News
Technical talks at PHDays: from OSINT methods to information security in video games
Only a week left before Positive Hack Days 10: The Origin. We continue to introduce you to our speakers and the most awaited technical talks from different conference tracks.

Practical OSINT methods in digital world
Andrei Masalovich, CEO at Avalanche, will discuss OSINT methods that allow effective extraction of private and even classified information without hacking. The talk covers methods for finding open partitions in cloud storages, scanning unsecured databases based on PostgreSQL, MongoDB, and Elasticsearch, retrieving classified data via global logistics bases, collecting data via closed profiles in social networks, and deanonymizing messenger users. Real-life examples will be provided.

Social engineering in 2021
Information security specialist Dmitry Andreev will discuss fundamental principles of social engineering, its various scenarios, and share his experience of preventing social engineering attacks in a corporate environment.

Prioritizing CVEs with Vulristics open-source extensible framework
Vulristics (vulnerability and heuristics) is an open-source extensible framework for analyzing generally available information on public CVE vulnerabilities. Independent security researcher Alexander Leonov will give an in-depth talk about using Vulristics to prioritize vulnerabilities. He will also talk about why it is important to know how to prioritize known vulnerabilities and which extra sources of data can be used for this purpose.

Microsoft Active Directory: privilege escalation techniques
Egor Bogomolov, Application Security Expert at Singleton Security, defined all privilege escalation techniques possible in Microsoft Active Directory with initial local network configuration. The speaker will also talk about vulnerabilities in out-of-the-box AD networks and explain how administrators of local AD networks can protect against them.
Development and validation of ML pipelines
Artyom Kravtsov, Computer Vision Research Engineer at SberDevices, will talk about the experience of developing and testing an ML system and a mobile SDK to determine the authenticity of a biometric sample using a photograph. He will speak about the architecture of the developed solution and demonstrate an example of passing biometric verification by a real user. He will discuss in detail the ML component of the system, the process of development and research, as well as internal and external validation of the system.

BadUSB attacks
Innostage Head of Security Analysis Alexander Borisov will discuss several scenarios of BadUSB attacks (an interesting and rather effective class of attacks) and the main methods of preventing them.

Secure development
In addition to traditional PHDays tracks centered around defense, offense (hacks), and the impact of information security on business, this year the forum will include a new secure development track.

Information security in video games
Application security leader at Sberbank Artyom Bachevsky will discuss typical vectors of attacks in video games and ways of protecting against them. Real-life examples will be given.

Unsafe deserialization
Mikhail Shcherbakov (PhD in Theoretical Computer Science, KTH Royal Institute of Technology in Stockholm) will give real examples of vulnerabilities and shortcomings that underpin the problem of unsafe deserialization. He will address the issue of building a threat model and describe various approaches and tools for finding and exploiting new vulnerabilities. The talk will focus on techniques of static code analysis and their current limitations.

Formal verification of operating system kernels
Denis Efremov, Developer at ISP RAN, will share his experience of participating in projects on formal verification and analysis of access control modules for Astra Linux SE and Elbrus kernels, as well as verification of the Contiki code (OS for IoT) within the European VESSEDIA program. The speaker will also disclose details of the development of formal access control models (Rodin/Event-B) and code specifications (Frama-C/ACSL), the use of static and dynamic analyzers, and the inclusion of formal analysis in the continuous integration cycle.

Technical talks will also be given by: Sergey Volokitin (Senior Security Analyst, Riscure), Sergey Golovanov (Lead Researcher, Kaspersky), Maxim Goryachy (independent security researcher), and Vladimir Kochetkov (Head of Application Security Analysis Research, Positive Technologies).

See you at PHDays!
The Standoff Kids at PHDays 10: let the children decide
The Standoff Kids will take place at the Positive Hack Days practical cybersecurity forum at the World Trade Center Moscow on May 19, 2021, under the auspices of the Government of Moscow. The event is intended for children aged 10 to 16. This is the second time that PHDays will introduce young guests to the basics of cyberliteracy and information security, with talks and discussions about the study and career prospects for the future guardians of cyberspace.

