PHDays: to the nines

5/24/2019

PHDays 9 has finished, having brought together a record-breaking 8,000 participants. Information security experts, journalists, politicians, and artists, as well as representatives of business and government from all over the world, attended over 100 talks. In contests, attackers hacked a gas pumping facility, ATM, Tesla cars, and more. The evening wrapped up with a live rock concert. Today we will announce the results of some contests and highlight a few fascinating presentations from Day 2.

Results of The Standoff

Even while presentations were underway, attackers, defenders, and SOCs engaged in cyberwarfare for control of City F. As noted in the roundup for Day 1, the True0xA3 team of attackers exploited a simple vulnerability just 30 minutes into the game and successfully penetrated the defenseless office of an industrial company, getting domain administrator privileges. A while later, the same team stole a financial report from the PC of the head accountant of a local media company.

Overall, Day 1 was rather quiet. The attackers were just testing the waters and trying to expand their presence on the infrastructure. True0xA3 patched the vulnerabilities of the office they captured, preventing other attackers from getting in. Because this office controlled the ICS, the team could target other facilities in the city. But incidents were few and far between.

Towards the evening, the participants found out the city had a cryptocurrency. They started placing miners on every accessible machine. And the same True0xA3 crew hit the jackpot.

The dark of night is the time for dark deeds. Two teams, True0xA3 and TSARKA, were dueling for domination of City F. The bone of contention: the industrial office hacked by True0xA3. After a few hours of fighting, the teams decided to call it a draw and work in parallel. This tactic resulted in several incidents in the morning.

True0xA3 turned the city streets into a light show by switching the lights on and off. Then they caused an oil spill at the oil storage facility. TSARKA hacked two SCADA systems at the oil refinery.

Towards the end of Day 2, there was a massive data leak from third parties. The STS defenders team discovered that the insurance company office was totally compromised. The attackers analyzed public sources and found confidential data—domain user accounts. Some of the defenders saw this activity and blocked it. Others were not so fast. In the end, True0x3A used this information to penetrate the internal network through a corporate VPN and escalate their privileges. In just seven minutes they managed to obtain domain administrator rights. STS came up with a response tactic, but did not manage to implement it in the time available.

Mikhail Levin of the PHDays Organizing Committee summarized: "This year, The Standoff was not just between attackers and defenders, but between the different attacker teams. There were teams like True0xA3, which quickly found the weak spots, patched the holes, and kept things under control. But most teams failed to break into the offices, though protection could be spotty. As for defenders, this year we assessed their approach to protection. What struck us as best was a common-sense approach based on constant monitoring and prompt response."

The highest-scoring attacker team was True0xA3 (3,023,264 points), followed by TSARKA (1,261,019 points), and hack.ERS (125,500 points). The leader among the defenders was Jet Security Team (44,040,600 points). The Standoff also included a hackathon. Developers created applications, which were attacked throughout The Standoff, as the attackers wrote bug bounty reports on the vulnerabilities they found. The winner of the hackathon was bitaps.com.

A detailed look back at all events of The Standoff will be provided later. Stay tuned!

Contests

Over the two days, there were a lot of hacker contests. Security experts at the Network Village test bed spoke about network fuzzing, SSL pinning, MITM attacks, attacks against web applications and USB devices, and many other topics. Participants learned about attack types and vectors, and immediately put that knowledge to good use in the E&E Exploit Express, in which participants had to go through several vulnerable services and collect flags. In this contest, the winner was Throne6g, h4rm0ny came second, and Technical Assistance Center Uzbekistan came third.

Forty people competed for the title of Industrial Ninja in a contest to hack a gas pumping facility. There were three test beds modeling real-life industrial processes. The scenario is that a highly pressurized (over 100,000 Pa) lethal airborne pesticide (in reality, just air) is pumped into an elastic container (a balloon). Each test bed had a different difficulty level reflecting its degree of security: Novice, Veteran, and Ninja. Over the two days, five out of six challenges were solved. The winner, who scored 233 points, spent a week preparing for the contest. The top three winners, in order, were a1exdandy, Rubikoid, and Ze.

At the AI CTF contest, information security specialists could learn about using various ML technologies in gaming CTF services, and machine learning specialists could demonstrate how these services can become vulnerable. Winners were silent (1st place), kurmur (2nd place), and konodyuk (3rd place).

Contestants needed to hack five vulnerable hosts and collect flags, while remaining unnoticed by the intrusion detection system. Here are the participants who pulled off this challenge: psih1337 (1st place), webr0ck (2nd place), empty_jack (3rd place).

