Day 2 of PHDays VII: Revenge of the Hackers
Positive Hack Days VII came to an end this week, having drawn a record-setting 4,800 attendees from all over the world, including the U.S., Israel, Korea, Italy, France, Germany, Kazakhstan, Belarus, India, and Poland. The two-day gathering hosted hundreds of events: seven tracks plus hands-on labs, workshops, and hacking contests. Here are some of the highlights.
The Standoff: hackers strike city-wide panic
Let's start at the heart of the action—The Standoff. This hacking contest unfolded in a massive virtual setting closely modeling a real city containing a plethora of offices, telecom operators, railroads, power infrastructure, and IoT devices. Here teams of hackers, defenders, and security operations centers (SOCs) tried to outdo each other.
The first day started slow, with the only notable event by evening being the theft by Kazakhstan-based team TSARKA of compromising text messages from the city mayor. Later that night, three teams (Rdot.org, TSARKA, and Vulners) stole over 4 million credits from the city bank.
On the second day, hackers hit industry hard. BIZone halted operations at two of the city's key facilities—the power station and oil refinery. In the last hour of competition, TSARKA was able to find a car used by criminals who had left stolen money there. The hackers intercepted text messages sent by the car's GPS tracker, enabling them to calculate its location. At practically the same time, BIZone was again able to shut down the oil refinery. Their prior attack involved an attack on an electrical substation and power plant, but this time they pulled off an attack on the refinery itself.
KanzasCityShuffle succeed in hacking a smart home, Antichat gained access to a web camera, and Hack.ERS was able to steal money from users of SIP services. By hacking the accounts of SIP users, the hackers monetized the attack by making calls to premium-rate short numbers. And almost literally at the last minute, True0xA3 succeeded in stealing the financial reporting of a major city company by hacking the home router of the company's accountant.
Results and in-depth breakdowns of The Standoff are still being prepared—but the thrill and excitement carried over into the other events on the second day.
Day 2 kicked off with "Anti-plenary session. Technologies security: personal views of leading minds." Members of the security community shared their interests and concerns. Conversation started with Alexey Kachalin (Positive Technologies), who gave an idea of the scale of preparation for PHDays. This year's PHDays represents six months of preparations, 1,100 companies (of which 250 specialize in information security), 196 speakers, and 50 partners. In the words of Kachalin, PHDays builds a community: "There are so many people and ideas here—that's what moves us forward. Here and now, we are building a community that's willing to think flexibly and honestly in order to improve the system in which we live and work."
Remarks by Dmitry Manannikov (SPSR Express) described the topsy-turvy nature of the security world. As he sees it, business and security are in different worlds. Security evolves accordingly and the driving factor for these changes is automation, which offers both the promise of progress and the specter of unwanted consequences.
Dmitry shared his predictions: "Business will continue developing and growing, and the need for information security will remain as strong as ever. The technical premium will increase but security will be the province of other people. If we continue to act as if security is secret knowledge, some handed-down relic that defends against mythical risks, business will outgrow us. Security has got to evolve, and with it, we should transform from a limitation on growth into an asset for progress."
The talk "Mind Deep Learning" by Elman Beybutov (IBM) was a real performance, with smartphone music playing the entire time and Siri acting as a sort of co-presenter. Elman analyzed the outlook for artificial intelligence, which is currently at a "bee" level that is three tiers removed from human intellect. Beybutov expects that by 2040, AI will be able to make decisions as a human would. In as soon as seven to ten years, bots could replace humans in technical support and other roles involving rote work.
Alexey Volkov (Sberbank) told how to survive without information security. He shared the basic rules for security hygiene, which he summarized as: "Don't do what you shouldn't, and do what you should."
"They're trying to fool all of us. We can't let ourselves become paranoid or forget that the main weapon against any cybercrime is between our own two ears," concluded Volkov. This motivational tone was continued by Vladimir Bengin (Positive Technologies), who shared three rules that helped him when working on a large information security product. His recipe for success is to believe in what you do, don't get stuck in the clouds, and build a strong team relationship.
