MAY 2012 digital october
Table of Contents About Positive Hack Days 2012
2-3
Forum Program: Day One
4-7
Forum Program: Day Two
8-11
Venue Layout
12-13
Reports
14-43
Sections
44-49
Hands-on Labs
50-57
FastTrack
58-59
PHDays CTF 2012: Circuli Vitae
60-61
CTF Participants
62-65
Competitions
66-81
PHDays Young School: Competition for Young Scientists
82-83
PHDays Everywhere: Join Us Where You Are
84-85
1
F u t u r e
International Forum on Practical Security
N o w
Positive Hack Days is an international forum on information security issues organized by the Positive Technologies company It is the only place for the elite of the hacker’s world, representatives of business and government, and the Internet community to face one another and, in joint efforts, find answers to the most topical questions of information security
2
MAY 2012 digital october
1500 participants: • • • • •
leading international experts in information security; the world’s most skillful hackers; CIO and CISO of major Russian and international companies; IT vendors; representatives of government structures; young scientists and students.
Can a Trojan be installed on a printer? How secure is a universal email? How to recognize and beat a bot network? How to hack quietly and get away with it? Is it possible to control a nuclear power station via a browser? How to make web applications secure? How secure are smartphones and tablet computers? What specialists are sought for on the information security market?
For two days and a night, non-stop: • • • •
Professional discussion and 6 conference streams; International information protection CTF contests; Hacking competitions; Workshops and hands-on labs by leading practicing experts
The only place where world-famous experts will show you how to hack smartphones under iOS and Android, steal money from credit cards, penetrate ERP systems, mobile communication networks and SCADA, and attack electronic government sites, and then tell you how to get protected and evade the attacks.
Positive Hack Days is real communication and unique reports by leading experts. It is knowledge and skills, minimum of ceremonies and maximum of practice. It is the future of information security. The future that has already come.
3
International Forum on Practical Security
Time
8:00 – 9:00
9:00 – 9:50
9:50 – 10:00
10:00 – 10:50
The Main Hall (360)
F u t u r e
N o w
Hall 1 (120)
Visitor Registration and coffee Maria Garnayeva, The techniques of putting a spoke in botmasters’ wheels: the Kelihos botnet
Andrey Andreevich Komarov, Computer security incident investigation: SCADA forensics
Break Dmitry Sklyarov, Andrey Belenko, Secure password managers and militarygrade encryption for smartphone: Huh, really?
10:50 – 11:00
Break
11:00 – 11:50
Evgeny Klimov, Telecom vs fraud. Who will win?
Dmitry Gorelov, Smart-card technologies in Russia: from payphones to Universal Electronic Card section
Aleksandr Matrosov, Eugene Rodionov, Smartcard vulnerabilities in modern banking malware
section
11:50 – 12:00
Break
12:00 – 12:50
Sergey Gordeychik, How to hack a telecom and stay alive 2. Owning a billing
12:50 – 13:00
Break
Alexey Yevgenievich Zhukov, ight cryptography: resource-undemanding and attack-resistant
MAY 2012 digital october
Forum Program Day One [ Future ]
Hall 4(80)
Pierre-Marc Bureau, Win32/Georbot. Understanding a malware and automating its analysis
Hands-on Lab
Hall 5 (60)
Dmitry Ryzhavsky, Wireless network security. How you network was hacked and how it could be avoided
Hands-on Lab
Hall 3 (50)
Vladimir Lepikhin, Web application attacks. The basics
Hands-on Lab
International Forum on Practical Security
Time
The Main Hall (360)
F u t u r e
Hall 1 (120)
13:00 – 13:50
Bruce Schneier, Keynote
13:50 – 14:00
Break Alexander Gostev, The secret of Duqu
14:00 – 14:50
13:50 – 14:00
Break
15:00 – 15:50
Travis Goodspeed, Exploiting radio noise with packets in packets
15:50 – 16:00
Break
16:00 – 16:50
Alexey Lukatsky, How presidential election in Russia influence information security market, or Trends in regulations
16:50 – 17:00
Break
17:00 – 17:50
Demo section Seeing once is better...
section
N o w
Haythem EL MIR, Fighting Anonymous in Tunisia
Alexey Yudin, ERP as viewed by attackers
Sergey Scherbel, Not all PHP implementations are equally useful
Nikita Tarakanov, Alexander Bazhanyuk, Automated vulnerability detection tool
MAY 2012 digital october
Forum Program Day One [ Future ]
Hall 4(80)
Hall 5 (60)
Hall 3 (50)
Andres Riancho, Advanced Web 2.0 Security
Manish Chasta, Securing Android applications
Sergey Lozhkhin, Computer incident investigation
Hands-on Lab
Hands-on Lab
Hands-on Lab
Andrey Masalovich, Concurrence intelligence in Internet
Hands-on Lab
Alexander Lyamin, DDoS Surveillance HowTo. Part 2.
F u t u r e
International Forum on Practical Security
Time
The Mine Hall (360)
8:00 – 9:00
Visitor Registration and coffee
9:00 – 9:50
Sylvain Munaut, Abusing Calypso phones
9:50 – 10:00 10:00 – 10:50
Hall 1 (120)
Igor Kotenko, Program agent cyberwars. Applying the theory of intelligent agents team-work to form cyberarmies
Marcus Niemietz, Hijacking attacks on Android devices
Thibault Koechlin, Naxsi, an open source and positive model based web application firewall
Andrey Valeryevich Fedichev, Why state secrets leak to the Internet
Aleksey Moskvin, On secure application of PHP wrappers
Break Artyom Sychov, Ways to protect money
10:50 – 11:00
Break
11:00 – 11:50
Artyom Sychov, Ways to protect money section
11:30 $natch
12:00 – 12:50 12:50 – 13:00 13:00 – 13:50
13:50 – 14:00
Hall 4(80)
Vladimir Vorontsov, Attacks against Microsoft network web clients
section
11:50 – 12:00
N o w
section
Break Andrei Costin, PostScript: Danger ahead! Hacking MFPs, PCs and beyond…
Evgeniya Shumakher, A lazy way to find out you fellow worker’s salary, or SAP HR security
Ulrich Fleck, Martin Eiszner, From 0-day to APT your favourite framework
Benjamin Delpy, To Recover Plaintext Passwords of Windows Users
Vladimir Styran, The truth about the lie. Social engineering for security experts
Break Datuk Mohd Noor AMIN, Enhancing Cybersecurity Readiness Through International Cooperation
Break
Forum Program Day Two
MAY 2012 digital october
[ The Present ]
Hall 5 (60)
Hall 3 (50)
Alexey Lafitsky, System Engineer Kaspersky lab
Boris Ryutin, Security without antivirus software
Hands-on Lab
Hands-on Lab
Nikhil Mittal, Breaking havoc using a Human Interface Device
Young School / Fast Track
Human resources. Assembly instruction
Hands-on Lab
Andrey Petyhov, Dmitry Kyznetsov What is Young School? Maksim Shudrak, Ivan Lubkin, SibSAU, Krasnoyarsk Dmitry Myulavka, NRNU MEPhI
Darya Kavchuk, the University of Taganrog (SSU) Anastasiya Scherbina, MSU Denis Makrushin, NRNU MEPhI
Sergey Klevoghin, CEH. Ethical hacking and penetration testing Hands-on Lab
Pavel Laskov, T端bingen Wilhelm Schickard Institute for Computer Science
F u t u r e
International Forum on Practical Security
Time
The Mine Hall (360)
14:00 - 14:50
Alexander (Solar Designer) Peslyak, Password security: past, present, future
14:50 - 15:00
Break Mikhail A. Utin, Analysis
15:00 - 15:50
of US laws and regulations protecting personal information. What is wrong and how to fix it‌
15:50 - 16:00
Break
16:00 - 16:50
Alexey Andreev, The past and the future of cyberpunk
16:50 - 17:00
Break
17:00 - 17:50
Fyodor Yarochkin, Vladimir Kropotov,
Life cycle and detection of bot infections through network traffic analysis
Hall 1 (120)
Hall 4(80)
Alexander Mikhailovich Polyakov, SAP insecurity: the new and the best
Yuri Gubanov, How to find an elephant in a haystack
Miroslav Ĺ tampar, DNS exfiltration using sqlmap
Micha Borrmann, Paying with credit cards in the Internet can result in headache
Mikhail Emelyannikov, Why it is impossible to comply with Russian private data protection law
Dmirty Evdokimov, Light and dark side of code instrumentation
Jerry Gamblin, What we can (and should) learn from LulzSec
Vladimir Kochetkov, To hack an ASP.NET site? It is difficult, but possible!
