News
Russians Took All Places on the Medal Stand of HackQuest Online 2012
Following PHDays 2012, an international forum on practical security issues, fascinating HackQuest Online 2012 came to an end. The participants of the competition faced multiple vulnerabilities and tried themselves in solution of small tasks related to information security. The victory in this hard two-week contest was earned by Dmitry Moskin (DarkByte) from Russia, who gained 27 points. Beside excellent results in hacking and analyzing information security systems, Dmitry is known as a developer of web applications, in particular of such a popular plug-in as MusicSig vkontakte for Google Chrome, designed to expand the functional of the social network VKontakte (for instance, for downloading audio and video files). The winner highly appreciated the organization of the competition: “This CTF was probably the most interesting of all I’ve ever taken part in.” Losing to the winner by a single point, AVictor took the second place; the third place went to letm. So, all three prize-winners represent Russia. They received prizes from the sponsors and Positive Technologies, the organizers of the forum. The fourth place was won by an information security researcher from Pakistan registered as tex. Results of HackQuest Online 2012 are published on the website of PHDays 2012.
Positive Hack Days CTF 2012, or Hackmageddon
In the 19th century, carefree people who used to treat migraine with craniotomy, cough, with heroine, and other illnesses, with mercury, came to believe in the almighty Genetics. However, the long-awaited triumph of biotechnologies turned into a global catastrophe. The plot of the Russian major hacker contest, PHDays 2012 CTF, set an ambitious task for the participants, who had come from all over the world: to save the Earth Civilization, fairly beat-up and dying of starvation amidst mutants and giant weed-trees. The battle between hackers based on the Capture The Flag model has become the star turn of the PHDays 2012 program: for two days and a night non-stop 12 teams from 10 countries were breaking rival networks and protecting theirs. PHDays CTF conditions, unlike those of other contests of this kind, were as real as possible: the vulnerabilities used for the competition are common for modern information systems. Besides, the participants were allowed to take blind actions when solving the tasks. In other words, they could attack systems that they had no access to. The most curious feature of PHDays CTF 2012 was the King-of-the-Hill scheme used at the heart of the contest. According to the logic of this scheme, a team scored not only for having captured a system, but for having held it down as well. For the conditions to be as real as possible, the King-of-the-Hill scheme copied a typical arrangement of enterprise networks: the external perimeter was made of web applications, DBMS servers, and various catalogs (LDAP) and, if penetrated, gave access to the internal perimeter – Microsoft Active Directory. Everything was the way it is in real life. The Show To add a special flavor to the competitions, we prepared a game infrastructure and were modifying it throughout the CTF according to a single plot line. So, the participants were not only to complete tasks faster than their competitors, but to save the world! (For the legends of Day 1 and Day 2, visit the forum’s web-site). Besides, this time the show was spiced with an element of a reality show: random visitors were given cards with bonus keys that they could present to their favorite team at the end of the second day. Challenges The competitions were not only about “pure” hacking. In the lobby of Digital October, the organizers mounted an enormous container with “litter”. The CTF contest required the teams to dive into the container (dumpster) and find bonus keys (flags). Each team had 30 minutes to do the Dumpster Diving.
