News

6/3/2020

PHDays 10 coming in spring 2021

For the last several months, the Positive Hack Days 10 organizing committee has been monitoring the coronavirus situation. We had hoped that, despite the current strict quarantine measures and restrictions on international travel, it would be possible to go ahead with the event later this fall. But subsequent events have shown that the risks and severe restrictions will very likely persist. The upshot is that we will not be able to hold the big anniversary PHDays the way we wanted, and an online-only event would not be enough to realize the full scope of our ambitions. Therefore, we are postponing PHDays 10 until spring 2021. Based on the predictions of health experts and other authorities, we believe that international air travel and mass gatherings are likely to resume by then. We will announce the new dates of PHDays 10 as soon as this information becomes available. When the dates are announced, we will reach out to all participants and presenters to confirm their ability to attend. Previously purchased PHDays tickets will remain valid. The Call for Papers will be extended, and we will continue to accept proposals from all interested presenters. Although we are postponing the forum, we will still have a few exciting things for you in the meantime: we will be holding The Standoff online this fall. Dates and details of the upcoming epic cyberbattle will be announced closer to that time. If you have already purchased a ticket but will not be able to attend next spring, we will give you a full refund. Fill out a refund request (for individuals or for organizations), sign it, and send a scanned copy to phdays10@ruvents.com.

3/11/2020

PHDays 10 postponed

Due to the COVID-19 coronavirus situation, and to ensure the safety of our guests, we have decided to postpone PHDays 10. The organizing committee has been analyzing the situation for the last two weeks and has received many questions from our speakers about a potential rescheduling of the forum. Taking into account the increasing risks of international travel, we started considering postponing the event. Yesterday, the Mayor of Moscow issued a decision canceling all public international events of more than 5,000 people until April 10, and we can expect that this term may be extended further. In the end, we have decided to reschedule the forum, probably until fall 2020. The new dates for PHDays 10 will be announced later. As soon as the dates are announced, we will contact all participants and speakers to see if they can attend. All PHDays tickets already purchased will remain valid. We will also extend the Call for Papers, so potential speakers will have an additional opportunity to submit their research. All applications already accepted will automatically be carried over to the new dates. Those who purchased entrance tickets but will not be able to attend PHDays in the fall will receive full compensation of the ticket cost.

2/5/2020

The Standoff: Recap and highlights of live cyberbattle at HITB+CyberWeek 2019

In mid-October, a battle flared for three days in sunny Abu Dhabi between teams of security experts. Attackers (red teams) and defenders (blue teams) fought for control of the digital infrastructure of a mock city specially created by Positive Technologies for HITB+CyberWeek 2019. A longtime favorite among security professionals, The Standoff is a cyberbattle held annually by Positive Technologies at the Positive Hack Days international forum on practical security. The Abu Dhabi competition marked a big first for The Standoff, which had previously been held only in Moscow, most recently in May at PHDays 9. For details, check our previous article.

Smart city in Abu Dhabi

Positive Technologies created an enormous diorama of Kabakas, a fictional industrial city, spanning about 17 square meters (183 square feet) and containing thousands of figurines. Over 100 meters (328 feet) of miniature railway tracks and more than 500 meters (1,640 feet) of wiring went into creating the city infrastructure. The mock city model made it possible to demonstrate the consequences of real cyberattacks against critical infrastructure.

1/17/2020

Become a speaker at Positive Hack Days 10. Call for Papers is now open

The Call for Papers is now open for the Positive Hack Days forum on practical information security. Please submit your application by March 31. Both esteemed experts and young specialists are welcome. An international program committee consisting of independent researchers and leading IS and IT experts will select the best talks. The PHDays 10 theme is "The Origin." We invite everyone to participate in developing the concept of future information security together. We expect over 10,000 visitors and participants, including hackers and information security specialists, serious businessmen and famous politicians. We also welcome practical findings and research outcomes in different areas of cybersecurity:

Vulnerability discovery and exploitation
Attack mitigation
Architectural issues of modern computing systems
Detecting and investigating attacks and incidents: practical findings
Threat intelligence and threat hunting
OSINT
Investigating activities of hacker groups
Arranging processes for securing information infrastructures: practical findings
Methods and ways of developing secure software, such as serverless apps, cloud-based apps, microservice architectures, and AI systems
Formal security models of applications
Managing security risks in software development processes
Security of BIOS, UEFI, and other firmware
Methods of assessing information risks for businesses
Methods of detecting weak spots in business processes
Methods of developing information security strategies for businesses

We will discuss the security of embedded systems, home and industrial IoT devices, telecommunication networks, smart homes, and CCTV, as well as the security of financial technologies and tools. We will also discuss faults and vulnerabilities in blockchain, talk about reverse engineering, applied cryptography, machine learning, malware, and exploit development. Participation formats: Talk (50 minutes), Fast Track (15 minutes), and Hands-on Lab (up to 4 hours).
To participate in the conference, please fill out the application form at .

12/5/2019

Positive Hack Days 10: ticket sale has started

Tickets for the tenth international forum on practical information security, PHDays, are now on sale. You can register and buy tickets here starting December 5. Just as in previous years, we have an Early Bird discount. If you buy tickets before January 31, the ticket package for the two days of the forum costs 9,600 rubles. Starting from February 1, the price for the full two-day conference registration will be 14,400 rubles, and 9,600 rubles for one day.

Other ways to join PHDays

There are other ways to become a Positive Hack Days participant, and some of them are free. First of all, you can get involved as a speaker. Renowned experts and young specialists are equally welcome to present their research. The Call for Papers will be announced soon. Stay tuned. Tickets will also be given to winners of special hacker contests and to those participating in The Standoff. Keep track of the news. We will provide more details soon.

12/3/2019

Positive Hack Days 10: The Origin

The first known virus for personal computers appeared in the early 1980s. A few years later, a network virus caused losses totaling USD 96 million. Now we live in the age of botnets, targeted attacks, and cyberweapons. The age of computers seems to have gotten off to a rocky start. Would you like to team up with us in fixing the mistakes and creating a world of secure high tech? Want to see development instead of running around in circles? If so, join us at PHDays 10, which will take place on May 13–14, 2020, at Expocentre on Krasnaya Presnya, Moscow. In addition to discussing attack and defense, we will try to reset history. At the tenth international forum on practical information security, Positive Hack Days, we invite you to participate in developing a concept of information security for the future. We expect over 10,000 visitors and participants, including hackers and information security specialists, serious businessmen and famous politicians. In the exhibition hall, we will have over 50 stands and themed areas for various topics and interests. We will provide high-quality communications and computing resources for demonstrating security systems and hacking tools. The forum agenda includes lectures, contests, competitions, live interaction, and training in real time.

We will also have the fifth Standoff, a cyberbattle between teams of attackers, defenders, and SOCs that forum visitors know well. We invite teams from the largest Russian and international companies. SOCs use their preferred security tools, and the attackers use the most advanced attack methods and techniques. The cyberbattle is monitored by the organizers' independent SOC, deployed using Positive Technologies products such as MaxPatrol SIEM, PT Network Attack Discovery, PT Application Firewall, PT MultiScanner, and PT ISIM, which allows the experts to see the whole battle map online.

An integral part of The Standoff is the cyber-range, where Positive Technologies experts emulate the infrastructure of a modern metropolis. This digital environment includes the corporate systems of large companies, industrial facilities, and other critical infrastructure. The model uses real ICS, SCADA, and PLC equipment from the best Russian and foreign manufacturers. The format of this cybersecurity exercise allows information security experts, representatives of state agencies, developers, and journalists to understand current threats. For participating companies, it is a unique chance to practice defending their infrastructure under real pressure from hackers. See you on May 13 and 14 at Expocentre on Krasnaya Presnya for "PHDays 10: The Origin."

11/11/2019

The Standoff in Abu Dhabi: citywide cyberbattle takes the international stage

Competition held at HITB+CyberWeek in UAE, winners hail from Russia

The Standoff, a three-day hyperrealistic tournament testing the skill of more than 60 security specialists from multiple countries, has concluded in the United Arab Emirates. As part of Hack In The Box (HITB+CyberWeek), attackers (red teams) tried to steal money from a mock city's bank, cause an oil spill, bring trains and traffic to a standstill, and make street lighting go haywire. Their efforts were opposed by their defender (blue team) counterparts. The Standoff is no generic Capture The Flag competition: unlike traditional CTFs, it pits teams of attackers and defenders against each other. The infrastructure of the imaginary city of Kabakas was featured in a huge diorama (17 square meters, or approximately 183 square feet) so that viewers could observe the aftermath of attacks. This faithful recreation of the digital infrastructure of an entire city included modern systems and hardware such as ICS/SCADA, e-banking, and building automation, enabling professionals to model real situations and hone their skills at defending systems and monitoring security. First held in 2016, The Standoff had previously taken place only in Moscow at PHDays, a conference organized by Positive Technologies.

Hack a chemical plant—or a Ferris wheel

A total of three defender teams and nine attacker teams took part. Defenders secured three different companies, responsible for the city's oil and gas, transportation, and energy. Targets included an ammonia factory and electrical substation, an oil storage tank and loading terminal, a railroad, traffic signal and street lighting management, heating and air conditioning, and even a Ferris wheel. The city had its own bank as well. Mikhail Levin, one of the organizers of The Standoff, said: "Many teams, being used to collecting flags in standard CTFs, were initially at a loss for what to do. Like in real life, in The Standoff you can use practically any hacking technique that exists. What's more, only by smartly combining these techniques is it possible to achieve victory in The Standoff. Those playing for the bad guys could attempt ambitious APT attacks or even sabotage—think oil spills, lights-out on city streets, and rail accidents. These threats are international in nature, and training needs to be more than just theoretical. In the real world, security teams have a limited number of tools available. So at the contest, defenders had only NGFW and WAF solutions, which still made life much harder for hackers. These automatically blocked all head-on attacks, forcing red teams to camouflage themselves and modify their standard tools. By exporting a competition originally dreamt up at PHDays, one of the largest security-related gatherings worldwide, we have succeeded in making extremely realistic hacking competitions accessible to a much broader community."

Chronology: day by day

Attackers could earn game currency in a number of ways: stealing it from bank accounts, mining it, and participating in the bug bounty program. But mostly they made money by completing tasks. On Day 1, attacker teams scoped out targets using public sources (OSINT). For instance, they identified corporate email addresses for all three companies and sold them to spammers. Several teams reported minor vulnerabilities as part of the bug bounty but were unable to use them to escalate privileges on the target infrastructures. Defenders did not report any incidents for the day. On Day 2, attackers continued finding information of value (email addresses and phone numbers) on corporate websites and selling it to spammers. But two teams pulled ahead. Team True0xA3 (from Russian company Informzashchita), which had already prevailed in The Standoff at PHDays 9, hacked the corporate network of the oil company. There the team found confidential correspondence and information about executive salaries, yielding 500,000 points. Another high-achieving team was Team 404, which combined the silver and bronze winners of the CTF Cyber Battle of the Emirates, held at HITB previously. The team obtained access to the bank accounts of a third of the city's population (50 out of 150 accounts, each holding 13,500 in game currency) and even managed to automate transfers of the money to an offshore bank. By day's end, they had racked up 660,843 points. Among other notable events on the second day, defenders of the energy company from the team Short Notice (UAE) detected malicious activity (exploitation of vulnerabilities and download of malicious shellcode) at the border of their network. They investigated this activity and reported the attackers' actions. The attackers were ultimately blocked and pushed off the company network, and the exploited vulnerabilities were subsequently closed. On Day 3, True0xA3 got onto the process network of the oil company. They interrupted operations by shutting a valve, which stopped oil from pumping through the pipes. The team also completed a second task by changing the maximum tank level indicators and causing a reservoir to overfill, resulting in an oil spill.

Results

The winner of The Standoff was True0xA3. Only they and one other team, n0x, found a way to mine cryptocurrency and obtain access to hosts on the corporate infrastructures. This enabled True0xA3 to complete two high-value tasks and snatch victory from Team 404, which took second place partly on the strength of having stolen money from bank accounts. The highest-rated blue team was Short Notice. These defenders were the most diligent at ensuring the availability of services and regularly reported on incidents, including discovered miners and compromised accounts. They also announced detection of a stager (a small payload module designed to place the rest of the payload on the victim system). Levin added: "Our plans include working with other major cybersecurity conferences to gradually turn The Standoff into the de facto standard for security competitions. In parallel, we will be striving to make The Standoff available 24/7/365 so that teams from different companies can participate and train remotely. Two or three days is just not a lot of time for setting up multistage attacks on an unknown target or mastering complicated detection techniques. Having a resource that's always available will help everyone to get the absolute maximum out of this format."

8/29/2019

The Standoff cyberbattle in review: how Positive Technologies Expert Security Center tracked the action

At this year's Positive Hack Days, teams of attackers, defenders, and security operations centers (SOCs) waged cyberbattle in The Standoff for the fourth time, fighting for control of a mock city's digital infrastructure. Attackers acted just like real cybercriminals aiming to steal money from a bank, pilfer confidential data, or cause an industrial accident. They raced to complete tasks and earn points. Meanwhile, defenders and SOCs protected targets and countered the attacks. This year, The Standoff also included a hackathon for developers (covered in a previous article). The Positive Technologies Expert Security Center monitored events from start to finish. They analyzed the events detected by Positive Technologies products (MaxPatrol SIEM, PT Network Attack Discovery, PT Application Firewall, PT MultiScanner, and PT ISIM) and were thus able to reconstruct a full picture of the battle. Read on for an account of what happened during The Standoff and how the teams comported themselves during attacks on the city's facilities and infrastructure.

City F infrastructure

City F has grown to become a true modern digital metropolis. The city infrastructure included an electrical plant, oil refinery, and petrochemical plant, all owned by Big Bro Group. All industrial processes were controlled by modern industrial control system (ICS) equipment. City F had an airport, sea port, and railroad. The city also hosted Hedgehog Airlines and Heavy Ship Logistics. The digital infrastructure included the offices of Future Electronics (IT company), Behealthy (insurance company), City-F Media Group (media holding), and even Voshod (soccer club). Streets were bustling with cars, supported by fully automated traffic lights and roadside lighting. The mock city was densely populated, with people working in offices and industrial companies while living in modern houses. No luddites, they enjoyed all the conveniences of the digital age, including E-Coin Bank as well as mobile communication services and Internet access from operator Future TeleCom.

7/22/2019

The Way of the Industrial Ninja: PLC hacking at PHDays 9

This year's PHDays 9 included Industrial Ninja—a contest of skill at hacking a gas pumping facility. At the PHDays venue, we created three stands that, at different levels of difficulty (No Security, Low Security, High Security), emulated the same industrial process: pressurized air was pumped to inflate, and then deflate, a balloon. No matter the security level, the hardware in each of the stands was identical: an S7-300 Siemens Simatic PLC; emergency deflation button and pressure sensor (connected to the PLC's digital inputs); and intake and outlet valves (connected to the PLC's digital outputs). You can see these components in the following picture:

7/11/2019

The Standoff developer hackathon: a fun debut

At PHDays 9, we added something new to The Standoff: a hackathon for developers. Teams of attackers and defenders fought for control of a mock digital city, as usual. But all the while, there were also developers working around the clock to make application updates and maintain uninterrupted uptime under a crush of attacks. Four teams applied to take part in the hackathon. Each represented a different non-commercial project. Of them, only Bitaps (bitaps.com) made the cut. Bitaps publishes analysis of the blockchain of Bitcoin, Ethereum, and other cryptocurrencies, in addition to offering payment processing and developing a cryptocurrency wallet. A few days before The Standoff was due to start, we gave Bitaps remote access to the game infrastructure in order to install their application (which was hosted in the unprotected segment of the city network). During the game, attacker teams, in addition to their usual attempts against city infrastructure, could scour the Bitaps application for vulnerabilities. The attackers sent a bug bounty report for each vulnerability found. The organizers verified these reports and gave the developers the opportunity to implement a fix. For each confirmed vulnerability, the relevant attacker team was rewarded with in-game currency and the developer team was penalized. What's more, the organizers could shake things up by sending feature requests. The developers worked feverishly to add functionality without creating new security issues. Success was measured in money: implementing feature requests, as well as each minute of proper application operation, brought credits. But the developers lost money for each vulnerability, each minute of downtime, and each minute of improper operation of the application. Our bots monitored the situation closely: if they detected an issue with the application, we informed the Bitaps team and gave them a chance to resolve it. No resolution? Get ready to see losses. Just like in real life! 
On Day 1, the attackers gently probed for vulnerabilities, finding only a few minor ones that were fixed quickly. Around 11 p.m., when the developers were feeling snug and safe, we caught their attention with a feature request. The feature was a tricky one: based on the application's existing payment processing capabilities, the developers' job was to implement a service to transfer tokens between two wallets by clicking a link. The payment sender (application user) should go to a special page, enter an amount, and set a one-time password for the payment. The application then should generate a unique link, which is sent to the payment recipient. The recipient opens the link, enters the one-time password, and indicates the wallet to credit the payment to. Filled with excitement, the team got down to work. By 4 a.m. link-based token transfers were ready to roll. This quickly caught adversaries' attention. After a few hours, attackers succeeded in finding a minor XSS vulnerability, which they reported. We checked and confirmed it. The developers made a fix. On Day 2, the attackers turned their full attention to the offices of the virtual city. With this respite, the developers could finally rest after a very long night.
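The link-based token transfer described in that feature request, as an added example that is neither Bitaps's code nor the organizers': a small in-memory Python service that reserves the sender's funds when the link is created, stores only a salted hash of the one-time password, issues an unguessable link token, and makes each link single-use. The class and method names, the one-hour link lifetime and the five-attempt lockout are assumptions, not details from the hackathon.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional

TRANSFER_TTL = 3600     # assumed: a link expires one hour after creation
MAX_ATTEMPTS = 5        # assumed: lock the link after five wrong passwords
PBKDF2_ROUNDS = 100_000


@dataclass
class Transfer:
    sender: str
    amount: int
    otp_hash: bytes     # salted PBKDF2 hash; the OTP itself is never stored
    salt: bytes
    created: float
    claimed_to: Optional[str] = None
    failed_attempts: int = 0


class TransferService:
    """Constructed in-memory stand-in for the application's wallet storage."""

    def __init__(self, balances: Dict[str, int]):
        self.balances = dict(balances)            # wallet -> balance (constructed data)
        self.transfers: Dict[str, Transfer] = {}  # link token -> pending transfer

    @staticmethod
    def _hash_otp(otp: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", otp.encode(), salt, PBKDF2_ROUNDS)

    def create_transfer(self, sender: str, amount: int, otp: str,
                        now: Optional[float] = None) -> str:
        """Sender enters an amount and sets the one-time password.
        Funds are reserved immediately so one balance cannot back two links.
        Returns the opaque token that goes into the link sent to the recipient."""
        if amount <= 0 or self.balances.get(sender, 0) < amount:
            raise ValueError("invalid amount or insufficient funds")
        if len(otp) < 6:
            raise ValueError("one-time password too short")
        self.balances[sender] -= amount
        salt = secrets.token_bytes(16)
        token = secrets.token_urlsafe(32)  # 256 random bits: links cannot be enumerated
        created = now if now is not None else time.time()
        self.transfers[token] = Transfer(sender, amount, self._hash_otp(otp, salt), salt, created)
        return token

    def claim_transfer(self, token: str, otp: str, wallet: str,
                       now: Optional[float] = None) -> str:
        """Recipient opens the link, enters the password and names the wallet to credit."""
        t = self.transfers.get(token)
        if t is None:
            return "unknown link"
        if t.claimed_to is not None:
            return "already claimed"        # single use: a replayed link pays nothing
        now = now if now is not None else time.time()
        if now - t.created > TRANSFER_TTL:
            self.balances[t.sender] += t.amount  # refund the reserved funds
            del self.transfers[token]
            return "expired"
        if t.failed_attempts >= MAX_ATTEMPTS:
            return "locked"                 # stops online guessing of a short OTP
        if not hmac.compare_digest(self._hash_otp(otp, t.salt), t.otp_hash):
            t.failed_attempts += 1
            return "wrong password"
        t.claimed_to = wallet
        self.balances[wallet] = self.balances.get(wallet, 0) + t.amount
        return "credited"
```

The wallet name supplied by the recipient is stored as data only; whatever page renders it (the kind of place the XSS reported during the game would live) must still escape it on output.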