18:00 - 18:30
CTF Final
18:45 - 19:00
Hack2own
19:00 - 19:15
Hack the RFID Final
19:30 - 20:00
Too Drunk to Hack NG
20:00 - 20:30
Award Distribution
20:30 - 21:15
Performance of the Undervud group
22:00
End of Forum
N o w
Forum Program Day Two
MAY 2012 digital october
[ The Present ]
Hall 5 (60) Alexey Yudin, DIY SAP security Hands-on Lab
Hall 3 (50) Sergey Klevoghin, CEH. Ethical hacking and penetration testing Hands-on Lab
Young School / Fast Track Alexander Zhirov, Olga Zhirova, Novosibirsk State University Andrey Shorov, SPIIRAS Polybelova Olga, SPIIRAS
Pavel Markov, Security issues of language D Alexander Kuznetsov, Applying SIEM to computer security incident investigation
Sergey Nevstruev, cticalities of Mobile Security Hands-on Lab
Ilya Smith, Kirill Mosolov, 10. *#level 15. In two clicks Alexey Sintsov, Alexander Minozhenko Hijacking VMware vCenter
Konstantin Korsun, The UISG: achievements and prospects Andrei Costin, Harvesting Voice Conference Bridges
International Forum on Practical Security
F u t u r e
N o w
Venue Layout
VIP Area Guest Area CTF Area Young School / FastTrack Hands-on Labs Halls Registration WC Buffet
Main Hall
MAY 2012 digital october
WC
Hall 5
WC
Hall 4
Hall 3
Hall 1
F u t u r e
International Forum on Practical Security
N o w
Report Keynote Speaker Bruce Schneier Bruce Schneier is an American cryptographer, writer and expert on computer security. Author of several books on security, cryptography and information security. Founder of cryptographic company Counterpane Internet Security, Inc., a member of the Board of Directors of the International Association for Cryptologic Research and a member of the advisory board of the Informative centre of electronic privacy, he has also worked for Bell Labs and the U.S. Department of Defence. He received a bachelor's degree from the University of Rochester in 1984 and a Master’s Degree from American University in 1988. In November 2011 he was awarded an Honorary Doctorate of Science by the University of Westminster for his contribution to the development of computer science. The 2012 PHDays are the first in Russia to deliver a legendary expert in information security, Bruce Schneier. He is the author of dozens of codes and six books, among which the bestseller «Applied Cryptography» has been translated into Russian. English
Enhancing cybersecurity readiness through international cooperation Datuk Mohd Noor Amin As Chairman of the International Multilateral Partnership Against Cyber Threats (IMPACT), Mr. Mohd Noor Amin leads the first United Nations’-backed public-private partnership against cyber threats with UN’s International Telecommunication Union (ITU) as its partner, and with 137 countries as members, IMPACT is also recognized as the world’s largest cybersecurity alliance. Mr. Amin’s role includes strategically guiding IMPACT and its stakeholders — including other international
14
MAY 2012 digital october
Report organizations and its 137 member states — to enhance the global community’s capacity to prevent, defend against and respond to cyber threats. Mr. Amin has been instrumental in converging governments of partner countries, cybersecurity experts, academia, and industry players and leaders onto IMPACT’s politically and commercially neutral platform, to escalate discussions and amplify measures on strengthening cybersecurity. Mr. Amin is also Chairman of Ascendsys, Southeast Asia’s leading managed security services organization. Mr. Amin is also a founding member of the Malaysia—U.S. Friendship Council, which is headquartered in Washington D.C. It is a body established and sponsored by leading Malaysian companies to provide advice on matters relating to bilateral relationship between the two countries. Besides these roles, Mr. Amin is also appointed by the President of the Republic of Guatemala to serve as the nation’s honorary envoy to Malaysia. In previous capacities, Mr. Amin also served as personal legal counsel to two previous Malaysian Prime Ministers and served as general counsel to Malaysia’s ruling party. Mr. Amin is an English trained barrister and has been admitted to the English Bar at Gray’s Inn and to the Malaysian Bar. Mr. Amin holds a Masters in Commercial and Corporate Law from King’s College, University of London (U.K.). English
The past and the future of cyberpunk Alexey Andreev Alexey Andreev (also known as Lexa and Mercy Shelley) is a poet, writer and Internet activist. From 1988 to 1993 he was a student of the Mathematics and Mechanics Faculty of Leningrad University. From 1994 to 1996 he was a post graduate student at the University of West Virginia (USA), since that time he has been a participant in various literary projects on the Internet. Since 1996 he has lived in Moscow and St. Petersburg. As a writer Alexey Andreyev is primarily known for his work in the field of Russian haiku. He became the first Russian author of the haiku, which received worldwide recognition, taking second place in the biggest world competitions: the Shiki Haiku Contest (in 1995) and the Mainichi Haiku Contest (in 1997). His book of haiku was published in 1996 in the U.S.A (in the author's translation) and in 2002 in Japan. The author of several popular articles on haiku, he has been published in the journals «Arion», «New Literary Review»
15
F u t u r e
International Forum on Practical Security
N o w
Report and others, as well as translations of modern haiku from English (including texts of Allen Ginsberg, Jack Kerouac, George Suida) and from French. He has also published two books of poetry (in Russian and English). Under the pseudonym of Mercy Shelley, Alexey Andreev wrote science fiction novels in the style of Russian cyberpunk («Web» and «2048»), which introduced his ironic view of the further development of modern society. Russian
Exploiting radio noise with packets in packets Travis Goodspeed Travis Goodspeed is a neighborly reverse engineer from East Tennessee in Southern Appalachia. He has written key and firmware extraction techniques for several microcontrollers, as well as remote radio exploits for hardware bugs common to most modern digital radio protocols. Noise is everywhere in radio, and in digital radio it is more than a nuisance. With the Packet-in-Packet (PIP) technique, noise can turn a benign packet into a malicious one, allowing for remote Layer 1 frame injection without having a radio. This talk will show how PIP exploits are written, including working examples for IEEE 802.15.4 and the Nordic RF low-power radios. The exploit consists of a string which, when transmitted at Layer 7, is reliably changed by noise to become a Layer 1 frame. The attacker controls all fields of the injected packet and can trigger the exploit in a remote network without having his own radio. The vulnerability being exploited is in hardware, and no software bugs are needed. Russian
16
MAY 2012 digital october
Report Password security: past, present, future Alexander (Solar Designer) Peslyak Alexander Peslyak, better known as Solar Designer, has been professionally involved in computer and network security since 1997, and he has been professionally developing software long before that. Alexander is an Open Source software author & team leader at Openwall Project and Openwall GNU/*/Linux, computer security expert, Founder & CTO at Openwall, Inc., information security consultant at DataForce ISP, member of informal and semi-formal computer security communities. Alexander has presented on computer security and Open Source software topics at international conferences (HAL2001, NordU, FOSDEM, CanSecWest), served as the technical reviewer for a novel computer security book (Michal Zalewski's Silence on the Wire) and wrote the foreword for it. He is recognized in the “security community� primarily for the security tools (software) released to the public under liberal Open Source licenses, and for many contributions to other popular Open Source software (primarily Linux and related applications). The report will address the issues of password protection in an historical perspective, as well as the prospects of authentication technologies in the near future. The developer of John the Ripper, a popular utility to analyse the strength of passwords, Alexander (Solar Designer) Peslyak will graphically demonstrate how the resistance of the sword and shield develops in the world of computer security. Russian
17
F u t u r e
International Forum on Practical Security
N o w
Sections
Ways to protect money
Leading experts from Russia and other countries will consider problems of banking security and offer strategies of their solution within this section. Areas of discussion: peculiarities of bank fraud and resistance to it in Russia, smart cards security, banking Trojans’ evolution, vulnerabilities of web shopping security systems, core and remote banking security.
Moderator: Artyom Sychov
Artyom Sychev is Departmental Deputy Director and Head of Information Security at RoccelkhozBank JSC. He was born in Moscow in 1969 and has over 15 years’ experience in the field of banking systems’ information security. Since 1999 he has held a candidature in technical sciences (with a thesis on firewalls). He took an active part in the development of a set of documents on the standardization of information security for the Bank of Russia. Associate Professor of Bauman Moscow State Technical University, a prize-winner of the professional award of the IS «Silver Dagger.» He is a board member of the inter-regional public organization Association of managers of information security services. Section participants: Artyom Sychov, Deputy Director of the Security Department, the Head of the Information Security Directorate of Russian Agricultural Bank; Dmitry Kuznetsov, Deputy Technical Director of Positive Technologies; Evgeny Tsarev, Head of department at Technoserv; Nikita Shvetsov, Director of Threat Research at Kaspersky Lab; Yury Lysenko, the Head of the Information Security Directorate of the Business Protection Department in Home Credit & Finance Bank; representatives of the leading antivirus vendors Ulrich Fleck (SEC Consult Austria) and Micha Borrmann (SySS GmbH).
