News

6/4/2012

Apple iPhone, Windows XP, And FreeBSD Hacked at PHDays 2012, Moscow

At Positive Hack Days 2012, an international forum on practical information security, participants in the Hack2own competition publicly hacked the Apple iPhone 4S and the popular Windows XP operating system. In addition, CTF contestants found a new vulnerability in FreeBSD, while hackers taking part in the $natch competition showed how to steal money by exploiting vulnerabilities typical of remote banking systems. Russian hackers deserve a special mention.

Hacking iPhone

During PHDays Hack2own, Pavel Shuvalov, an information security expert from Russia, demonstrated a way to hack the Apple iPhone. The vulnerability he exploited was in the Office² Plus application distributed through the Apple App Store. As a prize, the winner received the iPhone 4S he hacked and 75,000 rubles. Pavel Shuvalov had become famous for his utility Vulndisco Mobile 1.7, designed for jailbreaking iOS-based devices. iOS itself proved a hard nut to crack: the main prize, 137,000 rubles for anyone who could hack the iOS shell without exploiting vulnerabilities in third-party applications, remained untouched.

0Day Vulnerability in Windows XP

The popular operating system Windows XP was finally hacked by Nikita Tarakanov, an independent information security expert. To obtain the highest privileges in the system, Nikita exploited a new vulnerability in the system core. This finding made him the winner of the Hack2own competition in the Operating Systems category. Nikita was awarded 50,000 rubles. Notably, at last year's Positive Hack Days 2011, Nikita Tarakanov managed to hack the Safari browser for Windows.

Hacking Remote Banking Systems

The banking section, attended by both information security experts and representatives of financial organizations, ended with the $natch competition.
In front of the audience, hackers managed to transfer various amounts of money to their virtual accounts by exploiting vulnerabilities typical of remote banking systems, and then cashed the money out at an ATM located nearby. The competition was won by Alexey Osipov, a senior student at Moscow Power Engineering Institute, who was able to steal 3,500 rubles from the bank.

Drones and FreeBSD 8.3

Sergey Azovsky, a national security specialist from Yekaterinburg, won the drone-hacking competition held as part of the PHDays CTF contest. As “cousins” of unmanned aircraft, drones can be used not only in games: equipped with a camera, they can serve as spies. In the heat of the battle, another CTF contestant, a member of the Leet More team, found a 0day vulnerability in FreeBSD 8.3. The vulnerability enables any local user to bypass security restrictions.

Dozens of Other Competitions

PHDays 2012 offered a great number of competitions on hacking and security assessment. The participants struggled with WPA-PSK encryption of Wi-Fi, cloned RFID tags at a long distance, searched for ways to bypass firewalls, hacked Cisco appliances, and guessed password encryption algorithms. In the near future we will provide detailed information about all the competitions held at the PHDays 2012 forum and the names of their winners.

5/31/2012

PHDays 2012: Day One

More than 1000 guests gathered at the Digital October technocentre on the first day of Positive Hack Days, the international forum on practical security organized by Positive Technologies. The place was bursting at the seams: hackers, government and business representatives, information security experts, scientists, and students socialized, attended reports, studied and taught. As Sergey Gordeychik, the author of the forum scenario and its director, noted in his speech, the Russian IT industry is now greatly divided. In spite of ultramodern government IT projects, there are still problems such as a lack of experts, “brain drain”, a high level of corruption, and, to crown it all, the absence of a unified development strategy. That is why we organize the PHDays forum, whose main aim is to bring “jackets” and “T-shirts” together and help them consolidate their efforts in making information handling more secure.

Embrace the unembraceable

On Day One of PHDays, the forum guests could enjoy speakers' reports not only in the lecture halls, but also on live video streaming displays. They also competed in cracking different information systems and actively participated in hands-on labs. Hacking an authentic Soviet coin-operated telephone, intersecting a cash terminal, searching for bonus flags in the garbage container, hunting down a moving WiFi access point: these are just a few of the forum events.

Bad guys break the law, and so do the good ones

It is worth mentioning the keynote by Bruce Schneier, the world-renowned legend of cryptography. Mr. Schneier shared his ideas about society's need for law-breaking individuals and the importance of sporadic rule-breaking. The famous speaker spoke up for the hackers, who, at the end of the day, promote progress and social change.

