Wednesday, July 22, 2015

Digital Substation Takeover: Contest Overview

Digital Substation Takeover, presented by iGRIDS, was held at PHDays V. The contest's participants tried themselves in hacking a real electrical substation designed according to IEC 61850. The general task was to perform a successful attack against the electrical equipment control system.

Best Reverser Write-Up: Analyzing Uncommon Firmware

While developing tasks for PHDays’ contest in reverse engineering, we had a purpose of replicating real problems that RE specialists might face. At the same time we tried to avoid allowing cliche solutions.

Monday, July 6, 2015

The MiTM Mobile Contest: GSM Network Down at PHDays V

Although we have published several research works on cell phone tapping, SMS interception, subscriber tracking, and SIM card cracking, lots of our readers still regard those stories as some kind of magic used only by intelligence agencies. The MiTM Mobile contest was held at PHDays for the first time, and it let the participants realize how easily an attacker can conduct the above-mentioned attacks having only a 10$ cell phone with some hacker freeware.

Friday, July 3, 2015

PHDays V Highlights: Signs of GSM Interception, High Time to Hack Wi-Fi, Future of Encryption

Technological singularity is expected in 15 years at best, but Positive Hack Days transition is happening right now. The fifth forum had a record attendance – over 3,500 visitors, which is comparable to the leading international hacker conferences, and the number of talks, sessions, and various activities surpassed one hundred. The incredible and exciting contests involved hacking spaceships, power plants, ATMs, and railway companies. More Smoked Leet Chicken became the winning champion of this year’s CTF, showing their best at stock exchange speculation. Congratulations! A detailed write-up about that is coming soon. Right now let’s focus on a number of recommendations and tips that impressed us most of all during the 2-day hacker marathon that took place in World Trade Center on May 26-27.

Wednesday, June 3, 2015

WAF Bypass at Positive Hack Days V

As it did last year, the PHDays forum on information security hosted WAF Bypass this year as well. The contest's participants tried to bypass the protection of PT Application Firewall, Positive Technologies' product. For this contest, the organizers developed the site Choo Roads, which contained common vulnerabilities, such as Cross-Site Scripting, SQL Injection, XML External Entities Injection, Open Redirect. Upon exploiting one of the vulnerabilities, a participant obtained a flag in the MD5 format and gained points. MD5 flags could be found in the file system, database, and cookie parameters and detected by a special bot that was developed by using Selenium.

Friday, May 22, 2015

Online banking vulnerabilities in 2014: Authentication, Authorization and Android

Today the security for online banking (OLB) is insufficient. High severity vulnerabilities in the source code and multiple flaws in authentication and authorization mechanisms of systems allow remote attackers to execute unauthorized transactions or take complete control of an affected system. This has the potential to cause both financial and reputation damage.

In this article we present some results of the research on OLB vulnerabilities discovered by Positive Technologies experts in 2013 and 2014 in the course of security assessments for a number of the largest Russian banks.

Tuesday, May 19, 2015

Schneider Electric Thanks the Winner of the Positive Hack Days Hacker Contest

Early April, Schneider Electric has released several updates and patches fixing vulnerabilities in the software used for creating SCADA and HMI systems at nuclear power plants, chemical plants and other critical units.

The vulnerabilities which even a novice attacker could exploit were found in InduSoft Web Studio, InTouch Machine Edition 2014 as well as previous versions of these products. Among bugs fixed — arbitrary code execution and non-encrypted storage/transfer of sensitive data. The vendor recommends downloading the new patches as soon as possible.

Ilya Karpov and Kirill Nesterov, Positive Technologies researchers, detected the vulnerabilities during an ICS security analysis. Meanwhile, many bugs in those products were independently revealed by the participants of the Critical Infrastructure Attack contest held in May 2014  at the international infosec conference Positive Hack Days IV.