Publication date: May 22, 2019

Triumph of critical thinking at PHDays: Day 1 of the forum

Positive Hack Days has already completed its first day. Over 6,000 participants came to Crocus Expo International Exhibition Center, Moscow, on May 21, setting a new attendance record. Under the banner of "Breaking the Constant," dozens of presentations, hands-on labs, competitions, a cyberquest, and an entire digital city awaited at PHDays 9. Below follow some of the highlights from Day 1.

Changing the cybersecurity paradigm

The forum kicked off with the plenary discussion "Safe transformation to an unsafe digital life." Transitioning to digital interactions means risks for the individual, society, business, and government. All the systems that make our lives convenient—smart cities, e-government, digital medicine, the Internet of Things, and management of human and product flows—also can pose a threat. Boris Simis (Positive Technologies), Garald Bandurin (Russian Railways), Alexander Baranov (Higher School of Economics), and Igor Lyapunov (Rostelecom) gave their assessment of whether protection is keeping pace with the risks.

The participants noted a tension between business and security: IT and security pros may not even know about changes happening inside their company, such as deployment of new systems. Often these changes are already incorporated into the business strategy and give a competitive edge. In these circumstances, the classic approach to information security is doomed to fall short.

According to Simis, most of the blame goes to the security crowd, who "know how to do two things: scare and forbid." A solution was proposed by Lyapunov: "A security officer should be a business partner who truly knows what the company is up to. This enables finding the optimal methods and tools to ensure security."

The participants also proposed their own approaches to the security paradigm shift. Baranov pointed out the need for a change of mindset among security developers: "It's not right to expect protection tools to be exploited just by specialists, even if that might seem right. Bringing information security to the masses requires plug-and-play. Protection should be built into the systems used by our parents and grandparents, and therefore must be easy to use."

Lyapunov laid out three criteria necessary for a market change: 1) companies should take responsibility for security incidents, not for regulatory violations, 2) funding mechanisms and venture investments must be present, and 3) international markets must be accessible.

Bandurin emphasized the importance of ontological data models and the security culture. In these questions, the role of the state is paramount. As technologies develop—including quantum computing and quantum encryption—serious research will be necessary, since the level of security will be entirely different. What's needed, Bandurin says, is a "designer-in-chief who plans information systems from the very start, in a holistic way, including the regulations, recovery technologies, and technologies for interaction."

Digitalization

At "From the global digitalization to the new civilization," Ruslan Makarov from the Institute of Digital Economy noted that by 2030, artificial intelligence could boost the world economy by 14 percent (PricewaterhouseCoopers) or 16 percent (McKinsey). Avoiding this process will be as futile as trying to not breathe. According to polling, 62 percent of Russians actively use the Internet or various digital devices.

Speaking at the section, Alexander Bashnin, mathematician and Vice President of the Organizing Committee of Digital Formation, gave an example: "Obtaining a passport occurs according to a functional scheme, but when you register a car, the process is now net-centric." According to Bashnin, the defining trait of the digital economy is hyperconnectedness. Migrating all archives to PDF will not take us closer to a digital economy, because all technologies fall into one of two categories: either they generate hyperconnectedness (such as when information on where we went or which card we used to pay is used by services and applications) or they do not.

Russia needs an entirely new intellectual foundation. Today the country needs to take a risk: to build a system not for building things, but one to motivate people to create ideas and intellectual property. The extraterritorial model for building a digital economy is not a good fit for Russia, due to its enormous size. Rather, what is needed is a dynamic hierarchy based on a measure of the social usefulness of an individual. In a dynamic hierarchy, people can slide both up and down. In 2018, as Bashnin pointed out, the word "justice" was the most popular Internet search, and a dynamic hierarchy enables providing it.

Bashnin said: "I am accused of urging a societal experiment, but it was another experimenter, Karl Marx, who according to a BBC survey was the greatest thinker of the 20th century, even though he lived in the 19th. His old Commodity—Money—Commodity scheme should transform into something more modern in which time is the main resource."

Valeriya Brusnikina, IPChain Vice President, brought up the question of "the new oil"—intellectual property. The share of intellectual property has risen to 30 percent of Chinese exports, and 8 percent of German exports. Products that constitute new intellectual property are appearing all the time—sports logos or social network profiles—but are absent from the Russian Civil Code. Brusnikina explained that how the association attempted to create a collective rights management system to support new social property types. Galina Dobryakova, founder of IREG, said that it's not enough to say in the employment contract that "everything employees do belongs to the company." If no explanation is given of what this "everything" is, employers must prove in each case what exactly this intellectual property is in the agreement, before selling it.

