News

5/24/2021

A city's electricity and oil production are knocked out, and a container falls onto a barge — PHDays 10 has concluded

The reviews of the jubilee PHDays 10 are in, and attendees are calling it dazzling and invigorating, much like the weather in mid-May. Nothing was out of place on-site: jackets, T-shirts, and even the Russian minister of digital development were spotted. This was much more than just a gathering of over 2,500 information security specialists who had grown tired of being isolated during the pandemic. More than 20,000 people in different countries logged on to watch the forum and the action at The Standoff, the world's largest cyber-range. We talked candidly about important topics, brand-new technologies and approaches, geopolitical issues, business headaches, investor hopes, and troubles encountered by private users. We demonstrated how hackers are able to cripple a modern city, and we presented a methodology to protect against such damage that is nothing short of revolutionary.

5/21/2021

The first day of PHDays 10: who blew up the gas distribution station, who deleted information about fines, and how to protect against unacceptable damage

May 20 saw the beginning of Positive Hack Days 10, an international forum on practical security organized by Positive Technologies and Innostage. On the first day, dozens of talks, round tables, and hands-on labs were held at the WTC Moscow. There is news from The Standoff, the largest open cyberbattle: accidents have been added to the scams and leaks, and the city’s infrastructure has already been badly damaged by the attackers. However, threats such as a railroad accident have not yet been triggered. There is one day left. It will all end on May 21, but for now let’s summarize the interim results.

On Thursday, the True0xA3 team caused an explosion (in the cyber-range’s terms, the risk was triggered) at the Tube company’s gas distribution station, which serves several urban infrastructure facilities. As a result, the gas supply to the city was cut off.

The attackers continued to compromise the IT systems of Heavy Ship Logistics, the city’s largest transport company, which serves the airport, railroad, and seaport. The most popular activity was scamming the train ticket system (at the time of this writing, the teams SPbCTF, TSARKA, and True0xA3 were involved). A little earlier, Codeby caused a malfunction in the passenger registration system, and an hour later Invuls disrupted the passenger information system.

The Codeby team obtained access to a commercial proposal from Nuft, a large regional corporation involved in the extraction and processing of petroleum products. As a result, a major tender for the company was disrupted. The same team deleted information about citizens’ fines in the computer system of 25 Hours, which recently won a tender to modernize and manage the traffic light network. The citizens are happy, but the treasury is out half a billion. If the management of 25 Hours does not take measures to prevent similar incidents, the city officials may terminate cooperation with such an incompetent contractor.

The folks from True0xA3 once again became interested in the FairMarket retail chain. This time they changed the price tags in the ERP system. Codeby repeated the True0xA3 team’s efforts to coerce the store into illegal alcohol sales by breaking into the store’s ERP system and removing the special excisable product mark from hard liquor items. Several teams succeeded in leaking the personal data of employees and stealing strategic documents. By the 56th hour of the battle, True0xA3 was in the lead, with Codeby in second place and SPbCTF in third.

Many well-known cybersecurity experts spoke at the forum at the same time.

«PHDays: The Origin» — the beginning of a major common cause

In information security, the most important thing is practice, says Boris Simis, Deputy CEO of Business Development at Positive Technologies: «The manager of one of the partner companies, whose employees worked at the SOC for The Standoff in the fall, suggested increasing the specialists’ salaries, since they saw in seven days as many attacks as they might have observed in five to seven years. This allowed them to essentially ascend to another professional level,» Boris recalled during the round table «About PHDays, and why we hold it.»

Denis Korablev, Product Director at Positive Technologies, admitted that he had never imagined two writers writing books together. «However, the new task (the practical implementation of Information Security 2.0) taught us to combine the strengths of the development teams into a single whole and to stop thinking in terms of individual products and niches. The work was herculean, and someday we will write a book about it, which we must do together,» said Denis Korablev.

