News

7/20/2012

PHDays 2012: Tunisian version

The Positive Hack Days Everywhere event organized in Tunis on May 30, 2012, was held at the INSAT university and was open mainly to students and professional members of SecuriNets, the first security club in Tunisia, and also to the members of the Tunisian Information Security Professional Associations. The participants had a good opportunity to attend the conferences remotely and to interact with the PHDays teams.

7/12/2012

Big Shot — Hacking People at PHDays

One of the most interesting, peculiar, and amusing competitions at Positive Hack Days 2012 was Big Shot, which challenged the participants’ social engineering skills. Each participant was given a photo of a person that was not clear enough for unambiguous identification, along with a number of statements characterizing that person. These people were present at the forum, and the participants were to identify them and perform certain actions according to the task (for example, to get the person's business card or to take a joint photo).

7/10/2012

Forgot Your Password? Hash Hacking at PHDays 2012

An unknown password is “made” according to the following recipe: extract minced information (a hash) from cookies, a database dump or another resource and process it with various tools until you get the combination of symbols you need. For the cracking time not to exceed the age of our Galaxy, you should consider numerous peculiarities. Success depends on the hacker’s experience, the hashing algorithm, the salt (if present), and the utilities and hardware used (nowadays programs require powerful graphics cards to crack hashes). To find out how the best hackers tackle the task, read the article covering the Hash Runner competition held as a part of PHDays 2012.

All competitions of this type are dominated by a handful of teams: hashcat, Inside Pro and john-users, which is not surprising because these are communities of developers, testers and ordinary users formed around the most popular hash cracking tools. Their success is rooted not only in years of experience, good training, team unity and access to formidable computing power, but also in the ability to modify the tools in real time in response to ever-changing circumstances. All the above-mentioned teams took an active part in Hash Runner at PHDays 2012. For two days the contestants fought for a useful prize: an AMD Radeon HD 7970 graphics card. And here are the results.

Rules

The competition was open to any Internet user. All in all, there were 19 participants from various countries. The competitors were given a list of hashes generated according to various algorithms (MD5, SHA-1, BlowFish, GOST3411, etc.). Points for each cracked hash were scored depending on the complexity of the algorithm, the generation rules and the dictionaries used. To win the competition, a participant was to score as many points as possible during a limited period of time, leaving the competitors behind.

It's all simple: you have a number of hashes of various types and two forum days (the competition started at 10:00 a.m. on May 30 and ended at 6 a.m. on May 31) to crack as many as possible.

Participants

The participants of the competition were from different countries. The main rivals were InsidePro Team 2012, teardrop and Xanadrel.

Strategies

To win the competition, the participants were to figure out the password generation rules. The generation used dictionaries in different languages, as well as name dictionaries. The first rule guessed by the participants was a dictionary word repetition, for example:

fayettefayette
jeweljewel
hamlethamlet

Each hash type contained a certain number of passwords generated according to the same rules. Thus, by guessing the password behind a hash produced with a simple algorithm and figuring out its generation rule, one could apply that knowledge to the remaining entries in the list and guess the passwords behind more complicated hashes. It was good thinking, and not good guessing, that gave the push to the three leaders. Each team used its own tactics: one tried to brute force the passwords to the most complicated hashes, thus scoring more points; another, on the contrary, tried to outrun its rivals in the number of successfully cracked hashes, focusing on plains. The leaders left their competitors in the dust.

Xanadrel (France), who used to play for Hashcat, decided to play a one-man game this time and fought on his own. The hardware he used for the competition included a PC (i7 950, 1x 5770 and 1x 7970) and an i5 2300k core for 4 LM hashes. Software tools:

· Hashcat
· oclHashcat-plus
· ophcrack
· rcracki_mt
· passwordspro
· maskprocessor

The passwords were cracked with wordlist attacks and basic/common rules in hashcat, and with passwordspro for the GOST hashes. During the entire competition, the contestant was not able to crack a single DES, phpbb3, ssha or wordpress hash (they were unusually long and hashcat failed to crack them).

It was not until the end of the competition that Xanadrel thought of bruteforce attacks and managed to get a couple of passwords like 6{x#_a or 9Mv)0. Besides, there were passwords of the ddyyy type (for example, 08march1924). For these cases, the contestant had to create rules for appending/prepending the year/day and a wordlist with months only.

Xanadrel's original write-up [eng]

Unlike Xanadrel, who chose to fight on his own, the guys from Insidepro teamed up. Their strategy was simple: try attacking any algorithm wherever possible using whatever technique was handy (a bruteforce attack, dictionaries). The list of hardware and software tools used by the team:
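
The password structures described under Strategies above (a repeated dictionary word, and a day, month name and year run together) can be flagged by a password audit before anyone else's rules find them. The Python check below is an added example, not code from the competition or from any team; the sample word list, the dictionary size of 100,000 and the 113-year date range are assumptions chosen for illustration.

```python
import re

MONTHS = ("january", "february", "march", "april", "may", "june", "july",
          "august", "september", "october", "november", "december")
DATE_RE = re.compile(r"^(\d{2})([a-z]+)(\d{4})$")

# Constructed stand-in for the language and name dictionaries the article mentions.
SAMPLE_WORDS = frozenset({"fayette", "jewel", "hamlet", "dragon"})


def classify(password, words=SAMPLE_WORDS):
    """Return the structural pattern a password follows, or None."""
    p = password.lower()
    half, odd = divmod(len(p), 2)
    # Rule 1 from the article: a dictionary word written twice.
    if half and not odd and p[:half] == p[half:] and p[:half] in words:
        return "doubled-word"
    # Rule 2 from the article: day + month name + year, e.g. 08march1924.
    m = DATE_RE.match(p)
    if m and m.group(2) in MONTHS and 1 <= int(m.group(1)) <= 31:
        return "day-month-year"
    if p in words:
        return "dictionary-word"
    return None


def naive_keyspace(password):
    """Search space suggested by length and character classes alone."""
    size = 0
    if re.search(r"[a-z]", password):
        size += 26
    if re.search(r"[A-Z]", password):
        size += 26
    if re.search(r"\d", password):
        size += 10
    if re.search(r"[^a-zA-Z\d]", password):
        size += 33  # printable ASCII punctuation and space
    return size ** len(password)


def structured_keyspace(kind, dict_size=100_000, year_span=113):
    """Search space once the generation rule is known.

    dict_size and year_span are assumed values, not figures from the article.
    """
    if kind in ("doubled-word", "dictionary-word"):
        return dict_size              # one guess per dictionary entry
    if kind == "day-month-year":
        return 31 * 12 * year_span    # every day/month/year combination
    raise ValueError(f"unknown pattern: {kind}")


def audit(passwords, words=SAMPLE_WORDS, dict_size=100_000):
    """List passwords whose structure collapses their real search space."""
    report = []
    for pw in passwords:
        kind = classify(pw, words)
        if kind is None:
            continue
        report.append({
            "password": pw,
            "pattern": kind,
            "naive": naive_keyspace(pw),
            "structured": structured_keyspace(kind, dict_size),
        })
    return report


if __name__ == "__main__":
    # Passwords quoted in the article, audited against the constructed word list.
    samples = ["fayettefayette", "jeweljewel", "08march1924", "6{x#_a", "9Mv)0"]
    for row in audit(samples):
        print(f"{row['password']:<16} {row['pattern']:<15} "
              f"naive={row['naive']:.2e} structured={row['structured']}")
```

A 14-character password such as fayettefayette looks like 26^14 candidates by length alone, but costs no more than one pass over the dictionary once the doubling rule is known, which is why length-only password policies miss these cases.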

7/2/2012

Once Upon a Time in Vladivostok, or PHDays 2012

On May 30 and 31, the city of students, which is a common nickname of Vladivostok, turned into one of the biggest regional platforms of Positive Hack Days 2012, an international forum on information security. The Far-Eastern "Congress of Hackers" took place at Far-Eastern Federal University (FEFU) as a part of PHDays Everywhere, an initiative that gathered dozens of universities and hackspaces from various countries. A large part of the organizational work at the IT forum in the Soviet San Francisco was shouldered by undergraduate and postgraduate students of the FEFU School of Natural Science.

The overall winner of Vladivostok Positive Hack Days was the Luckers team. The second place was taken by the future IT specialists of the GrayCap team. They were followed by the team of Automated Systems of Information Processing and Management. On June 7, Sergey Gordeychik, CTO of Positive Technologies, came over to Vladivostok to congratulate the teams and present the prizes. As a pleasant personal bonus, according to the official site of FEFU, Sergey gave a short lecture, Gaps in Information Security, which was attended not only by FEFU students but also by future IT specialists from other universities in the city.

Besides, the CTO of Positive Technologies announced that FEFU had joined the Positive Education program initiated by Positive Technologies. "We have launched this program to help universities and offer them new educational methods aimed at training really good IT professionals, which are so sought-after on today's market. FEFU students, as well as those from other 14 universities participating in the program, will enjoy the education for free," noted Sergey.

Sergey Kultyshev, a postgraduate student of the School of Natural Sciences and one of the most active organizers of the "Congress of Hackers", shared a small secret: "Together with our new partner, Positive Technologies, we plan to organize a week of information technologies here, in FEFU, in 2013, to gather hackers and IT specialists from all the Asia-Pacific region, thus taking the event to a new level".

6/27/2012

Show Me the Money! The $natch Competition at PHDays 2012

How to Protect Money, a section of PHDays 2012 dedicated to banking issues, ended like a good old thriller: the participants, who had been discussing the industry's urgent security issues a minute before, found themselves witnessing a real bank robbery. Armed with laptops, the “criminals” were attacking a “bank” represented by a remote banking system, which had been developed by Positive Technologies specialists for the competition.

The participants of the $natch competition were to demonstrate their skills in exploiting vulnerabilities common to remote banking services: logic flaws rather than web ones (i.e. not like Cross-Site Scripting or SQL Injection). Specially for the competition, we developed our own remote banking system from scratch and stuffed it with common vulnerabilities revealed by Positive Technologies experts in the course of security assessment of such systems. The solution, called PHDays I-Bank, was a standard Internet bank with a web interface, PIN code to access the account and a processing.

6/20/2012

The Positive Education Program To Help Professors Coach Future Specialists

Lack of specialists is the major problem that the Russian information security market is facing today. Every year, over 250 graduates start their career in the field, which is far less than needed. Positive Technologies alone opens 100 positions every year. The Company’s experts have developed an educational program, Positive Education, to assist universities in coaching future information security specialists. The program was presented by Sergey Gordeychik, the company’s CTO, at Positive Hack Days 2012 in Moscow.

“At present, companies have to outbid specialists from competitors or train novices on their own, sometimes “from scratch”. The Positive Education program is aimed at training competent specialists at universities,” comments Sergey Gordeychik, CTO of Positive Technologies. “Young people who graduate from technical schools today are usually quite good at Maths, but lack practical experience, so they have to pull up their knowledge at work”.

In Sergey’s opinion, the market expects future employees to have solid knowledge and excellent skills in information technologies, which includes knowledge of network technologies, operating systems, DBMS, applications and web applications; understanding of security mechanisms and their implementation in certain systems; skills of security assessment; practical experience in any of the special fields (development, support, project design, analysis); and skills of documentation development (Unified System for Design Documentation, National State Standard).

Besides, Sergey Gordeychik emphasized a mistake common to many universities: they tend to focus primarily on training specialists in information security standards, while the market cries out for system engineers, web application specialists, experts in antivirus and system security, security assessment specialists, system analysts and developers in the information security field.

Developing practical courses on their own tends to be a challenging task for Russian universities due to the lack of technical and human resources. Moreover, hardware infrastructure and software require significant financial investments. Positive Technologies is ready to provide all necessary components for the courses to be developed, including the assistance of the company’s specialists who have practical experience in the field.

Positive Education is composed of stands with virtual infrastructures, educational software products, materials for seminars, step-by-step descriptions of labs, and support and master classes for professors. Positive Technologies specialists have already developed workshops on the following topics: Tool-aided security assessment, Penetration testing, and Web application security analysis.

“We encourage all universities that find our program interesting to join us,” says Sergey Gordeychik. So far, the program covers 15 Russian universities:

· Saint Petersburg State University of Economics and Management (ENGECON)
· Far-Eastern University of Means of Communications (FESUMC)
· Udmurt State University USU
· Novosibirsk State University of Economics and Management (NSUEM)
· National Nuclear Research University MEPHI
· Moscow State University (MSU)
· Tomsk State University, Chair of Innovations Management (TSU)
· Tomsk State University of Control Systems and Radio Electronics (TUSUR)
· Institute of Business Security of Moscow Energy Institute (SIBB NRI MEI)
· Chair of Automated Systems of Information Processing and Management of Omsk State Technical University (OSTU)
· Moscow State Technical University named after N. Bauman (MSTU)
· Kuban State Technical University (KubSTU)
· MIET National Research University
· Voronezh Institute of Russian Ministry of Internal Affairs
· Far-Eastern Federal University (FEFU)

Positive Education is not the only educational initiative of Positive Technologies. Earlier, its specialists gave seminars and special courses of study for students of technical universities and organized a series of free webinars on topical issues of information security. Besides, as a part of the PHDays 2012 forum program, Positive Technologies offered a competition for young scientists called Young School. The high level of the competition is confirmed by the fact that all works of the finalists were approved for release in the Information Technology Security magazine, which is in the Higher Attestation Commission list of major reviewed scientific publications.

6/20/2012

Russians Took All Places on the Medal Stand of HackQuest Online 2012

Following PHDays 2012, an international forum on practical security issues, the fascinating HackQuest Online 2012 came to an end. The participants of the competition faced multiple vulnerabilities and tried their hand at solving small tasks related to information security.

The victory in this hard two-week contest was earned by Dmitry Moskin (DarkByte) from Russia, who gained 27 points. Besides excellent results in hacking and analyzing information security systems, Dmitry is known as a developer of web applications, in particular of such a popular plug-in as MusicSig vkontakte for Google Chrome, designed to expand the functionality of the social network VKontakte (for instance, for downloading audio and video files). The winner highly appreciated the organization of the competition: “This CTF was probably the most interesting of all I’ve ever taken part in.”

Losing to the winner by a single point, AVictor took the second place; the third place went to letm. So, all three prize-winners represent Russia. They received prizes from the sponsors and Positive Technologies, the organizers of the forum. The fourth place was won by an information security researcher from Pakistan registered as tex. Results of HackQuest Online 2012 are published on the website of PHDays 2012.

6/18/2012

Positive Hack Days CTF 2012, or Hackmageddon

In the 19th century, carefree people who used to treat migraine with craniotomy, cough with heroin, and other illnesses with mercury, came to believe in the almighty Genetics. However, the long-awaited triumph of biotechnologies turned into a global catastrophe. The plot of the major Russian hacker contest, PHDays 2012 CTF, set an ambitious task for the participants, who had come from all over the world: to save the Earth Civilization, badly battered and dying of starvation amidst mutants and giant weed-trees.

The battle between hackers based on the Capture The Flag model has become the star turn of the PHDays 2012 program: for two days and a night non-stop, 12 teams from 10 countries were breaking rival networks and protecting theirs. PHDays CTF conditions, unlike those of other contests of this kind, were as real as possible: the vulnerabilities used for the competition are common in modern information systems. Besides, the participants were allowed to take blind actions when solving the tasks. In other words, they could attack systems that they had no access to.

The most curious feature of PHDays CTF 2012 was the King-of-the-Hill scheme used at the heart of the contest. According to the logic of this scheme, a team scored not only for having captured a system, but for having held it as well. For the conditions to be as real as possible, the King-of-the-Hill scheme copied a typical arrangement of enterprise networks: the external perimeter was made of web applications, DBMS servers, and various catalogs (LDAP) and, if penetrated, gave access to the internal perimeter, Microsoft Active Directory. Everything was the way it is in real life.

The Show

To add a special flavor to the competitions, we prepared a game infrastructure and were modifying it throughout the CTF according to a single plot line. So, the participants were not only to complete tasks faster than their competitors, but to save the world! (For the legends of Day 1 and Day 2, visit the forum’s web-site). Besides, this time the show was spiced with an element of a reality show: random visitors were given cards with bonus keys that they could present to their favorite team at the end of the second day.

Challenges

The competitions were not only about “pure” hacking. In the lobby of Digital October, the organizers mounted an enormous container with “litter”. The CTF contest required the teams to dive into the container (dumpster) and find bonus keys (flags). Each team had 30 minutes to do the Dumpster Diving.

6/9/2012

Video of Reports from PHDays 2012

Videos of the reports and hands-on-labs that took place at Positive Hack Days 2012 have been released. They are grouped according to the main information security areas: telecom, state sector, network protection, SAP, SCADA and ERP, web applications, mobile devices, botnets, password protection, hackers and money, practical security, Anonymous and LulzSec. Enjoy it!

Keynote Reports

Bruce Schneier. The video is available here from 01:00 p.m. The guru of cryptography told about his own security philosophy that surprised most of the visitors. He thinks that technologies constitute only a small part of security provision, and law breakers (hackers) may not only cause harm but be useful as well.

Datuk Mohd Noor Amin. The reporter is the Chairman of the International Multilateral Partnership Against Cyber Threats (IMPACT). He leads the first United Nations-backed public-private partnership against cyber threats, with the UN’s International Telecommunication Union (ITU) as its partner; with 137 countries as members, IMPACT is also recognized as the world’s largest cybersecurity alliance [video].

Telecom

Report: Sergey Gordeychik. How to hack a telecom and stay alive 2. Owning a billing [video]. Where to look for the keys to a technological network? How to obtain the billings without interfering with the main business of a company? The speaker answered these questions and shared new illustrative and funny examples of penetration testing performed for telecommunication networks.

Section: Evgeny Klimov, RISSPA. Telecom vs fraud. Who will win? Follow the link to watch the video (available from 12:15 p.m.).

State Sector

Report: Mikhail Yemelyannikov. Why it is impossible to comply with Russian private data protection law? [video].

Report: Andrey Fedichev, FSTEK of Russia. Why state secrets leak to the Internet? [video].

Report: Alexey Lukatsky. How presidential election in Russia influences information security market, or Trends in regulations. Video is available here from 04:00 p.m.

Network Protection

Report: Vladimir Styran. The truth about the lie. Social engineering for security experts [video].

Hands-on-lab: Andrey Masalovich. Internet competitive intelligence. Video is available here from 04:08 p.m. By using practical examples, participants of the workshop acquired the skills of using analytical technologies in solving real problems of competitive intelligence, including methods for rapid detection of confidential information leaks, fast detection of open partitions on servers, methods of penetration on the FTP server without hacking protection; password leak-detection methods; methods of access to confidential documents via bypassing DLP; means of penetrating into sections behind 403 error messages. Techniques were demonstrated on portals of companies that are certainly well protected (such as the leaders of the IT and IS markets, large state organizations, intelligence, etc.).

Hands-on-lab: Dmitry Ryzhavsky. Wireless network security. How your network was hacked and how it could be avoided [video]. The report considered the most relevant methods of obtaining unauthorized access to a WiFi network and demonstrated the mechanisms that Cisco Unified Wireless Network offers to protect against the described attacks.

Hands-on-lab: Sergey Lozhkhin. Computer incident investigation. Video is available here from 02:00 p.m. This hands-on-lab was devoted to the investigation of incidents of unauthorized access to Internet resources. The reporter introduced the audience to the psychological portrait of the modern hacker and talked about types of attackers. He considered the process of working on the incident, from the detection of traces of malicious activity and response to signals about the burglary to finding the attacker, in cooperation with law enforcement. In addition, the audience heard fascinating stories about real security incidents.

Hands-on-lab: Nikhil Mittal. Breaking havoc using a Human Interface Device [video]. This hands-on-lab focused on a highly dangerous and yet widely neglected computer security issue: vulnerability of Human Interface Devices (HIDs).

Report: Sylvain Munaut. Abusing Calypso phones [video].

Report: Andrei Costin. PostScript: Danger ahead! Hacking MFPs, PCs and beyond… [video].

Report: Sergey Klevoghin. CEH. Ethical hacking and penetration testing [video]. Visitors of the workshop learnt typical vulnerabilities of network protocols, operating systems and applications. During the master class the speaker described the sequence of different types of attacks on computer systems and networks and made recommendations to strengthen the security of computer systems and networks. Students were immersed in a practical environment, where they saw how systems are really hacked, so that they can anticipate possible actions of a hacker and successfully resist them.

Report: Travis Goodspeed. Exploiting radio noise with packets in packets. Video is available here from 03:10 p.m. This talk showed peculiarities of PIP writing, including working examples for IEEE 802.15.4 and the Nordic RF low-power radios.

SAP, SCADA, ERP

Report: Alexey Yudin. ERP as viewed by attackers. Video is available here from 03:00 p.m.

Report: Andrey Doukhvalov. Defense of industrial control systems – a factor of survival of mankind [video].

Report: Evgeniya Shumakher. A lazy way to find out your fellow worker's salary, or SAP HR security [video].

Report: Alexander Polyakov. SAP insecurity: the new and the best [video]. This report focused on the ten most interesting vulnerabilities and attack vectors on the SAP system from problems with encryption to bypassing authentication, and from the mistakes of fun to sophisticated attack vectors. A large proportion of vulnerabilities were presented to the public for the first time.

Hands-on-lab: Alexey Yudin. DIY SAP security [video]. Participants of this workshop learnt how to perform security assessment of SAP R/3 and NetWeaver systems (including application servers and infrastructure) by means of available tools.

Web Security

Hands-on-lab: Vladimir Lepikhin. Web application attacks. The basics. Video is available here from 09:00 a.m. The mechanisms of attacks on web applications and the techniques and tools used by violators (specialized security scanners and utilities, and the use of their results during manual analysis) were presented in a systematic form. Practical examples clearly demonstrated major weaknesses of web applications that make it possible to conduct attacks, illustrated by the shortcomings of the means of protection in use and methods to bypass them.

Report: Miroslav Štampar. DNS exfiltration using sqlmap [video]. The speaker presented the DNS exfiltration technique using SQL injection, described its pros and cons, and provided illustrative examples.

Report: Vladimir Vorontsov. Attacks against Microsoft network web clients [video]. The report covered methods of attacks on Internet Explorer users functioning as part of Microsoft networks. The considered attacks are aimed at obtaining confidential information about users both on remote servers (bypassing access policy restrictions) and local PCs.

Hands-on-lab: Andres Riancho. Web 2.0 security. Advanced techniques [video]. The hands-on-lab covered protection techniques against attacks exploiting XML and HPP/HPC, as well as Click Jacking and Session Puzzling.

Report: Sergey Scherbel. Not all PHP implementations are equally useful. Video is available here from 04:00 p.m. The reporter considered detected security problems and operational features of Web applications using third-party implementations of PHP and gave examples of 0-day vulnerabilities.

Report: Thibault Koechlin. Naxsi, an open source and positive model based web application firewall [video].

Report: Aleksey Moskvin. On secure application of PHP wrappers [video]. Several vulnerabilities related to PHP wrappers were considered.

Report: Vladimir Kochetkov. Hack an ASP.NET site? It is difficult, but possible! [video]. The reporter presented examples of new 0 day attacks including a brand new type of Code Injection.

Mobile Security

Hands-on-lab: Manish Chasta. Securing Android applications [video]. The talk briefed the audience on the techniques of discovering and mitigating the vulnerabilities in any Android Mobile Application. In addition to this, the presentation covered Android rooting, SQLite database analysis, ADB and mobile server related threats. The audience also learnt about the proposed OWASP Top 10 for mobile applications.

Report: Marcus Niemietz. Hijacking attacks on Android devices [video].

Hands-on-lab: Sergey Nevstruev. Practicalities of Mobile Security [video].

Botnets Control

Report: Maria Garnayeva. The techniques of putting a spoke in botmasters' wheels: the Kelihos botnet. Video is available here from 09:10 a.m.

Report: Alexander Gostev. Initially the report was titled The secret of Duqu, but then the reporter decided to concentrate on a new vulnerability called Flame. Video is available here from 02:00 p.m.

Report: Alexander Lyamin. DDoS Surveillance HowTo. Part 2. Video is available here from 05:03 p.m.

Report: Fyodor Yarochkin and Vladimir Kropotov. Life cycle and detection of bot infections through network traffic analysis [video].

Hands-on-lab: Pierre-Marc Bureau. Win32/Georbot. Understanding and automated analysis of a malware [video]. It is the first hands-on-lab in the world related to this botnet.

Issues of Password Protection

Report: Alexey Zhukov. Lightweight cryptography: resource-undemanding and attack-resistant. Video is available here from 12:00 p.m.

Report: Dmitry Sklyarov and Andrey Belenko. Secure password managers and military-grade encryption for smartphone: Huh, really? Video is available here from 10:15 a.m.

Report: Alexander (Solar Designer) Peslyak. Password security: past, present, future [video]. The report addressed the issues of password protection in a historical perspective, as well as the prospects of authentication technologies in the near future.

Report: Benjamin Delpy. Mimikatz to restore passwords for Windows 8 [video].

Hackers and Money

Section: Artyom Sychov. Ways to protect money [video].

Report: Dmitry Gorelov, RusCrypto Association. Smart-card technologies in Russia: from payphones to Universal Electronic Card. Video is available here from 10:00 a.m.

Report: Aleksandr Matrosov and Eugene Rodionov. Smartcard vulnerabilities in modern banking malware. Video is available here from 11:07 a.m. The speakers described the study of the most common banking malware, as well as the discovery of interesting vulnerabilities by using two-factor authentication and smart cards. The report also covered techniques and tricks used by hackers to conduct anti-forensics.

Report: Micha Borrmann. Paying with credit cards in the Internet can result in headache [video].

Practical Security

Hands-on-lab: Boris Ryutin. Security without antivirus software [video]. The participants of this four-hour master class got basic knowledge of detecting Trojans in OS, learnt the most recent Trojan development techniques for Windows (SpyEye, Carberp, Duqu), considered Trojans for Android and got acquainted with actual exploits (PDF, Java).

Report: Yuri Gubanov. How to find an elephant in a haystack [video].

Report: Dmitry Evdokimov. Light and dark side of code instrumentation [video]. The reporter told about existing methods of instrumentation (Source Code Instrumentation, Bytecode Instrumentation, Binary Code Instrumentation).

Report: Nikita Tarakanov and Alexander Bazhanyuk. Automated vulnerability detection tool. Video is available here from 05:00 p.m.

Report: Igor Kotenko. Program agent cyberwars [video].

Report: Ulrich Fleck and Martin Eiszner. From 0-day to APT in terms of favorite framework [video].

Section: Demo section. Seeing once is better! Video is available here from 05:10 p.m.

Anonymous and LulzSec

Report: Jerry Gamblin. What we can (and should) learn from LulzSec [video]. During the report Jerry was teased by a group of people, but thanks to his good sense of humor he reacted very positively [video].

Report: Haythem El Mir. How Tunisia resisted attacks by Anonymous. Video is available here from 02:10 p.m.

Other Topics

Report: Alexey Andreev (Mercy Shelley). The past and the future of cyberpunk [video]. Alexey shared his views on the development of Russian cyberpunk.

Award ceremony: follow the link to watch the winners receiving their prizes.

Concert: a music band named Undervud closed the forum [video].

6/6/2012

Positive Hack Days 2012 Is Over: Hackers Cracked the Planet

Positive Hack Days 2012 Is Over: Hackers Cracked the Planet Last days of May Moscow was hosting Positive Hack Days 2012, an international security forum for specialists in practical information security organized by Positive Technologies. During the days, the forum was attended by more than 1,500 people: professionals in information security, hackers from all over the world, and representatives of companies, government structures and Internet community. Hardly could have these people imagined that they would meet under the same roof. PHDays 2012 gave the floor to such speakers as legendary Bruce Schneier and Datuk Mohd Noor Amin, Chairman of IMPACT. Dozens of reports and hands-on labs were presented, numerous hacking and security protection competitions were held, including a large-scale CTF contest. Capture the Flag and HackQuest Cyber-punk script and real-life vulnerabilities became a hallmark of the CTF (Capture the Flag) contest, a keynote competition of the forum. The plot offered the teams to make time travel to the future and save the Earth civilization from a catastrophe. To ‘hunt’ the flags, 13 teams came from Russia, Japan, the USA, Germany, France, Tunisia, the Netherlands, India, Spain, and Switzerland. For two days non-stop the teams were searching for vulnerabilities in the rivals’ systems to gain access to secret information (flags), and enhancing security of their own systems by eliminating their vulnerabilities. The first place was taken by LeetMore, a Russian team from Saint Petersburg. They received 150,000 rubles as a prize. The second best team was 0daysober from Switzerland (100,000 rubles). The third leader was Int3pids from Spain (50,000 rubles). The last year’s winners of PHDays CTF, American hackers from PPP, took the fourth place. In their search for vulnerabilities and flags, the teams could share their quest with the Internet participants of Online HackQuest. 
The first and second places were taken by Russians – BECHED ahack.ru and ufologists, the bronze went to stratum0, a specialist from Germany. Hijacking a Drone Unmanned aircrafts are far more than just phantoms of writers’ imagination. Nowadays they are widely used in armed forces of various countries for efficient annihilation of enemies. The organizers invented a competition that modeled a situation when such a device was hijacked by a hostile force. According to the PHDays CTF legend for the second day, the teams were to find transportation means, namely, an aircraft. For this task the organizers had prepared two AR.Drone devices operated with a mobile phone via insecure connections. The CTF contestants had two hours to take over the device. Sergey Azovskov, a Russian information security expert from Yekaterinburg, was the first to cope with the task. “It was already a year ago, when the first PHDays set a high standard for a well-organized event in the field of information security. This year, the forum has been even better and proved that an event in our field can be interesting, dynamic, and positive. You can feel it that the organizers have put all their love and care in PHDays, which is half the battle. We have been working with Positive Technologies for many years, and for the second time we have supported the PHDays initiative. I’m positive that this tradition will go on,” commented Alexander Lukatsky, Cisco Systems. Hacking Apple iPhone and Windows XP In the modern information space, detecting an absolutely new vulnerability (0day) in a popular and smoothly running product is the same as making a serious invention. That is why competitions on hacking various operating systems and applications played a key role in the program. The result of the competitions is somewhat similar to that of the CTF: most prizes were taken by Russian specialists. Nikita Tarakanov demonstrated a hazardous vulnerability in Windows XP, which gave him 50,000 rubles. 
Pavel Shuvalov, famous for his Vulndisco Mobile 1.7 utility, which is meant for jailbreaking iOS-based devices, hacked an iPhone 4S by exploiting a vulnerability in the popular Office² Plus. This victory brought him the iPhone 4S and 75,000 rubles. In addition, while fighting for flags, a member of LeetMore (the CTF 2012 winners) detected a 0day in the FreeBSD 8.3 release. This vulnerability enables any local user to bypass security restrictions (FreeBSD Jail).

“The forum was a pleasant surprise for me, because there’s been a huge need for events of that kind in Russia. In particular, I’d like to mention the friendly atmosphere that the organizers have managed to create. The name suits the forum perfectly: everything – the content, the entry list, the quality of the reports – is far better than a year ago. PHDays has reached a higher level but managed to keep its main peculiarities: the unique emotional level and the atmosphere that encourages informal interactions with so many interesting people,” says Alexander Gostev, Kaspersky Lab.

Sharing Experience Is Fun

The practical goals of PHDays 2012 were highly praised by guests and participants of the forum. Over 50 presentations, hands-on labs and round tables were conducted under the slogan “Minimum marketing, maximum experience”.

The banking section, attended by experts in information security and representatives of financial organizations, ended in the $natch competition. By exploiting vulnerabilities typical of remote banking systems, hackers managed to transfer different amounts of money to their virtual accounts and then cash them out at an ATM standing near the playground. The competition was won by Alexey Osipov, a senior student at Moscow Power Engineering Institute. He was able to steal 3,500 rubles from the bank. Incidentally, at the banking section, Artem Sychev of Rosselkhozbank broke alarming news: every day, 15-20 attempts to steal money from bank accounts are recorded in Russia.
The main hall was overcrowded when Bruce Schneier, a legendary cryptography researcher, gave his presentation there. In his ironic manner, Bruce supported those who sometimes feel an uncontrollable urge to break laws out of sheer curiosity. By breaking rules, they advance society.

Sergey Gordeychik, CTO of the organizing company, shared his exciting experience of detecting and eliminating vulnerabilities in telecommunication networks. The convergence of various types of networks and appliances makes them vulnerable to dozens of hacking methods. For example, an intruder can conduct an attack via a channel used by employees for online games, or use a vulnerable interface of a web camera, a contractor's WiFi access point, an unfriendly resource located on the same hosting, and so on.

Andrei Costin demonstrated the reasons for and the methods of hacking a printer. Marcus Niemietz showed disadvantages of the Android OS security system. Vladimir Vorontsov explained the purposes of XXE attacks, revealing 0day vulnerabilities along the way. Alexander Gostev of Kaspersky Lab provided new details about Flame, a recently detected spy cyber weapon of a new generation.

The subject of organized hacking was further developed by Haythem El Mir, an information security specialist from Tunisia. In his report about a fight between the Tunisian Computer Emergency Response Team and a group of hackers called Anonymous, he stripped away the myth about the professionalism of Anonymous, whose members are believed to be the best hackers ever.

A curious incident took place during Jerry Gamblin’s presentation: while he was speaking about his analysis of the activities of LulzSec, the group that had hacked the CIA’s web site, a group of people entered the hall with their faces hidden behind Anonymous masks. The speaker was not in the least confused and gladly put on one of the masks after his presentation.
The experts of Positive Research spoke about vulnerabilities in popular enterprise software products, such as the Cisco Secure ACS network equipment management system, the popular web server Nginx, and the Citrix Xen virtualization system, and about a dozen vulnerabilities in various web applications.

At the special section on SCADA, Positive Technologies announced their initiative in the field of production management system security: cooperation with Siemens in the search for and elimination of vulnerabilities in SCADA SIMATIC WinCC, and the development of configuration security standards for popular SCADAs.

In addition, the organizers used the forum’s floor to announce their new educational project, Positive Education. In the course of the project, Positive Technologies specialists will assist professors of Russian technical universities and institutes in developing practical educational programs in information security. The forum continued with presentations by young scientists, who came from different Russian cities as finalists of the Young School competition.

This year, Positive Hack Days was for the first time supported by numerous hackspaces as part of the PHDays Everywhere initiative. The geographical map of online platforms attended by the local elite of the hacker world spanned a huge distance, from Tokyo to Krasnodar and from India to Tunisia. For the visitors of the hackspaces, the organizers set up interactive online broadcasting with live standups and prepared a special competition, Hacked in 137 seconds, which required the participants to hack Cisco-based network appliances. The winner was the DCUA team from Ukraine, followed by the Indian team XBios.

“I think, this event gives everyone splendid opportunities to meet their friends and partners, as well as new interesting people, and to discuss all sorts of topics. By now means, it charges you with positive energy for the whole year!
I’m sure, we’ll spend the year waiting for PHDays version 3.0 (and time will fly fast)! I know, PHDays and Positive Technologies have a great future ahead. I’m so happy to see accompany the company in its first steps towards their future,” commented Aydar Guzairov, ICL-КME CS.

The Planet Needs Positive Hackers

The keynote speakers of the forum, Bruce Schneier and Datuk Mohd Noor Amin (Chairman of IMPACT), unanimously noted the significance that positive hackers have for the progress and security of humankind.

Positive Hack Days 2012 ended with an amusing competition named Too Drunk To Hack NG. Every five minutes, the participant whose actions had triggered the firewall's alarm more often than those of the other competitors was to drink a shot of tequila and go on trying to hack the application. The competition was won by Vladimir Vorontsov, ONSec. It took him 350 milliliters of the strong drink to win!

“Judging by the feedback, Positive Hack Days has become what we wanted it to be – a place where knowledge is shared between all sorts of people: from a science fiction writer up to an official. A place where people with antipodal viewpoints can hear one another and receive the most up-to-date information about information system security. A place, where the future is created,” says Sergey Gordeychik, Positive Technologies.