Anonymous revolutionary

Heythem El Mir, an IS expert from Tunisia, told the forum guests about the struggle of the Tunisian National Agency for Computer Security against the Anonymous hacker group.
For the most part, Anonymous consists of ordinary computer users in possession of easy-to-use utilities developed by a few hackers. This story clearly shows that these days even a layman can crack information systems. Moreover, today's cyber threats are not limited to spam or fraud, but can even endanger many lives. This was what Mr. Amin, the Chairman of the International Multilateral Partnership Against Cyber Threats (IMPACT), mentioned at the press conference. That is why IMPACT considers its main task to be coordinating international efforts against malicious actions and preventing the proliferation of cyber weapons. According to Mr. Amin, white hats will play a significant role in the process.

CTF

Twelve hacking teams from 10 countries competed in breaking and protecting information systems all through the day and night. The finalists of the first day of the forum are Leet More (St. Petersburg), 0daysober (Switzerland), and Int3pids (Spain).

PHDays Everywhere

Dozens of hackspaces uniting the best hackers from all over the world, from Tokyo to Krasnodar and from India to Tunisia, joined the PHDays forum, making it a truly global event. The Hacked in 137 Seconds competition was organized specially for the hackspace members supporting our PHDays Everywhere initiative. The task was to hack a Cisco network device, and it was the DCUA team (Ukraine) who got the first prize. The second place was taken by the Indian team XBios.

Day Two

On May 31 we will have lots of hands-on labs, demonstrations of 0day vulnerabilities, reports (among them a keynote from Datuk Mohd Noor AMIN), and the competition finals with the awarding of winners; Hack2own prizes are about 700,000 rubles, and CTF prizes about 300,000 rubles.

5/27/2012

Battle for Invitation Cards is Over

Less than a week is left until the information security forum Positive Hack Days 2012, and until today everybody who wanted to visit the event had a chance to win an invitation card in the Blow Up the Town and Hackers vs. Forensics contests. Ten invitation cards were up for grabs in each competition (1st place: 5 tickets, 2nd place: 3 tickets, 3rd place: 2). Blow Up the Town took place from May 7 to 25. Participants had to solve various tasks and obtain special keys (flags); these keys were to be submitted to the jury via a form on the participants' personal pages. If the flag was valid, the participant gained the corresponding number of points. The participants could both warm up their brains before PHDays 2012 and see some of the most attractive places in Moscow by means of an interactive map.

5/18/2012

Rules of the Hack2Own Competition at PHDays 2012

In 2011 the Hack2Own winners were Nikita Tarakanov and Alexander Bazhanyuk, representatives of the CISSRT team, who demonstrated a 0day vulnerability (CVE-2011-0222) in the latest version of the Safari web browser for Windows and took the first prize, namely a laptop and 50,000 rubles. This year the budget of the competition has been significantly increased, up to $20,000. The winners will have enough money to fill the new cases with :) This competition is divided into three categories: exploitation of web browser vulnerabilities, exploitation of kernel vulnerabilities, and exploitation of vulnerabilities in mobile devices. Detailed rules of participation are under the cut. Attention! A laptop is required to participate in the competition. Why do we need it? We just want to make this world more secure. We strive to promote the idea of responsible disclosure of vulnerabilities. That is why the competition has an important condition: a participant who detects a vulnerability should inform the software vendor within 6 months of its detection. Details on the Hack2own competition are available here.

5/10/2012

Our contribution to the cyber security of Japan

NHK (Japan Broadcasting Corporation), one of the largest TV companies in the world, has published a detailed article about the Positive Hack Days forum opening on May 30, 2012. The author of the article points out the lack of information security specialists in Japan and the need for ethical hackers there. Participation of local students in contests such as the PHDays 2012 Capture the Flag is named as a way out of the Japanese cyber security crisis. It is worth noting that a team from the Land of the Rising Sun named Tachikoma is participating in the CTF. It is made up of students from Japanese universities: University of Tokyo, Tokyo Denki University, Tokyo University of Technology and University of Aizu. The team was created in 2012. The first appearance of this newbie team will be at the offline CTF at PHDays 2012. It became known earlier that PHDays CTF is on the list of the most popular and respected CTFs in the world. Its winners are automatically included in the Defcon CTF final. P.S. By the way, participation in the Blow Up the Town competition until May 25th still provides an opportunity to gain a ticket to PHDays.