«All these years, many companies and people have been working on PHDays, investing their knowledge and their soul, and providing equipment and products,» said Boris Simis. «But this year, for the first time, we have a full-fledged co-organizer, Innostage, and we are extremely grateful to them for that. We also invite other companies to be co-organizers. We want PHDays to become a common cause.»

How Tinkoff started antifraud development

5/20/2021

Food stores and air ticket systems raided by hackers in Moscow—The Standoff cyber-range is in full steam

The Standoff cyber-range has reached the halfway point of the contest: two days out of four have passed. Digital twins of real retail stores, an airport, a railway, a seaport, a traffic light system, a power plant, a chemical plant, and an oil terminal are continually attacked by the competing teams. In parallel, lectures are presented by our guests, some of whom contribute to defending the city model. The international forum Positive Hack Days begins on May 20 and ends on Friday, together with The Standoff.

By Wednesday evening, the attackers had gained access to a point-of-sale terminal of the cyber-range’s retail network and "purchased" 68,950 rubles worth of alcohol at a 100% discount, with a real till slip to show for it. They hit the store’s ERP system and managed to remove the special excisable product mark from the hard liquor items, which resulted in withdrawal of the license to sell those products. The hackers also accessed personal data of the outlet’s staff and clients and stole some strategic documents.

The transportation industry facilities were truly bombarded by hackers. Several teams were able to defraud the ticket selling system of the transportation company Heavy Ship Logistics, which serves the airport, railway, and seaport. One team gained access to the operations data. So far, other facilities are proving more robust.

The petroleum production and refining corporation Nuft had its "Loss of massive contract due to bid theft" risk triggered by the True0xA3 team. The same team sent the Tube company’s plans to take over the advertising market down the drain: they hacked into the Tube CEO’s computer, stole information about the forthcoming deal, and sold it to rivals. Tube shares fell to a record low. 25 Hours, a commercial real estate complex and amusement park management company, and the city’s energy operator Big Bro Group are still going strong, but the situation can change any minute.

5/14/2021

thrEat reSearch Camp: large defensive track at PHDays

Initially, PHDays was centered around attacks, vulnerabilities, and hacking techniques. However, we think it is equally important to pay attention to methods of protecting against cyberattacks. Since 2019, a large technical defensive track called thrEat reSearch Camp has been organized at the forum alongside the offensive track. As planned by the Positive Technologies Expert Security Center (PT ESC), this track has become a platform for defensive experts to share their experience.

During the two days, experts will discuss new APT campaigns, share effective methods and tools for detecting incidents, dark web monitoring, and open-source analysis. They will also pick apart complex malware. Elmar Nabigaev, Deputy Director of PT Expert Security Center and Head of the thrEat reSearch Camp program committee, explains: «Cyberattacks can affect even top public officials and present an acute risk for any company. However, as before, very few people know how to deal with cyberattacks effectively. Our platform continues to be a space where experts share their opinion and knowledge on current threats and protection methods.»

Oleg Skulkin, Senior Digital Forensic Analyst at Group-IB, will give a talk in which he will explain how to stop analyzing ransomware and start collecting actionable CTI data for your team. Alexey Pronin, CISO at RBK.money, will talk about the tactics and techniques hackers use to attack financial institutions, ways of penetrating a company’s internal information systems, and protection methods. Sergey Golovanov, Principal Security Researcher at Kaspersky, will talk about the most impressive incident response activities of the past two years, with a focus on APTs and analysis of fashionable, stylish, modern virtual and remote infrastructure. This is but a small part of our rich program. Keep an eye on the news at the forum’s site.

The forum's co-organizer Innostage will deploy and maintain The Standoff's infrastructure and will monitor and control the teams' actions. Rostelecom-Solar, a Russian provider of information security services and technologies, has become a business partner of the forum. PHDays technology partners: Russian private grocery chain Azbuka vkusa, e-payment service RBK.money, and e-banking software developer iSimpleLab. PHDays exhibitors: Axoft, CrossTech Solutions Group, ICL, OCS Distribution, R-Vision, Security Vision, and Jet Infosystems. ARinteg will be a partner of the forum's contest program.