Video of Reports from PHDays 2012
Videos of reports and hands-on-labs taken place at Positive Hack Days 2012 have been released. They are grouped according to the main information security areas: telecom, state sector, network protection, SAP, SCADA and ERP, web applications, mobile devices, botnets, password protection, hackers and money, practical security, Anonymous and LulzSec. Enjoy it! Keynote Reports Bruse Schneier. The video is available here from 01:00 p.m. The guru of cryptography told about his own security philosophy that surprised most of visitors. He thinks that technologies constitute only a small part of security provision, and law breakers (hackers) may not only cause harm but be useful as well. Datuk Mohd Noor Amin. The reporter is the Chairman of the International Multilateral Partnership Against Cyber Threats (IMPACT), he leads the first United Nations-backed public-private partnership against cyber threats with UN’s International Telecommunication Union (ITU) as its partner, and with 137 countries as members, IMPACT is also recognized as the world’s largest cybersecurity alliance [video]. Telecom Report: Sergey Gordeychik. How to hack a telecom and stay alive 2. Owning a billing [video]. Where to look for the keys to a technological network? How to obtain the billings without interfering with the main business of a company? The speaker answered these questions and shared new illustrative and funny examples of penetration testing performed for telecommunication networks. Section: Evgeny Klimov, RISSPA. Telecom vs fraud. Who will win? Follow the link to watch the video (available from 12:15 p.m.). State Sector Report: Mikhail Yemelyannikov. Why it is impossible to comply with Russian private data protection law? [video]. Report: Andrey Fedichev, FSTEK of Russia. Why state secrets leak to the Internet? [video]. Report: Alexey Lukatsky. How presidential election in Russia influences information security market, or Trends in regulations. Video is available here from 04:00 p.m. Network Protection Report: Vladimir Styran. The truth about the lie. Social engineering for security experts [video]. Hands-on-lab: Andrey Masalovich. Internet competitive intelligence. Video is available here from 04:08 p.m. By using practical examples, participants of the workshop acquired the skills of using analytical technologies in solving real problems of competitive intelligence, including methods for rapid detection of confidential information leaks, fast-detection of open partitions on servers, methods of penetration on the FTP server without hacking protection; password leak-detection methods; methods of access to confidential documents via bypassing DLP; means of penetrating into sections behind 403 error messages. Techniques were demonstrated on examples of portals in certainly well-protected companies (such as the leaders of the IT and IS markets, large state organizations, intelligence, etc.). Hands-on-lab: Dmitry Ryzhavsky. Wireless network security. How your network was hacked and how it could be avoided [video]. In the course of the report the most relevant methods of obtaining unauthorized access to WiFi-network were considered, and the mechanisms, proposed by Cisco Unified Wireless Network to protect against the described attacks, were demonstrated. Hands-on-lab: Sergey Lozhkhin. Computer incident investigation. Video is available here from 02:00 p.m. This hands-on-lab was devoted to the investigation of incidents of unauthorized access to Internet resources. The reporter introduced the audience to the psychological portrait of the modern hacker and talked about types of attackers. He considered the process of working on the incident, from the detection of traces of malicious activity and response to signals about the burglary to finding the attacker, in cooperation with law enforcement. In addition, the audience heard fascinating stories about real security incidents. Hands-on-lab: Nikhil Mittal. Breaking havoc using a Human Interface Device [video]. This hands-on-lab focused on a highly dangerous and yet widely neglected computer security issue — vulnerability of Human Interface Devices (HIDs). Report: Sylvain Munaut. Abusing Calypso phones [video]. Report: Andrei Costin. PostScript: Danger ahead! Hacking MFPs, PCs and beyond… [video]. Report: Sergey Klevoghin. CEH. Ethical hacking and penetration testing [video]. Visitors of the workshop learnt typical vulnerabilities of network protocols, operating systems and applications. During the master class the speaker described the sequence of different types of attacks on computer systems and networks and made recommendations to strengthen the security of computer systems and networks. Students were immersed in a practical environment, where they saw how to really hack the system to subsequently be able to anticipate possible actions of a hacker and successfully resist them. Report: Travis Goodspeed. Exploiting radio noise with packets in packets. Video is available here from 03:10 p.m. This talk showed peculiarities of PIP writing, including working examples for IEEE 802.15.4 and the Nordic RF low-power radios. SAP, SCADA, ERP Report: Alexey Yudin. ERP as viewed by attackers. Video is available here from 03:00 p.m. Report: Andrey Doukhvalov. Defense of industrial control systems – a factor of survival of mankind [video]. Report: