
Wednesday, June 27, 2012

Show Me the Money! The $natch Competition at PHDays 2012


Visitors to Positive Hack Days 2012, which took place in the Digital October Center, not only had a chance to listen to talks by information security professionals or watch the epic CTF battle, but also to take part in discussions of important industry issues in specialized sections.

Among such discussion platforms, there was a section called How to Protect Money, moderated by Artem Sychev (Head of Information Security Department, Rosselkhozbank). Along with theory – discussions of the security challenges of the banking sector – the section offered a practical task: the $natch competition. The competition tested participants’ skills at exploiting typical remote banking vulnerabilities, logic flaws rather than web vulnerabilities.

Specially for the competition, we developed our own remote banking system from scratch and embedded common vulnerabilities revealed by Positive Technologies experts in the course of security assessments of such systems. The solution, called PHDays I-Bank, was a standard Internet bank with a web interface, a PIN code for accessing the account, and a processing back end.


The day before the competition, the participants received an image of an operating system with the remote banking system installed (and its source code, of course) and a test database. Thus, they had a day to detect the vulnerabilities and write exploits for them. During the competition, each participant got a personal login and password for the remote banking system and a real bank card linked to a specific account.


The competition lasted for 30 minutes. The participants were to hack the database (this time the live one), transfer money to another account and then use the bank card to cash out the money at an ATM waiting for the winners in the lobby.

Though it was not officially announced, the money could be stolen not only from the “bank” but from other participants as well :) The balances were displayed on a large screen, so during the 30 minutes the guests could follow the game and see who had managed to steal more money.



Finally, the competition was won by Gifts, who managed to take out 3,500 rubles, followed by Chipik (900 rubles). Third place was taken by Raz0r. The game was fair: the ATM dispensed every amount they had earned.


CTF vs. Online HackQuest

Then it was time for the CTF teams to join the competition. Their task was to ensure the system’s security. The contestants were also given the image of the operating system with the remote banking system, its source code and the test database. They had 4 hours to detect and eliminate the vulnerabilities on the condition that the system functionality remained unchanged. In other words, a secure but non-functional system was not an option.

The role of hackers was played by the Internet users participating in the Online HackQuest competition. Once they were granted VPN access to the network, they had 30 minutes to attack the system and take the money out of the CTF teams’ accounts. A detailed description of the rules is published in our blog entry. In the end, the CTF teams snatched the victory: they managed to save almost all their money.

Both the participants and the onlookers enjoyed the competition immensely and unanimously called it the star turn of the forum’s program. We already have some ideas on how to make the competition even more exciting and entertaining and will try to implement them at PHDays 2013. So, see you next year!

P. S. We’d like to point out once again: the remote banking system used for the competition was developed by Positive Technologies specially for the PHDays 2012 competitions. It IS NOT USED in any real bank; however, it is as similar to real systems as possible and contains vulnerabilities typical of such systems.
