Sunday, July 20, 2014

Review of Hash Runner Tasks


This year, Hashrunner had been taking place during three days before Positive Hack Days — from May, 16 19:00 (UTC+4, Moscow) till May, 19 19:00 (UTC+4, Moscow). Among other matters, we were trying to respect the interests of all geographically dispersed teams and cover 48 hours of two weekend days for every time zone. We received great positive feedback about including the whole weekend and thus we’ll try to keep it this way.

Congratulations to the winners!

  1. InsidePro with 22.81% (write-up) won two R290x video cards plus souvenirs.
  2. hashcat with 21.23% (write-up) won an R290x video card plus souvenirs.
  3. john-users with 12.78% (write-up) won souvenirs.

Within three years of the contest, we had three unique winners: hashcat in 2012, john-users in 2013, and InsidePro in 2014. Every year, most submissions were received in the last 15 minutes and thus the winner was determined in the very nick of time. In 2012 and 2013, InsidePro was beaten into the second place by hashcat and john-users, respectively. This year, InsidePro finally became the first.

Wednesday, July 16, 2014

Review of Competitive Intelligence Tasks

Today we'd like to speak about certain practical aspects of confidential data gathering in terms of tasks of the online contest Competitive Intelligence, which was held during May 15, 16 and 17.

Monday, July 14, 2014

Review of WAF Bypass Tasks

This year, the visitors of the Positive Hack Days Forum were invited to have a shot at bypassing the PT Application Firewall in the contest called WAF Bypass. It was a good opportunity for us to test our product in action, because the forum gathered the best information security experts. We had prepared a set of tasks for the contest, each representing a script with a typical vulnerability.

The participants were invited to use these vulnerabilities to get flags.  All tasks were solvable, though some solutions were not obvious. The contestants were provided with the report about scanning the tasks' source code with another Positive Technologies product Application Inspector. In this article, we will consider the contest tasks, bypassing methods, and the experience we have obtained.

Wednesday, June 18, 2014

Hot Summer 2014 for Telecoms

Lately, telecom giants have made a series of sensational confessions.  Vodafone told the world about devices that governments use to intercept calls and messages. That's something new! :)

Deutsche Telekom follows Vodafone and is going to reveal how many surveillance requests it gets from governments.

Tuesday, June 3, 2014

Positive Technologies Experts Helped to Fix a Vulnerability in the Emerson DeltaV DCS

During a security analysis, Positive Technologies specialists detected a critical security error in the Emerson DeltaV distributed control system. While having access to the system, an intruder is able to read and replace its configuration files, and to run commands with any user's rights. The vulnerability affects DeltaV versions 10.3.1, 11.3 and 12.3. Emerson’s DeltaV is a general purpose process control system that is used worldwide primarily in the oil and gas and chemical industries.

Thursday, May 15, 2014

Obtaining Passwords from Cisco Wireless LAN Controllers

During security analysis, experts often deal with default accounts. Particularly, it is very usual for large companies having several hundred systems. That’s why one of the main requirements is to use complex non-dictionary passwords to comply with security standards and best practices.
There are two ways to test the system compliance with this requirement:

  • password brute-forcing,
  • obtaining and checking passwords or their hashes from the system.

The former method can cause account lockout and thus is often found unacceptable. The latter one is preferable, but gives another problem if passwords are encrypted or hashed.

Thursday, May 8, 2014

Competitive Intelligence Contest at PHDays III Writeup

Many things changed since the contest Competitive Intelligence was held last time. Snowden exposed NSA, it turned out that not only gossip-hungry housewives interfere in people’s lives on the Internet, but also serious specialists with the help of MIT mathematicians. The security of both proprietary and open-source protocol implementations proved to be far lower than expected. Algorithms for processing big data in cloud solutions nowadays allow tracking correlations of bitcoin transactions, which previously were considered safe and anonymous….

Three winners — those, who solves the task quicker than others, will receive free tickets to PHDays IV, where they will be generously awarded. The prize for being the first is iPad. The contest will be held one week before the forum and will last for two days — May 15 and 16.

You are welcome to register at

This year's contest sponsor is Zecurion.

Writeup Cometitive Intelligence PHDays III

The main idea for the "Competitive Intelligence" competition was to employ real-world methods for data collection and analysis, penetration testing, search mechanisms and deductive reasoning as well as to access audience’s awareness level of information security.

Unlike in 2012, since the tasks proved more difficult, this year no one managed to solve all of the challenges. Winners collected 12 correct answers and were ranked based on how much time they spent completing the activities.

Now, let’s estimate the results, provide correct answers for those that failed and review the amended list of winners.

The company to work with was Godzilla Nursery Laboratory - as international company breeding and selling companion godzillas. Godzillas were chosen deliberately as they "guarded" a railway in the Choo Choo Pwn competition.

Google directly hints that the official site of this company with a nice logo is, and most employees have LinkedIn profiles. Well, come on!