One of the new additions this year is the ESCalation Story: Spin-Off forensics contest. Participants were invited to solve a number of incident investigation tasks. The best were Stanislav Povolotsky (1st place), Mikhail Prokhorenko (2nd place), and Mikhail Borodin (3rd place).

The concluding contest, as in past years, was 2drunk2hack. More results from all the contests will be provided later.

Problematizing artificial intelligence

Sergey Gordeychik, one of the founders of PHDays and currently CIO at Inception Institute of Artificial Intelligence (IIAI), Abu Dhabi, gave a presentation called "AI as Commodity and a Bit of Security." He talked about methods of implementing artificial intelligence in various areas of the economy.

Forecasting harvests, measuring national economic growth, calculating oil reserves, and many other things are currently achieved with satellite imaging analysis. To automate these tasks, we can use solutions based on machine learning. But those can bring their own problems. For instance, data has to be obtained from different contractors, often in different formats, and the flood of information can reach 1 petabyte per day.

Sergey recommended rereading Summa Technologiae by Stanislav Lem, and reminded that we cannot completely trust machine learning algorithms. He gave an example of an ML solution that incorrectly identified skin diseases. The algorithm encountered photos of people using a ruler to measure their lesions, and therefore "learned" that the presence of a ruler was the primary diagnostic criterion. There is also a risk that ML models may contain backdoors.

In addition, there are issues with the security of GPUs used for ML calculations. Video cards have a number of vulnerabilities, and when access is granted, their memory and data can be read.

Businesses are well aware of why they need facial recognition, image recognition, and machine learning. Banks and retailers want to know the mood of customers when they come in, what to offer them, and which cashier they might get along with best. But for your average user, there are not so many "killer" technologies implementing ML. One important area is neural interfaces, which monitor brain waves to assist people recovering after a stroke.

Sergey believes time will tell which reality humanity will live in: that described in Neal Stephenson's Snow Crash or Monday Begins on Saturday by the Strugatsky brothers, and whether the rest of the world will copy the Chinese social credit system or take inspiration from another dystopian novel.

Identifying APT groups with machine learning

Discussion of machine learning continued with a presentation by Tomoaki Tani and Shusei Tomonaga from the JPCERT/CC incident response group. In a classic targeted attack, the attacker penetrates the network and uses malware to infect hosts and servers. Windows Active Directory records these events, and security systems can use that log, but there's just too much data there. The experts agreed that SIEM systems can be useful, but also pointed out that not all such systems can differentiate a legitimate event log from a malicious one. They presented LogonTracer, an incident response tool visualizing the relationship between credentials and hosts. In the following screenshot you can see an example of activity of the Tick APT group, which attacks medical, biological, technological, and chemical companies in Asia.

How to hack an iPhone

The less security-savvy often ask if it is possible to hack an iPhone. It is possible, if you wedge between the device and the user by performing a man-in-the-middle (MITM) attack. Vladimir Ivanov, information security auditor at Digital Security and author of the Raw-packet project on GitHub, made a presentation called "Apple, all about MITM."

This attack can be performed on a phone connected to Wi-Fi. The attacker needs to disconnect the victim's device from the Wi-Fi network. Another option is to wait for the exact moment the device connects to Wi-Fi. Then the attacker just has to wait for a request from the DHCP server. This request can be intercepted because it is a broadcast request. Tinker a bit with DHCP requests, and the attacker's equipment becomes the gateway between the access point and the Apple device, allowing the attacker to intercept confidential data. According to Vladimir, Apple claims this is not a bug, but a feature.

Section for cybersecurity mythbusting

Positive Technologies experts discussed the opportunities offered by the latest and battle-tested technologies in different industries at "Constructive criticism of security and critical approach to constructing it." Topics included modern cyberattack scenarios; protection of ICS, telecom and banking systems; risks related to IoT and AI; qualitative changes in web applications and their security, and, of course, hardware vulnerabilities and ways of ensuring more secure coexistence with them.

Elmar Nabigaev, Head of Information Security Threat Response at Positive Technologies, took on some of the most popular myths about targeted attacks: "Targeted attacks are very hard to deal with," "It is impossible to protect against APTs," "APT groups are not interested in us," "Preparing for an APT can't be done." Elmar noted that very often, hackers know more about an organization than the organization itself. The main problem is that companies do not practice basic information hygiene. Often this is because of a lack of resources. However, if companies even just patched vulnerabilities on time, this alone would give APT groups a hard time. Why would attackers concoct a complex multistage attack if they can penetrate a company's infrastructure using simple tools and known vulnerabilities? Especially as zero-day vulnerabilities are expensive. Even well-protected companies can never let down their guard: "There are no ironclad guarantees. Even if you managed to stop an attack, you can never be sure about the next one." Defense must be proactive.