Evgeniya Shumakher. A lazy way to find out your fellow worker's salary, or SAP HR security [video]. Report: Alexander Polyakov. SAP insecurity: the new and the best [video]. This report focused on ten most interesting vulnerabilities and attack vectors on the SAP system from problems with encryption to bypassing authentication, and from the mistakes of fun to sophisticated attack vectors. A large proportion of vulnerabilities were presented to the public for the first time. Hands-on-lab: Alexey Yudin. DIY SAP security [video]. Participants of this workshop learnt how to perform security assessment of SAP R/3 and NetWeaver systems (including application servers and infrastructure) by means of available tools. Web Security Hands-on-lab: Vladimir Lepikhin. Web application attacks. The basics. Video is available here from 09:00 a.m. The mechanisms of attack on web applications, techniques and tools (specialized scanners, security, utilities, using the results of their work during manual analysis) used by violators were provided in a systematic form. Practical examples clearly demonstrated major weaknesses of web applications that make it possible to conduct attacks, illustrated by the shortcomings of the means of protection in use and methods to bypass them. Report: Miroslav Štampar. DNS exfiltration using sqlmap [video]. The speaker represented DNS exfiltration technique using SQL injection, described its pros and contras, and provided illustrative examples. Report: Vladimir Vorontsov. Attacks against Microsoft network web clients [video]. The report covered methods of attacks on Internet Explorer users functioning as part of Microsoft networks. The considered attacks are aimed at obtaining confidential information about users both on remote servers (bypassing access policy restrictions) and local PCs. Hands-on-lab: Andres Riancho. Web 2.0 security. Advanced techniques [video]. The hand-on-lab covered protection techniques against attacks exploiting XML and HPP/HPC, as well as Click Jacking and Session Puzzling. Report: Sergey Scherbel. Not all PHP implementations are equally useful. Video is available here from 04:00 p.m. The reporter considered detected security problems and operational features of Web applications using third-party implementations of PHP and gave examples of 0-day vulnerabilities. Report: Thibault Koechlin. Naxsi, an open source and positive model based web application firewall [video]. Report: Aleksey Moskvin. On secure application of PHP wrappers [video]. Several vulnerabilities related to PHP wrappers were considered. Report: Vladimir Kochetkov. Hack an ASP.NET site? It is difficult, but possible! [video]. The reporter presented examples of new 0 day attacks including a brand new type of Code Injection. Mobile Security Hands-on-lab: Manish Chasta. Securing Android applications [video]. The talk briefed the audience on the techniques of discovering and mitigating the vulnerabilities in any Android Mobile Application. In addition to this, the presentation covered Android rooting, SQLite database analysis, ADB and mobile server related threats. The audience also learnt about the proposed OWASP Top 10 for mobile applications. Report: Marcus Niemietz. Hijacking attacks on Android devices [video]. Hands-on-lab: Sergey Nevstruev. Practicalities of Mobile Security [video]. Botnets Control Report: Maria Garnayeva. The techniques of putting a spoke in botmasters' wheels: the Kelihos botnet. Video is available here from 09:10 a.m. Report: Alexander Gostev. Initially the report was titled The secret of Duqu, but then the reporter decided to concentrate on a new vulnerability called Flame. Video is available here from 02:00 p.m. Report: Alexander Lyamin. DDoS Surveillance HowTo. Part 2. Video is available here from 05:03 p.m. Report: Fyodor Yarochkin and Vladimir Kropotov. Life cycle and detection of bot infections through network traffic analysis [video] Hands-on-lab: Pierre-Marc Bureau. Win32/Georbot. Understanding and automated analysis of a malware [video]. It is the first hands-on-lab in the world related to this botnet. Issues of Password Protection Report: Alexey Zhukov. Lightweight cryptography: resource-undemanding and attack-resistant. Video is available here from 12:00 p.m. Report: Dmitry Sklyarov and Andrey Belenko. Secure password managers and military-grade encryption for smartphone: Huh, really? Video is available here from 10:15 a.m Report: Alexander (Solar Designer) Peslyak. Password security: past, present, future [video]. The report addressed the issues of password protection in a historical perspective, as well as the prospects of authentication technologies in the near future. Report: Benjamin Delpy. Mimikatz to restore passwords for Windows 8 [video]. Hackers and Money Section: Artyom Sychov. Ways to protect money [video] Report: Dmitry Gorelov, RusCrypto Association. Smart-card technologies in Russia: from payphones to Universal Electronic Card. Video is available here from 10:00 a.m. Report: Aleksandr Matrosov and Eugene Rodionov. Smartcard vulnerabilities in modern banking malware. Video is available here from 11:07 a.m. The speakers described the study of the most common banking malware, as well as the discovery of interesting vulnerabilities by using two-factor authentication and smart cards. The report also covered techniques and tricks used by hackers