How much does it take to hack a mobile network?
Is electronic government secure
in the era of WikiLeaks and Anonymous?

Is SCADA hacking a Hollywood fiction
or the nowadays reality?
Internet banking: is there any chance to win
over the fraudsters?

Cyber-crimes, cyber-espionage, cyber-war: where do we draw a borderline?


Friday, December 18, 2015

Tickets For PHDays VI Are Now Available

Tickets for the international forum on information security Positive Hack Days VI are available for purchase from December 17. We are keeping last year’s prices till mid-January. A two-day ticket costs 7,337 rubles before January 30.

You can register and buy ticket on the RUNET-ID Registration page. From January 31, the price will raise: a ticket for two days will cost 9,600 rubles, and 7,337 rubles for a one-day pass.

From March 1, the cost will raise to 14,400 for two days and 9,600 rubles per day.

Thursday, December 3, 2015

Speak About Your Cyberwar at PHDays VI

Positive Hack Days VI, the international forum on practical information security, opens Call for Papers on December 3, 2015. Our international program committee consisting of very competent and experienced experts will consider every application, whether from a novice or a recognized expert in information security, and select the best proposals.

Now, more than ever before, cybersecurity specialists are being asked to stop sitting on the fence and choose a side — competitive intelligence vs DLP systems; security system developers vs targeted cyberattacks; cryptographers vs reverse engineers; hackers vs security operations centers. A new concept of PHDays VI is designed to show what the current vibe is in information security.

Thursday, July 9, 2015

Hot Cyberwar. Hackers and Missile Launchers

The most spectacular contest during PHDays V was the one organized by Advantech. The contest's participants must gain control over an industrial system that controlled a missile launcher and to hit a certain secret object.

Wednesday, July 8, 2015

Writeup: Competitive Intelligence Contest at PHDays V

This year among the participants of Competitive Intelligence were not only the contest’s usual fans but also CTF teams, so we adjusted difficulty levels accordingly. In addition, we allowed team play on one condition: a person couldn’t participate both individually and as part of a CTF team. That is why we reached a mutual agreement to disqualify the player who scored most — azrael.

All the contests were revolving around the fictional state — United States of Soviet Unions. The Competitive Intelligence participants had to look for info about company employees with the USSU citizenship. Meantime the players were free to answer five various questions regarding five different organizations. Within one block, you could open new questions after answering the previous ones. (One team even managed to find the right answer using a brute force method, but failed to advance after that – they just didn’t have enough info.)

Friday, July 3, 2015

The MiTM Mobile Contest: GSM Network Down at PHDays V

Although we have published several research works on cell phone tapping, SMS interception, subscriber tracking, and SIM card cracking, lots of our readers still regard those stories as some kind of magic used only by intelligence agencies. The MiTM Mobile contest was held at PHDays for the first time, and it let the participants realize how easily an attacker can conduct the above-mentioned attacks having only a 10$ cell phone with some hacker freeware.

Tuesday, June 30, 2015

Best Reverser Write-Up: Analyzing Uncommon Firmware

While developing tasks for PHDays’ contest in reverse engineering, we had a purpose of replicating real problems that RE specialists might face. At the same time we tried to avoid allowing cliche solutions.

Thursday, June 11, 2015

Digital Substation Takeover: Contest Overview

Digital Substation Takeover, presented by iGRIDS, was held at PHDays V. The contest's participants tried themselves in hacking a real electrical substation designed according to IEC 61850. The general task was to perform a successful attack against the electrical equipment control system.

Friday, June 5, 2015

How They Hacked Internet Banking at PHDays V

During Positive Hack Days V, which was held on May 26 and 27 in Moscow, the $natch competition was organized again. It consisted of two rounds. First, the contest's participants were provided with virtual machine copies that contained vulnerable web services of an internet banking system (an analog of a real system). After that, they had to analyze the banking system image and try to transfer money from the bank to their own accounts by exploiting security defects they had detected.