«The development of information technologies and the growing demand for online services require a fundamentally new level of protection for urban information systems. Ensuring cybersecurity across the city and training specialists in this area is one of the priority tasks of the Moscow Department of Information Technologies [DIT], and we believe that the basics of this profession need to be taught from childhood. With that in mind, we conduct regular educational webinars on digital literacy and cybersecurity basics for children and their parents. But information is always better absorbed in a fun and playful way. As such the kids’ track at Positive Hack Days will help them acquire even more useful skills and knowledge,» said Eduard Lysenko, Minister of the Government of Moscow and Head of the DIT.

Wannabe infosec pros will have the chance to take part in an interactive quest and help the inhabitants of a futuristic city repel the attacks of a host of cunning cyber-predators. To make it interesting for everyone, players will be divided into teams by age and experience. The smart city of the future is represented by a mock-up of a metropolis with gaming stations and educational installations. Participants will face IT-related tasks, including data search and protection. Models of an airport, amusement park, seaport, and other infrastructure have been built on site. Each team will be given a guide and a navigator tablet with a unique problem-solving scenario for each specific object.
Besides the gaming segments, there will be a series of short, but fact-filled lectures on information security: kids will learn to spot modern cyberthreats and attacks, be introduced to steganography and encryption, and pick up the rules of netiquette. «Digital literacy plays a vital role in children’s upbringing and education. The rapid uptake of new technologies without sufficient life experience often causes problems,» comments Boris Simis, Deputy CEO for Business Development, Positive Technologies. «The tasks in our virtual city teach children how to protect data and prevent attacks. Our special focus is on gamification, because this is the best way to captivate young minds. And the skills and knowledge gained can be immediately applied in practice.» The forum and kids’ track organizers are sure that introducing cybersecurity in a gaming format will not only entertain and educate the young participants, but awaken their interest in information security as a profession.
Payment Village: the ins and outs of banking system security at PHDays 10
This year, Positive Hack Days will again be holding several events based on the Payment Village. It will be more than just a competition. Participants will first get an overview of the theory, and then they’ll apply what they learn to try to hack ATMs, cash registers, and POS terminals.

We use bank cards, POS terminals, and ATMs every day, but we know little about their structure or the different security aspects of the payment process. The primary aim of the Payment Village platform is to change this situation and make knowledge about the payment industry more readily accessible to enthusiasts, such as users, analysts, and bounty hunters.

Payment Village will bring together people who are interested in the vulnerabilities in banking and payment systems, and who enjoy tinkering around in the inner workings of ATMs, self-checkout, and POS terminals. You’ll learn about how intruders crack these systems and how the payment industry is protecting them. We will also be holding contests to find and reward the most curious conference participants. Payment Village is sponsored by iSimpleLab, Azbuka Vkusa, and ARinteg.

The topics of this year's talks are:
- Physical and logical security of POS terminals
- Vulnerabilities in retail and payment processes
- Logical vulnerabilities in RBS systems

«The iSimpleBank 2.0 RBS platform is used to build digital channels by leading Russian businesses, so it goes without saying that our customers retain security of the utmost importance when working with our platform. iSimpleLab has recently completed several initiatives related to procedural and administration security. We performed an analysis of vulnerabilities for our iSimpleBank 2.0 RBS platform based on the requirements for an evaluation assurance level of at least EAL 4 under GOST R ISO/IEK 15408-3-2013, and we did a real-world field trial of products at events with Positive Technologies.
This challenge is interesting for us because it offers a real-life scenario for checking and confirming the readiness of the iSimpleBank 2.0 platform to combat actual cyberthreats,» said Aleksey Kolesnikov, sales director at iSimpleLab.

