Publication date: May 30, 2013

Positive Hack Days III is Over

The information security forum PHDays III attracted more than 2,000 participants from Germany, India, Spain, Italy, Korea, Netherlands, United Arab Emirates, USA, Japan, and other countries. They are leading information security experts, hackers, bloggers, pressmen, politicians, and government representatives.

The forum, which took place on May 23 and 24, embraced discussions of security and attack technologies, of regulations and law initiatives, competitions in detection of ATM, remote banking system and SCADA vulnerabilities, hands-on labs and hacking battles.

Jackets and t-shirts

Both the government and business need information security experts. This is the main idea of the round table initiated for the sake of young specialists' problems.

Georgy Gritsay, Deputy Head of the Radio Frequency and Telecom Networks Department of the Ministry for Communications, underlined that, according to the situation in 2012, Russia needs information security specialists badly. Ruslan Gattarov, a representative of the Federation Council, noted that the President of Russia pays close attention to the industry — decree of the President No. 31c, which makes information security a state concern issue, was issued in January. Vladimir Zhirinovsky advised young information security specialists to work positively and not to mess with crime, and Oksana Dokuchaeva, who represented the Information Security Center of the Federal Security Service, addressed the Russian regions to pay more attention to CTF games in Russia.

The forum saw more than ten business sections related to cyberwar and cybercrime, SCADA security, regulators audit, bank application security, and other topics.

Much interest was aroused by an open discussion with the representatives of FSTEC, Rostelecom, Cisco, Positive Technologies, where the drawbacks of the modern security certification system were talked over. Vitaly Lyutikov, Head of the Administration of the Federal Service for Technical and Export Control (FSTEC of Russia), stated that the regulating authority was developing a whole series of up-to-date standards: guidelines on security assessment, trust download and some security tools, as well as Federal Standard (GOST) related to the organization of the lifecycle of secured information system development. So long-awaited recommendations on updating of certified security tools (installation of patches decertifies a system) are being prepared now. According to Lyutikov, FSTEC welcomes experts to take part in regulations development and keeps on public discussion of document drafts.

The say, "I don't believe!" and keep on hacking

Dozens of reports were delivered and a lot of topics were brought up at PHDays III — from bypassing modern WAF by Vladimir Vorontsov to detecting attack sources by Alexander Gostev. Numerous SCADA vulnerabilities detected by the expert group of Positive Research Center were also talked over.

Marc Heuse, a researcher and developer from Germany also known as van Hauser, pointed out the importance of coordination of all parties interested in information security development.

"We make a whole. Don't be afraid of hackers, but take into account their specific work. Good hackers are rebels by nature, they hardly blend with common corporate or government structures, where it is supposed that their products are the best, their systems are 100% protected, their customers are secured. They say, "I don't believe", and detect so annoying flaws and vulnerabilities. We need to work together, to understand and teach each other. There is no other way."

Hack an ATM with a clip

The reporters of PHDays III managed to surprise the world once again — they showed the most perilous vulnerabilities detected in hundreds of thousands of surveillance cameras all over the word, dashcams security flaws, security problems with the Internet access systems used by the planes of American Airlines.

Experts demonstrated new ATM attack vectors including access to an ATM service zone using materials at hand. They also switched an ATM to a service mode by a common clip.

Though hackers from all over the world participated in the forum, students from Russia did better than the others. For instance, Anatoly Katyushin, a fifth-year student, was the best in exploitation of a remote banking system vulnerability, and Mikhail Elizarov, a first-year student, conquered not only a railroad controlled by SCADA, but an ATM constructed specifically for the contest as well.

New ideas

A special exhibition, where the largest IT companies (ELVIS-PLUS, Stonesoft Corporation, Kaspersky Lab, EMC, Asteros, Cisco, and ICL) showed their newest solutions, was initiated. Positive Technologies, the forum organizer, presented two products: PT Application Inspector, a security control system, which combines static, dynamic and interactive source code analysis, as well as PT Application Firewall, which combines common white and black lists and new self-training possibilities.

It's just the beginning

PHDays III threw it doors open to young researchers and start-up companies (ONsec, Esage Lab, Fairwaves, SolidLab) as well. They managed to tell the expert audience about their business and to receive valuable comments.

According to the forum organizers, the industry can develop only if innovative and promising ideas are implemented in real life helping to ensure security. 

All news