News
Day 2 of PHDays 8: Games Over (until next year)
The eighth annual Positive Hack Days has wrapped up. Over 5,200 participants gathered in Moscow to watch hackers intercept mobile signals, take cash from an ATM, fool smart utility meters (one of the hackers was 12 years old!), and pull off dozens of other technical feats. True drama was in the air during the finale of the attacker-versus-defender showdown at The Standoff.
Day 1 of PHDays 8: staking it all on the Digital Bet
The first day of Positive Hack Days was full of participants (over 3,800) and events (over 50 talks, plus hands-on labs, roundtables, and nearly a dozen hacking contests). Under the headline topic of the Digital Bet, experts explored how to fool biometric identification systems, discussed whether blockchain security is necessary, and described how office life will change in the digital age—and also demonstrated techniques for hacking mobile networks, IoT devices, industrial control systems, and more. Here are some of the highlights from the first day of PHDays 8.
Insight from those in the know
The forum was kicked off by Positive Technologies experts, who presented their findings from real-world protection work in 2017. The experts covered the security of corporate systems, industrial equipment, telecom and financial companies, blockchain projects, and vulnerabilities in Cisco ACS and Intel Management Engine.
Corporate systems remain vulnerable to both outside and inside attackers. Almost half of companies encountered at least one advanced persistent threat (APT) in 2017. Despite all the software, hardware, and organizational measures usually in place, Positive Technologies penetration testers (in the role of insiders) were successful at every single company tested in obtaining full control of infrastructure. As pointed out by Boris Simis, Deputy CEO at Positive Technologies, only 5 percent of companies even detected pentesting activity. Breaching the network perimeter as an outside attacker, such as by using social engineering or Wi-Fi attacks, was accomplished by Positive Technologies testers at 68 percent of clients. In some ways, the security situation deteriorated year-over-year. Obtaining access to LAN resources was "trivial" at 27 percent of companies in 2016, which increased to 56 percent in 2017. Critical vulnerabilities worsened as well: they made up 84 percent of the total in 2017, compared to 47 percent in 2016.
Simis closed by sharing his recipe for protection: "You have to do three simple things: install antivirus protection everywhere, eliminate critical vulnerabilities on the external perimeter at the very least, and realize that you have very likely already been hacked—which is why you need to scour your network for indicators of compromise." Elmar Nabigaev, Head of Threat Response at Positive Technologies, looked at recent developments in attacks. The company's research shows that attacks are increasingly destructive in nature, with the purpose of damaging digital infrastructure. Attacks are also becoming more sophisticated, as they make greater use of zero-day vulnerabilities and complex malware. Among the key findings: even without zero-day vulnerabilities in hand, hackers weaponize public vulnerabilities extremely quickly, making it essential to install patches the moment they become available. Experts predict a rise in targeted attacks, especially on the part of hacker groups sponsored by nation-states—world tensions are a contributing factor. Other predictions include increased attack sophistication plus higher numbers of attacks on industry, the IoT, and cloud services (as a method for third-party compromise), plus low-level attacks. Dmitry Kurbatov, Head of Telecom Security at Positive Technologies, described recent trends in the telecom industry. The last two years have shown minor improvement, but mobile subscribers and their data remain under threat. Smart contract vulnerabilities and attacks on investors were the focus of Arseny Reutov, Head of Application Security Research at Positive Technologies. Since August 2017, hackers have managed to steal enormous amounts (around $300 million) from cryptocurrency exchanges. Research by Positive Technologies shows that these hackers are using classic techniques long seen in other spheres. Most attacks on cryptocurrency exchanges and ICOs take advantage of poor web application security. 
Reutov also noted that in the last year, Positive Technologies has secured many large ICO projects, including Blackmoon, Utrust, and 3DIO. The reports and other data referenced by Positive Technologies experts during the RE: search session are freely available on the company's website:
Telecom security at PHDays: we've got you covered
Security in the mobile industry is making headlines: eavesdropping, SMS interception, spoofing, and SIM card hacking are only a few of the possible attacks. At Positive Hack Days, we invite you to learn about the vulnerabilities in mobile networks and try to hack a mobile operator that we've set up specially for the event. Read on for an overview of PHDays contests and talks covering all aspects of telecom security.