At the turning point of the section the participants will be offered to crack a remote banking system of a fictional bank in a real-time mode and withdraw money from it. The system is specially developed for the competition, but contains actual vulnerabilities and mistakes, detected by the specialists of Positive Technologies who have pentested and analyzed implementation of PCI DSS and STO BR (Russian Bank Information Security Standard) requirements. The second task of the competition will be more complicated – participants will be offered to crack the same remote banking system, but only when its protection system is fixed by the participants of the international information security competition PHDays CTF 2012 held as part of the forum. Specialists from Germany, the Netherlands, Russia, the USA, Tunisia, France and Japan comprise the teams of PHDays CTF 2012. This will allow finding out what country is better prepared for the protection of their banks.
Level: 100 Russian
44
MAY 2012 digital october
Sections
Seeing once is better‌
Moderator: Dmitry Evteev
Dmitry Yevteev started his career in Positive Technologies as an information security specialist. At present, he is Head of Security Assessment Department. Dmitry Evteev supervises dozens of operations of comprehensive penetration testing for various information systems. He takes an active part in developing the information security in Russia by giving educational presentations and professional speeches at the major events and publishing analytical and technical articles on information security. Since 2011, Dmitry has been one of the ideologists and founders of Positive Hack Days, an international information security forum. Section participants: Mikhail Afanasyev, SCADA security. Web vector Alexander Zaitsev, RFID security today Alisa Shevchenko, Why antivirus keeps silence when web money disappears Sylvain Munaut, Listening to mobile network Artyom Chaikin, Mobile device troyan in action Based on the best materials of the Positive Hack Days 2012 forum, this presentation will offer participants the cutting edge feats of hacking and the most relevant studies in the Information Security field. Dmitry Yevteev will demonstrate how to hack into the RFID and SCADA systems, how long it takes to get the passwords of a mobile phone and how to manage a corporate network using the administrator browser.
Level: 100 Russian
45
F u t u r e
International Forum on Practical Security
N o w
Sections Why state secrets leak to the Internet Moderator: Andrey Valeryevich Fedichev Andrey Valeryevich Fedichev is deputy head of administration in Federal Service for Technical and Export Control (FSTEK of Russia) Section participants: Nikolay Anatolyevich Pavlenko, a partner in the Georg Consulting company. Experience shows that the leakage of confidential, secret and official information to the Internet is a rather common problem. Loads of interesting information can be found in an open or relatively open access. Mysterious hackers are rarely guilty. Information most often leaks due to the total change of technologies and society, mistakes in IT systems management, negligence and disregard of official duties. So what is the scale of the problem? And how the problem can be solved? Level: 100 Russian
46
MAY 2012 digital october
Sections
Telecom vs fraud. Who will win? Moderator: Evgeny Klimov
Evgeny Klimov is the President of the Russian Information Systems Security Professional Association (RISSPA) and the founder of the Russian branch of the Cloud Security Alliance. Evgeny graduated in Information security management and technology at the Academy of Federal Security Service of the Russian Federation (FSB Academy). Evgeny started working in the information security field in 2002; he worked as a Project Manager and Head of information security departments of large companies. At present, he is a risk manager at PricewaterhouseCoopers. He holds the following certificates: CISSP (Certified Information Systems Security Professional), ISC2; CISM (Certified Information Security Manager), ISACA; PMP (Project Management Professional), PMI; CCSK Cloud Security Alliance; STO BR IBBS Auditor ABISS. Evgeny Klimov is also a member of the following international professional associations: Information Systems Audit and Control Association (ISACA), Project Management Institute (PMI), International Information Systems Security Certification Consortium (ISC)². This section covers the most relevant and complicated issues on how to respond to unauthorized activities in the sphere of telecom and mobile communications. Level: 100 Russian
47
F u t u r e
International Forum on Practical Security
N o w
Sections
Smart-card technologies in Russia: from payphones to Universal Electronic Card
Moderator: Dmitry Gorelov
Dmitry Gorelov is the Commercial Director of Active-Soft CJSC. He has been engaged in information security for more than 20 years. He’s one of the founders of Rutoken, an expert of the nonprofit partnership Developers and Operators of E-Service Systems (ROSEU), Programming Director of the RusCrypto conference. Section participants: Dmitry Azin, the head of the commercial and personal information security department, JSC UEC. Konstantin Mytnik, the head of smart cards department, JSC Mikron. The section deals with modern smart card technologies and ways to apply them in various public-sector and commercial projects. Special attention will be given to the Universal Electronic Card as the method for providing state and municipal services to the citizens of Russian Federation. Level: 100 Russian
48
MAY 2012 digital october
Sections Human resources. Assembly instruction In this section, the representatives of higher educational institutions, job oriented training facilities and members of the IS market will discuss the issues of education and advanced training in the sphere of informational security. Featured guests: Anatoly A. Malyuk, MEPHI Dmitry V. Ershov, Security Training Center Informzaschita Denis Yu. Gamayunov, CMC MSU Sergey V. Gordeychik, Positive Technologies Level: 100 Russian
49
F u t u r e
International Forum on Practical Security
N o w
Hands-on Labs Web 2.0 security. Advanced techniques Andres Riancho Andres Riancho is an information security researcher who currently leads three closely related efforts: the development of NeXpose's Web application security scanner, the community-driven and Open Source w3af project and a team of skilled Web application penetration testers that work at Bonsai. In the research field, he discovered critical vulnerabilities in IPS appliances from 3com and ISS; and contributed with SAP research performed at his former employer. His main focus has always been in the Web Application Security field, in which he developed w3af, a Web Application Attack and Audit Framework used extensively by penetration testers and security consultants. Andrés has spoken and held training
at many security conferences around the globe, like SecTor (Toronto), OWASP (Poland), CONFidence (Poland), OWASP World C0n (USA), CanSecWest (Canada), T2 (Finland) and ekoparty (Buenos Aires). Andrés founded Bonsai in 2009 in order to further research into automated Web Application Vulnerability detection and exploitation. Web Application Security, Python, IPS device evasion, Networking, Information security research in general, Software development, Agile, Scrum, Product Owner. This workshop will cover a set of vulnerabilities and attacks that is not usually included in other Web security training courses, the addressed topics have been discovered recently compared to such vulnerabilities as SQL Injection. Most topics are related to new technologies such as HTML5, new programming languages (Ruby) and paradigms («the cloud»). Below are some topics that the reporter will cover: • ClickJacking • Session Puzzling • HTTP Parameter Pollution • Bizarre XSS injection points in HTML5 • Understanding and exploiting localStorage • HTML5 and DOM based XSS and redirects • CSRF and leveraging CORS to bypasses SOP • Understanding and exploiting WebSQL — Client side SQL injection A laptop with VMware Player installed: at least 2 GB RAM and 20 GB of hard drive free space. Level: 300/ English
50
MAY 2012 digital october
Hands-on Labs Win32/Georbot. Understanding a malware and automating its analysis
DIY SAP security Alexey Yudin Alexey Yudin is the Head of Business Applications and Database Security Department of Positive Technologies. He graduated from the Moscow State Forest University (specializing in Applied Mathematics) in 2003. From 2002 to 2005 he held the position of an engineer (Head of the Sector) in the Research Institute of Precision Instruments. He was an analyst at Informzaschita in 2005—2006. Alexey Yudin’s main area of activity is database and business applications security; he partakes in large-scale auditing and penetration testing, as well as in engineering and implementing security systems. This workshop will enable the attendees to learn how to perform security assessment of SAP R/3 and NetWeaver systems (including application servers and infrastructure) by means of available tools. The following topics will be considered: • search and identification of SAP services; • clients brute force; • peculiarities of working with SAP GUI Scripting; • brute-forcing via SAP GUI and SAP RFC; • obtaining access to critical tables; • using hash for brute-forcing; • using system transactions to access operating systems; • receiving data from another client; • data interception over a network and plaintext password recovery; • administrators’ possible malversations and ways to prevent them. A laptop with VMware Player installed: at least 2 GB RAM and 20 GB of hard drive free space. Level: 200 / English