4/26/2012

PHDays Young School Finalists Decided

Tired of waiting for new Brins and Kasperskys in Russia? Frankly speaking, we are. To find out the state of academic IT security science in Russia, we "put out a bulletin" for young scientists doing research in this field. The competition started a couple of months before PHDays. This week, the finalists have been decided. The program committee of the competition, composed of representatives of leading IT companies (Microsoft, Yandex, etc.), educational and scientific institutions (MSU, MEPI, SPIIRAS) and core publications (Hacker Magazine), considered 19 applications and selected the 7 most interesting reports. The finals of PHDays Young School will host youngsters from educational institutions of Moscow, Krasnoyarsk, Novosibirsk, Saint Petersburg and Taganrog, who will compete for the main prize on May 31.

The primary goal of the competition is to give young scientists a chance to make themselves known. The finalists will personally present the results of their research before a mainstream audience of experts, leading Russian and international specialists in information security. We sincerely hope that for the young scientists, their presentations at PHDays Young School will be a major step towards success and that this experience will help them in their future scientific work.

The competition took place thanks to Andrey Petukhov's determination and enthusiasm. He shouldered the difficult task of organizing PHDays Young School. Special thanks go to the committee members, namely: Dmitry Kuznetsov (Positive Technologies); Denis Gamayunov (CMC MSU); Alexander Dmitriyenko (Technische Universität Darmstadt); Vladimir Ivanov (Yandex); Alexey Kachalin (Advanced Monitoring); Nikita Kislitsin (Hacker Magazine); Igor Kotenko (SPIIRAS); Pavel Laskov (Eberhard Karls University, Tübingen); Alexander Polyakov (Digital Security, ERPScan); Aleksey Sintsov (Digital Security, Defcon Russia Group); Beshkov Andrey (Microsoft).
So, we are waiting for you at PHDays 2012 on May 31, when the finals of PHDays Young School will take place. Don't miss the chance to see the future being born!

4/25/2012

Registration for PHDays starts May 14, at midday

Please note: the number of places is limited. Set your reminders for May's second Tuesday, 12:00 am. The faster you register, the higher your chances of being among the invitees. PHDays will give you an opportunity to hack anything you see, chat with Bruce Schneier, and wash down failures with free tequila. The registration procedure will be published soon. Stay tuned! P.S. A note for late-risers: don't oversleep ;)

4/25/2012

The Author of John the Ripper Will Speak at PHDays 2012

In 1996, Alexander Peslyak (aka Solar Designer) created a program called John the Ripper. This cross-platform utility, designed to analyze password strength, has become one of the ten most popular programs in the field of information security, and the program's site has been visited by 15 million people. Alexander is also the founder of the Openwall project and a leading developer of Openwall GNU/Linux (Owl), a highly secured operating system. Alexander Peslyak is considered the greatest brute-force specialist ever since Ali Baba and Abu Yusuf al-Kindi. In 2007, projects such as phpBB 3, WordPress, and Drupal adopted the password security improvements he had developed. In 2009, Alexander received the Lifetime Achievement Award at Black Hat, a highly recognized conference on information security. At PHDays 2012, the master of brute force will present his report titled Password security: past, present, future. In his presentation, he will discuss issues of password protection and speak about the history and near-term prospects of authentication technology.

4/12/2012

New Reports at PHDays 2012

New speakers who have recently joined PHDays 2012 will speak about SAP hacking, vulnerabilities in smart cards and Ukrainian style cyber security, and will answer some very interesting questions. For example, how many stadiums can be built for the money stolen from Russian remote banking systems? Or what are the real motives behind the cruel war banks have started to wage against hackers?

Peculiarities of Fights Against Russian Fraud

An interesting fact: on January 1, 2013, the law on the national payment system comes into effect. In case of an unauthorized money deduction from a client's account, the bank will have to return the money to the account. In other words, so far money has been stolen from clients; but starting from next January, the victims of such crimes will be banks. This is quite a reason for the banking community to start a crusade against cybercriminals 'specialized' in remote banking systems. How to make 2013 and the following years unhappy for such hackers? Evgeny Tsarev will give the answer in his report Systems of Russian style Fraud Resistance. The speaker will describe the peculiarities of Russian fraud in the banking field, outline various fraud schemes, point out the reasons for the low efficiency of the Western approach and demonstrate how a complex security system should be built.