Today it's hard to find an industry that does not depend on mobile network operators. A payment terminal in a café, an alarm system in a country house, a gas meter, a truck driving down a highway—all these now have a SIM card inside. Connectivity has brought convenience and efficiency, but not security. Concerns abound: SIM cards carrying viruses, SDRs and IMSI catchers, tracking and eavesdropping via SS7, denial of service on LTE networks, and over-the-air GSM eavesdropping, to name a few.
On May 15 at 2:00 p.m., Positive Technologies Director of Telecom Security Dmitry Kurbatov will give a talk entitled "Telecom security: getting better or worse?" (Seliger Hall). The speaker will talk about threats to the connected world and the weaknesses lurking in today's smart cities, transportation, and electrical grid.
The forum venue will also have its very own mobile network, for testing and hacking purposes. Positive Technologies telecom security experts will demonstrate popular methods for attacking mobile subscribers: IMSI disclosure, geotracking, SMS interception, and call redirection. Visitors can follow the actions of the "attackers" on large screens, as well as see how this is monitored and logged by PT Telecom Attack Discovery. In addition, the test stand will provide a chance to practice exploiting SS7 vulnerabilities, using protection tools, intercepting and eavesdropping on GSM traffic, and putting SDRs to use.
On May 15, technical talks in the Press Hall will be given by Positive Technologies telecom security experts.
At 10:00 a.m., Sergey Mashukov will speak on the topic "Exploiting vulnerabilities in the 4G Diameter interoperator network," which will detail security issues with the Diameter protocol. The speaker will share results of security audits conducted for different MNOs. He will also describe successful test attacks he has performed in these environments. Later at 11:00 a.m., Vadim Yanitskiy and Warsaw University of Technology graduate student Piotr Krysik will describe how to use open-source software (OsmoBTS or OpenBTS) to turn an SDR into a GSM mobile phone. Today's phreakers are still targeting telecom companies—and you can become one of them thanks to MITM Mobile. Intercept the airwaves of our on-site mobile operator. The two participants completing the most tasks will win prizes. To take part, bring your own Osmocom, SDR, virtual machines, and other necessary equipment. Of course, the forum will also include The Standoff, a 30-hour cyberbattle in which teams of attackers, defenders, and security operations centers fight for control of a virtual city. The battleground: the full-scale digital infrastructure of a mock metropolis. Attackers will have plenty of interesting targets, including a telecom operator, Internet provider, residents who actively use cell phones and the mobile Internet, plus IoT and VoIP devices. During the game, attacker teams will be able to probe the security of telecom systems identical to those used in real cities. Participation in The Standoff is restricted to teams that have registered in advance. We hope to see you at PHDays! The cost of a ticket is RUB 14,400 for two days and RUB 9,600 for one day.
PHDays 8: come visit Hardware Village
For five years, the Hardware Village team has been offering something special for hackers who aren't afraid to get their hands dirty. At Positive Hack Days this year, the team has several talks and interactive tasks planned to entertain and educate. During both days of the forum, the Hardware Village stand will offer all comers the chance to hack hardware and solder to their heart's content. Piles of hackworthy hardware will be available for modification and hands-on use. We will also talk about JTAG/SWD debugging and all the popular wireless interfaces in the wide 125 kHz to 5 GHz range, plus details of the RFID, NFC, Wi-Fi, and Bluetooth data exchange protocols. For those anxious for the full technical story, talks have been prepared for the second day, covering wired interfaces from low-level UART to the high-speed PCI Express. As in past years, we invite you to test your skill with a tension wrench, as well as savor the company of the DC7499 community, at Lockpick Village. Drop by and have fun!
ICS/SCADA hackers: choose your own adventure at PHDays
Few people realize how much cities depend on industrial control systems. ICS components are found in the most diverse industries, including manufacturing, energy, transportation, and utilities, among many others. They do more than just make production more efficient—they help to control traffic and optimize consumption of water and power. So what would happen if someone suddenly dragged this infrastructure back to the pre-automation age? One could idly speculate, but instead we recommend coming to Positive Hack Days and seeing for yourself. Guests and participants will be invited to try to find ICS/SCADA vulnerabilities and even attack the infrastructure systems of an entire mock city.