The most frank talk at the session came from Alexey Lukatsky (Cisco). He talked forthrightly about his own failures—something difficult to do in a community reluctant to look at its own professional mistakes. Alexey called on the audience to not fear failure. In essence, failing is fine, as long as you recognize the mistake, acknowledge it, and learn from it.
Ivan Novikov (Wallarm) asked the question of who's really in control: us or the machines? His answer was rather pessimistic for the human side: "We truly are working for the machines. Let's think and do something about this. What I realized is that the one thing I can really do well, is to bend these machines to our will. And so I do."
The closing discussion was entitled "Security Path: Dev vs Manage vs Hack." Dmitry Manannikov and Mikhail Levin, together with Vladimir Dryukov, Dmitry Gorbatov, Evgeny Klimov, and Denis Gorchakov, dove into careers and hiring: where can specialists be found, which specialists are needed, how to motivate employees, what career growth looks like, and how a technical contributor can grow. Opinions varied but the conclusion was that the ideal candidate for an infosec role should "be resourceful, have a STEM degree, and come from a rough neighborhood." Manannikov had this to say about career growth: "The way to grow is to cultivate management skills, learn to manage projects, get a business education, and integrate into the business environment in which you work—this is the only way."
Scanning's blind spots
James Kettle, Head of Research at PortSwigger Web Security, took a look at the blind spots in existing scanning technologies. "All of today's scanners generally do a bad job of looking for less common vulnerability types." Last November he released an open-source scanner that takes a different approach to finding vulnerabilities. He showed the mechanics of this scanner, which can find both known and new classes of vulnerabilities. As stated during the talk, his plans involve continuing to perfect the scanner in the years ahead.
Telecom and industry in the digital crosshairs
Mobile network threats were the topic of a talk by Kirill Puzankov, Sergey Mashukov, and Pavel Novikov (Positive Technologies). They demonstrated methods for intercepting text messages and gave discomforting statistics: "Our experts have identified over 50 different SS7 attacks, among these are IMSI disclosure, location disclosure, denial of service, interception and spoofing of text messages, call interception, and access to WhatsApp and Telegram chats. In our audits of mobile operators in 2015–2016, voice interception and eavesdropping were possible in 50 percent of cases. Locating a subscriber was possible in 58 percent of cases, and text message interception in 89 percent."
Brian Gorenc and Fritz Sands analyzed vulnerabilities in SCADA systems. They pinpointed weak spots in development of HMI solutions and their manifestations in code, fleshing them out with real-life cases and recommendations for spotting vulnerabilities in HMI and SCADA systems.
"In the ICS/SCADA world, it's as if the last 20 years never happened. All the improvements made in the security of servers and browsers have been blown off when it comes to SCADA. You'd think it's still 1990 judging by what we see," despaired Sands.
Gorenc recapped: "Why attack HMI? Because we need it for managing critical infrastructure. Often an attacker can fool the operator and bypass the alarm system. This is what happened with Stuxnet, when the early warning systems were disabled and centrifuges were taken offline. HMI is a very interesting target for an attack. There's been a proliferation of malware specially aimed at HMI, such as Stuxnet and BlackEnergy. Shockingly, there is virtually no HMI in the industry that is written taking security standards into account."
Bots both mean and kind
First place in the list of eagerly awaited talks at PHDays VII was Andrei Masalovich's "Stand or fall. An army of intelligent bots controlled by hackers." He described several methods for hacking popular sites and systems with bots, including automated CAPTCHA recycling, brute-forcing of credit card information, publication of media files on a hacked Twitter account, and seizing control of email and Facebook accounts.