DNS Exfiltration Using SQLmap

In military usage, exfiltration is a tactic of withdrawing from territory that is under the enemy's control. In such operations, proper camouflage is far more significant than speed. Likewise, hackers who have obtained access to a system are in no rush to copy the data. Firstly, the risk of being discovered is high. Secondly, the right information may show up later. So, the hacker's program sends the data in small portions through hidden channels that are often not designed for data transfer.
In his report DNS Exfiltration Using SQLmap, Miroslav Stampar, a developer from Croatia, will present a DNS exfiltration technique performed by means of SQL injection, discuss its pros and cons and support it with visual presentations.

Methods of Penetration Through Internet Explorer

In the report Attack Against Microsoft Networks Web Clients, Vladimir Vorontsov introduces methods for conducting attacks against Internet Explorer users that operate within Microsoft Networks. The main goal of the attacks in question is to obtain confidential user data located both on remote servers (bypassing access restrictions) and on local PCs.

Investigating Information Security Incidents Within Automated System of Technological Process Management (SCADA Forensics)

Hackers' growing interest in technological infrastructures and automated systems of technological process management (SCADA) is becoming something of a trend. According to experts' estimates, leading Russian industrial companies lose up to 10% of their revenue because of internal fraud, theft, violation of technological processes, and configuration flaws in measuring equipment. The specific nature of SCADA requires developing an essentially new technical discipline: computer forensics in the field of industrial automated systems. Andrey Komarov's report also covers incident prevention mechanisms used in the field and considers the possibilities of Business Assurance Systems (BAS) for preventing economic fraud in the SCADA sector (alteration of such data as fuel-dispensing station readings, data of trading and accounting systems, readings of container indicators, data of fuel and discount card processing). The report will be supported with a demonstration of incidents of practical significance that occurred in the TOP 10 largest industrial companies in various countries. Andrey Komarov is the head of the audit and consulting department of the Group-IB company.
At present, he is involved in work on the Penetration Testing Execution Standard (PTES) as a representative of Russia.

Smart Card Vulnerabilities: How Much Are We Talking About?

For some years we have been observing a boost in the number of threats to Russian remote banking systems (Shiz, Carberp, Hodprot, RDPdoor, Sheldor). Hackers have been managing to steal dozens of millions of dollars every month (the annual amount is quite enough to build at least a stadium for Spartak and TSSK football clubs, one for each). Working on the report Smartcard Vulnerabilities Exploited by Modern Banking Malware, Aleksander Matrosov and Evgeny Rodionov have examined the most widely used banking malware and revealed quite interesting vulnerabilities in two-factor authentication and smart cards. The report will also consider tricks and shams that hackers use to impede forensic investigation. Aleksander Matrosov is a director of the Center for Virus Research and Analytics at ESET. Evgeny Rodionov is in charge of complex threat analysis at ESET.

New and Popular Ways of SAP Hacking

In the last couple of years, SAP security has been the focus of ever-growing attention. The public information space has been saturated with various topics, from attacks against SAProuter and SAP web applications to low-severity vulnerabilities in the SAP core and ABAP code. So far, SAP has released more than 2000 notifications on vulnerability fixes in its products, but it is only the beginning. Which vulnerabilities are still there in SAP systems, apart from the same old XSS, SQL injections and buffer overflows? In the report SAP Insecurity: the New and the Best, Aleksandr Polyakov will focus on a dozen of the most interesting vulnerabilities and vectors of attack against SAP systems: from encryption flaws to authentication bypass, and from amusing errors to complicated attack vectors. A great many of the vulnerabilities described in the report will be new to the public.
Aleksandr Polyakov is the technical director of Digital Security, and one of the world's most prominent experts in SAP security.

With PHP, Haste Makes Waste

Some third-party PHP implementations cut script execution time by a factor of 5. But are they capable of ensuring steady and secure operation of web applications? Sergey Scherbel, an expert at Positive Technologies, will present his report Not All PHPs Are Equally Useful to introduce the security problems revealed and the exploitation peculiarities of web applications that use third-party PHP implementations, and to give some examples of 0-day vulnerabilities. Sergey specializes in application security, penetration testing, and web application and source code analysis. He is on the team of PHDays CTF developers.