The technical zone at PHDays 8 will host the SCADA bugs comeback stand by Gleg, a company specializing in vulnerability research. Stand visitors will be able to compete at SCADA hacking. Over two days, hackers will have free rein over industrial systems made by Wonderware InTouch, iFIX, IGSS, KingView, and IntegraXor, as well as network equipment from Hirschmann and Advantech. Participants' task is simple: to find as many vulnerabilities as possible. Both beginners and experts are welcome. Laptop is required. Results will be announced on May 16 at 2:00 p.m., with fun prizes for the champions. After the awards ceremony, at 3:00 p.m. the organizers will use several SCADA systems to demonstrate how vendor efforts to fix one mistake can actually cause new issues.
Throughout the entire forum, The Standoff will see teams of attackers, defenders, and security operations centers fighting for control of a virtual city. The battleground will contain the full-fledged digital infrastructure of a large modern metropolis. Participation is restricted to teams that have registered for The Standoff.
During The Standoff, attackers will look for weak spots in the security of real industrial equipment used to control factories, hydroelectric plants, city transport, lighting, oil and gas operations, and more. The scope of damage is limited only by attackers' imagination and the protection systems in place on different network segments. The mock city includes systems responsible for lighting, heating, air conditioning, video surveillance, residential complexes with building management systems (BMS), smart homes, transport system, IoT devices, railroad, electrical plant and substation, hydroelectric plant, oil refinery, and petroleum storage and transportation. Although the city diorama may resemble a toy, with its miniature trains and tank farms, all of the city's digital infrastructure is the real article. We also recommend another two stands specially for those interested in ICS/SCADA hacking. The Fizpribor stand will be home to the H@rd Logic Combat contest, which pits participants against solutions used for low-level automation and accident protection for in-development Russian industrial control systems for nuclear energy. Over two days, participants will try their best against ALTLinux and QNX components, as well as algorithmic modules based on hard logic. The second stand of note is MeterH3cker, with its contest for hacking the smart grid. The contest will last for the duration of the forum and all visitors are welcome to take part. Get your PHDays tickets now! A two-day ticket costs RUB 14,400 and a one-day ticket costs RUB 9,600.
A matter of meters: hack the smart grid at PHDays
Come to the MeterH3cker stand at Positive Hack Days to have fun with the vulnerabilities in smart grid equipment. The contest will take place over both days of the forum and all are welcome to take part.
Contest structure
The MeterH3cker stand consists of two mock apartment buildings that have smart grid technology installed. Real meters and solar panels will be present in each building. Conditions switch between "Day" and "Night." Solar panels are anticipated to meet the full power needs of each building; surplus power can be sold to the grid at a special feed-in rate. So there are plenty of opportunities to earn money, which is credited to the account balance of the relevant building. The following equipment will be available for participants' hacking pleasure:
Solar charge controller. Solar panels generate electricity, and this controller manages the flow of power they provide. During the day, solar panels are used to meet the building's power needs. Any excess power goes to the grid, in which case the meter spins backwards.
Electrical meters. These meters record the amount of power that has been consumed, generated by solar panels, and offloaded to the grid. The rates used for billing by the power company depend on the time of day.
Electrical devices. The buildings are filled with appliances: light bulbs, TVs, and washing machines. Some of the equipment that consumes electricity—such as central AC and heating—is managed via a programmable logic controller (PLC).
In addition, each building is connected to "normal" power from a local substation. At the substation, a data aggregator gathers readings from the meters and enters information about the amount of consumed/generated energy in a local database. The electrical company's billing server then uses this information to change the account balance.
Participation
The contest will last two days. A preliminary round will take place on the first day.