to conduct anti-forensics. Report: Micha Borrmann. Paying with credit cards in the Internet can result in headache [video] Practical Security Hands-on-lab: Boris Ryutin. Security without antivirus software [video]. The participants of this four-hour master class got basic knowledge of detecting Trojans in OS, learnt most recent Trojan development techniques for Windows (SpyEye, Carberp, Duqu), considered Trojans for Android and got acquainted with actual exploits (PDF, Java). Report: Yuri Gubanov. How to find an elephant in a haystack [video]. Report: Dmirty Evdokimov. Light and dark side of code instrumentation [video]. The reporter told about existing methods of instrumentation (Source Code Instrumentation, Bytecode Instrumentation, Binary Code Instrumentation). Report: Nikita Tarakanov and Alexander Bazhanyuk. Automated vulnerability detection tool. Video is available here from 05:00 p.m. Report: Igor Kotenko. Program agent cyberwars [video]. Report: Ulrich Fleck and Martin Eiszner. From 0-day to APT in terms of favorite framework [video]. Section: Demo section. Seeing once is better! Video is available here from 05:10 p.m. Anonymous and LulzSec Report: Jerry Gamblin. What we can (and should) learn from LulzSec [video]. During the report Jerry was teased by a group of people, but thanks to his good sense of humor he reacted very positively [video]. Report: Haythem El Mir. How Tunisia resisted attacks by Anonymous. Video is available here from 02:10 p.m. Other Topics Report: Alexey Andreev (Mercy Shelley). The past and the future of cyberpunk [video]. Alexey shared his views on the development of Russian cyberpunk. Award ceremony: follow the link to watch the winners receiving their prizes. Concert: a music band named Undervud closed the forum [video].
Positive Hack Days 2012 Is Over: Hackers Cracked the Planet
Positive Hack Days 2012 Is Over: Hackers Cracked the Planet Last days of May Moscow was hosting Positive Hack Days 2012, an international security forum for specialists in practical information security organized by Positive Technologies. During the days, the forum was attended by more than 1,500 people: professionals in information security, hackers from all over the world, and representatives of companies, government structures and Internet community. Hardly could have these people imagined that they would meet under the same roof. PHDays 2012 gave the floor to such speakers as legendary Bruce Schneier and Datuk Mohd Noor Amin, Chairman of IMPACT. Dozens of reports and hands-on labs were presented, numerous hacking and security protection competitions were held, including a large-scale CTF contest. Capture the Flag and HackQuest Cyber-punk script and real-life vulnerabilities became a hallmark of the CTF (Capture the Flag) contest, a keynote competition of the forum. The plot offered the teams to make time travel to the future and save the Earth civilization from a catastrophe. To ‘hunt’ the flags, 13 teams came from Russia, Japan, the USA, Germany, France, Tunisia, the Netherlands, India, Spain, and Switzerland. For two days non-stop the teams were searching for vulnerabilities in the rivals’ systems to gain access to secret information (flags), and enhancing security of their own systems by eliminating their vulnerabilities. The first place was taken by LeetMore, a Russian team from Saint Petersburg. They received 150,000 rubles as a prize. The second best team was 0daysober from Switzerland (100,000 rubles). The third leader was Int3pids from Spain (50,000 rubles). The last year’s winners of PHDays CTF, American hackers from PPP, took the fourth place. In their search for vulnerabilities and flags, the teams could share their quest with the Internet participants of Online HackQuest. The first and second places were taken by Russians – BECHED ahack.ru and ufologists, the bronze went to stratum0, a specialist from Germany. Hijacking a Drone Unmanned aircrafts are far more than just phantoms of writers’ imagination. Nowadays they are widely used in armed forces of various countries for efficient annihilation of enemies. The organizers invented a competition that modeled a situation when such a device was hijacked by a hostile force. According to the PHDays CTF legend for the second day, the teams were to find transportation means, namely, an aircraft. For this task the organizers had prepared two AR.Drone devices operated with a mobile phone via insecure connections. The CTF contestants had two hours to take over the device. Sergey Azovskov, a Russian information security expert from Yekaterinburg, was the first to cope with the task. “It was already a year ago, when the first PHDays set a high standard for a well-organized event in the field of information security. This year, the forum has been even better and proved that an event in our field can be interesting, dynamic, and positive. You can feel it that the organizers have put all their love and care in PHDays, which is half the battle. We have been working with Positive Technologies for many years, and for the second time we have supported the PHDays initiative. I’m positive that this tradition will go on,” commented Alexander Lukatsky, Cisco Systems. Hacking Apple iPhone and Windows XP In the modern information space, detecting an absolutely new vulnerability (0day) in a popular and smoothly running product is the