5/13/2021

Technical talks at PHDays: from OSINT methods to information security in video games

Only a week is left before Positive Hack Days 10: The Origin. We continue to introduce you to our speakers and the most anticipated technical talks from the different conference tracks.

Practical OSINT methods in the digital world

Andrei Masalovich, CEO at Avalanche, will discuss OSINT methods that allow effective extraction of private and even classified information without hacking. The talk covers methods for finding open partitions in cloud storage, scanning unsecured databases based on PostgreSQL, MongoDB, and Elasticsearch, retrieving classified data via global logistics databases, collecting data from closed profiles in social networks, and deanonymizing messenger users. Real-life examples will be provided.

Social engineering in 2021

Information security specialist Dmitry Andreev will discuss the fundamental principles of social engineering and its various scenarios, and share his experience of preventing social engineering attacks in a corporate environment.

Prioritizing CVEs with the Vulristics open-source extensible framework

Vulristics (vulnerability and heuristics) is an open-source extensible framework for analyzing generally available information on public CVE vulnerabilities. Independent security researcher Alexander Leonov will give an in-depth talk about using Vulristics to prioritize vulnerabilities. He will also explain why it is important to know how to prioritize known vulnerabilities and which extra sources of data can be used for this purpose.

Microsoft Active Directory: privilege escalation techniques

Egor Bogomolov, Application Security Expert at Singleton Security, has catalogued all the privilege escalation techniques possible in Microsoft Active Directory with an initial local network configuration. The speaker will also talk about vulnerabilities in out-of-the-box AD networks and explain how administrators of local AD networks can protect against them.

Development and validation of ML pipelines

Artyom Kravtsov, Computer Vision Research Engineer at SberDevices, will talk about the experience of developing and testing an ML system and a mobile SDK that determine the authenticity of a biometric sample from a photograph. He will describe the architecture of the developed solution and demonstrate a real user passing biometric verification. He will discuss in detail the ML component of the system, the development and research process, and the internal and external validation of the system.

BadUSB attacks

Innostage Head of Security Analysis Alexander Borisov will discuss several scenarios of BadUSB attacks (an interesting and rather effective class of attacks) and the main methods of preventing them.

Secure development

In addition to the traditional PHDays tracks centered around defense, offense (hacks), and the impact of information security on business, this year the forum will include a new secure development track.

Information security in video games

Artyom Bachevsky, Application Security Leader at Sberbank, will discuss typical attack vectors in video games and ways of protecting against them. Real-life examples will be given.

Unsafe deserialization

Mikhail Shcherbakov (PhD in Theoretical Computer Science, KTH Royal Institute of Technology in Stockholm) will give real examples of the vulnerabilities and shortcomings that underpin the problem of unsafe deserialization. He will address the issue of building a threat model and describe various approaches and tools for finding and exploiting new vulnerabilities. The talk will focus on static code analysis techniques and their current limitations.

Formal verification of operating system kernels

Denis Efremov, Developer at ISP RAN, will share his experience of participating in projects on formal verification and analysis of access control modules for the Astra Linux SE and Elbrus kernels, as well as verification of the Contiki code (an OS for IoT) within the European VESSEDIA program. The speaker will also disclose details of the development of formal access control models (Rodin/Event-B) and code specifications (Frama-C/ACSL), the use of static and dynamic analyzers, and the inclusion of formal analysis in the continuous integration cycle.

Technical talks will also be given by: Sergey Volokitin (Senior Security Analyst, Riscure), Sergey Golovanov (Lead Researcher, Kaspersky), Maxim Goryachy (independent security researcher), and Vladimir Kochetkov (Head of Application Security Analysis Research, Positive Technologies). See you at PHDays!

