Positive Hack Days 2012 Is Over: Hackers Cracked the Planet

6/6/2012

In the last days of May, Moscow hosted Positive Hack Days 2012, an international forum for specialists in practical information security, organized by Positive Technologies. Over the course of the event, the forum was attended by more than 1,500 people: information security professionals, hackers from all over the world, and representatives of companies, government bodies and the Internet community. These people could hardly have imagined that they would meet under the same roof. PHDays 2012 gave the floor to such speakers as the legendary Bruce Schneier and Datuk Mohd Noor Amin, Chairman of IMPACT. Dozens of reports and hands-on labs were presented, and numerous hacking and security protection competitions were held, including a large-scale CTF contest.

Capture the Flag and HackQuest

A cyberpunk storyline and real-life vulnerabilities became the hallmark of the CTF (Capture the Flag) contest, the forum's headline competition. The plot invited the teams to travel into the future and save Earth's civilization from a catastrophe. To ‘hunt’ the flags, 13 teams came from Russia, Japan, the USA, Germany, France, Tunisia, the Netherlands, India, Spain, and Switzerland. For two days non-stop, the teams searched for vulnerabilities in their rivals’ systems to gain access to secret information (flags), while hardening their own systems by eliminating the vulnerabilities in them. First place was taken by LeetMore, a Russian team from Saint Petersburg, who received 150,000 rubles as a prize. Second place went to 0daysober from Switzerland (100,000 rubles), and third to Int3pids from Spain (50,000 rubles). Last year’s winners of PHDays CTF, American hackers from PPP, took fourth place.

In their search for vulnerabilities and flags, the teams could share their quest with the Internet participants of the Online HackQuest. First and second places were taken by Russians – BECHED ahack.ru and ufologists – and the bronze went to stratum0, a specialist from Germany.

Hijacking a Drone

Unmanned aircraft are far more than just phantoms of writers’ imagination. Nowadays they are widely used by the armed forces of various countries for efficient annihilation of enemies. The organizers devised a competition that modeled a situation in which such a device is hijacked by a hostile force. According to the PHDays CTF legend for the second day, the teams had to find a means of transportation, namely an aircraft. For this task the organizers had prepared two AR.Drone devices operated from a mobile phone via insecure connections. The CTF contestants had two hours to take over the device. Sergey Azovskov, a Russian information security expert from Yekaterinburg, was the first to complete the task.

“It was already a year ago that the first PHDays set a high standard for a well-organized event in the field of information security. This year, the forum has been even better and proved that an event in our field can be interesting, dynamic, and positive. You can feel that the organizers have put all their love and care into PHDays, which is half the battle. We have been working with Positive Technologies for many years, and for the second time we have supported the PHDays initiative. I’m positive that this tradition will go on,” commented Alexander Lukatsky, Cisco Systems.

Hacking Apple iPhone and Windows XP

In the modern information space, detecting an absolutely new vulnerability (0day) in a popular and smoothly running product is the same as making a serious invention. That is why competitions on hacking various operating systems and applications played a key role in the program. The result of these competitions was somewhat similar to that of the CTF: most prizes were taken by Russian specialists. Nikita Tarakanov demonstrated a hazardous vulnerability in Windows XP, which earned him 50,000 rubles. Pavel Shuvalov, known for his Vulndisco Mobile 1.7 utility, which is meant for jailbreaking iOS-based devices, hacked an iPhone 4S by exploiting a vulnerability in the popular Office² Plus. This victory brought him the iPhone 4S and 75,000 rubles. In addition, while fighting for flags, a member of LeetMore (the CTF 2012 winners) detected a 0day in the FreeBSD 8.3 release. This vulnerability enables any local user to bypass security restrictions (FreeBSD Jail).

“The forum was a pleasant surprise for me, because there’s been a huge need for events of that kind in Russia. In particular, I’d like to mention the friendly atmosphere that the organizers have managed to create. The name suits the forum perfectly: everything – the content, the entry list, the quality of the reports – is far better than a year ago. PHDays has reached a higher level but managed to keep its main peculiarities: the unique emotional level and the atmosphere that encourages informal interactions with so many interesting people,” says Alexander Gostev, Kaspersky Lab.