same as making a serious invention. That is why competitions on hacking various operating systems and applications played a key role in the program. The result of the competitions is somewhat similar to that of the CTF: most prizes were taken by Russian specialists. Nikita Tarakanov demonstrated a hazardous vulnerability in Windows XP, which gave him 50,000 rubles. Pavel Shuvalov, famous for his Vulndisco Mobile 1.7 utility that is meant for jailbreaking iOS-based devices, hacked an iPhone 4S by exploiting a vulnerability in popular Office² Plus. This victory brought him the iPhone 4s and 75,000 rubles. Besides, fighting for flags, a member of LeetMore (the CTF 2012 winners) detected a 0day in the FreeBSD 8.3 release. This vulnerability enables any local user to bypass security restrictions (FreeBSD Jail). “The forum was a pleasant surprise for me, because there’s been a huge need for events of that kind in Russia. In particular, I’d like to mention the friendly atmosphere that the organizers have managed to create. The name suits the forum perfectly: everything – the content, the entry list, the quality of the reports – is far better than a year ago. PHDays has reached a higher level but managed to keep its main peculiarities: the unique emotional level and the atmosphere that encourages informal interactions with so many interesting people,” says Alexander Gostev, Kaspersky Lab. Sharing Experience Is Fun The practical goals of PHDays 2012 were highly praised by guests and participants of the forum. Over 50 presentations, hands-on labs and round tables were conducted under the slogan Minimum marketing, maximum experience. The banking section, attended by experts in information security and representatives of financial organizations, ended in the $natch competition. By exploiting vulnerabilities typical of remote banking systems, hackers managed to transfer different amounts of money to their virtual accounts, and then cash them out in an ATM standing nearby the playground. The competition was won by Alexey Osipov, a senior student at Moscow Power Engineering Institute. He was able to steal 3,500 rubles from the bank. By the way, at the banking section, Artem Sychev with Rosselkhozbank broke alarming news: every day there are 15-20 attempts of money robbery from bank accounts recorded in Russia. The main hall was really overcrowded when Bruce Schneier, a legendary cryptography researcher, was giving his presentation there. In his ironic manner, Bruce supported those who sometimes feel an uncontrollable urge to break laws out of a sheer curiosity. By breaking rules, they advance the society. Sergey Gordeychik, CTO of the company-organizer, shared his exciting experience of detecting and eliminating vulnerabilities in the telecommunication networks. A convergence of various types of networks and appliances makes them vulnerable to dozens of hacking methods. For example, an intruder can conduct an attack via a channel used by employees for online games, or employ a vulnerable interface of a web camera, a WiFi access point of a contractor, unfriendly resource located on the same hosting, and etc. Andrei Costin demonstrated the reasons for and the methods of hacking a printer. Marcus Niemietz showed disadvantages of the Android OS security system. Vladimir Vorontsov explained the purposes of XXE attacks revealing 0day vulnerabilities in between. Alexander Gostev with Kaspersky Lab provided new details about Flame, a recently detected spy cyber weapon of a new generation. The subject of organized hacking was further developed by Haythem El Mir, an information security specialist from Tunisia. In his report about a fight between Tunisian Computer Emergency Response Team and a group of hackers called Anonymous, he stripped away the myth about the professionalism of Anonymous, whose members are believed to be the best hackers ever. A curious incident took place during Jerry Gamblin’s presentation: while he was speaking about his analysis of LutzSec’s activities, who had hacked CIA’s web site, a group of people entered the hall with their faces hidden under the Anonymous masks. The speaker did not get confused the least bit and gladly fit on one of the masks after his presentation. The experts of Positive Research told about vulnerabilities in popular enterprise software products, such as Cisco Secure ACS network equipment management system, a popular web service Nginx, the Citrix Xen virtualization system, and about a dozen of vulnerabilities in various Web applications. At the special section on SCADA, Positive Technologies announced their initiative in the field of production management system security – cooperation with Siemens in search for and elimination of vulnerabilities in SCADA SIMATIC WinCC and development of configuration security standards for popular SCADAs. Besides, the organizers used the forum’s floor to announce their new educational project Positive Education. In the course of the project, Positive Technologies specialists will assist professors of Russian technical universities and institutes in developing practical educational programs of information security. The forum was continued with presentations of young scientists, who came from different Russian cities as finalists of the Young School competition. This year, Positive Hack Days for the first time was supported by