Pierre-Marc Bureau Pierre-Marc Bureau is a researcher and information security specialist. Presented his reports at the following conferences: • Hack.lu (keynote) • Recon • Virus Bulletin • Hacktivity • Segurinfo • Microsoft Doing Blue • Infosec Paris Resides in Montrėal, Quėbec. The Win32/Georbot malware family has been in development for at least 18 months. With hundreds of different variants seen in the wild, it is surprising this threat has not attracted more attention from the security industry. It appears this malware is only installed on targeted computers, most likely delivered by a web based exploit. The malware is suspected to be used by individuals to steal sensitive information from infected computers. This workshop will show how the following functionalities were implemented: • Document stealing • Camera snapshots • Take audio snapshots from attached microphone • Network scan • Denial of service attack The authors of this malware decided to obfuscate the code themselves in an effort to avoid antivirus. The workshop will explain how the obfuscation is implemented and how it can be defeated
51
F u t u r e
International Forum on Practical Security
N o w
Hands-on Labs statically with IDA python scripts: ∙ Control flow obfuscation ∙ String obfuscation ∙ API call obfuscation through hashing Finally, it will be shown how the bot communicates with its command and control server using the HTTP protocol as well as how to set up an alternate command and control server in a laboratory and issue commands to the bot and receive a response from it. Windows XP virtual machine and the following tools: • Python • IDA Free • Immunity Debugger (or Olly if you prefer) • Wireshark Required knowledge: • Understanding of assembly • Understanding of the Windows operating system • Understanding of the Python programming language Level: 300 English
Breaking havoc using a Human Interface Device Nikhil Mittal Nikhil Mittal is a hacker, info sec researcher and enthusiast. His area of interest includes penetration testing, attack research, defence strategies and post exploitation research. He has over 3 years’ experience in Penetration Testing for many Government Organizations of India and other global corporate giants in
his current job position. Nikhil Mittal specializes in assessing security risks at secure environments which require novel attack vectors and “out of the box” approach. He is the developer of Kautilya, a toolkit which makes it easy to use Teensy in penetration tests. In his free time, Nikhil likes to scan full IP ranges of countries for specific vulnerabilities, writes some silly Metasploit scripts and does some vulnerability research. Nikhil Mittal has spoken at Clubhack’10, Hackfest’11, Clubhack’11, Black Hat Abu Dhabi’11, Troopers’12 and Black Hat Europe’12. This Hands-on Lab will focus on a highly dangerous and yet widely neglected computer security issue — vulnerability of Human Interface Devices (HIDs). Using a programmable HID Teensy, the reporter will demonstrate how easy it is to hack a system by exploiting the inherent reliance of modern operating systems on HIDs. The case for using Teensy as a keyboard will also be covered. A toolkit, Kautilya, which has been developed by the reporter, will be demonstrated highlighting that programming is not even required for using the device. Kautilya contains easily usable and highly customizable payloads which aim to make the work of a penetration tester easy. The report will be full of live demos. A laptop with VMware Player installed: at least 2 GB RAM and 20 GB of hard drive free space. Teensy++ 2.0 device — amount of devices provided by the organizers is limited. Level: 200 English
52
MAY 2012 digital october
Hands-on Labs Security without antivirus software
Web application attacks. The basics
Boris Ryutin
Vladimir Lepikhin
Boris Ryutin graduated from Rocket and Aerospace Equipment Department of the Baltic State Technical University “Voenmeh” named after D.F. Ustinov (specialized in Flight Dynamics and Aircraft Movement Control) in 2009. He worked as an engineer in the federal Machine-Building Design Bureau. Currently he is a malware analyst at Esage Lab. The participants of this four-hour master class will get basic knowledge of detecting Trojans in OS, learn most recent Trojan development techniques for Windows (SpyEye, Carberp, Duqu), consider Trojans for Android and get acquainted with actual exploits (PDF, Java). A laptop with VMware Player installed: at least 2 GB RAM and 20 GB of hard drive free space. Level: 300 English
Vladimir Lepikhin has been working since 1999 at the Centre “Informzaschita.” Coordinates the direction of “Network Security”. Participated in the development of many copyright courses of the Training Center “Informzaschita.” He specializes in the detection of network attacks and security analysis. For a long time he was engaged in reading and adaptation of the authorized courses of company Internet Security Systems - in the recent past the industry leader in the detection of attacks and security analysis. Now he continues to train for the same product line, but “under the wing” of IBM. He actively participates in the development of authorized training on the products of the company Positive Technologies. He regularly participates in conferences and forums on information security. The mechanisms of attack on web applications, techniques and tools (specialized scanners, security, utilities, using the results of their work during manual analysis) used by violators will be submitted in a systematic form. Practical examples will clearly demonstrate major weaknesses of web applications that make it possible to conduct attacks, illustrated by the shortcomings of the means of protection in use and methods to bypass them. Simple and well-known vulnerabilities will be considered, as well as more complex and interesting cases.
53
F u t u r e
International Forum on Practical Security
N o w
Hands-on Labs Wireless network security. How your network was hacked and how it could be avoided Dmitry Ryzhavsky Dmitry Ryzhavsky lives in Moscow, Russia and is a Cisco Associate Systems Engineer. He has studied the Cisco Systems Networking Academy Program at the Moscow Cisco Systems Training Center. Certificates: Cisco Certified Design Professional (CCDP), Cisco Certified Design Associate (CCDA), Cisco Certified Network Associate (CCNA), and Cisco Certified Internetwork Expert (CCIE) in “Security” and “Routing and Switching.” These days, manufacturers of enterprise-class Wi-Fi provide their clients with a wide range of protection functions against attacks and intrusions. To effectively use this tool, it is not enough for an administrator to read the documentation. We need to know the enemy’s face, and the means of protection is in the ways to detect or prevent well-defined attacks in the arsenal of any trained attacker. The purpose of this report is to give students an opportunity to look at the protection of WLAN from the viewpoint of the hacker as well as that of the system administrator. In the course of the report the most relevant methods of obtaining unauthorized access to WiFi-network will be considered, and the mechanisms proposed integrated solution Cisco Unified Wireless Network to protect against the described attacks are described
and demonstrated. This will allow students to consciously determine which set of security features they need. A laptop compatible with BackTrack (http://www. backtrack-linux.org/) or Slitaz (http://www.aircrackng.org/doku.php?id=slitaz) with at least 2 GB of main memory. A wireless card should be compatible with aircrack -ng (http://www.aircrack-ng.org/doku. php?id=compatibility_drivers). Level: 200 Russian
Internet competitive intelligence Andrey Masalovich Andrew I. Masalovich has a Ph.D. in Physics and Mathematics, is a member of the Board of directors of “DialogueScience”, and head of the Competitive Intelligence sector of the Academy of Information Systems. He has supervised a number of successful projects in the analytical equipment of banks, financial-industrial groups, major network of trade retailers and government organizations. In the past he was a FAPSI Colonel, Commander of the Order “Star of the Glory of the Fatherland”, winner of the scholarship of Sciences “Outstanding Scientist of Russia” (1993). Author of numerous publications on the problems of search and analysis of data. Conducted seminars in several universities in Rus-
56
MAY 2012 digital october
Hands-on Labs sia (Academy of National Economy, Moscow State University, MAI) and in the USA (Harvard, Stanford University, Georgia Institute of Technology, Texas A&M University). An expert for RFBR, INTAS, ITC UN, APEC.
Practicalities of Mobile Security
By using practical examples, participants of the workshop will acquire the skills of using analytical technologies in solving real problems of competitive intelligence, including methods for rapidly detecting confidential information leaks, fast-detection of open partitions on servers, methods of penetration on the FTP server without hacking protection; password leak-detection methods; methods of access to confidential documents via bypassing DLP; means of penetrating into sections behind 403 error messages. Techniques are demonstrated on examples of portals in certainly well-protected companies (such as the leaders of the IT and IS markets, large state organisations, intelligence, etc.). Level: 100 Russian
Sergey Nevstruev is the Head of Mobile Solutions at Kaspersky Lab.