Viktor Stepanov, founder of the Business Scaling and Investment Academy, illustrated the ossified nature of education with a historical example: in the fourth century B.C., Aristotle was confident that women had fewer teeth than men. And until the seventh century, this was taken as fact—even though people could have simply counted for themselves! Our society is in the thrall of supposedly unshakable "truths" that have become all too obsolete. The world is moving away from hard skills (the ability to program or hammer nails) and soft skills towards a new model with three main components. The first is developing contextual skills, such as the ability not simply to program, but to program in a particular language. (Often this skill is needed today and superfluous tomorrow, even becoming a limiting factor in personal development.) The second is cross-contextual skills: writing, reading, and managing one's time. The third is the ability not merely to learn, but "unlearn," plus reflective skills and social skills.

Vladimir Mamykin, Microsoft Information Security Director, noted that in 19th-century England, the technical process was ignored and not popularized at a national level. This contributed to the Luddite movement when people damaged looms, other equipment, and entire factories—they were afraid of losing their jobs. Nowadays, it is imperative to educate the masses on the benefits of computers.

The theme of digitalization was taken up at the roundtable "Digital formation: from knowledge economy to digital state." They discussed the changes awaiting us in ideology, politics, law, economics, finance, and governance. Discussion was joined by Evgeny Sakharov, Vice President of the Organizing Committee of Digital Formation, together with Leonid Goloskokov, Head of the Department of Civil Law at the Moscow Academy of the Investigative Committee of the Russian Federation, Kseniya Ermishina, Senior Researcher in the Cultural Unit of the House of Russia Abroad, Alexander Bashnin, Vice President of the Organizing Committee of Digital Formation, and Konstantin Zdiruk.

Discussion of the FSTEC vulnerability data bank

Vitaly Lyutikov, Deputy Director of the Russian Federal Service for Technical and Export Control (FSTEC), and leading security experts held a roundtable discussion on the vulnerability data bank maintained by FSTEC. Topics included the current state of the data bank, experience in using it, future developments, motivation for researchers who submit vulnerability information to the data bank, and FSTEC interactions with researchers and vendors.

Lyutikov explained about the data bank and how the agency interacts with vendors. This work has been performed by his agency since 2015, and today the data bank contains information about the main security threats and vulnerabilities in information systems, including over 21,000 vulnerabilities and 200 security threats. Vulnerability information is provided by both companies and individual researchers. The data bank site gives a rating of researchers who have submitted vulnerability information.

Participants shared difficulties they have had with the FSTEC data bank. Mikhail Kader (Cisco) told that the language barrier gets in the way of Cisco's interaction with FSTEC. He also decribed the frequent practice of researchers who, instead of reporting an issue to the vendor, bring it to the world's attention from conference lecterns.

Yan Sukhikh (Schneider Electric) raised the issue of rules for inclusion of vulnerability information and timelines for failure to act, and expressed the desire of Schneider Electric to organize a workshop with participation from FSTEC.

The need for educational work was underscored by Dmitry Kuznetsov (Positive Technologies). He shared the situation encountered by Positive Technologies exports during protection assessment work: clients do the bare minimum of vulnerability resolution, fix only the vulnerabilities listed in the data bank, or ask to not inform the vendors whose components contain problems.

Evgeny Goncharov (Kaspersky Lab) accentuated the positive. The data bank is helpful, although not a cure-all, to security professionals at certain stages. He praised the balanced approach of FSTEC to many problems and absence of "regulations that would require immediately informing of zero-day vulnerabilities." He also mentioned the problem of hidden vulnerabilities, when the vendor is not willing to admit that a product is vulnerable.

Main speaker Karsten Nohl on the swamp of old problems

In 2009, Karsten Nohl cracked the GSM data decoding algorithm. In 2013, he discovered a vulnerability in SIM cards with which one could intercept virtually everything including text messages, conversations, and payments. For the last five years, he has combined research with security management. At PHDays 9, he spoke on the topic "The rest of the iceberg: Focusing on real hacking threats." While researchers may move from one topic to the next, executives are constantly grappling with the same set of problems. This may seem exhausting, but does allow finding some interesting patterns.

