December 29, 2014

4G Security: Hacking USB Modem and SIM Card via SMS

Telecommunications operators are pushing fast and cheap 4G communications technology. Yet only the chosen few know just how insecure it is. While researching the security level of 4G communications, Positive Technologies experts managed to uncover USB modem vulnerabilities that allow a potential attacker to gain full control of the connected computer as well as to access a subscriber account on a mobile operator portal. Additionally, attacks on a SIM card using a binary SMS allow an intruder to sniff and decrypt traffic or lock the SIM.

December 2, 2014

DDoS attack over Load Balancer: secure your cookies!

In security analysis, we deal with various network devices, both well-known and rare ones. Among the latter, load balancers can be singled out. Today we would like to talk about the session persistence methods of the F5 BIG-IP load balancer. As we found out, an intruder is able to attack such a system and bypass the configured load balancing algorithm by manipulating cookie values.

What is a load balancer? It is a network device that distributes application traffic among servers and lets you control and change traffic characteristics according to specified parameters. When using applications, a client session should be served by the same server. For this purpose BIG-IP monitors and saves session information, which includes the address of the particular web server that serves the client. This information is used mainly for sending client requests to one and the same web server during the session lifetime.

September 17, 2014

Microsoft Windows 8.1 Kernel Patch Protection Analysis & Attack Vectors

Authors: Mark Ermolov, Artem Shishkin // Positive Research

PDF version: link

Kernel Patch Protection (also known as "patchguard") is a Windows mechanism designed to control the integrity of vital code and data structures used by the operating system. It was introduced in Windows 2003 x64 and has been constantly improved in further Windows versions. In this article we present a descriptive analysis of the patchguard for the latest Windows 8.1 x64 OS, and primarily focus on patchguard initialization and attack vectors related to it.

It is natural that kernel patch protection is being developed incrementally, so the initialization process is common for all versions of Windows that have patchguard. There are a lot of papers published about kernel patch protection on Windows, which describe the process of its initialization, so you may use the references at the end of this article to obtain details.

August 3, 2014

Cell Phone Tapping: How It Is Done and Will Anybody Protect Subscribers

You have probably read on various news websites about surveillance programs run by security services in different countries that cover the phone and Internet communications of ordinary citizens. We have already written about possible threats to mobile telecommunication networks, and today we want to put more emphasis on one of the attack vectors against mobile subscribers.

In short, the outline is like this. The attacker penetrates the SS7 (Signaling System No. 7) network and sends a Send Routing Info For SM (SRI4SM) service message into the network, specifying the phone number of the attacked subscriber A as a parameter. Subscriber A's home network sends the following technical information as a response: the IMSI (International Mobile Subscriber Identity) and the address of the MSC currently providing services to the subscriber.

July 28, 2014

What Is So Dangerous in Smart Grids?

Electricity is rising in price, and the world economy is looking for new ways to improve energy efficiency. In addition to solar and wind stations, everyone around the world is actively building Smart Grids that allow efficient energy use. Because they are usually connected to the Internet, there is natural interest in their security level.

July 20, 2014

Review of Hash Runner Tasks

This year, Hashrunner took place over the three days before Positive Hack Days, from May 16, 19:00 (UTC+4, Moscow) till May 19, 19:00 (UTC+4, Moscow). Among other things, we were trying to respect the interests of all geographically dispersed teams and cover 48 hours of two weekend days for every time zone. We received very positive feedback about including the whole weekend and thus we'll try to keep it this way.

Congratulations to the winners!

  1. InsidePro with 22.81% (write-up) won two R290x video cards plus souvenirs.
  2. hashcat with 21.23% (write-up) won an R290x video card plus souvenirs.
  3. john-users with 12.78% (write-up) won souvenirs.

Within three years of the contest, we have had three different winners: hashcat in 2012, john-users in 2013, and InsidePro in 2014. Every year, most submissions were received in the last 15 minutes and thus the winner was determined in the very nick of time. In 2012 and 2013, InsidePro was beaten into second place by hashcat and john-users, respectively. This year, InsidePro finally came first.

