There’s little time left before Positive Hack Days 2012. Online competitions, which raffle off invitations to the forum, are in full swing. Yet, the most interesting events will happen at the forum’s platform in the Digital October Center. A legendary competition Hack2Own will be one of the highlights of the program.
In 2011 the of Hack2Own winners were Nikita Tarakanov and Alexander Bazhanyuk, representatives of the CISSRT team, who demonstrated 0day vulnerability (CVE-2011-0222) in the latest version of Safari (Internet browser) for Windows and took the first prize, namely, a laptop and 50,000 rubles. This year the budget of the competition has been significantly increased up to 20,000 $. The winners will have enough money to fill the new cases with :)
This competition is divided into three categories: exploitation of web browser vulnerabilities, exploitation of kernel vulnerabilities, and exploitation of vulnerabilities in mobile devices. Detailed rules of participation are under the cut.
Attention! A laptop is required to participate in the competition.
Versions of
systems and applications used in the competition are finally settled not less
than two weeks before the beginning of the forum. The relevant information will
be published on the PHDays 2012 web site (http://www.phdays.com). After every
exploitation attempt the operating system will be restored to its original
state. The competitors should bring their own software needed for conducting
the attack. Wireless or wired network connection will be provided.
Only one device can be attacked in a round using one attack vector; the organizers of the competition follow the link provided by a participant of the competition. In case of success in the first round, a participant takes the first prize, in case of success in the second or the third round – the second or the third prize respectively. After every exploitation attempt the operating system will be restored to its original state. A participant will succeed if after conducting a remote attack against a device he or she will be able to launch an application on that device. The organizers reserve the right to lower a participant’s rating depending on the type of vulnerability used and exploitation conditions (necessity of interaction with a user, attack development limitations and other conditions affecting CVSS severity).
In 2011 the of Hack2Own winners were Nikita Tarakanov and Alexander Bazhanyuk, representatives of the CISSRT team, who demonstrated 0day vulnerability (CVE-2011-0222) in the latest version of Safari (Internet browser) for Windows and took the first prize, namely, a laptop and 50,000 rubles. This year the budget of the competition has been significantly increased up to 20,000 $. The winners will have enough money to fill the new cases with :)
This competition is divided into three categories: exploitation of web browser vulnerabilities, exploitation of kernel vulnerabilities, and exploitation of vulnerabilities in mobile devices. Detailed rules of participation are under the cut.
Attention! A laptop is required to participate in the competition.
Why do we need it?
We just want to make this world securer. We strive for promoting ideas of responsible disclosure of vulnerabilities. That is why the competition has an important condition: a participant who detected a vulnerability should inform the software vendor within 6 months from the moment of its detection.
Hacking Web Browsers. Rules
In every round, attacks should be conducted against one of the specified browsers; the organizers follow the link provided by a participant. Only one attack vector can be used in each round. Having succeeded in the first round, a participant takes the first prize; in the second round, the second prize. Likewise, the third prize is given for the in the third. A participant will succeed if after conducting a remote attack against a client he or she will be able to launch an application on client’s operating system. The organizers reserve the right to lower a participant’s rating depending on the type of vulnerability used and its exploitation conditions (involvement of interaction with a user, attack development limitations and other conditions affecting CVSS severity).
Software for Exploitation
First round: Microsoft Internet Explorer 9, Google Chrome 19.0.1084, Mozilla Firefox 12.
Second
round: Microsoft Internet Explorer 8/9, Mozilla Firefox 10/11/12, Google Chrome
16/17/18/19, Opera 11/12, Apple Safari 5.0/5.1.1/5.1.2.
It is
permitted to exploit the latest versions of typical third-party browser
components in the third round: Adobe Flash Player (11.2.202.235), Adobe Reader (10.1.3),
Java (7 update 4). The list of browsers for the third round is identical to the
list for the second one.
Platforms Used
First round
— Windows 7 Service Pack 1 (x64). Second and third rounds: Windows 7 Service Pack
1 (x64/x86) and Windows XP SP3 (x86).
Participation Terms
All the
preregistered specialists can participate in the competition. Please send your
applications to phdcontests@ptsecurity.com. The last day of the registration is
May 28, 2012. Specify the participant’s name, target browser, and an attack
vector. The organizers of the competition reserve the right to refuse a
candidate in case he or she fails to prove his or her competence to handle the
issues the competition is based on.
Prizes
1st
place – 137,000 Russian rubles
2nd
place – 75,137 Russian rubles
3rd place
– 50,137 Russian rubles
If several
participants of the competition claim the same place, the winner will be
decided by expert evaluation of the exploit technical characteristics
(exploitation complexity, stability, etc.).
Participants
of the competition can visit all events of Positive Hack Days for free.
Technical Details
Hacking Mobile Devices. Rules
Only one device can be attacked in a round using one attack vector; the organizers of the competition follow the link provided by a participant of the competition. In case of success in the first round, a participant takes the first prize, in case of success in the second or the third round – the second or the third prize respectively. After every exploitation attempt the operating system will be restored to its original state. A participant will succeed if after conducting a remote attack against a device he or she will be able to launch an application on that device. The organizers reserve the right to lower a participant’s rating depending on the type of vulnerability used and exploitation conditions (necessity of interaction with a user, attack development limitations and other conditions affecting CVSS severity).