numerous hackspaces as part of the PHDays Everywhere initiative. The geographical map of online platforms attended by the local elite of the hacker world embraced a huge distance from Tokyo to Krasnodar and from India to Tunisia. For the visitors of the hackspaces, the organizers set up interactive online broadcasting with live standups and prepared a special competition – Hacked in 137 seconds, – which required the participants to hack Cisco-based network appliances. The winner was the DCUA team from Ukraine, who were followed by Indian XBios. “I think, this event gives everyone splendid opportunities to meet their friends and partners, as well as new interesting people, and to discuss all sorts of topics. By now means, it charges you with positive energy for the whole year! I’m sure, we’ll spend the year waiting for PHDays version 3.0 (and time will fly fast)! I know, PHDays and Positive Technologies have a great future ahead. I’m so happy to see accompany the company in its first steps towards their future,” commented Aydar Guzairov, ICL-КME CS. The Planet Needs Positive Hackers The keynote speakers of the forum — Bruce Schneier and Datuk Mohd Noor Amin (Chairman of IMPACT) — unanimously mentioned significance that positive hackers have for progress and security of the humankind. Positive Hack Days 2012 ended with an amusing competition under the name of Too Drunk To Hack NG. Every five minutes a participant whose actions triggered the alarm of the firewall more often than those of other competitors was to drink a shot of tequila and go on trying to hack the application. The competition was won by Vladimir Vorontsov, ONSec. It took him 350 milliliters of the strong drink to win! “Judging by the feedbacks, Positive Hack Days has become what we wanted it to be – a place where knowledge is shared between all sorts of people: from a science fiction writer up to an official. A place where people with antipodal viewpoints can hear one another and receive the most up-to-date information about information system security. A place, where the future is created,” says Sergey Gordeychick, Positive Technologies.
Apple iPhone, Windows XP, And FreeBSD Hacked at PHDays 2012, Moscow
At Positive Hack Days 2012, an international forum on practical information security, the participants of the Hack2own competition demonstratively hacked Apple iPhone 4S and a popular operating system Windows XP. In addition, the CTF contestants detected new vulnerability in FreeBSD, while hackers taking part in the $natch competition showed how to steal money by exploiting vulnerabilities typical of remote banking systems. Russian hackers deserved a special mentioning. Hacking iPhone During PHDays Hack2own, Pavel Shuvalov, an information security expert from Russia, demonstrated a way to hack Apple iPhone. The vulnerability that he exploited was contained in the Office² Plus application distributed in Apple App Store. As a prize, the winner received the iPhone 4S he hacked and 75,000 rubles. Pavel Shuvalov had become famous for his utility Vulndisco Mobile 1.7 designed for jailbreaking iOS-based devices. The iOS system as such proved a hard nut to crack: the main prize, 137,000 rubles meant for a person who would hack the iOS shell without exploiting any vulnerabilities of extraneous applications, remained untouched. 0Day Vulnerability in Windows XP The popular operating system Windows XP was finally hacked by Nikita Tarakanov, an independent expert in information security. To obtain the highest privileges in the system, Nikita exploited a new vulnerability in the system core. This finding made him the winner of the Hack2own competition in the Operating Systems category. Nikita was awarded with 50,000 rubles. Notably, at last year’s Positive Hack Days 2011, Nikita Tarakanov managed to hack the Safari browser for Windows. Hacking Remote Banking Systems The banking section, attended by both information security experts and representatives of financial organizations, was ended with the $natch competition. Before the audience, hackers managed to transfer various amounts of money to their virtual accounts by exploiting vulnerabilities typical of remote banking systems, and then cashed them out in an ATM located nearby. The competition was won by Alexey Osipov, a senior student at Moscow Power Engineering Institute, who was able to steal 3,500 rubles from the bank. Drones and FreeBSD 8.3 Sergey Azovsky, a national security specialist from Yekaterinburg, became the winner of a competition on hacking a drone held as a part of the PHDays CTF contest. Being “cousins” of unmanned aircrafts, drones can be used not only in games: equipped with a camera, they can serve as spies. Fighting the battle, another CTF contestant, a member of the Leet More team, detected a 0day vulnerability in FreeBSD 8.3. The vulnerability enables any local user to bypass security restrictions. Dozens of Other Competitions PHDays 2012 offered great number of various competitions on hacking and security assessment. The participants struggled with WPA-PSK encryption of Wi-Fi, cloned RFID marks at a long distance, searched for a way to bypass firewalls, hacked Cisco appliances, and guessed password encryption algorithms. In the nearest future we will provide detailed information about all competitions held at the PHDays 2012 forum and the names of their winners.