Vladimir Nazarov, Head of ICS Security at Positive Technologies, observed that industrial companies still believe in "air gapping," "security through obscurity," and that "protection tools impact operations." As Vladimir said, "You have to know who is on the ICS network and what is going on there. If you do not know what this, you don't have a chance." It is also vital to simplify monitoring of industrial protocols by deploying and fine-tuning specialized monitoring tools.

Dmitry Kurbatov, Head of Telecommunications Security at Positive Technologies, brought up the dangers associated with the latest communication standards: "A 5G network can be hacked just as easily as a website or company's security system." 5G networks are intended to tie together the so-called Internet of Everything. As Dmitry pointed out, "The main 5G subscribers will be devices and not people. This means billions of connected IoT devices."

The 5G network standard is still under development, the maturity level is growing, and developers are trying to use the Secure by Design approach. Nevertheless, attacks on signaling networks aimed at intercepting user traffic remain a serious threat. This will be especially true during the transitional period when 5G will be running on top of 4G networks. Dmitry also pointed out that the traditional information security paradigm of confidentiality, integrity, and availability has been changing—the IoT prioritizes availability above all.

Timur Yunusov, Head of Banking Security at Positive Technologies, touched upon the security of banking systems.
He noted that financial organizations have different levels of security awareness: some companies don't even have robust knowledge of banking processes. Regulatory requirements remain a crucial driver of security. Yet in most cases financial companies are guided by risks: How much can an attacker steal? And what is the likelihood of an incident?

According to Positive Technologies experts, it is easy to find vulnerabilities in financial systems, but hard to fix them. Timur summarized: "What should banks do after they order and obtain vulnerability reports? Our first recommendation would be to contact vendors in order to fix vulnerabilities. But security experts are a bother for vendors: the latter are not interested in fixing bugs, as they are not the ones who stand to lose money. A financial firm must be large in order to prod vendors and eliminate vulnerabilities."

Arseny Reutov, Head of Application Protection Research at Positive Technologies, spoke about the evolution of web application security. He identified four stages in the development of applications and protection tools: monolithic applications, virtual applications, containerization, and serverless architecture.

"Web applications are developing, but the security remains at the same level. Tools for securing information are not keeping pace with the ongoing changes," Arseny concluded.

Security expert Maxim Goryachy spoke about firmware. The credo of firmware developers is "security through obscurity." The problem is that firmware offers maximum privileges (memory and data access), end users almost never update firmware, and the code and architecture quality is usually poor. What makes things even worse is that firmware attacks are not detected by modern protection tools. Manufacturers are often unwilling to fix bugs, and vulnerable equipment can be used for years (giving rise to so-called forever day vulnerabilities).

Machine learning engineer Alexandra Murzina talked about risks of using AI. In cybersecurity, AI can be used both for defense (IDS, WAF), and for offense (fuzzing); however, AI itself can be vulnerable. According to her, "some people want models to make mistakes and strive to find as many vectors giving a misleading result as possible."

Nikolai Anisenya, Head of Mobile Application Security at Positive Technologies, spoke about security of mobile applications. He busted the myth about non-existence of iOS Trojans.

Nikolai also talked about threats related to biometrics and the security of communication channels. He commented that biometrics do not guarantee security of mobile applications: "When using biometrics, critical data is stored on-device and can be easily accessed with escalated privileges." As for communication channels, many developers have learned to use encryption in their applications, but do not always implement it correctly.

Censor-proof registrar

Positive Technologies expert Alexei Goncharov in his presentation "Threat Mining in Namecoin" touched on all the fashionable topics of recent years—blockchain, bots, bitcoins, big data—to explain a thing called Namecoin. It’s a public blockchain domain name registrar based on bitcoins. What makes Namecoin unique is its protection from forced de-delegation of domain names. If you try to resolve facebook.bit (in other words, translate that domain name into an address), the registrar will go to the blockchain to get addresses, take a record from there, and resolve it. Namecoin is resistant to abuse, or, as the owners of this blockchain call it, censor-proof. After information enters the blockchain, it can’t be deleted. So nobody can capture, blackhole, or de-delegate a domain. This caught the attention of owners of various botnets, who started using it to manage the names of C&C servers. But the ability to see all changes in the blockchain allows security specialists to track down and study the actions of such attackers.

PHDays was complete with standout events unusual for the IT world: a cyberquest, music festival (Positive Wave), children’s activities (The StandOff Kids), Movie Battle, experimental social track, and rock concert. Descriptions of all these will be forthcoming soon. Videos of PHDays 9 talks are available at https://www.phdays.com/en/broadcast/.