July 16, 2014

Review of Competitive Intelligence Tasks

Today we'd like to speak about certain practical aspects of confidential data gathering, using the tasks of the online contest Competitive Intelligence, which was held on May 15, 16 and 17.

July 14, 2014

Review of WAF Bypass Tasks

This year, the visitors of the Positive Hack Days Forum were invited to have a shot at bypassing the PT Application Firewall in the contest called WAF Bypass. It was a good opportunity for us to test our product in action, because the forum gathered the best information security experts. We had prepared a set of tasks for the contest, each representing a script with a typical vulnerability.

The participants were invited to use these vulnerabilities to get flags. All tasks were solvable, though some solutions were not obvious. The contestants were provided with a report from scanning the tasks' source code with another Positive Technologies product, Application Inspector. In this article, we will consider the contest tasks, bypassing methods, and the experience we have obtained.

June 18, 2014

Hot Summer 2014 for Telecoms

Lately, telecom giants have made a series of sensational confessions. Vodafone told the world about devices that governments use to intercept calls and messages. That's something new! :)

Deutsche Telekom follows Vodafone and is going to reveal how many surveillance requests it gets from governments.

June 3, 2014

Positive Technologies Experts Helped to Fix a Vulnerability in the Emerson DeltaV DCS

During a security analysis, Positive Technologies specialists detected a critical security error in the Emerson DeltaV distributed control system. With access to the system, an intruder is able to read and replace its configuration files and to run commands with any user's rights. The vulnerability affects DeltaV versions 10.3.1, 11.3 and 12.3. Emerson's DeltaV is a general purpose process control system that is used worldwide, primarily in the oil and gas and chemical industries.

May 15, 2014

Obtaining Passwords from Cisco Wireless LAN Controllers

During security analysis, experts often deal with default accounts. This is especially common in large companies with several hundred systems. That's why one of the main requirements for complying with security standards and best practices is to use complex, non-dictionary passwords.
There are two ways to test a system's compliance with this requirement:

  • password brute-forcing,
  • obtaining and checking passwords or their hashes from the system.

The former method can cause account lockout and thus is often found unacceptable. The latter one is preferable, but raises another problem if passwords are encrypted or hashed.

May 8, 2014

Competitive Intelligence Contest at PHDays III Writeup

Many things have changed since the contest Competitive Intelligence was last held. Snowden exposed the NSA, and it turned out that not only gossip-hungry housewives interfere in people's lives on the Internet, but also serious specialists with the help of MIT mathematicians. The security of both proprietary and open-source protocol implementations proved to be far lower than expected. Algorithms for processing big data in cloud solutions nowadays allow tracking correlations of bitcoin transactions, which were previously considered safe and anonymous...

Three winners, those who solve the tasks faster than the others, will receive free tickets to PHDays IV, where they will be generously awarded. The prize for first place is an iPad. The contest will be held one week before the forum and will last for two days, May 15 and 16.

You are welcome to register at

This year's contest sponsor is Zecurion.

Writeup: Competitive Intelligence PHDays III

The main idea of the "Competitive Intelligence" competition was to employ real-world methods for data collection and analysis, penetration testing, search mechanisms and deductive reasoning, as well as to assess the audience's level of information security awareness.

Unlike in 2012, since the tasks proved more difficult, this year no one managed to solve all of the challenges. Winners collected 12 correct answers and were ranked based on how much time they spent completing the activities.

Now, let’s estimate the results, provide correct answers for those that failed and review the amended list of winners.

The company to work with was Godzilla Nursery Laboratory, an international company breeding and selling companion godzillas. Godzillas were chosen deliberately, as they "guarded" a railway in the Choo Choo Pwn competition.

Google directly hints that the official site of this company with a nice logo is, and most employees have LinkedIn profiles. Well, come on!