PHDays 2012: Day One
More than 1000 guests gathered in technocentre Digital October on the first day of Positive Hack Days international forum on practical security organized by Positive Technologies. The place was bursting at the seams: hackers, government and business representatives, information security experts, scientists, and students socialized, attended reports, studied and taught. As the forum scenario author and director, Sergey Gordeychik, noted in his speech, Russian IT industry is now greatly divided. In spite of ultramodern government IT-projects, there still exist such problems as lack of experts, “brain drain”, high level of corruption, and, to crown it all, absence of a unified development strategy. Therefore, we organize the PHDays forum, whose main aim is to gather «jackets» and «T-shirts» together and help them to consolidate their efforts in making information handling more secure. Embrace the unembraceable On Day One of PHDays, the forum guests could enjoy speakers’ reports not only in the lecture halls, but also on live video streaming displays. They were also competing in cracking different information systems and actively participated in hands-on labs. Hacking an authentic Soviet coin-operated telephone, intersecting cash terminal, searching for bonus flags in the garbage container, hunting down moving WiFi access point – these are just several forum events. Bad guys break the law, and so do the good ones It’s worth mentioning the keynote by Bruce Schneier, the world-renowned legend of cryptography. Mr. Schneier shared his ideas about the need society has for the law-breaking individuals and the importance of sporadic rule-breaking actions. The famous reporter spoke up for the hackers, who, at the end of the day, promote progress and social changes. Anonymous revolutionary Heythem El Mir, IS expert from Tunisia, told the forum guests about the struggle of Tunisian National Agency for Computer Security against Anonymous hacker group. For the most part, Anonymous consists of ordinary computer users in possession of easy-to-use utilities developed by a few hackers. This story clearly shows that these days even a layman can crack information systems. Moreover, today’s cyber threats are not limited to spam or fraud, but can even endanger many lives. This was what Mr. Amin, the Chairman of the International Multilateral Partnership Against Cyber Threats (IMPACT), mentioned at the press-conference. And that is why IMPACT considers its main task to coordinate international efforts against malicious actions and prevent proliferation of cyber weapon. And according to Mr. Amin, white hats will play a significant role in the process. CTF Twelve hacking teams from 10 countries were competing in breaking and protecting information systems all through the day and night. The finalists of the first day of the forum are Leet More (St.Petersburg), 0daysober (Switzerland), and Int3pids (Spain). PHDays Everywhere Dozens of hackspaces uniting best hackers from all over the world from Tokio to Krasnodar and from India to Tunisia joined the PHDays forum, making it a really global event. It was specially for the hackspace members supporting our PHDays Everywhere initiative that the Hacked in 137 Seconds competition was orginized. The task was to hack a Cisco network device, and it was the DCUA team (Ukraine) who got the first prize. The second place was taken by the Indian tem XBios. Day Two On May, 31st we will have lots of hands-on labs, 0day vulnerabilities demonstration, reports - among them a keynote from Datuk Mohd Noor AMIN, - and competition finals with the winners awarding; Hack2own prizes are about 700,000 rubles, and CTF about 300,000 rubles.