About a Secure Use of PHP Wrappers

The PHP topic will be further developed by Aleksey Moskvin, another Positive Technologies security expert. His report About a Secure Use of PHP Wrappers focuses on vulnerabilities related to PHP wrappers. Such vulnerabilities have been discussed for quite a while. OWASP TOP 10 and WASC TCv2 provide links to them. However, a number of peculiar features of some wrappers and filters may cause vulnerabilities (including critical ones) even in applications developed according to security requirements. The report covers algorithms that allow transferring data to an application while bypassing its logic. This approach can be used for bypassing Web Application Firewalls built into security filter applications, as well as for conducting attacks aimed at obtaining access to the file system and executing arbitrary code. The speaker will introduce some of the 0-day vulnerabilities detected by means of the method described in the work. Aleksey is a specialist in static and dynamic security analysis of application source code. He is on the team of PHDays CTF developers.

Instrumentation Methods of Complex Code Analysis

Time goes by, development technologies get more sophisticated, and code gets more complex (virtual functions, JIT code, etc.). Such code is extremely hard to analyze. To make researchers' lives easier, various code instrumentation methods are now available. PIN libraries, Valgrind, DynamoRIO, DynInst, etc. are new indispensable constituents of a security researcher's arsenal. Current methods of instrumentation (of source code, byte-code, and binary code) will be described by Dmitry Evdokimov in his report Light and Dark Sides of Code Instrumentation. Dmitry Evdokimov is a columnist at the Hacker magazine, Russia, where he writes a column titled Security-soft. He is also an expert in SAP security in terms of its internal arrangement (SAP Kernel and SAP Basis) and ABAP code.

Cybersecurity in The Ukrainian Style

Konstantin Korsun, a former officer of the Anti-Cybercrime Unit of the Security Service of Ukraine and currently the director of iSIGHT Partners Ukraine LLC, will tell the listeners about the emergence of a community of information security officers in Ukraine. The community started out as loud night-outs of Ukrainian IT security specialists in Kiev bars and made its way up to an officially registered (in 2012) public organization called Ukrainian Information Security Group. Currently, Konstantin Korsun is the president of UISG. At PHDays, he will present a report titled UISG, a Community of Information Security Experts of Ukraine. Achievements and Prospects.

Stay tuned!

3/26/2012

"The Georgian" botnet by Canadian Pierre-Marc Bureau. A new master-class for PHDays.

News has recently spread around the world of the "Georgian" botnet, based on Win32/Georbot, which steals secret documents and also captures audio and video via web cameras. It will be possible to learn how Win32/Georbot works, and how to control or neutralize it, at our forum Positive Hack Days on 30 and 31 May. Pierre-Marc Bureau, the leading engineer of the ESET virus laboratory and an expert on cyberwar and cyberespionage, will hold the world's first "georbot master-class".

How does it take screenshots and record sound?

Pierre will show the audience the numerous capabilities of Win32/Georbot. You will see in real time how this malware, managed by the Canadian specialist, performs the following tricks: stealing documents; taking screenshots via Web-camera installed on the "victim" computer; making an audio recording on the built-in microphone; scanning the network; causing denial of service.

Methods of obfuscation

Like a real resident, the malware is not looking for fame and tends to remain in the shadows. Unique and deliberately complicated code also makes it imperceptible to antivirus software. Participants in the master class will learn how the obfuscation (entanglement) of the Win32/Georbot code is implemented and will be able to clarify the following points: control flow obfuscation; sequence obfuscation; API call obfuscation by hash function.

How to control the "georbot"

Participants will see how this "combat worm" communicates with its command and control server using HTTP. Pierre will also show how to create an alternative command and control server in the laboratory, and how to give commands to the program and get its feedback.

What is required for the master class

Do not forget to bring a laptop running Windows XP, installed on a virtual machine.
Active participants in the master class need to install the following applications (which can be downloaded free of charge): Python; IDA Free; Immunity Debugger (or Olly, if you prefer); Wireshark. Required skills for a smooth immersion in the subject: understanding of assembly principles; understanding of the structure of Windows; understanding of the Python programming language.

Briefly about Win32/Georbot

According to Pierre-Marc Bureau, the Win32/Georbot family of malicious applications appeared about a year and a half ago. The virus has many variations, is not intended for "carpet bombing", is used to steal confidential information and is difficult to identify.