5/7/2021

The Standoff Kids at PHDays 10: let the children decide

The Standoff Kids will take place at the Positive Hack Days practical cybersecurity forum at the World Trade Center Moscow on May 19, 2021, under the auspices of the Government of Moscow. The event is intended for children aged 10 to 16. This is the second time that PHDays will introduce young guests to the basics of cyberliteracy and information security, with talks and discussions about study and career prospects for the future guardians of cyberspace.

«The development of information technologies and the growing demand for online services require a fundamentally new level of protection for urban information systems. Ensuring cybersecurity across the city and training specialists in this area is one of the priority tasks of the Moscow Department of Information Technologies [DIT], and we believe that the basics of this profession need to be taught from childhood. With that in mind, we conduct regular educational webinars on digital literacy and cybersecurity basics for children and their parents. But information is always better absorbed in a fun and playful way. As such, the kids’ track at Positive Hack Days will help them acquire even more useful skills and knowledge,» said Eduard Lysenko, Minister of the Government of Moscow and Head of the DIT.

Wannabe infosec pros will have the chance to take part in an interactive quest and help the inhabitants of a futuristic city repel the attacks of a host of cunning cyber-predators. To make it interesting for everyone, players will be divided into teams by age and experience. The smart city of the future is represented by a mock-up of a metropolis with gaming stations and educational installations. Participants will face IT-related tasks, including data search and protection. Models of an airport, amusement park, seaport, and other infrastructure have been built on site. Each team will be given a guide and a navigator tablet with a unique problem-solving scenario for each specific object.

Besides the gaming segments, there will be a series of short but fact-filled lectures on information security: kids will learn to spot modern cyberthreats and attacks, be introduced to steganography and encryption, and pick up the rules of netiquette.

«Digital literacy plays a vital role in children’s upbringing and education. The rapid uptake of new technologies without sufficient life experience often causes problems,» comments Boris Simis, Deputy CEO for Business Development, Positive Technologies. «The tasks in our virtual city teach children how to protect data and prevent attacks. Our special focus is on gamification, because this is the best way to captivate young minds. And the skills and knowledge gained can be immediately applied in practice.»

The forum and kids’ track organizers are sure that introducing cybersecurity in a gaming format will not only entertain and educate the young participants, but also awaken their interest in information security as a profession.

5/7/2021

Payment Village: the ins and outs of banking system security at PHDays 10

This year, Positive Hack Days will again be holding several events based on the Payment Village. It will be more than just a competition. Participants will first get an overview of the theory, and then they’ll apply what they learn to try to hack ATMs, cash registers, and POS terminals.

We use bank cards, POS terminals, and ATMs every day, but we know little about their structure or the different security aspects of the payment process. The primary aim of the Payment Village platform is to change this situation and make knowledge about the payment industry more readily accessible to enthusiasts, such as users, analysts, and bounty hunters. Payment Village will bring together people who are interested in vulnerabilities in banking and payment systems, and who enjoy tinkering with the inner workings of ATMs, self-checkouts, and POS terminals. You’ll learn how intruders crack these systems and how the payment industry is protecting them. We will also be holding contests to find and reward the most curious conference participants. Payment Village is sponsored by iSimpleLab, Azbuka Vkusa, and ARinteg.

The topics of this year's talks are:
- Physical and logical security of POS terminals
- Vulnerabilities in retail and payment processes
- Logical vulnerabilities in RBS systems

«The iSimpleBank 2.0 RBS platform is used to build digital channels by leading Russian businesses, so it goes without saying that our customers regard security as being of the utmost importance when working with our platform. iSimpleLab has recently completed several initiatives related to procedural and administrative security. We performed a vulnerability analysis of our iSimpleBank 2.0 RBS platform based on the requirements for an evaluation assurance level of at least EAL 4 under GOST R ISO/IEC 15408-3-2013, and we did a real-world field trial of products at events with Positive Technologies. This challenge is interesting for us because it offers a real-life scenario for checking and confirming the readiness of the iSimpleBank 2.0 platform to combat actual cyberthreats,» said Aleksey Kolesnikov, sales director at iSimpleLab.