Sharing Experience Is Fun

The practical goals of PHDays 2012 were highly praised by guests and participants of the forum. Over 50 presentations, hands-on labs and round tables were conducted under the slogan “Minimum marketing, maximum experience”. The banking section, attended by information security experts and representatives of financial organizations, ended with the $natch competition. By exploiting vulnerabilities typical of remote banking systems, hackers managed to transfer different amounts of money to their virtual accounts and then cash them out at an ATM standing near the playing area. The competition was won by Alexey Osipov, a senior student at Moscow Power Engineering Institute, who was able to steal 3,500 rubles from the bank. Incidentally, at the banking section, Artem Sychev of Rosselkhozbank shared alarming news: every day, 15-20 attempts to steal money from bank accounts are recorded in Russia.

The main hall was overcrowded when Bruce Schneier, a legendary cryptography researcher, gave his presentation there. In his ironic manner, Bruce supported those who sometimes feel an uncontrollable urge to break laws out of sheer curiosity. By breaking rules, they advance society.

Sergey Gordeychik, CTO of the organizing company, shared his experience of detecting and eliminating vulnerabilities in telecommunication networks. The convergence of various types of networks and appliances makes them vulnerable to dozens of hacking methods. For example, an intruder can conduct an attack via a channel used by employees for online games, or make use of a vulnerable web camera interface, a contractor's WiFi access point, a hostile resource located on the same hosting, and so on.

Andrei Costin demonstrated the reasons for and the methods of hacking a printer. Marcus Niemietz showed weaknesses of the Android OS security system. Vladimir Vorontsov explained the purposes of XXE attacks, revealing 0day vulnerabilities along the way. Alexander Gostev of Kaspersky Lab provided new details about Flame, a recently detected spy cyber weapon of a new generation. The subject of organized hacking was further developed by Haythem El Mir, an information security specialist from Tunisia. In his report about a fight between the Tunisian Computer Emergency Response Team and a group of hackers called Anonymous, he dispelled the myth about the professionalism of Anonymous, whose members are believed to be the best hackers ever. A curious incident took place during Jerry Gamblin’s presentation: while he was speaking about his analysis of the activities of LulzSec, who had hacked the CIA’s web site, a group of people entered the hall with their faces hidden under Anonymous masks. The speaker was not flustered in the least and gladly put on one of the masks after his presentation.

The experts of Positive Research described vulnerabilities in popular enterprise software products, such as the Cisco Secure ACS network equipment management system, the popular web server Nginx, and the Citrix Xen virtualization system, as well as about a dozen vulnerabilities in various Web applications.

At the special section on SCADA, Positive Technologies announced its initiative in the field of production management system security: cooperation with Siemens in finding and eliminating vulnerabilities in SCADA SIMATIC WinCC, and the development of configuration security standards for popular SCADA systems.

The organizers also used the forum to announce their new educational project, Positive Education. In the course of the project, Positive Technologies specialists will assist professors of Russian technical universities and institutes in developing practical educational programs in information security. The forum continued with presentations by young scientists who came from different Russian cities as finalists of the Young School competition.

This year, Positive Hack Days was for the first time supported by numerous hackspaces as part of the PHDays Everywhere initiative. The map of online platforms attended by the local elite of the hacker world spanned a huge distance, from Tokyo to Krasnodar and from India to Tunisia. For the visitors of the hackspaces, the organizers set up interactive online broadcasting with live standups and prepared a special competition, Hacked in 137 seconds, which required the participants to hack Cisco-based network appliances. The winner was the DCUA team from Ukraine, followed by XBios from India.

“I think this event gives everyone splendid opportunities to meet their friends and partners, as well as new interesting people, and to discuss all sorts of topics. By now means, it charges you with positive energy for the whole year! I’m sure we’ll spend the year waiting for PHDays version 3.0 (and time will fly fast)! I know PHDays and Positive Technologies have a great future ahead. I’m so happy to see accompany the company in its first steps towards their future,” commented Aydar Guzairov, ICL-KME CS.

The Planet Needs Positive Hackers

The keynote speakers of the forum, Bruce Schneier and Datuk Mohd Noor Amin (Chairman of IMPACT), unanimously noted the significance that positive hackers have for the progress and security of humankind.

Positive Hack Days 2012 ended with an amusing competition called Too Drunk To Hack NG. Every five minutes, the participant whose actions had triggered the firewall's alarm more often than those of the other competitors had to drink a shot of tequila and go on trying to hack the application. The competition was won by Vladimir Vorontsov, ONSec. It took him 350 milliliters of the strong drink to win!

“Judging by the feedback, Positive Hack Days has become what we wanted it to be – a place where knowledge is shared between all sorts of people: from a science fiction writer up to an official. A place where people with antipodal viewpoints can hear one another and receive the most up-to-date information about information system security. A place where the future is created,” says Sergey Gordeychik, Positive Technologies.