Wednesday, June 3, 2015

WAF Bypass at Positive Hack Days V

As it did last year, the PHDays forum on information security hosted WAF Bypass this year as well. The contest's participants tried to bypass the protection of PT Application Firewall, Positive Technologies' product. For this contest, the organizers developed the site Choo Roads, which contained common vulnerabilities, such as Cross-Site Scripting, SQL Injection, XML External Entities Injection, Open Redirect. Upon exploiting one of the vulnerabilities, a participant obtained a flag in the MD5 format and gained points. MD5 flags could be found in the file system, database, and cookie parameters and detected by a special bot that was developed by using Selenium.

Tuesday, June 2, 2015

PHDays V Highlights: Signs of GSM Interception, High Time to Hack Wi-Fi, Future of Encryption

Technological singularity is expected in 15 years at best, but Positive Hack Days transition is happening right now. The fifth forum had a record attendance – over 3,500 visitors, which is comparable to the leading international hacker conferences, and the number of talks, sessions, and various activities surpassed one hundred. The incredible and exciting contests involved hacking spaceships, power plants, ATMs, and railway companies. More Smoked Leet Chicken became the winning champion of this year’s CTF, showing their best at stock exchange speculation. Congratulations! A detailed write-up about that is coming soon. Right now let’s focus on a number of recommendations and tips that impressed us most of all during the 2-day hacker marathon that took place in World Trade Center on May 26-27.

Friday, May 29, 2015

PHDays V. Day First: How to Intercept SMS and Hack Satellite

Positive Hack Days launched on May 26, and on the very first day, cybersecurity experts demonstrated various techniques that are used to hack ATMs, online banking systems, mobile carriers' networks, energy, transport, and industrial companies. More than 50 reports were presented at the Word Trade Center. A number of hands-on labs, round tables were held as well. The organizer provided several video streams to broadcast the most interesting events on the forum's website.

Damage caused by a cyberattack can be measured in billions of dollars, while its actual cost is rather low. According to the Positive Research center, anyone with less than 10,000 dollars is able to gain remote access to somebody else's SIM card, which means access to the subscriber's traffic, SMS, calls and location data. Twenty percent of SIM cards are vulnerable to such attacks. It is also possible to obtain a subscriber's confidential information by attacking his mobile carrier's equipment. An attack on a GSM cell can cost about 1,000 dollars. To hack a base station, an intruder might need only a PC and access to the SS7 network.

Monday, May 25, 2015

Making Money on Cyberwar

It is well known that insider info about ups and downs of large corporations, if gained in time and played right, can earn you millions on the stock market. It’s hackers’ prerogative to get hold of such data or to influence a company’s activity by cracking critical business systems. So why not make some dough on your skill at Positive Hack Days V?

This year PHDays participants will be able to become part of our virtual country — the United States of Soviet Unions (USSU) — and trade stocks on the PHDays Stock Market. All forum attendees will be able to buy and sell “company” stocks (firsthand or using a broker) and gain advantage from insider info on the stock market.

Wednesday, April 29, 2015

PHDays V: How to Create Your Own Shodan, Find ROP Shellcodes, and Automate Reverse Engineering

The fifth Positive Hack Days international forum on practical security will take place in Moscow World Trade Center on May 26-27. With the second wave of Call for Papers finished, we present a new portion of reports.

Wednesday, February 25, 2015

What's New in the PHDays Program: supercomputer protection, iOS security, exploit selling

The first stage of Call for Papers has finished recently and we'd like to announce another batch of reports that will be presented on May 26 and 27 at PHDays V (you can find the first announcement on our blog). Speakers will discuss how to improve iOS application security and what hackers find attractive about supercomputers. They will also address the relationship between sellers and buyers of zero-day vulnerability exploits.

Tuesday, February 24, 2015

PHDays V: Encryption Standards, M&A in Yandex and Chemical Attacks

Early December was marked with Call for Papers opened for everyone willing to speak at Positive Hack Days V. Later we announced the first speakers introducing John Matherly, the creator of Shodan, John Bambenek, a cyber detective, and Chris Hadnagy, a professional social engineer.

The first CFP stage was over at the end of January. Today we present a new portion of reports included in the technical, practical and business program of upcoming PHDays. The forum guests will learn how to fortify a corporate IT system digitally, how to bypass Moscow Metro Wi-Fi authorization, and how attackers exploit vulnerabilities in physical processes.