May 7, 2014

PHDays CTF Quals: Tasks Analysis

Positive Hack Days CTF is an international information protection contest based on the CTF (capture the flag) principles. Several teams are to defend their own networks and attack the networks of the other teams for a specified period of time. The contestants need to detect vulnerabilities in other teams' systems and to obtain sensitive information (flags) while detecting and fixing vulnerabilities of their own systems.

Today we would like to analyze certain interesting tasks that were offered to participants of the past contests.

History and Geography

This year PHDays CTF takes place for the fourth time. The contest was launched during the Positive Hack Days forum in 2011. Back then, the team PPP from the US was the winner. The following year in 2012 Leet More from Russia took first place. In 2013 at PHDays III, Eindbazen from the Netherlands took the top prize. Teams from all over the world — from the USA to Japan — participate in PHDays CTF every year.

More than 600 teams from all over the world have registered to take part in this year’s PHDays CTF.

Tasks and the Atmosphere

Traditionally, tasks and infrastructure are prepared based on a legend of the contest, which would turn a set of tasks into a fascinating competition. Last year, PHDays CTF participants tried to save the fictional world D’Errorim. The upcoming contest will continue the plot.

April 21, 2014

Mobile Switching Center DoS

The Mobile Services Switching Center (MSC) is a core element of a GSM/UMTS network. The MSC is responsible for routing voice calls, as well as other services.

Is it difficult to conduct DoS against an MSC and leave mobile subscribers without connection? It depends. We go for SS7 networks.

Modern protocols usually have embedded security features, but the SS7/SIGTRAN stack does not. Complex connection procedures provide access control for SS7 signaling networks, but at the same time they are expensive and mostly bureaucratic. Convergent IP networks, however, make SS7 far easier to access. This leads to a security threat: an attacker could send signaling messages into SS7 networks, as well as intercept and modify messages at will.

April 3, 2014

Search and Neutralize. How to Determine Subscriber’s Location

Mobile networks can be attacked through multiple vectors. In this article, we will consider an attack that allows detecting the cell where a subscriber is located. I do not use more common units of measurement because the size of a cell is not fixed. In cities, a cell site may have a range of a hundred meters, and in rural areas, the range is several kilometers.

February 28, 2014

Unusual 3G/4G Security: Access to a Backhaul Network

A backhaul network is used to connect base stations (known as NodeB in 3G terminology) to a radio network controller (RNC).

Connection costs for base stations make up a significant part of a provider's total expenses, so it is reasonable to reduce the costs of building and running such networks, in particular by implementing new technologies.

February 24, 2014

A Sketch of SIP Security

The Internet is a great tool for communication. You can contact other people using e-mail, online chats, voice and video messengers. With the arrival of new cable systems and Balloon-Powered Internet, soon even the penguins of Antarctica will have access to the Internet!

But what about voice? Since there's such wide Internet coverage, why do we need telephone lines? We could send voice over Internet channels, and SIP (Session Initiation Protocol) addresses this need. SIP has a very interesting story, but first we want to highlight certain aspects of the protocol.

SIP is the most commonly used protocol for Voice over Internet Protocol (VoIP) services. SIP is a protocol for initiating a session for further data transfer. It transfers information such as login, domain and password in clear text (in plain or hashed form). Sometimes authentication is not used at all (the connection is identified by an IP:port pair).

Next we will examine several threats that can occur while using SIP and methods to exploit them.

January 31, 2014

True Tales About Vulnerabilities in Google Services

Story 1. The Little Content Type that Could

The vulnerability was found in Feedburner. First, I created a feed and tried to inject malicious data. No success there. Injected data just wouldn't show up; only harmless links were presented. I made a few more attempts and then I found lots of messages from PodMedic. PodMedic examines the links in every feed. If it finds problems in creating a feed, it reports the cause of those problems. The messages read that the links were incorrect because the content type returned was a text type.

Hmm. Ok. I bet the content type on this page isn't filtered. A simple script for my server:

; charset=UTF-8'); ?>

And here it is: