Information security specialists, who hack computer systems and mobile devices to detect and fix previously unknown vulnerabilities in popular software, demonstrated their skills by hacking Safari, SCADA and by detecting a vulnerability in iPad at the Positive Hack Days international forum, which took place on Thursday (19/05/2011) in Moscow.
MOSCOW, May 19th – RIA Novosti, Ivan Shadrin
Information security specialists, who hack computer systems and mobile devices to detect and fix previously unknown vulnerabilities in popular software, demonstrated their skills by hacking Safari, SCADA and by detecting a vulnerability in iPad at the Positive Hack Days international forum, which took place on Thursday in Moscow.
The Positive Hack Days international forum was held by Positive Technologies (develops solutions to ensure corporate information security) for the first time, however the forum was able to draw the attention of information security experts from large Russian companies and from abroad. During the day, the representatives of Kaspersky Lab, Group-IB, VimpelCom, Rostelecom, Russian Argicultural Bank and other companies and organizations, including Federal Service for Technical and Export Control, conducted their reports, business seminars, and masterclasses at the forum sites.
Along with reports, various hacking contests were conducted in the framework of the forum. As part of the hack2own contest, CISSRT information security specialists demonstrated that the latest version of the Safari Internet browser for Windows contained a zero day vulnerability (a vulnerability that was not known by information security specialists before) and exploited it to run an application, thus demonstrating a security flaw in the popular browser and winning a laptop, on which the vulnerable Safari was installed.
The same participants tried to hack the iPad tablet computer by exploiting a vulnerability in a mobile version of the Safari browser, but did not succeed, since the exploit (a program for exploiting vulnerabilities in tested software) written by them, did not work stably. However, as the organizers of the contest told RIA Novosti, the CISSRT representatives proved the existence of the vulnerability in the Safari browser during the qualifying round, and failed to demonstrate it in practice, because they had not enough time before the beginning of the contest to bring the exploit to an acceptably stable condition. According to the authors of the exploit, the vulnerability allows removing and modifying any information in the iPad memory. Nevertheless, technically, in the hack2own contest the iPad withstood the hackers’ attack.
The main hacking contest of Positive Hack Days was "CTF (Capture The Flag) Freestyler", which is a kind of intellectual contest, popular with information security specialists in Russia and all over the world, aimed at assessing participants’ skills in attacking and protecting computer systems. The contest lasted almost all the working time of the forum: from 9 a.m. till 5 p.m. (Moscow time). Ten teams took place in the contest: seven from Russia and three from abroad (USA, France, and India).
The organizers of the contest developed contest software which imitated various real computer systems. In particular, the participants were to attack and protect virtual copies of SCADA systems, used for managing various industrial facilities.
According to the rules of the CTF Freestyler, each team was provided a computer system at their disposal and had to protect it from other teams, at the same time conducting attacks against other teams’ systems. An attack was considered successful, if it resulted in the loss of availability of the affected system. In this case, the team that allowed a successful attack against their system, lost several contest points. The team that conducted a successful attack, on the contrary, gained contest points, but only in the case if the team managed to capture the flag in the enemy’s system. The role of the flag in the contest legend was performed by a specific source code string.
The best protectors and attackers of computer systems proved to be the members of the USA team called "PPP", who became the first and gained the top prize of 5 thousand dollars. Second and third places were taken by the teams from Saint Petersburg and Yekaterinburg. Russian prize-winners were awarded 3 and 2 thousand dollars respectively. CTF Freestyler became one of the major contests among the СTF contests conducted in Russia.
Too Drunk to Hack
After the completion of all reports, hacking competitions and award ceremony, the organizers conducted a mock contest called Too Drunk to Hack, in which only persons of the full legal age could take part. According to the rules, contestants were to hack a copy of the phdays.ru website, which contained several vulnerabilities. In case if a contestant makes a mistake while hacking, they are to drink 50 grams of tequila.
Eight contenders from France, USA, and Russia took part in the contest. As opposed to the "CTF Freestyler" results, in this contest Russian information security specialists were unrivalled – the winner of the Too Drunk to Hack contest was the onsec.ru chief information security expert and web security researcher Vladimir Vorontsov. After 6 mistakes, he detected the vulnerabilities prepared by the organizers and hacked the copy of phdays.com.