News
Hack Battle at PHDays: Fight to become the fastest hacker
PHDays 9 will again have the Hack Battle contest. This year, it's organized by SPbCTF, an open independent community from St. Petersburg, Russia. Hack Battle will take the form of a knockout tournament. For two days, adrenaline junkies will fight in groups of three. In the course of 10–15 minutes they need to solve CTF-style tasks. The topics can be web, reverse, forensics & stegano, pwn, coding, and crypto. The winner of a round is the one who completes the task before the others do. A contestant must win five battles to become the Hack Battle winner. Spectators will be watching the hackers, and SPbCTF experts will be commenting on the action. Spectators may also solve the tasks along with the battlers. If one of the contestants misses his or her turn, spectators get the chance to participate in the next round. We welcome everyone to have some fun and test their skills. To reserve a time slot, register at hackbattle.spbctf.ru before 5 p.m. (Moscow time) on May 17. The number of participants is limited to 108. If there are more potential contestants, on May 18 at 6 p.m. the organizers will hold an elimination round (at spbctf.ru as well). Stay tuned for more news. The contest has three prize-winning places; winners will receive valuable prizes and invites to the next PHDays. Find more details on the contest web page.
PT Expert Security Center stand
PHDays 9 will include a stand from the PT Expert Security Center, offering an opportunity to talk with experts, try out fun contests, and even apply for a job. Knowledge is power. This is especially true when it comes to countering cyberthreats. The PT ESC experts invite you to see how well you know incident investigation. They've also prepared Who wants to become a rESearCher? Questions will be tough, pushing participants to the limits of their abilities. Prizes await the victors! What's more, the stand will host a tournament named Quest for ESCurity: The Handoff, based on the card game Munchkin. Become a superhero, pirate, astronaut, zombie slayer, knight, or fighter of ancient gods! Sign up and charge ahead, crushing all enemies along your path. Signup will be on Telegram (@QuestForESCurity_TheHandoffBot) starting May 18. But be ready to rush headlong into battle (first game on May 21 at 11:00 a.m.), make weighty decisions under pressure (spaces limited!), and proudly bear the title of claimant to the PHDays Munchkinship. For rules and details, see the contest page. During both days, all comers will have the chance to pose questions to the PT ESC experts. In addition, on both days, the thrEat reSearch Camp technical track will be dedicated to incident response, threat intelligence, threat hunting, OSINT, and malware analysis. Want to try your luck at investigating security incidents? Check out our online forensics contest ESCalation Story on Telegram (@jaxhunt_bot) from April 22 to May 15.
2drunk2hack, Competitive Intelligence, Best Reverser: traditional PHDays contests
Just one month left until PHDays 9 starts. Scheduling of presentations is in full swing, and preparations for The Standoff and other contests are underway. We have already announced some new contests, like Industrial Ninja, IDS Bypass, and ESCalation Story. Of course, this year our traditional hacking contests, like Best Reverser, Competitive Intelligence, and 2drunk2hack, will be held as well. The Best Reverser online contest for reverse engineers will take place from May 1 through May 14. Both amateur and expert code breakers can warm up before PHDays and demonstrate their skill at analyzing executable files. A valuable prize and an invitation to the conference are at stake. The file for analysis will be published on the contest's web page on the starting day. The Competitive Intelligence online contest is your chance to test how quickly and precisely you can find information online. It will be held on May 18, from 9:00 a.m. until 11:59 p.m. (UTC+3) on Telegram @phdayscibot. On Telegram, we will post questions about a certain organization. The task is to find as many correct answers as possible in the least amount of time. Winners will get valuable prizes and an invitation to PHDays. Contest discussion group: . At the end of day two, when all the presentations are over and the Standoff battle is won, it's time for the merriest and most spectacular contest, 2drunk2hack. The participants must perform a successful attack against a web application defended by a WAF. The application contains a finite number of vulnerabilities, sequential exploitation of which allows executing operating system commands, among other things. Every 5 minutes, the participants whose actions have been flagged the most by the WAF will have to drink 50 ml of hard alcohol and keep hacking. Whoever is first to get the main flag during the server command stage wins the contest. The winner will receive mementos from the organizers. Everyone of drinking age is invited to take part.
Details of the contests will be published soon. Stay tuned and get warmed up for the contests!
Two new contests at PHDays: bypassing an IDS and hacking a plant
As we said before, at PHDays 9 participants can test their strength in various applied security workshops. But this is not yet the full extent of the contests. Two new contests, Industrial Ninja and IDS Bypass, were recently added to the list. Industrial Ninja is an opportunity to try some industrial ninjutsu and work out the Big Bang theory. Throughout the event, any participant can try hacking a gas pumping facility. The contest will have three test beds modeling real-life industrial processes. The scenario is that a highly pressurized (over 100,000 Pa) lethal airborne pesticide (in reality, just air) is pumped into an elastic container (a balloon). Each test bed has a different difficulty level reflecting its degree of security: Novice, Veteran, and Ninja. Participants need to figure out the process, seize control of the facility, and cause an accident. The contest will take place over both days of the forum and all are welcome to take part. Those who can seize control of the process and cause an accident at the plant will get prizes from the organizers. The first prize will be a Proxmark3 RDV2. Those who are more interested in bypassing protection systems are welcome to join the IDS Bypass contest. Contestants need to hack five vulnerable hosts and get their flags while remaining unnoticed by the intrusion detection system. All participants, regardless of knowledge level, are welcome. The vulnerabilities will be well-known ones, so participants will only need to focus on bypassing the IDS. You can brush up on your theory at Network Village, where security experts from Positive Technologies and the DC7831 and DC2e06 communities will give presentations on various topics, including IDS bypassing. Participants need a laptop with Wi-Fi and Ethernet adapters. First prize is a WiFi Pineapple TETRA, second prize is a WiFi Pineapple NANO, and third prize is a Shodan account.
Detailed participation terms and the whole PHDays agenda will be published soon on the PHDays website. Stay tuned!
ESCalation Story online forensics contest to start April 22
Want to test your mettle at investigating cybersecurity incidents? Take part in the ESCalation Story online contest, which will be held in the run-up to Positive Hack Days. The contest will take place via Telegram from April 22 through May 15. Winners will get prizes from the PT Expert Security Center. The contestants will have to deal with a tricky situation at a small trading company called Much Money. Its CEO recently started thinking hard about security and after attending last year's PHDays decided to hire a cybersecurity expert, Jaxson Hunt (@jaxhunt_bot). Jaxson had always dreamed of catching hackers and wanted a chance to prove himself. But his experience was limited, so when his boss woke him up at night saying someone had hacked into their network, Jaxson was at a loss. "Ouch... Now I'll have to recall what they taught us in our incident investigation classes. We only have a few servers, what could happen, anyway?" thought poor Jaxson. "Maybe the community will help me investigate? I should get a Telegram account, that's the place to find the real pros. Hopefully I can get the situation sorted out before PHDays, since the boss wanted to send me there this year." The first person to figure out what exactly happened and who's behind it all will be the winner of our ESCalation Story. Details will be published soon on the PHDays website. Check our page for news and start getting ready!
The Standoff: new twists added to a PHDays favorite
At this year's Positive Hack Days, teams of attackers, defenders, and security operations centers will wage cyberbattle in The Standoff for the fourth time. But this year, the organizers have some changes in store. City F, which we all remember from before, has grown to become a true modern digital metropolis. Now, in addition to the traditional facilities, the city infrastructure includes offices. These belong to an airline, insurance company, IT company, media outlet, and maritime shipper. The city even has a soccer club. And just like last year, City F will have its own cryptocurrency. The city is still densely populated. People work in various offices and factories for different companies, live in modern homes, and use all the latest digital technologies in their daily lives. Changes have been made to the format of the game as well (see more on The Standoff page). First, teams of developers will join the fight, creating work for both attackers and defenders. During a hackathon, developers will create applications which the attackers will also try to crack. Second, many facilities will remain unprotected. This time the defenders will secure only offices, while the other facilities will remain vulnerable (as sometimes happens in real life). But this does not necessarily mean smooth sailing for attackers. Maxim Tselikov, member of the PHDays organizing committee, said: "We have spiced things up a bit. To see whose approach to security is more effective, we have put the defender teams on equal terms, entrusting them with the different offices. And to make sure the defenders don't completely cut off their perimeters from the bad guys, we will have special checks in place, ones even better than last year's." "Attackers will still be free to act as they will, but we have changed the scoring. The score for a task will now depend on more than just its complexity. Although some tasks will resemble those from past years, they will be worth fewer points than before. We did this to motivate more experienced teams to get out of their comfort zone, while giving beginners a chance to try out new things. Also we have decided to place limits on the ability to compromise bank accounts, to avoid a repeat of the dramatic game-altering events we witnessed last year in the last hour of competition. What we can promise is that the teams will have to work hard. We have prepared a lot of interesting and unexpected tasks for them." Last year, The Standoff ended in a draw. What will this year's competition bring? Let's find out!
New additions to PHDays competitions: More theory and practice
The competitive program of Positive Hack Days 9 promises to be packed. In addition to the traditional contests, there will be applied security competitions of various difficulty held in a workshop format. This means that over a couple of hours contestants will acquire basic knowledge of some aspect and will immediately put that knowledge to use.
Network Village
Over the course of two days, the security experts at the Network Village test bed will speak about network fuzzing, SSL pinning, MITM attacks, attacks against web applications and USB devices, and many other topics. Contestants will learn about attack types and scenarios, and will put the new knowledge to use in the E&E Exploit Express contest. The purpose of the contest is to go through several vulnerable services and collect flags. The participant who gets all the flags first becomes the winner. The services will be available through a Wi-Fi router. The contest is open to anyone interested in networks; knowledge level is irrelevant, just bring your laptop.
AI Track
Nowadays artificial intelligence is used not only for protection against attacks, but also for attacking. At the AI Track test bed, well-known experts in machine learning will give technical presentations on various aspects of using AI in security. The presentations might be of interest to security specialists, as well as to ML engineers who care about security. Also, throughout the two days a CTF contest will be held. The tasks will be related to the use of ML models. All participants are welcome. The link will be posted before the start of PHDays.
Payment Village
At the Payment Village test bed, you can practice attacking banking systems. Experts in banking systems security will explain how various banking devices work and what vulnerabilities they have, and will share interesting cases from security analysis projects. In a special demo area they will demonstrate scenarios of attacks on ATMs and POS terminals. After learning the theory, Payment Village contestants will try hacking an ATM. All visitors are welcome to try. More details on contests and prizes will be published in April. Check our page for news and get ready for exciting action!
New to PHDays: defensive track from the PT ESC team
This year, PHDays will include a special track for digital defenders! Our forum has tended to concentrate more on attacks, vulnerabilities, and hacking techniques, and less on protection. To close that gap, we have created a special technical track named thrEat reSearch Camp for presentations about incident response, threat intelligence, threat hunting, OSINT, and malware analysis. During the two days, experts will discuss new APT campaigns and share effective methods and tools for detecting incidents, monitoring the dark web, and analyzing open sources. They will also pick apart complex malware. Presentations will target a diverse audience, with content intended both for novices and technical experts. Elmar Nabigaev, Head of Threat Response at Positive Technologies and member of the PHDays organizing committee, said: "Every year, there is more and more information about new vulnerabilities and flashy hacking techniques. But protection-related topics can get shortchanged. At PHDays 9, we want to change this by doing more to include the other set of people, those who protect us from cybercriminals every day." He continued: "thrEat reSearch Camp will be a space where all PHDays participants can share ideas. We hope this will be the start of a tradition for future years." The PHDays program committee has already selected the first group of speakers who will present at the defensive track. Visitors will learn how optical character recognition helps combat macro viruses, how cloud incidents can best be investigated, how Active Directory logs can be analyzed in a new way, and how security experts monitor threats on the darknet.
Detecting macro viruses
The 1990s were full of interesting trends. On the computing side, these included documents with injected malicious code. Most commonly, attackers would embed a VBA macro in an innocent-seeming document, such as an invoice.
Many still remember the Melissa macro virus, which appeared in March 1999 and infected hundreds of thousands of computers all over the world. But malicious macros have made an unexpected comeback. In 2014, Microsoft noted an increasing number of such threats: the company's tools were generating around 8,000 VBA detections per day. In 2016, Microsoft blocked macros in Microsoft Office by default. However, malware developers found a way to bypass this restriction: they now kindly ask users to enable macros. Check Point reverse engineer Ben Herzog will present a new approach to macro detection. Attackers who create such documents invariably use the words "Enable Content" and must hide them in a document's header or in a picture. Ben will demonstrate a classifier that immediately detects infected files and also share the results of his research, based on tens of thousands of malicious documents.
New method of analyzing AD event logs
Analysts from the JPCERT/CC Incident Response Group will speak on the topic "Analyzing Active Directory event logs with visualization and machine learning." Tomoaki Tani coordinates investigation of cybersecurity incidents and analyzes incident trends and attack methods. Shusei Tomonaga is engaged in malware analysis and forensic investigation. He is spearheading a group responsible for analyzing targeted attacks on critical industries in Japan. Event log analysis is a key stage in incident investigation. Analyzing Active Directory event logs makes it possible to identify the hosts compromised as a result of lateral movement. The duo will show a new method of analyzing Active Directory event logs with LogonTracer, a tool that visualizes relationships between accounts and hosts.
Cloud incident investigation
An increasing number of companies are migrating their infrastructure to public clouds, such as Amazon Web Services, Microsoft Azure, and Google Cloud Platform.
According to IDC, the biggest spender on cloud services in 2018 was healthcare ($12.1 billion), followed by government ($8.4 billion) and finance ($7.3 billion). Analysts expect that investment in cloud services will continue at an accelerated clip until 2021. The cloud boom has been fuelled by the digitalization of key industries. Despite the advantages of cloud technology, it also brings security risks. Frederic Baguelin, incident response expert at Société Générale and co-founder of ArxSys, will speak about incident investigation on cloud infrastructure. Frederic will talk about EC2 and methods for analyzing EC2 instances in the AWS ecosystem. He will propose an automated approach based on AWS and the Python API to retrieve snapshots for local analysis. He will also demonstrate the tools needed to perform a full scan directly from the cloud.
Monitoring darknet threats
Muslim Koser, Head of Products & Technology at Volon, will speak about effective methods for gathering information about attackers on the darknet. Muslim has over 20 years of information security experience. For the past 10 years he has been leading threat intelligence teams. The speaker will explain how to cope with information overload to pinpoint the useful nuggets, and how to combine AI and ML with HUMINT to get the most out of the "take."
Don't miss your chance to speak from the same stage as big-name experts at PHDays 9! Apply by March 31. Stay tuned to keep up with the latest news!
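The macro-detection heuristic summarized in the "Detecting macro viruses" section above (lure text such as "Enable Content" placed in a document's header or body, alongside an embedded VBA project) can be illustrated with a small defender-side triage script. The following is an added example written for this page; it is not Ben Herzog's classifier or any Check Point tool. It uses only the Python standard library, reads the Office Open XML package directly (the real part names `word/document.xml`, `word/headerN.xml`, `word/footerN.xml`, `word/vbaProject.bin` and `word/media/`), joins the `w:t` text runs so a phrase split across runs is still matched, and reports images as needing OCR rather than attempting it. The sample documents, the lure phrase list and the verdict labels are all constructed for the example.

```python
"""Heuristic triage of an Office Open XML document for the "Enable Content" lure.

Added example (not from the page or any vendor): checks the text parts of a
.docm/.docx for the social-engineering phrases that accompany macro malware
and whether the package also carries a VBA project. Images are only counted,
since the lure may be rendered as a picture and would need OCR.
"""
import io
import re
import zipfile
from dataclasses import dataclass, field

# Constructed lure phrase list; extend from your own corpus.
LURE_PATTERNS = [
    re.compile(r"enable\s+content", re.I),
    re.compile(r"enable\s+editing", re.I),
    re.compile(r"enable\s+macros?", re.I),
]
TEXT_PARTS = re.compile(r"^word/(document|header\d*|footer\d*)\.xml$")
IMAGE_PARTS = re.compile(r"^word/media/")
WT_RUN = re.compile(r"<w:t(?:\s[^>]*)?>([^<]*)</w:t>")  # WordprocessingML text runs


@dataclass
class Verdict:
    has_vba_project: bool
    lure_hits: dict = field(default_factory=dict)  # part name -> matched patterns
    image_parts: int = 0

    @property
    def label(self) -> str:
        # Constructed labels for the example; map them to your own severity scale.
        if self.has_vba_project and self.lure_hits:
            return "likely-malicious"
        if self.has_vba_project and self.image_parts:
            return "suspicious-ocr-needed"
        if self.has_vba_project:
            return "macro-no-lure"
        return "clean"


def part_text(xml: bytes) -> str:
    # Join all w:t runs: attackers split phrases across runs, so a regex over
    # the raw XML would see "Enable" in one run and "Content" in the next.
    return " ".join(m.group(1) for m in WT_RUN.finditer(xml.decode("utf-8", "replace")))


def scan_docx(data: bytes) -> Verdict:
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        v = Verdict(has_vba_project=any(n.endswith("vbaProject.bin") for n in names))
        for n in names:
            if TEXT_PARTS.match(n):
                text = re.sub(r"\s+", " ", part_text(zf.read(n)))
                hits = [p.pattern for p in LURE_PATTERNS if p.search(text)]
                if hits:
                    v.lure_hits[n] = hits
        v.image_parts = sum(1 for n in names if IMAGE_PARTS.match(n))
    return v


def build_sample(with_vba: bool, header_runs: list, media: bool = False) -> bytes:
    """Build a minimal constructed OOXML package in memory for testing."""
    ns = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"

    def runs(ts):
        return "".join(f'<w:r><w:t xml:space="preserve">{t}</w:t></w:r>' for t in ts)

    body = (f'<?xml version="1.0"?><w:document xmlns:w="{ns}"><w:body>'
            f"<w:p>{runs(['Invoice #1042 attached.'])}</w:p></w:body></w:document>")
    header = f'<?xml version="1.0"?><w:hdr xmlns:w="{ns}"><w:p>{runs(header_runs)}</w:p></w:hdr>'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")  # placeholder, not validated here
        zf.writestr("word/document.xml", body)
        zf.writestr("word/header1.xml", header)
        if with_vba:
            zf.writestr("word/vbaProject.bin", b"\x00" * 16)  # placeholder bytes
        if media:
            zf.writestr("word/media/image1.png", b"\x89PNG placeholder")
    return buf.getvalue()


# Constructed samples: lure split across two runs in the header, a benign file,
# and a macro file whose lure (if any) is only in a picture.
MALICIOUS = build_sample(True, ["This document is protected. Click Enable", " Content to view."])
CLEAN = build_sample(False, ["Quarterly report"])
IMAGE_LURE = build_sample(True, ["See the banner above"], media=True)

if __name__ == "__main__":
    for name, blob in [("malicious", MALICIOUS), ("clean", CLEAN), ("image_lure", IMAGE_LURE)]:
        v = scan_docx(blob)
        print(f"{name}: {v.label} vba={v.has_vba_project} hits={v.lure_hits} images={v.image_parts}")
```

Run it as a script to see the three verdicts, or call `scan_docx()` on the bytes of a real file. The run-joining step is the part worth keeping: phrase matching on raw XML is easy to evade by splitting a word across formatting runs, and counting images gives the analyst a queue of headers that a separate OCR stage should examine.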
PHDays talks to include eavesdropping on videoconferences, new version of GhostTunnel, and Java Card attacks
Our review board has been hard at work sorting through proposals for talks at Positive Hack Days. We encourage would-be speakers to apply soon: the call for papers closes on March 31. Recently we announced a highlighted speaker at PHDays 9, prominent GSM security researcher Karsten Nohl. Today we present the first group of speakers whose talks have already made the cut. Yamila Vanesa Levalle, security researcher at ElevenPaths, will be making her PHDays debut. She will speak about two open-source Python tools that automate attacks on Cisco Meeting Server (CMS).
Karsten Nohl to speak at PHDays 9
World-renowned GSM security researcher Dr. Karsten Nohl will give a keynote talk at Positive Hack Days 9. A member of the Chaos Computer Club in Germany during his student days, Karsten is a leading specialist in data security and encryption. He likes to test security assumptions in proprietary systems and typically breaks them. He personally oversees security for Reliance Jio, the world's fastest-growing telecom network.