All participants will have full access to all equipment, including the ability to analyze it, find vulnerabilities, and stake out potential vectors of attack. Those with the best results will be invited to return for the finale on the second day. The finale will be a one-on-one competition. Two participants at a time will be called up to the stand. Each participant will be responsible for one building. The task of each participant is to find every way possible to fool the electrical meters and generate more energy than their "neighbor." Whoever has the higher balance when time runs out, wins. One complication: each participant can access the other's equipment, leaving plenty of opportunities for unneighborly sabotage. Forum visitors will be able to monitor events on overhead screens: graphs will visually represent electrical consumption in real time. A green line will represent the amount of electricity actually consumed. Meanwhile, a blue line will reflect the values stored on the data aggregator, which collects readings from the meters installed in the buildings (the blue-line information is what is reflected in the account balance of each building). So the blue lines will change based on the attackers' actions. Will the grid hackers succeed in fooling smart meters to reduce their bill or perhaps become rich from solar power? We'll get to find out soon at PHDays. Register and buy tickets for PHDays while you still can! A two-day ticket costs RUB 14,400; a one-day ticket costs RUB 9,600.
Pirates at PHDays: say "ahoy" to maritime mayhem
Become a modern-day buccaneer in our Pirate’s Gate contest on May 15–16 at Positive Hack Days. More and more devices are connected to electronic controllers. And if something has a processor inside, it contains vulnerabilities. Hackers long ago figured out how to hijack drones, take over smart cars, and derail trains. So how about stealing a ship? We invite PHDays visitors to hack our ship's navigation system and send the ship to points unknown. Participants will have before them a boom barrier and a small pool, in whose high seas our radio-controlled model boat will be sailing. The winner will be the person who most quickly hacks the boom barrier, reaches the dock, accesses the navigation system, and takes control of the vessel. The contest will be active during the entire forum. Everyone is welcome to take part—just come up to the stand. We recommend bringing your own laptop and SDR (HackRF and bladeRF). Register and buy tickets for PHDays while you still can! A two-day ticket costs RUB 14,400; a one-day ticket costs RUB 9,600.
PHDays 8: full list of contests now available
Every year at Positive Hack Days, contests offer the chance for the best hackers and defenders to show off and win glory. We have already announced a few new contests, some of which will be held online in the weeks leading up to PHDays. Here we'll share all about the contests that will take place at PHDays itself on May 15 and 16.
The Standoff
Of course, the center of the action is The Standoff, a 30-hour cyberbattle between teams of attackers, defenders, and security operations centers. At stake is a mock city built on a technologically advanced economy. The city precisely recreates all the digital infrastructure found in the real world: power plant and substation, railroad, energy-efficient smart homes, and banks with ATMs and self-service kiosks. And what modern city would be complete without cell phones, the Internet, and online services? The city is populated by corporate employees as well as simple folk who use smart gadgets in their daily lives. Attackers are invited to use their imaginations and do absolutely anything that is not forbidden by the rules. The action will be monitored non-stop by our jury. This year's rematch is set to be decisive, since after 2016 and 2017, the sides are tied 1:1. The teams themselves promise an exciting game, because all three sides will include participants who work in information security every day: integrators, vendors, and client-side information security staff. Learn all about the competition rules and participants: The Standoff.
HackBattle
The excitement is back with HackBattle, which made its debut last year. A qualifying round will be held on the first day of the forum; participants will be timed as they complete tasks of varying difficulty. The finale will be on the second day, when two hackers take the stage to attack the same target while viewers follow along on the big screen.
MITM Mobile
Today's phreakers are still targeting telecom companies—and you can become one of them thanks to MITM Mobile.
Intercept the airwaves of our very own on-site mobile operator. The two participants completing the most tasks will win prizes. To take part, bring your own Osmocom, SDR, virtual machines, and other necessary equipment.
Leave ATM Alone
This classic crowd-pleaser will again offer the chance of a lifetime: 15 minutes to (legally) try to steal money from an ATM. Keep any money you can take! Total potential winnings are RUB 40,000. Attackers can look forward to network access on the first day and physical access on the second day. Perhaps you'll hit the jackpot?