Sergey Nevstruev
57
Level: 100 Russian
F u t u r e
International Forum on Practical Security
N o w
FastTrack Applying SIEM to computer security incident investigation Alexander Vasilyevich Kuznetsov Alexander Kuznetsov graduated from St. Petersburg State Polytechnic University with a degree in applied mathematics. He has been in the business of information security since 2006. He worked as a specialist and leader in the St. Petersburg branch of FSUE «ZaschitaInfoTrans», then in the company «INFORION.» He currently manages the department of information system security at STC «Volcano». He lives in Moscow. The reporter will review the technology of Security Information and Event Management (SIEM), the benefits of its use and behaviour of SIEM-systems. To keep track of developments in modern information system vast amounts of data must be constantly collected from many different sources. This requires an appropriate repository through which professionals could quickly gain access to event logs and use them effectively in the investigation of incidents and to analyse the accumulated statistics. SIEM-systems not only allow for a long time to store a large amount of heterogeneous data, they provide experts access to analytical processing stored information, as well as acting as an independent agent with respect to a pair of «attacking the target-system»: criminals are always trying to conceal their actions, but they will hardly be targeted for attack by SIEM-systems. The reporter will tell of common misconceptions regarding the use of SIEM technology, and will consider current SIEM solutions, comparing their advantages and disadvantages. Level: 200 Russian Ilya Smith, Kirill Moslov, 10.*#level 15 in two clicks Aleksey Sintsov, Alexander Minozhenko. Hijacking VMware vCenter Andrey Costin. Voice Conference Security
58
MAY 2012 digital october
FastTrack The Ukrainian Information Security Group: achievements and prospects Konstantin Korsun Konstantin Korsun is a director of «Isight Partners Ukraine» (www.isightpartners.com), Chairman of the Board of Public Organization «Ukrainian Information Security Group.» He graduated from the Kharkov Higher Military Aviation Engineering School (1993) and the National Academy of Security Service of Ukraine (1996). From 1996 to 2005 worked in the subdivision to combat cyber-crime of the Security Service of Ukraine, from 2005 to 2009 - in the State Service of Special Communication and Information Protection of Ukraine. Founder and leader of CERT-UA(www.cert.gov.ua). The report tells of the formation of the Ukrainian information security community, from the noisy meetings of Ukrainian IT-security personnel in Kiev's pubs, to the creation in 2012 of the Public Organization «Ukrainian Information Security Group» (UISG) as a legal entity. Under the auspices of UISG a conference of the same name is held annually, which is the most prominent and most visited industry event in the Ukraine. Level: 100 Russian
Security aspects of the D language Pavel Markov Pavel Markov graduated from Baltic State Technical University «Voenmekh.» Currently living in St. Petersburg, he is working in JSC “Radio Control Technologies» as an engineer. The report will cover different aspects of writing applications in the D programming language from the perspective of security. The report will consist of a short overview of the D programming language, a description of the criteria for secure application and ways to search for vulnerabilities in applications written in D. Also, the reporter will compare standard examples of buffer overflow for code written in the C and D languages, and provide a comparison study of Win32 application software written in C and D. An attempt to hack into the software will also be demonstrated. Russian
59
F u t u r e
International Forum on Practical Security
N o w
PHDays CTF 2012: Circuli Vitae International Information Protection Contest The challenge is conducted according to the CTF (Capture the Flag) game rules. Several teams are to defend their own networks and attack the networks of other teams for a specified period of time. The aim of the contestants is detecting vulnerabilities in the systems of other competing teams and obtaining sensitive information (flags), and at the same time detecting and fixing vulnerabilities in their own systems.
World’s Most Real-Life CTF
Rules
er ake t winn The CTF will CTF ys ON 20 s. a D H of P in DEF C ification 0 l 00 part ing qua 150, 0 p ce — 100,00 skip a l p 0 — st 0,00 lace es: 1 Priz s, 2nd p ace — 5 l e p l b ru es, 3rd les. rub rubl
The key feature of Positive Hack Days CTF is its closeness to At the beginning of the game, the teams are provided real-life conditions. with identical servers with preinstalled set of vulnerable services. The teams’ aim is to detect the vulnerabilities, fix All the vulnerabilities are not fictional, but indeed occur on them on their servers, and exploit them to obtain sensitive contemporary information systems. information (capture the flags) of the competitor teams. Teams can also score points by capturing bonus flags or The format of PHDays CTF is really wide due to the game flags from the shared game infrastructure, or by holding environment’s saturation with unique elements down services during the King of the Hill contest. • The King of the Hill – an analogue of a real penetration
A final contest will challenge the competitors’ skills and testing or a hacker combat that involves network controlling knowledge of protecting certain infrastructure from Internet attacks. The detailed information about the contest • BlackBox – blind attacks on secure systems will be provided on the second day of PHDays CTF 2012. Teams’ performance at this contest can influence their final • Attack from Internet – CTF teams resisting PHDays rating. HackQuest participants' onslaught The game is constantly monitored by the jury’s supervising • Сombat satellites, time travelling and much more system, which regularly modifies the state of the game infrastructure by adding new flags and vulnerabilities to To add special appeal to the contest, the game the teams’ servers, and checks the state of the previously infrastructure is prepared according to the story lines added flags and the functioning of vulnerable services. The which are unique for each contest within PHDays CTF. Such jury decide the winner on the basis of total points scored by conditions create a remarkable ambience and make the each team. Positive Hack Days CTF contest to stand out against the background of other similar contests. Best teams from Germany, India, Spain, the Netherlands, Russia, the USA, Tunisia, France, Switzerland and Japan.
60
MAY 2012 digital october
The XXI century is the Era of Biotechnologies. Mass production of genetically-modified products was supposed to deal with hunger, diseases and give the humanity the power over the Nature. However by the middle of the century geneticallymodified organisms were everywhere: from tundra to rainforests. In response to the intervention Flora struck back to survive. Gigantic weed-trees and tiny bugs flooded forests and fields of the Earth. People also suffered from the genetic chaos. Numerous epidemics spread over the planet, some of them were artificially induced. That was when World War IV broke out to become the fastest and most devastating war of all. The second half of the century saw demoralized population that was cut by a third because every other child was born with significant genetic de-
viations. Having lost their last bit of hope, people ran to airproof cities to cover from the aggressive environment. And now, two hundred years later, few people who managed to survive are fighting every day to stay alive. On the one hand, there are city states that are constantly fighting against each other, on the other hand – mutant nomads wandering about destroyed cities and dangerous forests. People are surviving off of a few highly-secured automated farms growing “clean” food. Inevitable technological setback forced people to fight for remaining technologies and for serviceability of management systems left by their anсestors. Only twelve underground cities out of hundreds erected in the past still exist. And nobody knows how many of them, if any, will be there tomorrow.
61
F u t u r e
International Forum on Practical Security
N o w
CTF 2012 Participants 0daysober / Switzerland 0daysober is a brand new team emerging from the French part of Switzerland and made by friends who share the same passion for IT security and alcohol.
BIOS / India The BIOS team from Amrita Vishwa Vidyapeetham, Amritapuri, India has been a regular at CTF contests since 2008. Starting off with finishing 24th in CIPHER4 (2008), they have taken part in most worldwide CTF contests such as CODEGATE, ruCTFe, rwthCTF, Mozilla CTF (14th place) and pCTF. They have also succeeded in organizing InCTF, India’s first national CTF contest, for 3 years now.
C.o.P / France Consortium of Pwners (C.o.P.) is a French security team created in 2011 by former members of Nibbles team. The team regularly participates in vulnerability research and CTF contests.
Eindbazen / The Netherlands The team was founded last March to be able to compete in the Codegate 2011 Prequals. So, Eindbazen is just one year old and celebrated its anniversary at the Codegate 2012 Prequals. The team started out with only a handful of people and quickly grew as more skilled people joined. Most team members met in real life and knew each other before the team creation. The team consists solely of Dutch members, including both students and professionals. As the members are spread throughout the country, they are generally unable to get together physically when participating in a CTF competition.
62
MAY 2012 digital october
CTF 2012 Participants FluxFingers / Germany The FluxFingers team has been representing the Ruhr University Bochum in CTF contests since 2007. In the past years it also organized the famous hack.lu CTFs. All the team’s rankings are listed here: https://www.fluxfingers.net/scoring.html
ForbiddenBITS / Tunisia ForbiddenBITS is a Tunisian team created in 2011 that won the Tunisian CTFs (Security challenge Days 1 & 2, Seсurinet Challenges 2011 & 2012) and participated in several other challenges.
HackerDom / Russia The HackerDom team was created in 2005 at the Mathematics and Mechanics Department of the Ural State University. The members give weekly seminars named HackerDom’s Secrets. The team regularly participates in CTF and CTF-like contests, and also holds national (RuCTF) and international (RuCTFE) interuniversity contests in information security.
Int3pids / Spain Int3pids is a Spanish team which was born in 2010 as a spin-off of Sexy Pandas. They love security challenges and have taken part in many well-known CTFs.
Leet More / Russia The Leet More team was created in 2008 at the University of Information Technologies, Mechanics and Optics (ITMO).
63
F u t u r e
International Forum on Practical Security
N o w
CTF 2012 Participants Plaid Parliament of Pwning / USA The Plaid Parliament of Pwning formed from students at Carnegie Mellon University in 2009. Since its creation, the group has grown from only a handful of members to a team with undergraduate students, masters students, PhD students, and University staff, though primarily undergraduates. Over the years, PPP has won numerous CTF competitions, including Codegate, iCTF, CSAW, HUST, Ghost in the Shellcode, Secuinside, and PHDays.
Shell-Storm / France/Switzerland Shell-Storm.org is a development organization based on GNU/Linux systems that provide free projects and source codes. Shell-storm.org provides useful information to people who perform security testing.
Tachikoma / Japan The Tachikoma team is formed from the students of the following universities in Japan: the University of Tokyo, Tokyo Denki University, Tokyo University of Technology, and University of Aizu. It is a very fresh and newbie team that will make it first appearance at offline-type CTF at PHDays 2012. The team was created in February 2012.