Many of the recurring security problems faced by business stem from security issues in legacy products and technologies. The speaker showed two photos: one with an empty field, and the other a corporate office complex. He then asked which place would be easier to fully digitize? For most people, the intuitive answer is the latter. Nohl described his experience in India, where a single company starting from scratch was able, over several years, to connect hundreds of millions of people to the Internet. The architecture was designed from the ground up to account for modern security approaches, protocols, and 4G requirements.

But when the perfect-on-paper design goes to a vendor, the latter invariably finds a way to screw up. One contractor downloaded an eight-year-old Linux distribution with known vulnerabilities and installed a new product on it. Another contractor used the same password for the first several thousand hosts—and the password was the company name. In that case, Nohl's colleagues had to change 80,000 passwords. Installing all the latest security updates on smartphones of company clients also proved impossible: nobody other than Google was able to. Therefore it is not realistic to rid ourselves of the legacy of old vulnerabilities. Instead, you get bogged down in them. If you hire thousands of people, many of them will fall for phishing on their very first day on the job.

As Nohl puts it, even big companies get things wrong when it comes to basic security principles—such as their password policy, update installation, or phishing defenses. The good news is that these mistakes are rather generic, and it is possible to improve security incrementally: strengthen passwords, restrict access, and configure a firewall. With his colleagues, Nohl performed a global data analysis regarding the security level of thousands of companies in dozens of industries, creating a "hackability" rating to compare them to each other.

More than 270 million IP addressees were scanned. Each address was associated with a specific owner company and industry, along with corresponding revenues, employee counts, and other parameters. The researchers checked all these companies for more than just one particular vulnerability—they applied hundreds of thousands of signatures.

More than 1,000 hosts were vulnerable to Heartbleed. The worst situation was observed at service companies, which simply do not have the money to spare for security. Retailers, banks, and insurers are protected better, but spend very large sums for the privilege.

Risks of GSM locks and children's smartwatches from AliExpress

At "Practicing attacks on GSM alarm systems, smart home, and kids' smart watches," independent researcher Alexander Kolchanov told of vulnerabilities in smart devices. GSM locks allow remotely opening garage doors, for example. GSM alarms are convenient in apartments, country homes, and other remote sites: as soon as an intruder appears, a message is sent to the owner. Kolchanov demonstrated a typical alarm system sold on Chinese online stores for the equivalent of $50 and available from Russian retailers for half again as much. Thanks to their low price, these devices are becoming increasingly popular.

The GSM controller plugs into a power outlet; a SIM card is inserted into the controller. Owners can "call" or text their heaters in order to make their home toasty before arriving, for example. It's just as easy to water the lawn, among other things. Children's smartwatches allow setting a zone where the child is allowed to be, and any venture outside the zone results in a message to the parents.

These devices may seem secure, but only at first glance. An attacker could take advantage, for example, of the fact that these devices often have factory-set passwords (1234, 8888). Often there is no protection from bruteforcing, and trying all possible 10,000 combinations (in the case of a four-digit PIN) is nearly trivial. Bruteforcing a longer password is not always possible. It is also possible to seize access to a device when the password is leaked via insecure protocols.

All tech, all the time

Congosec DMCC researchers Dhiraj Mishra and Zubin Devnani held a hands-on lab on Fuzzing 101. Main topics included SPIKE fuzzing, blind and AFL fuzzing, searching for memory errors using ASAN with AFL integration, and protocol fuzzing (HTTP, FTP, SMTP).

Mikhail Firstov and Andrey Skuratov (FBK CyberSecurity) presented an overview of various web application attacks that can be encountered in professional security audits as well as in bug bounties.

New to this year is the technical track, thrEat reSearch Camp, with a range of topics including incident response, threat intelligence, threat hunting, OSINT, and malware analysis. Muslim Koser, Head of Products & Technology at Volon, shared his secrets for efficiently finding information about criminals on the darknet. His techniques included how to extract information from huge amounts of data as well as combining human intellect with artificial intelligence and machine learning, in order to get the most out of the data one can collect.

In early April 2019, Positive Technologies specialists noted a phishing campaign targeting the Croatian government. Alexey Vishnyakov, Positive Technologies Senior Specialist in Threat Analysis, spoke on "IronPython on the dark side: the silent trio from Croatia." He gave information on the attackers' infrastructure and their techniques for delivering malware.

