as possible during a limited period of time, leaving the competitors behind. It's all simple: you have a number of hashes of various types and two forum days (the competition started at 10:00 a.m. on May 30 and ended at 6 a.m. on May 31) to crack as many as possible. Participants The participants of the competition were from different countries. The main rivals were InsidePro Team 2012, teardrop and Xanadrel. Strategies To win the competition, the participants were to figure out password generation rules. The generation used dictionaries in different languages, as well as name dictionaries. The first rule guessed by the participants was a dictionary word repetition, for example: fayettefayette jeweljewel hamlethamlet Each hash types contained a certain number of passwords generated according to the same rules. Thus, by guessing a password to a hash encrypted with a simple algorithm and figuring out its generation algorithm, one could apply the knowledge to the rest positions in the list and guess passwords to more complicated hashes. It was good thinking, and not good guessing, that gave the push to the three leaders. Each team used its own tactics: one tried to brute force the passwords to the most complicated hashes, thus scoring more points, another, on the contrary, tried to outrun their rivals in the number of successfully hacked hashes, focusing on plains. The leaders gave dust to their competitiors. Xanadrel (France), who used to paly for Hashcat, decided to play a one-man game this time and fought on its own. Hardware he used for the competition included PC (i7 950, 1x 5770 and 1x 7970) and i5 2300k core for 4 LM hashes. Software tools: · Hashcat · oclHashcat-plus · ophcrack · rcracki_mt · passwordspro · maskprocessor The passwords were cracked by wordlist attacks and generation of basic/common rules in hashcat and passwordspro for the GOST hashes. During the entire competition, the contestant wasn’t able to hack not a single DES, neither phpbb3, ssha, or wordpress hash (they were unusually long and hashcat failed to crack them). It was not until the end of the competition when Xanadrel thought of bruteforce attacks and managed to get a couple of passwords like 6{x#_a or 9Mv)0. Besides, there were passwords of the ddyyy type (for example, 08march1924). For this cases, the contestant had to create rules for appending/prepending the year/day and a wordlist with months only. Оригинал райтапа Xanadrel [eng] Unlike Xanadrel, who chose to fight on his own, the guys from Insidepro teamed up. Their strategy was simple: try attacking any algorithm wherever possible using whatever technique was handy (a bruteforce attack, dictionaries). The list of hardware and software tools used by the team:
Once Upon a Time in Vladivostok, or PHDays 2012
For May 30 and 31, the city of students, which is a common nickname of Vladivostok, turned into one of the biggest regional platforms of Positive Hack Days 2012, an international forum on information security. The Far-Eastern "Congress of Hackers" took place in Far-Eastern Federal University (FEFU) as a part of PHDays Everywhere, an initiative that gathered dozens of universities and hackspaces from various countries. The huge part of organizational work at the IT forum in the Soviet San Francisco was shouldered by undergraduate and postgraduate students of the FEFU School of Natural Science. The total winner of Vladivostok Positive Hack Days was Luckers team. The second place was taken by the future IT specialists of the GrayCap team. They were followed by the team of Automated Systems of Information Processing and Management. On June 7, Sergey Gordeychik, CTO of Positive Technologies, over to Vladivostok to congratulate the teams and present the prises. As a personal pleasant bonus, according to the official site of FEFU, Sergey gave a small lecture Gaps in Information Security, which was attended not only by FEFU students, but future IT specialists from other universities in the city. Besides, CTO of Positive Technologies announced that FEFU had joined the Positive Education program initiated by Positive Technologies. "We have launched this program to help universities and offer them new educational methods aimed at training really good IT professionals, which are so sought-after on the today's market. FEFU students, as well as those from other 14 universities participating in the program, will enjoy the education for free," noted Sergey. Sergey Kultyshev, a postgraduate student of the School of Natural Sciences and one of the most active organizers pf the "Congress of Hackers", shared a small secret: "Together with our new partner, Positive Technologies, we plan to organize a week of information technologies here, in FEFU, in 2013, to gather hackers and IT specialists from all the Asia-Pacific region, thus taking the event to a new level".