This year’s challenges include:
- Hack an RBS system
- Hack POS terminals
- Hack ATM security systems
- Hack payment equipment

«It so happens that payment equipment was long hard to access for research into both online and offline vulnerabilities,» said Dmitriy Kuzevanov, head of the Information Security Department of Azbuka Vkusa retail chain. «But recently, the situation has changed drastically. Cash registers are increasingly becoming integrated with numerous external and internal services, including loyalty programs, ERP, and the federal tax service. In addition, cash registers are acquiring peripheral equipment, including NFC, card readers, and UPC- and QR-code readers, which connect through Bluetooth or Wi-Fi. All of this opens up many attack vectors for points of sale. In the Payment Village, attendees will be able to materialize them and learn more about the risks and consequences.»

If you can’t join us at the event venue, we’ve prepared a little surprise for you: an ATM protection simulation you can access online to check vulnerabilities. We’ll share more information about this during the conference.

We’re giving away tickets to the conference and Payment Village to a couple of lucky Hacker readers and enthusiasts of bank card technologies. To enter to win, just answer the questions in our survey. The two people who submit the most interesting responses will receive their tickets one week before the conference.

If you’d like to give a talk on vulnerabilities in payment, banking, and retail systems at the Payment Village, email us at phd10@ptsecurity.com.
PHDays: till we meet online
Dear Friends,

Recently we have been snowed under with new applications, the organizers' inboxes have been overflowing with proposals, and their phones have been ringing off the hook. We have already accomplished the near impossible by fast-tracking the relocation of PHDays to the World Trade Center in Moscow, and greatly expanding the opportunities for live participation in the forum events. There are still three weeks left, but tickets have already sold out, registration is closed, and the offline platform is fully booked.

If you wish to take part but did not manage to purchase a ticket, we invite you to join us online. This year we have put a huge amount of effort into the online format to deliver an experience unrivaled in terms of scale and quality. Viewers will be taken inside the event through dozens of camera angles, creating a total immersion effect that is not inferior to TV format. Come and join us: presentations, hands-on labs, contests, and lots more interesting events await! Get connected:
Talks at PHDays: Linux Kernel implants, HTTP request smuggling, and malware detection
There is less and less time before the international information security forum Positive Hack Days 10, which will be held from 20 to 21 May. The Standoff cyber-range is almost ready, red and blue teams are sending their requests, and we are currently designing the conference program. This time PHDays will run three large conference tracks: defensive and offensive tracks, as well as a business track that will discuss the influence of security on business. Today, we present the first talks.

Linux kernel implants
Information security expert Ilya Matveychikov will talk about methods of creating a Linux kernel implant. During a 45-minute talk, Ilya will describe how it is possible to carry out a multipurpose kernel-implanting attack. The expert will also demonstrate real examples of implants in different versions of x86 kernels.

HTTP request smuggling
Emil Lerner will talk about HTTP request smuggling, a technique that is widely used to attack reverse proxies. In recent years, information security researchers have made a number of discoveries. In particular, they have discovered new methods for detecting vulnerabilities and developed new methods of HTTP desync state exploitation. During his talk, Emil will demonstrate the capabilities that the technique gained with the arrival of HTTP/2 on frontends and HTTP/2-to-HTTP/1.1 conversion. Listeners will learn how to detect reverse proxies vulnerable to the attack and what methods of automating such detection exist. The expert will also talk about possible attack vectors and the possible consequences of a successful attack.

Linux kernel fuzzing
Independent security researcher Andrey Konovalov will talk about Linux kernel fuzzing. Fuzzing is a way to find bugs automatically by feeding randomly generated data to a program. Andrey will explain how to use fuzzing to detect errors in the Linux kernel and which kernel interfaces can be fuzzed.
He will briefly describe ready-to-use fuzzers, such as Trinity and syzkaller, but will mainly focus on writing code for a fuzzer, generating inputs, and collecting code coverage.

Exploitation of vulnerability CVE-2021-26708 in Linux kernel
In January 2021, Linux kernel developer and security researcher at Positive Technologies Alexander Popov discovered and fixed five vulnerabilities in the Linux kernel virtual socket implementation. These vulnerabilities were assigned the identifier CVE-2021-26708. In his report «4 bytes of power,» Alexander will talk in detail about exploitation of one of them for local privilege escalation on Fedora 33 Server for x86_64. The researcher will demonstrate how to gain control of the entire operating system with the help of a small memory access error, while bypassing the platform’s security tools.