[censored] / Russia The [censored] team of the Immanuel Kant Baltic Federal University consists of students of the Computer Security Department. For the period of its existence, the team has participated in almost all large-scale CTF competitions. Furthermore, the team is the reigning champion of RuCTF 2012, the challenge in information security among Russian universities. The best results for the last year: 1st place at RuCTF 2012; 1st place at RusCrypto CTF 2011; 7th place at PHD Quals 2012; 8th place at PHD CTF 2011; 9th place at RuCTF 2011
64
MAY 2012 digital october
65
International Forum on Practical Security
F u t u r e
N o w
Competitions. Every Winner Will Be Awarded Hack2own prize pool – over $20 000 CTF 2012 prize pool – over 300 000 rubles WAF Bypass – the winner gets new iPad!
Online
At site
Principle Hack for invite!
During the forum
PHDays Online HackQuest 2012
Blow Up the Town
Hack in 137 Seconds*
Hack2own
Hackers vs Forensics
Hash runner
$natch Too Drunk to Hack
For real hackers
For everyone
Fox Hunting NG
2600
Best Reverser
Don’t Copy That Floppy
Hack the RFID WAF Bypass
Big Shot WikiLeaks Hack-T-Shorts
* -at PHDays Everywhere spots only!
MAY 2012 digital october
Competitions PHDays Online HackQuest 2012 The PHDays 2012 program will include Online HackQuest, a competition for the Internet users that offers participants to try their hands at solving various information security tasks. On the forum’s second day, Online HackQuest participants will have a chance to influence the results of PHDays CTF 2012, the on-site contest.
Rules
Prizes
For the competition, participants are provided with access to a VPN gateway. After connecting to it, the participants are to identify target systems and detect their vulnerabilities. If exploitation of a vulnerability is successful, the participant gains access to a key (a flag), which should be submitted to the jury via the form on the participant’s personal page. If the flag is valid, the participant gains the corresponding number of points. All flags are in the MD5 format. The winner is the first participant to gain 100 points (which is the maximum possible amount). Participants who manage to gain more than 100 points are traditionally awarded with individual prizes :)
Positive Technologies (the PHDays organizers) and the sponsors of the forum provide prizes and gifts for the competition.
Technical Details The participation requires Internet connection and a possibility to establish connection to a VPN gateway via PPTP or IPSec.
Participation Terms Any Internet user is welcome to participate in the competition. The registration will open on the PHDays 2012 web site after the forum begins. Moreover, the Online HackQuest will also be available for out-of-competition participation during 14 days after PHDays 2012.
time
type
prizes
Throughout the forum days, 9 am, May 30 – 6 pm, May 31
главный
Valuable prizes
67
F u t u r e
International Forum on Practical Security
N o w
Competitions Hack2own This competition allows the participants to demonstrate their skills in security analysis and hacking mobile devices (e. g. Apple iOS, Android), popular Internet browsers, and operating systems (skills in exploiting kernel vulnerabilities in current OS versions).
Rules The participants of the competition should demonstrate their exploits (each participant gets three attempts to attack). The competition is divided into three categories: exploitation of vulnerabilities in a browser, in mobile devices, and exploitation of kernel vulnerabilities.
Participation Terms The competition is held as part of PHDays 2012 and will last through the forum days. All the preregistered specialists can participate in the competition. Please send your applications to phdcontests@ptsecurity.com (the last day of registration is May 28, 2012). Specify the participant’s name, the competition category, provide a short exploit description and specify the target system and attack vector. Additionally, list all the software and hardware required to demonstrate the exploit at the forum. The organizers of the competition reserve the right to refuse a candidate in case he or she fails to prove his or her competence to handle the issues the competition is based on. If a competitor cannot attend the forum in person, the organizers of the forum may demonstrate the exploit on behalf of the author
by pervious agreement. (In case the competitor wins, the prize will be handed over after the forum.) The copyright on the programs and techniques used at the forum belongs fully to their author and is not transferred to the forum organizer.
Prizes The winner in each category will be chosen by the organizers and will receive corresponding money prizes.
Technical Details The software versions used in the competition will be settled not less than two weeks before the beginning of the forum. The information will be published on the PHDays 2012 web site. After every vulnerability exploitation attempt all the software will be restored to its original state. The competitors should bring their own software and hardware needed for conducting the attack. Wireless or wired network connection will be provided.
time
type
prizes
6:45 am – 7 pm, May 31
главный
Valuable prizes
68
MAY 2012 digital october
Competitions $natch The competition allows the participants to check their knowledge and skills in exploiting typical vulnerabilities in online banking system web services. The competition tasks will include actual vulnerabilities of Internet banking applications detected by Positive Technologies specialists while analyzing security of such systems.
Rules
Participation Terms
The contest is held in two stages. At first the participants are provided with copies of virtual machines containing vulnerable web services of an online banking system (an analogue of an actual Internet banking system). The participants should detect vulnerabilities in the system within a specified period of time. At the second stage the participants are to exploit these vulnerabilities for unauthorized money withdrawal within a limited time.
Any attendee is welcome to participate in the competition. The visitors can register in the contest area. The number of participants is limited.
Prizes Following the results of the contest each participant gets a monetary reward equaling to the amount of money stolen from the game Internet bank service.
Technical Details A notebook is needed to participate in the competition.
time
type
prizes
11:30 am – 11:50 pm, May 31
главный
Valuable prizes
69
F u t u r e
International Forum on Practical Security
N o w
Competitions Too Drunk to Hack NG The competition enables the participants to try their skills in hacking a web application which is protected by a Web Application Firewall and demonstrate the ability to think straight in any situation.
Rules
Participation Terms
The competitors should successfully hack a web application protected by a Web Application Firewall (WAF). The web application, in turn, contains a limited number of vulnerabilities, consecutive exploitation of which allows executing OS commands.
Any attendee who has reached the age of 18 is welcome to participate in the competition. The participants can register in the contest area. The number of competitors is limited.
The whole competition takes 30 minutes. Every 5 minutes the competitors whose actions caused a more frequent WAF reaction are offered 50 g of a strong drink and proceed with the competition. The winner is the first who manages to capture the principal game flag on the stage of executing OS commands on the server. If the principal flag is not captured the winner is the participant with the largest number of flags captured on other stages of exploiting the vulnerabilities.
time 19:30 – 20:00, 31 мая
Prizes Positive Technologies (the PHDays organizers) and the sponsors of the forum provide prizes and gifts for the competition.
Technical Details The participants should bring their own software and hardware required for the competition. Connection to the game network segment will be provided.
type
prizes
главный
Keepsakes
70
MAY 2012 digital october
Competitions Hacked in 137 Seconds This competition enables the members of the hackspaces supporting PHDays 2012 forum online to demonstrate their skills in cracking Cisco IOS network devices.
Rules
Prizes
Within 3 hours the competition participants should gain unauthorized access to a specified Cisco network device consecutively increasing privileges up to level 15. With every new level gained, the participant obtains a flag in MD5 format, which should be entered into a form on a specified interface. After 3 hours, during exactly 137 seconds the organizers will demonstrate every participant’s achievements in speeded-up mode and decide the winner. The winner is the person who obtains the highest level of privilege for the shortest time.
Prizes and gifts will be provided by the PHDays organizers, the Positive Technologies company, and by sponsors of the forum.
Technical Details Ability to connect to Internet and VPN gateway via PPTP and IPSec is necessary for participation.
Participation Terms Only the members of the hackspaces that support PHDays 2012 forum online are allowed to participate. The registration will be open during PHDays on the forum’s web site. The number of participants is limited.
time
type
prizes
13.55, 30 мая
Online
Valuable prizes
71
F u t u r e
International Forum on Practical Security
N o w
Competitions Hash Runner Hash runner challenges the competitors’ knowledge of cryptographic hash algorithms and skills of cracking password hash functions.
Rules
Prizes
The competitors will be provided with a list of hash functions generated according to various algorithms (MD5, SHA-1, BlowFish, GOST3411, etc.). Points for each decrypted password are scored according to the algorithm’s level of difficulty. To become a winner, a competitor should gain the most points in a limited period of time, leaving the rivals behind.
Prizes and gifts will be provided by the PHDays organizers, the Positive Technologies company, and the forum sponsors. The first prize is the AMD Radeon HD 7990 graphics card.
Technical Details The competitors are to use their own software and hardware. Internet connection will also be needed to participate in the competition.