A high-level overview is as follows: as bots encounter CAPTCHA tests on targeted sites, others bots insert these same CAPTCHA tests on hacker-controlled sites, where unsuspecting humans provide the necessary answers, which are reused to pass the tests on the original targeted site. Andrei mentioned a researcher who, like many, noticed that popular online stores fail to verify all information that is entered during the payment process. The researcher decided to find out what exactly, then, is being verified. Of the top 400 online stores on Amazon.com, only 47 use 3-D Secure, and 26 stores check only two of the three card fields (for example, the card number and expiration date, but not the CVV). Hackers can obtain card numbers and expiration dates more easily than they can CVVs, but the number of possible three-digit CVVs is limited to 10,000. So this researcher decided to see how quickly it would be possible to bruteforce the CVV with a Selenium botnet. The bots went to hundreds of stores and simultaneously tried to make purchases, verifying each possible CVV value for a particular card number. Getting the CVV for a VISA card took only six seconds. MasterCard did better, by enforcing a block after ten attempts.
Masalovich then proceeded to describe how bots can be used to seize legions of email accounts. Traditional brute-force attacks are caught easily—attempts to log in are blocked after the third incorrect password for a particular user name. But in a "horizontal" brute-force attack from various servers (or proxy services) when a single simple password has been chosen, entering three different user names a few milliseconds apart will be treated by the server as three isolated entry errors, with no reactive measures taken. Even a million attempts will not cause any response from a mail server. So an attacker can take a database of a million user names and sequentially seize those that have the simplest passwords (such as 123456 or Qwerty). Today's defenders recognize this use of a single password for multiple accounts as a sign of a botnet, even though these passwords are sometimes very unusual and seemingly strong. As a result, certain strong passwords are encountered by the busload in databases of cracked passwords.
The next stop for Masalovich was Facebook. When a user forgets their password, the site sends a confirmation code that the user must enter to recover their account. While these codes are generated in a robust and so-far uncracked way, the values of these codes stay within a narrow range that does not exceed a million possible versions at any given moment. So if someone clicks the account recovery button, that person can receive a confirmation code and request a password reset on behalf of a million different Facebook users, and give that code to a million bots to enter. This would yield about 20 Facebook accounts, but requires simultaneous use of a large number of bots to achieve.
Twitter was not left out of the discussion. Twitter offers storage of media files, which can be shared with other users. But it's possible to post a media file and impersonate a victim, with no password required. An attacker would need to upload a file to ads.twitter.com and share it with the victim account, and then intercept the publication request and replace the owner_id and user_id values with those of the victim. The tweet is subsequently published as if it were created by the victim.
The most awaited Fast Track rapid-fire talk was that of Anton Lopanitsyn, "User-friendly, though. (Messaging bots expose sensitive data)." Bots are used by popular instant messenger Telegram not only to find pictures, songs, and exchange rates, but in corporate environments to automate internal and external processes. They are used as a task manager for Jira, for example. Bots are already integrated with Teamcity, Redmine, Zabbix, Jenkins, Nagios, version control systems, and internal corporate services. Having complained about the lack of documentation on methods in the Telegram API, Lopanitsyn took a list of companies from a job-listing site and used the type bot argument to find those company names on Telegram. He found that due to a lack of user authorization in Telegram bots, any person who added a corporate bot could, for example, reserve a conference room at an unrelated company, spam the time and attendance system, change the status of tasks in the project management system, send employees on vacation, and more. He also hypothesized that SQL database injection would be possible if the bot interfaces with a database. And because Telegram uses third-party libraries for media files, there is also the risk of arbitrary code execution. Follow all the PHDays VII events on Twitter and Facebook. Recordings are available at www.phdays.com. The results of contests, including The Standoff, will be published soon.
Forum Partners: Rostelecom, R-Vision, Kaspersky Lab, IBM, Microsoft, Solar Security, InfoTeCS, and SAP
Forum Sponsors: Axoft, Web Control, ANGARA, Check Point, McAfee, and Symantec
The Standoff Partners: Palo Alto Networks, ICL System Technologies, and Beyond Security
The Standoff Participants: Infosec, Advanced Monitoring, Jet Infosystems, and CROC
Technology Partners: Cisco, CompTek, Acronis, Synack, ARinteg, Qrator Labs, Wallarm, Zecrion, Aktiv, QIWI, PROSOFT, and Advantech
Premier Media Partner: TASS