Check Point reverse engineer Ben Herzog presented a new approach to detecting a classic attack, in which malicious documents are mailed to victims. The attackers creating such documents are forced to use the words "Enable macros" and hide them in the document header or in a picture. Herzog demoed a classifier that immediately identifies such infected files.

Bowen Pan shed light on trends in APT attacks that complicate their detection and attribution. In his talk "Another practical way of APT hunting and IR-based on ATT&CK methodology," he gave examples of how specialists at @360TIC (now known as RedDrip) analyze data and pinpoint anomalous behavior on client systems.

The Positive Development User Group met for its secure development section, with the first six talks given. The first part of the day was devoted to technical presentations, and the second part to business processes. Speakers shared their experience developing an effective static analyzer for JavaScript code, knowledge of programming standards for making secure applications, vulnerabilities in .NET deserialization, and incremental introduction of secure development and software compliance with the GDPR.

During the day, a series of five-minute Fast Track talks covered application security, cryptography, incident investigation, malware, and reverse engineering.

Day of critical thinking at PHDays

For the first time ever at PHDays, an experimental section under the name of Tech & Society was dedicated to critical thinking. Critical thinking is important for understanding one's abilities and achieving goals. Speakers included Positive Technologies marketing head Vladimir Zapolyansky, business angel Dmitry Kostomarov, Head of Information Security at SO UES Lev Paley, ZOGRAS founder and CEO Eduard Maas, Head of Microbiome Research at Atlas Biomed (UK) Dmitry Alexeyev, digital philosopher Vadim Chekletsov, psychiatrist and psychotherapist Andrey Razmakhnin, Russian theater and movie actress Dina Korzun, and author and YouTube star Irina Shikhman. They shared their success stories and how they were able to spark massive change at an individual level. More about this section will be forthcoming in future news items.

Hacker fun and more

Meanwhile, contests and the main hacker competition of the year were in full swing. At The Standoff, teams of attackers, defenders, and security operations centers (SOCs) were doing battle in City F. The city has become bigger and, dare we say, better: a modern metropolis with well-developed infrastructure, convenient transport network, and industrial facilities. Offices of an airline, insurer, IT company, media outlet, and maritime shipper are all there—the city even has a soccer club. And its own cryptocurrency.

The physical model of the city covers approximately 17 square meters, including 3,000 artificial trees, 467 figurines, 153 meters of railway tracks, and over 300 meters of wiring.

One big change this year is that defenders are assigned only to the office complexes. The remaining infrastructure is left vulnerable. And for the first time, developer teams joined the fray. During the hackathon at The Standoff, teams of developers prepared applications while attackers are constantly putting them through the gauntlet and writing bug bounty reports for any vulnerabilities found.

On the first day, team True0xA3 hacked the unprotected office of an industrial company (all ICS equipment is controlled from this very same office) and was able to obtain domain administrator privileges. This enabled them to steal a financial report from the computer of the main accountant of a local media company.

In addition, the attacker teams reported information to the organizers about vulnerabilities as part of a bug bounty. Cryptocurrency mining was not ignored either, as team True0xA3 racked up the score.

Throughout the day, workshops covered aspects of applied security at various levels of complexity. In just a few hours, participants could get a basic working knowledge of different areas of security and practice their skills.

Also for the very first time, the organizers at Positive Hack Days 9 prepared an entire cyberquest available during both days of the event. In a rehabilitation center, participants must get hints from a pool with special nutrient medium, enter the code of humanity, dodge laser beams, and even defuse a bomb. It was a true hit! On the first day alone, hundreds of participants did their best, with the majority making it to the finish and receiving cool prizes: a portable speaker and sticker pack.

The forum included a cultural component as well. Positive Watch IT Night offered the chance to view short movies about our technology-driven future. Films originated from Canada, France, Ireland, Israel, Russia, United Kingdom, and the U.S.

At day's end, Vladislav Kopp, host of Russian audioliterary project and cult favorite Model for Assembly took the main stage to read a fragment from the futuristic novella Person (Status Quo), written by poet and writer Yan Khachaturov. The reading was accompanied by modern electronic music.

Exciting events await on the second day of the forum as well. As always, you can watch PHDays 9 live and following the action on social networks with the following hashtags: #PHDays #PHDays9 #PT #positivetechnologies

All news