This year’s challenges include:
- Hack an RBS system
- Hack POS terminals
- Hack ATM security systems
- Hack payment equipment

«It so happens that payment equipment was long hard to access for research into both online and offline vulnerabilities,» said Dmitriy Kuzevanov, head of the Information Security Department of the Azbuka Vkusa retail chain. «But recently, the situation has changed drastically. Cash registers are increasingly becoming integrated with numerous external and internal services, including loyalty programs, ERP, and the federal tax service. In addition, cash registers are acquiring peripheral equipment, including NFC, card readers, and UPC- and QR-code readers, which connect through Bluetooth or Wi-Fi. All of this opens up many attack vectors for points of sale. In the Payment Village, attendees will be able to materialize them and learn more about the risks and consequences.»

If you can’t join us at the event venue, we’ve prepared a little surprise for you: an ATM protection simulation you can access online to check for vulnerabilities. We’ll share more information about this during the conference.

We’re giving away tickets to the conference and Payment Village to a couple of lucky Hacker readers and enthusiasts of bank card technologies. To enter, just answer the questions in our survey. The two people who submit the most interesting responses will receive their tickets one week before the conference.

If you’d like to give a talk on vulnerabilities in payment, banking, and retail systems at the Payment Village, email us at phd10@ptsecurity.com.

5/5/2021

PHDays: till we meet online

Dear Friends,

Recently we have been snowed under with new applications: the organizers' inboxes have been overflowing with proposals, and their phones have been ringing off the hook. We have already accomplished the near impossible by fast-tracking the relocation of PHDays to the World Trade Center in Moscow and greatly expanding the opportunities for live participation in the forum events. There are still three weeks left, but tickets have already sold out, registration is closed, and the offline venue is fully booked.

Anyone who wishes to take part but did not manage to purchase a ticket is invited to join us online. This year we have put a huge amount of effort into the online format to deliver an experience unrivaled in terms of scale and quality. Viewers will be taken inside the event through dozens of camera angles, creating a total immersion effect that is in no way inferior to a TV broadcast. Come and join us: presentations, hands-on labs, contests, and lots more interesting events await!

Get connected:

4/26/2021

Talks at PHDays: Linux Kernel implants, HTTP request smuggling, and malware detection

Time is running short before the international information security forum Positive Hack Days 10, which will be held on May 20–21. The Standoff cyber-range is almost ready, red and blue teams are sending in their applications, and we are currently designing the conference program. This time PHDays will run three large conference tracks: a defensive track, an offensive track, and a business track that will discuss the influence of security on business. Today, we present the first talks.

Linux kernel implants

Information security expert Ilya Matveychikov will talk about methods of creating a Linux kernel implant. During a 45-minute talk, Ilya will describe how a multipurpose kernel-implanting attack can be carried out. The expert will also demonstrate real examples of implants in different versions of x86 kernels.

HTTP request smuggling

Emil Lerner will talk about HTTP request smuggling, a technique that is widely used to attack reverse proxies. In recent years, information security researchers have made a number of discoveries: in particular, they have found new methods for detecting vulnerabilities and developed new methods of exploiting HTTP desync states. During his talk, Emil will demonstrate the capabilities of the technique that appeared with the arrival of HTTP/2 on the frontend and HTTP/2 to HTTP/1.1 conversion. Listeners will learn how to detect reverse proxies vulnerable to the attack and what methods exist for automating such detection. The expert will also talk about possible attack vectors and the possible consequences of a successful attack.