Formal verification of operating system kernels
Oracle’s Principal Developer Denis Efremov will share his experience of participating in projects on formal verification and analysis of access control modules for Astra Linux SE and Elbrus kernels, as well as verification of the Contiki code (Operating system for IoT) within the European VESSEDIA program. The speaker will disclose details about the development of formal access control models (Rodin/Event-B) and code specifications (Frama-C/ACSL), the use of static and dynamic analyzers, and the inclusion of formal analysis into continuous verification. Other types of work that help meet the certification requirements will also be considered.

That's all for today, follow the news on our website.
"Positive Hack Days: The Origin" relocates to the World Trade Center (Moscow) to accommodate even more attendees
Interest in the PHDays practical cybersecurity forum and The Standoff cyberbattle has grown exponentially in the past week. We have received emails, phone calls, and comments of support from all over the world. Therefore, we decided to expand PHDays by moving the offline forum to the spacious World Trade Center in Moscow. This will make it possible to invite several times as many guests to the 10th anniversary Positive Hack Days forum. We are determined to see our infosec community colleagues, partners, customers and friends face to face. The original pared-down format would not have allowed this. That is why we are now giving everyone the opportunity to ask us questions live and discuss industry issues and challenges together. At the same time, the large-scale online broadcast of The Standoff on May 18–21 and PHDays on May 20–21, with real-time translation into English, will go ahead as planned. The broadcast will take the viewer inside the main forum halls and behind the scenes from different angles via dozens of cameras, creating a full immersion experience thanks to TV-style production. "Initially, in light of the pandemic and sanitary restrictions, we chose a not very large offline platform and radically expanded the online format, in terms of both scale and quality. Now we understand that this year we cannot restrict ourselves to such a modest offline event, so we are expanding the platform, leaving the large-scale online broadcast unchanged," noted Vladimir Zapolyansky, Chief Marketing Officer, Positive Technologies. PHDays will feature talks by top developers, government officials, CIOs and CISOs of major Russian and international companies, and leading experts from the banking, telecommunications, oil-and-gas, IT, and other industries. On the program agenda are dozens of presentations, master classes, hands-on labs, round tables, lectures, and competitions. 
The world's largest open cyber-range, The Standoff, will allow you to witness a real cyberbattle between white-hat attackers and defenders for control of a digital city. You will be given a graphic demonstration of the potential consequences of a cyberattack on the infrastructure of a modern metropolis with its factories, banks, transport system, entertainment venues, and business centers. This will provide a timely insight into how deeply technology affects our lives, how to prevent dangerous incidents from occurring in reality, and how to make our lives more comfortable and secure. Step inside, "The Origin" awaits! On a separate note, because the health and safety of our guests is paramount, the forum will be held in compliance with all sanitary and epidemiological standards. You can register for both days of the forum on the event website. Offline visitors of the forum in Moscow will be able to listen to presentations, personally communicate with speakers, and test out their skills in the traditional competition program. A ticket to the conference also gives access to The Standoff cyber-range. For more information about the event program, see our news.
Open letter to the research community
Dear all, In light of recent events, we have received many words of encouragement in comments on social media, through direct messages, and over the phone. We truly appreciate your support. It means a lot to us. Over the years, we have detected and helped fix a huge number of vulnerabilities in applications and hardware from almost all renowned vendors, such as Cisco, Citrix, Intel, Microsoft, Siemens, and VMware. All this would be impossible without close collaboration with the best infosec researchers, or without vendors’ proactive approach and willingness to cooperate with research centers like ours in fixing all detected vulnerabilities. In line with the responsible disclosure policy, we only announce new vulnerabilities by agreement with vendors, and only after the vendor itself confirms it has fixed the bug and delivered the patch to customers. We believe this approach makes our world better and more secure. To unite our community, we started Positive Hack Days (PHDays), the biggest international security forum in Russia. Cybersecurity specialists and business leaders now have an opportunity to connect with white hats and cybersecurity geeks who know firsthand what a true pentest is and are willing to share their experience. To gain more practical knowledge on how cybercriminals operate in actual life, every year for more than a decade now, we have held The Standoff, an attackers-vs-defenders cyberbattle set in a real-world environment. Only this way, under hyper-realistic conditions, is it possible to learn how infrastructure components can be attacked and how to protect them. The Standoff and PHDays threw their doors open to capture-the-flag (CTF) teams from many countries, including Russia, the U.S., Kazakhstan, India, Japan, and the UAE. Even the world’s top CTF teams, such as PPP, Carnegie Mellon University’s competitive hacking team, have sharpened their skills in cyberexercises at The Standoff cyber-range. 
Following our principle of open knowledge for the community, we made the event available to everyone. All-comers could watch videos of interesting talks, try their hand at detecting vulnerabilities or warding off a cyberattack, as well as freely monitor the cyberbattle traffic and take this expertise away with them so as to better protect their companies, develop efficient antihacker products, and create securer solutions and components. Openness of information and knowledge, responsible disclosure, and a hands-on approach to cybersecurity are our key values. As such, we cannot but promise hot new infosec research, continued wide support for the community, and a host of new interesting conferences. Thank you very much for your support, and see you all at PHDays 10! Please also go check out our collection of best infosec findings in the past three years, and share it with your colleagues. Denis Baranov, Managing Director, Head of Research Department at Positive Technologies
PHDays 10 contests: hacking ATMs, security systems, and smart contracts; machine learning capabilities and vulnerabilities
As the pandemic recedes, the PHDays forum returns in May in near pre-Covid format: with interesting talks, The Standoff cyberbattle, and, of course, traditional competitions. Anyone can take part in the open contests: all you need is a laptop, curiosity, and enthusiasm. For security reasons, we suggest taking part in all events online.

