Pages

Monday, July 28, 2014

What Is So Dangerous in Smart Grids?



Electricity is rising in price, and the world economy is looking for new ways to improve energy efficiency. In addition to solar and wind stations, everyone around the world is actively building Smart Grids allowing effective energy use. Because they are usually connected to the Internet, there is natural interest in their security level.

Sunday, July 20, 2014

Review of Hash Runner Tasks

Intro

This year, Hashrunner had been taking place during three days before Positive Hack Days — from May, 16 19:00 (UTC+4, Moscow) till May, 19 19:00 (UTC+4, Moscow). Among other matters, we were trying to respect the interests of all geographically dispersed teams and cover 48 hours of two weekend days for every time zone. We received great positive feedback about including the whole weekend and thus we’ll try to keep it this way.

Congratulations to the winners!

  1. InsidePro with 22.81% (write-up) won two R290x video cards plus souvenirs.
  2. hashcat with 21.23% (write-up) won an R290x video card plus souvenirs.
  3. john-users with 12.78% (write-up) won souvenirs.

Within three years of the contest, we had three unique winners: hashcat in 2012, john-users in 2013, and InsidePro in 2014. Every year, most submissions were received in the last 15 minutes and thus the winner was determined in the very nick of time. In 2012 and 2013, InsidePro was beaten into the second place by hashcat and john-users, respectively. This year, InsidePro finally became the first.

Wednesday, July 16, 2014

Review of Competitive Intelligence Tasks

Today we'd like to speak about certain practical aspects of confidential data gathering in terms of tasks of the online contest Competitive Intelligence, which was held during May 15, 16 and 17.

Monday, July 14, 2014

Review of WAF Bypass Tasks

This year, the visitors of the Positive Hack Days Forum were invited to have a shot at bypassing the PT Application Firewall in the contest called WAF Bypass. It was a good opportunity for us to test our product in action, because the forum gathered the best information security experts. We had prepared a set of tasks for the contest, each representing a script with a typical vulnerability.

The participants were invited to use these vulnerabilities to get flags.  All tasks were solvable, though some solutions were not obvious. The contestants were provided with the report about scanning the tasks' source code with another Positive Technologies product Application Inspector. In this article, we will consider the contest tasks, bypassing methods, and the experience we have obtained.

Wednesday, June 18, 2014

Hot Summer 2014 for Telecoms

Lately, telecom giants have made a series of sensational confessions.  Vodafone told the world about devices that governments use to intercept calls and messages. That's something new! :)



Deutsche Telekom follows Vodafone and is going to reveal how many surveillance requests it gets from governments.

Tuesday, June 3, 2014

Positive Technologies Experts Helped to Fix a Vulnerability in the Emerson DeltaV DCS


During a security analysis, Positive Technologies specialists detected a critical security error in the Emerson DeltaV distributed control system. While having access to the system, an intruder is able to read and replace its configuration files, and to run commands with any user's rights. The vulnerability affects DeltaV versions 10.3.1, 11.3 and 12.3. Emerson’s DeltaV is a general purpose process control system that is used worldwide primarily in the oil and gas and chemical industries.

Thursday, May 15, 2014

Obtaining Passwords from Cisco Wireless LAN Controllers

During security analysis, experts often deal with default accounts. Particularly, it is very usual for large companies having several hundred systems. That’s why one of the main requirements is to use complex non-dictionary passwords to comply with security standards and best practices.
There are two ways to test the system compliance with this requirement:

  • password brute-forcing,
  • obtaining and checking passwords or their hashes from the system.

The former method can cause account lockout and thus is often found unacceptable. The latter one is preferable, but gives another problem if passwords are encrypted or hashed.