Participation Terms Any Internet user can participate in the competition. Competitors can register during PHDays on the forum's website. The competition will be held as part of PHDays 2012 and will last through the forum days.
time
type
prizes
Throughout the forum days, 9 am, May 30 – 6 pm, May 31
Online
Valuable prizes
72
MAY 2012 digital october
Competitions WAF Bypass This competition is for enthusiasts and experts engaged in web application security. The competitors are to attack vulnerable web applications protected by Web Application Firewall using SQL Injection technique. The applications function in connection with DBMSes of various vendors.
Rules
Participation Terms
Participants will be offered to attack (or demonstrate the attack possibility) for the purpose of gaining data from a DBMS. There are four vulnerable web applications employed in the contest, each of them uses its own DBMS type. All attacks exploiting any SQL injection vector, inclusive of gaining file system access, OS commanding, brute force and binary search attacks are counted. Attacks exploiting other vulnerabilities (e. g. buffer overflow in the web server or DBMS server) are not counted. The winner is the first who implements an SQL injection exploitation technique in one of the web applications. If several competitors implement different exploitation techniques the winner is the person whose attack allows obtaining the same DBMS data set using the least number of queries to the server.
Any Internet user is welcome to participate in the competition. Participants can register on the PHDays 2012 web site after the forum begins. The competition will last through the forum days.
time Throughout the forum days, 9 am, May 30 – 6 pm, May 31
Prizes The winner will be awarded Apple iPad 3. The best ten competitors will receive prizes and gifts from Positive Technologies (the PHDays organizers) and from the forum sponsors.
Technical Details The participants should bring their own software and hardware required for the competition.
type
prizes
Online
Keepsakes
73
F u t u r e
International Forum on Practical Security
N o w
Competitions WikiLeaks The competition will enable participants of the forum to find out how quickly and accurately they can find hidden information on the Internet.
Rules
Technical Details
The competition web page will contain questions about certain organization, information about which can be found online. The task of the competition participants is to find as many correct answers to the questions as possible in the shortest time. Results will be announced at the end of the second day of the PHDays 2012 forum.
Each participant chooses for themselves what hardware and software they require to use. An Internet connection is also necessary.
Participation Terms
Prizes Prizes and gifts will be provided by the PHDays organizers, the Positive Technologies company, and by sponsors of the forum.
Any Internet user is allowed to take part in the competition. Registration will take place on the PHDays 2012 site after the forum has begun. The competition will last through the forum days.
time Throughout the forum days, 9 am, May 30 – 6 pm, May 31
type
prizes
At site: for everyone
74
Keepsakes
MAY 2012 digital october
Competitions Best Reverser This competition enables the participants to try their skills in reverse engineering of executable files for MS Windows platform. The participants should capture hidden flags (code phrases) in a specially prepared program. This program contains three flags exactly. The access to every subsequent flag becomes possible only after capturing the preceding flag.
Rules
Prizes
Every participant gets a program specially crafted for analysis. There are no limitations on techniques or software used for capturing the flags (except for the applicable laws of the Russian Federation). The winner is the first who gets all three flags and provides a short description of how to get them. The participants who deal with the competition tasks later than the winner or get less than three flags take the second and third places by the jury’s decision.
The 1st prize is the new iPad (Wi-Fi + 4G), the 2nd prize is Amazon Kindle Fire (2 items for 2 prizewinners), the 3rd prize is Amazon Kindle Touch (3 items).
Technical Details The participants should bring their own software and hardware required for the competition.
Participation Terms Any Internet user is welcome to participate in the competition. The registration will open on the PHDays 2012 web site after the forum begins. The competition will last through the forum days.
time
type
prizes
Throughout the forum days, the final is at 7 pm, May 31
At site: for real hackers
Valuable prizes
75
F u t u r e
International Forum on Practical Security
N o w
Competitions Fox Hunting NG Participants can demonstrate their skills in the field of wireless networks security assessment and PCI DSS Wireless Guideline compliance using various software and hardware.
Rules
Participation Terms
The participants should detect 802.11 a/b/g/n wireless access point with a pre-defined ESSID or crack the WPA-PSK encrypted password used for access to the wireless network. The access point location will change with time.
Any attendee is welcome to participate. The participants can register in the contest area. The competition will last through the forum days.
To become a winner a participant must accomplish at least one of the tasks:
Positive Technologies (the PHDays organizers) and the sponsors of the forum provide prizes and gifts for the competition.
• to become the first who detects the exact coordinates of the current wireless access point location and to inform the organizers about it;
• to become the first who cracks the password of
Prizes
Technical Details The participants should bring their own software and hardware required for the competition.
the access point and to inform the organizers about it.
time Throughout the forum days, 9 am, May 30 – 6 pm, May 31
type
prizes
At site: for real hackers
76
Keepsakes
MAY 2012 digital october
Competitions Hack the RFID This competition allows the participants to try their knowledge and skills in Radio Frequency Identification (RFID) systems.
Rules The participants will be provided with two stationary boxes under locks controlled by RFID readers. The corresponding RFID tags will be attached at a distance from the readers so that it is impossible to unlock the boxes directly with these tags. The participants will be invited to open one or both boxes and take the prizes from within. The participants will be invited to open one or both boxes and take the prizes from within. To determine the competition winner, organizers will estimate the originality of applied methods and the number of opened boxes. At the end of the second forum day, the final RFID tag (125 KHz) cloning competition will be conducted. The participants will be challenged to copy a low-frequency RFID tag and open the corresponding locked box. Here, it will be the distance between the contestant and the tag in the moment of cloning that will be of the decisive importance. The winner will be the one who manages to clone the tag from the maximal distance.
Participation Terms
tion. Those willing to try their hand should register in the contest area. The competition will be held as part of PHDays 2012 and last through the forum days.
Prizes Positive Technologies (the PHDays organizers) and the sponsors of the forum provide prizes and gifts for the competition.
Technical Details Both low-frequency (125 KHz) and high-frequency (13.56 MHz) RFID reader will be used in the competition. The participants are not allowed:
• to perform any actions aimed at disabling the locks con trolled by RFID readers; • to attempt destroying the boxes; • to prevent other competitors from solving the task. The participants use their own software and hardware.
Any forum visitor is welcome to participate in the competitime
type
prizes
Throughout the forum days, the final is at 7 pm, May 31
At site: for real hackers
Valuable prizes
77
F u t u r e
International Forum on Practical Security
N o w
2600 be selected basing on how fancy the used extraction method was. The contest results will be announced on the second day of the forum.
Participation Terms Any attendee is welcome to participate in the competition. The visitors can register in the contest area. The competition will last through the forum days.
Prizes Positive Technologies (the PHDays organizers) and the sponsors of the forum provide prizes and gifts for the competition. This competition challenges participants to demonstrate their knowledge, skill and ability in the field of communications hardware. The contestants will be using soviet coin-operated telephone to call a predefined number.
Rules
Technical Details Competitors are prohibited from performing any actions that may damage the competition telephone!
The participants will be asked to first call a predefined number from an authentic soviet telephone using tokens as the means of payment and then extract the used token and give it back to the jury. The winner will
time Throughout the forum days, 9 am, May 30 – 6 pm, May 31
type
prizes
At site: for everyone
78
Keepsakes
MAY 2012 digital october
Competitions Don’t Copy That Floppy The collected media and the read information (in any form that allows identifying the stored data) must be submitted to the organizers in the contest area. A participant who will manage to find and read the largest number of floppies wins. The winner will be decided on the second day of the forum.
Participation Terms Any attendee is welcome to participate in the competition. There is no pre-registration. The competition will take place as part of the PHDays 2012 program and last through the forum days.
Prizes Positive Technologies (the PHDays organizers) and the sponsors of the forum provide prizes and gifts for the competition.
Rules The participant will have to find information media (floppy disks of various types) hidden by the organizers. Moreover, they will have to find a way to read the data stored on the floppies. The floppies can be anywhere: on a wall or behind a column, under a table or on a chair back, or just lying somewhere on the floor in the corner. time Throughout the forum days, 9 am, May 30 – 6 pm, May 31
Technical Details The participants are to use their own software and hardware tools. The organizers provide reading devices at extra charge :)
type
prizes
At site: for everyone
79
Keepsakes
F u t u r e
International Forum on Practical Security
N o w
Competitions BigShot task, for example, to get the person's business card or to take a photo of the both from a specified angle. The winner is a participant who will cope with the largest number of tasks for the shortest period of time. The results will be summed up on the second day of the forum. Participation Terms Any attendee can take part in the competition. The registration will be open in the contest area. The competition will last through the forum days. Prizes This competition allows participants to test their social engineering skills in practice.
Prizes and gifts will be provided by the PHDays organizers, the Positive Technologies company, and the forum sponsors.