Battle for Invitation Cards is Over
Less than a week is left until the information security forum Positive Hack Days 2012, and until today everybody who wanted to visit this event had a chance to win an invitation card in such contests as Blow Up the Town and Hackers vs. Forensics. 10 invitation cards were played in each competition (1st place — 5 tickets, 2nd place — 3 tickets, 3rd place — 2). Blow Up the Town was taking place from May 7 to 25. Participants had to solve various tasks and obtain special keys (flags); these keys were to be submitted to the jury via a form on the participants’ personal pages. If the flag was valid, the participant gained the corresponding number of points. The participants could both warm up their brains before PHDays 2012 and see some most attractive places of Moscow by means of an interactive map.
Rules of the Hack2Own Competition at PHDays 2012
In 2011 the of Hack2Own winners were Nikita Tarakanov and Alexander Bazhanyuk, representatives of the CISSRT team, who demonstrated 0day vulnerability (CVE-2011-0222) in the latest version of Safari (Internet browser) for Windows and took the first prize, namely, a laptop and 50,000 rubles. This year the budget of the competition has been significantly increased up to 20,000 $. The winners will have enough money to fill the new cases with :) This competition is divided into three categories: exploitation of web browser vulnerabilities, exploitation of kernel vulnerabilities, and exploitation of vulnerabilities in mobile devices. Detailed rules of participation are under the cut. Attention! A laptop is required to participate in the competition. Why do we need it? We just want to make this world securer. We strive for promoting ideas of responsible disclosure of vulnerabilities. That is why the competition has an important condition: a participant who detected a vulnerability should inform the software vendor within 6 months from the moment of its detection. Details on the Hack2own competition are available here.
Our contribution to the cyber security of Japan
NHK (Japan broadcasting corporation), one of the largest TV companies in the world, has published an explicit article about the Positive Hack Days forum opening on May 30, 2012. The author of the article points out the lack of information security specialists and necessity of ethical hackers in Japan. Participation of local students in such contests as PHDays 2012 Capture the Flag is specified as a way out of Japanese cyber security crisis. It is worth noting that a team from the Land of the Rising Sun named Tachikoma is participating in the CTF. It is formed from the students of such Japanese universities as University of Tokyo, Tokyo Denki University, Tokyo University of Technology and University of Aizu. The team was created in 2012. The first appearance of this newbie team will be at offline-type CTF at PHDays 2012. It has earlier become known that PHDays CTF is in the list of the most popular and respectful CTFs in the world. Its winners are automatically included in the Defcon CTF final. . P.S. By the way, participation in the Blow Up the Town competition until May 25th still provides an opportunity to gain a ticket to PHDays.
PHDays Young School Finalists Decided
Got tired of waiting for new Brins and Kasperskys in Russia? Frankly speaking, we did. To find out the state of academic IT-security science in Russia, we "put out a bulletin" for young scientists who make researches in this field. The competition started a couple of months before the PHDays. This week, the finalists have been decided. The program committee of the competition, which was composed of representatives of leading IT companies (Microsoft, Yandex, etc.), educational and scientific institutions (MSU, MEPI, SPIIRAS) and core publications (Hacker Magazine), considered 19 applications and selected 7 most interesting reports. The finals of PHDays Young School will host youngsters from educational institutions of Moscow, Krasnoyarsk, Novosibirsk, Saint Petersburg and Taganrog, who will compete for the main prize on May 31. The primary goal of the competition is to give a chance to young scientists to let themselves known. The finalists will personally present results of their research before mainstream audience of experts, leading Russian and international specialists in information security. We hope sincerely that for the young scientists, their presentations at PHDays Young School will be a major step towards their success and that this experience will help them in their future scientific work. The competition took place owing to Andrey Petukhov's determination and enthusiasm. This man shouldered the uneasy task of organizing PHDays Young School. A special thanks to the committee members, namely: Dmitry Kuznetsov (Positive Technologies); Denis Gamayunov (CMC MSU); Alexander Dmitriyenko (Technische Universitat Darmstadt); Vladimir Ivanov (Yandex); Alexey Kachalin (Advanced Monitoring); Nikita Kislitsin (Hacker Magazine); Igor Kotenko (SPIIRAS); Pavel Laskov (Eberhard Karls University, Tubingen); Alexander Polyakov (Digital Security, ERPScan); Aleksey Sintsov (Digital Security, Defcon Russia Group); Beshkov Andrey (Microsoft). So, we are waiting for you at PHDays 2012, on May 31 where the finals of PHDays Young School will take its place. Don't miss the chance to see the future being born!