CAMBreaker
Great news: CAMBreaker is returning to PHDays. See how well you can hack IoT devices and find zero-day vulnerabilities in popular IP cameras. We encourage web application aficionados, masters in firmware reverse engineering, and beginning Binwalkers to all take part. Bonus new to this year: firmware has been extracted for analysis from all devices (over 12 in total).
blzhquest
The St. Petersburg CTF (SPbCTF) community invites PHDays visitors to compete in a unique CTF. Be the first to reach the community's mascot, an enchanted hedgehog who has a few prizes for the best and brightest. Hack servers one after the other in order to climb higher on the pyramid. Each level of the pyramid consists of a set of tasks for web, reverse engineering, forensics, and crypto. Prizes await the first to complete each level. At the top stands the hedgehog, eager to award the main prize to the first person to ascend the pyramid in its entirety. To take part, walk up to the blzhquest stand and get the username and password for the contest network. Tasks can be completed from anywhere at any time during the forum. Laptop is required.
The Labyrinth
It's a smart home! At PHDays! Rostelecom has created The Labyrinth, in which participants are given 15 minutes and three tools of their choice to take on a smart home.
To win, a three-person team must complete The Labyrinth without triggering any alarms and steal a special PHDays statuette from inside. Teams with the best times will receive prizes from Rostelecom.
2drunk2hack
It's a tradition to close out the PHDays contests with 2drunk2hack. Participants will compete at hacking web applications protected by a web application firewall, as well as maintaining their ability to think while inebriated. The objective is to successfully attack a firewalled web application. Every five minutes, the participants whose actions have attracted the most attention from the WAF will down 50 ml of high-proof consolation—and then head back into battle. Win by being the first to collect the main flag via executing commands on the server. Participants must bring their own hardware and software.
More information is available on the Contests page.
New contests at PHDays
Many say contests are the most exciting part of Positive Hack Days. And this year we have some all-new additions awaiting.
Come to the Fizpribor stand to engage in H@rd Logic Combat. If you're tired of tin soldiers and toy trains, pit yourself against the solutions used for field-level automation and safety instrumented systems for state-of-the-art Russian industrial control systems in nuclear energy. Over the course of two days, participants will try their hardest against ALTLinux and QNX components, as well as algorithmic modules based on hard logic. Participants must register in advance by writing to hlc@fizpribor.ru. Please note that participation is at the full discretion of the organizers. The winners can look forward to an iPad, electric scooters, and other prizes.
All are welcome to take part in EtherHack, a new online contest. Find and exploit vulnerabilities in smart contracts in the Ethereum blockchain. The more tasks you complete, the more points you get—so score big to win. The smart contracts will be on the Ropsten testnet. Participants will need an Ethereum local client or browser extension (MetaMask). First place will be recognized with ether (valued at $1,000); the second-place winner will get a Ledger Nano S cryptocurrency hardware wallet and third place will come with mementos from the organizers.
Don't wait until the forum to get hacking! In the weeks leading up to PHDays 8, we will be holding two online contests: HackQuest and Competitive Intelligence. Nifty gifts and free PHDays invites await the winners. Register for PHDays and purchase tickets here. A ticket for two days costs RUB 14,400; one day costs RUB 9,600.
Deloitte Hackazon contest to start April 30
Deloitte is hosting Hackazon, an online contest that offers hackers a chance to warm up before next month's Positive Hack Days. The contest kicks off on April 30 and will last five days. Winners will receive PHDays invites and souvenirs. This jeopardy-style capture the flag (CTF) contest will be hosted on the Hackazon platform, which has been specially developed by Deloitte for simulating attacks on real infrastructure. Participants can gain experience in a safe environment while improving their pentesting skills. Deloitte Hackazon will have tasks of varying difficulty. Participants complete these tasks as quickly as possible, winning points for each task based on its difficulty level. Task completion is tracked in real time. Victory goes to those who complete the tasks most successfully and most quickly! Interested participants must sign up in advance. The first five participants able to complete all tasks will each receive a ticket to PHDays 8. Three of them will also receive PHDays souvenirs. The exact start time, as well as the Hackazon URL, will be posted by the organizers closer to the contest start. Check this space for updates!