Rules
Technical Details
A participant is given a photo of a person and a number of statements that characterize this person. The photo is taken in a way that prevents unambiguous identification. The person is one of the attendees of the forum. The participant’s goal is to identify the person and make certain actions according to the
The participation requires such qualities as determination, excellent social skills and charisma. Neurolinguistic programming skills at level 137 are an advantage :)
time Throughout the forum days, 9 am, May 30 – 6 pm, May 31
type
prizes
At site: for everyone
80
Keepsakes
MAY 2012 digital october
Competitions Hack-T-Shirts g on es puttin colleagu y, stylish or d n a s r n petito ts or fun rticipan ut of com st interesting stand o of all pa ay. o s m to to e y o it th h n p s d r ill take opportu r she conside forum second nizers w o e has an Rules attende shirt’ which he ays orga declared on the D m H u P r e fo Every ‘hack-t- on the part of th winner will be er own he his or h l agents tition. T c e g. Sp ia in this compe e amusin k to parta wishing tion. competi te in the ill last through s a m ip r c e ti T r ation to pa tion w Particip ee is welcome competi etition nd on. The e ti tt a The comp a tr y is n g A e re no preenables th There is days. ts of ors m u participan e spons the for w s) and th n. 012 to sho r 2 e ys iz a n D a H P d titio ays org iduality an e compe he PHD their indiv Prizes logies (t s and gifts for th add o d n n a h , c ty e vi T e creati Positive m provide priz eal to the e foru and visual app th f o t. n ve put on, e rchase, u p ld u o s titors sh -shirts :) al Detail Technic ate, the compe own T ir e ip c th ti ) r To pa essary h (if nec embellis
time Throughout the forum days, 9 am, May 30 – 6 pm, May 31
type
prizes
At site: for everyone
81
Keepsakes
F u t u r e
International Forum on Practical Security
N o w
PHDays Young School Finalists
Got Got tired tired of of waiting waiting for for new new Brins Brins and and Kasperskys Kasperskys in in Russia? Russia? Frankly Frankly speaking, speaking, we we did. did. To To find find out out the the state state of of academic academic IT-security IT-security science science in in Russia, Russia, we we “put “put out out aa bulletin” bulletin” for for young young scientists scientists who who make make researches researches in in this this field. field. The The primary primary goal goal of of the the competition competition is is to to give give aa chance chance to to young young scientists scientists to to let let themselves themselves known. known. We We hope hope sincerely sincerely that that for for the the young young scientists, scientists, their their presentations presentations at at PHDays PHDays Young Young School School will will be be aa major major step step towards towards their their success success and and that that this this experience experience will will help help them them in in their their future future scientific scientific work. work. The The program program committee committee of of the the competition, competition, which which was was composed composed of of representatives representatives of of leading leading IT IT companies, companies, educational educational and and scientific scientific institutions institutions and and core core publications, publications, considered considered 19 19 applications applications and and selected selected 77 most most interesting interesting reports. reports.
82
MAY 2012 digital october
Decided PHDays Young School 2012 Finalists
Who Was To Judge?
• Decompilation Methods for Binary Code And Their Application to Information Security, Maksim Shudrak, Ivan Lubkin. The research advisor is Vyacheslav Zolotarev. Informational Technology Security Chair, Institution of Computer Science and Telecommunications SibSAU, Krasnoyarsk, Russia. • Application of Statistical Algorithms for Detection of Attacks On Web Applications, Dmitry Myulavka. The research is supervised by Vladimir Vorontsov. NRNU MEPhI, Moscow, Russia. • Optimization Methods for Automated Vulnerability Search in Remote Information Networks, Darya Kavchuk. The research advisor is Yevgeny P. Tumoyan. Information Technology Chair, the University of Taganrog (SSU), Taganrog, Russia,
The competition took place owing to Andrey Petukhov’s determination and enthusiasm. This man shouldered the uneasy task of organizing PHDays Young School. A special thanks to the committee members, namely: Dmitry Kuznetsov (Positive Technologies); Andrey Beshkov (Microsoft); Denis Gamayunov (CMC MSU); Alexander Dmitriyenko (Technische Universitat Darmstadt);
• Signature-Based Polymorphic Shellcode Detecting, Anastasiya Scherbina. The research advisor is Denis U. Gamayunov. MSU, Moscow, Russia. • Load Testing of Information Systems, Denis Makrushin. NRNU MEPhI, Moscow, Russia.
Vladimir Ivanov (Yandex); Alexey Kachalin (Advanced Monitoring); Nikita Kislitsin (Hacker Magazine); Igor Kotenko (SPIIRAS);
Out-of-Competition Reports • Secure Clouds Computing by Means of Homomorphic Cryptography, Alexander Zhirov, O.V. Zhirova).. The research adviser is Sergey F. Krendelyov. Novosibirsk State University, Russia. • Exploring Bio-Inspired Approaches to Protection against Infrastructure Attacks on the Basis of Imitation Modelling, Andrey Shorov. The research adviser is Igor V. Kotenko. SPIIRAS.
83
Pavel Laskov (Eberhard Karls University, Tubingen); Alexander Polyakov (ERPScan); Eugene Rodionov (MEPhI); Aleksey Sintsov (Defcon Russia Group)
F u t u r e
International Forum on Practical Security
N o w
PHDays Everywhere: Join Us Unfortunately, some people could not make it to Positive Hack Days, but the Positive Everywhere initiative gives anyone a chance to join the forum wherever they are. PHDays Everywhere participates will be able to: • follow the Internet broadcasting of the forum in the HD format, both in English and in Russian; • take part in the discussions and ask questions to the speakers online; • show your skills of hacking and protecting information at hacker competitions (winners will get prizes).
Hackspaces Tunisia, Tunis: National Institute of Applied Science and Technology (INSAT) Broadcasting partner: Tunisian Information Security Professional Association Contact persons: Haythem El Mir, haythem.elmir@gmail.com; Aymen Frihka aymen. frikha88@gmail.com; www.insat.rnu.tn www.atssi.org.tn India, Kollam: Amrita University Contact person: Vipin Pavithran, vipinp@am.amrita.edu www.amrita.edu Vladivostok (Russia) Far Eastern Federal University Contact person: Andrey Sakharov, phdvladivostok@gmail.com www.dvfu.ru Ukraine, Kiev: Group DefCon-UA Broadcasting partner: The Institute of Physics and Technology of National Technical University of Ukraine ‘KPI’ Contact person: Nikolay I. Ilyin, mykola.ilin@pti.kpi.ua www.defcon.org.ua www.pti.kpi.ua
84
MAY 2012 digital october
Wherever You Are Russia, Kaliningrad: Immanuel Kant Baltic Federal University Contact person: Alexander Puzakov, alpuzakov@gmail.com www.kantiana.ru Russia, Taganrog: Taganrog Institute of Technology of Southern Federal University Contact person: Maksim Naydenko, mak.naydenko@gmail.com www.tti.sfedu.ru Russia, Samara: Samara State University of Economics Contact person: Anton Grudin, onepis2word@gmail.com www.sseu.ru Khabarovsk (Russia) Encraft Contact person: Maxim Koval-Navrotsky, max@maxkn.ru www.encraft.ru Moscow (Russia) {neĂşron} Contact person: Alexander Chemeris, alexander.chemeris@gmail.com www.neuronspace.ru Ekaterinburg (Russia) HackerDom Contact person: Ilya Zelenchuk, ilya@hackerdom.ru www.hackerdom.ru www.urfu.ru
For the complete list of the PHDays Everywhere spots, visit our website
85
F u t u r e
International Forum on Practical Security
Sponsors General Sponsor
Technological Partners
Media Partners General Media Partner
Strategic Media Partners
86
N o w
MAY 2012 digital october
Media Partners Media Partners
Forum’s Friends
87
F u t u r e
International Forum on Practical Security
N o w
About Positive Technologies Positive Technologies has been at the cutting edge of Information Security for more than a decade. A specialist developer of IT Security products, Positive Technologies is an international company that specializes in the detection and management of vulnerabilities that could leave our clients open to attacks. Positive Technologies’ offices and representatives are located in Moscow, London, Rome, Seoul and Tunis. Our experts are members of, and contributors to, international associations and projects such as the Web Application Security Consortium, (ISC)², ISACA, Certified Ethical Hacker, Center for Internet Security. Our innovation division, Positive Research, is one of the largest and most dynamic security research facilities in Europe. This award-winning centre carries out research, design and analytical work, threat and vulnerability analysis and error elimination. Our experts work alongside industry bodies, regulators and universities to advance knowledge in the field of information security and to assist in the development of industry standards. Naturally, this knowledge is also applied to improving the company’s products and services. Positive Research identifies over 100 0-day vulnerabilities per year in leading products such as operating systems, network equipment and applications. It has helped such vendors as Microsoft, Cisco, Google, SAP, Oracle, Apple, and VmWare eliminate vulnerabilities and defects that threatened the safety of their systems.
www.ptsecurity.ru
88