There will be an opportunity to practice attacks on banking systems in the Payment Village, where our experts will explain various payment devices and their vulnerabilities. In the special demo zone, guests will be guided through attack scenarios on ATMs and POS terminals. The Payment Village is supported by iSimpleLab, Azbuka Vkusa, and ARinteg.

Blockchain Track will bring together enthusiasts of blockchain security and decentralized finance (DeFi) to talk about how cryptocurrency exchanges get hacked, analyze the subtle vulnerabilities in smart contracts, and share their opinions on security methods. Also up for discussion will be issues of scaling blockchain networks and development prospects for L2 solutions. As a smart contract hacker, you can test your skills in the DeFi Hack online competition (requires a local Ethereum client or browser extension (MetaMask)).

The rapid development of artificial intelligence (AI) technologies and their implementation in information security are bringing new opportunities as well as new threats. In the AI Track section, you can listen to reports on the topic of AI in security. We have invited experts to share their experience of applying machine learning (ML) for security, and researchers to talk about the risks of AI-driven solutions. Meanwhile, the AI CTF competition will introduce infosec specialists to various ML techniques in capture-the-flag gaming and demonstrate the vulnerabilities in services that provide it. The tasks of varying complexity will be of interest not only to experienced CTF players, but also to beginners who want to get a handle on the topic.
The Network Village will provide a platform for expert presentations on the topic of network security. At the stand, fans of security system robustness testing will be able to take part in the IDS Bypass contest. Participants will try to hack five vulnerable nodes and capture all the flags. The task is complicated by the intrusion detection system (IDS), which monitors traffic and blocks attempts to attack the network. The vulnerable services are selected so as to force competitors to focus on bypassing the IDS. The number of participants in the contests is limited. To register your participation, please fill out the form. Stay tuned for more details about the contests in the near future. Follow our news and train your brain before battle commences! This year, PHDays is co-organized by Innostage, which specializes in multidiscipline IT solutions. The forum's business partners are Rostelecom-Solar, a Russian provider of infosec services and technologies, and MONT, which distributes software for any business. PHDays technological partners are Russian supermarket chain Azbuka Vkusa, e-payment service RBC.money, and remote banking software developer iSimpleLab. Represented at the PHDays exhibition will be Axoft, Crosstech Technologies, ICL, OCS Distribution, R-Vision, Security Vision, and Infosystems Jet. The competition program partner is ARinteg.
Ticket sales for Positive Hack Days 10 open
On May 20–21, Moscow will host the tenth anniversary Positive Hack Days forum. Every year, this event attracts thousands of visitors; for example, last year's PHDays housed more than 8,000 people. This year, the forum organizers have decided to hold the event in a hybrid format: some of you will be able to attend it in person, and some will be able to watch a live online broadcast. You can register and buy a ticket for the two days of the forum right now on the event's website.

