
Wednesday, June 27, 2012

Show Me the Money! The $natch Competition at PHDays 2012


Visitors to Positive Hack Days 2012, held at the Digital October Center, not only had the chance to listen to talks by information security professionals and watch the epic CTF battle, but also took part in discussions of important industry issues at specialized sections.

Among these discussion platforms was a section called How to Protect Money, moderated by Artem Sychev (Head of Information Security Department, Rosselkhozbank). Alongside the theory – discussions of the security challenges facing the banking sector – the section offered a practical task: the $natch competition. The competition tested participants’ skill at exploiting typical remote banking vulnerabilities, business-logic flaws rather than web ones.

Especially for the competition, we developed our own remote banking system from scratch and embedded in it common vulnerabilities that Positive Technologies experts had revealed in the course of security assessments of such systems. The solution, called PHDays I-Bank, was a standard Internet bank with a web interface, a PIN code for account access, and a card processing back end.


The day before the competition, the participants received an image of an operating system with the remote banking system installed (and its source code, of course) together with a test database. Thus they had a day to find the vulnerabilities and write exploits for them. During the competition, each participant got a personal login and password for the remote banking system and a real bank card bound to a specific account.


The competition lasted 30 minutes. The participants had to hack the database (this time the operational one), transfer money to another account and then use the bank card to cash out the money at an ATM waiting for the winners in the lobby.

Though it was not officially announced, the money could be stolen not only from the “bank” but from other participants as well :) The balances were displayed on a large screen, so during the 30 minutes the guests could follow the game and see who had managed to steal more money.



In the end, the competition was won by Gifts, who managed to withdraw 3,500 rubles, followed by Chipik (900 rubles). Third place went to Raz0r. The game was fair: the ATM dispensed every amount they had earned.


CTF vs. Online HackQuest

Then it was time for the CTF teams to join the competition. Their task was to ensure the system’s security. The contestants were likewise given the operating system image with the remote banking system, its source code and the test database. They had 4 hours to find and eliminate the vulnerabilities, on the condition that the system’s functionality remained unchanged. In other words, a secure but non-working system was not an option.

The role of the hackers was played by Internet users participating in the Online HackQuest competition. Once they were granted VPN access to the network, they had 30 minutes to attack the system and take the money from the CTF teams’ accounts. A detailed description of the rules is published in our blog entry. In the end, the CTF teams snatched the victory: they managed to save almost all their money.

Both the participants and the onlookers enjoyed the competition immensely and unanimously called it the star turn of the forum’s program. We already have some ideas for making the competition even more exciting and entertaining and will try to implement them at PHDays 2013. So, see you next year!

P. S. We’d like to point out once again: the remote banking system used for the competition was developed by Positive Technologies specifically for the PHDays 2012 competitions. It IS NOT USED in any real bank; however, it is as similar to real systems as possible and contains vulnerabilities typical of such systems.