Linux kernel fuzzing

Independent security researcher Andrey Konovalov will talk about Linux kernel fuzzing. Fuzzing is a way to find bugs automatically by feeding randomly generated data to a program. Andrey will explain how to use fuzzing to detect errors in the Linux kernel and which kernel interfaces can be fuzzed. He will briefly describe ready-to-use fuzzers such as Trinity and syzkaller, but will mainly focus on writing fuzzer code, generating inputs, and collecting code coverage.

Exploitation of vulnerability CVE-2021-26708 in the Linux kernel

In January 2021, Linux kernel developer and Positive Technologies security researcher Alexander Popov discovered and fixed five vulnerabilities in the Linux kernel’s virtual socket implementation. These vulnerabilities were assigned the identifier CVE-2021-26708. In his talk «4 bytes of power,» Alexander will describe in detail the exploitation of one of them for local privilege escalation on Fedora 33 Server for x86_64. The researcher will demonstrate how control of the entire operating system can be gained with the help of a small memory access error, while bypassing the platform’s security tools.

Formal verification of operating system kernels

Oracle’s Principal Developer Denis Efremov will share his experience of participating in projects on formal verification and analysis of access control modules for the Astra Linux SE and Elbrus kernels, as well as verification of the Contiki code (an operating system for IoT) within the European VESSEDIA program. The speaker will disclose details about the development of formal access control models (Rodin/Event-B) and code specifications (Frama-C/ACSL), the use of static and dynamic analyzers, and the inclusion of formal analysis in continuous verification. Other types of work that help meet certification requirements will also be considered.

That's all for today; follow the news on our website.

4/23/2021

"Positive Hack Days: The Origin" relocates to the World Trade Center (Moscow) to accommodate even more attendees

Interest in the PHDays practical cybersecurity forum and The Standoff cyberbattle has grown exponentially in the past week. We have received emails, phone calls, and comments of support from all over the world. Therefore, we decided to expand PHDays by moving the offline forum to the spacious World Trade Center in Moscow. This will make it possible to invite several times as many guests to the 10th anniversary Positive Hack Days forum. We are determined to see our infosec community colleagues, partners, customers, and friends face to face. The original pared-down format would not have allowed this. That is why we are now giving everyone the opportunity to ask us questions live and discuss industry issues and challenges together.

At the same time, the large-scale online broadcast of The Standoff on May 18–21 and PHDays on May 20–21, with real-time translation into English, will go ahead as planned. The broadcast will take the viewer inside the main forum halls and behind the scenes from different angles via dozens of cameras, creating a full immersion experience thanks to TV-style production.

"Initially, in light of the pandemic and sanitary restrictions, we chose a not very large offline platform and radically expanded the online format, in terms of both scale and quality. Now we understand that this year we cannot restrict ourselves to such a modest offline event, so we are expanding the platform, leaving the large-scale online broadcast unchanged," noted Vladimir Zapolyansky, Chief Marketing Officer, Positive Technologies.

PHDays will feature talks by top developers, government officials, CIOs and CISOs of major Russian and international companies, and leading experts from the banking, telecommunications, oil-and-gas, IT, and other industries. On the program agenda are dozens of presentations, master classes, hands-on labs, round tables, lectures, and competitions.

The world's largest open cyber-range, The Standoff, will allow you to witness a real cyberbattle between white-hat attackers and defenders for control of a digital city. You will be given a graphic demonstration of the potential consequences of a cyberattack on the infrastructure of a modern metropolis with its factories, banks, transport system, entertainment venues, and business centers. This will provide a timely insight into how deeply technology affects our lives, how to prevent dangerous incidents from occurring in reality, and how to make our lives more comfortable and secure. Step inside, "The Origin" awaits!

On a separate note, because the health and safety of our guests is paramount, the forum will be held in compliance with all sanitary and epidemiological standards.

You can register for both days of the forum on the event website. Offline visitors to the forum in Moscow will be able to listen to presentations, talk with speakers in person, and test their skills in the traditional competition program. A ticket to the conference also gives access to The Standoff cyber-range. For more information about the event program, see our news.