"This year, we have set ourselves the task of organizing one event in two formats: first, there will be a good old offline get-together with a small number of participants: we are selling only a little more than a hundred tickets for PHDays. And for those who will be with us online, we have planned a large-scale broadcast, which will allow you to see the main halls and backstage of the forum, to feel the effect of total immersion," explains Victoria Alexeeva, Positive Hack Days Producer.

Ticket holders will be able to listen to presentations, personally communicate with the conference speakers who will come to Moscow, and try their hand in the traditional competition program. Also, a ticket for the conference gives you the opportunity to visit The Standoff, a cyberbattle which will take place during the Positive Hack Days at the event's venue at the Hyatt Regency Moscow Petrovsky Park Hotel. Read more about what is planned in the program in our previous news.

How else you can get to PHDays 10:
First, anyone who bought a ticket to the Positive Hack Days planned for 2020 and has not returned it can use it to attend the forum in 2021. Second, as always, one of the ways to participate is to make a presentation. Both recognized experts and novice specialists can present the results of their research. Call For Papers has already started, so make sure you submit your applications by March 28.
Positive Hack Days opens Call for Papers: become a speaker!
Sign up and submit your proposal at cfp.phdays.com by March 28. Make the cut to speak at Positive Hack Days, which celebrates its tenth anniversary this year!

The central theme of PHDays 10 is The Origin. Join us in envisioning the future of information security. Doing so means starting with the practical questions and issues of today. Topics this year will include:
- Vulnerability detection and exploitation
- Attack prevention and resilience
- Architectural issues with modern computing systems
- Incident detection and investigation
- Threat intelligence and threat hunting
- OSINT
- Cybercriminal investigations
- Real-world experience with building out IT security processes
- Secure development: serverless and cloud apps, microservice architectures, AI
- Formal application security models
- Security risk management for software developers
- Security of BIOS/UEFI and other firmware
- Evaluation of information risks for business
- Identification of pain points in business processes
- Methods for developing a security strategy

If your research focuses on other aspects of information security that you think will be of interest to the audience, we encourage you to apply.

How to present
You can share your findings in any of the following formats:
- Talk (50 minutes)
- Fast Track (15 minutes)
- Hands-on Lab (up to 4 hours)

Options include:
- Send a video of your talk. After evaluation, the review board will include the video in the forum stream.
- Speak live from anywhere. We will help to test your connection quality ahead of time.
- Give your talk at the forum venue in front of a small audience. Due to pandemic-related restrictions, the number of offline visitors will be smaller than in past years.

PHDays talks will be broadcast on The Standoff, the same platform we used for the conference and cyberbattle in 2020. The Standoff, as a brand, will be a full-fledged partner of the forum.

How to apply
If you're interested in speaking, apply at cfp.phdays.com.
- Name and country of residence of the speaker (speakers)
- Contact information (email address)
- Title and brief summary of the talk
- Biography

We encourage sending any abstract, presentation, additional materials, illustrations, or utilities that may help us to evaluate your work. If your research has already been published, specify the relevant conference, journal, or website. If you know about similar works by other researchers, list them and indicate how your approach is different. Please inform us if you can only share some slides but cannot provide the full research paper.

You may submit as many proposals as you want. Each proposal will be considered by an international review board of independent researchers and leading IT experts.

We look forward to seeing you at Positive Hack Days!