Show Me the Money! The $natch Competition at PHDays 2012
How to Protect Money, a section of PHDays 2012 dedicated to banking issues, ended like a good old thriller: the participants, who were discussing security issues urgent for the industry a minute before, found themselves witnessing a real bank robbery. Armed with laptops, the “criminals” were attacking a “bank” represented by a remote banking system, which had been developed by Positive Technologies specialists for the competition. The participants of the $natch competition were to demonstrate their skills of exploitation of vulnerabilities common for remote banking services – rather logic than web ones (i.e. not like Cross-Site Scripting or SQL Injection). Specially for the competition, we developed our own remote banking system from scratch and stuffed it with common vulnerabilities revealed by Positive Technologies experts in the course of security assessment of such systems. The solution called PHDays I-Bank was a standard Internet bank with a web interface, PIN code to access the account and a processing.
The Positive Education Program To Help Professors Coach Future Specialists
Lack of specialists is the major problem that the Russian information security market is facing today. Every year, over 250 graduates start their career in the field, which is far less than needed. Positive Technologies alone opens 100 positions every year. The Company’s experts have developed an educational program Positive Education to assist universities in coaching future information security specialists. The program was presented by Sergey Gordeychik, the company’s CTO, at Positive Hack Days 2012 in Moscow. “At present, companies have to outbit specialists from competitors or train novices on their own, sometimes “from scratch”. The Positive Education program is aimed at training competent specialists at universities,” comments Sergey Gordeychik, CTO of Positive Technologies. “Young people who graduate from technical schools today are usually quite good at Maths, but lack practical experience, so they have to pull up their knowledge at work”. In Sergey’s opinion, the market expects future employees to have solid knowledge and excellent skills in information technologies, which includes knowledge of network technologies, operating systems, DBMS, applications and web applications; understanding of security mechanisms and their implementation in certain systems; skills of security assessment; practical experience in any of the special fields (development, support, project design, analysis); skills of documentation development (Unified System for Design Documentation, National State Standard). Besides, Sergey Gordeychik emphasized a mistake common for many universities: they tend to focus primarily on training specialists in information security standards, while the market cries out for system engineers, web application specialists, experts in antivirus and system security, security assessment specialists, system analysis and developers in the information security field. Self-reliant development of practical courses tends to be a challenging task for Russian universities due to the lack of technical and human resources. Moreover, hardware infrastructure and software require significant financial investments. Positive Technologies is ready to provide all necessary components for the courses to be developed, including the assistance of company’s specialists who have practical experience in the field. Positive Education is composed of stands with virtual infrastructures, educational software products, materials for seminars, step-by-step description of labs, and support and master classes for professors. Positive Technologies specialists have already developed workshops on the following topics: Tool-aided security assessment, Penetration testing, and Web application security analysis. “We encourage all universities that find our program interesting to join us,” says Sergey Gordeychik. So far, the program covers 15 Russian universities: · Saint Petersburg State University of Economics and Management (ENGECON) · Far-Eastern University of Means of Communications (FESUMC) · Udmurt State University USU · Novosibirsk State University of Economics and Management (NSUEM) · National Nuclear Research University MEPHI · Moscow State University (MSU) · Tomsk State University, Chair of Innovations Management (TSU) · Tomsk State University of Control Systems and Radio Electronics (TUSUR) · Institute of Business Security of Moscow Energy Institute (SIBB NRI MEI) · Chair of Automated Systems of Information Processing and Management of Omsk State Technical University (OSTU) · Moscow State Technical University named after N. Bauman (MSTU) · Kuban State Technical University (KubSTU) · MIET National Research University · Voronezh Institute of Russian Ministry of Internal Affairs · Far-Eastern Federal University (FEFU) Positive Education is not the only educational initiative of Positive Technologies. Earlier, the its specialists gave seminars and special courses of study for students of technical universities and organized a series of free webinars on topical issues of information security. Besides, as a part of the PHDays 2012 forum program, Positive Technologies offered a competition for young scientists called Young School. The high level of the competition is confirmed by the fact that all works of the finalists were approved for release in the Information Technology Security magazine, which is in the Higher Attestation Commission list of major a reviewed scientific publication.