Participation Terms
All the
preregistered specialists can participate in the competition. Please send your
applications to phdcontests@ptsecurity.com. The last day of the registration is
May 28, 2012. Specify the participant’s name, the target operating system,
device’s type (tablet or smartphone) and an attack vector. The organizers of
the competition reserve the right to refuse a candidate in case he or she fails
to prove his or her competence to handle the issues the competition is based on.
Prizes
1st
place – 137,000 Russian rubles
2nd
place – 75,137 Russian rubles + iPhone 4s
3rd place
– 50,137 Russian rubles
If several
participants of the competition claim the same place, the winner will be
decided by expert evaluation of the exploit technical characteristics
(exploitation complexity, stability, etc.).
Participants
of the competition can visit all events of Positive Hack Days for free.
Positive Technologies (the PHDays organizer) and the sponsors of the forum
provide prizes and gifts for all participants of the competition.
Platforms Used
First
round: iOS 5.1.1 (tablet/smartphone) or Android 4.0.4 (tablet/smartphone)
Second
round: iOS 5.1.1 (tablet/smartphone) or Android 4.0.4 (tablet/smartphone) +
well-known software of a third-party manufacturer (to be discussed with the
organizers at the registration stage)
Third
round: iOS 5.0 (tablet/smartphone) or Android 3.0 (tablet), Android 2.3
(smartphone)
Technical Details
Versions of
the software used in the competition are finally settled not less than two
weeks before the beginning of the forum. The relevant information will be
published on the PHDays 2012 web site (http://www.phdays.com). Devices with the
default out-of-the-box configuration are used in the competition, except for
configurations necessary to organize a network connection. After every
vulnerability exploitation attempt the device will be rebooted and restored to
its original state.
A standard
attack vector implies a visit to a specially crafted site via a default browser
of a device. If other attack vectors are used (receiving of SMS/MMS, viewing e-mail
messages, etc.), a participant should specify this information in the
application for the competition.
The
competitors should bring their own software and hardware needed for conducting
attacks. Wireless or wired network connection will be provided.
Exploiting Kernel Vulnerabilities. Rules
Every
participant will be able to demonstrate exploitation of OS kernel
vulnerabilities. An exploit offered by a candidate should give an unprivileged
user a possibility to increase his or her system privileges up to a superuser
level.
In every
round, attacks should be conducted against one of the specified platforms; the
organizers of the competition launch an executable file provided by a participant.
Only one attack vector can be used in a round. In case of success in the first
round, a participant takes the first prize, in case of success in the second or
the third round – the second or the third prize respectively. A participant
will succeed if he or she increases privileges from the level of an
unprivileged user to the maximum privilege level of the system. The organizers
reserve the right to lower a participant’s rating depending on the type of a
vulnerability used and exploitation conditions (necessity of interaction with a
user, attack development limitations and other conditions affecting CVSS severity).
Platforms Used
First round:
Windows
7 Service Pack
1 (x64);
Windows
Server 2008 SP2 (x64);
Debian Linux 3.3.5;
FreeBSD 9.0;
OpenBSD 5.1;
OS X 10.7.4.
Second
round:
Windows 7 Service Pack 1 (x86);
Windows Server 2003 SP2;
Windows XP SP3 (x86);
Debian Linux 2.6.32-45;
FreeBSD 8.0;
OpenBSD
5.0;
OS X
10.7.1.
Third
round: the platforms are identical to those of the first round. It is possible
to use well-known security software (antiviruses, HIPS, etc.) of a third-party vendor
(to be discussed with the organizers at the registration stage).
Participation Terms
All the
preregistered specialists can participate in the competition. Please send your
applications to phdcontests@ptsecurity.com. The last day of the registration is
May 28, 2012. Specify the participant’s name, and the target platform. The organizers
of the competition reserve the right to refuse a candidate in case he or she
fails to prove his or her competence to handle the issues the competition is
based on.
Prizes
1st
place – 75, 000 Russian rubles
2nd
place – 50,000 Russian rubles
3rd place
– 30,000 Russian rubles
If several
participants of the competition claim the same place the winner will be decided
by expert evaluation of the exploit technical characteristics (exploitation
complexity, stability, etc.).
Participants
of the competition can visit all events of Positive Hack Days for free.
Technical Details
Platforms
versions used in the competition are finally settled not less than two weeks
before the beginning of the forum. The relevant information will be published
on the PHDays 2012 web site (http://www.phdays.com). After every vulnerability
exploitation attempt the operating system will be restored to its original
state. The competitors should bring their own software needed for conducting
attacks.
Information
on the detected vulnerabilities should be disclosed using one of the following
ways:
- providing a software vendor with a detailed description of detected vulnerabilities;
- communicating information on the vulnerabilities to CERT;
- communicating information on the vulnerabilities via UpSploit;
- communicating information on the
vulnerabilities by means of participation in other official programs of
remuneration for detected vulnerabilities such as Zero Day Initiative.
You should enter on the arrangement for the blog. You can present it’s primary advantage. Your blog explorings would enlarge your browsers plus . How to make gift baskets
ReplyDelete